BC privacy commissioner issues guidelines for use of cloud computing by public bodies

The Office of the Information and Privacy Commissioner for BC has
published guidelines for public bodies considering the benefits and
risks of cloud computing.

“Cloud computing” refers to the practice of using the Internet to
process, manage and store data on remote network services, rather
than on one’s own computer hard drives.

As the popularity of cloud computing grows, public bodies (including
schools, hospitals, municipalities and local police forces) are looking
to take advantage of the cost savings and functionality these
services offer. But the use of cloud computing by both public bodies
and private enterprises in Canada is controversial.

If the servers on which information is stored are located in a foreign
country, any personal information stored may be outside of the
jurisdiction of Canadian privacy laws and subject to foreign laws that provide far less privacy protection, such as the infamous USA Patriot Act.

The Commissioner’s report provides information to public bodies about how BC’s Freedom of Information and Protection of Privacy Act applies to the use of cloud computing, including:

• Data storage and access: The law requires that personal information in the custody or under the control of a public body be stored and accessed only in Canada, subject to limited exceptions, and

• Data security: The law requires public bodies to take reasonable
steps to protect personal information against such risks as unauthorized access, collection, use, disclosure or disposal.

Commissioner’s news release

Cloud Computing Guidelines for Public Bodies