Data in the cloud

| August 5, 2011
Cloud Computing topic of the month

Technological advancements and the protection of personal information are not irreconcilable goals. When we take the effort to implement new technologies correctly, they can actually be complementary.

Take cloud computing[i], whereby the computing capabilities from an organisation or agency’s in-house facility are transferred to third parties, generally using the internet to transport data.

Cloud computing can raise important privacy questions such as:

• Where is the cloud service provider based, and what privacy laws, if any, is it subject to?
• How does it secure the data it stores, and is it secure enough for all types of personal information?
• What backup systems are in place?
• How quickly can an organisation or agency access information it is storing in the cloud, or update it if it becomes inaccurate?

But cloud computing could also offer opportunities to enhance privacy protection.

For example, stories about security breaches due to lost or stolen laptops and USB devices abound. This risk may be reduced by storing data in the cloud. However, the challenge is to ensure that data can be moved onto and within the web safely in order to take advantage of these opportunities.

By its nature, cloud computing involves the virtualisation of resources such as data storage space. This means that the personal information of Australians may end up being stored in data centres in other countries.

In terms of how this information is protected, I remind organisations using cloud computing that they may need to comply with the transborder data flow principle in the Privacy Act

Cloud Computing topic of the monthThis principle sets out the circumstances in which an organisation in Australia may transfer personal information about an individual to someone in a foreign country. These circumstances include, but are not limited to, if the organisation reasonably believes that the recipient of the information is bound by a law, binding scheme or contract that is similar to the standards imposed by the Australian Privacy Act, or if the individual has consented to the transfer of their information.

Australian Government agencies need to be aware that section 95 of the Privacy Actrequires them to ensure that contracted service providers do not do anything in relation to information they receive that would breach an an Information Privacy Principle if it were done by the agency itself. This means that in contracting a cloud service provider, agencies must make sure that there are contractual measures in place to ensure that any personal information is handled appropriately.

The power of computers has developed exponentially over recent years, and as the need for data storage grows, so too will computing in the clouds. This will inevitably lead to greater levels of international coordination as state boundaries become less significant to the transfer of information. In fact, this is already starting to happen through forums such as the APEC Cross-border Privacy Enforcement Arrangement and the Global Privacy Enforcement Network, which was flowed from a recommendation from the OECD.
 

So for anyone considering the cloud, make sure that privacy is built into projects from the outset by undertaking a privacy impact assessment.
 
Technological developments can provide great opportunities for privacy protection, if privacy is embedded proactively into the technology itself—a process known as ‘‘Privacy by Design’. Good privacy practices can go hand in hand with other important aims such as innovation and business growth. With creativity and cooperation, it is always possible to achieve such aims in a privacy enhancing, rather than privacy intrusive, way.
 


[i] An interesting discussion about what exactly could constitute cloud computing is available in this article by Eric Knorr and Galen Gruman.
 

Mr Timothy Pilgrim is Australian Privacy Commissioner. He was first appointed to the Office of the Privacy Commissioner as Deputy Privacy Commissioner in February 1998. Prior to this he held senior management positions in a range of Australian Government agencies, including the Small Business Program within the Australian Taxation Office and the Child Support Agency. Timothy has made a significant contribution to the field of privacy in Australia, including the development of the private sector provisions of the Privacy Act 1988 (Cth). He also played a key role in implementing the private sector provisions, which took effect on 21 December 2001. More recently, Timothy has participated in the Australian Law Reform Commission inquiry into Australian privacy laws and practice, and continues to work on privacy law reform.

 

SHARE WITH:

0 Comments

  1. JohnW

    September 21, 2011 at 3:37 am

    Technology and the failure to secure Privacy by Government

    "Technological advancements and the protection of personal information are not irreconcilable goals. This is very incorrect in relation to Government.

    How can Timothy say the things he does to private industry, when his own department have many issues with Privacy in relation to it’s own data, and a failure of oversight with staff.

    "Cloud computing can raise important privacy questions such as:" I think the issue is to have proper systems in place before you even consider this ! Recently Timothy’s department had their heads in the cloud with in house data alone. Could a Government department ever manage such a system reliably with it’s limitations and arrogance ?

    Recently it has come to my attention that a member of the public submitted a complaint to Timothy’s department and a person Timothy personnally authorised abused the complainant in question;  refusing to listen, and blaming the loss of private data on user input error repeatably in email and phone conversation. It has been proven through tracking data the gentleman had screen captured, and has sent to Timothy personnally, that the appointed member of Timothy’s staff was in total error.

    The complainant an experienced computer technician  has advised that he believes the error was simply the Privacy Commissions own lack of understanding of their own systems and a filaure to recognise that the Australian Government had introduced a tracking number system that Timothy and his appointed spokesman was not made aware of. A failure in Privacy system development.

    From a logical point of view it appears also that Timothy’s underling failed to realise that his own Registration number actually appeared to be a file name, when Timothy’s own department returns a copy of the submitted privacy complaint to verify submission.

    The disturbing issue the gentleman advises was the fact that the emailed copy of the submitted complaint from Timothy’s department was not deemed relevant to non user input error. Timothy’s spokesman refused to accept any suggestions by the complainant.

    The point is if Timothy’s department alone can be shown  to have lost control of data and refuse to audit their own systems due to arrogance of  Management, how can they continually release statements in relation to the privacy issues of others ?

    I have viewed all the evidence and if the Privacy commission wants to educate the public then it would seem very reasonable for it have systems in place to avoid issues with private information it loses track of.

    The registration number I have viewed, and it is a valid Australian Governement tracking number. The Commissioner has no knowledge of it according to the gentleman at the time

    This is a small extract from the email from Timothy Pilgrims representative claiming what is known to be  false as the tracking screen capture referred to his own department for direction.

    "Your email refers to complaint  ************ As this is not a reference number used within the Office of the Australian Information Commissioner, it occurred to me that you may have unintentionally misdirected your email to this Office rather than the agency who is dealing with your matter."

    This conversation in phone discussions apparently became hostile with timothy’s representative claiming user error over and over.

    The gentleman also states the department does not have a comlpaints process in place re: abuse of powers by departmental officers and they refuse to allow oversight.

     

    John W 21/09/2011

     

    To conclude Goverment intervention in the private world is all well and good if they set an example themselves. When they fail how can they morally castigate industry and preach a false gospel. Maybe this department should be staffed with computer skilled staff in a private industry.