The ‘cloud’ is a very hot destination these days. For corporate IT managers and individual computer users, the cloud is like a relaxing vacation spot for our data.
In computing terms, the cloud offers almost ‘anything-as-a-service’. From e-mail to music storage to credit card processing to records retention.
Users and vendors alike often refer to the cloud as a “solution” as one of the problems it seems to solve is the need for an expensive IT infrastructure.
The cloud offers both small businesses and large enterprises a chance to ‘free up’ or eliminate in-house IT costs and resource commitments by outsourcing data processing, storage, back-up and transmission activity to third party providers ‘in the cloud’.
Even as more and more data and data services are located ‘out there’, industry analysts and observers remind that the cloud providers are physical entities, often located in other countries: data flows quickly and easily across many borders on its way in and out of the cloud.
Among the many industry groups and organizations that have released information for those companies having or making cloud computing arrangements, the Payment Card Industry Security Standards Council.
It has published guidelines for protecting sensitive data in the cloud. And while it was written to protect credit card information, the same concepts apply to any data stored remotely.
It stresses that cloud-hosted data and cross-border data flows require an awareness of and sensitivity to the differing data protection rules of each country that data may travel through.
The PCI guidance says that clients will need to verify all locations and the flow of their data to ensure compliance and meet legal obligations in each country.
The challenge organizations face when storing data in the cloud is that they lose an element of control, the Council says, and therefore important security and privacy issues are raised by cross-border data flow.
So three of Canada’s privacy commissioners have also issued advice to those considering or using cloud computing services.
Federal and provincial privacy commissioners alike have addressed several practical cloud computing considerations for businesses in Cloud Computing for Small and Medium-sized Enterprises: Privacy Responsibilities and Considerations, including those around transborder data flow.
There’s no privacy legislation that prohibits a company in Canada from transferring personal information to an organization in another jurisdiction for processing, but those that do are advised to carefully evaluate what can happen when such data moves outside our country.
Data on its way to or from the cloud may either travel through or be physically located in multiple countries, where it will be subject to the laws of those jurisdictions.
Knowing just where in the cloud your data may go and where back-ups may reside is a key contractual consideration for cloud users and service providers alike: business agreements, service contracts or peering arrangements can be used to help spell out multi-national data considerations.
So, too, a Canadian developed website and interactive tool called IXMaps, that lets users track the route their data takes when heading to an intended destination.
With supporting from the federal privacy commissioner, the IXmaps site and related investigative research project is coordinated by Andrew Clement, with the Faculty of Information at the University of Toronto, with co-investigator Nancy Paterson, Faculty of Art, OCAD University.
They have shown that data sent from one Canadian location to another Canadian location nevertheless crosses borders and jurisdictions on its way.
With all that travelling, it may soon be necessary or advisable to get our data a passport, and maybe even some inoculating shots before heading out.
-30-
submitted by Lee Rickwood
Yeah, I have seen so many people discussing it over the last few years that it has actually made me question it too. I think it would have been possible if they were not doing it.