The Privacy Commissioner this month released the results of a survey of current practices relating to the international transfer of personal information by New Zealand organisations. The survey confirmed the international transfer of personal data was increasingly common and there are a number of gaps and deficiencies in the ways in which local organisations are currently managing the privacy risks.
Importantly for organisations trying to work out what practical compliance steps they need to take in a cloud computing context, the survey results also provide further indications about the types of controls and safeguards which will be expected.
While the results certainly do not offer any concrete guidance on what is required, they do provide some further helpful pointers towards the actions the regulator is likely to be looking for.
Questions about privacy and security often hold organisations back from wider take-up of cloud computing.
Under Principle 5 of the Privacy Act 1993, where a customer agency provides its information to a cloud provider, that customer agency is under a specific obligation to ensure that “everything reasonably within the power of the agency is done” to prevent unauthorised access or disclosure.
This is quite an onerous obligation. Even if you have taken a number of quite detailed (and costly) steps, it is difficult to be certain that you have done everything reasonable within your power.
Because the legal standard is so high, guidance from the regulator about the sorts of practical measures the Privacy Commission will deem to be sufficient would be genuinely welcomed.
However, in the meantime, it is possible to highlight a number of points from the results of the data to assist in the consideration of practical compliance steps.
1. Security controls need to be broader than just in transit.
Substantive protection for the actual transmission of the data between New Zealand and an international location was found to be quite widespread. However, the controls on the use of the information once it is overseas were found to be less convincing.
2. Contractual safeguards are a minimum.
A number of organisations relied on contractual safeguards to control how service providers use and protect the data. If contractual clauses are to become the primary means of protecting privacy and security (as in other parts of the world), then it becomes quite important to get the drafting of those provisions right. Reliance on the supplier’s standard terms may not always be appropriate.
3. Check that the provider does what it says it will.
While a number of organisations claimed to use contractual conditions to protect their data, only a small minority actually carried out independent audits to check if the provider was complying with those conditions.
In a public presentation in the first week of May to highlight the survey results, Privacy Commissioner Marie Shroff highlighted that this is seen as a particularly important step.
4. Individuals should be given genuine notice.
The survey results shows that in many cases individuals are not informed their personal information is being sent overseas. A significant majority of agencies currently either do not tell individuals at all, or only reveal this when asked. In some cases these practices are likely to be in breach of Principles 3 or 4 of the Privacy Act 1993.
5. Internal decision making processes are important.
The survey results showed that decisions to use overseas IT infrastructure are predominantly being made on an ad-hoc basis – relatively few agencies have policies in place to assist these decisions. Given the complexity of the legal and technical risks involved, having a consistent decision-making process in place to consider the risks and determine appropriate mitigation measures is an invaluable compliance tool.
Comments made by Shroff when releasing the results from the survey, seem to confirm that further regulatory activity is likely in this area.
The Commissioner explained that, “If New Zealand businesses and government agencies are going to take advantage of the benefits the cloud can offer, it is imperative that privacy issues are tackled and got right.”
That there are privacy and data security risks involved in cloud computing does not mean organisations should be prevented from taking advantage of the cloud’s benefits, but this does make it worthwhile to think carefully about the best steps to take to address those risks.
Hopefully, future guidance from the Commissioner will provide New Zealand organisations with more specific recommendations about the steps they need to take to manage the privacy risks in cloud computing.
However, in the meantime, there is enough information and guidance out there for agencies to start taking action to put themselves in an improved compliance position.
Winslade is a senior solicitor at lawyers Duncan Cotterill. He is a specialist in information technology, data privacy and intellectual property.