Privacy by Design in the Clouds: You Can’t Outsource Accountability Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop 26 March 2013
Commissioner Ann Cavoukian, Ph.D. • Appointed by the Ontario legislature • Independent from government • Oversees 3 privacy & access to information laws • Longest serving privacy commissioner in the world • Mandated to: investigate privacy complaints; resolve appeals from refusals to provide access to information; ensure organizations comply with the access and privacy provisions of the Acts; educate the public about Ontario access & privacy laws; conduct research on access and privacy issues, and provide advice and comment on proposed government legislation & programs. Information & Privacy Commissioner Ontario, Canada
IPC Interest in Cloud Computing • Oversight: information management practices of provincial / municipal public and health care sectors in Ontario • Outsourcing, due diligence and accountability • Design and deployment of new ICTs • Applying Privacy by Design Foundational Principles to technologies, business processes, and networked infrastructures
The Power and Promise of Cloud Computing • Flexibility • Better reliability and security • Enhanced collaboration • Efficiency in deployment • Portability • Potential cost savings • Simpler devices
Cloud Computing Risks • Loss of control by customer over technology infrastructure / loss of governance • Possible loss of control over location of data • Concerns about segregation of data • Data retention, destruction and return • Rights to data • Data security
You can outsource data / services … but you can’t outsource accountability. You always remain accountable.
IPC Advice Some things to consider: • Exercise due diligence • Conduct a Privacy Impact Assessment • Use identifying information only when necessary • Identify and minimize privacy and security risks • Use privacy enhancing technological tools • Ensure transparency, notice, education, awareness • Develop a privacy breach management plan • Create and enforce contractual clauses
Privacy by Design Meets the Cloud: Current and Future Privacy Challenges • What is Privacy by Design? Building privacy into technologies, business processes, and networked infrastructures from the ground up. • Goal: to establish and achieve highest possible standards of accountability, confidence, and trust in management of PII, beyond compliance • Requires: Proactive, capable leadership; Systemic, verifiable methods; Practical, demonstrable results
Privacy by Design: The 7 Foundational Principles • Proactive not Reactive: Preventative, not Remedial; • Privacy as the Default Setting; • Privacy Embedded into Design; • Full Functionality: Positive-Sum, not Zero-Sum; • End-to-End Security: Full Lifecycle Protection; • Visibility and Transparency: Keep it Open; • Respect for User Privacy: Keep it User-Centric. www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
Applied Privacy by Design • Large Ontario educational institution initiative to upgrade, outsource IT infrastructure to a U.S.-based cloud service provider • Evidence of Capable, Proactive Leadership • Open and transparent processes • Evidence of Systemic, Verifiable Methods • World class PIA, TRA and metrics • Expected Practical, Demonstrable Results
Conclusions • Cloud computing has many benefits and risks • You can outsource your operations and services but not your accountability • Conduct proper due diligence on your cloud provider • Ensure you have the appropriate contractual provisions in place • Build PbD into the cloud infrastructure • Embed privacy as a core functionality: the future of privacy may depend on it!
Contractual Provisions to Consider • Description of Services • Service Level Commitments • Data Ownership and Other IPR Issues • Confidentiality, Privacy and Security: data confidentiality obligations; obligations of the cloud service provider for protecting customer data; location of data; audit provisions; data return and destruction; data breach notification
Contractual Provisions to Consider • Representations and Warranties • Insurance Coverage • Liability and Indemnity Issues • Termination / Transition Provisions • Subcontracting by the Cloud Service Provider • Assignment by Either Party • Governing Law and Forum for Resolution of Disputes • Dispute Resolution
Contractual Provisions to Consider • Service provider should not use PI except as necessary in providing services • Provider should not improperly disclose PI • Provider must employ safeguards to ensure PI is retained, transferred and disposed of securely • Provider must notify the organization immediately of any order or other requirement to compel production of PI • Provider must notify the organization immediately if PI is stolen, lost, accessed by unauthorized persons • Implement oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement • No one on behalf of provider should have access to PI unless that person agrees to comply with restrictions in the agreement.
USA Patriot Act and Cloud Computing • BC, NS legislation restricts government’s ability to outsource beyond Canadian border • There will always be laws that allow law enforcement to gain access to information in their jurisdictions – the important question is what steps can an organization take to help ensure privacy and security, regardless of jurisdiction • Organizations considering outsourcing or cloud computing should ensure accountability through appropriate contractual provisions and a Privacy by Design approach that ensures privacy is built in as an integral part of the proposed technologies and business practices