news In a recent speech on ‘Privacy risks and potential benefits in the cloud’, Acting Victorian Privacy Commissioner Anthony Bendall has highlighted some of the privacy concerns with cloud computing, particularly in its use by the local government.
Privacy, Bendall said, was a fundamental right, however, while fundamental, privacy was not an absolute right, as the Information Privacy Act 2000 (Vic) explicitly acknowledged. The objects of that Act included: “… to balance the public interest in the free flow of information with the public interest in protecting the privacy of personal information in the public sector.” The full speech, which was first referenced by iTNews, is available online here as a PDF.
Referring to cloud computing as a “juggernaut” Bendall said it was “impossible to stop with individuals, business and government embracing the technology with open arms.” “Cloud computing” is the term used for information technology infrastructure that hosts data or applications in the “cloud” – that is, it refers to offsite, geographically remote software or data storage accessed via the Internet. Data or applications are usually accessed on demand through a web browser.
Linking privacy concerns with cloud computing, Bendall told the Local Government Forum in Melbourne that while use of cloud computing services in government was more or less inevitable because of the huge advantages that cloud computing offered – cost, scalability, convenience, and technical support, it was important that privacy concerns be recognized at the foundation and built into the systems. That way, organisations that used cloud computing could be certain that personal information was protected, even while enjoying the benefits that cloud provided.
Bendall said the main threat was the organisation’s lack of control, especially if the cloud provider was based overseas. He said: “The cloud provider would need to be contractually bound by the Information Privacy Act, or fulfil the requirement that a similar privacy scheme to the Information Privacy Act operates in that state or country.”
In relation to data security, it was essential to ensure that the cloud service provider met certain minimum security standards which the organisation was obliged to comply with, especially if there was a data breach. It was also part of the due diligence for organisations selecting the appropriate cloud service provider. Bendall felt that certain questions that needed to be asked were:
- Who actually has my data, and where is it located?
- Is the service provider owned or controlled by a foreign company?
- What control does the foreign company have over the service provider?
- Is the service provider owned by an organisation in a different jurisdiction?
- Can my organisation audit the cloud provider to ensure they are complying with their obligations?
- What happens when the contract is terminated? How will personal information the cloud provider holds be destroyed or retrieved, bearing in mind any requirements under public records or archives legislation?
Since privacy laws only applied to personal information, some organisations proposed de-identifying anything containing personal information so that it could be stored on cloud servers. In some cases, however, de-identification rendered the information in question useless. There were also risks where de-identification was not done properly and a person could be re-identified easily with sophisticated data matching techniques.
Bendall called on government organisations to shift their mindset to “privacy first”. He said: “If private organisations want to come to the cloud computing party and provide services to government, they should ensure they are compliant with privacy laws, because ultimately if something happens, it is the government organisation or council’s data (and reputation) that is at stake.”
I think Bendall’s comments are somewhat useful in that they do highlight some of the privacy risks of cloud computing, and come as a timely reminder not to leave privacy out of any cloud computing discussion. However, right now in Australia’s public sector, I think the fear of cloud computing is so strong that many of these kinds of considerations need to be de-prioritised in the scale of things — at least long enough for government IT professionals to be able to get their hands dirty with cloud computing pilot projects. Right now, there aren’t many government cloud computing projects that can serve as case studies for how privacy can be done right in the cloud. We need a few more of those — and less fear-mongering in general about government use of cloud computing technologies. We’ve been hearing these same kind of warnings from privacy commissioners for half a decade now, after all ;)
Opinion/analysis by Renai LeMay