Victorian Privacy Commission's warning on Cloud Computing: E-Alert May 2011
May 2011
Technology
Cloud Computing Privacy
Office of the Victorian Privacy Commissioner Info Sheet 03.11.
As more government agencies consider cloud computing as an alternative to operating software and storing data in-house, the Victorian Privacy Commissioner reminds agencies of the need to address information privacy.
Broadly, 'cloud computing' refers to the new wave of information technology services and resources which can be provided to customers via the internet, rather than by on-site installations of information technology hardware and software. With the arrival of faster internet connectivity, cloud computing is seen as one way for government to achieve a reduction in IT capital and operating costs.
Yet, where the use of cloud computing requires the transmission or storage of personal information, Government agencies must still ensure that the Information Privacy Act 2000 (Vic) is complied with.
For example, Government agencies will still be required to comply with Information Privacy Principle 4 with respect to data security. This means that data security and segregation principles will need to be agreed with the cloud provider and that the agency may need to take steps to de-identify the data being sent to the cloud. The Victorian Privacy Commissioner also reminds agencies that they need to know where data will be stored physically, particularly if outside of Australia, and that they need to comply with Information Privacy Principle 9 relating to transborder data flows.
Once contracts are signed, the Victorian Privacy Commissioner recommends that data security measures under cloud computing contracts be reviewed at least annually to ensure that security measures are kept up to date.
Issues for further consideration
While the issues to be considered will differ depending on the proposed cloud computing model, the Victorian Privacy Commissioner suggests that relevant matters for consideration by agencies include:
- Who will have access to the data? Is the data segregated? What happens when the data is no longer needed? Can the agency get the data back?
- Will cloud computing still be cost effective when all data security costs are factored in?
- Where will the data be stored? Does that jurisdiction have suitable privacy legislation in place?
- What methods does the service provider have in place to identify and respond to security breaches?
- What happens if the service provider is insolvent or taken over?
- What audit rights can the agency obtain?
For more information about cloud computing privacy issues visit http://www.privacy.vic.gov.au/privacy/web2.nsf/files/cloud-computing or contact one of the Maddocks ICT team.


