The following topics analyze the potential impact of cloud computing on the key OECD and other common privacy principles.
1. Collection Limitation Principle
This principle specifies that collection of personal data should be
limited to the minimum amount of data required for the purpose for which
it is collected. Any such data should be obtained by lawful and fair
means and, where appropriate, with the knowledge or consent of the data
subject.
In the privacy arena, a lack of specifics about data collection in
agreements with providers creates misunderstandings later. For instance, one
global outsourcer said, “Clients come in expecting the right things in
security, but the wrong things in privacy. They are expecting best
practices, but they don’t know what they are.” There are comprehensive
security frameworks and standards (such as the ISO 27000 series, NIST
guidelines, etc.), and organizations know how to implement them. There
is no universally adopted privacy standard—instead, there are
conflicting laws, regulations, and views on what privacy is and what it
requires from organizations to protect it. Many organizations want to do
what they perceive to be “the right thing”; however, their perception
may be different from the law. As a result, there may be different
expectations regarding what privacy means between the organization and
the CSP, and no agreed best practices.
It is essential that service-level agreements (SLAs) are initially
defined before any information is provided or shared, because it is very
hard to negotiate them later. If you start the request for proposal (RFP) process with an SLA target, you
will be able to disqualify providers who cannot meet your stated needs.
Well-defined security and privacy SLAs should be part of the statement of work (SOW). Ensure
that your SLAs have teeth with specific penalty clauses. Do not cede
command of service-level negotiation to the provider.
Moreover, organizations face the risk that, as different data
elements about individuals are collected and later merged, the combined
information exceeds what the original purpose requires, and the
organization may then be in violation of local laws.
2. Use Limitation Principle
This principle specifies that personal data should not be disclosed, made
available, or otherwise used for purposes other than those specified at
collection, except with the consent of the data subject or by the
authority of law.
Cloud computing places a diverse collection of user and business
information in a single location. As data flows through the cloud,
strong data governance is needed to ensure that the original purpose of
collection and limitation on use is attached to the data. This is
critical when organizations create a centralized database, because
future applications can easily combine the data via expanded views that
are utilized for new purposes never approved by data subjects.
The ability to combine data from multiple sources increases the
risk of unexpected uses by governments. Governments in different
countries could ask CSPs to report on particular types of behaviors or
to monitor activities of particular types or categories of users. The
possibility that a CSP could be obliged to inform a government or a
third party about user activities might be troubling to the provider as
well as to its users.
3. Security Principle
Security is one of the key requirements to enable privacy. This principle specifies
that personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorized access, destruction, use,
modification, or disclosure of data.
4. Retention and Destruction Principle
This principle specifies that personal data should not be retained for longer than
needed to perform the task for which it was collected, or as required by
laws or regulations. Data should be destroyed in a secure way at the end
of the retention period.
How long data should be retained and when it should be destroyed
is still a challenge for most companies. Data growth has led to
definitions of policies and procedures for data retention and
destruction. Most policies have been driven or imposed by legislation
and regulations, such as the Health Insurance Portability and Accountability Act of
1996 (HIPAA), the Sarbanes-Oxley Act (SOX), and other federal and state
compliance requirements.
The actual deletion process is sometimes loosely defined. But when
data copies, data backups, or archives are deleted, are they really
gone? Deleting a file only marks the space (or blocks) it occupies as
usable. Until the blocks are actually overwritten, the data is still
there and can be retrieved. In fact, the disk space occupied by deleted
files must be overwritten with other data several times before the
entirety of the files is deemed irretrievable (a minimum of seven times
per the U.S. federal government’s guidelines).
In many cases, disk or tape media is reused to store more data;
therefore, data deletion typically does not constitute much of an issue.
However, when leased IT assets, such as servers or disk arrays, must be
returned, when obsolete systems are replaced, or when storage media has
reached end-of-life, special care must be taken to ensure that any data
once stored is irretrievable.
Encryption can play a key role in the destruction process. Encrypted
data can be destroyed even when organizations lose track of their data
by destroying the encryption key—data can no longer be decrypted and
hence is rendered inaccessible. This is especially beneficial when the
data is kept by CSPs—encrypted data can be destroyed without the
involvement of the CSPs.
The problem begins when there is a lack of clearly defined
policies around data destruction in cloud computing. Virtual storage
devices can be released by one user and reallocated to another without
the data being deleted. Personal information stored on such a device
may then be available to the new user, potentially violating individual
rights, laws, and regulations. Servers or disks can be decommissioned
without much thought as to whether data is still accessible. There are
several approved methods of data destruction, including media
destruction, disk degaussing, multiple data overwrites with random byte
patterns, and destruction of keying material for encrypted data.
5. Transfer Principle
This principle specifies that data should not be transferred to countries
that don’t provide the same level of privacy protection as the
organization that collected the information.
In a cloud computing environment, infrastructure is shared between
organizations; therefore, there are threats associated with the fact
that the data is stored and processed remotely, and there is increased
sharing of platforms between users, which increases the need to protect
privacy of data stored in the cloud. Another feature of cloud computing
is that it is a dynamic environment; for example, service interactions
can be created in a more dynamic way than in traditional e-commerce.
Services can potentially be aggregated and changed dynamically by
customers, and service providers can change the provisioning of
services. In such scenarios, personal and sensitive data can move around
within a single CSP infrastructure and across CSP organizational boundaries.
Integrating services from multiple CSPs increases the likelihood that data
is transferred to third parties. Any such transfer should be disclosed to the
data subject prior to collection. In many cases there is a need for
unambiguous consent by the individual to the data transfer. Typically
the organization is required to agree to the provider’s standard terms
of service without any scope for negotiation. The terms are likely to be
biased in the provider’s favor, and the organization may not know all
the entities that are involved in the process, and hence is rendered
unable to provide an accurate notice to the data subjects.
The transfer challenge is further complicated because data can be
anywhere in the world—usually, a company computing in the cloud does not
know in what country its data resides at any given time. Instead of its
data being stored on the company’s servers, data is stored on the
service provider’s servers, which could be in Europe, China, or anywhere
else. This tenet of cloud computing conflicts with various legal
requirements, such as the European laws that require that a company know
where the personal data in its possession is at all times, and there may
be a need to report to data protection authorities on the data transfer.
In some cases there may be a need to obtain the data subjects' prior
approval of the transfer.
The U.S. Safe Harbor Program—perhaps the most common means of compliance with EU
requirements imposed when transferring the personal data of EU citizens to the United States—may not satisfy a multinational’s
EU legal obligations, because in cloud computing data could be stored on
servers outside of both Europe and the United States, making the Safe
Harbor Program ineffective. Furthermore, the Safe Harbor option may not
be available for certain organizations not regulated by the Federal
Trade Commission, such as those in the financial services industry. This
may be the case even if the CSP is registered under the Safe Harbor
Program.
One cloud computing application service provider (ASP) offers its customers
the option to store their data only on European servers (for a higher
fee, naturally). However, it is an impractical solution because it
limits the very flexibility and efficiency that cloud computing is
designed to provide. Given the enormous potential and benefits of
computing in the cloud, it seems that, once again, the law needs to
catch up with technology.
6. Accountability Principle
This principle states that an organization is responsible for personal
information under its control and should designate an individual or
individuals who are accountable for the organization’s compliance with
the remaining principles.
Accountability within cloud computing can be achieved by attaching
policies to data and mechanisms to ensure that these policies are
adhered to by the parties that use, store, or share that data,
irrespective of the jurisdiction in which the information is
processed.
The way forward is for organizations to value accountability and to
build mechanisms for accountable, responsible decision making while
handling data. Specifically, accountable organizations ensure that
obligations to protect data are observed by all processors of the data,
irrespective of where that processing occurs.