Privacy and cloud computing: How secure is your customer data?
In brief - Cloud computing brings both benefits and risks
There has been consistent and growing hype about cloud computing for the past five years. What is this cloud they speak of? How come it seems to leak personal information? And can you trust the cloud to look after your customer data?
Cloud computing as a data hosting solution for businesses
"The cloud" is more a term of marketeers than IT geeks, but it seems to have stuck.
To most, "the cloud" means the internet, but that is not correct. If anything, it means the world wide web. But hang on a second, the internet IS the world wide web, isn’t it? Well, no. Put most simply, the internet is the network (or infrastructure), while the world wide web is the collection of applications that uses this infrastructure. The best analogy I have is to say that the internet is the network of roads, whereas the cars are the world wide web.
The best way to think of the cloud is that it is a reference to www services offered via the internet. Like Hotmail - possibly the first successful cloud computing solution.
The cloud is cool because it offers endless scope for the business world and enables SMEs in particular to harness the power and scale of the likes of Google for themselves.
For example, many businesses use Google Docs (TM) as their application and data hosting solution. This saves them paying licence fees for software and having to own and manage their own servers to store all the information.
So if you use a cloud application to create or hold your customer list, where exactly is that information?
Why don’t you ask Sony, or Apple, or Google, or Dell, or Telstra and maybe even Vodafone? The one thing all these big names have in common is that their customer data recently fell out of the cloud and into the public domain, much to the chagrin of said customers.
So what would a person in a white wig say about all this?
Three points about privacy law in Australia
- Personal information (which is the term the law uses) is basically any data which can be used to identify an individual, like a name, address, credit card number, photo, phone number... you get the picture.
- The collection, hosting, use and dissemination of personal information are regulated in Australia under the Privacy Act 1988 (Cth).
- It is not illegal to host personal information in the cloud, but there are rules you need to follow.
Often when a cloud solution is being implemented, the host servers will NOT be in Australia. If you are considering using the cloud for your business, you should find out where the servers are. If they are not in Australia, you need to take further steps to ensure your compliance with the Privacy Act.
Failure to comply with the Privacy Act can lead to fines and additional regulation from the Information Commissioner. A customer data leak may also damage the reputation of your business and lead to an exodus of customers.
Rules governing the collection of customer data
When you collect personal data from your customers, you must ensure:
- you tell your customer the reason for collecting their personal information
- if you are going to disclose the information to a third party, you tell your customer (and in some circumstances get their consent)
- you take steps to ensure the personal information you hold is accurate, up-to-date and is kept secure from unauthorised use or access
- you have a policy on how you manage personal information and make it available to anyone who asks for it
- you give individuals a general right of access to their personal information and the right to have that information corrected if it is inaccurate, incomplete or out of date
- you do not use an Australian government identifier for an individual (e.g. a Medicare number) as your internal identifier
- where possible, you give individuals the opportunity to do business with you without having to identify themselves
- sensitive information like health, racial or ethnic background, or criminal records is held in a very secure and safe way and not disseminated without express consent
Outsourcing management of customer data
If you outsource the hosting or management of all this data, you will be responsible for ensuring your host partner complies with all these requirements too.
An Australia-based host partner will also be subject to these laws, but that does not discharge your primary obligations under the Privacy Act.
An overseas host partner will not be subject to the Privacy Act. However, you are required under the law to ensure that they are subject to laws of equal or higher standards.
You will need to have a working knowledge of the relevant jurisdiction's privacy regime to make this assessment.
Other things to consider when putting your customer data in the cloud
You access the service provider that holds your data via the internet, which means that access depends on both your local internet connectivity and the recipient's.
Confidentiality clauses in customer contracts may be breached by sending commercially sensitive data to a third party to host. You will need to review your current contracts.
You should consider:
- The privacy laws in the jurisdiction of the overseas recipient
- Data ownership and your intellectual property
- Audit and service levels
- Migration services and your IT team
- Termination of the service and return of your data
Playing it safe with personal information
- Ensure you have sound contractual obligations binding the recipient of the information
- Undertake comprehensive IT due diligence of the recipient's practices and software
- Undertake regular reviews of the contract to ensure that it is in line with legal and technological changes
- Get some good legal advice before you click "send"!