This document summarizes a presentation about privacy and cloud computing. It discusses the benefits and risks of cloud computing, as well as the importance of privacy by design and accountability. Key points include that while cloud services can be outsourced, accountability cannot. Organizations must conduct due diligence on cloud providers and ensure proper contractual provisions through a privacy by design approach.
1. Privacy by Design in the Clouds: You Can’t Outsource Accountability
David Goodis
Director of Legal Services and
General Counsel
Information and Privacy Commissioner of Ontario
Cloud Computing - 101 and Beyond
Municipal Information Systems Association, Ontario
April 11, 2012
2. Cloud Computing and Deployment
• Cloud computing – convenient, on-demand network access to a shared pool of computing resources
• Examples:
– Public Cloud
– Private Cloud
– Community Cloud
– Hybrid Cloud
3. The Power and Promise of Cloud Computing
• Flexibility
• Better reliability and security
• Enhanced collaboration
• Efficiency in deployment
• Portability
• Potential cost savings
• Simpler devices
4. The Cloud and Privacy Concerns
• Fraud, confidentiality and security concerns are inhibiting confidence, trust, and the growth of cloud computing
• Fears of surveillance and excessive collection, use and disclosure of personal information by others are also diminishing confidence and use
• Lack of individual user empowerment and control
– Uncertainty as to location of data, rights to data
• Function creep, power asymmetries, discrimination
• Data breach notification
• Proper data return and destruction
• Governing law
5. You can outsource services … but you can’t outsource accountability
You always remain accountable
6. Privacy by Design Meets the Cloud: Current and Future Privacy Challenges
• What is Privacy by Design? Building privacy into technology from the ground up
• The goal is to establish trust in:
– Data (that travels through the cloud)
– Personal devices (that interact with cloud-based services)
– Software
– Service providers
7. Privacy by Design: The 7 Foundational Principles
1. Proactive not Reactive: Preventative, not Remedial;
2. Privacy as the Default Setting;
3. Privacy Embedded into Design;
4. Full Functionality: Positive-Sum, not Zero-Sum;
5. End-to-End Security: Full Lifecycle Protection;
6. Visibility and Transparency: Keep it Open;
7. Respect for User Privacy: Keep it User-Centric.
www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
8. Privacy by Design Meets the Cloud
Some things to consider:
• Exercise due diligence
• Conduct a Privacy Impact Assessment
• Use identifying information only when necessary
• Identify and minimize privacy and security risks
• Use privacy enhancing technological tools
• Ensure transparency, notice, education, awareness
• Develop a privacy breach management plan
• Create and enforce contractual clauses
9. Contractual Provisions to Consider
• Service provider should not use PI except as necessary in providing services
• Provider should not improperly disclose PI
• Provider must employ safeguards to ensure PI is retained, transferred and disposed of securely
• Provider must notify the organization immediately of any order or other requirement to compel production of PI
• Provider must notify the organization immediately if PI is stolen, lost, or accessed by unauthorized persons
• Implement an oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement
• No one on behalf of the provider should have access to PI unless that person agrees to comply with the restrictions in the agreement.
10. USA Patriot Act and Cloud Computing
• BC, NS legislation restricts government’s ability to outsource beyond the Canadian border
• There will always be laws that allow law enforcement to gain access to information in their jurisdictions – the important question is what steps an organization can take to help ensure privacy and security, regardless of jurisdiction
• Organizations considering outsourcing or cloud computing should ensure accountability through appropriate contractual provisions and a Privacy by Design approach that ensures privacy is built in as an integral part of the proposed technologies and business practices
12. Privacy in the Clouds
• The 21st Century Privacy Challenge;
• Creating a User-Centric Identity Management Infrastructure;
• Using Technology Building Blocks;
• A Call to Action.
www.ipc.on.ca/images/Resources%5Cprivacyintheclouds.pdf
13. Cloud Computing Architecture and Privacy
• Cloud Delivery Models
• Use the cloud in a privacy-protective manner – user control
– e.g. encryption, segregation
www.ipc.on.ca/images/Resources/pbd-NEC-cloud.pdf
14. Conclusions
• Cloud computing has many benefits and risks
• You can outsource your services but not your accountability
• Conduct proper due diligence on your cloud provider
• Ensure you have the appropriate contractual provisions in place
• Build PbD into the cloud infrastructure
• Embed privacy as a core functionality: the future of privacy may depend on it!
15. How to Contact Us
David Goodis
Director of Legal Services and
General Counsel
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada
M4W 1A8
Phone: (416) 326-3948 / 1-800-387-0073
Web: www.ipc.on.ca
E-mail: info@ipc.on.ca