Privacy obligations in the cloud

Wednesday, August 17, 2022

Cloud computing offers significant benefits to businesses and organisations in terms of scalability, availability, and cost. However, entities that store information in the cloud still have responsibilities for that information under the Privacy Act 2020.

A business or organisation that stores information in the cloud must be able to control access to and use of the information, as well as protect the legal rights of the individuals whose information has been sent to the cloud. Those legal responsibilities become more complex when information crosses borders as the interface between different regulatory regimes can be ambiguous, uncertain, and risky.

This article addresses the privacy obligations for businesses and organisations under the Act and describes the measures that can be taken to minimise the risk of breaching those obligations.

Privacy Act Principles

Section 22 of the Act sets out 13 information privacy principles with which businesses and organisations dealing with “personal information” must comply. The following five principles are of particular relevance in the context of cloud computing:

  • Principle 5: Storage and security of personal information
  • Principle 6: Access to personal information
  • Principle 7: Correction of personal information
  • Principle 10: Limits on use of personal information
  • Principle 11: Limits on disclosure of personal information
  • Principle 12: Disclosure of personal information outside New Zealand.

Contractual Considerations

To assist your business or organisation to comply with the Act and the privacy principles, you should seek to ensure that the contract with your cloud provider deals satisfactorily with the following issues:

Ownership of data

The contract should be clear that all data provided by or generated for your business or organisation is owned by the business or organisation, and can only be used by the cloud provider for the purpose for which you provided the data to them (i.e. to store it).

Access to data

You should know how to access and retrieve your data from the cloud provider during and after termination of the contract.

Confidentiality, security, and privacy

The cloud provider should be contractually obliged to keep your business or organisation’s information (including personal information) confidential and adequately protected. It should also be contractually obliged to be responsive to any request about its confidentiality practices, back up processes, security, and privacy as they relate to your business or organisation’s information, including personal information. You should be comfortable with such practices before signing the contract.

Warranties, indemnities, and liability

Your business or organisation should try to negotiate sufficient warranties and indemnities from the cloud provider in relation to the security and confidentiality of information (including personal information). If the cloud provider seeks to exclude certain losses or limit its liability, such exclusions and liability should not apply to breaches of confidentiality or privacy.

Support

The contract should be clear about the level of support that will be supplied by the cloud provider to your business or organisation should you need to, for example, retrieve data to comply with an access or correction request from an individual. Consider, for example, if the cloud provider is based outside New Zealand, will support be provided during New Zealand business hours?

Geographic restrictions on data storage

A business or organisation may only share personal information outside of New Zealand with third parties that are subject to the Act, have comparable safeguards to the Act, or enter arrangements to ensure personal information is protected as it would be under the Act.

A business or organisation may send information to an overseas third party to hold or process (i.e. not use for its own purposes) and this transfer will not be treated as disclosure under the Act.  

Nonetheless, the business or organisation remains responsible for any personal information shared or transferred outside of New Zealand. Personal information should not be shared with countries without comparable safeguards unless contractual arrangements have been entered into to ensure information will remain protected as required under the Act.

Termination

Your business or organisation may want to ensure it has the right to terminate its contract with the cloud provider for convenience. It could also prescribe the sort of assistance the cloud provider might give the business in such circumstances to allow it to shift seamlessly to another cloud provider.

Other ways to minimise your risk

In addition to negotiating the above provisions into its contract with a cloud provider, a business or organisation can consider the following precautions to minimise its risk of not complying with the Act:

Staff Compliance

Seek advice on, and ensure that staff understand, the business/organisation’s privacy policy (if any) and its obligations under the Act. The terms of any employment contract with staff should also stipulate an employee’s obligation to comply with the privacy policies of the business or organisation.

Availability of Information

Ensure that critical operations can be immediately resumed in the event of a disruption or disaster and that the cloud provider has a response plan to reinstate all operations in a timely and organised manner.

Incident Response

Understand (and, if possible, negotiate) the contract provisions and procedures for incident response to minimise the impact of disruption or disaster on the business or organisation.

Systems Access Management

A business or organisation can reduce its risk of wrongfully disclosing personal details by ensuring that it has adequate safeguards in place to make sure that only authorised individuals are able to access its systems and information.

Each business and organisation is responsible for ensuring that personal information is transferred and stored safely, can be accessed and corrected when necessary, and will be removed when it is no longer needed.

Duncan Cotterill can assist you to identify the privacy obligations of your business or organisation, consider the privacy implications of a potential cloud provider, and negotiate an appropriate contract with your chosen cloud provider. For more information, please contact a member of our Data Protection and Privacy team.

Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
