Privacy obligations in the cloud
Cloud computing offers significant benefits to businesses and organisations in terms of scalability, availability, and cost. However, entities that store information in the cloud still have responsibilities for that information under the Privacy Act 2020.
A business or organisation that stores information in the cloud must be able to control access to and use of the information, as well as protect the legal rights of the individuals whose information has been sent to the cloud. Those legal responsibilities become more complex when information crosses borders, as the interface between different regulatory regimes can be ambiguous, uncertain, and risky.
This article addresses the privacy obligations for businesses and organisations under the Act and describes the measures that can be taken to minimise the risk of breaching those obligations.
Privacy Act Principles
Section 22 of the Act sets out 13 information privacy principles with which businesses and organisations dealing with “personal information” must comply. The following five principles are of particular relevance in the context of cloud computing:
- Principle 5: Storage and security of personal information
- Principle 6: Access to personal information
- Principle 7: Correction of personal information
- Principle 10: Limits on use of personal information
- Principle 11: Limits on disclosure of personal information
- Principle 12: Disclosure of personal information outside New Zealand.
To assist your business or organisation to comply with the Act and the privacy principles, you should seek to ensure that the contract with your cloud provider deals satisfactorily with the following issues:
- The contract should be clear that all data provided by or generated for your business or organisation is owned by the business or organisation, and can only be used by the cloud provider for the purpose for which you provided the data to them (i.e. to store it).
- You should know how to access and retrieve your data from the cloud provider during and after termination of the contract.
- The cloud provider should be contractually obliged to keep your business or organisation’s information (including personal information) confidential and adequately protected. It should also be contractually obliged to be responsive to any request about its confidentiality practices, backup processes, security, and privacy as they relate to your business or organisation’s information, including personal information. You should be comfortable with such practices before signing the contract.
- Your business or organisation should try to negotiate sufficient warranties and indemnities from the cloud provider in relation to the security and confidentiality of information (including personal information). If the cloud provider seeks to exclude certain losses or limit its liability, such exclusions and liability should not apply to breaches of confidentiality or privacy.
- The contract should be clear about the level of support that will be supplied by the cloud provider to your business or organisation should you need to, for example, retrieve data to comply with an access or correction request from an individual. Consider, for example, whether support will be provided during New Zealand business hours if the cloud provider is based outside New Zealand.
- Your business or organisation may want to ensure it has the right to terminate its contract with the cloud provider for convenience. It could also prescribe the sort of assistance the cloud provider might give the business in such circumstances to allow it to shift seamlessly to another cloud provider.
Other ways to minimise your risk
In addition to negotiating the above provisions into its contract with a cloud provider, a business or organisation can consider the following precautions to minimise its risk of not complying with the Act:
- Ensure that critical operations can be immediately resumed in the event of a disruption or disaster and that the cloud provider has a response plan to reinstate all operations in a timely and organised manner.
- Understand (and, if possible, negotiate) the contract provisions and procedures for incident response to minimise the impact of disruption or disaster on the business or organisation.
- A business or organisation can reduce its risk of wrongfully disclosing personal details by ensuring that it has adequate safeguards in place to make sure that only authorised individuals are able to access its systems and information.
Each business and organisation is responsible for ensuring that personal information is transferred and stored safely, can be accessed and corrected when necessary, and will be removed when it is no longer needed.
Duncan Cotterill can assist you to identify the privacy obligations of your business or organisation, consider the privacy implications of a potential cloud provider, and negotiate an appropriate contract with your chosen cloud provider. For more information, please contact a member of our Data Protection and Privacy team.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.