IBM Corporation

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Archived

This page has been archived on the Web.

December 10, 2010

2010 Consumer Privacy Consultations,
Office of the Privacy Commissioner of Canada,
112 Kent Street
Ottawa, ON,
K1A 1H3

Subject: Privacy Implications of Cloud Computing / Feedback on Safeguards
Via email to: consultation1@priv.gc.ca

Dear Commissioner:

Thank you for seeking feedback on the issue of safeguards in the cloud computing environment. In response to your request for further input on work being done in this area, we submit this response from IBM.

IBM believes that cloud computing represents a new era of responsiveness, effectiveness and efficiency in IT service delivery – not a new technology in and of itself. In its essence, cloud computing is a style of computing whose foundation is the delivery of services, software and processing capacity using private or public networks.

Accordingly, cloud computing should not be an impetus by itself for new policies on privacy and security.

Citizen expectations for data privacy and security need to be met and monitored as they would for any system. Cloud computing does not fundamentally change nor alter security and privacy risks and requirements. Regulatory and jurisdictional requirements for electronic data management (e.g., hacking prevention and penalties, data security and privacy, data retention and disposal, breach notification, etc.) must be uniform across the country / globe and across technologies be they ?cloud?, stand-alone computers or larger server environments.

Today's IT environment in many organizations--and especially in those of their IT service providers--must support enormous numbers of devices and services; it is thus not surprising to see data centers embracing a much more standardized, process oriented and industrialized approach to services management and delivery. Industry participants like IBM continue to review and upgrade their existing security practices in this dynamic environment.

This close attention to the safeguarding or security of data is not unique to cloud computing and, we would submit, should not be addressed by governments in actions specifically aimed at cloud computing or other forms of computing.

In a common configuration of cloud computing, much of the control over the computing infrastructure operation shifts from the enterprise (customer) using the cloud to the cloud provider. This is similar to the responsibility shift that occurs when organizations entrust all or part of their IT operations to service providers via what is known as outsourcing. In such environments, the security provisions put in place to safeguard data will be established by contract between the cloud provider and the customer. Often, those provisions will be dictated by existing regulatory obligations and accountability the customer already has because of sectoral privacy or security obligations. In others, the security provisions and practices will vary based on the sensitivity of the data and the type of cloud deployed. In either case, the customer generally retains the direct relationship with the ultimate consumer, including on matters such as breach notification. The same is true for data retention, for instance, and the privacy points about notice, purpose, access, etc.

Thus, an enterprise using a cloud must ensure that the cloud provider's standard security procedures and offerings are adequate for the purpose of protecting the content that it wants to host in the cloud.

As mentioned in our original submission, we think industry-driven open standards will benefit cloud users by establishing baseline data security features common across the architecture of the cloud and by allowing cloud users to more easily compare offerings (from a data security perspective as well as for other concerns). That being said, governments should allow standards to develop within the industry; any new regulation aimed at safeguarding data should be strictly technology-neutral in order to allow for innovation in addressing the security and other needs that emerge in the most efficient fashion.

In other words, developments in emerging technology and concerns about the adequacy of safeguards for data should not result in legislative changes specific to the protection of personal information. Instead, as more and more privacy-by-design practices are incorporated into the new technologies and how they are used, data security improvements should continue to evolve, both for cloud computing and outsourcing.

We believe the fundamental principle of accountability, the underlying principle of PIPEDA and other relevant regulations, sufficiently incentivizes those who are accountable to be responsible collectors and users of data, and to look to their providers and suppliers to be the same.

With regards,

Yim Chan,
Global Privacy and Data Protection Executive, IBM Corporation
Chief Privacy Officer, IBM Canada