Language selection

OPC Logo Office of the Privacy Commissioner of Canada

Search

Frequently asked questions about cloud computing

October 2011

What is cloud computing?

Simply put, cloud computing is the delivery of computing services over the Internet. Whether they realize it or not, many people use cloud computing services for their own personal needs. For example, many people use social networking sites or webmail, and these are cloud services. Photographs that people once kept on their own computers are now being stored on servers owned by third parties. These are also examples of cloud services.

Cloud services are popular because people can access their e-mail, social networking site or photo service from anywhere in the world, at any time, at minimal or no charge. Some cloud providers may, however, use the personal information of users for advertising purposes or to learn more about the users for other reasons. The Office of the Privacy Commissioner of Canada (OPC) has been critical of some of these practices, largely because they occur without individuals fully realizing how their personal information is being used “in the cloud.” Individuals should pay careful attention to whether and how the cloud company protects their personal information. Users should also protect their own personal information by using any privacy settings that the service may offer.

Can cloud computing affect privacy?

When it comes to cloud computing, the security and privacy of personal information is extremely important. Given that personal information is being turned over to another organization, often in another country, it is vital to ensure that the information is safe and that only the people who need to access it are able to do so. There is the risk that personal information sent to a cloud provider might be kept indefinitely or used for other purposes. Such information could also be accessed by government agencies, domestic or foreign (if the cloud provider retains the information outside of Canada).

For businesses that are considering using a cloud service, it is important to understand the security and privacy policies and practices of the provider. The terms of service that govern the relationship with the provider sometimes allow for rather liberal usage and retention practices.

Which party is accountable for personal information? The business that collects it from individuals or the cloud provider?

The Personal Information Protection and Electronic Documents Act (PIPEDA) does not prohibit cloud computing, even when the cloud provider is in another country. Under PIPEDA, organizations must ensure that they collect personal information for appropriate purposes and that these purposes be made clear to individuals; they obtain consent; they limit collection of personal information to those purposes; they protect the information; and that they be transparent about their privacy practices.

PIPEDA also requires that when an organization transfers personal information to a third party for processing, it remains accountable for that information. It must use contractual or other means to ensure that the personal information transferred to the third-party is appropriately protected. Therefore, an organization that is considering using a cloud service remains accountable for the personal information that it transfers to the cloud service, and it must ensure that the personal information remain protected in the hands of that cloud service provider. Organizations need to carefully review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA. For more information on transferring of personal information to third parties, please see our Guidelines for Processing Personal Data Across Borders.

Why are organizations interested in cloud computing?

Cloud computing can significantly reduce the cost and complexity of owning and operating computers and networks. If an organization uses a cloud provider, it does not need to spend money on information technology infrastructure, or buy hardware or software licences. Cloud services can often be customized and flexible to use, and providers can offer advanced services that an individual company might not have the money or expertise to develop.

I've heard that cloud computing may improve privacy protection. Is this true?

For businesses that are considering using a cloud service, cloud computing could offer better protection of personal information compared with current security and privacy practices. Through economies of scale, large cloud providers may be able to use better security technologies than individuals or small companies can, and have better backup and disaster-recovery capabilities. Cloud providers may also be motivated to build privacy protections into new technology, and to support better audit trails.

On the other hand, while cloud computing may not increase the risk that personal information will be misused or improperly exposed, it could increase the scale of exposure. The aggregation of data in a cloud provider can make that data very attractive to cybercriminals, for example. Moreover, given how inexpensive it is to keep data in the cloud, there may be a tendency to retain it indefinitely, thereby increasing the risk of breaches.

Date modified: