Cloud computing – new Privacy Commissioner guidance

The Privacy Commissioner recently released guidance material for small to medium sized businesses (SMEs), to help them protect personal information when using cloud computing. 

“Businesses today are increasingly turning to cloud computing, but many are flying blind with the range of options, providers and risks. Shifting to the cloud can often make really good sense. But responsible businesses will always want to be sure that their client and staff information will be safe. We saw a gap in the guidance that was available,” says Privacy Commissioner Marie Shroff. 

“The reality is you’re still responsible for what happens to your customers’ information in the cloud. You are going to be the one answering the questions about what went wrong if there’s a privacy breach. A loss of customer trust will directly hit a business’ bottom line, so a lot of SMEs are nervous about using the cloud. But sometimes they’re too nervous – the risks may be easier to manage than they think. 

“Deciding whether to move to the cloud is a business decision that depends on a variety of factors – but businesses don’t necessarily have time to put together a checklist for themselves. So we’ve developed some guidance, including a list that sets out the most important questions for SMEs to think about, and ask prospective cloud providers about.”

Some questions to ask providers are:

• What information will you be sending to the cloud? Some types of information are more sensitive or risky than other types of information.

• How will you keep the information secure, both while it’s crossing the Internet and when it’s stored with your cloud provider?

• Will your cloud provider tell you if there’s a security breach, or if the information is accessed by anyone other than you?

• Where will the information be stored? Some countries may not protect the information as strongly as you would like. 

• Can you get the information back – quickly – if you want it?

• Who else might see the information and why?

• Will the cloud provider delete the information if you decide to move service, or if you don’t need it any more?

 

“We started by talking to some New Zealand businesses and government agencies to see how they were using the cloud, and work out where the information gaps might be. We’ve also consulted those businesses and agencies in developing the guidance. We welcome feedback to help us ensure that the guidance remains up to date and useable throughout the business and government community,” Marie Shroff said.