A threshold issue for the enterprise is to assess whether its compliance obligations permit the use of a cloud-based service. Such compliance obligations may arise under the general law (such as privacy statutes), under the specific requirements of certain regulated industries, or as a result of contractual or other limitations on the enterprise.


Absent these specific constraints, private sector businesses in Canada can generally use cloud service providers, provided that such service providers are managed so as to provide a comparable level of protection for the personal information collected by the enterprise. The enterprise remains responsible for that compliance.

Considerations for choosing a cloud service provider

A cloud service is typically made up of a variety of different entities. The enterprise may not be aware of all of them, or may have no contractual privity with some of the application provider’s subcontractors, such as an infrastructure provider, O/S provider, storage provider, etc.

Some enterprises are regulated as to where data can reside, be processed, or be stored (for example, healthcare, financial services, and public bodies). Where the service provider stores data outside of Canada, the enterprise needs to confirm whether its privacy policies address any required disclosure and other compliance requirements.

Other things to consider

Other considerations of an enterprise seeking to focus on compliance with its responsibilities in respect of personal information (data) processed by a cloud service provider would include:

  • Assess which security and privacy compliance standards the cloud service provider complies with. Are these standards consistent with the enterprise's compliance requirements? Many credible compliance standards involve third-party audits. The enterprise should review these audit reports to assess the service provider's compliance with the standard.
  • Assess the service provider’s security compliance track record. Have there been data breaches? If so, what was the vulnerability? Was it addressed? How did the service provider respond?
  • Assess the service provider's use of encryption and whether it is applied to data in motion (e.g. during transmission) and data at rest (while stored).
  • Assess the backup arrangements available and the protections and availability of such services.
  • The cloud service provider will typically offer services under a service level agreement in which performance standards for the services are outlined. The enterprise should assess whether the standards meet its operational needs. The agreement should permit service verification, including the enterprise’s right to audit, access to key subcontracts, data recovery and backup plans, and a service provider duty to report service level compliance (uptime, lag and latency, etc.).
  • The service agreement should impose a duty on the service provider to promptly report material non-compliance with its obligations, including remedial efforts and implications.
  • A critical term is clarity that the enterprise’s data is owned by, and always available to, the enterprise. The service provider should have no use of the data other than to provide the service. The service level agreement should provide for transitional assistance when the enterprise moves off the service.
  • The agreement should prohibit suspension of service without sufficient notice from the service provider, and bona fide fee disputes should not be a sufficient reason to suspend the service.