際際滷

際際滷Share a Scribd company logo

We Really Don\'t Know Clouds at All: Challenges to Privacy Compliance

E
eldercomlaw

The document discusses the challenges of privacy compliance in cloud computing. It outlines key privacy obligations under Canadian law, such as security, breach notification, limiting use and disclosure of personal information, and consent. The cloud introduces challenges in meeting these obligations due to lack of control over data location and security practices, difficulty auditing cloud systems, and uncertainty around retention and access. However, organizations can manage privacy risks by carefully selecting cloud providers with strong privacy terms and controls in contracts.

1 of 20
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
We Really Dont Know Clouds at All: Challenges to Privacy Compliance David Elder Stikeman Elliott 2nd Cloud Computing Law Federated Press Ottawa 21 June 2011 STIKEMAN ELLIOTT LLP www.stikeman.com
Outline On clouds Legal framework for privacy in canada Key privacy obligations Cloud challenges The sky is not falling SLIDE 1 STIKEMAN ELLIOTT LLP
What is Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. National Institute of Standards and Technology SLIDE 2 STIKEMAN ELLIOTT LLP
Cloud Computing Fundamentals Essential Characteristics: Deployment models: On-demand self-service Broad network access Private cloud Community cloud Resource pooling Public cloud Rapid elasticity Hybrid cloud Measured Service Service models: Key enabling technologies include: Software as a Service (SaaS) Platform as a Service (PaaS) fast wide-area networks Infrastructure as a Service powerful, inexpensive server (IaaS) computers high-performance virtualization for commodity hardware SLIDE 3 STIKEMAN ELLIOTT LLP
Legislative Framework Patchwork? Mix of Federal and Provincial Regimes Private Sector Health Sector Public Sector Employees 息 TinyApartmentCrafts SLIDE 4 STIKEMAN ELLIOTT LLP
Private Sector Privacy Provincial: B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Qu辿bec: An Act Respecting the Protection of Personal Information in the Private Sector Federal: Personal Information Protection and Electronic Documents Act SLIDE 5 STIKEMAN ELLIOTT LLP
Private Sector Privacy Federal Personal Information Protection and Electronic Documents Act Applies to collection, use and disclosure of personal information by: Private sector federal works & undertakings, including their employees Private sector organizations, in course of commercial activities, when: Transferred across provincial borders Collected, used or disclosed in province without substantially similar legislation SLIDE 6 STIKEMAN ELLIOTT LLP
Private Sector Privacy Provincial B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Qu辿bec: An Act Respecting the Protection of Personal Information in the Private Sector Apply to collection, use and disclosure of personal information by all private sector organizations in the Province Not just in course of commercial activities Including employee personal information N/A to interprovincial transfers and federal undertakings SLIDE 7 STIKEMAN ELLIOTT LLP
Health Sector Privacy Provincial: British Columbia: Personal Information Protection Act Alberta: Health Information Act Saskatchewan: Health Information Protection Act Manitoba: Personal Health Information Act Ontario: Personal Health Information Protection Act New Brunswick: Personal Health Information Privacy and Access Act Nova Scotia: Personal Health Information Act* Newfoundland & Labrador: Personal Health Information Act Federal: Personal Information Protection and Electronic Documents Act SLIDE 8 STIKEMAN ELLIOTT LLP
Health Sector Privacy Provincial health sector privacy laws generally apply to: Personal health information, held by Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including: Health care practitioners Hospitals and long-term care facilities Community health centres Pharmacies Laboratories, etc. SLIDE 9 STIKEMAN ELLIOTT LLP
Key Privacy Obligations Security Personal info must be protected by security safeguards appropriate to the sensitivity of the information Nature of safeguards will vary according to sensitivity, quantity, distribution, format, method of storage Should include physical, organizational, technological measures See PIPA Advisory #8: Implementing Reasonable Safeguards http://www.oipc.ab.ca/ims/client/upload/PIPA_Advisory_8_Reasonable_Safeguards20 07.pdf See Securing Personal Information: A Self-Assessment Tool for Organizations: http://priv.gc.ca/resource/tool-outil/security- securite/english/AssessRisks.asp?formAction=ShowPrintedAssess&methods=full SLIDE 10 STIKEMAN ELLIOTT LLP
Key Privacy Obligations Limiting Use, Disclosure and Retention Personal info to be used solely for purposes for which collected Personal info to be retained only as long as necessary to fulfil purposes for which collected, then returned, deleted or destroyed Access & Accuracy Upon request, individual has right of access to their personal information, including how used and disclosed Inaccurate or incomplete info must be corrected SLIDE 11 STIKEMAN ELLIOTT LLP
Key Privacy Obligations Accountability Organization responsible for personal info it collects Still responsible for personal info transferred to third parties for processing Breach Notification Requirement or expectation to notify Privacy Commissioner, affected individual Consent Knowledge and consent required for the collection, use and disclosure of personal information SLIDE 12 STIKEMAN ELLIOTT LLP
The Dark Side of the Cloud Out of your control, vision obscured Multiple and unknown locations, jurisdictions Focus on low cost, efficiency may mean One-size fits all service, reluctance to customize Security as a secondary focus? Co-mingling in community, public, hybrid cloud may mean potential Cross-info, segregation problems auditability? Exposure to others vulnerabilities Delays where breaches SLIDE 13 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges Obligations Cloud Challenges Security Tendency to one-size-fits all Security safeguards appropriate Cloud makes security decisions - to sensitivity of personal info not you Cloud unaware of sensitivity of info Breach Notification Need to be advised of cloud Advise Privacy Commissioner(s), breach individuals/customers How to define what notifiable Need cooperation, up-to-minute details Could be many cloud users affected SLIDE 14 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges Obligations Cloud Challenges: Limiting Use, Disclosure, Uncertainty wont be Retention mined/used for other purposes To be used solely for identified Uncertainty of retention purpose periods, foreign requirements? To be retained only as long as Right to destroy, delete, have necessary to fulfil purposes, returned then returned or destroyed Access & Accuracy Ensure individual will have Right of access access Right to correct Ensure can quickly correct incomplete or inaccurate data SLIDE 15 STIKEMAN ELLIOTT LLP
Key Privacy Obligations & Challenges Obligations Cloud Challenges: Accountability How to maintain control, visibility? Organization responsible for personal info it collects, even Difficult to audit if widely when transferred to 3rd parties dispersed, co-mingled Consent Can be need for explicit consent to storage/processing Knowledge and consent outside Canada, due to foreign required for the collection, use legal jurisdictions and disclosure of personal information Consent to cloud itself? SLIDE 16 STIKEMAN ELLIOTT LLP
Nothing New Under the Sun Control Company Outsource Offshore Cloud Risk SLIDE 17 STIKEMAN ELLIOTT LLP
I Can See Clearly Now Not for everyone Choose your provider very carefully Where located? Pick your cloud Bake key terms, levels, guarantees into contract: Security practices and requirements Breach/investigation response/CIRT Audit Liability, indemnity Subcontracting control SLIDE 18 STIKEMAN ELLIOTT LLP
Questions & Answers David Elder delder@stikeman.com STIKEMAN ELLIOTT LLP www.stikeman.com
Ad

Recommended

Six Irrefutable Laws of Information Security
Six Irrefutable Laws of Information Security
IT@Intel
Can Information Security Survive
Can Information Security Survive
IT@Intel
EXIN (3)
EXIN (3)
Fabio Azevedo,MBA ICP ITS
Internet of things
Internet of things
varungoyal98
Ipc Policy Brief Re Mcss Fippa Act
Ipc Policy Brief Re Mcss Fippa Act
ROSEMARY DECAIRES
Securing the Digital Economy: Reinventing the Internet
Securing the Digital Economy: Reinventing the Internet
accenture
MA Privacy Law
MA Privacy Law
travismd
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Protecting Industrial Control Systems V1.2, Ahmad Alanazy, 2012
Ahmed Al Enizi
A Year in Privacy: Highlights for the Courts and the Commissioner
A Year in Privacy: Highlights for the Courts and the Commissioner
eldercomlaw
The Wide Net of Canada\'s New Anti-Spam Legislation
The Wide Net of Canada\'s New Anti-Spam Legislation
eldercomlaw
Navigating Privacy And Spam Compliance In Social Media Advertising
Navigating Privacy And Spam Compliance In Social Media Advertising
eldercomlaw
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
eldercomlaw
Privacy Breaches: Legal Risks, Obligations & Best Practices
Privacy Breaches: Legal Risks, Obligations & Best Practices
eldercomlaw
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
eldercomlaw
How to Battle Bad Reviews
How to Battle Bad Reviews
Glassdoor
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
Infosec lecture-final
Infosec lecture-final
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
Dr. Donald Macfarlane
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Dr. Donald Macfarlane
Lessons in privacy engineering from a nation scale identity system - connect id
Lessons in privacy engineering from a nation scale identity system - connect id
David Kelts, CIPT
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
Bonagiri Rajitha
Understanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: Webinar
CipherCloud
Network Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.ppt
AkfeteAssefa
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
evonnehoggarth79783
Securing the Internet of Things
Securing the Internet of Things
Syam Madanapalli
DATA-PRIVACY-ACT.pptx
DATA-PRIVACY-ACT.pptx
JaeKim165097
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec
Legal update 21 september 2012
Legal update 21 september 2012
Rachel Aldighieri
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security

More Related Content

Viewers also liked (7)

A Year in Privacy: Highlights for the Courts and the Commissioner
A Year in Privacy: Highlights for the Courts and the Commissioner
eldercomlaw
The Wide Net of Canada\'s New Anti-Spam Legislation
The Wide Net of Canada\'s New Anti-Spam Legislation
eldercomlaw
Navigating Privacy And Spam Compliance In Social Media Advertising
Navigating Privacy And Spam Compliance In Social Media Advertising
eldercomlaw
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
eldercomlaw
Privacy Breaches: Legal Risks, Obligations & Best Practices
Privacy Breaches: Legal Risks, Obligations & Best Practices
eldercomlaw
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
eldercomlaw
How to Battle Bad Reviews
How to Battle Bad Reviews
Glassdoor
A Year in Privacy: Highlights for the Courts and the Commissioner
A Year in Privacy: Highlights for the Courts and the Commissioner
eldercomlaw
The Wide Net of Canada\'s New Anti-Spam Legislation
The Wide Net of Canada\'s New Anti-Spam Legislation
eldercomlaw
Navigating Privacy And Spam Compliance In Social Media Advertising
Navigating Privacy And Spam Compliance In Social Media Advertising
eldercomlaw
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
Abusive Content & Privacy/Security Breaches: Best Practices for Response ...
eldercomlaw
Privacy Breaches: Legal Risks, Obligations & Best Practices
Privacy Breaches: Legal Risks, Obligations & Best Practices
eldercomlaw
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012
eldercomlaw
How to Battle Bad Reviews
How to Battle Bad Reviews
Glassdoor

Similar to We Really Don\'t Know Clouds at All: Challenges to Privacy Compliance (20)

Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
Infosec lecture-final
Infosec lecture-final
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
Dr. Donald Macfarlane
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Dr. Donald Macfarlane
Lessons in privacy engineering from a nation scale identity system - connect id
Lessons in privacy engineering from a nation scale identity system - connect id
David Kelts, CIPT
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
Bonagiri Rajitha
Understanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: Webinar
CipherCloud
Network Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.ppt
AkfeteAssefa
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
evonnehoggarth79783
Securing the Internet of Things
Securing the Internet of Things
Syam Madanapalli
DATA-PRIVACY-ACT.pptx
DATA-PRIVACY-ACT.pptx
JaeKim165097
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec
Legal update 21 september 2012
Legal update 21 september 2012
Rachel Aldighieri
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
saurnou
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
Cyber Safe Southwark
Cyber Safe Southwark
The Integrate Agency CIC
unit-1-is1.pptx
unit-1-is1.pptx
sorabhsingh17
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk Cyber Webinar
Halvorsen on Risk
Infosec lecture-final
Infosec lecture-final
Paul Dutot IEng MIET MBCS CITP OSCP CSTM
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
IBM Security
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
Dr. Donald Macfarlane
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Data Protection & Security Breakfast Briefing - Master 際際滷s_28 June_final
Dr. Donald Macfarlane
Lessons in privacy engineering from a nation scale identity system - connect id
Lessons in privacy engineering from a nation scale identity system - connect id
David Kelts, CIPT
Presentation1 110616195133-phpapp01(information security)
Presentation1 110616195133-phpapp01(information security)
Bonagiri Rajitha
Understanding Global Data Protection Laws: Webinar
Understanding Global Data Protection Laws: Webinar
CipherCloud
Network Security for Computer science and Engineering.ppt
Network Security for Computer science and Engineering.ppt
AkfeteAssefa
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
6102015 1 McGraw-Hill-Ryerson 息2015 The McGraw-Hill .docx
evonnehoggarth79783
Securing the Internet of Things
Securing the Internet of Things
Syam Madanapalli
DATA-PRIVACY-ACT.pptx
DATA-PRIVACY-ACT.pptx
JaeKim165097
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec Webinar Part 6 of 6 GDPR Compliance, Breach Notification, Detection,...
Symantec
Legal update 21 september 2012
Legal update 21 september 2012
Rachel Aldighieri
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
Encryption and Key Management: Ensuring Compliance, Privacy, and Minimizing t...
IBM Security
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
Data Confidentiality, Security and Recent Changes to the ABA Model Rules
saurnou
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
Priyanka Aash
Cyber Safe Southwark
Cyber Safe Southwark
The Integrate Agency CIC
unit-1-is1.pptx
unit-1-is1.pptx
sorabhsingh17
Cisco Cyber Security Essentials Chapter-1
Cisco Cyber Security Essentials Chapter-1
Mukesh Chinta
Ad

We Really Don\'t Know Clouds at All: Challenges to Privacy Compliance

  • 1. We Really Dont Know Clouds at All: Challenges to Privacy Compliance David Elder Stikeman Elliott 2nd Cloud Computing Law Federated Press Ottawa 21 June 2011 STIKEMAN ELLIOTT LLP www.stikeman.com
  • 2. Outline On clouds Legal framework for privacy in canada Key privacy obligations Cloud challenges The sky is not falling SLIDE 1 STIKEMAN ELLIOTT LLP
  • 3. What is Cloud Computing? Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. National Institute of Standards and Technology SLIDE 2 STIKEMAN ELLIOTT LLP
  • 4. Cloud Computing Fundamentals Essential Characteristics: Deployment models: On-demand self-service Broad network access Private cloud Community cloud Resource pooling Public cloud Rapid elasticity Hybrid cloud Measured Service Service models: Key enabling technologies include: Software as a Service (SaaS) Platform as a Service (PaaS) fast wide-area networks Infrastructure as a Service powerful, inexpensive server (IaaS) computers high-performance virtualization for commodity hardware SLIDE 3 STIKEMAN ELLIOTT LLP
  • 5. Legislative Framework Patchwork? Mix of Federal and Provincial Regimes Private Sector Health Sector Public Sector Employees 息 TinyApartmentCrafts SLIDE 4 STIKEMAN ELLIOTT LLP
  • 6. Private Sector Privacy Provincial: B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Qu辿bec: An Act Respecting the Protection of Personal Information in the Private Sector Federal: Personal Information Protection and Electronic Documents Act SLIDE 5 STIKEMAN ELLIOTT LLP
  • 7. Private Sector Privacy Federal Personal Information Protection and Electronic Documents Act Applies to collection, use and disclosure of personal information by: Private sector federal works & undertakings, including their employees Private sector organizations, in course of commercial activities, when: Transferred across provincial borders Collected, used or disclosed in province without substantially similar legislation SLIDE 6 STIKEMAN ELLIOTT LLP
  • 8. Private Sector Privacy Provincial B.C.: Personal Information Protection Act Alberta: Personal Information Protection Act Qu辿bec: An Act Respecting the Protection of Personal Information in the Private Sector Apply to collection, use and disclosure of personal information by all private sector organizations in the Province Not just in course of commercial activities Including employee personal information N/A to interprovincial transfers and federal undertakings SLIDE 7 STIKEMAN ELLIOTT LLP
  • 9. Health Sector Privacy Provincial: British Columbia: Personal Information Protection Act Alberta: Health Information Act Saskatchewan: Health Information Protection Act Manitoba: Personal Health Information Act Ontario: Personal Health Information Protection Act New Brunswick: Personal Health Information Privacy and Access Act Nova Scotia: Personal Health Information Act* Newfoundland & Labrador: Personal Health Information Act Federal: Personal Information Protection and Electronic Documents Act SLIDE 8 STIKEMAN ELLIOTT LLP
  • 10. Health Sector Privacy Provincial health sector privacy laws generally apply to: Personal health information, held by Health Information Custodians: persons or organizations with custody or control of PHI in performing duties, including: Health care practitioners Hospitals and long-term care facilities Community health centres Pharmacies Laboratories, etc. SLIDE 9 STIKEMAN ELLIOTT LLP
  • 11. Key Privacy Obligations Security Personal info must be protected by security safeguards appropriate to the sensitivity of the information Nature of safeguards will vary according to sensitivity, quantity, distribution, format, method of storage Should include physical, organizational, technological measures See PIPA Advisory #8: Implementing Reasonable Safeguards http://www.oipc.ab.ca/ims/client/upload/PIPA_Advisory_8_Reasonable_Safeguards20 07.pdf See Securing Personal Information: A Self-Assessment Tool for Organizations: http://priv.gc.ca/resource/tool-outil/security- securite/english/AssessRisks.asp?formAction=ShowPrintedAssess&methods=full SLIDE 10 STIKEMAN ELLIOTT LLP
  • 12. Key Privacy Obligations Limiting Use, Disclosure and Retention Personal info to be used solely for purposes for which collected Personal info to be retained only as long as necessary to fulfil purposes for which collected, then returned, deleted or destroyed Access & Accuracy Upon request, individual has right of access to their personal information, including how used and disclosed Inaccurate or incomplete info must be corrected SLIDE 11 STIKEMAN ELLIOTT LLP
  • 13. Key Privacy Obligations Accountability Organization responsible for personal info it collects Still responsible for personal info transferred to third parties for processing Breach Notification Requirement or expectation to notify Privacy Commissioner, affected individual Consent Knowledge and consent required for the collection, use and disclosure of personal information SLIDE 12 STIKEMAN ELLIOTT LLP
  • 14. The Dark Side of the Cloud Out of your control, vision obscured Multiple and unknown locations, jurisdictions Focus on low cost, efficiency may mean One-size fits all service, reluctance to customize Security as a secondary focus? Co-mingling in community, public, hybrid cloud may mean potential Cross-info, segregation problems auditability? Exposure to others vulnerabilities Delays where breaches SLIDE 13 STIKEMAN ELLIOTT LLP
  • 15. Key Privacy Obligations & Challenges Obligations Cloud Challenges Security Tendency to one-size-fits all Security safeguards appropriate Cloud makes security decisions - to sensitivity of personal info not you Cloud unaware of sensitivity of info Breach Notification Need to be advised of cloud Advise Privacy Commissioner(s), breach individuals/customers How to define what notifiable Need cooperation, up-to-minute details Could be many cloud users affected SLIDE 14 STIKEMAN ELLIOTT LLP
  • 16. Key Privacy Obligations & Challenges Obligations Cloud Challenges: Limiting Use, Disclosure, Uncertainty wont be Retention mined/used for other purposes To be used solely for identified Uncertainty of retention purpose periods, foreign requirements? To be retained only as long as Right to destroy, delete, have necessary to fulfil purposes, returned then returned or destroyed Access & Accuracy Ensure individual will have Right of access access Right to correct Ensure can quickly correct incomplete or inaccurate data SLIDE 15 STIKEMAN ELLIOTT LLP
  • 17. Key Privacy Obligations & Challenges Obligations Cloud Challenges: Accountability How to maintain control, visibility? Organization responsible for personal info it collects, even Difficult to audit if widely when transferred to 3rd parties dispersed, co-mingled Consent Can be need for explicit consent to storage/processing Knowledge and consent outside Canada, due to foreign required for the collection, use legal jurisdictions and disclosure of personal information Consent to cloud itself? SLIDE 16 STIKEMAN ELLIOTT LLP
  • 18. Nothing New Under the Sun Control Company Outsource Offshore Cloud Risk SLIDE 17 STIKEMAN ELLIOTT LLP
  • 19. I Can See Clearly Now Not for everyone Choose your provider very carefully Where located? Pick your cloud Bake key terms, levels, guarantees into contract: Security practices and requirements Breach/investigation response/CIRT Audit Liability, indemnity Subcontracting control SLIDE 18 STIKEMAN ELLIOTT LLP
  • 20. Questions & Answers David Elder delder@stikeman.com STIKEMAN ELLIOTT LLP www.stikeman.com
About
息 2025 際際滷