by John Shingleton - Director, Shingleton Lawyers Limited LL.B, LL.M France (1989)
As more and more businesses use cloud services, it has become apparent that not all businesses appreciate their legal responsibilities under Privacy Laws in respect to the personal information of others. This is not to say using the cloud for storing information is bad. In fact it is hard to argue against the conclusion that information is better protected using a reputable cloud service such as Amazon or Microsoft compared to say a poorly secured private server, in the back office of a mid -sized firm. But, the moment you put someone else’s personal information on the cloud, you become responsible for the safety of that personal information. This means you need to not only exercise good due diligence into the cloud provider, by reviewing the cloud provider’s policy guidelines and contract for cloud services, the Privacy legislation applicable to where the information is actually physically held and any history of breaches, but also you must make sure that the personal information is encrypted at the point it departs your server or computer, and remains encrypted while held by the cloud service. The New Zealand Privacy Act 1993 further places a legal obligation to make sure there is easy access to the information, that the information can be corrected or destroyed, and that the information cannot be misused or improperly disclosed to another party .
In February 2013, The Privacy Commissioner issued some guidelines called “Cloud Computing A guide to making the right Choices. These guidelines are very helpful as a first step in appreciating the framework of compliance. However, the key is really in how you undertake that due diligence and what other steps you are able to take to protect not only the personal information of your clients and customers but also how you minimise the risk of liability. Not all laws are the same internationally. This is an issue as some countries have no privacy laws at all, yet companies offer cloud services. Without asking the right questions, you could end up placing personal information of key clients at risk. Most OECD countries have adopted the OECD Guidelines on the protection of privacy and most countries in the European Union have signed up to the Council of Europe 1981 Convention for the protection of individuals with regard to the automatic processing of personal data. So, if your data is in the cloud in Europe, chances are it is within a jurisdiction with good privacy laws. Interestingly, the United Kingdom is a signatory. Will it continue after Brexit? A serious problem with the US arises because the US Privacy laws only apply to the Federal Government and US citizens and residents. This means, if you are a New Zealand company using a cloud service based in the US, you cannot rely on US legislation. Your only protection will be through the internal policies and contract. It is fair to point out that the US Consumer Financial Bureau has adopted a policy of pretending the law applies to non- residents and encouraging agencies and companies holding information to not discriminate. But, this is all voluntary. So, what to take from all this.
As some of you know, I have started one of New Zealand’s first 100% cloud based law firms. What happens to client information was my primary consideration before launching the platform. When reviewing the cloud options, I first researched where the data centres would be, in my case I opted for Microsoft data centres in Sydney and Melbourne , with a final back up in Singapore. I reviewed Microsoft’s policies and terms of contract. I put in place automatic encryption of all information being sent to the centres, using Office 365 and Share-point. The encryption is at the same level used by governments, including the US federal government. I also back up everything locally. It was neither complicated nor overly expensive to achieve high level security. I used the services of a highly reputable IT company Code Blue.
We love to mind your business