This report focuses on the growing interest in and use of cloud computing services by public sector institutions across Ontario.
However, the expected benefits of migrating internal operations to the cloud need to be tempered by an acknowledgement of the privacy, security and compliance risks associated with “outsourcing” personal information to third parties for processing and storage.
The IPC advocates an informed, principled approach under FIPPA and MFIPPA when considering cloud computing services. This should include appropriate planning, consultation and co-ordination, project documentation, risk analyses, data minimization, due diligence, effective contracts and a credible incident management strategy.
The intent of this paper and the recommended mitigation strategies is to ensure that Ontario public institutions remain effectively in control of, and fully accountable for, the personal information entrusted to them by Ontarians under FIPPA and MFIPPA.
Institutions should consult legal and other relevant expertise whenever undertaking significant cloud-related initiatives that may have an impact on the privacy of Ontarians.