CIO Council guides privacy in the cloud

By Jason Miller
Executive Editor
Federal News Radio

Before an agency moves its data to a public cloud, such as those offered by Google, Amazon or Microsoft, the chief information officer and chief privacy officer should use the acquisition process to protect federal information.

Senior agency officials shouldn’t rely on the company’s terms of service agreement; instead, they should ensure the vendor is held to federal security and privacy laws, regulations and standards through the acquisition of the cloud services.

“In cases where cloud computing will include the transmittal and storage of personal identifiable information (PII), amending a cloud provider’s terms of service may not adequately cover all of the agency’s requirements, as they are not typically written with federal privacy and security requirements in mind,” states the CIO Council in new privacy recommendations for cloud computing issued Aug. 19. “Privacy and security risks are magnified when the cloud provider has reserved the right to change its terms and policies at will which is a common provision in some terms of service. Without precautions, there is no way an agency can ensure that cloud providers do not use subcontractors or that information is not transferred to other third parties without the knowledge and approval of the contracting agency.”

This is just one area the CIO Council addresses in its new document, which tries to highlight the privacy considerations when moving to cloud computing.

“The purpose of this paper, and of privacy interests in general, is not to discourage agencies from using cloud computing; indeed a thoughtfully considered cloud computing solution can enhance privacy and security,” the council states. “Instead, the purpose is to ensure that federal agencies recognize and consider the privacy rights of individuals, and that agencies identify and address the potential risks when using cloud computing.”

This is the third privacy guidance issued this summer by the CIO Council. In June, it posted the Homeland Security Department’s privacy guide and its own best practices guide to privacy. The council also issued a State of the Public Cloud report in May and makes agency case studies available monthly.

This latest document details nine potential risks, including how data for a public cloud provider could be an asset if the company goes into bankruptcy; concerns about how state, local or foreign laws may govern the search of data under court order or other informal request; and the potential harm of poor record keeping by the vendor, making it harder for the customer agency to conduct audits to ensure the proper controls are in place to keep its data secure and private.

“Organizations need to consider the laws and policies of the country where the data processing machines are located,” the document states. “For example, a cloud provider may without notice to the organization, move the organization’s information from one jurisdiction to another, from provider to provider, or from machine to machine thus creating different legal problems. Personal information that ends up maintained by a cloud provider in a European Union member state could be subject to domestic privacy laws that must follow specific EU standards. It may not be clear how the privacy laws and protections apply given these complex relationships.”

The council recommends agencies conduct a Privacy Threshold Analysis (PTA) to assess systems and data proposed for cloud storage. Additionally, the document states that if agencies are moving a legacy system that doesn’t require a privacy impact assessment (PIA) to the cloud, a PIA then would be required.

A PIA for the cloud should assess:

  • What information the agency will collect and put into the cloud.
  • Why the agency is collecting the information.
  • Intended use of the information.
  • With whom the agency will share the information.
  • What opportunities individuals have to decline to provide information or to consent to particular uses of the information and how individuals can grant consent.
  • How the agency and the cloud provider will secure information in the cloud.
  • Whether the agency is creating a system of records under the Privacy Act and if so, drafting the mandated notice for publication in the Federal Register.
  • Where the server on which the data will be stored is physically located.

There also are a number of Privacy Act considerations agencies must keep in mind. The council says if the data is on a server not controlled by the government, which is the case with public cloud computing, the cloud provider must provide accurate notice, right of access and redress, information on how they will collect, use, retain and dispose of the data and how they will meet several other requirements.

“Location of the data is a key issue, not only in terms of access and retrieval under the Privacy Act, but also in consideration of other issues such as application of foreign privacy laws, the requirements of E-Discovery, and in any Privacy Act statements on forms used to collect information from the individual,” the document states.

The council recommended agencies should involve their CPO during the initial discussions of moving to the cloud.

(Copyright 2010 by All Rights Reserved.)

