Consider this: A service organization we’ll call CloudCo collects and compiles personal information from its corporate customer. The individual whose personal information is being collected has a relationship directly with the corporate customer, but not with CloudCo. The personal information has been shared with CloudCo without the individual’s knowledge or consent. Sound familiar?
Many cloud service providers host personal information without any direct relationship with the individual. Maybe they rely on assurances from their own customer. Or they may simply collect personal information without thinking through the privacy implications.
This recent decision of the Information & Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers.
What can other service companies - including cloud service providers - take away from this case?
Cloud service providers should consider if they are “collecting” any personal information themselves, or merely providing a service which allows their customer to store information in the cloud. When a service provider collects personal information, it must obtain consent. In this case, the service provider did not provide any notice to the individual of its collection of her personal information, did not indicate its purposes, did not provide the name of someone who could answer her questions. It apparently did not inform the trucking companies about its purposes in collecting the personal information. All of this was in contravention of privacy laws.
If a service provider is merely providing space on a server, the terms of service should address privacy issues, and make it clear that no personal information is collected, used or disclosed by the cloud provider.
Termination issues should also be addressed in the agreement. What happens to that data when the service relationship ends?
Consider the position of the trucking company: in this case, the trucking company shared personal information about individuals with the “Bureau”. When personal information is disclosed in such a way, the trucking company should be asking: Was this disclosure authorized by the individual? What is the purpose of the disclosure? What contractual restrictions are placed on the recipient, to ensure that the personal information is used in accordance with the consent from the individual. In the cloud context, this means contractual terms that directly address the privacy issues.
Get privacy advice when entering into cloud-based service agreements.