Privacy and Security Guidance: Cloud Computing in the MUSH Sector

by Dentons


I. Purpose of this Guidance Document and How to Apply

II. Why Focus on the MUSH Sector?

III. What is Cloud Computing?

IV. Why Use the Cloud?

V. Due Diligence on the Cloud

VI. ISO/IEC 27018 Standard for Privacy on the Cloud

VII. Frequently Asked Questions

I. Purpose of this Guidance Document and How to Apply

This document is intended to be used by decision makers in the MUSH Sector when considering using cloud services.

The document compiles observations and recommendations from a roundtable discussion held June 16, 2015. The discussion was based on a preliminary document on cloud computing for the MUSH Sector prepared by Dentons Canada LLP. Operational advice was provided by experts from academic, medical, government, and private institutions.

II. Why Focus on the MUSH Sector?

Cloud computing is attractive to any organization holding personal information with limited means to secure it. Ensuring privacy and security is a particular challenge for organizations in the MUSH Sector: in order to provide essential services, they must collect and hold highly sensitive data, yet they have limited resources to protect it. Not surprisingly, these organizations appear to be increasingly vulnerable to information security breaches.

Examples of Identified Operational Cloud Risks and Benefits in Health Care Institutions

[Figure: Risks and Benefits 1]

Examples of Identified Operational Cloud Risks and Benefits in Educational Institutions

[Figure: Risks and Benefits 2]

III. What is Cloud Computing?

The National Institute of Standards and Technology of the United States Department of Commerce (“NIST”) defines cloud computing as ubiquitous access to a shared pool of configurable computing resources. These resources could be networks, servers, storage, applications, or services. Five characteristics of cloud computing include:

[Figures: Characteristics of Cloud Computing; Service Models; Deployment Models]

IV. Why Use the Cloud?

The Office of the Privacy Commissioner of Canada identifies the main benefits of cloud computing as:
  • Scalability, by offering unlimited storage and processing capacity;
  • Reliability, since it eliminates the risk of losing paper, laptops, or hard drives and allows access to documents and applications via the Internet worldwide;
  • Cost savings, since resources are pooled for optimal safeguards thus eliminating the need for investment in infrastructure;
  • Efficiency, as the freeing up of resources through the pooling of expertise allows focus on other priorities; and
  • Access to new technology as the cloud providers, being more resourceful and specialized in the area, are in a position to offer a much wider choice.

The Québec Commission d’accès à l’information adds: increased storage capacity and opportunity to base expenses on actual use. Experts underline the low cost of cloud computing and worldwide availability.

A survey conducted by SafeGov indicated why many organizations are ‘going cloud’:


V. Due Diligence on the Cloud

When considering whether to move to cloud computing, MUSH organizations should exercise due diligence commensurate to the sensitivity of the personal information they hold by:

  1. assessing organizational needs and available cloud computing services;
  2. examining legal obligations in relation to privacy protection;
  3. performing a risk/benefit analysis of cloud computing in relation to their particular mandate; and
  4. negotiating with the cloud provider,
  • Appropriate authentication/access controls that correspond with the sensitivity of the data;
  • Business continuity measures to prevent data loss in case of an outage, particularly if essential services are provided;
  • Capacity to integrate existing directory services, considering the number of files on one individual as well as the fact that some files may go to the cloud and others not;
  • Financial stability, technological security, track record and corporate responsibility, to ensure long term service, considering the essential, long-term mandates of MUSH organizations;
  • Clear policies for cookies, data collection minimization, use, retention and disclosure, and individual access rights;
  • Protocol for managing encryption;
  • Termination clauses to recover or delete all personal information held in the cloud;
  • Plan for data breach response;
  • Breach insurance or indemnification;
  • Transparent policies about purposes of cloud out-sourcing and in obtaining consent, considering the sensitivity of data collected in the MUSH Sector;
  • Describing each party’s obligations;
  • Providing for periodic audits.

These clauses are essential and yet may be difficult to secure. Many MUSH institutions find themselves faced with “take it or leave it” cloud computing contracts. A solution is to go with a cloud provider compliant with ISO/IEC 27018, the Code of Practice for Personally Identifiable Information (“PII”) Protection in Public Clouds Acting as PII Processors, which requires all these guarantees as a matter of certification.

VI. ISO/IEC 27018 Standard for Privacy on the Cloud

ISO/IEC 27018 is the International Code of Practice for Personally Identifiable Information (“PII”) Protection in Public Clouds Acting as PII Processors. The Office of the Privacy Commissioner of Canada – with input from representatives of the Government of Canada, other states and Data Protection Authorities – has significantly contributed to the development of the standard. It is not the only standard for data protection in the cloud, but it has unique value in that it:

  • offers a single, standardized, international set of privacy controls that align closely with existing privacy requirements;
  • integrates directly into a data security framework; and
  • has the highest compliance mechanisms through a certification process issued by an independent auditor and annual audits to ensure ongoing compliance.

This new standard holds certified cloud service providers to the following main obligations:

  • Customer control: Store and use personal information exclusively in accordance with the instructions of the cloud customer and do not require the customer to consent to the use of their data for advertising and marketing purposes as a condition of their use of the service;
  • Data retention: Establish a retention period after which customer data will be permanently returned or deleted;
  • Accountability:
    • Disclose sub-processors of personal data, notify the cloud customer of any changes in sub-processors, and provide the customer the opportunity to terminate their agreement if they object to a change;
    • Promptly notify the cloud customer of any breach, unauthorized access to personal information or unauthorized access to processing equipment or facilities resulting in loss, disclosure or alteration of personal information;
    • Disclose the countries in which a cloud customer’s personal information might be stored;
    • Undergo an annual audit by the cloud customer or by an independent auditor.
  • Non-disclosure: Reject any requests for personal information disclosure that are not legally binding and consult with the relevant cloud customer unless notification is prohibited (for example if it compromises an investigation); and
  • Safeguards: Implement technical and organizational safeguards to protect personal information.

The main advantages of ISO/IEC 27018 for the MUSH sector are as follows:

  • Selecting a cloud service provider that is ISO/IEC 27018 compliant supports the cloud customer’s due diligence efforts;
  • The annual independent audit required by ISO/IEC 27018 provides the cloud customer ongoing assurance that the cloud service provider remains in compliance with the standard’s requirements; and
  • Because ISO/IEC 27018 is built on ISO/IEC 27001 and 27002 (INSERT NAME), the cloud service customer benefits from the enhanced security of a cloud service that adheres to international security standards.

VII. Frequently Asked Questions

  • Question: Are data centers in the United States subject to the USA PATRIOT Act?
    • Answer: Yes, and the sharing of data between Canadian and US law enforcement agencies occurs whether or not information is stored in the cloud. However, ISO/IEC 27018 requires cloud service providers to deny any request for personal information from law enforcement authorities without consent unless there is a legally binding authority, and even then the cloud provider will consult the cloud customer, unless prohibited by law. Customers should negotiate this requirement with their non-certified cloud provider.
  • Question: Should the cloud customer encrypt data to be stored on the cloud?
    • Answer: Yes. Encryption is an important safeguard. Cloud customers should use cloud providers that encrypt data “in transit” between their customers and their service, between their data centers, and “at rest”. The ISO/IEC 27018 Standard states that “PII (personal identifiable information) that is transmitted over public data-transmission networks should be encrypted prior to transmission.”
  • Question: Can personal data be mined in the cloud for advertising/marketing purposes?
    • Answer: Yes, with the customer’s consent. However, ISO/IEC 27018 prohibits a cloud service provider from making such consent a mandatory condition for using the service. The cloud provider holds the information on behalf of the customer much like a bank holds deposits in a safety deposit box on behalf of its customers.
  • Question: How effective are contractual obligations to protect data?
    • Answer: A cloud provider that has made the significant investment to bring its operations in line with ISO/IEC 27018 to obtain certification, and whose business rests on that certification, will treat ISO/IEC 27018 obligations with the utmost seriousness. Breach of those obligations could result in the cloud provider failing an audit and losing its certification. If a cloud customer relies solely on contractual terms, it may not know if the cloud service provider is complying with those obligations absent a private audit (which the customer may not have the contractual right to demand, and if it does, may be too costly to be practical).
  • Question: Which laws apply to cloud service providers?
    • Answer: In Canada, the cloud customer is responsible for ensuring that the cloud provider that receives the data for processing provides a “comparable level of protection [to which the cloud customer is obligated under Canadian law] while the information is being processed” by the cloud provider. This is ensured by contractual or other means.

The cloud provider is bound by contract to respect the data protection obligations of the cloud customer. ISO/IEC 27018 certified cloud providers also undertake to offer “support for and commitment to achieving compliance with applicable PII protection legislation and the contractual terms agreed (between) the public cloud processor and its clients (cloud service customers)”. However, the cloud provider is also bound by the law applicable in the territory where it is located. For that reason, requests from government authorities of the territory of the cloud provider apply to disclosure of that data. It is with that in mind that ISO/IEC 27018 requires certified cloud providers to disclose to the cloud customers the location of their servers as well as the countries of origin of their sub-contractors.


1 See Anna Wilde Mathews & Danny Yadron, ‘Health Insurer Anthem Hit by Hackers’, Wall Street Journal, 4 February 2015; Natasha Singer, ‘Uncovering Security Flaws in Digital Education Products for Schoolchildren’, The New York Times, 8 February 2015.

2 This section benefited from information provided by NIST, the United Kingdom Information Commissioner’s Office (“ICO”), and the Office of the Privacy Commissioner of Canada (OPC). See Peter Mell & Timothy Grance, NIST Special Publication 800-145 ‘The NIST Definition of Cloud Computing’, September 2011; ‘Guidance on the use of cloud computing’, UK ICO, 2012; ‘Fact Sheets: Cloud Computing’, Office of the Privacy Commissioner of Canada, 4 October 2011.

3 ‘Report on the 2010 Office of the Privacy Commissioner of Canada’s Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing’, Office of the Privacy Commissioner of Canada, May 2010.

4 Martin PJ Kratz, Canada’s Internet Law in a Nutshell (Carswell, 2013), at 488; ‘Privacy in Cloud Computing’, ITU-T Technology Watch Report, March 2012.

5 Chart 3, ‘Survey on Cloud Computing and Law Enforcement’, The International Association of Chiefs of Police (IACP), the Ponemon Institute, and SafeGov, January 2013.

6 Based on ISO/IEC 27018 and guidance from the following documents: ‘Department Releases New Guidance on Protecting Student Privacy While Using Online Educational Services’, US Department of Education, 25 February 2014.

Wayne Jansen & Timothy Grance, ‘Guidelines on Security and Privacy in Public Cloud Computing’, Special Publication 800-144, US Department of Commerce National Institute of Standards and Technology, December 2011.

See Jeffrey White, ‘Cloud Computing in Healthcare: Is there a Silver Lining?’, Aspen Advisors, December 2010; ‘Cloud Computing for Health Care Organizations’, Foley & Lardner LLP Health Care Industry Team and IT & Outsourcing Practice, 26 November 2012.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dentons | Attorney Advertising
