Tony Conaghan and Ray Marshall

Cloud Computing Legal Primer Pt 1: Confidentiality in the Cloud

Tony Conaghan and Ray Marshall

2 July 2015

Confidentiality and Privacy IT

In the first of a three-part series on cloud computing legal concerns, we will be looking at what is often the first question asked by customers: how do I know that my data will be kept private and secure?


Anyone who uses cloud computing services for any commercially sensitive activity has an obvious interest in ensuring that information is accessible only by authorised persons.


If you have entered into any confidentiality agreement or undertaking, you may have an obligation to one or more other parties to ensure that data received from them (or derived from such data) is kept confidential. If you are bound by the Privacy Act 1988 (Cth), you have a legal obligation to ensure that your privacy policy clearly explains how the personal information in your possession or control may be used, including any offshore data storage or transfer.


Of course, to ensure you are compliant with your obligations, or to make full disclosure, requires that you be fully informed yourself. Completing your due diligence in relation to cloud storage data security and confidentiality is more than simply accepting what is presented to you, but making your own enquiries to ensure that the service that you are using meets your commercial and legal requirements and that your service provider will maintain compliance with those requirements.


In some circumstances, you may want (or need) to implement further data security measures. For example, you may have legal or contractual obligations which require a particular standard for confidentiality, or be in possession of highly sensitive commercial information beyond the norm. In these circumstances, it may be appropriate to consider further technological protection measures such as encryption and two-factor authentication.


As part of the annual Privacy Awareness Week in May 2015, the Office of the Australian Information Commissioner published a privacy business resource on sending personal information overseas. This resource sets out the Commissioner’s recommendations for dealing with personal information stored or used offshore and may provide useful guidance to anyone looking at moving data to the cloud, even if the service provider is Australian-based.


It is also important to remember, as is well known to data security experts, that one of the weakest parts of any data security system is behind the keyboard. Comprehensive legal and technological protection may not be sufficient to prevent inadvertent or deliberate misuse of confidential data by a human user. Sound confidentiality starts in the workplace ( wherever that may be nowadays)  including making sure that all staff are aware of the need to keep confidential or private information confidential and ensuring that measures are taken to prevent the most commons forms of inadvertent information disclosure (BYO devices, insecure VPN, misplaced USB drives, etc.).


Questions to consider


  1. Does the cloud service agreement provide terms regarding confidentiality of data? What rights does the service provider obtain over data?
  2. What software security standards does the service provider follow? Has the implementation of these standards been audited by an independent and trusted body?
  3. Where is the data physically stored (e.g. on-shore or off-shore)?¬† What, and how many, interconnections are there between the “primary” data centre and your office?
  4. What physical security measures are in place to prevent unauthorised access to data servers? Does the service provider have exclusive physical access to the servers or is server space shared with other parties? What measures are in place to ensure that the service provider’s employees do not access data without authorisation?
  5. If your data is accessed without authorisation, is there a process in place for notifying you of the breach?


The next instalment of this series titled ‘Cloud Computing Legal Primer Pt 2: It’s 2015. Do you know where your data is?‘ will be published here next week.