Over the past few months, the Treasury Board of Canada has quietly been developing a government-wide policy on the use of cloud computing services. The initiative started with an industry engagement event in November that highlighted many of the issues faced by the government. Following that event, the government issued a cloud computing Request for Information that asked the industry to provide detailed information and recommendations on the government’s approach. The deadline for submissions to the RFI close today. Unfortunately, the public is unlikely to gain access to the submissions as the government has promised to keep confidential the information it receives.
The government’s cloud computing RFI provides considerable insight into its current thinking. Of particular interest are the privacy implications of using cloud computing services, particularly where the data is either hosted outside the country or by foreign-owned organizations. While the consultation asks the industry for its views on these questions, the document features proposed contractual clauses that address encryption and data storage. These include:
The Contractor must encrypt all non-public, personal and sensitive data and information in
transit to the Cloud during the life of the Contract and 90 days after termination.
The Services Provider (the Contractor) must not store any non-public, personal or sensitive data and information outside of Canada. This includes backup data and disaster recovery locations.
The Contractor and/or any and all subcontractors must ensure that all the databases
used by organizations to provide the services described in the Contract containing any
Personal Information, related to the Work, are located in Canada, the United States (US),
the European Union (EU) or in the following additional countries with which Canada has
a Bilateral and Multinational Memorandum of Understanding and Industrial Security
Arrangement: Australia, Israel, New Zealand, Norway, and Switzerland.
The government apparently hopes to conclude its process with a fully-developed cloud computing usage policy by the summer.