Definition
Cloud computing involves data being stores remotely and instead of accessing that information locally, on your computer drive, the data is accessed on the internet.
Examples
- Reviewing a document that someone else created on Google Docs
- Signing a contract on DocuSign
- Saving a client’s file on TitanFile
- Uploading documents onto Closing Folder
Lawyer’s obligations when using cloud services
- Knowing where the cloud company is storing client’s personal information
- Know how cloud companies are handling client’s personal information
- Understand the security and privacy policies and practices of the provider
- Review the terms of service of the cloud provider and ensure that the personal information it entrusts to it will be treated in a manner consistent with PIPEDA.
Practice Tip
- If an organization has obtained an individual’s consent to collect and use personal information for a specific purpose, it does not need separate consent when outsourcing to a cloud provider to process the information for the same purpose outlined at the time of collection. Ideally, at the time of collection, organizations should inform customers in clear and understandable language that their information may be processed by a third-party service provider.
- What would your customers think of the proposed uses? You need to maintain the trust of your customers, while providing them with the best possible service and protection.
Learn More:
The pros and cons of cloud computing
| Pros | Cons |
|---|---|
| Accessing information anywhere in the world | Potential for others to access your information |
| Peace of mind when crossing borders knowing there is no client information on your computer | Potential for the cloud company to keep the stored information indefinitely |
| Reduce the cost and logistics of owning technology infrastructure, hardware or software licences | Potential for the cloud company to use the sorted information for purposes which the user did not expect |
Learn More:
Questions to ask before using cloud services
Why the cloud?
What information will you input into the service? How sensitive is the information? What are the benefits and risks? What are your privacy obligations?
How can you ensure that you maintain control over the data?
Does your organization maintain control over how the data is used, accessed and retained? Does the cloud provider claim limited liability in the event of a breach? Does the contract include termination procedures that require the provider to delete personal information?
What security measures are in place?
Will the provider encrypt the information? Does the provider have authentication procedures? What are the notification procedures in the event of a security breach?
Unexpected uses
What does the cloud provider do with the information? Is the provider allowed to sell the information or analyse the data for its own purposes?
What is the level of transparency
Do your clients know that you are using cloud services? If the provider uses the information for a purpose not originally anticipated, how will you manage obtaining consent from your clients?
How accessible is the information
Does the provider allow you to meet your obligation to allow individuals to access their personal information? Are you able to transfer the data to a new provider?
The location of the data
Where will the data be stored? Are there risks to having the data stored in that jurisdiction? Are there foreign entities that are allowed access to that information?
Learn More:
- Cloud computing and privacy
- Cloud computing for small and medium-sized enterprises
- Cloud Computing Guide
Can you store information outside of the country or province/territory
PIPEDA (Principle 4.1.3 of Schedule 1 of PIPEDA)
- Does not prohibit even when the provider is outside of Canada
- Organizations are accountable for the personal information that it transfers to the cloud service
- Ensure that the personal information remain protected in the hands of that cloud service provider.
Privacy Act
- Does not address cross border data processing
- Treasury Board requires that an assessment is done to determine whether using services that store personal information outside of Canada is appropriate
PIIDPA - Nova Scotia (S.5)
- Prohibits the storage or access of information outside of Canada
- Applies to public sector bodies
- Permit head of public body to allow if it’s in the public bodies necessary operations
PIPA – Alberta (S.13.1(2), 13.1(3))
- People must receive notice about cross border data transfers
Act Respecting the Protection of Personal Information in the Private Sector - Quebec
- Requires a privacy impact statement before communicating personal information outside the province (S.17)
- Ensure the information would receive adequate protection (S.17)
- Written agreement with terms to mitigate risks (S.17)
Health Legislation in General
- Most prohibit disclosures outside of Canada without consent, some outside of the province
Learn More:
- Guidelines for processing personal data across borders
- Privacy and outsourcing for federal institutions
What Does the Model Code Say About Withdrawal From Representation and Confidentiality
Rule 3.7-1
A lawyer must not withdraw from representation of a client except for good cause and on reasonable notice to the client.
Rule 3.7-2
If there has been a serious loss of confidence between the lawyer and the client, the lawyer may withdraw.
Rule 3.3-2
A lawyer must not use or disclose a client’s or former client’s confidential information to the disadvantage of the client or former client, or for the benefit of the lawyer or a third person without the consent of the client or former client.
Rule 3.3-1
A lawyer at all times must hold in strict confidence all information concerning the business and affairs of a client acquired in the course of the professional relationship and must not divulge any such information unless:
- expressly or impliedly authorized by the client;
- required by law or a court to do so;
- required to deliver the information to the Law Society; or
- otherwise permitted by this rule.
Rule 3.3-1 [Commentary 3]
A lawyer owes the duty of confidentiality to every client without exception and whether or not the client is a continuing or casual client. The duty survives the professional relationship and continues indefinitely after the lawyer has ceased to act for the client, whether or not differences have arisen between them.
The Model Code allows lawyers to withdraw from representing a client in appropriate circumstances. When a lawyer withdraws from representing a client, that does not mean that their obligation to maintain client confidentiality stops. The obligation to maintain client confidentiality survives the professional relationship between the lawyer and the client.