The CIO Council released a set of guidelines on Privacy Thresholds that government agencies should be aware of, and viewed in the broader context of cloud computing and privacy, many of these recommendations also make sense for companies that deal with confidential information. The original file was released towards the end of August 2010 and can be found here.
The good news is that the CIO Council is not recommending multi-million dollar solutions to the problem of privacy and data. Nor is it recommending specific technology to resolve the issues of privacy and cloud storage of data that is protected under any number of privacy regulations. Rather, it is handing out a set of well-thought-out processes that make sense in relation to the data, as well as a set of procedural controls that will be familiar to anyone working in the privacy space. The most valuable part of this, while remaining technology agnostic, is the recognition that different governmental groups do business differently and have different business needs. The CIO Council Privacy committee is part of the Web 2.0/Cloud Computing subcommittee that is helping establish rules for Federal level security in the cloud computing environment.
The idea of a privacy threshold is that the data being stored might not in itself be privacy-protected data, but how that data is used, or how it is joined to other data sets, might make it protected. Some data is immediately understood as protected, such as health care records, while the joining of military records with benefits records might not be as immediately understood as producing protected information. The focus of the paper is on what constitutes a privacy threshold, which then triggers additional protections that need to be written into the contract with the cloud service provider rather than relying solely on SLAs.
On privacy thresholds, the CIO Council states:
Examples of changes that are possible in the cloud environment, and which should be addressed in a PTA before moving data to a cloud include (as defined by OMB Memorandum 03-22):
• Significant System Management Changes – when new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system
• Significant Merging – when agencies adopt or alter business processes so that government databases holding PII are merged, centralized, matched with other databases or otherwise significantly manipulated: For example, when databases are merged to create one central source of information, such a link may aggregate data in ways that create new privacy concerns
• New Public Access – when user-authenticating technology (i.e., password, digital certificate, biometric) is newly applied to an electronic information system accessed by members of the public
• New Interagency Uses – when agencies work together on shared functions involving significant new uses or exchanges of information in identifiable form, such as the cross-cutting E-Government initiatives; in such cases, both agencies should complete a PIA
• Internal Flow or Collection – when alteration of a business process results in significant new uses or disclosures of information or incorporation into the system of additional items of information in identifiable form
• Alteration in Character of Data – when new information in identifiable form added to a collection raises the risks to personal privacy (for example, the addition of health or financial information)
Source: CIO Council
For companies that are in the cloud space or providing services to federal agencies that want to store data in the cloud, the idea of a privacy threshold makes it easier to manage data storage in the cloud. While additional controls might be needed in certain instances of cloud storage, understanding the data and then working out a compliance process for it is one of the more important issues that companies are working with in cloud computing.
Using a process that defines “trigger events”, those events that might make data fall under privacy regulations, is a unique approach to solving the data privacy problem in cloud computing. By using Privacy Thresholds, the CIO Council is taking an interesting approach to the problem of privacy in the cloud space. This unique approach made the entire privacy paper much more readable and understandable from any perspective. It is well worth getting to know better if your company works with protected data and is thinking about using cloud computing, or is currently involved in cloud computing. You can download the paper for free at this government web site.
(Cross-posted @ Managing Intellectual Property & IT Security)