Keeping data inside Canada’s borders is a key consideration in the federal government’s cloud computing strategy.
Public Works and Government Services Canada’s Request for Information seeking industry feedback on how the government can use and deliver cloud computing services to Canadians, outlined some of the requirements that potential providers would likely face.
The deadline for submission to the RFI expired on January 30 and it is unlikely that the public will have access to the submission since the RFI includes a non-disclosure agreement.
However, the RFI itself sheds some light into the government’s data encryption and cloud storage concerns.
Public works wanted to find out from industry if the following strategies for “reducing Canada’s risk associated with contracting cloud services” were viable as well as what challenges could be present and what alternative solutions should be considered:
- Require that all domestic data traffic be routed exclusively through Canada;
- Require that all databases in which data is stored be running on servers located in Canada;
- Ensure that there are no connections from the Canadian database(s)/servers to any supplier database located outside Canada, with no way (short of hacking) of accessing the Canadian database(s) from a location outside of Canada;
- Encrypt the data (in transit and at rest) and ensure that encryption keys are held only by Canada;
- Require physical segregation of Canada’s data as part of the design of the solution
The government also wants any contract with a provider to clearly state that “Canada owns and controls all data.”
The government also wants it to be considered a breach of contract if the contractor accessed data “except as necessary to perform the contract” or to print, copy or provide access to the data to any third-party.
The Treasury Board of Canada has been developing a government-wide policy on the use of cloud computing services since 2014, according to privacy advocate Michael Geist, a law professor at the University of Ottawa and holder of the Canada Research Chair of Internet and E-commerce law.
He said the government hopes to complete its consultation and come up with cloud computing usage policy by this summer.
The requirements of the government are not unique to Canada, according to a recent article in Infoworld.com.
“Some European countries also won’t allow certain types of data to leave the country,” said writer David Linthicum.
However, he said, if Canada were to go with a large multinational providers it is likely that data will be replicated across borders and in some cases “you’ll have no clue” that this is happening.
If the concern is that data cross the border might not be safe from the prying eye of United States authorities, the idea of data sovereignty is “a bit of an illusion,” according to David Fraser, a Canadian privacy lawyer and partner with the Halifax firm McInnes Cooper.
He said most countries have legal tools that allow their law enforcement agencies to make legal claims to data held in their countries or outside their borders.
The real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk, Fraser said.