The IPC has prepared this new guidance document, Thinking About Clouds? Privacy, security and compliance considerations for Ontario public sector institutions, to help institutions evaluate whether cloud computing services are suitable for their information management needs. In particular, it seeks to raise awareness of the risks associated with using cloud computing services and outlines some strategies to mitigate those risks.
Recommended mitigation strategies include appropriate project planning, co-ordination, and documentation, undertaking risk analyses, applying data minimization measures, due diligence investigation of the cloud provider, negotiating effective contracts, and having an incident management plan in place.
It is the responsibility of all public institutions in Ontario to maintain effective control of, and be fully accountability for, the personal information entrusted to them by the public they serve.