The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.
“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).
In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data is baseless, he said.
The Patriot Act is a “boogey man,” he said.
The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.
Fraser, a partner with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.
The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.
In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.
There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces have policies forbidding cloud providers from storing provincial data outside Canada: British Columbia (complete ban) and Nova Scotia (forbidden unless necessary).
Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.