Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.
In reply to a query, SSC told IT World Canada in an email that the government has an important responsibility to ensure personal information of employees and citizens is secure. The department continues to consult through advisory committees to ensure it has a long-term relationship with the IT industry, the statement said.
One person on the conference call said some government departments already demand in requests for proposals (RFPs) her organization receives that any outsourced solution has to keep data in Canada.
Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.
Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)
For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.
For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.
More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.
The first is to encrypt the data – which should be a standard procedure anyway, he said – and make sure control of the encryption keys is held here.
Second, the government could decide that only “low risk” data can be sent out of the country.
Third, the government could demand certain contractual provisions with a service provider, such as clauses that say the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to do so, and that it will notify the customer of any subpoenas.
There could also be a requirement that the provider go to a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee it will be successful.
“There isn’t a shortage of ideas of how to mitigate risk,” he said.
Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.