Why cloud computing deals need privacy level agreements

There are some audience questions you can see coming a mile away.

I was hosting one of our ComputerWorld Interactive events this morning in Edmonton, where we were discussing IBM’s proposal that Linux is an ideal OS on which to develop a cloud computing strategy. Although most of the people in the audience have introduced some level of virtualization into their IT infrastructure, the concept of clouds was, to some extent, still new to them. I knew this because early in the Q&A one IT executive put up his hand and asked how any company could be comfortable enough with the privacy issues around handing data to a third party.

Although I let our IBM guest speaker tackle the question first, I followed up by suggesting that the IT industry has sometimes been too focused on the service-level agreements, or SLAs, around the delivery of technology services through cloud providers and not enough on how data will be used or managed. This is particularly true in Canada, where provincial laws often prohibit any situations where local data is being housed in the United States, and therefore subject to the Patriot Act.

“What we need,” I said, “is to be more focused on setting up privacy level agreements that govern the data usage in a cloud environment.”

Yes, I just made up “privacy level agreements” on the spot, but I think the idea is valid. We have service levels because there are different demands placed on compute infrastructure depending on what’s going on in your business. Similarly, although enterprises collect all sorts of information about their customers, partners and employees, not all of it is subject to the same stringent collection, storage and disposal policies. There are levels of privacy.

A privacy level agreement, or PLA, would set out in contractual terms how a third-party provider will ensure that the information it hosts will not be seen by the wrong sets of eyes. I would imagine there are already some provisions to that effect in certain cloud computing deals today. However, the PLA would also include more detailed information about the escalation procedures should a privacy breach occur: how the breach would be reported, how quickly a report could be delivered to the customer and who would have responsibility for contacting the appropriate authorities. I would be surprised if this level of depth has been established in many cloud agreements today, if only because most businesses are too focused on simply shifting from a traditional model of on-premise applications and infrastructure. Privacy, as always, is something you deal with later.

Our event, which we called The Linux-Powered Cloud, didn’t dwell all that much on public clouds, because that doesn’t seem to be where the majority of the action is in Canada. But PLAs would still be a good idea in private cloud projects, as would a privacy impact assessment before the first virtual servers are deployed. If your SLAs – internal or otherwise – aren’t being met, you won’t be able to run your business properly. If your PLAs – internal or otherwise – aren’t being met, no one can trust you. You tell me which problem is worse.

Shane Schick
http://shaneschick.com
Your guide to the ongoing story of how technology is changing the world