Where your data is stored could impact your clients’ privacy

Posted on Aug 19, 2016 in IT policy, Legal, Security
This year Resolve exhibited at the LawTechNZ conference. We spoke to nearly every decision maker there who didn’t yet have their data in the cloud. Their main concerns with the cloud were security and hidden costs, but another question that should be top of mind when making a decision about the cloud is “where is my data stored?”

Based on a recent survey by InfoTrack, that question is exactly what over half of Australian law firms are asking (56% of respondents said “data sovereignty” was their primary concern with cloud services).

A law firm is responsible for its clients’ information, and that continues to hold true if the storage and protection of that data is outsourced to a cloud provider. The provider may (and should) have obligations for the safe handling of your data (refer to the contract), but the buck still stops with the law firm.

This is not to say that our company, and companies like us, want to be absolved of any wrongdoing; it is in fact set out within New Zealand’s privacy laws.

Principle five in S.6 of the Privacy Act 1993 says that an agency (i.e. a law firm) is responsible for the information it outsources to service providers, and S.10 says it would remain responsible regardless of whether its service provider was based, or utilised facilities, offshore or within New Zealand.

BUT, as soon as the data goes offshore it becomes subject to the privacy, security and intelligence laws of the country or state where the information is kept, and the laws within that jurisdiction may be a far cry from New Zealand’s privacy laws.

AND, if your data is offshore, it’s likely the backups are in an offshore country or state different from where the original copy is based. Your backups are subject to the privacy, security and intelligence laws of that jurisdiction as well.

So the question is: are your data and backups located in a jurisdiction that lets you confidently tick the box for the New Zealand Law Society guidelines?

The New Zealand Law Society sets out that:

“Lawyers need to be aware of their obligations to protect clients’ personal data. Any move to using cloud services cannot compromise these statutory obligations.”

“All use of cloud computing by lawyers and law firms must always be within the parameters of lawyers’ professional obligations under the Rules of Conduct and Client Care and the Privacy Act 1993.”

So how can you find out where your current provider or your prospective provider stores your data? We found a useful checklist from the Office of the Privacy Commissioner to answer that very question.

Data location checklist

The Office of the Privacy Commissioner’s guidance note Cloud Computing – A guide to making the right choices recommends that the following location information is sought from a cloud computing provider:

  • whether there is a privacy law that applies in the country or countries where your data is stored or processed;
  • whether that privacy law is similar to New Zealand’s privacy law;
  • whether the law applies to the cloud provider and to your information (some privacy laws exempt some types of businesses, or do not apply to the personal information of foreigners);
  • how the cloud provider will deal with any requests for information that it receives from government agencies, courts etc. For example will the provider only disclose information in response to a court order? Will the provider let you know if it has to disclose information in response to a request?
  • will the cloud provider notify you if data is lost or stolen, for instance if the provider is hacked?
  • who can you or your clients complain to if there’s a breach of privacy?

So at your next partners’ meeting, or when you next speak to your IT team/provider, ask the question “where is our firm’s data stored and backed up?”