10-point checklist for privacy and the cloud
lt’s great to see this focus on behalf of small business on these issues. It is also great to measure ourselves up against expectations. We are heavily engaged with the Institute of IT Professionals’ Cloud Computing Code of Practice and as a leader in cloud computing for small business we are committed to protecting our customers’ data.
The point of the Commissioner’s checklist is to help businesses weigh up the benefits of using cloud services with any concerns they have about privacy, trust and legal obligations. The Privacy Act covers “personal information,” which is any information which can be used to identify a particular person, but you may also have confidential or sensitive information that you may find it useful to apply the checklist to.
- Figure out which cloud services will work for you and what your current risk level is
- Know what information you’ll be sending to the cloud
- Recognise that the responsibility is ultimately yours
- Security – lock it down
- Check out your provider
- Know exactly what you’re signing up for
- Be as upfront with your clients as you can
- Location – where will the information be
- Use and disclosure – who sees the information and what will it be used for
- Ability to exit, and deleting information
The first point in the checklist notes that, while it means holding your customer’s data with a third party, using the cloud can be safer. We often talk about the comparison of a poorly secured server in an office versus a heavily secure data centre as used by Xero, noting that your data is also encrypted between the browser and the server.
Other highlights include recognising that you are responsible for your customers’ data regardless of where you store your data, so trust and terms are really important. Part of this is about being upfront with your customers about what you are doing with their data and the decisions you have made.
Transparency is key, and it’s something we’re proud of – advising where data is stored and whether any storage is being subcontracted. We hold our primary data in a private cloud in a secure centre run by Rackspace in Chicago with secondary storage at their site in Dallas. We blogged recently about our infrastructure.
It is important to know about your cloud provider as a business, is looking after customer data, is looking after its customers, is well funded and is there for the long haul.
Ultimately you want to be sure that the information your cloud provider is storing is treated as private and confidential and can be exported from the system if you decide to switch providers. If you were to move to another supplier, key information can be exported out of Xero in standard formats that can be loaded into other systems. We haven’t been asked yet to provide a mechanism for deleting data as accounts are usually required to be retained.
We’re always open to any of your questions about privacy and strive to deliver professional cloud services that meet the expectations of our customers, our partners, and the privacy authorities.