
10-point checklist for privacy and the cloud

The New Zealand Office of the Privacy Commissioner has published a 10-point checklist for privacy and cloud computing for small business and a guide to making the right choices.

It’s great to see this focus on these issues on behalf of small business. It is also useful to measure ourselves against these expectations. We are heavily engaged with the Institute of IT Professionals’ Cloud Computing Code of Practice, and as a leader in cloud computing for small business we are committed to protecting our customers’ data.

The point of the Commissioner’s checklist is to help businesses weigh the benefits of using cloud services against any concerns they have about privacy, trust and legal obligations. The Privacy Act covers “personal information,” which is any information that can be used to identify a particular person, but you may also find it useful to apply the checklist to other confidential or sensitive information you hold.

The checklist

  1. Figure out which cloud services will work for you and what your current risk level is
  2. Know what information you’ll be sending to the cloud
  3. Recognise that the responsibility is ultimately yours
  4. Security – lock it down
  5. Check out your provider
  6. Know exactly what you’re signing up for
  7. Be as upfront with your clients as you can
  8. Location – where will the information be
  9. Use and disclosure – who sees the information and what will it be used for
  10. Ability to exit, and deleting information

The first point in the checklist notes that, while it means holding your customers’ data with a third party, using the cloud can be safer. We often compare a poorly secured server in an office with a heavily secured data centre such as the one used by Xero, noting that your data is also encrypted in transit between the browser and the server.

Other highlights include recognising that you are responsible for your customers’ data regardless of where you store your data, so trust and terms are really important. Part of this is about being upfront with your customers about what you are doing with their data and the decisions you have made.

Transparency is key, and it’s something we’re proud of – advising where data is stored and whether any storage is being subcontracted. We hold our primary data in a private cloud in a secure centre run by Rackspace in Chicago with secondary storage at their site in Dallas. We blogged recently about our infrastructure.

It is important to know that your cloud provider, as a business, is looking after customer data, is looking after its customers, is well funded and is there for the long haul.

Ultimately you want to be sure that the information your cloud provider is storing is treated as private and confidential and can be exported from the system if you decide to switch providers. If you were to move to another supplier, key information can be exported out of Xero in standard formats that can be loaded into other systems. We haven’t been asked yet to provide a mechanism for deleting data as accounts are usually required to be retained.

We’re always open to any of your questions about privacy and strive to deliver professional cloud services that meet the expectations of our customers, our partners, and the privacy authorities.


3 comments

Tyson Goldsworthy
14 February 2013

What I would love to see is an automatically generated email message/notification that alerts me to when one of my staff has changed a draft invoice Status to Awaiting Approval and to Awaiting payment, or any variation of change of status that you can select on and off depending on what notifications you want to receive.
It would help when you have numerous staff in a company dealing with quotes/draft invoices and invoicing etc. so you can stay across the progress of accounts in a more dynamic way.
Maybe even a Xero inbox as part of the app/browser that can receive and display a notifications list, like a job tracker: simple, lightweight, nothing flash, just an account’s change-of-status record.
Yes, no?

Here is a link to a document produced by the Australian Government Department of Defence Intelligence and Security department, entitled Cloud Computing Security Considerations.

The document addresses the following topics:
• availability of data and business functionality
• protecting data from unauthorised access
• handling security incidents.

http://www.asd.gov.au/infosec/cloudsecurity.htm

Sorry, the ‘?’ were bullet points, and I was offering this up as info for Australians reading this post.
