International privacy standards for governments and schools?
Editor’s note: Bradley Shear is a lawyer in private practice. His areas of expertise include information privacy, cybersecurity and data protection.
Privacy and cybersecurity are no longer issues that interest only academics, lawyers, and technologists. The growing risk of data breaches, together with revelations that some cloud providers abused their relationships with government customers by scanning email content for advertising purposes, shows that current practice is not good enough. Governments must demand that their vendors, as many enterprise and corporate customers already do, adhere to the strongest international privacy practices.
While many think of state and local governments as just repositories of public records, they also store massive amounts of highly sensitive personal information, including tax returns, family services files, student records and health data. And as state and local governments move more data to the cloud, privacy concerns become paramount. It is imperative governments establish robust privacy standards for cloud storage to prevent the misuse of personal data.
Moving forward, governments should require their vendors to follow the recently adopted ISO/IEC 27018 cloud privacy guidelines, published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as a code of practice for protecting personally identifiable information in public clouds. These standards foster transparency while increasing security and data privacy. Without adherence to ISO 27018, government entities such as public schools, which collect, process, and archive tremendous amounts of student data, risk having that data used for non-educational purposes.
With these standards in mind, cloud providers’ terms of service and privacy policies must be closely reviewed. For example, in April 2014, Google announced it would stop scanning student data for advertising purposes, stating it would “make similar changes for…Google Apps customers, including business, government and for legacy users of the free version, and… provide an update when the rollout is complete.” A year has passed and Google has not made any additional mention of these changes for government users.
Required adherence to ISO 27018 will help stop vendors from exploiting the data they process and store, and will give governments full control over how their information is used. Public entities must be able to legally require that vendors return or delete data. Under the standard, service providers may not analyze customer data for purposes outside the contract, and may not retain it after an agreement ends. The standard also calls for independent third-party audits and compliance reviews, which provide transparency. Gone are the days when a cloud provider could claim that its technology was proprietary in order to block an independent audit.
The ISO 27018 cloud privacy standards will help state and local governments keep data secure and confidential. A cloud vendor's inability or unwillingness to adopt ISO 27018 should raise a red flag that the vendor may abuse its access to non-public government records. Many companies now require their cloud providers to adhere to ISO 27018. It is time for the public sector to follow suit by making this requirement part of the government cloud procurement process.
Bradley S. Shear advises clients and federal and state lawmakers on digital law and public policy issues.