Disclosing client data – Cloud arrangements Part 3

Prepared by Julia Winzar

As discussed in Parts 1 and 2 of this series, to meet the client confidentiality obligations under the Code of Professional Conduct, limited ASFL holders need to obtain consent from their client before disclosing any of the client’s information (personal and other) to a third party.

 

Third parties include cloud storage providers. If you use cloud storage services and your cloud storage provider can access the data that is stored using the cloud service, you will effectively be disclosing this data.

 

If you are disclosing data you will need to obtain consent from each client to disclose their information to the cloud storage provider. See Part 2 of this series for a discussion on obtaining consent.

 

In addition to obtaining client consent, you must have controls in place with the cloud storage provider to ensure the confidentiality of your client’s data. These controls should be built into your agreement with your cloud storage provider. Your agreement should at a minimum cover off on the following:

 

  • Confidentiality – Ensuring the service provider agrees to keep your data confidential.
  • Integrity – Ensuring that there are appropriate controls in place to ensure that your data is secure and protected from inadvertent disclosure or access. For example, audit trails, access controls to prevent unauthorized access and security controls (such as passwords, encryption and backups).

 

When reviewing your cloud storage agreement it is also a good idea to consider the following:

 

  • How can the agreement be varied? The agreement should not allow the cloud storage provider to unilaterally change key terms of the agreement.
  • How is the information transferred between systems? Is this done in a way that is secure and the integrity of your data is maintained?
  • How is the information being stored?
  • Is information held offshore? If it is, you will need to ensure that this is disclosed in your privacy policy. Unless you retain full control over the information, this will be classified as a disclosure for privacy purposes.
  • Is the information stored by the cloud storage provider backed up?
  • Is the cloud storage provider required to put processes in place to prevent service access being disrupted? Are there certain service level requirements that the cloud storage provider must meet?
  • Are there any limitation of liability clauses? Limitation of liability clauses that limit the cloud storage provider’s liability to a nominal amount where they are in breach of the agreement and you suffer a loss as a result should be avoided.
  • What will happen if your arrangement with the cloud storage provider ends? The agreement should require the cloud storage provider to return all of your information and not retain any copy of this information.

 

If you haven’t reviewed the terms of the agreement with your cloud storage provider, this is a good prompt to do so.