Cloud computing comes in many shapes and forms. Know what you need, so you can evaluate your options.
Different cloud services carry different risks and responsibilities. Think of what risks you currently have with handling personal information. Will using the cloud increase or decrease those risks? The cloud will not always be a riskier option - if you have personal information on a poorly secured server sitting in the back room of your office, it might be safer stored with a trustworthy cloud provider.
2. Know what information you'll be sending to the cloud
Work out what information you'll be putting into the cloud, so you know what to focus on and what you can relax about.
If none of the information is personal information, then privacy isn't an issue.
If some of it is personal information, could it harm your clients if the information was lost, deleted, stolen or misused? The more harm it could cause, the more care you have to take to check it's protected.
3. Recognise that the responsibility is ultimately yours
All cloud services involve trusting someone else with your clients' personal information to some extent. Your cloud provider might have some responsibility for handling the information safely - check the contract. But if you're putting client information in the cloud, you're still responsible for it. The buck stops with you. Period.
4. Security - lock it down
Make sure the information is protected both while it travels and when it's at the provider's end. Encrypting your data is the easiest and most reliable way of doing this. If it's encrypted, it's unlikely to get misused, or to cause harm if it gets hacked or lost. So encrypting the information takes a bit of pressure off you.
5. Check out your provider
Do an internet search on the cloud provider you're thinking of using - along with words like "breach" and "privacy". If the provider has had problems in the past, it might show up. Check how well they dealt with things. Are they regularly and independently audited?
New Zealand-based providers may be signed up to the Institute of IT Professionals (IITP) CloudCode, which requires them to provide information on a set list of important issues.
6. Know exactly what you're signing up for
You may not have much clout when it comes to negotiating contract terms, but you probably have a choice of providers - compare the protections they're able to offer.
Be clear about what the contract says. You don't want things to fall through the cracks. For instance, make sure you know what will happen if the provider goes under, or is bought out. Where will your information go? What if there's a data breach - will you get told?
7. Be as up front with your clients as you can
Wherever you can, tell the people concerned what you're doing with their personal information. Also, work out how you would respond to a customer's request to see information about themselves.
8. Location - where will the information be?
If possible, work out where your information is going and what privacy laws apply.
Not all providers will tell you where their data centres are. But at least make sure that they tell you how they deal with government requests, whether they demand a search warrant before giving access to information on their servers, and your rights to be notified if they pass the information on to somebody else. Also find out who you would complain to if something goes wrong.
9. Use and disclosure - who sees the information and what will it be used for
Make sure you know if your cloud provider will be passing the information to a third party. It's very common for cloud providers to contract out key parts of their services. The protections for the information should be equally strong whoever is providing the service. What come-back do you have if the third party contractor stuffs up?
Who will be able to see or use the information? Make sure you know what the provider will be doing with the information (if anything).
10. Ability to exit, and deleting information
Can you get the information out, in a form that you can use, if you decide to switch providers? Will the provider delete the information or will they try to keep it?