The World Privacy Forum report on cloud computing highlights the benefits of buying-in applications as a service but lists a number of privacy concerns.
It is in sharp contrast to the comments made last week at an IDC cloud computing forum, where speakers described concerns about data security in cloud environments as overblown and "emotional."
"There are a whole lot of companies out there that are not thinking about privacy" when they consider cloud computing, said Pam Dixon, executive director of the US-based privacy advocacy group. "You shouldn't be putting consumer data in the cloud until you've done a thorough [privacy] review."
According to the World Privacy Forum's, the data stored in cloud-based systems includes customer records, tax and financial data, e-mails, health records, word processing documents, spreadsheets and PowerPoint presentations. The list of potential privacy issues cited in the report include the following:
Breaking the rules. Organisations could find themselves on the wrong side of privacy regulations if they aren't careful, the report said. For example, a federal agency that uses a cloud service to host personal data may be in violation of the Privacy Act of 1974, especially if it doesn't have provisions for protecting the data in its contract with the cloud provider, according to the report. In addition, it said, federal records management and disposal laws may limit the ability of agencies to store official records in the cloud.
Similarly, the privacy rules in US laws such as HIPAA and the Gramm-Leach-Bliley Act restrict companies from disclosing personal health care or financial data to non-affiliated third parties unless specific contractual arrangements have been put in place, the report said. In another example, it noted that IRS rules prohibit tax preparers from using third parties such as cloud service providers to host returns. "Companies could be loading data into the cloud illegally without their knowing it," Dixon said.
Surprises in the fine print. Companies need to understand that the data-disclosure terms and conditions set by cloud vendors and the storage and access rights they include in contracts can have a significant effect on privacy, the report claimed. And the privacy risks can be magnified, Dixon said, if a cloud vendor retains the ability to change its terms and policies at will. Users should make sure, she added, that they're protected against attempts by cloud providers to access or use data for any secondary purposes -- for instance, using personal health information to deliver targeted marketing messages to consumers.
Follow highlights from ComputerworldUK on Twitter