StatsCan moving some data to the cloud, prompting concerns
Signage marks the Statistics Canada offices in Ottawa on July 21, 2010. (The Canadian Press/Sean Kilpatrick)
Jim Bronskill, The Canadian Press
Published Sunday, January 12, 2020 10:12AM EST
OTTAWA -- Statistics Canada is planning to move its information holdings to the digital cloud - a shift the national number-crunching agency acknowledges will prompt questions about the protection of sensitive data.
The initiative is part of the federal government's “cloud-first strategy” to meet the increasing demand for online services and provide an alternative to its own, increasingly creaky computers.
Privately run cloud companies provide customers, such as federal departments, with virtual computer services - from email systems to vast storage capacity - using software, servers and other hardware hosted on the company's premises.
Statistics Canada sees several benefits including affordable access to the latest technologies, additional processing power and storage, and more timely provision of data to the public and researchers.
But the statistics agency also realizes some rumbling could emerge from the cloud.
“The use of cloud technology will raise questions about data security and Statistics Canada's ability to protect sensitive data,” say internal agency notes disclosed through the Access to Information Act. “Furthermore, Canadians will want to know what steps are being taken to ensure their information continues to be safe.
“The use of cloud technology may also raise questions about data sovereignty and the possible access to and use of data under the laws of another country.”
The federal government is mindful that many countries, including Canada, have laws allowing them to subpoena or obtain a warrant for information from private organizations to support legal investigations.
Ottawa says the primary risk to data sovereignty is the U.S. Foreign Intelligence Surveillance Act and Washington's ability to compel an organization subject to American law to turn over data under its control, regardless of the data's location and without notifying Canada.
In addition, there are long-standing information-sharing agreements and a legal assistance process between security and law-enforcement agencies in Canada and the U.S.
The Canadian government is obligated to protect personal data and highly sensitive information related to national security, cabinet discussions, military affairs and legal matters.
As a result, only data information designated up to and including a category called Protected B may be placed in the cloud. Protected B information, if compromised, could cause serious harm to an individual, organization or government.
In addition, all Protected B information - as well as the more sensitive Protected C and classified electronic data - must be stored in a government-approved computing facility located in Canada or within the premises of a department abroad, such as a diplomatic mission.
Data-scrambling encryption will also be used to shield sensitive material from prying eyes.
None of that provides sufficient comfort to Wayne Smith, a former chief statistician of Canada who resigned in 2016 over concerns about Statistics Canada's independence. Smith had reservations about the move of agency data to Shared Services Canada facilities.
In the same vein, shifting statistical data to the cloud creates “a heightened level of risk that isn't necessary” given the possibility of data hacks and breaches, Smith said.
“A better arrangement would be to have Statistics Canada operating its own data centres and keeping them offline.”
The statistics agency is in the planning stages of the project, meaning it is currently storing only “non-sensitive, unclassified information” in the cloud, said spokesman Peter Frayne.
“Statistics Canada will only migrate protected information once our systems have been deemed secure for cloud services appropriate for sensitive information, as per Government of Canada procedures and processes,” he said in a written response to questions.
The agency intends to adopt a “hybrid, multi-cloud strategy” that will see applications and data housed by a mix of government data centres and cloud providers, he added.
Lisa Carroll, a senior executive with Microsoft Canada, one of the first global cloud providers to receive federal certification, stresses the company's track record on keeping data secure.
Microsoft says it spends over $1 billion a year on cybersecurity and has more than 3,500 full-time security professionals working with artificial-intelligence tools to analyze more than 6.5 trillion global signals each day.
“The value of cloud is innovation,” Carroll said. “It's about leveraging the technologies of the future.”