July 20, 2009
To the Members of the Los Angeles City Council
Information Technology and General Services Committee
The Honorable Tony Cardenas, Chair
and ITGS designated staff member Eduardo Soriano Hewitt
The Honorable Bernard Parks
and ITGS designated staff member Lorenzo Briceno
The Honorable Herb Wesson
and designated ITGS staff member Edward Johnson
and
Legislative Assistant Adam Lid
Dear Sirs:
I am writing to express concern about the proposal for the City of LA to implement Google Apps for its e-mail and office systems.
I am concerned about the propriety of a government entity using services that are “in the cloud,” so to speak, as repositories for sensitive personal and organizational information.
I question if enough is yet known about the privacy, security and confidentiality of personal information in a cloud environment.
There are two concepts I would propose in analyzing this proposal. The first is stewardship – the responsibility of the City to ensure that personal information it collects, holds, analyzes, merges with other information, and disseminates is fully protected from illegitimate access and uses. Key questions include these:
- Is a cloud environment going to provide sufficient protection for such sensitive information?
- Does the City’s stewardship role in regard to personal information preclude movement of personal information to a cloud environment?
Second, I recommend that the City consider a rigorous privacy and security impact assessment about the cloud computing proposal. This process would include a thorough risk analysis.
The purpose would be to leave no stone unturned in examining every possible scenario in which sensitive personal information could be compromised in a cloud environment. Such an assessment should include a legal analysis in which relevant state and federal privacy-related laws are reviewed vis-à-vis the cloud computing proposal.
In conclusion, it is vitally important that the City of Los Angeles ensure that sensitive personal information in its possession is adequately safeguarded in a cloud environment.
If you are interested in learning more about privacy impact assessments, I am happy to suggest some resources.
Thank you for your consideration,
Sincerely,
Beth Givens, Director
Privacy Rights Clearinghouse
Related links:
- LA City Council web page with documents regarding proposed contract, public comments, and status of proposal, http://cityclerk.lacity.org/lacityclerkconnect/index.cfm?fa=ccfi.viewrecord&cfnumber=09-1714
- Proposed Contract, Los Angeles Office of the City Administrator, http://clkrep.lacity.org/onlinedocs/2009/09-1714_rpt_cao_7-9-09.pdf
- Privacy Rights Clearinghouse Alert on the privacy implications of cloud computing, www.privacyrights.org/ar/cloud-computing.htm
- World Privacy Forum letter to LA Mayor Villaraigosa on the City's cloud computing proposal, www.worldprivacyforum.org/pdf/WPFLetterLA_July172009fs.pdf
- World Privacy Forum report on cloud computing, www.worldprivacyforum.org/cloudprivacy.html