article / 01 Jun 2015

The cloudy future of government IT


In recent years there has been an ongoing debate in Sweden regarding personal data and the implications for cloud computing and cloud-based services. However, it is not only personal data that becomes problematic when moving information to the cloud – a recent decision from the Swedish Parliamentary Ombudsman (Sw.: Justitieombudsmannen) (“JO”) raises many questions when it comes to the possibility of Swedish public authorities, government agencies and municipalities (collectively “public sector bodies”) purchasing IT and using cloud-based services. Cloud suppliers aiming to sell cloud-based services to customers in Sweden should be aware of this debate.

For public sector bodies in Sweden, information that is being processed in the cloud is subject not only to the Personal Data Act (Sw.: Personuppgiftslagen), but also to the Public Access to Information and Secrecy Act (Sw.: Offentlighets- och sekretesslagen). According to this Act, public sector bodies have an obligation to disclose public records to anyone who requests access to such records. When public sector bodies receive a request for disclosure, they must make a mandatory secrecy assessment to determine whether the request should – depending on the circumstances of the specific case – be rejected because of secrecy obligations under the Act.

An issue that has been up for discussion is whether it is a requirement that the Swedish public sector bodies should perform a mandatory secrecy assessment prior to information being disclosed to a cloud supplier, or whether a cloud supplier should be considered as connected with the public sector body as such, and therefore automatically bound by the regulations concerning public access and secrecy. The answer to this question will be crucial in evaluating whether Swedish public sector bodies’ use of cloud-based services complies with Swedish legislation.


New decision from the Swedish Parliamentary Ombudsman

JO concluded in a recent decision that some public health care providers were not legally entitled to commission a cloud supplier to work with medical record entries. The public health care providers had commissioned the cloud supplier to transcribe recorded notes dictated by doctors into patients’ medical records, in order to shorten the time it took for a recorded note to be registered in the medical records. The process was handled electronically and no information was stored outside of the health care providers’ IT systems.

Both the cloud supplier and its employees were bound by a secrecy agreement, and had data processing agreements in place with the public health care providers. Given all the facts of the situation, JO concluded that the actions undertaken by the public health care providers constituted a disclosure of information to the cloud supplier and its employees.

JO further stated that the secrecy agreements in place were inadequate in this case. This was owing to the lack of sanctions to which the cloud supplier and its employees were subject. In contrast with the public health care providers’ employees, the cloud supplier’s employees were not subject to sanctions according to the Public Access to Information and Secrecy Act and the Swedish Penal Code (Sw.: Brottsbalken).


Impact assessment

This recent decision has sparked controversy regarding the impact it might have. Some argue that the decision constitutes a general obstacle for Swedish public sector bodies that are subject to the Public Access to Information and Secrecy Act when commissioning private entities to process or access data. Such an obstacle would prevent most public sector bodies from moving towards cloud-based services.

Others consider the decision to be more of a one-off case. The JO case concerned “highly sensitive information” and one could argue that the secrecy agreement in this specific case was not drafted tightly enough. It would thus not mean that other cases should be treated in the same way.

Also, one could argue that the JO case should not have an impact on cloud-based services since in most cloud-based services, a cloud supplier does not access information the way the cloud supplier did in that particular situation, which involved listening to recordings of dictated notes. Even if the cloud supplier’s employees technically have the possibility of accessing the information that has been stored, there are usually both technical security measures and instructions and agreements in place limiting such access.


Conclusion

It is not clear how and to what extent the JO case in question might affect cloud-based services in general. Nevertheless, Swedish public sector bodies need to consider both the Personal Data Act and the Public Access to Information and Secrecy Act when considering storing information in the cloud.

Furthermore, it is not clear how strictly the Public Access to Information and Secrecy Act should be interpreted and in what circumstances it could constitute an obstacle to public sector bodies using cloud-based services for storing information regulated by the Act.

It is important for cloud suppliers offering cloud-based services to Swedish public sector bodies to be aware of the ongoing debate regarding those bodies’ ability to use cloud-based services. The outcome of this debate could have an impact on how a cloud supplier might choose to develop its services in order to meet the requirements of a Swedish public sector body, e.g. with regard to the level of protection given to any information stored, how unauthorised access to and usage of information can be prevented, how employees are instructed to handle the information, and rules regarding liability for data loss.
