Naturally one of the critical areas specified in the Canadian E-Health Cloud strategy document is the risks related to data privacy.

Specifically in section 8, from page 42 through 49, they describe the comprehensive standards, audit and certification frameworks that will be required to protect this next major phase of Cloud adoption.

CHI point to the number one risk issue cited by CIOs – Fears of inadequate data privacy protections, and they describe the various component parts what is required to address these risks including due diligence procedures and state of the art privacy controls.

Cloud Privacy By Design – Federated Consent Management

Throughout the document they also identify the technologies needed to achieve compliance with these new capabilities, such as Federated Identity and Consent Management applications, that they describe as new ‘greenfield’ apps for them.

We can see an example of this through the Real Me service from the New Zealand Government. Developed in conjunction with their national postal service they have deployed a novel service for online Identity authentication and related access, with over 40 different government service providers unified into delivery for half a million users.

This implements an ‘iCMS‘ – Extended Authentication Context Management Service, that utilizes a security token service based on WS-Trust Messaging and SAML tokens, Identity open standards from OASIS, enabling:

• Pseudonymous Authentication, via ‘federated sharing tags’
• Two-factor authentication through text message to cell phone
• Verified Data – A secure, privacy-centric data exchange
• A clear consent model – An extensible data across multiple providers
• Government Cloud attribute provider: Drivers licence information

These trends will have uniquely dramatic changes to how software architecture is designed and implements, as ‘Cloud SOA’ will emerge by utilizing this plumbing, features the NZL Government such as a “privacy domain bus” for managing exchanges of data between applications.