June 22, 2009

10 Things Every Lawyer Should Know About Legal SaaS (Part 5): Privacy

In the age of spam, social media and other privacy encroachments, it's sometimes hard to envision the Internet as someplace where sensitive data can be securely hidden from scrutiny, and where privacy is guarded at all costs. Fortunately the Internet is such a place, and the availability of many excellent SaaS solutions for business is helping to restore professional confidence in the capacity of the web as a secure medium for information storage and collaboration. However, trust must be earned, and legal professionals should perform thorough diligence when selecting services to host their practice's needs, ensuring that the privacy policy and ownership terms are aligned with professional requirements and individual philosophy. The following questions provide a summary of some important considerations when evaluating a SaaS solution:

What is the Privacy Policy?: Policies should be clearly stated, and disclose how information supplied to the service is housed, protected, shared, manipulated, or disposed of.

Who owns the data?: When entrusting your practice to a SaaS solution, it's critical to understand the impact of the company's privacy policy on your ethical requirements as a legal practitioner. It may seem ridiculous to contemplate a service where the user isn't the owner of the information; however, a quick look at Facebook's privacy policy reveals a disturbing lack of control over the data supplied to the service. In the case of status updates and photos of the weekend BBQ, this may not be a contentious issue, but when it comes to sensitive client data hosted on a SaaS solution, there should be no question with respect to ownership.

How can the data be used?: When it comes to confidential client information, the privacy policy generally outlines how the SaaS provider can (or can’t) use the data you enter into the application. In general, all information you enter into a SaaS application should be treated as confidential, private information that can’t be used by the SaaS provider for any other purpose. Furthermore, the SaaS provider should only be permitted to view any of your private information with your explicit consent (say, for example, to troubleshoot a technical issue).

While in many cases this seems to be the only obvious and fair way of treating private data, there have been some high-profile cases of very popular websites imposing less-than-fair privacy policies on their users. For example, Facebook recently caused a virtual firestorm with an update to its privacy policies that apparently granted the company perpetual control over content posted by its users.

The above checklist provides a rough outline of the issues to be concerned with while reviewing a web site or SaaS provider’s privacy policy. However, reviewing privacy policies can be a time-consuming process, and diligently reviewing the privacy policy of every website you use can rapidly become impractical. Luckily, firms such as TRUSTe serve as a “privacy watchdog”, and provide an independent review of a website’s or SaaS provider’s privacy policy. If the website or SaaS provider complies with TRUSTe’s stringent privacy policy guidelines, they are allowed to display the TRUSTe privacy seal. Thus, if you see the TRUSTe seal (pictured above) on a website you use, you can rest assured the website is complying with TRUSTe’s “best practices” for privacy policies.
