Data Protection webinar: Using cloud services 4 th June 2014 Welcome. We’re just making the last...
-
Upload
sherilyn-floyd -
Category
Documents
-
view
215 -
download
2
Transcript of Data Protection webinar: Using cloud services 4 th June 2014 Welcome. We’re just making the last...
Data Protection webinar:Using cloud services
4th June 2014
Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on
and you will shortly hear a voice!
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation.It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
Programme
Your Data Protection responsibilities Where are the risks? What you should be doing
Security Transfers abroad Transparency and choice
Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal2. You must limit your use of data to the purpose(s)
you obtained it for3. Data must be adequate, relevant & not excessive4. Data must be accurate & up to date5. Data must not be held longer than necessary6. Data Subjects’ rights must be respected7. You must have appropriate security8. Special rules apply to transfers abroad
Data Controller / Data Processor
“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
The cloud relationship
Data Controller(your organisation )
Passes data
For Data Controller’s purposes
Does task
Passes results back
Cloud providerData Processor
Data Processor requirements
A contract, ‘evidenced in writing’Setting out the relationship and how it will workUnderpinning both parties’ security obligationsAllowing the Data Controller to verify the Data Processor’s securityIdeally providing indemnity against any costs resulting from the Data Processor’s failure to deliverSee checklist
Cloud examples
Microsoft 365, Google Apps (office programs) Huddle, GoToMeeting, Skype (collaboration) Amazon (storage & processing capacity) Salesforce (contact management database) YouTube, Instagram (photo/video storage and
sharing) MailChimp (bulk mailings) SurveyMonkey (online surveys) Social networking sites
Cloud computing characteristics
Cheap and flexible, especially for small organisations
Available anywhere there is an internet connection Suppliers claim good security and service levels Based on:
Standard offering, usually non-negotiable Shared facilities, controlled by the supplier Location of data irrelevant (and may be obscure) May be layers of sub-contract
Principle 7: Security
You must take steps to prevent: Unauthorised access Accidental loss or damage
Your measures must be appropriate They must be technical and organisational
You cannot transfer this responsibility to a Data Processor
Cloud security breaches do occur
British Pregnancy Advisory Service Website ‘contact us’ form Stored for five years – almost 10,000 records Admin password not changed from default Successfully hacked into and personal data
stolen Aberdeen City Council
Social worker working from home, with permission Computer set to synch with cloud storage location Cloud location not secure – personal data showed
up in search
Security when the Data Processor is a cloud
provider
Instruct your supplier to take security precautions – and check that they have done so
Standard terms and conditions often non-negotiable – due diligence required Understand what you are checking International standards
ISO 27000 series (from British Standards Institute) self-assessed less reliable than certified check credentials of certifying company relevance & scope (ISO 27000 Statement of Applicability)
HMG Security Policy Framework (recently revised) SAS70 (US) – auditing process, not security
Potential cost of a breach
Notification to potentially affected individuals, if appropriate
Assistance to potentially affected individuals Compensation for harm and associated
distress Damage to business (including reputation) Data restoration Monetary penalty (up to £500,000)
Potential cost of a breach
Notification to potentially affected individuals, if appropriate
Assistance to potentially affected individuals Compensation for harm and associated
distress Damage to business (including reputation) Data restoration Monetary penalty (up to £500,000)
Principle 8: Transfers abroad
Transfers of data outside the European Economic Area are allowed if: the jurisdiction it is going to has an acceptable
law the recipient in the USA is signed up to
Safe Harbor a few other options
What else can go wrong?
Loss of service at their end at your end
Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
Contract terms which make the supplier a Data Controller in their own right
Unclear ownership/location of data and the equipment it is stored on
Unilateral changes in policy by provider
Principle 1: Transparency & choice
Transparency: tell people if the data is going abroad & where but not who to if you are using a Data Processor
(because there is technically no disclosure) Choice: probably unwise, but then you must
meet 6th Schedule 2 Condition (legitimate interests)
Sensitive data: not generally enforced, but possible question of consent
And finally …
Most countries have laws allowing authorities to access data
US Patriot Act ostensibly anti-terrorist has also been used in non-terrorist cases supplier may not agree (or even be allowed) to
inform customer of access Include in risk assessment
So what do you need to do?
Check the contract (or standard terms and conditions) very carefully on areas like: security location of data (especially if it could be outside the
EEA) liability/sub contractors back-up/access copyright (e.g. Google)
Use your findings to make and record a risk assessment and get authorisation to proceed
Be transparent with your Data Subjects
Further information
Information Commissioner Guidance on cloud computing Analysis of top eight online security issues
Cloud computing: A practical introduction to the legal issues
Watch out for EU updates on cloud computing and possibly standard contract terms
Many thanks
To come by e-mail:* Link to evaluation questionnaire* Link to download the presentation and other
materials, after you have completed the questionnaire
Follow-up questions: [email protected]