
Data Protection webinar: Using cloud services

4th June 2014

Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Programme

* Your Data Protection responsibilities
* Where are the risks?
* What you should be doing
* Security
* Transfers abroad
* Transparency and choice

Alternative title:

Feel the fear

Do it anyway

(probably)

Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

Data Controller / Data Processor

“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.

“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

The cloud relationship

* Data Controller (your organisation): passes data to the cloud provider
* Cloud provider (Data Processor): does the task for the Data Controller’s purposes and passes the results back

Data Processor requirements

* A contract, ‘evidenced in writing’
* Setting out the relationship and how it will work
* Underpinning both parties’ security obligations
* Allowing the Data Controller to verify the Data Processor’s security
* Ideally providing indemnity against any costs resulting from the Data Processor’s failure to deliver
* See checklist

Cloud examples

* Microsoft 365, Google Apps (office programs)
* Huddle, GoToMeeting, Skype (collaboration)
* Amazon (storage & processing capacity)
* Salesforce (contact management database)
* YouTube, Instagram (photo/video storage and sharing)
* MailChimp (bulk mailings)
* SurveyMonkey (online surveys)
* Social networking sites

Cloud computing characteristics

* Cheap and flexible, especially for small organisations
* Available anywhere there is an internet connection
* Suppliers claim good security and service levels
* Based on:
  * Standard offering, usually non-negotiable
  * Shared facilities, controlled by the supplier
  * Location of data irrelevant (and may be obscure)
  * May be layers of sub-contract

Principle 7: Security

* You must take steps to prevent:
  * Unauthorised access
  * Accidental loss or damage
* Your measures must be appropriate
* They must be technical and organisational
* You cannot transfer this responsibility to a Data Processor

Cloud security breaches do occur

* British Pregnancy Advisory Service
  * Website ‘contact us’ form
  * Stored for five years – almost 10,000 records
  * Admin password not changed from default
  * Successfully hacked into and personal data stolen
* Aberdeen City Council
  * Social worker working from home, with permission
  * Computer set to synch with cloud storage location
  * Cloud location not secure – personal data showed up in search

Security when the Data Processor is a cloud provider

* Instruct your supplier to take security precautions – and check that they have done so
* Standard terms and conditions often non-negotiable – due diligence required
* Understand what you are checking
* International standards
  * ISO 27000 series (from British Standards Institute)
    * self-assessed less reliable than certified
    * check credentials of certifying company
    * relevance & scope (ISO 27000 Statement of Applicability)
  * HMG Security Policy Framework (recently revised)
  * SAS70 (US) – auditing process, not security

Potential cost of a breach

* Notification to potentially affected individuals, if appropriate
* Assistance to potentially affected individuals
* Compensation for harm and associated distress
* Damage to business (including reputation)
* Data restoration
* Monetary penalty (up to £500,000)

Principle 8: Transfers abroad

Transfers of data outside the European Economic Area are allowed if:

* the jurisdiction it is going to has an acceptable law
* the recipient in the USA is signed up to Safe Harbor
* a few other options

What else can go wrong?

* Loss of service
  * at their end
  * at your end
* Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
* Contract terms which make the supplier a Data Controller in their own right
* Unclear ownership/location of data and the equipment it is stored on
* Unilateral changes in policy by provider

Principle 1: Transparency & choice

* Transparency: tell people if the data is going abroad & where
  * but not who to if you are using a Data Processor (because there is technically no disclosure)
* Choice: probably unwise, but then you must meet 6th Schedule 2 Condition (legitimate interests)
* Sensitive data: not generally enforced, but possible question of consent

And finally …

* Most countries have laws allowing authorities to access data
* US Patriot Act
  * ostensibly anti-terrorist
  * has also been used in non-terrorist cases
  * supplier may not agree (or even be allowed) to inform customer of access
* Include in risk assessment

So what do you need to do?

* Check the contract (or standard terms and conditions) very carefully on areas like:
  * security
  * location of data (especially if it could be outside the EEA)
  * liability/sub contractors
  * back-up/access
  * copyright (e.g. Google)
* Use your findings to make and record a risk assessment and get authorisation to proceed
* Be transparent with your Data Subjects

Further information

* Information Commissioner
  * Guidance on cloud computing
  * Analysis of top eight online security issues
* Cloud computing: A practical introduction to the legal issues
* Watch out for EU updates on cloud computing and possibly standard contract terms

Many thanks

To come by e-mail:

* Link to evaluation questionnaire
* Link to download the presentation and other materials, after you have completed the questionnaire

Follow-up questions: [email protected]