Transcript of Eduserv Symposium 2013 - New technologies & paradigms, old laws
19/05/2013

New Technologies & Paradigms, Old Laws
Kuan Hon, Independent Consultant
PhD Candidate, QMUL
Eduserv Symposium 2013, London, 16 May 2013
@kuan0

Outline
• Introduction
• Cloud
• Open data, big data

Introduction
• Self [2 hats, 4 clouds, 3 weasels]
• Attendees?

Legal risks of new tech
Risk pyramid (figure): Legal / Reputational / [Public trust] etc etc

Communication & Mindsets

Technologists
Binary, 1s & 0s

Lawyers
(Image reproduced by kind permission of Firebox.com)
Certainty? Hah! ‘It depends…’
Interpretation, context, probabilities

Skills
For legal (& many other) issues: know WHO to ask, & WHEN, & WHAT to tell ‘em!

WHO: Lawyers
WHEN: ASAP!
WHAT: Your role
HOW: Money!

Cloud / Open data / Big data

Laws & the internet

Cloud computing & law
Risk pyramid (figure): Laws / Reputational / [Public trust] etc etc

Let your lawyer do the worrying…

Cloud computing
• Legal risks - brief lawyers on:
– what’s cloud?
• recap
• NB layers
• 12 Cs; cf traditional outsourcing
– what do you want to use it for?
• requirements, risk tolerance
Diagram: User ---- DropBox (SaaS) ---- Amazon (IaaS)

Cloud legal issues
• Lots! – IP, competition – no time…
– see cloudlegalproject.org + book
• Pre-contract checks + contract
• For public sector:
– government policy
– CloudStore

Location

Data location, me & you
• Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless:
– national security
– data protection laws
• Data protection – cloud guidance
– Article 29 WP opinion
– UK ICO guidance

Law vs IT
“Technical & organisational measures”
IT security & IT “data protection”
“Data protection” (law)

Data protection laws: “Personal data” (cf anonymous data)

EU Data Protection Directive
Data export restriction: NO transfer of PD outside European Economic Area

Unless…
• Exception
• “Adequate protection” / “adequate safeguards”
• But problems…

So, in practice…
• Regional clouds - easy, safe

EEA, EU, Europe… http://bit.ly/eu-venn for large version & table

‘Transfer’ – physical location
• Gear: storage / processing; caches
• People: remote access

Gimme gimme gimme your data locations…
(Image from Beeld en Geluidwiki)
• + Names of all “sub-contractors”
• Follow this… + other DP regulators’ recommendations (eg liability chain) - public cloud!

Traditional outsourcing / Cloud (analogy)
Cook food yourself | Hire caterers to cook for you on your instructions
Rent kitchen, cook food yourself | Get take-out or ready meal, cook it yourself

Key tensions
• “Guaranteed” security / liability
– should be possible – but will cost!
– cheap / free public cloud model
• Control of supply / contract chain
– will big players be the winners?

“It’s unworkable, so just ignore it?”

Draft Data Protection Regulation
Up to 2% annual global turnover

Good intentions… Flames of hell…?

Cloud contracts
• 3 aspects:
– pre-contract due diligence
– contract terms
– post-contract – monitoring etc
• See negotiated contracts article
– “no names” interviews, FOI etc
– Forbes report

Standard terms
• Providers’ standard terms
– weighted; customer-appropriate?
• Negotiable? – customer / deal size
• Gov / banks - trad. IT outsourcing
– cloud-appropriate?
• Customer process issue – bypass IT, legal!

Pre-contract due diligence
• If personal data – all sub-providers’ names; locations; security
• Lock-in and exit – practical: test data portability in advance (NB fake data!)
• Security – pen testing, certifications?
• NB backups
• + Post-contract - security audits etc
• ENISA papers (hunt!)

Contract terms
• If personal data:
– choice of provider (security), contract requirements: “instructions”, security
• More generally, some key issues:
– provider liability (vs price)
– lock-in – term, termination; exit terms
– security – confidentiality; audit rights?
– right to change terms? (cf G-Cloud…)

G-Cloud: CloudStore
• Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT
• Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June)
• NB overlay approach & supplier terms:
– get advice on own specific data type/use
– see G-Cloud paper

Cloud / Open data / Big data

Protection of Freedoms Act
• s 102 amends FOIA
– datasets – electronic, reusable form
– open licensing – allow reuse (fees?)
• In force May/June…?
– Draft Code of Practice – consultation
– ICO publication scheme, guidance
• What datasets, how to handle?

Open data vs personal data
• Anonymise any PD before release
• Tricky! eg Sweeney etc research
• Big, eg EE / Ipsos Mori! But worthwhile
• ICO Code of Practice (full disclosure..) – limited controlled release, vs fully public
• UK Anonymisation Network (2 years)
– anonymisation clinics – 28 June

STOP PRESS
• Shakespeare review of PSI, 15 May 2013 – Deloitte market assessment
– His summary in the Guardian
• Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…)
– “Following 'best practice' guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.”

Cloud / Open data / Big data

Big data vs personal data
• Data protection compliance (eg security) & anonymisation, again…
• Less data good?
• Other issues? eg IP

New technologies and paradigms, old laws

Old laws
• Outdated assumptions
• Appropriate to new paradigms??
• But - the law is the law!
• Until laws are updated properly…
• Same ol’ strategy still sensible:
– RRRR + EEEE

Key takeaways 1
• RRRR:
– requirements evaluation, for
– real life intended use
– review & understand tech / model
– risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case)

Key takeaways 2
• EEEE – get:
– expert input / advice – legal, IT, risk, security, stats etc
– based on exact data type, use case
– explain the tech / model properly
– early, not last minute or after!

Thank you!
Kuan Hon
Twitter: @kuan0 | Email: k @ domain below
kuan0.com/publications.html | blog.kuan0.com
Half lawyer | half geek | mostly harmless