This document discusses data protection and cloud computing. It begins with an overview of data protection obligations under UK law, including definitions of key terms, notification requirements, and the data protection principles. It then discusses issues around keeping data safe and compliant when using cloud computing services. Specifically, it notes that personal data must not be transferred outside the EEA without adequate protections, and companies must ensure through due diligence and contracts that cloud providers and any subcontractors maintain appropriate security and use data only as instructed. Failure to do so could result in fines or civil liability if a data breach occurs.
Similar to What All Organisations Need to Know About Data Protection and Cloud Computing (Part 1) by Brian Miller Solicitor and Vicki Bowles Barrister (20)
3. DATA PROTECTION
3. The Data Protection
Principles
4. Subject Access
1. Language of Data
Protection
2. Notification
4. Data Protection: Language
• Personal data:
“data which relate to a living individual who can be identified –
a) from those data, or
b) from those data and other information which is in the possession
of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual”
5. Data Protection: Language
• Processing:
“…means obtaining, recording or holding the information or data or carrying
out any operation or set of operations on the information or data, including –
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, Dissemination or
otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the
information or data”
6. Data Protection: Language
• Sensitive Personal Data:
“…means personal data consisting of information as to –
a) the racial or ethnic origin of the data subject,
b) his political opinions,
c) his religious beliefs or other beliefs of a similar nature,
d) whether he is a member of a trade union (within the meaning of the Trade
Union and Labour Relations (Consolidation) Act1992),
e) his physical or mental health or condition,
f) the commission or alleged commission by him of any offence, or
g) any proceedings for any offence committed or alleged to have been
committed by him, the disposal of such proceedings or the sentence of any
court in such proceedings.”
7. Data Protection: Language
• Data Controller:
“…subject to subsection (4), a person who (either alone or jointly or in
common with other persons) determines the purposes for which and the
manner in which any personal data are, or are to be, processed;”
• Data Processor:
“…any person (other than an employee of the data controller) who
processes the data on behalf of the data controller;”
8. Data Protection: Language
• Controller v Processor
– Can have more than one controller for the
same information;
– Key is control;
9. Data Protection: Notification
• All controllers required to “notify” (register) with Information
Commissioners Office (ICO), unless exempt:
– Accounts and records;
– Staff administration;
– Advertising, marketing and PR of business;
– Non-profit membership admin.
• Exemption only applies to registration rather than the whole Act.
10. Obligations: Principles
• Personal data shall be processed fairly and
lawfully, and in particular, shall not be processed
unless –
− At least one of the conditions in Schedule 2 is met, and
− In the case of sensitive personal data, at least one of the
conditions in Schedule 3 is also met.
11. Obligations: Principles
• Personal data shall be obtained only for one or more specified and
lawful purposes, and shall not be further processed in any manner
incompatible with that purpose or those purposes.
• Personal data shall be adequate, relevant and not excessive in
relation to the purpose or purposes for which they are processed.
12. Obligations: Principles
• Personal data shall be accurate, and, where necessary, kept up to
date.
• Personal data processed for any purpose or purposes shall not be
kept for longer than is necessary for that purpose or those purposes.
• Personal data shall be processed in accordance with the rights of
data subjects under this Act.
13. Obligations: Principles
• Appropriate technical and organisational measures shall be taken
against unauthorised or unlawful processing of personal data and
against accidental loss or destruction of, or damage to, personal
data.
• Personal data shall not be transferred to a country or territory
outside the European Economic Area unless that country or territory
ensures an adequate level of protection for the rights and freedoms
of data subjects in relation to the processing of personal data.
14. Obligations: SAR
• Section 7 entitles a data subject to request:
– Whether or not you process their personal data;
– A description of the data held, the purposes for which it
is processed, and the recipients or classes or recipient
to which disclosed;
– Have communicated to them the data held, and any
details of source if known.
15. Obligations: SAR
• If paper files – only if relevant filing system
(the “temp test”).
• Exception where third party personal data is
included and no consent.
• Various other exceptions, e.g. negotiations
and references.
16. Case Study
• British Pregnancy Advisory Service
– Fine £200,000 from ICO
– Website hacked
– BPAS didn’t know what was stored on their website
19. ATTRIBUTIONS/CREDITS
1 Some rights reserved by kevin dooley
2 Some rights reserved by StockMonkeys.com
3 Some rights reserved by StockMonkeys.com
4 Some rights reserved by slightly everything
5 Some rights reserved by kenteegardin
Some rights reserved by BLW Photography
6 Some rights reserved by mwfearnley
7 Some rights reserved by Adikos
8 Some rights reserved by .faramarz
9 Some rights reserved by NHS Confederation
10 Some rights reserved by slightly everything
I would like to thank and credit the following persons for the photographs
provided in some of the slides:
20. 11 Some rights reserved by jovike
12 Some rights reserved by StockMonkeys.com
13 Some rights reserved by deejayres
15 Some rights reserved by jovike
17 Some rights reserved by rodaniel
21. CLOUD COMPUTING:
An Introduction to the Legal Aspects of
Keeping Your Data Safe and Compliant
Brian Miller
Partner, IP & IT
Stone King LLP
22. 1.Is my data safe
2.Is my data kept within the territorial
borders permitted by the Data
Protection Act
3.What are the legal obligations to my
data subjects
Three Things You Need to Know
23. Cloud computing is the name given to the use of computing
resources (hardware and software) that are delivered as a
service over a network (typically the Internet).
(Wikipedia)
25. (1) Security
If cloud provider not using adequate
security, data never safe:
Adequate firewalls
Adequate encryption
Data Protection Act, Seventh Principle:
“Appropriate technical and
organisational measures shall be
taken against unauthorised or
unlawful processing of personal data
and against accidental loss or
destruction of, or damage to,
personal data“
27. How Do I Know If My Supplier Has Secured My
Data?
Data Protection Act, Seventh Principle (again):
If you outsource storage of data, IT and legal experts
must carry out due diligence on:
• Supplier’s systems
• Supplier’s terms and conditions
28. How Do I Know If My Supplier Has Secured My
Data? (cont’d)
Obligations are on both:-
The data processor (the cloud provider)
The data controller (your organisation)
No due diligence => you could be liable if breach
Personal data accessible by a third party
=
Breach of the Data Protection Act
29. • No guarantees they won’t
unless contract says so
• Adequate Encryption
by supplier
by you if confidential
HOW SECURE IS MY
DATA?
Can My Supplier Read
My Data?
31. EXAMPLE
Aid to the Church In Need [link]
• Website hacked
• Donor’s bank details taken
• More than £100K stolen
32. (2) Who Are You
Contracting With?
• May be a number of
• providers involved
• sub-contractors must be
bound by same standards of
– Security
– Confidentiality
33. Main provider needs to carry
can for subcontractors
Difficult to trace if
insolvent or abroad
Unlikely to have direct
contact with them
They are unlikely to have
any legal liability to you
34. (3) Where is My Data?
If data stored or transferred outside EEA, 8th Principle
requires adequate security measures to be in place:
• “Personal data shall not be transferred to a country or
territory outside the EEA unless that country or territory
ensures an adequate level of protection for the rights
and freedoms of data subjects in relation to the
processing of personal data.”
35. Where is My Data (cont’d)?
• ICO recommends getting
• list of countries where data is likely to be processed
• details of the safeguards in place
• ICO requires DP to sign a data processing agreement:
• only to use and disclose personal data in accordance
with your instructions
• to take appropriate security measures to protect the
data
• to get your consent to transfer the data outside EEA
37. Data Breach Examples
2012: NHS Trust £325K for a
serious data breach
•hard disks with sensitive personal data
•ended up on eBay
•fine highest issued by ICO
38. Data Breach Examples
2013: local authority fined £80K by ICO
(sensitive personal data: unencrypted memory stick)
If there is a claim, you do not want to be funding it:
Make sure you get some cyberliability insurance!
39. THREE THINGS TO REMEMBER WHEN PUTTING DATA
IN THE CLOUD…
…carry out IT and legal due diligence on your provider
to check that:
• your data is kept confidential and secure
• not transferred outside of the EEA without
your data subjects’ consent
• where it is, data processing agreements are
also in place with any foreign sub-processors
40. For more information, see Government Papers on
• Cloud Security Guidance
• Cloud (Education apps) Software Services and
the Data Protection Act
• Cloud Security Principles
41. For further information about cloud computing, please see the
following article on Stone King’s website:
•Cloud Computing: What Do I Need to Know?
Brian Miller
Partner
IP, IT & Commercial
Stone King LLP
brianmiller@stoneking.co.uk
IT Solicitor@theitsolicitor
brianmillersolicitor
0207 324 1523
42. ATTRIBUTIONS/CREDITS
1 Some rights reserved by francisco.j.gonzalez
2 Some rights reserved by Marsel Minga
3 Some rights reserved by daniel_iversen
4 Some rights reserved by devdsp
6 Some rights reserved by renaissancechambara
7 Some rights reserved by get directly down
12 +13 Some rights reserved by Gunnar Wrobel
9 + 10 Some rights reserved by Stefan Baudy
12 Some rights reserved by IntelFreePress
Some rights reserved by wwarby
13 Some rights reserved by IntelFreePress
Some rights reserved by wwarby
14 Some rights reserved by geezaweezer
I would like to thank and credit the following persons for the photographs
provided in some of the slides:
Editor's Notes
(4) Refers to processing for purposes required under an enactment
Good afternoon everybody. I’d like to talk to you today about the legal and security aspects of keeping your data safe and compliant in the cloud.
There are essentially three things that you need to be concerned about when putting your data in the cloud: [FIRST]
Is my data safe, ie. are the cloud vendor’s systems secure from a technical point of view
Is my data kept within the territorial borders permitted by the Data Protection Act
What are my legal obligations to my data subjects under the Act when putting their data in the cloud.
=> Definition (First, What is Cloud Computing?)
[NEXT SLIDE]
WHAT IS CLOUD COMPUTING?
[READ SLIDE]
“Cloud computing is the name given to the use of computing resources (both hardware and software) that are delivered as a service over a network (typically the Internet). “
The name (comes from):
the use of a cloud-shaped symbol in system diagrams when flowcharting cloud computing networks.
What does cloud computing really mean: well what it’s all about is putting your data in the hands of a remote service provider.
Examples
GMail (all your email is replicated on Google’s cloud server)
Sky Drive (also owned by Google): is a large hard disk in the cloud where your data is stored; or
e-payslips (a system we use at SK), where payslips are hosted and delivered to staff via their desktops.
[NEXT SLIDE]
At least three types of cloud networks:
Public
Private
Hybrid
With a public cloud
data is shared at a data centre with many other customers. Eg. Google Docs, where you data is shared with a number of other Google users on the same server
main benefit: economies of scale (costs are spread across all users and is therefore cheap to operate and buy).
downside is privacy: if a government authority obtains a court order for disclosure in relation to another user on same server=> your data could be scrutinized.
In a private cloud
data is in an environment built exclusively for your organisation, which means you get all the benefits of cloud computing, whilst getting privacy, because data is not shared on a server with others
Downside: cost much higher
A hybrid cloud
traditional private cloud service with resources of public provider (such as Amazon)
Advantages:
scalability and comfort of using a reputable player; and
privacy of a private cloud.
Example: Rackspace (own server; locked in cage, very secure environment etc)
[NEXT SLIDE]
SECURITY
If your provider is not employing sufficient security measures =>your data will never be safe. Eg:
inadequate firewalls are used, or
the supplier employs inadequate encryption
Seventh Principle provides.. [ON SCREEN- READ]
[NEXT SLIDE]
If you want to see what a secure data centre looks like, take a look at Facebook’s..
(this is probably more a shot of the ventilation system in there, but you get the idea. I understand armed guards patrol outside..)
[NEXT SLIDE]
I would like now to touch upon the legal aspects of cloud computing. The first point to consider is whether a supplier has confirmed in a contract that it has secured your data.
Seventh Principle of the Data Protection Act (which we visited earlier) affects your organisation if you outsource storage of your customers’ or donors’ data to the cloud
IT and legal experts must carry out due diligence on:
the supplier's systems to ensure there is adequate protection for your data from a security point of view (as we learnt earlier); and
(2) the supplier’s terms and conditions: these should be DPA compliant (ie. the requisite promises about data security and international transfers of data (which I will come on to) are given)
You cannot take provider’s word all is ok.
If you cannot show you carried out due diligence and something goes wrong => ICO could hold your organisation liable.
Cannot blame outsourced entity - the ICO will not accept this.
[NEXT PAGE]
I would like now to touch upon the legal aspects of cloud computing. The first point to consider is whether a supplier has confirmed in a contract that it has secured your data.
Seventh Principle of the Data Protection Act (which we visited earlier) affects your organisation if you outsource storage of your customers’ or donors’ data to the cloud
IT and legal experts must carry out due diligence on:
the supplier's systems to ensure there is adequate protection for your data from a security point of view (as we learnt earlier); and
(2) the supplier’s terms and conditions: these should be DPA compliant (ie. the requisite promises about data security and international transfers of data (which I will come on to) are given)
You cannot take provider’s word all is ok.
If you cannot show you carried out due diligence and something goes wrong => ICO could hold your organisation liable.
Cannot blame outsourced entity - the ICO will not accept this.
[NEXT PAGE]
How Secure Is My Data?
Not very unless encrypted to a sufficiently high level where only persons with a ‘need to know’ have access.
If supplier has encrypted your data, this should suffice if they have used a high enough encryption standard and measures, BUT
Will not prevent supplier from reading your data (key to unlock)
not prevent governmental agencies from seeing your data (eg. if there is a court order and your data is on a server with another)
won’t prevent governments snooping on your data, as we learnt from the Snowden revelations
[GCHQ has a back door to RSA encryption keys, the key fobs used by many companies to access their online networks]
An example of what can happen if, for instance, your website is insecure is that a third party can hack in and
deface your site ie. replace the text there with its own (and let’s face it, it’s not going to be complimentary..),
steal valuable personal data,
sell it to others or
use it for its own advantage, eg. for the purposes of identity theft.
The damage to an organisation’s reputation in these circumstances is likely to be severe.
If you want to read about just what can happen to a charity and its donors if its website gets hacked, take a look at the article written by Neville Kyrke-Smith, the national director of Aid to the Church in Need: details of the link are on screen. It is a salutary tale and makes for very interesting reading. I recommend you all read it (if for nothing else) to learn how to deal with a data breach if it happens (details of which are beyond the scope of this seminar).
An example of what can happen if, for instance, your website is insecure is that a third party can hack in and
deface your site ie. replace the text there with its own (and let’s face it, it’s not going to be complimentary..),
steal valuable personal data,
sell it to others or
use it for its own advantage, eg. for the purposes of identity theft.
The damage to an organisation’s reputation in these circumstances is likely to be severe.
If you want to read about just what can happen to a charity and its donors if its website gets hacked, take a look at the article written by Neville Kyrke-Smith, the national director of Aid to the Church in Need: details of the link are on screen. It is a salutary tale and makes for very interesting reading. I recommend you all read it (if for nothing else) to learn how to deal with a data breach if it happens (details of which are beyond the scope of this seminar).
The next point to consider when putting your data in the cloud is..:
Who Are You Contracting With
May be a number of sub-contractors involved
won’t know about all or possibly any of them.
Seek confirmation from your cloud provider that any sub-contractors hired are bound are by same standards of:
Security
Confidentiality,
just as your provider hopefully is with you.
Make sure these points are in contract.
Main provider also needs to be responsible for the acts and omissions of its sub-contractors:
It may be very difficult to trace any subcontractors if their ship goes down
You are unlikely to have a direct contract with them (as the LawCloud terms showed) and therefore
they are unlikely to have any legal liability to your organisation = > no legal right of redress for you.
[NEXT SLIDE]
The next point to consider when putting your data in the cloud is..:
Who Are You Contracting With
May be a number of sub-contractors involved
won’t know about all or possibly any of them.
Seek confirmation from your cloud provider that any sub-contractors hired are bound are by same standards of:
Security
Confidentiality,
just as your provider hopefully is with you.
Make sure these points are in contract.
Main provider also needs to be responsible for the acts and omissions of its sub-contractors:
It may be very difficult to trace any subcontractors if their ship goes down
You are unlikely to have a direct contract with them (as the LawCloud terms showed) and therefore
they are unlikely to have any legal liability to your organisation = > no legal right of redress for you.
[NEXT SLIDE]
Third point to consider is
WHERE IS MY DATA?
If data is stored or transferred by your provider outside of the European Economic Area (or EEA):
Eighth Principle requires that [READ SCREEN]
So unless you can satisfy yourself that those measures and protections are in place, you should not use a provider that allows your data to be transferred outside of the EEA. I will come on to how you can make these checks in a moment.
ICO recommends getting from the provider:
a list of countries to which data may be transferred, and
details of the safeguards in place between your provider and any foreign sub-processor
An expert can check all the requirements have been met (eg. ‘model EU clauses’)
ICO also requires that a written contract be entered into with the processor (a data processing agreement) containing the following clauses:
Processor only uses and discloses personal data in accordance with your instructions;
must take appropriate security measures to protect data; and
it must get consent to transfer data outside EEA
[NEXT SLIDE]
(Fifth and lastly) Data Breaches
What are the consequences for
failing to secure data from third parties, or
Allowing a provider to make a transfer outside of the EEA without the data subjects’ consent?
THE ANSWER IS:
Fine up to £500K for serious data breaches.
Civil actions by data subjects
All of this can therefore get very expensive, particularly with a large data breach involving a large number of data subjects.
Examples of Data Breaches
October 2013: local authority fined £80K by the ICO (loss of sensitive personal data about children with special needs on an unencrypted memory stick).
2012: an NHS Trust fined £325K for a serious data breach
IT contractor was hired to destroy around 1000 hard drives kept in a secure location
It smuggled 252 of them out of the building
some ended up on internet auction sites;
Disks contained confidential details about patients with HIV, including:
patients’ medical conditions and treatment
disability living allowance forms
children’s reports.
The fine is the highest issued by the Information Commissioner’s Office since granted the power to issue fines in April 2010.
If all else fails and there is a claim, you want to be sure you are covered. So make sure you get some cyberliability insurance!
Examples of Data Breaches
October 2013: local authority fined £80K by the ICO (loss of sensitive personal data about children with special needs on an unencrypted memory stick).
2012: an NHS Trust fined £325K for a serious data breach
IT contractor was hired to destroy around 1000 hard drives kept in a secure location
It smuggled 252 of them out of the building
some ended up on internet auction sites;
Disks contained confidential details about patients with HIV, including:
patients’ medical conditions and treatment
disability living allowance forms
children’s reports.
The fine is the highest issued by the Information Commissioner’s Office since granted the power to issue fines in April 2010.
If all else fails and there is a claim, you want to be sure you are covered. So make sure you get some cyberliability insurance!
WRAP.
If you remember nothing else from this seminar, try and just take away these three things.
If you choose to put your data in the cloud, carry out IT and legal due diligence on your provider to check that their systems and terms require that:
data is kept confidential and secure;
it is not transferred outside of the EEA without your/data subjects’ consent; and
any processors outside the EEA have adequate security measures in place in accordance with the Act to safeguard your data
Government has now issued its own guidance for consumers and business and which can be found on its website using the link on screen.
I will circulate an electronic copy of this presentation so you can access the links on screen.
[NEXT SLIDE]
WRAP.
If you remember nothing else from this seminar, try and just take away these three things.
If you choose to put your data in the cloud, carry out IT and legal due diligence on your provider to check that their systems and terms require that:
data is kept confidential and secure;
it is not transferred outside of the EEA without your/data subjects’ consent; and
any processors outside the EEA have adequate security measures in place in accordance with the Act to safeguard your data
Government has now issued its own guidance for consumers and business and which can be found on its website using the link on screen.
I will circulate an electronic copy of this presentation so you can access the links on screen.
[NEXT SLIDE]