Data Protection in the Cloud
Kawser Hamid
Lead Policy Officer
Information Commissioner’s Office
What I will talk about
•How does the Data Protection Act apply to the cloud?
•What are the key issues which need to be add...
Data Protection Act - background
• Replaced the Data Protection Act 1984
• Framework for the use of personal data
• Techno...
How does the Data Protection Act apply
to the cloud?
Q: What is the DPA about?
A: The DPA applies to the processing of per...
Key concepts: data
Data is information within:
• A relevant filing system (or with that intention) i.e. highly structured ...
Key concepts: personal data
The DPA defines personal data as:
“data which relate to a living individual who can be identif...
Other key concepts
• Processing – basically anything you can do to personal data e.g.
hold, disclose, amend or delete
• Da...
The eight principles
The DPA is based on eight principles of good personal data handling.
The data must be:
1. Fairly and ...
Seventh principle
The seventh principle states that:
“Appropriate technical and organisational measures shall be
taken aga...
Seventh principle
Deciding on what is “appropriate”:
• Nature of the information
• Harm which may result
Types of measures...
Eighth principle
The eighth principle states that:
“Personal data shall not be transferred to a country or
territory outsi...
Eighth principle
How to ensure adequacy:
• General factors to consider
• Non-EEA countries already considered adequate
• E...
So how does this apply to the cloud?
• Information in the cloud is data because it’s computerised.
• Much of the informati...
What are the key issues which need
to be addressed?
• Large cloud service providers are dictating the terms and
conditions...
What are the potential solutions?
Cloud service providers proactively addressing data protection issues:
• Flexibility ove...
ICO guidance
New cloud sections on our website:
For organisations -
“Guidance on the use of cloud computing”
http://www.ic...
Guidance on the use of cloud
computing – key points
Select which data to move to the cloud
Select the right the cloud prov...
How might future changes in data
protection law change things?
New (draft) Data Protection Regulation:
• Article 17 – Righ...
www.twitter.com/iconews
Keep in touch
Email: casework@ico.gsi.gov.uk
Subscribe to our e-newsletter at www.ico.gov.uk
or fi...
Upcoming SlideShare
Loading in …5
×

Kawser Hamid : ICO and Data Protection in the Cloud

331 views
277 views

Published on

Kawser Hamid Lead Policy Officer at the Information Commissioner's Office talks about the challenges of Cloud Computing and complying with Data Protection Act

A recording of the Northwest Regional meeting of the Institute of Information Security Professionals in Manchester on 23rd May 2013. Copyright of this presentation is held by the author, Kawser Hamid.

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
331
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
5
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • APOLOGIES KNOW DP ALREADY
  • RFS - TEMP TEST PA – NOT IN RFS / UNSTRUCTURED – IS DATA ACCESSIBLE R – HISTORIC ACCESS RIGHTS – DPA CANT GIVE LESS MST RELEVANT TO CLOUD: CLOUD CLEARLY COMPUTERISED - THEREFORE WILL ALWAYS BE DATA
  • BASICALLY ANY INFORMATION THAT IDENTIFIES A LIVING INDIVIDUAL AND TELLS YOU SOMETHING ABOUT THEM – EG HEALTH INFORMATION SENSITIVE PERSONAL DATA IE Racial or ethnic origin Political opinions Religious opinions (or similar in nature) Membership of a trade union Physical or mental condition Sexual life Commission (or alleged commission) of an offence Any proceedings for any offence committed (or alleged to have been committed), the disposal of such proceedings or the sentence of any court in such proceedings.
  • DC – legal liability THIRD PARITES EXCLUDE DATA SUBJECT DATA PROCESSOR
  • Most self explanatory – but require little more explaining PRINCIPLE 1 and some particularly relevant to CLOUD C PRINCIPLE 7 AND 8
  • regard to the state of technological development and the cost of implementing any measures APPROPRIATE TO: NATURE OF INFORMATION, AND HARM WHICH MAY RESULT NOT ONE SIZE FITS ALL – MORE SENSITIVE / GREATER HARM = BETTER SECURITY VICE VERSA MEASURES: ORG - EG APPOINT A PERSON / DEPARTMENT SPECIFIC RESPONSIBILITY AND HAVE POLICY STAFF – AWARE OF POLICIES AND TRAINED ON DPA RESTRICTIONS ON USE OF PD PHYSICAL – LOCKS / ALARMS / CCTV / DISPOSAL - SHREDDING COMPUTER – PASSWORDS / ENCRYPTION PRIVACY BY DESIGN – PETS – DATA MINMISATION PSEUDONYMS BLIND SIGNATURES TRUSTED THIRD PARTIES ENCRYPTION PRIVACY IMPACT ASSESSMENTS
  • TRANSFER: NOT TRANSIT THROUGH – ARRIVAL AT ADEQUACY: GENERAL - NATURE OF INFO / HOW DATA USED / LAWS PRACTICES OF COUNTRY (ENFORCABLE /) NON EEA OK – INCLUDE ARGENTINA / CANADA / USA – COMPANIES OK UNDER SAFE HABOR SCHEME – SIGN UP PRINCIPLE AND ACCOUNTABLE TO FEDERAL TRADE COM OR OTHER OVERSIGHT MODEL – IF YOU USE CLAUSES DON’T NEED TO MAKE OWN ADEQUACY ASSESSMENT / CANNOT CHANGE PARTS OF CLAUSE / BCR – APPLIES TO TRANSFER WITHIN MULTINATIONAL COMPANIES / MUST BE APPROVED BY EURO DP REGULATOR EG ICO LEGAL CLAIMS NECESARY: LEGAL PROCEEDINGS LEGAL ADVICE DEFENC LEGAL RIGHTS
  • DC/DP – DC LEGALLY RESPONSIBLE NOT DP
  • MAIN ONES: Large cloud service providers are dictating the terms – INCOMPATIBLE WITH STANDARD DPA DC/DP MODEL A cloud service provider may have its servers anywhere around the world, therefore knowing exactly WHERE personal data is being processed will be an issue in terms of the 8 th principle. SUBCRONTRACTORS – DON’T KNOW WHO IS ACTUALLY DOING THE REAL PROCESSING OF DATA – SAAS,PAAS,IAAS – DROP BOX/FACEBOOK/NETFLIX - 8 TH PRINCIPLE INFORMATION GOVERNANCE ENSURE SECURITY – DC MUST TAKE REASONABLE STEPS – BUT WHAT ARE THEY WHO CAN SEE THE DATA WHO HAS ACCESS TO THE DATA WHAT HAS IF CLOUD FAILS – RESILIENCE? INTHE CLOUD YOU HAVE NO DIRECT CONTROL! PAT ACT – DP WILL HAND OVER STUFF TO US AUTHORITY WITHOUT DC APPROVAL – DC CLIENT LEGAL CONCERNS Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001
  • PROVIDER ACTION - Transparency about the location of processing and by whom (8 th ). - Security audit (7 th ) independent third-party to conduct a detailed security audit of the service and be able to provide a copy of this assessment to prospective cloud customers. CUSTOMER POWER – MARKET SOLUTION, IN THEIR COMMERCIAL INTERESTS WE DON’T TAKE UP THEIR SERVICES THEY LOSE BUSINESS MAY FORCE A CHANGE IN THEIR STANCE. ICO ACTION: BE CLEAR – pat act PROVIDER IS DC FOR DISCLOSURE PURCHASER NO ACTION SIMPLY FOR CHOOSING NOT LIKELY TO TAKE ACTION AGAINST PROVIDER BECAUSE HAD TO COMPLY SENSITIVE PD EMPOWERING PURCHASER CLOUD STANDARDS - PROVIDERS SIGNING UP TO AN INDEPENDENTLY RECOGNISED STANDARD Standard data protection contract clauses PRIVACY LEVEL AGREEMENT BY CLOUD SECURITY ALLIANCE EUROPEAN COMMISSION – EURO-WIDE CERTIFICATION / STANDARD T/C
  •   Other useful stuff eg Article 29 Opinion on cloud computing QMUL Cloud Legal Project CPNI’s information security briefing on cloud computing Public 1. Think carefully about who can access your files 2. Choose your passwords carefully 3. Check the storage provider’s terms and conditions and privacy notice
  • Select which data to move to the cloud   Person with DP / Privacy responsibilities needs to consider:   Not all needs to go in cloud – may decide low sensitivity PD can go in, high sensitivity stays on local servers May decide that all PD is going in but certain categories require higher security Need to review all PD in DC possession and decide which should go in cloud / what level of security and keep record of decisions Need to assess privacy implications – cloud use can create metadata which may be personal data – consider using a PIA   Selecting cloud provider   Once selection made, DPO needs to liaise with procurement staff to select appropriate cloud provider:   What type of cloud service / provider   Different types of cloud eg IAAS, PAAS, SAAS – some may specialise further - decide which is right   Transfers outside the EEA   Does the cloud provider have servers outside EEA? If so, how can P8 be complied with? Does provider have policy on PAT ACT or similar requests?   Security   What guarantees is the provider giving in relation to PD:   Confidentiality – will the provider be able to access the PD? Integrity - what happens if providers systems go down, is PD recoverable / how quickly? Is data deleted completely when required? Availability – can provider cope with fluctuations in demand / can users access when they need it? Is PD encrypted?   Monitoring performance   How can see if the provider is living up to their guarantees (P7 – reasonable steps):   Must be a continuing process throughout time with provider Is it possible for DC to do an inspection? If not, is a third party auditor used, if so how detailed will report be that’s given to DC? Is a standard being applied?   Contract   P7 requires that a written contract is in place with your provider:   Are the terms and conditions fixed by the provider or is there room to negotiate? Does the contract compel the provider to deliver your needs?  
  • The European Commission has recently released its proposal for a new general Data Protection Regulation CAN SAY TOO MUCH ABOUT THIS BECAUSE ITS STILL A PROPOSAL Article 30 Security of processing (3) The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the technical and organisational measures referred to in paragraphs 1 and 2, including the determinations of what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default , unless paragraph 4 applies. Art 77(1) Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with this Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. REPRESENTS BIG CHANGE – IF STAYS AS IS IN REG
  • Contact US FURTHER INFORMATION
  • Kawser Hamid : ICO and Data Protection in the Cloud

    1. 1. Data Protection in the Cloud Kawser Hamid Lead Policy Officer Information Commissioner’s Office
    2. 2. What I will talk about •How does the Data Protection Act apply to the cloud? •What are the key issues which need to be addressed? •What are the potential solutions? •Key points from our cloud guidance •How might future changes in data protection law change things?
    3. 3. Data Protection Act - background • Replaced the Data Protection Act 1984 • Framework for the use of personal data • Technologically neutral • Implements the 1995 EU Directive on Data Protection 95/46/EC
    4. 4. How does the Data Protection Act apply to the cloud? Q: What is the DPA about? A: The DPA applies to the processing of personal data. What does this mean?
    5. 5. Key concepts: data Data is information within: • A relevant filing system (or with that intention) i.e. highly structured and readily accessible paper filing system • Any type of information held by a body subject to the Freedom of information Act • An accessible record ie health, education, housing and social services records • Equipment operating automatically in response to instructions (or with that intention) i.e. computerised format
    6. 6. Key concepts: personal data The DPA defines personal data as: “data which relate to a living individual who can be identified- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
    7. 7. Other key concepts • Processing – basically anything you can do to personal data e.g. hold, disclose, amend or delete • Data Subject - an individual who is the subject of personal data • Data Controller – a person or body which decides what happens to the personal data it processes • Data Processor - a person or body (other than an employee of the data controller) who processes personal data on behalf of the data controller • The DPA eight principles
    8. 8. The eight principles The DPA is based on eight principles of good personal data handling. The data must be: 1. Fairly and lawfully processed (and an appropriate Schedule 2 and 3 condition for processing) 2. Processed for limited purposes and not further processed in a manner which is incompatible with those purposes 3. Adequate, relevant and not excessive 4. Accurate and up to date 5. Not kept longer than necessary 6. Processed in accordance with the individual’s rights 7. Secure 8. Not transferred to countries outside of European Economic Area unless adequate protection is provided
    9. 9. Seventh principle The seventh principle states that: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
    10. 10. Seventh principle Deciding on what is “appropriate”: • Nature of the information • Harm which may result Types of measures: • Management and organisational • Staff • Physical security • Computer security If using a data processor, the data controller must: • Make sure that they choose a processor who can offer an adequate level of security • Have a written contact in place with the processor • Check that the processor is complying with the security elements of the contract
    11. 11. Eighth principle The eighth principle states that: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
    12. 12. Eighth principle How to ensure adequacy: • General factors to consider • Non-EEA countries already considered adequate • European Commission model contract clauses • Binding Corporate Rules
    13. 13. So how does this apply to the cloud? • Information in the cloud is data because it’s computerised. • Much of the information bodies will use in the cloud is about living identifiable people which says something about them – therefore is personal data. • The people themselves will be data subjects. • Something is going to happen to the personal data – therefore is being processed. • A cloud service purchaser will be the data controller because it will make the decisions about how the personal data is used. • A cloud service provider will be the data processor because it is acting upon the instructions of the data controller. • The cloud service provider will have to provide adequate security (7th principle). • Cloud service providers may transfer personal data outside the EEA (8th principle).
    14. 14. What are the key issues which need to be addressed? • Large cloud service providers are dictating the terms and conditions. • A cloud service provider may have its servers anywhere around the world. • Many cloud service providers use chains of subcontractors. • How does a data controller ensure information governance? • Many of the large cloud service providers are US companies and are subject to the USA PATRIOT Act.
    15. 15. What are the potential solutions? Cloud service providers proactively addressing data protection issues: • Flexibility over terms and conditions Consumer power: • Cloud service purchasers have to demand appropriate data protection standards. ICO action: • Be clear about what we think • Empowering cloud service purchasers to make the right choices
    16. 16. ICO guidance New cloud sections on our website: For organisations - “Guidance on the use of cloud computing” http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/ cloud_computing.aspx For the public – Guidance on cloud storage http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cloud_comp uting.aspx
    17. 17. Guidance on the use of cloud computing – key points Select which data to move to the cloud Select the right the cloud provider: • What type of provider • Transfers outside the EEA • Security • Monitoring performance • Contracts
    18. 18. How might future changes in data protection law change things? New (draft) Data Protection Regulation: • Article 17 – Right to be forgotten. • Article 18 – Right to data portability. • Article 30 - the European Commission may specify the technical and organisational measures required in a particular sector. • Article 31 – Breach notification • Article 33 – Mandatory data protection impact assessments for processing that represents specific risks to the rights and freedoms of data subjects. • Article 34 - Prior authorisation and consultation for international transfers. • Article 77 - places liability on data processors as well as data controllers.
    19. 19. www.twitter.com/iconews Keep in touch Email: casework@ico.gsi.gov.uk Subscribe to our e-newsletter at www.ico.gov.uk or find us on…

    ×