Privacy by Design in the Clouds:You Can’t Outsource Accountability                 David Goodis            Director of Leg...
Cloud Computing and Deployment• Cloud computing – convenient, on-demand  network access to a shared pool of computing  res...
The Power and Promise of Cloud         Computing•   Flexibility•   Better reliability and security•   Enhanced collaborati...
The Cloud and Privacy Concerns• Fraud, confidentiality and security concerns are  inhibiting confidence, trust, and the gr...
You can outsource services …… but you can’t outsource     accountabilityYou always remain accountable
Privacy by Design Meets the Cloud:  Current and Future Privacy Challenges• What is Privacy by Design? building privacy int...
Privacy by Design:            The 7 Foundational Principles1. Proactive not Reactive:      Preventative, not Remedial;2. P...
Privacy by Design Meets the CloudSome things to consider: • Exercise due diligence • Conduct a Privacy Impact Assessment •...
Contractual Provisions to Consider• Service provider should not use PI except as necessary in providing  services• Provide...
USA Patriot Act and Cloud Computing• BC, NS legislation restricts government’s ability to  outsource beyond Canadian borde...
Privacy by Design    in Action
Privacy in the Clouds• The 21st Century  Privacy Challenge;• Creating a User-Centric  Identity Management  Infrastructure;...
Cloud Computing Architecture and Privacy• Cloud Delivery Models• Use cloud in privacy  protective manner – user  control• ...
Conclusions• Cloud computing has many benefits and risks• You can outsource your services but not your  accountability• Co...
How to Contact UsDavid GoodisDirector of Legal Services andGeneral CounselInformation & Privacy Commissioner of Ontario2 B...
MISA Cloud Workshop_ ipc privacy in the cloud
Upcoming SlideShare
Loading in...5
×

MISA Cloud Workshop_ ipc privacy in the cloud

918

Published on

Published in: Spiritual, Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
918
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
16
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

MISA Cloud Workshop_ ipc privacy in the cloud

  1. 1. Privacy by Design in the Clouds:You Can’t Outsource Accountability David Goodis Director of Legal Services and General CounselInformation and Privacy Commissioner of Ontario Cloud Computing - 101 and Beyond Municipal Information Systems Association, Ontario April 11, 2012
  2. 2. Cloud Computing and Deployment• Cloud computing – convenient, on-demand network access to a shared pool of computing resources• Examples: – Public Cloud – Private Cloud – Community Cloud – Hybrid Cloud
  3. 3. The Power and Promise of Cloud Computing• Flexibility• Better reliability and security• Enhanced collaboration• Efficiency in deployment• Portability• Potential cost savings• Simpler devices
  4. 4. The Cloud and Privacy Concerns• Fraud, confidentiality and security concerns are inhibiting confidence, trust, and the growth of cloud computing• Fears of surveillance and excessive collection, use and disclosure of personal information by others are also diminishing confidence and use• Lack of individual user empowerment and control – Uncertainty as to location of data, rights to data• Function creep, power asymmetries, discrimination• Data breach notification• Proper data return and destruction• Governing law
  5. 5. You can outsource services …… but you can’t outsource accountabilityYou always remain accountable
  6. 6. Privacy by Design Meets the Cloud: Current and Future Privacy Challenges• What is Privacy by Design? building privacy into technology from the ground up• The goal is to establish trust in: • Data (that travels through the cloud) • Personal devices (that interact with cloud-based services) • Software • Service providers
  7. 7. Privacy by Design: The 7 Foundational Principles1. Proactive not Reactive: Preventative, not Remedial;2. Privacy as the Default setting;3. Privacy Embedded into Design;4. Full Functionality: Positive-Sum, not Zero-Sum;5. End-to-End Security: Full Lifecycle Protection;6. Visibility and Transparency: Keep it Open;7. Respect for User Privacy: Keep it User-Centric. www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf
  8. 8. Privacy by Design Meets the CloudSome things to consider: • Exercise due diligence • Conduct a Privacy Impact Assessment • Use identifying information only when necessary • Identify and minimize privacy and security risks • Use privacy enhancing technological tools • Ensure transparency, notice, education, awareness • Develop a privacy breach management plan • Create and enforce contractual clauses
  9. 9. Contractual Provisions to Consider• Service provider should not use PI except as necessary in providing services• Provider should not improperly disclose PI• Provider must employ safeguards to ensure PI is retained, transferred and disposed of securely• Provider must notify the organization immediately of any order or other requirement to compel production of PI• Provider must notify the organization immediately if PI is stolen, lost, accessed by unauthorized persons• Implement oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement• No one on behalf of provider should have access to PI unless that person agrees to comply with restrictions in the agreement.
  10. 10. USA Patriot Act and Cloud Computing• BC, NS legislation restricts government’s ability to outsource beyond Canadian border• There will always be laws that allow law enforcement to gain access to information in their jurisdictions – the important question is what steps can an organization take to help ensure privacy and security, regardless of jurisdiction• Organizations considering outsourcing or cloud computing should ensure accountability through appropriate contractual provisions and a Privacy by Design approach that ensures privacy is built in as an integral part of the proposed technologies and business practices
  11. 11. Privacy by Design in Action
  12. 12. Privacy in the Clouds• The 21st Century Privacy Challenge;• Creating a User-Centric Identity Management Infrastructure;• Using Technology Building Blocks;• A Call to Action. www.ipc.on.ca/images/Resources%5Cprivacyintheclouds.pdf
  13. 13. Cloud Computing Architecture and Privacy• Cloud Delivery Models• Use cloud in privacy protective manner – user control• e.g. encryption, segregation www.ipc.on.ca/images/Resources/pbd-NEC-cloud.pdf
  14. 14. Conclusions• Cloud computing has many benefits and risks• You can outsource your services but not your accountability• Conduct proper due diligence on your cloud provider• Ensure you have the appropriate contractual provisions in place• Build PbD into the cloud infrastructure• Embed privacy as a core functionality: the future of privacy may depend on it!
  15. 15. How to Contact UsDavid GoodisDirector of Legal Services andGeneral CounselInformation & Privacy Commissioner of Ontario2 Bloor Street East, Suite 1400Toronto, Ontario, CanadaM4W 1A8Phone: (416) 326-3948 / 1-800-387-0073Web: www.ipc.on.caE-mail: info@ipc.on.ca
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×