Eduserv Symposium 2013 - New technologies & paradigms, old laws




Kuan Hon, an independent consultant (Kuan0.com), presents 'New technologies & paradigms, old laws' at the Eduserv Symposium 2013: In with the new.





    Document Transcript

    • 19/05/2013. New Technologies & Paradigms, Old Laws. Kuan Hon, Independent Consultant, PhD Candidate, QMUL. Eduserv Symposium 2013, London, 16 May 2013. @kuan0
    • Outline
      • Introduction
      • Cloud
      • Open data, big data
    • Introduction
      • Self [2 hats 4 clouds 3 weasels]
      • Attendees?
    • Legal risks of new tech. Risk pyramid: Legal; Reputational; [Public trust] etc etc
    • Communication & Mindsets
    • Technologists: Binary, 1s & 0s
    • Lawyers. Lawyers (Image reproduced by kind permission of Firebox.com). Certainty? Hah! ‘It depends…’ Interpretation; Context; Probabilities
    • Skills. For legal (& many other) issues: Know WHO to ask, & WHEN, & WHAT to tell ‘em!
    • WHO: Lawyers
    • WHEN: ASAP!
    • WHAT: Your role
    • HOW: Money!
    • Cloud; Open data; Big data
    • Laws & the internet
    • Cloud computing & law. Risk pyramid: Laws; Reputational; [Public trust] etc etc
    • Let your lawyer do the worrying…
    • Cloud computing
      • Legal risks - brief lawyers on:
        – what’s cloud? (recap; NB layers; 12 Cs; cf traditional outsourcing)
        – what do you want to use it for? (requirements, risk tolerance)
      • User ---- DropBox ---- Amazon (labels: SaaS, IaaS)
    • Cloud legal issues
      • Lots! – IP, competition – no time…
        – see cloudlegalproject.org + book
      • Pre-contract checks + contract
      • For public sector:
        – government policy
        – CloudStore
    • Location
    • Data location, me & you
      • Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless:
        – national security
        – data protection laws
      • Data protection – cloud guidance
        – Article 29 WP opinion
        – UK ICO guidance
    • Law vs IT: “Technical & organisational measures”; IT security & IT “data protection”; “Data protection” (law)
    • Data protection laws: “Personal data” (cf anonymous data)
    • EU Data Protection Directive. Data export restriction: NO transfer of PD outside European Economic Area
    • Unless…
      • Exception
      • “Adequate protection” / “adequate safeguards”
      • But problems…
    • So, in practice…
      • Regional clouds - easy, safe
    • EEA, EU, Europe… http://bit.ly/eu-venn for large version & table
    • ‘Transfer’ – physical location
      • Gear: storage / processing; caches
      • People: remote access
    • + Names of all “sub-contractors”; Follow this… + other DP regulators’ recommendations (eg liability chain); public cloud!; Gimme gimme gimme your data locations… (Image from Beeld en Geluid wiki)
    • Traditional outsourcing / Cloud: Cook food yourself; Hire caterers to cook for you on your instructions; Rent kitchen, cook food yourself; Get take-out or ready meal, cook it yourself
    • Key tensions
      • “Guaranteed” security / liability
        – should be possible – but will cost!
        – cheap / free public cloud model
      • Control of supply / contract chain
        – will big players be the winners?
    • “It’s unworkable, so just ignore it?”
    • Draft Data Protection Regulation: Up to 2% annual global turnover
    • Good intentions… Flames of hell…?
    • Cloud contracts
    • Cloud contracts
      • 3 aspects:
        – pre-contract due diligence
        – contract terms
        – post-contract – monitoring etc
      • See negotiated contracts article
        – “no names” interviews, FOI etc
        – Forbes report
    • Standard terms
      • Providers’ standard terms
        – weighted; customer-appropriate?
      • Negotiable? – customer / deal size
      • Gov / banks - trad. IT outsourcing
        – cloud-appropriate?
      • Customer process issue – bypass IT, legal!
    • Pre-contract due diligence
      • If personal data – all sub-providers’ names; locations; security
      • Lock-in and exit – practical: test data portability in advance (NB fake data!)
      • Security – pen testing, certifications?
      • NB backups
      • + Post-contract - security audits etc
      • ENISA papers (hunt!)
    • Contract terms
      • If personal data:
        – choice of provider (security), contract requirements: “instructions”, security
      • More generally, some key issues:
        – provider liability (vs price)
        – lock-in – term, termination; exit terms
        – security – confidentiality; audit rights?
        – right to change terms? (cf G-Cloud…)
    • G-Cloud: CloudStore
      • Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT
      • Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June)
      • NB overlay approach & supplier terms:
        – get advice on own specific data type/use
        – see G-Cloud paper
    • Cloud; Open data; Big data
    • Protection of Freedoms Act
      • s 102 amends FOIA
        – datasets – electronic, reusable form
        – open licensing – allow reuse (fees?)
      • In force May/June…?
        – Draft Code of Practice – consultation
        – ICO publication scheme, guidance
      • What datasets, how to handle?
    • Open data vs personal data
      • Anonymise any PD before release
      • Tricky! eg Sweeney etc research
      • Big, eg EE / Ipsos Mori! But worthwhile
      • ICO Code of Practice (full disclosure..)
        – limited controlled release, vs fully public
      • UK Anonymisation Network (2 years)
        – anonymisation clinics – 28 June
    • STOP PRESS
      • Shakespeare review of PSI, 15 May 2013
        – Deloitte market assessment
        – His summary in the Guardian
      • Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…)
        – Following best practice guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.
    • Cloud; Open data; Big data
    • Big data vs personal data
      • Data protection compliance (eg security) & anonymisation, again…
      • Less data good?
      • Other issues? eg IP
    • New technologies and paradigms, old laws
    • Old laws
      • Outdated assumptions
      • Appropriate to new paradigms??
      • But - the law is the law!
      • Until laws are updated properly…
      • Same ol’ strategy still sensible:
        – RRRR + EEEE
    • Key takeaways 1
      • RRRR:
        – requirements evaluation, for
        – real life intended use
        – review & understand tech / model
        – risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case)
    • Key takeaways 2
      • EEEE – get:
        – expert input / advice – legal, IT, risk, security, stats etc
        – based on exact data type, use case
        – explain the tech / model properly
        – early, not last minute or after!
    • Thank you! Kuan Hon. Twitter: @kuan0; Email: k @ domain below; kuan0.com/publications.html; blog.kuan0.com. Half lawyer | half geek | mostly harmless