Eduserv Symposium 2013 - New technologies & paradigms, old laws

Kuan Hon, an independent consultant (Kuan0.com), presents 'New technologies & paradigms, old laws' at the Eduserv Symposium 2013: In with the new.

Published in: Technology, Business

Slide transcript (handout dated 19/05/2013):

  1. New Technologies & Paradigms, Old Laws
     Kuan Hon, Independent Consultant; PhD Candidate, QMUL
     Eduserv Symposium 2013, London, 16 May 2013
     @kuan∅

     Outline
     • Introduction
     • Cloud
     • Open data, big data

  2. Introduction
     • Self [2 hats, 4 clouds, 3 weasels]
     • Attendees?

     Legal risks of new tech
     Risk pyramid: Legal; Reputational; [Public trust] etc etc

  3. Communication & Mindsets

     Technologists
     Binary, 1s & 0s

  4. Lawyers
     (Image reproduced by kind permission of Firebox.com)

     Lawyers
     Certainty? Hah! ‘It depends…’
     Interpretation; Context; Probabilities

  5. Skills
     For legal (& many other) issues: Know WHO to ask, & WHEN, & WHAT to tell ‘em!

     WHO
     Lawyers

  6. WHEN
     ASAP!

     WHAT
     Your role

  7. HOW
     Money!

     Cloud; Open data; Big data

  8. Laws & the internet

     Cloud computing & law
     Risk pyramid: Laws; Reputational; [Public trust] etc etc

  9. Let your lawyer do the worrying…

     Cloud computing
     • Legal risks - brief lawyers on:
       – what’s cloud?
         • recap
         • NB layers
         • 12 Cs; cf traditional outsourcing
       – what do you want to use it for?
         • requirements, risk tolerance
     (Diagram: User ---- DropBox ---- Amazon; SaaS / IaaS)

  10. Cloud legal issues
     • Lots! – IP, competition – no time…
       – see cloudlegalproject.org + book
     • Pre-contract checks + contract
     • For public sector:
       – government policy
       – CloudStore

     Location

  11. Data location, me & you
     • Public sector – Gov ICT Offshoring (International Sourcing) Guidance - data location unrestricted, unless:
       – national security
       – data protection laws
     • Data protection – cloud guidance
       – Article 29 WP opinion
       – UK ICO guidance

     Law vs IT
     “Technical & organisational measures”
     IT security & IT “data protection”
     “Data protection” (law)

  12. Data protection laws: “Personal data” (cf anonymous data)

     EU Data Protection Directive
     Data export restriction: NO transfer of PD outside European Economic Area

  13. Unless…
     • Exception
     • “Adequate protection” / “adequate safeguards”
     • But problems…

     So, in practice…
     • Regional clouds - easy, safe

  14. EEA, EU, Europe…
     http://bit.ly/eu-venn for large version & table

     ‘Transfer’ – physical location
     • Gear: storage / processing; caches
     • People: remote access

  15. Gimme gimme gimme your data locations… public cloud!
     (Image from Beeld en Geluid wiki)
     • + Names of all “sub-contractors”
     • Follow this… + other DP regulators’ recommendations (eg liability chain)

     Traditional outsourcing vs Cloud (catering analogy)
     • Cook food yourself
     • Hire caterers to cook for you on your instructions
     • Rent kitchen, cook food yourself
     • Get take-out or ready meal, cook it yourself

  16. Key tensions
     • “Guaranteed” security / liability
       – should be possible – but will cost!
       – cheap / free public cloud model
     • Control of supply / contract chain
       – will big players be the winners?

     “It’s unworkable, so just ignore it?”

  17. Draft Data Protection Regulation
     Up to 2% annual global turnover

     Good intentions… Flames of hell…?

  18. Cloud contracts

     Cloud contracts
     • 3 aspects:
       – pre-contract due diligence
       – contract terms
       – post-contract – monitoring etc
     • See negotiated contracts article
       – “no names” interviews, FOI etc
       – Forbes report

  19. Standard terms
     • Providers’ standard terms
       – weighted; customer-appropriate?
     • Negotiable? – customer / deal size
     • Gov / banks - trad. IT outsourcing
       – cloud-appropriate?
     • Customer process issue – bypass IT, legal!

     Pre-contract due diligence
     • If personal data – all sub-providers’ names; locations; security
     • Lock-in and exit – practical: test data portability in advance (NB fake data!)
     • Security – pen testing, certifications?
     • NB backups
     • + Post-contract - security audits etc
     • ENISA papers (hunt!)

  20. Contract terms
     • If personal data:
       – choice of provider (security), contract requirements: “instructions”, security
     • More generally, some key issues:
       – provider liability (vs price)
       – lock-in – term, termination; exit terms
       – security – confidentiality; audit rights?
       – right to change terms? (cf G-Cloud…)

     G-Cloud: CloudStore
     • Process - no mini-competition, no negotiation! (though fill in blanks…) - Price / MEAT
     • Info - G-Cloud site, @G_Cloud_UK, BuyCamp events (Friday; 7 June)
     • NB overlay approach & supplier terms:
       – get advice on own specific data type/use
       – see G-Cloud paper

  21. Cloud; Open data; Big data

     Protection of Freedoms Act
     • s 102 amends FOIA
       – datasets – electronic, reusable form
       – open licensing – allow reuse (fees?)
     • In force May/June…?
       – Draft Code of Practice – consultation
       – ICO publication scheme, guidance
     • What datasets, how to handle?

  22. Open data vs personal data
     • Anonymise any PD before release
     • Tricky! eg Sweeney etc research
     • Big, eg EE / Ipsos Mori! But worthwhile
     • ICO Code of Practice (full disclosure..)
       – limited controlled release, vs fully public
     • UK Anonymisation Network (2 years)
       – anonymisation clinics – 28 June

     STOP PRESS
     • Shakespeare review of PSI, 15 May 2013
       – Deloitte market assessment
       – His summary in the Guardian
     • Same ol’ same ol’, words vs action? (eg jail for unlawfully obtaining personal data…)
       – “Following best practice guidelines should be enough, so long as we are willing to prosecute those who misuse personal data… In considering further legislation we should institute increased penalties – not only loss of accreditation and much heavier fines, but also imprisonment in cases of deliberate and harmful misuses of data.”

  23. Cloud; Open data; Big data

     Big data vs personal data
     • Data protection compliance (eg security) & anonymisation, again…
     • Less data good?
     • Other issues? eg IP

  24. New technologies and paradigms, old laws

     Old laws
     • Outdated assumptions
     • Appropriate to new paradigms??
     • But - the law is the law!
     • Until laws are updated properly…
     • Same ol’ strategy still sensible:
       – RRRR + EEEE

  25. Key takeaways 1
     • RRRR:
       – requirements evaluation, for
       – real life intended use
       – review & understand tech / model
       – risk assessment – technological, legal, reputational, public trust etc (for intended data type/use case)

     Key takeaways 2
     • EEEE – get:
       – expert input / advice – legal, IT, risk, security, stats etc
       – based on exact data type, use case
       – explain the tech / model properly
       – early, not last minute or after!

  26. Thank you!
     Kuan Hon
     Twitter: @kuan∅
     Email: k @ domain below
     kuan∅.com/publications.html
     blog.kuan∅.com
     Half lawyer | half geek | mostly harmless