Cloudy with a Chance of Privacy Compliance - Reboot Ottawa 2012

Overview of key challenges of complying with Canadian private sector privacy legislation when sending personal information to the cloud


  1. Cloudy with a Chance of Privacy Compliance: Cross Border Data Flows; Multi National Cloud Environments
     Presentation, October 5, 2012, 3rd Annual Privacy, Access and Security Congress
     David Elder, Stikeman Elliott LLP (STIKEMAN ELLIOTT LLP, www.stikeman.com)
  2. Transborder Data Flows
     • A key element to privacy policy approaches and guidelines since the early days of “the information society”
     • Should ensure protection, security of data
     • Should avoid using privacy laws as trade barriers
     • Where laws in two or more countries offer comparable privacy safeguards, information should be able to flow freely between them
     • Where no reciprocal safeguards, limits on transfers should go only so far as required to protect privacy
  3. European Data Protection Directive
     • Allows transfer between Member States
     • Data can be transferred outside the EU only where continued protection guaranteed or certain exemptions apply
     • “Adequacy” assessed based on range of factors, can be at country level or company level (based on “Safe Harbour” commitment)
     • Can also transfer to companies in “inadequate” countries, where transfer governed by EC standard contractual clauses
  4. The Dark Side of the Cloud
     • Out of your control
     • Insufficient information about cloud operations
     • Dispersed, complex, multiple players
     • Co-mingling with others’ data may raise issues: segregation; auditability; exposure to others’ vulnerabilities; notification delays where breaches
     • Potential access by foreign states
     • Focus on low cost, efficiency may mean
       – One-size-fits-all service, reluctance to customize
       – Security as a secondary focus?
  5. Nothing New Under the Sun
     [Diagram: Company → Outsource → Offshore → Cloud, plotted against axes labelled Control and Risk]
  6. Private Sector Privacy
     [Map of Canada with provinces and territories labelled, showing the applicable private sector privacy statutes: PIPEDA, PIPA (B.C.), PIPA (Alberta), Quebec Privacy Act]
  7. Key Privacy Obligations & Challenges
     Obligations:
     • Accountability
       – Organization responsible for personal info it collects, even when transferred to 3rd parties
     • Consent
       – Knowledge and consent required for the collection, use and disclosure of personal information
     Cloud Challenges:
     • How to maintain control, visibility?
     • Difficult to audit if widely dispersed, co-mingled
     • Can be need for explicit consent to storage/processing outside Canada, due to foreign legal jurisdictions
     • Consent to cloud itself?
  8. Key Privacy Obligations & Challenges
     Obligations:
     • Limiting Use, Disclosure, Retention
       – To be used solely for identified purpose
       – To be retained only as long as necessary to fulfil purposes, then returned or destroyed
     • Access & Accuracy
       – Right of access
       – Right to correct
     Cloud Challenges:
     • Uncertainty won’t be mined/used for other purposes
     • Uncertainty of retention periods, foreign requirements?
     • Right to destroy, delete, have returned
     • Ensure individual will have access
     • Ensure can quickly correct incomplete or inaccurate data
  9. Key Privacy Obligations & Challenges
     Obligations:
     • Security
       – Security safeguards appropriate to sensitivity of personal info
     • Breach Notification
       – Advise Privacy Commissioner(s), individuals/customers
     Cloud Challenges:
     • Tendency to one-size-fits-all
     • Cloud makes security decisions, not you
     • Cloud unaware of sensitivity of info
     • Need to be advised of cloud breach
     • How to define what notifiable
     • Need cooperation, up-to-minute details
     • Could be many cloud users affected
  10. Other Legal Obligations
     • OSFI Guidelines on Outsourcing of Business Activities, Functions and Processes
     • In accordance with federal legislation, certain records should be maintained in Canada, OSFI access ensured
     • Tendency to overly conservative approach?
     • Requires audit and access rights over service provider (for institution and OSFI)
     • Requires detailing physical data storage locations
  11. Guidelines for Processing Personal Data Across Borders
     • Apply to private sector only
     • Accountability principle is key
     • Be transparent
     • Actual safeguards can vary, based on inherent sensitivity of data, potential risk of unauthorized disclosure or access (and cost?)
     • Third party should have clear and reliable security policies, consistent training program for staff
     • Audit rights help, but difficult to execute – likely more a deterrent
  12. Guidelines for Processing Personal Data Across Borders
     • Most fundamentally, organizations should be selective in choosing foreign service providers, cloud providers
     • Should pay particular attention to legal/political regimes in which third party operates
     • Economic and social conditions may also be relevant
     • Clarity, transparency, security, careful location selection can be a competitive advantage for organizations and third party service providers – and particularly for cloud providers
  13. EC Standard Contractual Clauses
     Data importer agrees and warrants:
     • Will process only for purposes directed by exporter
     • Applicable laws no barrier to fulfilling obligations
     • Has implemented specified technical & operational security measures
     • Will respond to exporter inquiries and submit to audit
     • Will promptly notify re:
       – LEA demand for disclosure (unless prohibited)
       – Breach
       – Access request by subject
       – Sub-contracting (& get consent, bind to safeguards)
  14. Standards & Certifications
     • Independent certification by reputable 3rd party
     • Audit against recognized standard: ISO, PCI, etc.
     • Some regulators have recognized as legitimate approach
     • Some process/governance related; some about physical/technical measures
     • Registries also useful, but less so – good initial step, will facilitate comparisons, drive privacy/security as a competitive attribute
  15. “Accountability, rather than geographical limits, is the basic model for Canadian data protection. This model brings the advantages of flexibility and low compliance overhead for corporations whose profits derive from innovation. But accountability also means that use of Canadians’ personal information must meet Canadian legal standards, wherever in the cloud this may be happening.”
     Jennifer Stoddart, 2009
  16. I Can See Clearly Now
     • Not for everyone
     • Choose your provider very carefully
     • Look for standards, certifications
     • Bake key terms, levels, guarantees into contract:
       – Security practices and requirements
       – Breach/investigation response
       – Audit
       – Liability, indemnity
       – Subcontracting control