Data Protection & The Cloud
We will start the webinar in just a moment.
Webinar Presenters
Miles Maier @LasaICT
Paul Ticher @PaulTicher
www.londoncouncils.gov.uk/grants
London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a
website about its grants service. To read about our grants funding and the work of some of the 300 groups we support
Supported by:
• London For All – partnership of LVSC, Lasa,
ROTA, WRC and HEAR
• Only pan-London charity tech advice service
• www.lvsc.org/londonforall/
About Lasa
• 30 years in the sector
• Technology leadership, publications, events
and consultancy
www.lasa.org.uk
• Welfare Rights
www.rightsnet.org.uk
Webinar Tips
• Ask questions
Post questions via chat or raise your virtual hand
• Interact
Respond to polls during webinar
• Focus
Avoid multitasking. You may just miss the best part of the
presentation
• Webinar PowerPoint & Recording
PowerPoint and recording links will be shared after the
webinar
Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and
systems
• Many charity clients
Twitter: @PaulTicher
Data Protection webinar:
Using cloud services
15th April 2015
This presentation is intended to help you
understand aspects of the Data Protection
Act 1998 and related legislation.
It is not intended to provide detailed advice
on specific points, and is not necessarily a full
statement of the law.
Programme
 Where are the risks?
 Your Data Protection responsibilities
 What you should be doing, especially about:
 Security
 Transfers abroad
Alternative title:
Feel the fear
Do it anyway
(probably)
Cloud computing characteristics
 Cheap and flexible, especially for small organisations
 Available anywhere there is an internet connection
 Suppliers claim good security and service levels
 Based on:
 Standard offering, usually non-negotiable
 Shared facilities, controlled by the supplier
 Location of data irrelevant (and may be obscure)
 May be layers of sub-contract
Cloud examples
 Microsoft 365, Google Apps (office programs)
 Huddle, GoToMeeting, Skype (collaboration)
 Amazon (storage & processing capacity)
 Salesforce (contact management database)
 YouTube, Instagram (photo/video storage and sharing)
 MailChimp (bulk mailings)
 SurveyMonkey (online surveys)
 Social networking sites
Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s)
you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Ranking the risks
Principle | Risk rank | Comment
1. Fairness, 2. Limited purposes | Low (Medium) | No different from in-house considerations unless cloud provider also captures personal data for own purposes
3. Adequacy, 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality
5. Retention | Low | No different from in-house considerations
6. Data subject rights | Medium | Possible minor implications for subject access
7. Security | Very high | Significant additional risks from cloud computing
8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions
Data Controller / Data Processor
 “Data Controller” means … a person who (either
alone or jointly or in common with other persons)
determines the purposes for which and the manner in
which any personal data are … processed.
 “Data Processor” … means any person (other than an
employee of the Data Controller) who processes the
data on behalf of the Data Controller.
Data Processor requirements
A contract, ‘evidenced in writing’, covering at least:
 Setting out the relationship and how it will work
 Underpinning both parties’ security obligations
 Allowing the Data Controller to verify the Data
Processor’s security
See also my checklist that includes:
 Limitations on transfers abroad and subcontracting
 Clear confidentiality obligations on Data Processor
 Requirement to inform of any breach
Principle 7: Security
 You must take steps to prevent:
 Unauthorised access
 Accidental loss or damage
 Your measures must be appropriate
 They must be technical and organisational
 You cannot transfer this responsibility to a Data
Processor
The standard aims of security:
 Confidentiality
 Limits on access, depending on need to know
 Integrity
 No unintended or unauthorised modification
 Availability
 No accidental loss
 There when you need it
Security in the cloud
 ‘Data in transit’ vs ‘Data at rest’
 End-to-end – from the device to the depths of the
cloud provider’s system
 Additional BYOD risks
 Personal vs corporate accounts
Cloud security breaches do occur
 British Pregnancy Advisory Service
 Website ‘contact us’ form
 Stored for five years – almost 10,000 records
 Admin password not changed from default
 Successfully hacked into and personal data stolen
 Aberdeen City Council
 Social worker working from home, with permission
 Computer set to sync with a cloud storage location
 Cloud location not secure – personal data showed up in
search results
Security when the Data Processor
is a cloud provider
 Cannot be an afterthought
 Don’t just rely on the provider: you have
responsibilities too
 Negotiated contract: require your supplier to take
security precautions – and check that they have done
so
 Standard terms and conditions: often non-negotiable
– due diligence required
 Understand what you are checking
 Risk cannot be wholly eliminated
Guidance & recommendations: I
 Cyber essentials
 UK government scheme – two levels
 Information Commissioner’s May 2014 report
 Open Web Application Security Project Top Ten
 Updated every three years (most recent 2013)
 More technical
Common points
 Firewalls & gateways -- Malware protection
 Secure configuration (including SSL and TLS)
 Access control -- Default credentials
 Patch management/Software updates
 SQL injection
 Unnecessary services
 Password storage
 Inappropriate locations for processing data
Guidance & recommendations: II
 International standard -- ISO 27001:2013
 check credentials of certifying company
 check relevance & scope (ISO 27000 Statement of
Applicability)
 HMG Security Policy Framework (recently revised)
 CESG guidance on cloud security risk management
 COBIT
 Relates to US Sarbanes-Oxley Act
 ISAE3402 and SSAE16 (previously SAS70)
 Auditing process, not a security standard
Potential cost of a breach
 Notification to potentially affected individuals, if
appropriate
 Assistance to potentially affected individuals
 Compensation for harm and associated distress
 Damage to business (including reputation)
 Data restoration
 Monetary penalty (up to £500,000)
Principle 8: Transfers abroad
 Transfers of data outside the European Economic
Area are allowed if:
 the jurisdiction it is going to has an acceptable law
 the recipient in the USA is signed up to Safe Harbor
 a few other options
What else can go wrong?
 Loss of service
 at their end
 at your end
 Retrieving your data if the service ceases or you get
into a dispute (Example: Charity Business)
 Proprietary formats for data storage
 Processes or contract terms which make the supplier
a Data Controller in their own right
 Unclear ownership/location of data and the
equipment it is stored on
 Unilateral changes in policy by provider
And finally …
 Most countries have laws allowing authorities to
access data
 US Patriot Act ostensibly anti-terrorist
 applies to US companies, wherever the data is held
 has also been used in non-terrorist cases
 supplier may not agree (or even be allowed) to inform
customer of access
 Include in risk assessment
So what do you need to do?
 Get your own house in order
 Check the contract (or standard terms and
conditions) very carefully on areas like:
 security and how it is guaranteed
 location of data (especially if it could be outside the
EEA)
 liability/subcontractors
 back-up/access
 copyright (e.g. Google)
 Use your findings to make and record a risk
assessment and get authorisation to proceed
Further information
 Information Commissioner
 Guidance on cloud computing
 Analysis of top eight online security issues
 Data Protection and the Cloud
 Cloud computing: A practical introduction to the legal issues
 Watch out for EU updates on cloud computing and
possibly standard contract terms
Resources 1
• Lasa Knowledgebase:
– www.ictknowledgebase.org.uk/dataprotectionactintroduction
– www.ictknowledgebase.org.uk/dataprotectionpolicies
• Cyber essentials
• UK government scheme – two levels
• Information Commissioner’s May 2014 report
• Open Web Application Security Project Top Ten
• Updated every three years (most recent 2013)
• More technical
Follow-up questions:
paul@paulticher.com
LINKS TO SLIDES AND RECORDING SOON
HELP KEEP THIS SERVICE FREE BY COMPLETING THE
EVALUATION
Twitter @LasaICT