Watch the webinar with data protection expert Paul Ticher at: https://vimeo.com/125553379
A shift towards a greater use of cloud computing is well underway. Cloud services are frequently cited by charities as free or low-cost, flexible and easy-to-use alternatives to replacing their old servers.
If you're thinking of adopting cloud-based services like Office 365, Google Apps and Dropbox, you still have data protection obligations that make your organisation liable for any breach or loss of personal data.
Some of the topics we'll cover are:
* using cloud services outside the UK
* understanding your obligations and being compliant
* tips for selecting a cloud provider
This webinar is supported by London for All, a London Councils’ funded project to capacity build London’s voluntary and community sector. More at: www.lvsc.org/londonforall/
2. Webinar Presenters
Miles Maier @LasaICT
Paul Ticher @PaulTicher
www.londoncouncils.gov.uk/grants
London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a website about its grants service. To read about our grants funding and the work of some of the 300 groups we support
Supported by:
3. • London For All – partnership of LVSC, Lasa, ROTA, WRC and HEAR
• Only pan-London charity tech advice service
• www.lvsc.org/londonforall/
4. About Lasa
• 30 years in the sector
• Technology leadership, publications, events and consultancy
www.lasa.org.uk
• Welfare Rights
www.rightsnet.org.uk
5. Webinar Tips
• Ask questions
Post questions via chat or raise your virtual hand
• Interact
Respond to polls during webinar
• Focus
Avoid multitasking. You may just miss the best part of the presentation
• Webinar PowerPoint & Recording
PowerPoint and recording links will be shared after the webinar
6. Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and systems
• Many charity clients
Twitter: @PaulTicher
8. This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
9. Programme
Where are the risks?
Your Data Protection responsibilities
What you should be doing, especially about:
Security
Transfers abroad
11. Cloud computing characteristics
Cheap and flexible, especially for small organisations
Available anywhere there is an internet connection
Suppliers claim good security and service levels
Based on:
Standard offering, usually non-negotiable
Shared facilities, controlled by the supplier
Location of data irrelevant (and may be obscure)
May be layers of sub-contract
13. Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
14. Ranking the risks
Principle                          Risk rank     Comment
1. Fairness / 2. Limited purposes  Low (Medium)  No different from in-house considerations unless cloud provider also captures personal data for own purposes
3. Adequacy / 4. Accuracy          Medium        Minor implications if the design of the cloud application does not support good data quality
5. Retention                       Low           No different from in-house considerations
6. Data subject rights             Medium        Possible minor implications for subject access
7. Security                        Very high     Significant additional risks from cloud computing
8. Transfers abroad                High          Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions
15. Data Controller / Data Processor
“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
16. Data Processor requirements
A contract, ‘evidenced in writing’, covering at least:
Setting out the relationship and how it will work
Underpinning both parties’ security obligations
Allowing the Data Controller to verify the Data Processor’s security
See also my checklist that includes:
Limitations on transfers abroad and subcontracting
Clear confidentiality obligations on Data Processor
Requirement to inform of any breach
17. Principle 7: Security
You must take steps to prevent:
Unauthorised access
Accidental loss or damage
Your measures must be appropriate
They must be technical and organisational
You cannot transfer this responsibility to a Data Processor
18. The standard aims of security:
Confidentiality
Limits on access, depending on need to know
Integrity
No unintended or unauthorised modification
Availability
No accidental loss
There when you need it
19. Security in the cloud
‘Data in transit’ vs ‘Data at rest’
End-to-end – from the device to the depths of the cloud provider’s system
Additional BYOD risks
Personal vs corporate accounts
20. Cloud security breaches do occur
British Pregnancy Advisory Service
Website ‘contact us’ form
Stored for five years – almost 10,000 records
Admin password not changed from default
Successfully hacked into and personal data stolen
Aberdeen City Council
Social worker working from home, with permission
Computer set to synch with cloud storage location
Cloud location not secure – personal data showed up in search
21. Security when the Data Processor is a cloud provider
Cannot be an afterthought
Don’t just rely on the provider: you have responsibilities too
Negotiated contract: require your supplier to take security precautions – and check that they have done so
Standard terms and conditions: often non-negotiable – due diligence required
Understand what you are checking
Risk cannot be wholly eliminated
22. Guidance & recommendations: I
Cyber essentials
UK government scheme – two levels
Information Commissioner’s May 2014 report
Open Web Application Security Project Top Ten
Updated every three years (most recent 2013)
More technical
23. Common points
Firewalls & gateways -- Malware protection
Secure configuration (including SSL and TLS)
Access control -- Default credentials
Patch management/Software updates
SQL injection
Unnecessary services
Password storage
Inappropriate locations for processing data
24. Guidance & recommendations: II
International standard -- ISO 27001:2013
check credentials of certifying company
check relevance & scope (ISO 27000 Statement of Applicability)
HMG Security Policy Framework (recently revised)
CESG guidance on cloud security risk management
COBIT
Relates to US Sarbanes-Oxley Act
ISAE3402 and SSAE16 (previously SAS70)
Auditing process, not a security standard
25. Potential cost of a breach
Notification to potentially affected individuals, if appropriate
Assistance to potentially affected individuals
Compensation for harm and associated distress
Damage to business (including reputation)
Data restoration
Monetary penalty (up to £500,000)
27. Principle 8: Transfers abroad
Transfers of data outside the European Economic Area are allowed if:
the jurisdiction it is going to has an acceptable law
the recipient in the USA is signed up to Safe Harbor
a few other options
28. What else can go wrong?
Loss of service
at their end
at your end
Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
Proprietary formats for data storage
Processes or contract terms which make the supplier a Data Controller in their own right
Unclear ownership/location of data and the equipment it is stored on
Unilateral changes in policy by provider
29. And finally …
Most countries have laws allowing authorities to access data
US Patriot Act ostensibly anti-terrorist
applies to US companies, wherever the data is held
has also been used in non-terrorist cases
supplier may not agree (or even be allowed) to inform customer of access
Include in risk assessment
30. So what do you need to do?
Get your own house in order
Check the contract (or standard terms and conditions) very carefully on areas like:
security and how it is guaranteed
location of data (especially if it could be outside the EEA)
liability/sub contractors
back-up/access
copyright (e.g. Google)
Use your findings to make and record a risk assessment and get authorisation to proceed
31. Further information
Information Commissioner
Guidance on cloud computing
Analysis of top eight online security issues
Data Protection and the Cloud
Cloud computing: A practical introduction to the legal issues
Watch out for EU updates on cloud computing and possibly standard contract terms
32. Resources 1
• Lasa Knowledgebase:
– www.ictknowledgebase.org.uk/dataprotectionactintroduction
– www.ictknowledgebase.org.uk/dataprotectionpolicies
• Cyber essentials
• UK government scheme – two levels
• Information Commissioner’s May 2014 report
• Open Web Application Security Project Top Ten
• Updated every three years (most recent 2013)
• More technical