Lasa European NFP Technology Conference 2010 - Data protection and the cloud


Lasa European NFP Technology Conference 2010 - Paul Ticher's presentation on data protection and cloud computing

Published in: Technology

  1. Data Protection & Confidentiality
     • Speaker: Paul Ticher
  2. • This presentation is intended to help you understand the Data Protection Act and related legislation.
     • It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
  3. Overview
     • Prevent harm to the individuals whose data you hold, or other people
     • Allay people’s concerns, demonstrate respect, and build good relationships
     • Comply with specific legal requirements
  4. The Data Protection Principles
     • Data ‘processing’ must be ‘fair’ and legal
     • You must obtain data only for specified purpose(s) and use it only in ways that are compatible with the purposes
     • Data must be adequate, relevant & not excessive
     • Data must be accurate & up to date
     • Data must not be held longer than necessary
     • Data Subjects’ rights must be respected
     • You must have appropriate security
     • Special rules apply to transfers abroad
  5. Main implications for ICT
     • Prevent harm:
         • Security – keep information in the right hands
         • Data quality – design systems to promote this
     • Allay people’s concerns:
         • Transparency about purposes, disclosures and location of data (if outside Europe)
         • Choice – accurate recording & easy suppression
     • Specific legal responsibilities:
         • Subject Access – ease of retrieval
  6. Personal data
     • The Act applies to information about identifiable, living individuals that is recorded:
         • on a computer or automated system
         • held in a ‘relevant filing system’
         • with the intention of going into one of these systems
  7. Data Protection Confidentiality Clear boundaries
  8. Security (Principle 7)
     • Protects the boundaries set up by the confidentiality policy
     • Has to prevent
         • unauthorised access
         • accidental loss or damage
     • Must be appropriate
     • Must be technical and organisational
  9. Security implications
     • Defined access levels and controls
     • Vetting, training, induction, supervision
     • Technology: VPNs, SSL, etc.
     • Minimise consequences of breach:
         • Minimise amount of data exported
         • Passwords & encryption of media and/or files which leave a secure environment
     • Monitoring & enforcement
     • Apply to everyone including contractors
  10. Breaches of security
      • Criminal offence, committed by individual:
          • Knowingly or recklessly accessing data without authorisation
          • Knowingly or recklessly allowing another person unauthorised access
          • Selling data accessed without authorisation
      • Penalties for organisation up to £500,000 for gross breaches of security
  11. Transfers abroad (Principle 8)
      • Try to maintain protection
          • by law: (most of Europe, plus a few others)
          • recipient in USA signs up to ‘safe harbors’
          • by approved contract with recipient organisation
      • Otherwise, in most cases, get consent
      • Implications:
          • Personal data on a web site may need consent from the Data Subject (opt-out probably OK)
          • Overseas web or application hosting?
  12. Data Controller
      • The ‘person’ legally responsible for complying with the Data Protection Act
      • Can be an individual if they are acting on their own account, but usually an organisation (individual workers or volunteers are ‘agents’ of the Data Controller)
      • Two separate legal entities (even a charity and its trading company) are separate Data Controllers, but ...
      • ... two or more organisations can be joint Data Controllers of the same data
  13. Data Processor
      • An organisation that the Data Controller outsources work to, which involves accessing Personal Data (e.g. ICT maintenance company)
      • The Data Controller remains responsible for what happens to the data
      • There must be a written contract with the Data Processor, setting out what they are to do
      • The Data Controller must be satisfied with the Data Processor’s security
  14. Cloud providers – some examples
      • Salesforce: about to open a European data centre
      • aws.amazon.com/s3/#protecting
  15. Approaching the cloud
      • Data held within Europe poses far fewer problems
      • Security is your responsibility; checking out the provider is essential
      • Backup and business continuity is your responsibility
      • Raising concerns is worthwhile
      • Document your decisions (and get the risk signed off at the appropriate level)