More and more, web players must document their data preservation practices. While in traditional evidence law one proves something with documents produced by third parties (a signature, documents produced by the opposing side, etc.), digital evidence introduced before the courts must be accompanied by explanations of the conditions under which these documents were created, hosted, archived and transmitted. Whether it is an HTML page, a screen capture, a Word file or a Wikipedia entry, each new piece of evidence, to be admitted, must be accompanied by an explanation of how the document was managed. A new major principle therefore emerges: documentation. Breaking somewhat with established legal traditions, each stage of a document's lifecycle must be considered beforehand. This process often rests on technical norms and standards designed by the industry (ISA, ARMA, COBIT). But these technical norms precisely require companies to adopt procedures and policies demonstrating their due diligence in how they protect their data.
GautraiSerene
1. cybersecurity ecosystem: the documentation dimension
full professor | director of crdp
www.gautrais.com
www.crdp.umontreal.ca
www.twitter.com/gautrais
Ottawa | 04/22/2015
9. plan
1. State of the Art + Individual Normativity
1.1 State of the Art in General (facts)
1.2 State of the Law (law)
2. Suspicion + Individual Normativity
2.1 Suspicion about the I.N. Process (facts)
2.2 Suspicion about I.N. Law Recognition (law)
10. 1 – State of the art of the individual normativity phenomenon
20. Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability (2007)
21. “This paper argues that debates over online privacy, copyright, and information policy questions have been overly dominated by the access restriction perspective. We propose an alternative to the “hide it or lose it” approach that currently characterizes policy compliance on the Web. Our alternative is to design systems that are oriented toward information accountability and appropriate use, rather than information security and access restriction.”
22. “In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability”
27. An Act to Establish a Legal Framework for Information Technology, CQLR c C-1.1
28. Documentation and Quebec Law
- Transfer (s. 17)
- Communication (ss. 30 + 34)
- Retention (s. 21)
- Evidence in general
29. Quite the same at the federal level (Canada Evidence Act)
(31.3) the integrity of an electronic documents system by or in which an electronic document is recorded or stored is proven (…) the computer system or other similar device used by the electronic documents system was operating properly (…)
34. PIPEDA
4.1 Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
(…)
4.1.4
Organizations shall implement policies and practices to give effect to the principles, including
• (a) implementing procedures to protect personal information;
• (b) establishing procedures to receive and respond to complaints and inquiries;
• (c) training staff and communicating to staff information about the organization’s policies and practices; and
• (d) developing information to explain the organization’s policies and procedures.
35. on the proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (COM(2012)0011 – C7-0025/2012 – 2012/0011(COD))
48. 1. ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
2. ISO/IEC 29100:2011 – Information technology – Security techniques – Privacy framework.
3. ISO/IEC WD 29134 – Privacy Impact Assessment – Methodology.
4. ISO 13008:2012 – Information and documentation – Digital records conversion and migration process.
5. ISO 13008:2012 – Information and documentation – Digital records conversion and migration process (PDF).
6. ISO/TR 23081-3:2011 – Information and documentation – Managing metadata for records – Part 3: Self-assessment method.
7. ISO 23081-1:2006 – Information and documentation – Metadata for records – Part 1: Principles.
8. ISO 23081-2:2009 – Information and documentation – Managing metadata for records – Part 2: Conceptual and implementation issues.
9. ISO/TR 26122:2008 – Information and documentation – Work process analysis for records.
10. ISO 16175-1:2010 – Information and documentation – Principles and functional requirements for records in electronic office environments – Part 1: Overview and statement of principles.
11. ISO 16175-2:2011 – Information and documentation – Principles and functional requirements for records in electronic office environments – Part 2: Guidelines and functional requirements for digital records management systems.
12. ISO 30300:2011 – Information and documentation – Management systems for records – Fundamentals and vocabulary.
13. ISO 30301:2011 – Information and documentation – Management systems for records – Requirements.
14. ISO 15489-1:2001 – Information and documentation – Records management – Part 1: General.
15. ISO/TR 15489-2:2001 – Technical report – Information and documentation – Records management – Part 2: Guidelines.
60. ex 3: paper version of “.xls” (Stadacona, s.e.c./Papier White Birch c. KSH Solutions inc., 2010)
61. ex 4: digital picture (with no reference to metadata)
62. No respect of the double evidence rule:
- the document itself
- documentation on the document
63. Mainstream Canada v. Staniford, 2012 BCSC 1433
« [23] Among other things, Cermaq has published the principles governing its sustainability program and reported on the company’s performance, using the standards set by the Global Reporting Initiative (“GRI”) for sustainability reporting. Since 2010, the sustainability reporting is also subject to review by KPMG’s sustainability team. Ms. Bergan explained further that, if Cermaq deviates from the indicators that are part of the GRI, Cermaq must disclose the manner in which it has done so. This manner of reporting, using the GRI standards, applies to both Cermaq and Mainstream, according to Ms. Bergan. »
64. cybersecurity ecosystem: the documentation dimension