Downloaded 28 times
![EXAMPLE
Aid to the Church In Need [link]
• Website hacked
• Donor’s bank details taken
• More than £100K stolen](https://image.slidesharecdn.com/dataprotectionandcloudcomputingbybrianmillersolicitorandvickibowlesbarrister-141215124032-conversion-gate02/75/What-All-Organisations-Need-to-Know-About-Data-Protection-and-Cloud-Computing-Part-1-by-Brian-Miller-Solicitor-and-Vicki-Bowles-Barrister-31-2048.jpg)
Uploaded byBrian Miller, Solicitor
What All Organisations Need to Know About Data Protection and Cloud Computing (Part 1) by Brian Miller Solicitor and Vicki Bowles Barrister
This document discusses data protection and cloud computing. It begins with an overview of data protection obligations under UK law, including definitions of key terms, notification requirements, and the data protection principles. It then discusses issues around keeping data safe and compliant when using cloud computing services. Specifically, it notes that personal data must not be transferred outside the EEA without adequate protections, and companies must ensure through due diligence and contracts that cloud providers and any subcontractors maintain appropriate security and use data only as instructed. Failure to do so could result in fines or civil liability if a data breach occurs.
More Related Content
Similar to What All Organisations Need to Know About Data Protection and Cloud Computing (Part 1) by Brian Miller Solicitor and Vicki Bowles Barrister
What All Organisations Need to Know About Data Protection and Cloud Computing (Part 1) by Brian Miller Solicitor and Vicki Bowles Barrister
- 1. Data Protection andCloud Computing Vicki Bowles and Brian Miller
- 2. Data Protection: Overviewof Obligations Vicki Bowles, Barrister Company and Commercial
- 3. DATA PROTECTION 3. TheData Protection Principles 4. Subject Access 1. Language of Data Protection 2. Notification
- 4. Data Protection: Language •Personal data: “data which relate to a living individual who can be identified – a) from those data, or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
- 5. Data Protection: Language •Processing: “…means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – a) organisation, adaptation or alteration of the information or data, b) retrieval, consultation or use of the information or data, c) disclosure of the information or data by transmission, Dissemination or otherwise making available, or d) alignment, combination, blocking, erasure or destruction of the information or data”
- 6. Data Protection: Language •Sensitive Personal Data: “…means personal data consisting of information as to – a) the racial or ethnic origin of the data subject, b) his political opinions, c) his religious beliefs or other beliefs of a similar nature, d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act1992), e) his physical or mental health or condition, f) the commission or alleged commission by him of any offence, or g) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.”
- 7. Data Protection: Language •Data Controller: “…subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;” • Data Processor: “…any person (other than an employee of the data controller) who processes the data on behalf of the data controller;”
- 8. Data Protection: Language •Controller v Processor – Can have more than one controller for the same information; – Key is control;
- 9. Data Protection: Notification •All controllers required to “notify” (register) with Information Commissioners Office (ICO), unless exempt: – Accounts and records; – Staff administration; – Advertising, marketing and PR of business; – Non-profit membership admin. • Exemption only applies to registration rather than the whole Act.
- 10. Obligations: Principles • Personaldata shall be processed fairly and lawfully, and in particular, shall not be processed unless – − At least one of the conditions in Schedule 2 is met, and − In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- 11. Obligations: Principles • Personaldata shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- 12. Obligations: Principles • Personaldata shall be accurate, and, where necessary, kept up to date. • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • Personal data shall be processed in accordance with the rights of data subjects under this Act.
- 13. Obligations: Principles • Appropriatetechnical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- 14. Obligations: SAR • Section7 entitles a data subject to request: – Whether or not you process their personal data; – A description of the data held, the purposes for which it is processed, and the recipients or classes or recipient to which disclosed; – Have communicated to them the data held, and any details of source if known.
- 15. Obligations: SAR • Ifpaper files – only if relevant filing system (the “temp test”). • Exception where third party personal data is included and no consent. • Various other exceptions, e.g. negotiations and references.
- 16. Case Study • BritishPregnancy Advisory Service – Fine £200,000 from ICO – Website hacked – BPAS didn’t know what was stored on their website
- 17.
- 18. Vicki Bowles e: vb@stoneking.co.uk m:07827 822977
- 19. ATTRIBUTIONS/CREDITS 1 Some rightsreserved by kevin dooley 2 Some rights reserved by StockMonkeys.com 3 Some rights reserved by StockMonkeys.com 4 Some rights reserved by slightly everything 5 Some rights reserved by kenteegardin Some rights reserved by BLW Photography 6 Some rights reserved by mwfearnley 7 Some rights reserved by Adikos 8 Some rights reserved by .faramarz 9 Some rights reserved by NHS Confederation 10 Some rights reserved by slightly everything I would like to thank and credit the following persons for the photographs provided in some of the slides:
- 20. 11 Some rightsreserved by jovike 12 Some rights reserved by StockMonkeys.com 13 Some rights reserved by deejayres 15 Some rights reserved by jovike 17 Some rights reserved by rodaniel
- 21. CLOUD COMPUTING: An Introductionto the Legal Aspects of Keeping Your Data Safe and Compliant Brian Miller Partner, IP & IT Stone King LLP
- 22. 1.Is my datasafe 2.Is my data kept within the territorial borders permitted by the Data Protection Act 3.What are the legal obligations to my data subjects Three Things You Need to Know
- 23. Cloud computing isthe name given to the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet). (Wikipedia)
- 24. PUBLIC, PRIVATE ORHYBRID CLOUD?
- 25. (1) Security If cloudprovider not using adequate security, data never safe: Adequate firewalls Adequate encryption Data Protection Act, Seventh Principle: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data“
- 26.
- 27. How Do IKnow If My Supplier Has Secured My Data? Data Protection Act, Seventh Principle (again): If you outsource storage of data, IT and legal experts must carry out due diligence on: • Supplier’s systems • Supplier’s terms and conditions
- 28. How Do IKnow If My Supplier Has Secured My Data? (cont’d) Obligations are on both:- The data processor (the cloud provider) The data controller (your organisation) No due diligence => you could be liable if breach Personal data accessible by a third party = Breach of the Data Protection Act
- 29. • No guaranteesthey won’t unless contract says so • Adequate Encryption by supplier by you if confidential HOW SECURE IS MY DATA? Can My Supplier Read My Data?
- 30. CRACKED AND HACKED Server Intrusion • Theftof valuable personal data • Sale of data to others or • Use of data for identity theft
- 31. EXAMPLE Aid to theChurch In Need [link] • Website hacked • Donor’s bank details taken • More than £100K stolen
- 32. (2) Who AreYou Contracting With? • May be a number of • providers involved • sub-contractors must be bound by same standards of – Security – Confidentiality
- 33. Main provider needsto carry can for subcontractors Difficult to trace if insolvent or abroad Unlikely to have direct contact with them They are unlikely to have any legal liability to you
- 34. (3) Where isMy Data? If data stored or transferred outside EEA, 8th Principle requires adequate security measures to be in place: • “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
- 35. Where is MyData (cont’d)? • ICO recommends getting • list of countries where data is likely to be processed • details of the safeguards in place • ICO requires DP to sign a data processing agreement: • only to use and disclose personal data in accordance with your instructions • to take appropriate security measures to protect the data • to get your consent to transfer the data outside EEA
- 36. DATA BREACHES Consequences ofbreach: • Fine of up to £500K • Civil actions from data subjects
- 37. Data Breach Examples 2012:NHS Trust £325K for a serious data breach •hard disks with sensitive personal data •ended up on eBay •fine highest issued by ICO
- 38. Data Breach Examples 2013:local authority fined £80K by ICO (sensitive personal data: unencrypted memory stick) If there is a claim, you do not want to be funding it: Make sure you get some cyberliability insurance!
- 39. THREE THINGS TOREMEMBER WHEN PUTTING DATA IN THE CLOUD… …carry out IT and legal due diligence on your provider to check that: • your data is kept confidential and secure • not transferred outside of the EEA without your data subjects’ consent • where it is, data processing agreements are also in place with any foreign sub-processors
- 40. For more information,see Government Papers on • Cloud Security Guidance • Cloud (Education apps) Software Services and the Data Protection Act • Cloud Security Principles
- 41. For further informationabout cloud computing, please see the following article on Stone King’s website: •Cloud Computing: What Do I Need to Know? Brian Miller Partner IP, IT & Commercial Stone King LLP brianmiller@stoneking.co.uk IT Solicitor@theitsolicitor brianmillersolicitor 0207 324 1523
- 42. ATTRIBUTIONS/CREDITS 1 Some rightsreserved by francisco.j.gonzalez 2 Some rights reserved by Marsel Minga 3 Some rights reserved by daniel_iversen 4 Some rights reserved by devdsp 6 Some rights reserved by renaissancechambara 7 Some rights reserved by get directly down 12 +13 Some rights reserved by Gunnar Wrobel 9 + 10 Some rights reserved by Stefan Baudy 12 Some rights reserved by IntelFreePress Some rights reserved by wwarby 13 Some rights reserved by IntelFreePress Some rights reserved by wwarby 14 Some rights reserved by geezaweezer I would like to thank and credit the following persons for the photographs provided in some of the slides:
Editor's Notes
- #8 (4) Refers to processing for purposes required under an enactment
- #22 Good afternoon everybody. I’d like to talk to you today about the legal and security aspects of keeping your data safe and compliant in the cloud. There are essentially three things that you need to be concerned about when putting your data in the cloud: [FIRST] Is my data safe, ie. are the cloud vendor’s systems secure from a technical point of view Is my data kept within the territorial borders permitted by the Data Protection Act What are my legal obligations to my data subjects under the Act when putting their data in the cloud. => Definition (First, What is Cloud Computing?) [NEXT SLIDE]
- #24 WHAT IS CLOUD COMPUTING? [READ SLIDE] “Cloud computing is the name given to the use of computing resources (both hardware and software) that are delivered as a service over a network (typically the Internet). “ The name (comes from): the use of a cloud-shaped symbol in system diagrams when flowcharting cloud computing networks. What does cloud computing really mean: well what it’s all about is putting your data in the hands of a remote service provider. Examples GMail (all your email is replicated on Google’s cloud server) Sky Drive (also owned by Google): is a large hard disk in the cloud where your data is stored; or e-payslips (a system we use at SK), where payslips are hosted and delivered to staff via their desktops. [NEXT SLIDE]
- #25 At least three types of cloud networks: Public Private Hybrid With a public cloud data is shared at a data centre with many other customers. Eg. Google Docs, where you data is shared with a number of other Google users on the same server main benefit: economies of scale (costs are spread across all users and is therefore cheap to operate and buy). downside is privacy: if a government authority obtains a court order for disclosure in relation to another user on same server=> your data could be scrutinized. In a private cloud data is in an environment built exclusively for your organisation, which means you get all the benefits of cloud computing, whilst getting privacy, because data is not shared on a server with others Downside: cost much higher A hybrid cloud traditional private cloud service with resources of public provider (such as Amazon) Advantages: scalability and comfort of using a reputable player; and privacy of a private cloud. Example: Rackspace (own server; locked in cage, very secure environment etc) [NEXT SLIDE]
- #26 SECURITY If your provider is not employing sufficient security measures =>your data will never be safe. Eg: inadequate firewalls are used, or the supplier employs inadequate encryption Seventh Principle provides.. [ON SCREEN- READ] [NEXT SLIDE]
- #27 If you want to see what a secure data centre looks like, take a look at Facebook’s.. (this is probably more a shot of the ventilation system in there, but you get the idea. I understand armed guards patrol outside..) [NEXT SLIDE]
- #28 I would like now to touch upon the legal aspects of cloud computing. The first point to consider is whether a supplier has confirmed in a contract that it has secured your data. Seventh Principle of the Data Protection Act (which we visited earlier) affects your organisation if you outsource storage of your customers’ or donors’ data to the cloud IT and legal experts must carry out due diligence on: the supplier's systems to ensure there is adequate protection for your data from a security point of view (as we learnt earlier); and (2) the supplier’s terms and conditions: these should be DPA compliant (ie. the requisite promises about data security and international transfers of data (which I will come on to) are given) You cannot take provider’s word all is ok. If you cannot show you carried out due diligence and something goes wrong => ICO could hold your organisation liable. Cannot blame outsourced entity - the ICO will not accept this. [NEXT PAGE]
- #29 I would like now to touch upon the legal aspects of cloud computing. The first point to consider is whether a supplier has confirmed in a contract that it has secured your data. Seventh Principle of the Data Protection Act (which we visited earlier) affects your organisation if you outsource storage of your customers’ or donors’ data to the cloud IT and legal experts must carry out due diligence on: the supplier's systems to ensure there is adequate protection for your data from a security point of view (as we learnt earlier); and (2) the supplier’s terms and conditions: these should be DPA compliant (ie. the requisite promises about data security and international transfers of data (which I will come on to) are given) You cannot take provider’s word all is ok. If you cannot show you carried out due diligence and something goes wrong => ICO could hold your organisation liable. Cannot blame outsourced entity - the ICO will not accept this. [NEXT PAGE]
- #30 How Secure Is My Data? Not very unless encrypted to a sufficiently high level where only persons with a ‘need to know’ have access. If supplier has encrypted your data, this should suffice if they have used a high enough encryption standard and measures, BUT Will not prevent supplier from reading your data (key to unlock) not prevent governmental agencies from seeing your data (eg. if there is a court order and your data is on a server with another) won’t prevent governments snooping on your data, as we learnt from the Snowden revelations [GCHQ has a back door to RSA encryption keys, the key fobs used by many companies to access their online networks]
- #31 An example of what can happen if, for instance, your website is insecure is that a third party can hack in and deface your site ie. replace the text there with its own (and let’s face it, it’s not going to be complimentary..), steal valuable personal data, sell it to others or use it for its own advantage, eg. for the purposes of identity theft. The damage to an organisation’s reputation in these circumstances is likely to be severe. If you want to read about just what can happen to a charity and its donors if its website gets hacked, take a look at the article written by Neville Kyrke-Smith, the national director of Aid to the Church in Need: details of the link are on screen. It is a salutary tale and makes for very interesting reading. I recommend you all read it (if for nothing else) to learn how to deal with a data breach if it happens (details of which are beyond the scope of this seminar).
- #32 An example of what can happen if, for instance, your website is insecure is that a third party can hack in and deface your site ie. replace the text there with its own (and let’s face it, it’s not going to be complimentary..), steal valuable personal data, sell it to others or use it for its own advantage, eg. for the purposes of identity theft. The damage to an organisation’s reputation in these circumstances is likely to be severe. If you want to read about just what can happen to a charity and its donors if its website gets hacked, take a look at the article written by Neville Kyrke-Smith, the national director of Aid to the Church in Need: details of the link are on screen. It is a salutary tale and makes for very interesting reading. I recommend you all read it (if for nothing else) to learn how to deal with a data breach if it happens (details of which are beyond the scope of this seminar).
- #33 The next point to consider when putting your data in the cloud is..: Who Are You Contracting With May be a number of sub-contractors involved won’t know about all or possibly any of them. Seek confirmation from your cloud provider that any sub-contractors hired are bound are by same standards of: Security Confidentiality, just as your provider hopefully is with you. Make sure these points are in contract. Main provider also needs to be responsible for the acts and omissions of its sub-contractors: It may be very difficult to trace any subcontractors if their ship goes down You are unlikely to have a direct contract with them (as the LawCloud terms showed) and therefore they are unlikely to have any legal liability to your organisation = > no legal right of redress for you. [NEXT SLIDE]
- #34 The next point to consider when putting your data in the cloud is..: Who Are You Contracting With May be a number of sub-contractors involved won’t know about all or possibly any of them. Seek confirmation from your cloud provider that any sub-contractors hired are bound are by same standards of: Security Confidentiality, just as your provider hopefully is with you. Make sure these points are in contract. Main provider also needs to be responsible for the acts and omissions of its sub-contractors: It may be very difficult to trace any subcontractors if their ship goes down You are unlikely to have a direct contract with them (as the LawCloud terms showed) and therefore they are unlikely to have any legal liability to your organisation = > no legal right of redress for you. [NEXT SLIDE]
- #35 Third point to consider is WHERE IS MY DATA? If data is stored or transferred by your provider outside of the European Economic Area (or EEA): Eighth Principle requires that [READ SCREEN] So unless you can satisfy yourself that those measures and protections are in place, you should not use a provider that allows your data to be transferred outside of the EEA. I will come on to how you can make these checks in a moment.
- #36 ICO recommends getting from the provider: a list of countries to which data may be transferred, and details of the safeguards in place between your provider and any foreign sub-processor An expert can check all the requirements have been met (eg. ‘model EU clauses’) ICO also requires that a written contract be entered into with the processor (a data processing agreement) containing the following clauses: Processor only uses and discloses personal data in accordance with your instructions; must take appropriate security measures to protect data; and it must get consent to transfer data outside EEA [NEXT SLIDE]
- #37 (Fifth and lastly) Data Breaches What are the consequences for failing to secure data from third parties, or Allowing a provider to make a transfer outside of the EEA without the data subjects’ consent? THE ANSWER IS: Fine up to £500K for serious data breaches. Civil actions by data subjects All of this can therefore get very expensive, particularly with a large data breach involving a large number of data subjects.
- #38 Examples of Data Breaches October 2013: local authority fined £80K by the ICO (loss of sensitive personal data about children with special needs on an unencrypted memory stick). 2012: an NHS Trust fined £325K for a serious data breach IT contractor was hired to destroy around 1000 hard drives kept in a secure location It smuggled 252 of them out of the building some ended up on internet auction sites; Disks contained confidential details about patients with HIV, including: patients’ medical conditions and treatment disability living allowance forms children’s reports. The fine is the highest issued by the Information Commissioner’s Office since granted the power to issue fines in April 2010. If all else fails and there is a claim, you want to be sure you are covered. So make sure you get some cyberliability insurance!
- #39 Examples of Data Breaches October 2013: local authority fined £80K by the ICO (loss of sensitive personal data about children with special needs on an unencrypted memory stick). 2012: an NHS Trust fined £325K for a serious data breach IT contractor was hired to destroy around 1000 hard drives kept in a secure location It smuggled 252 of them out of the building some ended up on internet auction sites; Disks contained confidential details about patients with HIV, including: patients’ medical conditions and treatment disability living allowance forms children’s reports. The fine is the highest issued by the Information Commissioner’s Office since granted the power to issue fines in April 2010. If all else fails and there is a claim, you want to be sure you are covered. So make sure you get some cyberliability insurance!
- #40 WRAP. If you remember nothing else from this seminar, try and just take away these three things. If you choose to put your data in the cloud, carry out IT and legal due diligence on your provider to check that their systems and terms require that: data is kept confidential and secure; it is not transferred outside of the EEA without your/data subjects’ consent; and any processors outside the EEA have adequate security measures in place in accordance with the Act to safeguard your data Government has now issued its own guidance for consumers and business and which can be found on its website using the link on screen. I will circulate an electronic copy of this presentation so you can access the links on screen. [NEXT SLIDE]
- #41 WRAP. If you remember nothing else from this seminar, try and just take away these three things. If you choose to put your data in the cloud, carry out IT and legal due diligence on your provider to check that their systems and terms require that: data is kept confidential and secure; it is not transferred outside of the EEA without your/data subjects’ consent; and any processors outside the EEA have adequate security measures in place in accordance with the Act to safeguard your data Government has now issued its own guidance for consumers and business and which can be found on its website using the link on screen. I will circulate an electronic copy of this presentation so you can access the links on screen. [NEXT SLIDE]
- #42 THANK YOU FOR LISTENING. [OVER TO MICHAEL]