NEW TECHNOLOGIES, OLD DATA:
WHAT ALL ORGANISATIONS NEED TO KNOW
Part 2
Cloud Computing
Brian Miller, Partner
Vicki Bowles, Barrister
Stone King LLP
1
Content
• Legislative framework – reminder
• Disclosure to third parties
• BYOD
• EU regulation changes
Legislative framework - reminder
• Back to basics – key information:
– Who is the data controller?
– What personal data do you have?
– Are you compliant with the principles?
Disclosure
• Comply with the first data protection principle:
Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless-
– At least one of the conditions in Schedule 2 is met, and
– In the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Disclosure
• What is “fair”?
– How was the information obtained?
– What was the individual told about the purposes of processing when the information was obtained?
Disclosure
• Schedule 2 conditions:
– Para 1: consent
– Para 2: contracts
– Para 3: compliance with legal obligation
– Para 4: protect vital interest of data subject
– Para 6: Necessary for legitimate interests, subject to unwarranted prejudice to rights and freedoms
BYOD
• Bring Your Own Device
– Responsibility for breaches
– Level of risk v resources:
• No BYOD – low risk/not practical
• You supply the device and control security settings – medium risk/expensive
• Access limited to certain components of system – medium/high risk/more practical
• Unlimited access – high risk
BYOD
• Have a policy in place:
– Minimum levels of security required
– Expectations re: downloads etc., if it is your (the organisation’s) device
• Training
– Do your staff/volunteers understand what they need to do to secure their device?
– Make your requirements clear
EU Regulation
• Expected to be in force 2018, but with a transitional period
• Will be directly effective as soon as passed as EU law, and will apply to the UK
• Subject, of course, to a Brexit…
EU Regulation
• Summary of main changes:
– Extension of Remit
– New Definition of Consent
– Definition of Child
– New Principles
– New Rights
– International Transfers
– Data Protection Officer
EU Regulation: Extension of Remit
• “natural persons” excluded, as are law enforcement agencies
• All data controllers in the EEA
• Any data controller offering goods or services to customers in the EEA
• Any data controller that is monitoring the behaviour of individuals in the EEA
EU Regulation: Consent
• Explicit
• Freely given
• Informed
• Specific
EU Regulation: Definition of Child
• Below 18
• Under 13 can never give valid consent
• 13-16 up to member states
EU Regulation: New Principles
• One – fair, lawful, transparent, and justified
• Adequate, relevant and the minimum necessary to meet the specified purpose
• Process data under your responsibility and liability, and ensure you can demonstrate compliance with the accountability principle
EU Regulation: New Principles
• Justifications for processing:
– Consent
– Contract
– Legal obligation
– Vital interest
– Task carried out in public interest
– Legitimate interests – but not for public authorities
BUT – for further processing for a purpose other than that for which the data was collected, you can’t rely on legitimate interests.
EU Regulation: New Rights
• Right to be forgotten:
– Individuals have a new right to be forgotten
– Must take steps to make others aware of the objection if the information has been made public
• Right to portability:
– Right to data in an electronic and structured form, commonly used, which permits further use by the data subject
– Aimed at allowing ease of movement of accounts such as Facebook
EU Regulation: International Transfers
• Adequacy decision by Commission
• Additional safeguards, eg:
– BCR
– Model Contract Clauses
– Approved code of conduct or certification AND binding and enforceable commitments
EU regulation: DPO
• Impact assessments for all if risky
• DPO if:
– Public body
– 250 employees
– Regularly and systematically monitors data subjects
NEW TECHNOLOGIES, OLD DATA:
WHAT ALL ORGANISATIONS NEED TO KNOW
Part 2
Cloud Computing
Brian Miller, Partner, IP & IT
Stone King LLP
@theitsolicitor
brianmillersolicitor
brianmiller@stoneking.co.uk
1
RECAP
Part 1
• Is my data safe in the cloud?
• Transfers outside of the EEA
• Legal obligations to data subjects
• Sanctions for non-compliance with DPA
Part 2
• How to check vendor’s systems are secure
• How US Safe Harbor worked in practice
• What do we do about transfers to US since abolition
• DfE’s paper on Cloud Computing
2
(1) Security
If the cloud provider is not using adequate security, your data is never safe.
Minimum protection:
• ISO 27001 certification (security)
• ISO 9001 (Quality Management)
• ISO 27018 (cloud certified)
• Cloud Industry Forum self-certified
• DfE self-certified
3
CHECKING ISO CERTIFICATION
ISO CERTIFICATES
Still need to do due diligence on the certificate:
1. Check certificate genuine (1)
2. Request copy certificate
3. Contact the Certification Body
4. Check scope of certificate
– Check date of issue and expiry date
– Check the statement of applicability (SoA)
5. Check national accreditation body accrediting Certification Body
4
For more information, please see:
(1) http://www.isoregister.info/index.php
(2) http://blog.itgovernance.co.uk/how-can-you-validate-an-iso-27001-vendor/
FINDING A REPUTABLE SUPPLIER
There are various bodies with their own certification process:
• Cloud Industry Forum (CIF): here
• Department for Education: here
• Numerous other certification systems: here
5
CLOUD INDUSTRY FORUM’S CERTIFICATION PROCESS
A.1.5 Third-Party Coverage Transparency
Statement about the extent to which the organization accepts indirect responsibility for the organization's suppliers. [This covers e.g. the situation of the organization's suppliers going out of business.] For example: for the technical failure of vendors in the supply chain such as co-location where services are taken off-line.
(1) customer can limit countries to which data is transferred to comply with 8th principle
(2) LawCloud and Rise accepts responsibility for the provision of its infrastructure services, including any technical failures of third party vendors
(3) LawCloud and Rise's responsibility to direct Customers is subject to contractual agreement and associated terms and conditions.
(4) In respect of contractual liability, such liability will be limited
(5) direct Customers are required to undertake their own areas of responsibility...
(6) the contractual relationship is between LawCloud and the direct customer. LawCloud has a separate agreement with Rise and Microsoft who are under no obligation or liability to direct customers. Any requests from a customer will be reviewed on an individual basis and in association with LawCloud.
6
Self-Certification via the DfE
• DfE offers a similar process by way of a published Q&A
• Several, inc. Microsoft and Google, have filled these out
See examples later on....
Google’s can be found here
Microsoft’s can be found here
7
SCHOOLS & CLOUD COMPUTING
(1) Key Data Protection Issues
• Cloud appeal is attractive:
– Offsite storage and archiving
– Website hosting, email and remote access
– No need to invest in IT architecture
– No need for expensive IT support staff
8
Cloud Pitfalls
(a) Obligations Under the DPA
• Cloud providers do not have your interests at heart
• Organisation remains legally responsible for:
– retention
– storage
– usage
– security
of personal data managed on its behalf by a provider
Responsibility for fair and secure handling of personal data cannot be delegated
9
(b) Dispersion of Data
• Data often scattered across a variety of devices
• Staff reluctant to delete local records
• Records difficult to track down
• Such records can form part of subject access requests
• Risks multiply with remote storage solutions, eg OneDrive
10
(c) Data Security Compliance
• Education of staff on information security compliance:
– Awareness of local data protection policies
– Robust management of access passwords
– Consistent use of conventions for sensitive data
• Other challenges:
– Multiplicity of users
– High staff turnover
– Ensuring high level understanding of complex policies
11
2) How Can Organisations Ensure DPA Compliance?
DPA 7th Principle:
“Appropriate technical and organisational measures must be put in place to guard against loss, damage or unauthorised access to personal data.”
• Demonstrate that their data handling systems are robust
• Due diligence carried out on commissioned services
(a) Privacy Impact Assessment
(b) Contractual protection:
– Prohibit unrestricted use of sub-contractors
– Limit ability of contractors to use personal data etc.
12
3) Auditing and Due Diligence
• Organisations expected to audit suppliers periodically
• DPA requires active management to ensure supplier:
– Delivering contracted services
– in line with agreed security standards and specifications
• Any information handling systems adopted should permit compliance with the DPA
13
4) What Issues Arise When Adopting the Cloud?
a) Security and Data Breaches
• Cloud services tempting target for hackers
• Risks to child safety/donor data => high level of assurance needed
• Staff induced risks:
– Sloppy use of passwords
– Loss of unencrypted device
14
b) Out of the Box Services
• Most cloud providers still providing standard service
• No real recognition of regulatory obligations on organisations
• Some now making real efforts to adapt to this
Remember: responsibilities for compliance under the Act rest exclusively with the data controller
15
c) Transfer of Data Outside of the EEA
• DPA prohibits transfers outside of the EEA unless adequate protection for privacy
• Some providers now providing “EU only” service
• ISO certificate is no guarantee of “no offshoring”
• Choose EU based service if possible
16
d) Back-Up
• Make sure provider has suitable back-up systems
• Make your own back up as a back up!
– never assume you will be able to get your data back in the event of provider failure
e) Marketing
• restrict/exclude provider’s ability to market to users
• Children/students may not be in a position to object
17
SUBMISSION TO DfE
Amber – on the fence
Green – complies
Black – not applicable
3/37 amber, 1 black, 33 green
Google’s Self Certification
18
Google’s Self Certification
19
Security & Encryption
20
Transfers Outside the EEA
21
Independent Audits
22
User Access to Data
23
Deletion of Data
24
Staff Access to Data
25
Google Staff Access
26
Commercial Use of Data
27
Back-Up
28
DESIRABLE PROVIDER REQUIREMENTS
• Contract is DPA compliant √
• Handling systems are robust/data encrypted √
• Commitment to delivering cloud services via European servers only x
• Independent audits √
• Provider’s staff have very limited access to data √
• Information handling system configurable for compliance √
• Limits on the ability of provider to make secondary use of data √
• System prohibits the unrestricted use of sub-contractors ?
• Suitable back-up systems √
29
8th Principle / Transfers Outside the EEA
Means of ensuring adequate protection:
1. Main provider: model clauses signed up with contractor
2. Sub-processors:
• US: entity on Safe Harbor List
• Signing data processing agreement
Transfer without consent or adequacy = breach of the Act
30
Unsafe Harbor?
• US Safe Harbor based on self-certification
• Abolished in Schrems: now Privacy Shield
• Pending agreement between EU-US authorities
• Given its abolition in the Schrems case, consider:
– EU model clauses
– Intra-group binding corporate rules
Note: risk of enforcement action
31
What Are the Consequences for Failing to Put Appropriate Protections In Place?
a) Statutory
• Fine of up to £500K for serious breaches
• Binding enforcement notices
• Non-binding undertakings
• Publication of penalties on ICO website
32
b) Civil Actions
• Aggrieved data subjects can bring civil action for damages:
– Harm suffered
– Distress occasioned by breach
• Claims rare but likely to become more common:
– Lawyers more alive to group actions in UK
– Social media/internet => increased availability of information
33
SUMMARY
When thinking of putting your data in the cloud:
• Check your provider’s security credentials
• Consider the key data protection issues affecting your organisation
• Consider the most appropriate provider for your purposes in conjunction with any surveys you can find, eg CIF, DfE
• Where the provider is transferring data outside the EEA, ensure model clauses in the contract
34
For further information about cloud computing, please see the following articles on Stone King’s website:
• How can Charities Protect Their Data in the Cloud?
• Cloud Computing: How safe is your data?
• Ten Questions You Should Ask Your Cloud Provider
• Cloud Computing: What Do I Need To Know?
Brian Miller
Partner, IP, IT & Commercial
Stone King LLP
brianmiller@stoneking.co.uk
@theitsolicitor
brianmillersolicitor
BrianMillerSolicitor
+44 (0) 207 324 1523
35
Attributions
Slide 1 Some rights reserved by caribb
Slide 2 Some rights reserved by bob august
Slide 3 Some rights reserved by FutUndBeidl
Slide 4 Some rights reserved by Dennis Wong
Slide 5 Some rights reserved by Todd Barnard
Slide 6 All rights reserved by Bhaskar Dutta
Slide 7 Some rights reserved by goforchris
Slide 8 Some rights reserved by celestehodges
Slide 9 Some rights reserved by zachstern
Slide 10 Some rights reserved by adactio
Slide 11 Some rights reserved by Defence Images
Slide 12 Some rights reserved by IntelFreePress
36
Attributions
Slide 13 Some rights reserved by Intersection Consulting
Slide 14 All rights reserved by edbutowsky
Slide 15 Some rights reserved by kilokon.tw
Slide 16 Some rights reserved by Celso Flores
Slide 17 Some rights reserved by mediadeo
Slide 18 Some rights reserved by brionv
Slide 30 Some rights reserved by scott.tanis
Slide 31 Some rights reserved by CarbonNYC [in SF!]
Slide 32 Some rights reserved by opensourceway
Slide 33 Some rights reserved by archer10 (Dennis)
Slide 34 Some rights reserved by storem
Slide 35 Some rights reserved by Moyan_Brenn
37
Data Protection and the Cloud (Part 2) by Brian Miller Solicitor and Vicki Bowles Barrister


Editor's Notes

  • #21 Good afternoon everybody. I’d like to take you through today the second part of our series of seminars on data protection and cloud computing. [NEXT SLIDE]
  • #22 In Part 1, we looked at [ON SLIDE] According to a new study and despite a lack of encryption planning, over 80 per cent of organisations are planning to store sensitive and confidential data in the cloud by 2018.
  • #23 Let's start with [TITLE] and first line. [READ FIRST THREE BULLETS OF SLIDE] ISO standard for cloud, ISO 27018, which is specifically targeted at cloud providers It covers many of the things we are going to look at today, such as keeping your data secure, data transfers outside the EEA and identification of subcontractors etc [NEXT SLIDE]
  • #24 [READ HEADING] The first aspect of checking certification is looking at the security certificates themselves. [SLIDE, IGNORING FIRST LINE] For more info, see the link on the screen to the blog by Steve Watkins on this topic. [EXPLAIN HYPERLINKS] At the end of the day, who can be bothered to check all this (and this is the problem), so ideally, try and find a reputable supplier.
  • #25 [READ HEADING] [READ FIRST LINE OF SLIDE].... so that you can try and ascertain whether a supplier is reputable or not. Unfortunately, most if not all of these bodies rely on self certification as the means of rating the supplier, so it is not 100% reliable. I am going to look at two certification processes today: that provided by the Cloud Industry Forum and the DfE’s. Each party’s certification tools can be found at the locations stated on the screen.
  • #26 Let’s start with the Cloud Industry Forum (or CIF’s) certification process. CIF provides certification of suppliers registered and certified with it. On screen are the sort of statements you get as part of the certificate. What you can see is details about a supplier called LawCloud and its subcontractor Rise. Let's see what they offer the customer: [ON SCREEN, BUT COMMENT AFTER EACH NUMBERED POINT AS PER THE BELOW] GOOD. FINE IF THERE IS A TECHNICAL FAILURE. SO YOU DON’T KNOW WHAT YOU ARE GETTING UNLESS YOU GET A GOOD LAWYER. OK, I KNOW IT IS NOT UNUSUAL FOR COS TO LIMIT LIABILITY, BUT WHAT IS THIS LIMIT? WHAT DOES THAT MEAN? So if Rise or MS go insolvent or run off with your data, tough luck. If you have a concern, it will be “reviewed on an individual basis”. Not very clear.
  • #27 Contrast this with the rather more impressive [..READ TITLE ON SCREEN + FIRST TWO BULLETS] [AFTER SECOND BULLET]: 15 signed up so What you will find if you read it, is that it is really quite detailed and the Department have made a big effort to ask the right questions/ get answers needed. [READ MAIN ARROW] I shall only look at Google’s today, but you can find links to other supplier responses by going to P.12 of the link at top of page.
  • #28 But before we do that, let’s look at four key points affecting your decision to go to the cloud. [SLIDE, TITLE (1) ] [READ SLIDE] [LAST BULLET] However, there are some issues which you need to be aware of… [NEXT SLIDE]
  • #29 So what are some of the pitfalls? I am going to look at three. (a) [READ FIRST HEADING] Because cloud services are presented as ‘off the shelf’ and tend to come with standard terms, it is easy to think that the provider is taking care of everything and the customer retains no legal responsibility for anything. That couldn’t be further from the truth… [SLIDE: FIRST TWO BULLETS AND SUB-BULLETS ONLY] Because schools tend to handle highly sensitive information regarding children and charities hold donor financial data, it is very important to ensure robust data security mechanisms are in place with the provider. [SLIDE: last two lines in white]
  • #30 A second problem when trying to put data into the cloud is the general dispersion of data which takes place over a number of years at an organisation. [SLIDE] Data literally becomes ‘out of sight, out of mind’
  • #31 The third pitfall is ensuring [TITLE] There are significant challenges in ensuring staff are educated on information security compliance. There needs to be [SLIDE, FIRST THREE SUB-BULLETS AND REST OF SLIDE]
• #32 [READ TITLE] There are a number of measures an organisation can adopt. Those who attended Part 1 will recollect the 7th Principle: “[READ BUBBLE]” An organisation therefore needs to be able to [READ FIRST TWO BULLETS] This is best achieved by carrying out [SUBHEADING (a)] or PIA to identify what kinds of data will be involved and to map the data flows, both between the end users and the cloud, and within the cloud itself. E.g. a PIA might lead an organisation to conclude that certain data is too sensitive to put into the cloud, or that it can only be put in the cloud if encrypted. [HEADING (b)] is needed to [SLIDE, (b), two arrows]
• #33 [READ HEADING] [READ BULLET 1] Where contractors are used to handle data on behalf of an organisation, [READ REST OF SLIDE] For example: cloud storage systems ought to be capable of aligning with an organisation’s own policies in relation to the deletion and retention of certain categories of records: an organisation should not adopt the default data retention periods used by service providers.
• #34 [FIRST HEADING] [READ 1ST & 2ND BULLETS] to prevent [READ SUB-HEADING] Security and integrity of data must be an overriding concern. We also have to think about [READ THIRD BULLET (“staff induced...”) and sub-arrows] … which means it is only going to be a matter of time before there is a security breach.
• #35 The second issue we need to think about is [READ HEADING] [1st & 2nd BULLETS] The good news is [3RD BULLET] and provide a service which is mindful of the obligations imposed on organisations such as schools and charities. Let it not be forgotten [READ FROM ‘REMEMBER’ ON SCREEN]: in terms of protecting personal data of pupils and donors.
  • #36 Thirdly, we need to think about: [READ HEADING AND 1ST TWO BULLETS] Please note that [THIRD BULLET] So make sure that… [FOURTH BULLET]
• #37 Next [HEADING (d)] [READ TWO BULLETS]. The saga with 2e2 provides a salutary tale on that front (2e2 went under: the administrator charged £50K to get data back). And finally: [HEADING (e): Marketing] Make sure you [READ 1ST BULLET], noting that [2ND BULLET], which is why it is important to do so in the contract, even though the Act restricts such usage.
  • #38 So let’s now look at Google’s own answers to the DfE’s Q&A about cloud computing. There are three types of answer to the Q & A... [SLIDE]
  • #39 If we look at the first question [READ 3.1 AND 1ST SENTENCE OF ANSWER ONLY], you will see Google gives an affirmative answer to the question and suggests they are open to amendments. [GIVE THEM TIME TO READ IT AND CHECK THEY HAVE]
  • #40 Q.4.3 & 5.7 ROBUSTNESS OF SYSTEMS AND ENCRYPTION OF DATA: READ QUESTION AND ANSWER Even though Google has given a part amber answer, it looks like the data is encrypted adequately.
• #41 Turning now to Q 8.1, transfers of data outside of the EEA: READ ALL OF BOTH. So you will see that, although Google is not promising to keep the data within the EEA, it says it complies with the Act because: it uses the Safe Harbor scheme (I’ll come on to Safe Harbor later); and it uses model clauses in its contracts with subcontractors, as approved by the EU Commission.
  • #42 Independent Audits [READ QUESTIONS ONLY; DO NOT READ ANSWERS] In both cases, the answer seems to be Yes. [ALLOW TIME FOR READING]
  • #43 Q3.4 USER ACCESS TO DATA READ Q 3.4 : the answer is basically YES. READ Q5.12: and ANSWER down to “export functions”. [ALLOW READING TIME]
• #44 Deletion & Retention of Data. READ Q 5.10 ONLY. ANSWER: Yes
• #45 Staff Access to Data & Security. READ ANSWER TO "application specific passwords". Two-step authentication (for those of you who do not know) means users can be required to set up an additional security measure before they can log in, such as the texting of a code to their mobile phone.
  • #46 Q 5.5 ACCESS BY GOOGLE STAFF TO YOUR DATA – READ QUESTION ONLY Answer is basically YES [ALLOW READING TIME]
  • #47 Qs 9.2 and 9.3 ADVERTISING & COMMERCIAL USE OF DATA [DO NOT READ SLIDE]: 9.2 Data Mining of Users Data – Google says it won’t do it 9.3 says Google will not use the data of pupils or staff for any commercial purpose
  • #48 Q6.5 LASTLY. DOES THE PROVIDER HAVE SUITABLE BACK-UP SYSTEMS? [DO NOT READ SLIDE] The clear answer from 6.5 seems to be that Google backs up your data and that it is recoverable.
• #49 Recap of Desirable Requirements for Cloud Providers in the context of Google’s answers [DO ALL ON SCREEN THEN NEXT SLIDE (IGNORE NOTES BELOW)] [PAUSE BEFORE MOVING ON]
– Contract is DPA compliant and amendable (3.1 & 3.2): TICK
– Handling systems are robust and data encrypted (4.3 & 5.7): TICK
– There is a commitment to delivering cloud services via European servers only (8.1, 8.2, 8.3, 8.4): NO
– Provider is independently audited (6.1 & 6.2): TICK
– Provider staff have very limited access to data on a ‘need to know basis’ only (5.5): TICK
– Information handling system adopted by a school can be configured in a way which enables the school to comply with its general obligations under the Act: schools must be able to provide individuals with copies of their own personal data on request, to correct inaccurate data, and in some cases to stop processing an individual's personal data altogether (3.4 & 5.12): TICK RE USERS ACCESSING OWN DATA
– E.g. cloud storage systems should be capable of aligning with the school's own policies in relation to the deletion and retention of certain categories of records (5.10): TICK
– Ability to ensure all staff are accessing the cloud server securely (5.4): TICK
– Contract limits the ability of contractors to make secondary use of personal information (9.2 & 9.3): TICK
– Contract prohibits the unrestricted use of sub-contractors: THERE IS NO CLEAR ANSWER, BUT CONTRACTUAL PROMISES REGARDING EU MODEL CLAUSES SHOULD HELP TO KEEP USAGE RESTRICTED
– Provider has suitable back-up systems (6.5): TICK
• #50 Transfers Outside of the EEA – A Recap. 1) Where the main provider is outside the EEA, the ICO recommends model clauses are signed up to. These can be found on the EU Commission’s website or supplied by your lawyer. 2) Where transfer of data is to a sub-processor outside the EEA, a means other than model clauses will need to be used, such as: [FIRST BULLET UNDER POINT 2]. This has now recently been done away with by the EU court, which I will come on to in a moment. [2nd BULLET]: ensures that the supplier confirms that its legal obligations under the Act will be complied with. Note: as a data controller, you remain responsible for protecting your data subjects’ data, whatever a data processing agreement with your provider may say. [READ LAST LINE] unless you can show the destination country has adequate protections in place for the rights and freedoms of the data subjects in relation to the processing of their data.** [NEXT SLIDE] [** See page 5 highlighted text of DPA note Assessing Adequacy for International Data Transfers for notes on assessing legal adequacy of a third party country outside the EEA [in D E Ford folder]]
• #51 A quick word now about the US Safe Harbor Scheme, which had around 3,000+ members at the time [READ SLIDE to "Privacy Shield"], as agreed in a draft agreement negotiated between the EU Commission and US Govt. Amongst other things, the shield will give enhanced rights of redress for EU data subjects. [READ REST OF SLIDE] … by EU DPAs, now that the official grace period on enforcement has expired [against companies that have not implemented compliant data transfer mechanisms]. [NEXT SLIDE]
• #52 Finally, [READ HEADING]. E.g. if you choose the wrong cloud provider and it all goes pear-shaped. The first category is [READ HEADING A] [READ BULLET A], where the breach is wide scale or involves sensitive personal data. You remain liable as data controller, even if your contractor screws things up. Less serious breaches will not give rise to fines but may result in other ICO enforcement action, including: [2ND BULLET, COL 1], requiring corrective action within prescribed timescales; or [3RD BULLET, COL 2] [LAST BULLET] => can give rise to substantial adverse publicity, damaging your reputation.
  • #53 The second category is: [READ TITLE AND WHOLE SLIDE FIRST]
  • #54 [READ SLIDE] THAT’S ALL, FOLKS, THANKS FOR LISTENING [ASK IF ANY QUESTIONS] [NEXT SLIDE!]
  • #55 THANK YOU FOR LISTENING.