Kawser Hamid : ICO and Data Protection in the Cloud
-
Upload
gurbir-singh -
Category
Technology
-
view
189 -
download
2
description
Transcript of Kawser Hamid : ICO and Data Protection in the Cloud
Data Protection in the Cloud
Kawser HamidLead Policy Officer
Information Commissioner’s Office
What I will talk about
•How does the Data Protection Act apply to the cloud?
•What are the key issues which need to be addressed?
•What are the potential solutions?
•Key points from our cloud guidance
•How might future changes in data protection law change things?
Data Protection Act - background
• Replaced the Data Protection Act 1984
• Framework for the use of personal data
• Technologically neutral
• Implements the 1995 EU Directive on Data Protection95/46/EC
How does the Data Protection Act apply to the cloud?
Q: What is the DPA about?
A: The DPA applies to the processing of personal data.
What does this mean?
Key concepts: data
Data is information within:
• A relevant filing system (or with that intention) i.e. highly structured and readily accessible paper filing system
• Any type of information held by a body subject to the Freedom of information Act
• An accessible record ie health, education, housing and social services records
• Equipment operating automatically in response to instructions (or with that intention) i.e. computerised format
Key concepts: personal data
The DPA defines personal data as:
“data which relate to a living individual who can be identified-
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
Other key concepts
• Processing – basically anything you can do to personal data e.g. hold, disclose, amend or delete
• Data Subject - an individual who is the subject of personal data
• Data Controller – a person or body which decides what happens to the personal data it processes
• Data Processor - a person or body (other than an employee of the data controller) who processes personal data on behalf of the data controller
• The DPA eight principles
The eight principles
The DPA is based on eight principles of good personal data handling.
The data must be:
1. Fairly and lawfully processed (and an appropriate Schedule 2 and 3 condition for processing)
2. Processed for limited purposes and not further processed in a manner which is incompatible with those purposes
3. Adequate, relevant and not excessive4. Accurate and up to date 5. Not kept longer than necessary 6. Processed in accordance with the individual’s rights 7. Secure 8. Not transferred to countries outside of European Economic Area
unless adequate protection is provided
Seventh principle
The seventh principle states that:
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”
Seventh principle
Deciding on what is “appropriate”:
• Nature of the information• Harm which may result
Types of measures:
• Management and organisational• Staff• Physical security• Computer security
If using a data processor, the data controller must:
• Make sure that they choose a processor who can offer an adequate level of security• Have a written contact in place with the processor • Check that the processor is complying with the security elements of the contract
Eighth principle
The eighth principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”
Eighth principle
How to ensure adequacy:
• General factors to consider
• Non-EEA countries already considered adequate
• European Commission model contract clauses
• Binding Corporate Rules
So how does this apply to the cloud?
• Information in the cloud is data because it’s computerised.• Much of the information bodies will use in the cloud is about living
identifiable people which says something about them – therefore is personal data.
• The people themselves will be data subjects.• Something is going to happen to the personal data – therefore is
being processed.• A cloud service purchaser will be the data controller because it will
make the decisions about how the personal data is used.• A cloud service provider will be the data processor because it is
acting upon the instructions of the data controller.• The cloud service provider will have to provide adequate security
(7th principle).• Cloud service providers may transfer personal data outside the EEA
(8th principle).
What are the key issues which need to be addressed?
• Large cloud service providers are dictating the terms and conditions.
• A cloud service provider may have its servers anywhere around the world.
• Many cloud service providers use chains of subcontractors.
• How does a data controller ensure information governance?
• Many of the large cloud service providers are US companies and are subject to the USA PATRIOT Act.
What are the potential solutions?
Cloud service providers proactively addressing data protection issues:
• Flexibility over terms and conditions Consumer power:
• Cloud service purchasers have to demand appropriate data protection standards.
ICO action:
• Be clear about what we think
• Empowering cloud service purchasers to make the right choices
ICO guidance
New cloud sections on our website:
For organisations -
“Guidance on the use of cloud computing”
http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/online/cloud_computing.aspx
For the public –
Guidance on cloud storage
http://www.ico.gov.uk/for_the_public/topic_specific_guides/online/cloud_computing.aspx
Guidance on the use of cloud computing – key points
Select which data to move to the cloud
Select the right the cloud provider:
• What type of provider• Transfers outside the EEA• Security• Monitoring performance• Contracts
How might future changes in data protection law change things?
New (draft) Data Protection Regulation:
• Article 17 – Right to be forgotten.
• Article 18 – Right to data portability.
• Article 30 - the European Commission may specify the technical and organisational measures required in a particular sector.
• Article 31 – Breach notification
• Article 33 – Mandatory data protection impact assessments for processing that represents specific risks to the rights and freedoms of data subjects.
• Article 34 - Prior authorisation and consultation for international transfers.
• Article 77 - places liability on data processors as well as data controllers.
www.twitter.com/iconews
Keep in touch
Email: [email protected]
Subscribe to our e-newsletter at www.ico.gov.ukor find us on…