Lasa webinar data protection and the cloud
Transcript of Lasa webinar data protection and the cloud
Webinar Presenters
Miles Maier @LasaICT
Paul Ticher @PaulTicher
www.londoncouncils.gov.uk/grants
London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a website about its grants service. To read about our grants funding and the work of some of the 300 groups we support
Supported by:
• London For All – partnership of LVSC, Lasa,
ROTA, WRC and HEAR
• Only pan-London charity tech advice service
• www.lvsc.org/londonforall/
About Lasa
• 30 years in the sector
• Technology leadership, publications, events and consultancy
www.lasa.org.uk
• Welfare Rights
www.rightsnet.org.uk
Webinar Tips
• Ask questions: post questions via chat or raise your virtual hand
• Interact: respond to polls during the webinar
• Focus: avoid multitasking. You may just miss the best part of the presentation
• Webinar PowerPoint & recording: PowerPoint and recording links will be shared after the webinar
Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and systems
• Many charity clients
Twitter: @PaulTicher
This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.
Programme
Where are the risks?
Your Data Protection responsibilities
What you should be doing, especially about:
Security
Transfers abroad
Cloud computing characteristics
Cheap and flexible, especially for small organisations
Available anywhere there is an internet connection
Suppliers claim good security and service levels
Based on:
Standard offering, usually non-negotiable
Shared facilities, controlled by the supplier
Location of data irrelevant (and may be obscure)
May be layers of sub-contract
Cloud examples
Microsoft 365, Google Apps (office programs)
Huddle, GoToMeeting, Skype (collaboration)
Amazon (storage & processing capacity)
Salesforce (contact management database)
YouTube, Instagram (photo/video storage and sharing)
MailChimp (bulk mailings)
SurveyMonkey (online surveys)
Social networking sites
Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Ranking the risks
Principle                 Risk rank     Comment
1. Fairness               Low (Medium)  No different from in-house considerations unless the cloud
2. Limited purposes                     provider also captures personal data for its own purposes
3. Adequacy               Medium        Minor implications if the design of the cloud application
4. Accuracy                             does not support good data quality
5. Retention              Low           No different from in-house considerations
6. Data subject rights    Medium        Possible minor implications for subject access
7. Security               Very high     Significant additional risks from cloud computing
8. Transfers abroad       High          Cloud applications may (without making this obvious)
                                        locate data outside ‘safe’ jurisdictions
Data Controller / Data Processor
“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Data Processor requirements
A contract, ‘evidenced in writing’, covering at least:
Setting out the relationship and how it will work
Underpinning both parties’ security obligations
Allowing the Data Controller to verify the Data Processor’s security
See also my checklist that includes:
Limitations on transfers abroad and subcontracting
Clear confidentiality obligations on Data Processor
Requirement to inform of any breach
Principle 7: Security
You must take steps to prevent:
Unauthorised access
Accidental loss or damage
Your measures must be appropriate
They must be technical and organisational
You cannot transfer this responsibility to a Data Processor
The standard aims of security:
Confidentiality
Limits on access, depending on need to know
Integrity
No unintended or unauthorised modification
Availability
No accidental loss
There when you need it
Security in the cloud
‘Data in transit’ vs ‘Data at rest’
End-to-end – from the device to the depths of the cloud provider’s system
Additional BYOD risks
Personal vs corporate accounts
Cloud security breaches do occur
British Pregnancy Advisory Service Website ‘contact us’ form
Stored for five years – almost 10,000 records
Admin password not changed from default
Successfully hacked into and personal data stolen
Aberdeen City Council Social worker working from home, with permission
Computer set to synch with cloud storage location
Cloud location not secure – personal data showed up in search
Security when the Data Processor is a cloud provider
Cannot be an afterthought
Don’t just rely on the provider: you have responsibilities too
Negotiated contract: require your supplier to take security precautions – and check that they have done so
Standard terms and conditions: often non-negotiable – due diligence required
Understand what you are checking
Risk cannot be wholly eliminated
Guidance & recommendations: I
Cyber Essentials – UK government scheme, two levels
Information Commissioner’s May 2014 report
Open Web Application Security Project (OWASP) Top Ten – updated every three years (most recent 2013); more technical
Common points
Firewalls & gateways
Malware protection
Secure configuration (including SSL and TLS)
Access control
Default credentials
Patch management/software updates
SQL injection
Unnecessary services
Password storage
Inappropriate locations for processing data
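Two of the common points above, SQL injection and password storage, are shown below as an insecure login beside a hardened one, with a small deployment check for the default-credentials problem behind the BPAS breach on the earlier slide. This is an added example written for this page, not code from the webinar or from any of the cited guidance; the account names, passwords, default-credential list and in-memory SQLite database are all constructed for the demonstration.

```python
"""Added example (not from the webinar): SQL injection, password storage and
default credentials, demonstrated against a constructed in-memory SQLite DB."""
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional, Tuple

# Constructed sample accounts for the demonstration only.
SAMPLE_USERS = {"admin": "admin", "caseworker": "Tr0ub4dor&3"}
# Hypothetical list of vendor defaults a deployment check should refuse.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password")]
# Iteration count kept modest so the demo runs quickly; use a higher count in production.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest): PBKDF2-HMAC-SHA256 over a random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time so timing leaks nothing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_db() -> sqlite3.Connection:
    """users_plain stores passwords in clear (the insecure design); users_hashed stores salt + hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE users_hashed (name TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    for name, pw in SAMPLE_USERS.items():
        conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, pw))
        salt, digest = hash_password(pw)
        conn.execute("INSERT INTO users_hashed VALUES (?, ?, ?)", (name, salt, digest))
    conn.commit()
    return conn


def login_insecure(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Vulnerable: user input is spliced into SQL and compared against plaintext.
    A password of  ' OR '1'='1  turns the WHERE clause into  ... OR '1'='1'  and logs in."""
    query = f"SELECT 1 FROM users_plain WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup: the password never reaches the SQL engine and only a
    salted hash is stored, so neither injection nor a table dump yields credentials."""
    row = conn.execute("SELECT salt, digest FROM users_hashed WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return verify_password(password, row[0], row[1])


def default_credentials_in_use(conn: sqlite3.Connection) -> List[str]:
    """Deployment check: names of accounts that still accept a well-known default password."""
    return [name for name, pw in DEFAULT_CREDENTIALS if login_hardened(conn, name, pw)]


if __name__ == "__main__":
    db = build_db()
    print("injection against insecure login:", login_insecure(db, "admin", "' OR '1'='1"))
    print("injection against hardened login:", login_hardened(db, "admin", "' OR '1'='1"))
    print("accounts still on default credentials:", default_credentials_in_use(db))
```

The hardened path still reports that the constructed `admin` account uses a default password; the point of the check is that it belongs in go-live due diligence, not in an incident report five years later.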
Guidance & recommendations: II
International standard – ISO 27001:2013: check the credentials of the certifying company;
check relevance & scope (the ISO 27001 Statement of Applicability lists which controls are in scope)
HMG Security Policy Framework (recently revised)
CESG guidance on cloud security risk management
COBIT Relates to US Sarbanes-Oxley Act
ISAE3402 and SSAE16 (previously SAS70) Auditing process, not a security standard
Potential cost of a breach
Notification to potentially affected individuals, if appropriate
Assistance to potentially affected individuals
Compensation for harm and associated distress
Damage to business (including reputation)
Data restoration
Monetary penalty (up to £500,000)
Principle 8: Transfers abroad
Transfers of data outside the European Economic Area are allowed if:
the jurisdiction it is going to has an acceptable law
the recipient in the USA is signed up to Safe Harbor
a few other options
What else can go wrong?
Loss of service – at their end
Loss of service – at your end
Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
Proprietary formats for data storage
Processes or contract terms which make the supplier a Data Controller in their own right
Unclear ownership/location of data and the equipment it is stored on
Unilateral changes in policy by provider
And finally …
Most countries have laws allowing authorities to access data
US Patriot Act: ostensibly anti-terrorist
  applies to US companies, wherever the data is held
  has also been used in non-terrorist cases
  supplier may not agree (or even be allowed) to inform the customer of access
Include in risk assessment
So what do you need to do?
Get your own house in order
Check the contract (or standard terms and conditions) very carefully on areas like:
security and how it is guaranteed
location of data (especially if it could be outside the EEA)
liability/sub contractors
back-up/access
copyright (e.g. Google)
Use your findings to make and record a risk assessment and get authorisation to proceed
Further information
Information Commissioner
Guidance on cloud computing
Analysis of top eight online security issues
Data Protection and the Cloud
Cloud computing: A practical introduction to the legal issues
Watch out for EU updates on cloud computing and possibly standard contract terms
Resources 1
• Lasa Knowledgebase:
– www.ictknowledgebase.org.uk/dataprotectionactintroduction
– www.ictknowledgebase.org.uk/dataprotectionpolicies
• Cyber Essentials – UK government scheme, two levels
• Information Commissioner’s May 2014 report
• Open Web Application Security Project (OWASP) Top Ten – updated every three years (most recent 2013); more technical
Follow-up questions:
LINKS TO SLIDES AND RECORDING SOON
HELP KEEP THIS SERVICE FREE BY COMPLETING THE EVALUATION
Twitter @LasaICT