data privacy, cloud & purchasing department

DATA PRIVACY &

PURCHASING DEPARTMENT Jacques Folon www.folon.com

Partner Edge Consulting

Maître de conférences Université de Liège Chargé de cours ICHEC Brussels Professeur invité

Université de Lorraine ESC Rennes IACE Tunis

IAM OUagadougou http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/

All presentation and resources are available on WWW.FOLON.COM (cours)

TABLE OF CONTENT1.THE END OF DATA PRIVACY ?

2.A FEW DEFINITIONS

3.DATA ARCHIVING

4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS

5.SECURITY ASPECTS & LIABILITY

6.EMPLOYEES ARE THE WEAKEST LINK

7.DATA PRIVACY AND CLOUD COMPUTING

8.CONCLUSION

http://www.jerichotechnology.com/wp-content/uploads/2012/05/SocialMediaisChangingtheWorld.jpg

4

By giving people the power to share, we're making the world more transparent.

The question isn't, 'What do we want to know about people?', It's, 'What do

people want to tell about themselves?'Data privacy is outdated !

Mark Zuckerberg

If you have something that you don’t want anyone to know, maybe you shouldn’t be

doing it in the first place.

Eric Schmidt

From Big Brother to Big Other

http://fr.slideshare.net/bodyspacesociety/casilli-privacyehess-2012def

Antonio Casili

• Importance of T&C

• Everybody speaks

• mutual surveillance

• Lateral surveillance

geolocalisation

http://upload.wikimedia.org/wikipedia/commons/thumb/9/99/Geolocalisation_GPS_SAT.png/267px-Geolocalisation_GPS_SAT.png

data collection

19

Interactions controlled by citizens in the Information Society

http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm

Interactions NOT controlled by citizens in the Information Society

http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

some definitions

'personal data' shall mean any information relating to an identified or identifiable natural person ('data

subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by

reference to an identification number or to one or more factors specific to his physical, physiological,

mental, economic, cultural or social identity

'processing of personal data' ('processing') shall mean any operation or set of operations which is performed

upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use,

disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking,

erasure or destruction

personal data filing system' ('filing system') shall mean any structured set of personal data which are

accessible according to specific criteria, whether centralized, decentralized or dispersed on a

functional or geographical basis

121

controller shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others

determines the purposes and means of the processing of personal data; where the purposes and means of processing are

determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be

designated by national or Community law;

19

'the data subject's consent' shall mean any freely given specific and informed indication of his

wishes by which the data subject signifies his agreement to

personal data relating to him being processed

20

Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards; (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified; (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.

21

Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or (d) processing is necessary in order to protect the vital interests of the data subject; or (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed

22

Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life

125

Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it: (a) the identity of the controller and of his representative, if any; (b) the purposes of the processing for which the data are intended; (c) any further information such as - the recipients or categories of recipients of the data, - whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply, - the existence of the right of access to and the right to rectify the data concerning him in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject

24

Right of access Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

OPT IN

Coockies


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

international transfer & in particular cloud computing

Importance of data privacy issues for contracts with sub

contractors

Sub-contractor’s choice

129

The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures

33

The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that: - the processor shall act only on instructions from the controller, - the obligations as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

DATA SECURITY IS A KEY ELEMENT IN SUPPLYER’S CONTRACTS

SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-security-2/

Source : https://www.britestream.com/difference.html.

Everything must be transparent

AND YOU NEED TO HAVE THE SYSTEM IN ORDER TO DEFEND YOUR COMPANY IN COURT

Article 16 Confidentiality of processing Any person acting under the authority of the controller or of the processor, including the processor himself, who has access to personal data must not process them except on instructions from the controller, unless he is required to do so by law

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

86

SECURITY IS A LEGAL OBLIGATION


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

What your boss thinks...

Employees share (too) many information and also with third parties

INTERNAL TRAININGS ARE NEEDED IN THE PURCHASING

DEPARTMENT

Where do one steal data?

•Banks•Hospitals•Ministries•Police•Newspapers•Telecoms•...

Which devices are stolen?

•USB •Laptops•Hard disks•Papers•Binders•Cars

63

RESTITUTIONS

154Source de l’image : http://ediscoverytimes.com/?p=46

DATA SECURITY IS REQUESTED BY LAW AND IT IS THE COMPANY’S RESPONSIBILITY

Control by the employer

161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/

SO CALLED HIDDEN COSTS

46http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/

Phishing

Sources/ Luc Pooters, Triforensic, 2011

DATA THEFT

Social engineering

Sources/ Luc Pooters, Triforensic, 2011

May the employer control everything?

Who controls what?

Could my employer open my emails?

169

64

CODE OF CONDUCTS

TELEWORKING

Employer’s control

177http://fr.slideshare.net/olivier/identitenumeriquereseauxsociaux


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

Source: Wikipedia

CLOUD COMPUTING CONTRACTS A SPECIFIC EXAMPLE OF

DATA PRIVACY ISSUES

Five key characteristics,

¢• A service-oriented technology, where consumer concerns are abstracted from provider concerns, and that is ready-to-use SERVICE BASED;

¢• Services scale on-demand to add or remove resources as needed RAPID ELASTICITY AND SCALABILITY;

¢• Services share a pool of resources to build economies of scale SHARED RESOURCES;

¢• Services are tracked with usage metrics to enable the “pay-as-you-go model” PAY PER USE;

¢• Services are delivered through use of Web identifiers, standards, formats and protocols and with an identical access UBIQUITOUS NETWORK ACCESS;

Cloud Computing in France – A model that will transform companies, Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-computing-in-france

3 types of services


Software as a service (SAAS)

○ The service provided makes use of the provider’s applications accessible through a client interface, such as a web browser (ex: Gmail).

○ The consumer doesn’t manage or control the infrastructure, the network, the servers, the operating system, the storage and cannot add specific development (even if there are limited user specific application configuration settings).

○ Offers: Billing, Financials, Legal, Sales, Desktop productivity, Human Resources, Content Management, Backup & Recovery, CRM (Customer Relationship Management), Document Management, Collaboration Tools, Social Networks.


Platform as a service (PAAS)The service provided consists in the deployment of

consumercreated applications on the provider’s infrastructure and the use of programming languages and tools supported by the platform (ex: Java or Python available on Google App Engine).

○ The consumer doesn’t manage or control the infrastructure, the network, the servers, the operating system and the storage but he has control over the deployed applications, and occasionally application hosting environment configurations.

○ Offers: General purpose, Business intelligence, Integration, Development & Testing, Database.


Platform as a Service (PaaS)

Now you don’t need to invest millions of $$$ to get that development foundation ready for your developers. The PaaS provider will deliver the platform on the web, and in most of the cases you can consume the platform using your browser, i.e. no need to download any software. It has definitely empowered small & mid-size companies or even an individual developer to launch their own SaaS leveraging the power of these platform providers, without any initial investment. PaaS Examples Google App Engine and Windows Azure are examples of Cloud OS. OrangesScape & Wolf PaaS are cloud middleware.

http://www.techno-pulse.com/

INFRASTRUCTURE AS A SERVICE (IAAS)

The service provided gives the possibility to rent resources, such as processing, storage or bandwidth, and allows the consumer to deploy and run anysoftware (operating systems and/or applications). The consumer doesn’t manage and control the infrastructure but he controls the operating system, the storage, the deployed applications, and occasionally networking components (firewall, load balancing). Some providers offer to manage the application if the latter is not too specific and is compatible with the perimeter of their offer.

o Offers: Storage, Compute, Services Management.


Infrastructure as a Service (IaaS)This is the base layer of the cloud stack.

It serves as a foundation for the other two layers, for their execution. The keyword behind this stack is Virtualization.

Let us try to understand this using Amazon EC2. In Amazon EC2 (Elastic Compute Cloud) your application will be executed on a virtual computer (instance). You have the choice of virtual computer, where you can select a configuration of CPU, memory & storage that is optimal for your application. The whole cloud infrastructure viz. servers, routers, hardware based load-balancing, firewalls, storage & other network equipments are provided by the IaaS provider. The customer buy these resources as a service on a need basis.

http://www.techno-pulse.com/

Is this just Hosting 2.0?

No, they have different

architectures and business model

Cloud PlayersHosting Players

Only few can afford billions dollar

investment on data centers

Hundreds of them around

the world

Hosting Players

Often yearly

Your contracts

Cloud Players

Pay As You Go

Pay only what you use

Hosting Players

Reliability, High Availability, Capacity Elasticity

Cloud Players

Built-in Redundancy

Virtually unlimited storage, computing power

You have to manage reliability, fail over yourself

Bring your own or rentservers to increase capacity

Who controls what ?

Gouvernance et Sécurité dans le Cloud Computing : Avantages et Défis. Yves LE ROUX

CLOUD AND PRIVACY

SOURCE: http://fr.slideshare.net/ISPABelgium/cloud-computing-legal-issues-3195424?qid=18bb64e0-9210-424a-8a67-1d356af61e27&v=qf1&b=&from_search=1

SOURCE: http://fr.slideshare.net/ISPABelgium/cloud-computing-legal-issues-3195424?qid=18bb64e0-9210-424a-8a67-1d356af61e27&v=qf1&b=&from_search=1

CLOUD COMPUTING CONTRACTS ARE COMPLEX


2.A FEW DEFINITIONS

3.DATA ARCHIVING





8.CONCLUSION

CONCLUSION

DATA PRIVACY IS AN IMPORTANT ISSUE FOR ANY PURCHASING DEPARTMENT BECAUSE IT HAS CONSEQUENCES IN

MANY CONTRACTS AND IN PARTICULAR FOR CLOUD COMPUTING

95

SECURITY ???

87

“It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change.”

C. Darwin

ANY QUESTIONS ?

data privacy, cloud & purchasing department

Education

data archiving

data privacy issues

end of data privacy

identifiable person

information societyhttp

suppliers contracts

legal person

security aspects liability