what all organisations need to know about data protection and cloud computing (part 1) by brian...
TRANSCRIPT
What All Organisations Need to Know About Data Protection and
Cloud Computing
Vicki Bowles and Brian Miller
Stone King LLP
Data Protection: Overview of Obligations
Vicki Bowles, Barrister
Charity and Social Enterprise
DATA PROTECTION
• Language of Data Protection • Notification
• The Data Protection Principles
• Subject Access
Data Protection: Language
• Personal data:
“data which relate to a living individual who can be identified –
a) from those data, or
b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual”
Data Protection: Language
• Processing:
“…means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including –
a) organisation, adaptation or alteration of the information or data,
b) retrieval, consultation or use of the information or data,
c) disclosure of the information or data by transmission, Dissemination or otherwise making available, or
d) alignment, combination, blocking, erasure or destruction of the information or data”
Data Protection: Language
• Sensitive Personal Data:
“…means personal data consisting of information as to –
a) the racial or ethnic origin of the data subject,
b) his political opinions,
c) his religious beliefs or other beliefs of a similar nature,
d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act1992),
e) his physical or mental health or condition,
f) the commission or alleged commission by him of any offence, or
g) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.”
Data Protection: Language
• Data Controller:
“…subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;”
• Data Processor:
“…any person (other than an employee of the data controller) who processes the data on behalf of the data controller;”
Data Protection: Language
• Controller v Processor– Can have more than one controller for the
same information;– Key is control;
Data Protection: Notification
• All controllers required to “notify” (register) with Information Commissioners Office (ICO), unless exempt:– Accounts and records;
– Staff administration;
– Advertising, marketing and PR of business;
– Non-profit membership admin.
• Exemption only applies to registration rather than the whole Act.
Obligations: Principles
• Personal data shall be processed fairly and lawfully, and in particular, shall not be processed unless –
− At least one of the conditions in Schedule 2 is met, and− In the case of sensitive personal data, at least one of the
conditions in Schedule 3 is also met.
Obligations: Principles
• Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
• Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Obligations: Principles
• Personal data shall be accurate, and, where necessary, kept up to date.
• Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
• Personal data shall be processed in accordance with the rights of data subjects under this Act.
Obligations: Principles
• Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Obligations: SAR
• Section 7 entitles a data subject to request:– Whether or not you process their personal data;
– A description of the data held, the purposes for which it is processed, and the recipients or classes or recipient to which disclosed;
– Have communicated to them the data held, and any details of source if known.
Obligations: SAR
• If paper files – only if relevant filing system (the “temp test”).
• Exception where third party personal data is included and no consent.
• Various other exceptions, e.g. negotiations and references.
Case Study
• British Pregnancy Advisory Service– Fine £200,000 from ICO– Website hacked– BPAS didn’t know what was stored on their website
Questions?
ATTRIBUTIONS/CREDITS
1 Some rights reserved by kevin dooley
2 Some rights reserved by StockMonkeys.com
3 Some rights reserved by StockMonkeys.com
4 Some rights reserved by slightly everything
5 Some rights reserved by kenteegardinSome rights reserved by BLW Photography
6 Some rights reserved by mwfearnley
7 Some rights reserved by Adikos
8 Some rights reserved by .faramarz
9 Some rights reserved by NHS Confederation
10 Some rights reserved by slightly everything
I would like to thank and credit the following persons for the photographs provided in some of the slides:
11 Some rights reserved by jovike
12 Some rights reserved by StockMonkeys.com
13 Some rights reserved by deejayres
15 Some rights reserved by jovike
17 Some rights reserved by rodaniel
CLOUD COMPUTING:
An Introduction to the Legal Aspects of Keeping Your Data Safe and Compliant
Brian MillerPartner, IP & ITStone King LLP
1.Is my data safe2.Is my data kept within the territorial
borders permitted by the Data Protection Act
3.What are the legal obligations to my data subjects
Three Things You Need to Know
Cloud computing is the name given to the use of computing resources (hardware and software) that are delivered as a service over a network (typically the Internet).
(Wikipedia)
PUBLIC, PRIVATE OR HYBRID CLOUD?
FACEBOOK’S DATA CENTRE
How Do I Know If My Supplier Has Secured My Data?
Data Protection Act, Seventh Principle (again):
If you outsource storage of data, IT and legal experts must carry out due diligence on:
• Supplier’s systems• Supplier’s terms and conditions
How Do I Know If My Supplier Has Secured My Data? (cont’d)
Obligations are on both:-
The data processor (the cloud provider) The data controller (your organisation)
No due diligence => you could be liable if breach
Personal data accessible by a third party=
Breach of the Data Protection Act
• No guarantees they won’t unless contract says so
• Adequate Encryption by supplier by you if confidential
HOW SECURE IS MY DATA?
Can My Supplier Read My Data?
CRACKEDAND
HACKED
Server Intrusion
•Theft of valuable personal data•Sale of data to others or •Use of data for identity theft
EXAMPLE
Aid to the Church In Need [link]
• Website hacked• Donor’s bank details taken• More than £100K stolen
(2) Who Are You Contracting With?
• May be a number of • providers involved
• sub-contractors must be bound by same standards of– Security– Confidentiality
Main provider needs to carry can for subcontractors
Difficult to trace if insolvent or abroad
Unlikely to have direct contact with them
They are unlikely to have any legal liability to you
(3) Where is My Data?
If data stored or transferred outside EEA, 8th Principle requires adequate security measures to be in place:
• “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Where is My Data (cont’d)?• ICO recommends getting
• list of countries where data is likely to be processed• details of the safeguards in place
• ICO requires DP to sign a data processing agreement:• only to use and disclose personal data in accordance
with your instructions• to take appropriate security measures to protect the
data• to get your consent to transfer the data outside EEA
DATA BREACHES
Consequences of breach:• Fine of up to £500K• Civil actions from data subjects
Data Breach Examples
2012: NHS Trust £325K for a serious data breach
• hard disks with sensitive personal data • ended up on eBay• fine highest issued by ICO
Data Breach Examples
2013: local authority fined £80K by ICO (sensitive personal data: unencrypted memory stick)
If there is a claim, you do not want to be funding it:
Make sure you get some cyberliability insurance!
THREE THINGS TO REMEMBER WHEN PUTTING DATA IN THE CLOUD…
…carry out IT and legal due diligence on your provider to check that:
• your data is kept confidential and secure• not transferred outside of the EEA without
your data subjects’ consent• where it is, data processing agreements are
also in place with any foreign sub-processors
For more information, see Government Papers on
• Cloud Security Guidance• Cloud (Education apps) Software Services and the Dat
a Protection Act• Cloud Security Principles
For further information about cloud computing, please see the following article on Stone King’s website:
•Cloud Computing: What Do I Need to Know?
Brian MillerPartner
IP, IT & CommercialStone King LLP
[email protected] IT Solicitor@theitsolicitor
brianmillersolicitor 0207 324 1523
ATTRIBUTIONS/CREDITS
1 Some rights reserved by francisco.j.gonzalez
2 Some rights reserved by Marsel Minga
3 Some rights reserved by daniel_iversen
5 Some rights reserved by renaissancechambara
7 + 8 Some rights reserved by get directly down
9 Some rights reserved by Simon Cocks
10 + 11 Some rights reserved by devdsp
I would like to thank and credit the following persons for the photographs provided in some of the slides:
ATTRIBUTIONS/CREDITS CONTINUED
12 + 13 Some rights reserved by Gunnar Wrobel
14 + 15 Some rights reserved by Stefan Baudy
16 Some rights reserved by IntelFreePressSome rights reserved by wwarby
17 Some rights reserved by IntelFreePressSome rights reserved by Free the Image
18 Some rights reserved by fsse8infoSome rights reserved by IntelFreePress
19 + 20 Some rights reserved by geezaweezer