Post on 15-Jan-2015
Transcript
#AIIM14
Getting Lost in the Cloud: Privacy Risks and Cloud Computing* *with apologies to Joni Mitchell
Else Khoury, Manager, Information Management Services / Freedom of Information and Privacy Coordinator
Niagara Region @ElseKhoury
It’s All About Me
§ Freedom of Information/Privacy Coordinator
§ Regional Municipality of Niagara
§ Federal, Provincial, Regional, Municipal
§ Public health, planning, public works, seniors care
§ Responsible for privacy compliance BUT no tangible authority, inconsistent compliance measures
§ Shameless fear-mongering: it’s kind of what I do
Thank you, Edward Snowden. You just made my job a lot easier.
Bows and flows of angel hair, ice cream castles in the air
I’ve looked at Cloud that way
§ Flexibility
§ Better reliability
§ Enhanced collaboration
§ Efficiency in deployment
§ Portability
§ Potential cost savings
§ Simpler devices
But now they only block the sun, They rain and snow on everyone
Cloud got in my way
§ Loss of control by customer over technology infrastructure / loss of governance
§ Possible loss of control over location of data
§ Concerns about segregation of data
§ Data retention, destruction
§ Rights to data
§ Data security
§ USA Patriot Act
Caught in the Cloud
Privacy Defined
§ U.S.A.: Protection of liberty, i.e., protection from government
§ Canada: Individual autonomy through personal control of information
Privacy Law in the United States, the EU and Canada: The Allure of the Middle Ground. Avner Levin and Mary Jo Nicholson, 2005
Canadian Privacy Laws
§ Privacy Act (Federal)
§ PIPEDA (Personal Information Protection and Electronic Documents Act)
Ontario:
§ FIPPA (Freedom of Information and Protection of Privacy Act)
§ MFIPPA (Municipal Freedom of Information and Protection of Privacy Act)
§ PHIPA (Personal Health Information Protection Act)
They’ve looked at Cloud from both sides now
Chantal Bernier, Federal Privacy Commissioner
Ann Cavoukian, Information/Privacy Commissioner, Ontario
Jill Clayton, Information/Privacy Commissioner, Alberta
Elizabeth Denham, Information/Privacy Commissioner, British Columbia
From up (federal)
…Canadian government agencies can obtain personal information held in Canada about foreign individuals, just as a foreign government can obtain personal information that may be held in that country about Canadians.
§ Privacy Implications of the USA Patriot Act, 2004
Ontario
…There will always be law enforcement methods and techniques that will access certain types of information here, there and everywhere. What you should concern yourself with is the kind of accountability that you will be able to maintain if your e-mail systems go into the Cloud.
§ Exploring the Future of E-Mail, Privacy and Cloud Computing, Ryerson University, Toronto, 2011 (Ontario)
And down (B.C.)
…personal information, including information in computer logs and on backup tapes or drives, cannot be stored or accessed outside of Canada…it is an offence to store or allow access to personal information outside of Canada unless it is authorized.
§ Cloud Computing Guidelines for Public Bodies, Office of the Information and Privacy Commissioner for British Columbia
Alberta
• Compelling a witness to testify or compelling the production of documents can only be in response to the direction of a court or tribunal in Canada
• Health information can only be disclosed under an order, warrant, or subpoena issued by a court, person or body that has jurisdiction in Alberta
• $500,000 penalty
§ The Freedom of Information and Protection of Privacy Act (FOIP) amendments (2006)
Penalties/Repercussions
§ Mandatory privacy breach reporting in some provinces/sectors
§ Most governments will self-report (to save face)
§ Fines
§ Litigation (class action lawsuits are the new black)
§ Negative media attention
§ Loss of public trust
Accountability
§ Services can be outsourced, but accountability can’t
§ An institution is responsible for the personal (health) information in its custody and control
Operationalizing Accountability
§ Strong contracts:
  § Define confidential information
  § Limit disclosure/movement/exposure
  § Outline vendor’s obligation to abide by legislated requirements of the organization (privacy, security, retention, destruction)
§ Privacy Impact Assessments (PIA)
§ Threat/Risk Assessments (TRAs)
§ privacybydesign.ca
Privacy in the mainstream
Real changes in the marketplace
After Snowden, Privacy Should be Profitable. Ivor Russell, Globe and Mail. August 30, 2013.
And in the law?
When we decided to open our border to trade with the United States, we did so with a free trade agreement. That agreement put in place various legal obligations and a dispute-resolution process. This is how we deal with our interconnected world. If we can do it with goods and services, we can do it with data.
Lisa M. Austin, Heather Black, Michael Geist, Avner Levin, and Ian Kerr, National Post, December 12, 2013
I really don’t know Cloud at all
Bring an Umbrella
else.khoury@outlook.com