
Lasa webinar data protection and the cloud

Date post: 17-Jul-2015
Transcript

Data Protection & The Cloud

We will start the webinar in just a moment…

Webinar Presenters

Miles Maier @LasaICT

Paul Ticher @PaulTicher

www.londoncouncils.gov.uk/grants

London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a website about its grants service. To read about our grants funding and the work of some of the 300 groups we support

Supported by:

• London For All – partnership of LVSC, Lasa, ROTA, WRC and HEAR

• Only pan-London charity tech advice service

• www.lvsc.org/londonforall/

About Lasa

• 30 years in the sector

• Technology leadership, publications, events and consultancy

www.lasa.org.uk

• Welfare Rights

www.rightsnet.org.uk

Webinar Tips

• Ask questions: post questions via chat or raise your virtual hand

• Interact: respond to polls during the webinar

• Focus: avoid multitasking. You may just miss the best part of the presentation

• Webinar PowerPoint & Recording: PowerPoint and recording links will be shared after the webinar

Paul Ticher

• Data Protection expert, author and trainer

• Specialist in information management and systems

• Many charity clients

Twitter: @PaulTicher

Data Protection webinar:

Using cloud services

15th April 2015

This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

Programme

Where are the risks?

Your Data Protection responsibilities

What you should be doing, especially about:

Security

Transfers abroad

Alternative title:

Feel the fear

Do it anyway

(probably)

Cloud computing characteristics

Cheap and flexible, especially for small organisations

Available anywhere there is an internet connection

Suppliers claim good security and service levels

Based on:

Standard offering, usually non-negotiable

Shared facilities, controlled by the supplier

Location of data irrelevant (and may be obscure)

May be layers of sub-contract

Cloud examples

Microsoft 365, Google Apps (office programs)

Huddle, GoToMeeting, Skype (collaboration)

Amazon (storage & processing capacity)

Salesforce (contact management database)

YouTube, Instagram (photo/video storage and sharing)

MailChimp (bulk mailings)

SurveyMonkey (online surveys)

Social networking sites

Data Protection Principles

1. Data ‘processing’ must be ‘fair’ and legal

2. You must limit your use of data to the purpose(s) you obtained it for

3. Data must be adequate, relevant & not excessive

4. Data must be accurate & up to date

5. Data must not be held longer than necessary

6. Data Subjects’ rights must be respected

7. You must have appropriate security

8. Special rules apply to transfers abroad

Ranking the risks

Principle | Risk rank | Comment

1. Fairness; 2. Limited purposes | Low (Medium) | No different from in-house considerations unless the cloud provider also captures personal data for its own purposes

3. Adequacy; 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality

5. Retention | Low | No different from in-house considerations

6. Data subject rights | Medium | Possible minor implications for subject access

7. Security | Very high | Significant additional risks from cloud computing

8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions

Data Controller / Data Processor

“Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.

“Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

Data Processor requirements

A contract, ‘evidenced in writing’, covering at least:

Setting out the relationship and how it will work

Underpinning both parties’ security obligations

Allowing the Data Controller to verify the Data Processor’s security

See also my checklist that includes:

Limitations on transfers abroad and subcontracting

Clear confidentiality obligations on Data Processor

Requirement to inform of any breach

Principle 7: Security

You must take steps to prevent:

Unauthorised access

Accidental loss or damage

Your measures must be appropriate

They must be technical and organisational

You cannot transfer this responsibility to a Data Processor

The standard aims of security:

Confidentiality

Limits on access, depending on need to know

Integrity

No unintended or unauthorised modification

Availability

No accidental loss

There when you need it

Security in the cloud

‘Data in transit’ vs ‘Data at rest’

End-to-end – from the device to the depths of the cloud provider’s system

Additional BYOD risks

Personal vs corporate accounts

Cloud security breaches do occur

British Pregnancy Advisory Service: website ‘contact us’ form

Stored for five years – almost 10,000 records

Admin password not changed from default

Successfully hacked into and personal data stolen

Aberdeen City Council: social worker working from home, with permission

Computer set to synch with cloud storage location

Cloud location not secure – personal data showed up in search

Security when the Data Processor is a cloud provider

Cannot be an afterthought

Don’t just rely on the provider: you have responsibilities too

Negotiated contract: require your supplier to take security precautions – and check that they have done so

Standard terms and conditions: often non-negotiable – due diligence required

Understand what you are checking

Risk cannot be wholly eliminated

Guidance & recommendations: I

Cyber Essentials: UK government scheme – two levels

Information Commissioner’s May 2014 report

Open Web Application Security Project Top Ten: updated every three years (most recent 2013); more technical

Common points

Firewalls & gateways -- Malware protection

Secure configuration (including SSL and TLS)

Access control -- Default credentials

Patch management/Software updates

SQL injection

Unnecessary services

Password storage

Inappropriate locations for processing data

Guidance & recommendations: II

International standard: ISO 27001:2013 – check the credentials of the certifying company; check relevance & scope (ISO 27000 Statement of Applicability)

HMG Security Policy Framework (recently revised)

CESG guidance on cloud security risk management

COBIT: relates to the US Sarbanes-Oxley Act

ISAE3402 and SSAE16 (previously SAS70): auditing process, not a security standard

Potential cost of a breach

Notification to potentially affected individuals, if appropriate

Assistance to potentially affected individuals

Compensation for harm and associated distress

Damage to business (including reputation)

Data restoration

Monetary penalty (up to £500,000)

Principle 8: Transfers abroad

Transfers of data outside the European Economic Area are allowed if:

the jurisdiction it is going to has an acceptable law

the recipient in the USA is signed up to Safe Harbor

a few other options

What else can go wrong?

Loss of service – at their end, or at your end

Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)

Proprietary formats for data storage

Processes or contract terms which make the supplier a Data Controller in their own right

Unclear ownership/location of data and the equipment it is stored on

Unilateral changes in policy by provider

And finally …

Most countries have laws allowing authorities to access data

US Patriot Act ostensibly anti-terrorist

applies to US companies, wherever the data is held

has also been used in non-terrorist cases

supplier may not agree (or even be allowed) to inform customer of access

Include in risk assessment

So what do you need to do?

Get your own house in order

Check the contract (or standard terms and conditions) very carefully on areas like:

security and how it is guaranteed

location of data (especially if it could be outside the EEA)

liability/sub contractors

back-up/access

copyright (e.g. Google)

Use your findings to make and record a risk assessment and get authorisation to proceed

Further information

Information Commissioner

Guidance on cloud computing

Analysis of top eight online security issues

Data Protection and the Cloud

Cloud computing: A practical introduction to the legal issues

Watch out for EU updates on cloud computing and possibly standard contract terms

Resources 1

• Lasa Knowledgebase:

– www.ictknowledgebase.org.uk/dataprotectionactintroduction

– www.ictknowledgebase.org.uk/dataprotectionpolicies

• Cyber Essentials

– UK government scheme – two levels

• Information Commissioner’s May 2014 report

• Open Web Application Security Project Top Ten

– Updated every three years (most recent 2013)

– More technical

Follow-up questions:

[email protected]

LINKS TO SLIDES AND RECORDING SOON

HELP KEEP THIS SERVICE FREE BY COMPLETING THE EVALUATION

Twitter @LasaICT
