Data Protection webinar: Using cloud services 4th June 2014 Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep.

1 Data Protection webinar: Using cloud services 4th June 2014
Welcome. We’re just making the last few preparations for the webinar to start at 11.00. Keep your speakers or headphones turned on and you will shortly hear a voice!

2 Please note:
- If you want to make the links and animations in this presentation work, you need to Show it as a slideshow (press F5)
- If you can see this slide, you are not in Show mode and the links and animations won’t work

3 This presentation is intended to help you understand aspects of the Data Protection Act 1998 and related legislation. It is not intended to provide detailed advice on specific points, and is not necessarily a full statement of the law.

4 Programme
- Your Data Protection responsibilities
- Where are the risks?
- What you should be doing
  - Security
  - Transfers abroad
  - Transparency and choice

5 Alternative title:
Feel the fear
Do it anyway (probably)

6 Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s) you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad

7 Data Controller / Data Processor
- “Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
- “Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.

8 Personal data
The Act applies to information that is ‘personal’ and ‘data’.
The personal part means that it is about: identifiable, living individuals.
The data part means that it is recorded:
- on an electronic or other automated system
- (in some cases on paper or other manual systems)

9 The cloud relationship
[Diagram: the Data Controller (your organisation) passes data to the cloud provider (Data Processor); the cloud provider does the task for the Data Controller’s purposes and passes the results back.]

10 Data Processor requirements
A contract, ‘evidenced in writing’
- Setting out the relationship and how it will work
- Underpinning both parties’ security obligations
- Allowing the Data Controller to verify the Data Processor’s security
- Ideally providing indemnity against any costs resulting from the Data Processor’s failure to deliver
See checklist

11 Cloud examples
- Microsoft 365, Google Apps (office programs)
- Huddle, GoToMeeting, Skype (collaboration)
- Amazon (storage & processing capacity)
- Salesforce (contact management database)
- YouTube, Instagram (photo/video storage and sharing)
- MailChimp (bulk mailings)
- SurveyMonkey (online surveys)
- Social networking sites

12 Cloud computing characteristics
- Cheap and flexible, especially for small organisations
- Available anywhere there is an internet connection
- Suppliers claim good security and service levels
- Based on:
  - Standard offering, usually non-negotiable
  - Shared facilities, controlled by the supplier
  - Location of data irrelevant (and may be obscure)
  - May be layers of sub-contract

13 Principle 7: Security
- You must take steps to prevent:
  - Unauthorised access
  - Accidental loss or damage
- Your measures must be appropriate
- They must be technical and organisational
- You cannot transfer this responsibility to a Data Processor

14 Cloud security breaches do occur
- British Pregnancy Advisory Service
  - Website ‘contact us’ form
  - Stored for five years – almost 10,000 records
  - Admin password not changed from default
  - Successfully hacked into and personal data stolen
- Aberdeen City Council
  - Social worker working from home, with permission
  - Computer set to synch with cloud storage location
  - Cloud location not secure – personal data showed up in search

15 Security when the Data Processor is a cloud provider
- Instruct your supplier to take security precautions – and check that they have done so
- Standard terms and conditions often non-negotiable – due diligence required
- Understand what you are checking
- International standards
- ISO 27000 series (from British Standards Institute)
  - self-assessed less reliable than certified
  - check credentials of certifying company
  - relevance & scope (ISO 27000 Statement of Applicability)
- HMG Security Policy Framework (recently revised)
- SAS70 (US) – auditing process, not security

16 Potential cost of a breach
- Notification to potentially affected individuals, if appropriate
- Assistance to potentially affected individuals
- Compensation for harm and associated distress
- Damage to business (including reputation)
- Data restoration
- Monetary penalty (up to £500,000)

18 Principle 8: Transfers abroad
- Transfers of data outside the European Economic Area are allowed if:
  - the jurisdiction it is going to has an acceptable law
  - the recipient in the USA is signed up to Safe Harbor
  - a few other options

19 Acceptable countries
- European Economic Area, by definition:
  - EU – all 28 countries
  - Iceland, Liechtenstein, Norway
- Equivalent laws, if approved:
  - Andorra, Argentina, Australia, Canada, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay

20 Safe harbor
- Optional scheme agreed by US to placate EU
- Basically a fig-leaf
- US companies sign up voluntarily to EU practices
- Flimsy: self assessed and largely self-policed
- Can be expensive for individual to complain
- Only covers data types that are subject to FTC or DoT oversight – not HR, for example
- Little understanding of Data Processor issue (examples) therefore questionably safe to rely on

21 Safe Harbor examples
- Amazon’s cloud service
- Amazon’s Safe Harbor entry
- Salesforce

22 Other options
- Contract – but must be EU authorised:
  - Gives rights to Data Subjects as well as Data Controller
  - Doesn’t clearly address onward transfers
  - Doesn’t prevent onward transfer to another country
- Self-assessment
  - UK law only, not EU
  - Data Controller adopts all the risk
- Consent (but what if they don’t agree?)

23 What else can go wrong?
- Loss of service
  - at their end
  - at your end
- Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
- Contract terms which make the supplier a Data Controller in their own right
- Unclear ownership/location of data and the equipment it is stored on
- Unilateral changes in policy by provider

24 Principle 1: Transparency & choice
- Transparency: tell people if the data is going abroad & where
  - but not who to if you are using a Data Processor (because there is technically no disclosure)
- Choice: probably unwise, but then you must meet 6th Schedule 2 Condition (legitimate interests)
- Sensitive data: not generally enforced, but possible question of consent

25 Schedule 2 (Fair processing)
1. With consent of the Data Subject (“specific, informed and freely given”)
2. For a contract involving the Data Subject
3. To meet a legal obligation
4. To protect the Subject’s ‘vital interests’
5. Government functions
6. In your ‘legitimate interests’ provided the Data Subject’s interests are respected

26 And finally …
- Most countries have laws allowing authorities to access data
- US Patriot Act ostensibly anti-terrorist
  - has also been used in non-terrorist cases
  - supplier may not agree (or even be allowed) to inform customer of access
- Include in risk assessment

27 So what do you need to do?
- Check the contract (or standard terms and conditions) very carefully on areas like:
  - security
  - location of data (especially if it could be outside the EEA)
  - liability/sub contractors
  - back-up/access
  - copyright (e.g. Google)
- Use your findings to make and record a risk assessment and get authorisation to proceed
- Be transparent with your Data Subjects

28 Further information
- Information Commissioner
- Guidance on cloud computing
- Analysis of top eight online security issues
- Cloud computing: A practical introduction to the legal issues
- Watch out for EU updates on cloud computing and possibly standard contract terms

29 Many thanks
To come by e-mail:
* Link to evaluation questionnaire
* Link to download the presentation and other materials, after you have completed the questionnaire
Follow-up questions: paul@paulticher.com

