Generalny Inspektor Ochrony Danych Osobowych ul. Stawki 2, 00-193 Warszawa Belgrade, April 10-12th, 2013 PRIVACY.


1

2 Generalny Inspektor Ochrony Danych Osobowych ul. Stawki 2, Warszawa Belgrade, April 10-12th, 2013 PRIVACY IMPACT ASSESSMENT IN E-GOVERNMENTAL CLOUD SERVICES WOJCIECH WIEWIÓROWSKI PhD Inspector General for Personal Data Protection, Poland Laboratory of Legal Informatics, Faculty of Law and Administration, University of Gdansk 15th Meeting of Central Eastern Europe Data Protection Authorities (CEEDPA) Belgrade, April 10-12th, 2012

3 © M. Narojek for GIODO 2011

4 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data Recognising that it is necessary to reconcile the fundamental values of the respect for privacy and the free flow of information between peoples Article 1 – Object and purpose The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him ("data protection"). PRIVACY AND DATA PROTECTION

5 Treaty on The Functioning Of The European Union Article 16 (ex Article 286 TEC) 1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union. PRIVACY AND DATA PROTECTION

6 COPERNICAN REVOLUTION?

7 COM(2012) 11/4 draft Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) KEY ISSUES FOR THE EUROPEAN DEBATE

8 COM(2012) 10 final 2012/0010 (COD) Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data KEY ISSUES FOR THE EUROPEAN DEBATE

9 KEY ISSUES FOR THE EUROPEAN DEBATE

10 Privacy by design Privacy impact assessments KEY ISSUES FOR THE EUROPEAN DEBATE

11 PRIVACY BY DESIGN Privacy by Design Resolution October 2010, Jerusalem, Israel 32nd International Conference of Data Protection and Privacy Commissioners Privacy by Design: The 7 Foundational Principles 1. Proactive not Reactive; Preventative not Remedial 2. Privacy as the Default Setting 3. Privacy Embedded into Design 4. Full Functionality: Positive-Sum, not Zero-Sum 5. End-to-End Security — Full Lifecycle Protection 6. Visibility and Transparency — Keep it Open 7. Respect for User Privacy — Keep it User-Centric

12 PRIVACY IMPACT ASSESSMENT A Privacy Impact Assessment (PIA) is a process whereby a conscious and systematic effort is made to assess the privacy and data protection impacts of specific actions with the view of taking appropriate actions to prevent or at least minimise those impacts. A PIA Report is the document resulting from the PIA Process that is made available to competent authorities. Proprietary and security sensitive information may be removed from PIA Reports before the Reports are provided externally (e.g., to the competent authorities) as long as the information is not specifically pertinent to privacy and data protection implications. The manner in which the PIA should be made available (e.g., upon request or not) will be determined by member states. In particular, the use of special categories of data may be taken into account, as well as other factors such as the presence of a data protection officer. PIA Templates may be developed based on the Framework to provide industry-based, application-based, or other specific formats for PIAs and resulting PIA Reports.

13 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE (70) Directive 95/46/EC provided for a general obligation to notify processing of personal data to the supervisory authorities. While this obligation produces administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Therefore such indiscriminate general notification obligation should be abolished, and replaced by effective procedures and mechanism which focus instead on those processing operations which are likely to present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes. In such cases, a data protection impact assessment should be carried out by the controller or processor prior to the processing, which should include in particular the envisaged measures, safeguards and mechanisms for ensuring the protection of personal data and for demonstrating the compliance with this Regulation. (71) This should in particular apply to newly established large scale filing systems, which aim at processing a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects.

14 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE (72) There are circumstances under which it may be sensible and economic that the subject of a data protection impact assessment should be broader than a single project, for example where public authorities or bodies intend to establish a common application or processing platform or where several controllers plan to introduce a common application or processing environment across an industry sector or segment or for a widely used horizontal activity. (73) Data protection impact assessments should be carried out by a public authority or public body if such an assessment has not already been made in the context of the adoption of the national law on which the performance of the tasks of the public authority or public body is based and which regulates the specific processing operation or set of operations in question.

15 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - PREAMBLE (74) Where a data protection impact assessment indicates that processing operations involve a high degree of specific risks to the rights and freedoms of data subjects, such as excluding individuals from their right, or by the use of specific new technologies, the supervisory authority should be consulted, prior to the start of operations, on a risky processing which might not be in compliance with this Regulation, and to make proposals to remedy such situation. Such consultation should equally take place in the course of the preparation either of a measure by the national parliament or of a measure based on such legislative measure which defines the nature of the processing and lays down appropriate safeguards.

16 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3 SECTION 3 - DATA PROTECTION IMPACT ASSESSMENT AND PRIOR AUTHORISATION Article 33 Data protection impact assessment 1. Where processing operations present specific risks to the rights and freedoms of data subjects by virtue of their nature, their scope or their purposes, the controller or the processor acting on the controller's behalf shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. 2. The following processing operations in particular present specific risks referred to in paragraph 1: (a) a systematic and extensive evaluation of personal aspects relating to a natural person or for analysing or predicting in particular the natural person's economic situation, location, health, personal preferences, reliability or behaviour, which is based on automated processing and on which measures are based that produce legal effects concerning the individual or significantly affect the individual; (b) information on sex life, health, race and ethnic origin or for the provision of health care, epidemiological researches, or surveys of mental or infectious diseases, where the data are processed for taking measures or decisions regarding specific individuals on a large scale;

17 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3 Article 33 (…) (c) monitoring publicly accessible areas, especially when using optic-electronic devices (video surveillance) on a large scale; (d) personal data in large scale filing systems on children, genetic data or biometric data; (e) other processing operations for which the consultation of the supervisory authority is required pursuant to point (b) of Article 34(2). 3. The assessment shall contain at least a general description of the envisaged processing operations, an assessment of the risks to the rights and freedoms of data subjects, the measures envisaged to address the risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation, taking into account the rights and legitimate interests of data subjects and other persons concerned. 4. The controller shall seek the views of data subjects or their representatives on the intended processing, without prejudice to the protection of commercial or public interests or the security of the processing operations.

18 PRIVACY IMPACT ASSESSMENT IN DRAFT REGULATION - SECTION 3 Article 33 (…) 5. Where the controller is a public authority or body and where the processing results from a legal obligation pursuant to point (c) of Article 6(1) providing for rules and procedures pertaining to the processing operations and regulated by Union law, paragraphs 1 to 4 shall not apply, unless Member States deem it necessary to carry out such assessment prior to the processing activities. 6. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying the criteria and conditions for the processing operations likely to present specific risks referred to in paragraphs 1 and 2 and the requirements for the assessment referred to in paragraph 3, including conditions for scalability, verification and auditability. In doing so, the Commission shall consider specific measures for micro, small and medium-sized enterprises. 7. The Commission may specify standards and procedures for carrying out and verifying and auditing the assessment referred to in paragraph 3. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

19 © M. Narojek for GIODO 2011

20 CLOUD COMPUTING National Institute of Standards and Technology (NIST) defines cloud computing: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.” National Institute of Standards and Technology (NIST), Special Publication , The NIST Definition of Cloud Computing, September 2011, Page 3.

21 CLOUD COMPUTING National Institute of Standards and Technology (NIST) defines cloud computing: Cloud computing is an ICT sourcing and delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. [It is NOT a new technology.] P. Mell, T. Grance: The NIST Definition of Cloud Computing (Draft) Recommendations of the National Institute of Standards and Technology, Computer Security Division Information Technology Laboratory National Institute of Standards and Technology, January 2011

22 CLOUD COMPUTING - MODELS IaaS – a service that provides basic computer networking, load balancing, content delivery networks, routing, commodity data storage, and virtualized operating system hosting. PaaS – a service that provides a platform in which to develop software applications, usually web based, with immediate abstractions of the underlying infrastructure. SaaS – a service that provides a software solution to the system clients. The software may be internal to a business, delivered by other means, or most commonly delivered over the Internet.

23 CLOUD COMPUTING - MODELS BaaS – Business as a Service; CaaS – Communications as a Service; DaaS – Data as a Service – e.g. The Google® Geocoding API™; E …

24 CLOUD COMPUTING - MODELS Source: Wikipedia

25 MAIN CONCERNS a. there is not yet international agreement on common terminology; b. the development of the technology is still in progress; c. enormous amounts of data are being accumulated and concentrated; d. the technology is boundless and transboundary; e. data processing has become global; f. transparency is lacking with respect to cloud service provider processes, procedures and practices, including whether or not cloud service providers sub-contract any of the processing and if so, what their respective processes, procedures and practices are;

26 MAIN CONCERNS g. this lack of transparency makes it difficult to conduct a proper risk assessment; h. this lack of transparency also makes it more difficult to enforce rules regarding data protection; i. cloud service providers are under great pressure to quickly capitalise significant investment costs; j. cloud customers are under increasing pressure to reduce costs, including those of their data processing, in part accelerated due to the global financial crisis; and k. to keep low prices cloud service providers are more likely to offer standard terms and conditions.

27 EUROPEAN COMMISSION & CLOUD COMPUTING Brussels, COM(2012) 529 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS Unleashing the Potential of Cloud Computing in Europe (Text with EEA relevance) {SWD(2012) 271 final}

28 EUROPEAN COMMISSION & CLOUD COMPUTING (1) Key Action 1: Cutting through the Jungle of Standards (2) Key Action 2: Safe and Fair Contract Terms and Conditions (3) Key Action 3: Establishing a European Cloud Partnership to drive innovation and growth from the public sector.

29 RISK ANALYSIS AND MANAGEMENT: Examples Council CIO, Proposed Security Assessment & Authorization for U.S. Government Cloud Computing. Draft version 0.96, US CIO, November 2010

30 RISK ANALYSIS AND MANAGEMENT: Examples D. Catteddu, G. Hogben, Cloud Computing. Benefits, risks and recommendations for information security, European Network and Information Security Agency (ENISA), November 2009

31 RISK ANALYSIS AND MANAGEMENT: Examples Giles Hogben, Marnix Dekker: Procure Secure: A guide to monitoring of security service levels in cloud contracts ENISA, April 02, 2012 A practical guide aimed at the procurement and governance of cloud services.

32 RISK ANALYSIS AND MANAGEMENT: Examples Creating Effective Cloud Computing Contracts for the Federal Government Best Practices for Acquiring IT as a Service, US CIO Council, Chief Acquisition Officers Council, Federal Cloud Computing Committee, Washington DC, February 2012

33 RISK ANALYSIS AND MANAGEMENT: Examples Council CIO, Proposed Security Assessment & Authorization for U.S. Government Cloud Computing. Draft version 0.96, US CIO, November 2010

34 RISK ANALYSIS AND MANAGEMENT: Examples Department of Finance and Deregulation: Cloud Computing Strategic Direction Paper. Opportunities and applicability for use by the Australian Government, Australian Government, April 2011

35 RISK ANALYSIS AND MANAGEMENT: Examples J.Budszus, H.-W.Heibey, R. Hillenbrand-Beck, S.Polenz, M.Seifert, M.Thiermann: Orientierungshilfe – Cloud Computing. Version 1.0, Arbeitskreise Technik und Medien der Konferenz der Datenschutzbeauftragten des Bundes und der Länder September 2011

36 RISK ANALYSIS AND MANAGEMENT: Examples D. Bigo, G. Boulet, C. Bowden, S. Carrera, J. Jeandesboz, A. Scherrer, Fighting cyber crime and protecting privacy in the cloud. Study, European Parliament, Brussels, November 2012

37 RISK ANALYSIS AND MANAGEMENT: Examples Information Commissioners' Office, Guidance on the use of cloud computing. Version: 1.1, Wilmslow October 2012.

38 RISK ANALYSIS AND MANAGEMENT: Examples Information Technology Reform. Progress Made but Future Cloud Computing Efforts Should be Better Planned. Report to the Subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security, Committee on Homeland Security and Governmental Affairs United States Senate, GAO , United States Government Accountability Office, July 2012

39 SOPOT MEMORANDUM “Sopot Memorandum” - Working Paper on Cloud Computing - Privacy and data protection issues International Working Group on Data Protection in Telecommunications, April 2012

40 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" I Cloud customers shall be able to solely manage the data they transferred into the cloud. Such data shall be used only for the purposes of the customer. Based on: Information Law Group LLP: Cloud Customers’ Bill of Rights, 2010, electronic document at: -- Cloud Customers’ Bill of Rights -- Parchment _pocket-sized_(1).pdf V.J.R.Winkler: Securing the Cloud. Cloud Computer Security Techniques and Tactics, Elsevier Inc. 2011, p B. Segalis: Cloud Computing Legal Risk and Liability, Information law group, Oct. 20th, 2011, slides 24-30

41 PRIVACY IMPACT ASSESSMENTS FOR E-GOVERNMENT Examples Sample System Privacy Impact Assessments Samples of U.S. Department of Health and Human Services privacy impact assessments for systems that collect personally identifiable information: Administration for Children and Families Privacy Impact Assessments (PDF - 170KB); Agency for Healthcare Research and Quality Privacy Impact Assessments (PDF - 460KB); Administration on Aging Privacy Impact Assessments (PDF - 25KB); Centers for Disease Control & Prevention Privacy Impact Assessments (PDF MB); Centers for Medicare & Medicaid Services Privacy Impact Assessments (PDF MB); Food & Drug Administration Privacy Impact Assessments (PDF - 896KB); Health Resources & Services Administration Privacy Impact Assessments (PDF - 580KB); Indian Health Service Privacy Impact Assessments (PDF - 82KB); National Institutes of Health Privacy Impact Assessments (PDF MB); Office of the Inspector General Privacy Impact Assessments (PDF - 117KB); Office of the Secretary Privacy Impact Assessments (PDF MB); Substance Abuse and Mental Health Services Administration Privacy Impact Assessments (PDF - 166KB)

42 PRIVACY IMPACT ASSESSMENT

43 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example 1. Has your agency established a policy or procedure for deciding when it will be appropriate to use cloud computing services? Does the policy or procedure address the following? Will the proposal involve the storage or processing of personal information? If so, is an assessment of the ability of a cloud solution to provide adequate protection to the personal information required? If sensitive personal information is involved, what extra measures might be required? What type of cloud service provider will be appropriate? (e.g. private, public or community) 2. Has your agency decided what it will use cloud service infrastructure for? Just storing; just processing; both storing and processing. 3. Has your agency developed a contract with the cloud service provider that is consistent with (…) the Privacy Act? How will your agency ensure that the contract’s requirements are being met?

44 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example 4. Has your agency considered what specific terms should be included in the contract to complement the general requirement under s 95B to adhere to the Information Privacy Principles? Some specific matters that could be addressed in the contract include requirements relating to: data breach notification; the location of information; access to information by agency staff; audits. 5. If personal information is to be disclosed to a cloud service provider, has your agency determined how that disclosure will be authorised? Express permission from individuals; individuals are notified in privacy notice/terms and conditions; by legislative provisions.

45 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example 6. If you are intending to use an off-shore cloud service provider, do you know where their head office is located? What are the privacy implications? 7. Does your agency know where the data will be stored; keeping in mind the possibility it may be across different countries or continents? What are the Privacy implications? 8. Keeping in mind privacy law reform, has your agency determined that there is data protection or privacy legislation in place in relevant foreign jurisdictions that, at a minimum, meets the requirements in the Privacy Act? Is the relevant law enforceable? 9. Has your agency determined how the personal information will be kept separate from other organisations’ data housed in the cloud service provider’s infrastructure? 10. Has your agency determined how employees of the cloud service provider will be prevented from unauthorised access to the data? Has your agency decided how it will control a cloud service provider passing personal information onto unauthorised third party organisations or using it for purposes other than those it was originally collected for?

46 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example 11. Has your agency determined how it will monitor the cloud service provider’s use and management of the agency’s information? 12. Has your agency determined the controls (for example, encryption) that will be in place to ensure the security of personal information as it travels between here and possible overseas cloud data storage location? 13. If an Australian citizen requests access or alteration to their personal information, has your agency put in place appropriate controls so that all copies can be retrieved and amended easily? Has your agency put in place arrangements to ensure that where an individual requests an amendment to their personal information and this request is not agreed to, it will be possible to attach a statement provided by the individual regarding the requested amendment to the record?

47 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – Australian example 14. Has your agency ensured that the cloud service provider will hold the personal information only as long as your agency needs it? Has your agency specified how the cloud service provider will manage their backup regime? Has your agency specified how personal information that is no longer needed is to be destroyed or de-identified? 15. Has your agency determined what happens at the conclusion of the contract with the cloud service provider? Will information be able to be retrieved or destroyed (including all backups where appropriate) in compliance with the Privacy Act and associated legislation?

48 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example Creating Effective Cloud Computing Contracts for the Federal Government Best Practices for Acquiring IT as a Service, US CIO Council, Chief Acquisition Officers Council, Federal Cloud Computing Committee, Washington, February 2012

49 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example General Questions 1. Who is actively involved in negotiating and reviewing the agency’s contract and ancillary Service Level Agreement for cloud services? a. Contracting Officer/Procurement? Chief Information Officer? General Counsel? FOIA staff? Records Officer? Privacy Officer? E-Discovery Counsel? Cybersecurity personnel? b. What is the process for developing the agency’s needs criteria and evaluating the cloud provider proposal and post-award performance? 2. Are the unique operational aspects of the cloud computing environment addressed in the acquisition plan required by FAR Part 7? In particular, in terms of the written acquisition plan format described in FAR Section 7.105, how are technical, schedule and cost risks addressed, and has any test and evaluation program and Government Furnished Information (GFI) to be considered?

50 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example General Questions 3. Based on market research conducted in accordance with FAR Part 10, does the acquisition plan contemplate use of a system integrator in addition to a Cloud Service Provider (CSP)? Will the CSP be a subcontractor to the system integrator, or will the CSP have a direct contractual relationship with the agency? 4. Is there a clear statement in the contract for cloud services that all data is owned by the agency? 5. Can the cloud provider access or use the agency’s information in the cloud? 6. How is the agency’s data handled both at rest and in motion in the cloud? 7. Who has access to the agency’s data, both in its live and backup state?

51 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example General Questions 8. In the cloud, what geographic boundaries apply to data at rest and what boundaries are traversed by data in motion? 9. Where are the cloud servers that will store agency data physically located? Can the provider certify where the data is located at any one point in time? 10. How will the cloud provider meet regulatory compliance requirements applicable to the USG, [including but not limited to the Privacy Act, the Federal Information Management and Security Act (FISMA), the Paperwork Reduction Act, the Federal Records Act, the Freedom of Information Act (FOIA), the Trade Secrets Act and related guidance and authorities]?

52 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example 11. What is the potential termination liability that would result from application of the contract clauses associated with FAR Part 49 Termination of Contracts? 12. How is the migration of agency data upon contract termination or completion addressed? 13. How is agency data destroyed? (e.g. upon request? Periodically?) a. Methodology used? (e.g. remove data pointer or overwritten in accordance with USG security standards) b. How does the cloud provider segregate data? If encryption schemes are used have the design of those schemes been tested for efficacy? 14. If the cloud provider or reseller agreement incorporates “URLs” into the terms, which policies and terms are being incorporated into the agreement? (URLs are not static and change over time) a. What notice is provided to the agency if URLs/policies change? Remedies for agency if new policies or URLs are not acceptable?

53 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example 15. What remedies are being agreed to for breach or violations of the agreement? Litigation? Mediation? Waiver of right to sue? a. Are choice of law and jurisdiction provisions in the agreement appropriate? (e.g. has the agency unknowingly subjected itself and USG to the jurisdiction of a state or foreign court) 16. Is the agency indemnifying the cloud provider in violation of the Anti-Deficiency Act? a. What rights is the agency waiving, if any? b. What limitations of liability, whether direct or indirect, is the agency granting? c. How does the Force Majeure clause deal with the action of Federal agencies other than the customer agency? 17. Can the agency manage content in the cloud with its own tools or only through contractor resources? 18. How are upgrades and maintenance (hardware and software) handled? (e.g. who conducts these activities? How often? And how is the USG advised of findings?)

54 PRIVACY IMPACT ASSESSMENT FOR E-GOVERNMENT – American example 19. How are asset availability, compatibility, software updates and hardware refreshes addressed? a. What does the agreement say about estimated outage time the cloud provider foresees for standard hardware and software updates and the cloud provider’s estimated response time should an emergency take the system off line? 20. What responsibility does the cloud provider have for assuring proper patching and versioning control? a. What language is in the agreement specifically requiring the cloud provider to take on this responsibility? 21. Is there a discussion of how the cloud provider will continue to maintain or otherwise support the agency’s data in a designated format to ensure that the data remains accessible/readable over the life of the data?

55 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" I Cloud customers shall be able to solely manage the data they transferred into the cloud. Such data shall be used only for the purposes of the customer. Based on: Information Law Group LLP: Cloud Customers’ Bill of Rights, 2010, electronic document at: -- Cloud Customers’ Bill of Rights -- Parchment _pocket-sized_(1).pdf V.J.R.Winkler: Securing the Cloud. Cloud Computer Security Techniques and Tactics, Elsevier Inc. 2011, p B. Segalis: Cloud Computing Legal Risk and Liability, Information law group, Oct. 20th, 2011, slides 24-30

56 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" II Cloud providers shall provide full information and access to documentation concerning their security policies and measures, including the ability for cloud customers to conduct periodic security assessments.

57 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" III Cloud providers shall inform the client of the physical location of the servers that will be processing their cloud data.

58 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" IV Cloud providers shall inform the client of any subpoena or other legal process seeking their data, and shall assist and cooperate with their customers in responding to such legal process.

59 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" V Cloud providers shall reveal their data search, retention and destruction practices to their cloud customers. Data search, retention and destruction capabilities (including relevant metadata) shall be accessible to the customer.

60 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" VI Cloud providers shall provide cloud customers with information on all third parties which will be able to access the customer’s data.

61 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" VII Cloud providers shall conduct reasonable due diligence and security assessments of subcontractors or other third parties that will have access to customers’ data or systems.

62 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" VIII Cloud providers shall provide prompt notice of any security breach and shall coordinate, cooperate and assist their customers with the investigation, containment and mitigation of the breach.

63 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" IX Only an open discussion on indemnification and limitation of liability may serve the interests of cloud providers, cloud users and data subjects.

64 "THE DECALOGUE OF CLEVER A(DMINISTRATION) IN CONTACTS WITH B(USINESS) ON C(LOUDS)" X Do not allow the vendor lock-in syndrome.

65 MOTTO FOR LAWYERS DEALING WITH CLOUD COMPUTING

66 THANKS FOR YOUR ATTENTION

