Keeping on top of the Cloud - Compliance from a Regulator’s Perspective Henry Chang, IT Advisor Office of the Privacy Commissioner for Personal Data, Hong Kong 6 July 2013 Up in the Cloud: Conference on Legal and Privacy Challenges in Cloud Computing

2 Bottom lines
1. Data users are responsible for the protection of personal data entrusted to them;
2. Outsourcing of data processing does not mean outsourcing of legal liability.

3 Guiding principles of data protection
1. Informed consent
2. Protection
3. Transparency

4 Data flow and data protection principles (DPPs)
(Diagram) Personal data flow: Collection → Storage, use or processing (IT system) → Retention/erasure, with the six DPPs mapped onto the stages:
DPP 1 – Collection
DPP 2 – Accuracy and retention
DPP 3 – Use
DPP 4 – Security
DPP 5 – Transparency
DPP 6 – Rights of access and correction

5 The heat map of cloud
(Heat map) Types of cloud: private cloud (dedicated) and public cloud (shared). Types of users: consumers, SMEs and enterprises. One region of the map is marked "Most vulnerable".

6 For Consumers

7 Attractive/free consumer solutions…
1. Uncertainty on whether data protection laws apply
2. Terms often favour service providers
3. There is no free lunch – where is the hidden cost?
4. Ultimate victims of any data breach are consumers
5. Assess risks before using cloud services
6. Consider encrypting data before uploading

8 For Businesses

9 Important issues that are not specific to clouds
1. Technical safeguards – identity management and authentication
2. Proper exit plan, data erasure and data portability
3. Use by contractors that does not match the original purposes
4. Formal data breach notification arrangement

10 Cloud characteristics
1. Rapid transborder data flow
2. Loose outsourcing arrangements
3. Standard services and contracts

11 Rapid transborder data flow
1. Does the law allow it?
2. Comparable data protection laws
   – Who can tell where the data are?
   – How could data user obligations be fulfilled?
   – Can data flow be limited to a few "white list" jurisdictions?
3. Potential access by foreign LEAs

12 Loose outsourcing arrangement
1. Lack of controls/relationship
   – No guarantee of controls downstream
   – No contractual remedies
2. Uncertain privacy rules, culture and training
   – Are outsourcers subject to privacy law in their jurisdictions?
   – Are they accustomed to privacy laws?
   – Can they be sanctioned?
3. Where does the loyalty lie?

13 Standard services and contracts
1. If standard services do not meet the data protection requirements, can the cloud provider customise?
2. If customisation is offered, how can cloud customers be sure that the extra measures are in place?

14 Views from data protection authorities
1. Hong Kong PCPD –
2. The Article 29 Working Party –
3. Office of the Privacy Commissioner, Canada –
4. Dutch DPA –
5. French DPA (CNIL) – vices.pdf
6. Office of the Privacy Commissioner, New Zealand – pdf
7. UK Information Commissioner's Office – _computing_guidance_for_organisations.ashx
8. International Working Group on Data Protection in Telecommunications –

Thank You