Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop.

Slides:

Advertisements

Similar presentations

Privacy by Design: Big Privacy for Big Data

Advertisements

Office of the Information and Privacy Commissioner, Ontario, Canada

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

Tunis, Tunisia, June 2012 Privacy in Cloud Computing Vijay Mauree, Programme Coordinator, TSB, ITU ITU Workshop on Cloud Computing.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

SEMINAR NAIC/ASSAL/SVS REGULATION & SUPERVISION OF MARKET CONDUCT © 2014 National Association of Insurance Commissioners Overview and Purpose of Market.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

1 Opening the Door: Access to Government Information A primer for Media Students Mohawk College Sept. 18, 2002 Bob Spence Communications Co-ordinator Office.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

Securing North America’s Power Grid Dr. Ann Cavoukian, Ontario information and privacy commissioner Mark Fabro CISSP, CISM, President and Chief Security.

Complying with Privacy to Enable Innovation & Research

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

Security Controls – What Works

Code of Conduct for Mobile Money Providers 6 November 2014 All material © GSMA The policy advocacy and regulatory work of the GSMA Mobile Money team.

IETF Plenary Monday 25 July 2011 Quebec City, Canada Privacy: A Regulator’s Perspective Fred Carter Senior Policy & Technology Advisor IPC/O.

Taking Steps to Protect Privacy A presentation to Hamilton-area Physiotherapy Managers by Bob Spence Communications Co-ordinator Office of the Ontario.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

Protecting information rights – advancing information policy Privacy law reform for APP entities (organisations)

Privacy by Design

SmartPrivacy for the Smart Grid Catherine Thompson Office of the Information and Privacy Commissioner Ontario, Canada Practical Smart Grid Security (SG-11)

Public Sector Case Studies: THE ESTABLISHMENT OF A PRIVACY OFFICE.

Outsourcing Louis P. Piergeti VP, IIROC March 29, 2011.

Privacy Law for Network Administrators Steven Penney Faculty of Law University of New Brunswick.

HIPAA COMPLIANCE WITH DELL

CLOUD AND SECURITY: A LEGISLATOR'S PERSPECTIVE 6/7/2013.

Part 6 – Special Legal Rights and Relationships Chapter 35 – Privacy Law Prepared by Michael Bozzo, Mohawk College © 2015 McGraw-Hill Ryerson Limited 34-1.

ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:

© Copyright 2011, Vorys, Sater, Seymour and Pease LLP. All Rights Reserved. Higher standards make better lawyers. ® CISO Executive Network Executive Breakfast.

Introduction Arrangements Louis P. Piergeti VP, IIROC March 29, 2011.

Dino Tsibouris (614) Vendor Contracts: What You Need and What You May Be Missing.

Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario, Canada Privacy by Design: Integrating Technology into Global Privacy Practices Harvard.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Name Position Organisation Date. What is data integration? Dataset A Dataset B Integrated dataset Education data + EMPLOYMENT data = understanding education.

FleetBoston Financial HIPAA Privacy Compliance Agnes Bundy Scanlan Managing Director and Chief Privacy Officer FleetBoston Financial.

PIPEDA and Receivables Management Robin Gould-Soil Receivables Management Association of Canada November 16, 2011.

BC Public Libraries November, 2008 Privacy Principles.

Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.

Outsourcing Arrangements John Sudano, Senior Associate Hall & Wilcox, Lawyers.

The Internet of Things and Consumer Protection

1Copyright Jordan Lawrence. All rights reserved. U. S. Privacy and Security Laws DELVACCA INAUGURAL INHOUSE COUNSEL CONFERENCE April 1, 2009 Marty.

What Is Employment? Compare employee with agent and independent contractor Differences: Control test - Degree of control exercised over an employee is.

Privacy Practices.

Privacy Information for Advisors. Agenda PIPEDA Advisor Required Privacy Program Our MGA Privacy Program Recommendations for Advisors.

Protecting your Managed Services Practice: Are you at Risk?

Data protection—training materials [Name and details of speaker]

ISO 9001:2015 Subject: Quality Management System Clause 8 - Operation

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

The Privacy Symposium: Transferring Risk of a Privacy Event Paul Paray & Scott Ernst August 20, 2008.

1 HIPAA’s Impact on Depository Financial Institutions 2 nd National Medical Banking Institute Rick Morrison, CEO Remettra, Inc.

Data Protection Officer’s Overview of the GDPR

PRIVACY TRAINING For CAILBA members

Accountability & Structured Privacy Management

Security Standard: “reasonable security”

Privacy principles Individual written policies

EPA CONTRACT TEMPLATE Overview

EPA SUBCONTRACT TEMPLATE Overview September 2017

Privacy principles Individual written policies

APP entities (organisations)

Privacy: A Regulator’s Perspective

Bob Siegel President Privacy Ref, Inc.

General Data Protection Regulation

Move this to online module slides 11-56

Policies for Information Sharing

Mandatory Breach Reporting (isn’t *that* bad)

Paul T. Smith, Esq. Partner, Davis Wright Tremaine LLP

Getting Ready For GDPR Simon Marks Director

Ontario’s privacy protective Philadelphia model governance framework

Presentation transcript:

Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner Ontario, Canada MISA Ontario Cloud Computing Transformation Workshop 26 March 2013 Privacy by Design in the Clouds: You Can’t Outsource Accountability

Commissioner Ann Cavoukian, Ph.D. Appointed by Ontario legislature Independent from government Oversees 3 privacy & access to information laws Longest serving privacy commissioner in the world Mandated to: Investigate privacy complaints Resolve appeals from refusals to provide access to information Ensure organizations comply with the access and privacy provisions of the Acts Educate public about Ontario access & privacy laws Conduct research on access and privacy issues, provide advice and comment on proposed government legislation & programs. Information & Privacy Commissioner Ontario, Canada

IPC Interest in Cloud Computing Oversight: information management practices of provincial / municipal public and health care sectors in Ontario Outsourcing, due diligence and accountability Design and deployment of new ICTs Applying Privacy by Design Foundational Principles to technologies, business processes, and networked infrastructures

The Power and Promise of Cloud Computing Flexibility Better reliability and security Enhanced collaboration Efficiency in deployment Portability Potential cost savings Simpler devices

Cloud Computing Risks Loss of control by customer over technology infrastructure / loss of governance Possible loss of control over location of data Concerns about segregation of data Data retention, destruction and return Rights to data Data security

… but you can’t outsource accountability You can outsource data / services … You always remain accountable

IPC Advice Some things to consider: 1.Exercise due diligence 2.Conduct a Privacy Impact Assessment 3.Use identifying information only when necessary 4.Identify and minimize privacy and security risks 5.Use privacy enhancing technological tools 6.Ensure transparency, notice, education, awareness 7.Develop a privacy breach management plan 8.Create and enforce contractual clauses

Privacy by Design Meets the Cloud: Current and Future Privacy Challenges What is Privacy by Design? Building privacy into technologies, business processes, and networked infrastructures from the ground up. Goal: to establish and achieve highest possible standards of accountability, confidence, and trust in management of PII, beyond compliance Requires: Proactive, capable leadership; Systemic, verifiable methods; Practical, demonstrable results

Privacy by Design: The 7 Foundational Principles 1.Proactive not Reactive: Preventative, not Remedial; 2.Privacy as the Default setting; 3.Privacy Embedded into Design; 4.Full Functionality: Positive-Sum, not Zero-Sum; 5.End-to-End Security: Full Lifecycle Protection; 6.Visibility and Transparency: Keep it Open; 7.Respect for User Privacy: Keep it User-Centric.

Applied Privacy by Design Large Ontario educational institution initiative to upgrade, outsource IT infrastructure to a U.S.-based cloud service provider Evidence of Capable, Proactive Leadership –Open and transparent processes Evidence of Systemic, Verifiable Methods –World class PIA, TRA and metrics Expected Practical, Demonstrable Results

Conclusions Cloud computing has many benefits and risks You can outsource your operations and services but not your accountability Conduct proper due diligence on your cloud provider Ensure you have the appropriate contractual provisions in place Build PbD into the cloud infrastructure Embed privacy as a core functionality: the future of privacy may depend on it!

Contractual Provisions to Consider Description of Services Service Level Commitments Data Ownership and Other IPR issues Confidentiality, privacy and security –Data confidentiality obligations –Obligations of cloud service provider for protecting customer data –Location of data –Audit provisions –Data return and destruction –Data breach notification

Contractual Provisions to Consider Representations and Warranties Insurance Coverage Liabliity and Indemnity Issues Termination / transition provisions Subcontracting by cloud service provider Assignment by either party Governing law and forum for resolution of disputes Dispute resolution

Contractual Provisions to Consider Service provider should not use PI except as necessary in providing services Provider should not improperly disclose PI Provider must employ safeguards to ensure PI is retained, transferred and disposed of securely Provider must notify the organization immediately of any order or other requirement to compel production of PI Provider must notify the organization immediately if PI is stolen, lost, accessed by unauthorized persons Implement oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement No one on behalf of provider should have access to PI unless that person agrees to comply with restrictions in the agreement.

USA Patriot Act and Cloud Computing BC, NS legislation restricts government’s ability to outsource beyond Canadian border There will always be laws that allow law enforcement to gain access to information in their jurisdictions – the important question is what steps can an organization take to help ensure privacy and security, regardless of jurisdiction Organizations considering outsourcing or cloud computing should ensure accountability through appropriate contractual provisions and a Privacy by Design approach that ensures privacy is built in as an integral part of the proposed technologies and business practices