
Patrick Sefton | Principal Privacy and data control in the era of cloud computing.


Slide 1: Privacy and data control in the era of cloud computing
Patrick Sefton | Principal

Slide 2: Outline
- "cloud computing": definition & examples
- information privacy compliance requirements
- pre-contract enquiries / capability questions
- contracts (including GITC in particular)
- standards & certifications
- ongoing contract management & reporting

Slide 3: "Cloud computing"
Many names, slightly different meanings:
- data / application hosting
- ICT managed services
- ASP / software-as-a-service
- platform-as-a-service
- infrastructure-as-a-service
- utility computing
...but the same concept: ICT capability provisioned remotely, delivered as a service, with abstraction of detail.

Slide 4: [figure] "← less of this ... more like this →"

Slide 5: [figure] "...connected to these →"

Slide 6: Commercial & technical drivers
- ubiquitous high-speed communications
- leverage economies of scale
- cost of supporting infrastructure & redundancy
- energy costs
- reduce capital expenditure
- flexibility / agility
- rapid provisioning / dynamic scalability

Slide 7: Example: Microsoft
Steve Ballmer, 4 March 2010: "literally I will tell you we're betting our company on it."

Slide 8: Example: Google
- Google Apps (Office workalike, email, storage): USD50/user/year; 2M+ clients, including significant government clients, e.g. City of Los Angeles, City of Washington DC
- Google AppEngine: run private software on Google's infrastructure
- Spanner (announced October 2009): storage and computation system which spans all datacentres & scales to 10M+ servers, 1B+ clients

Slide 9: The devil is in the details
So... ICT capability is provided as a service, the details are abstracted and the cost is down, so everyone's happy?
But... some of those about-to-be-abstracted-away details are really important.
Information privacy and data control are important details that need to be addressed up front in cloud computing arrangements:
- statutory essentials
- pre-contract enquiries
- contract terms

Slide 10: IPA & service providers to agencies
Special provisions apply when an agency enters a service arrangement under which the service provider performs an agency function:
- s35: agency must take all reasonable steps to ensure the service provider is required to comply with IPPs/NPPs as if it was the agency
- s36: a "bound contracted service provider" is required to comply with IPPs/NPPs (and attracts the complaint, approval and compliance mechanics of the IPA)
- s37: failure to bind → the agency still has the obligation

Slide 11: IPA section 35
s35: agency must take all reasonable steps to ensure service provider required to comply with IPPs/NPPs as if it was the agency
- essential minimal requirement for departments & agencies: a low water mark
- easy to include: "The Contractor must comply with Parts 1 and 3 of Chapter 2 of the Act, as if it was the Customer, in relation to the discharge of its obligations under this agreement."

Slide 12: IPA & cross-border transfers
Special provisions about cross-border transfers by agencies (s33): consent, or at least 2 of the following:
- equivalent treatment
- necessity
- individual benefits, consent impracticable & likely
- reasonable steps to protect

Slide 13: Service providers & the Cth Act
- private sector has no provision like s35 IPA: you're on your own
- is the service provider governed by the Act?
  - $3M turnover threshold
  - s6D(4)(c) & (d): collecting/disclosing for payment
  - should the contractor "opt in"? (s6EA)
- otherwise, contract terms equivalent to NPPs

Slide 14: Pre-contract enquiries
What questions should we ask a potential cloud computing service provider?
- location of provider, data (including backups)
- deletion & disposal process?
- who has access? what access controls are used?
- are any subcontractors involved?
- insolvency of supplier?
- ease of transfer to another supplier?
- single- or multi-tenanted servers?
- supplier's own privacy & security policies (incl. physical security)
- awareness of compliance mechanics of IPA
- reporting / notification / breach response
- standards compliance & certifications, audit reports?

Slide 15: Contract terms: is GITC sufficient?
- cl 5.4: broad confidentiality terms
- cl 5.5: broad privacy terms
- can obtain deed of confidentiality / privacy from subcontractors, but only if not reasonably satisfied proper practices are in place (query whether this is done as a matter of course)
- a good start, but what about...

Slide 16: Contract terms: what about...
- supplier's responses to pre-contract enquiries (incorporate them)
- more detailed action in response to a security / privacy breach: promptness & detail of report
- information about security / privacy breaches for other clients
- audit right (electronic & physical practices) or periodic audit
- awareness of personnel who have access (with ongoing updates)
- disposal / return of records
- regular reporting
- freedom to move (incl. return of data in standard format)
- limitation of liability: does the normal position work?

Slide 17: Standards & certifications
- FISMA: a framework for managing information security under the Federal Information Security Management Act of 2002 (US)
- HIPAA: standards for eHealth transactions under the Health Insurance Portability and Accountability Act of 1996 (US), extended by HITECH: Health Information Technology for Economic and Clinical Health Act 2009 (US)
- SOX: Sarbanes-Oxley Act of 2002 (US) (public companies) & Basel II: international standard for risks in the financial sector
- PCI DSS: Payment Card Industry Data Security Standard
- SAS70: Statement on Auditing Standards No.70: an accounting standard to assess internal controls within a service organisation
- ISO15489: int'l standard for record and information management
- ISO27001: int'l standard for information security systems
- access to audit/certification reports?

Slide 18: Ongoing management
Don't forget ongoing management:
- periodic reporting: review & act on issues
- options under contract, including audit, further deed
- internal process for privacy breaches
- co-operative & transparent management of privacy complaints and investigations
- appropriate escalation of issues: privacy is a critical reputational & political risk

Slide 19: Thank you.
Patrick Sefton, patrick.sefton@brightline.com.au

