Considerations for Outsourcing Records Storage to the Cloud


Table of Contents

PART I: Identifying the Challenges
1.0 Are we even allowed to move the records?
2.0 Maintaining Legal Control
3.0 From Storage to Retention
4.0 Keeping it private and secure

PART II: Making Cloud Storage Work: A Records Management Action Plan
1.0 Get it in Writing
2.0 Enforce the written requirements!
3.0 Establish Records Retention Periods
4.0 Make sure the solution supports retention periods
5.0 Understand Location Requirements
6.0 Assess information retrieval and accessibility capabilities
7.0 Perform a Privacy Impact Assessment

PART III: Moving Toward a Cloud-Based Solution

The phrase "cloud computing" can refer to a wide range of network-based applications and services. In the specific context of records and information management, the cloud more typically refers to network-based storage arrangements, whereby electronic records are actually moved to a vendor's storage hardware but retrieved and used from the customer's work locations via remote access. The more widely acknowledged benefits of such an arrangement include cheaper, higher-capacity storage without the large capital outlay that an organization would require to build or expand its own infrastructure. Combine this with the increasing prevalence of electronic recordkeeping, and it's a wonder every business organization isn't actively moving its records to the cloud.

So why are some organizations hesitating? This article explores the very real legal and business challenges that cloud computing can pose for an organization. While none of these challenges need be an impediment to realizing the benefits of the cloud, they do warrant careful assessment and planning. By giving these questions full consideration and taking active steps to mitigate identified risks, an organization can enjoy the advantages of the cloud model while at the same time meeting the basic principles and objectives of an effective records management program.
Part I: Identifying the Challenges

Challenge #1: Are we even allowed to move the records?

The most common question that comes up regarding cloud-based storage is, "Are we allowed to do it?" In other words, is it legal? As with many questions in records management, the answer depends on a variety of legal and business factors. While statutes and regulations typically do not use phrases like "cloud computing", laws in the United States, Canada and other jurisdictions can be quite specific about the location and format in which required records must be retained. A survey of commercial sector legislation in North America shows clear requirements to retain specified records and/or information in equally specific locations. Such locations may be geographically specified; that is, within the country, state, province, territory, or other legal jurisdiction by which the statute or regulation is issued. Other laws will require that records be kept at a corporate head office, registered office or other equivalent location, or at a work site, field station or other specified location. Similarly, laws may explicitly require that records be retained as hard copy, electronically, or in another specified format.

But the law isn't always bad news for an organization that is contemplating electronic storage, in the cloud or elsewhere. Even some of those same laws which require retention in the state or at the registered office may also make allowance for retention at some secondary location, provided that the record can be accessed promptly by inspectors or other relevant authorities. And whether your organization is subject to any of these requirements in the first place will depend on where you are located, which laws your organization is incorporated or otherwise established under, and the specific business operations you perform.

Challenge #2: Maintaining Legal Control

Issues of information ownership and control are by no means unique to cloud-based storage. Any scenario that sees an organization's important business records removed from its direct custody and stored by a third-party service provider can challenge the ability of that business to meet its legal requirements and enforce its legal rights with respect to those records. But cloud-based storage raises ownership and control challenges well above those typically experienced in the more traditional situation of sending boxes of paper records to the local offsite warehouse. Whereas third-party paper storage typically takes place within a short drive of an organization's offices, the fast access capabilities of cloud-based storage make it possible to store information in another country or even on another continent!

In the worst case scenario, the movement of records to network servers, data warehouses and other storage hardware that is well outside your organization's normal operating jurisdictions can also mean movement away from the legal obligations and remedies that records owners need to enforce their rights and meet their basic requirements. This situation can pose serious challenges to your organization's ability to:

- Ensure that information security and integrity are safeguarded at the level required by legislation in your operating jurisdictions.
- Review or monitor how information is handled and processed in terms of compliance with laws and contractual requirements.
- Resume direct custody and control of your records in the event of contract termination or dispute.
- Control and prevent access to your information by unauthorized parties.

Challenge #3: From Storage to Retention

Any organization which aims to implement and maintain a records management program that meets ARMA International's Generally Accepted Recordkeeping Principles should note that the closely related requirements of records retention and disposition make up two of the eight principles. In order to support the fundamental objectives of legal compliance and risk management, good records management practices dictate that records are kept as long as needed and disposed of in a legally defensible manner once all such needs have lapsed. But how can we meet those principles in a situation where the normal challenges of electronic retention are compounded by the legal and contractual challenges already discussed? Some of the legal, technical and other challenges that cloud-based storage poses for meeting legally mandated retention times include:

- Inability of the electronic records storage and retrieval system to apply event-based retention. In the more traditional world of paper filing, a file is typically closed at the arrival of some pre-identified trigger. The retention period for a specific collection or category of records begins to accrue when the retention trigger takes place. The trigger might be something as regular as the end of the current fiscal year or a more discrete event, such as termination of a contract, completion of a project, or decommissioning of an asset. An electronic storage solution can apply retention with relative ease to those records whose retention periods automatically begin at year's end, but what about the event-driven retention periods? Some level of human intervention is necessary to indicate when an event occurs, even if that intervention means entering certain metadata after records have already been created and stored on the system. A system that ignores this inconvenient but undeniable reality runs a serious risk of either destroying records too early or failing to implement disposition processes at all.

- Failure to retain and keep records available for the entire duration of their retention periods, especially where records are required to be kept for 10, 20, 30 or more years. Without effective strategies to combat the effects of hardware and software obsolescence, legacy data can easily become unreadable or corrupted after one or more system changes. Anyone who has recently tried reading a floppy disk or watching a VHS cassette can attest to this reality! Meanwhile, even if migration strategies are in place for a given storage solution and vendor, what happens if and when that service arrangement is concluded? Records that are returned to their owner in some proprietary format accessible only via the vendor's technology may as well have been destroyed as far as usability and compliance are concerned.

- Risk that back-ups and other copies of records remain on the vendor's systems after the official or original records have been disposed of, seriously compromising otherwise legally defensible disposition processes.

Challenge #4: Keeping it private and secure

The challenge of privacy and personal information protection bears special discussion, even though it directly touches on the issues of legal compliance, contractual coverage and records retention already discussed. Sensitive, identifying information about individuals can include everything from financial data to employment details to medical history. If this information is lost, stolen or inappropriately disclosed, the risks to those individuals can include identity theft, financial losses, reputational damage, or inaccurate medical diagnoses and treatment. It is little wonder, then, that the world's legislators have given privacy concerns centre stage in emerging regulation of cloud-based storage and other technology solutions. One such emerging law, the European Union's General Data Protection Regulation, as drafted at the time of writing proposed fines of up to 1 million Euros for breaches that relate to international data transfers, an error that could occur more easily when using cloud computing. (The Regulation as finally adopted raised the ceiling for such infringements to 20 million Euros or 4% of worldwide annual turnover, whichever is higher.) Specific challenges that cloud-based computing can pose from a privacy perspective are as follows:

- Removal of information from the privacy legislation and other legal protection offered by the customer's operating jurisdiction.
- Inability to monitor and control how personal information is handled, protected and used.
- Increased risk of hacking and other forms of unauthorized access and misuse, from literally anywhere on earth.

Part II: Making Cloud Storage Work: A Records Management Action Plan

Action Item #1: Get it in Writing

Implementing and enforcing a formal records management program requires more than blindly signing a cloud storage vendor's template service agreement. It is critical that records management requirements be directly accounted for in such contracts. Possible requirements to be addressed in these contracts include:

- Acknowledgement that all information is the property of the customer.
- Compliance with the customer's policies and standards with respect to such matters as records retention, information security and privacy.
- Governance by the laws of the federal and state/provincial/territorial jurisdictions specified in the agreement.
- Guarantee that the storage provider will only use the stored information for purposes necessary to and consistent with providing the contracted services.
- Segregation of the customer's information from that of other customers.
- Notification of the customer in the event of an information security breach or other incident or condition which potentially threatens the security, integrity and/or availability of the stored records.
- Timely remediation of security breaches or other threats to records.
- Return of all information to the customer's direct custody and control in the event of contract termination or dispute. Such clauses should also provide for an appropriate level of assistance by the vendor in making information usable and accessible, as well as the deletion or destruction of any back-ups and other copies which would otherwise continue to be retained by the vendor.

Action Item #2: Enforce the written requirements!

Don't be afraid to invoke the audit and monitoring clauses provided for in the service contract. In order for those clauses to meet their original purpose, they need to do more than pay lip service to your organization's rights and obligations to actively monitor how information is stored and handled. Your organization should develop a formal, documented audit and/or monitoring plan that addresses all pertinent issues, from basic hardware and software functionality through to security controls at the technical, administrative and physical levels. Then, put the plan into action. The fact that your records are stored on the other side of the world should not and cannot stop you from physically looking at the storage arrangement!

Action Item #3: Establish Records Retention Periods

Already, we've discussed the need to consider any legal requirements which directly impact the physical location and medium in which records are to be kept. It is equally important to proactively identify any legal and/or business requirements that affect how long records must be kept. A Records Retention Schedule meets this need by dividing records into clearly identifiable categories and prescribing standard time periods for keeping records in each category, subject to possible extension in the event of Legal Holds or other exceptional circumstances. An effective, legally defensible retention schedule should be based on documented research of applicable requirements, which include:

- Direct, explicit requirements under statutes and regulations to keep specified records for a given time period.
- Indirect legal requirements to keep records, in the form of legal limitation periods applicable to litigation, audits, and other proceedings which require discovery and production of records.
- Business requirements to keep and use records, as identified by end users and other organizational stakeholders.

Action Item #4: Make sure the solution supports retention periods

Once retention periods have been identified based on legal and business requirements and formalized as part of organizational information governance, the actual retention periods themselves should be directly factored into the identification and planning of storage system requirements. Whether through vendor selection criteria or more active participation in the solution development process, records management professionals can and should help their organizations ensure that cloud-based systems support records retention requirements by keeping records for as long as needed and helping dispose of them when all such requirements expire. Possible strategies for making this happen include:

- Development and implementation of migration plans and conversion strategies that are expressly designed to ensure the forward compatibility of all legacy records with new or upgraded hardware and software.
- Design of metadata taxonomies, workflows and other tools to help identify when retention events actually take place in the real world, triggering the accrual of retention periods for one or more related records.
- Proactively addressing data back-up retention and disposition as part of service contracts and/or attached policies and procedures.
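The event-based retention problem raised under Challenge #3 and the metadata and workflow strategy listed above come down to one rule a storage system has to enforce: a retention clock starts only when its trigger is actually known, and any record the system cannot justify destroying stays where it is. The Python script below is an added example written for this page; it is not code from the article or from any vendor's product. The retention schedule, the fiscal year end, the record IDs, the review date and the metadata export format are all assumptions chosen to illustrate the point.

```python
"""Event-based retention review over a constructed metadata export.

Assumptions (not taken from the article): the SCHEDULE entries, the
calendar-year fiscal year, and the sample rows are illustrative only.
Each record carries the category assigned at filing and, for
event-triggered categories, a trigger date that a person records when
the event (contract termination, project completion, ...) happens.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical retention schedule: category -> (trigger kind, years to retain).
# "fiscal_year_end": the period accrues from the end of the fiscal year of creation.
# "event": the period accrues only from an explicitly recorded trigger event.
SCHEDULE = {
    "accounts_payable": ("fiscal_year_end", 7),
    "contract": ("event", 6),        # trigger: contract termination
    "project_file": ("event", 10),   # trigger: project completion
}
FISCAL_YEAR_END_MONTH = 12           # assumed calendar-year fiscal year


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    trigger_date: Optional[date] = None   # stays None until someone records the event
    legal_hold: bool = False


def from_row(row: dict) -> Record:
    """Build a Record from one row of an ISO-8601 metadata export (assumed format)."""
    return Record(
        record_id=row["id"],
        category=row["category"],
        created=date.fromisoformat(row["created"]),
        trigger_date=date.fromisoformat(row["trigger"]) if row.get("trigger") else None,
        legal_hold=row.get("hold", "").lower() == "yes",
    )


def fiscal_year_end(d: date, end_month: int = FISCAL_YEAR_END_MONTH) -> date:
    """Last day of the fiscal year in which d falls."""
    year = d.year if d.month <= end_month else d.year + 1
    return date(year, end_month, monthrange(year, end_month)[1])


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def disposition_date(rec: Record) -> Optional[date]:
    """Earliest date the record may be disposed of, or None when the clock has not
    started (event not yet recorded) or the category has no schedule entry."""
    if rec.category not in SCHEDULE:
        return None
    kind, years = SCHEDULE[rec.category]
    start = fiscal_year_end(rec.created) if kind == "fiscal_year_end" else rec.trigger_date
    return add_years(start, years) if start else None


def decide(rec: Record, today: date) -> str:
    """Disposition decision for one record on the review date. Anything the system
    cannot justify destroying is kept: an active hold, an unscheduled category,
    or an event trigger that nobody has recorded yet."""
    if rec.legal_hold:
        return "HOLD"                      # a legal hold overrides the schedule
    if rec.category not in SCHEDULE:
        return "UNSCHEDULED"               # no rule: retain and refer to records management
    due = disposition_date(rec)
    if due is None:
        return "AWAITING_TRIGGER"          # never fall back to the creation date
    return "ELIGIBLE_FOR_DISPOSITION" if today >= due else "RETAIN"


def review(records, today: date) -> dict:
    """Map every record ID to its decision on the review date."""
    return {r.record_id: decide(r, today) for r in records}


# Constructed sample export; none of these records or IDs are real.
SAMPLE_ROWS = [
    {"id": "AP-2016-001", "category": "accounts_payable", "created": "2016-03-15"},
    {"id": "CT-0042", "category": "contract", "created": "2010-05-01"},   # still open
    {"id": "CT-0043", "category": "contract", "created": "2010-05-01", "trigger": "2015-02-28"},
    {"id": "CT-0044", "category": "contract", "created": "2011-09-09", "trigger": "2016-01-31", "hold": "yes"},
    {"id": "PJ-0007", "category": "project_file", "created": "2012-01-10", "trigger": "2020-06-30"},
    {"id": "XX-0001", "category": "legacy_unknown", "created": "1999-12-31"},
]
SAMPLE_RECORDS = [from_row(r) for r in SAMPLE_ROWS]
REVIEW_DATE = date(2024, 1, 1)   # assumed review date

if __name__ == "__main__":
    for rid, decision in review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{rid:12} {decision}")
```

Running it prints one decision per record. The two cases worth looking at are CT-0042, which was created in 2010 but has no recorded termination date and so is never eligible regardless of age, and CT-0044, where a legal hold overrides an otherwise expired period. A system that computed retention from the creation date alone would dispose of both, which is exactly the "destroying records too early" failure described in Challenge #3.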

Action Item #5: Understand Location Requirements

Perform a comprehensive review of legal recordkeeping requirements applicable to your organization, including any statutes or regulations that specify where and in what format records must be kept. If this review has not already been factored into the Records Retention Schedule development described in Action Item #3, specialized research may be needed.

Action Item #6: Assess information retrieval and accessibility capabilities

If, instead of being required to keep records in the state or at the registered office, your organization is only required to ensure that records are readily accessible, make sure the cloud-based solution is able to provide the fast, reliable access necessary to comply. Specific retrieval times will vary depending on the specific inspection, audit or other timelines that apply to your organization. At the very least, the cloud solution must be able to ensure that information is available just as quickly as if the records were retained in paper or electronic format at the original place of business. Better yet, the cloud-based system may even be able to offer an improvement over more manual or ad hoc retrieval tools!

Action Item #7: Perform a Privacy Impact Assessment

While its exact form can vary across different risk scenarios, a privacy impact assessment can be a powerful tool in identifying applicable privacy requirements, risks and mitigation strategies. An effective privacy impact assessment works in tandem with the other action items described above and can include key elements such as:

- Formal identification of specific statutes, regulations and industry standards governing privacy and personal information in the organization.
- Declaration of authorized business purposes for which information may be collected, used, disclosed and/or retained.
- Determination of requirements to seek individual consent for any collection, use or disclosure of personal information, including possible information access by records storage providers.
- Description of contractual provisions and related enforcement controls related to information ownership, control, retention and protection.
- Summary of records retention rules and any technology specifications, workflow processes or other tools for implementing those rules.
- Assessment of information security and integrity risks, as well as any technical, physical or administrative safeguards to help prevent or mitigate those risks.

Part III: Moving Toward a Cloud-Based Solution

So, is moving toward a cloud-based solution for electronic records storage right for your organization? It just might be. The benefits of more storage space at a cheaper cost are hard to argue with in isolation, but those benefits can be negated if challenges with records ownership, retention, privacy and overall compliance cannot be adequately addressed. The key is to take a measured approach, considering all foreseeable risks and taking concrete, proactive steps to prevent and mitigate those risks. By taking actions such as those outlined in this article, a decision about records storage in the cloud becomes a lot less cloudy! If you'd like to discuss whether a cloud-based solution is right for storing your electronic records, please get in touch.


More information

Privacy in the Cloud Computing Era. A Microsoft Perspective

Privacy in the Cloud Computing Era. A Microsoft Perspective Privacy in the Cloud Computing Era A Microsoft Perspective November 2009 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Generally Accepted Recordkeeping Principles

Generally Accepted Recordkeeping Principles Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to

More information

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines

Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines (This document supersedes the document previously entitled MCFD Contractor Records Guidelines) Ministry of Children and Family Development (MCFD) Contractor s Information Management Guidelines November

More information

Generally Accepted Recordkeeping Principles How Does Your Program Measure Up?

Generally Accepted Recordkeeping Principles How Does Your Program Measure Up? Generally Accepted Recordkeeping Principles How Does Your Program Measure Up? GARP Overview Creation Purpose GARP Overview Creation About ARMA International and the Generally Accepted Recordkeeping Principles

More information

State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN. January 2010 December 2012 DECEMBER 31, 2009

State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN. January 2010 December 2012 DECEMBER 31, 2009 State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN January 2010 December 2012 DECEMBER 31, 2009 Florida Department of State State Library and Archives of Florida 850.245.6750 http://dlis.dos.state.fl.us/recordsmanagers

More information

Privacy and Cloud Computing for Australian Government Agencies

Privacy and Cloud Computing for Australian Government Agencies Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

A Privacy and Data Security Checklist for All

A Privacy and Data Security Checklist for All July 2015 Many companies know they have to follow privacy and data security rules. Companies in the health care industry know about Health Insurance Portability and Accountability Act (HIPAA). Financial

More information

Cloud Computing Contracts: Hazards Ahead

Cloud Computing Contracts: Hazards Ahead Cloud Computing Contracts: Hazards Ahead General Cloud Concerns Internal Network Requirements Connectivity Dependent Sustainability Loss of Control Legal Requirements Specific Hazards in the Contracts

More information

Wellesley College Written Information Security Program

Wellesley College Written Information Security Program Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as

More information

Retention & Disposition in the Cloud Do you really have control?

Retention & Disposition in the Cloud Do you really have control? InterPARES Trust Retention & Disposition in the Cloud Do you really have control? Franks Patricia, San Jose State University, San Jose, USA and Alan Doyle, University of British Columbia, Canada October

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

PHIA GENERAL INFORMATION

PHIA GENERAL INFORMATION To: From: Researchers Legal Services and Research Services Date: May 21, 2013 Subject: Research and the New Personal Health Information Act On June 1, 2013, the Personal Health Information Act ( PHIA )

More information

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention State of Michigan Records Management Services Frequently Asked Questions About E mail Retention It is essential that government agencies manage their electronic mail (e mail) appropriately. Like all other

More information

DATA BREACH COVERAGE

DATA BREACH COVERAGE THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000

More information

Service Schedule for CLOUD SERVICES

Service Schedule for CLOUD SERVICES Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this

More information

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records CMA POLICY Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records I. INTRODUCTION This document is intended to provide some interim guidance with respect to the main

More information

Guidelines for Digital Imaging Systems

Guidelines for Digital Imaging Systems NORTH CAROLINA DEPARTMENT OF CULTURAL RESOURCES OFFICE OF ARCHIVES AND HISTORY DIVISION OF HISTORICAL RESOURCES ARCHIVES AND RECORDS SECTION Guidelines for Digital Imaging Systems Phase I: Project Planning

More information

Introduction Thanks Survey of attendees Questions at the end

Introduction Thanks Survey of attendees Questions at the end Introduction Thanks Survey of attendees Questions at the end 1 Electronic records come in a variety of shapes and sizes and are stored in a multitude of ways. Just what are you managing? Video Cloud computing

More information

Information Management Advice 18 Managing records in business systems

Information Management Advice 18 Managing records in business systems Information Management Advice 18 Managing records in business systems Assessment tool: Measuring recordkeeping compliance in business systems Introduction Using this tool to identify and assess core business

More information

Data Protection Act 1998. Guidance on the use of cloud computing

Data Protection Act 1998. Guidance on the use of cloud computing Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered

More information

CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC.

CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC. CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC. S EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD.

More information

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT

DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security

More information

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ

APIP - Cyber Liability Insurance Coverages, Limits, and FAQ APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Remote Deposit Service Terms and Conditions Personal and Business Accounts

Remote Deposit Service Terms and Conditions Personal and Business Accounts Remote Deposit Service Terms and Conditions Personal and Business Accounts In this Agreement, the words you and your mean the member who enrolls or uses the services described in this Agreement. The words

More information

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1

CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1 CLOUD COMPUTING (outsourcing records storage) TATTA SRINIVASA RECORDS MANAGER 11 December 2013 TOWNSHIP OF KING TATTA 1 Cloud computing A style of computing where scalable and elasticity ITenabled capabilities

More information

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system

More information

Personal Information Protection Act Information Sheet 11

Personal Information Protection Act Information Sheet 11 Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores

More information

A LEGAL GUIDE TO CLOUD COMPUTING

A LEGAL GUIDE TO CLOUD COMPUTING A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key

More information

Privacy Best Practices

Privacy Best Practices Privacy Best Practices Mount Royal University Electronic Collection/Storage/Transmission of Personal (Google Drive/Forms/Docs) Google Suite: Document, Presentation, Spreadsheet, Form, Drawing Overview

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, 2003. A Guide for Data Controllers Office of the Data Protection Commissioner of The Bahamas Data Protection (Privacy of Personal Information) Act, 2003 A Guide for Data Controllers 1 Acknowledgement Some of the information contained in

More information

Credit Union Code for the Protection of Personal Information

Credit Union Code for the Protection of Personal Information Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve

More information

Accelerating HIPAA Compliance with EMC Healthcare Solutions

Accelerating HIPAA Compliance with EMC Healthcare Solutions Accelerating HIPAA Compliance with EMC Healthcare Solutions A HealthCIO White Paper Sponsored by the EMC Corporation by Jonathan Bogen 2003 E-mail: Info@HealthCIO.com www.healthcio.com Accelerating HIPAA

More information

Microsoft s Compliance Framework for Online Services

Microsoft s Compliance Framework for Online Services Microsoft s Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft

More information

CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM

CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM This form is reserved for agencies and brokers acting on their own account and for designers of EDM systems for those agencies and

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

INFORMATION SECURITY GUIDELINES

INFORMATION SECURITY GUIDELINES INFORMATION SECURITY GUIDELINES TABLE OF CONTENTS: Scope of Document 1 Data Definition Guidelines (Appendix 1).2 Data Protection Guidelines (Appendix 2).3 Protection of Electronic or Machine- Readable

More information

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013 Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents

More information

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015 Breaking Down the Silos: A 21st Century Approach to Information Governance May 2015 Introduction With the spotlight on data breaches and privacy, organizations are increasing their focus on information

More information

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Acquia Comments on EU Recommendations for Data Processing in the Cloud Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3

Operational Risk Publication Date: May 2015. 1. Operational Risk... 3 OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...

More information

DHS Data Privacy & Integrity Advisory Committee 07 May 2007. Comments of the. DHS Data Privacy & Integrity Advisory Committee

DHS Data Privacy & Integrity Advisory Committee 07 May 2007. Comments of the. DHS Data Privacy & Integrity Advisory Committee DHS Data Privacy & Integrity Advisory Committee 07 May 2007 Comments of the DHS Data Privacy & Integrity Advisory Committee Regarding the Notice of Propose Rulemaking For Implementation of the REAL ID

More information

PIPEDA and Online Backup White Paper

PIPEDA and Online Backup White Paper PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect

More information

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com

Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com WHITE PAPER The IT Manager's Role in Proactive Information Retention and Disposition Management: Balancing ediscovery and Compliance Obligations with IT Operational and Budget Constraints Sponsored by:

More information

POWER PROTECT PROMOTE. Information Governance In The Cloud

POWER PROTECT PROMOTE. Information Governance In The Cloud Information Governance In The Cloud Galina Datskovsky, Ph. D., CRM President of ARMA International SVP Information Governance Solutions Topics Cloud Characteristics And Risks Information Management In

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

E-mail Management: A Guide For Harvard Administrators

E-mail Management: A Guide For Harvard Administrators E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered

More information

SUPPLIER SECURITY STANDARD

SUPPLIER SECURITY STANDARD SUPPLIER SECURITY STANDARD OWNER: LEVEL 3 COMMUNICATIONS AUTHOR: LEVEL 3 GLOBAL SECURITY AUTHORIZER: DALE DREW, CSO CURRENT RELEASE: 12/09/2014 Purpose: The purpose of this Level 3 Supplier Security Standard

More information

E-MAIL RETENTION BEST PRACTICE. Issue Date: April 20, 2011. Intent and Purpose:

E-MAIL RETENTION BEST PRACTICE. Issue Date: April 20, 2011. Intent and Purpose: E-MAIL RETENTION BEST PRACTICE Issue Date: April 20, 2011 Intent and Purpose: The intent of this best practice is for county officials to have an educational mechanism to explain requirements for maintaining

More information

Accountable Privacy Management in BC s Public Sector

Accountable Privacy Management in BC s Public Sector Accountable Privacy Management in BC s Public Sector Contents Accountable Privacy Management In BC s Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY

More information

EHR Contributor Agreement

EHR Contributor Agreement This EHR Contributor Agreement (this Agreement ) is made effective (the Effective Date ) and sets out certain terms and conditions that apply to the sharing of Personal

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

Cloud Computing: Privacy and Other Risks

Cloud Computing: Privacy and Other Risks December 2013 Cloud Computing: Privacy and Other Risks by George Waggott, Michael Reid and Mitch Koczerginski, McMillan LLP Introduction While the benefits of outsourcing organizational data storage to

More information

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0

Transition Guidelines: Managing legacy data and information. November 2013 v.1.0 Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of

More information