Considerations for Outsourcing Records Storage to the Cloud
- Michael Briggs
Table of Contents

PART I: Identifying the Challenges
1.0 Are we even allowed to move the records?
2.0 Maintaining Legal Control
3.0 From Storage to Retention
4.0 Keeping it private and secure

PART II: Making Cloud Storage Work: A Records Management Action Plan
1.0 Get it in Writing
2.0 Enforce the written requirements!
3.0 Establish Records Retention Periods
4.0 Make sure the solution supports retention periods
5.0 Understand Location Requirements
6.0 Assess information retrieval and accessibility capabilities
7.0 Perform a Privacy Impact Assessment

PART III: Moving Toward a Cloud-Based Solution

The phrase "cloud computing" can refer to a wide range of network-based applications and services. In the specific context of records and information management, "the cloud" more typically refers to network-based storage arrangements, whereby electronic records are actually moved to a vendor's storage hardware but retrieved and used from the customer's work locations via remote access. The more widely acknowledged benefits of such an arrangement include cheaper, higher capacity storage without the large capital outlay that an organization would require to build or expand its own infrastructure. Combine this with the increasing prevalence of electronic recordkeeping, and it's a wonder every business organization isn't actively moving its records to the cloud.

So why are some organizations hesitating? This article explores the very real legal and business challenges that cloud computing can pose for an organization. While none of these challenges need be an impediment to realizing the benefits of the cloud, they do warrant careful assessment and planning. By giving these questions full consideration and taking active steps to mitigate identified risks, an organization can enjoy the advantages of the cloud model while at the same time meeting the basic principles and objectives of an effective records management program.
Part I: Identifying the Challenges

Challenge #1: Are we even allowed to move the records?

The most common question that comes up regarding cloud-based storage is, "Are we allowed to do it?" In other words, is it legal? As with many questions in records management, the answer depends on a variety of legal and business factors. While statutes and regulations typically do not use phrases like "cloud computing," laws in the United States, Canada and other jurisdictions can be quite specific about the location and format in which required records must be retained.

A survey of commercial sector legislation in North America shows clear requirements to retain specified records and/or information in equally specific locations. Such locations may be geographically specified; that is, within the country, state, province, territory, or other legal jurisdiction by which the statute or regulation is issued. Other laws will require that records be kept at a corporate head office, registered office or other equivalent location, or at a work site, field station or other specified location. Similarly, laws may explicitly require that records be retained as hard copy, electronically, or in another specified format.
But the law isn't always bad news for an organization that is contemplating electronic storage, in the cloud or elsewhere. Even some of those same laws which require retention in the state or at the registered office may also make allowance for retention at some secondary location, provided that the record can be accessed promptly by inspectors or other relevant authorities. And whether your organization is subject to any of these requirements in the first place will depend on where you are located, which laws your organization is incorporated or otherwise established under, and the specific business operations you perform.

Challenge #2: Maintaining Legal Control

Issues of information ownership and control are by no means unique to cloud-based storage. Any scenario that sees an organization's important business records removed from its direct custody and stored by a third-party service provider can challenge the ability of that business to meet its legal requirements and enforce its legal rights with respect to those records. But cloud-based storage does raise ownership and control challenges well above those that are typically experienced in the more traditional situation of sending boxes of paper records to the local offsite warehouse. Whereas third-party paper storage typically takes place within a short drive from an organization's offices, the fast access capabilities of cloud-based storage make it possible to store information in another country or even on another continent!
In the worst case scenario, the movement of records to network servers, data warehouses and other storage hardware that is well outside your organization's normal operating jurisdictions can also mean movement away from the legal obligations and remedies that records owners need to enforce their rights and meet their basic requirements. This situation can pose serious challenges to your organization's ability to:

- Ensure that information security and integrity are safeguarded at a level required by legislation under your operating jurisdictions.
- Review or monitor how information is handled and processed in terms of compliance with laws and contractual requirements.
- Resume direct custody and control of your records in the event of contract termination or dispute.
- Control and prevent access to your information by unauthorized parties.
Challenge #3: From Storage to Retention

Any organization which aims to implement and maintain a records management program which meets ARMA International's Generally Accepted Recordkeeping Principles should note that the closely related requirements of records retention and disposition make up two of the eight principles. In order to support the fundamental objectives of legal compliance and risk management, good records management practices dictate that records are kept as long as needed and disposed of in a legally defensible manner once all such needs have lapsed. But how can we meet those principles in a situation where the normal challenges of electronic retention are compounded by those legal and contractual challenges already discussed?

Some of the legal, technical and other challenges that cloud-based storage poses for meeting legally mandated retention times include:

- Inability of the electronic records storage and retrieval system to apply event-based retention. In the more traditional world of paper filing, a file is typically closed at the arrival of some pre-identified trigger. The retention period for a specific collection or category of records will begin to accrue when the retention trigger takes place. The trigger might consist of something as regular as the end of a current fiscal year or the occurrence of a more discrete event, such as termination of a contract, completion of a project, or decommissioning of an asset. An electronic storage solution can apply retention with relative ease to those records whose retention periods automatically begin at year's end, but what about the event-driven retention periods? Some level of human intervention is necessary to indicate when an event occurs, even if that intervention means entering certain metadata after records have already been created and stored on the system. A system that misses this inconvenient but undeniable reality runs a serious risk of either destroying records too early or failing to implement disposition processes at all.
- Failure to retain and keep records available for the entire duration of their records retention periods, especially where records are required to be kept for 10, 20, 30 or more years. Without effective strategies to combat the effects of hardware and software obsolescence, legacy data easily can become unreadable or corrupted after one or more system changes. Anyone who recently tried reading a floppy disk or watching a VHS cassette can attest to this reality! Meanwhile, even if migration strategies are in place for a given storage solution and vendor, what happens if and when that service arrangement is concluded? Records that are returned to their owner in some proprietary format accessible only via the vendor's technology may as well have been destroyed as far as usability and compliance are concerned.
- Risk that back-ups and other copies of records remain on the vendor's systems after the official or original records have been disposed of, seriously compromising otherwise legally defensible disposition processes.
Challenge #4: Keeping it private and secure

The challenge of privacy and personal information protection bears special discussion, even though it directly touches on the issues of legal compliance, contractual coverage and records retention already discussed. Sensitive, identifying information about individuals can include everything from financial data to employment details to medical history. If this information is lost, stolen or inappropriately disclosed, the risks to those individuals can include identity theft, financial losses, reputational damage, or inaccurate medical diagnoses and treatment.

It is little wonder then, that the world's legislators have given privacy concerns centre stage in emerging regulations of cloud-based storage and other technology solutions. One such emerging law, the European Union's General Data Protection Regulation, prescribes fines of up to 1 million Euros for breaches that relate to international data transfers, an error that could occur more easily when using cloud computing.

Specific challenges that cloud-based computing can pose from a privacy perspective are as follows:

- Removal of information from the privacy legislation and other legal protection offered by the customer's operating jurisdiction.
- Inability to monitor and control how personal information is handled, protected and used.
- Increased risk of hacking and other forms of unauthorized access and misuse, from literally anywhere on earth.
Part II: Making Cloud Storage Work - A Records Management Action Plan

Action Item #1: Get it in Writing

Implementing and enforcing a formal records management program requires more than blindly signing a cloud storage vendor's template service agreement. It is critical that records management requirements be directly accounted for in such contracts. Possible requirements to be addressed in these contracts include:

- Acknowledgement that all information is the property of the customer.
- Compliance with the customer's policies and standards with respect to such matters as records retention, information security and privacy.
- Governance by the laws of federal and state/provincial/territorial jurisdictions specified in the agreement.
- Guarantee that the storage provider will only use the stored information for purposes necessary to and consistent with providing the contracted services.
- Segregation of the customer's information from that of other customers.
- Notification of the customer in the event of an information security breach or other incident or condition which potentially threatens the security, integrity and/or availability of the stored records.
- Timely remediation of security breach or other threats to records.
- Return of all information to the customer's direct custody and control in the event of contract termination or dispute. Such clauses should also provide for an appropriate level of assistance by the vendor in making information usable and accessible, as well as the deletion or destruction of any back-ups and other copies which would otherwise continue to be retained by the vendor.

Action Item #2: Enforce the written requirements!
Don't be afraid to invoke the audit and monitoring clauses provided for in the service contract. In order for those clauses to meet their original purpose, they need to do more than pay lip service to your organization's rights and obligations to actively monitor how information is stored and handled. Your organization should develop a formal, documented audit and/or monitoring plan that addresses all pertinent issues, from basic hardware and software functionality through to security controls at the technical, administrative and physical levels. Then, put the plan into action. The fact that your records are stored on the other side of the world should not and cannot stop you from physically looking at the storage arrangement!
Action Item #3: Establish Records Retention Periods

Already, we've discussed the need to consider any legal requirements which directly impact the physical location and medium in which records are to be kept. It is equally important to proactively identify any legal and/or business requirements that affect how long records must be kept. A Records Retention Schedule meets this need by dividing records into clearly identifiable categories and prescribing standard time periods for keeping records in each category, subject to possible extension in the event of Legal Holds or other exceptional circumstances. An effective, legally defensible retention schedule should be based on documented research of applicable requirements, which include:

- Direct, explicit requirements under statutes and regulations to keep specified records for a given time period.
- Indirect legal requirements to keep records, in the form of legal limitation periods applicable to litigation, audits, and other proceedings which require discovery and production of records.
- Business requirements to keep and use records, as identified by end users and other organizational stakeholders.

Action Item #4: Make sure the solution supports retention periods

Once retention periods have been identified based on legal and business requirements and formalized as part of organizational information governance, the actual retention periods themselves should be directly factored into the identification and planning of storage system requirements.
Whether through vendor selection criteria or more active participation in the solution development process, records management professionals can and should help their organizations ensure that cloud-based systems support meeting records retention requirements by keeping records for as long as needed and helping dispose of them when all such requirements expire. Possible strategies for making this happen include:

- Development and implementation of migration plans and conversion strategies that are expressly designed to ensure the forward compatibility of all legacy records with new or upgraded hardware and software.
- Design of metadata taxonomies, workflows and other tools to help identify when retention events actually take place in the real world, triggering the accrual of retention periods for one or more related records.
- Proactively addressing data back-up retention and disposition as part of service contracts and/or attached policies and procedures.
Action Item #5: Understand Location Requirements

Perform a comprehensive review of legal recordkeeping requirements applicable to your organization, including any statutes or regulations that specify where and in what format records must be kept. If this review has not already been factored into the Records Retention Schedule development described in Action Item #3, specialized research may be needed.

Action Item #6: Assess information retrieval and accessibility capabilities

If, instead of being required to keep records in the state or at the registered office, your organization is only required to ensure that records are readily accessible, make sure the cloud-based solution is able to provide the fast, reliable access necessary to comply. Specific retrieval times will vary depending on the specific inspection, audit or other timelines that apply to your organization. At the very least, the cloud solution must be able to ensure that information is available just as quickly as if the records were retained in paper or electronic format at the original place of business. Better yet, the cloud-based system may even be able to offer an improvement over more manual or ad hoc retrieval tools!

Action Item #7: Perform a Privacy Impact Assessment

While its exact form can vary across different risk scenarios, a privacy impact assessment can be a powerful tool in identifying applicable privacy requirements, risks and mitigation strategies.
An effective privacy impact assessment works in tandem with the other action items described above and can include key elements such as:

- Formal identification of specific statutes, regulations and industry standards governing privacy and personal information in the organization.
- Declaration of authorized business purposes for which information may be collected, used, disclosed and/or retained.
- Determination of requirements to seek individual consent for any collection, use or disclosure of personal information, including possible information access by records storage providers.
- Description of contractual provisions and related enforcement controls related to information ownership, control, retention and protection.
- Summary of records retention rules and any technology specifications, workflow processes or other tools for implementing those rules.
- Assessment of information security and integrity risks, as well as any technical, physical or administrative safeguards to help prevent or mitigate those risks.
Part III: Moving Toward a Cloud-Based Solution

So, is moving toward a cloud-based solution for electronic records storage right for your organization? It just might be. The benefits of more storage space at a cheaper cost are hard to argue with in isolation, but those benefits can be negated if challenges with records ownership, retention, privacy and overall compliance cannot be adequately addressed. The key is to take a measured approach, considering all foreseeable risks and taking concrete, proactive steps to prevent and mitigate those risks. By taking actions such as those outlined in this article, a decision about records storage in the cloud becomes a lot less cloudy!

If you'd like to discuss whether a cloud-based solution is right for storing your electronic records, please get in touch.
Strategies for Developing a Document Imaging & Electronic Retention Program
Is it okay to destroy the paper source records? Are there any exceptions? Strategies for Developing a Document Imaging & Electronic Retention Program How do we ensure the program will stand up in court?
More informationCLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationTERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL
TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL INTRODUCTION WHAT IS A RECORD? AS ISO 15489-2002 Records Management defines a record as information created,
More informationHow To Ensure Health Information Is Protected
pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health
More informationUnion County. Electronic Records and Document Imaging Policy
Union County Electronic Records and Document Imaging Policy Adopted by the Union County Board of Commissioners December 2, 2013 1 Table of Contents 1. Purpose... 3 2. Responsible Parties... 3 3. Availability
More informationAnnex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015
Annex 1. Contract Checklist for Cloud-Based Genomic Research Version 1.0, 21 July 2015 The following comprises a checklist of areas that genomic research organizations or consortia (collectively referred
More informationInformation Sheet: Cloud Computing
info sheet 03.11 Information Sheet: Cloud Computing Info Sheet 03.11 May 2011 This Information Sheet gives a brief overview of how the Information Privacy Act 2000 (Vic) applies to cloud computing technologies.
More informationCANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper
CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS White Paper Table of Contents Addressing compliance with privacy laws for cloud-based services through persistent encryption and key ownership... Section
More informationCloud Service Contracts: An Issue of Trust
Cloud Service Contracts: An Issue of Trust Marie Demoulin Assistant Professor Université de Montréal École de Bibliothéconomie et des Sciences de l Information (EBSI) itrust 2d International Symposium,
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationINFORMATION SECURITY GUIDE. Cloud Computing Outsourcing. Information Security Unit. Information Technology Services (ITS) July 2013
INFORMATION SECURITY GUIDE Cloud Computing Outsourcing Information Security Unit Information Technology Services (ITS) July 2013 CONTENTS 1. Background...2 2. Legislative and Policy Requirements...3 3.
More informationCORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline)
CORPORATE RECORD RETENTION IN AN ELECTRONIC AGE (Outline) David J. Chavolla, Esq. and Gary L. Kemp, Esq. Casner & Edwards, LLP 303 Congress Street Boston, MA 02210 A. Document and Record Retention Preservation
More informationNSW Government. Cloud Services Policy and Guidelines
NSW Government Cloud Services Policy and Guidelines August 2013 1 CONTENTS 1. Introduction 2 1.1 Policy statement 3 1.2 Purpose 3 1.3 Scope 3 1.4 Responsibility 3 2. Cloud services for NSW Government 4
More informationCLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS. Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE. October 2, 2013
CLOUD COMPUTING ISSUES FOR SCHOOL DISTRICTS Presented to the 2013 BRADLEY F. KIDDER LAW CONFERENCE October 2, 2013 By: Diane M. Gorrow Soule, Leslie, Kidder, Sayward & Loughman, P.L.L.C. 220 Main Street
More informationResponsibilities of Custodians and Health Information Act Administration Checklist
Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures
More informationReport of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:
Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationHow the Information Governance Reference Model (IGRM) Complements ARMA International s Generally Accepted Recordkeeping Principles (GARP )
The Electronic Discovery Reference Model (EDRM) How the Information Governance Reference Model (IGRM) Complements ARMA International s Generally Accepted Recordkeeping Principles (GARP ) December 2011
More informationStandard: Information Security Incident Management
Standard: Information Security Incident Management Page 1 Executive Summary California State University Information Security Policy 8075.00 states security incidents involving loss, damage or misuse of
More informationBusiness System Recordkeeping Assessment - Digital Recordkeeping Compliance
Introduction The following assessment will assist to identify whether the system complies with State Records Authority of NSW Standards on Records Management The broad Principles of this standard are as
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationEnforce Governance, Risk, and Compliance Programs for Database Data
Enforce Governance, Risk, and Compliance Programs for Database Data With an Information Lifecycle Management Strategy That Includes Database Archiving, Application Retirement, and Data Masking WHITE PAPER
More informationCloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity. Amy Mushahwar, Esq.
Cloud Service Agreements: Avoiding the Pitfalls of the Cloud as a Commodity Amy Mushahwar, Esq. What s New? Not That Much. Some have their heads in the cloud we prefer to stay down in the weeds and know
More informationManaging Contracts under the FOIP Act. A Guide for Government of Alberta Contract Managers and FOIP Coordinators
Managing Contracts under the FOIP Act A Guide for Government of Alberta Contract Managers and FOIP Coordinators ISBN 978-0-7785-6102-6 Produced by Access and Privacy Service Alberta 3rd Floor, 10155 102
More informationWellesley College Written Information Security Program
Wellesley College Written Information Security Program Introduction and Purpose Wellesley College developed this Written Information Security Program (the Program ) to protect Personal Information, as
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationCLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC.
CLOUD IN MOTION QUESTIONS EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD. FRANK JACQUETTE, JACQUETTE CONSULTING, INC. S EVERY LIFE SCIENCES COMPANY SHOULD ASK BEFORE MOVING TO THE CLOUD.
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationWhat We ll Cover. Defensible Disposal of Records and Information Litigation Holds Information Governance the future of records management programs
What We ll Cover Foundations of Records and Information Management Creating a Defensible Retention Schedule Paper v. Electronic Records Organization and Retrieval of Records and Information Records Management
More informationplantemoran.com What School Personnel Administrators Need to know
plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of
More informationData Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records
CMA POLICY Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records I. INTRODUCTION This document is intended to provide some interim guidance with respect to the main
More informationState of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN. January 2010 December 2012 DECEMBER 31, 2009
State of Florida ELECTRONIC RECORDKEEPING STRATEGIC PLAN January 2010 December 2012 DECEMBER 31, 2009 Florida Department of State State Library and Archives of Florida 850.245.6750 http://dlis.dos.state.fl.us/recordsmanagers
More informationHow to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice
Information and Privacy Commissioner / Ontario How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Ann Cavoukian, Ph.D. Commissioner
More informationRECORDS MANAGEMENT POLICY
RECORDS MANAGEMENT POLICY POLICY STATEMENT The records of Legal Aid NSW are a major component of its corporate memory and risk management strategies. They are a vital asset that support ongoing operations
More informationINTERNATIONAL SOS. Data Retention, Archiving and Destruction Policy. Version 1.07
INTERNATIONAL SOS Data Retention, Archiving and Destruction Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: January 2009 Revised: 2015 All copyright in these materials
More informationAdministrative Procedures Memorandum A1452
Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal
More informationInformation Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems
Information Management Advice 18 - Managing records in business systems Part 1: Checklist for decommissioning business systems Introduction Agencies have systems which hold business information, such as
More informationADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0
ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright
Privacy in the Cloud Computing Era. A Microsoft Perspective
Privacy in the Cloud Computing Era A Microsoft Perspective November 2009 The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date
Cloud Computing Contracts. October 11, 2012
Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best
Guideline 2. Cloud Computing: Tools. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013
Public Record Office Victoria Cloud Computing Policy Guideline 2 Cloud Computing: Tools Version Number: 1.0 Issue Date: 26/06/2013 Expiry Date: 26/06/2018 State of Victoria 2013 Version 1.0 Table of Contents
PHIA GENERAL INFORMATION
To: From: Researchers Legal Services and Research Services Date: May 21, 2013 Subject: Research and the New Personal Health Information Act On June 1, 2013, the Personal Health Information Act ( PHIA )
Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder
Ten Questions Your Board Should be asking about Cyber Security Eric M. Wright, Shareholder Eric Wright, CPA, CITP Started my career with Schneider Downs in 1983. Responsible for all IT audit and system
Retention & Disposition in the Cloud Do you really have control?
InterPARES Trust Retention & Disposition in the Cloud Do you really have control? Franks Patricia, San Jose State University, San Jose, USA and Alan Doyle, University of British Columbia, Canada October
DATA BREACH COVERAGE
THIS ENDORSEMENT CHANGES THE POLICY. PLEASE READ THIS CAREFULLY. DATA BREACH COVERAGE SCHEDULE OF COVERAGE LIMITS Coverage Limits of Insurance Data Breach Coverage $50,000 Legal Expense Coverage $5,000
A Privacy and Data Security Checklist for All
July 2015 Many companies know they have to follow privacy and data security rules. Companies in the health care industry know about Health Insurance Portability and Accountability Act (HIPAA). Financial
Cloud Computing Contracts: Hazards Ahead
Cloud Computing Contracts: Hazards Ahead General Cloud Concerns Internal Network Requirements Connectivity Dependent Sustainability Loss of Control Legal Requirements Specific Hazards in the Contracts
Requirements for Technology Outsourcing
Requirements for Technology Outsourcing Table of Contents Revision History... 3 Overview... 4 Service Provider Selection... 5 Service Delivery Models... 5 Legal Considerations... 5 Security Assessments...
Service Schedule for CLOUD SERVICES
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
Generally Accepted Recordkeeping Principles
Generally Accepted Recordkeeping Principles Information Governance Maturity Model Information is one of the most vital strategic assets any organization possesses. Organizations depend on information to
Operational Risk Publication Date: May 2015. 1. Operational Risk... 3
OPERATIONAL RISK Contents 1. Operational Risk... 3 1.1 Legislation... 3 1.2 Guidance... 3 1.3 Risk management process... 4 1.4 Risk register... 7 1.5 EBA Guidelines on the Security of Internet Payments...
State of Michigan Records Management Services. Frequently Asked Questions About E-mail Retention
State of Michigan Records Management Services Frequently Asked Questions About E-mail Retention It is essential that government agencies manage their electronic mail (e-mail) appropriately. Like all other
Credit Union Code for the Protection of Personal Information
Introduction Canada is part of a global economy based on the creation, processing, and exchange of information. The technology underlying the information economy provides a number of benefits that improve
Guidelines for Digital Imaging Systems
NORTH CAROLINA DEPARTMENT OF CULTURAL RESOURCES OFFICE OF ARCHIVES AND HISTORY DIVISION OF HISTORICAL RESOURCES ARCHIVES AND RECORDS SECTION Guidelines for Digital Imaging Systems Phase I: Project Planning
Procedure for Managing a Privacy Breach
Procedure for Managing a Privacy Breach (From the Privacy Policy and Procedures available at: http://www.mun.ca/policy/site/view/index.php?privacy ) A privacy breach occurs when there is unauthorized access
PRIVACY BREACH POLICY
Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION
Data Protection Act 1998. Guidance on the use of cloud computing
Data Protection Act 1998 Guidance on the use of cloud computing Contents Overview... 2 Introduction... 2 What is cloud computing?... 3 Definitions... 3 Deployment models... 4 Service models... 5 Layered
Remote Deposit Service Terms and Conditions Personal and Business Accounts
Remote Deposit Service Terms and Conditions Personal and Business Accounts In this Agreement, the words you and your mean the member who enrolls or uses the services described in this Agreement. The words
Introduction Thanks Survey of attendees Questions at the end
Introduction Thanks Survey of attendees Questions at the end 1 Electronic records come in a variety of shapes and sizes and are stored in a multitude of ways. Just what are you managing? Video Cloud computing
CLOUD COMPUTING. 11 December 2013 TOWNSHIP OF KING TATTA 1
CLOUD COMPUTING (outsourcing records storage) TATTA SRINIVASA RECORDS MANAGER 11 December 2013 TOWNSHIP OF KING TATTA 1 Cloud computing A style of computing where scalable and elasticity IT-enabled capabilities
DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT
Advisor Article DATA SECURITY: A CRUCIAL TOPIC FOR CORPORATE COUNSEL AND MANAGEMENT By James R. Carroll, David S. Clancy and Christopher G. Clark* Skadden, Arps, Slate, Meagher & Flom Customer data security
HIPAA Security Alert
Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization's senior management respond to CMS or OIG inquiries about health information
PIPEDA and Online Backup White Paper
PIPEDA and Online Backup White Paper The cloud computing era has seen a phenomenal growth of the data backup service industry. Backup service providers, by nature of their business, are compelled to collect
APIP - Cyber Liability Insurance Coverages, Limits, and FAQ
APIP - Cyber Liability Insurance Coverages, Limits, and FAQ The state of Washington purchases property insurance from Alliant Insurance Services through the Alliant Property Insurance Program (APIP). APIP
Ministry of Children and Family Development (MCFD) Contractor's Information Management Guidelines
(This document supersedes the document previously entitled MCFD Contractor Records Guidelines) Ministry of Children and Family Development (MCFD) Contractor's Information Management Guidelines November
Privacy and Cloud Computing for Australian Government Agencies
Privacy and Cloud Computing for Australian Government Agencies Better Practice Guide February 2013 Version 1.1 Introduction Despite common perceptions, cloud computing has the potential to enhance privacy
Global Headquarters: 5 Speen Street Framingham, MA 01701 USA P.508.872.8200 F.508.935.4015 www.idc.com
WHITE PAPER The IT Manager's Role in Proactive Information Retention and Disposition Management: Balancing ediscovery and Compliance Obligations with IT Operational and Budget Constraints Sponsored by:
This form may not be modified without prior approval from the Department of Justice.
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee
Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key
Microsoft's Compliance Framework for Online Services
Microsoft's Compliance Framework for Online Services Online Services Security and Compliance Executive summary Contents Executive summary 1 The changing landscape for online services compliance 4 How Microsoft
Accelerating HIPAA Compliance with EMC Healthcare Solutions
Accelerating HIPAA Compliance with EMC Healthcare Solutions A HealthCIO White Paper Sponsored by the EMC Corporation by Jonathan Bogen 2003 E-mail: Info@HealthCIO.com www.healthcio.com Accelerating HIPAA
Personal Information Protection Act Information Sheet 11
Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores
How To Deal With Cloud Computing
A LEGAL GUIDE TO CLOUD COMPUTING INTRODUCTION Many companies are considering implementation of cloud computing services to decrease IT costs while providing the flexibility to scale usage on demand. The
Privacy Best Practices
Privacy Best Practices Mount Royal University Electronic Collection/Storage/Transmission of Personal (Google Drive/Forms/Docs) Google Suite: Document, Presentation, Spreadsheet, Form, Drawing Overview
Generally Accepted Recordkeeping Principles How Does Your Program Measure Up?
Generally Accepted Recordkeeping Principles How Does Your Program Measure Up? GARP Overview Creation Purpose GARP Overview Creation About ARMA International and the Generally Accepted Recordkeeping Principles
The HR Skinny: Effectively managing international employee data flows
The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study
VENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today's business world. Vendor
Signing the Contract - Contracture of People Managers
CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM This form is reserved for agencies and brokers acting on their own account and for designers of EDM systems for those agencies and
Montclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
Which Backup Option is Best?
Which Backup Option is Best? Which Backup Option is Best? Why Protect Your Data? Data loss disasters happen more frequently than you would think, for many different reasons: Human error and accidental
Data Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle's Cloud Services
Attachment A. Identification of Risks/Cybersecurity Governance
Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year
TAB Guide: Demonstrating Return-On-Investment for Records Management Initiatives
TAB Guide: Demonstrating Return-On-Investment for Records Management Initiatives 2 A 2008 survey by the Association for Information and Image Management (AIIM) concluded that when it comes to records management
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
RECORD AND INFORMATION MANAGEMENT FRAMEWORK FOR ONTARIO SCHOOL BOARDS/AUTHORITIES
PURPOSE Records and information are important strategic assets of an organization and, like other organizational assets (people, capital and technology), must be managed to maximize their value. Information
Acquia Comments on EU Recommendations for Data Processing in the Cloud
Acquia Comments on EU Recommendations for Data Processing in the Cloud Executive Summary On July 1, 2012, European Union (EU) data protection regulators provided guidelines for service providers processing
Accountable Privacy Management in BC's Public Sector
Accountable Privacy Management in BC's Public Sector Contents Accountable Privacy Management In BC's Public Sector 2 INTRODUCTION 3 What is accountability? 4 Steps to setting up the program 4 A. PRIVACY
Gain Efficiency, Cost Savings and Compliance with Iron Mountain's Portfolio of Services
ONE SOLUTION Maximize the Business Value of Your Information Gain Efficiency, Cost Savings and Compliance with Iron Mountain's Portfolio of Services In today's world, information whether in paper or digital
Transition Guidelines: Managing legacy data and information. November 2013 v.1.0
Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of
Cloud Computing Contract Clauses
Cloud Computing Contract Clauses Management Advisory Report Report Number SM-MA-14-005-DR April 30, 2014 Highlights The 13 cloud computing contracts did not address information accessibility and data security
Overview of Cloud Computing and Cloud Computing's Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin
Overview of Cloud Computing and Cloud Computing's Use in Government Justin Heyman CGCIO, Information Technology Specialist, Township of Franklin Best Practices for Security in the Cloud John Essner, Director
E-mail Management: A Guide For Harvard Administrators
E-mail Management: A Guide For Harvard Administrators E-mail is information transmitted or exchanged between a sender and a recipient by way of a system of connected computers. Although e-mail is considered
TECHNOLOGY AND INNOVATION DEPARTMENT BACKUP AND RECOVERY REVIEW AUDIT 14-08 SEPTEMBER 23, 2014
TECHNOLOGY AND INNOVATION DEPARTMENT BACKUP AND RECOVERY REVIEW AUDIT 14-08 SEPTEMBER 23, 2014 CITY OF TAMPA Bob Buckhorn, Mayor Internal Audit Department Christine Glover, Internal Audit Director September
Test Data Management for Security and Compliance
White Paper Test Data Management for Security and Compliance Reducing Risk in the Era of Big Data WHITE PAPER This document contains Confidential, Proprietary and Trade Secret Information ( Confidential
EHR Contributor Agreement
This EHR Contributor Agreement (this Agreement ) is made effective (the Effective Date ) and sets out certain terms and conditions that apply to the sharing of Personal