HOW SAFE IS YOUR DATA? Are you at risk of making the headlines for all the wrong reasons?


What do you need to consider when choosing a cloud service?

G-Cloud gives central and local government departments and organisations much more freedom of choice about the IT platforms they use, and the suppliers they work with, to deliver digital services. Policies like Cloud First encourage you to consider cloud before any other option. Because cloud is quicker and less expensive to procure and deploy than other platforms, it helps you reduce development lead times and deliver innovative services more efficiently and cost-effectively.

It's faster and cheaper

But when you're choosing a new cloud service provider or cloud platform, there's more to think about than just how fast or how cheaply you can deliver a new service. Before you sign on the dotted line, you also need to think about the security, privacy and location of the sensitive data that's entrusted to you. You may be happy storing your holiday photos in Dropbox or using Gmail for personal emails, but would you make similar choices for citizen or government data? It's your responsibility to make sure that the data in your care will be protected at all times. Once you've got the facts, assess the risks and choose your cloud provider wisely. You don't want to be the next headline in the Daily Mail.

What's the worst thing that could happen?

Security breaches can happen to any IT service, whether it's running on traditional infrastructure or in the cloud. Statistically, fewer breaches happen on cloud platforms but, when they do, they make the news, like the ones that affected iCloud, Sony and Moonpig. The consequences go far beyond the fines. The negative publicity and the loss of trust can be much harder to deal with. It's bad enough for commercial firms, but for government departments and organisations entrusted with sensitive citizen data, the fallout can be much worse.

So when you're choosing a cloud platform or provider, you're naturally concerned about how well the citizen data in your care will be protected against viruses, malware and other cyber threats. But there's also another important consideration: assuring the privacy of that data, and knowing where it will be stored and processed.

Data privacy: what PRISM can tell us

Edward Snowden's revelations about PRISM, a data-collection programme authorised under the US Foreign Intelligence Surveillance Act (FISA), raised significant concerns about the reach of foreign surveillance programmes and their effect on the privacy of data held and processed by US internet and cloud service providers (ISPs and CSPs). PRISM collected foreign intelligence passing through American servers as a counter-terrorism measure, without the consent of the data owners or controllers. Many US-based ISPs and CSPs, including Microsoft, Yahoo, Google and AOL, were implicated.

The global nature of many cloud services throws data privacy issues into stark relief. If a cloud service stores and processes data across geographical borders, more than one legal jurisdiction can have an impact on the privacy of that data.

What does that mean when you're choosing a cloud provider? If you choose a cloud platform operated by a US-based or other overseas provider, the citizen data you're responsible for could be subject to foreign surveillance without your knowledge, compromising its privacy.

"I don't know where my email is, I don't know what country it's in, I don't know what laws are regulating it, I don't even know if the vendor knows where my email is! That's going to change. You can't just be searching on the internet, using consumer services, doing various things and you don't know what's going on. You're going to have to have complete and total disclosure."

Marc Benioff, CEO, salesforce.com, speaking at the 2015 World Economic Forum in Davos during a debate on government's ability to access personal data and the impact on consumer trust

Five things you need to know

The five points that follow will help you understand the data security and privacy issues you need to think about, and how to mitigate them.

1. Breaching the UK Data Protection Act can lead to big fines and reputational damage. Make sure you know where your data will be processed and stored, and by whom.
2. You're responsible for validating suppliers' statements about security and understanding data jurisdiction. Take that responsibility seriously: interrogate your suppliers.
3. Safe Harbor isn't really safe, and doesn't exempt US companies from US law. Ask yourself who you're contracting with, and whether UK or US law prevails.
4. Data disclosure is a global issue. If you contract with an overseas supplier, your data could be subject to foreign surveillance.
5. There's a growing trend towards keeping data sovereign. Most parliamentarians we surveyed believe UK public sector data should be processed in the UK.

1. Breaching the UK Data Protection Act can lead to big fines and reputational damage

Data protection law, such as the UK Data Protection Act, applies whenever a data controller processes personal data. A data controller determines the purposes for which, and the manner in which, personal data is processed. A data processor processes or stores the data on the controller's behalf.

The UK Data Protection Act 1998 (DPA) is based on these eight principles:

1. Data should be processed fairly and lawfully, and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the DPA
2. Data should be obtained only for specified and lawful purposes
3. Data should be adequate, relevant and not excessive
4. Data should be accurate and, where necessary, kept up to date
5. Data should not be kept longer than is necessary for the purposes for which it is processed
6. Data should be processed in accordance with the rights of the data subject under the DPA
7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Principle 8 isn't just a technical requirement: it's a legal requirement. You need to be confident that your supplier is providing adequate legal protection for the sensitive personal data about citizens that's under your control.

Data controllers must put written contracts in place with their data processors which set out what the data processor may or may not do with the personal data, including what security measures must be taken to safeguard it. In particular, your G-Cloud suppliers must not pass the data you control to third parties, including sub-contractors, without your written consent. Your G-Cloud suppliers must also put in place technical and organisational measures to protect your data. Failure to do so would breach both the DPA and the terms of the G-Cloud framework and its call-off contracts.

What could happen if you breach the DPA?

Apart from causing significant reputational damage, breaching the DPA can lead to a monetary penalty of up to £500,000 from the Information Commissioner.

Make sure you know where your data will be processed and stored, and by whom.

2. You're responsible for validating suppliers' statements about security and understanding data jurisdiction

The introduction of the Government Security Classifications Policy (GSCP) means you can no longer rely on the assurance previously provided by CESG Pan Government Accreditation (PGA) to understand whether a supplier's systems will protect your data appropriately.

Over to you

Now it's up to you to determine whether suppliers comply with the government's 14 Cloud Security Principles. You must validate their statements of compliance, which range from their own assertions to formal assurance by an independent third party, and decide whether you're satisfied with the security and integrity of their services.

You also have to be sure you know where, in which country, a supplier will process and store your data, in order to understand:

- The legal implications of data jurisdiction, and the circumstances in which your data could be accessed without your consent
- How a supplier's data-handling controls relate to the UK DPA

What you should look for in a supplier

To avoid any nasty surprises, you'll want to look for suppliers who:

- Have independent third-party accreditation of their compliance with the 14 Cloud Security Principles
- Use security-cleared personnel for data processing activities
- Are UK-registered companies that keep data in the UK only
- Process data in accordance with the DPA and the lawful instructions of the data controller (your organisation)

3. Safe Harbor isn't really safe, and doesn't exempt US companies from US law

The EU-US Safe Harbor agreement is a voluntary arrangement by which US companies self-certify their compliance with EU data protection requirements. It has long been regarded as a way of de-risking exposure to the US Patriot Act, a counter-terrorism measure which can force US companies to disclose information to the US government.

Why can Safe Harbor no longer be considered safe?

- In 2014 the Center for Digital Democracy, a US consumer protection and privacy organisation, lodged a complaint against 30 US companies which it alleged weren't complying with Safe Harbor
- In 2014, in the wake of Edward Snowden's PRISM revelations, the European Parliament called for the suspension of Safe Harbor
- In 2015 German data protection authorities filed proceedings against US companies that allegedly don't comply with Safe Harbor, sending US companies the message that they need to pull their data protection socks up or find themselves designated an unsafe harbor

FISA effectively makes Safe Harbor irrelevant, as it allows the US government to oblige any US company to hand over data on request, without informing the people affected. Nor is FISA the only route to data held abroad by a US company: Microsoft is having to fight the US federal government in the courts to prevent the handover of customer emails which reside on Microsoft servers in Dublin, Ireland, demanded under a warrant issued under US domestic law (the Stored Communications Act) rather than under FISA. Caspar Bowden, Microsoft's former Chief Privacy Advisor, went on record with the statement: "If you are not American, you cannot trust U.S. software services." He went on to say that non-compliance with the US government could lead to an espionage charge and up to 20 years in prison. Plainly, Safe Harbor doesn't exempt US companies from US law.

Ask yourself who you're contracting with

To protect citizen and other sensitive data from programmes like PRISM and overseas legislation like FISA, you'll want to work with suppliers who can prove they:

- Are registered in the UK
- Are not subsidiaries of overseas companies
- Have their physical premises in the UK
- Keep data in the UK only

The UK government clearly recognises the potential risks of working with overseas cloud providers: any central government department wishing to offshore data, or make use of a cloud service with data storage, processing or management offshore, needs agreement from the Cabinet Office OGSIRO (Office of the Government Senior Information Risk Officer).

"Whether you're an enterprise vendor or a consumer vendor, we need to all open up a lot more to be able to say exactly where is the data, what's going on with the data, who has the data and, if there's a problem with the data, whether it's a security problem or some other issue, there is immediate disclosure and complete and total transparency."

Marc Benioff, CEO of salesforce.com, speaking at the World Economic Forum, Davos 2015

"Edward Snowden did more to create a future with many clouds in many locations than any tech company has done."

Steve Herrod, former CTO of VMware

4. Data disclosure is a global issue

It would be unfair to claim that issues around data disclosure law relate only to the US, or only to US ISPs and CSPs. Many countries, including the UK, have similar legislation.

Between January and June 2014:

Microsoft
- Received more than 34,000 law enforcement requests
- They came from 68 countries
- They related to over 58,000 accounts
- Microsoft released at least some data in response to over 75% of the requests

Google
- Received over 31,000 law enforcement requests
- They came from 68 countries
- They related to over 48,000 accounts
- Google released at least some data for 65% of the requests

Can a foreign government request your data?

To understand the legal circumstances in which the citizen data entrusted to you could be accessed without your consent, you need to know the geographical location in which a supplier will store and process it. Here's an example: a US government body could instruct Microsoft to release to it data that belongs to a UK organisation. Microsoft wouldn't have to ask a UK court or the UK government for permission to do so, nor even make them aware it was releasing the data. What would the UK public think if they knew data about them could be released to other countries without their knowledge?

How can you minimise the risk?

If your supplier is a UK company which keeps data in the UK only, your data won't be exposed to data disclosure requests from other countries, unless a UK court explicitly instructs the supplier to release it.

5. There's a growing trend towards keeping data sovereign

When Skyscape Cloud Services asked members of the House of Commons and the House of Lords about their attitudes to data location and jurisdiction, a clear majority said that UK public sector data should be securely processed in the UK, by security-cleared personnel.

The European General Data Protection Regulation (GDPR), which is expected to become law in 2017 and will replace the UK DPA, aims to harmonise European data protection regulation and make Europe as a whole a much safer place to store and process data. It will put more emphasis on individual rights and increase transparency. Under the draft text being negotiated at the time of writing, it will also increase the penalties for breaching the regulation to up to 5% of an organisation's global turnover or €100 million, whichever is the greater.

A voluntary Data Protection Code of Conduct for European CSPs is being developed and embedded in the draft regulation. Skyscape and other CSPs are working hard to make sure the code strikes the right balance between keeping data safe and facilitating digital growth in Europe.

How can you assess the risks?

To make an informed risk assessment about which cloud services will provide appropriate protection for your data, you need to:

- Be sure you know where, in which country, your data will be processed and stored
- Clearly understand the legal implications

Over 80% of the MPs and almost 100% of the peers we surveyed agreed that the UK provides adequate protection for processing public sector data.

Keep out of the headlines by making the right decisions about cloud

Data privacy concerns and the global nature of many cloud services create legal and regulatory ambiguities for public sector cloud buyers. These are compounded by the introduction of the GSCP, which means public sector cloud buyers can no longer rely on the assurance provided by PGA. Instead, it's up to the buying organisation to:

- Validate the statements made by G-Cloud suppliers about the security and integrity of their services
- Identify the geographical location where their data will be processed and stored
- Understand how data-handling controls will be managed in relation to prevailing UK legislation

As the SIRO or civil servant responsible for the security and privacy of the citizen data entrusted to your organisation, you have to decide whether the risk of exposing your data to non-UK authorities is acceptable. Keeping data securely in the UK, with a UK-sovereign data processor, is the best mitigation you can have.

Skyscape is a UK company, with UK data centres run by UK-based, security-cleared staff. By hosting your services on our assured UK-sovereign cloud platform, you can realise the benefits of cloud and deliver better public services, safe in the knowledge that your data will be securely stored and processed exclusively in the UK.

About Skyscape

Skyscape's assured cloud solutions are designed to meet the exclusive needs of the UK public sector. We deliver UK-sovereign services that are easy to adopt, easy to use and easy to leave, and offer genuine pay-by-the-hour consumption models. A UK SME, we've won high-profile contracts via the G-Cloud framework and by working with our many channel partners who embed the Skyscape cloud platform in their solutions.

All our services are Pan Government Accredited (PGA) up to IL3, so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE). The Skyscape cloud platform is connected to government networks including the Public Services Network (PSN) and the N3 health network.

We offer IaaS, PaaS and SaaS services:

- IaaS: compute and storage on demand
- SaaS: services providing messaging and document management capability
- PaaS: based on Cloud Foundry and Hadoop

All our services are hosted in one or both of our highly resilient Tier 3 UK data centres in Farnborough and Corsham. We deliver them using leading technologies from our Cloud Alliance partners: QinetiQ, VMware, Cisco, EMC and Ark Continuity. The Cloud Alliance provides a collaborative resource which drives innovation and technical product development, helping to continually improve our offering to meet the needs of the UK public sector.

Skyscape provides cloud services in an agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes needed to streamline processes and reduce costs, to support the UK public sector and, ultimately, UK citizens and taxpayers.

Skyscape Cloud Services Limited
A8 Cody Technology Park, Ively Road, Farnborough, Hampshire GU14 0LX
+44 (0)
SC-GEN /2015
Skyscape Cloud Services Limited. All Rights Reserved.


More information

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A

More information

How to ensure control and security when moving to SaaS/cloud applications

How to ensure control and security when moving to SaaS/cloud applications How to ensure control and security when moving to SaaS/cloud applications Stéphane Hurtaud Partner Information & Technology Risk Deloitte Laurent de la Vaissière Directeur Information & Technology Risk

More information

Delivering Government Cloud in 2012 Andy Tait VMware UK. VMware Copyright 2009 VMware, Inc. All rights reserved.

Delivering Government Cloud in 2012 Andy Tait VMware UK. VMware Copyright 2009 VMware, Inc. All rights reserved. Delivering Government Cloud in 2012 Andy Tait VMware UK VMware Copyright 2009 VMware, Inc. All rights reserved. Agenda A Brief History The UK Commitment to Cloud Latest Progress Update The CloudStore The

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

Information Governance and Assurance Framework Version 1.0

Information Governance and Assurance Framework Version 1.0 Information Governance and Assurance Framework Version 1.0 Page 1 of 19 Document Control Title: Original Author(s): Owner: Reviewed by: Quality Assured by: Meridio Location: Approval Body: Policy and Guidance

More information

The Cadence Partnership Service Definition

The Cadence Partnership Service Definition The Cadence Partnership Service Definition About Cadence The Cadence Partnership is an independent management consultancy, specialising in working with a wide range of organisations, solving complex issues

More information

FISHER & PAYKEL PRIVACY POLICY

FISHER & PAYKEL PRIVACY POLICY FISHER & PAYKEL PRIVACY POLICY 1. About this Policy Fisher & Paykel Australia Pty Limited (ABN 71 000 042 080) and its related companies ('we', 'us', 'our') understands the importance of, and is committed

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Regulation of Investigatory Powers Act 2000

Regulation of Investigatory Powers Act 2000 Regulation of Investigatory Powers Act 2000 Consultation: Equipment Interference and Interception of Communications Codes of Practice 6 February 2015 Ministerial Foreword The abilities to read or listen

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015

Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015 Webinar Questions Local Government Data Security Help Improve Your Compliance, 30 July 2015 Here are the answers to the questions we were asked during the webinar. There are a few questions we are still

More information

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open Protective Monitoring as a Service Version: 2.1, Issue Date: 05/02/201405/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 201416/12/2014. Other than for the sole purpose of evaluating

More information

Corporate ICT & Data Management. Data Protection Policy

Corporate ICT & Data Management. Data Protection Policy 90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control

More information

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation The Data Protection Landscape Before and after GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection)

More information

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),

More information

As the US debates email privacy a Berlin start up surges with...

As the US debates email privacy a Berlin start up surges with... TOP STORIES / SCI-TECH DATA PROTECTION As the US debates email privacy a Berlin start up surges with 'anonymous post' No matter how much we say we're angry about the NSA scandal, we still use all the services

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Data Protection Act 1998. Bring your own device (BYOD)

Data Protection Act 1998. Bring your own device (BYOD) Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY

WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY WEST LOTHIAN COUNCIL DATA PROTECTION ACT 1998 POLICY Version 3.0 DATA PROTECTION ACT 1998 POLICY CONTENTS 1. INTRODUCTION... 3 2. PROVISIONS OF THE ACT... 4 3. SCOPE... 4 4. GENERAL POLICY STATEMENT...

More information

www.corrs.com.au OFFSHORING Data the new privacy laws

www.corrs.com.au OFFSHORING Data the new privacy laws www.corrs.com.au OFFSHORING Data the new privacy laws OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of

More information

GDPR & Cloud Providers Keynote Presentation

GDPR & Cloud Providers Keynote Presentation Cloudscape VII 9 March 2015 GDPR & Cloud Providers Keynote Presentation Kuan Hon Research Consultant, Cloud Legal Project & MCCRC Centre for Commercial Law Studies Queen Mary, University of London w.k.hon@qmul.ac.uk

More information

Data Protection for Charities

Data Protection for Charities Data Protection for Charities CFG 15 May 2014 Overview Overview and key definitions The data protection principles Fair and lawful processing Data security and outsourcing Rights of data subjects Recent

More information

Legal Issues in the Cloud: A Case Study. Jason Epstein

Legal Issues in the Cloud: A Case Study. Jason Epstein Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types

More information

Cloud Computing in the Victorian Public Sector

Cloud Computing in the Victorian Public Sector Cloud Computing in the Victorian Public Sector AIIA response July 2015 39 Torrens St Braddon ACT 2612 Australia T 61 2 6281 9400 E info@aiia.com.au W www.aiia.comau Page 1 of 9 17 July 2015 Contents 1.

More information

The legal and commercial risks and issues to consider when managing emails

The legal and commercial risks and issues to consider when managing emails The legal and commercial risks and issues to consider when managing emails Change Harbour, October 2012 About Change Harbour Change Harbour Ltd is a consultancy organisation that delivers innovative strategic,

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

Prepared by: CACI Digital Services Date issued: March 2014. CACI Managed Cloud Hosting Overview

Prepared by: CACI Digital Services Date issued: March 2014. CACI Managed Cloud Hosting Overview Prepared by: CACI Digital Services Date issued: March 2014 Overview Document Control This section details document control in terms of its distribution, configuration management, amendment history and

More information

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller

Data, Privacy, Cookies and the FTC in 2013. Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller Data, Privacy, Cookies and the FTC in 2013 Kevin Stark - ExactTarget Maltie Maraj - ExactTarget Nicholas Merker - Ice Miller BIOS Kevin Stark: Product Manager at ExactTarget. Focused on data security,

More information

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014

EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

ICO SME data protection workshop 25 September, NEC

ICO SME data protection workshop 25 September, NEC ICO SME data protection workshop 25 September, NEC Information security & working with government Amanda Hillman Data Sharing & Data Protection Manager Claire Francis Supply Chain Information Assurance

More information

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY 1. About this Policy Corporate Travel Management Group Pty Ltd (ABN 52 005 000 895) (CTM) ('we', 'us', 'our') understands the importance of, and is committed

More information

Patriot Act Impact on Canadian Organizations Using Cloud Services

Patriot Act Impact on Canadian Organizations Using Cloud Services Patriot Act Impact on Canadian Organizations Using Cloud Services November 8, 2013 By Scott Wright The Streetwise Security Coach http://www.securityperspectives.com 1 PRESENTATION TITLE Why do nation-states

More information

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 1.0, Issue Date: 05/02/201405/02/2014. Classification: Open

Protective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 1.0, Issue Date: 05/02/201405/02/2014. Classification: Open Protective Monitoring as a Service Version: 1.0, Issue Date: 05/02/201405/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 2014. Other than for the sole purpose of evaluating this

More information

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010 Panel IV: Privacy and Cloud Computing Data Protection and Cloud Computing under EU law Peter Hustinx European Data Protection

More information

FRANCE. Chapter XX OVERVIEW

FRANCE. Chapter XX OVERVIEW Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection

More information

Cloud Storage Policy (Draft for consultation)

Cloud Storage Policy (Draft for consultation) (Draft for consultation) Please note that this draft is under consultation with stakeholders in colleges and university services, before refinement and approval by the appropriate University Committee.

More information

Cybercrime: risks, penalties and prevention

Cybercrime: risks, penalties and prevention Cybercrime: risks, penalties and prevention Cyber attacks have been appearing in the news with increased frequency and recent victims of cybercrime have included well-known companies such as Sony, LinkedIn,

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Clause 1. Definitions and Interpretation

Clause 1. Definitions and Interpretation [Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-

More information

Chair: Stephen Darvill (Logica) Raporteur: Edward Phelps (EURIM) SUMMARY OF ROUND TABLE STATEMENTS AND DISCUSSION

Chair: Stephen Darvill (Logica) Raporteur: Edward Phelps (EURIM) SUMMARY OF ROUND TABLE STATEMENTS AND DISCUSSION 1 Summary Report of the Directors Round Table on Information Governance, 1600-1800, 24 th November 2008, The Boothroyd Room, Portcullis House, Westminster Chair: Stephen Darvill (Logica) Raporteur: Edward

More information

Considerations for Outsourcing Records Storage to the Cloud

Considerations for Outsourcing Records Storage to the Cloud Considerations for Outsourcing Records Storage to the Cloud 2 Table of Contents PART I: Identifying the Challenges 1.0 Are we even allowed to move the records? 2.0 Maintaining Legal Control 3.0 From Storage

More information

Quick guide: Using the Cloud to support your business

Quick guide: Using the Cloud to support your business Quick guide: Using the Cloud to support your business This Quick Guide is one of a series of information products targeted at small to medium sized enterprises (SMEs). It is designed to help businesses

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

2013 Cloud Computing Outlook: Private Cloud Expected to Grow at Twice the Rate of Public Cloud

2013 Cloud Computing Outlook: Private Cloud Expected to Grow at Twice the Rate of Public Cloud Private Cloud Expected to Grow at Twice the Rate of Public Cloud In This Paper Security, privacy concerns about the cloud remain SaaS is the most popular cloud service model in use today Microsoft, Google

More information

What You Need to Know About CLOUD INFORMATION PROTECTION SOLUTIONS

What You Need to Know About CLOUD INFORMATION PROTECTION SOLUTIONS What You Need to Know About CLOUD INFORMATION PROTECTION SOLUTIONS Table of Contents Cloud Adoption Drivers Key Capabilities and Technologies Usability and User Experience Security Technology Architecture

More information

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations

DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations DIGITALEUROPE and European Services Forum (ESF) response to the Draft Supervision Rules on Insurance Institutions Adopting Digitalised Operations Brussels, October 2015 INTRODUCTION On behalf of the European

More information

IT Services. Capita Private Cloud. Cloud potential unleashed

IT Services. Capita Private Cloud. Cloud potential unleashed IT Services Capita Private Cloud Cloud potential unleashed Cloud computing at its best Cloud is fast becoming an integral part of every IT strategy. It reduces cost and complexity, whilst bringing freedom,

More information

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE

2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE 2014 NETWORK SECURITY & CYBER RISK MANAGEMENT: THE THIRD ANNUAL SURVEY OF ENTERPRISE-WIDE CYBER RISK MANAGEMENT PRACTICES IN EUROPE February 2014 Sponsored by: 2014 Network Security & Cyber Risk Management:

More information

BHF Southern African Conference

BHF Southern African Conference BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Cloud Computing and Records Management

Cloud Computing and Records Management GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version

More information

Information Governance Policy

Information Governance Policy Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise

More information