HOW SAFE IS YOUR DATA? Are you at risk of making the headlines for all the wrong reasons?
- Miles Golden
- 8 years ago
What do you need to consider when choosing a cloud service?

G-Cloud gives central and local government departments and organisations much more freedom of choice about the IT platforms they use, and the suppliers they work with, to deliver digital services. Policies like Cloud First encourage you to consider cloud before any other option. Because cloud is quicker and less expensive to procure and deploy than other platforms, it helps you reduce development lead times and deliver innovative services more efficiently and cost effectively.

It's faster and cheaper

But when you're choosing a new cloud service provider or cloud platform, there's more to think about than just how fast or how cheaply you can deliver a new service. Before you sign on the dotted line, you also need to think about the security, privacy and location of the sensitive data that's entrusted to you.

You may be happy storing your holiday photos in Dropbox or using Gmail for personal emails, but would you make similar choices for citizen or government data? It's your responsibility to make sure that the data in your care will be protected at all times. Once you've got the facts, assess the risks and choose your cloud provider wisely. You don't want to be the next headline in the Daily Mail.
What's the worst thing that could happen?

Security breaches can happen to any IT service, whether it's running on traditional infrastructure or the cloud. Statistically, fewer breaches happen on cloud platforms but, when they do, they make the news, like the ones that affected iCloud, Sony and Moonpig.

The consequences go far beyond the high fines. The negative publicity and the loss of trust can be much harder to deal with. It's bad enough for commercial firms, but for government departments and organisations entrusted with sensitive citizen data, the fallout can be much worse.

So when you're choosing a cloud platform or provider, you're naturally concerned about how well the citizen data in your care will be protected against viruses, malware and other cyber threats. But there's also another important consideration: assuring the privacy of that data, and knowing where it will be stored and processed.
Data privacy: what PRISM can tell us

Edward Snowden's revelations about PRISM, a data-collection program authorised by the US Foreign Intelligence Surveillance Act (FISA), raised significant concerns about the reach of foreign surveillance programmes, and their effect on the privacy of data held and processed by US internet and cloud service providers (ISPs and CSPs).

PRISM collected foreign intelligence passing through American servers as a counter-terrorism measure, without the consent of the data owners or controllers. Many US-based ISPs and CSPs, including Microsoft, Yahoo, Google and AOL, were implicated.

The global nature of many cloud services throws data privacy issues into stark relief. That's because, if a cloud service stores and processes data across geographical borders, it's possible for more than one legal jurisdiction to have an impact on the privacy of that data.

What does that mean when you're choosing a cloud provider?

If you choose a cloud platform operated by a US-based or other overseas provider, the citizen data you're responsible for could be subject to foreign surveillance without your knowledge, compromising its privacy.
"I don't know where my is, I don't know what country it's in, I don't know what laws are regulating it, I don't even know if the vendor knows where my is! That's going to change. You can't just be searching on the internet, using consumer services, doing various things and you don't know what's going on. You're going to have to have complete and total disclosure."

Marc Benioff, CEO, salesforce.com, speaking at the 2015 World Economic Forum in Davos during a debate on government's ability to access personal data and the impact on consumer trust
Five things you need to know

The five points that follow will help you understand the data security and privacy issues you need to think about, and how to mitigate them.

1. Breaching the UK Data Protection Act can lead to big fines and reputational damage. Make sure you know where your data will be processed and stored, and by whom.
2. You're responsible for validating suppliers' statements about security and understanding data jurisdiction. Take that responsibility seriously: interrogate your suppliers.
3. Safe Harbor isn't really safe, and doesn't exempt US companies from US law. Ask yourself who you're contracting with, and whether UK or US law prevails.
4. Data disclosure is a global issue. If you contract with an overseas supplier, your data could be subject to foreign surveillance.
5. There's a growing trend towards keeping data sovereign. Most parliamentarians we surveyed believe UK public sector data should be processed in the UK.
1. Breaching the UK Data Protection Act can lead to big fines and reputational damage

Data protection law, such as the UK Data Protection Act, applies whenever a data controller processes personal data. A data controller determines the purposes for which, and the manner in which, personal data is processed. A data processor processes or stores the data.

The UK Data Protection Act 1998 (DPA) is based on these principles:

1. Data should be processed fairly and lawfully and may not be processed unless the data controller can satisfy one of the conditions for processing set out in the DPA
2. Data should be obtained only for specified and lawful purposes
3. Data should be adequate, relevant and not excessive
4. Data should be accurate and, where necessary, kept up to date
5. Data should not be kept longer than is necessary for the purposes for which it is processed
6. Data should be processed in accordance with the rights of the data subject under the DPA
7. Appropriate technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
8. Data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Principle 8 isn't just a technical requirement: it's a legal requirement. You need to be confident that your supplier is providing adequate legal protection for the sensitive personal data about citizens that's under your control.
Data controllers must put written contracts in place with their data processors which set out what the data processor may or may not do with the personal data, including what security measures should be taken to safeguard the data.

In particular, your G-Cloud suppliers must not pass the data you control to third parties, including sub-contractors, without your written consent. Your G-Cloud suppliers must also put in place technical and organisational measures to protect your data. Failure to do so would breach both the DPA and the terms of the G-Cloud framework and its call-off contracts.

What could happen if you breach the DPA?

Apart from causing significant reputational damage, breaching the DPA can lead to fines of up to £500,000 from the Information Commissioner.

Make sure you know where your data will be processed and stored, and by whom.
2. You're responsible for validating suppliers' statements about security and understanding data jurisdiction

The introduction of the Government Security Classifications Policy (GSCP) means you can no longer rely on the assurance previously provided by CESG Pan Government Accreditation (PGA) to understand whether a supplier's systems will protect your data appropriately.

Over to you

Now it's up to you to determine whether suppliers comply with the government's 14 Cloud Security Principles. You must validate their statements of compliance, ranging from their own assertions to formal assurance by an independent third party, and decide whether you're satisfied with the security and integrity of their services.

You also have to be sure you know where (in which country) a supplier will process and store your data, in order to understand:

- The legal implications of data jurisdiction and the circumstances in which your data could be accessed without your consent
- How a supplier's data-handling controls relate to the UK DPA

What you should look for in a supplier

To avoid any nasty surprises, you'll want to look for suppliers who:

- Have independent third-party accreditation of their compliance with the 14 Cloud Security Principles
- Use security-cleared personnel for data processing activities
- Are UK-registered companies that keep data in the UK only
- Process data in accordance with the DPA and the lawful instructions of the data controller (your organisation)
3. Safe Harbor isn't really safe, and doesn't exempt US companies from US law

The EU-US Safe Harbor agreement is a voluntary arrangement by which US companies comply with EU data processing regulations. It's long been regarded as a way of de-risking exposure to the US Patriot Act, a counter-terrorism measure which can force US companies to disclose information to the US government.

Why can Safe Harbor no longer be considered safe?

- In 2014 the Center for Digital Democracy, a US consumer protection and privacy organisation, lodged a complaint against 30 US companies which weren't complying with Safe Harbor
- In 2014, in the wake of Edward Snowden's PRISM revelations, the European Parliament called for the suspension of Safe Harbor
- In 2015 German data protection authorities filed proceedings against US companies that allegedly don't comply with Safe Harbor, sending US companies the message that they need to pull their data protection socks up or find themselves designated an "unsafe harbor"
FISA effectively makes Safe Harbor irrelevant, as it allows the US government to oblige any US company to hand over data on request, without informing the people affected. So Microsoft, a US company, is having to fight the US federal government in the courts to prevent the handover of customer emails which reside on Microsoft servers in Dublin, Ireland.

Caspar Bowden, Microsoft's former Chief Privacy Advisor, went on record with the statement: "If you are not American, you cannot trust U.S. software services." He went on to say that non-compliance with the US government could lead to an espionage charge and up to 20 years in prison.

Plainly, Safe Harbor doesn't exempt US companies from US law.

"If you are not American, you cannot trust U.S. software services."
Caspar Bowden, Microsoft's former Chief Privacy Advisor
Ask yourself who you're contracting with

To protect citizen and other sensitive data from programmes like PRISM and overseas legislation like FISA, you'll want to work with suppliers who can prove they:

- Are registered in the UK
- Are not subsidiaries of overseas companies
- Have their physical premises in the UK
- Keep data in the UK only

The UK government clearly recognises the potential risks of working with overseas cloud providers, as any central government department wishing to offshore data, or make use of a cloud service with data storage, processing or management offshore, needs agreement from the Cabinet Office OGSIRO (Office of the Government Senior Information Risk Officer).
"Whether you're an enterprise vendor or a consumer vendor we need to all open up a lot more to be able to say exactly where is the data, what's going on with the data, who has the data and if there's a problem with the data, whether it's a security problem or some other issue, there is immediate disclosure and complete and total transparency."
Marc Benioff, CEO of salesforce.com, speaking at the World Economic Forum, Davos 2015

"Edward Snowden did more to create a future with many clouds in many locations than any tech company has done."
Steve Herrod, former CTO of VMware
4. Data disclosure is a global issue

It would be unfair to claim that issues around data disclosure law relate only to the US, or only to US ISPs and CSPs. Many countries, including the UK, have similar legislation.

Between January and June 2014:

Microsoft
- Received more than 34,000 law enforcement requests
- They came from 68 countries
- They related to over 58,000 accounts
- Microsoft released at least some data in response to over 75% of the requests

Google
- Received over 31,000 law enforcement requests
- They came from 68 countries
- They related to over 48,000 accounts
- Google released at least some data for 65% of the requests
Can a foreign government request your data?

To understand the legal circumstances in which the citizen data entrusted to you could be accessed without your consent, you need to know the geographical location in which a supplier will store and process it.

Here's an example: a US government body could instruct Microsoft to release data to it that belongs to a UK organisation. Microsoft wouldn't have to ask a UK court or the UK government for permission to do so, nor even make them aware it was releasing the data. What would the UK public think if they thought data about them could be released to other countries without their knowledge?

How can you minimise the risk?

If your supplier is a UK company which keeps data in the UK only, your data won't be exposed to data disclosure requests from other countries, unless a UK court explicitly instructs the supplier to release it.
5. There's a growing trend towards keeping data sovereign

When Skyscape Cloud Services asked the House of Commons and the House of Lords about their attitudes to data location and jurisdiction, a clear majority said that UK public sector data should be securely processed in the UK, by security-cleared personnel.

The European General Data Protection Regulation (GDPR), which becomes law in 2017 and will replace the UK DPA, aims to harmonise European data protection regulation and make Europe as a whole a much safer place to store and process data. It will put more emphasis on individual rights and increase transparency. It will also increase the penalties for breaching the regulation to up to 5% of an organisation's global turnover or €100 million, whichever is the greater.

A voluntary Data Protection Code of Conduct for European CSPs is being developed and embedded in the draft regulation. Skyscape and other CSPs are working hard to make sure the code strikes the right balance between keeping data safe and facilitating digital growth in Europe.
How can you assess the risks?

To make an informed risk assessment about which cloud services will provide appropriate protection for your data, you need to:

- Be sure you know where (in which country) your data will be processed and stored
- Clearly understand the legal implications

Over 80% of the MPs and almost 100% of the peers we surveyed agreed that the UK provides adequate protection for processing public sector data.
Keep out of the headlines by making the right decisions about cloud

Data privacy concerns and the global nature of many cloud services create legal and regulatory ambiguities for public sector cloud buyers. These are compounded by the introduction of the GSCP, which means public sector cloud buyers can no longer rely on the assurance provided by PGA. Instead, it's up to the buying organisation to:

- Validate the statements made by G-Cloud suppliers about the security and integrity of their services
- Identify the geographical location where their data will be processed and stored
- Understand how data-handling controls will be managed in relation to prevailing UK legislation

As the SIRO or civil servant responsible for the security and privacy of the citizen data entrusted to your organisation, you have to decide whether the risk of exposing your data to non-UK authorities is acceptable. Keeping data securely in the UK, with a UK-sovereign data processor, is the best mitigation you can have.

Skyscape is a UK company, with UK data centres run by UK-based, security-cleared staff. By hosting your services on our assured UK-sovereign cloud platform, you can realise the benefits of cloud and deliver better public services, safe in the knowledge that your data will be securely stored and processed exclusively in the UK.
About Skyscape

Skyscape's assured cloud solutions are designed to meet the exclusive needs of the UK public sector. We deliver UK-sovereign services that are easy to adopt, easy to use and easy to leave, and offer genuine pay-by-the-hour consumption models. A UK SME, we've won high-profile contracts via the G-Cloud framework and by working with our many channel partners who embed the Skyscape cloud platform in their solutions.

All our services are Pan Government Accredited (PGA) up to IL3, so suitable for all data at OFFICIAL (including OFFICIAL-SENSITIVE). The Skyscape cloud platform is connected to government networks including the Public Services Network (PSN) and the N3 health network.

We offer IaaS, PaaS and SaaS services:

- IaaS: compute and storage on demand
- SaaS: services providing messaging and document management capability
- PaaS: based on Cloud Foundry and Hadoop

All our services are hosted in one or both of our highly resilient Tier 3 UK data centres in Farnborough and Corsham. We deliver them using leading technologies from our Cloud Alliance partners: QinetiQ, VMware, Cisco, EMC and Ark Continuity. The Cloud Alliance provides a collaborative resource which drives innovation and technical product development, helping to continually improve our offering to meet the needs of the UK public sector.

Skyscape provides cloud services in an agile, secure and cost-effective manner. We strive to deliver solutions that harness technology as a way to facilitate the changes needed to streamline processes and reduce costs to support the UK public sector and, ultimately, UK citizens and taxpayers.
Skyscape Cloud Services Limited
A8 Cody Technology Park
Ively Road
Farnborough
Hampshire GU14 0LX
+44 (0)
SC-GEN /2015 Skyscape Cloud Services Limited All Rights Reserved.
24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )
More information005ASubmission to the Serious Data Breach Notification Consultation
005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation
More informationSo the security measures you put in place should seek to ensure that:
Guidelines This guideline offers an overview of what the Data Protection Act requires in terms of information security and aims to help you decide how to manage the security of the personal data you hold.
More informationTHE TRANSFER OF PERSONAL DATA ABROAD
THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE
More informationPrepared by: CACI Digital Services Date issued: March 2014. CACI Managed Cloud Hosting Overview
Prepared by: CACI Digital Services Date issued: March 2014 Overview Document Control This section details document control in terms of its distribution, configuration management, amendment history and
More informationI. Personal data and its use in the business to business environment.
RESPONSE FROM THE DIRECT MARKETING ASSOCIATION (UK) LTD. TO THE EUROPEAN COMMISSION'S CONSULTATION ON THE IMPLEMENTATION OF DIRECTIVE 95/46 EC ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING
More informationCloud Storage Policy (Draft for consultation)
(Draft for consultation) Please note that this draft is under consultation with stakeholders in colleges and university services, before refinement and approval by the appropriate University Committee.
More informationCloud Computing and Records Management
GPO Box 2343 Adelaide SA 5001 Tel (+61 8) 8204 8773 Fax (+61 8) 8204 8777 DX:336 srsarecordsmanagement@sa.gov.au www.archives.sa.gov.au Cloud Computing and Records Management June 2015 Version 1 Version
More informationCloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL
Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)
More informationICO SME data protection workshop 25 September, NEC
ICO SME data protection workshop 25 September, NEC Information security & working with government Amanda Hillman Data Sharing & Data Protection Manager Claire Francis Supply Chain Information Assurance
More informationHMG Security Policy Framework
HMG Security Policy Framework Security Policy Framework 3 Foreword Sir Jeremy Heywood, Cabinet Secretary Chair of the Official Committee on Security (SO) As Cabinet Secretary, I have a good overview of
More informationThe Impact on Marketing-Related Activities of the Data Protection Act and Related Legislation
The Impact on Marketing-Related Activities of the Data Protection Audience 1. This guidance is intended for all University staff who maintain or use database of contacts for marketing purposes, including
More informationEU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014
EU Data Protection and Information Security for Banking & Financial Service sectors 4 th December 2014 Janine Regan, Associate George Willis, Associate charlesrussellspeechlys.com Janine Regan Associate
More informationBig Data for Mutuals. Marc Dautlich 25 November 2013
Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?
More informationInhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie
Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie Rewriting the Past Oisin Tobin otobin@mhc.ie Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A
More informationHALIFAX CASH ISA. Conditions and information
HALIFAX CASH ISA. Conditions and information Welcome to Halifax 3 Section 1 How these conditions work 5 Section 2 Special Conditions 7 ISA Saver Variable 12 ISA Saver Online 13 ISA Saver Fixed 14 Junior
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationThird European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing
Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010 Panel IV: Privacy and Cloud Computing Data Protection and Cloud Computing under EU law Peter Hustinx European Data Protection
More informationTop 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World
Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society
More informationwww.corrs.com.au OFFSHORING Data the new privacy laws
www.corrs.com.au OFFSHORING Data the new privacy laws OFFSHORING DATA THE NEW PRIVACY LAWS Transfer of data by Australian organisations to other jurisdictions is increasingly common. This is a result of
More informationInformation Governance Policy
Information Governance Policy Implementation date: 30 September 2014 Control schedule Approved by Corporate Policy and Strategy Committee Approval date 30 September 2014 Senior Responsible Officer Kirsty-Louise
More informationYour SOS Survival Guide for Software Audits
Your SOS Survival Guide for Software Audits Produced by FAST Ltd. A Leading UK Authority in Software Asset Management & IT Compliance. Your SOS Survival Guide for Software Audits Facing a software audit?
More informationThe era of hacks and cyber regulation
6 February 2014 The era of hacks and cyber regulation We trust that you are well versed with the details of the various cyber-attacks that made the headlines towards the end of 2014, and early this year,
More informationCloud Security under the EU Data Protection Directive and draft General Data Protection Regulation
ENISA EU28 Cloud Security Conference 16 June 2015 Cloud Security under the EU Data Protection Directive and draft General Data Protection Regulation Kuan Hon Senior Researcher, Cloud Legal Project & Microsoft
More informationChair: Stephen Darvill (Logica) Raporteur: Edward Phelps (EURIM) SUMMARY OF ROUND TABLE STATEMENTS AND DISCUSSION
1 Summary Report of the Directors Round Table on Information Governance, 1600-1800, 24 th November 2008, The Boothroyd Room, Portcullis House, Westminster Chair: Stephen Darvill (Logica) Raporteur: Edward
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationHow To Control Content On The Cloud
1 EXPERT GROUP MEETING ON CLOUD COMPUTING CONTRACTS SYNTHESIS OF THE MEETING OF 30 APRIL 2014 On 30 April 2014, the Expert Group on Cloud Computing Contracts met for the sixth time. Three sessions were
More informationAustralia s unique approach to trans-border privacy and cloud computing
Australia s unique approach to trans-border privacy and cloud computing Peter Leonard Partner, Gilbert + Tobin Lawyers and Director, iappanz In Australia, as in many jurisdictions, there have been questions
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationCorporate ICT & Data Management. Data Protection Policy
90 Corporate ICT & Data Management Data Protection Policy Classification: Unclassified Date Created: January 2012 Date Reviewed January Version: 2.0 Author: Owner: Data Protection Policy V2 1 Version Control
More informationData Privacy in the Cloud: A Dozen Myths & Facts
Data Privacy in the Cloud: A Dozen Myths & Facts March 7-9 Washington DC Presented by: Barbara Cosgrove, Chief Security Officer, Workday, Inc. Lothar Determann, Partner, Baker & McKenzie LLP We re taking
More informationNATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH
NATIONAL PARTNERSHIP AGREEMENT ON E-HEALTH Council of Australian Governments An agreement between the Commonwealth of Australia and the States and Territories, being: The State of New South Wales The State
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationForeign Currency Account & Foreign Currency Term Deposit Terms and Conditions Effective 1 April 2015
Foreign Currency Account & Foreign Currency Term Deposit Terms and Conditions Effective 1 April 2015 What you need to know about these terms and conditions This booklet sets out the terms and conditions
More informationData Protection Act 1998. Bring your own device (BYOD)
Data Protection Act 1998 Bring your own device (BYOD) Contents Introduction... 3 Overview... 3 What the DPA says... 3 What is BYOD?... 4 What are the risks?... 4 What are the benefits?... 5 What to consider?...
More informationCanvassing the Cloud. An Eversheds LLP and PA Consulting Group study into the adoption of Cloud technologies
Canvassing the Cloud An Eversheds LLP and PA Consulting Group study into the adoption of Cloud technologies Contents Foreword 1 Insights from the study 2 Defining the Cloud 3 Study results 4 General 4
More informationPrivacy & Data Security: The Future of the US-EU Safe Harbor
Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT
More informationLegal Issues in the Cloud: A Case Study. Jason Epstein
Legal Issues in the Cloud: A Case Study Jason Epstein Outline Overview of Cloud Computing Service Models (SaaS, PaaS, IaaS) Deployment Models (Private, Community, Public, Hybrid) Adoption Different types
More informationDraft guidance for registered pharmacies providing internet and distance sale, supply or service provision
Draft guidance for registered pharmacies providing internet and distance sale, supply or service provision September 2014 1 The General Pharmaceutical Council is the regulator for pharmacists, pharmacy
More informationPrivacy Policy Draft
Introduction Privacy Policy Draft Please note this is a draft policy pending final approval Alzheimer s Australia values your privacy and takes reasonable steps to protect your personal information (that
More informationService description RFL Virtual Data Centre
Service description RFL Virtual Data Centre IaaS G-Cloud 6 1 Contents Overview... 3 Highlights... 3 Description... 3 Use cases... 3 Use cases... 5 Use cases... 5 Pricing... 5 Information assurance... 5
More information23/1/15 Version 1.0 (final)
Information Commissioner s Office response to the Cabinet Office s consultation on the proposal to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 ( PECR ), to enable the
More informationCLOUD COMPUTING GUIDELINES FOR LAWYERS
INTRODUCTION Legal practices are increasingly using cloud storage and software systems as an alternative to in-house data storage and IT programmes. The cloud has a number of advantages particularly flexibility
More informationProtective Monitoring as a Service. Lot 4 - Specialist Cloud Services. Version: 2.1, Issue Date: 05/02/201405/02/2014. Classification: Open
Protective Monitoring as a Service Version: 2.1, Issue Date: 05/02/201405/02/2014 Classification: Open Classification: Open ii MDS Technologies Ltd 201416/12/2014. Other than for the sole purpose of evaluating
More information