Delivery date: 18 October 2014

Genomic and Clinical Data Sharing Policy Questions with Technology and Security Implications: Consensus Positions from the Data Safe Havens Task Team

When the Security Working Group (SWG) was asked to expedite the development of a security technology infrastructure specification for the Global Alliance for Genomics and Health, the lack of a uniform privacy and security policy foundation confounded the task. To begin to establish such policy, the SWG posed to the Regulatory and Ethics Working Group (REWG) a set of eight key genomic and clinical data sharing policy questions that carry technology and security implications. To address these questions, the REWG formed the Data Safe Havens Task Team, with members from both working groups. The following constitutes the consensus position of the Data Safe Havens Task Team for each question. The Task Team intends for these position statements to help guide the policy work of the REWG and the technology infrastructure work of the SWG.

Question 1

One can envision a number of ways that Global Alliance for Genomics and Health (GA4GH) participants might make their genomic and clinical data available to other GA4GH participants, and each of these ways implies a different technology architecture. Which of the following most closely matches how you envision GA4GH participants sharing data?

a. Each GA4GH participant that is a data provider will hold and manage its own data and will provide means for other GA4GH participants to query the data, consistent with the data provider's own privacy and security policy;
b. The GA4GH will help steward one or more shared repositories that hold genomic and clinical data contributed by GA4GH data providers, each of whom will manage its own data sets under its own privacy and security rules; or
c. Some other way (please describe).

The GA4GH as an entity will not hold any data. Rather, it will define policy for responsible stewardship and technology standards to serve as guidance for participants in the GA4GH ecosystem. Some genomic and clinical data shared within the GA4GH ecosystem will reside in large repositories that are managed by a single entity, under a single policy. Some GA4GH participants will hold their own data, managed under their own local rules. And some participants may adopt a hybrid approach wherein certain data are locally managed, and some data subsets are contributed to a shared repository. In general, data used in clinical practice may be more likely to be held locally and protected under local policy. The GA4GH will set forth a high-level set of principles of responsible data sharing to which all participating organizations and individuals should conform. Local rules are acceptable so long as they do not violate the overarching GA4GH mission and the principles and core elements articulated in the Framework for Responsible Sharing of Genomic and Health-Related Data. Layers of policy may apply.

Question 2

One can also envision a number of ways that GA4GH participants might access and use shared genomic and clinical data, and each of these ways implies different security mechanisms. Which of the following most closely matches how you envision GA4GH participants accessing shared data?

a. By searching for and retrieving data, or downloading an entire data set, from one or more repository(s) made available to GA4GH participants, and analyzing the data using a software application running on the participant's own computer system;
b. By using a web-based query service that the data holder makes available to GA4GH participants and that returns a response to the user's query;
c. By executing a software application that analyzes data stored in one or more GA4GH participants' repositories, without copying any data to the user's own machine; or
d. Some other way (please describe).

Options A and B will definitely happen, but it is not yet clear how much federation (option C) will be possible. The Regulatory and Ethics Working Group should address the policy implications of options B and C.

Question 3

We assume that identity needs to be managed, and actions attributed, to the level of an individual user (versus group affiliation). That is, each person will log in to the shared resource using her own, validated identity; access to applications and data will be controlled based on the authorizations assigned to that identity and its associated role/affiliation; actions will be attributed to that identity; and digital signatures will be at the individual level. Is this a valid assumption?

a. Who will be responsible for identity-proofing individuals prior to giving them access to GA4GH-shared genomic and clinical data?
b. What level of assurance is required for identity proofing? For example, will the individual need to be present in person in order to be identity proofed?
c. Who will issue access credentials (e.g., password, digital certificate) to individuals?
d. Can an individual's authenticated identity be passed from one server to another? That is, if an individual logs into a software server authorized to access data held by a GA4GH participant, can that server pass that authenticated identity to another server without requiring the user to log in again? If identities are shared in this way, how strong should the initial authentication be to make it trustworthy?
e. Who will identity-proof and issue credentials to software servers that access data held by GA4GH participants?

Yes, this is a valid assumption. The GA4GH may want to investigate the use of third-party identity-proofing options.

The GA4GH definitely needs the ability for an individual's authenticated identity to be passed from one server to another. Also, individuals' local access authorizations are subject to change, such as when the individual changes roles or leaves the institution. The GA4GH needs a way to assure that any local changes in an individual's authorizations, or deletion of their local account, are propagated across the GA4GH ecosystem. The methods used for identity proofing and authentication, and the levels of assurance provided by those methods, may vary based on local policy and the sensitivity of the data. This variability will make it necessary for information regarding methods to be passed along with the authenticated identity.[1]

[1] The ability to pass authenticated identities makes the strength of the initial authentication even more important with regard to security assurance.

Question 4

We recognize that data privacy and security laws differ among GA4GH participant jurisdictions. How will these differences be accommodated within a GA4GH privacy and security policy?

a. Will the GA4GH adopt policy that reflects the most restrictive rules among all jurisdictions represented in the GA4GH organizational membership?
b. Will the GA4GH adopt minimal policy, assigning to each GA4GH participant responsibility for assuring compliance with more restrictive applicable law?
c. Will the GA4GH adopt some other type of policy?
d. Will the GA4GH require each participant to formally agree to comply with the GA4GH privacy and security policy?

The GA4GH will certainly need an agreed-upon privacy and security policy, guided in part by the Framework for Responsible Sharing of Genomic and Health-Related Data. Questions that need to be considered include: what technological mechanisms would need to be in place to prevent violations of policy, and who would be responsible for monitoring and enforcing these policies. While performing an analysis in situ within a country of origin would provide a technological solution to enable simplified policy, practically, it must be assumed that data will pass between countries. Sharing data between countries may be simplified by ensuring that sufficient privacy protections are in place to comply with local data protection regulations. For those countries with anonymization policies, there are difficulties and considerations to deal with in relation to the possibility of stripping data of usefulness as part of the anonymizing process. Allowing data to leave countries to a small number of aggregation depots may create a simpler ecosystem with a lower overall policy management burden.

In the end, a privacy and security policy must drive the technological choices and final security architecture when sharing data among entities that may span institutional, geographic, and regulatory boundaries.

Question 5

What will be the policy regarding the generation and maintenance of an accounting of accesses and uses of genomic and clinical data shared among GA4GH participants? Will the GA4GH maintain a centralized accounting of data accesses and uses, or will such logs reside with each participant? Who will review this/these log(s)? How will potential breaches and misuses be detected, and to whom will they be reported?

The GA4GH could act as a certification authority, possibly issuing a "data safe haven" badge of trust. There will not be any centralized accounting. Who is responsible for reviewing logs matters less than ensuring that the logs would in fact be available, reviewable and in an interoperable common log format. The GA4GH should develop guidelines on sanctions for breach of policies. A deliberate and material breach of a policy could lead to expulsion from the GA4GH, but notification should first be sent to the member. Options could also include contractual sanctions in a GA4GH data transfer agreement. We anticipate that most breaches will likely be accidental, and it will be important to set a threshold/gradation for seriousness of breaches. Both the airline and financial industries provide good models for incident handling.

Question 6

What types of data will be sharable among GA4GH participants? For example, will demographic data be included? What is the policy for protecting phenotypic data?

Both genomic and clinical data could be shareable within the GA4GH ecosystem. This could be broadened under the umbrella term "health-related data". Policies for protecting different categories of data, based on sensitivity or other attribute, may be developed by the GA4GH.

Question 7

Will a GA4GH privacy and security policy contain any restrictions around the use of cloud services? For example, are public (i.e. commercial) clouds and private clouds equally acceptable? Does the GA4GH plan to use a community cloud for use only among GA4GH participants? Does the GA4GH plan to certify cloud service providers?

Foundational security protections will be consistent with generally accepted practices on all technology systems, i.e., a need for authentication, encryption, etc. Protections will be implemented at multiple layers (e.g., application layer, operating system layer, and hardware layer) both within local data centers and within virtual facilities providing cloud services. As discussed in Question 5, audit logs of security-relevant events, including data accesses, should be interoperable. To enable compliance with jurisdictional and institutional policies, the physical location of stored data and application services should be transparent. For example, the virtualization model for cloud services moves data from server to server, data center to data center, and may cross countries or regions. Virtualization that crosses geographical boundaries may be problematic with respect to compliance with applicable laws (e.g. data privacy, intellectual property). Security and privacy policies, as well as consent policies, need to be respected by cloud service providers. A program to certify cloud service providers may be instituted by the GA4GH or a third party.

Question 8

How will appropriate individual consent be obtained, managed, and enforced within the GA4GH community? How will an individual be able to change his or her authorizations for data sharing and use?

a. Each GA4GH participant will be responsible for obtaining unrestricted consent for any individual data shared with any other GA4GH participant, and for terminating sharing of the individual's data to the GA4GH upon the individual's request;
b. Each GA4GH participant will be responsible for obtaining the consent necessary for the intended usage before sharing individual data with any other GA4GH participant; for communicating to a recipient any restrictions the individual has placed on the use of those data; and for implementing any authorization changes the individual may make;
c. Each GA4GH participant will be responsible for obtaining consent authorizing the GA4GH to manage access to an individual's data, and the GA4GH will enable individuals to select (and change) sharing preferences to be enforced within the GA4GH community; or
d. Some other consent scheme.

The entity that makes the data available within the GA4GH ecosystem will be responsible for assuring that, where required, the consent necessary for the intended usage has been obtained before sharing individual data within the GA4GH ecosystem; for assuring that any restrictions the individual has placed on the use of those data are conveyed along with the data; and for communicating any authorization changes the individual may make. The provider of the data service that enables users to access the data is responsible for enforcing these restrictions, and for communicating restrictions to the data recipient.

We recognize that the privacy and consent laws vary among the countries involved in the GA4GH. We further recognize that the institutional privacy and consent policies and practices vary among the institutions that hold and manage genomic and clinical data, including the granularity of permission and authorization rules. Our challenge is to discover and enable means and mechanisms for enabling data to be shared among a broad diversity of geographies and institutions, while adhering to applicable law, policies, and individual preferences. Also, mechanisms for making legacy collections more efficiently available, which may include clinical information and tissues from deceased individuals, need to be developed.


More information

Johnson Controls Privacy Notice

Johnson Controls Privacy Notice Johnson Controls Privacy Notice Johnson Controls, Inc. and its affiliated companies (collectively Johnson Controls, we, us or our) care about your privacy and are committed to protecting your personal

More information

TECHNICAL SPECIFICATION: LEGISLATION EXECUTING CLOUD SERVICES

TECHNICAL SPECIFICATION: LEGISLATION EXECUTING CLOUD SERVICES REALIZATION OF A RESEARCH AND DEVELOPMENT PROJECT (PRE-COMMERCIAL PROCUREMENT) ON CLOUD FOR EUROPE TECHNICAL SPECIFICATION: LEGISLATION EXECUTING CLOUD SERVICES ANNEX IV (D) TO THE CONTRACT NOTICE TENDER

More information

Information Technology Security Policy for IBTS

Information Technology Security Policy for IBTS Information Technology Security Policy for IBTS Pakistan Stock Exchange Limited Table of contents Information Technology Security Policy for IBTS 1- INTRODUCTION AND SCOPE... 3 2- CHARTER OF THE DOCUMENT...

More information

Privacy Impact Assessment

Privacy Impact Assessment MAY 24, 2012 Privacy Impact Assessment matters management system Contact Point: Claire Stapleton Chief Privacy Officer 1700 G Street, NW Washington, DC 20552 202-435-7220 claire.stapleton@cfpb.gov DOCUMENT

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

HIPAA Audit Risk Assessment - Risk Factors

HIPAA Audit Risk Assessment - Risk Factors I II Compliance Compliance I Compliance II SECTION ONE COVERED ENTITY RESPONSIBILITIES AREA ONE Notice of Privacy Practices 1 Is your full notice of privacy practices given to every new patient in your

More information

Type of Personal Data We Collect and How We Use It

Type of Personal Data We Collect and How We Use It Philips Lumify App Privacy Notice This Privacy Notice was last changed on September 1, 2015. Philips Electronics North America Corporation ("Philips") strongly believes in protecting the privacy of the

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act

Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act White Paper Internet File Management & HIPAA A Practical Approach towards Responding to the Privacy Regulation of the Act The recent activation of the privacy requirement of the Health Insurance Portability

More information

Paxata Security Overview

Paxata Security Overview Paxata Security Overview Ensuring your most trusted data remains secure Nenshad Bardoliwalla Co-Founder and Vice President of Products nenshad@paxata.com Table of Contents: Introduction...3 Secure Data

More information

Service Line Warranties of Canada PRIVACY STATEMENT

Service Line Warranties of Canada PRIVACY STATEMENT Service Line Warranties of Canada PRIVACY STATEMENT We at Service Line Warranties of Canada ( us, our we, or Company ) consider the protection of your personal information to be a priority when you visit

More information

Synapse Privacy Policy

Synapse Privacy Policy Synapse Privacy Policy Last updated: April 10, 2014 Introduction Sage Bionetworks is driving a systems change in data-intensive healthcare research by enabling a collective approach to information sharing

More information

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management

Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Securing the Healthcare Enterprise for Compliance with Cloud-based Identity Management Leveraging Common Resources and Investments to Achieve Premium Levels of Security Summary The ecosystem of traditional

More information

Cloud Security Who do you trust?

Cloud Security Who do you trust? Thought Leadership White Paper Cloud Computing Cloud Security Who do you trust? Nick Coleman, IBM Cloud Security Leader Martin Borrett, IBM Lead Security Architect 2 Cloud Security Who do you trust? Cloud

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

GUESTBOOK REWARDS, INC. Privacy Policy

GUESTBOOK REWARDS, INC. Privacy Policy GUESTBOOK REWARDS, INC. Privacy Policy Welcome to Guestbook Rewards, Inc. the online and mobile service of Guestbook Rewards, Inc. ( The Guestbook, we, or us ). Our Privacy Policy explains how we collect,

More information

Proposed Commons Credits Model Pilot Service Provider Conformance Requirements 12/22/2015 Version

Proposed Commons Credits Model Pilot Service Provider Conformance Requirements 12/22/2015 Version Proposed Commons Credits Model Pilot Service Provider Conformance Requirements 12/22/2015 Version Definitions: 1. Digital Object: An electronic artifact, including, but not limited to data, software, metadata,

More information

Access Control patient centric selective sharing Emergency Access Information Exchange

Access Control patient centric selective sharing Emergency Access Information Exchange Electronic Health Record Software Required Security Features and Recommendations for Technical Specifications of Single Source Contracts and RFI for the Behavioral Health Information Technology Grant Scope:

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

Global Alliance for Genomics & Health Data Sharing Lexicon

Global Alliance for Genomics & Health Data Sharing Lexicon Global Alliance for Genomics & Health Data Sharing Lexicon Preamble The Global Alliance for Genomics and Health ( GA4GH ) is an international, non-profit coalition of individuals and organizations working

More information

The Anti-Corruption Compliance Platform

The Anti-Corruption Compliance Platform The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Securing The Cloud With Confidence. Opinion Piece

Securing The Cloud With Confidence. Opinion Piece Securing The Cloud With Confidence Opinion Piece 1 Securing the cloud with confidence Contents Introduction 03 Don t outsource what you don t understand 03 Steps towards control 04 Due diligence 04 F-discovery

More information

Security and Data Protection for Online Document Management Software

Security and Data Protection for Online Document Management Software Security and Data Protection for Online Document Management Software Overview As organizations transition documents and company information to Software as a Service (SaaS) applications that are no longer

More information

Central Desktop Enterprise Edition (Security Pack)

Central Desktop Enterprise Edition (Security Pack) Central Desktop Enterprise Edition (Security Pack) The Central Desktop Security Pack is included in the Enterprise Edition of Central Desktop. The Enterprise Edition is for companies and organizations

More information

Certification Practice Statement

Certification Practice Statement FernUniversität in Hagen: Certification Authority (CA) Certification Practice Statement VERSION 1.1 Ralph Knoche 18.12.2009 Contents 1. Introduction... 4 1.1. Overview... 4 1.2. Scope of the Certification

More information

Cloud Computing Governance & Security. Security Risks in the Cloud

Cloud Computing Governance & Security. Security Risks in the Cloud Cloud Computing Governance & Security The top ten questions you have to ask Mike Small CEng, FBCS, CITP Fellow Analyst, KuppingerCole This Webinar is supported by Agenda What is the Problem? Ten Cloud

More information

CITY OF PORTLAND HUMAN RESOURCES ADMINISTRATIVE RULES EMPLOYEE BEHAVIOR &EXPECTATIONS 4.08 INFORMATION TECHNOLOGIES

CITY OF PORTLAND HUMAN RESOURCES ADMINISTRATIVE RULES EMPLOYEE BEHAVIOR &EXPECTATIONS 4.08 INFORMATION TECHNOLOGIES CITY OF PORTLAND HUMAN RESOURCES ADMINISTRATIVE RULES EMPLOYEE BEHAVIOR &EXPECTATIONS 4.08 INFORMATION TECHNOLOGIES Purpose The City of Portland provides information technologies to its employees to use

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants

More information

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1

Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 sm Open Data Center Alliance Usage: Provider Assurance Rev. 1.1 Legal Notice This Open Data Center Alliance SM Usage:Provider Assurance is proprietary to the Open Data Center Alliance, Inc. NOTICE TO USERS

More information

e-authentication guidelines for esign- Online Electronic Signature Service

e-authentication guidelines for esign- Online Electronic Signature Service e-authentication guidelines for esign- Online Electronic Signature Service Version 1.0 June 2015 Controller of Certifying Authorities Department of Electronics and Information Technology Ministry of Communications

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

Privacy Policy Version 1.0, 1 st of May 2016

Privacy Policy Version 1.0, 1 st of May 2016 Privacy Policy Version 1.0, 1 st of May 2016 THIS PRIVACY POLICY APPLIES TO PERSONAL INFORMATION COLLECTED BY GOCIETY SOLUTIONS FROM USERS OF THE GOCIETY SOLUTIONS APPLICATIONS (GoLivePhone and GoLiveAssist)

More information