1 1 EPD in the cloud Jean-Marc Van Gyseghem Head of the «Liberties and Information Society» - Crids, University of Namur Member of the Bar of Brussels, Rawlings Giles lawfirm
2 2 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
3 3 What s Privacy? «Il faut se réserver une arrière-boutique toute nôtre, toute franche, en laquelle nous établissons notre vraie liberté et principale retraite et solitude» MONTAIGNE «The right to be let alone» WARREN & BRANDEIS (1890) «La solitude à plusieurs» : The freedom to manage relationships with people without any exposure to any illegal interference. F. RIGAUX (1984)
4 4 What s Privacy? Privacy is one dimension of the human dignity; Privacy is a protection given to the personal sphere of each individual, including the right to establish details of their identity as individual human beings (ECHR, Christine Goodwin v. The United Kingdom, , par. 90) Privacy is a fundamental right
5 5 What s Privacy? Data protection = a tradition on the go: Universal declaration of Human Rights (UN) Privacy guidelines (OECD) European Convention on Human Rights (CoE) in 1950 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS108; CoE) in 1981 The Charter of Fundamental Rights of the EU in 2000 Privacy/data protection is anchored in Universal principles
6 6 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
7 7 Health related data? Health related data = sensitive data; Health related data = extra protection Medical files = in the hospital under the responsability of the medical head (médecin-chef). Art. 25 lois coordonnées sur le hôpitaux de 2008.
8 8 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
9 9 Behind the Cloud User Cloud provider User User server server?????
10 10 Behind the cloud Technical aspects Simple data base HTML «dressing» Access policy Legal aspects Administrator draws up the general access management unilateral changes If modifications occur the content accessible might change Secrecy breach.
11 11 Behind the Cloud Security User Cloud provider User User server server?????
12 12 Behind the cloud Technical aspects Recoverability Durability Availability Interconnection with data bases - Crossing of information Necessity of Internet connection Legal aspects Who is the access manager? User? Administrator? Who assures the access? User? Administrator? Who has the control on the data? User? Administrator? Who has the control on the data? User? Administrator? What about the continuity of the service in case of Internet shut down? What about the medical secrecy?
13 Data processor Data processor Cloud computing provider Hospital Data controller Data processor Data processor Cloud computing system Hospital Data controller Personal data flow
14 14 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
15 Cloud and Privacy 15 What about the data subject? Principle of transparency and, beyond, which rights for the data subject? Obligation to inform about the recourse to a CCS: do we need a specific information towards the data subject (e.g patients)? Right to access: how to ensure the access when the data are at the CLCS data bases? Case of CLCS bankruptcy? Right of deletion: how can we be sure about the deletion of the data in case of contract s cancellation?
16 16 Cloud and Privacy What about the security/confidentiality? Security of transmission to the CCP and security within the CCP System Cloud computing system Secured connection Data processor Data processor Cloud computing provider Hospital Data processor Hospital
17 17 Cloud and Privacy Appropriate security measures to be supported by the data controller/hospital: obligation for Data controller to use a data processor of good quality (use of label system, need for ISO standards); Contract between the data controller and the data processor; Obligation to have specific clauses in case of termination of activities (problem of transfer and of bankruptcy)?
18 18 Cloud and Privacy Appropriate security measures by the Cloud privider: Information accountability principle (tell what you are doing and ensure that you will do it) Standardization as regards audit, nomination of a security obligation, data segregation, Obligations in case of security breach
19 19 Cloud and Privacy What about liability? Each actor has its own liability: Cloud computing provider: Security; Confidentiality; Etc. Hospital: Under the responsibility of the medical head Security of its own network; Access precaution; Etc.
20 20 Cloud and Privacy Data processor of the Cloud computing provider: Security; Confidentiality; Etc. Internet provider
21 21 Cloud and Privacy What about the probationary strength? Art. 36/1 of the Act of August 21st 2008 on the E-health platform: What about the security? What about the sustainability? What about the data protection itself (Europe, out of Europe, etc)
22 22 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
23 23 Causes to effects Cause Breach to the access management Effect Lost of the patient confidence
24 24 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Effect Lost of the patient confidence Secrecy breach
25 25 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Decision tree Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud
26 26 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, etc)
27 27 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Negotiation Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, virus, etc) Negotiation together with other hospitals to get more strength.
28 28 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Negotiation Use of private cloud computing Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, etc) Negotiation together with other hospitals to get more strength. Maintaining control on the data.
29 29 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.
30 Memorandum 30 Long and short terms risks analysis: Adequate security measures (ISO/CEI 27002, for example): Physical security: Access to the data; Access to the server; Technical security: Access management; Network; Communication; Contract with the data processor.
31 31 Memorandum Security breach: Notification to the Privacy Commission within 48 hours (avis 01/2013); Information campaign to the public within 14 to Au public endéans les 24 à 48 heures (avis 01/2013).
INFORMATION TECHNOLOGY CHARTER INFORMATION TECHNOLOGY CHARTER Reference : extract- internal rules and regulations Name Position Date and signature Author Revised by Validation: Bruno Frédéric Head of IT
ARTICLE 29 DATA PROTECTION WORKING PARTY 01037/12/EN WP 196 Opinion 05/2012 on Cloud Computing Adopted July 1 st 2012 This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent
Cloud Computing This information leaflet aims to advise organisations on the factors they should take into account in considering engaging cloud computing. It explains the relevance of the Personal Data
EUROPEAN COMMISSION Brussels, 25.1.2012 COM(2012) 11 final 2012/0011 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing
ICO lo Data Protection Act Contents Introduction... 1 Overview... 2 What the DPA says... 3 Create an asset disposal strategy... 3 How will devices be disposed of when no longer needed?... 3 Conduct a risk
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
The Guide to Data Protection Contents Introduction 1 Key definitions of the Data Protection Act 4 The Data Protection Principles 19 1. Processing personal data fairly and lawfully (Principle 1) 20 2. Processing
DIRECTORATE GENERAL FOR INTERNAL POLICIES POLICY DEPARTMENT C: CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS Protection of Personal Data in Work-related Relations
Security Standard The security and risk management baseline for the lottery sector worldwide Updated by the WLA Security and Risk Management Committee V1.0, November 2006 The WLA Security Standard is the
Council of the European Union Brussels, 19 December 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 15395/14 LIMITE NOTE From: To: No. prev. doc.: DATAPROTECT 165 JAI 860 MI 965 DRS 167 DAPIX 167
Marist College Information Security Policy February 2005 INTRODUCTION... 3 PURPOSE OF INFORMATION SECURITY POLICY... 3 INFORMATION SECURITY - DEFINITION... 4 APPLICABILITY... 4 ROLES AND RESPONSIBILITIES...
Cloud Service Level Agreement Standardisation Guidelines Brussels 24/06/2014 1 Table of Contents Preamble... 4 1. Principles for the development of Service Level Agreement Standards for Cloud Computing...
2011 CONSUMER U.S. INTELLECTUAL DATA PRIVACY PROPERTY ENFORCEMENT IN A NETWORKED COORDINATOR WORLD: COVER ANNUAL TITLE REPORT HERE ON A FRAMEWORK FOR PROTECTING PRIVACY INTELLECTUAL AND PROMOTING PROPERTY
Data protection A practical guide to IT security Ideal for the small business The Data Protection Act states that appropriate technical and organisational measures shall be taken against unauthorised or
Data breach notification guide: A guide to handling personal information security breaches August 2014 The Office of the Australian Information Commissioner (OAIC) was established on 1 November 2010 by
Freedom of information guidance Exemptions guidance Section 41 Information provided in confidence 14 May 2008 Contents Introduction 2 What information may be covered by this exemption? 3 Was the information
Version: 1.1 Ratified by: NHS Bury CCG IM&T Steering Group Date ratified: February 2014 Name of originator /author (s): Responsible Committee / individual: Greater Manchester CSU - IT Department NHS Bury
REED COLLEGE ediscovery GUIDELINES FOR PRESERVATION AND PRODUCTION OF ELECTRONIC RECORDS TABLE OF CONTENTS A. INTRODUCTION... 1 B. THE LANDSCAPE OF ELECTRONIC RECORDS SYSTEMS... 1 1. Email Infrastructure...
ICO lo Notification of data security breaches to the Information Commissioner s Data Protection Act Contents Overview... 2 What the DPA says... 2 Reporting a breach... 2 Potential detriment to data subjects...
Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing
EXPLANATORY MEMORANDUM FEDERATION OF EUROPEAN DIRECT MARKETING EUROPEAN CODE OF PRACTICE FOR THE USE OF PERSONAL DATA IN DIRECT MARKETING FEDMA represents the direct marketing sector at the European level.
April 21, 2009 Dines Bjørner: MITS: Models of IT Security: 1 Models of IT Security Security Rules & Regulations: An Interpretation Dines Bjørner Fredsvej 11, DK 2840 Holte, Denmark Presented at Humboldt
CUSTOMERS BANK ONLINE & MOBILE BANKING ACCESS AGREEMENT 1) Scope of Agreement 2) Definitions 3) Terms and Conditions of Online Banking A. Requirements B. Online Banking Services - General C. Electronic
EUROPEAN COMMISSION Brussels, 6.5.2015 COM(2015) 192 final COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE