SPF SANTE PUBLIQUE, SECURITE DE LA CHAINE ALIMENTAIRE ET ENVIRONNEMENT. EPD in the cloud

Transcription

1 1 EPD in the cloud Jean-Marc Van Gyseghem Head of the «Liberties and Information Society» - Crids, University of Namur Member of the Bar of Brussels, Rawlings Giles lawfirm

2 2 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

3 3 What s Privacy? «Il faut se réserver une arrière-boutique toute nôtre, toute franche, en laquelle nous établissons notre vraie liberté et principale retraite et solitude» MONTAIGNE «The right to be let alone» WARREN & BRANDEIS (1890) «La solitude à plusieurs» : The freedom to manage relationships with people without any exposure to any illegal interference. F. RIGAUX (1984)

4 4 What s Privacy? Privacy is one dimension of the human dignity; Privacy is a protection given to the personal sphere of each individual, including the right to establish details of their identity as individual human beings (ECHR, Christine Goodwin v. The United Kingdom, , par. 90) Privacy is a fundamental right

5 5 What s Privacy? Data protection = a tradition on the go: Universal declaration of Human Rights (UN) Privacy guidelines (OECD) European Convention on Human Rights (CoE) in 1950 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS108; CoE) in 1981 The Charter of Fundamental Rights of the EU in 2000 Privacy/data protection is anchored in Universal principles

6 6 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

7 7 Health related data? Health related data = sensitive data; Health related data = extra protection Medical files = in the hospital under the responsability of the medical head (médecin-chef). Art. 25 lois coordonnées sur le hôpitaux de 2008.

8 8 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

9 9 Behind the Cloud User Cloud provider User User server server?????

10 10 Behind the cloud Technical aspects Simple data base HTML «dressing» Access policy Legal aspects Administrator draws up the general access management unilateral changes If modifications occur the content accessible might change Secrecy breach.

11 11 Behind the Cloud Security User Cloud provider User User server server?????

12 12 Behind the cloud Technical aspects Recoverability Durability Availability Interconnection with data bases - Crossing of information Necessity of Internet connection Legal aspects Who is the access manager? User? Administrator? Who assures the access? User? Administrator? Who has the control on the data? User? Administrator? Who has the control on the data? User? Administrator? What about the continuity of the service in case of Internet shut down? What about the medical secrecy?

13 Data processor Data processor Cloud computing provider Hospital Data controller Data processor Data processor Cloud computing system Hospital Data controller Personal data flow

14 14 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

15 Cloud and Privacy 15 What about the data subject? Principle of transparency and, beyond, which rights for the data subject? Obligation to inform about the recourse to a CCS: do we need a specific information towards the data subject (e.g patients)? Right to access: how to ensure the access when the data are at the CLCS data bases? Case of CLCS bankruptcy? Right of deletion: how can we be sure about the deletion of the data in case of contract s cancellation?

16 16 Cloud and Privacy What about the security/confidentiality? Security of transmission to the CCP and security within the CCP System Cloud computing system Secured connection Data processor Data processor Cloud computing provider Hospital Data processor Hospital

17 17 Cloud and Privacy Appropriate security measures to be supported by the data controller/hospital: obligation for Data controller to use a data processor of good quality (use of label system, need for ISO standards); Contract between the data controller and the data processor; Obligation to have specific clauses in case of termination of activities (problem of transfer and of bankruptcy)?

18 18 Cloud and Privacy Appropriate security measures by the Cloud privider: Information accountability principle (tell what you are doing and ensure that you will do it) Standardization as regards audit, nomination of a security obligation, data segregation, Obligations in case of security breach

19 19 Cloud and Privacy What about liability? Each actor has its own liability: Cloud computing provider: Security; Confidentiality; Etc. Hospital: Under the responsibility of the medical head Security of its own network; Access precaution; Etc.

20 20 Cloud and Privacy Data processor of the Cloud computing provider: Security; Confidentiality; Etc. Internet provider

21 21 Cloud and Privacy What about the probationary strength? Art. 36/1 of the Act of August 21st 2008 on the E-health platform: What about the security? What about the sustainability? What about the data protection itself (Europe, out of Europe, etc)

22 22 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

23 23 Causes to effects Cause Breach to the access management Effect Lost of the patient confidence

24 24 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Effect Lost of the patient confidence Secrecy breach

25 25 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Decision tree Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud

26 26 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, etc)

27 27 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Negotiation Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, virus, etc) Negotiation together with other hospitals to get more strength.

28 28 Causes to effects Cause Breach to the access management Law enforcement (Patriot Act, etc) Function tree Back-up by the Cloud provider Negotiation Use of private cloud computing Effect Lost of the patient confidence Secrecy breach Choice about the documents to be put in the cloud Recoverability of the data (fire, water, etc) Negotiation together with other hospitals to get more strength. Maintaining control on the data.

29 29 Table of content What s Privacy? Health related data Behind the cloud Cloud and privacy Causes to effects Memorandum.

30 Memorandum 30 Long and short terms risks analysis: Adequate security measures (ISO/CEI 27002, for example): Physical security: Access to the data; Access to the server; Technical security: Access management; Network; Communication; Contract with the data processor.

31 31 Memorandum Security breach: Notification to the Privacy Commission within 48 hours (avis 01/2013); Information campaign to the public within 14 to Au public endéans les 24 à 48 heures (avis 01/2013).

32 32 Thanks for your attention