Norwegian Data Inspectorate

Narvik kommune
Postboks
NARVIK
Norway

Your reference: 1111/1210-6/PEJA
Our reference (please quote in any reply): 11/ /SEV
Date: 16 January 2012

Notification of decision
New solution within Narvik local authority (Narvik kommune): Google Apps [1]

Reference is made to the Norwegian Data Inspectorate's letter of 30 June 2011, the local authority's letter of 8 July 2011, the Data Inspectorate's letter of 1 August 2011, and the local authority's statement received on 2 September. The matter concerns the local authority's existing, and planned extended, use of the product Google Apps.

In the Data Inspectorate's letter of 30 June 2011, a statement was requested from the local authority concerning the following points:

1. An account of the personal data that the local authority will process in Google Apps.
2. The risk assessment that the local authority has carried out in respect of the processing of personal data in Google Apps; cf. Section 13 of the Norwegian Personal Data Act and Section 2-4 of the Norwegian Personal Data Regulations.
3. A copy of any agreement that the local authority has entered into with Google, together with an overview of the security measures that Google has implemented in the solution that the local authority has decided to use.
4. A copy of any processor agreement between the local authority and Google, as well as a description of the information system's design and physical location.
5. A description of how the following problems have been clarified with Google:
   - Back-up
   - Who at Google has access to the local authority's personal data?
   - How will the local authority conduct a security audit of Google? Cf. Section 2-5 of the Personal Data Regulations.

Postal address: Postboks 8177 Dep, OSLO, Norway. Office address: Tollbugt 3.

[1] The translation is unofficial. Should any doubt arise, only the Norwegian text of the decision is valid and binding.
Assessment of the local authority's statement

Point 1: An account of the personal data that the local authority will process in Google Apps.

The regulatory requirements
Section 13 of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures.

Section 2-11 third paragraph of the Personal Data Regulations states that personal data that is transferred electronically with the aid of a transfer medium that is outside the controller's physical control shall be encrypted or otherwise secured when confidentiality is necessary.

The local authority's statement
The local authority states that only an e-mail solution has so far been taken into use. However, it is stated that the organisation is also considering using other services that are offered via Google Apps. The local authority justifies this through a need for efficient internal cooperation through the sharing of documents, presentations, spreadsheets, forms or drawings. The local authority then gives some examples of areas where it may be appropriate to use the other tools. Common to these examples is the fact that the processing of personal data will, as regards the employees, be limited to name, telephone number, address and organisational affinity. The local authority furthermore states that all this information is already published on the local authority's website.

The Data Inspectorate's assessment
The Data Inspectorate restricts its assessment to the specified area of use: e-mail to/from and between the local authority's employees. The local authority describes its internal regulations as clear on this point: no sensitive personal information may be sent by e-mail.

Much of the work that is carried out within the local authority is linked to the provision of services to the inhabitants of the municipality, and it is therefore natural that much of the communication to/from the local authority and between the local authority's employees contains personal data. From a purely practical perspective, the Data Inspectorate believes that the local authority faces challenges in preventing sensitive data being sent by e-mail, either to/from or between the local authority's employees. However, the local authority can limit the risks through systematic training and the repeated communication of applicable routines.

The Data Inspectorate believes that the risk of unauthorised sending of sensitive or confidential personal data will apply both between employees and between the local authority and the public. The Data Inspectorate does not, however, consider this to be a problem that is limited to Google Apps alone. The reason that this point is highlighted is that, with the specified solution, such information will be processed in systems that are not under the direct control of the controller. The Data Inspectorate's experience suggests that unauthorised communication (e.g. communication that contains sensitive personal data) will be stored on the processor's server for a long period of time, even after the user has actively deleted messages. This is due to the replication of content, among other things.
The local authority draws an analogy with Norway Post's distribution system as regards the opportunity for the public to assess the level of security in the communication between the local authority and the public, regardless of whether this takes place via e-mail or via the post. The Data Inspectorate does not support such an argument. The security level and organisation of Norway Post's distribution system is subject to strict regulation through the Norwegian Postal Services Act and associated regulations. Letters with private or confidential content will be sent in sealed envelopes, where necessary as a registered consignment. The level of security for unencrypted e-mail is, however, based on a standard protocol called Simple Mail Transfer Protocol (SMTP). In practice, this protocol does not afford the content of the communication any protection.

The Data Inspectorate's conclusion
The local authority cannot exclude the possibility that sensitive personal data will be processed in the solution, and must therefore take into account the fact that both sensitive and general personal data will be processed in the system. The Data Inspectorate does not believe that the local authority has implemented adequate measures (cf. Section 2-11 of the Personal Data Regulations), given that confidential information will be processed in the solution. The local authority must take this into consideration in connection with an assessment of information security; cf. the discussion in the points below.

Point 2: A statement with regard to the risk assessment that the local authority has carried out in respect of the processing of personal data in Google Apps; cf. Section 13 of the Norwegian Personal Data Act; cf. Section 2-4 of the Norwegian Personal Data Regulations.

The regulatory requirements
Section 13 of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures.

Section 2-4 second paragraph of the Personal Data Regulations states that the controller must carry out a risk assessment in order to assess the probability and consequences of security breaches.

The local authority's statement
The local authority states that an overall risk analysis has been carried out as regards the introduction of a new ICT system. The analysis was enclosed with the local authority's letter. According to the analysis, the use of Google Apps will in most cases give a risk picture similar to that of the local authority's old system, with certain exceptions. The local authority notes that the existing challenge of a lack of space and access to technological resources constituted an important factor in the choice of solution. The local authority furthermore refers to the risk of the existing organisation being unable to obtain and maintain specialist expertise to operate yet another specialised IT system. The local authority states that, due to the lack of space, it would not be desirable to further burden the local authority's IT centre.
The local authority furthermore states that a new IT system is to be added. It has been found that it would be appropriate to replace some of the systems that the local authority currently uses with a system that requires fewer operating resources. As the Data Inspectorate understands the situation, the local authority must completely phase out use of the old solution in order to switch to the new one. In connection with such migration, it would be natural for both hardware and physical space to be released.

The local authority states that it is believed that the Google Apps solution is adequate with regard to availability, integrity and security. Nevertheless, the local authority acknowledges that it is worth noting that in many cases no probability/frequency can be described, as there is no usable reference material for this type of incident.

The local authority also gives an account of how it will audit its processor. This will take place through a third-party company, which the processor hires, conducting an audit based on the ISAE3402 standard and making its findings available in an audit report. The local authority will have access to this report and will be able to bring up issues within the local authority's information security committee.

The Data Inspectorate's assessment
Despite the absence of any basis, the local authority has decided to set values for defining the probability in its risk assessment. The Data Inspectorate notes that in the analyses very low probabilities are set for data intrusion, failure in continuity and lack of monitoring in the Google Apps solution, as mentioned previously, without any usable reference material being available. The Data Inspectorate believes that the uncertainty linked to the probability should be stated much more clearly in the analysis.

As regards failure in continuity, the local authority cannot exclusively consider the processor's uptime, but must also consider the uptime of the infrastructure from the local authority's network to the processor.

It is unclear to the Data Inspectorate how the local authority will be able to alter the way in which the processor processes its data through the abovementioned audit reports. It appears to the Data Inspectorate that the local authority will only be able to alter how it itself uses the solution, and will have little influence over the design of the solution itself. The latter view is based on observations that the Data Inspectorate has made generally with regard to agreements between organisations. An audit report based on the ISAE3402 standard otherwise normally constitutes confirmation or rejection that the organisation complies with a given standard, its own security regime and any certificates that the solution is required to have. Such reports will therefore give little indication as to whether the local authority's own standard with regard to security measures is met. The local authority can of course choose a different supplier if the results in the audit report are unsatisfactory, but it must thus be assumed that forcing the existing supplier to implement direct changes will be a challenging process. The Data Inspectorate is aware that changing supplier can lead to major challenges with regard to lock-in effects. There could, for example, be a contract period and added work involved in the migration process. In the best case scenario, the local authority must verify that this can be done in purely practical terms should a dispute arise.
The Data Inspectorate's conclusion
The Data Inspectorate does not believe that the risk assessment gives a complete picture of the risks associated with the solution chosen by the local authority. The type of risk assessment that the local authority carried out in this case is not sufficient according to Section 2-4 of the Personal Data Regulations.

Points 3 and 4: A copy of any agreement that the local authority has entered into with Google, including:
- An overview of the security measures that Google has implemented in the solution that the local authority has decided to use.
- A description of the information system's design and physical location.

The regulatory requirements

Processor agreement
Section 15 of the Personal Data Act states that a processor cannot process personal data in any manner other than as agreed in writing with the controller. In addition, the data cannot be transferred to any other party for storage or processing without such an agreement. The agreement with the controller must also state that the processor is obliged to carry out such security measures as follow from Section 13.

The information system's design and security measures
Section 13 first paragraph of the Personal Data Act states that the controller must ensure a satisfactory level of information security with regard to confidentiality, integrity and availability in connection with the processing of personal data through the use of planned and systematic measures. Section 13 third paragraph of the Personal Data Act states that a controller that permits another party to gain access to personal data, e.g. a processor or other party that is carrying out an assignment in connection with the information system, must ensure that the party concerned fulfils the requirements in the first and second paragraphs.

Physical location
Section 29 of the Personal Data Act states that personal data can only be transferred to States that ensure appropriate processing of the information.
States that have implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data fulfil the requirement for appropriate processing.

The local authority's statement
The local authority has not entered into any mutual agreement with Google concerning the delivery of a solution for e-mail, but has, through the system integrator Avalon Information Systems AB, been referred to Google's document which describes the service level and customer support. The local authority states that, as the solution is based on cloud computing, no additional agreement concerning support from the supplier is necessary, other than the service levels that are listed in the standard agreement from Google.

The local authority gives an account of the security measures that Google has described in the Security Whitepaper: Google Apps Messaging and Collaboration Products. In other contexts, the Data Inspectorate has found that such documents are often subject to revision by the supplier without negotiation. In such a case, the local authority would have to accept such changes or choose a different supplier.

The local authority refers to security mechanisms that Google describes in its Whitepaper. This Whitepaper refers to a number of security adaptations and options that the controller can implement through the solution. The local authority has not explained whether it has chosen any of these adaptations and options.

The local authority believes that the supplier's Whitepaper, Google's affiliation to the Safe Harbor agreement and the fact that the local authority has access to the audit reports should be sufficient to satisfy the authorities' requirements concerning a processor agreement.

The local authority states that, for security reasons, Google does not wish to release details concerning the supplier's IT centres. Google also does not wish to publish technical details which could compromise security.

The Data Inspectorate's assessment
On its website, the Data Inspectorate has presented a proposal for a processor agreement which contains the points that the Data Inspectorate believes should be included in a processor agreement. These points are: the aim and purpose of the agreement, the processor's obligations, the use of subcontractors, security, security audits, duration of the agreement, in the event of termination, communication, and choice of law and legal venue.

As the processor does not wish to release information concerning the countries in which its IT centres are located, this presents challenges with regard to the requirements in a processor agreement; cf. Sections 15 and 29 of the Personal Data Act. The local authority will not be able to adequately clarify the level of security in the solution without knowing that the States to which information is transferred have an adequate level of protection for personal data.
States that have implemented Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data fulfil the requirement for appropriate processing. Google is an American company and it is therefore possible that information that is processed in the local authority's solution will be stored in the USA and elsewhere. The USA is currently not included in the list of countries that the Commission recognises as ensuring adequate protection for personal data. In order to remedy this, the Safe Harbor scheme was established. This scheme means that US companies can be considered as providing adequate protection for personal data that they receive from the EU/EEA if they voluntarily implement a set of rules for processing of the information.

Since Safe Harbor was established, the USA has introduced a law entitled Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, abbreviated to the USA Patriot Act, as a result of the terrorist attacks of 11 September. This act is extremely complicated and comprehensive. The act gives US authorities the right to monitor terrorist suspects without charge or legal proceedings. In connection with this, the Data Inspectorate wishes to note that the USA Patriot Act must be considered as representing a challenge with regard to the safeguarding of personal privacy, even within the Safe Harbor scheme.

The Data Inspectorate's conclusion
On the basis of the above, the Data Inspectorate does not believe that Google's standard agreement is sufficient in relation to what is expected of a processor agreement; cf. Section 15 of the Personal Data Act. In the opinion of the Data Inspectorate, the absence of a processor agreement will constitute a deviation in relation to the requirements in Section 15 of the Personal Data Act. The Data Inspectorate does not believe that the local authority has the opportunity to use a processor which, among other things, does not state which country the information will be processed in and, as a consequence of this, does not provide an adequate account of security measures; cf. Section 29 of the Personal Data Act.

Point 5: A description of how the following problems have been clarified with Google:
- Backup
- Who at Google has access to the local authority's personal data?
- How will the local authority conduct a security audit at Google? Cf. Section 2-5 of the Personal Data Regulations.

The regulatory requirements
Section 2-12 fourth paragraph of the Personal Data Regulations states that personal data and other information that is necessary for the restoration of normal use must be backed up.

Section 2-8 of the Personal Data Regulations states that employees of the controller must only use the information system in order to carry out assigned tasks, and must themselves be authorised for such use. The employees must possess the knowledge necessary to use the information system in accordance with the established routines.

Section 2-5 of the Personal Data Regulations states that security audits of the use of the information system must be conducted regularly. The security audit must include an assessment of the organisation, security measures and use of communication partners and suppliers. If the security audit identifies unforeseen use of the information, this must be treated as a deviation; cf. Section 2-6.
The local authority's statement
The local authority refers to Google's Whitepaper, which states that the data will be stored on several systems at the same IT centre and simultaneously replicated to a secondary IT centre. There is no description of how Google has designed its backup system, except that it is presupposed that no data will ever be lost. As regards disposal, the Whitepaper describes how the file will be de-indexed and eventually written over by other data.

Google also does not state who has access to the local authority's information, but states that this information is covered by Google's system for authorisation and access control. No statement is given of how many people this concerns, and the specific job positions or access requirements that this covers are not defined.

The reply concerning security audits is given under question 2.

The Data Inspectorate's assessment and conclusion
The local authority has accepted Google's description of the solution. The Data Inspectorate does not believe that the local authority has any opportunity to influence how this solution is put together. On the basis of this, the Data Inspectorate does not believe that the local authority has demonstrated that the conditions in Chapter 2 of the Personal Data Regulations are met.
Other circumstances
On pages 11, 13 and 15 of the appendix entitled Risk and vulnerability analysis for the implementation of a new system within Narvik local authority: Google Apps (the analysis document), it is stated that Google has recently introduced an additional function which can be activated by the local authority in order to reject the sending of e-mail which contains words or expressions that could indicate sensitive or unacceptable content under current guidelines. The Data Inspectorate does not believe that the introduction of such an additional function will overcome the abovementioned challenges on its own. It is possible that such a solution could, depending on how it is practised, be problematic when viewed in context with Chapter 9 of the Personal Data Regulations.

On page 13 of the analysis document, it is stated that an additional layer of security can be added by requiring each individual employee who sends e-mail to confirm that the e-mail does not contain sensitive personal data by typing the text "Does not contain sensitive personal data" in the message. The Data Inspectorate does not believe that this routine will necessarily add an extra layer of security in reality. We believe that this could be automated by the users in order to send e-mail. This is therefore a measure which can easily be circumvented and which is little suited to preventing undesirable behaviour.

Segmentation of different controllers
A processor cannot process personal data on behalf of a controller unless a processor agreement has been established; cf. Section 15 of the Personal Data Act. In practice, this means that if personal data is processed on behalf of several controllers, the processor must process the personal data for each individual controller with an adequate degree of separation. In its documents, Google has not explained how this requirement is adequately met in the solution.
It is, however, explained that the overall system will ensure that it is not possible to extract the controller's data from a location. This could involve the mixing of information belonging to different controllers. The level of information security is common to all controllers, based on guidelines established by the processor. Such a practice could come into conflict with the role of Google as processor for different parties, which could each have differing requirements concerning security.

The problem of such sequential storage becomes of even greater relevance in connection with the need to delete information from the solution. This must be done in accordance with the guidelines that different controllers establish. The problem is also of relevance in connection with the question of deletion in backup copies; cf. Section 28 of the Personal Data Act concerning deletion. In the case of a sequential database, every single entry in the database must be reviewed in order to assess whether it should be deleted, unlike a segmented database for each individual controller's data, where one can go in and delete elements that are no longer relevant. This can be done in the form of segmentation of the database. Such a solution means that data from different controllers is not mixed together in one large database, but kept sufficiently separate. Segmentation will be necessary for all activity that can be attributed to a controller. This also includes copies of communicated content, logs, etc.

The Data Inspectorate's conclusion
In accordance with the regulations, the local authority must implement a satisfactory logical or physical segmentation of the information system, so that the requirements for a satisfactory level of information security and the different needs with regard to deletion between different controllers can be safeguarded; cf. Sections 13 and 15 of the Personal Data Act.

Summary
Given the above, the Data Inspectorate does not believe that the local authority has adequately ensured that the use of Google Apps is in line with the Personal Data Act. This particularly applies to the establishment of a valid processor agreement in accordance with Section 15 of the Personal Data Act, requirements concerning the transfer of personal data abroad (cf. Section 29) and fulfilment of the requirements concerning information security in accordance with Section 13 of the Personal Data Act.

Against the background of the Data Inspectorate's conclusion, the decision is notified to the local authority. Reference is made to the following section.

Notification of decision
This is notification that the Data Inspectorate, pursuant to Section 46 of the Personal Data Act, will reach a decision concerning the following instruction:

1. Narvik local authority's use of Google Apps must cease, unless the processing of personal data in the solution can be brought into line with the requirements of the Personal Data Act; cf. Sections 13, 15 and 29 of the Personal Data Act.

Deadline for replies
Any comments concerning this notification should be sent to the Data Inspectorate as soon as possible and by 1 March 2012 at the latest. It is recommended that the company send the Data Inspectorate a proposal for a schedule for eliminating the deviations described in the control report. The Data Inspectorate will consider this schedule when it sets a deadline for the organisation's implementation of the decision. Notwithstanding the above, the Data Inspectorate will not adopt the decision referred to here if, by the same deadline, the organisation is able to document that the deviations described in the control report have been closed.
Yours sincerely,

Bjørn Erik Thon
Director

Stein Erik Vetland
Chief Engineer
More informationNYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES
NYSED DATA DASHBOARD SOLUTIONS RFP ATTACHMENT 6.4 MAINTENANCE AND SUPPORT SERVICES 1. Definitions. The definitions below shall apply to this Schedule. All capitalized terms not otherwise defined herein
More informationSHARPCLOUD SECURITY STATEMENT
SHARPCLOUD SECURITY STATEMENT Summary Provides details of the SharpCloud Security Architecture Authors: Russell Johnson and Andrew Sinclair v1.8 (December 2014) Contents Overview... 2 1. The SharpCloud
More informationVPO NOK Rules. Rules for the Central Securities Settlement. in Norwegian Kroner
Entry into force: 29. April 2015 Version: 1.1 Published 27. April 2015 VPO NOK Rules Rules for the Central Securities Settlement in Norwegian Kroner This document is a translation from the original Norwegian
More informationUniversity of Liverpool
University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October
More informationWEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY
WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4
More informationNegotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham
Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham The dynamic provisioning of IT capabilities, whether hardware, software, or
More informationThis Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.
Microsoft Online Subscription Agreement Amendment adding Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Proposal ID MOSA number Microsoft to complete This Amendment
More informationBig Data for Mutuals. Marc Dautlich 25 November 2013
Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?
More informationDecision on adequate information system management. (Official Gazette 37/2010)
Decision on adequate information system management (Official Gazette 37/2010) Pursuant to Article 161, paragraph (1), item (3) of the Credit Institutions Act (Official Gazette 117/2008, 74/2009 and 153/2009)
More informationCCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING
CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law
More informationMicrosoft Online Services - Data Processing Agreement
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID This Amendment consists of
More informationFIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS
FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS As a world leader in electronic commerce and payment services, First Data Corporation and its subsidiaries ( First Data entity or entities ),
More informationFederal Act on Combating Money Laundering and Terrorist Financing in the Financial Sector 1
English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Combating Money Laundering and Terrorist
More informationAct no 41 on Insurance Mediation (2005-06-10)
Translation Translated January 2006 This translation is for information purposes only. Legal authenticity remains with the official Norwegian version as published in Norsk Lovtidend. Act no 41 on Insurance
More informationComments and proposals on the Chapter IV of the General Data Protection Regulation
Comments and proposals on the Chapter IV of the General Data Protection Regulation Ahead of the trialogue negotiations later this month, EDRi, Access, Panoptykon Bits of Freedom, FIPR and Privacy International
More informationGas Supplier Agreement. between. the Distribution Company. and. the Gas Supplier
Gas Supplier Agreement between the Distribution Company and the Gas Supplier (Version 2.0) Valid as from 6th June 2012 Non-binding translation TABLE OF CONTENTS 1. PARTIES TO THE AGREEMENT... 3 2. PURPOSE...
More informationRegulations on the obligation to provide information, the obligation to ensure compliance, and the right of inspection
Regulations on the obligation to provide information, the obligation to ensure compliance, and the right of inspection Laid down by the Ministry of Labour and Social Inclusion on 22 February 2008 pursuant
More informationThis interpretation of the revised Annex
Reprinted from PHARMACEUTICAL ENGINEERING The Official Magazine of ISPE July/August 2011, Vol. 31 No. 4 www.ispe.org Copyright ISPE 2011 The ISPE GAMP Community of Practice (COP) provides its interpretation
More informationSERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES
SERVICE SCHEDULE INFRASTRUCTURE AND PLATFORM SERVICES This Product Schedule Terms & Conditions is incorporated into a Services Agreement also comprising the General Terms and Conditions which the Customer
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( Agreement ) is by and between ( Covered Entity ) and Xelex Digital, LLC ( Business Associate ), and is effective as of. WHEREAS,
More informationData Protection Policy.
Data Protection Policy. Data Protection Policy Foreword 2 Foreword Ladies and Gentlemen, In the information age, we offer customers the means to be always connected, even in their cars. This requires data
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationPursuant to Convention No. 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data;
Decision No. 2011-316 dated 6 October 2011 adopting a standard for delivering privacy seals in audit procedures covering the protection of persons with regard to the processing of personal data The French
More informationCaedmon College Whitby
Caedmon College Whitby Data Protection and Information Security Policy College Governance Status This policy was re-issued in June 2014 and was adopted by the Governing Body on 26 June 2014. It will be
More informationSpillemyndigheden s Certification Programme Information Security Management System
SCP.03.00.EN.1.0 Table of contents Table of contents... 2 1 Objectives of the... 3 1.1 Scope of this document... 3 1.2 Version... 3 2 Certification... 3 2.1 Certification frequency... 3 2.1.1 Initial certification...
More informationColáiste Pobail Bheanntraí
Coláiste Pobail Bheanntraí Seskin Bantry, Co. Cork. Principal: Dr. Kevin Healy B.A, H.D.E, M.Ed, Ed.D Deputy Principal: Mr. Denis O Sullivan, BSc. (Ed.), H.D.E Phone: 027 56434 Fax: 027 56439 E-mail: admin@colaistepobailbheanntrai.com
More informationSigning the Contract - Contracture of People Managers
CERTIFICATION APPLICATION FOR AN ELECTRONIC DOCUMENT MANAGEMENT SYSTEM This form is reserved for agencies and brokers acting on their own account and for designers of EDM systems for those agencies and
More informationEstate Agents Authority
INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in
More informationPractical Overview on responsibilities of Data Protection Officers. Security measures
Practical Overview on responsibilities of Data Protection Officers Security measures Manuel Villaseca Spanish Data Protection Agency mvl@agpd.es Security measures Agenda: The rol of DPO on security measures
More informationCorporate Information Security Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationSTRATEGIC POLICY REQUIRED HARDWARE, SOFTWARE AND CONFIGURATION STANDARDS
Policy: Title: Status: ISP-S9 Use of Computers Policy Revised Information Security Policy Documentation STRATEGIC POLICY 1. Introduction 1.1. This information security policy document contains high-level
More informationPRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA
PRIVACY REGULATIONS regarding the Web Health History ("W.H.H.") Service called LifepassportPRO provided by Meshpass SA Updated: 20 Jun 2015 (substitutes previous versions) This Privacy Policy describes
More informationRecords Management Policy.doc
INDEX Pages 1. DESCRIPTORS... 1 2. KEY ROLE PLAYERS... 1 3. CORE FUNCTIONS OF THE RECORDS MANAGER... 1 4. CORE FUNCTIONS OF THE HEAD OF REGISTRIES... 1 5. PURPOSE... 2 6. OBJECTIVES... 2 7. POLICY... 2
More informationProcessor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries
Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.
More informationADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI-2010-1-v1.0
ADRI Advice on managing the recordkeeping risks associated with cloud computing ADRI-2010-1-v1.0 Version 1.0 29 July 2010 Advice on managing the recordkeeping risks associated with cloud computing 2 Copyright
More informationClause 1. Definitions and Interpretation
[Standard data protection [agreement/clauses] for the transfer of Personal Data from the University of Edinburgh (as Data Controller) to a Data Processor within the European Economic Area ] In this Agreement:-
More informationOffice 365 Data Processing Agreement with Model Clauses
Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationGmail Security - Concerns About Privacy
Office of Risk Management and Access to Information MEMORANDUM Tel.: (807) 343-8518; 343-8267 Fax: (807) 346-7735 Email: mshaw1@lakeheadu.ca TO: FROM: Inquirers about Lakehead University s Adoption of
More informationCork ETB Data Breach Management Policy and Procedures
Cork ETB Data Breach Management Policy and Procedures POLICY ON THE MANAGEMENT OF DATA BREACHES IN SCHOOLS/COLLEGES AND OTHER EDUCATION AND ADMINISTRATIVE CENTRES UNDER THE REMIT OF CORK EDUCATION AND
More informationBRING YOUR OWN DEVICE
BRING YOUR OWN DEVICE Legal Analysis & Practical TIPs for an effective BYOD corporate Policy CONTENTS 1. What is BYOD? 2. Benefits and risks of BYOD in Europe 3. BYOD and existing Policies 4. Legal issues
More informationWhite Paper Security. Data Protection and Security in School Management Systems
White Paper Security Data Protection and Security in School Management Systems This paper clarifies the roles and responsibilities of those dealing with the data that is central to school management systems.
More informationGRTGAZ NETWORK TRANSMISSION CONTRACT
Page 1 of 9 GRTGAZ NETWORK TRANSMISSION CONTRACT APPENDIX A3 STANDARD EVIDENCE AGREEMENT English translation for information. Disclaimer The present translation is not binding and is provided by GRTgaz
More informationRS Official Gazette, No 23/2013 and 113/2013
RS Official Gazette, No 23/2013 and 113/2013 Pursuant to Article 15, paragraph 1 and Article 63, paragraph 2 of the Law on the National Bank of Serbia (RS Official Gazette, Nos 72/2003, 55/2004, 85/2005
More informationTERMS & CONDITIONS of SERVICE for MSKnote. Refers to MSKnote Limited. Refers to you or your organisation
TERMS & CONDITIONS of SERVICE for MSKnote Definitions: "Us or Our or We or Company" You or Your or Client Refers to MSKnote Limited Refers to you or your organisation Information about us: We are MSKnote
More information<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129
Addendum Amendment ID Proposal ID Enrollment number Microsoft to complete This addendum ( Windows Azure Addendum ) is entered into between the parties identified on the signature form for the
More informationTransition Guidelines: Managing legacy data and information. November 2013 v.1.0
Transition Guidelines: Managing legacy data and information November 2013 v.1.0 Document Control Document history Date Version No. Description Author October 2013 November 2013 0.1 Draft Department of
More informationCAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD. Data Breach Management Policy. Adopted by Cavan and Monaghan Education Training Board
CAVAN AND MONAGHAN EDUCATION AND TRAINING BOARD Data Breach Management Policy Adopted by Cavan and Monaghan Education Training Board on 11 September 2013 Policy Safeguarding personally identifiable information
More informationIBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]
IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System
More informationHow To Use A Minicloud Server On An Ovh Cloud (For Free) For A Long Time
O V H SPECIAL CONDITIONS FOR MINICL0UD SOLUTIONS Version dated 31th May 2010 Definitions: Cloud: Technology aimed for the remote use of executing resources and storage. Loyalty scheme: A section in the
More informationDATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE
DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE 1. INTRODUCTION Annex C 1.1 Surrey Heath Borough Council (SHBC) processes personal data and must respond appropriately against unauthorised or unlawful
More informationRegulations concerning measures to combat money laundering and the financing of terrorism, etc.
Regulations concerning measures to combat money laundering and the financing of terrorism, etc. Translation as of April 2009. This translation is for information purposes only. Legal authenticity remains
More informationINSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES
SD 0880/10 INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES Laid before Tynwald 16 November 2010 Coming into operation 1 October 2010 The Supervisor, after consulting
More informationService Level Policy. San Diego Geographic Information Source. City and County of San Diego. by and between. and. Version 1.1 Revised January 12, 2011
Service Level Policy by and between San Diego Geographic Information Source and City and County of San Diego Version 1.1 Revised January 12, 2011 TABLE OF CONTENTS REVISION HISTORY... 3 INTRODUCTION...
More informationATMD Bird & Bird. Singapore Personal Data Protection Policy
ATMD Bird & Bird Singapore Personal Data Protection Policy Contents 1. PURPOSE 1 2. SCOPE 1 3. COMMITMENT TO COMPLY WITH DATA PROTECTION LAWS 1 4. PERSONAL DATA PROTECTION SAFEGUARDS 3 5. ATMDBB EXCEPTIONS:
More informationDistribution Agreement for the ENC Service by and between Norwegian Hydrographic Service and. Agreement No.:.. Version No.: 1.0
Distribution Agreement for the ENC Service by and between Norwegian Hydrographic Service and. Agreement No.:.. Version No.: 1.0 Contents: 1 Parties and relevant documents... 3 2 Definitions... 3 3 Grant
More informationTHE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING
THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON THE USE OF REMOTE TRADING Date and reference no. of approval/modification resolutions by the Board of Directors: Date and reference no. of approval by Supervisory
More informationINFORMATION TECHNOLOGY SECURITY STANDARDS
INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL
More informationThe Anti-Corruption Compliance Platform
The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop
More informationData Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
More informationHeslop & Platt Solicitors Limited
TERMS OF BUSINESS Heslop & Platt Solicitors Limited 1. Introduction and Definitions 1.1 In these terms of business, the following words and phrases have the following meanings: Initial Client Letter Client
More informationEnrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
More informationRules for the admission of shares to stock exchange listing (Listing Rules)
Rules for the admission of shares to stock exchange listing (Listing Rules) TABLE OF CONTENTS: 1. GENERAL... 3 2. CONDITIONS FOR ADMISSION TO LISTING... 3 2.1 GENERAL CONDITIONS... 3 2.1.1 Public interest,
More informationData Transfer Policy. Data Transfer Policy London Borough of Barnet
Data Transfer Policy Data Transfer Policy London Borough of Barnet Document Control POLICY NAME Data Transfer Policy Document Description Policy surrounding data transfers (electronic and paper based).
More informationIndicative Requirements for Cloud Service Providers. connect communicate collaborate
Requirements Document Cloud Services connect communicate collaborate www.geant.net This document has been produced with the financial assistance of the European Union. The contents of this document are
More informationCODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015
GOLDFIELDS MONEY LIMITED ACN 087 651 849 CODE OF CONDUCT as adopted by the Board of Directors on 20 February 2015 1. Purpose This Code of Conduct (Code) clearly states the standards of responsibility and
More informationHICAPS. Provider Agreement. Terms and Conditions
HICAPS Provider Agreement Terms and Conditions This agreement is made up of this booklet and the HICAPS Provider Agreement Details. HICAPS Pty Limited ABN 11 080 688 866 Terms and Conditions 1. Interpretation
More information1. Scope of application
Terms and conditions for electronic communication 1. Scope of application These terms and conditions apply to electronic communication undertaken by the Customer or the User using ebanking or telephone
More informationPAYMENT SERVICES AND SYSTEMS ACT (ZPlaSS) CHAPTER 1 GENERAL PROVISIONS SUBCHAPTER 1 CONTENT OF THE ACT. Article 1. (scope)
Legal notice All effort has been made to ensure the accuracy of this translation, which is based on the original Slovenian text. All translations of this kind may, nevertheless, be subject to a certain
More informationMicrosoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10
Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between
More informationEURODAC Central Unit. Inspection Report
EURODAC Central Unit Inspection Report June 2012 Case file: 2011-1103 INDEX 1. INTRODUCTION... 3 1.1 The EURODAC system... 3 1.2 EDPS supervision of the EURODAC Central Unit... 3 1.3 Scope of the inspection...
More informationQuality Assurance Agreement (QAA)
Quality Assurance Agreement (QAA) between W. GESSMANN GmbH Eppinger Str. 221, D-74211 Leingarten - hereafter "W. GESSMANN" - and Company Road, house number Postal code and city - hereafter called "Supplier"
More informationFinansinspektionen s Regulatory Code
Finansinspektionen s Regulatory Code Publisher: Finansinspektionen, Sweden, www.fi.se ISSN 1102-7460 This translation is furnished for information purposes only and is not itself a legal document. Finansinspektionen's
More informationUsing AWS in the context of Australian Privacy Considerations October 2015
Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More information