Guidelines for Outsourcing, Offshoring, and Cloud Services

Transcription

1 Preview Guidelines fr Outsurcing, Offshring, and Clud Services Frewrd Data security and data prtectin challenges arise in mst utsurcing and ffshring transactins, particularly where services are clud based. Unfrtunately, these challenges are ften reslved at the last minute, resulting in higher csts, unwieldy slutins and the increased prspect f regulatry interventin. In many cases, data gvernance issues are nt addressed early enugh because the parties d nt knw where t begin the dialgue r hw t identify relevant cncerns. There is little practical guidance in the market which addresses bth data security and data prtectin issues in the cntext f internatinal utsurcing and ffshring transactins. The advent f the prvisin f cludbased services is bringing these issues int sharp fcus. The dcument is a result f the cperatin between ICT Nrway and Intellect (a UK technlgy industry trade assciatin), with the cntributin frm several representatives frm bth private and public sectr. Deserving special mentin in this respect are the fllwing players: Accenture AS, Evry AS, the Financial Supervisry Authrity f Nrway, Itera ASA, Lgica Nrge AS, Micrsft Nrge AS, the Natinal Archives f Nrway, NrSIS and Sparebank1. Our main intentin with this dcument is merely t prvide parties with relevant and practical guidelines describing the steps that culd r need t be taken in rder t increase the level f cmpliance and t reduce the level f unwanted expsure. It is imprtant t nte that infrmatin prvided in these guidelines is nt intended nr recmmended as a substitute fr prfessinal, legal r ther advice. We have deliberately fcused n data privacy matters in the cntext f utsurcing and ffshring transactins, as this is highly relevant fr many parties invlved. Hwever, it is imprtant t nte that different kinds f transactins in mst cases will als give rise t ther legal matters in additin t data privacy matters in crssbrder situatins. Therefre we prvide a sectin with a legal verview f the sectr specific regulatins that may be f relevance depending n the characteristics f the transactin (cf. Sectin 4 Legislatin verview (Nrway)). The verview may be expanded with a mre indepth analysis upn request and/r in a later editin f these guidelines. If s happens, the analysis and specific guidelines regarding sectr specific regulatins may be added as schedules t this main dcument. Accrdingly, an example f the structure f the dcument wuld be as shwn in the figure belw: MAIN DOCUMENT SCHEDULE 1: BANKING AND FINANCIAL DATA SCHEDULE 2: INFORMATION SECURITY SCHEDULE 3: ARCHIVING SCHEDULE 4: (TBD) We feel that wider debate f these matters, frm bth a security and a data prtectin perspective and fr all the phases in the utsurcing lifecycle, will ensure that these issues are dealt with pragmatically and cnstructively in the future; particularly as clud cmputing achieves wider prminence. Hpefully, these guidelines will encurage parties t discuss these cmplex challenges as early as pssible in the utsurcing lifecycle.

2 Cntents 1. Intrductin t the guidelines Key data issues The utsurcing and ffshring lifecycle data prtectin and security bligatins Legislatin verview (Nrway) Checklist 10 Phase 1. Analyse 10 Phase 2. Scpe and select 17 Phase 3. Cntract 22 Phase 4. Implement 23 Phase 5. Manage steady state 25 Phase 6. Terminatin, transfer r stepin 27 Phase 7. Exit 29 Appendix A: List f useful standards 30 Appendix B: Data prtectin laws in key jurisdictins 31 Appendix C: EU Security Breach Ntificatin Requirements 35 Appendix D: Glssary 37 Appendix E: List f useful guidance dcuments 39 Appendix F: Examples f cmmnly used ICTcntract mdels fr in NORWAY 41

3 1. Intrductin t the guidelines What are the guidelines? Data security and data prtectin requirements frequently trigger frictin and frustratin in internatinal utsurcing and ffshring transactins. T ften, this is because the parties d nt understand their respective bligatins r are unable t identify and fcus n the key issues. This set f guidelines will encurage vendrs and custmers t wrk tgether t anticipate and address the data security and data prtectin issues which may affect the success f their utsurcing prjects. The guidelines als seek t eliminate last minute frustratins by prviding bth custmer and vendr with a clear verview f the types f issues which arise, the stage f the prject at which they can mst easily be addressed, and indicating which party is best placed (r legally bliged) t deal with the issues. Key definitins and explanatins Fr ease f reference we include belw sme definitins and explanatins f a limited selectin f the mst imprtant terms that are being used in these guidelines. Fr further clarificatin f terms and phrases being used thrughut this dcument, please see the Glssary in Appendix D and als Appendix B fr explanatins f the mst cmmn terms related t data privacy. Outsurcing: Mst cmmnly the term utsurcing refers t the transmissin f services, prductin, prcesses r activities t an external prvider. The term is ften used tgether with a descriptin f what services, prcesses etc. that are being utsurced. Fr example, scalled business prcess utsurcing typically includes transmissin f HR functins and assciated peratinal activities t a third party. Amng many ther examples are IT infrastructure utsurcing and IT applicatin management utsurcing. Offshring: Offshring as referred t in this dcument means the relcatin f services, prductin, prcesses r activities frm ne cuntry t anther. As fr the relatinship t the term utsurcing as explained abve; when the ffshred services, prcesses etc. are being transferred t an external prvider in that ther cuntry, the situatin may be described as ffshre utsurcing (as ppsed t nshre utsurcing where the utsurcing is perfrmed within ne cuntry). It may be the case that the ther cuntry is nt ffshre in the strictest sense f the wrd, fr example the ther cuntry may be a nearby cuntry, ften sharing a brder, where bth parties expect t benefit frm ne r mre f the fllwing dimensins f prximity: gegraphic, tempral (time zne), cultural, linguistic, ecnmic, plitical, r histrical linkages. In these cases the term nearshring may be used. Clud: Accrding t the fficial Natinal Institute f Standards and Technlgy's (NIST) definitin, "clud cmputing is a mdel fr enabling ubiquitus, cnvenient, ndemand netwrk access t a shared pl f cnfigurable cmputing resurces (e.g., netwrks, servers, strage, applicatins and services) that can be rapidly prvisined and released with minimal management effrt r service prvider interactin." The NIST definitin lists five essential characteristics f clud cmputing: ndemand selfservice, brad netwrk access, resurce pling, rapid elasticity r expansin, and measured service. The terms Clud, Clud cmputing and Clud services are in this dcument interchangeable terms unless therwise specified r bvius cnsidering the cntext.examples f service mdels fr Clud cmputing : Sftware as a Service ( SaaS ), which is a mdel f sftware deplyment ver a netwrk where the custmer uses the prvider s applicatin(s) n a clud infrastructure; Platfrm as a Service where the custmer deplys custmercreated/acquired applicatins nt the prvider s clud infrastructure using prgramming languages and tls supprted by the prvider; and Infrastructure as a Service ( IaaS ) which refers t the delivery f cmputer infrastructure as a service ver a netwrk. Clud is related t ffshring in the sense that the external prvider and its servers may be situated in anther cuntry than the user. Als, Clud is related t utsurcing in the sense that the delivery f clud services may be a way f the Custmer t utsurce sme f its services, prductin, prcesses r activities t an external prvider.

4 Persnal data: Data that relates t a living individual wh can be identified frm thse data, r frm thse data and ther data in the pssessin f the data cntrller (cfr. belw). Data cntrller: Persn/cmpany wh determines hw and fr which purpses persnal data is t be prcessed. Often the Custmer is the riginal data cntrller wh wishes t utsurce the prcessing (and ccasinally) cntrl functins t a third party vendr. The prcessr may be situated in anther cuntry ( ffshre ). Please nte that the categrizatin f data cntrller and data prcessr (cfr. belw) may be difficult, and that there are substantially different legal requirements applicable depending n whether the party is a data cntrller r a data prcessr. Data prcessr: Any persn/cmpany, ther than an emplyee f the data cntrller (r that the data cntrller has the pwer t instruct), wh utilises r prcesses persnal data n behalf f the data cntrller, fr example as part f an utsurcing agreement. The prcessr may be situated in anther cuntry ( ffshre ). Please nte that the categrizatin f data cntrller (cfr. abve) and data prcessr may be difficult, and that there are substantially different legal requirements applicable depending n whether the party is a data cntrller r a data prcessr. Why are the guidelines imprtant? In recent years, the media has been inundated with stries relating t data breaches in bth the public and private sectrs. In respnse t the public s cncerns abut the security f their data, EU regulatrs have becme mre practive in raising awareness f individual s rights and enfrcing cmpliance. In turn rganisatins are becming increasingly mre fcused n addressing data security and data prtectin issues, recgnising that data is ften an rganisatin s mst valuable asset. Failure t cmply with the data security and data prtectin regulatry framewrk may: expse an rganisatin t financial risk (eg. delayed implementatin and/r the csts f remedying a breach); result in damage t an rganisatin s reputatin the regulatrs are quick t publicise data breaches in the press which may cmprmise trust in an rganisatin; result in enfrcement actin (eg. an rganisatin may be prevented frm prcessing data, r be required t implement cmpliant practices); expse an rganisatin t civil penalties (eg. fines by regulatrs); result in an rganisatin s fficers and directrs being cnvicted f a criminal ffence. Mst utsurcing prjects require data t be transferred frm custmer t vendr, frequently n an internatinal basis. Data security and data prtectin laws affect hw data may be transferred between the parties. Increases in glbal data use and technlgical develpments have made data security and data prtectin challenging. An additinal level f cmplexity arises where the data are transferred between multiple jurisdictins, particularly where the vendr utilises a cludbased infrastructure. Many f the bligatins rest with the custmer, as wner f the data; hwever, in an utsurcing cntext, custmers (unlike vendrs) d nt usually deal with data issues. This can result in misunderstanding f data security and data prtectin requirements. It is essential that data security and data prtectin cnsideratins are included in the initial vendr due diligence. Bth the custmer and the vendr shuld carefully analyse the prpsed slutin t ensure regulatry cmpliance issues are addressed. Crucially, if identified early in the utsurcing prcess, data issues can be dealt with in a practical, cmpliant and efficient manner. If ignred during the early stages f an utsurcing prject, data issues can delay implementatin r even require fundamental rethinking f the structure f the data prcessing activity. Hw d the guidelines wrk? These guidelines ffer a checklist f cmmn data security and data prtectin issues, structured arund an utsurcing transactin and addressing ffshre and clud aspects where applicable. The guidelines identify issues that typically arise at each f the stages f the utsurcing lifecycle and indicate which party (custmer r vendr) is usually respnsible fr dealing with the issues. The early visibility f issues determines the expectatins f bth custmer and vendr, enabling bth parties t anticipate and begin t address data issues frm the utset f the prject. This leadtime can be critical t develping efficient and csteffective slutins t issues.

5 Wh shuld use the guidelines? This set f guidelines is intended fr custmers wh, typically, d nt deal as ften as vendrs with the data security and data prtectin issues that arise in an utsurcing cntext. The guidelines will als be a useful tl fr vendrs. They prvide a resurce fr enabling the parties t wrk cllabratively t address at an early stage issues which, if ignred, can cause unnecessary and unfreseen csts and delays later in the prject. The guidelines will be relevant fr parties wrking in bth public and private sectr. Increases in glbal data use and technlgical develpments have made data security and data prtectin mre challenging. An additinal level f cmplexity arises where the data are transferred between multiple jurisdictins, such as when a vendr utilises a cludbased infrastructure. Fr what types f prjects shuld the guidelines be cnsulted? The guidelines shuld be cnsulted fr all utsurcing prjects which invlve data prcessing. They will be particularly useful where persnal data relating t individuals are prcessed. Eurpean data prtectin laws require careful cnsideratin f data security and data prtectin issues in an utsurcing cntext, especially where persnal data are transferred utside the EU, r int the clud. Several nneurpean jurisdictins als have either cmprehensive r sectral data prtectin laws and regulatins, such as India, Ukraine, China, Russia and the United States f America. Resurces relating t the data prtectin laws in key utsurcing jurisdictins are set ut in Appendix B. In additin, Appendix C prvides an verview f emerging EU data breach laws.