Data Privacy in the Cloud E-Government Perspective

Similar documents
Article 29 Working Party Issues Opinion on Cloud Computing

The Austrian Citizen Card

Cloud Service Contracts: An Issue of Trust

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April Panel IV: Privacy and Cloud Computing

D . A reliable and secure online communication platform. Armin Wappenschmidt (secunet) More information:

Johnson Controls Privacy Notice

Cloud Computing: Legal Risks and Best Practices

The supplier shall have appropriate policies and procedures in place to ensure compliance with

Resolution Database Privacy preserving based Single-Signon

Office 365 Data Processing Agreement with Model Clauses

Recommendations for companies planning to use Cloud computing services

IT-Security All safe and sound?

TECHNICAL SPECIFICATION: SECURE LEGISLATION-AWARE STORAGE SOLUTION

Government Use of Cloud Computing Legal Challenges

Cloud Computing and Data Protection Compliance - Experiences from Norway

Lots of clouds: a stormy weather for information privacy?

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Data Protection Act Guidance on the use of cloud computing

Privacy Rights Management Using DRM Is this a good idea?

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

BRING YOUR OWN DEVICE

New Relic EU Data Protection Whitepaper

Secure Information Technology Center Signature verification and digital services

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

HIPAA CRITICAL AREAS TECHNICAL SECURITY FOCUS FOR CLOUD DEPLOYMENT

Cloud Security Introduction and Overview

Cloud Computing and Records Management

Presentation by: Dr. Nathalie Moreno Partner. Cloud Computing and Data Protection: an Update 4 October 2012

Cloud for Europe trusted Cloud Services for the European market for public administrations

Cloud Computing and Privacy Laws! Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Data Processing Agreement for Oracle Cloud Services

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

<Choose> Addendum Windows Azure Data Processing Agreement Amendment ID M129

The Austrian Citizen Card

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

ECSA EuroCloud Star Audit Data Privacy Audit Guide

EXIN Cloud Computing Foundation

Digital Continuity Plan

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

Secure Data Sharing and Processing in Heterogeneous Clouds. Bojan Suzic, Graz University of Technology

AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

The problem of cloud data governance

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Cloud Computing Governance & Security. Security Risks in the Cloud

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

MIS Privacy Statement. Our Privacy Commitments

Digital signature and e-government: legal framework and opportunities. Raúl Rubio Baker & McKenzie

E-COMMERCE GOES MOBILE: SEEKING COMPETITIVENESS THROUGH PRIVACY

Astaro Services AG Rheinweg 7, CH-8200 Schaffhausen. Supplementary data protection agreement. to the license agreement for license ID: between

Data Protection Policy.

Data Sharing Protocol

Data protection issues on an EU outsourcing

Cloud Computing. by Civic Consulting (research conducted October 2011 January 2012)

Information Security Risks when going cloud. How to deal with data security: an EU perspective.

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Summary Report Report # 1. Security Challenges of Cross-Border Use of Cloud Services under Special Consideration of ENISA s Contributions

Expert Meeting on CYBERLAWS AND REGULATIONS FOR ENHANCING E-COMMERCE: INCLUDING CASE STUDIES AND LESSONS LEARNED March 2015.

The potential legal consequences of a personal data breach

Smart Open Services for European Patients Open ehealth initiative for a European large scale pilot of patient summary and electronic prescription

Corporate Policy. Data Protection for Data of Customers & Partners.

Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market

Privacy Policy. 1. Principle

TECHNICAL SPECIFICATION: LEGISLATION EXECUTING CLOUD SERVICES

DS : Trust eservices. The policy context: eidas Regulation

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Information Security: Cloud Computing

Cloud Security Trust Cisco to Protect Your Data

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

August Report on Cloud Computing and the Law for UK FE and HE (An Overview)

How To Protect Your Data In European Law

Data Protection and Cloud Computing: an Overview of the Legal Issues

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Cloud computing and the legal framework

CLOUD SERVICES RHUL CODE OF PRACTICE. Cloud Services RHUL Code of Practice

Multi-Jurisdictional Study: Cloud Computing Legal Requirements. Julien Debussche Associate January 2015

PRIVACY AND DATA SECURITY MODULE

International Working Group on Data Protection in Telecommunications

Chapter 1: Introduction

The HR Skinny: Effectively managing international employee data flows

ISMS Implementation Guide

Boosting Productivity and Innovation Through. Public Sector Compliant Cloud Services

Online/Cloud Services Trust challenges & eidentity-aspects

Matthias Hauss- SRC Security Research & Consulting GmbH October PCI DSS Requirements in the Context of European Data Protection Law

Delivery date: 18 October 2014

Brainloop Cloud Security

Cloud Computing: Implications and Guidelines for Records Management in Kentucky State Government

LATISYS SAFE HARBOR POLICY

Indicative Requirements for Cloud Service Providers. connect communicate collaborate

How To Manage Cloud Data Safely

EU Cross-border e-id & Safety Services Antonio Skarmeta Gómez Universidad de Murcia. IPv6@GOV workshop Brussels, January, 2013

SECURITY MEASURES RELATED WITH DATA PROTECTION. A PRACTICAL APPROACH: THE IMPORTANCE OF THE ORGANIZATIONAL MEASURES

Privacy & Big Data: Enable Big Data Analytics with Privacy by Design. Datenschutz-Vereinigung von Luxemburg Ronald Koorn DRAFT VERSION 8 March 2014

Secure Cloud Identity Wallet

Office of the Data Protection Commissioner of The Bahamas. Data Protection (Privacy of Personal Information) Act, A Guide for Data Controllers

The NREN s core activities are in providing network and associated services to its user community that usually comprises:

Transcription:

Data Privacy in the Cloud E-Government Perspective Herbert Leitold; EGIZ, A-SIT International Cloud Symposium 2011, Panel on Data Privacy and the Role Policy Plays in Defining Trust Requirements Ditton Manor, Slough, October 14 th, 2011

Outline Austrian Approach Position Paper by Platform Digital Austria Main Findings on Privacy and Policy Challenges Relation to EU Initiatives How can eid fit in?

Position paper Platform Digital Austria Coordination and Strategy Committee of the Federal Government for egovernment in Austria AG Cloud whitepaper (unpublished) on Legal Structural Economic Technical Business Process aspects, effects, opportunities, and risks

Cloud and Government IT?

Overview of Findings legal - Data protection issues,... - Influence on contract,... - Procurement law economical + Standardization of IT infrastructure and services,... - Functional adaptation cost adjustments, +/- Operating costs vs. capital costs structural technical + Faster service provisioning + Standardization, scalability,.. + Flexible bandwidth,... - Identity management - LockIn effects - Technical audit,... - Silo solutions - Compliance with governance rules,...

Legal Aspects Public Cloud: - processing of personal data largely excluded, - no possibility of contractual adjustment - Take it or leave it contracts Virtual Private Cloud: - minor customization options compared to public cloud Private Cloud: - offers the best conditions to meet data protection non-personal or not very sensitive data are an option for Cloud usage Contractual issues, procurement law issues!

Data protection issues (1) Controller vs. processor (as of EU Data Protection Directive) Controller remains responsible and accountable: Data security measures: protection against accidental or unlawful destruction; unauthorized access; access logs Data subject rights: information, deletion, correction, objection can be hard to achieve with existing clouds Cross-border transfer Defined within EEA (and with a few countries where comparable levels of protection of personal data are found) Prior authorization by DPA otherwise Generally prohibited in a few cases

Data protection issues (2) Applicable law in cross-border transfer Controller has to fulfill domestic obligations For cross-border permissions, the foreign processor needs to declare adherence to that obligations Clouds possibly operating under various legislations Further complexity with off-shoring Aspects to be considered Access: Subject s information rights Destruction: Defined policies? Residual copies? Retention: How long remains data in the cloud? Compliance: Against what? Audit: Periodic inspections?

E-Government may be Informational processes e.g. law information system no immediate data protection dimension Transactional processes Processing personal data Authentication / quality eid plays a major role

eid Cloud something new? It is changing some of the basic assumptions The one to one model CLIENT-SERVER is no more possible it is CLIENT - CLOUD - SERVER for legal, contractual, technology considerations for data protection and privacy considerations Yet there is a big difference encryption/crypto-based confidentiality hardly possible user control on the physical level non-existent

Cloud impacting eid? New approaches (like eid) must be cloud compatible From the point of view of security From the point of view of privacy and intellectual property protection We might possibly need to twist on both ends In the eid domain In the cloud domain To yield contractual, legal/regulatory, commercial and technical acceptance

National strategy alone? Digital Agenda for Europe www.oasis-open.org

STORK on EU eid interop. Interoperability framework on top of national eid infrastructure To a large extend relies on MS-to-MS trust SP trusting MS PEPS MS-to-MS protocol shielding IdPs Different in MW-model How can a Cloud fit in?

Conclusions Cloud Computing on E-Government radar Promises of cost reductions Thus might assist getting efficiency gains Legal, technical, organizational issues Citizen s personal data in transactional services May not interfere with citizen fundamental rights Challenging with current public cloud contracts Quality eid in the Cloud to be addressed

Thank You! Herbert.Leitold@a-sit.at

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information