THOMAS R FINNERAN PRINCIPAL CONSULTANT - IDENNEDY PROJECT



Similar documents
Council Policy. Records & Information Management

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

Protecting Official Records as Evidence in the Cloud Environment. Anne Thurston

Breaking Down the Silos: A 21st Century Approach to Information Governance. May 2015

Electronic Documents: is any electronic media content that is intended to be used in either an electronic form or as printed output.

Scotland s Commissioner for Children and Young People Records Management Policy

SOUTHWEST VIRGINIA COMMUNITY COLLEGE RECORDS MANAGEMENT POLICY

What We ll Cover. Defensible Disposal of Records and Information Litigation Holds Information Governance the future of records management programs

3. Ensure the management of information is compliant with legislative requirements to maximise the benefits and minimise risks;

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policies. Version 6.1

Cloud Computing and Records Management

Data Governance Policy. Staff Only Students Only Staff and Students. Vice-Chancellor

From Information Management to Information Governance: The New Paradigm

California State University, Sacramento INFORMATION SECURITY PROGRAM

Life Cycle of Records

Management: A Guide For Harvard Administrators

Protection. Code of Practice. of Personal Data RPC001147_EN_WB_L_1

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention

Privacy Policy Version 1.0, 1 st of May 2016

Information Circular

ADRI. Advice on managing the recordkeeping risks associated with cloud computing. ADRI v1.0

Cloud Service Contracts: An Issue of Trust

Retention & Disposition in the Cloud Do you really have control?

Online Lead Generation: Data Security Best Practices

Information and Compliance Management Information Management Policy

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Staffordshire County Council. Records Retention and Disposal Policy

OFFICIAL. NCC Records Management and Disposal Policy

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

XIT CLOUD SOLUTIONS LIMITED

This agreement applies to all users of Historica Canada websites and other social media tools ( social media tools or social media channels ).

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

Legal Issues Associated with Cloud Computing. Laurin H. Mills May 13, 2009

TERRITORY RECORDS OFFICE BUSINESS SYSTEMS AND DIGITAL RECORDKEEPING FUNCTIONALITY ASSESSMENT TOOL

The potential legal consequences of a personal data breach

Data Protection Act Bring your own device (BYOD)

DATA PROTECTION REQUIREMENTS FOR ATTENDANCE VERIFICATION SYSTEMS (AVSs)

Rowan University Data Governance Policy

Considerations for Outsourcing Records Storage to the Cloud

Third Party Security Requirements Policy

The Use of Cloud Computing for the Storing and Accessing of Client Information: Some Practical and Ethical Considerations

DISCIPLINE DATA GOVERNANCE GOVERN PLAN IMPLEMENT

Privacy and Cloud Computing for Australian Government Agencies

5 FAM 630 DATA MANAGEMENT POLICY

Information Governance Framework. June 2015

Management of Research Data Procedure

Cloud Computing: Legal Risks and Best Practices

Big Data for Mutuals. Marc Dautlich 25 November 2013

Privacy Policy. If you have questions or complaints regarding our Privacy Policy or practices, please see Contact Us. Introduction

Central Agency for Information Technology

Information and records management. Purpose. Scope. Policy

This form may not be modified without prior approval from the Department of Justice.

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

ADMINISTRATIVE DATA MANAGEMENT AND ACCESS POLICY

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Enterprise Data Governance

Business Associate Agreement

Data Processing Agreement for Oracle Cloud Services

Cloud Computing. Cloud Computing An insight in the Governance & Security aspects

The Manitoba Child Care Association PRIVACY POLICY

Guideline 1. Cloud Computing Decision Making. Public Record Office Victoria Cloud Computing Policy. Version Number: 1.0. Issue Date: 26/06/2013

ESI Incident Response Procedures 1

John Essner, CISO Office of Information Technology State of New Jersey

The legal admissibility of information stored on electronic document management systems

Protection. Code of Practice. of Personal Data RPC001147_EN_D_19

Gatekeeper PKI Framework. February Registration Authority Operations Manual Review Criteria

Information Security Program Management Standard

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Approved By: Agency Name Management

Troy Cablevision, Inc. Subscriber Privacy Policy

WEST LOTHIAN COUNCIL RECORDS MANAGEMENT POLICY. Data Label: Public

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

Real World Strategies for Migrating and Decommissioning Legacy Applications

Zinc Recruitment Pty Ltd Privacy Policy

ASSURANCE OF DISCONTINUANCE. The Office of the Attorney General of the State of New York (sometimes referred to as

How Microsoft is taking Privacy by Design to Work. Alan Chan National Technology Officer Microsoft Hong Kong 7 May 2015

Document Management Policy

Fundamentals of Information Governance:

Transcription:

Privacy Engineering for Cloud and Geolocation and Data Governance THOMAS R FINNERAN PRINCIPAL CONSULTANT - IDENNEDY PROJECT

Some Privacy Requirement Questions related to the Cloud How does Cloud Provider handle encryption and encrypted data? Does our user have exclusive access to his or her data? Does our data get commingled with other people s data? Is the commingling managed effectively? Can our user access all of his or her data whenever needed? Does the cloud provider satisfy all compliance requirements including OEDC, FIPPS, GAPP, specific statutory regulations for all jurisdictions, or all enterprise privacy policies? Is data stored so as to be physically protected? Can data be transferred without the knowledge of the cloud provider or the data manager/owner? Are the laws and regulations of all relevant jurisdictions satisfied? 2ta

Some Privacy Requirement Questions (Continued) Can our archiving strategies the enforced within the cloud? Can we be assured that appropriate data is deleted whereever stored so as not to be subject to a subpoena or a search warrant? Does the cloud provider manage the data that it stores for its own or someone else s purposes? Is the cloud provider fully auditable? Does a cloud provider provide breach notification according to our privacy policies as well as statutory requirements of all jurisdictions affected? Is the overall cloud provider authentication and authorization sufficient? Can a cloud provider provide data transfer capability and sufficient security to satisfy data transfer requirements, including to third parties? 3

Some Privacy Requirement Questions related to the Geolocation Data Purpose / Necessity: Collection and use of geolocation data limited only for the necessary and appropriate use of our systems. Ensure that no data use will damage or embarrass a person impacted by our systems. Openness / Notice: Define a Notice Statement explaining to system users how geolocation data will be used, collected, protected, retained, kept accurate, accessed, corrected, and otherwise processed. All notice requirements satisfy statutory or regulatory requirements of all jurisdictions. Choice/Consent: Choices concerning geolocation collection and use must be clear and not easily ignored. Defaults must be explained clearly and limit not broaden collection and use of geolocation data. Transfer: Geolocation data transferred to and from a third-party must be adequately protected like contract, administrative, technical, logical and physical means. Ensure all data transfer complies with laws and regulations of all jurisdictions where transfer is from or to. Ensure third parties to whom data is transferred to our vetted from a privacy and security controls perspective. 4

Some Privacy Requirement Questions related to the Geolocation Data (Cont d) Access, Correction, Deletion: Ensure that users have a means of accessing personal geolocation information that has been collected about them. Ensure that rules concerning correction and deletion are in compliance with laws and regulations of all jurisdictions. Security: Ensure that all system users are authenticated and can only perform functions for which they are authorized. Use every technology, statistical methodology, and physical security procedure at our disposal to protect the geolocation data of all data subjects. Minimization/Proportionality: Collect and process only the minimum necessary geolocation data to achieve the identified, legitimate intended purposes. Collect and process geolocation data that is proportional to need, purpose, and sensitivity of the information sought. Retention: Retain geolocation data only as long as it is required. Ensure that the archiving rules for each date attribute are well-established. Consider data destruction tactics such as degaussing or permanently encrypting and destroying keys or overwriting data after the specific deadline. 5

Data Governance / Stewardship ensures Privacy Requirements are included within our systems 6

What is Data Governance? Management is the decisions you make. Governance is the structure for making them. CIO Magazine September 2002 Data Governance: Is a strategic, top-down program in which leadership communicates the core value of data quality and integrity. Includes development and enforcement of standards and procedures. Requires broad understanding of upstream and downstream stakeholders, systems, and processes for all decisions and issue-resolution. Requires executive sponsors to provide support for their business data stewards.

What is Data Stewardship? Data stewardship increases business communications and productivity through business driven and commonly defined data." - Larry English Data Stewardship The willingness to be accountable for a set of business information for the wellbeing of the larger organization by operating in service of those around us rather than in control. Stewardship is not ownership. An owner possesses the rights to something. A steward has accountability for managing something that belongs to someone else. Shareholders who own the tangible assets of the corporation also own the information assets. All employees, then, are stewards of the information assets.

Stewardship The key to Data Quality Data Quality can be maintained by means of: Data Producer Stewards are Business People responsible for: Appropriate Data Content Maintenance Quality Appropriate Business Rules Data Usage Stewards are Business People responsible for: Appropriate Data Content Use Quality Appropriate Business Rules Appropriate Presentation Vehicle (e.g., Would graphical representation or even video be better?) Aesthetics Data Administration are IT responsible for: Data Acquisition Data Organizing/Classifying Data Storage & Distribution Data Archiving Data Management (Metadata) Tool Administration Including Privacy Rules Including Privacy Rules

Data Governance / Stewardship Include Privacy Knowledge throughout Data Stewardship Process Data Stewards Data Analysts / Modelers Management

Questions and More Questions

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information