CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES




Slide 1: Cloud Computing for eHealth - Data Protection Issues
Global Forum 2009, ICT & The Future of the Internet - Monday, October 19th 2009
paolo.balboni@bakernet.com

Slide 2: Introduction & Structure
ENISA Working Group on Cloud Computing Risk Assessment (www.enisa.europa.eu)
- Step 1: The eHealth scenario
- Step 2: Legal issues
- Step 3: Focus on data protection issues
- Step 4: How to deal with them

Slide 3: eHealth Scenario (diagram)
Diagram labels: Home Patient with Multiple Chronic Disease; eHealth Service Providers; Cloud Computing Services Infrastructure (Federation); a. Monitoring; b. Personalised eHealth Prevention and Intervention Service Composition; c. Interaction through a Multimodal and Adaptable user interface.

Slide 4: Legal Key Issues
- Data Protection (Privacy)
- Confidentiality
- Intellectual Property
- Professional Negligence
- Outsourcing Services / Change of Control

Slide 5: Focus on Data Protection Issues
Data Protection Directive 95/46/EC. The EU Member States' provisions by which the Directive has been implemented apply:
- to the processing of personal data, including data held abroad, where the processing is performed by any entity established either in the Member State territory or in a place that is under the Member State's sovereignty;
- to the processing of personal data performed by an entity established outside the EU that, for purposes of processing, makes use of equipment, automated or otherwise, situated in the territory of a Member State, unless such equipment is used only for purposes of transit through said territory.
The place of processing of the personal data and the habitual residence of the data subject are not relevant!!!

Slide 6: Definitions (1/3)
'Personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
'Sensitive data' shall mean personal data allowing the disclosure of racial or ethnic origin, religious, philosophical or other beliefs, political opinions, membership of parties, trade unions, associations or organizations of a religious, philosophical, political or trade-unionist character, as well as personal data disclosing health and sex life.

Slide 7: Definitions (2/3)
'Processing' shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Slide 8: Definitions (3/3)
'Controller' shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
'Processor' shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Controller -> eHealth Service Provider
External Processor / Controller -> Cloud Provider
Clarifications are needed on this from the Art. 29 Data Protection Working Party.

Slide 9: Data Protection Roles (diagram)
Diagram labels: Data subjects = Home Patient with Multiple Chronic Disease; Controllers = eHealth Service Providers; External Processors = Cloud Computing Services Infrastructure (Federation); a. Monitoring; b. Personalised eHealth Prevention and Intervention Service Composition; c. Interaction through a Multimodal and Adaptable user interface.

Slide 10: Controller's Duties & Obligations
- Principles of lawfulness, finality, proportionality, and data minimization
- Information notice and consent
- Data security measures
- Data subject's rights
- Data transfer to 3rd parties/countries (Consent / Standard Model Clauses)

Slide 11: Possible Sanctions
Failure to comply with data protection law may lead to administrative, civil and also criminal sanctions for the Data Controller, which vary from country to country. Such sanctions are mainly detailed in the relevant statutory instruments by which Directive 95/46/EC has been implemented in the various EU Member States.

Slide 12: How to deal with data protection issues
The issues defined above may all be dealt with contractually. In the contract between the eHealth Service Provider and the Cloud Provider, a Data Protection/Privacy clause has to be included. This clause should set forth the relevant parties' duties and obligations. In such a clause there should be a reference to:
- Scope(s) of the processing
- Information notice and consent
- Data security measures (SLAs / Annexes)
- Data subject's rights
- Data transfer to 3rd parties/countries (Consent / Standard Model Clauses)
- Penalties (possibly)
- Termination clause (possibly)

Slide 13: Q & A
Thank you very much for your attention & keep an eye on the output of the ENISA Working Group on Cloud Computing (www.enisa.europa.eu).
paolo.balboni@bakernet.com
www.paolobalboni.eu