Data Protection
& The Cloud
We will start the webinar in just a moment.
Webinar Presenters
Miles Maier @LasaICT
Paul Ticher @PaulTicher
www.londoncouncils.gov.uk/grants
London Councils is committed to fighting for more resources for London and getting the best possible deal for London's 33 councils. London Councils has a
website about its grants service. To read about our grants funding and the work of some of the 300 groups we support
Supported by:
• London For All – partnership of LVSC, Lasa,
ROTA, WRC and HEAR
• Only pan-London charity tech advice service
• www.lvsc.org/londonforall/
About Lasa
• 30 years in the sector
• Technology leadership, publications, events
and consultancy
www.lasa.org.uk
• Welfare Rights
www.rightsnet.org.uk
Webinar Tips
• Ask questions
Post questions via chat or raise your virtual hand
• Interact
Respond to polls during webinar
• Focus
Avoid multitasking. You may just miss the best part of the
presentation
• Webinar PowerPoint & Recording
PowerPoint and recording links will be shared after the
webinar
Paul Ticher
• Data Protection expert, author and trainer
• Specialist in information management and
systems
• Many charity clients
Twitter: @PaulTicher
Data Protection webinar:
Using cloud services
15th April 2015
This presentation is intended to help you
understand aspects of the Data Protection
Act 1998 and related legislation.
It is not intended to provide detailed advice
on specific points, and is not necessarily a full
statement of the law.
Programme
• Where are the risks?
• Your Data Protection responsibilities
• What you should be doing, especially about:
– Security
– Transfers abroad
Alternative title:
Feel the fear
Do it anyway
(probably)
Cloud computing characteristics
• Cheap and flexible, especially for small organisations
• Available anywhere there is an internet connection
• Suppliers claim good security and service levels
• Based on:
– Standard offering, usually non-negotiable
– Shared facilities, controlled by the supplier
– Location of data irrelevant (and may be obscure)
– May be layers of sub-contract
Cloud examples
• Microsoft 365, Google Apps (office programs)
• Huddle, GoToMeeting, Skype (collaboration)
• Amazon (storage & processing capacity)
• Salesforce (contact management database)
• YouTube, Instagram (photo/video storage and sharing)
• MailChimp (bulk mailings)
• SurveyMonkey (online surveys)
• Social networking sites
Data Protection Principles
1. Data ‘processing’ must be ‘fair’ and legal
2. You must limit your use of data to the purpose(s)
you obtained it for
3. Data must be adequate, relevant & not excessive
4. Data must be accurate & up to date
5. Data must not be held longer than necessary
6. Data Subjects’ rights must be respected
7. You must have appropriate security
8. Special rules apply to transfers abroad
Ranking the risks
Principle | Risk rank | Comment
1. Fairness, 2. Limited purposes | Low (Medium) | No different from in-house considerations unless cloud provider also captures personal data for own purposes
3. Adequacy, 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality
5. Retention | Low | No different from in-house considerations
6. Data subject rights | Medium | Possible minor implications for subject access
7. Security | Very high | Significant additional risks from cloud computing
8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions
Data Controller / Data Processor
• “Data Controller” means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are … processed.
• “Data Processor” … means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller.
Data Processor requirements
A contract, ‘evidenced in writing’, covering at least:
• Setting out the relationship and how it will work
• Underpinning both parties’ security obligations
• Allowing the Data Controller to verify the Data Processor’s security
See also my checklist that includes:
• Limitations on transfers abroad and subcontracting
• Clear confidentiality obligations on Data Processor
• Requirement to inform of any breach
Principle 7: Security
• You must take steps to prevent:
– Unauthorised access
– Accidental loss or damage
• Your measures must be appropriate
• They must be technical and organisational
• You cannot transfer this responsibility to a Data Processor
The standard aims of security:
• Confidentiality
– Limits on access, depending on need to know
• Integrity
– No unintended or unauthorised modification
• Availability
– No accidental loss
– There when you need it
Security in the cloud
• ‘Data in transit’ vs ‘Data at rest’
• End-to-end – from the device to the depths of the cloud provider’s system
• Additional BYOD risks
• Personal vs corporate accounts
Cloud security breaches do occur
• British Pregnancy Advisory Service
– Website ‘contact us’ form
– Stored for five years – almost 10,000 records
– Admin password not changed from default
– Successfully hacked into and personal data stolen
• Aberdeen City Council
– Social worker working from home, with permission
– Computer set to sync with cloud storage location
– Cloud location not secure – personal data showed up in search
Security when the Data Processor
is a cloud provider
• Cannot be an afterthought
• Don’t just rely on the provider: you have responsibilities too
• Negotiated contract: require your supplier to take security precautions – and check that they have done so
• Standard terms and conditions: often non-negotiable – due diligence required
• Understand what you are checking
• Risk cannot be wholly eliminated
Guidance & recommendations: I
• Cyber Essentials
– UK government scheme – two levels
• Information Commissioner’s May 2014 report
• Open Web Application Security Project Top Ten
– Updated every three years (most recent 2013)
– More technical
Common points
• Firewalls & gateways
• Malware protection
• Secure configuration (including SSL and TLS)
• Access control
• Default credentials
• Patch management/software updates
• SQL injection
• Unnecessary services
• Password storage
• Inappropriate locations for processing data
Guidance & recommendations: II
• International standard – ISO 27001:2013
– check credentials of certifying company
– check relevance & scope (ISO 27000 Statement of Applicability)
• HMG Security Policy Framework (recently revised)
• CESG guidance on cloud security risk management
• COBIT
– Relates to US Sarbanes-Oxley Act
• ISAE3402 and SSAE16 (previously SAS70)
– Auditing process, not a security standard
Potential cost of a breach
• Notification to potentially affected individuals, if appropriate
• Assistance to potentially affected individuals
• Compensation for harm and associated distress
• Damage to business (including reputation)
• Data restoration
• Monetary penalty (up to £500,000)
Principle 8: Transfers abroad
• Transfers of data outside the European Economic Area are allowed if:
– the jurisdiction it is going to has an acceptable law
– the recipient in the USA is signed up to Safe Harbor
– a few other options
What else can go wrong?
• Loss of service
– at their end
– at your end
• Retrieving your data if the service ceases or you get into a dispute (Example: Charity Business)
• Proprietary formats for data storage
• Processes or contract terms which make the supplier a Data Controller in their own right
• Unclear ownership/location of data and the equipment it is stored on
• Unilateral changes in policy by provider
And finally …
• Most countries have laws allowing authorities to access data
• US Patriot Act: ostensibly anti-terrorist
– applies to US companies, wherever the data is held
– has also been used in non-terrorist cases
– supplier may not agree (or even be allowed) to inform customer of access
• Include in risk assessment
So what do you need to do?
• Get your own house in order
• Check the contract (or standard terms and conditions) very carefully on areas like:
– security and how it is guaranteed
– location of data (especially if it could be outside the EEA)
– liability/sub-contractors
– back-up/access
– copyright (e.g. Google)
• Use your findings to make and record a risk assessment and get authorisation to proceed
Further information
• Information Commissioner
– Guidance on cloud computing
– Analysis of top eight online security issues
• Data Protection and the Cloud
• Cloud computing: A practical introduction to the legal issues
• Watch out for EU updates on cloud computing and possibly standard contract terms
Resources 1
• Lasa Knowledgebase:
– www.ictknowledgebase.org.uk/dataprotectionactintroduction
– www.ictknowledgebase.org.uk/dataprotectionpolicies
• Cyber Essentials
– UK government scheme – two levels
• Information Commissioner’s May 2014 report
• Open Web Application Security Project Top Ten
– Updated every three years (most recent 2013)
– More technical
Follow-up questions:
paul@paulticher.com
LINKS TO SLIDES AND RECORDING SOON
HELP KEEP THIS SERVICE FREE BY COMPLETING THE
EVALUATION
Twitter @LasaICT

Lasa webinar data protection and the cloud