privacy and Data protection(cloud privacy and security)

profileSangeeth08
ITC568_201860_Wk7_DataAndPrivacy_2.pptx

ITC568 Cloud Privacy and Security

Privacy, Data and Jurisdiction

Week 7

Dr Peter White

Evaluate the privacy requirements for digital identities

Evaluate the privacy requirements for data

Evaluate data for sensitivity, location and jurisdictional issues

Agenda

© Peter White, 2017

2

We’ve looked at some of the privacy requirements for PII data in the previous lecture

But these are the basic requirements and they may differ in different jurisdictions

© Peter White, 2017

3

PII Data and Privacy

Data that is stored in a cloud environment can be easily copied to different locations in order to provide:

Backup

DR & BCP

Archiving

High Availability,

Multi-cloud support, etc.

This may mean that the data is subject to more than one nation’s laws, if the data is moved beyond national boundaries

Additional, and different, legal obligations may apply to the data regarding privacy, data security, breach notification

© Peter White, 2017

4

Jurisdiction

Public Cloud providers rely on a network of data centres in multiple global locations to provide flexibility and cost effectiveness

This can lead organisations to:

Err on the side of caution and keep all data in their home jurisdiction. This can lead to

A loss of flexibility, and

The inability to effectively scale their operations

Become reluctant to migrate into the Cloud because of the fear of an inability to maintain sovereignty over their data, particularly if they have significant legal responsibility

© Peter White, 2017

5

Jurisdiction

Issues:

Data can be moved between locations, and jurisdictions with trivial effort

Foreign litigants, and governments, have easier access to your data if its in their jurisdiction

Differences in laws between jurisdictions

Some jurisdictions have different (worse?) IT & data security protection, or it may be harder to use

Increase in scrutiny and professional liability

© Peter White, 2017

6

Jurisdiction

Data sovereignty analysis is required to implement responsible corporate governance and risk management practices

Organisations must balance the flexibility and potential cost savings of cloud computing with the security and governance risks inherent in storing data off site, beyond the company’s direct control, and possibly even in a foreign country with different laws.

Cloud computing derives efficiencies from economies of scale through the sharing of costly resources by multiple entities, but it is this sharing of resources – particularly with the public cloud – that increases data security concerns.

Another risk involves data sovereignty: The cloud provider may decide, for technical network efficiency reasons, to transfer data from one data centre to another, and these data centres may be located in different countries , or under the control of different jurisdictions

© Peter White, 2017

7

Jurisdiction

The Privacy Reform Act of 2012 requires:

Organisations need to conform to the Australian Privacy Principles

Organisations which outsource to foreign service providers must take reasonable steps to confirm that the recipient complies with Australia’s privacy laws, and (unless an exemption applies) may be held strictly liable for non-compliance.

The law also requires an organisation’s privacy policy to state whether personal information will be disclosed overseas and, if so, in which countries.

Organisations need to obtain detailed information from cloud providers concerning their security programs including:

where the data will be located (country of jurisdiction for evaluation of legal obligations)

technical aspects of the infrastructure, including how the cloud provider enforces security in a multitenant environment,

who will have access to the information,

whether encryption is possible,

whether customers must be notified that their information will be stored in a cloud,

whether the cloud provider has its own adequate insurance coverage (possibly name your company as an “Additional Insured”), and

whether some information is simply too sensitive to turn over to a third party

© Peter White, 2017

8

Jurisdiction - Australia

APP 1 — Open and transparent management of personal information

Organisations must manage PII in an open and transparent manner which includes having a clear APP Privacy Policy

APP 2 — Anonymity and pseudonymity

Individuals have the option to not identify themselves or to provide a pseudonym

APP 3 — Collection of solicited personal information

Outlines when an organisation can collect PII that is solicited

APP 4 — Dealing with unsolicited personal information

Outlines how to deal with PII data that is unsolicited

APP 5 — Notification of the collection of personal information

Outlines when an organisation that collects PII must notify individuals of certain matters

© Peter White, 2017

9

Australian Privacy Principles

APP 6 — Use or disclosure of personal information

Outlines the circumstances when PII data can be disclosed

APP 7 — Direct marketing

Organisations can only use PII data for direct marketing if certain conditions are met

APP 8 — Cross-border disclosure of personal information

Outlines the steps that must be taken to protect PII data before it is disclosed overseas

APP 9 — Adoption, use or disclosure of government related identifiers

Outlines the limited circumstances when an organisation may adopt a government related identifier of an individual as its own identifier, or use or disclose a government related identifier of an individual.

APP 10 — Quality of personal information

An organisation must take reasonable steps to ensure the personal information it collects is accurate, up to date and complete

An organisation must also take reasonable steps to ensure the personal information it uses or discloses is accurate, up to date, complete and relevant, having regard to the purpose of the use or disclosure

© Peter White, 2017

10

Australian Privacy Principles

APP 11 — Security of personal information

An organisation must take reasonable steps to protect personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure.

An organisation has obligations to destroy or de-identify personal information in certain circumstances.

APP 12 — Access to personal information

Outlines an organisation’s obligations when an individual requests to be given access to personal information held about them by the entity. This includes a requirement to provide access unless a specific exception applies.

APP 13 — Correction of personal information

Outlines an organisation’s obligations in relation to correcting the personal information it holds about individuals.

© Peter White, 2017

11

Australian Privacy Principles

The European General Data Protection Regulation (GDPR) takes effect on 25 May 2018

The GDPR applies to data processors and controllers:

With an establishment in the EU

Offering good or services to individuals in the EU

Monitoring individual’s behaviour in the EU

Australian businesses that may be covered include:

an Australian business with an office in the EU

an Australian business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros

an Australian business whose website mentions customers or users in the EU

an Australian business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attitudes

© Peter White, 2017

12

Jurisdiction – EU

The GDPR applies to ‘personal data’. This means ‘any information relating to an identified or identifiable natural person’ (Article 4).

Additional protections apply to the processing of ‘special categories’ of personal data, which includes personal data revealing:

racial or ethnic origin,

political opinions,

religious or philosophical beliefs, or trade union membership,

the processing of genetic data or biometric data for the purpose of uniquely identifying a natural person,

data concerning health or data concerning a natural person's sex life or sexual orientation (Article 9).

© Peter White, 2017

13

Jurisdiction – EU

The GDPR sets out expanded accountability and governance requirements. These include that data controllers must:

demonstrate that they comply with the ‘Principles relating to the processing of personal data’ – this is referred to as the ‘accountability principle’ (Article 5).

ensure and demonstrate through the implementation of appropriate technical and organisational measures, including data protection policies, that their processing activities comply with the GDPR (Article 24).

implement technical and organisational measures to show that they have considered and integrated data protection into their processing activities – this is referred to as ‘data protection by design and by default’ (Article 25).

In assessing which technical and organisational measures should be implemented, relevant considerations include

the nature, scope, context and purposes of processing

the risks to the rights and freedoms of individuals.

For data protection by design and default, the ‘state of the art’ and the ‘cost of implementation’ are also relevant considerations.

© Peter White, 2017

14

Jurisdiction – EU

Under the GDPR, data controllers must also:

appoint data protection officers to monitor and advise on compliance with the GDPR and with internal privacy policies and procedures (Article 37).

It has been described as a ‘privacy champion’ role that includes the role of a business advisor on the responsible and innovative use of personal data. This requirement only applies to certain businesses.

While there is no such obligation under the Privacy Act, in its Privacy Management Framework, the OAIC recommends that organisations embed a culture of privacy by appointing key roles and responsibilities for privacy management, including a senior member of staff with overall accountability.

undertake a compulsory data protection impact assessment prior to data processing, where a type of processing is likely to result in a high risk for the rights and freedoms of individuals (Article 35).

While not directly outlined as a legal requirement under the Privacy Act, a privacy impact assessment would be required for many new projects or updated projects involving personal information due to the requirement of APP 1.2.

© Peter White, 2017

15

Jurisdiction – EU

Consent is relevant to the operation of many requirements and restrictions on handling personal data under the GDPR.

The GDPR includes a new definition of consent, which states that it must be:

freely given

Specific

Informed, and

An unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing’ (Article 4(11)).

Consent is not freely given if the individual has no genuine or free choice or is unable to refuse or withdraw consent at any time (Article 7 and recital 42).

Businesses also need to make the withdrawal of consent as easy as giving consent, and, before individuals give consent, must inform individuals about this right to withdraw consent (Article 7(3)).

© Peter White, 2017

16

Jurisdiction – EU

Mandatory data breach notification

Data controllers must advise the relevant supervisory authority of a data breach within 72 hours of becoming aware of the breach unless the breach is unlikely to impact the rights and freedoms of individuals.

Data processors must notify the controller of a breach without undue delay (Article 33). In addition, when a data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must notify the individual without undue delay (Article 34)

Privacy notices

The GDPR requires data controllers to give individuals a range of prescribed information about the processing of their personal data (Articles 13 and 14). This information must be:

concise,

transparent,

intelligible and easily accessible, and

use clear and plain language (Article 12)

The GDPR supports combining this information with the use of standardized icons to give an easily visible, meaningful overview of processing to individuals

© Peter White, 2017

17

Jurisdiction – EU

Expanded rights for individuals

The right to erasure (known as the ‘right to be forgotten’) gives individuals a right to require data controllers to delete their data in certain circumstances, including where the information is no longer necessary for the purpose for which it was collected, or where the individual withdraws their consent and there is no other legal ground for processing their data (Article 17).

There are exceptions to this right, including where data processing is necessary to exercise the right of freedom of expression and information

A right to ‘data portability’ – a right to receive personal data an individual has provided to an online service provider in a ‘structured, commonly used, machine-readable format’ and to transmit that data to another online service provider (Article 20)

A right to object at any time to the processing of an individual’s personal data (including profiling). If an objection is made, the processing generally must be stopped.

This right only applies to certain types of processing, such as where the legal basis for processing is legitimate business interests, or for direct marketing (including profiling).

© Peter White, 2017

18

Jurisdiction – EU

The United States has no nationwide data protection law, but it does regulate disclosure of certain categories of personal information to third parties through a variety of laws.

The US government notoriously asserts extraterritorial claims on data that potentially affect non-­US entities through the controversial USA PATRIOT Act.

Even companies which try to require their cloud providers to keep their data within the geographic borders of their own country cannot assume that they are subject only to their home country’s laws because, in certain circumstances, cloud providers may be legally obliged to communicate information, including confidential personal information, to authorities.

For instance, if a company is based in a country which prohibits disclosure of personal information without the subject’s consent, it could conceivably violate its own nation’s laws if it complies with a demand by the US FBI to turn over information stored in a US company’s cloud or in a cloud located within US boundaries.

© Peter White, 2017

19

Jurisdiction – US

The US Department of Commerce and the European Commission jointly developed a “Safe Harbor” to streamline the process for companies to comply with the EU’s Data Directive. Intended for EU and US companies which store data, the Safe Harbor is available for companies which adhere to the seven privacy principles outlined in the EU Directive.

A similar Safe Harbor framework exists between the US and Switzerland.

Of particular concern to cloud computing customers are the requirements that data subjects be informed of data transfers to third parties, and be provided the opportunity to opt out.

The EU GDPR includes increased emphasis on effective consent rights for data subjects,

There have also been criticisms of the effectiveness of Safe Harbor from a compliance perspective.

© Peter White, 2017

20

Jurisdiction – US

© Peter White, 2017

21

Assessing a PII data set

From: Vaile, D., Kalinich, K., Fair, P., & Lawrence, A. (2013). Data Sovereignty and the Cloud. A Board and Executive Officer’s Guide. Sydney: UNSW Faculty of Law

Read:

Gray, A. (2013). Conflict of laws and the cloud. Computer Law and Security Review, 29(2013), 58-65. https://ezproxy.csu.edu.au/login?url=http://dx.doi.org/10.1016/j.clsr.2012.11.004

Office of the Australian Information Commissioner, (2016). Australian businesses and the EU General Data Protection Regulation. Retrieved from https://www.oaic.gov.au/resources/engage-with-us/consultations/australian-businesses-and-the-eu-general-data-protection-regulation/consultation-draft-australian-businesses-and-the-eu-general-data-protection-regulation.pdf

Vaile, D., Kalinich, K., Fair, P., & Lawrence, A. (2013). Data Sovereignty and the Cloud. A Board and Executive Officer’s Guide. Sydney: UNSW Faculty of Law. Retrieved from http://www.bakercyberlawcentre.org/data_sovereignty/CLOUD_DataSovReport_Full.pdf

Watch:

Continue watching the Bruce Schneier videos. They are about an hour long, but definitely worth watching

© Peter White, 2017

22

Tasks