dt p t ti &pidata protection & privacy data privacy in ... › wp-content › uploads ›...

D t P t ti & P iData Protection & Privacy

Data Privacy in Cloud environmentKjell Ohlsson7th March 2013

Who?

Presenter:Presenter:• Kjell Ohlsson - AstraZeneca

Audience:Audience:• Swedish Association of Research Quality Assurance – SARQA – annual meeting.

Timing:• 45 minutes including Q&A

2 Kjell Ohlsson | March 2013 R&D | R&D Information

Objectives

• Give basic understanding of Data Protection & Privacy + Cloud Computing

• Raise awareness around Data Privacy risks in Cloud environments


Basic understanding of Data Protection & Privacy +Data Protection & Privacy +

Cloud Computingp g


Data PrivacyImportant Definitions

Data subject(Den registrerade)

Identifiable natural person. I.e. not a legal entity.



Sensitive Personal Data(Känslig personuppgift)------Examples-------------

Personal Data(Personuppgift)------Examples-------------


p•Health•Labour relations•Racial or ethnic origin

p•Name•Identification numbers•Gender g

•Political opinions•Religious beliefs•Criminal history

•Age•Nationality •Language(s) spoken

•Sexual preferences•Private/home address•Telephone number•Email address

Data that makes the Data Subject identifiable



Sensitive Personal DataPersonal DataData subject Sensitive Personal Data(Känslig personuppgift)

Personal Data(Personuppgift)


D t C t llData Controller(Personuppgiftsansvarig)

Typically a company



D t bj t S iti P l D tP l D tData subject(Den registrerade)

Sensitive Personal Data(Känslig personuppgift)

Personal Data(Personuppgift)

) räde

(n))

esso

r(s)

pgift

sbitr

D t C t ll

Proc

ers

onup

pData Controller(Personuppgiftsansvarig)

Typically a company

(Per


Data Privacy Principles

Ensuring Transparency and Notification about intended data useabout intended data use



Using Personal Data for a known purpose only. Keep usage in order and no “cheating”!Keep usage in order and no cheating !

??



Ensuring Data Quality, meaning data isaccurate and up-to-dateaccurate and up to date

??



Retention. Don’t keep data longer than necessaryRetention. Don t keep data longer than necessary

??



Honouring individual’s rights. Data subjects must have right to access their data and if necessary correct itaccess their data and if necessary, correct it.

??


Data Privacy PrinciplesTaking appropriate security measures to

protect data from loss, damage and unauthorized disclosureunauthorized disclosure

??



3rd parties must adopt appropriate security3 parties must adopt appropriate security measures



Overseas Transfers must be controlled and data adequately protectedq y p

??



Sensitive Personal Data must be especially protected and only used with consent (if no

exception applies)

??


Global Data Privacy Lawsyas of October 2012

PrivacyHIPAA +Safe Harbor

PrivacyProtection

std

Banisar, David, National Right to Information Laws, Regulations and Bills 2012 Map (October 8, 2012). Available at SSRN: http://ssrn com/abstract=1857498 or http://dx doi org/10 2139/ssrn 1857498


http://ssrn.com/abstract 1857498 or http://dx.doi.org/10.2139/ssrn.1857498

Cloud ComputingIntroductionCloud computing is a style of computing in which ”elastic” IT-enabled capabilities are delivered as a service to external customers using Internet technologiesInternet technologies

The name comes from the use of a cloud-shaped symbol as ancloud shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and/or computation. Source: Wikipedia

Source: Wikipedia+Gartner

Common examples of services include:• Dropbox.com, iCloud.com, skydrive.live.com (e.g. for info-sharing)• gmail.com, outlook.com, me.com (mail services)

19

• Netflix (streaming video)Kjell Ohlsson | March 2013 R&D | R&D Information

Cloud computingValue proposition (detailed in backup slides)

1. Elastic Capacity.

2. Quick and easy deployment.

3 No Capital expenditure No initial investment3. No Capital expenditure, No initial investment.

4. Pay as you go, for what you use.4. Pay as you go, for what you use.

5. Focus on your business!


Cloud ComputingDeployment Models

Public CloudPrivate Cloud

Infrastructure dedicatedInfrastructure availableto “anyone” via Internet.This is typically whati d t d “Th Cl d”

to an individual organisation. Complicated. Doubtful financial and

H b id Cl d

is denoted “The Cloud”. management savings.

Hybrid CloudDedicated and publicly available infra-structure co-exist. This is most likelywhere most organizations will end up when “going for the cloud”.


Cloud ComputingServices (subset of “XaaS”=Anything as a Svc)


Cloud ComputingServices (subset of “XaaS”=Anything as a Svc)

Kjell Ohlsson | March 2013 R&D | R&D Information23

Objectives

Data Privacy risks in Cloud environmentsenvironments


Data Privacy and Cloud ComputingIntroduction


Cloud ComputingPrivacy Risks Overview

There are 3 main Privacy related risks associated with Cloud Services:

• Lack of control over the Personal Data – Where is it? How is it? Can we get to it?

• Lack of information about the processing of the Personal Data – What is being done with it? By whom?

• Lack of, or insufficient ability to, influence the contract with the cloud service provider – Not trivial to do anything about the previous risksanything about the previous risks.


Cloud ComputingPrivacy Risks – Lack of Control over Data

E.g. due to weak interoperability because of vendor relying on A cloud provider may use

Lack ofLack of

proprietary technology, or due to lack of appropriate backup /

Disaster Recovery arrangements

its physical control over data from different clients to link Personal Data

Lack of availability

Lack of isolation

E.g. due to sharing of resources – Personal Data emanating from a wide range

A cloud provider may not provide the necessary

ALack of integrity

Lack of data subject rights

of sources in terms of data subjects and organisations mean there could be conflicting interests/ different objectives

provide the necessary measures and tools to assist in responding to access, deletion or correction requests C

I

Lack of confidentiality

Lack of intervenability

objectives

E g due to lawE.g. due to law enforcement requests made directly to a cloud provider from foreign governments.

Due to the complexity and dynamics of an outsourcing chain

28

(E,g FISAAA in USA)

Kjell Ohlsson | March 2013 R&D | R&D Information

Cloud ComputingPrivacy Risks – Lack of Information about processing• Insufficient information about a cloud service provider’s processing

operations poses a risk to Data Controllers and Data Subjects. We may not be aware of potential threats and risks, and thereforeWe may not be aware of potential threats and risks, and therefore can’t take measures to mitigate them.

• Potential threats include:• Chain processing is taking place involving multiple processors

and subcontractors (sub-processors).• Personal Data are processed in different geographic locations

within the EEA (=EU + Iceland, Liechtenstein & Norway) – this impacts on the law applicable to any data protection disputes which may arise between user and provider.

• Personal Data is transferred to 3rd countries outside the EEA 3rd• Personal Data is transferred to 3rd countries outside the EEA. 3rd

countries may not provide an adequate level of protection and transfers may not be safeguarded by appropriate measures (e.g. standard contractual clauses / binding corporate rules) and therefore g p )may be illegal.


Cloud ComputingPrivacy Risks – Lack of Influence over Contract

• Under privacy legislation in many countries, Company X will remain the data controller of the personal data and therefore will be liable for anypersonal data and therefore will be liable for any privacy breaches caused by any 3rd party processors.

• Despite this, Company X may not have the ability to

Company X Authorities

Despite this, Company X may not have the ability to negotiate the contractual terms of the cloud service as standardised contracts are a feature of many cloud service providers (e.g. Google, y p ( g g ,Amazon and Apple).

• It is also difficult to ensure that any contracts

Big Cloud provider

ybetween the cloud service provider and their sub-contractors have appropriate protection for Personal Data.


To summarize

• Basic concepts of Data Protection & Privacy + Cloud Computing

• Reasoning around Data Privacy in Cloud environments and the risks introduced


Questions?


Backup slides

• Privacy/Cloud Information from Swedish Data Inspection Board (Datainspektionen)

A ti l b t l i l ti th t ff t i• Article about legislation that affects privacy

• Detailed “Value proposition” for Cloud computing


Attached documentation

• Data Inspection Board (Datainspektionen) information material

faktablad-molntjanster.pdf

faktablad-cloudservices.pdfinformation material

• Article about legislation that potentially affects privacy euobserver.com_justice_118857....


1. Elastic capacity

• Scaling up and down in minutes• No need to provision• Optimize resources based on your needs• Can easily manage unexpected peaks


2. Quick deployment

• IT infrastructure is no longer a barrier• Easier to test different solution• No need to wait for provisioning• Shorter development cycles


3. No Capital expenditure

• No initial investment needed• No commitments


4. Pay as you go

• Clear pricing models• Pay for compute power by the hour• Pay for storage by the gb• Pay for transfer per gb• Pay per end user• Pay per end user

• ….pay as you go…….pay as you go…

• Remember, this is all elastic. Easy to turn on/off resources


5. Focus on business

• No need to build from scratch,• Services are out there to ”reuse”• Much is automated – no waiting

• You can spend more time on value add activities• You can spend more time on value add activities


Confidentiality NoticeConfidentiality Notice This file is private and may contain confidential and proprietary information. If you have received this file in error, please notify us andremove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorized use or disclosure of the contents of this file is not permitted and may be unlawful. AstraZeneca PLC, 2 Kingdom Street, London, W2 6BD, UK, T: +44(0)20 7604 8000, F: +44 (0)20 7604 8151, www.astrazeneca.com


dt p t ti &pidata protection & privacy data privacy in ... › wp-content › uploads ›...

Documents