Data Protection & Privacy
Data Privacy in Cloud environment
Kjell Ohlsson
7th March 2013
Who?
Presenter:
• Kjell Ohlsson - AstraZeneca
Audience:
• Swedish Association of Research Quality Assurance – SARQA – annual meeting.
Timing:
• 45 minutes including Q&A
2 Kjell Ohlsson | March 2013 R&D | R&D Information
Objectives
• Give basic understanding of Data Protection & Privacy + Cloud Computing
• Raise awareness around Data Privacy risks in Cloud environments
Basic understanding of Data Protection & Privacy + Cloud Computing
Data Privacy
Important Definitions
Data subject (Den registrerade)
Identifiable natural person. I.e. not a legal entity.
Data Privacy
Important Definitions
Data subject (Den registrerade)
Personal Data (Personuppgift)
Data that makes the Data Subject identifiable
Examples:
• Name
• Identification numbers
• Gender
• Age
• Nationality
• Language(s) spoken
• Private/home address
• Telephone number
• Email address
Sensitive Personal Data (Känslig personuppgift)
Examples:
• Health
• Labour relations
• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Criminal history
• Sexual preferences
Data Privacy
Important Definitions
Data subject (Den registrerade)
Personal Data (Personuppgift)
Sensitive Personal Data (Känslig personuppgift)
Data Controller (Personuppgiftsansvarig)
Typically a company
Data Privacy
Important Definitions
Data subject (Den registrerade)
Personal Data (Personuppgift)
Sensitive Personal Data (Känslig personuppgift)
Data Controller (Personuppgiftsansvarig)
Typically a company
Processor(s) (Personuppgiftsbiträde(n))
Data Privacy Principles
• Ensuring Transparency and Notification about intended data use
• Using Personal Data for a known purpose only. Keep usage in order and no “cheating”!
• Ensuring Data Quality, meaning data is accurate and up-to-date
• Retention. Don’t keep data longer than necessary
• Honouring individual’s rights. Data subjects must have right to access their data and, if necessary, correct it.
• Taking appropriate security measures to protect data from loss, damage and unauthorized disclosure
• 3rd parties must adopt appropriate security measures
• Overseas Transfers must be controlled and data adequately protected
• Sensitive Personal Data must be especially protected and only used with consent (if no exception applies)
Global Data Privacy Laws
as of October 2012
[Map of global data privacy laws; legible annotations: “HIPAA + Safe Harbor”, “Privacy Protection std”]
Banisar, David, National Right to Information Laws, Regulations and Bills 2012 Map (October 8, 2012). Available at SSRN: http://ssrn.com/abstract=1857498 or http://dx.doi.org/10.2139/ssrn.1857498
Cloud Computing
Introduction
Cloud computing is a style of computing in which “elastic” IT-enabled capabilities are delivered as a service to external customers using Internet technologies.
The name comes from the use of a cloud-shaped symbol as an abstraction for the complex infrastructure it contains in system diagrams. Cloud computing entrusts remote services with a user's data, software and/or computation.
Source: Wikipedia + Gartner
Common examples of services include:
• Dropbox.com, iCloud.com, skydrive.live.com (e.g. for info-sharing)
• gmail.com, outlook.com, me.com (mail services)
• Netflix (streaming video)
Cloud computing
Value proposition (detailed in backup slides)
1. Elastic Capacity.
2. Quick and easy deployment.
3. No Capital expenditure, No initial investment.
4. Pay as you go, for what you use.
5. Focus on your business!
Cloud Computing
Deployment Models
Public Cloud
Infrastructure available to “anyone” via Internet. This is typically what is denoted “The Cloud”.
Private Cloud
Infrastructure dedicated to an individual organisation. Complicated. Doubtful financial and management savings.
Hybrid Cloud
Dedicated and publicly available infrastructure co-exist. This is most likely where most organizations will end up when “going for the cloud”.
Cloud Computing
Services (subset of “XaaS” = Anything as a Svc)
Objectives
Data Privacy risks in Cloud environments
Data Privacy and Cloud Computing
Introduction
Cloud Computing
Privacy Risks Overview
There are 3 main Privacy related risks associated with Cloud Services:
• Lack of control over the Personal Data – Where is it? How is it? Can we get to it?
• Lack of information about the processing of the Personal Data – What is being done with it? By whom?
• Lack of, or insufficient ability to, influence the contract with the cloud service provider – Not trivial to do anything about the previous risks.
Cloud Computing
Privacy Risks – Lack of Control over Data
• Lack of availability: E.g. due to weak interoperability because of vendor relying on proprietary technology, or due to lack of appropriate backup / Disaster Recovery arrangements
• Lack of integrity: E.g. due to sharing of resources – Personal Data emanating from a wide range of sources in terms of data subjects and organisations mean there could be conflicting interests / different objectives
• Lack of confidentiality: E.g. due to law enforcement requests made directly to a cloud provider from foreign governments. (E.g. FISAAA in USA)
• Lack of isolation: A cloud provider may use its physical control over data from different clients to link Personal Data
• Lack of data subject rights: A cloud provider may not provide the necessary measures and tools to assist in responding to access, deletion or correction requests
• Lack of intervenability: Due to the complexity and dynamics of an outsourcing chain
Cloud Computing
Privacy Risks – Lack of Information about processing
• Insufficient information about a cloud service provider’s processing operations poses a risk to Data Controllers and Data Subjects. We may not be aware of potential threats and risks, and therefore can’t take measures to mitigate them.
• Potential threats include:
  • Chain processing is taking place involving multiple processors and subcontractors (sub-processors).
  • Personal Data are processed in different geographic locations within the EEA (= EU + Iceland, Liechtenstein & Norway) – this impacts on the law applicable to any data protection disputes which may arise between user and provider.
  • Personal Data is transferred to 3rd countries outside the EEA. 3rd countries may not provide an adequate level of protection and transfers may not be safeguarded by appropriate measures (e.g. standard contractual clauses / binding corporate rules) and therefore may be illegal.
Cloud Computing
Privacy Risks – Lack of Influence over Contract
• Under privacy legislation in many countries, Company X will remain the data controller of the personal data and therefore will be liable for any privacy breaches caused by any 3rd party processors.
• Despite this, Company X may not have the ability to negotiate the contractual terms of the cloud service as standardised contracts are a feature of many cloud service providers (e.g. Google, Amazon and Apple).
• It is also difficult to ensure that any contracts between the cloud service provider and their sub-contractors have appropriate protection for Personal Data.
[Diagram labels: Company X, Authorities, Big Cloud provider]
To summarize
• Basic concepts of Data Protection & Privacy + Cloud Computing
• Reasoning around Data Privacy in Cloud environments and the risks introduced
Questions?
Backup slides
• Privacy/Cloud Information from Swedish Data Inspection Board (Datainspektionen)
• Article about legislation that affects privacy
• Detailed “Value proposition” for Cloud computing
Attached documentation
• Data Inspection Board (Datainspektionen) information material
faktablad-molntjanster.pdf
faktablad-cloudservices.pdf
• Article about legislation that potentially affects privacy
euobserver.com_justice_118857....
1. Elastic capacity
• Scaling up and down in minutes
• No need to provision
• Optimize resources based on your needs
• Can easily manage unexpected peaks
2. Quick deployment
• IT infrastructure is no longer a barrier
• Easier to test different solutions
• No need to wait for provisioning
• Shorter development cycles
3. No Capital expenditure
• No initial investment needed
• No commitments
4. Pay as you go
• Clear pricing models
• Pay for compute power by the hour
• Pay for storage by the GB
• Pay for transfer per GB
• Pay per end user
• …pay as you go…
• Remember, this is all elastic. Easy to turn on/off resources
5. Focus on business
• No need to build from scratch
• Services are out there to “reuse”
• Much is automated – no waiting
• You can spend more time on value add activities
Confidentiality Notice
This file is private and may contain confidential and proprietary information. If you have received this file in error, please notify us and remove it from your system and note that you must not copy, distribute or take any action in reliance on it. Any unauthorized use or disclosure of the contents of this file is not permitted and may be unlawful. AstraZeneca PLC, 2 Kingdom Street, London, W2 6BD, UK, T: +44 (0)20 7604 8000, F: +44 (0)20 7604 8151, www.astrazeneca.com