Professional Documents
Culture Documents
identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity
(Data Protection Directive 95/46/EC, A2)
Who is Responsible?
The Data Controller (the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data) Data Controller remains responsible if data outsourced to Data Processor ( a person who processes personal data on behalf of a data controller)
Cloud Provider
What Responsibilities?
Transparency (A. 10,11)
adequate information
Consent, contract, legal obligation, vital interests, public interest task, legitimate interests (A.7)
Accurate, up-to-date (A.6) Retain for no longer than is necessary (A.6) Right of Access (A. 12) Data Security (A. 17)
Intl. Transfers
Specified , explicit and legitimate purpose (A.6) Adequate, Relevant & not excessive (A. 6)
Marketing, Other
..governed by a contract or legal act binding the processor to the controller and stipulating in particular that- the processor shall act only on instructions from the controller - the (security) obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
The controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures
Outsourcing Obligations?
To Approved countries: Switzerland, Canada, Argentina, Isle of Man, Guernsey, Jersey, Faroe Islands, Israel, USA [Safe Harborites & PNR data only] [soon New Zealand and Uruguay] Covered by Model Contracts or Binding Corporate Rules (BCRs) Article 26 (1) Exceptions (contract requirements etc)
Privacy by Design
Requirement for retention policy On request, delete unless clash with other rights (freedom of expression etc) Data Breach Notification
International Transfers:
are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective
European Network and Information Security Agency (ENISA) Report on Cloud Computing, November 2009 http://www.enisa.europa.eu/act/rm/files/deliverables/cloudcomputing-risk-assessment
for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification
security certification: ISO 27001, SAS 70/SSAE 16 Access controls, data recoverability, data breaches Right to Audit Location of Data (inside or outside EEA)
Ultimately, you can outsource responsibility but you can't outsource accountability (ENISA)
More information on potential data security breaches more balanced contractual clauses to promote data portability and data control by cloud users
Thank You
Office of the Data Protection Commissioner Canal House Station Road Portarlington Co Laois Phone: LoCall 1890 252231 057 8684800 Fax: 057 8684757 Email: info@dataprotection.ie Website: www.dataprotection.ie