
David Goodis Director of Legal Services and General Counsel Fred Carter

Privacy by Design in the Clouds: You Can’t Outsource Accountability. David Goodis Director of Legal Services and General Counsel Fred Carter Senior Policy & Technology Advisor Information and Privacy Commissioner of Ontario. ARMA (Toronto Chapter)


Presentation Transcript


  1. Privacy by Design in the Clouds: You Can’t Outsource Accountability
     David Goodis, Director of Legal Services and General Counsel
     Fred Carter, Senior Policy & Technology Advisor
     Information and Privacy Commissioner of Ontario
     ARMA (Toronto Chapter) Information Management Symposium, April 18, 2012

  2. Commissioner Ann Cavoukian, Ph.D.
     • Appointed by Ontario legislature
     • Independent from government
     • Oversees 3 privacy & access to information laws
     • Longest serving privacy commissioner in the world
     • Mandated to:
       - Investigate privacy complaints
       - Resolve appeals from refusals to provide access to information
       - Ensure organizations comply with the access and privacy provisions of the Acts
       - Educate public about Ontario access & privacy laws
       - Conduct research on access and privacy issues, provide advice and comment on proposed government legislation & programs
     Information & Privacy Commissioner, Ontario, Canada

  3. IPC Interest in Cloud Computing
     • Oversight: information management practices of provincial / municipal public and health care sectors in Ontario
     • Outsourcing, due diligence and accountability
     • Design and deployment of new ICTs
     • Applying Privacy by Design Foundational Principles to technologies, business processes, and networked infrastructures

  4. Cloud Computing Defined
     “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”
     Source: National Institute of Standards and Technology (NIST), Special Publication 800-145, The NIST Definition of Cloud Computing, September 2011, Page 3.

  5. Cloud Computing Characteristics
     • On-demand service
     • Resource pooling
     • Service provider control over infrastructure
     • Measured service

  6. Cloud Computing Delivery Models
     • Infrastructure as a Service (IaaS)
     • Platform as a Service (PaaS)
     • Software as a Service (SaaS)

  7. Cloud Computing Deployment Models
     • Public Cloud
     • Private Cloud
     • Community Cloud
     • Hybrid Cloud

  8. The Power and Promise of Cloud Computing
     • Flexibility
     • Better reliability and security
     • Enhanced collaboration
     • Efficiency in deployment
     • Portability
     • Potential cost savings
     • Simpler devices

  9. Cloud Computing Risks
     • Loss of control by customer over technology infrastructure / loss of governance
     • Possible loss of control over location of data
     • Concerns about segregation of data
     • Data retention, destruction and return
     • Rights to data
     • Data security

  10. You can outsource services … but you can’t outsource accountability. You always remain accountable.

  11. IPC Advice
      Some things to consider:
      • Exercise due diligence
      • Conduct a Privacy Impact Assessment
      • Use identifying information only when necessary
      • Identify and minimize privacy and security risks
      • Use privacy enhancing technological tools
      • Ensure transparency, notice, education, awareness
      • Develop a privacy breach management plan
      • Create and enforce contractual clauses

  12. Contractual Provisions to Consider
      • Description of Services
      • Service Level Commitments
      • Data Ownership and Other IPR issues
      • Confidentiality, privacy and security
      • Data confidentiality obligations
      • Obligations of cloud service provider for protecting customer data
      • Location of data
      • Audit provisions
      • Data return and destruction
      • Data breach notification

  13. Contractual Provisions to Consider
      • Representations and Warranties
      • Insurance Coverage
      • Liability and Indemnity Issues
      • Termination / transition provisions
      • Subcontracting by cloud service provider
      • Assignment by either party
      • Governing law and forum for resolution of disputes
      • Dispute resolution

  14. Contractual Provisions to Consider
      • Service provider should not use PI except as necessary in providing services
      • Provider should not improperly disclose PI
      • Provider must employ safeguards to ensure PI is retained, transferred and disposed of securely
      • Provider must notify the organization immediately of any order or other requirement to compel production of PI
      • Provider must notify the organization immediately if PI is stolen, lost, accessed by unauthorized persons
      • Implement oversight and monitoring program, including audits of the provider’s compliance with the terms of the agreement
      • No one on behalf of provider should have access to PI unless that person agrees to comply with restrictions in the agreement

  15. USA Patriot Act and Cloud Computing
      • BC, NS legislation restricts government’s ability to outsource beyond Canadian border
      • There will always be laws that allow law enforcement to gain access to information in their jurisdictions – the important question is what steps can an organization take to help ensure privacy and security, regardless of jurisdiction
      • Organizations considering outsourcing or cloud computing should ensure accountability through appropriate contractual provisions and a Privacy by Design approach that ensures privacy is built in as an integral part of the proposed technologies and business practices

  16. Privacy by Design in Action

  17. Privacy by Design Meets the Cloud: Current and Future Privacy Challenges
      • What is Privacy by Design? Building privacy into technologies, business processes, and networked infrastructures from the ground up.
      • Goal: to establish and achieve highest possible standards of accountability, confidence, and trust in management of PII, beyond compliance
      • Requires: Proactive, capable leadership; Systemic, verifiable methods; Practical, demonstrable results

  18. Privacy by Design: The 7 Foundational Principles
      • Proactive not Reactive: Preventative, not Remedial;
      • Privacy as the Default setting;
      • Privacy Embedded into Design;
      • Full Functionality: Positive-Sum, not Zero-Sum;
      • End-to-End Security: Full Lifecycle Protection;
      • Visibility and Transparency: Keep it Open;
      • Respect for User Privacy: Keep it User-Centric.
      www.ipc.on.ca/images/Resources/7foundationalprinciples.pdf

  19. Privacy in the Clouds
      • The 21st Century Privacy Challenge;
      • Creating a User-Centric Identity Management Infrastructure;
      • Using Technology Building Blocks;
      • A Call to Action.
      www.ipc.on.ca/images/Resources%5Cprivacyintheclouds.pdf

  20. Cloud Computing Architecture and Privacy
      • Cloud Delivery Models
      • Use cloud in privacy protective manner – user control, e.g. encryption, segregation
      www.ipc.on.ca/images/Resources/pbd-NEC-cloud.pdf

  21. Applied Privacy by Design
      • Large Ontario educational institution initiative to upgrade, outsource IT infrastructure to a U.S.-based Cloud Service Provider
      • Evidence of Capable, Proactive Leadership
      • Open and transparent processes
      • Evidence of Systemic, Verifiable Methods
      • World class PIA, TRA and metrics
      • Expected Practical, Demonstrable Results

  22. Conclusions
      • Cloud computing has many benefits and risks
      • You can outsource your operations and services but not your accountability
      • Conduct proper due diligence on your cloud provider
      • Ensure you have the appropriate contractual provisions in place
      • Build PbD into the cloud infrastructure
      • Embed privacy as a core functionality: the future of privacy may depend on it!

  23. How to Contact Us
      David Goodis, Director of Legal Services and General Counsel
      Information & Privacy Commissioner of Ontario
      2 Bloor Street East, Suite 1400
      Toronto, Ontario, Canada M4W 1A8
      Phone: (416) 326-3948 / 1-800-387-0073
      Web: www.ipc.on.ca
      E-mail: info@ipc.on.ca
