eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
This is a test
Share book
- 83 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
Book details
Book preview
Table of contents
Citations
About This Book
An expert introduction
More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisationās use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks.
Topics covered include:
- Protecting the confidentiality, integrity and accessibility of personal data
- Data protection responsibilities
- The data controller/data processor relationship
- How to choose Cloud providers
- Cloud security ā including two-factor authentication, data classification and segmentation
- The increased vulnerability of data in transit
- The problem of BYOD (bring your own device)
- Data transfer abroad, US Safe Harbor and EU legislation
- Relevant legislation, frameworks and guidance, including:
Ā
- the EU General Data Protection Regulation
- Cloud computing standards
- the international information security standard, ISO 27001
- the UK Governmentās Cyber Essentials scheme and security framework
- CESGās Cloud security management principles
- guidance from the Information Commissionerās Office and the Open Web Application Security Project (OWASP)
Ā
Mitigate the security risks
Mitigating security risks requires a range of combined measures to be used to provide end-to-end security. Moving to the Cloud does not solve security problems, it just adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPAās eight principles.
Frequently asked questions
How do I cancel my subscription?
Can/how do I download books?
At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.
What is the difference between the pricing plans?
Both plans give you full access to the library and all of Perlegoās features. The only differences are the price and subscription period: With the annual plan youāll save around 30% compared to 12 months on the monthly plan.
What is Perlego?
We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, weāve got you covered! Learn more here.
Do you support text-to-speech?
Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.
Is Data Protection and the Cloud an online PDF/ePUB?
Yes, you can access Data Protection and the Cloud by Paul Ticher in PDF and/or ePUB format, as well as other popular books in Law & Science & Technology Law. We have over one million books available in our catalogue for you to explore.
Information
CHAPTER 1: BACKGROUND ā THE DATA
PROTECTION PRINCIPLES
As most readers probably know, the Data Protection Act is based on eight legally-binding principles. Being principles rather than precise stipulations, these describe the outcome that must be achieved, not the means of doing so. Every organisation has a significant degree of flexibility in deciding how to comply.
The Act applies to the whole lifecycle of information, from its original collection to its final destruction. See the definition of āprocessingā below.
It is usually necessary to be able to demonstrate, through policies and procedures, staff training and other measures, how an organisation ensures that all of its actions comply with the principles. A failure to comply with the principles is a breach of the Act. Any harm suffered by individuals as a result of a breach could lead to a claim for compensation and the Information Commissioner has powers to impose a financial penalty of up to Ā£500,000 or to take other enforcement action in respect of serious breaches of the Act.
Familiarity with the principles is therefore an essential element in assessing the risks that might be posed by the use of cloud services and the mitigating actions that might be necessary.
Data protection principles
These are quoted from the Data Protection Act 1998, Schedule 1, Part I.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless ā
a) at least one of the conditions in Schedule 2 [see below] is met
and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. [Schedule 3, as subsequently amended by Statutory Instrument, contains around 20 conditions, more restrictive than those in Schedule 2. For the purposes of this publication it is sufficient to assume that particularly great care should be taken with records that include āsensitive personal dataā ā defined below.]
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Implications of the data protection principles for cloud computing
All the data protection principles are aimed firstly at preventing harm to individuals, and secondly at ensuring that they are treated fairly whenever their data is used.
Two of the principles are particularly relevant to cloud computing:
ā¢ Principle 7, which says you must have appropriate security, and
ā¢ Principle 8, which controls the transfer of data abroad.
Subsequent chapters look at all of the principles in the context of cloud computing. The table below indicates their relative risk profile in relation to cloud computing. This does not imply that these risks would have the same ranking in other contexts. Principles 7 and 8 are considered first and in detail; the remaining principles are discussed in Chapter 6.
Principle | Risk rank | Comment |
1. Fairness 2. Limited purposes | Low (Medium) | No different from in-house considerations unless cloud provider also captures personal data for own purposes |
3. Adequacy 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality |
5. Retention | Low | No different from in-house considerations |
6. Data subject rights | Medium | Possible minor implications for subject access |
7. Security | Very high | Significant additional risks from cloud computing |
8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside āsafeā jurisdictions |
Other relevant definitions
This publication is not a treatise on the Act as a whole. It may, however, be useful to clarify a few other relevant definitions from the Act.
Processing: This is defined very broadly, to include effectively any activity involving personal data. The Act defines processing as āobtaining, recording or holdingā the data, or ācarrying out any operation [on it]ā including (but not limited to) āorganisationā, āalterationā, āretrievalā, āconsultationā, āuseā, ādisclosureā, āerasureā and ādestructionā. It is hard to see how a cloud application could operate without āprocessingā data within the terms of the Act.
Personal data: Information in electronic form that relates in some way to a living individual who can be identified from the data (plus, if relevant, any other available information), falls clearly within the definition of personal data. Non-electronic data is obviously outside the scope of this publication.
Data subject: The individual about whom personal data is held, wherever they are located.
Sensitive personal data: Information about an individualās racial or ethnic origin, political beliefs, religious beliefs, trade union membership, mental or physical health, sex life (including sexuality), offences, alleged offences and court appearances. This information requires special treatment ā and often consent for its use. In terms of cloud computing, the loss or compromise of sensitive personal data would be a very serious matter.
Schedule 2 Conditions (at least one of which must be met)
1. The data subject has given his consent to the processing.
2. The processing is necessary ā
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary ā
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised ...