eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
This is a test
Partager le livre
- 83 pages
- English
- ePUB (adapté aux mobiles)
- Disponible sur iOS et Android
eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
DĂ©tails du livre
Aperçu du livre
Table des matiĂšres
Citations
Ă propos de ce livre
An expert introduction
More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisationâs use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks.
Topics covered include:
- Protecting the confidentiality, integrity and accessibility of personal data
- Data protection responsibilities
- The data controller/data processor relationship
- How to choose Cloud providers
- Cloud security â including two-factor authentication, data classification and segmentation
- The increased vulnerability of data in transit
- The problem of BYOD (bring your own device)
- Data transfer abroad, US Safe Harbor and EU legislation
- Relevant legislation, frameworks and guidance, including:
Â
- the EU General Data Protection Regulation
- Cloud computing standards
- the international information security standard, ISO 27001
- the UK Governmentâs Cyber Essentials scheme and security framework
- CESGâs Cloud security management principles
- guidance from the Information Commissionerâs Office and the Open Web Application Security Project (OWASP)
Â
Mitigate the security risks
Mitigating security risks requires a range of combined measures to be used to provide end-to-end security. Moving to the Cloud does not solve security problems, it just adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPAâs eight principles.
Foire aux questions
Comment puis-je résilier mon abonnement ?
Il vous suffit de vous rendre dans la section compte dans paramĂštres et de cliquer sur « RĂ©silier lâabonnement ». Câest aussi simple que cela ! Une fois que vous aurez rĂ©siliĂ© votre abonnement, il restera actif pour le reste de la pĂ©riode pour laquelle vous avez payĂ©. DĂ©couvrez-en plus ici.
Puis-je / comment puis-je télécharger des livres ?
Pour le moment, tous nos livres en format ePub adaptĂ©s aux mobiles peuvent ĂȘtre tĂ©lĂ©chargĂ©s via lâapplication. La plupart de nos PDF sont Ă©galement disponibles en tĂ©lĂ©chargement et les autres seront tĂ©lĂ©chargeables trĂšs prochainement. DĂ©couvrez-en plus ici.
Quelle est la différence entre les formules tarifaires ?
Les deux abonnements vous donnent un accĂšs complet Ă la bibliothĂšque et Ă toutes les fonctionnalitĂ©s de Perlego. Les seules diffĂ©rences sont les tarifs ainsi que la pĂ©riode dâabonnement : avec lâabonnement annuel, vous Ă©conomiserez environ 30 % par rapport Ă 12 mois dâabonnement mensuel.
Quâest-ce que Perlego ?
Nous sommes un service dâabonnement Ă des ouvrages universitaires en ligne, oĂč vous pouvez accĂ©der Ă toute une bibliothĂšque pour un prix infĂ©rieur Ă celui dâun seul livre par mois. Avec plus dâun million de livres sur plus de 1 000 sujets, nous avons ce quâil vous faut ! DĂ©couvrez-en plus ici.
Prenez-vous en charge la synthÚse vocale ?
Recherchez le symbole Ăcouter sur votre prochain livre pour voir si vous pouvez lâĂ©couter. Lâoutil Ăcouter lit le texte Ă haute voix pour vous, en surlignant le passage qui est en cours de lecture. Vous pouvez le mettre sur pause, lâaccĂ©lĂ©rer ou le ralentir. DĂ©couvrez-en plus ici.
Est-ce que Data Protection and the Cloud est un PDF/ePUB en ligne ?
Oui, vous pouvez accĂ©der Ă Data Protection and the Cloud par Paul Ticher en format PDF et/ou ePUB ainsi quâĂ dâautres livres populaires dans Law et Science & Technology Law. Nous disposons de plus dâun million dâouvrages Ă dĂ©couvrir dans notre catalogue.
Informations
Sujet
LawSous-sujet
Science & Technology LawCHAPTER 1: BACKGROUND â THE DATA
PROTECTION PRINCIPLES
As most readers probably know, the Data Protection Act is based on eight legally-binding principles. Being principles rather than precise stipulations, these describe the outcome that must be achieved, not the means of doing so. Every organisation has a significant degree of flexibility in deciding how to comply.
The Act applies to the whole lifecycle of information, from its original collection to its final destruction. See the definition of âprocessingâ below.
It is usually necessary to be able to demonstrate, through policies and procedures, staff training and other measures, how an organisation ensures that all of its actions comply with the principles. A failure to comply with the principles is a breach of the Act. Any harm suffered by individuals as a result of a breach could lead to a claim for compensation and the Information Commissioner has powers to impose a financial penalty of up to ÂŁ500,000 or to take other enforcement action in respect of serious breaches of the Act.
Familiarity with the principles is therefore an essential element in assessing the risks that might be posed by the use of cloud services and the mitigating actions that might be necessary.
Data protection principles
These are quoted from the Data Protection Act 1998, Schedule 1, Part I.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless â
a) at least one of the conditions in Schedule 2 [see below] is met
and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. [Schedule 3, as subsequently amended by Statutory Instrument, contains around 20 conditions, more restrictive than those in Schedule 2. For the purposes of this publication it is sufficient to assume that particularly great care should be taken with records that include âsensitive personal dataâ â defined below.]
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Implications of the data protection principles for cloud computing
All the data protection principles are aimed firstly at preventing harm to individuals, and secondly at ensuring that they are treated fairly whenever their data is used.
Two of the principles are particularly relevant to cloud computing:
âą Principle 7, which says you must have appropriate security, and
âą Principle 8, which controls the transfer of data abroad.
Subsequent chapters look at all of the principles in the context of cloud computing. The table below indicates their relative risk profile in relation to cloud computing. This does not imply that these risks would have the same ranking in other contexts. Principles 7 and 8 are considered first and in detail; the remaining principles are discussed in Chapter 6.
Principle | Risk rank | Comment |
1. Fairness 2. Limited purposes | Low (Medium) | No different from in-house considerations unless cloud provider also captures personal data for own purposes |
3. Adequacy 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality |
5. Retention | Low | No different from in-house considerations |
6. Data subject rights | Medium | Possible minor implications for subject access |
7. Security | Very high | Significant additional risks from cloud computing |
8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside âsafeâ jurisdictions |
Other relevant definitions
This publication is not a treatise on the Act as a whole. It may, however, be useful to clarify a few other relevant definitions from the Act.
Processing: This is defined very broadly, to include effectively any activity involving personal data. The Act defines processing as âobtaining, recording or holdingâ the data, or âcarrying out any operation [on it]â including (but not limited to) âorganisationâ, âalterationâ, âretrievalâ, âconsultationâ, âuseâ, âdisclosureâ, âerasureâ and âdestructionâ. It is hard to see how a cloud application could operate without âprocessingâ data within the terms of the Act.
Personal data: Information in electronic form that relates in some way to a living individual who can be identified from the data (plus, if relevant, any other available information), falls clearly within the definition of personal data. Non-electronic data is obviously outside the scope of this publication.
Data subject: The individual about whom personal data is held, wherever they are located.
Sensitive personal data: Information about an individualâs racial or ethnic origin, political beliefs, religious beliefs, trade union membership, mental or physical health, sex life (including sexuality), offences, alleged offences and court appearances. This information requires special treatment â and often consent for its use. In terms of cloud computing, the loss or compromise of sensitive personal data would be a very serious matter.
Schedule 2 Conditions (at least one of which must be met)
1. The data subject has given his consent to the processing.
2. The processing is necessary â
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary â
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised ...