eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
This is a test
Condividi libro
- 83 pagine
- English
- ePUB (disponibile sull'app)
- Disponibile su iOS e Android
eBook - ePub
Data Protection and the Cloud
Are the risks too great?
Paul Ticher
Dettagli del libro
Anteprima del libro
Indice dei contenuti
Citazioni
Informazioni sul libro
An expert introduction
More than 85% of businesses now take advantage of Cloud computing, but Cloud computing does not sit easily with the DPA. Data Protection and the Cloud addresses that issue, providing an expert introduction to the legal and practical data protection risks involved in using Cloud services. Data Protection and the Cloud highlights the risks an organisation’s use of the Cloud might generate, and offers the kind of remedial measures that might be taken to mitigate those risks.
Topics covered include:
- Protecting the confidentiality, integrity and accessibility of personal data
- Data protection responsibilities
- The data controller/data processor relationship
- How to choose Cloud providers
- Cloud security – including two-factor authentication, data classification and segmentation
- The increased vulnerability of data in transit
- The problem of BYOD (bring your own device)
- Data transfer abroad, US Safe Harbor and EU legislation
- Relevant legislation, frameworks and guidance, including:
- the EU General Data Protection Regulation
- Cloud computing standards
- the international information security standard, ISO 27001
- the UK Government’s Cyber Essentials scheme and security framework
- CESG’s Cloud security management principles
- guidance from the Information Commissioner’s Office and the Open Web Application Security Project (OWASP)
Mitigate the security risks
Mitigating security risks requires a range of combined measures to be used to provide end-to-end security. Moving to the Cloud does not solve security problems, it just adds another element that must be addressed. Data Protection and the Cloud provides information on how to do so while meeting the DPA’s eight principles.
Domande frequenti
Come faccio ad annullare l'abbonamento?
È semplicissimo: basta accedere alla sezione Account nelle Impostazioni e cliccare su "Annulla abbonamento". Dopo la cancellazione, l'abbonamento rimarrà attivo per il periodo rimanente già pagato. Per maggiori informazioni, clicca qui
È possibile scaricare libri? Se sì, come?
Al momento è possibile scaricare tramite l'app tutti i nostri libri ePub mobile-friendly. Anche la maggior parte dei nostri PDF è scaricabile e stiamo lavorando per rendere disponibile quanto prima il download di tutti gli altri file. Per maggiori informazioni, clicca qui
Che differenza c'è tra i piani?
Entrambi i piani ti danno accesso illimitato alla libreria e a tutte le funzionalità di Perlego. Le uniche differenze sono il prezzo e il periodo di abbonamento: con il piano annuale risparmierai circa il 30% rispetto a 12 rate con quello mensile.
Cos'è Perlego?
Perlego è un servizio di abbonamento a testi accademici, che ti permette di accedere a un'intera libreria online a un prezzo inferiore rispetto a quello che pagheresti per acquistare un singolo libro al mese. Con oltre 1 milione di testi suddivisi in più di 1.000 categorie, troverai sicuramente ciò che fa per te! Per maggiori informazioni, clicca qui.
Perlego supporta la sintesi vocale?
Cerca l'icona Sintesi vocale nel prossimo libro che leggerai per verificare se è possibile riprodurre l'audio. Questo strumento permette di leggere il testo a voce alta, evidenziandolo man mano che la lettura procede. Puoi aumentare o diminuire la velocità della sintesi vocale, oppure sospendere la riproduzione. Per maggiori informazioni, clicca qui.
Data Protection and the Cloud è disponibile online in formato PDF/ePub?
Sì, puoi accedere a Data Protection and the Cloud di Paul Ticher in formato PDF e/o ePub, così come ad altri libri molto apprezzati nelle sezioni relative a Law e Science & Technology Law. Scopri oltre 1 milione di libri disponibili nel nostro catalogo.
Informazioni
Argomento
LawCategoria
Science & Technology LawCHAPTER 1: BACKGROUND – THE DATA
PROTECTION PRINCIPLES
As most readers probably know, the Data Protection Act is based on eight legally-binding principles. Being principles rather than precise stipulations, these describe the outcome that must be achieved, not the means of doing so. Every organisation has a significant degree of flexibility in deciding how to comply.
The Act applies to the whole lifecycle of information, from its original collection to its final destruction. See the definition of ‘processing’ below.
It is usually necessary to be able to demonstrate, through policies and procedures, staff training and other measures, how an organisation ensures that all of its actions comply with the principles. A failure to comply with the principles is a breach of the Act. Any harm suffered by individuals as a result of a breach could lead to a claim for compensation and the Information Commissioner has powers to impose a financial penalty of up to £500,000 or to take other enforcement action in respect of serious breaches of the Act.
Familiarity with the principles is therefore an essential element in assessing the risks that might be posed by the use of cloud services and the mitigating actions that might be necessary.
Data protection principles
These are quoted from the Data Protection Act 1998, Schedule 1, Part I.
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
a) at least one of the conditions in Schedule 2 [see below] is met
and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. [Schedule 3, as subsequently amended by Statutory Instrument, contains around 20 conditions, more restrictive than those in Schedule 2. For the purposes of this publication it is sufficient to assume that particularly great care should be taken with records that include ‘sensitive personal data’ – defined below.]
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Implications of the data protection principles for cloud computing
All the data protection principles are aimed firstly at preventing harm to individuals, and secondly at ensuring that they are treated fairly whenever their data is used.
Two of the principles are particularly relevant to cloud computing:
• Principle 7, which says you must have appropriate security, and
• Principle 8, which controls the transfer of data abroad.
Subsequent chapters look at all of the principles in the context of cloud computing. The table below indicates their relative risk profile in relation to cloud computing. This does not imply that these risks would have the same ranking in other contexts. Principles 7 and 8 are considered first and in detail; the remaining principles are discussed in Chapter 6.
Principle | Risk rank | Comment |
1. Fairness 2. Limited purposes | Low (Medium) | No different from in-house considerations unless cloud provider also captures personal data for own purposes |
3. Adequacy 4. Accuracy | Medium | Minor implications if the design of the cloud application does not support good data quality |
5. Retention | Low | No different from in-house considerations |
6. Data subject rights | Medium | Possible minor implications for subject access |
7. Security | Very high | Significant additional risks from cloud computing |
8. Transfers abroad | High | Cloud applications may (without making this obvious) locate data outside ‘safe’ jurisdictions |
Other relevant definitions
This publication is not a treatise on the Act as a whole. It may, however, be useful to clarify a few other relevant definitions from the Act.
Processing: This is defined very broadly, to include effectively any activity involving personal data. The Act defines processing as ‘obtaining, recording or holding’ the data, or ‘carrying out any operation [on it]’ including (but not limited to) ‘organisation’, ‘alteration’, ‘retrieval’, ‘consultation’, ‘use’, ‘disclosure’, ‘erasure’ and ‘destruction’. It is hard to see how a cloud application could operate without ‘processing’ data within the terms of the Act.
Personal data: Information in electronic form that relates in some way to a living individual who can be identified from the data (plus, if relevant, any other available information), falls clearly within the definition of personal data. Non-electronic data is obviously outside the scope of this publication.
Data subject: The individual about whom personal data is held, wherever they are located.
Sensitive personal data: Information about an individual’s racial or ethnic origin, political beliefs, religious beliefs, trade union membership, mental or physical health, sex life (including sexuality), offences, alleged offences and court appearances. This information requires special treatment – and often consent for its use. In terms of cloud computing, the loss or compromise of sensitive personal data would be a very serious matter.
Schedule 2 Conditions (at least one of which must be met)
1. The data subject has given his consent to the processing.
2. The processing is necessary –
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary –
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised ...