brightline.com.au
Privacy and data
control in the era of
cloud computing
Patrick Sefton | Principal
Outline
“cloud computing” definition & examples
information privacy compliance requirements
pre-contract enquiries / capability questions
contracts (including GITC in particular)
standards & certifications
ongoing contract management & reporting
“Cloud computing”
Many names, slightly different meanings
data / application hosting
ICT managed services
ASP / software-as-a-service
platform-as-a-service
infrastructure-as-a-service
utility computing
but the same concept:
ICT capability
provisioned remotely, delivered as a service
with abstraction of detail
[slide illustrations: “less of this” / “more like this...” / “...connected to these”]
Commercial & technical drivers
ubiquitous high-speed communications
leverage economies of scale
cost of supporting infrastructure & redundancy
energy costs
reduce capital expenditure
flexibility / agility
rapid provisioning / dynamic scalability
Example: Microsoft
Steve Ballmer, 4 March 2010: “literally I will tell you we’re betting our company on it.”
Example: Google
Google Apps (Office workalike, email, storage)
USD50/user/year
2M+ clients, including significant government clients, e.g. City of Los Angeles, City of Washington DC
Google AppEngine
run private software on Google’s infrastructure
Spanner (announced October 2009): storage and computation system which spans all datacentres & scales to 10M+ servers, 1B+ clients
The devil is in the details
so ... ICT capability is provided as a service, the details are abstracted and the cost is down, so everyone’s happy?
but ... some of those about-to-be-abstracted-away details are really important
information privacy and data control are important details that need to be addressed up front in cloud computing arrangements:
statutory essentials
pre-contract enquiries
contract terms
IPA (Information Privacy Act 2009 (Qld)) & service providers to agencies
special provisions about agencies entering service arrangements
if the service provider is performing an agency function...
s35: agency must take all reasonable steps to ensure the service provider is required to comply with the IPPs/NPPs as if it were the agency
s36: a “bound contracted service provider” is required to comply with the IPPs/NPPs (and attracts the complaint, approval and compliance mechanics of the IPA)
s37: failure to bind the provider → the agency still has the obligation
IPA section 35
s35: agency must take all reasonable steps to ensure the service provider is required to comply with the IPPs/NPPs as if it were the agency
essential minimal requirement for departments & agencies – a low water mark, not a complete answer
easy to include, e.g.:
“The Contractor must comply with Parts 1 and 3 of Chapter 2 of the Act, as if it was the Customer, in relation to the discharge of its obligations under this agreement.”
IPA & cross-border transfers
special provisions about cross-border transfers by agencies (s33)
the individual’s consent, or at least 2 of the following:
recipient subject to equivalent treatment of personal information
transfer necessary for the agency’s functions
transfer benefits the individual, consent impracticable & would likely be given
agency has taken reasonable steps to protect the information
Service providers & the Cth Act (Privacy Act 1988 (Cth))
the private sector has no provision like s35 IPA: you’re on your own
is the service provider governed by the Act at all?
$3M annual turnover threshold (small business exemption)
s6D(4)(c) & (d): collecting/disclosing personal information for payment removes the exemption
should the contractor “opt in”? (s6EA)
otherwise, contract terms equivalent to the NPPs are needed
Pre-contract enquiries
What questions should we ask a potential cloud
computing service provider?
location of provider, data (including backups)
deletion & disposal process?
who has access? what access controls are used?
are any subcontractors involved?
insolvency of supplier? ease of transfer to another supplier?
single- or multi-tenanted servers?
supplier’s own privacy & security policies (incl. physical security)
awareness of compliance mechanics of IPA
reporting / notification / breach response
standards compliance & certifications, audit reports?
Contract terms
is GITC sufficient?
cl 5.4: broad confidentiality terms
cl 5.5: broad privacy terms
a deed of confidentiality / privacy can be obtained from subcontractors, but only if the Customer is not reasonably satisfied that proper practices are in place
(query whether this is done as a matter of course)
a good start, but what about ...
Contract terms
what about...
supplier’s responses to pre-contract enquiries (incorporate them)
more detailed action in response to security / privacy breach
promptness & detail of report
information about security / privacy breaches for other clients
audit right (electronic & physical practices) or periodic audit
awareness of personnel who have access (with ongoing updates)
disposal / return of records
regular reporting
freedom to move (incl. return of data in standard format)
limitation of liability: does the normal position work?
Standards & Certifications
FISMA: a framework for managing information security under the Federal Information Security Management Act of 2002 (US)
HIPAA: privacy, security & electronic transaction standards for health information under the Health Insurance Portability and Accountability Act of 1996 (US)
extended by HITECH: Health Information Technology for Economic and Clinical Health Act 2009 (US)
SOX: Sarbanes-Oxley Act of 2002 (US) (public companies) &
Basel II: international framework for capital adequacy & risk management in the banking sector
PCI DSS: Payment Card Industry Data Security Standard (anyone storing, processing or transmitting cardholder data)
SAS70: Statement on Auditing Standards No. 70: an auditing standard for assessing internal controls within a service organisation (Type I & Type II reports)
ISO15489: int’l standard for records and information management
ISO27001: int’l standard for information security management systems (ISMS)
access to audit/certification reports?
Ongoing management
Don’t forget ongoing management
periodic reporting: review & act on issues
options under contract including audit, further deed
internal process for privacy breaches
co-operative & transparent management of privacy complaints and investigations
appropriate escalation of issues:
privacy a critical reputational & political risk
Thank you.
Patrick Sefton