
Page 1: Privacy and data control in the era of cloud computing

Patrick Sefton | Principal

Page 2: Outline

“cloud computing” definition & examples

information privacy compliance requirements

pre-contract enquiries / capability questions

contracts (including GITC in particular)

standards & certifications

ongoing contract management & reporting

Page 3: “Cloud computing”

Many names, slightly different meanings:

data / application hosting

ICT managed services

ASP / software-as-a-service

platform-as-a-service

infrastructure-as-a-service

utility computing

but the same concept: ICT capability, provisioned remotely, delivered as a service, with abstraction of detail

Page 4: [image slide: “← less of this” / “more like this... →”]

Page 5: [image slide: “...connected to these →”]

Page 6: Commercial & technical drivers

ubiquitous high-speed communications

leverage economies of scale: cost of supporting infrastructure & redundancy; energy costs

reduce capital expenditure

flexibility / agility

rapid provisioning / dynamic scalability

Page 7: Example: Microsoft

Steve Ballmer, 4 March 2010: “literally I will tell you we’re betting our company on it.”

Page 8: Example: Google

Google Apps (Office workalike, email, storage): USD50/user/year; 2M+ clients, including significant government clients eg City of Los Angeles, City of Washington DC

Google AppEngine: run private software on Google’s infrastructure

Spanner (announced October 2009): storage and computation system which spans all datacentres & scales to 10M+ servers, 1B+ clients

Page 9: The devil is in the details

so ... ICT capability is provided as a service, the details are abstracted and the cost is down, so everyone’s happy?

but ... some of those about-to-be-abstracted-away details are really important

information privacy and data control are important details that need to be addressed up front in cloud computing arrangements

statutory essentials

pre-contract enquiries

contract terms

Page 10: IPA & service providers to agencies

special provisions about agencies entering service arrangements

if service provider performing agency function... s35: agency must take all reasonable steps to ensure service provider required to comply with IPPs/NPPs as if it was the agency

s36: “bound contracted service provider” required to comply with IPPs/NPPs (attracts complaint, approval, compliance mechanics of IPA)

s37: failure to bind → agency still has obligation

Page 11: IPA section 35

s35: agency must take all reasonable steps to ensure service provider required to comply with IPPs/NPPs as if it was the agency

essential minimal requirement for departments & agencies – a low water mark

easy to include:

The Contractor must comply with Parts 1 and 3 of Chapter 2 of the Act, as if it was the Customer, in relation to the discharge of its obligations under this agreement.

Page 12: IPA & cross-border transfers

special provisions about cross-border transfers by agencies (s33)

consent, or at least 2 of the following:

equivalent treatment

necessity

individual benefits, consent impracticable & likely

reasonable steps to protect

Page 13: Service providers & the Cth Act

private sector has no provision like s35 IPA: you’re on your own

is the service provider governed by the Act?

$3M turnover threshold

s6D(4)(c) & (d): collecting/disclosing for payment

should contractor “opt in”? (s6EA)

otherwise, contract terms equivalent to NPPs

Page 14: Pre-contract enquiries

What questions should we ask a potential cloud computing service provider?

location of provider, data (including backups)?

deletion & disposal process?

who has access? what access controls are used?

are any subcontractors involved?

insolvency of supplier?

ease of transfer to another supplier?

single- or multi-tenanted servers?

supplier’s own privacy & security policies (incl. physical security)

awareness of compliance mechanics of IPA

reporting / notification / breach response

standards compliance & certifications, audit reports?

Page 15: Contract terms

is GITC sufficient?

cl 5.4: broad confidentiality terms

cl 5.5: broad privacy terms

can obtain deed of confidentiality / privacy from subcontractors, but only if not reasonably satisfied proper practices in place (query whether this is done as a matter of course)

a good start, but what about ...

Page 16: Contract terms

what about...

supplier’s responses to pre-contract enquiries (incorporate them)

more detailed action in response to security / privacy breach: promptness & detail of report

information about security / privacy breaches for other clients

audit right (electronic & physical practices) or periodic audit

awareness of personnel who have access (with ongoing updates)

disposal / return of records

regular reporting

freedom to move (incl. return of data in standard format)

limitation of liability: does the normal position work?

Page 17: Standards & Certifications

FISMA: a framework for managing information security under Federal Information Security Management Act of 2002 (US)

HIPAA: standards for eHealth transactions under Health Insurance Portability and Accountability Act of 1996 (US) extended by HITECH: Health Information Technology for Economic and Clinical Health Act 2009 (US)

SOX: Sarbanes-Oxley Act of 2002 (US) (public companies) & Basel II: international standard for risks in financial sector

PCI DSS: Payment Card Industry Data Security Standard

SAS70: Statement on Auditing Standards No.70: an accounting standard to assess internal controls within a service organisation

ISO15489: int’l standard for record and information management

ISO27001: int’l standard for information security systems

access to audit/certification reports?

Page 18: Ongoing management

Don’t forget ongoing management

periodic reporting: review & act on issues

options under contract including audit, further deed

internal process for privacy breaches

co-operative & transparent management of privacy complaints and investigations

appropriate escalation of issues: privacy a critical reputational & political risk

Page 19: Thank you.

Patrick [email protected]