Summary - Review of the legal conditions when using cloud computing in the municipal sector feasibility study

Similar documents
What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

Version 1/2018. GDPR Processor Security Controls

Data Processing Agreement

BNetzA therefore requests a BEREC Opinion on the above measures until June 1.

Data Processing Agreement

Data Processing Clauses

Use of data processor (external business unit)

Use of data processor (external business unit)

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

DATA PROCESSING TERMS

Data Processor Agreement

NEWSFLASH GDPR N 8 - New Data Protection Obligations

M T BUCKLEY & Co Chartered Accountants

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

Application Guideline for BOP/Volume Zone Business Support Coordinator UZBEKISTAN in FY 2015

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

Data Protection Policy

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

PRIVACY POLICY. 1. Definitions and Interpretation In this Policy the following terms shall have the following meanings:

Requirements for Certification Bodies operating Certification against the PEFC International Chain of Custody Standard

Company presentation Transition and Transformation

Next-generation Nødnett in commercial networks Approach for further work

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

World Telecommunication Development Conference (WTDC- 14) Dubai, 30 March 10 April 2014

Data protection. 3 April 2018

General Data Protection Regulation

NSF Data Management Plan Template Duke University Libraries Data and GIS Services

PREPARING FOR THE GDPR AT THE UNIVERSITY OF HELSINKI

Data Protection Policy

PRIVACY NOTICE 1. Introduction

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

The checklist is dynamic, not exhaustive, and will be updated regularly. If you have any suggestions or comments, we would like to hear from you.

PS Mailing Services Ltd Data Protection Policy May 2018

Introductory guide to data sharing. lewissilkin.com

Privacy Notice - Stora Enso s Supplier and Stakeholder Register. 1 Purpose

Comprehensive Study on Cybercrime

Regulation for the accreditation of product Certification Bodies

Privacy policy agreement for Mobillett. General information about processing of personal data by AtB

Google Cloud & the General Data Protection Regulation (GDPR)

2. Which personal data is processed by SF Studios and from which source does the personal data originate?

Technical Requirements of the GDPR

You can find a brief summary of this Privacy Policy in the chart below.

NIS Standardisation ENISA view

2.1. Scope of environmental site assessment

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Motorola Mobility Binding Corporate Rules (BCRs)

DFARS Cyber Rule Considerations For Contractors In 2018

CHAPTER 13 ELECTRONIC COMMERCE

the processing of personal data relating to him or her.

15 August 2014 FEASIBILITY STUDY REGARDING RESEARCH ACCESS TO NORDIC MICRODATA 1/102

DATA PROCESSING AGREEMENT

Managing Jurisdictional Risks for Public Cloud Services

At Oatly we believe in the importance of protecting personal information and an individual s right to privacy and integrity.

Review of the Canadian Anti-Spam Legislation

WORLD TRADE ORGANIZATION

Contents. Navigating your way to the cloud

UCL Policy on Electronic Mail ( )

Privacy Policy of the products of Ilves Solutions Ltd and Ilves Valmisohjelmistot Ltd / Ilveshaku

Element Finance Solutions Ltd Data Protection Policy

INFS 214: Introduction to Computing

Cooperation with other Certification Systems

Information Security Policy

Error! No text of specified style in document.

TIA. Privacy Policy and Cookie Policy 5/25/18

GDPR: A QUICK OVERVIEW

Application Guideline for BOP Business Support Coordinator BANGLADESH in FY 2013

Guidelines Concerning the Transmission, Etc. of Specified Electronic Mail

CURRICULUM The Architectural Technology and Construction. programme

Chapter 1. Purpose, definitions and application

Information Security Management Criteria for Our Business Partners

Security Management Models And Practices Feb 5, 2008

BENCHMARKING PPP PROCUREMENT 2017 IN ARMENIA

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Bring Your Own Device Policy

Procurement on modernisation of the server platform of the municipality

Website and Marketing Privacy Policy

Requirements for a Managed System

Privacy Shield Policy

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

Data Processing Agreement

Accreditation Body Evaluation Procedure for AASHTO R18 Accreditation

How to work your cloud around the UK ICO s Data Protection Act

Eco Web Hosting Security and Data Processing Agreement

1.1. Gomilio is a service provided by Activa System Srls (hereinafter referred to as

UKIP needs to gather and use certain information about individuals.

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

SCHOOL SUPPLIERS. What schools should be asking!

PECB Change Log Form

Lex Mundi Telecommunications Regulation Multi-Jurisdictional Survey

Data Processing Agreement

A Homeopath Registered Homeopath

Contract regarding consultant service for Analysis of options for increased use of Renewable Energy in the Heating Sector in Ukraine. j.nr.

Regulatory Notice 10-21

World Wide Jobs Ltd t/a Findmyexpert.com Privacy Policy 12 th April 2018

UNDAF ACTION PLAN GUIDANCE NOTE. January 2010

User Control Mechanisms for Privacy Protection Should Go Hand in Hand with Privacy-Consequence Information: The Case of Smartphone Apps

Wye Valley NHS Trust. Data protection audit report. Executive summary June 2017

Transcription:

KS FoU-project 144008: Summary - Review of the legal conditions when using cloud computing in the municipal sector feasibility study April 2015 Advokatfirmaet Føyen Torkildsen AS -1-

1 Introduction Use of cloud computing is about to be established in the public sector, however there are still unclear legal aspects regarding procurement and use. Suppliers of cloud computing services are often major companies who deliver standardized services. KS the Norwegian Association of Local and Regional Authorities (hereinafter KS) has received several requests from municipalities and county authorities regarding the municipalities use of cloud computing, and whether it is legal and defensible to take such services in use. The law firm Føyen Torkildsen AS has thus been asked to undertake a feasibility study of the legal conditions when using cloud computing in the municipal sector. The final report is a result of a number of legal investigations and responses to surveys that have been sent to 30 municipalities and some county authorities. In addition in-depth interviews of three municipalities and four cloud computing suppliers have been conducted. The main purpose of this report is to provide the municipal sector an understanding of the regulations regarding cloud computing and provide practical advice on what possibilities the municipal sector has to make use of cloud computing. Initially it must be emphasized that there are significant possibilities to make use of cloud computing, however this possibility may be further improved by making some changes in the administrative practices, particularly by the National Archives and Record Administration. During this feasibility study we have focused on what the current legislation actually allows and what the municipalities actually can and should do to meet the requirements of the current legislation, when using cloud computing. Furthermore, the report address whether there is a need for change in the legislation, and in that case what changes this should be. Cloud computing is a collective term for everything from data processing and data storage, software on servers that are accessible from external server parks connected to the internet. It is common to distinguish between Software as a Service, Platform as a Service and Infrastructure as a Service. These services can be delivered in the form of Public Cloud, Private Cloud (used within a company or group), or a Hybrid Cloud (which is a combination of the other two delivery methods). The legal and information security issues will to a great extent be the same, regardless of the service- or delivery method, although specific assessments and the measures that must be implemented may differ. 2 Legal basis It is common for major procurements of both IT and cloud services that there is a variety of legal framework conditions that needs to be fulfilled. Especially cloud computing is for many companies uncharted territory and you do not always know which aspects should be emphasized and thus not how much time and effort must be allocated to make the necessary assessments. In addition you often meet major suppliers with a strong market position and often also a strong power of conviction. The purpose of this study was to examine which laws that is an obstacle, or is perceived as an obstacle to the use of cloud computing, and whether there is a need for change in the legislation. Cloud computing has touch point with several laws and therefore raises several complex legal issues. -2-

The report examines both the Administration Act, the Public Procurement Act and the GPA Agreement, the rules on protection of personal data, the Security Act, the Bookkeeping Act and the Archives Act. The biggest challenge relates to the Archive Act and the Accounting Act. The other regulations does not in principal, preclude the use of cloud computing in the municipal sector, but sets specific requirements that must be met. It is important to point out that a municipality, before they adopt a specific cloud service must perform a sufficient risk assessment in accordance with the Personal Data Act and the Personal Data Regulations. It is also important that the municipality ensures that they enter into a sufficient and adequate data processor agreement with the supplier. The checklist in appendix 5 in the final report specifies what should be regulated in the data processor agreement. The Archive Act According to the Archives Act (LOV-1992-12-04-126) section 9 letter b, public archival material cannot be transferred out of the country without a special permission from the Central Office of the National Archives of Norway. This provision is of great importance for the municipality s possibilities to implement cloud computing. It may be questioned to what extent this provision including the exceptions - according to the main purpose of the provision fits, and shall apply to the use of cloud services delivered from other countries. This rule was written more than 20 years ago i.e. long before cloud computing in its current form, or processing and storage of data in other countries was a reality. In September 2014 the National Archive directed an inquiry to the Ministry of Culture regarding the storage of electronic archives on servers abroad. In the letter the National Archive stated that because of section 9 letter b, archives cannot be stored on servers located outside Norway. This also applies to backup of the archives. The way the act is today, it is thus, according to the National Archive not possible to use cloud computing to store archive materials. However, as long as the archive and the backup are located in Norway, other copies may be stored outside Norway. In our view this statement from the National Archive is inconsistent with the law, when they consider that the archival material cannot be transferred out of the country. In the Archival Act section 9, which the National Archive refers to, it is stated that the National Archive may make exceptions through consent. This means that the National Archive actually may consent to transfer the archive out of the country. The Norwegian Data Protection Authority was initially sceptical to the use of cloud computing, but has gradually become more familiar with the technology and sets reasonable criteria s for how the technology should be used, instead of prohibiting the use of cloud computing. We believe that the National Archive has legal latitude to select a similar approach. We consider it to be unfortunate that the National Archive chooses not to utilize this option, especially considering that the purpose of this provision in the act is to ensure that the data is not lost for future generations. This can be done in a satisfactory manner, by laying down requirements relating to the use of cloud computing. -3-

The Bookkeeping Act The provisions of the Bookkeeping Act regarding storage of accounting materials shall also apply to accounting materials in municipalities and county authorities c.f. the Regulations regarding annuals accounts and annual reports (for municipalities and county authorities) FOR-2000-12-15-1424 section 2. According to the Bookkeeping Act section 13, second paragraph, as a general rule accounting materials shall be stored in Norway. This limits the ability to use cloud computing where the suppliers does not have servers in Norway. There are however some exceptions, accounting material may be stored in Denmark, Sweden and Finland, and in other countries by exemptions from the Tax Inspectorate. Despite the excemptions, the Bookkeeping Act will preclude certain types of cloud computing. Part of the reason for this is that the major suppliers often do not offer the possibility to store the information in the above mentioned EEA countries, but on servers elsewhere in the world. In addition the Tax Inspectorate is restrictive in granting an exemption. 3 Main findings in the interviews Municipalities During this feasibility study we have carried out in-depth interview of Alta, Narvik and Moss municipality. On the basis of these interviews, it is clear that the municipalities have different views on the use of cloud computing. Inter alia, Alta municipality has assessed that it is too expensive to adopt cloud computing, because it is not possible to move everything to the cloud, and the IT department in the municipality wants to focus on operations and stability of their IT systems. It was also a great skepticism to the use of cloud computing because data will be transferred to other countries. Narvik municipality has however to a great extent taken cloud computing in use, and the use of cloud computing is part of their strategy. According to their strategy the use of internet based services shall be assessed when it is adequate and cost saving. In their municipality they distinguish between what can and cannot be processed in the cloud, sensitive personal data shall for example not be processed in the cloud. There are several reasons why Narvik has taken cloud computing in use, such as; economy, standardization, scalability, sharing of resources and flexibility. Moss municipality has to a great extent placed large parts of their systems into the cloud. They believe that in the short term it will not be cost effective to take cloud computing in use, however in the long term it will be worthwhile. To be able to implement the project Moss has had a close dialogue with the Norwegian Data Protection Authority during the process. Moss is of the opinion that the biggest obstacle to get the full benefit of using cloud computing is the Archive Act. To be able to implement cloud computing the municipality has regularly been undertaking a risk assessment of the individual elements that has been transferred as they increasingly have adopted cloud computing. 4 Main findings in the interviews Suppliers In connection with this feasibility study we have also carried out in-depth interviews of four suppliers of cloud computing; Evry, Microsoft, Visma and Google Norway. -4-

The supplier s main point of view was that it is a great variation in the municipalities regarding their knowledge regarding the use of cloud computing and that it is a varying understanding of what cloud computing means. Some of the suppliers believe that there is a lot of uncertainty and unfounded perceptions in the municipalities regarding the legality of the use of cloud computing and that this is mainly due to fear, uncertainty and doubt. The uncertainty around cloud computing does not necessarily have basis in whether the legislation allows the use of cloud computing or not. The suppliers also expressed clearly that they want to deliver cloud computing to the municipalities, and that they to a greater extent than today will deliver services based on cloud. Today there is a very small number of public procurement that opens up for the supplier s possibility to offer their cloud services. The way the tender documentation is formulated, it will be impossible or difficult for the individual customer to compare the prices for cloud computing and IT-services based on a more traditional platform. This makes it difficult for the suppliers to offer cloud computing by public procurement. However the suppliers have seen that changes has begun to happen in this area, especially in the public procurement where the customer enquires functionality instead of technical requirements. Further the suppliers point out that according to the regulations it is essentially the Archive Act which is the biggest problem, this is partly one of the reasons that a couple of the suppliers offers storage in Norway instead of in other countries. 5 Guidelines regarding the use of cloud computing The report also contains guidelines regarding which assessments that should be performed when using cloud computing, including; the Personal Data Act s requirements for the assessment of the data to be transferred to the cloud and the risk analysis that has to be carried out, security requirements, risk assessments, assessment of country risk etc. These guidelines specify, among other things, what the municipalities should think about in the preparatory phase and at the conclusion of an agreement when procuring cloud computing. Moreover what conditions the municipality should especially be aware of regarding privacy and the use of cloud computing. The guidelines also specify the type of information which usually may be relevant to transfer to the cloud, such as information of internal administrative nature in the municipality. Also the requirements in the Personal Data Act to establish and comply with an internal control system and security measurements is examined. Among other things, that it is a requirement to establish a system for information security, in addition the municipalities has to set goals for their information security, which security level they should have and how the company should work with risk management. It the company shall adopt cloud computing for services, the information security system should include assessments and measures which also includes the supplier of the cloud services and their subcontractors so that whole chain of suppliers and not at least subcontractors are covered. The guidelines also contain a matrix for risk assessment, including an example of a risk table and an example of a risk assessment. These guidelines have been prepared as an assistance tool for the municipalities that can be used both in the preparations and the implementation of procurement of cloud computing. -5-

6 Summary It is clear that there is a significant possibility for adopting cloud computing in the municipal sector, but this possibility can be made even larger by some changes in the administrative practices, particularly at the National Archive. When evaluating whether to adopt cloud computing, there are a series of assessments that has to be carried out. The first thing to do is to identify which sets of rules that are relevant for the information to be transferred to the cloud. The way the Archive Act and the Bookkeeping Act are interpreted today, it will be easier not to transfer information covered by these regulations. If these authorities change their practice, the scope of the information that can be transferred to the cloud will increase. -6-

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback