Building Trust in the Cloud Era - Protect, Respect Personal Data

Similar documents
Hong Kong s Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance

University Privacy Campaign. Introduction to the Personal Data (Privacy) Ordinance

Introduction to the Personal Data (Privacy) Ordinance

A Regulator s Perspective on Accountability and How to Incentivise It

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

ADMA Briefing Summary March

DATA PROTECTION ISACA MALTA CHAPTER BIENNIAL CONFERENCE Saviour Cachia Commissioner for Information and Data Protection

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Islam21c.com Data Protection and Privacy Policy

Data Protection Policy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

Hong Kong Accountability Benchmarking Micro-Study. Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong

Cloud Expo Asia, Hong Kong 2018 Hong Kong Convention and Exhibition Centre

Data Protection Policy

Guidance on Preparing Personal Information Collection Statement and Privacy Policy Statement

Data Protection Policy

Data protection legal jungle or common sense Susan Healy. Religious Archives Group 22 Mar 2010

PS Mailing Services Ltd Data Protection Policy May 2018

Data Protection and GDPR

Our Data Privacy Statement Scope Responsibilities

Motorola Mobility Binding Corporate Rules (BCRs)

Guardian Electrical Compliance Ltd DATA PROTECTION GDPR REGULATIONS POLICY

UWC International Data Protection Policy

Safeguards on Personal Data Privacy.

GDPR: A technical perspective from Arkivum

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

A Homeopath Registered Homeopath

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Membership Privacy Notice. 31 August 2018

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Adkin s Privacy Information Notice for Clients, Contractors, Suppliers and Business Contacts

GDPR compliance: some basics & practical to do list

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Within the meanings of applicable data protection law (in particular EU Regulation 2016/679, the GDPR ):

GDPR - Are you ready?

This Privacy Policy applies if you're a customer, employee or use any of our services, visit our website, , call or write to us.

DATA PROTECTION POLICY THE HOLST GROUP

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

Data Processing Agreement

A1 Complete Plumbing and Heating Limited Job Applicant Privacy Notice

ADIENT VENDOR SECURITY STANDARD

Privacy Policy. Information about us. What personal data do we collect and how do we use it?

GDPR: A QUICK OVERVIEW

Government data matching and the Privacy Act 1988 (Cth)

Privacy Policy. Due Diligence Checking Limited ( We or Us ) are committed to protecting and respecting your privacy.

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

NOTICE OF PERSONAL DATA PROCESSING

Element Finance Solutions Ltd Data Protection Policy

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

This article will explain how your club can lawfully process personal data and show steps you can take to ensure that your club is GDPR compliant.

SCHOOL SUPPLIERS. What schools should be asking!

Data Protection Policy

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

You will see lots of references in the Checklist to the GDPR Pack if you would like to purchase this, go to

NWQ Capital Management Pty Ltd. Privacy Policy. March 2017 v2

EU General Data Protection Regulation (GDPR) Achieving compliance

Our agenda. The basics

Introductory guide to data sharing. lewissilkin.com

BELLISSIMA BEAUTY SALON PRIVACY NOTICE

Subject: Kier Group plc Data Protection Policy

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

M T BUCKLEY & Co Chartered Accountants

Protecting Your Business: Best Practices for Implementing a Legally Compliant Cybersecurity Program Trivalent Solutions Expo June 19, 2014

Learning Management System - Privacy Policy

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING FURTHER INFORMATION FURTHER INFORMATION AND GUIDANCE CONTACT US...

Jeff Wilbur VP Marketing Iconix

BHBIA New Data Protection Rules. Pharma Company Perspective. Guy Murray Director, Market Research & Analytics, GC&BI MR Operations and Compliance, MSD

HPE DATA PRIVACY AND SECURITY

Data Protection Policy

enter into application on 25 May 2018

Introduction to Personal Data Protection DCU Risk & Compliance Office October 2015

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

The Integrity of Personal Data: Some Topical Issues & Implications of PDPO for Business

"PPS" is Private Practice Software as developed and produced by Rushcliff Ltd.

Privacy Notice and Consent Form

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

Privacy by Design and Privacy by Default

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

The GDPR Are you ready?

Accelerate GDPR compliance with the Microsoft Cloud

Creative Funding Solutions Limited Data Protection Policy

Pathways CIC Privacy Policy. Date Issued: May Date to be Reviewed: May Issued by Yvonne Clarke

Unified Communications Phase 2 Presentation to IT Services Users Group

Graff Search Limited ( Graff Search ) is a recruitment agency and recruitment business.

General Legal Requirements under the Act and Relevant Subsidiary Legislations. Personal data shall only be processed for purpose of the followings:

INNOVENT LEASING LIMITED. Privacy Notice

SHELTERMANAGER LTD CUSTOMER DATA PROCESSING AGREEMENT

Dealing with Security and Security Breaches

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

This Privacy Policy governs our processing of all personal data provided to us at Environmental Essentials in relation to our E-learning services.

2014 Luxury & Fashion Industry Conference for Multinationals

Made In Hackney Data Protection Policy Last Updated:

GDPR Compliant. Privacy Policy. Updated 24/05/2018

Google Cloud & the General Data Protection Regulation (GDPR)

Toucan Telemarketing Ltd.

Data Protection Statement. Trinity Development & Alumni

Transcription:

Cloud Expo Asia 18 May 2016 Building Trust in the Cloud Era - Protect, Respect Personal Data Stephen Kai-yi Wong Privacy Commissioner for Personal Data, Hong Kong

The Hong Kong Data Protection Law The Personal Data (Privacy) Ordinance 1995 (the Ordinance) comprehensive and stand-alone covering the public (government) and private sectors referenced to OECD Privacy Guidelines and 1995 EU Directive enforced by an independent statutory regulatory body the Privacy Commissioner for Personal Data 1

The Personal Data (Privacy) Ordinance Collection Retention Use Erasure The Six Data Protection Principles 2

Principle 1 Purpose and Manner of Collection related purpose lawful and fair means adequate but not excessive e.g. collection of fingerprints for attendance is excessive 3

Principle 1 Purpose and Manner of Collection purposes classes of transferees obligatory/voluntary consequences for failure to supply when obligatory contact details for access/correction 4

Principle 2 Accuracy and Duration of Retention practicable steps to ensure accuracy Checked Name Phone Address Gender 5

Principle 2 Accuracy and Duration of Retention personal data not kept longer than necessary for the purpose Erasure Erasure e.g. personal data of unsuccessful insurance applicants should not be retained by insurer indefinitely 6

Principle 3 Use of Personal Data not being used for a new purpose without prescribed consent e.g. posting of compliant letter openly showing details of complainant without consent may contravene DPP3 7

Principle 4 Security of Personal Data practicable steps to ensure no unauthorized or accidental access, processing, erasure, loss, use and transfer security in the storage, processing and transmission of data e.g. loss of unencrypted USB drive with personal data 8

Principle 5 Openness Information be Generally Available policies and practices in relation to personal data kinds of personal data held Privacy policy statement Statement of policy Statement of practice main purposes for which personal data are used e.g. apps accessing data on smartphone should show privacy policy 9

Principle 6 Access to Personal Data access right correction right e.g. patients of the Electronic Health Record scheme may request access to the data shared by all their health care providers 10

11

Cloud Computing and Personal Data Privacy cloud computing leaflet issued 2012 and updated 2015 12

Cloud Computing and Personal Data Privacy consistent with Article 29 Working Party s opinion on Cloud Computing, Berlin Group s Working Paper on Cloud Computing - Privacy and Data Protection Issues 13

Cloud Computing and Personal Data Privacy Bottom lines: organisations need to maintain controls organisations fully responsible for personal data protection outsourcing data processing outsourcing legal responsibility 14

Cloud Computing and Personal Data Privacy Potential privacy issues related to cloud s business model rapid transborder data flow loose outsourcing arrangements standard contract terms 15

Cloud Computing and Personal Data Privacy Rapid transborder data flow. Do organisations know: where personal data will be stored? if and what legal protection is afforded in the location? how to explain to customer the risk of storing data overseas? Data user needs to know storage locations, have consent, ensures comparable law, or exercises due diligence etc. 16

Cloud Computing and Personal Data Privacy Loose outsourcing arrangements. Do organisations know: if there is subcontracting arrangements by the cloud provider? if their requirements on cloud providers are observed by their subcontractors? Cloud service provider needs to be transparent on outsourcing practice and have sufficient controls in place 17

Cloud Computing and Personal Data Privacy Standard contract terms. Do organisations know: what to do if standard contract terms are inferior to requirements? how to monitor the compliance of standard/customised terms? Ensure requirements are addressed in contract and enforced 18

Cloud Computing and Personal Data Privacy personal data Data user 19

Cloud Computing and Personal Data Privacy personal data Data user ISO 27018 20

Cloud Computing and Personal Data Privacy ISO 27018 has two parts: specific ISO 27002 security controls applicable to cloud Specific ISO 29100 privacy framework applicable to cloud 21

Cloud Computing and Personal Data Privacy ISO 27018 addresses (to name a few) personal data privacy: transparency on storage location transparency on outsourcing arrangements commitments on data re-use, retention, disclosure, data breach notification, security, encryption, etc. 22

Cloud Computing and Personal Data Privacy personal data Data user Privacy Management Programme ISO 27018 23

Privacy Management Programme (PMP) encourage organisations to embrace personal data privacy protection as part of their corporate governance responsibilities and apply it as a top-down business imperative throughout the organisation Compliance accountability 24

Privacy Management Programme (PMP) strategic framework good corporate governance trust building transparency 3 organisational commitments, 7 bottom-up controls and 2 review processes 25

PMP Best Practice Guide Framework Three top-down management commitments top management buy-in of the PMP appointment of a Data Protection Officer or Office internal reporting mechanism 26

PMP Best Practice Guide Framework Seven bottom-up programme controls a personal data inventory internal policies (DPPs) risk assessment up-to-date training and education procedure of notification (data breach) obligations for data processor communication with employees and customers Two on-going monitoring processes documented process regular execution 27

Paradigm Shift Compliance approach: passive reactive remedial problem-based handled by legal/compliance minimum legal requirement bottom-up Accountability approach: active proactive preventative based on customer expectation directed by top-management reputation building top-down 28

Effect of Paradigm Shift Liability Asset 29

Effect of Paradigm Shift Enforcement and compliance + Accountability = Trust Culture (Protect and Respect) 30

Building Trust in the Cloud Era Protect, Respect Personal Data 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback