Managing Jurisdictional Risks for Public Cloud Services

Similar documents
Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Workday s Robust Privacy Program

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

Deloitte Audit and Assurance Tools

TIX NZ Privacy Policy

SYDNEY FESTIVAL PRIVACY POLICY

Submission to the International Integrated Reporting Council regarding the Consultation Draft of the International Integrated Reporting Framework

Accelerate GDPR compliance with the Microsoft Cloud

Data Preservation Checklists

How to work your cloud around the UK ICO s Data Protection Act

GENERAL PRIVACY POLICY

DATA PROTECTION POLICY THE HOLST GROUP

Data protection policy

Magento GDPR Frequently Asked Questions

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

DATA PROCESSING AGREEMENT

OSIsoft PI Cloud Services Privacy Statement

Data protection. 3 April 2018

TIX Privacy Policy. 1. Scope of this Privacy Policy. 2. What personal information does TIX collect? Updated 7 September 2015

Whitepaper on EU Data Protection October 2014

Privacy Policy KPMG Australia

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

DATA PROTECTION AND PRIVACY POLICY

CEM Benchmarking Privacy Policy

The Role of the Data Protection Officer

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

G8 Lyon-Roma Group High Tech Crime Subgroup

Privacy Policy. LAST UPDATED: 23 June March 2017

DATA PROTECTION POLICY

UKAS Guidance for Bodies Offering Certification of Anti-Bribery Management Systems

This report was prepared by the Information Commissioner s Office, United Kingdom (hereafter UK ICO ).

PRIVACY POLICY Last Updated May, 2018

Member of the County or municipal emergency management organization

Google Cloud & the General Data Protection Regulation (GDPR)

A Homeopath Registered Homeopath

Level Access Information Security Policy

Startup Genome LLC and its affiliates ( Startup Genome, we or us ) are committed to protecting the privacy of all individuals who ( you ):

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Spring Mobile Mini UK Ltd. Privacy Policy Spring 2018

Enviro Technology Services Ltd Data Protection Policy

PRIVACY POLICY. Personal Information We Collect

A guide to requests made through fyi.org.nz and social media

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

HEALTH INFORMATION INFRASTRUCTURE PROJECT: PROGRESS REPORT

UKIP needs to gather and use certain information about individuals.

Wonde may collect personal information directly from You when You:

Guiding principles on the Global Alliance against child sexual abuse online

Information Security Controls Policy

Consolidated Privacy Notice

A Strategy for the Implementation of IPv6 in Australian Government Agencies

1. Right of access. Last Approval Date: May 2018

Data Processing Agreement

Trough a cyber security lens

General Data Protection Regulation: Knowing your data. Title. Prepared by: Paul Barks, Managing Consultant

DATA PRIVACY & PROTECTION POLICY POLICY INFORMATION WE COLLECT AND RECEIVE. Quality Management System

Inspiring Insights Ltd Privacy Policy - May Important Information. 2. The data we collect and how we store it.

The Apple Store, Coombe Lodge, Blagdon BS40 7RG,

VISTRA NETHERLANDS PRIVACY NOTICE

2017 RIMS CYBER SURVEY

One Sector Community Limited ACN ( OSC ) Privacy Policy

Vistra International Expansion Limited PRIVACY NOTICE

Privacy Policy May 2018

2.1 The type of personal information that auda collects about you depends on the type of dealings you have with us. For example, if you:

Cellular Solutions and Services Limited and Cellular Solutions and Network Services Privacy Policy

STRATEGY ATIONAL. National Strategy. for Critical Infrastructure. Government

RESPONSE TO 2016 DEFENCE WHITE PAPER APRIL 2016

BCS Practitioner Certificate in Information Risk Management Syllabus

Cova Security Gates Ltd Privacy Notice. Unit C1, Sussex Manor Business Park, Crawley, West Sussex, RH10 9NH, United Kingdom

At Sound United, we re committed to protecting and respecting your privacy.

Privacy Policy. When you create an account or use our Service, we collect the following types of information from you:

Eagles Charitable Foundation Privacy Policy

Cyber Security Strategy

ecare Vault, Inc. Privacy Policy

Data Protection. Practical Strategies for Getting it Right. Jamie Ross Data Security Day June 8, 2016

Oblong Europe Ltd- UK Data Privacy Policy

ITU-ACMA Asia Pacific Regulators Roundtable July 2014

Information Technology Branch Organization of Cyber Security Technical Standard

Cloud Security Standards Supplier Survey. Version 1

ELTA GROUP ASIA PACIFIC (EGAP) COMPANIES

GDPR AMC SAAS AND HOSTED MODULES. UK version. AMC Consult A/S June 26, 2018 Version 1.10

EIT Health UK-Ireland Privacy Policy

01.0 Policy Responsibilities and Oversight

Build confidence in the cloud Best practice frameworks for cloud security

NATIONAL GUIDELINES ON CLOUD COMPUTING FOR GOVERNMENT, MINISTRIES, DEPARTMENTS AND AGENCIES

BIOEVENTS PRIVACY POLICY

IDENTITY THEFT PREVENTION Policy Statement

Privacy Statement. Your privacy and trust are important to us and this Privacy Statement ( Statement ) provides important information

VISTRA (CYPRUS) LTD. PRIVACY NOTICE

Policy on Privacy and Management of Personal Information

PRIVACY POLICY. What personal data we collect and why we collect it IN ORDER TO: (Date of last update: 1 st January 2019)

Policy Objectives (the Association) Privacy Act APPs Policy Application ACTU The Police Association Website

CASE STUDY CHIEF INFORMATION OFFICER GROUP

Protecting your data. EY s approach to data privacy and information security

Global Specification Protocol for Organisations Certifying to an ISO Standard related to Market, Opinion and Social Research.

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Regulation P & GLBA Training

Privacy Notice for Business Partners

Transcription:

Managing Jurisdictional Risks for Public Cloud Services Version 1.0 July 2017 1

Contents Executive summary 3 Definitions 4 Assessing jurisdictional risk 5 Commonly-used jurisdictions 8 2

Executive summary Purpose This guidance has been produced by the Government Chief Information Officer to help New Zealand public sector agencies manage jurisdictional risks for public cloud services. It should be used by agencies as an input into their risk assessments of public cloud services. Additional guidance on risk assessments is available from: ict.govt.nz Background In July 2016, Cabinet confirmed new measures to accelerate the adoption of public cloud services across government. These measures were a response to the reduced costs and improved resilience and security of these services compared with other technology delivery models. These services also have the ability to drive digital transformation within agencies. Jurisdictional risks In the context of public cloud services, jurisdictional risks occur where data is subject to the laws of the country where cloud services providers store, process, or transmit data. Data sovereignty is often used interchangeably with jurisdictional risks. Assessment frameworks This guidance contains frameworks for assessing jurisdictional risks in relation to both jurisdictions and cloud services providers. Agencies are encouraged to use these frameworks to inform their risk assessments of public cloud services. After completing their risk assessments, agencies may decide that their appetite to use a public cloud service is limited to specific cloud services providers, specific jurisdictions, and specific data sets. Jurisdictional assessments This guidance assesses the following eight jurisdictions: United States, Netherlands, Germany, Singapore, United Kingdom, Ireland, Australia, and Canada. These are the most commonly-used jurisdictions and were identified from an analysis of public cloud services that agencies intend to use. Agencies may use public cloud services hosted in jurisdictions outside of these eight jurisdictions. However, they should use the assessment framework from this guidance to inform their risk assessments. Basis of assessments The assessments in this guidance are based on open source information. These assessments were made in June 2017 and will be reviewed periodically or if significant changes occur that warrant a review. Release of guidance Note that this version of this guidance omits the jurisdictional assessments (pages 9-29). The full version is available to agencies via: ict.govt.nz 3

Definitions Jurisdictional risks In the context of public cloud services, jurisdictional risks occur where data is subject to the laws of the country where cloud services providers store, process, or transmit data. Data sovereignty is often used interchangeably with jurisdictional risks. Jurisdictional risks may lead to situations which are disadvantageous to New Zealand s national interests or inconsistent with New Zealand s laws as it is not possible to fully contract out of the legal framework of another country. For this reason it is important that agencies engage with cloud providers to ensure they know in which country their data is transmitted, processed, or stored (a concept sometimes referred to as data residency) and are aware of the laws of the country to which their data will be subject. Extra-territorial reach Extra-territorial reach is where a government lawfully endeavours to access data from a cloud services provider outside its territory. While this is a complex and evolving area of international law, recent court rulings suggest that there are significant limitations on the exercise of extra-territorial reach. Data surveillance This guidance is concerned with lawful access to data by other governments. It does not address the risks of data surveillance (espionage) or data theft by other governments or actors. The risks posed by data surveillance are out of scope of this advice. 4

Assessing jurisdictional risks Case-by-case risk assessments Agencies are required by Cabinet to undertake case-by-case risk assessments before using public cloud services. These risk assessments include an assessment of jurisdictional risks. Consider jurisdictions and providers As jurisdictional risks are impacted by which jurisdictions and cloud service providers are used, assessments of jurisdictional risks should include both of the following considerations: how governments lawfully access data which is stored, processed, or transmitted in their territory how cloud services providers respond to requests by other governments for access to the data they store, process or transmit. After completing their risk assessments, agencies may decide that their appetite to use a public cloud service is limited to specific cloud services providers, specific jurisdictions, and specific data sets. 5

Assessing jurisdictions Rationale Agency risk assessments of public cloud services should be informed by an assessment of how governments lawfully access data which is stored, processed, or transmitted in their territory. Implications After completing their risk assessments, agencies may decide that some jurisdictions are only appropriate for some types of data. Assessment framework It is recommended that agencies assess jurisdictions using all of the following three criteria: Lawful access An assessment of the laws that regulate a government s lawful access to data. Legal institutions An assessment of the robustness of legal institutions that oversee a government s lawful requests for access to data. Privacy frameworks An assessment of the protections available to personally identifiable information. 6

Assessing cloud services providers Rationale In addition to assessing jurisdictions, agency risk assessments of public cloud services should be informed by an assessment of how cloud services providers respond to requests by other governments for access to the data they store, process or transmit. Implications After completing their risk assessments, agencies may decide that some public cloud services are only appropriate for some types of data. Assessment framework It is recommended that agencies assess cloud services providers using all of the following five criteria: Location An assessment of whether the provider identifies the location of where customer data is stored and backed-up. Informed An assessment of whether the cloud provider informs its customers in the event of lawful requests to access customer data. Disclosure An assessment of whether the provider only discloses customer data when required by a warrant. Reviewed An assessment of whether the provider dedicates resources to reviewing lawful requests to access customer data. Deletion An assessment of whether the provider deletes customer data after the termination of contract. RESTRICTED NOT GOVERNMENT POLICY Best practice service terms A best practice cloud service provider will: Commit in its service terms to never disclose customer data except as directed by the customer or required by the law (noting any potential exceptions, such as imminent threat to life, and the processes that must be followed in these cases). Set out a process for responding to government requests that includes: always attempting to redirect the requesting agency to contact the customer if possible, seeking to narrow the scope of government demands always contacting the user when information is released (unless legally prevented from doing so) disclosing only that information which is specified in the legal order. Have a dedicated team for reviewing government demands for user data. Report publicly on the frequency of data requests by country and the results of data requests (particularly for commercial services). Allow the customer to determine where their content will be stored, and specify the circumstances when it may be moved to another jurisdiction. 7

Commonly-used jurisdictions Commonly-used jurisdictions For practical reasons, such as latency, it is anticipated that New Zealand public sector agencies will want to use public cloud services hosted in jurisdictions that are in close geographical proximity to New Zealand: Australia, Singapore, and the United States. Based on the demand for public cloud services from the October 2016 survey of CIOs, it is possible that agencies will also use several other jurisdictions: Netherlands, Germany, United Kingdom, Ireland, and Canada. Other jurisdictions These eight jurisdictions are not an approved list of jurisdictions. Agencies may use public cloud services hosted in other jurisdictions. However, where agencies do so, it is recommended that they use the criteria outlined above to inform their risk assessment. Analysis and assessment of jurisdictions Using a range of open source material, each of these eight jurisdictions are analysed in terms of the three criteria from the assessment framework for jurisdictions: lawful access, legal institutions, and privacy frameworks. An overall assessment of this analysis is also provided for each of these eight jurisdictions. It is recommended that agencies use this overall assessment as an input into their assessment of jurisdictional risk and this should, in turn, form part of their case-by-case assessment of public cloud services. Please note that the country-by-country analysis is not included in the version of this guidance. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback