Tag Archives: data controller

Data Breaches in Cloud Computing

The cloud computing economy is expected to grow to $191 billion by 2020, an increase of $100 billion in five years, according to the analysts at Forrester. After Monday’s mega-leak, Ecuadorians may be a little hesitant to embrace this secular shift to cloud computing.

The advantages of this system for storage and productivity are well-documented, but cloud computer servers come with several serious security risks.

High-profile breaches of cloud platforms at Evernote, Adobe, Slack and LastPass over the last few years have led to extra scrutiny of cloud computing from a security perspective, as these online databases are more and more relied upon for storing sensitive data.

Outrage over cloud platform Ecuador personal and financial data leak

This massive data breach was made possible by a vulnerability on an unsecured AWS Elasticsearch server.  It was discovered on 16th September and caused outrage throughout the Andean state.

Roughly twenty million people, including 6.7mn children, were affected, comprising nearly the entire population. Even the President of Ecuador was affected, as well as Julian Assange, who was given a ‘cedula,’ or national ID number, during his stay at the Ecuadorean embassy in London.

Collectively, the information was described by one journalist “as valuable as gold in the hands of criminal gangs.”

The scale and detail of the 18GB cache of personal information exposed by the leaky server was such that the researchers were actually able to reconstruct entire family trees.

The types of personal and confidential information available on the database included:

  • names;
  • national ID numbers;
  • DOBs;
  • places of birth;
  • home addresses;
  • genders;
  • phone numbers;
  • family and marriage records;
  • education and work records;
  • financial information including tax records.

It is not known whether any agents took advantage of the leaky server before it was plugged by the Ecuador’s computer emergency security team shortly after the discovery.

How did the breach happen?

A local data analytics company, Novaestrat held vast amounts of Ecuadorian data on an Elasticsearch server, which had no password protection, allowing anyone access. 

Though there is no evidence that the government’s database was hacked or breached by Novaestrat, these revelations led to the swift arrest of the company’s executive, and a full investigation over how the company possessed the data it held.

Novaestrat was awarded several government contracts by the former political regime, so it is likely that these were reason the company gained access to the personal data.

Plans for Data Protection Law

This breach has caused the Ecuador’s Ministry of Telecommunications to speed up the process of passing a new data privacy law.  This is intended to match rising international standards of data protection (for example, the GDPR).

Why Data Retention and Deletion Schedules are vital

There is a clear lesson here, both to data controllers and data processors.  You must make sure, whether you are a data controller or a data processor, that you have robust data retention and deletion schedules in place

Data controllers

Data Processors 

1. Make sure your data processors are legally obliged to delete the data

1. Ensure that you have procedures in place to enable you to meet the requirements of your data processor agreement

2. Demand evidence that the deletion has taken place

2. Ensure you have a robust mechanism for the destruction of the data

3. Exercise your audit rights

3. Be prepared to provide evidence of the destruction

a) Once the  purpose of the data sharing has been met and / or

4. Consider backup files as well as live

b) According to your own retention and deletion policies

  

  

If you have any questions about data retention and deletion policies or data processor agreement, please contact us via email team@datacompliant.co.uk or call 01787 277742

Data sharing under GDPR: What you need to know

In this blog, we’re going to explain how the DPA, UK GDPR and EU GDPR affect the way you process and share personal data. First, here’s a quick intro to the terms by which people are labelled in their relation to data protection law:

  • Data controller: a person or organisation who either alone, or jointly, or in common with other persons, determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Data processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
  • Data subject: an individual to whom data relates in the context of data protection law; an individual with data protection rights.

Processing

Before you can think about sharing data in the first place, you need to ensure that any data you have (and potentially may wish to share) has been processed and stored lawfully.  The DPA and GDPR apply only to personal data, which is defined as ‘any information relating to an identified or identifiable natural person,’ i.e. a data subject.

Not all of the data you obtain will count as personal data. If data sets are anonymised and an individual can no longer be identified, then the GDPR will not apply, since the information no longer constitutes personal data.

Six Principles

The regulation defines six principles that must be followed when processing personal data. All personal data must:

  1. be processed lawfully, fairly and transparently
  2. be kept to the original purpose
  3. be minimised (i.e. only the personal data that is necessary is collected)
  4. have the accuracy upheld
  5. be removed if they are not necessary
  6. be kept confidential and their integrity maintained

Legal Basis for processing

You will also need to have a legal basis for processing personal data, of which there are six possible grounds.  These are not hierarchical – you use the legal basis that is appropriate.

  1. consent of the data subject
  2. necessary for the performance of a contract
  3. legal obligation placed upon controller
  4. necessary to protect the vital interests of the data subject
  5. carried out in the public interest or is in the exercise of official authority
  6. legitimate interest pursued by controller

The grounds for processing cannot be retroactively adjusted or changed, i.e. you cannot choose to justify the processing or sharing of data in a different way after having done so. Data protection policies must be consistent and trustworthy, regardless of who you are.

Basic things to remember when sharing personal data

Restrictions apply to sharing personal data and therefore not anonymised or pseudonymised data. The latter is often used in healthcare notes, for example.  But remember, the pseudonymisation key itself is personal data.

With whom may I share personal data

Examples of sharing personal data include sharing with:

  • a joint data controller (for joint purposes).
  • another data controller (a third party for their own use).
  • a data processor engaged to store or use data for you (for your purposes)

Before sharing personal data, you must ensure:

  • there is a good reason for the sharing to take place 
  • the individuals have been clearly informed that their personal data is being shared, and the details of the sharing, including:
    • the details of the data to be shared
    • with whom it is to be shared
    • the purpose of the sharing
    • the legal basis for the sharing
    • for how long the data will be held
    • the mechanism by which they can give consent / opt out
  • the volume of personal data that needs to be shared is minimised.
  • the availability of the information is also minimised, or the shared data exists for the minimum time
  • any parties processing the data must therefore have clearly stated retention and deletion policies.
  • the sharing is secure.
  • the sharing is documented.

Contracts and Agreements

Where contracts or other data sharing agreements are required, it is wise to have a data sharing agreement in a framework which can be customised to suit your business needs. A Data Protection Officer (DPO)  can help your team create the appropriate frameworks, and develop bespoke data sharing agreements.

If you are sharing to a country outside the UK or EU that has not been declared ‘adequate’ by the EU Commission, then the new EU standard contractual clauses should normally be used, with supplementary measures.  These were updated in 2021 to meet the needs of the EU GDPR.  The UK has also issued a new “Addendum” enable these SCCs to be used for international transfers from the UK.

Each data sharing process must be considered on a case by case basis.  If in doubt consult your DPO and / or a specialist data protection lawyer.  And remember, it is important to stay up-to-date by following the latest guidance from a DPO and the relevant data protection authorities (the Information Commissioner’s Office for the UK).

New GDPR Guidance in the Data Compliant Data Protection Roundup

Leave a reply

The Information Commissioner’s Office (ICO) releases GDPR guidance on “contracts and liabilities between controllers and processors.”

GDPR 7 Months and Counting

Organisations only have until May 2018 to review, redraft and negotiate controller / processor contracts

Ahead of the May 2018 deadline for GDPR enforcement, the ICO has released a 28-page document providing “detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR.” The document aims to explain the requirements and responsibilities of data controllers as well as the new liabilities of processors. The document points out that many of the requirements may already be covered by existing contracts, but that the expansion and clarification of contractual clauses to evidence compliance with all aspects of the new regulations will likely be necessary.

Under the new regulations, contracts will be required between data controllers (the organisations responsible for the holding and use of the data) and data processors (those involved in the collection and ‘processing’ of data). This written contract or “other legal act” is to “evidence and govern” the working relationship of both parties. Under the current rules, these contracts are only advised as a measure to demonstrate compliance when necessary.

iStock_000030770786Medium

EU Commission encourages standard contractual clauses and certification schemes (yet to be drafted)

It is noted that “standard contractual clauses” as well as certification schemes for contractual codes of conduct provided by the EU Commission or a supervisory authority such as the ICO will be allowed and encouraged by the GDPR, but that as yet none have been drafted.

Emphasis is given to the GDPR’s expansion of liability to include data processors as well as controllers, the former now liable to pay damages or become subject to penalties if not found compliant. On top of this, processors will need to have contracts with other processors (sub-processors) if they are to utilise their services, with written authorisation from the controller.

What needs to be included in the contract:

Contracts must explain:

Contract

Contracts must explain several key points – if not, you will be fined!

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller

Contracts must, as a minimum, require the processor to:

  • Only act on the written instructions of the controller
  • Ensure that people processing the data are subject to a duty of confidence
  • Take appropriate measures to ensure the security of processing
  • Only engage sub-processors with the prior consent of the controller and under a written contract
  • Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
  • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  • Delete or return all personal data to the controller as requested at the end of the contract
  • Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Common Thread Network (CTN) announces Patricia Poku as new co-chair alongside Information Commissioner Elizabeth Denham

The CTN, the forum for data protection and privacy authorities among Commonwealth countries, has appointed a new co-chair to sit alongside the incumbent UK Information Commissioner. The decision was made at the CTN Annual General Meeting on 25th September. The organisation promotes cross-border co-operation for data security and privacy objectives.

Patricia Poku, also recently appointed as Executive Director and Member of the Board for the Data Protection Commission of Ghana, has worked as Head of Data Protection for the 2012 London Olympic Games and Global Director for Data Protection & Privacy at World Vision International.

cyber attack

Increasing cybercrime is driving transational cooperation

With the rise of cybercrime and data abuse as international phenomena, not only on the level of government operative activities but also syndicate-level action usually involving the use of malware and the new universal digital currency Bitcoin, transnational co-operation is more important than ever, and gaining in participants. In July, South Africa joined the CTN and in August, the Cayman Islands issued its first Data Protection Bill, working for “adequacy with the EU directive,” the GDPR.

Policies and Procedures Cropped

Global traction for best-practice polices

That the GDPR necessitates organisations outside the EU fulfilling data protection adequacy standards with EU member states if they wish to do business or in any way process data in Europe indicates that the best-practice policies encouraged by the GDPR may find global traction – and organisations such as the CTN have an important role to play in these processes. GDPR-level policies and practices will be especially desirable given the emphasis the ICO has been putting on the benefits to consumer trust that robust data protection provides. It should be viewed that in a global digital economy, data protection best-practice makes commercial sense.

Written by Harry Smithson

EU Data Protection Regulation – Getting closer?

Leave a reply

EU dpaThe EU Regulation is designed to replace the current multiplicity of EU data protection laws with a single set of rules to be applied throughout all Member States.  Time is moving on so it’s important to keep on top of the discussions and updates being published.

Last month’s proposed revisions to Chapter IV (which deals with data controller and data processor obligations) are summarised below.  However, it is worth remembering that “nothing is agreed until everything is agreed” in relation to the Regulation.

Greater discretion for data controllers – risk-based compliance

Businesses will be relieved to see greater discretion for data controllers in complying with the legislation as recent Chapter IV discussions in Europe have moved towards a risk-based approach to compliance.

A balance between privacy and entrepreneurship

EU balanceThe proposed amendments to Chapter IV suggest that data compliance obligations should be proportional to the organisation’s specific data processing activity and associated risks.

Once these activities and risks have been assessed, appropriate privacy and data protection tools should be instigated by the organisation.

Different activities, even where the same data is involved, may quite often have different consequences, requiring different levels of protection. The risk-based approach allows data controllers a more flexible approach in assessing their data compliance responsibilities within the context of their own particular business.

It appears that most countries welcome the risk-based approach, which they view as providing a good balance between protecting personal data and safeguarding businesses and entrepreneurship.

Chapter IV Proposed Revisions 

Below are some examples of the revisions proposed by the EU Council:

  • Data protection impact assessments are only required where “high” risk (for example identity theft, fraud or financial loss) to the rights and freedoms of individuals is involved
  • The appointment of Data Protection Officers is voluntary (unless individual Member State legislation states otherwise)
  • Only data breaches that are likely to result in “high risk for rights and freedoms of individuals” need be reported
  • If stolen or breached data is encrypted or protected in such a way that the data remains indecipherable, there is no requirement to report the breach.
  • Required levels of security measures will be established by considering multiple factors, including the nature, scope, context and purpose of the data processing to be undertaken, in combination with the cost of implementation and the technology available.
  • Only where a data privacy impact assessment indicates that data processing would result in “high risk” to the rights and freedoms of individuals, the supervisory data protection authority should be consulted prior to the start of such processing

There is also a suggestion that data controllers may use “adherence of the processor to an approved code of conduct or an approved certification mechanism” to demonstrate compliance with the obligations of a controller.  So organisations may find it well worth considering selecting only those data processors who have appropriate data security certification such as ISO 27001 or DMA DataSeal.

If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services