The Irish Public Sector: The Cloud Effect
6 April 2011


Regulating the Cloud: Legal Considerations for Cloud
Computing in the Public Sector


Philip Nolan
Partner and Head of Commercial Law
Just as the Internet has led to the creation of new business
models unfathomable 20 years ago, cloud computing will
disrupt and reshape entire industries in unforeseen ways.


To paraphrase Sir Arthur Eddington – the physicist who
confirmed Einstein’s Theory of General Relativity – cloud
computing will not just be more innovative than we imagine;
it will be more innovative than we can imagine.
Overview
• How are other governments adopting the cloud?


• What themes/patterns are emerging?


• What are the risks to be overcome?
   • Data security
   • Export of data
   • Long term retention
Survey of leading countries


• United States
• United Kingdom
United States



• Exemplar and global leader for public sector cloud
  adoption


• Policy has been driven directly by White House


• Extremely sophisticated implementation
“Cloud First”

• Federal Cloud Computing Strategy, 8 February 2011


• All Agencies/Departments to “evaluate safe, secure
  cloud computing options before making any new
  investments”


• Cloud options must be rejected before procuring
  traditional IT
“Cloud First”


• Requires a “transparent security environment”
  between the Government and cloud providers


• “The environment will move us to a level where the
  Federal Government’s understanding and ability to
  assess its security posture will be superior to what is
  provided within agencies today.”
How does it work?
• Very controlled process directed by General Services
  Administration (GSA)


• Vendors must seek centralised pre-approval from
  GSA


• Minimum standards:
   • Full ownership of data hosted in the cloud
   • Full copies of data downloadable at any time
   • Hosted within the continental US
   • 99.95% uptime
   • Compliance with all applicable laws
How does it work?
• Security assured under the Federal Risk and
  Authorization Management Program (FedRAMP)


• Detailed and specified security obligations are set
  down


• All vendors are continually assessed and monitored
How does it work?
• Solutions meeting these standards are pre-approved
  to be offered to US Federal Agencies


• Solutions are sold on “apps.gov”, a centralised store


• Purchasing officers/CIOs for each agency can
  purchase services from this site
Free cloud/web 2.0 services
• E.g. Twitter, Facebook, blogs etc…


• Special terms of service have been centrally
  negotiated


• Removal of terms that are objectionable, e.g.
  indemnities, extreme limitations on liabilities


• Agency wanting to use web 2.0 services can adopt
  these terms
Best of All Worlds

• procurement pre-screening centralised
       → legal compliance and security centrally
       assured


• single price must be provided
       → market power of entire government leveraged


• final purchasing decision is made by individual agency
       → services purchased are suitable for end user
United Kingdom
•   “G-Cloud”


•   Project driven by Cabinet Office


•   Phase 2 reports just published
UK vs US
•   Suggests a broadly similar approach to US
        • G-Cloud authority setting basic standards
        • Applications store for Government
        • Pre-approval required
        • Data is to remain within UK
        • Data is to remain under control of public body
        • Data to be returned on demand

•   Differences
        • All applications must be provided on at least
          two infrastructure providers to avoid lock in
        • Government to run its own data centres
UK: Hybrid Cloud Approach
•   A hybrid cloud model: services will be run on both
    the UK Government’s own dedicated infrastructure
    and that of private entities, e.g. Microsoft


•   Infrastructure used will depend on degree of security
    required. Differing security standards (matching
    existing government security levels) will be provided
Emerging themes
  • A global move to the cloud by public sectors


  • Some differences in approach, but patterns clearly
    emerging:
     • Centralised pre-approval, not a free-for-all!
     • Variable security standards: public info v tax
       returns
     • Public sector “champion” drives the initiative
     • Purchasing authority remains decentralised
     • Insistence that sensitive data remain within
       jurisdiction
Programme for Government: The Challenge
  • “We will make Ireland a leader in the emerging I.T.
    market of cloud computing by promoting greater use
    of cloud computing in the public sector.”


  • What are the legal impediments to achieving this
    objective?


  • Can we overcome them?
Legal Issues
  • Stem from a myriad of sources, but can be stated
    simply


  • Three key issues
     • Data security
     • Data export
     • Data availability


  • Problems with solutions
Data Security: Problem
  • Data Protection Acts 1988-2003


  • Obligation on a “data controller” to ensure
    appropriate safeguards are in place


  • Failure = breach of statutory duty and liability in
    damages


  • Duty does not disappear when data is handed over
    to a “data processor” or put into cloud
Data Security: Solution
  • Ensure cloud provider has adequate technical
    safeguards in place (NB: public sector
    pre-approvals)


  • Insist that provider agrees, in contract, to comply
    with Irish law


  • Require cloud provider to accept liability for data
    breaches (e.g. LA-Google Contract)


  • Seek audit rights
Data Export: Problem
  • Export of personal data outside of EEA is heavily
    regulated


  • Generally need consent of data subject or special
    agreement to export data outside of EEA


  • Public bodies have specific security concerns – can
    the data be accessed by foreign states?
      • USA PATRIOT Act
      • UK Regulation of Investigatory Powers Act 2000
      • High profile but similar powers in most states
      • Discovery in civil litigation
Data Export: Solution
  • Geographic location of cloud is key, potential “deal
    killer”
  • Insist that cloud is based in EEA to address DPA
    issues
  • Where security issues: Irish cloud!
  • Ireland = European data centre capital!
  • High level concerns may call for dedicated
    government cloud infrastructure (e.g. UK)
  • Issue does not arise for non-personal, non-sensitive
    information, e.g. publicly available document
    hosting
Data Retention: Problem
  • Public sector under far reaching obligations to
    ensure that data is stored safely and is accessible
    over longer term: National Archives Act, Freedom of
    Information Act

  • Data subjects have a right to access and modify
    their data under Data Protection Acts

  • Similar private sector obligations: tax, employment,
    health and safety law

  • Does the cloud offer long term storage and access?
Data Retention: Solution
  • Ability to download any information when needed.


  • Data back-up and that provider has disaster
    recovery systems

  • Ensure access to data in event of insolvency under
    contract
Conclusion
  • Cloud is being enthusiastically embraced by
    neighbouring governments – Ireland is falling
    behind the curve

  • However, we can catch up!


  • Legal issues are surmountable with care and proper
    contracting


  • Best practices exist which can be followed

