Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
DATA PRIVACY, CLOUD & PURCHASING DEPARTMENT
1. DATA PRIVACY
&
PURCHASING DEPARTMENT
Jacques
Folon
www.folon.com
Partner
Edge
Consulting
Maître
de
conférences
Université
de
Liège
Chargé
de
cours
ICHEC
Brussels
Professeur
invité
Université
de
Lorraine
ESC
Rennes
IACE
Tunis
IAM
OUagadougou
http://www.nyls.edu/institute_for_information_law_and_policy/conferences/visualizing_law_in_the_digital_age/
3. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
6. 4
By giving people the power to share, we're
making the world more transparent.
The question isn't, 'What do we want to
know about people?', It's, 'What do
people want to tell about themselves?'
Data privacy is outdated !
Mark Zuckerberg
If you have something that you don’t want
anyone to know, maybe you shouldn’t be
doing it in the first place.
Eric Schmidt
11. Interactions controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
12. Interactions NOT controlled by citizens in the Information Society
http://ipts.jrc.ec.europa.eu/home/report/english/articles/vol79/ICT1E796.htm
13. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
15. 'personal data' shall mean any information relating to
an identified or identifiable natural person ('data
subject'); an identifiable person is one who can be
identified, directly or indirectly, in particular by
reference to an identification number or to one or
more factors specific to his physical, physiological,
mental, economic, cultural or social identity
16. 'processing of personal data' ('processing') shall mean
any operation or set of operations which is performed
upon personal data, whether or not by automatic means,
such as collection, recording, organization, storage,
adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise
making available, alignment or combination, blocking,
erasure or destruction
17. personal data filing system' ('filing system') shall
mean any structured set of personal data which are
accessible according to specific criteria, whether
centralized, decentralized or dispersed on a
functional or geographical basis
18. 121
controller shall mean the natural or legal person, public authority,
agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal
data; where the purposes and means of processing are
determined by national or Community laws or regulations, the
controller or the specific criteria for his nomination may be
designated by national or Community law;
19. 19
'the data subject's consent' shall
mean any freely given specific
and informed indication of his
wishes by which the data subject
signifies his agreement to
personal data relating to him
being processed
20. 20
Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not
further processed in a way incompatible with those purposes. Further
processing of data for historical, statistical or scientific purposes shall
not be considered as incompatible provided that Member States
provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes
for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable
step must be taken to ensure that data which are inaccurate or
incomplete, having regard to the purposes for which they were
collected or for which they are further processed, are erased or
rectified;
(e) kept in a form which permits identification of data subjects for no
longer than is necessary for the purposes for which the data were
collected or for which they are further processed. Member States
shall lay down appropriate safeguards for personal data stored for
longer periods for historical, statistical or scientific use.
21. 21
Member States shall provide that personal data may be processed
only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to
which the data subject is party or in order to take steps at the
request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation
to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of
the data subject; or
(e) processing is necessary for the performance of a task carried
out in the public interest or in the exercise of official authority
vested in the controller or in a third party to whom the data are
disclosed
22. 22
Member States shall prohibit the processing of
personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs,
trade-union membership, and the processing of data
concerning health or sex life
23. 125
Member States shall provide that the controller or his representative must
provide a data subject from whom data relating to himself are collected
with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
- the recipients or categories of recipients of the data,
- whether replies to the questions are obligatory or voluntary, as well as the
possible consequences of failure to reply,
- the existence of the right of access to and the right to rectify the data
concerning him
in so far as such further information is necessary, having regard to the
specific circumstances in which the data are collected, to guarantee fair
processing in respect of the data subject
24. 24
Right of access
Member States shall guarantee every data subject the right to obtain from the
controller:
(a) without constraint at reasonable intervals and without excessive delay or
expense:
- confirmation as to whether or not data relating to him are being processed and
information at least as to the purposes of the processing, the categories of data
concerned, and the recipients or categories of recipients to whom the data are
disclosed,
- communication to him in an intelligible form of the data undergoing processing
and of any available information as to their source,
- knowledge of the logic involved in any automatic processing of data concerning
him at least in the case of the automated decisions referred to in Article 15 (1);
(b) as appropriate the rectification, erasure or blocking of data the processing of
which does not comply with the provisions of this Directive, in particular because of
the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any
rectification, erasure or blocking carried out in compliance with (b), unless this
proves impossible or involves a disproportionate effort
25. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
29. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
32. Sub-contractor’s choice
129
The Member States shall provide that the controller must, where
processing is carried out on his behalf, choose a processor
providing sufficient guarantees in respect of the technical security
measures and organizational measures governing the processing
to be carried out, and must ensure compliance with those
measures
33. 33
The carrying out of processing by way of a processor must be
governed by a contract or legal act binding the processor to the
controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations as defined by the law of the Member State in
which the processor is established, shall also be incumbent on the
processor
34. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
35. DATA SECURITY IS A KEY ELEMENT
IN SUPPLYER’S CONTRACTS
SOURCE DE L’IMAGE: http://www.techzim.co.zw/2010/05/why-organisations-should-worry-about-security-2/
37. Everything must be transparent
AND YOU NEED TO HAVE THE SYSTEM IN ORDER TO DEFEND
YOUR COMPANY IN COURT
38.
39. Article 16
Confidentiality of processing
Any person acting under the authority of the controller or of the
processor, including the processor himself, who has access to
personal data must not process them except on instructions from
the controller, unless he is required to do so by law
41. Member States shall provide that the controller must implement
appropriate technical and organizational measures to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorized disclosure or access, in
particular where the processing involves the transmission of data
over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their
implementation, such measures shall ensure a level of security
appropriate to the risks represented by the processing and the
nature of the data to be protected.
44. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
49. Where do one steal data?
•Banks
•Hospitals
•Ministries
•Police
•Newspapers
•Telecoms
•...
Which devices are stolen?
•USB
•Laptops
•Hard disks
•Papers
•Binders
•Cars
54. DATA SECURITY IS REQUESTED BY LAW AND IT IS THE
COMPANY’S RESPONSIBILITY
55.
56. Control by the employer
161SOURCE DE L’IMAGE: http://blog.loadingdata.nl/2011/05/chinese-privacy-protection-to-top-american/
57. SO CALLED HIDDEN COSTS
46
http://www.theatlantic.com/technology/archive/2011/09/estimating-the-damage-to-the-us-economy-caused-by-angry-birds/244972/
70. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
73. Five key characteristics,
¢• A service-oriented technology, where consumer concerns are
abstracted from provider concerns, and that is ready-to-use SERVICE
BASED;
¢• Services scale on-demand to add or remove resources as needed
RAPID ELASTICITY AND SCALABILITY;
¢• Services share a pool of resources to build economies of scale
SHARED RESOURCES;
¢• Services are tracked with usage metrics to enable the “pay-as-you-go
model” PAY PER USE;
¢• Services are delivered through use of Web identifiers, standards,
formats and protocols and with an identical access UBIQUITOUS
NETWORK ACCESS;
Cloud Computing in France – A model that will transform companies,
Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-
computing-in-france
74. 3 types of services
Cloud Computing in France – A model that will transform companies,
Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-
computing-in-france
75. Software as a service (SAAS)
○ The service provided makes use of the provider’s applications
accessible through a client interface, such as a web browser (ex:
Gmail).
○ The consumer doesn’t manage or control the infrastructure, the
network, the servers, the operating system, the storage and cannot
add specific development (even if there are limited user specific
application configuration settings).
○ Offers: Billing, Financials, Legal, Sales, Desktop productivity,
Human Resources, Content Management, Backup &
Recovery, CRM (Customer Relationship Management),
Document Management, Collaboration Tools, Social
Networks.
Cloud Computing in France – A model that will transform companies,
Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-
computing-in-france
76. Platform as a service (PAAS)
The service provided consists in the deployment of
consumercreated applications on the provider’s
infrastructure and the use of programming languages and
tools supported by the platform (ex: Java or Python available
on Google App Engine).
○ The consumer doesn’t manage or control the infrastructure,
the network, the servers, the operating system and the
storage but he has control over the deployed applications, and
occasionally application hosting environment configurations.
○ Offers: General purpose, Business intelligence,
Integration, Development & Testing, Database.
Cloud Computing in France – A model that will transform companies,
Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-
computing-in-france
77. Platform as a Service (PaaS)
Now you don’t need to invest millions of $$$ to get that
development foundation ready for your developers.
The PaaS provider will deliver the platform on the web, and in
most of the cases you can consume the platform using your
browser, i.e. no need to download any software.
It has definitely empowered small & mid-size companies or even
an individual developer to launch their own SaaS leveraging the
power of these platform providers, without any initial investment.
PaaS Examples
Google App Engine and Windows Azure are examples of
Cloud OS. OrangesScape & Wolf PaaS are cloud middleware.
http://www.techno-
pulse.com/
78. INFRASTRUCTURE AS A
SERVICE (IAAS)
The service provided gives the possibility to rent resources, such as
processing, storage or bandwidth, and allows the consumer to deploy
and run anysoftware (operating systems and/or applications).
The consumer doesn’t manage and control the infrastructure but he
controls the operating system, the storage, the deployed applications,
and occasionally networking components (firewall, load balancing).
Some providers offer to manage the application if the latter is not too
specific and is compatible with the perimeter of their offer.
o Offers: Storage, Compute, Services Management.
Cloud Computing in France – A model that will transform companies,
Thesis by Cedric Mora, http://www.slideshare.net/cedricmora/cloud-
computing-in-france
79. Infrastructure as a Service (IaaS)
This is the base layer of the cloud stack.
It serves as a foundation for the other two layers, for their execution. The
keyword behind this stack is Virtualization.
Let us try to understand this using Amazon EC2. In Amazon EC2
(Elastic Compute Cloud) your application will be executed on a
virtual computer (instance). You have the choice of virtual computer,
where you can select a configuration of CPU, memory & storage that
is optimal for your application. The whole cloud infrastructure viz.
servers, routers, hardware based load-balancing, firewalls, storage &
other network equipments are provided by the IaaS provider. The
customer buy these resources as a service on a need basis.
http://www.techno-
pulse.com/
81. No,
they have different
architectures
and business model
Cloud Players
Hosting
Players
Only few can afford billions
dollar
investment on data centers
Hundreds of
them around
the world
83. Hosting Players
Reliability, High Availability,
Capacity Elasticity
Cloud Players
Built-in Redundancy
Virtually unlimited
storage,
computing power
You have to manage
reliability, fail over yourself
Bring your own or
rent
servers to increase
capacity
84. Who controls what ?
Gouvernance et Sécurité dans le Cloud Computing : Avantages et Défis. Yves
LE ROUX
85. Cloud Computing in France – A model that will transform companies, Thesis by
Cedric Mora, http://www.slideshare.net/cedricmora/cloud-computing-in-france
86. CLOUD AND PRIVACY
SOURCE: http://fr.slideshare.net/ISPABelgium/cloud-computing-legal-issues-3195424?qid=18bb64e0-9210-424a-8a67-1d356af61e27&v=qf1&b=&from_
94. TABLE OF CONTENT1.THE END OF DATA PRIVACY ?
2.A FEW DEFINITIONS
3.DATA ARCHIVING
4.DATA PRIVACY ISSUES IN SUPPLIER’S CONTRACTS
5.SECURITY ASPECTS & LIABILITY
6.EMPLOYEES ARE THE WEAKEST LINK
7.DATA PRIVACY AND CLOUD COMPUTING
8.CONCLUSION
95. CONCLUSION
DATA PRIVACY IS AN IMPORTANT ISSUE
FOR ANY PURCHASING DEPARTMENT
BECAUSE IT HAS CONSEQUENCES IN
MANY CONTRACTS AND IN PARTICULAR
FOR CLOUD COMPUTING
95
97. 87
“It is not the strongest of the species that survives,
nor the most intelligent that survives.
It is the one that is the most adaptable to change.”
C. Darwin