Teresa,
To add to Simon's comments
From the point of view of data privacy/security consultant in the US
(myself)...
You need to review the cloud providers as well as the "IT Solutions" US-EU
Safe Harbor program and compliance (assuming they're different entities).
You should also ask for certifications that the provider(s) may have (like
ISO 27001 or SSAE 16, SOC 2).
If the number of transfer arrangements you have is not large, I also
suggest that you consider the Model Contracts approach.
Thank you,
Peter
--
Peter Milla
[log in to unmask]
+1 917-881-2947
www.linkedin.com/pub/peter-milla/0/228/522
<http://www.linkedin.com/pub/peter-milla/0/228/522>
On 11/3/14, 2:32 PM, "Simon Howarth" <[log in to unmask]> wrote:
>You need to put suitable mitigations in place concerning the risks to
>information outside of the EU and also ensure that the FPN does not
>mislead in any way.
>
>You will need to ensure that the supplier/processor has suitable controls
>in place via Safe Harbour and maybe Binding Corporate Rules
>
>Read up here -
>http://ico.org.uk/for_organisations/data_protection/overseas
>
>Of course, there is a school of thought that asks the question - does
>information REALLY have to go to the States?
>
>Simon Howarth.
>-----Original Message-----
>From: This list is for those interested in Data Protection issues
>[mailto:[log in to unmask]] On Behalf Of Teresa Gudge
>Sent: 03 November 2014 11:20
>To: [log in to unmask]
>Subject: [data-protection] Collection / Transfer / Storage of data
>
>Hello all,
>
>I've been on the periphery of data protection for a couple of years - but
>have recently changed jobs and would just like some reassurance from
>jismailers if possible :-)
>
>I have been asked a question about an IT solution to a situation where
>completed web forms are submitted and subscriptions requested. The
>solution is for the webforms to be held in a cloud - and of course that
>cloud is in the states (signed up to safe harbour).
>
>My first response is that if the fair processing notice states
>categorically that the data will be held in a cloud, in the states and
>the subscriber agrees to that then all is well.
>
>Obviously existing data has the issue of transferring securely - and
>again retrospective consent from the contributors.
>
>Am I missing anything? I know that these two statements sound pretty
>simple and obviously there are issues such as risk assessments, agreement
>from management etc. etc. but I just want to be sure.
>
>Thanks for your help
>
>Teresa
>
>^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask] All user commands
>can be found at http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving messages please send to the list
>owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your
>needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^