DATA MANAGEMENT IN THE CLOUD ERA
Michael Bishop, Chief Regional Counsel, Commvault APAC
‘DE-DAUNTING’ (SOME) DATA MANAGEMENT LEGISLATION
DOCUMENT COMPLIANCE: NOT JUST AN IT ISSUE
• Marketing campaigns?
• Are IT and legal hand in hand?
• Does the business have a data management strategy?
• Who is responsible for outsourced data?
• How do you keep up to date?

Failure is disastrous:
• Loss of benefit of insurance
• Contract breach
• Criminal liability for individuals and organisations
DOCUMENT RETENTION – FINDING THE BALANCE
The retention horizons shown on the slide range from 5-7 years, through 10 years and 20 years, up to 70+ years, depending on the legislation that applies. The Privacy Act 1988 (Cwth) sets a different test: retain personal information only until it is no longer needed for any purpose under the Privacy Act.

Legislation covered:
• Income Tax Assessment Act 1936 (Cwth)
• Fair Work Act 2009 (Cwth)
• Corporations Act 2001 (Cwth)
• Occupational Health and Safety Act 2004 (Vic)
• Australian Charities and Not-for-profits Commission Act 2012 (Cwth)
• Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cwth)
• Financial Transaction Reports Act 1988 (Cwth)
• Proceeds of Crime Act 1987 (Cwth)
• Trade Marks Act 1995 (Cwth)
• Patents Act 1990 (Cwth)
• Copyright Act 1968 (Cwth)
• Privacy Act 1988 (Cwth): when no longer needed for any purpose under the Privacy Act
SPOLIATION OF EVIDENCE
Intentional or negligent withholding, hiding, altering or destroying of evidence relevant to legal proceedings.
EVIDENTIAL PRESUMPTION AGAINST THE ‘SPOILER’
Preserve records if there is any doubt about whether a record may be required in potential future legal proceedings.
Or, put another way: it doesn’t look good for you if you alter or destroy potential or actual evidence.
The principles from British American Tobacco v McCabe [2002] have been codified in section 254 of the Crimes Act 1958 (Vic). Breach could result in up to 5 years in prison, a fine, or both.
AUSTRALIAN PRIVACY PRINCIPLES (THE APPS)
Apply to most government bodies (agencies) and to private businesses with an annual turnover exceeding $3M.
Personal information is information or an opinion about a reasonably identifiable person:
• Whether true or not
• Whether recorded in a material form or not
• Significant additional provisions apply to ‘sensitive information’, eg health, genetic and biometric data
TODAY’S DATABASES
• Agencies and businesses must now understand how information is and was collected
• Must take reasonable steps to notify the person
• If the APP entity didn’t directly collect the information then, unless it could have collected the personal information directly, it must destroy or de-identify it ASAP, to the extent it is lawful and reasonable to do so
Problem: how do you contact a person if you have no contact details?
PRIVACY + CLOUD DATA IN A GLOBALISED ECONOMY
• Customers must be notified if personal information is disclosed overseas
• No liability if the foreign recipient is subject to a binding scheme or substantially similar laws, AND there are mechanisms in place for the individual to enforce that protection
• European recipients would most likely meet the requirement
• The US and China are not subject to any substantially similar laws
• One way to be sure: gain consent to disclosure early and locally
COLLECTION, STORAGE AND RETIREMENT OF PERSONAL INFORMATION
• Must be secured from misuse, loss, modification and interference
• Inaccurate, irrelevant or misleading data must be corrected, whether requested or not
• Data must be deleted or de-identified when no longer required for a permitted use
• Requested access (from the individual) must be prompt, and in the manner requested (to the extent reasonable and practical)
PRIVACY AMENDMENT (PRIVACY ALERTS) BILL
• Currently being debated in Parliament
• Requires certain organisations to notify the OAIC when they have suffered a serious data breach. Currently it is only ‘recommended’ to notify the OAIC
• Where organisations do not notify the OAIC, the OAIC may commence its own-motion investigation
• Serious data breach: unauthorised access to or disclosure of personal information which will result in a real risk of serious harm to the individuals concerned
• Harm includes harm to reputation, and economic or financial harm
• The threshold is intended to avoid notification fatigue
• Expected to come into effect by early 2016
Let’s look at this in detail.
CASE STUDY 1: INSUREYOURSELF HOLDINGS AUSTRALASIA
Corporate structure (as drawn on the slide):
• US parent: Permanent Assurance Corp
• German parent: GotInsured GmbH
• Subsidiary: InsureYourself Holdings Australasia
InsureYourself wants to consolidate all documents into one central hub in Germany.
INSUREYOURSELF NEEDS TO DISCLOSE ANY PERSONAL INFORMATION HELD OVERSEAS AND IN WHICH COUNTRIES
Accountable if breach:
• Take reasonable steps to ensure that GotInsured GmbH does not breach the APPs
OR
Less accountable if breach:
• Overseas recipient is subject to a binding scheme or substantially similar laws
• Mechanisms can be accessed by the individual to enforce that protection
Must also:
1. Comply with privacy notification laws if / when passed
2. Identify retention time periods and implement destruction protocols
* May be subject to US legislation such as the Patriot Act or the Foreign Intelligence Surveillance Act
CASE STUDY 2
• Manufactures and distributes vending machines in Australia
• Digital and paper records held in Australia
Timeline:
• 2010: Alleged agreement with Vendo-Chine Pty Ltd to price fix vending machines
• 2012: Personal injury claim for alleged electric shock
• 2014: ACCC launched investigation into potential price fixing with Vendo-Chine
CASE STUDY 3: CALM B4 STORM PTY LTD
• Cloud storage provider Calm B4 Storm Pty Ltd is going into liquidation
• You must extract your data immediately (no later than two weeks) or it will be gone forever
• What should you do?
FUTURE-PROOFING YOUR CLOUD STRATEGY?
• Business continuity plans should include an articulated data extraction strategy
• Business-critical data should have a live remote backup
• One in four cloud providers will be gone by 2015, mostly due to merger or acquisition activity [1]
Check contract terms:
• Retrieval timeframes?
• Is the data easily transferred?
• How recent is recovered data?
• Support?
• Is there a charge for retrieval?
[1] NEEDS SUBSTANTIATION
SOME EXAMPLES (provider policies and transition assistance)
Amazon
  Policy: Access for 30 days after termination if charges paid
  Transition assistance: Same as generally available
IBM
  Policy: Provider will return or destroy upon termination; may charge for special requests
  Transition assistance: Continued for unexpired term, or to migrate to another IBM service
HP
  Policy: Access for 14 days after termination
  Transition assistance: No obligation
Microsoft
  Policy: Provider deletes information unless unlawful
  Transition assistance: No obligation
Salesforce.com
  Policy: Access for 30 days after termination
  Transition assistance: No obligation after 30 days
METADATA: WHO, WHEN, WHERE AND HOW
Effective 13 October 2015: the controversial Mandatory Data Retention Regime (under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015).
Six categories must be retained:
1. Subscriber and other relevant service-level account information
2. Communication source
3. Communication destination
4. Date, time and duration
5. Type
6. Location of communication equipment
Providers must retain the prescribed and specified subscriber data for a minimum two-year period from when it was generated.
Data retained under the Act is protected under the APPs.
METADATA
• Metadata is not defined under the new law
• Metadata is information about a communication (the who, when, where and how). It is not the ‘what’: the content or substance of a communication
• Phone calls: metadata includes the phone numbers of the people talking to each other and for how long they talked, not what was said
• Internet activity: metadata is information such as an e-mail address and when the e-mail was sent, but not the subject line of that e-mail or its content
• The Australian Government is not requiring industry to retain a person’s web-browsing history or any data that may amount to a person’s web-browsing history
US-EU SAFE HARBOR (NO MORE?)
The framework was/is an important cross-border mechanism enabling certified organisations to transfer personal data to the US in compliance with European data protection laws.
“…Safe Harbor ‘may not be so safe after all’ …could be a loophole because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones.”
(European Commission VP)
NEXT STEPS?
1. Reassess your data management strategy
2. Use the free ‘healthcheck’ document for self-assessment
3. Contact us to arrange an in-depth workshop
THANK YOU
Q&A