DATA MANAGEMENT IN THE CLOUD ERA
Michael Bishop, Chief Regional Counsel, Commvault APAC

Privacy Concerns for Data Management in the Cloud Era



‘DE-DAUNTING’ (SOME) DATA MANAGEMENT LEGISLATION


DOCUMENT COMPLIANCE: NOT JUST AN IT ISSUE
• Marketing campaigns?
• Are IT and legal hand in hand?
• Does the business have a data management strategy?
• Who is responsible for outsourced data?
• How do you keep up-to-date?

Failure is disastrous
• Loss of benefit of insurance
• Contract breach
• Criminal liability for individuals and organisations


DOCUMENT RETENTION – FINDING THE BALANCE
[Slide graphic: retention-period scale – 5-7 years, 10 years, 20 years, 70+ years]

Legislation shown on the scale:
• Income Tax Assessment Act 1936 (Cwth)
• Fair Work Act 2009 (Cwth)
• Corporations Act 2001 (Cwth)
• Occupational Health and Safety Act 2004 (Vic)
• Australian Charities and Not for Profit Commission Act 2012 (Cwth)
• Anti-Money Laundering and Counter Financing Act 2006 (Cwth)
• Financial Transaction Reports Act 1988 (Cwth)
• Proceeds of Crime Act 1987 (Cwth)
• Trade Marks Act 1995 (Cwth)
• Patents Act 1990 (Cwth)
• Copyright Act 1968 (Cwth)
• Privacy Act 1988 (Cwth) – when no longer needed for any purpose under the Privacy Act


SPOLIATION OF EVIDENCE
Intentional or negligent withholding, hiding, altering or destroying of evidence relevant to legal proceedings


EVIDENTIAL PRESUMPTION AGAINST THE ‘SPOILER’

Preserve records if… there is any doubt regarding a record being required in potential future legal proceedings

Or… it doesn’t look good for you if you alter or destroy potential or actual evidence

The principles from British American Tobacco v McCabe [2002] have been codified in section 254 of the Crimes Act 1958.

Breach could result in up to 5 years in prison, a fine or both


AUSTRALIAN PRIVACY PRINCIPLES (THE APPS)

Applies to most government bodies (agencies) and private businesses with a turnover exceeding $3M

Personal information is an opinion about a reasonably identifiable person
• Whether true or not
• Whether recorded in a material form or not
• Significant provisions regarding ‘sensitive information’, eg health, genetic and biometric data


TODAY’S DATABASES
• Agencies and businesses must now understand how information is and was collected
• Must take reasonable steps to notify the person
• If the APP entity didn’t directly collect information then, unless it could have collected the personal information directly, it must destroy or de-identify it ASAP – to the extent lawful and reasonable to do so

Problem: How do you contact a person if you have no contact details?


PRIVACY + CLOUD DATA IN A GLOBALISED ECONOMY

• Customers must be notified if personal information is disclosed overseas
• No liability if the foreign recipient is subject to a binding scheme/similar laws AND there are mechanisms in place for the individual to enforce that protection
• European recipients would most likely meet the requirement
• The US and China are not subject to any substantially similar laws
• One way to be sure – gain consent to disclosure early and locally


COLLECTION, STORAGE AND RETIREMENT OF PERSONAL INFORMATION

Must be secured from misuse, loss, modification and interference

Inaccurate, irrelevant or misleading data must be corrected – whether requested or not

Data must be deleted or de-identified when no longer required for permitted use

Requested access (from the individual) must be prompt, and in the manner requested (to the extent reasonable and practical)


PRIVACY AMENDMENT (PRIVACY ALERTS) BILL

• Currently being debated in Parliament
• Requires certain organizations to provide a notification to the OAIC when they have suffered a serious data breach. Currently it is only ‘recommended’ to notify the OAIC
• Where organizations do not notify the OAIC, the OAIC may commence its own-motion investigation
• Serious data breach – unauthorised access to or disclosure of personal information which will result in a real risk of serious harm to the individuals
• Harm is harm to reputation, or economic or financial harm
• Threshold set to avoid notification fatigue
• Expected to come into effect by early 2016


Let’s look at this in detail


CASE STUDY 1: INSUREYOURSELF HOLDINGS AUSTRALASIA
[Slide diagram: corporate structure]
• US parent: Permanent Assurance Corp
• German parent: GotInsured GmbH
• Subsidiary: InsureYourself Holdings Australasia

Wants to consolidate all documents into one central hub in Germany


INSUREYOURSELF NEEDS TO DISCLOSE ANY PERSONAL INFORMATION HELD OVERSEAS AND IN WHICH COUNTRIES

Less accountable if breach:
• Overseas recipient is subject to a binding scheme / substantially similar laws
• Mechanisms can be accessed by the individual to enforce that protection

OR

Accountable if breach:
• Take reasonable steps to ensure that GotInsured GmbH does not breach the APPs

Must also:
1. Comply with privacy notification laws if / when passed
2. Identify retention time periods and implement destruction protocols

*May be subject to US legislation such as the Patriot Act or Foreign Intelligence Surveillance Act


CASE STUDY 2
• Manufactures and distributes vending machines in Australia
• Digital and paper records held in Australia

[Slide timeline: 2010, 2012, 2014]
• Alleged agreement with Vendo-Chine Pty Ltd to price fix vending machines
• Personal injury claim for alleged electric shock
• ACCC launched investigation into potential price fixing with Vendo-Chine


CASE STUDY 3: CALM B4 STORM PTY LTD

• Cloud storage provider Calm B4 Storm Pty Ltd is going into liquidation

• You must extract your data immediately (no later than two weeks) or it will be gone forever

• What should you do?


FUTURE-PROOFING YOUR CLOUD STRATEGY?

Business continuity plans should include an articulated data extraction strategy

Business critical data should have a live remote backup

One in four cloud providers will be gone by 2015, mostly due to mergers or acquisition activity [1]

Check contract terms
• Retrieval timeframes?
• Is the data easily transferred?
• How recent is recovered data?
• Support?
• Is there a charge for retrieval?

[1] NEEDS SUBSTANTIATION


SOME EXAMPLES

Provider       | Provider policies                                                                  | Transition assistance
Amazon         | Access for 30 days after termination if charges paid                               | Same as generally available
IBM            | Provider will return or destroy upon termination. May charge for special requests  | Continued for unexpired term or to migrate to another IBM Service
HP             | Access for 14 days after termination                                               | No obligation
Microsoft      | Provider deletes information unless unlawful                                       | No obligation
Salesforce.com | Access for 30 days after termination                                               | No obligation after 30 days


METADATA: WHO, WHEN, WHERE AND HOW
Effective 13 October 2015: the controversial Mandatory Data Retention Regime (under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015)

6 categories must be retained:
1. Subscriber and other relevant service-level account information
2. Communication source
3. Communication destination
4. Date, time and duration
5. Type
6. Location of communication equipment

Must retain the prescribed and specified subscriber data for a minimum two year period from when it was generated

Data retained under the Act is protected under the APPs


METADATA

• Metadata is not defined under the new law

• Metadata is information about a communication (the who, when, where and how). It’s not the ‘what’ – the content or substance of a communication.

• Phone calls – metadata includes the phone numbers of the people talking to each other and for how long they talked – not what was said

• Internet activity – metadata is information such as an e-mail address and when it was sent, but not the subject line of that e-mail or its content.

• The Australian Government is not requiring industry to retain a person’s web-browsing history or any data that may amount to a person’s web-browsing history.


US-EU SAFE HARBOR (NO MORE?)

The framework was/is an important cross-border mechanism enabling certified organisations to transfer personal data to the US in compliance with European data protection laws

“…Safe Harbor ‘may not be so safe after all’ …could be a loophole because it allows data transfers from EU to US companies – although US data protection standards are lower than our European ones.”

– European Commission VP


Next Steps?
1. Reassess your data management strategy
2. Use the free ‘healthcheck’ document for self-assessment
3. Contact us to arrange an in-depth workshop


THANK YOU

Q&A