So this is me. Two hats, four clouds and three weasels. I have got degrees in both law and computing science, but I've done a lot more law than coding. Hopefully I can bridge the gap between the two. The four clouds: I work as a consultant to the Cloud Legal Project at the Centre for Commercial Law Studies at Queen Mary University of London. I'm also working on another printer project. A couple of years ago I was in the commercial work stream for G-Cloud. The third one is that there is no time to do anything but scratch the surface of a few things. I'd be interested to know about you guys, because I was told you are mainly IT, is that right? Are there any lawyers here? Data protection, freedom of information people? Oh, one, okay.
So are the rest of you, anybody from the business side? So, are the rest of you IT then? South East, is that right? So I've got the slight right. Good. Okay. So with new technologies, and indeed with anything else, when you're looking at legal risks, obviously it is a pyramid. It's not just legal risk you have to think about; there's reputational risk as well, and in the case of the public sector, possible breach of public trust, loss of public trust. Now when you're talking to lawyers, there is something about communication and mindsets I want to talk about. Scolded people think like this: you think in binary, ones and zeros, all or nothing, either/or, clear dividing lines. But lawyers think analogue, in shades of grey. So there is quite a difference in the mindset. And when you have a lawyer's mantra of 'Oh, it depends,' well, it actually does depend. But it's not just lawyers but also IT, security, risk, etc. You have to involve the experts when you need to and, in terms of when, as soon as possible. Don't involve the experts after the event, after you've done whatever it is; you know, one minute before something goes live, that's too late. I'm going to throw in, in terms of what, this is probably the most important part: you have to explain to the real experts.
over a network, typically the internet. When that resource is infrastructure like servers and storage, then it's infrastructure as a service, Amazon. When it's a software application like email, then it's software as a service. And when it's a platform for hosting and developing applications, then it's a platform as a service. Now a key feature about cloud that's very, very relevant to the legal issues is the possible layering of services. And the classic example is Dropbox. Dropbox is software as a service, storage as a service, but it uses Amazon. It's layered on top of Amazon's infrastructure as a service. And this layering of sub-providers and sub-contractors does affect the situation. I've done a couple of articles on basics about cloud computing and the key differences between cloud and traditional outsourcing. I'll put the links there, which you can pass on to your lawyers if you want to. So the other thing that you need to tell your lawyers about is what do you want to use cloud computing for? You can't just say, oh, we just want the service, we haven't quite, we're not going to tell you or we haven't quite decided yet. But you must do that.
And that presupposes that you've done a requirements analysis and you know what your risk tolerance is. So you have to tell your lawyers about what your requirements are and your risk tolerance. Now there's tons of legal issues with cloud, I mean intellectual property, competition, et cetera, et cetera. Obviously there's no time to go to all of those, but the cloud legal project that I'm talking to, we have lots of papers on lots of these issues on there so you can download them and there's a book that's coming out in the autumn. But one major issue is that the contract can deal with a lot of these elements. So the checks you do before you enter into a cloud contract and what is in the cloud contract, that's going to be pretty important. And of course for the public sector, you've got government policy to worry about as well, but you do have the lovely cloud store that's going to help make life easier for you. I want to talk about data location because that's quite important. I'm working on data location for my PhD, but obviously it's very, very relevant to cloud and particularly for the public sector, you've got the ICT offshoring guidance that came out a couple of years ago. This says you do not have to keep data in the UK. There is no requirement to keep data in the UK unless there's a national security element or there's some other legal requirement, typically data protection laws. Now on data protection laws, there has been cloud guidance released by EU data protection regulators collectively in the form of the Article 29 Working Party and also by the UK Information Commissioner. But I did want to say that again this is another sort of mindset thing. Law and IT, when you say data protection, you mean different things. So that's my kind of solar flare Venn diagram that shows the differences. But when lawyers say data protection, they mean data protection law. When IT people say data protection, it's narrower in some ways and broader in other ways. 
So you could be talking like this. You use the same words to mean different things, and that's an important point to bear in mind. Now data protection laws, they relate to personal data as defined. So it's binary in some ways and shades of grey in others. It's binary in that if something is personal data, then all the data protection laws apply to it. If it's not personal data, if it's anonymous data, none of them do. But where the shades of grey come in is deciding: is something personal data or isn't it? Now the data export restriction under the data protection directive bans the transfer of personal data outside the European Economic Area, unless there's some exception or so-called adequate protection or adequate safeguards. But there are problems with these, so in practice the safest thing to do is keep personal data in the EEA. That is the easiest solution, but it has to be the European Economic Area, not Europe. Some cloud providers say Europe, but that's not good enough because they're not the same thing, and I've done this Venn diagram that shows the difference. I like Venn diagrams. So another thing to bear in mind is transfer. You can't transfer personal data outside the EEA. Now this means not just the physical location of storage equipment or servers, edge locations and caches; it's also the location of people, because somebody who's outside the EEA who has remote access to personal data in the EEA, that would be a transfer to them. So basically the data protection regulators say you must, before you use cloud, you must find out all possible data locations and you must find out all possible contractors, subcontractors as well. So the Amazon in the Dropbox case, or if you're using something like SkyDocs then it might be, I think it's Heroku as well. If they're multi-layered, then you have to know all those as well.
One difficult thing is if you follow this and the other recommendations by the regulators, particularly about passing liability down the chain, actually I think you can't use public cloud for personal data because those requirements are so strict. One of the problems is that current laws are based on traditional outsourcing. So if you liken processing personal data to cooking food because I like food, then the traditional laws assume that you cook food yourself or you hire caterers to cook it for you according to your instructions. But the problem is in cloud it's more like renting a kitchen or getting take-out or ready meals that you cook yourself, self-service. So it's very difficult to apply laws for regulating the use of caterers to renting kitchens. One of the issues is you can have the guarantee of security and liability that the regulators want. I mean it should be possible but of course it's going to cost money and that's at odds with the model of cheap or free public cloud. So I think that whoever controls the whole supply chain and can provide all these guarantees like the big players who can go all the way to data center and equipment level, they might be the likely winners when it comes to personal data. Now some people might say oh well you know this is completely unworkable, forget about it, we're just going to ignore it. And it is true that at the moment millions of emails with personal data are probably sent outside the EEA every day in complete breach of this restriction. But under the draft data protection regulation which is going through European Parliament and Council at the moment, you could be fined up to 2% of annual global turnover if you breach the restriction. So nobody doubts that the EU have got very good intentions when it comes to the reforms on data protection law but the road that that's heading for cloud may not be the most auspicious. 
Now contracts. I've said contracts are extremely important, and obviously there are three aspects to cloud contracts: you've got what you do, the checks you do before you enter into the contract; what the terms of the contract are; and then what you do after, the monitoring and checks you do then. We have an article on negotiated cloud contracts that was based on confidential and anonymous interviews with lots of cloud market players, so cloud providers, users, intermediaries, integrators, law firms, et cetera, and some freedom of information requests. And there's a short of Forbes report of that if you're interested. But that provides insight into how people have managed to negotiate cloud contracts, what they've managed to get, what they haven't managed to get. Because the usual starting point is the cloud provider's standard terms. So here's our terms, you've got to click and accept. And obviously they might be weighted in favour of the provider and not necessarily appropriate to the customer, especially in regulated industries or government. So the question about whether you can negotiate the cloud provider's contract, well, that depends on the customer and the deal size. If you're a big enough customer, if it's worth enough money to them, then they will do it. Even the biggest ones are willing to do it if you're big enough. And this typically means governments and banks. But indeed, governments and banks can go even further and say to some cloud providers, these are our standard terms, we want to enter into this cloud contract with you on these terms, our terms, not yours. And then that has the opposite problem, because a lot of these terms are based on traditional outsourcing. So they don't really work in cloud; they're not really appropriate. There's another important contract issue which I think might have affected more of you than you might know, which is to do with internal processes.
Because it is so easy to sign up for cloud, you just click and accept, maybe a credit card number. A lot of organisations have found that their people have been signing up for cloud services, putting internal data on Dropbox or whatever, and nobody knows about it until they do a review. So this is a problem for a lot of organisations. They don't realise that they're using cloud, or their employees are, and putting confidential data up there. So about the due diligence you do before the contract, well, if it's personal data, as I've mentioned before, rather like name, rank and serial number, you get names of sub-providers, locations of data and security of the provider. As a practical matter, a lot of people are concerned about lock-in, being stuck with the provider and not being able to get out. And obviously it is very sensible to test whether you can export data before you're actually fully committed, but of course don't use real data, especially personal data; test with fake data. Now, on the security side, some customers have been able to get the provider to agree to let them do pen testing, find out about what their certifications are and possibly even look at some of the documentation behind that. You also have to think about backups. Are you going to pay the provider to do backup for you? Because in some cases they'll charge you extra for that. Or will you do your own backups internally or to another cloud? But you have to think about that. And after the contract, if you have audit rights and so on, you might have to actually exercise those rights and carry out those audits. I would mention the EU security agency, ENISA, because they've got a lot of papers out there on cloud and risk assessment, but you do have to hunt around a bit because they're not all in the same place; they're kind of scattered around their site.
So the terms of the contract themselves. For personal data, a controller of personal data who wants to use cloud computing has to choose a provider that provides sufficient guarantees, effectively on security, and the contract has to contain certain terms about the provider following instructions and taking security measures. More generally, if you're not talking about personal data but other data as well, there has been a big issue about provider liability, because a lot of providers refuse to have any liability whatsoever, and a lot of customers do want liability. So in many ways this is a pricing issue. The more you're willing to pay, the more willing the provider will be to accept liability. Lock-in, I've already discussed: what the term is, in what circumstances can you terminate, can they terminate, what happens on exit, what is the data format, can you get the data back, how long do you have to get the data back, will they delete it, et cetera? And security, I've already mentioned: a lot of providers reserve the right to disclose their data, your data I should say, to authorities on request, or at least on being served a legal order. And audit rights are another contentious aspect. A lot of providers have the right to change their terms unilaterally. They just change their terms and they tell you, or you're supposed to check and find out about it. At least in G-Cloud, they do freeze the terms at the date that the provider is accepted onto the G-Cloud programme. So just a bit about G-Cloud: you cannot carry out a mini-competition. You do a search, you have to base it on price or most economically advantageous tender. No mini-competition, no negotiation with a provider, although there is some scope to fill in some of the blanks. The G-Cloud site has got lots of information, they're very helpful on Twitter, and they are having so-called BuyCamp events for public sector buyers.
There's one tomorrow, there's one on 17 June, all over the country, so you can just sign up and go there. But one thing to bear in mind is that G-Cloud, G1, G2 and G3 so far, take what's called the overlay approach, where you contract on the supplier's terms but you have an overlay of particular terms that the G-Cloud programme has specified which override it in case of conflict. So the issue is, if there is no conflict, if there's an area that's covered by the supplier's terms but not covered in the G-Cloud document, then the supplier's terms are going to win out and they will apply. And in fact that's why they changed it in the first G1: they had to change it during the process because liability wasn't covered. You do need to get your own advice on the specific situation, on the specific terms in question. I've done a paper on G-Cloud which is also available online. It's on the first iteration, but a lot of it is still relevant. Open data I'm not going to say much about because Jenny already has; she's already mentioned the Protection of Freedoms Act, which will require data sets to be produced in electronic reusable form and under an open licence. But what I would mention is that there might be fees that you can charge for reuse, but we don't know the details yet as to exactly what fees you can charge and when. It's supposed to come in this month, next month, but again, have you heard anything further? So we don't know when, but it's going to be pretty soon. There is a draft code of practice that's out for consultation, and the Information Commissioner is going to be changing their publication scheme and providing guidance. But I suppose the key message is you have to think about it now: think about what data sets you have got which might be asked for, how you're going to handle requests, and start thinking now because there's not much time. Another important point about open data is the tension between open data and personal data.
As I mentioned before, to anonymous data the data protection laws do not apply; to personal data they do. So if you are going to be releasing anything which might be personal data, you've got to make sure it's anonymised. Now it is tricky. For example, Professor Sweeney in the US has shown that you can identify maybe 80-90% of the US population just from date of birth, gender and zip code. That's enough to uniquely identify that many people. And she recently re-identified people on a genome project, a DNA project. So it can be very difficult to do and it is a big issue. For example, last weekend the Sunday Times revealed that Everything Everywhere was supposedly selling data to a research outfit which was supposedly selling it to the police and saying we can give you information about individual people's movements and so on. I don't know whether it's that granular, and they said this, that, so we don't know exactly what's behind it, but obviously it is a big issue. Now the Information Commissioner has produced a code of practice, and anonymisation is like a phenomenon. Anonymisation. But I should say I did comment on various drafts before it came out. But it is a useful document to look at, and obviously a limited controlled release is not going to be the same as making information fully public, so you have to think about all that. Now the UK Anonymisation Network has been set up and funded by the Information Commissioner for two years, and they have anonymisation clinics and they're trying to develop best practices for anonymisation. So the next one's on 28th June and you can sign up. Shakespeare review again, which Jenny has mentioned, I'm not going to say much about that except that I'm going to just look at the personal data element. He's saying yes, following best practices should be enough as long as we prosecute people who misuse data; we should have increased penalties, we should have increased imprisonment as well.
I'm kind of a bit pessimistic about this, because under the data protection legislation there is the power to send people to jail for unlawfully obtaining personal data, but the government has refused to bring it in. And Leveson, lots of parliamentary committees and so on, and now Shakespeare are saying look, make it the threat of jail time, and Leveson hasn't done that, and I don't know whether they're ever going to do it. But that's what we really need, I think; we need to have the threat of prison. So big data, again, I'm not going to say a huge amount about, except that you've still got data protection compliance issues, anonymisation. As Ian has mentioned, in some ways maybe too much data is not necessarily a good thing because it's too much to manage, but there are also other issues like intellectual property. But it's early days for that yet. So really, in summary: current laws are based on outdated assumptions; they may not be appropriate to new paradigms, but they're still the law. So until they're properly updated, really the sensible strategy is what I call 4Rs and 4Es. Evaluate your requirements for your real-life use; review and understand the technologies and the models that you are going to use; make a risk assessment, not just IT but legal etc., for your particular use case. And then the 4Es: you get expert advice, again not just legal but IT, risk, security etc., based on your exact intended use; explain the technology and model properly to them so they know how to advise you; and do that early, not at the last minute or after. Thank you very much.
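The talk's anonymisation point, that date of birth, gender and zip code alone pick out most of a population, is something a data publisher can measure before a release rather than discover afterwards. The script below is an added example, not part of the talk or of the Cloud Legal Project's material: it takes a constructed extract (the records are invented, not real people), groups rows by the quasi-identifier columns, reports the smallest group size (the "k" of k-anonymity) and the share of rows that are unique, and shows how coarsening the quasi-identifiers step by step changes that. The column names, the two generalisation levels and the `release_check` gate are all assumptions of the example.

```python
from collections import Counter

# Constructed sample records (invented, not real people): an "open data" extract
# from which names have already been stripped but quasi-identifiers remain.
RECORDS = [
    {"dob": "1975-03-14", "gender": "F", "zip": "90210", "diagnosis": "flu"},
    {"dob": "1975-03-14", "gender": "F", "zip": "90211", "diagnosis": "asthma"},
    {"dob": "1980-07-02", "gender": "M", "zip": "90210", "diagnosis": "flu"},
    {"dob": "1980-07-02", "gender": "M", "zip": "90210", "diagnosis": "hypertension"},
    {"dob": "1962-11-30", "gender": "M", "zip": "10001", "diagnosis": "diabetes"},
    {"dob": "1962-11-30", "gender": "F", "zip": "10001", "diagnosis": "flu"},
]

# The three quasi-identifiers from the talk (assumed column names).
QUASI_IDS = ("dob", "gender", "zip")


def equivalence_classes(records, quasi_ids):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest class size. A result of 1 means at least one row is unique,
    i.e. that person is re-identifiable from the quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi_ids):
    """Share of rows that are the only member of their equivalence class."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_ids)
    singletons = sum(1 for size in classes.values() if size == 1)
    return singletons / len(records)


def generalise(record, level):
    """Coarsen quasi-identifiers (assumed ladder for this example):
    level 1: year of birth and 3-digit zip prefix;
    level 2: additionally suppress gender."""
    out = dict(record)
    if level >= 1:
        out["dob"] = record["dob"][:4]
        out["zip"] = record["zip"][:3]
    if level >= 2:
        out["gender"] = "*"
    return out


def release_check(records, quasi_ids, k_required=2):
    """Pre-release gate: (ok, observed_k). Refuse to publish below k_required."""
    k = k_anonymity(records, quasi_ids)
    return k >= k_required, k


if __name__ == "__main__":
    for level in (0, 1, 2):
        rows = [generalise(r, level) for r in RECORDS]
        ok, k = release_check(rows, QUASI_IDS)
        print(f"generalisation level {level}: k={k}, "
              f"unique={unique_fraction(rows, QUASI_IDS):.0%}, release ok={ok}")
```

On the raw extract four of the six rows are unique on (dob, gender, zip), so the gate refuses; year-of-birth plus zip prefix still leaves the two 1962 rows unique, and only suppressing gender as well reaches k=2. Two caveats a reviewer would raise: the check only covers the quasi-identifiers you listed, so a column you did not think of (an admission date, a rare diagnosis) can reopen the gap, and k-anonymity says nothing about the sensitive column itself, so a class whose members all share one diagnosis still discloses it.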