Personal information collected in these four domains is to be used in the
respective domain only and must not be disclosed unlawfully. Various proposed
legislative bills also define sensitive data (health records, ethnic information,
religious beliefs, sexual preferences, geographical and location information,
financial information, biometric data and users' social security numbers) for the
purposes of protecting personal information [16].
Federal regulations require companies to abide by minimum security rules and
incentivize them to do so. For instance, healthcare institutions are obliged to
provide for the security of personal healthcare information, yet they are not
required to store that information in encrypted form. However, if the information is
encrypted at an adequate level, institutions are not forced to publicly declare that
unauthorized access to the information has occurred, and so they avoid unnecessary
expenditure, customer attrition and loss of reputation. Thus, many healthcare
institutions prefer data encryption. If a healthcare institution transfers patient
information to a cloud system located in a different country and information security
is violated on that system, the cloud service provider is not deemed liable under US
law; the provider is liable only within the framework of the agreement between the
provider and the user, while the healthcare institution remains liable. Furthermore,
the healthcare institution is obliged to declare the information security violation.
Although there is no uniform law on this issue, every state obliges companies within
its borders to inform their users about security violations under "data breach
notification statutes" [15]. There are penal sanctions for not abiding by these
statutes.
3.2 Legal Environment Regarding Cloud Computing in EU and New Trends
The EU has introduced legal regulations in various fields for the protection of
personal data. Among them is Directive 95/46/EC, which is of utmost importance as it
is the data protection directive in effect and lays the basis for the directive drafts
prepared to respond to novel developments. Directive 95/46/EC clarifies the issues
regarding protection of the fundamental rights of users, limiting companies'
processing of data (collecting, recording, using and disclosing information),
requiring minimal recording of personal information, and informing the user about
data processing procedures [17]. The nature of a cloud system entails that user
information is located on the server (and, most of the time, possibly abroad).
However, Directive 95/46/EC prohibits the transfer of personal information outside
the EU economic zone as long as data security is not maintained by the destination
country. There is, however, an exemption created by Decision 2000/520/EC of the
European Commission dated 26 July 2000, formulated in accordance with Directive
95/46/EC; it creates a “Safe Harbour” for companies transferring information from
the EU to the USA [18].
Since 2009, the EU Commission has been exerting more effort in reviewing the
definition and scope of EU data protection law and the privacy of personal data.
The "Strategy on Protecting Personal Data" published on 4 November 2010
(reference no. IP/10/1462) and memorandum MEMO/10/542 are important documents
that provide an idea about the reforms to be introduced in data protection law