<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Consolas;
        panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:#0563C1;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:#954F72;
        text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
        {mso-style-priority:99;
        mso-style-link:"Plain Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
span.PlainTextChar
        {mso-style-name:"Plain Text Char";
        mso-style-priority:99;
        mso-style-link:"Plain Text";
        font-family:"Calibri",sans-serif;}
.MsoChpDefault
        {mso-style-type:export-only;
        font-family:"Calibri",sans-serif;
        mso-fareast-language:EN-US;}
@page WordSection1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-GB" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoPlainText">Hi Christopher<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">It was good to meet you earlier and outline the risks you and your associates are potentially running at.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">By way of illustration, there are a few links below where the Information Commissioner's Office has levied financial penalties, and not even the Police or the Crown Prosecution Service are given any leniency.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Please note the £100,000 fine is per incident.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><a href="https://ico.org.uk/action-weve-taken/enforcement/the-crown-prosecution-service/">https://ico.org.uk/action-weve-taken/enforcement/the-crown-prosecution-service/</a>
<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">However, that is relatively small compared to the forthcoming GDPR regulations, where the fine is 20 million Euro or 4% of global turnover for UoS, whichever is the larger.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span style="mso-fareast-language:EN-GB">Kevin Shaw<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="mso-fareast-language:EN-GB">Head of Information Security<o:p></o:p></span></p>
<p class="MsoPlainText"><span style="mso-fareast-language:EN-GB"><o:p> </o:p></span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><span lang="EN-US" style="mso-fareast-language:EN-GB">-----Original Message-----<br>
From: Christopher Gutteridge [mailto:cjg@ecs.soton.ac.uk] <br>
Sent: 23 September 2016 11:38<br>
To: List for users of Mac OS X &lt;osx-users@ecs.soton.ac.uk&gt;; Shaw K.C. &lt;K.C.Shaw@soton.ac.uk&gt;<br>
Subject: Re: [OSX-Users] OSX upgrade warning</span></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hi. I've been to talk to Kevin Shaw who's responsible for iSolutions security and data protection.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">We're going to try to put together some guidelines but the quick take homes were:<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Office365 is far better for data protection than most other cloud solutions.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">When new rules come into force, the maximum fine to the organisation will be 5% of our turnover. We are around a £550m/year business...<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">One thing I'd not really internalised before: In addition to fines for the organisation, those responsible can be prosecuted personally which can result in a criminal record and a maximum fine of £100,000. Eeep.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">(I believe I've got these facts right, but I'll cc him to double check)<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Hopefully we can produce some guidance which is reasonable to follow without absorbing huge tomes of detail, and a list of services which are recommended.<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">On 22/09/2016 09:48, Christopher Gutteridge wrote:<o:p></o:p></p>
<p class="MsoPlainText">> I've written to the security manager in iSolutions. His usual approach
<o:p></o:p></p>
<p class="MsoPlainText">> is that for non legally protected data, like research etc, he'll help
<o:p></o:p></p>
<p class="MsoPlainText">> you understand the risk and you can make a choice. However with
<o:p></o:p></p>
<p class="MsoPlainText">> personal data he's (rightly) much more strict.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> I've asked if there's a recommended easy-to-consume page about good
<o:p></o:p></p>
<p class="MsoPlainText">> practice and any services that are recommended or that we should avoid.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> My current understanding is that we shouldn't send people's personal
<o:p></o:p></p>
<p class="MsoPlainText">> data to countries which do not have suitable data-protection laws.<o:p></o:p></p>
<p class="MsoPlainText">> There are exceptions if a specific company complies with rules, but just
<o:p></o:p></p>
<p class="MsoPlainText">> shoving stuff in the cloud is reckless when it could cause harm if
<o:p></o:p></p>
<p class="MsoPlainText">> leaked.<o:p></o:p></p>
<p class="MsoPlainText">><o:p> </o:p></p>
<p class="MsoPlainText">> Something to think about; would you be happy with the NHS casually
<o:p></o:p></p>
<p class="MsoPlainText">> using Dropbox to move patient records?<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">> --<o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">Christopher Gutteridge -- <a href="http://users.ecs.soton.ac.uk/cjg">
<span style="color:windowtext;text-decoration:none">http://users.ecs.soton.ac.uk/cjg</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
<p class="MsoPlainText">University of Southampton Open Data Service: <a href="http://data.southampton.ac.uk/">
<span style="color:windowtext;text-decoration:none">http://data.southampton.ac.uk/</span></a> You should read our Web &amp; Data Innovation blog:
<a href="http://blogs.ecs.soton.ac.uk/webteam/"><span style="color:windowtext;text-decoration:none">http://blogs.ecs.soton.ac.uk/webteam/</span></a><o:p></o:p></p>
<p class="MsoPlainText"><o:p> </o:p></p>
</div>
</body>
</html>