New DPIA and DTIA on AWS for the Dutch government: all high risks solved
Commissioned by the strategic vendor management for Microsoft, Google and Amazon Web Services at the central Dutch government (SLM Rijk), Privacy Company investigated the data protection and data transfer risks of the use of three key cloud services from Amazon Web Services Inc. The outcome of this Data Protection Impact Assessment (DPIA) is that there are no more known high risks if Dutch government organisations follow the recommended mitigating measures in this DPIA.
As a result of the negotiations between SLM Rijk and AWS, AWS has taken organisational and contractual measures to mitigate 7 previously identified high data protection risks.
To mitigate the high risks of data transfer to the United States, government organisations can encrypt special or very sensitive personal data with a self-managed key, and pseudonymise the admin account data. The transfer risks are described separately in a Data Transfer Impact Assessment (DTIA).
Government organisations can also mitigate or accept the 9 remaining low data protection risks included in the table at the end of this blog.
With the permission of SLM Microsoft, Google and Amazon Web Services, we are publishing this blog about our findings. For questions about the research, please contact the press spokesperson at the Dutch Ministry of Justice and Security, +31 (0)70 370 73 45.
________________________________________________________________________________________________________________________________________________________________
What is a DPIA and a DTIA?
When organisations plan a new processing activity that is likely to result in a high risk for individuals, such as engaging a cloud provider for large scale data processing, they have to perform a Data Protection Impact Assessment, or DPIA. There are additional data protection risks if the personal data are transferred to countries outside the EU that do not offer the same legal protection for personal data, such as the United States. If an American intelligence service were to compel a cloud provider to disclose personal data of Dutch citizens, those people would not be informed, and would have no right to a fair trial and no access to an independent supervisory authority. Therefore, organisations must also assess the risks that the transferred personal data will be used in an unlawful manner. This is called a Data Transfer Impact Assessment, or DTIA.
________________________________________________________________________________________________________________________________________________________________
AWS services
AWS provides many different cloud services, as infrastructure, as platform and as software. The DPIA assesses the risks of the use of Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Relational Database Service (Amazon RDS, in this case with a MySQL database).
The report distinguishes between 5 categories of personal data processed by AWS:
1. Content Data (customer uploaded Content Data in the VMs and storage spaces)
2. Account Data (including Contact Data)
3. Diagnostic Data (including Configuration and Security Data)
4. Support Data
5. Website Data (the restricted access Admin Console)
AWS data processor for most personal data
AWS contractually qualifies as data processor for the personal data in the Content, Account, Diagnostic, Support and restricted access Website Data.
The contract with the Dutch government includes an exhaustive list of 3 purposes, with identified sub-purposes, for which AWS may process personal data as a processor. The 3 main purposes are:
1. Providing and maintaining the Services used by Customer and its Authorised Users, including through Customer's use of settings, administrator controls or other Service functionality (such as the AWS management console and APIs made available by AWS for the Services).
2. Securing the Services and the AWS Network, including by providing security features and services.
3. Providing Customer-requested support and performing basic troubleshooting.
The Dutch government specifically authorises AWS to further process limited personal data as an independent data controller for an exhaustive list of compatible purposes, when such processing is strictly necessary and proportionate. These purposes range from billing and calculating employee compensation to combatting fraud, and from responding to data subject access requests for personal data in AWS's controller role to improving the performance and core functionality of the services. Where possible, AWS will use pseudonymised data for these purposes.
9 low data protection risks and mitigating measures