SCCE official site · Transcript · 20/09/2013
Global Privacy and Data Protection: Practical Risk Assessment and Governance
9 October 2013
Robert Bond, BA, CCEP, HonMIEx, Head of Data Protection and Info Security, Speechly Bircham
Marti Arvin, CHC-F, CHPC, CHRC, CCEP-F, Chief Compliance Officer, UCLA Health System
Topics
• Understanding the global legal and regulatory landscape
• OECD Guidelines
• Applying the Guidelines to your business
• Assessing the risks and planning the compliance program
• Tools and tactics for an effective risk management regime
Case Study – Stage 1
THE GLOBAL DATA PROTECTION LANDSCAPE
1. Background – the OECD Guidance
2. The European Union and other Central Eastern European countries
3. The US (sector based regulations)
4. APEC
5. Canada (PIPEDA)
6. Australia
7. Recent developments – emerging laws
THE GLOBAL DATA PROTECTION LANDSCAPE
Background - the OECD Guidance
- The OECD Guidance (Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, adopted 23 September 1980)
- OECD is an international economic organization founded in 1961 to stimulate economic progress and world trade
- Members include the US, European and South American countries, and Australia
• Definitions
- Data controller means any information relating to an identified or identifiable individual (data subject);
- Personal data means any information relating to an identified or identifiable individual (data subject);
- Transborder data flows means movements of personal data across national borders
THE GLOBAL DATA PROTECTION LANDSCAPE
Background - the OECD Guidance
Eight data protection principles
1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability
Practical measures mapped to each of the eight principles:
• Collection limitation: privacy notice; consent; privacy by default; OBA and cookies
• Data quality: privacy policy; information security; audits; records management
• Purpose specification: privacy notice; consent; fair use; data transfer/handling
• Use limitation: privacy notice; audit; information security; 3rd party processing
• Security safeguards: policies & procedures; due diligence; insurance; training
• Openness: clear and unambiguous notices; privacy impact assessments; privacy by design; subject access policy
• Individual participation: subject access request; data protection officer; data management policies; communication
• Accountability: compliance; data protection policy; transparency; training
THE GLOBAL DATA PROTECTION LANDSCAPE
The European Union
- The EU Data Protection Directive
- Implementing national legislation
- Which law applies?
- The General Data Protection Regulation
THE GLOBAL DATA PROTECTION LANDSCAPE
The US (sector based regulations)
• The Fair Credit Reporting Act (FCRA)
• The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act “GLBA”)
• California SB1
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Children’s Online Privacy Protection Act 1998 (COPPA)
• Junk Fax Prevention Act of 2005
• CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003)
THE GLOBAL DATA PROTECTION LANDSCAPE
APEC (Asia-Pacific Economic Community)
• Forum for facilitating trade and investment in the Asia-Pacific region
• Members include Australia, Canada, China, Japan, Vietnam, the Russian Federation and the US
• The APEC Framework is intended to provide a legal basis for facilitating international transfers and providing a minimum standard of privacy protection
• Implementation of the APEC Framework is not mandatory
THE GLOBAL DATA PROTECTION LANDSCAPE
Canada (PIPEDA)
The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)
Ten key privacy principles:
1. Accountability.
2. Identifying purposes.
3. Consent.
4. Limiting collection.
5. Limiting use, disclosure and retention.
6. Accuracy.
7. Safeguards.
8. Openness.
9. Individual access.
10. Challenging compliance.
THE GLOBAL DATA PROTECTION LANDSCAPE
Australia
The Privacy Act 1988 contains the ten National Privacy Principles:
1. Collection. Describes what an organisation should do when collecting personal information
2. Use and disclosure. Outlines how organisations may use and disclose individuals' personal information
3. Information quality. An organisation must take steps to ensure the personal information it holds is accurate and up-to-date
4. Information security. Information must be kept secure from unauthorised use or access
5. Openness. An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it
6. Access and correction. Individuals have a right of access to their personal information
7. Identifiers. Generally, an organisation cannot adopt an Australian government identifier for an individual (for example, Medicare numbers) as its own
8. Anonymity. Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves
9. Trans border data flows. Sets out how organisations should protect personal information that they transfer outside Australia
10. Sensitive information. Sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information
THE GLOBAL DATA PROTECTION LANDSCAPE
Recent developments - emerging laws
• Singapore: Personal Data Protection Act 2012 (PDPA); came into force 2nd January 2013; anticipated 12-18 month ‘sunrise period’
• The Philippines: Data Privacy Act 2012; to come into force in 2013
• Hong Kong: The Personal Data (Privacy) (Amendment) Ordinance (Amendment Ordinance) was passed into law in June 2012. Most of its provisions came into effect on 1 October 2012, the remainder in April 2013
• Malaysia: Personal Data and Protection Act 2010 to be enforced in 2013
• China: Currently no comprehensive legal framework for data protection. In late 2012 China’s legislative body issued new rules on the protection of electronic personal data of Chinese citizens with immediate effect
• Taiwan: The Personal Data Protection Law was passed in 2011 and came into force in October 2012
THE GLOBAL DATA PROTECTION LANDSCAPE
Recent developments - emerging laws
• South Korea: The Personal Information Protection Act 2011 was passed on 29 March 2011 and came into force on 30 September 2011. There is also the Act on Promotion of Information and Communication Network Utilization and Information Protection (IT Network Act) which regulates the collection and use of personal information by IT Service Providers
• Mexico: Federal Law for the Protection of Personal Data in Possession of Private Persons (Personal Data Protection Law) passed in 2010
• Brazil: There is no specific data protection law in Brazil
• Colombia: A new Data Protection Law was passed on 7 October 2011 and came into force on 18 April 2013
• India: The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 were issued under s. 43A of the Information Technology Act, 2000
THE GLOBAL DATA PROTECTION LANDSCAPE
Russia – a patchwork of laws including the Data Protection Act No. 152 of 2006 and the need for a DPO, Registration and processing principles similar to EU
Ukraine - Law of Ukraine on Protection of Personal Data; recent fine for failing to update registration; principles are similar to EU; draft law proposes termination of DPA and replacement with more powerful Regulator
Serbia – DP Act 2009 with similar principles to EU
Turkey - Turkey's Draft Law on Data Protection (the "Draft Law"), is expected to be passed at the end of 2013 or in early 2014; similar principles to EU
Case Study – Stage 2
Case Study – Stage 3
What should the audit achieve?
“A systematic and independent examination to determine whether activities involving
the processing of personal data are carried out in accordance with an organisation’s
data protection policies and procedures, and whether this processing meets the
requirements of the [law].” UK Information Commissioner’s Office
• Assess compliance with the law
• Assess compliance with entities’ own policies and procedures
• Assess gaps and weaknesses
• Provide information to ensure compliance
• Ensure awareness
• Minimise risk
Analysing entities and their roles
Ascertain data ‘estate’
• names and locations of all entities in each country
• Purpose of collection - are they controllers or processors
• data subjects and data recipients (employee, customer, supplier, other)
• points of collection of data
• types of data collected – basic contact / detailed profile
• types of systems used – manual / electronic
• notifications / registrations with authorities
Analysing processes and policies
Data processes and policies
• points / methods of data collection (online / offline / social media)
• consent / fair processing information – how is this communicated?
• Data retention / destruction
• websites and terms of use
• business codes of conduct and policies (data protection; IS/IT; electronic media; portable device policy; whistleblower)
• contracts of employment and staff manuals
• staff knowledge and training (DPO / basic)
• appointments of CPO/DPO
Contracts and Codes
• Audit trans border data flow solutions
• Audit third party processor contracts
• Audit permissions from DPA
• Ensure all policies and procedures comply with local laws (not just data protection – e.g. employment laws / monitoring rules)
• Monitor ongoing changes to company structures (acquisitions / disposals)
• Changes to data handling practices and notifications (e.g. Outsourcing / Cloud / CCTV / vehicle tracking)
Case Study – Stage 4
Benefits of a compliance audit
• Facilitates compliance with the law
• Measures and helps improve compliance with policies
• Increases awareness amongst staff and management
• Elevates data protection to a key part of corporate governance
• Minimises risk
• Satisfies insurance requirements
• Improves trust and customer satisfaction
Privacy Impact Assessments
What? An assessment of the impact of the proposed processing upon individuals’ personal data
Why? A pre-emptive exercise, which seeks to avoid problems arising from new processes
When? At the earliest stage when a new system / activity is first proposed
For example
• Centralised HR system hosted outside the EU
• Use of social media for marketing purposes
• Use of cookies for targeted advertising
• Cloud hosted solutions
• Adoption of bring your own device policy
• Remote working policy
• Due diligence in company sale
Privacy by design
• Designing in privacy and data protection compliance to information systems
• Requires data protection to be a consideration at the outset of a new project
• Personal data should be protected throughout life cycle – collection, storage, disclosure and destruction
Practical tips – trans border transfers of personal data
• Understand what personal data goes where and why – use flowcharts
• Consider how the transfer is legitimised – not the same as the contractual relationship
Controller - processor
Compliance project workflow (reconstructed from the original flow diagram):
1. Define the country and group of companies covered by the project
2. Send country specific audit questionnaire, covering:
• data flows
• assess general existing processing operations
• assess existing notifications / authorizations
• assess specific client concerns
• purposes
• databases
• assess general existing policies and procedures
• cookies used?
3. Define the required compliance measures
4. Implement the required compliance measures (each flagged in the diagram as “Consider”, “Always necessary” or “Probably necessary”):
• define security measures, coordinating with client’s IT / Facilities team
• review of existing notifications / presenting new notifications
• data transfer agreements
• liaise with local counsel
• implement / update existing training measures
5. When complete: compliance bundle, including list of ongoing compliance requirements
Case Study – Stage 5
For more information on our services, please contact:
Robert Bond, BA, CCEP, HonMIEx
Partner & Notary Public
+44 (0)20 7427 6660
Tweet me @iinonline