Privacy one year later: Compliance and industry issues in Canada and the United States. David W. Stark. MRIA Alberta Chapter, January 20, 2005. Agenda: Privacy legislation overview; Compliance: is it working?; Industry implications.
Privacy one year later: Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter
January 20, 2005
Privacy one year later
©2004 TNS - Confidential
Agenda
Privacy legislation overview
Compliance: is it working?
Industry implications
Helpful resources
Q&A
Privacy legislation overview
[Timeline figure with two tracks: Freedom of Information Access; Privacy and Protection of Personal Data]
Years shown: 1966, 1974, 1980, 1985, 1994, 1998, 2000, 2001-2004
Laws shown: Freedom of Information Act – U.S.; Privacy Act – U.S.; Privacy Act - Canada; Access to Info. Act - Canada; Privacy Legislation - Quebec; EU Privacy Directive; Safe Harbor – U.S.; PIPEDA - Canada; PIPA - AB & BC
Canadian approach to privacy
Federal regulations
Competition Act (1985; rev. 1999 and 2001)
CRTC Telemarketing Rules (1994; rev. 2004)
PIPEDA (2001-2004)
• Comprehensive law affecting all industries in private sector
Bill C-37 (2005?)
• Would establish a national do-not-call registry
Anti-spam legislation (2005?)
Canadian approach to privacy
Provincial regulations
Personal information protection acts
• QC, AB, BC
Personal health information acts
• AB, SK, MB, ON
With PIPEDA and its provincial counterparts, Canada’s privacy framework is closer to Europe than U.S.
U.S. approach to privacy – sectoral
Federal regulations
Video Privacy Protection Act (1988)
Telephone Consumer Protection Act (1991)
Driver’s Privacy Protection Act (1994)
Telemarketing Sales Rule (1996)
U.S. approach to privacy – sectoral
Federal regulations
Health Insurance Portability and Accountability Act (1996)
Financial Modernization Act (Gramm-Leach-Bliley) (1999)
Children’s Online Privacy Protection Act (2000)
CAN-SPAM Law (2003)
U.S. approach to privacy – sectoral
Federal regulations
Eavesdropping and Taping Laws (FCC)
• Telephone interviewing, focus groups
Federal Trade Commission Act (Section 5)
• Obligation to abide by one’s posted privacy policies
U.S. approach to privacy – sectoral
State regulations
Anti-spam laws
Do-not-call laws and lists
Telephone curfew laws
Eavesdropping and taping
California’s Online Privacy Protection Act (CA OPPA)
• Must post privacy policy on website if collecting personally-identifiable information from CA residents.
What’s driving consumer privacy laws?
Most privacy regulations enacted since early 1990s
Coincides with digital information age
• Databases of PII that can be manipulated and moved offshore at click of a button
Public opinion
• Greater intrusion into consumers’ lives – want to be left alone
Outsourcing offshore
Compliance: is it working?
Compliance in Canada
Low awareness of PIPEDA and provincial privacy laws
Federal Privacy Commissioner has treated offending organizations with kid gloves
Commissioner’s Office understaffed
Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts
Compliance in the United States
Patchwork of privacy laws difficult for organizations
Multinationals would prefer a national privacy law (similar to PIPEDA)
FTC names offending organizations on its website
Private right of action in many U.S. laws gives rise to class action suits
EU study suggests several U.S. firms on Safe Harbor list are not in compliance
Industry implications
Industry implications
Third-party disclosures
• Clients’ customer lists
• Respondent PII shared with clients
• List brokers / sample providers
• Qualitative research: recruiter, moderator, facility
Online research
• Explicit opt-in consent
• Must not spoof message headers
• ISP shutdowns
[Diagram labels: customer, research client, research supplier]
When research firm (RF) sends invitation from its domain…
From: RF on behalf of CLIENT <[email protected]>
To: Rebecca Smith <[email protected]>
Subject: Complete CLIENT’s survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500
From: CLIENT <[email protected]>
To: Rebecca Smith <[email protected]>
Subject: Complete CLIENT’s survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500
MUST NOT SPOOF MESSAGE!!
Industry implications
Data security and retention
• Physical, electronic and organizational
• Minimum and maximum retention periods
International data flows
• U.S. state laws could impact Canadian call centres and outsourcing overseas
• One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)
Industry implications
Contracts with clients that include indemnities and privacy protection clauses
Increasing number of multinational clients require completion of comprehensive privacy assessment forms
Research is becoming more difficult to conduct
Helpful resources
Helpful resources
Federal Privacy Commissioner’s website
• www.privcom.gc.ca
International Association of Privacy Professionals
• www.privacyassociation.org
Nymity (privacy consulting firm)
• www.nymity.com
CAMRO Privacy Protection Handbook
Helpful resources
CAMRO Privacy Protection Handbook
• CD-ROM Version 1.0 released October, 2003
• 40 sold to date
• Over 90 pages of advice
• Includes legal agreements prepared by privacy lawyer (Brian Bowman, Pitblado)
• Version 2.0 to be MRIA-branded and issued soon
• Includes expanded policy section and appendices unique to qual. research