ubiquitous biometrics - international association of privacy … · 2012. 2. 29. · biometrics for...


Winning support from senior management and others

This article is the third in a series contributed by MediaPro, Inc., in which privacy and data protection thought leaders from leading organizations share best practices for addressing the human factor in compliance and data protection programs and implementing a successful privacy and data security awareness and training initiative.

As a security and privacy professional, you understand the critical importance of solid, enterprise-wide compliance. And you’re sold on the value of comprehensive training. But how do you get buy-in from the C-suite on down?

That’s the question we asked privacy and security leaders.

Bottom-line business case

Larry Ponemon, CIPP, chairman and founder of the Ponemon Institute, suggests that privacy and security professionals start the discussion with senior management by making the bottom-line business case for compliance. Ponemon notes that the average total cost of a data breach is $6.65 million, according to the institute’s research. But much more may be lost in terms of damaged reputation, negative publicity, and lost customer goodwill in the event of data theft or a privacy scandal.

See, Winning support, page 6

Ubiquitous biometrics

By Kathy Harman-Stokes, CIPP

At a recent biometrics conference, Dr. Myra Gray, the director of the Department of Defense Biometrics Task Force, discussed the impending arrival of “ubiquitous biometrics.” She emphasized that biometrics are being widely used for national security, physical access control, and individual identification for countless types of transactions. As this particular conference was focused on implementation of Homeland Security Presidential Directive 24 (HSPD-24), mandating interoperability between certain governmental biometric systems, she and others spoke of the value of ubiquitous biometrics for national security and everyday conveniences.

Dr. Gray is correct about the rapid expansion of the use of biometrics in the public and private sectors. Yet, risks certainly exist, and the laws designed to protect individual privacy vary widely. In some countries, such as the U.S., no federal laws mandate specific protections to mitigate privacy risks in biometric systems, but states appear to be stepping in with their own laws. In others, biometric use must be expressly authorized by data protection authorities, and such authorities only allow certain “no trace” biometrics when stringent requirements are met.

Expanding biometric uses: ID management, fraud prevention, and customer convenience

Companies tout today’s biometric systems as scalable, accurate, and cost-effective and as the best practical way to ensure the accurate identification of an individual and minimize identity theft. More than 100 companies in the UK and Middle East are using a facial recognition system for employee access to construction sites and airports. With a link into the payroll systems, these companies

See, Ubiquitous biometrics, page 3

June 2010 • Volume 10 • Number 5
Editor: Kirk J. Nahra, CIPP

This Month

Notes from the Executive Director ....... 2
Promoting Privacy to IT: The CIPP/IT Pilot ................................... 8
Amended German data protection law ....................................... 9
Calendar of Events ................................ 11
Privacy and the Vancouver Olympics: Games over, cameras going away ....... 12
10 in 2010 ............................................. 13
Surveilled .............................................. 14
CIPP Graduates ..................................... 16
Global Privacy Dispatches .................... 18
Privacy Classifieds ................................ 22
Privacy News ........................................ 22

112843_advisor_Document 3 7/8/10 2:43 PM Page 1


THE PRIVACY ADVISOR

Editor
Kirk J. Nahra, CIPP, Wiley Rein
[email protected]
+202.719.7335

Publications Director
Tracey [email protected]
+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD

Miranda Alfonso-Williams, CIPP, CIPP/IT, Global Privacy Leader, MDx GE Healthcare
Nathan Brooks, CIPP
Kim Bustin, CIPP/C, President, Bustin Consulting Limited
Debra Farber, CIPP, CIPP/G, Privacy Officer, The Advisory Board Company
Benjamin Farrar, CIPP, Manager, Privacy Team, Quality & RM, Ethics & Compliance, Ernst & Young LLP
Steven B. Heymann, CIPP, VP, Compliance and Information Practices, Experian
Michael Kearney, Student/Research Assistant, William & Mary School of Law
Jim Keese, CIPP, CIPP/IT, Global Privacy Officer, VP Records & Information Mgmt, The Western Union Company
Stephen Meltzer, CIPP, Privacy and Corporate Counsel, Meltzer Law Offices
David Morgan, CIPP, CIPP/C, Privacy Officer-Secondary Uses, Newfoundland and Labrador Centre for Health Information
Dan Ruch, Chief Operating Officer, Ruch & Associates Inc.
Luis Salazar, CIPP, Partner, Infante, Zumpano, Hudson & Miloch, LLC
Heidi Salow, CIPP, Of Counsel, DLA Piper
Julie Sinor, CIPP, Director, PricewaterhouseCoopers, LLP
Eija Warma, Attorney, Castren & Snellman Attorneys Ltd
Frances Wiet, CIPP, Chief Privacy Officer, Hewitt Associates LLC

To Join the IAPP, call: +800.266.6501

Advertising and Sales, call: +800.266.6501

Postmaster
Send address changes to:
IAPP
170 Cider Hill Road
York, Maine 03909

Subscription Price
The Privacy Advisor is an IAPP member benefit. Nonmember subscriptions are available at $199 per year.

Requests to Reprint
Tracey [email protected]

Copyright 2010 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Notes From the Executive Director

Increasing complexity

Let no one say that our world is getting less complex. Our June delegate tour through Europe revealed quite the opposite.

Data protection laws in France make it a criminal offense to process data without first registering with the French data protection authority. In Germany, organizations that fail to appoint a data protection officer can be fined up to 50,000 euro. And the Article 29 Working Party recently issued an opinion on cookies that makes clear requirements for prior informed consent.

These new European developments and others worldwide confirm that data protection and privacy issues become more challenging as each day passes.

Recently, I spoke with a reporter for CNET News who asked what companies should do to respond to the growing complexities. My answer was there is no single answer. Our very best solution is the profession itself: smart people who understand the issues are the best tools for navigating the increasingly troubled waters of privacy and data protection.

J. Trevor Hughes, CIPP
Executive Director, IAPP

2 www.privacyassociation.org

June • 2010

Coming next month

Next month, the Privacy Advisor moves to a digital format. Instead of a printed newsletter, you will receive an e-mail letting you know that the new edition is online.

We are excited about this move to digital because it allows us to invest more in content generation, thereby putting more information resources in your hands.

Please make sure that your e-mail is current so that you don’t miss the monthly notification. Go to www.privacyassociation.org and click on “Membership” at the top right of the page to make any necessary changes. You may also opt to receive the newsletter via RSS feed.


170 Cider Hill Road
York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS

President
Nuala O’Connor Kelly, CIPP, CIPP/G, Chief Privacy Leader & Senior Counsel, Information Governance, General Electric Company, Washington, DC

Vice President
Bojana Bellamy, LLM, Director of Data Privacy, Accenture, London, UK

Treasurer
Jeff Green, CIPP/C, VP Global Compliance & Chief Privacy Officer, RBC, Toronto, ON, Canada

Secretary
Jane C. Horvath, CIPP, CIPP/G, Senior Global Privacy Counsel, Google Inc., Washington, DC

Past President
Jonathan D. Avila, CIPP, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, CA

Executive Director, IAPP
J. Trevor Hughes, CIPP, York, ME

Allen Brandt, CIPP, Corporate Counsel, Chief Privacy Official, Graduate Management Admission Council, McLean, VA
Agnes Bundy Scanlan, Esq., CIPP, Chief Regulatory Officer, TD Bank, Boston, MA
Malcolm Crompton, CIPP, Managing Director, Information Integrity Solutions Pty/Ltd, Chippendale, Australia
Stan Crosley, Esq., CIPP, Partner, Co-Director, Indiana U. Center for Strategic Health Information Provisioning, Indianapolis, IN
Dean Forbes, Senior Director Global Privacy, Schering-Plough Corporation, Kenilworth, NJ
D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster, LLP, Washington, DC
Sandra R. Hughes, CIPP, Global Ethics, Compliance and Privacy Executive, The Procter & Gamble Company, Cincinnati, OH
Alexander W. Joel, CIPP, CIPP/G, Civil Liberties Protection Officer, Office of the Director of National Intelligence, Bethesda, MD
Brendon Lynch, CIPP, Senior Director, Privacy Strategy, Microsoft Corporation, Redmond, WA
Lisa Sotto, Esq., Partner, Hunton & Williams LLP, New York, NY
Scott Taylor, Chief Privacy Officer, Hewlett-Packard, Palo Alto, CA
Florian Thoma, Chief Data Protection Officer, Siemens, Munich, Germany
Richard Thomas CBE LLD, Centre for Information Policy Leadership, Hunton & Williams LLP, Surrey, UK
Brian Tretick, CIPP, Executive Director, Advisory Services, Ernst & Young, McLean, VA

Ex Officio Board Member
Kirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC

International Association of Privacy Professionals 3

Ubiquitous biometrics, continued from page 1

claim reduced paperwork, enhanced accuracy, and elimination of “buddy punching,” i.e., one person clocking in for another. One company claims a four percent reduction in wage payments resulting from minimized wage fraud. Iris recognition systems now capture an iris from three feet away, with people in motion walking toward the scanner. One system can capture the irises of 50 people per minute as they clock in at busy job sites. Medical centers are using biometrics for access to patient records and to confirm patient identity. National Australia Bank is using voice authentication for certain types of phone banking; Middle East banks are using iris recognition at ATMs, and Japanese banks are using palm vein systems, which are hygienic no-touch systems that use infrared light to scan the vein pattern inside one’s hand at ATMs.

Palm-vein and fingerprint biometric systems are being used for employee computer login credentials. In its transition to electronic health records, one medical center in Florida implemented a fingerprint system for employee single sign-on to 25 different applications, with a net savings from the full transition of $500,000. Another biometric system, BioLock, offers a fingerprint system that, the company states, can literally protect every mouse click. An employee scans a fingerprint to log on and scans again for each attempt to access a sensitive transaction, such as a wire transfer, with all attempts logged and users identified.

Schools in the United Kingdom are using children’s fingerprints in libraries and cafeterias. Colleges in the UK are using facial recognition to track class attendance. To minimize fraud in the graduate school admissions process, the LSAT exam collects fingerprints and the GMAT exam collects palm-vein biometric data in more than 100 countries. Apple® iPhoto® and other photo-sharing sites are using facial recognition to match all the faces of a particular individual and group them together into a folder that may conveniently be uploaded to the Web. A company in the Netherlands offers fingerprint biometrics for customer access to fitness centers and swimming pools, linked into payment systems to deny access to anyone whose payment is late. The system can be used by hotels instead of a room key; family members may use their fingerprints for room access and room charges. This system is being used in lieu of loyalty cards; purchases are tracked via fingerprint for coupons and product specials.

With all the proclaimed benefits of biometrics, risks do exist. After all, if an individual’s biometric data is stolen, he or she has no real recourse: a person cannot change his or her fingerprint. Plus, biometrics are being used for automated decision-making in areas that significantly affect our lives, such as boarding a plane, entering a job site, or tracking employee hours for payroll, not to mention law enforcement activities. A stolen identity, spoofed fingerprint, or a mismatch of biometric data to someone else’s personally identifiable information (PII), all of which have occurred, can result in significant hardship to an individual. The laws around biometrics vary widely, from a free-for-all approach with no laws specifically related to the privacy of biometric data to almost complete bans on certain biometric systems.

U.S. laws concerning biometrics

In the U.S. public and private sectors, various general privacy laws exist that also cover biometrics. For example, the U.S. Government is subject to the Privacy Act of 1974, the E-Government Act, the Federal Information Security Management Act (FISMA), and numerous OMB memoranda, which collectively mandate that data only be collected where it’s necessary and relevant, that agencies publish privacy impact assessments analyzing and explaining mitigation measures for privacy risks, and that they publish privacy policies and implement comprehensive information security programs, among other things. In the private sector, sector-specific general laws would cover biometric data, such as HIPAA and the Financial Services Modernization Act (Gramm-Leach-Bliley Act). However, no federal law exists that directly addresses privacy issues in the use of biometric data, e.g., whether children’s fingerprints should be used in schools or libraries, what security must surround biometric data, what notice should be given, and whether consent must be obtained.

Illinois has implemented such a law. The Biometric Information Privacy Act, 740 ILCS 14/ (effective 3 Oct. 2008), prohibits private companies from collecting most forms of biometric data unless requirements are met. Companies must develop written public policies establishing retention schedules for permanently destroying biometrics when the initial purpose for which they were collected has been satisfied, or at the latest, three (3) years after the individual’s last interaction with the company. Before collecting biometrics, companies must provide certain notification to data subjects and receive a written release from the subject. Companies are prohibited from selling or otherwise profiting from biometric data and are prohibited from disclosing biometric data to third parties without receiving the subject’s explicit consent, with few exceptions. Certain security standards must also be met.

A bill introduced in January 2010 in New Hampshire, HB1409, was even more restrictive. Government agencies and private entities would have been prohibited from using identification cards (other than employee identification cards) and identification systems that require biometric data. They would have been prohibited from requiring an individual to provide biometric data as a condition to obtaining services from or doing business with that entity. Virtually all biometrics would have been covered under the bill, e.g., fingerprints, facial recognition, iris recognition, hand geometry, keystroke dynamics, voice recognition, and DNA. Trade groups opposed it and it was ultimately voted down, yet a proposal of such restrictive legislation suggests that, in the absence of federal law, state legislators may step into the biometric privacy arena in the same way they propelled state laws coast-to-coast concerning data breaches.

European Union laws regarding biometrics

The EU approach stems from the understanding that privacy is fundamental to a functioning civil society and democracy. In addition to identity theft, the authorities fear exactly what Dr. Gray spoke of: ubiquitous biometrics and interoperability of biometric systems. The more ubiquitous this data becomes and the more systems interoperate, i.e., the more one system can read the data contained in other systems, the more likely that data collected for one purpose will be used for other purposes unbeknownst to the data subject. European authorities are concerned about the true loss of privacy; for example, with ubiquitous facial recognition biometric technology, a photo of a peaceful protester could be matched, one-to-many, against a central database; the protester could be identified, then tracked and retaliated against for his/her beliefs. In continental Europe, the typical U.S. corporate model of a biometric system, with an off-the-shelf biometric system collecting images that are then transferred into a central database held in the U.S. or in a conveniently offered cloud somewhere, is frequently rejected by data protection authorities.

Biometric systems in the EU must comply with the EU Data Protection Directive 95/46/EC, member state laws implementing the directive, and, in addition, biometric-specific laws and guidance. The Article 29 Working Party has issued guidance, “Working document on biometrics,” adopted 1 August 2003, as have certain countries, such as France, Belgium, and Slovenia. In several countries, the use of biometrics must be specifically authorized by the data protection authority, e.g., in France, Portugal, and Greece. In many other countries, even without a requirement of prior authorization, a company would be wise to contact authorities to discuss the biometric system before implementation, e.g., Germany. If not, and if the DPA later finds that the system violates law, sanctions could be applied, including possibly the deletion of the biometric data collected, or criminal penalties if willful violations are found.

How to comply with the myriad EU requirements around biometrics? Setting aside general data protection requirements, the authorities tend to focus on several areas when evaluating biometrics:

• Proportionality: “Proportionality has been the main criterion in almost all decisions” by data protection authorities when evaluating biometrics. Art. 29 Working Party, “Working document on biometrics,” adopted 1 Aug. 2003, § 3.2. Proportionality entails an analysis of whether the use in question fulfills the desired purpose, whether it is truly necessary or whether a less intrusive measure could achieve the same purpose equally effectively, and whether it is appropriate, i.e., whether the use stands in reasonable relationship to the intrusions it will cause. Chris Kuner, “Proportionality Principle,” BNA Privacy & Security Law Report, 2008. In countries that rigidly apply this principle, mere customer convenience will likely be insufficient; authorities seek a strong justification for biometric use, such as nuclear power plants and airports. The French Data Protection Authority (CNIL) apparently found that the GMAT exam’s use of palm vein technology, which it considers to be a “no trace” biometric, met this threshold; the GMAT uses the palm vein data to protect graduate business schools and school applicants from test impersonations to ensure fairness in the admissions process.

• Biometric types: DPAs are less likely to approve biometrics that leave a trace, i.e., that the user leaves behind wherever he goes, such as a fingerprint or DNA, or that may be collected without a data subject’s knowledge or consent, as facial recognition systems now allow. The CNIL has stated that trace biometrics are only justified by a “particular imperative requirement for security.” “Biometric systems and the French Data Protection Act,” by Guillaume Desgens-Pasanau, head of the CNIL Legal Department, published by DataGuidance, Nov. 2009. Authorities are more likely to accept “leaving trace technologies,” through which a biometric template is embedded into a microchip on a card maintained by the data subject. Id. “No trace” biometrics are most often approved, i.e., biometric systems where the data subject does not leave a trace behind and for which the data cannot be collected surreptitiously, such as palm vein, hand geometry and voice recognition.

• Security: Biometrics require heightened security measures, but, in addition, should include the following features:

- Keep only the numeric template, not the raw images, to mitigate the risk of another organization misusing the image for other purposes, from identity theft to a government agency applying its own algorithms to match the image one-to-many against others in its databases. If the company only retains the numeric template and it’s encrypted, the data would be useless if stolen. That holds only if the encryption key is kept out of the template store, for example in a key management service or hardware security module, so that whoever copies the database does not get the key with it. The GMAT and EasySecure, the company in the Netherlands offering fingerprints for facility center access and loyalty cards, only retain an encrypted template.

- Use a unique algorithm in the extraction of the template from the raw image, which limits interoperability. In other words, do not use the off-the-shelf algorithm in template creation, but tweak it so that the data cannot be read and matched by other biometric systems. Treat this as defense in depth rather than a substitute for encryption: anyone who obtains both the templates and the modified extractor can still run matches against them.

- Logically separate the biometric data from other PII in databases so that the biometric data is not associated with PII in the database but only with a de-identified unique identifier that, when appropriate, can be matched with the PII.
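The first and third of these features can be built together. The Go program below is an added example, not code from the article or from any vendor it names: one store holds only AES-256-GCM-encrypted templates keyed by a random pseudonym, with that pseudonym also bound into the ciphertext as additional authenticated data, and a separate store maps the same pseudonym to the person’s identity. The names, the eight-byte templates, the Hamming-distance matcher and the in-memory key are constructed stand-ins; a real deployment would keep the key in a KMS or HSM and use the vendor’s matcher on the vendor’s template format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"math/bits"
)

// Template is the numeric feature vector extracted from a capture (the raw image is never stored);
// Pseudonym is the random, de-identified key that links a template to its identity record.
type Template []byte
type Pseudonym string

// TemplateStore holds only encrypted templates: nonce || AES-256-GCM ciphertext, AAD = pseudonym.
// The key is a field so the example is self-contained; in production it lives in a KMS/HSM.
type TemplateStore struct {
	key  []byte
	Recs map[Pseudonym][]byte
}

// PIIStore is the separate database mapping pseudonyms to identity data.
type PIIStore map[Pseudonym]string

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure is not recoverable here
	}
	return b
}

func NewTemplateStore() *TemplateStore {
	return &TemplateStore{key: randomBytes(32), Recs: map[Pseudonym][]byte{}}
}

func (s *TemplateStore) aead() cipher.AEAD {
	block, err := aes.NewCipher(s.key) // fails only on a bad key length
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Put seals the template under a fresh nonce and binds it to its pseudonym.
func (s *TemplateStore) Put(p Pseudonym, t Template) {
	gcm := s.aead()
	nonce := randomBytes(gcm.NonceSize())
	s.Recs[p] = gcm.Seal(nonce, nonce, t, []byte(p)) // stored as nonce || ciphertext+tag
}

// Get decrypts the template for p; a record swapped under another pseudonym, or read with another key, fails to open.
func (s *TemplateStore) Get(p Pseudonym) (Template, error) {
	rec, ok := s.Recs[p]
	if !ok {
		return nil, errors.New("no template for pseudonym")
	}
	gcm := s.aead()
	n := gcm.NonceSize()
	return gcm.Open(nil, rec[:n], rec[n:], []byte(p))
}

// Match stands in for a vendor matcher: Hamming distance with a tolerance, since two captures never agree bit for bit.
func Match(enrolled, probe Template, maxDiffBits int) bool {
	if len(enrolled) != len(probe) {
		return false
	}
	diff := 0
	for i := range enrolled {
		diff += bits.OnesCount8(enrolled[i] ^ probe[i])
	}
	return diff <= maxDiffBits
}

// Enroll writes identity and template to their separate stores and returns the linking pseudonym (what a badge would carry).
func Enroll(ts *TemplateStore, ps PIIStore, name string, t Template) Pseudonym {
	p := Pseudonym(hex.EncodeToString(randomBytes(16)))
	ts.Put(p, t)
	ps[p] = name
	return p
}

// Verify is a one-to-one check: the presented pseudonym selects one template, and identity is released only on a match.
func Verify(ts *TemplateStore, ps PIIStore, p Pseudonym, probe Template) (string, bool, error) {
	enrolled, err := ts.Get(p)
	if err != nil {
		return "", false, err
	}
	if !Match(enrolled, probe, 8) {
		return "", false, nil
	}
	if name, ok := ps[p]; ok {
		return name, true, nil
	}
	return "", false, errors.New("template has no identity record")
}
```

Binding the pseudonym into the authenticated data means a record copied under another subject’s pseudonym fails to decrypt instead of silently matching the wrong person, which is the mismatch case described earlier, and because the key never sits in the template store, a copy of that store alone decrypts nothing. The decrypted template exists in memory only for the duration of the one-to-one check.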

Given current technologies, biometrics are rapidly being implemented, but companies face risks posed by the inherent sensitivity of a measure of an individual’s behavioral and physiological characteristics and the consequences in the event of data loss, misuse, or accidental mismatch. Furthermore, they face risks


See, Ubiquitous biometrics page 21


Winning support, continued from page 1

Pointing to a study conducted by the Royal Bank of Canada, Richard Purcell, CIPP, CEO of Corporate Privacy Group, says the data supports the bottom-line business case for privacy and security training. The study demonstrated that a certain percentage of the bank’s profitability and customer loyalty was due specifically to data protection practices. “Get your management to understand that investing $50,000 a year in privacy training helps reduce the chances you’ll face a million dollar judgment from your regulator,” says Purcell. “Produce metrics that help management understand that there is a profit factor in establishing loyalty and depth of service with your customer base,” he adds. “Compliance, then insurance, then profit. That’s the wise way to do it.”

The right thing to do

“What we emphasized with our leadership—especially in a company where we’re so focused on customers—is the importance of the brand,” says Gregory Maher, director of privacy for U.S. Cellular. His strategy is shared by Sandra Hughes, CIPP, the executive in charge of global ethics, compliance, and privacy for The Procter & Gamble Company. “We did do some research and focus groups with consumers early on to see how they felt about privacy,” Hughes reports. She and her team showed the company leadership that consumers were strongly concerned about privacy and security issues. Maintaining privacy and security “is just the right thing to do,” says Hughes. “We have to build that trust with our customers, and we have to build that trust with our employees.”

Zoe Strickland, vice president and chief privacy officer of Wal-Mart Stores, Inc. says, “I don’t think you get the same support for privacy and security training unless leadership understands how training fits into your corporate mission and culture and that it reflects your goals and values.”

Significantly increasing training success

Once a compliance officer identifies the legitimate business case for privacy and security training, industry leaders we interviewed emphasized the importance of cultivating leadership buy-in. John Block, director of compliance curriculum at MediaPro, Inc. says that “engaging the support for the training initiative from managers and stakeholders is one of the most important tasks for an information security professional. It will have more influence on the success (or lack of success) of training than any other factor.” Block adds that “Management support can range from endorsing training, which is passive support, to actively participating in the planning and implementation of training. The odds of your training being successful increase significantly the more active managers are in the process.”

“Our research consistently shows that C-level executive buy-in is vital to an organization’s willingness to allocate sufficient resources for the implementation of effective security training,” says Larry Ponemon. “If the executive suite fails to appreciate the risks, and their role in setting a strong example from the corner office, the information security team has a steep, uphill battle.”

This doesn’t appear to be a problem at Microsoft, notes Michael Jernigan, Microsoft’s compliance training manager in the Office of Legal Compliance. “The impetus behind the training requirement is actually coming from our board of directors. They have said, ‘You will do this as a company, and this is important.’ And they’ve given us a specific amount of time for compliance training that we can do annually.” Jernigan continues, “The fact that Microsoft CEO Steve Ballmer is supporting it by providing the introductions to the training in a video clip…the fact that the executives are involved, either on video or through training launch communications…the fact that the executives talk about the importance of compliance…that’s what establishes the importance of completing the training as far as our employees are concerned.”

Building your team

So, how do you build your team of “white knights” within the leadership structure? How do you identify stakeholder team members? “I think you identify two, three, four, five key stakeholders and they become your core team—and that would include subject matter experts for each of the topics and your technical support people,” says Microsoft’s Jernigan. “You have to know who your core stakeholders are, who the key players are. I think one mistake that a lot of people make is they try to involve too many people. And when you do that, you start making training decisions by committee, and pretty soon things start falling apart.”

Wal-Mart’s Zoe Strickland has built an eclectic team. “As an example, I have a team member who has a law degree and knows a lot about emerging laws, emerging technology, emerging standards, and things of that nature. And another team member has a lot of store experience. He can really understand how the stores operate and manage data. You want to think about a blend of skill sets. For Wal-Mart it was important to get a blend of different people; some who’d been here many years and others who brought new blood.”

Your elevator speech

When approaching leaders to get their buy-in, “have your elevator speech ready,” advises Cara Gorsuch, who is responsible for Enterprise Information Security Policies and Awareness at Supervalu. “Management is going to ask, ‘Why is this important?’ It is critical that they understand the value that training and awareness would add to the organization. Going in unprepared when meeting with executive or senior management means you are wasting their time. So do your homework and get to know who your audience is…that’s part of what you have to do to win support. What are their concerns? What are their objectives? Tell them how your plan helps them meet their objectives, and come prepared with answers to their likely concerns.”

And once you do identify the executives and managers you want to recruit to your leadership team, it's important to speak to them in their “native tongue,” says Karen Sutherland of the Sacramento Municipal Utility District's QA and IT Training Group. “If I’m talking to accounting,” she says, “I’m talking in numbers. If I’m talking to customer service, I’m talking in ‘customer-service-speak.’ If I’m talking to business technology, I’m talking ‘techie’…it doesn’t do any good to go in with ‘training speak,’ and talk about blended learning styles and role development and storyboards; none of that rings true to them.”

Sutherland continues, “What you need to say to them is, very succinctly: ‘At the end of the day you want to have your folks do X, Y, and Z to protect information, and here’s how we’re going to help you do that. We owe it to our customers to maintain their information in a safe and secure manner. It is imperative. We also owe it to our employees. How do we minimize their risk? What do they need to do? And, of course, why is it critical to the organization?’”

They really want to pitch in

“One of the things we’ve learned from winning involvement and support from managers and stakeholders is that once we get them onboard, once we have a win-win relationship with them, they really want to pitch in!” says Sutherland.

“Having designed privacy and security training for dozens of enterprises, we’ve seen how important management and stakeholder support is to the process,” says John Block. “The odds of training being successful increase significantly. And support is important before, during, and after the training. Unless managers reinforce the knowledge and the expected behavior changes, then the impact of the training will be short-lived.”

MediaPro would like to thank Richard Purcell, Karen Sutherland, Larry Ponemon, Gregory Maher, Sandra Hughes, Michael Jernigan, Cara Gorsuch, and Zoe Strickland for their contributions to this article. John Block has worked in the training industry for close to 30 years and directs the development of compliance courses at MediaPro, Inc. He can be reached at [email protected].


Promoting privacy to your IT group: The CIPP/IT pilot project

By Jennifer L. Saunders

“I found that by preparing for the CIPP/IT certification I was able to develop an appreciation and a level of awareness for privacy I didn’t have before. I believe this awareness will allow me to think broader and consider impacts beyond the immediate solutions.” — Employee, Walmart Stores, Inc.

“The training heightened my awareness when considering data and its sensitivity.” — Employee, California Office of Privacy Protection

“It made clear the increasing overlap and interdependence between privacy and IT security.” — Employee, Hewlett-Packard Corporation

And so has been the response to the CIPP/IT, the IAPP’s newest privacy certification, which was recently introduced to the IT departments of various IAPP member organizations through a pilot project organized by the IAPP and profiled at a recent networking session by IAPP Assistant Director Peter Kosmala, CIPP.

Just as the CIPP/G is aimed at U.S. government employees and the CIPP/C is tailored for the Canadian privacy professional, the new CIPP/IT designation has been created to suit a specific audience: IT professionals. The CIPP/IT establishes educational and testing standards in IT privacy while objectively assessing the understanding of data protection principles and practices in the design and development of IT products and services, Kosmala explained.

The CIPP/IT credential has been designed with an eye toward those professionals who are responsible for the creation, testing, implementation or auditing of IT products and services—including enterprise system architects, information security professionals, software developers and risk compliance managers, to name a few—for private- and public-sector organizations. It also benefits privacy, risk management and compliance professionals who desire more knowledge about the intersection of privacy and IT.

In developing the new credential, the IAPP coordinated its CIPP/IT Case Study Project to explore the process and results of bringing the program to varied IT groups. The project involved a state/government agency, the California Office of Privacy Protection, as well as global retail corporation Walmart Stores, Inc., and international technology company Hewlett-Packard Corporation. Participants went through CIPP/IT training and tested to receive their certification. The case study included an extensive interview process as well as analyses of the privacy concerns and understanding of the participants both prior to and after the CIPP/IT training and testing.

The six-part CIPP/IT program focuses on the information lifecycle from the IT perspective, end-user privacy expectations, privacy protection mechanisms, providing notice and choice, auditing and enforcing IT privacy compliance, and implementing technologies with privacy impacts.

Kosmala was joined by Walmart Privacy Director Sol Bermann, CIPP; Minnesota Privacy Consultants President Jay Cline, CIPP, and Susan Smith, CIPP, privacy officer for Hewlett-Packard Company’s Americas Region, in sharing the outcomes of the pilot project with IAPP members at the recent Global Privacy Summit in Washington, DC, in April.

The session was aimed at organizations considering pursuing IT privacy certification as well as those seeking more information on the topic of IT privacy. The panelists shared reactions from IT developers and engineers, information security, physical security and IT compliance professionals on ways the CIPP/IT informed the day-to-day work they do as well as helped them meet the privacy and security challenges they face.

Essentially, Kosmala said, the CIPP/IT is for those responsible for any phase of the IT process as well as for privacy professionals who want to be better versed in information technology.

Smith, too, pointed out that the credential is not just for IT professionals, noting how important it is for marketers and privacy professionals to understand the IT part of the equation and how it relates to privacy implications.

When it comes to balancing privacy and technology, Kosmala explained, the CIPP/IT education and assessment provides a way to facilitate dialogue between the IT, information security, privacy and compliance groups within an organization.

The feedback from the pilot participants and the outcome of the training and assessments have indicated that the CIPP/IT increases IT professionals’ comprehension of what constitutes personal data and privacy incidents and can help boost their engagement on privacy issues.

Moreover, Kosmala explained, the case study results demonstrated how the CIPP/IT measurably improves the ability of candidates to spot privacy issues across a variety of common IT functions and processes and then escalate or delegate these as necessary.

In summing up the CIPP/IT for the audience at the recent Global Privacy Summit, Bermann noted, “It’s been a great bridge-builder,” providing a much higher level of understanding between privacy and IT.

And in response to audience members’ questions on how the CIPP/IT will affect personal opportunities, Cline said, “Having this certification can only help you.”

For more information on the CIPP/IT, visit www.privacyassociation.org/certification/ or e-mail [email protected].


Amended German data protection law requires new agreements with data processors

By Thomas Helbing

The German data protection law was revised in 2009 and obliges parties to data processing agreements to include in their contracts clauses on breach notifications, audit rights, subcontracting, and a couple of other aspects.

Nonconforming contracts can trigger administrative fines of up to €50,000. Agreements already in place should be reviewed and policies implemented to ensure the compliance of future contracts.

Which contractual relationships are affected?

Any agreement under which a third party is storing, using, or otherwise processing personal data for your company must meet the new requirements, in particular if entered into, renewed, or amended after September 1, 2009. These so-called controller-processor relationships (Auftragsdatenverarbeitungs-Verhältnisse) exist if a service provider is processing personal data for and on behalf of your company or has access to your data.

Personal data means any information that can be linked to an individual, for example, shipping addresses or purchase histories of your customers, contact information of business partners, or employee data such as name, position, curriculum vitae, or salary.

The new rules also cover intra-group situations, for example, if a parent company is operating a centralized customer database or a human resources information system that stores customer data or employee data of its subsidiaries.

Examples of possibly affected relationships are:

• service agreements with payroll processors or archiving service providers

• agreements with call centers or direct marketing service providers (mailings, newsletter delivery, lettershops)

• contracts with companies hosting human resources information systems (HRIS) or customer relationship management (CRM) tools

• agreements with external auditors or maintenance service providers

• other agreements on the provision of IT resources (e.g. application service providing, cloud computing, software as a service, Web site hosting, online storage).

These controller-processor relationships have to be distinguished from situations in which a company has not merely outsourced the data processing but an entire function (e.g. the customer care department). These cases are referred to as controller-controller relationships (Funktionsübertragungen) and are subject to different and even stricter data protection regulations. The distinction between controller-processor and controller-controller relationships is difficult and must be made on a case-by-case analysis.

What does the new law require?

The old law, which was in force until August 31, 2009, already contained basic requirements for controller-processor agreements. These have now been extended and detailed.

Since September 1, 2009, parties must set forth in a written agreement, in particular:

• the scope of the personal data processed by the provider and the way in which and the purpose for which data is collected, used, and processed by the processor

• the controller's rights to give instructions to the data processor

• technical and organizational measures to be implemented by the processor to ensure data security

• correction, deletion, and locking of data by the data processor

• the processor's right to subcontract or outsource parts of the processing

• the processor's obligations to appoint a data protection officer and to bind its employees in writing to data secrecy

• audit rights of the controller

• the processor's data breach notification obligations

• the procedure of return and deletion of data at the end of the contract.

See, German data protection law, page 10


German data protection law, continued from page 9

The controller is fully responsible for the lawfulness of the data processing by the processor and compliance with these mandatory contractual provisions. Also, the German Federal Data Protection Act (Bundesdatenschutzgesetz) expressly states that controllers must diligently select processors, taking into account the technical and organizational security measures implemented by the processor. Controllers must also audit processors regularly and record the results.

If the data processor is established outside the European Economic Area (EEA), additional measures have to be met in order to ensure an "adequate level of data protection" at the processor. To accomplish this, many companies use the "EU model clauses for the transfer of personal data to processors established in third countries." Unfortunately, these model clauses do not fully cover the new strict requirements of the German law. For example, the model clauses contain only vague data breach notification obligations. Therefore, if data processors outside the EEA process business-critical data, the model clauses should be accompanied by additional contractual provisions.

What are possible sanctions and how likely are they?

Data protection authorities can impose administrative fines of up to €50,000 on companies having insufficient controller-processor agreements. In case of a data breach at the data processor, the data controller can become subject to damage claims of the individuals concerned. Further, data protection officers negligently failing to implement the new rules could become liable vis-à-vis their company.

Controller-processor agreements are usually not audited by data protection authorities without reason, but upon a complaint by an individual, authorities start investigations and in this course can ask companies to provide applicable agreements.

Investigations can also be initiated in case of a data breach. Since the German legislature has recently introduced breach notification obligations, privacy violations are more likely to come to the attention of authorities.

Recommended steps

Short term:

• Identify all situations where your company is a data controller in a controller-processor relationship and rank these relationships using the following criteria: (i) amount of data, (ii) sensitivity of the data, (iii) business relevance of the data, and (iv) status of the processor (group company, establishment within or outside the EEA, results of prior audits)

• Review business-critical agreements and amend where necessary

Midterm:

• Implement internal policies, templates, and checklists to ensure that future agreements are compliant

• Implement procedures to regularly audit processors

• Update old agreements stepwise (e.g. upon contract renewals)

Thomas Helbing is a German lawyer specializing in data protection, privacy, and IT law. From 2004 to 2009 he practiced at a leading international commercial law firm in the fields of technology, media, and telecommunications. He can be reached at [email protected] or www.thomashelbing.com.

Teens talk to strangers

A Harris Interactive study of 955 teenagers ages 13-17 revealed that 69 percent of respondents admitted to divulging their physical location while online. Twenty-eight percent said they chatted with strangers online.

Source: USA Today

Privacy Trust Scores Revealed

The Ponemon Institute probed 9,000 U.S. adults about how well government agencies protect their privacy, finding that the U.S. Postal Service is the most trusted government agency among respondents when it comes to data protection.

Source: Federal Computer Week

Investing in Privacy

Venture capitalists are seeing the value of investing in privacy-related startups. Recent funding rounds have resulted in tens of millions of dollars for such companies, and some VC firms are “actively looking for more (privacy) deals.”

Source: The Wall Street Journal


Calendar of Events

JULY

1 Privacy Tracker call, www.privacytracker.org

13 IAPP KnowledgeNet, Minneapolis, MN, www.privacyassociation.org/knowledgenet

15 Privacy Papers for Policy Makers call for papers deadline, www.futureofprivacy.org/

SEPTEMBER

22-24 OTA Online Trust & Cybersecurity Forum, Washington DC, www.otalliance.org/dcforum.html

29 Sept.-1 Oct. IAPP Privacy Academy, Baltimore, MD, www.privacyassociation.org/academy

30 IAPP Privacy Dinner, Baltimore, MD, www.privacyassociation.org

OCTOBER

14 Privacy After Hours

25-26 OECD Conference on Privacy, Technology and Global Data Flows, Jerusalem, Israel, www.facebook.com/event.php?eid=307952316566&ref=mf

27-29 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, Israel, www.facebook.com/pages/Intl-Data-Protection-and-Privacy-Commissioners-Conference-Jerusalem-2010/242523689526

NOVEMBER

29-30 IAPP Europe Data Protection Congress, Paris, France

DECEMBER

8-9 IAPP Practical Privacy Series, Washington, DC, www.privacyassociation.org

For certification testing dates go to www.privacyassociation.org.

For upcoming KnowledgeNet dates go to www.privacyassociation.org.


Privacy and the Vancouver Olympics: Games over, cameras going away

This report marks the first in an ongoing series on balancing privacy considerations with security concerns at large-scale international events.

By Jennifer L. Saunders

The 2010 Vancouver Winter Olympics marked the first time the games would be held on the North American continent in the post-9/11 world of enhanced security considerations after the terrorist attacks against the United States. With the games came increased concerns about protecting the international athletes and visitors who would flock to Vancouver to take part in the Olympics, and with those concerns came the need to balance personal privacy with personal safety.

Enter the federal and provincial privacy commissioners, who worked with Olympic officials and the city of Vancouver to ensure that such security measures as the addition of some 900 security cameras to the Olympic venues would be removed once the games concluded.

In the months leading up to the games, the Office of the Privacy Commissioner of Canada (OPC) and the Office of the Information and Privacy Commissioner of British Columbia (OIPC) issued a release detailing the efforts to balance security and privacy concerns during the 2010 Olympic and Paralympic Games.

Keeping attendees safe was to be of “paramount importance,” the commissioners had announced, but it would also be crucial that officials respect the “privacy of individuals and the integrity of their personal information—before, during, and after the games.”

As Assistant Privacy Commissioner Chantal Bernier put it prior to the games, privacy and security “are not mutually exclusive; in fact, they are mutually reinforcing. And that is the message we are working to convey to security officials at the Olympics.”

“Throughout the 18 months of planning, our project manager provided updates and completed a privacy impact assessment for the provincial privacy commissioner as required under provincial privacy laws,” Vancouver Director of Emergency Management Kevin Wallinger told the Privacy Advisor, explaining that the city’s CCTV system “was developed with the full understanding that it would be a temporary system which would only be used during the Olympics.”

With the games concluded, it appears that the goal of balancing the issues of privacy and security has been attained.

Nicole Baer of the OPC confirmed that separate video surveillance cameras were installed by the Integrated Security Unit (ISU) for the Vancouver 2010 Olympics and the city of Vancouver.

The ISU, which reported to the federal privacy commissioner, “has advised us that approximately 900 surveillance cameras that were installed under contract as part of the perimeter intrusion detection system…are in the process of being removed,” she told the Privacy Advisor following the conclusion of the games.

R. Kyle Friesen, the ISU’s chief privacy officer, explained that the RCMP, which was responsible for “retention and disposal of personal information collected by the perimeter intrusion detection system cameras and existing venue security systems that protected Olympic and Paralympic security zones during the games,” had guidelines in place for addressing the collection, use, and disposal of the images.

“I can confirm that the approximately 900 surveillance cameras that were part of the V2010 Integrated Security Unit contract associated to the perimeter intrusion detection system at competition and non-competition Winter Olympic and Paralympic venues are in the process of being removed as part of the service contract,” ISU Director of Public Affairs and Media Relations Dawn Roberts confirmed in a statement to the Privacy Advisor.


Roberts explained that in the small number of instances where cameras captured activities that could be related to possible criminal offenses, “images have been retained for criminal investigative purposes by the police of local jurisdiction.”

Wallinger, meanwhile, explained that Vancouver’s emergency management office’s system, used in downtown areas during the games, was completely unrelated to systems put in place by the ISU.

“In the spring of 2009, Vancouver City Council approved the use of a temporary CCTV system to assist with enhanced situational awareness for increased public safety in the city’s entertainment district, pedestrianised corridors, and two celebration sites,” Wallinger told the Privacy Advisor, with the system put into place this past January and becoming operational on Feb. 2. The system’s features included a state-of-the-art control room that was staffed continuously while the games were underway during the months of February and March.

In instances where a potential incident was detected, personally identifiable information would only be collected should follow-up be required, Wallinger noted, and images were stored for no more than 21 days, a time period well within the guidelines of privacy laws, which allow for up to 30 days in general and up to one year if required as part of an investigation.

“On completion of the Paralympic Games, the cameras, servers, and related infrastructure were shut down, with the cameras physically removed by April 2,” Wallinger said.

Neither the city of Vancouver nor the nation can be called a stranger to large-scale events, but in the post-9/11 world, Baer agreed that the OPC may begin looking at guidelines to address privacy and security at such events in the future.

“We do, in fact, already have the seeds of such guidelines because, in relation to the Olympics, we outlined a framework that ought to guide the ISU in its security measures before, during, and after the games,” she said.

The framework focuses on striking an appropriate balance between privacy and security, based on Canada’s Privacy Act, other laws, and a series of Supreme Court decisions that show, first and foremost, that, “The inherent right to privacy can only give way to another equally compelling public good, such as public safety, and only under strict conditions” and that any invasion of privacy must be “reasonable and proportionate.”

Jim Burrows of BC’s OIPC agreed that the importance of balancing security and privacy throughout the planning process was evidenced in discussions with the public safety organizations and privacy offices involved.

In the end, he said, “It certainly turned out the way we would have liked it to.”

10 in 2010

Kathleen Street, CIPP

As part of a yearlong celebration of the IAPP’s tenth anniversary, this month the Privacy Advisor chats with member and privacy officer for Children’s Health System in Birmingham, Alabama, Kathleen Street. Children’s Health System is a teaching hospital affiliated with the University of Alabama School of Medicine and is one of the busiest pediatric centers in the country. Kathleen has been an IAPP member since 2005 and is a former member of the IAPP Publications Advisory Board.

Privacy Advisor: Was the children's healthcare privacy triumvirate an intentional career path or something you fell into?

Kathleen Street: Children’s healthcare privacy was, fortunately, both. I’ve always had a calling to protect patient confidentiality, and when HIPAA Privacy came along, it was a natural fit. When I began saying HIPAA compliance was being “HIPAA-rific,” they realized they have a children’s privacy cheerleader too!

Privacy Advisor: Working in children's healthcare must pose some unique privacy challenges. How does the fact that children are involved in your work impact your concerns?

Kathleen Street: Kids have their whole future ahead of them and are counting on the privacy program to keep that information confidential for years ahead. When we work with adolescents, a main concern is for our clinicians to reach an agreement up front with the teens and their parents on how to handle a teenager’s privacy. Trust is key. The children must be assured that they can confide in us so we can give them the best healthcare to meet their growing needs.


Scenes from the symposium

This year’s IAPP Canada Privacy Symposium was bigger and better than ever before. Privacy pros convened at Ryerson University in the heart of Toronto for three days of learning, networking, and inspiration.

(Above) A packed house at the opening general session.

(Left) Privacy Commissioner Jennifer Stoddart announces the appointment of Robin Gould-Soil (left) to head the Toronto office of the federal privacy commissioner.

(Above) A captivated audience surrounded by the architecture of Frank Gehry.

The Ryerson halls transformed to house exhibitors.

(Left) Keynote speaker Robin Bienfait, chief information officer at Research in Motion.

(Right) Great works and great networking at the Art Gallery of Ontario during the Privacy Symposium Soirée.

Terry McQuay, of Nymity, Inc., instructs attendees during Canadian Privacy Bootcamp.

Managing director of IAPP Canada, Kris Klein, tries to keep a straight face while the “newlyweds” debate the issues.

Alberta Information and Privacy Commissioner Frank Work (left), Mimi LePage, CPO of the Canadian Institute for Health Information, and Holt Renfrew CPO Lorne MacDougal play the newlywed game—privacy style.

Congratulations, Certified Professionals!

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The following individuals successfully completed IAPP privacy certification examinations held in early 2010.

Lee Aber, CIPP/IT
Don Rene Adams, CIPP/IT
Mohammed Junaid Ahmed, CIPP/IT
Murali Krishnan Aiyer, CIPP/IT
Daren Arnold, CIPP
Swapan Arora, CIPP
Christopher Avery, CIPP
Kerstin Bagus, CIPP/C
Tamara L. Baker, CIPP/G
Michael Elliott Baker, CIPP/IT
Brenda G. Bandy, CIPP/G
Michael F. Barcena, CIPP/IT
Ryan D. Barker, CIPP/C
Barbara Lynn Barnhart, CIPP/G
Courtney R. Barton, CIPP
Christopher Adam Bell, CIPP
Nancy Bernstein, CIPP
Paul David Bilderback, CIPP/IT
Rose Marie Bird, CIPP/G
Sandra Marie Black, CIPP
Stacey Cordell Bolton, CIPP
Kermit H. Bonner III, CIPP/IT
Lori G. Booker, CIPP
Jozette Booth, CIPP/G
Saralee Cowles Boteler, CIPP/G
Cecilia C. Boudreau, CIPP
Meredith L. Bray, CIPP
Jennifer Rachel Brinkley, CIPP
Kathryn Ryland Brown, CIPP
Sheldon Eisen Brown, CIPP/IT
Matthew Thomas Brown, CIPP
Victoria A. Bruce, CIPP/G
Marlina Anne Bryant, CIPP/G
Sharon Alisa Budman, CIPP/IT
Ashley L. Bushore, CIPP
Kirsten A. Busse, CIPP
Chad Butler, CIPP/IT
Valerie Pellegrini Calogero, CIPP/G
Angelo R. Calvache, CIPP/IT
Edward Josepp Capizzi, CIPP/IT
Amy Carlson, CIPP
Kathleen Mary Carroll, CIPP/G
Charles Allen Castille, CIPP/IT
Stephanie L. Cervantes, CIPP/IT
Nikita Lyn Charles, CIPP
Shampa Chatterjee, CIPP/IT
Elisa Kim Choi, CIPP/IT
Kristie Chon, CIPP
Zachary Scott Christie, CIPP
Patrick Dean Conley, CIPP/IT
Henry James Corscadden, CIPP
Thomas Coskey, CIPP
Riley J. Cowdery, CIPP
Marisol Cruz, CIPP/G
Michael Cullen, CIPP
Kuo W. David, CIPP/IT
Nathan James Deahl, CIPP/G
Mike Thomas Deshazer, CIPP/IT
Charlene A. Dickerson, CIPP
Jeannette Diglio Wiecks, CIPP
Laura Dishman, CIPP
Michael J. Dorrian, CIPP
Teresa K. Drabenstadt, CIPP
Joshua Thomas Drumwright, CIPP/G
Sandra M. D’Souza-Smith, CIPP/G
Matt Edward Dumiak, CIPP
Donna J. Durkin, CIPP
Emily Hope Dyer, CIPP
Serenity Lynn Edwards, CIPP/G
Larry Elmasian, CIPP/IT
Joshua Alan Estep, CIPP/IT
Grace J. Eyiba, CIPP/G
Meghan Kathleen Farmer, CIPP
Christopher Allen Farris, CIPP/IT
Anne Marie Fealey, CIPP/G
Kevin Howard Felder, CIPP/IT
Mike Ferrier, CIPP
Andrea M. Flanigan, CIPP
Gregory Charles Foley, CIPP/G
Helen Goff Foster, CIPP/G
Neal Jones Francom, CIPP
Kyle Friedman, CIPP/IT
Thomas Lafate Funk, CIPP/IT
John Gamble, CIPP
Christopher Edwards Garlington, CIPP/IT
Matthew Paul Garvey, CIPP
Mary Garzillo, CIPP
Tamika R. Gatson, CIPP
Brian T. Geffert, CIPP/IT
Dona-Marie Geoffrion, CIPP/IT
Amelia Morrow Gerlicher, CIPP
Ryan Gibbons, CIPP
Anita Todd Gibson, CIPP/G
Sean Gill, CIPP/IT
Janine Veronica Grabowski, CIPP
Megan E. Gradek, CIPP
John B. Graham, CIPP
Paul H. Gray, CIPP
Philip McKinley Greene, CIPP/C
Darren Earnest Gunlock, CIPP/G
Richa Johri Gupta, CIPP
Katherine Marie Harman-Stokes, CIPP/G
Felix Jose Haro Castillo, CIPP
Cassandra L. Harris, CIPP/G
Nancy Hendricks, CIPP/G
Kimberley N. Hess, CIPP/IT
Michael David Hintze, CIPP/G
Jason Park Ming Ho, CIPP/IT
Daniel Lee Hodge, CIPP/IT
James Adam Holland, CIPP/IT
Neil A. Holloway, CIPP/IT
Kathryn Lewis Holt, CIPP/IT
Jenny Lee Hoots, CIPP
Lynette None Hornung Kobes, CIPP
Pamela S. Hrubey, CIPP
Terrall E. Hughley, CIPP/G
Gary Glenn Hummel, CIPP/IT
Charles Hurr, CIPP
Brian Huseman, CIPP
Rebecca Hutchings, CIPP/G
Brandon Ivy, CIPP/IT
Janice McFadden Jackson, CIPP/G
Ross T. Janssen, CIPP/IT
Tara Michelle Jaques, CIPP/IT
Mark Dennis John, CIPP/IT
Robin Jones, CIPP/IT
Wendy A. Kacer, CIPP/IT
Rick L. Kam, CIPP
Victoria Kane, CIPP
Stacey Rose Keegan, CIPP
Stephanie J. Kelly, CIPP
Michael Martin Kessler, CIPP
Ash Khan, CIPP
Jane Kim, CIPP/G
Blaine Christopher Kimrey, CIPP
Kimberley Lee Kinsley, CIPP
Kirk Benton Koehler, CIPP/IT
Katharina Kopp, CIPP/G
Dori Anne Kuchinsky, CIPP
David Keith Langston, CIPP/IT
Paul Peter Laurino, CIPP
Merri Beth Lavagnino, CIPP/IT
Laura Jean Lazarczyk, CIPP/IT
Diem T. Le, CIPP/G
Andrea Lisa Leeb, CIPP
Zihua Li, CIPP
Jay Libove, CIPP/IT
Randy Lima, CIPP/IT
Lori Linck, CIPP
Michael S. Lines, CIPP
Judy Lynn Macior, CIPP/IT
Patrick Macnamara, CIPP/IT
Varun Maheshwari, CIPP
Jane Patricia Maring, CIPP/IT
Timothy John Marley, CIPP
James R. McCullagh, CIPP
Hattie E. McKelvey, CIPP/IT
Joanne B. McNabb, CIPP/IT
Sarika Sudhir Mehta, CIPP
Denise Sanchez Mellor, CIPP/IT
Jacqueline E. Miller, CIPP
Richard J. Miller, CIPP
Jessica Marie Miller, CIPP/IT
Lori Linn Mininger, CIPP/IT
Daniel Montoya, CIPP/IT
Todd J. Moore, CIPP
Dale Francis Morgan, CIPP/IT
Frank Morgan, CIPP
Glenn Hector Morton, CIPP/IT
Dionna A. Moses, CIPP/IT
Namrta Moudgil, CIPP
Gus H. Mutscher, CIPP/IT
Yogesh Haridas Naik, CIPP
Roin Z. Nance, CIPP/IT
Michael R. Nealis, CIPP/IT
Vishwanath Thejasvi Nemani, CIPP
Jade Nester, CIPP/G
John David Newton, CIPP/G
John Leslie Nicholson, CIPP
Jeffrey Lee Nicholson, CIPP/G
Frank A. Nigro, CIPP
Elaine E. O’brien, CIPP/IT
Margareth Opanga, CIPP
Debra Jo Orozco, CIPP/IT
Charles Reedy Papas, CIPP/G
Deepak Parashar, CIPP
Augustin Keith Parker, CIPP/IT
Lynn Parker, CIPP/G
Prasad Vithal Patkar, CIPP
Catherine A. Penafiel, CIPP/IT
Michelle Perez, CIPP
Morgan Elyse Peterson, CIPP/IT
Sharon Philip, CIPP
Renee J. Phillips, CIPP
Michael Mitchell Plostock, CIPP/IT
Molly A. Plummer, CIPP
Mark William Poole, CIPP/IT
Stephan Potgieter, CIPP/IT
Christopher R. Preston, CIPP/G
Taslimm Gulamhussain Quraishi, CIPP/IT
Kris Otto Radmer, CIPP/IT
Ishwar Ramsingh, CIPP/IT
Christopher Kevin Rasmussen, CIPP/G
Meme Jacobs Rassmussen, CIPP
Komal Rastogi, CIPP
David Revuelta, CIPP
Laurie Lee Rhea, CIPP/IT
Alex Ricardo, CIPP
Steven P. Richards, CIPP/G
Leigh Gordon Riese, CIPP
Sarita Rijhwani, CIPP/IT
Michele L. Robinson, CIPP/IT
E. Gayle Rucker, CIPP/IT
William O. Rutherford, CIPP/G
Karim A. Said, CIPP/G
Vinny T. Sakore, CIPP/IT
Yvette Hamilton Sanders, CIPP/G
Mark A. Sandler, CIPP
James K. Sasaki, CIPP/IT
Eric Allen Sasano, CIPP/IT
Sudhakar Sathiyamurthy, CIPP
Angela Marie Saverice-Rohan, CIPP
Kenneth Henderson Schell, CIPP
Terry M. Schrader, CIPP/IT
Edward Sclafani, CIPP/IT
Christine A. Sevener, CIPP
Michael Sewell, CIPP
Siddhartha Sharma, CIPP/G
Robert Daniel Shelby, CIPP/IT
Murrell Gene Shields, CIPP/G
Stephanie Maree Showell, CIPP/G
Marc Anthony Signorino, CIPP
Alan Michael Silva, CIPP/IT
Narayani Sivaprakasapillai, CIPP/IT
Amber Amaretta Smith, CIPP
Christina Nicole Smith, CIPP
Christy Ann Snider, CIPP/G
Teresa Soria, CIPP/IT
Richard H. Speidel, CIPP/G
Toby Allen Spry, CIPP
Lakshminarayanan Srinivasan, CIPP
Praveen Srivastava, CIPP
Tushar Srivastava, CIPP
David Murray Starler, CIPP
Andrew J. Stevenson, CIPP/G
Jennifer Ann Stewart, CIPP/IT
Ruth Strebe-Motes, CIPP/IT
Zoe Claire Strickland, CIPP/IT
Kathleen M. Styles, CIPP/G
Eileen Mary Sullivan, CIPP/G
Owen M. Sweeney, Jr., CIPP
Michael Wayne Tabor, CIPP/IT
Scott Taylor, CIPP
Kathy Reaves Tennessee, CIPP/G
Cheryl Tomlinson, CIPP
Christina Totaro, CIPP
Robert Kurt Tucker, CIPP/IT
William A. Turner, CIPP/IT
Lisa A. Tuttle, CIPP/IT
Angela Van Veckhoven, CIPP/G
Daniel Vigano, CIPP/G
Cindy Wamsley, CIPP/G
Kenneth Casey Watkins, CIPP/IT
Mark S. Wegehaupt, CIPP
Christopher J. Weldon, CIPP
Timothy Hugh West, CIPP
Dale Wilson White, CIPP/IT
Frederick Eugene Whiteside, CIPP/G
Ronald Paul Whitworth, CIPP
Brent Aron Williams, CIPP/IT
Lisia Williams, CIPP/G
Taylor Erin Williams, CIPP/G
Jeffrey William Woodward, CIPP/G
Melissa Ann Yandell, CIPP/IT
Jimmy Chee Ming Yip, CIPP/IT
Chris Zoladz, CIPP/G

Global Privacy Dispatches

CANADA

By John Jager

Cloud computing paper

In March 2010, the Office of the Privacy Commissioner of Canada (OPC) published a paper that discusses the privacy issues raised by the increasing use of cloud computing, including issues related to jurisdiction, security, misuse of data, data retention, and lawful access.

The OPC notes that problems of jurisdiction can arise as the data may be collected, used or stored in more than one jurisdiction. Organizations that use cloud computing applications need to be fully aware of which jurisdictions the personal information of their customers and/or employees may become subject to, since that information may fall under the laws of multiple countries.

As cloud computing is by nature an Internet-based application, the security of information transferred becomes a significant concern. Experts note that encryption should be used to protect data; however, in most cases such security features are not being used. Data in storage should also be encrypted to ensure that it is not accessible by those without proper authorization.

Data held in organizations’ mainframe databases are directly within the control of the organization; however, in the cloud computing model the cloud computing service provider may be able to access the information without the knowledge or consent of the organizations or the individual. Therefore, there are risks of the cloud computing provider using the information for its own, and unapproved, purposes, such as data mining.

Personal information held in the cloud raises additional concerns relating to lawful access by organizations such as law enforcement agencies. For example, if many organizations use a centralized cloud computing infrastructure, a lawful access request to the cloud computing service provider may expose the information held by all the organizations using that service provider. In addition, lawful access requests to cloud computing service providers significantly increase the likelihood that individuals and the organizations to which individuals have provided their personal information will be unaware of such access to their data.

Organizations are required by the Personal Information Protection and Electronic Documents Act (PIPEDA) to retain personal information for only as long as the information is required for the purposes for which it was collected or as required by law. When storing data in the cloud, organizations must ensure that the cloud computing service providers have measures in place to properly dispose of all records in the cloud infrastructure. Contracts with cloud service providers should include specific requirements as to when and how information will be removed from the cloud.

Cloud service providers should be considered as outsourcers. Therefore, organizations must put in place specific contractual measures with the service provider to secure the information, require the service provider to provide privacy controls equal to or greater than those of the organization sharing the data, and ensure access and right of correction to individuals whose information is stored on the service provider’s cloud infrastructure.

The OPC noted that its jurisdiction over personal information can extend across national borders where there is the presence of a real and substantial connection between the wrongdoing and the jurisdiction. The paper provides an overview of the case of Lawson v. Accusearch, Inc., and noted that “Accusearch, then, establishes that notwithstanding the extraterritoriality of a company or Web site, where the privacy commissioner of Canada has jurisdiction over the subject matter of a complaint and can establish a real and substantial connection to Canada, she may exert jurisdiction over the complaint.”

The OPC noted that complaints about cloud computing are likely to arise from one of the four following situations:

• an organization choosing to use cloud infrastructure for data storage and/or processing;

• an organization or government body creating a private cloud infrastructure to facilitate information sharing within its environs;

• an individual user who interacts with a cloud application; or

• the misuse of data by a cloud infrastructure provider to whom it has been provided.

In the first situation, this action would be considered a transfer for processing. Principle 4.1.3 requires that the service provider provide a comparable level of protection for the information.

Page 19: Ubiquitous biometrics - International Association of Privacy … · 2012. 2. 29. · biometrics for national security and everyday con-veniences. Dr. Gray is correct about the rapid

In the second, third, and fourth situations, the provisions of the applicable legislation (i.e., PIPEDA or the Privacy Act) would apply to the complaint.

In summary, while cloud computing creates significant benefits for organizations, those organizations need to be fully aware of all of the risks associated with these applications and put in place appropriate measures to fully protect the personal information being entrusted to the cloud.

John Jager, CIPP/C, is vice president of research services at Nymity, Inc., which offers Web-based privacy support to help organizations control their privacy risk. He can be reached at [email protected].

GERMANY

By Flemming Moos

Federal Ministry of the Interior: Guidelines for new employee privacy law

As announced by the German Federal Government in its privacy work program that formed part of its coalition agreement (see the Global Privacy Dispatch in the January issue of the Privacy Advisor), the German Federal Ministry of the Interior (Bundesinnenministerium - BMI) published on March 31 first guidelines for a new section on employee privacy rules to be introduced into the German Federal Data Protection Act (FDPA).

The new provisions are intended to help both companies and employees better understand their respective rights and duties and produce more legal certainty with respect to the collection and processing of employee data. All in all, the amendments shall focus on implementing existing case law by the German labour courts and on closing loopholes in the legislation.

According to the guidelines, the new legislation will centre around the following issues:

• Information from applicants: According to existing case law, an employer can only ask the candidate questions that are reasonable, legitimate, and do not amount to a disproportionate invasion of the candidate’s privacy. These limitations will be introduced into the amended FDPA.

• Medical examinations: it will be regulated in detail what kind of medical examinations and drug screening an employer might require a candidate to undergo.

• Compliance: the new provisions shall provide more clarity to the conditions under which an employer may collect and process data for compliance purposes.

• Video surveillance: the permissibility of video surveillance at the workplace shall be generally limited to what is required for vital interests of the employer.

• Location-based services: locating employees by technical means (e.g., GPS) shall only be lawful during working hours and with a view to safety interests of the employee or for the purpose of coordinating the assignment of personnel.

• Biometric procedures: biometric procedures shall be limited to what is required for identifying individuals (in particular access controls etc.).

• Internet and e-mail: the employer shall be entitled to reasonably monitor Internet and e-mail use at the workplace (in particular for security reasons as well as for compliance purposes and combating corruption).

The BMI has declared that a first draft bill shall be presented before parliamentary recess in summer 2010.

Flemming Moos is an attorney at DLA Piper in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at [email protected].

POLAND

By Jan Dhont

Internet privacy in Poland: Best practices code in the making

The Polish celebration of the Fourth International Data Protection Day on January 28 was marked by the signing of an agreement between the Inspector General for Personal Data Protection (DPA) and ‘the Interactive Advertising Bureau Polska’ (IAB Poland), the Internet industry employers’ association in Poland. The agreement aims at developing a best practices code for Internet privacy. By concluding this agreement, both the DPA and IAB Poland aim to increase awareness about data privacy and undertake joint educational and promotional activities in Internet privacy. Mr. Michał Serzycki, president of the DPA and current vice-chairman of the Article 29 Working Party, expressed his hope that, thanks to this agreement, the Internet will be used in a better and safer way.

Both parties are currently working on the best practice code, which is expected to be finalized in the coming months. The code will be published on the DPA’s Web site. More information on this development can be found at: www.giodo.gov.pl/259/id_art/631/j/en.

EUROPE

By Jan Dhont

Mandatory data-wipe for electronic devices?

Manufacturers of electronic equipment should be forced to integrate into their devices an easy and free way to delete all personal data, says the European Data Protection Supervisor (EDPS). In addition, the sale of used devices that have not been properly wiped should be prohibited.

On December 3, 2008, the European Commission adopted a proposal aimed at amending the EC Directive of January 27, 2003 on waste electrical and electronic equipment (WEEE). On April 14, 2010, the EDPS, Peter Hustinx, issued an opinion on the proposed changes to the WEEE Directive.

According to the EDPS, the commission proposal focuses solely on environmental risks and does not take into account other additional risks to individuals and organisations associated with the disposal, reuse or recycling of WEEE. The EDPS refers, in particular, to the likelihood of improper acquisition, disclosure and dissemination of personal data stored in the electrical and electronic equipment (EEE), such as personal computers, laptops, and cell phones.

In view of such risks, the EDPS emphasizes the importance of adopting appropriate security measures at every stage of the processing of personal data, including during the phase of disposal or recycling. “It would be inconsistent to introduce the duty to put in place (sometimes costly) security measures in the ordinary course of processing operations of personal data…and then simply omit to consider the introduction of adequate safeguards regarding the disposal of the WEEE.”

Those in charge of WEEE disposal operations are in a situation allowing them to make autonomous decisions regarding the data held on the EEE and could be considered data controllers under the applicable data privacy laws. They are therefore required to comply with security obligations to prevent improper disclosure of personal data and should adopt appropriate policies for disposal of WEEE containing such data. Where data controllers disposing of WEEE would not have the required skills and/or technical know-how to erase the personal data, they should entrust this task to qualified third-party processors (e.g., assistance centers, manufacturers, or distributors).

In addition, the EDPS recommends that manufacturers of EEE be forced by law to integrate privacy and data protection into the design of electrical and electronic equipment “by default,” in order to allow users to delete—using simple, free of charge means—personal data that may be present on devices, in the event of their disposal.

Finally, the EDPS recommends that legislators prohibit the marketing of used devices which have not previously undergone appropriate security measures in compliance with state-of-the-art technical standards, in order to erase any personal data they may contain.

The Opinion can be found here: www.edps.europa.eu/EDPSWEB/webdav/.

Jan Dhont heads the privacy practice of Lorenz Brussels. He specializes in data protection and privacy, telecommunications, media, and technology law. He can be reached at [email protected].

The IAPP Welcomes our Newest Corporate Members

Facebook

RR Donnelley

Kamberlaw, LLC

[Cartoon] Reprinted with permission from Slane Cartoons Limited.

Earn CPE credits with Privacy Tracker

Earn up to 12 Continuing Privacy Education (CPE) credits each year just by dialing in to monthly Privacy Tracker audio conferences. Each call is tailored to the bills and developments you ask for.

Privacy Tracker keeps you up to date on all federal and state privacy legislation. Subscribers receive weekly e-mails highlighting privacy bills on the move and access to the monthly audio calls. Privacy Tracker subscribers also enjoy exclusive access to feature stories and expert commentary on the latest legislative privacy developments.

Subscribe now at: www.privacytracker.org/

E-mail us to get a free weeklong demo at [email protected]

Ubiquitous biometrics, continued from page 5

posed by the variety of applicable laws and the unknown future laws that could be enacted, such as that proposed in New Hampshire. These risks can be mitigated with careful planning. Companies should design the more stringent privacy and security controls into new biometric systems. They should choose the least intrusive biometric to fit their particular needs, retain only numeric templates, properly secure data with encryption, avoid interoperability, and of course, fulfill the usual requirements, such as implementing comprehensive information security programs, providing effective notice to data subjects, and capturing consent before biometric collection. In doing so, companies may confidently discuss their systems with European regulators and U.S. legislators, explaining the promise of their biometric system to actually protect identity and enhance consumer convenience.

Kathy Harman-Stokes is a CIPP, attorney, and consultant on U.S. and international data privacy and protection laws, advising a wide variety of clients on privacy compliance program governance, risk mitigation, data processing, and transfers from the EU, onward transfer issues, and biometric laws. For six years, she was the associate general counsel and a corporate officer at the company that owns the GMAT, where she led her team to achieve the CNIL’s first authorization for a private company to collect biometrics and transfer them to the U.S. Previously, she was an attorney at Hogan & Hartson LLP.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

ONLINE BEHAVIORAL ADVERTISING ACCOUNTABILITY PROGRAM MANAGER, Council of BBBs, Arlington, VA

HEALTH RESEARCH PRIVACY COMPLIANCE COORDINATOR, UCLA Center for Health Policy Research, Los Angeles, CA

PRIVACY COMPLIANCE ANALYST, CUNA Mutual Group, Madison, WI

NORTH AMERICAN DATA PRIVACY MANAGER, Accenture, Reston, VA or Chicago, IL

ATTORNEY, Microsoft, Redmond, WA

NORTH AMERICA PRIVACY MANAGER, Microsoft, Bellevue, WA

SENIOR DIRECTOR, PRIVACY AND COMMUNICATIONS, LexisNexis, Washington, DC

PRIVACY OFFICER, SENIOR RISK MANAGER, Citizens Financial Group, Inc., Providence, RI

IN-HOUSE PRIVACY COUNSEL, Axiom, New York, Chicago, or San Francisco

PRIVACY OFFICER – MARKETS, Nokia, Farnborough, UK or Espoo, Finland

Privacy News

JPCA launches Puraken test

The Japan Privacy Consultants Association (JPCA), in collaboration with academic and industry interests, has launched a new privacy test—Puraken.

The test is designed to help consumers, especially younger consumers, gain knowledge about online privacy.

According to JPCA executive director Isao Idota, cybercrime involving young people is becoming a serious social issue. Idota hopes the test will help young people protect themselves.

The JPCA administered the first Puraken test at junior and senior high schools on June 1.

Privacy papers for policy makers

Future of Privacy Forum launches competition

The Future of Privacy Forum has launched a project designed to inform policymakers about important privacy issues. The FPF will accept submissions for the “Privacy Papers for Policy Makers” project through July 15. The submissions will be reviewed by academics, privacy advocates, and CPOs and will be judged on clarity, practicality, and overall utility. Those deemed most useful for policy makers will be compiled, bound, and forwarded to lawmakers and other officials in the U.S. and abroad.

Submissions should clearly analyze current and emerging privacy issues and should propose achievable short-term solutions or new means of analysis that could lead to solutions.

Send papers by July 15 to: [email protected] (use subject line “Privacy Papers Project”) or Future of Privacy Forum, 919 18th Street NW, Suite 925, Washington, DC 20006.

Submissions should include the author’s full name, phone number, and postal and e-mail addresses.

For more information, visit: www.futureofprivacy.org.

Zeltzer Hutnik named partner

Kelley Drye & Warren LLP has elected Alysa Zeltzer Hutnik as a partner at the firm’s Washington, DC offices. Zeltzer Hutnik is a member of Kelley Drye’s advertising and marketing, and privacy and information security practice groups. She specializes in compliance with federal and state laws on privacy and information security, including developing enterprise-wide privacy and information security programs, data breach response and mitigation, and information security audits.

She is the current chair of the American Bar Association’s Privacy and Information Security Committee (within the Section of Antitrust) and editor-in-chief of the ABA’s Data Security Handbook.

Seeking excellent people, organizations

Later this year, we’ll sing the praises of those whose work in the data privacy field rises above that of most. Please tell us who you think deserves this year’s innovation and vanguard awards.

The IAPP Privacy Vanguard Award recognizes the privacy professional who has demonstrated exemplary knowledge and leadership. The HP-IAPP Privacy Innovation Award recognizes the three organizations that demonstrate the year’s most effective integration of privacy programs.

Nominations will be accepted through August 13. Please visit www.privacyassociation.org and click on “About the IAPP” to find out more or to nominate a person or organization.

The 2010 award recipients will be recognized at the Privacy Dinner on September 30 in Baltimore. All IAPP members are invited to attend.

Find out more at www.privacyassociation.org.

MEMBER to MEMBER Benefit

IAPP members: Does your organization offer free or discounted products or services to other IAPP members? If so, let them know!

Advertise at a DISCOUNTED RATE here in our new member-to-member benefits section.

Contact Wills Catling at [email protected] or +1.207.351.1500, ext. 118