29th INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS
Terra Incognita: Auditing for Privacy Workshop
Chairman's Remarks
2007 International Data Protection and Privacy Commissioners' Conference, Montreal, Quebec, Canada
Workshop #3: Audit
Wednesday, September 26, :30 to 4:00 pm
Dr. Artemi Rallo Lombarte, Director, Spanish Data Protection Agency
What is Auditing? Audit vs. Inspection
- Audit: initiated by the DPA or by the data controller; a proactive overview to establish general compliance; usually results in recommendations.
- Inspection: in response to a complaint or a DPA concern; investigation of a specific area of suspected breach; can result in sanctions.
Effective enforcement requires both proactive and reactive components. In the context of this panel, we'll refer generally to "auditing" as an inclusive idea.
Spanish Auditing Process
20% Preventive Enforcement
- Systematic audits of the public and private sectors
- Results in recommendations, but a Resolution is issued too
- Includes non-audit actions: guidelines, consultations, publicity
80% Reactive Enforcement
- The law mandates the AEPD to resolve every citizen complaint
- Usually resolved with a request for voluntary information submission; the AEPD can also search in situ or issue subpoenas
- Fines are assessed for violations based on the nature of the infraction, classified as minor, serious, or very serious as defined by law
- Inspection by IT experts, who submit a factual report to the Legal Department
- The Legal Department analyzes the report, initiates sanction procedures if needed, and makes a recommendation for a Resolution
- The Director approves the Resolution; it is appealable in court
Collaborative Enforcement: Bilateral Cooperation in the EU
- 2000: The AEPD fines a content provider for posting personal data of police officers on its website. No fine to the ISP: the content was removed immediately upon injunction.
- 2006: Notification that the content still exists on a Dutch mirror site. Collaboration with the NL DPA (CBP) to remove the content: CBP sent an information request to the Dutch ISP with the AEPD Resolution on the illegality of the data attached. Immediate removal of the content by the ISP.
Cooperative strategy and tools:
- Exchange of information on the Spanish action and its outcomes
- Investigation of the site by CBP: factual (whois) and legal analysis
- Collaborative development of an enforcement strategy
- Consistent communication of actions and status
Collaborative Enforcement: Why Synchronized Auditing?
- Enforcement's goal is to increase compliance
- The biggest enforcement obstacle is resource limitations
- Synchronized enforcement can harmonize DP practices
- Information sharing and cooperation to reduce divergence among Member States: simplify enforcement, use best practices, more efficient enforcement
- Unified practices to permit self-regulation like BCR (Binding Corporate Rules): diminish enforcement burdens, improve compliance sector-wide
- Vital to refine the approach and pursue joint action
Collaborative Enforcement: Multilateral Cooperation in the EU
- Overall positive compliance, with some areas of concern
Moving forward:
- Recommendations to correct gaps in compliance
- Non-participant data controllers should note the findings
- Analyze and refine the methodology for future actions
- Continue to coordinate joint enforcement with representative organizations like CEA
- Properly equip DPAs for effective enforcement
- Improve the survey instrument: clearer, more focused questions
- Pursue in-depth follow-up investigations to improve compliance, not just take its temperature
Collaborative Enforcement: Cooperation with Third Countries
Unprecedented enforcement action outside the EU: in situ inspections of data transferred to Colombia.
- Legal basis: the model contract clause for international data transfers. Where data is transferred internationally, the DPA may conduct audits of the importer, using the same techniques and tools that are available for audits of the exporter in the DPA's jurisdiction.
- A telecom company included the clause in its contract for Colombian tech-support outsourcing.
- AEPD awareness that the data might be at risk of misuse or vulnerable to security breaches; decision to audit in situ.
Collaborative Enforcement: Cooperation with Third Countries (continued)
Cooperation and facilitation by the exporter (data controller):
- Coordinated inspections
- Served as contact point for the audits
Audited all involved data importers in Colombia:
- 5 days of auditing in Colombia; 3 inspectors plus the Inspection Subdirector
- Document access and examination; in situ checks of technical systems
- Access to and evaluation of information stored in the systems; in situ verification of security measures
Findings: general compliance with technical and organizational security requirements. The importers saw the audit as a helpful experience to improve practices.
Workshop 3 Panelists
- Mr. Chris Turner, Head of Audit and Remedies, Office of the Information Commissioner, UK
- Mr. Joel Winston, Associate Director, Division of Privacy and Identity Protection, FTC Bureau of Consumer Protection, USA
- Mr. Nicholas Cheung, Principal, Assurance Services Development, Canadian Institute of Chartered Accountants
- Ms. Yim Chan, Global Privacy Executive, IBM, and Chief Privacy Officer, IBM Canada
Data Protection Auditing: A UK Perspective
Chris Turner, Head of Audit & Remedies, Information Commissioner's Office
Background
- 1998: The Data Protection Act provides a power to audit with the consent of the data controller.
- Mid 2001: Completion of the Audit Manual and promotion via our website; a major milestone for the Office.
- Late 2003: New initiative launched to undertake a programme of trial audits and consider audit accreditation schemes. Audits conducted by compliance team members.
- May 2005: Permanent Audit Team created as part of a new Regulatory Action Division; looking to expand the team and increase powers.
Audit Programme
Programme based on:
- Volunteers
- Theme
- Identified non-compliance / issues
Engagement:
- Invitation / request
- Assessment / remedies
- Undertaking
Make-up: predominantly public authorities; private companies are more likely to be audited as a result of undertakings.
Audit Methodology
- Based broadly on the Audit Manual
- 2/3-person team with compliance background experience
- Development of key relationships to facilitate cooperation and establish mutual benefits
- Scoping and planning (background information)
Adequacy Audit:
- Policies, procedures, guidelines, training material
- Checklist evaluation
Compliance Audit:
- Data protection system
- Business (functional) processes
- Computer applications / operations
Audit Output (ICO Methodology)
Adequacy Audit:
- Summary Report
- Observations Report (working document)
Compliance Audit:
- On-site feedback (key findings)
- Compliance Report (observations / evaluation / recommendations)
- Follow-up
Challenges
- No audit without consent
- Team experience (audit / technical)
- Questionnaire approach: getting the questions right
- Availability of adequate background information, e.g. process / job descriptions
- Getting the timetable right!
- Deep and narrow vs. wide and shallow
- Reports and recommendations
- Balancing the workload
- Small team considerations
Benefits
For the ICO:
- Opportunity to identify / address systemic issues
- Provides an alternative to enforcement
- Increased ICO understanding of processing
- Identifies the need for guidance
- Raises the profile of data protection
For organisations:
- Raises data protection awareness at an individual and corporate level
- Provides a perspective of the regulator's view
- Is a catalyst for change
- Provides an alternative to enforcement
Privacy: The USA Model
Joel Winston, Division of Privacy and Identity Protection
September 26, 2007
Meet the FTC
- The U.S.'s only general-jurisdiction consumer protection agency
- Mission: promote the efficient functioning of the marketplace by protecting consumers from unfair and deceptive practices
U.S. Legal Framework for Privacy
- No general privacy law or obligation to have any particular privacy practices
- Various federal laws and regulations governing specific industries:
  - financial industry
  - health care industry
  - credit reporting industry
- State laws
- FTC Act: unfair or deceptive practices
U.S. Legal Framework for Data Security
- No general security law or obligation to have any particular security practices
- Various federal laws and regulations governing specific industries:
  - financial industry
  - health care industry
  - credit reporting industry
- State laws on data security and breach notification
- FTC Act: unfair or deceptive practices
FTC Act
Prohibits unfair or deceptive acts or practices in or affecting commerce.
- Deceptive practice: one that is likely to mislead reasonable consumers in a material way
- Unfair practice: one that causes or is likely to cause substantial consumer injury that is not reasonably avoidable by consumers and is not outweighed by benefits to consumers or competition
Safeguards Rule
- Data security requirements for financial institutions
- Must have reasonable procedures to safeguard sensitive personal information
- Flexible and adaptable standards: security as a process
- No specific technical requirements
FTC Enforcement
- Investigations
- Law enforcement actions:
  - deception cases
  - Safeguards cases
  - Fair Credit Reporting Act cases
  - Gramm-Leach-Bliley Act cases
  - unfairness cases
FTC Enforcement (continued)
- Conduct remedies: auditing requirements
- Monetary remedies: consumer redress, civil penalties
Other FTC Efforts
- Business education
- Consumer education
- Rulemaking
- Legislative assistance
Other Government Enforcement
- Banking agencies (OCC, FDIC, FRB, OTS, NCUA): examination and law enforcement powers
- State enforcement
Generally Accepted Privacy Principles: A Global Privacy Framework
Nicholas F. Cheung, CA, CIPP/C, The Canadian Institute of Chartered Accountants
Why Is the Accounting Profession Involved with Privacy?
- Privacy is a risk management issue: accountants are trusted business advisors, and privacy goes hand in glove with internal control assessments
- Need for external assurance regarding an organization's privacy practices: CAs are recognized for their audit expertise, and any audit requires an examination against suitable criteria
- Standard-setting experience: the CICA sets accounting and assurance standards for businesses, not-for-profit organizations and government
What are Generally Accepted Privacy Principles (GAPP)?
- A privacy framework to help both public and private entities develop and assess their privacy program and privacy risk
- Developed by the CICA and the AICPA to create a common North American standard
- Endorsed and supported by ISACA (Information Systems Audit and Control Association) and the IIA (The Institute of Internal Auditors)
Generally Accepted Privacy Principles
1. Management
2. Notice
3. Choice & Consent
4. Collection
5. Use & Retention
6. Access
7. Disclosure to Third Parties
8. Security for Privacy
9. Quality
10. Monitoring & Enforcement
GAPP Mapped to Other Frameworks
Each GAPP principle below is mapped to the corresponding provisions of Australia's privacy principles, Canada's PIPEDA, the EU Data Protection Directive, and the Global Privacy Standard.
- Management: Australia: (none); PIPEDA: Accountability; EU Directive: Notification; Global Privacy Standard: Accountability
- Notice: Australia: Openness; PIPEDA: Identifying Purposes, Openness; EU Directive: Information to be Given to the Data Subject; Global Privacy Standard: Purposes, Openness
- Choice & Consent: Australia: Use and Disclosure; PIPEDA: Consent; EU Directive: Criteria for Making Data Processing Legitimate, Data Subject's Right to Object; Global Privacy Standard: Consent
- Collection: Australia: Collection, Sensitive Information, Anonymity; PIPEDA: Limiting Collection; EU Directive: Principles Relating to Data Quality, Exemptions and Restrictions; Global Privacy Standard: Collection Limitation
- Use & Retention: Australia: Identifiers, Use and Disclosure; PIPEDA: Limiting Use, Disclosure, and Retention; EU Directive: Making Data Processing Legitimate, Special Categories of Processing, Principles Relating to Data Quality, Exemptions and Restrictions, The Data Subject's Right to Object; Global Privacy Standard: Use, Retention & Disclosure Limitation
- Access: Australia: Access and Correction; PIPEDA: Individual Access; EU Directive: The Data Subject's Right of Access to Data; Global Privacy Standard: Access
- Disclosure to Third Parties: Australia: Use and Disclosure, Trans-border Data Flows; PIPEDA: Limiting Use, Disclosure, and Retention; EU Directive: Transfer of Personal Data to Third Countries; Global Privacy Standard: Use, Retention & Disclosure Limitation
- Security for Privacy: Australia: Data Security; PIPEDA: Safeguards; EU Directive: Confidentiality and Security of Processing; Global Privacy Standard: Security
- Quality: Australia: Data Quality; PIPEDA: Accuracy; EU Directive: Principles Relating to Data Quality; Global Privacy Standard: Accuracy
- Monitoring & Enforcement: Australia: (Enforcement by the Office of the Privacy Commissioner); PIPEDA: Challenging Compliance; EU Directive: Judicial Remedies, Liability and Sanctions, Codes of Conduct, Supervisory Authority and Working Party on the Protection of Individuals with Regard to the Processing of Personal Data; Global Privacy Standard: Compliance
The Benefits of GAPP
Comprehensive:
- A framework of over 60 measurable and relevant criteria, not just a list of principles
Objective:
- Developed by the auditing profession to address international expectations and create a basis for comparability
- Universally available at no charge
Relevant:
- Widespread use and recognition
- Applicable for evaluating privacy risk enterprise-wide
- Recognized as suitable criteria for a privacy audit
- Can also be the basis for an internal assessment
Example of GAPP Criteria: Security for Privacy
Criterion: Physical Access Controls. Physical access is restricted to personal information in any form.
Illustrations and explanations of the criterion. Systems and procedures are in place to:
- Manage logical and physical access to personal information, including hard copy, archival, and backup copies.
- Log and monitor access to personal information.
- Prevent the unauthorized or accidental destruction or loss of personal information.
- Investigate breaches and attempts to gain unauthorized access.
- Communicate investigation results to the appropriate privacy executive.
- Maintain physical control over the distribution of reports containing personal information.
- Securely dispose of waste containing confidential information.
Additional considerations. Physical safeguards may include the use of:
- locked file cabinets
- card access systems
- physical keys
- sign-in logs
- other techniques to control access to offices, data centers, and other locations in which personal information is processed or stored.
External Reports for Privacy
Benefits of third-party assurance:
- Independent
- Objective
- Trained in audit techniques
Why is this important?
- Strengthens customer confidence
- Provides useful reports to internal and external stakeholders
- May be required as part of a contract
Specified Procedures Engagement
What is it?
- A special type of engagement in which the procedures are agreed upon by the client and the public accountant
- The accountant provides a report listing any exceptions found
- Not an audit opinion
- Limited distribution of the report
When would this be useful?
- The organization may not be ready for an audit, but wants to provide a third-party report on privacy
- Could use selected criteria from GAPP
- More cost-effective than an audit
External Audit
What is it?
- Similar to the auditor's report used for financial statements (GAPP vs. GAAP)
- Provides reasonable assurance
- Unlimited distribution of the report
When would this be useful?
- To provide assurance to customers and prospective customers, employees and the Board of Directors, and regulatory and government bodies
- To obtain assurance over the privacy practices of a third-party vendor (outsourcing contract requirement)
Other Uses of GAPP
- Privacy risk assessment: diagnose a new or current privacy program (cannot be relied upon for legal compliance)
- Benchmarking: against the GAPP criteria, or compare results against prior GAPP assessments; can be used in a local, national or international context
- Privacy notice development
Contact Info
Nicholas F. Cheung, CA, CIPP/C, Principal, Assurance Services Development, CICA, (416)
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationOSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data
OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data Terms Adopting company an OSRAM associated company in Germany or overseas
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationOffice of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority.
Citation: Arkansas Code Annotated 21-1-601 through 608, 21-1-610; 21-1-123 and 124 Office of Personnel Management Policy 1 Forms: Fraud Reporting Complaint Form Definitions Adverse action: To discharge,
More informationAccredited Body Report CPA Australia. For the period ended 30 June 2013
Accredited Body Report CPA Australia For the period ended 30 June 2013 Financial Markets Authority Website: www.fma.govt.nz Auckland Office Level 5, Ernst & Young Building 2 Takutai Square, Britomart PO
More information3/17/2015. Overview HIPAA. Who s Covered? Who s Not Covered? PRIVACY & SECURITY. Regulatory Patchwork: Mobile Health
PRIVACY & SECURITY Regulatory Patchwork: Mobile Health Anna Watterson, Davis Wright Tremaine, LLP Overview When HIPAA applies to mobile apps When FTC has jurisdiction over mobile apps Other considerations:
More informationNational Cyber Security Policy -2013
National Cyber Security Policy -2013 Preamble 1. Cyberspace 1 is a complex environment consisting of interactions between people, software and services, supported by worldwide distribution of information
More informationSSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch
SSAE 16 for Transportation & Logistics Companies Chris Kradjan Kim Koch 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind,
More informationData Protection Working Group. Final Report on the Draft Data Protection Bill
Data Protection Working Group Final Report on the Draft Data Protection Bill Background In August 2009, upon a request from the Hon. Attorney General, the Governor-in-Cabinet established a Data Protection
More informationResponsibilities of Custodians and Health Information Act Administration Checklist
Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures
More informationArticle 29 Working Party Issues Opinion on Cloud Computing
Client Alert Global Regulatory Enforcement If you have questions or would like additional information on the material covered in this Alert, please contact one of the authors: Cynthia O Donoghue Partner,
More informationAlign Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.
Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION
More informationCOUNCIL OF THE EUROPEAN UNION. Brussels, 22 November 2006 15644/06 DATAPROTECT 45 EDPS 3
COUNCIL OF THE EUROPEAN UNION Brussels, 22 November 2006 15644/06 DATAPROTECT 45 EDPS 3 COVER NOTE from: Secretary-General of the European Commission, signed by Mr Jordi AYET PUIGARNAU, Director date of
More informationU. S. EU SAFE HARBOR FRAMEWORK GUIDE TO SELF-CERTIFICATION MARCH 2009
U. S. EU SAFE HARBOR FRAMEWORK GUIDE TO SELF-CERTIFICATION MARCH 2009 U.S.- EU Safe Harbor Framework A Guide to Self-Certification Table of Contents Introduction... 1 Overview... 3 Helpful Hints Guide...
More informationOnline Lead Generation: Data Security Best Practices
Online Lead Generation: Data Security Best Practices Released September 2009 The IAB Online Lead Generation Committee has developed these Best Practices. About the IAB Online Lead Generation Committee:
More informationCloud Service Contracts: An Issue of Trust
Cloud Service Contracts: An Issue of Trust Marie Demoulin Assistant Professor Université de Montréal École de Bibliothéconomie et des Sciences de l Information (EBSI) itrust 2d International Symposium,
More informationBHF Southern African Conference
BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act
More informationROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014.
ROHIT GROUP OF COMPANIES PRIVACY POLICY This privacy policy is subject to change without notice. It was last updated on July 23, 2014. The Rohit Group of Companies ( Rohit Group, Company, our, we ) understands
More informationOrganisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development
Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development RECOMMENDATION OF THE OECD COUNCIL CONCERNING GUIDELINES FOR CONSUMER PROTECTION IN THE
More informationSTANDARDS PROGRAM For Canada s Charities & Nonprofits
STANDARDS PROGRAM For Canada s Charities & Nonprofits Released April 2012 Lions Foundation of Canada Dog Guides SickKids Foundation World Vision Enhancing governance and effectiveness Founding and presenting
More information1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION.
MODEL MASSACHUSETTS PRIVACY LEGISLATION 1 1. LIMITATIONS ON ACCESS TO, OR DISCLOSURE OF, PERSONALLY IDENTIFIABLE INFORMATION. (A) AUTHORIZED REPRESENTATIVES. 2 The Department of Elementary and Secondary
More informationPRIVACY BREACH POLICY
Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION
More informationProposed Public Records Legislation Consultation
Proposed Public Records Legislation Consultation Question 1 Do you agree that a public record is one that is created or received by a publicly funded authority, or do you think that the public status of
More informationNetwork Certification Body
Network Certification Body Scheme rules for assessment of railway projects to requirements of the Railways Interoperability Regulations as a Notified and Designated Body 1 NCB_MS_56 Contents 1 Normative
More informationFRANCE. Chapter XX OVERVIEW
Chapter XX FRANCE Merav Griguer 1 I OVERVIEW France has an omnibus privacy, data protection and cybersecurity framework law. As a member of the European Union, France has implemented the EU Data Protection
More informationGSK Public policy positions
Safeguarding Personally Identifiable Information A Summary of GSK s Binding Corporate Rules The Issue The processing of Personally Identifiable Information (PII) 1 and Sensitive Personally Identifiable
More informationAUDIT AND RISK MANAGEMENT COMMITTEE CHARTER
MASTERMYNE GROUP LIMITED AUDIT AND RISK MANAGEMENT COMMITTEE CHARTER Purpose of Charter 1. The Audit and Risk Management Committee Charter (Charter) governs the operations of the Audit and Risk Management
More informationLIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 3 February 2012 5999/12 LIMITE JAI 53 USA 2 DATAPROTECT 13 RELEX 76
COUNCIL OF THE EUROPEAN UNION Brussels, 3 February 2012 5999/12 LIMITE JAI 53 USA 2 DATAPROTECT 13 RELEX 76 NOTE from: Commission services to: JHA Counsellors No. prev. doc.: 17480/10 JAI 1049 USA 127
More informationPrivacy & Data Security: The Future of the US-EU Safe Harbor
Privacy & Data Security: The Future of the US-EU Safe Harbor NAOMI MCBRIDE, LISA J. SOTTO AND BRIDGET TREACY, HUNTON & WILLIAMS LLP, WITH PRACTICAL LAW US INTELLECTUAL PROPERTY & TECHNOLOGY AND UK IP&IT
More informationMr. Craig Mokhiber Chief Development and Economic and Social Issues Branch UN Office of the High Commissioner for Human Rights (OHCHR) April 12, 2013
Mr. Craig Mokhiber Chief Development and Economic and Social Issues Branch UN Office of the High Commissioner for Human Rights (OHCHR) April 12, 2013 Dear Mr Mokhiber, We welcome the commitment of the
More informationTHE FORTY RECOMMENDATIONS OF THE FINANCIAL ACTION TASK FORCE ON MONEY LAUNDERING
THE FORTY RECOMMENDATIONS OF THE FINANCIAL ACTION TASK FORCE ON MONEY LAUNDERING 1990 A. GENERAL FRAMEWORK OF THE RECOMMENDATIONS 1. Each country should, without further delay, take steps to fully implement
More informationMoving the Needle: Making Canadian Farmers More Competitive The Role of Intellectual Property Protection
CANADIAN SEED TRADE ASSOCIATION L ASSOCIATION CANADIENNE DU COMMERCE DES SEMENCES 39 Robertson Road Suite 505 Ottawa, Ontario K2H 8R2 Tel: 613-829-9527 Fax: 613-829-3530 www.cdnseed.org Email: csta@cdnseed.org
More informationYEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008
YEAR END ISSUANCES BY FEDERAL REGULATORS ADDRESS A MULTITUDE OF PRIVACY ISSUES Jane Hils Shea January 23, 2008 The final weeks of 2007 saw a flurry of regulatory activity by the federal banking regulatory
More informationCHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems
Date(s) of Evaluation: CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Assessor(s) & Observer(s): Organization: Area/Field
More informationBCS, The Chartered Institute for IT Consultation Response to:
BCS, The Chartered Institute for IT Consultation Response to: A Comprehensive Approach to Personal Data Protection in the European Union Dated: 15 January 2011 BCS The Chartered Institute for IT First
More informationCOMPLIANCE FRAMEWORK AND REPORTING GUIDELINES
COMPLIANCE FRAMEWORK AND REPORTING GUIDELINES DRAFT FOR CONSULTATION June 2015 38 Cavenagh Street DARWIN NT 0800 Postal Address GPO Box 915 DARWIN NT 0801 Email: utilities.commission@nt.gov.au Website:
More informationHow To Respect The Agreement On Trade In Cyberspace
CHAPTER 14 ELECTRONIC COMMERCE Article 14.1: Definitions For the purposes of this Chapter: computing facilities means computer servers and storage devices for processing or storing information for commercial
More informationAudit, Business Risk and Compliance Committee Charter
Charter Audit, Business Risk and Compliance Committee Charter Lovisa Holdings Limited ACN 602 304 503 Adopted by the Board on 21 st November 2014 Committee Charter 1 Membership of the Committee The Committee
More informationtechnical factsheet 176
technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationROEHAMPTON UNIVERSITY DATA PROTECTION POLICY
ROEHAMPTON UNIVERSITY DATA PROTECTION POLICY Originated by: Data Protection Working Group: November 2008 Impact Assessment: (to be confirmed) Recommended by Senate: 28 January 2009 Approved by Council:
More informationDoing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance
About Canada Dispute Resolution Forms of Business Organization Aboriginal Law Competition Law Real Estate Securities and Corporate Finance Foreign Investment Public- Private Partnerships Restructuring
More informationThe potential legal consequences of a personal data breach
The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.
More informationCFPB Consumer Laws and Regulations
General Principles and Introduction Supervised entities within the scope of CFPB s supervision and enforcement authority include both depository institutions and non-depository consumer financial services
More informationALTA Title Insurance & Settlement Company Best Practices
ALTA Title Insurance & Settlement Company Best Practices N e w C a s t l e T i t l e 7 5 0 N o r t h 3 r d S t r e e t, S u i t e B ( 6 0 8 ) 7 8 3-9 2 6 5 ( 6 0 8 ) 7 8 3-9 2 6 6 5 / 2 2 / 2 0 1 5 0 5/22/15
More informationARTICLE 29 DATA PROTECTION WORKING PARTY
ARTICLE 29 DATA PROTECTION WORKING PARTY 00658/13/EN WP 204 Explanatory Document on the Processor Binding Corporate Rules Adopted on 19 April 2013 This Working Party was set up under Article 29 of Directive
More informationThe eighth data protection principle and international data transfers
Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue
More information立 法 會 Legislative Council
立 法 會 Legislative Council Ref : CB1/PL/FA LC Paper No. CB(1)1401/12-13(03) Panel on Financial Affairs Meeting on 5 July 2013 Background brief on proposed establishment of an independent Insurance Authority
More information