Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie"

Transcription

1 Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten MHC.ie

2 Rewriting the Past Oisin Tobin

3 Agenda 1. Background 2. Findings and impact: a) Jurisdiction b) A data controller c) The right to be forgotten 3

4 Background The Timeline 1998 Auction notices published Content digitized, appeared in Google search 2010 Complaint filed with the Spanish Data Protection Authority 4

5 Background - Spanish DPA Decision The original notice was lawfully published However, Google s linking to that notice violated González s data protection rights 5

6 Background CJEU appeal Google appealed decision to CJEU Not within jurisdiction Google search is not a data controller Advocate General Google was not a data controller CJEU Disagreed affirmed Spanish DPA No appeal possible deleting the index cards 6

7 Issue 1: Jurisdiction Applicable law 2 Jurisdictional tests in EU Data Protection Law (Article 4) DC is established in member state and processes personal data in the context of that establishment (Article 4(1)(a)) DC has no EU establishment, but uses equipment in Europe (Article 4(1)(c)) 7

8 Issue 1: Jurisdiction Google s case Google search is provided by Google, Inc. Google, Inc. has no presence in the EU Google Spain promotes the sale of ads (an unrelated activity) No evidence of servers located in EU Therefore: No relevant establishment in the EU (per Article 4(1)(a)) No equipment (per Article 4(1)(c)) No jurisdiction 8

9 Issue 1: Jurisdiction Court s Response An economic link between Google search and the ads sold by Google Spain (one pays for the other) The separate legal personality of Google, Inc. and Google Spain can be disregarded Google Spain deemed to be an establishment of Google Inc. that processes personal data in the context of the activities of Google search Therefore, jurisdiction (per Article 4(1)(a)) 9

10 Issue 1: Jurisdiction Court s Response It cannot be accepted that the processing of personal data carried out for the purposes of the operation of the search engine should escape the obligations and guarantees laid down by Directive 95/46, which would compromise the directive s effectiveness and the effective and complete protection of the fundamental rights and freedoms of natural persons which the directive seeks to ensure 10

11 Issue 1: Jurisdiction Practical Impact The establishment, by a non-eu company, of an EU marketing sub may cause EU privacy law to apply to the operations of the non-eu company. Even where the EU sub is not factually involved in the processing of personal data Risk of overlapping regulators (one per marketing sub) Strategic decision: Concede that an EU data protection law is to apply and have a designated data controller or subsidiary responsible for DP issues in a member state 11

12 Issue 1: Jurisdiction Questions If a multinational company ask: Do we have a clear EU data controller? Where do we have marketing subs? Do our parent s operations comply with applicable local law? Where necessary - consider data protection jurisdiction risk when expanding operations 12

13 Issue 2: Data Controller Applicable Law Data Protection obligations fall on data controllers An entity that determines the purposes and means of processing personal data 13

14 Issue 2: Data Controller Google s case Scan and cache content to provide access No real control over that information. Advocate General agreed A proportionate reading of DP law 14

15 Issue 2: Data Controller Court s finding Google programmed the software that scanned, indexed and cached content (including personal data) Sufficient to show Google was a data controller 15

16 Issue 2: Data Controller Impact Search engines are responsible in data protection law, for the results they return Any business could be treated as a data controller in respect of data it collects/obtains in course of trade Even where the business is not really concerned about the content of that data 16

17 Issue 2: Data Controller Questions Have we considered all circumstances where we may be acting as a data controller? 17

18 Issue 3: Right to be Forgotten Law Controllers need to ensure a pre-condition to processing has been met, e.g. consent, legitimate interests Compliance with general data protection principles (i.e. not excessive, limited retention etc ) 18

19 Issue 3: Right to be Forgotten Google Principle of Proportionality: Any request for removal of content should be made to the website, not Google (a mere intermediary) 19

20 Issue 3: Right to be Forgotten Court Google lacks consent Must rely on legitimate interests Balancing test Public interest v privacy rights Must also comply with general DP principles (data not excessive, up to date etc ) As a rule privacy rights take precedence over public s interest in accessing information Where a data subject objects to search results those should be removed, save in limited circumstances (e.g. public figures) 20

21 Issue 3: Right to be Forgotten Impact Does not create a general right to demand deletion of data Ruling was based on Articles 12 and 14 of the Directive Article 12 allows deletion where a breach of DP law (akin to Section 6 of Irish DP Act) Article 14 - a right to object where processing based on legitimate interests (akin to Section 6A of Irish DP Act) 21

22 Issue 3: Right to be Forgotten Impact Right to be forgotten does not arise where: Data is being lawfully processed; AND There is an alternative basis to justify the processing including: Consent Necessary to perform a contract with data subject (NB for difficult customers) Necessary to comply with a legal obligation 22

23 Issue 3: Right to be Forgotten Questions If a right to be forgotten request comes in, check: What s our justification for keeping this data? Are we happy that this data generally complies with data protection law? If: Relying on consent, contract or legal obligations as a justification; and Satisfied that data otherwise complies with the DP Acts Deletion should not be required No proactive screening requirement 23

24 Issue 3: Right to be Forgotten Policy Increased ability of individuals to manage their online reputations Broader trends towards human rights style data protection decisions: SABAM; Digital Rights Ireland; Schrems Likely to lead to more litigation in this space Potential Trade implications TTIPs Divergence between US and EU law 24

25 Conclusions Marketing subs can ground data protection jurisdiction over parent An expansive definition of data controller has been adopted The right to be forgotten only arises in limited circumstances Seminal judgment will shape future policy and case law. 25

26 Defending your Data Rob McDonagh

27 Some Quick Facts Average cost is $3.5 million / 145 per record Biggest hit from loss of reputation and customers Incident response plan shown to reduce cost = take security breaches seriously 27

28 Managing a Security Incident You cannot be prepared for a security incident without having prepared for it! 28

29 3 Important Points Data controller primarily responsible, even if caused by data processor what are you? Security breach: not necessarily a breach of dp law could still be a breach of contract You need to consider laws of other countries too 29

30 Key Management Tools Security Breach Policy (and training) IT Security Policy Acceptable Usage Policy Firewalls Logs / red flags Supplier due diligence Contractual measures Insurance 30

31 Security Breach Policy Create a Security Breach Policy Reporting lines Incident management team (and deputies) compliance/audit/legal/it/security/pr/business control etc include senior officer so can make quick decisions Third party advisers Include contact details Identify key action points Training for incident management team 31

32 Key Action Points Initial Steps Act quickly Assemble incident response team Internal escalation Stop or mitigate breach Information lockdown Preserve evidence NB. remember litigation is possible 32

33 Key Action Points - Investigation Identify data controller Determine your status Investigate facts data affected individuals affected cause resulting harm / damage use legal counsel legal privilege? Remember things move and change quickly 33

34 Key Action Points - Implications Consider exposure liability and fines contract termination audit / escalation Contractual obligations? Consider any wider business critical implications Tolling agreement 34

35 Key Action Points - Notifications Notify insurers if required under policy Consider regulatory notifications in Ireland and abroad, e.g. DPC, Gardai, foreign DPC etc Consider data subject / customer / dc notifications Check relevant contracts confidentiality preservation of rights 35

36 Key Action Points Customer Relations Create customer relations strategy Press release Customer relationship management Mitigation measures: hotline, online helpdesk, monitoring service, discounts etc 36

37 Key Action Points Corrective Action Audit Disaster recovery / business continuity etc Implement corrective / disciplinary action 37

38 Should you Notify DPC? No express obligation (except ECSPs / ECNPs) No fines in Ireland (except ECNPs / ECSPs) different in other countries Negative PR resulting from failure to disclose can incident be contained? Have you notified other regulators? Draft EU Regulation 38

39 Should you Notify DPC? DPC has a statutory obligation of confidentiality General practice not to disclose except in response to inquiry by media or concerned person However, may issue press release or notify other DPCs if significant incident 39

40 Should you Notify DPC? Before making disclosure, also consider: is disclosure permitted by contract? must you notify insurers first? implications of DPC finding for third party litigation? other implications? similar issues apply to other notifications, e.g. to individuals Notification based on current information Remember DPC has statutory enforcement powers 40

41 Voluntary Code Applies if personal data put at risk Also earlier DoF public sector guidance Code only applicable if DC or DP subject to DPA Code is not legally binding (unless incorporated into contract) Not applicable to ECNP / ECSP as separate legislation applies 41

42 Voluntary Code DC and DPC Notifications DP must report to DC all incidents of loss of control of data DC must report to DPC incidents in which data put at risk within 2 working days unless: individuals already informed; no more than 100 data subjects; and does not include sensitive personal data or financial data Keep summary record even if don t notify DPC brief description why chose not to notify 42

43 Voluntary Code Notifying Individuals DC must give immediate consideration to informing those affected No obligation if no risk to data due to technological measures of high standard Risk of over notification or more harm than good Audit trail for reasons not to notify 43

44 Steps in a DPC Investigation 1. Initial call / 2. Written submission - amount and nature of personal data - action to secure / recover personal data - action to inform those affected or reasons for the decision not to do so - action to limit damage or distress to those affected - chronology of events leading up to incident - measures to prevent repetition 44

45 Steps in a DPC Investigation 3. Additional Materials - Contract - Recruitment process - Relevant policies - Training documents - Log of training for relevant staff - expressly state it is confidential and commercially sensitive NB: remember your confidentiality obligations 45

46 Steps in a DPC Investigation 4. Site visit - systems - procedures - live demonstrations - questions - (enforcement notice?) 5. Draft finding or report / recommendations 6. Right of reply 7. Final finding or report 46

47 Third Party Contracts Diligence Notification of incident Control of incident Co-operation / information / preservation obligations Right to interrogate devices / data Right to interview personnel 47

48 Third Party Contracts Notification of policies to others Restoration of data Confidentiality clause Indemnity / cap subject to law qualifications 48

49 Covering your bases Ailbhe Gilvarry

50 Civil Liability for Breach Michael Collins v FBD DP complaint and investigation Circuit Court High Court 50

51 Insurance Third Party Claims First Party Expenses

52 Third Party Claims Disclosure Content Reputational Conduit Impaired Access

53 First Party Claims Notification Regulator Reputation and Response Costs Cyber Extortion Network Interruption

54 Q&A

Mitigating and managing cyber risk: ten issues to consider

Mitigating and managing cyber risk: ten issues to consider Mitigating and managing cyber risk: ten issues to consider The board of directors is responsible for managing and mitigating risk exposure. A recent study conducted by the Ponemon Institute 1 revealed

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Processor Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Processor Policy Confidential Contents INTRODUCTION TO THIS POLICY 3 PART I: BACKGROUND AND ACTIONS 4 PART II: PROCESSOR OBLIGATIONS 6 PART III:

More information

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules Professional Solutions Insurance Company Business Associate Agreement re HIPAA Rules I. Purpose of Agreement This Agreement reflects Professional Solutions Insurance Company s agreement to comply with

More information

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide

Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide Introduction to Data Security Breach Preparedness with Model Data Security Breach Preparedness Guide by Christopher Wolf Directors, Privacy and Information Management Practice Hogan Lovells US LLP christopher.wolf@hoganlovells.com

More information

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction

LEEDS BECKETT UNIVERSITY. Information Security Policy. 1.0 Introduction LEEDS BECKETT UNIVERSITY Information Security Policy 1.0 Introduction 1.1 Information in all of its forms is crucial to the effective functioning and good governance of our University. We are committed

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries Sopra HR Software as a Data Processor Sopra HR Software, 2014 / Ref. : 20141120-101114-m 1/32 1.

More information

Factsheet on the Right to be

Factsheet on the Right to be 101010 100101 1010 101 Factsheet on the Right to be 100 Forgotten ruling (C-131/12) 101 101 1) What is the case about and what did 100 the Court rule? 10 In 2010 a Spanish citizen lodged a complaint against

More information

Data and Cyber Laws Up-date 9 July 2015

Data and Cyber Laws Up-date 9 July 2015 Data and Cyber Laws Up-date 9 July 2015 Janine Regan Alexia Zuber Viktoria Protokova Simon Holdsworth charlesrussellspeechlys.com Topics Updates on the key aspects of, and commentary on, the proposed GDPR

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

THE TRANSFER OF PERSONAL DATA ABROAD

THE TRANSFER OF PERSONAL DATA ABROAD THE TRANSFER OF PERSONAL DATA ABROAD MARCH 2014 THIS NOTE CONSIDERS THE SITUATION OF AN IRISH ORGANISATION OR BUSINESS SEEKING TO TRANSFER PERSONAL DATA ABROAD FOR STORAGE OR PROCESSING, IN LIGHT OF THE

More information

BHF Southern African Conference

BHF Southern African Conference BHF Southern African Conference Navigating the complexities of the new legislative framework Peter Hill, Director: IT Governance Network TOPICS TO BE COVERED The practical implementation of the PPI Act

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

AlixPartners, LLP. General Data Protection Statement

AlixPartners, LLP. General Data Protection Statement AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection

More information

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES:

CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential

More information

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements

Policy and Procedure for approving, monitoring and reviewing personal data processing agreements Policy and Procedure for approving, monitoring and reviewing personal data processing agreements 1 Personal data processing by external suppliers, contractors, agents and partners Policy and Procedure

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005 Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005

More information

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007

Linde Integrity Line. Process and Data Protection Policy. 1 July 2007 Linde Integrity Line Process and Data Protection Policy 1 July 2007 Page 2 of 10 Table of Contents Preamble 3 1 Scope of application 3 2 Definitions 3 3 Submitting Reports Regular Channels 3 4 Submitting

More information

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Binding Corporate Rules ( BCR ) Summary of Third Party Rights Binding Corporate Rules ( BCR ) Summary of Third Party Rights This document contains in its Sections 3 9 all provision of the Binding Corporate Rules (BCR) for Siemens Group Companies and Other Adopting

More information

Data protection issues on an EU outsourcing

Data protection issues on an EU outsourcing Data protection issues on an EU outsourcing Saam Golshani, Alastair Gorrie and Diego Rigatti, Orrick Herrington & Sutcliffe www.practicallaw.com/8-380-8496 Outsourcing can mean subcontracting a process

More information

Privacy and Electronic Communications Regulations

Privacy and Electronic Communications Regulations ICO lo Notification of PECR security breaches Privacy and Electronic Communications Regulations Contents Introduction... 2 Overview... 2 Relevant security breaches... 3 What is a service provider?... 3

More information

technical factsheet 176

technical factsheet 176 technical factsheet 176 Data Protection CONTENTS 1. Introduction 1 2. Register with the Information Commissioner s Office 1 3. Period protection rights and duties remain effective 2 4. The data protection

More information

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices

Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Panel Title: Data Breaches: Industry and Law Enforcement Perspectives on Best Practices Over the course of this one hour presentation, panelists will cover the following subject areas, providing answers

More information

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 )

Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Sample Employee Agreement for Business Use of Employee-Owned Personal Computing Devices (Including Wearables 1 ) Overview: The Bring Your Own Device (BYOD) program allows employees to use their own computing

More information

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities : Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Data Privacy & Security: Essential Questions Every Business Must Ask

Data Privacy & Security: Essential Questions Every Business Must Ask Data Privacy & Security: Essential Questions Every Business Must Ask Presented by: Riddell Williams P.S. Riddell Williams P.S. May 6, 2015 #4841-4703-9779 Innocent? 2 Overview 3 basic questions every business

More information

Vermont Information Technology Leaders

Vermont Information Technology Leaders Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:

More information

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU

HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU HOW TO HANDLE A WHISTLEBLOWER REPORT IN THE EU 10 April 2014 Monica Salgado Advogada registered with the Portuguese Ordem dos Advogados Registered European Lawyer with the SRA Kirsti Laird Solicitor, (qualified

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

Cybersecurity y Managing g the Risks

Cybersecurity y Managing g the Risks Cybersecurity y Managing g the Risks Presented by: Steven L. Caponi Jennifer Daniels Gregory F. Linsin 99 Cybersecurity The Risks Are Real Perpetrators are as varied as their goals Organized Crime: seeking

More information

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind

Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and

More information

005ASubmission to the Serious Data Breach Notification Consultation

005ASubmission to the Serious Data Breach Notification Consultation 005ASubmission to the Serious Data Breach Notification Consultation (Consultation closes 4 March 2016 please send electronic submissions to privacy.consultation@ag.gov.au) Your details Name/organisation

More information

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen

Cyber Security : preventing and mitigating incidents. Alexander Brown Robert Allen Cyber Security : preventing and mitigating incidents Alexander Brown Robert Allen 07 & 08 October 2015 Cyber Security context of the threat The magnitude and tempo of [cyber security attacks], basic or

More information

Cloud Computing Contracts. October 11, 2012

Cloud Computing Contracts. October 11, 2012 Cloud Computing Contracts October 11, 2012 Lorene Novakowski Karam Bayrakal Covering Cloud Computing Cloud Computing Defined Models Manage Cloud Computing Risk Mitigation Strategy Privacy Contracts Best

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document Data Protection Processing and Transfer of Personal Data in Kvaerner Binding Corporate Rules Public Document 1 of 19 1 / 19 Table of contents 1 Introduction... 4 1.1 Scope... 4 1.2 Definitions... 4 1.2.1

More information

Cyber and data Policy wording

Cyber and data Policy wording Please read the schedule to see whether Breach costs, Cyber business interruption, Hacker damage, Cyber extortion, Privacy protection or Media liability are covered by this section. The General terms and

More information

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS

BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS BRITISH COUNCIL DATA PROTECTION CODE FOR PARTNERS AND SUPPLIERS Mat Wright www.britishcouncil.org CONTENTS Purpose of the code 1 Scope of the code 1 The British Council s data protection commitment and

More information

Data protection in Switzerland: overview

Data protection in Switzerland: overview Page 1 of 8 Data protection in Switzerland: overview Resource type: Country Q&A Status: Law stated as at 01-Aug-2014 Jurisdiction: Switzerland A Q&A guide to data protection in Switzerland. This Q&A guide

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana

Data Protection Act. Privacy & Security in the Information Age. April 26, 2013. Ministry of Communications, Ghana Data Protection Act Privacy & Security in the Information Age April 26, 2013 Agenda Privacy in The Information Age The right to privacy Why We Need Legislation Purpose of the Act The Data Protection Act

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority.

Office of Personnel Management. Policy Policy Number: Definitions. Communicate: To give a verbal or written report to an appropriate authority. Citation: Arkansas Code Annotated 21-1-601 through 608, 21-1-610; 21-1-123 and 124 Office of Personnel Management Policy 1 Forms: Fraud Reporting Complaint Form Definitions Adverse action: To discharge,

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

Corporate Policy. Data Protection for Data of Customers & Partners.

Corporate Policy. Data Protection for Data of Customers & Partners. Corporate Policy. Data Protection for Data of Customers & Partners. 02 Preamble Ladies and gentlemen, Dear employees, The electronic processing of virtually all sales procedures, globalization and growing

More information

Information Integrity & Data Management

Information Integrity & Data Management Group Standard Information Integrity & Data Management Serco recognises its responsibility to ensure that any information and data produced meets customer, legislative and regulatory requirements and is

More information

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data Akzo Nobel N.V. Executive Committee Rules 7.08.2 Privacy Rules for Customer, Supplier and Business Partner Data Source Directive Content Owner Directive 7.08 Protection of Personal Data AkzoNobel Legal

More information

Information security due diligence

Information security due diligence web applications and websites W A T S O N H A L L Watson Hall Ltd London 020 7183 3710 Edinburgh 0131 510 2001 info@watsonhall.com www.watsonhall.com Identifying information security risk for web applications

More information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Proposed guidance for firms outsourcing to the cloud and other third-party IT services Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is

More information

International Investigations: Issues to Consider When Conducting or Defending Against an FCPA Investigation Outside the United States

International Investigations: Issues to Consider When Conducting or Defending Against an FCPA Investigation Outside the United States International Investigations: Issues to Consider When Conducting or Defending Against an FCPA Investigation Outside the United States Presentation to: Ninth Annual Pharmaceutical Regulatory and Compliance

More information

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions

235.1. Federal Act on Data Protection (FADP) Aim, Scope and Definitions English is not an official language of the Swiss Confederation. This translation is provided for information purposes only and has no legal force. Federal Act on Data Protection (FADP) 235.1 of 19 June

More information

The HR Skinny: Effectively managing international employee data flows

The HR Skinny: Effectively managing international employee data flows The HR Skinny: Effectively managing international employee data flows Topics we will cover today Laws affecting HR data flows HR international data protection challenges and strategic solutions Case study

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version November 3, 2015 1. Scope and order of precedence This agreement (the Data Processing Agreement ) applies to Oracle s Processing of Personal

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

NOBLE TRUST COMPANY LTD. GENERAL TERMS OF BUSINESS. The following definitions and rules of interpretation shall apply:

NOBLE TRUST COMPANY LTD. GENERAL TERMS OF BUSINESS. The following definitions and rules of interpretation shall apply: NOBLE TRUST COMPANY LTD. GENERAL TERMS OF BUSINESS 1. Definitions and interpretation The following definitions and rules of interpretation shall apply: 1.1 Agent means any person appointed by a Client

More information

Requirements made under the Intermediaries Byelaw

Requirements made under the Intermediaries Byelaw Chapter 2 Requirements made under the Intermediaries Byelaw Section 1 Delegated Underwriting Registers of coverholders and registered binding authorities Part B of the Intermediaries Byelaw Format and

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Cloud Software Services for Schools Supplier self-certification statements with service and support commitments Supplier name Address Contact name Contact email Contact telephone Parent Teacher Online

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage

Dean Bank Primary and Nursery School. Secure Storage of Data and Cloud Storage Dean Bank Primary and Nursery School Secure Storage of Data and Cloud Storage January 2015 All school e-mail is disclosable under Freedom of Information and Data Protection legislation. Be aware that anything

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

Coverage is subject to a Deductible

Coverage is subject to a Deductible Frank Cowan Company Limited 75 Main Street North, Princeton, ON N0J 1V0 Phone: 519-458-4331 Fax: 519-458-4366 Toll Free: 1-800-265-4000 www.frankcowan.com CYBER RISK INSURANCE DETAILED APPLICATION Notes:

More information

Guidelines for. Directors of wholly-owned subsidiary companies

Guidelines for. Directors of wholly-owned subsidiary companies Guidelines for Directors of wholly-owned subsidiary companies March 2014 Introduction These guidelines summarise the basic legal and regulatory framework for directors of wholly-owned subsidiaries. The

More information

Ethical hotlines and whistleblowing ensuring businesses are not in conflict. with EU laws 10 May 2012. James Castro-Edwards, solicitor.

Ethical hotlines and whistleblowing ensuring businesses are not in conflict. with EU laws 10 May 2012. James Castro-Edwards, solicitor. James Castro-Edwards, solicitor and Alexia Zuber, solicitor Data Protection & Information Law Group Ethical hotlines and whistleblowing ensuring businesses are not in conflict with EU laws 10 May 2012

More information

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations Health Care Litigation Webinar Series March 22, 2012 Spence Pryor Paula Stannard Jason Popp 1 HIPAA/HITECH

More information

Anatomy of a Cloud Computing Data Breach

Anatomy of a Cloud Computing Data Breach Anatomy of a Cloud Computing Data Breach Sheryl Falk Mike Olive ACC Houston Chapter ITPEC Practice Group September 18, 2014 1 Agenda Ø Cloud 101 Welcome to Cloud Computing Ø Cloud Agreement Considerations

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq. EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update By Stephen H. LaCount, Esq. Overview The European Union Data Protection Directive 95/46/EC ( Directive ) went effective in

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner

More information

Definitions. Catch-all definition:

Definitions. Catch-all definition: BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER

More information

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures

TODAY S AGENDA. Trends/Victimology. Incident Response. Remediation. Disclosures TODAY S AGENDA Trends/Victimology Incident Response Remediation Disclosures Trends/Victimology ADVERSARY CLASSIFICATIONS SOCIAL ENGINEERING DATA SOURCES COVERT INDICATORS - METADATA METADATA data providing

More information

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda? Dr. Jörg Hladjk Counsel European Data Protection & Privacy Practice Hunton & Williams, Brussels Cyber Security

More information

Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law)

Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law) Aida S. Montano Bill Analysis Legislative Service Commission Sub. H.B. 9 * 126th General Assembly (As Reported by H. Civil and Commercial Law) Reps. Oelslager, Flowers, Buehrer, White, Trakas BILL SUMMARY

More information

Managing Cyber Risk through Insurance

Managing Cyber Risk through Insurance Managing Cyber Risk through Insurance Eric Lowenstein Aon Risk Solutions This presentation has been prepared for the Actuaries Institute 2015 ASTIN and AFIR/ERM Colloquium. The Institute Council wishes

More information

Appendix 11 - Swiss Data Protection Act

Appendix 11 - Swiss Data Protection Act GLEIF- LOU Restricted Appendix 11 - Swiss Data Protection Act GLEIF Revision Version: 1.0 2015-09-23 Master Copy page 2 of 11 Applicable Provisions of the Swiss Data Protection Act (DPA) including the

More information

Statutory Liability Insurance

Statutory Liability Insurance Statutory Liability Insurance December 2015 Statutory Liability Insurance is designed to provide cover to the company and its directors, officers and employees for defence costs and fines/penalties in

More information

Corporate Policy and Procedure

Corporate Policy and Procedure Page Page 1 of 9 TAB: SECTION: SUBJECT: ROADS AND TRAFFIC TRAFFIC OPERATIONS CLOSED CIRCUIT TELEVISION (CCTV) TRAFFIC MONITORING SYSTEMS POLICY STATEMENT POLICY PURPOSE The City of Mississauga may install

More information

FRAMEWORK AGREEMENT FOR PROCUREMENT OF LEGAL SERVICES

FRAMEWORK AGREEMENT FOR PROCUREMENT OF LEGAL SERVICES FRAMEWORK AGREEMENT FOR PROCUREMENT OF LEGAL SERVICES DATE [2009] PARTIES The Legal Services Board, a statutory non-departmental public body of 7th floor, Victoria House, Southampton Row, London, WC1B

More information

Hong Kong High Court Procedure E-Discovery: Practice Direction Effective September 1, 2014

Hong Kong High Court Procedure E-Discovery: Practice Direction Effective September 1, 2014 CLIENT MEMORANDUM Hong Kong High Court Procedure E-Discovery: Practice Direction Effective September 1, 2014 August 28, 2014 Mandatory application of e-discovery Mandatory application of e-discovery to

More information

Evergreen Solar, Inc. Code of Business Conduct and Ethics

Evergreen Solar, Inc. Code of Business Conduct and Ethics Evergreen Solar, Inc. Code of Business Conduct and Ethics A MESSAGE FROM THE BOARD At Evergreen Solar, Inc. (the Company or Evergreen Solar ), we believe that conducting business ethically is critical

More information

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015

Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 2 September 2015 Position of the retail and wholesale sector on the Draft Data Protection Regulation in view of the trilogue 2015 We support the efforts of EU legislators to create a harmonised data protection

More information

Effective Date: Oct. 27, 2009... 1

Effective Date: Oct. 27, 2009... 1 Policy Title: Office of Information Technology Email Usage and Retention Policy Policy No.: 7010 Rev.: 0 Effective Date: Oct. 27, 2009 Last Revision: Oct. 27, 2009 Responsible Office: Responsible Official:

More information

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively. Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in

More information

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope March 6, 2014 Victoria King UPS (404) 828-6550 vking@ups.com Lisa J. Sotto Hunton & Williams LLP (212) 309-1223 lsotto@hunton.com

More information

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. PRIVACY POLICY 1. Introduction Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect. We will only collect information that

More information

Big Data for Mutuals. Marc Dautlich 25 November 2013

Big Data for Mutuals. Marc Dautlich 25 November 2013 Big Data for Mutuals Marc Dautlich 25 November 2013 Agenda BIG DATA What is it? OPPORTUNITIES What are they? LEGAL CHALLENGES How do we overcome them? LEGAL REFORM What can we do now to minimise impact?

More information

Johnson Controls Privacy Notice

Johnson Controls Privacy Notice Johnson Controls Privacy Notice Johnson Controls, Inc. and its affiliated companies (collectively Johnson Controls, we, us or our) care about your privacy and are committed to protecting your personal

More information

Information Security Policy

Information Security Policy Information Security Policy Policy Title Responsible Executive Responsible Office Information Security Policy Vice President for Information Technology and CIO, Jay Dominick Office of Information Technology,

More information

Insurance for Data Breaches in the Hospitality Industry

Insurance for Data Breaches in the Hospitality Industry The Academy of Hospitality Industry Attorneys The Pl Palmer House Hilton Chicago, IL April 25, 2014 Insurance for Data Breaches in the Hospitality Industry Presenters: David P. Bender, Jr. dbender@andersonkill.com

More information

Cloud Software Services for Schools

Cloud Software Services for Schools Request for information on the document re: cloud and secure storage posted on the DfE website, response provided by DfE and Schools Commercial team: The focus of the project is on data security/safety

More information