20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics. Case Study Stage 1

Transcription

1 Global Privacy and Data Protection: Practical Risk Assessment and Governance 9 October 2013 Robert Bond, BA, CCEP, HonMIEx Head of Data Protection and Info Security, Speechly Bircham Marti Arvin, CHC-F, CHPC, CHRC, CCEP- F Chief Compliance Officer, UCLA Health System Topics Understanding the global legal and regulatory landscape OECD Guidelines Applying the Guidelines to your business Assessing the risks and planning the compliance program Tools and tactics for an effective risk management regime Case Study Stage 1 3 1

2 1. Background the OECD Guidance 2. The European Union and other Central Eastern European countries 3. The US (sector based regulations) 4. APEC 5. Canada (PIPEDA) 6. Australia 7. Recent developments emerging laws 4 Background - the OECD Guidance - The OECD Guidance (Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, adopted 23 September 1980) - OECD is an international economic organization founded in 1961 to stimulate economic progress and world trade - Members include the US, European and South American countries, and Australia Definitions - Data controller means any information relating to an identified or identifiable individual (data subject); - Personal data means any information relating to an identified or identifiable individual (data subject); - Transborder data flows means movements of personal data across national borders 5 Background - the OECD Guidance Eight data protection principles 1. Collection Limitation 2. Data Quality 3. Purpose Specification 4. Use Limitation 5. Security Safeguards 6. Openness 7. Individual Participation 8. Accountability 6 2

3 Privacy notice OBA and cookies Collection limitation Consent Privacy by default Privacy policy Records managment Data quality Information security Audits Privacy notice Data transfer/handling Purpose specification Consent Fair use 3

4 Privacy notice 3 rd party processing Use limitation Audit Information security Policies & procedures Training Security safeguards Due diligence Insurance Clear and unambiguous notices Subject access policy Openness Privacy impact assessments Privacy by design 4

5 Subject access request Communication Individual participation Data protection officer Data management policies Compliance Training Accountability Data protection policy Transparency The European Union - The EU Data Protection Directive - Implementing national legislation - Which law applies? - The General Data Protection Regulation 15 5

6 The US (sector based regulations) The Fair Credit Reporting Act (FCRA) The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act GLBA ) California SB1 Health Insurance Portability and Accountability Act of 1996 ( HIPPA ) Children s Online Privacy Protection Act 1998 (COPPA) Junk Fax Prevention Act of 2005 CAN-SPAM Act Controlling the Assault of Non-Solicited Pornography and Marketing Act of APEC (Asia-Pacific Economic Community) Forum for facilitating trade and investment in the Asia-Pacific region Members include Australia, Canada, China, Japan, Vietnam, the Russian Federation and the US The APEC Framework, is intended to provide a legal basis for facilitating international Transfers and providing a minimum standard of privacy protection Implementation of the APEC Framework is not mandatory 17 Canada (PIPEDA) The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA) Ten key privacy principles: 1. Accountability. 2. Identifying purposes. 3. Consent. 4. Limiting collection. 5. Limiting use, disclosure and retention. 6. Accuracy. 7. Safeguards. 8. Openness. 9. Individual access. 10. Challenging compliance. 18 6

7 Australia The Privacy Act 1988 contains the ten National Privacy Principles: 1. Collection. Describes what an organisation should do when collecting personal information 2. Use and disclosure. Outlines how organisations may use and disclose individuals' personal information 3. Information quality. An organisation must take steps to ensure the personal information it holds is accurate and up-to-date 4. Information security. Information must be kept secure from unauthorised use or access 5. Openness. An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it 6. Access and correction. Individuals have a right of access to their personal information 7. Identifiers. Generally, an organisation cannot adopt an Australian government identifier for an individual (for example, Medicare numbers) as its own 8. Anonymity. Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves 9. Trans border data flows. Sets out how organisations should protect personal information that they transfer outside Australia 10. Sensitive information. Sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information 19 Recent developments - emerging laws Singapore: Personal Data Protection Act 2012 (PDPA); came into force 2 nd January 2013; anticipated month sunrise period The Philippines: Data Privacy Act 2012; to come into force in 2013 Hong Kong: The Personal Data (Privacy) (Amendment) Ordinance (Amendment Ordinance) was passed into law in June Most of its provisions came into effect on 1 October 2012, the remainder in April 2013 Malaysia: Personal Data and Protection Act 2010 to be enforced in 2013 China: Currently no comprehensive legal framework for data protection. In late 2012 China s legislative body issued new rules on the protection of electronic personal data of Chinese citizens with immediate effect Taiwan: The Personal Data Protection Law was passed in 2011 and came into force in October Recent developments - emerging laws South Korea: The Personal Information Protection Act 2011 was passed on 29 March 2011 and came into force on 30 September There is also the Act on Promotion of Information and Communication Network Utilization and Information Protection (IT Network Act) which regulates the collection and use of personal information by IT Service Providers Mexico: Federal Law for the Protection of Personal Data in Possession of Private Persons (Personal Data Protection Law) passed in 2010 Brazil: There is no specific data protection law in Brazil Columbia: A new Data Protection Law was passed on 7 October 2011 and came into force on 18 April 2013 India: The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 were issued under s. 43A of the Information Technology Act,

8 Russia a patchwork of laws including the Data Protection Act No. 152 of 2006 and the need for a DPO, Registration and processing principles similar to EU Ukraine - Law of Ukraine on Protection of Personal Data; recent fine for failing to update registration; principles are similar to EU; draft law proposes termination of DPA and replacement with more powerful Regulator Serbia DP Act 2009 with similar principles to EU Turkey - Turkey's Draft Law on Data Protection (the "Draft Law"), is expected to be passed at the end of 2013 or in early 2014; similar principles to EU 22 Case Study Stage 2 23 Case Study Stage

9 What should the audit achieve? A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation s data protection policies and procedures, and whether this processing meets the requirements of the [law]. UK Information Commissioner s Office Assess compliance with the law Assess compliance with entities own policies and procedures Assess gaps and weaknesses Provide information to ensure compliance Ensure awareness Minimise risk Analysing entities and their roles Ascertain data estate names and locations of all entities in each country Purpose of collection - are they controllers or processors data subjects and data recipients - employee, customer, supplier, other) points of collection of data types of data collected basic contact / detailed profile types of systems used manual / electronic notifications / registrations with authorities Analysing processes and policies Data processes and policies points / methods of data collection (online / offline / social media) consent / fair processing information how is this communicated? Data retention / destruction websites and terms of use business codes of conduct and policies (data protection; IS/IT; electronic media; portable device policy; whistleblower) contracts of employment and staff manuals staff knowledge and training (DPO / basic) appointments of CPO/DPO 9

10 Contracts and Codes Audit trans border data flow solutions Audit third party processor contracts Audit permissions from DPA Ensure all policies and procedures comply with local laws (not just data protection e.g. employment laws / monitoring rules) Monitor ongoing changes to company structures (acquisitions / disposals) Changes to data handling practices and notifications (e.g. Outsourcing/Cloud/ CCTV/ vehicle tracking) Case Study Stage 4 29 Benefits of a compliance audit Facilitates compliance with the law Measures and helps improve compliance with policies Increases awareness amongst staff and management Elevates data protection to a key part of corporate governance Minimises risk Satisfies insurance requirements Improves trust and customer satisfaction 10

11 Privacy Impact Assessments What? An assessment of the impact of the proposed processing upon individuals personal data Why? A pre-emptive exercise, which seeks to avoid problems arising from new processes When? At the earliest stage when a new system / activity is first proposed For example Centralised HR system hosted outside the EU Use of social media for marketing purposes Use of cookies for targeted advertising Cloud hosted solutions Adoption of bring your own device policy Remote working policy Due diligence in company sale Privacy by design Designing in privacy and data protection compliance to information systems Requires data protection to be a consideration at the outset of a new project Personal data should be protected throughout life cycle collection, storage, disclosure and destruction Practical tips trans border transfers of personal data Understand what personal data goes where and why use flowcharts Consider how is the transfer legitimised not the same as the contractual relationship Controller - processor 33 11

12 34 Define the country and group of companies covered by the project Databases Assess existing notifications / authorizations Assess specific client concerns Assess general existing policies and procedures Assess general existing processing Purposes operations Data flows Cookies used? Send country specific audit questionnaire Data transfer agreements When complete Define the required compliance measures Include Review of existing notifications / presenting new notifications Implement / update existing training measures Implement the required compliance measures Define security measures - coordinating with client s IT / Facilities team Compliance bundle Liaise with local counsel Including list of ongoing compliance requirements 35 Case Study Stage

13 For more information on our services, please contact: Robert Bond, BA, CCEP, HonMIEx Partner & Notary Public, +44 (0) Tweet 13