20/09/2013 - SCCE Official Site

Global Privacy and Data Protection:
Practical Risk Assessment and Governance

9 October 2013

Robert Bond, BA, CCEP, HonMIEx
Head of Data Protection and Info Security, Speechly Bircham

Marti Arvin, CHC-F, CHPC, CHRC, CCEP-F
Chief Compliance Officer, UCLA Health System

Topics

• Understanding the global legal and regulatory landscape
• OECD Guidelines
• Applying the Guidelines to your business
• Assessing the risks and planning the compliance program
• Tools and tactics for an effective risk management regime

Case Study – Stage 1

THE GLOBAL DATA PROTECTION LANDSCAPE

1. Background – the OECD Guidance
2. The European Union and other Central Eastern European countries
3. The US (sector based regulations)
4. APEC
5. Canada (PIPEDA)
6. Australia
7. Recent developments – emerging laws

THE GLOBAL DATA PROTECTION LANDSCAPE

Background – the OECD Guidance

• The OECD Guidance (Organization for Economic Co-operation and Development Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, adopted 23 September 1980)
  - OECD is an international economic organization founded in 1961 to stimulate economic progress and world trade
  - Members include the US, European and South American countries, and Australia

• Definitions
  - Data controller means any information relating to an identified or identifiable individual (data subject);
  - Personal data means any information relating to an identified or identifiable individual (data subject);
  - Transborder data flows means movements of personal data across national borders

THE GLOBAL DATA PROTECTION LANDSCAPE

Background – the OECD Guidance

Eight data protection principles

1. Collection Limitation
2. Data Quality
3. Purpose Specification
4. Use Limitation
5. Security Safeguards
6. Openness
7. Individual Participation
8. Accountability

Collection limitation

• Privacy notice
• Consent
• Privacy by default
• OBA and cookies

Data quality

• Privacy policy
• Information security
• Audits
• Records management

Purpose specification

• Privacy notice
• Consent
• Fair use
• Data transfer/handling

Use limitation

• Privacy notice
• Audit
• Information security
• 3rd party processing

Security safeguards

• Policies & procedures
• Due diligence
• Insurance
• Training

Openness

• Clear and unambiguous notices
• Privacy impact assessments
• Privacy by design
• Subject access policy

Individual participation

• Subject access request
• Data protection officer
• Data management policies
• Communication

Accountability

• Compliance
• Data protection policy
• Transparency
• Training

THE GLOBAL DATA PROTECTION LANDSCAPE

The European Union

- The EU Data Protection Directive
- Implementing national legislation
- Which law applies?
- The General Data Protection Regulation

THE GLOBAL DATA PROTECTION LANDSCAPE

The US (sector based regulations)

• The Fair Credit Reporting Act (FCRA)
• The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act “GLBA”)
• California SB1
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Children’s Online Privacy Protection Act 1998 (COPPA)
• Junk Fax Prevention Act of 2005
• CAN-SPAM Act (Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003)

THE GLOBAL DATA PROTECTION LANDSCAPE

APEC (Asia-Pacific Economic Community)

• Forum for facilitating trade and investment in the Asia-Pacific region
• Members include Australia, Canada, China, Japan, Vietnam, the Russian Federation and the US
• The APEC Framework is intended to provide a legal basis for facilitating international transfers and providing a minimum standard of privacy protection
• Implementation of the APEC Framework is not mandatory

THE GLOBAL DATA PROTECTION LANDSCAPE

Canada (PIPEDA)

The Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)

Ten key privacy principles:

1. Accountability.
2. Identifying purposes.
3. Consent.
4. Limiting collection.
5. Limiting use, disclosure and retention.
6. Accuracy.
7. Safeguards.
8. Openness.
9. Individual access.
10. Challenging compliance.

THE GLOBAL DATA PROTECTION LANDSCAPE

Australia

The Privacy Act 1988 contains the ten National Privacy Principles:

1. Collection. Describes what an organisation should do when collecting personal information
2. Use and disclosure. Outlines how organisations may use and disclose individuals' personal information
3. Information quality. An organisation must take steps to ensure the personal information it holds is accurate and up-to-date
4. Information security. Information must be kept secure from unauthorised use or access
5. Openness. An organisation must have a policy on how it manages personal information, and make it available to anyone who asks for it
6. Access and correction. Individuals have a right of access to their personal information
7. Identifiers. Generally, an organisation cannot adopt an Australian government identifier for an individual (for example, Medicare numbers) as its own
8. Anonymity. Where possible, organisations must give individuals the opportunity to do business with them without the individual having to identify themselves
9. Trans border data flows. Sets out how organisations should protect personal information that they transfer outside Australia
10. Sensitive information. Sensitive information includes information such as health, racial or ethnic background, or criminal record. Higher standards apply to the handling of sensitive information

THE GLOBAL DATA PROTECTION LANDSCAPE

Recent developments – emerging laws

• Singapore: Personal Data Protection Act 2012 (PDPA); came into force 2nd January 2013; anticipated 12-18 month ‘sunrise period’
• The Philippines: Data Privacy Act 2012; to come into force in 2013
• Hong Kong: The Personal Data (Privacy) (Amendment) Ordinance (Amendment Ordinance) was passed into law in June 2012. Most of its provisions came into effect on 1 October 2012, the remainder in April 2013
• Malaysia: Personal Data Protection Act 2010 to be enforced in 2013
• China: Currently no comprehensive legal framework for data protection. In late 2012 China’s legislative body issued new rules on the protection of electronic personal data of Chinese citizens with immediate effect
• Taiwan: The Personal Data Protection Law was passed in 2011 and came into force in October 2012

THE GLOBAL DATA PROTECTION LANDSCAPE

Recent developments – emerging laws

• South Korea: The Personal Information Protection Act 2011 was passed on 29 March 2011 and came into force on 30 September 2011. There is also the Act on Promotion of Information and Communication Network Utilization and Information Protection (IT Network Act) which regulates the collection and use of personal information by IT Service Providers
• Mexico: Federal Law for the Protection of Personal Data in Possession of Private Persons (Personal Data Protection Law) passed in 2010
• Brazil: There is no specific data protection law in Brazil
• Colombia: A new Data Protection Law was passed on 7 October 2011 and came into force on 18 April 2013
• India: The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 were issued under s. 43A of the Information Technology Act, 2000

THE GLOBAL DATA PROTECTION LANDSCAPE

• Russia – a patchwork of laws including the Data Protection Act No. 152 of 2006 and the need for a DPO, registration and processing principles similar to EU
• Ukraine – Law of Ukraine on Protection of Personal Data; recent fine for failing to update registration; principles are similar to EU; draft law proposes termination of DPA and replacement with more powerful Regulator
• Serbia – DP Act 2009 with similar principles to EU
• Turkey – Turkey's Draft Law on Data Protection (the "Draft Law") is expected to be passed at the end of 2013 or in early 2014; similar principles to EU

Case Study – Stage 2

Case Study – Stage 3

What should the audit achieve?

“A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organisation’s data protection policies and procedures, and whether this processing meets the requirements of the [law].” UK Information Commissioner’s Office

• Assess compliance with the law
• Assess compliance with entities’ own policies and procedures
• Assess gaps and weaknesses
• Provide information to ensure compliance
• Ensure awareness
• Minimise risk

Analysing entities and their roles

Ascertain data ‘estate’

• names and locations of all entities in each country
• purpose of collection – are they controllers or processors?
• data subjects and data recipients (employee, customer, supplier, other)
• points of collection of data
• types of data collected – basic contact / detailed profile
• types of systems used – manual / electronic
• notifications / registrations with authorities

Analysing processes and policies

Data processes and policies

• points / methods of data collection (online / offline / social media)
• consent / fair processing information – how is this communicated?
• data retention / destruction
• websites and terms of use
• business codes of conduct and policies (data protection; IS/IT; electronic media; portable device policy; whistleblower)
• contracts of employment and staff manuals
• staff knowledge and training (DPO / basic)
• appointments of CPO/DPO

Contracts and Codes

• Audit trans border data flow solutions
• Audit third party processor contracts
• Audit permissions from DPA
• Ensure all policies and procedures comply with local laws (not just data protection – e.g. employment laws / monitoring rules)
• Monitor ongoing changes to company structures (acquisitions / disposals)
• Changes to data handling practices and notifications (e.g. outsourcing / cloud / CCTV / vehicle tracking)

Case Study – Stage 4

Benefits of a compliance audit

• Facilitates compliance with the law
• Measures and helps improve compliance with policies
• Increases awareness amongst staff and management
• Elevates data protection to a key part of corporate governance
• Minimises risk
• Satisfies insurance requirements
• Improves trust and customer satisfaction

Privacy Impact Assessments

What? An assessment of the impact of the proposed processing upon individuals’ personal data

Why? A pre-emptive exercise, which seeks to avoid problems arising from new processes

When? At the earliest stage when a new system / activity is first proposed

For example

• Centralised HR system hosted outside the EU
• Use of social media for marketing purposes
• Use of cookies for targeted advertising
• Cloud hosted solutions
• Adoption of bring your own device policy
• Remote working policy
• Due diligence in company sale

Privacy by design

• Designing in privacy and data protection compliance to information systems
• Requires data protection to be a consideration at the outset of a new project
• Personal data should be protected throughout life cycle – collection, storage, disclosure and destruction

Practical tips – trans border transfers of personal data

• Understand what personal data goes where and why – use flowcharts
• Consider how the transfer is legitimised – not the same as the contractual relationship

Controller – processor

Compliance project flowchart (figure; only the box labels are recoverable):

1. Define the country and group of companies covered by the project
2. Assess general existing processing operations: data flows, purposes, databases, cookies used?
3. Assess existing notifications / authorizations
4. Assess specific client concerns
5. Assess general existing policies and procedures
6. Send country specific audit questionnaire
7. Define the required compliance measures
8. Implement the required compliance measures
9. When complete: compliance bundle, including list of ongoing compliance requirements

Compliance measures (figure; each measure is tagged Consider / Always necessary / Probably necessary, but the tags are not recoverable):

• Define security measures – coordinating with client’s IT / Facilities team
• Review of existing notifications / presenting new notifications
• Data transfer agreements
• Liaise with local counsel
• Implement / update existing training measures

Case Study – Stage 5

For more information on our services, please contact:

Robert Bond, BA, CCEP, HonMIEx
Partner & Notary Public
+44 (0)20 7427 6660
[email protected]
Tweet me @iinonline