April 2001 EU* Privacy Directive Andrea L.C. Hoy, CISSP Chief Information Security Director Fluor...
April 2001 1
EU* Privacy Directive
Andrea L.C. Hoy, CISSP
Chief Information Security Director
Fluor Corporation

April 2001 2
European Union - The Right to Privacy
Privacy is a human right in EU
COE - Council of Europe
15 EU member states
370 million people
Local Privacy Authorities

April 2001 3
Background
Major Business Concerns
Data Collection
Cross-border Movement of Personal data

April 2001 4
Why Address This Now?
EUPD & Safe Harbor Act sets deadline
Consumers/Shareholders are aware
Privacy abuses are in the news
– toysmart.com
Your Company’s reputation - don’t be the example
Technology Growth - Surveillance & Automation
Create competency
Strengthen Company’s brand name
E-Commerce

April 2001 5
European Union Privacy Directive 1998
What is it?
It regulates “the processing of personal information identified or identifiable” from crossing EU borders without meeting the EUPD

April 2001 6
EUPD
Passed October 24, 1998
Stemmed from E-Commerce concerns
– Loss of business to US and other countries
Companies had control of the review process for compliance
EU centric “Guilty till proven innocent” vs. US centric “Innocent till proven guilty”

April 2001 7
Processing of Personal Information
Very broad scope
Any electronic transfer, collection, storage
Includes private WANS/LANS
Back up tapes/archives
WWW cookies
Legal Precedence pending
– American Airlines

April 2001 8
Personally Identified or Identifiable Information
Identified - Your Name(s)
Identifiable - Your Social Identification# or Social Security# or Identification #

April 2001 9
Personally Identified or Identifiable Information
Any info relating to an identified or identifiable individual:
– Ethnicity
– Marital Status
– Children, Information regarding
– Medical
– Religion

April 2001 10
Key Articles
Article 25.1
– You can take data out of EU if there is adequate protection
Article 25.6
– Exceptions if other country has adequate protection as complied to European Commission (e.g. Safe Harbor Act)

April 2001 11
Exceptions
Activities outside of Community Law
Government
Military
Other Example: Christmas card lists

April 2001 12
6 Phases of Compliance to the EUPD
Development of Awareness of New Requirements
Status Assessment of Compliance
Identify Alternate Strategic Direction to Respond to New Requirements
Creation of Tactical Plan for Deployment
Deployment of the Plan
Compliance Monitoring

April 2001 13
Notice
Notification to All Users
Publish a Privacy Policy (signed by CEO)
LogOn Banner
– Must be seen by all users of your company’s systems
– Defines ownership of network as your company’s
– Requires “OK” by User
Privacy Policy posted on Websites
Computer Usage Agreement
– New Hire & Performance Appraisal periods

April 2001 14
Consent
Unambiguous Consent
– subject has consented in advance - OK
Opt Out
– Log on banner - Logon or stop
– Direct marketing uses at website
Opt In
– BofA - Direct agreements for ATM
– Explicit Consent

April 2001 15
Purpose/Use Limitation
Data cannot be used beyond scope of notice
3rd party mailing lists
Marketing
Need to consider business practices
– 3rd party outsourcers
– PerksAtWork
– SAP and Outsourced implementors
Any time “use” changed must readdress!

April 2001 16
Processing
Collection
Recording
Organization
Storage/Archival
Retrieval
Consultation of
Use
Erasure
Destruction

April 2001 17
Security/Data Integrity
C.I.A. of Info Security
Encryption during transfer
– Web Solution: SSL
– Remote/Intranet: VPN
– Extranet/Intranet: PKI
Data Integrity
– What is sent/collected is what is received/stored

April 2001 18
Openness
Data Classification
– General, Public, Confidential, Restricted
Better controls on Data Access
System/Network Administrators/ISSOs
– Special Briefings/ S.Admin. Agreement
– Background investigations
Data Access Rules
– SAP
HR & IT Must be able to identify who has access and why

April 2001 19
Access
The individual’s access to their personal information
Ability to correct
Ability to delete inaccurate information
Ability to amend
Except where burden of expense is disproportionate to the risk of individual privacy or rights of others would be violated

April 2001 20
Complaints
Ethics Hotline
HR
Corporate Information Security
Corporate Legal
Privacy Council ?

April 2001 21
Privacy Compliance Requirements
1) Accountability
2) Purpose
3) Notice
4) Consent
5) Processing
6) Security
7) Data Integrity
8) Openness
9) Access
10) Complaints
Source: Information Privacy in the E-Universe, M. Colonna, KPMG
April 2001 22
What are our Partners doing?
Formulating worldwide policies
Consistent with EUPD
Using “safe harbor” principles
Direct Agreements
Dupont, Shell announced June 2000
AmEx, IBM, Citicorp

April 2001 23
UK Data Protection Act - Compliance steps
1) Publish privacy policy on compliance
- signed by CEO
2) Detail scope of the policy
- contractors, home use
3) Write procedures to ensure maintenance of accurate registration and notification
4) Security of info appropriate to the risks to the data subject
5) Inclusion of contracts w/3rd parties of Info Security requirements
Source: UK Stationery Office

April 2001 24
UK Data Protection Act - Compliance steps
6) Documents & Procedures ensuring the fair collection of personal data
7) Procedures guaranteeing that subject access is granted and where appropriate, exemptions are applied
8) An appointed Info Security (Data Protection) Officer within the organization w/overall responsibility for ensuring compliance with current legislation
9) Defined business mgr’s responsibilities for data protection
10) Evidentiary proof that active steps are being taken to move towards compliance w/the 1998 regulation
Source: UK Stationery Office

April 2001 25
Canada
Traditionally - Privacy is a human rights issue
Matches US in concerns
Presently leans towards EU standard in Quebec
1978 Federal Privacy Commission
– Bruce Phillips

April 2001 26
Canada
C54 - Personal Information Protection Act
Expands Privacy Rights
Enforcement expected by June 2001
House of Commons & Senate
Nutshell:
– Applies to all businesses foreign or Canadian owned

April 2001 27
Canada
Nutshell:
– Applies to all businesses foreign or Canadian owned
– To protect & enhance E-commerce (not an HR bill)
– Created to meet EUPD
– 3yrs for all personal info
– Immediate for E-commerce

April 2001 28
Other Country Considerations
Most Strict in Interpretation
– France
– Netherlands
Ondernemingsraad (Work Council)
HR dept of local office
– Germany
Least
– Australia
– South Africa

April 2001 29
Info Security - What Steps To Take
Banner notice
Privacy Policy icon on Webpages
Intranet Posting
– http://www.yourcompany.com/security or privacy
Employee handbook & Training material
– New hire pamphlet
– Value added topic for staff meetings

April 2001 30
Info Security - More Steps To Take
User Agreement & Privacy Statement
– Annual Ethics Briefing
– Request for UserID
– One for Employee, One for Employee file
Establish a Privacy Council
Monitor & Enforce Compliance
Consider industry group standards

April 2001 31
Info Security - More Steps To Take
TrustE http://www.truste.org
BBBOnline

April 2001 32
Questions Your Company Should Be Prepared to Answer
What happens if an employee does not want to consent?
Will Safe Harbor make it?
What will my company do if they are criticized by an EU member?

April 2001 33
Latest Information
The REAL election results
Standard clauses
– 12 days for draft review
– 8 days for second review

April 2001 34
Related Websites
European Union Commission decision of 26 July 2000
www.eurunion.org/partner/SafeHarbor.pdf
European Union Online
europa.eu.int/index
Safe Harbor
www.export.gov/safeharbor
HIPAA Information Site, Guides
www.hipaadvisory.com
Hipaa.wpc-edi.com/HIPAA_40asp