Page 1: EU* Privacy Directive
Andrea L.C. Hoy, CISSP
Chief Information Security Director, Fluor Corporation
April 2001

Page 2: European Union: The Right to Privacy
- Privacy is a human right in the EU
- COE (Council of Europe)
- 15 EU member states, 370 million people
- Local privacy authorities

Page 3: Background
- Major business concerns
  - Data collection
  - Cross-border movement of personal data

Page 4: Why Address This Now?
- The EUPD and the Safe Harbor framework (an arrangement between the US Department of Commerce and the European Commission, not an Act) set deadlines
- Consumers and shareholders are aware
- Privacy abuses are in the news
  - toysmart.com
- Your company's reputation: don't be the example
- Technology growth: surveillance and automation
- Create competency
- Strengthen the company's brand name
- E-commerce

Page 5: European Union Privacy Directive (in force 1998)
What is it?
It regulates "the processing of personal information identified or identifiable" and bars such data from crossing EU borders unless the requirements of the EUPD are met.

Page 6: EUPD
- Directive 95/46/EC: adopted October 24, 1995; member states had until October 24, 1998 to transpose it, which is the date it took effect
- Stemmed from e-commerce concerns
  - Loss of business to the US and other countries
- Companies had control of the review process for compliance
- EU-centric "guilty till proven innocent" vs. US-centric "innocent till proven guilty"

Page 7: Processing of Personal Information
- Very broad scope
- Any electronic transfer, collection or storage
- Includes private WANs/LANs
- Backup tapes/archives
- WWW cookies
- Legal precedent pending
  - American Airlines

Page 8: Personally Identified or Identifiable Information
- Identified: your name(s)
- Identifiable: your social identification number, Social Security number or other identification number

Page 9: Personally Identified or Identifiable Information
Any information relating to an identified or identifiable individual:
- Ethnicity
- Marital status
- Information regarding children
- Medical
- Religion
Note that ethnicity, medical and religious data are "special categories" under Article 8 of the Directive and carry stricter processing conditions (explicit consent or another Article 8 ground) than ordinary personal data.

Page 10: Key Articles
- Article 25.1
  - Personal data may be transferred out of the EU only if the receiving country ensures adequate protection
- Article 25.6
  - The European Commission may decide that a third country ensures adequate protection (e.g., its decision accepting the US Safe Harbor framework)

Page 11: Exceptions
- Activities outside the scope of Community law
  - Government
  - Military
- Purely personal or household activities
  - Example: Christmas card lists

Page 12: 6 Phases of Compliance with the EUPD
1) Development of awareness of new requirements
2) Status assessment of compliance
3) Identify alternate strategic direction to respond to new requirements
4) Creation of tactical plan for deployment
5) Deployment of the plan
6) Compliance monitoring

Page 13: Notice
- Notification to all users
- Publish a privacy policy (signed by the CEO)
- Logon banner
  - Must be seen by all users of your company's systems
  - Defines ownership of the network as your company's
  - Requires "OK" by the user
- Privacy policy posted on websites
- Computer usage agreement
  - New hire and performance appraisal periods

Page 14: Consent
- Unambiguous consent
  - Subject has consented in advance: OK
- Opt out
  - Logon banner: log on or stop
  - Direct marketing uses at the website
- Opt in
  - BofA: direct agreements for ATM
  - Explicit consent (required for the special categories of data, such as ethnicity, health and religion)

Page 15: Purpose/Use Limitation
- Data cannot be used beyond the scope of the notice
  - 3rd-party mailing lists
  - Marketing
- Need to consider business practices
  - 3rd-party outsourcers
  - PerksAtWork
  - SAP and outsourced implementers
- Any time the "use" changes, it must be readdressed!

Page 16: Processing
- Collection
- Recording
- Organization
- Storage/archival
- Retrieval
- Consultation
- Use
- Erasure
- Destruction
(This tracks the definition of "processing" in Article 2(b) of the Directive, which also lists adaptation or alteration, disclosure by transmission, dissemination, alignment or combination, and blocking.)

Page 17: Security/Data Integrity
- C.I.A. (confidentiality, integrity, availability) of information security
- Encryption during transfer
  - Web solution: SSL
  - Remote/intranet: VPN
  - Extranet/intranet: PKI (certificates for authenticating the parties and establishing keys; it is not a transport protocol by itself)
- Data integrity
  - What is sent/collected is what is received/stored
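The slide's integrity requirement, "what is sent is what is received/stored", can be checked by the receiver rather than merely assumed from the channel. SSL or a VPN protects data while it is in flight; a keyed MAC attached by the sender lets the receiving side verify the record on arrival and again later against what is in storage. The following is an added example and not code from the original slides or from Fluor; the shared key, record fields, and tamper scenario are constructed for illustration.

```python
"""Integrity envelope for a personal-data record crossing a border.

Added example (not from the original slides). The sender attaches an
HMAC-SHA256 tag computed over a canonical serialization of the record;
the receiver recomputes the tag and compares it in constant time. Any
change to the record after sending, or a tag made with a different key,
fails verification.
"""
import hashlib
import hmac
import json

# Assumption: sender and receiver already share this key out of band
# (e.g., distributed under the PKI the slide mentions). Demo value only.
SHARED_KEY = b"demo-shared-key-do-not-use-in-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so both sides MAC exactly the same bytes.

    Sorted keys and fixed separators remove the ambiguity that would
    otherwise let two equal records produce different tags.
    """
    return json.dumps(
        record, sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def seal(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: wrap the record with its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "hmac_sha256": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side (at receipt, or later against storage).

    Recomputes the tag over the record as actually held and compares it
    with the tag that was sent, using a constant-time comparison.
    """
    expected = hmac.new(
        key, canonical_bytes(envelope["record"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, envelope.get("hmac_sha256", ""))


def demo() -> dict:
    """Run the three cases a practitioner wants to see: untouched,
    modified in storage, and tagged with the wrong key."""
    # Constructed sample record of the kind the slides describe:
    # an identified employee plus a marital-status field.
    record = {
        "employee_id": "E-10442",
        "name": "J. Example",
        "country": "DE",
        "marital_status": "married",
    }
    envelope = seal(record)
    untouched = verify(envelope)

    # Tamper scenario: a field is rewritten after sending (e.g., by a
    # storage layer or an intermediary); the tag no longer matches.
    tampered = json.loads(json.dumps(envelope))
    tampered["record"]["marital_status"] = "single"
    modified = verify(tampered)

    # A tag produced under some other key is not accepted either.
    wrong_key = verify(envelope, key=b"some-other-key")

    return {"untouched": untouched, "tampered": modified, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())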

Page 18: Openness
- Data classification
  - General, Public, Confidential, Restricted
- Better controls on data access
- System/network administrators/ISSOs
  - Special briefings / system administrator agreement
  - Background investigations
- Data access rules
  - SAP
- HR and IT must be able to identify who has access and why

Page 19: Access
The individual's access to their personal information:
- Ability to correct
- Ability to delete inaccurate information
- Ability to amend
- Except where the burden or expense is disproportionate to the risk to the individual's privacy, or where the rights of others would be violated

Page 20: Complaints
- Ethics hotline
- HR
- Corporate Information Security
- Corporate Legal
- Privacy Council?

Page 21: Privacy Compliance Requirements
1) Accountability
2) Purpose
3) Notice
4) Consent
5) Processing
6) Security
7) Data integrity
8) Openness
9) Access
10) Complaints

Source: Information Privacy in the E-Universe, M. Colonna, KPMG

Page 22: What are our Partners doing?
- Formulating worldwide policies consistent with the EUPD
- Using "safe harbor" principles
- Direct agreements
- DuPont and Shell announced in June 2000
- AmEx, IBM, Citicorp

Page 23: UK Data Protection Act: Compliance steps
1) Publish a privacy policy on compliance
   - signed by the CEO
2) Detail the scope of the policy
   - contractors, home use
3) Write procedures to ensure maintenance of accurate registration and notification
4) Security of information appropriate to the risks to the data subject
5) Inclusion in contracts with 3rd parties of information security requirements

Source: UK Stationery Office

Page 24: UK Data Protection Act: Compliance steps (continued)
6) Documents and procedures ensuring the fair collection of personal data
7) Procedures guaranteeing that subject access is granted and, where appropriate, exemptions are applied
8) An appointed Information Security (Data Protection) Officer within the organization with overall responsibility for ensuring compliance with current legislation
9) Defined business managers' responsibilities for data protection
10) Evidentiary proof that active steps are being taken to move towards compliance with the Data Protection Act 1998

Source: UK Stationery Office

Page 25: Canada
- Traditionally, privacy is a human rights issue
- Matches the US in concerns
- Presently leans towards the EU standard in Quebec
- Federal Privacy Commissioner (office dates from 1978)
  - Bruce Phillips

Page 26: Canada
- Bill C-54 (reintroduced as C-6): Personal Information Protection and Electronic Documents Act (PIPEDA)
- Expands privacy rights
- Enforcement expected by June 2001
- House of Commons and Senate
- Nutshell:
  - Applies to all businesses, foreign or Canadian owned

Page 27: Canada
- Nutshell:
  - Applies to all businesses, foreign or Canadian owned
  - To protect and enhance e-commerce (not an HR bill)
  - Created to meet the EUPD
  - Phased in: immediate for e-commerce, 3 years for all personal information

Page 28: Other Country Considerations
- Most strict in interpretation
  - France
  - Netherlands
    - Ondernemingsraad (works council)
    - HR department of the local office
  - Germany
- Least strict
  - Australia
  - South Africa

Page 29: Info Security: What Steps To Take
- Banner notice
- Privacy policy icon on web pages
- Intranet posting
  - http://www.yourcompany.com/security or /privacy
- Employee handbook and training material
  - New hire pamphlet
  - Value-added topic for staff meetings

Page 30: Info Security: More Steps To Take
- User agreement and privacy statement
  - Annual ethics briefing
  - Request for UserID
  - One copy for the employee, one for the employee file
- Establish a Privacy Council
- Monitor and enforce compliance
- Consider industry group standards

Page 31: Info Security: More Steps To Take
- TRUSTe: http://www.truste.org
- BBBOnLine

Page 32: Questions Your Company Should Be Prepared to Answer
- What happens if an employee does not want to consent?
- Will Safe Harbor make it?
- What will my company do if it is criticized by an EU member?

Page 33: Latest Information
- The REAL election results
- Standard (contractual) clauses for transfers out of the EU
  - 12 days for draft review
  - 8 days for second review

Page 34: Related Websites
- European Union Commission decision of 26 July 2000 (Safe Harbor adequacy decision)
  www.eurunion.org/partner/SafeHarbor.pdf
- European Union Online
  europa.eu.int/index
- Safe Harbor
  www.export.gov/safeharbor
- HIPAA information site, guides
  www.hipaadvisory.com
  Hipaa.wpc-edi.com/HIPAA_40asp