Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
ICO Corporate Place (June 1, 2008)
The British Information Commissioner's Office (ICO) has released a corporate plan designed to guide its functions for the next three years. The Corporate Plan 2008-2011 outlines the ICO's direction in four major focus areas: educating and influencing; resolving problems; enforcing; and developing and improving.
Italian Privacy Institute (June 1, 2008)
Privacy advocates and legal experts have launched the Italian Institute for Privacy, says an ITnews.it report. Described as a "public policy think tank," the group will work to improve online privacy protection for Italian and European citizens by informing policy.
PPS (June 1, 2008)
Privacy pros convened in Manhattan earlier this month for the IAPP Practical Privacy Series, which featured events on human resources, financial services, and data breaches.
Innovation Awards (June 1, 2008)
The IAPP is now accepting nominations for the 2008 HP/IAPP Privacy Innovation Award. This prestigious annual award recognizes the organizations that demonstrate the year's most effective integration of privacy programs. Winners will be announced in three categories: large organization (more than 5,000 employees); small organization (fewer than 5,000 employees); and most innovative technology (any size company).
NAID Toolkit (June 1, 2008)
The nonprofit National Association for Information Destruction, Inc. (NAID) has released a toolkit for helping organizations comply with regulations surrounding information destruction. The Information Destruction Policy Compliance Toolkit contains sample policies and procedures for training, authorization and destruction for paper records, computers, magnetic tapes, optical and micro media
New Assistant Commissioner (June 1, 2008)
The Information Commissioner's Office has appointed Aubrey McCrory to lead the ICO's Northern Ireland office in Belfast. McCrory will be responsible for raising awareness surrounding the role and function of the ICO in Northern Ireland, resolving freedom of information complaints and advising on data protection issues in the private, public and community and voluntary sectors.
Hacker Posts Information on Six Million Chileans (June 1, 2008)
A computer hacker in Chile published the confidential records of six million of Chile's 16 million residents on the Internet. The information was allegedly obtained by hacking into government servers, and was posted on a technology-related blog. The data included ID card numbers, addresses, telephone numbers and academic records. The hacker left a message saying the aim was to demonstrate the poor level of data protection in Chile.
Data Protection Agency of Argentina Issues Enforcement Notices (June 1, 2008)
Data controllers who have not yet adopted security measures for personal databases are receiving their first notices requesting compliance with Disposition 11/2006, which relates to maintaining confidentiality of personal records and databases and avoiding data breaches. The first stage to adopt security ended in September 2007. Penalties for non-compliance include fines and database closure.
CNIL fights inappropriate comments towards employees (June 1, 2008)
Service Innovation Groupe France (SIG) provides sales and marketing task forces to businesses needing staff for promotional events. During an onsite investigation, the CNIL found in SIG's human resources (HR) database various inappropriate comments about personnel, such as "pain in the neck," "hygiene issues (smells)," "toothless and drinking person," "must be overloaded with work--trial before employment court in progress," "would be a thief," "has cancer, won't be able to work," "took [the company] to employment court," "theft in store," "alcoholism problem."
CCTV: A Need For Clarity (June 1, 2008)
While the French government is considering tripling the number of closed circuit television cameras (CCTVs) in public areas within two years (30,000 are expected), the French data protection authority (CNIL) addressed a memo to the Ministry of Interior to stress the need for clarification of the rules applicable to these systems.
Children's Data Protection in Europe: A New Document from WP 29 (June 1, 2008)
The Article 29 Working Party has published its Working Document 1/2008 on the protection of children's personal data (General guidelines and the special case of schools), WP 147, of February 18, 2008 (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm). The document was prepared with the highly relevant participation of the Portuguese National Commission of Data Protection. The purpose of the document is to analyse the general principles relevant to the protection of children's data, and to explain their relevance in a specific critical area, namely that of school data, and should be seen in the context of the general initiative of the European Commission described in its communication "Towards an EU strategy on the Rights of the Child."
Information Security Notification Laws on the Horizon (June 1, 2008)
Compared to their American colleagues, European privacy professionals have been somewhat spared from the headaches caused by information security breach notification requirements. There are, however, signs on the horizon that this tranquil European climate is about to change. The proposed amendments to the Electronic Communications Privacy Directive 2002/58—already introduced in the autumn of last year—impose security breach notification obligations for network operators and Internet service providers.
Retention of Operational and Localisation Data (June 1, 2008)
On 23 April 2008, the Czech Parliament approved an amendment to the Electronic Communications Act (Act no. 127/2005 Coll.) relating to the retention of operational and localisation data created or processed by the providers of electronic communications services and public communication networks. The amendment still needs to be approved by the Senate and the president of the Czech Republic before it can become effective. Under the amendment, providers must store information about the time and location of telephone calls, even if the call was not ultimately connected (i.e. the person being called did not take the call). The Data Protection Office considers such data retention as excessive.
Australian Privacy Awards (June 1, 2008)
The Australian Privacy Awards and Privacy Medal will be announced in August and the deadline for nominations ends soon. To nominate a business, government agency or nonprofit organization for a privacy award, go to www.privacy.gov.au/about/awards/index.html. The deadline for nominations is 9 July. The Australian Privacy Awards will recognize organizations that engage in good privacy practices. The Privacy Medal acknowledges an individual who has exhibited an outstanding level of achievement in advancing privacy in Australia.
Student Privacy Comes into Question (June 1, 2008)
The recent apparent suicide death of a Canadian university student in Ontario has fuelled the debate concerning challenges universities face in providing health services to students while also protecting students' privacy rights. The student's parents were upset that the university had only informed them that their daughter had been seeing a campus doctor and counsellor, and that she had been taking anti-depressants, after she went missing.
Ethical Considerations for Attorneys Responding to a Data-Security Breach (June 1, 2008)
Companies experiencing a data breach face significant legal challenges under state and federal statutes and from the threat of civil litigation. It is useful to employ outside counsel in the event of a breach because the results of internal investigations are not always protected by attorney-client privilege. This article offers insight on this and other breach response best practices and ethical considerations in this relatively new and unsettled area of law.
Notes from the Executive Director (June 1, 2008)
It's finally summer here in the northern hemisphere and as the mercury rises, thoughts naturally turn to lazy days at the beach or forest campsites in the cool of the mountains. Perhaps your vacation involves a long car ride (and a significant hit at the gas pump) to visit with relatives and friends, or a flight to somewhere exciting—Vegas, Disney—or to follow your favorite baseball team chasing dreams of post-season glory.
E-mails and the Attorney-Client Privilege: Avoiding Risk When Reviewing Employee Communications (June 1, 2008)
Employees’ use of company e-mail systems for communicating with personal attorneys raises difficult issues. On one side is attorney-client privilege. On the other is a company’s right to monitor employee communications. Andrew Serwin examines the case law, identifies the key factors guiding courts in this area, and outlines what companies should consider when assessing their computer use policies.
Are You in Compliance with COPPA? Recent State Actions Raise the Stakes (June 1, 2008)
In 2007, the Texas Attorney General brought enforcement actions against three Web site operators for violations of the Children’s Online Privacy Protection Act (COPPA). Although the Federal Trade Commission (FTC) has been active in enforcing COPPA, these actions marked the first among state Attorneys General, emphasizing the increasing importance of COPPA compliance.