Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Privacy Breach Index (September 1, 2008)
The Ponemon Institute and Hilb Rogal & Hobbs Company (HRH) have developed a Privacy Breach Index™ (PBI), a benchmarking tool that helps measure organizations' responses to data loss or theft. The index is expected to help companies safeguard against a breach, assess areas of vulnerability and benchmark data breach responses.
Argentine Authority Hosts Seminar (September 1, 2008)
The Argentine data protection authority will host the national and international data protection seminar, V Seminario Nacional e Internacional, October 7-8 at the Colegio de Escribanos de la Ciudad de Buenos Aires.
Health Information Trust Alliance (September 1, 2008)
A group of nine healthcare companies interested in enhancing the privacy and security of electronic patient information above and beyond what the Health Insurance Portability and Accountability Act (HIPAA) requires have created a consortium dedicated to delivering best practices on electronic medical records. Charter members of the Health Information Trust Alliance (HITRUST), including GE Healthcare, Highmark Inc., Pitney Bowes Inc., Cisco Systems Inc. and others, will deliver a Common Security Framework—a toolkit for protecting information and managing risks—early next year.
Michael Kirby (September 1, 2008)
The Honorable Justice Michael Kirby received Australia's inaugural Privacy Medal at a gala dinner during Privacy Awareness Week last month. Among many other contributions in the area of privacy, Kirby was recognized for his development of the 1980 OECD on the protection of privacy and the trans-border flows of personal data.
Safe Harbor Certification Mark (September 1, 2008)
The U.S. Department of Commerce has developed a certification mark to identify companies that are certified under the U.S.-European Union (EU) Safe Harbor Framework. Companies appearing on the Department of Commerce's official Safe Harbor list can display the certification mark on their Web sites for one year and annually thereafter if they renew their Safe Harbor certification.
Global Privacy Dispatches- Czech Republic- Biometric Data (September 1, 2008)
On the basis of Council Regulation (EC) No. 2252/2004, the Czech Parliament approved and implemented the amendment to Act no. 329/1999 to allow for the use of biometric data (digital photographs and fingerprints) in travel documents.
Global Privacy Dispatches- Israel- Revoked Registration of Controversial Database (September 1, 2008)
Advocate Yoram Hacohen, the head of the Israeli Law, Information and Technology Authority (ILITA) and the Databases Registrar (the Israeli privacy and data protection agency), has ordered the registration revocation of two sensitive databases.
FTC and RFID (September 1, 2008)
In a continuing exploration of the impact of radio frequency identification (RFID) technology, the Federal Trade Commission (FTC), in conjunction with the Transatlantic Symposium on the Societal Benefits of RFID, will host another workshop on RFID privacy concerns and contactless payments this month in Washington, D.C.
Spotlight On: Consumer Financial Services (September 1, 2008)
The Fair and Accurate Credit Transactions (FACT) Act requires financial institutions to create programs to identify “red flags”—key indicators of possible identity theft. Jennifer Rossi outlines the Act’s Red Flag Rules here—who is covered, what is required, and potential implementation pitfalls.
Workplace Monitoring Present and Future (September 1, 2008)
Traditionally, courts and legislatures have been unwilling to find a general right to privacy in the workplace. Accordingly, employers have enjoyed a fair amount of latitude in monitoring their employees. However, with continued advancements in the area of biometrics, workplace monitoring may be moving beyond what courts, legislatures, and employees have seen to date. The challenge for privacy officers will be balancing new employee-monitoring capabilities with employees’ privacy rights, and doing so in a way that doesn’t degrade worker productivity.
Global Privacy Dispatches- Canada- Blood Tribe (September 1, 2008)
While investigating an access request complaint (access denied), the assistant commissioner ordered the Blood Tribe Department of Health (Blood Tribe) to produce certain documents, for which it claimed solicitor-client privilege, in order to determine whether there had been a breach of its access request obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA).
IAPP Privacy Academy 2008: A Disney Classic in the Making (September 1, 2008)
…And we're not talking about mouse ears. Get ready to hear from the three major U.S. presidential campaigns at this month's IAPP Privacy Academy at Disney World. Representatives from the McCain and Obama campaigns, and Libertarian candidate Bob Barr will take the stage to discuss privacy.
Ontario Privacy Commissioner Recommends Generally Accepted Privacy Principles to Toronto Transit Com (September 1, 2008)
Ontario Information and Privacy Commissioner Ann Cavoukian hopes that publicity surrounding a Toronto Transit Commission (TTC) audit will lead to increased use of the Generally Accepted Privacy Principles (GAPP) framework. Cavoukian’s office undertook the review after UK-based human rights group, Privacy International, filed a complaint about the deployment of security cameras throughout TTC’s system. In this article, Nancy Cohen and Nicholas Cheung discuss the commissioner’s findings and describe the GAPP framework.
Accenture Case May Prove Value of Security Contract Clauses (September 1, 2008)
The case of Connecticut v. Accenture LLP demonstrates the need for companies to negotiate data privacy provisions when contracting for services that involve personal information. Such provisions would strengthen their legal position in the event a vendor loses or mishandles sensitive data. Attorneys Justine Young Gottshall and Patrick Mueller provide specific examples of terms companies should include in vendor contracts.
Notes from the Executive Director (September 1, 2008)
For many, September means back to the books, and that's certainly true for the privacy pros who will take the IAPP Certified Information Privacy Professional (CIPP) exam this month. The CIPP is fast becoming de rigueur in the marketplace and we look forward to rolling out our newest certification, the CIPP/IT, in just a couple of weeks.