Privacy Plans & Organizations
Summary:
An example of the terminology and expectations of present-day legislation, and the importance of being prepared to accommodate evolving Privacy rules as a strategic way of doing business that benefits all parties.
Purpose:
To provide information on what Privacy Acts entail and how they are incorporated at the government level and in the private sector. To provide resources for persons with Chief Privacy Officer (CPO) responsibilities.
Advice:
People charged with the responsibility for privacy in an organization should create a solid, consistent Privacy plan. It will pay benefits today and down the road, from within and for Clients - it is called "Trust!" Implement it to anticipate a broad spectrum of legislative requirements. Start with the toughest regulations and work your way back. You will get into the habit of doing business in a way that respects privacy, which will meet most future demands without those "nasty surprises". For example, a Client file breach in California requires the organization to disclose the whole event publicly, which exposes you internationally. You can avoid a breach in the first place with good procedures.
Staff awareness and training using the right policy and procedures, along with flexible information systems, can accommodate these new demands of your privacy and compliance responsibilities. Make sure everyone is on the same page.
Only a few government organizations have an enforcement component or specific penalties for non-compliance. Some are requiring compliance and compulsory disclosure, in the European Economic Community (UK) and in California (Security Breach Information Act, SB1386). If anything, more and more legislation will follow to tighten up loopholes, force disclosure and assess fines and penalties. Many Privacy Commissions are at least providing current consumer education. A case in point is Ontario, which has information for consumers on Facebook. Another is when Google officials recently (Sept. 11, 2008) revealed, under pressure from the EEC, that "We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users." In essence, they have been violating everyone's privacy for years - now they will only abuse it less. A real comfort!
In the USA, an attempt is being made with the REAL ID Act of 2005 to create a de facto national identification card. What is disruptive is the sheer volume of information a person needs to provide to obtain one, and the amount of administrative overhead needed to maintain a national database: date of birth, gender, address, driver's licence, etc. It duplicates many of the existing ID systems already in place at the State level, of varying quality. A piece of legislation that does not make it mandatory at the state level or provide adequate funding is useless. Law enforcement personnel we have spoken to suggest it is already illegal to refuse to properly identify yourself when requested. What has been put forward is to impose much stronger and more severe penalties for providers that make, and for people that carry, false government identification cards and documents. Short of placing a smart RFID chip in everyone's head, this approach of voluntary compliance is doomed to failure.
Canada is considering new laws to protect personal identities by making it illegal to possess someone else's ID (November 2007). What is not being proposed is that handlers of personal information require permission from the owner prior to releasing it. A case in point is the practice of selling credit information to credit providers and government agencies. Abuse and poor quality control are rampant, since credit report providers are under no obligation to confirm the integrity of the information supplied by lenders, service providers, courts, etc. Unfortunately, a credit report only tells one side of the story - not yours! Even if you request a correction, your comments do not appear on a credit grantor's computer screen or improve your overall credit rating.
Data processing staff do not always look beyond the technology side of the business process. On the other hand, Chief Privacy Officers (CPOs) are charged with the responsibility for Privacy, which can lead to conflicting objectives. This is an area that needs to be clarified to identify the special needs of both parties.
Breaches do happen! Compromised organizations do have a responsibility to inform Clients, with some flexibility on "when". One large organization waited for five months, until charges were laid against an outside entity, at the request of law enforcement. On the other hand, delay can be interpreted as denial or cover-up, leading to expensive claims and litigation. So far, we have not seen one example where the actual consumer received direct compensation for blatant or even sloppy practices. Expect a lot more in 2008!
Be aware that data leaks do happen. A contingency plan is a wise undertaking, since hacking is not usually the primary source. Most times leaks come from poor procedures in handling data from within. By anticipating and handling a breach in a timely fashion, even a major incident can be handled in a professional manner and its impact minimized. It is in your interest to be aware of current laws in all jurisdictions you do business in. Take the toughest model as your blueprint to help establish due diligence. A good starting point is to look at what measures you are taking to plug the easiest drip: your own computer system(s).
For further information see our legal directory and legislation resources.