Privacy Flashcards
Organization for Economic Cooperation and Development (OECD)
Issued guidelines on the Protection of Privacy and Transborder Flows of Personal Data, which have been classified as privacy principles
OECD Privacy Guidelines/Principles
Notice - data subjects should be given notice when their data is being collected
Purpose - data should only be used for purpose stated and for no other purpose
Consent - data should not be disclosed without the data subject's consent
Security - collected data should be kept secure from any potential abuses
Disclosure - data subjects should be informed as to who is collecting their data
Access - data subjects should be allowed to access their data and make corrections to any inaccurate data
Accountability - data subjects should have a method available to them to hold data collectors accountable for not following the other principles
No Purple Car Sold, Do Act Alarmed
General Data Protection Regulation (GDPR)?
Who must enact?
Who is penalized for violations and what penalties do they face?
Privacy regulation enacted by the EU to protect citizens from data breaches that result in loss of privacy of PII
Includes 9 EU Privacy Principles - supersedes and strengthens the EU Data Protection Directive
All EU member states were required to enact it
Consequences for companies that control or process PII for EU citizens including heavy fines for violation
EU Privacy Principles
- Collection Limitation Principle
- Data Quality Principle
- Purpose Specification
- Use Limitation Principle
- Security Safeguard Principle
- Openness Principle
- Individual Participation Principle
- Accountability Principle
- Right to be Forgotten or Erased
U COPS RAID
EU Data Protection Directive 95/46/EC
EU directive enacted in 1995 concerning the protection of individuals with respect to the processing of personal data and the free movement of such data
2012 The Right to be Forgotten was added
Penalties for GDPR
Can be fined at a rate of 2% of annual global profit or 10M Euro for an initial breach
Subsequent breaches can cost up to 4% of annual global profit or 20M Euro
Self-reporting is mandatory; violators usually incur the heaviest fines - data breaches must be reported to the DPA (Data Protection Authority) within 72 hours of discovery
Additional EU Privacy Subjects
- E-Privacy Directive - deals with regulation of information confidentiality, treatment of traffic data, spam, and use of cookies
- Safe Harbor Program - a program that required US companies processing EU citizens' PII to meet various standards developed by the US Dept of Commerce
- Model Contracts - EU-approved contracts that create a bond between multinational companies that process EU citizens' PII
- Privacy Shield - provides companies with a mechanism to comply with EU data protection requirements when transferring data from the EU to the US
- EU Data Retention Directive - a currently discontinued directive that required ISPs and phone providers to track connection information
National Laws Compliant with EU GDPR
- All EU countries
- Argentina
- Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
- Israel
- Singapore
- Andorra
- Australia - Privacy Act 1988, Australian Privacy Principles 2014
- European Free Trade Association - Iceland, Liechtenstein, Norway, Switzerland
- Japan
- Uruguay
Other Countries/Regions Data Privacy Regulations
- African Personal Data Protection Regulations
- Asia-Pacific Economic Cooperation (APEC)
- Australia and New Zealand Privacy Principles
African Personal Data Protection Regulations
About two-thirds of African nations have adopted these regulations
Data protections include:
- Notice
- Choice and consent
- Data Security
- Data access and correction
- Data quality
- Data retention and destruction
- Registration with a Data Protection Authority (DPA)
- Cross border transfer
- Personal data breach notification
- Appointment of a Data Protection Officer (DPO)
Asia-Pacific Economic Cooperation (APEC)
Ensures the free flow of information and open conduct of business within the region, while protecting privacy
Not as stringent as the GDPR
Includes 9 privacy principles
Australia and New Zealand Privacy Principles
Makes it difficult to move sensitive information to a CSP that stores the data outside Australia and New Zealand
The Australian National Privacy Principles provide guidelines on how to collect, store, secure, process, and disclose PII and PHI
Replaced by the Australian Privacy Principles, which focus on handling personal information with 13 principles
Health Information Portability and Accountability Act - HIPAA
A national standard for electronic health care transactions and national identifiers for providers, health plans, and employers
Defines rules around handling and treatment of PHI
PHI can be stored in the cloud as long as it is stored in a manner compliant with HIPAA
Gramm-Leach-Bliley Act (GLBA)
A law to control the ways financial organizations deal with individuals' private information
Requires financial organizations to give their customers written privacy notices that explain their information-sharing practices
3 sections:
- Financial Privacy Rule - regulates the collection and disclosure of private information
- Safeguards Rule - requires financial institutions to implement security programs to protect individuals' private information
- Pretexting Provisions - prohibit accessing private information under false pretenses
Family Educational Rights and Privacy Act (FERPA)
Protects student data, including that of adult students
Once a person turns 18, parents can't get student data without consent from the student