Page 1 (The Privacy Advisor, May 2010; source file May10_Advisor.pdf)

Privacy and security considerations for EHR incentives and “meaningful use”

By Stephen Gantz, CIPP/G

One of the American Recovery and Reinvestment Act of 2009’s (ARRA) (Pub. L. No. 111-5) areas of emphasis is expanding the use of health information technology, both in terms of storing and managing medical records in electronic form and in terms of facilitating the exchange of information contained in such records. The Recovery Act included significant funding to provide incentive payments to healthcare providers to adopt electronic health record (EHR) technology; these incentives require eligible providers not only to acquire and install systems, but also to demonstrate “meaningful use” of electronic health records (§4101). The criteria needed to show meaningful use were defined in a Notice of Proposed Rulemaking released on December 30 and subsequently published in the Federal Register (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)) along with an Interim Final Rule detailing standards, specifications, and certification criteria for EHR systems used by providers (Interim Final Rule, 75 Fed. Reg. 2028 (Jan. 13, 2010)). Following a 60-day comment period (through March 15, 2010), the meaningful use criteria will be finalized as the mechanisms to implement the incentive payment provisions in the Health Information Technology for Economic and Clinical Health (HITECH) Act portion of the Recovery Act. (Comment period notwithstanding, the Interim Final Rule became effective on February 12, 2010.) The rules are organized according to a set of five policy priorities specified by the Health IT Policy

See, Meaningful Use, page 3

New European Standard Contractual Clauses for data processors

By Lothar Determann

In February 2010, the European Commission approved new Standard Contractual Clauses for the transfer of personal data to processors outside the European Economic Area (New Processor Clauses). At the same time, the commission repealed its 2001 decision approving a predecessor version of such clauses (Old Processor Clauses) effective May 15, 2010. As a result, multinational organizations will consider updating their group-internal and external contracts relating to data processing and service providers can expect requests from their customers to sign updated forms. Companies should start this process immediately given the amount of information that is required by the New Processor Clauses and the fact that new contracts and changes to existing arrangements usually trigger negotiations, such as those relating to risk allocation, pricing, and other commercial terms. This article is intended to provide background, a brief summary of what is new, practical guidance as to when the new clauses are required or

See, New Processor Clauses, page 6

This Month

Notes from the Executive Director ...... 2
Risks associated with creating a new information asset ...... 10
Privacy Classifieds ...... 12
10 in 2010 ...... 13
Surveilled ...... 14
What’s a former commissioner to do? ...... 16
Global Privacy Dispatches ...... 18
Calendar of Events ...... 22

112272_advisor_Document 3 5/20/10 7:44 PM Page 1


THE PRIVACY ADVISOR

Editor
Kirk J. Nahra, CIPP, Wiley Rein [email protected]
+202.719.7335

Publications Director
Tracey [email protected]
+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD

Miranda Alfonso-Williams, CIPP, CIPP/IT, Global Privacy Leader, MDx GE Healthcare

Nathan Brooks, CIPP

Kim Bustin, CIPP/C, President, Bustin Consulting Limited

Debra Farber, CIPP, CIPP/G, Privacy Officer, The Advisory Board Company

Benjamin Farrar, CIPP, Manager, Privacy Team, Quality & RM, Ethics & Compliance, Ernst & Young LLP

Steven B. Heymann, CIPP, VP, Compliance and Information Practices, Experian

Michael Kearney, Student/Research Assistant, William & Mary School of Law

Jim Keese, CIPP, Global Privacy Officer, VP Records & Information Mgmt, The Western Union Company

Stephen Meltzer, CIPP, Privacy and Corporate Counsel, Meltzer Law Offices

David Morgan, CIPP, CIPP/C, Privacy Officer-Secondary Uses, Newfoundland and Labrador Centre for Health Information

Dan Ruch, Privacy and Data Protection Consultant, KPMG

Luis Salazar, CIPP, Partner, Infante, Zumpano, Hudson & Miloch, LLC

Heidi Salow, CIPP, Of Counsel, DLA Piper

Julie Sinor, CIPP, Information Management Consultant, PricewaterhouseCoopers, LLP

Eija Warma, Attorney, Castren & Snellman Attorneys Ltd

Frances Wiet, CIPP, Chief Privacy Officer, Hewitt Associates LLC

To Join the IAPP, call: +800.266.6501

Advertising and Sales, call: +800.266.6501

Postmaster
Send address changes to: IAPP, 170 Cider Hill Road, York, Maine 03909

Subscription Price
The Privacy Advisor is an IAPP member benefit. Nonmember subscriptions are available at $199 per year.

Requests to Reprint
Tracey [email protected]

Copyright 2010 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Notes From the Executive Director

Gathering no moss

As I write, we are busy with final preparations for the IAPP Canada Privacy Symposium in Toronto. Soon after, we’ll head to Silicon Valley and then Berlin, Brussels and Paris for this year’s European delegate tour. A year that started off with a bang continues to gain momentum. By the end of 2010, we’ll have hosted more events and programs than in any other year in our decade-long history.

This is a reflection of the increased need for information and education in our field and we will continue building our member offerings to satisfy it. This summer we will take a big step in this direction by bringing the Privacy Advisor online. Starting in July, the newsletter will move to a digital format. This change comes in response to the requests of many of you who have, in recent years, expressed an interest in receiving the monthly newsletter electronically. In our 2009 member survey, 70 percent of you stated your preference for a digital newsletter. The online edition will continue to deliver the elements you are accustomed to—expert-written feature articles, news items, and the popular Global Privacy Dispatches—and will be available to members only on our Web site.

Importantly, moving the Privacy Advisor online allows us to invest more in content generation, thereby putting more information resources in your hands through the e-newsletter and the new Knowledge Center on our Web site. In the coming months you will notice more articles, reports, news stories, and other knowledge resources such as whitepapers, original research, and news analysis as a result of this.

We are excited to bring these changes to you.

J. Trevor Hughes, CIPP
Executive Director, IAPP

2 www.privacyassociation.org

May • 2010


170 Cider Hill Road, York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS

President
Nuala O’Connor Kelly, CIPP, CIPP/G, Chief Privacy Leader & Senior Counsel, Information Governance, General Electric Company, Washington, DC

Vice President
Bojana Bellamy, LLM, Director of Data Privacy, Accenture, London, UK

Treasurer
Jeff Green, CIPP/C, VP Global Compliance & Chief Privacy Officer, RBC, Toronto, ON, Canada

Secretary
Jane C. Horvath, CIPP, CIPP/G, Senior Global Privacy Counsel, Google Inc., Washington, DC

Past President
Jonathan D. Avila, CIPP, Vice President - Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, CA

Executive Director, IAPP
J. Trevor Hughes, CIPP, York, ME

Allen Brandt, CIPP, Corporate Counsel, Chief Privacy Official, Graduate Management Admissions Council, McLean, VA

Agnes Bundy Scanlan, Esq., CIPP, Chief Regulatory Officer, TD Bank, Boston, MA

Malcolm Crompton, CIPP, Managing Director, Information Integrity Solutions Pty/Ltd, Chippendale, Australia

Stan Crosley, Esq., CIPP, Partner, Co-Director, Indiana U. Center for Strategic Health Information Provisioning, Indianapolis, IN

Dean Forbes, Senior Director Global Privacy, Schering-Plough Corporation, Kenilworth, NJ

D. Reed Freeman, Jr., CIPP, Partner, Morrison & Foerster, LLP, Washington, DC

Sandra R. Hughes, CIPP, Global Ethics, Compliance and Privacy Executive, The Procter & Gamble Company, Cincinnati, OH

Alexander W. Joel, CIPP, CIPP/G, Civil Liberties Protection Officer, Office of the Director of National Intelligence, Bethesda, MD

Brendon Lynch, CIPP, Senior Director, Privacy Strategy, Microsoft Corporation, Redmond, WA

Lisa Sotto, Esq., Partner, Hunton & Williams LLP, New York, NY

Scott Taylor, Chief Privacy Officer, Hewlett-Packard, Palo Alto, CA

Florian Thoma, Chief Data Protection Officer, Siemens, Munich, Germany

Richard Thomas CBE LLD, Centre for Information Policy Leadership, Hunton & Williams LLP, Surrey, UK

Brian Tretick, CIPP, Executive Director, Advisory Services, Ernst & Young, McLean, VA

Ex Officio Board Member
Kirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC

International Association of Privacy Professionals 3

Committee, one of two advisory bodies (the other is the Health IT Standards Committee) created through provisions in the Recovery Act. These priorities are:

1. Improving quality, safety, efficiency and reducing health disparities

2. To engage patients and families in their healthcare

3. To improve care coordination

4. Improving population and public health

5. Ensure adequate privacy and security protections for personal health information

This article focuses on the criteria associated with the fifth policy priority, which addresses security and privacy protections for personal health information and, in particular, on the lack of privacy-specific requirements in the meaningful use rules. For 2011, there is a single meaningful use measure for privacy and security: “Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement security updates as necessary.” The part of the federal code cited is part of the statutory requirements associated with the Health Insurance Portability and Accountability Act of 1996 (HIPAA); more familiarly the requirement for HIPAA-covered entities to conduct regular risk analyses is one of the administrative safeguards addressed in the HIPAA Security Rule. The reference to HIPAA requirements is intentional—by aligning certification criteria to existing HIPAA requirements, the intent is to try to help the eligible professionals and eligible hospitals that are the focus of the meaningful use rules to improve their privacy and security practices in general.

For HIPAA-covered entities seeking to qualify for health IT incentives, the fact that the privacy and security measure is already an obligation under HIPAA should in theory make it easy to satisfy; the HIPAA Security Rule has been in force since April 2003 and the deadline for entities to fully comply with the rule elapsed in April 2006. Despite this requirement, however, not all healthcare organizations comply; the results of a 2009 security survey of 196 senior-level healthcare professionals conducted by the Healthcare Information Management and Systems Society (HIMSS) found that only 74 percent of these organizations actually perform risk analyses, and of those just over half (55 percent) do so with at least annual frequency. This suggests that as many as 40 percent of healthcare organizations do not conduct risk analyses on a regular basis (and perhaps a quarter do not conduct them at all), and further suggests that similar proportions of healthcare organizations do not appear prepared to satisfy the privacy and security measure for meaningful use.

Privacy and meaningful use

Despite the inclusion of the word privacy in the fifth policy priority, as the meaningful use measures and certification criteria currently stand, there are no specific privacy requirements that must be met in order to demonstrate meaningful use. However, the healthcare providers, professionals, and organizations eligible to seek incentive funding to which the meaningful use determination applies are, without exception, HIPAA-covered entities, so there is an assumption that these entities’ obligations under the HIPAA Privacy Rule serve to make a separate meaningful use privacy requirement redundant.

The Privacy and Security Policy workgroup of the Health IT Policy Committee has proposed, within its comments and recommendations on the meaningful use rules, that an explicit requirement should be added obligating eligible entities to demonstrate compliance with HIPAA Security and Privacy Rules as a stage one objective for 2011. The rationale behind this recommendation is less about strengthening privacy provisions in the rules and more about making sure an entity cannot be considered to have met meaningful use requirements if they have been found liable or fined for a HIPAA violation. A somewhat broader recommendation is noted in the Notice of Proposed Rulemaking (Proposed Rule, 75 Fed. Reg. 1858 (Jan. 13, 2010)) to include language requiring compliance with both the HIPAA Privacy and Security Rules and the fair data sharing practices in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information, released by the Office of the National Coordinator (ONC) in December 2008. However, HHS determined that meaningful use is not the appropriate regulatory tool to ensure such compliance, choosing to omit compliance as a formal requirement as requested by the Health IT Policy Committee, while acknowledging that the use of certified EHR technology should support compliance. There are no specific meaningful use measures associated with this compliance, in part because covered entities are already obligated to comply whether or not they seek EHR incentives, and also because the assessment of meaningful use or use of certified EHR technology is not by itself indicative of compliance with HIPAA privacy or security requirements.

At the end of the day, at least for 2011, this means the meaningful use rules will not impose any additional privacy requirements on HIPAA-covered entities or business associates beyond what is already required under HIPAA as strengthened by the HITECH Act. However, organizations that are not currently fully compliant with those requirements may put themselves at risk of being found ineligible for EHR incentives, particularly if they have been the subject of any complaints or claims of violations.

Notably absent from meaningful use rules—as stressed by privacy advocates such as the Coalition for Patient Privacy—are criteria to ensure that individuals (patients) can control the use or disclosure of the information in their electronic health records. Closely related to this is the ability for EHR systems and the providers that use them to capture, manage, and respect consumer preferences about information disclosure, but this functionality is also not among the criteria published in the interim final rule. Statutory language already exists (42 CFR Part 2, Subpart C) specifying practices for health record information disclosure with consent, as well as prohibiting re-disclosure absent such consent, but these rules only apply to records concerning alcohol and drug abuse, not healthcare in general. The ONC has been working on consumer preferences since at least 2008 and has produced a Consumer Preferences Draft Requirements Document that is likely to serve as a key input should ONC move to add consumer preferences criteria to any of the meaningful use stages.

Impacts and implications

For healthcare providers or organizations interested in qualifying for EHR incentives in order to acquire, implement, and adopt EHR systems and related health information technologies, the meaningful use criteria will likely have both external and internal impacts.

The externally facing implications are the constraints that the EHR certification criteria and technical standards will put on the selection and acquisition of health IT solutions, and also in terms of environment configuration, technical architecture, and systems integration. From an internal organizational perspective, it is imperative for healthcare providers to ensure that their information security and privacy practices include regular risk analyses.

Although the meaningful use standards do not come into effect until late 2011, healthcare providers and other HIPAA-covered entities and business associates who expect to participate in the movement towards electronic health records have several reasons to act now to take appropriate steps to be able to demonstrate compliance with meaningful use requirements. First among these are the financial incentives tied to meaningful use, qualification factors for which will be added and strengthened in two additional phases in 2013 and 2015. The subsequent eligibility criteria are intended to be additive, so organizations that fall behind or are unable to demonstrate meaningful use against the first phase criteria for 2011 may find themselves in an ongoing struggle to catch up as new and more robust requirements come into effect. Second, many of the requirements and obligations in the HIPAA Privacy and Security Rules were made tougher under the provisions of the HITECH Act and those provisions generally apply directly to business associates just as they do to covered entities. These stricter rules are already in effect, but the HHS Office of Civil Rights (OCR) has suggested the requirements will not yet be enforced—as much or more due to OCR’s lack of readiness to begin enforcement and still pending audit standards to be applied than to covered entities’ or business associates’ lack of readiness to comply. This gives organizations a temporary opportunity to close any gaps in their conformance before they will be formally held accountable. Third, many of the privacy and security practices healthcare organizations should be following under HIPAA and HITECH to demonstrate meaningful use of EHR technology are the same as those needed to comply with non-health-specific legal requirements such as those in Massachusetts’ new Standards for the Protection of Personal Information (201 CMR 17), which went into effect on March 1. Even for organizations without any Massachusetts residents among their patients or customers, the requirements in the Massachusetts law are likely to be replicated in other state-level laws, raising the probability that a given organization will find itself subject to one or more of these state laws, even if no federal-level legislation is enacted.

For organizations that do not already routinely conduct risk analyses, or who do so but are concerned that their processes may not be sufficiently robust to pass muster under meaningful use, the Health IT Policy Committee is considering recommendations from its own Privacy and Security Policy Workgroup and multiple outside commenters that healthcare professionals and hospitals be given explicit guidance on performing risk analyses. The most likely source for such guidance is existing documentation from the National Institute of Standards and Technology (NIST) and the Center for Medicare and Medicaid Services related to complying with the HIPAA Security Rule where the required risk analysis is codified. Both the NIST Special Publication 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule” and CMS’ Security Rule Education Paper on “Basics of Risk Analysis and Risk Management” direct organizations to a standard security risk assessment process, documented in detail in NIST Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”

For those preferring to seek guidance outside the U.S. federal standards, the ISO/IEC 27000 series of international standards covers risk assessment and risk management for information systems, particularly in ISO/IEC 27005 (Information security risk management) and the risk assessment section of ISO/IEC 27002 (Code of practice for information security management). Those seeking to follow any of this guidance on risk management or performing risk analyses should be aware that substantially all of the guidance is written in a way that focuses on risk assessments of individual information systems, not on organizations overall. This limitation is important because the risk analysis requirement under the HIPAA Security Rule is not limited to systems used by covered entities, so it is reasonable to assume that despite the emphasis of the meaningful use rules on EHR systems, the scope for a risk analysis conducted to satisfy the meaningful use measure should address all potential risks to health information the organization has, not just the data associated with an EHR system. Organizations looking for more enterprise-level perspectives on assessing and managing risk can find relevant guidance in ISO 31000 (Risk management—Principles and guidelines), and within major IT governance frameworks such as ISACA’s Risk IT Framework based on COBIT® or the risk management section of the Information Technology Infrastructure Library (ITIL®).
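The scope caveat above (all health information the organization holds, not only the EHR system) and the SP 800-30 process the article points to, as an added Python illustration that is not code from the article or from any of the cited publications: it rates findings with the likelihood-by-impact weights tabulated in the 2002 edition of SP 800-30, flags assets holding health information that the analysis left out, and checks whether the analysis is recent enough to count as regular. The inventory, findings, analysis date and review interval are constructed sample data.

```python
# Added illustration in the style of NIST SP 800-30; not code from the article.
# Inventory, findings and dates below are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Weights from the risk-level matrix in NIST SP 800-30 (2002 edition):
# risk = likelihood x impact, banded low (1-10), medium (>10-50), high (>50-100).
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Score and band one threat/vulnerability pair."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    band = "high" if score > 50 else "medium" if score > 10 else "low"
    return score, band


@dataclass(frozen=True)
class Asset:
    name: str
    holds_health_info: bool  # any health information, electronic or paper


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class RiskAnalysis:
    performed_on: date
    assets_assessed: frozenset
    findings: tuple


def scope_gaps(inventory, analysis: RiskAnalysis) -> list[str]:
    """Assets holding health information that the analysis did not cover.
    The Security Rule requirement is organization-wide, so an analysis scoped
    to the EHR system alone leaves every other PHI-bearing asset unassessed."""
    return sorted(a.name for a in inventory
                  if a.holds_health_info and a.name not in analysis.assets_assessed)


def is_current(analysis: RiskAnalysis, today: date, max_age_days: int = 365) -> bool:
    """Treat an analysis older than the chosen review interval (assumed annual) as stale."""
    return today - analysis.performed_on <= timedelta(days=max_age_days)


def rate_findings(analysis: RiskAnalysis) -> list[tuple[str, str, float, str]]:
    """Attach score and band to every finding, highest risk first."""
    rated = [(f.asset, f.threat, *risk_level(f.likelihood, f.impact))
             for f in analysis.findings]
    return sorted(rated, key=lambda r: r[2], reverse=True)


def review(inventory, analysis: RiskAnalysis, today: date) -> dict:
    """What a reviewer of the analysis wants to see first."""
    rated = rate_findings(analysis)
    return {
        "scope_gaps": scope_gaps(inventory, analysis),
        "current": is_current(analysis, today),
        "high_risk": [(a, t) for a, t, _, band in rated if band == "high"],
    }


# Constructed inventory: EHR components plus other systems that also hold
# health information and therefore belong in the analysis.
INVENTORY = (
    Asset("EHR application server", True),
    Asset("EHR database", True),
    Asset("Practice billing system", True),
    Asset("Clinic e-mail server", True),
    Asset("Clinician laptops", True),
    Asset("Public web site", False),
)

# Constructed analysis: over a year old and scoped too narrowly.
ANALYSIS = RiskAnalysis(
    performed_on=date(2009, 3, 1),
    assets_assessed=frozenset({"EHR application server", "EHR database",
                               "Practice billing system"}),
    findings=(
        Finding("EHR database", "unpatched database software exploited", "medium", "high"),
        Finding("EHR application server", "shared clinician logins", "high", "high"),
        Finding("Practice billing system", "backup tapes lost in transit", "low", "high"),
    ),
)
REVIEW_DATE = date(2010, 5, 1)  # constructed review date


def sample_review() -> dict:
    """Run the review over the constructed data."""
    return review(INVENTORY, ANALYSIS, REVIEW_DATE)
```

On the constructed data the review reports two uncovered PHI-bearing assets (the e-mail server and the laptops), a stale analysis, and one high-band finding.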

Looking at risk analysis from a privacy perspective, organizations have few options in terms of official guidance for privacy risk assessments or even auditing compliance with the HIPAA Privacy Rule. While not health-specific, the American Institute of Certified Public Accountants (AICPA) developed and maintains a set of “generally accepted privacy principles” (GAPP), most recently updated in April 2009, which addresses risk assessment among many other criteria. AICPA also produced a spreadsheet-based Privacy Risk Assessment Tool that addresses 66 criteria across the 10 principles in the GAPP.

While some healthcare organizations may respond with a sense of relief that the meaningful use rules do not contain more specific requirements about privacy, it seems highly unlikely that this will remain the case for future stages in 2013 and 2015. These organizations should instead look to the absence of new requirements as an opportunity to either validate existing privacy protections and practices, or to augment or establish appropriate security controls and privacy practices before organizations become subject to audit or are otherwise held accountable for them.

Stephen Gantz, CISSP-ISSAP, CEH, CGEIT, CIPP/G, is an associate professor in information assurance at University of Maryland University College and directs security and privacy services for the Health Solutions division of Vangent, Inc. He can be reached at [email protected] or through his Web site, www.securityarchitecture.com.


recommended, as well as considerations as to the pros and cons and alternatives to adopting the New Processor Clauses.

I. BACKGROUND AND CONTEXT

1. Data subjects, controllers, and processors

The EC Data Protection Directive and the various national implementation laws and regulations distinguish between data subjects (i.e., the individuals to whom personal data relates), data controllers (i.e., companies and other entities that determine the purposes and means of data processing) and data processors (i.e., companies and entities that process personal data on behalf of others, namely the data controllers). The terms “personal data” and “processing” are defined very broadly: Any information relating to an identifiable individual is “personal data” and any collection, use, and transfer—even the redaction and deletion thereof—constitutes “processing.” As a result, many businesses and functions within an organization qualify as “data processor,” including software-as-a-service companies, outsourcing service businesses, payroll providers, and shared services entities within a group of affiliated companies (e.g., a U.S. parent company hosting an e-mail or voice mail server for its global subsidiaries). The exact demarcation lines between data controllers, data processors and neither-entities are still subject to controversy and very little case law and clear guidance is available to date. But it seems relatively clear that a service provider risks becoming a data controller if it contractually reserves or exercises too much control over the purposes or means of data processing, server locations, engagement of sub-processors and other key aspects of data processing arrangements. This typically has adverse effects for provider and customer, as filings, consent, notice, and other compliance requirements can be triggered in controller-controller transfer situations that may not apply in controller-processor scenarios. Also, companies risk becoming data processors by reserving rights or securing technical possibilities to access their customers’ personal data. Therefore, from a data protection law perspective, it is generally in both parties’ interests—customer and service provider alike—to keep the customer in control and minimize the amount of discretion and data access service providers have. In technologically complex situations, service providers can proactively prompt their less tech-savvy customers to give certain pre-formulated instructions or approve proposals by the service provider, but the customer and data controller should retain the right to withhold consent or issue different instructions (which may have to come at a hefty price point in the context of standardized services).

2. Three hurdles

Under national laws implementing the EC Data Protection Directive, companies in the European Economic Area (EEA) that collect and use data for their own purposes (i.e., act as “data controllers”) have to cross three hurdles before they can share personal data with data processors outside the EEA. Firstly, the European data controllers must comply with formal and substantive requirements of local data protection laws, including notifications to data protection authorities and data subjects, appointment of data protection officers, minimization of data collection, usage and retention, data security, and various other data protection law principles. These laws apply regardless of whether the data controller transfers any data within or outside the EEA.

Secondly, the data controller must confirm that the selected data processor provides sufficient data protection guarantees and conclude a contract providing that the processor shall act only on behalf of and pursuant to instructions from the data controller and in compliance with all data security requirements that apply to the data controller; this requirement applies whenever a data controller transfers any data to a data processor, regardless of whether such data processor is established within or outside the EEA.

Thirdly, the European data controller has to ensure an adequate level of data protection if the data processor is established outside the EEA. With the New Processor Clauses, European companies can take this third hurdle, but only this third hurdle. Companies should not lose sight of the fact that they have to address the first two hurdles separately, and if they fail to do so, any subsequent data processing activities will be illegal even if the New Processor Clauses are signed.

3. (Limited) effect of commission decision

The EC decision is addressed to the Member States of the EEA, but individual companies or citizens are not directly bound. Based on the decision, national data protection authorities in the EEA have to accept agreements incorporating the New Processor Clauses as sufficient to take the third of the three hurdles described in Section 2 of this article. And, after May 15, 2010, national authorities no longer have to—but could continue to—accept the Old Processor Clauses. National authorities have to accept that the New Processor Clauses provide adequate safeguards with respect to transfers of personal data to processors outside the EEA. The data protection authorities may still prohibit a particular data transfer under national law if the data controller has failed to take the first or second hurdle.

Also, the decision allows data protection authorities to take action in case of serious concerns regarding a particular data processor or destination jurisdiction. Moreover, the data protection authorities can apply and enforce national laws to the extent EC law does not apply or lacks jurisdiction. And the decision does not prohibit the national data protection authorities from establishing stricter standards for data transfers within the EEA (although this would appear to be hard to justify for the national authorities from a policy and perhaps EC law perspective, given the resulting burden for multinational enterprises that would be prevented from establishing the New Processor Clauses as a standard). Data transfers from controllers to controllers are not covered by the New Processor Clauses but are governed by two other commission decisions approving two sets of standard contractual clauses for data transfers to controllers.

II. NEW AND OLD CLAUSES

1. What is new?

Most notably, the New Processor Clauses expressly mention and restrict data transfers from one processor to another (referred to as “sub-processor”). A processor who wants or needs to transfer data to a sub-processor must:

• obtain written consent from the data controller,

• conclude a data transfer agreement with the sub-processor based on the New Processor Clauses under the laws of the jurisdiction where the data controller is based,

• assume unlimited liability for any actions and inactions of any sub-processor (even those selected by the data controller or another sub-processor) vis-à-vis the data controller and the data subjects, and

• keep a list of sub-processing agreements and make the list and copies of the agreements available to data subjects, the data controller, and the data controller's data protection supervisory authority.

This change had been proposed by the International Chamber of Commerce and various other pro-business organizations, and its adoption has been praised as an improvement. However, from a practical perspective it seems difficult to perceive a benefit to companies—either to data processors or data controllers—compared to the situation under the Old Processor Clauses: The European Commission already acknowledged in the recitals of its 2001 decision on the Old Processor Clauses that data processors may transfer data “under certain conditions.” The operative text of the Old Processor Clauses did not impose any specific additional conditions; thus, processors were permitted to transfer data to sub-processors so long as all other legal requirements were complied with. The Old Processor Clauses did not dictate any particular content or format for sub-processor agreements, which gave the parties a flexibility that has been eliminated by the New Processor Clauses. For example, under the Old Processor Clauses companies involved in payment processing may have been able to rely on a combination of bank secrecy laws and industry-standard non-disclosure agreements with respect to intermediary payment processors and clearinghouses to provide for adequate safeguards. Under Clause 11.1 of the New Processor Clauses, however, data controllers and processors now have to sign the New Processor Clauses with each and every member of the data transmission chain. Similar concerns apply in other industries, e.g., telecom providers (who have to send data via cables, routers, switches, and other equipment operated by myriad other service providers) and providers of technologically complex services that rely on subcontractors for some of their functionality.

In the more than four-year-long process of deciding on what ultimately turned out to be very few changes to the Old Processor Clauses, the Article 29 Working Group of national data protection authorities noted that onward data transfers were already permissible under the Old Processor Clauses and that onward transfer agreements could be concluded by imposing similar terms on the subcontractors (without a strict requirement to sign up sub-processors to the Old Processor Clauses). The Article 29 Working Group noted that Clause 11 in the New Processor Clauses affords better protections to data subjects (which, conversely, means more obligations on data controller and processor relating to data processing).

Another change is that in addition to the cooperation and notification duties already contained in the Old Processor Clauses (which were slightly reinforced here and there), data processors now agree to “abide by the advice of the supervisory authority” in Section 5(e) of the New Processor Clauses. Based on this clause, companies may now find that through the backdoor of contractual agreements, otherwise non-binding guidance or opinions generally published or specifically provided by data protection authorities can now receive legally binding character. This is particularly worrisome as the data protection authorities in some EEA Member States have been quite active in publishing more or less formal opinions and guidance that does not always appear to be supported by existing legislation and rarely receives reality checks in courts because the data protection authorities enforce their opinions relatively rarely.

On the positive side, the New Processor Clauses clarify that data importers are exempt from liability unless the data exporter goes out of business and no successor-in-interest assumes its liabilities, the arbitration requirement was abolished, and the sample indemnification clause was moved to an Exhibit to clarify its optional character that was already specified in the Old Processor Clauses.

2. What did not change?

The International Chamber of Commerce and other organizations that had requested changes to the Old Processor Clauses had proposed a number of reasonable changes that would have made life easier for businesses, for example allowing for multi-party agreements under one choice of law (so that multinational organizations can reduce the number of contracts they have to sign and maintain), eliminating bureaucratic requirements in the context of government approvals or notifications (e.g., signature notarization), striking the clause inviting enforcement actions by an “association or other body,” and clarifying that the parties have to provide only exemplary, not exhaustive, descriptions of their security measures and procedures in the appendix to the clauses. However, the European Commission does not have legislative jurisdiction to regulate administrative process details in the EEA Member States, and where it had jurisdiction, it nevertheless opted against most of the changes.

As a result, the New Processor Clauses continue to (with some minor modifications):

• require the data processor to act only on behalf of the data controller,

• require the data processor to comply with data security obligations under the law of the jurisdiction where the data controller is based and grant audit rights to the data controller,

• grant third-party beneficiary rights to data subjects, who can bring lawsuits under local law and in local courts convenient to them,

• impose relatively harsh liability on the data controller (for any actions or omissions by the data processor and its agents) whereas the data processor remains liable only for its own (or its subcontractor’s) breaches, and only if the data controller has gone out of business, and

• require the data processor to notify the data controller and in certain circumstances the data protection authorities about security breaches, changes in legislation, law enforcement actions and certain other events that could have an adverse impact on the data subjects or data controller and that may allow the data controller to terminate the agreement.

III. ALTERNATIVES

1. Safe Harbor

If a service provider in the United States is registered under the EU-U.S. Safe Harbor program, European data controllers do not have to take the third hurdle. As a matter of EC law, national data protection authorities have to accept a Safe Harbor registration as providing adequate safeguards. The EU-U.S. Safe Harbor Principles in turn allow onward data transfers to sub-processors that are in the EEA, are registered under the EU-U.S. Safe Harbor program, or sign a written agreement requiring the sub-processor to provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles. Under the Safe Harbor Principles, data controllers and processors do not have to use the standard contractual clauses approved by the European Commission, but they are free to draft the language for the onward contracts and have relatively few specific additional requirements or obligations to cope with. Also, the Safe Harbor Principles contain less draconian commercial risk allocation mechanisms. Overall, the Safe Harbor route seems to be preferable for data controllers and processors alike. But only U.S.-based companies that are subject to FTC jurisdiction can register, and in situations where data is transferred from the EEA to processors in countries other than the United States, a Safe Harbor filing is not available. In cases where data is sent from the EEA to the U.S. and other countries, controller and processor should consider whether it is technically and operationally possible to route all data through the United States.

2. Modified, custom-made Old Processor Clauses

Companies are not prohibited from keeping data transfer agreements based on the Old Processor Clauses in place beyond May 15, 2010, or from modifying the New Processor Clauses, or from conceiving and implementing entirely different data transfer agreements. Neither the Data Protection Directive, the commission decisions on the standard contractual clauses, nor national data protection laws expressly rule this out. But in EEA Member States where companies have to notify or obtain government approval for international data transfers, or in any EEA Member State in case of an audit or controversy, companies would have to persuade the authorities why and how the modified or alternate clauses are sufficient to provide adequate safeguards. This should be relatively compelling with respect to the Old Processor Clauses because these have been found to be sufficient for nearly 10 years and should not have become insufficient overnight. However, it has been and likely will remain very difficult to persuade authorities to accept modifications or entirely new agreements. In any event, it is time- and resource-consuming to seek approval or justify non-standard approaches. Authorities may accept modifications if they protect the data subjects equally or better than the New Processor Clauses, but companies that are willing to agree to increased protections might as well sign the New Processor Clauses without modifications and include the modifications in an attachment or separate agreement; so long as the additional clauses do not take precedence over the New Processor Clauses, the national data protection authorities would be bound by the commission decision and have to accept the agreement as sufficient.

3. Binding Corporate Rules

Companies cannot rely on Binding Corporate Rules (BCRs) for any data processing arrangements with unaffiliated service providers because BCRs can only legitimize data transfers between entities that subscribe to the same set of terms. For group-internal transfers of human resources data, companies could rely on BCRs, but they would still have to sign group-internal agreements to satisfy the second of the three hurdles described in Section 2 of this article. Despite some recent improvements, most companies shy away from pursuing the BCR route given the costs and delays following from the need to obtain government approval for the BCRs and the fact that the data protection authorities tend to insist on the same types of protections in the BCRs that are contained in the standard contractual clauses.

IV. OUTLOOK AND PRACTICAL RECOMMENDATIONS

It remains to be seen whether, in practice, the stricter requirements in the New Processor Clauses will actually translate into additional liabilities for companies and protections for data subjects, and whether the majority of companies will accept and implement the proposed multilayered structure of bilateral agreements incorporating the New Processor Clauses, or whether companies will try to pursue alternatives or fall further behind on compliance because of a perceived unreasonableness and impossibility of compliance requirements. The author is not aware of any publicized cases in which any of the standard contractual clauses approved by the European Commission or the Safe Harbor Principles have been asserted or enforced by authorities, individuals, or in courts in the near 10-year history of their respective existence.

Data processing service providers outside the EEA are or will very soon be confronted with customer requests to sign contracts based on the New Processor Clauses. Smaller providers will likely bow to pressure and sign the forms, whether they like it or not. To prepare for such requests and secure a competitive advantage, providers will try to pass on the New Processor Clauses (and/or Safe Harbor registration requirements, where possible) to their subcontractors, or reduce the number of subcontractors that qualify as “data processors” under the European rules. As a consequence, the New Processor Clauses can be expected to spread “virally” like the Old Processor Clauses and Safe Harbor registrations.

Providers that do not subcontract or that are able to secure their subcontractors’ agreement to the New Processor Clauses should consider preparing standard contracts adopting the New Processor Clauses, ideally along with clauses addressing similar requirements arising under other jurisdictions’ laws, e.g., under the California Civil Code, the Massachusetts regulations, and HIPAA.

Providers that believe they do not qualify as “data processors” because they are too tangentially involved in the processing of personal data or have no access at all can either insist on this position vis-à-vis their customers (and possibly suffer the consequences of lost business or delayed sales cycles where customers prove hard to persuade), or they can accept the clauses conditionally (i.e., based on a contractual agreement that the New Processor Clauses apply only in case the provider qualifies as a data processor).

In the contract terms incorporating the New Processor Clauses by reference, and without derogating from the New Processor Clauses, customers and service providers should consider including details on processes and additional safeguards to protect their respective interests; for example, service providers should insist that customers cannot approve additional subprocessors without the service provider’s consent, given that the service provider will automatically become liable vis-à-vis data subjects for actions and omissions of all sub-

See, New Processor Clauses, page 22

Risks associated with creating a new information asset

By David Morgan, CIPP/C

The creation of new information assets (e.g. databases) offers the potential for greater collaboration, efficient work, new discoveries, and accomplished objectives. These benefits often overshadow the risks arising from a lack of due consideration about resource availability, privacy, business continuity, and organizational reputation.

Before a new information asset is created, it is important to properly evaluate the associated risks. Once these risks have been enumerated and estimated, they can be weighed against the potential benefits. Depending on the outcome of this risk assessment, it might be more appropriate to seek approval to repurpose an existing asset or to identify an alternative activity to achieve the same objective.

This article is intended to offer a starting point from which to evaluate the risks associated with the creation of an information asset. It is not meant to replace other valuable risk-management tools.

Accountability

Information assets must have a clear accountability structure. This structure begins with a person who is responsible for day-to-day activities, and ends with a person who is accountable for the asset. Within this governance structure, there must be designated authority for making decisions about who can have access, what constitutes an acceptable use, what information the asset will contain, and when it will be destroyed. It is also important for the accountable person to know about other information assets that could be linked to the new asset, including public databases and other information assets held by the accountable person or custodian.

Questions for consideration:

• Has a sufficient governance structure been established for the information asset?

• Do the stakeholders support the governance structure?

Hosting and maintenance

Consideration should also be given to who will host and maintain the information asset. Hosting and maintenance can be done either internally or externally. Each option has its pros and cons; however, this choice will affect many other risks associated with the creation of the asset.

Questions for consideration:

• Can sufficient resources be allocated to host and maintain the information asset internally?

• Is it less expensive or more convenient to have it hosted externally?

• Are there considerations that rule out one of the hosting options?

• Are there organization policies that place restrictions on hosting information assets externally?

• If it is hosted externally, have the roles of the custodian and the information manager been agreed upon in writing?

• Does this agreement specify who is the custodian of the asset and the information contained within?

• What provisions must be found in a contract for external hosting?

Protection

Every information asset contains useful information that reveals facts about something; as such, it should be protected accordingly. Sufficient resources must be allocated to ensure protection, whether the asset is hosted internally or externally.

Questions for consideration:

• What physical, administrative, and technical safeguards will need to be placed on the information asset?

• Have sufficient resources been allocated to protect the asset?

• How will access be restricted to those who are authorized?

• Will authorized individuals need to complete confidentiality agreements?

• What protocol must be followed if there is a security breach?

• If the asset is hosted externally, how do you ensure that any claims made about information protection are being met?

Copying

Information assets are copied with alarming frequency. Every copy made increases the likelihood of information theft or loss, or inappropriate use or disclosure.

Questions for consideration:

• Can the number of copies of the information asset be controlled?

• Can a protocol be established to regulate when a copy can be made?

• Can copies be protected to the same extent as the original?

Backups

To ensure business continuity, information assets need to be backed up. If the loss of the asset has the potential to cause harm to an individual or group of individuals, backup procedures should be established and sufficient time, personnel, and storage resources should be allotted. In addition, since the backup is a copy of the asset, it will also require sufficient protection.

Questions for consideration:

• Has a backup strategy been established for the information asset?

• Does it allocate sufficient time, personnel, and storage resources?

• Can sufficient measures be taken to protect the backup from theft, loss, or destruction?

Accuracy and updates

Some information assets are meant to represent a moment in time: once the information is added, it never changes. Other information assets are intended to be dynamic—their utility depends on regular updates. Compared to static information assets, dynamic assets require significantly more effort to ensure that the information is up to date and accurate. Conclusions drawn from inaccurate information are incorrect and, in some cases, harmful.

Questions for consideration:

• Can the amount of work required to maintain the accuracy of the information in a dynamic information asset be forecasted and budgeted?

• What possible damage could be done by drawing incorrect conclusions from inaccurate information?

Linkages

By itself, the content of an information asset may present little threat to individual privacy or corporate confidentiality; however, when the information is linked with information from other sources, some of which might be publicly available, the level of threat can increase substantially.

Questions for consideration:

• Has the information asset been examined to enumerate potential data linkages and the associated risks?

• Can suitable mechanisms be established to prevent or reduce the number of linkages?
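The linkage risk above, as an added Python example that is not part of the original article: a constructed research extract with names removed but sex, birth year and postal code kept is joined against a constructed public list (think of a voter roll or membership directory) that carries names on the same fields; any extract row with exactly one match is re-identified outright. The second half shows the kind of mechanism the questions point at, generalizing the quasi-identifiers and suppressing whatever group is still smaller than k, and why generalization on its own is not enough for this data. All records, names and postal codes are constructed, and the function names are this example’s own.

```python
"""Linkage (re-identification) check on constructed data.

Added example, not from the original article. Demonstrates how a
"de-identified" extract that keeps quasi-identifiers can be joined against a
public list, and how generalization plus suppression reduces the risk.
"""
from collections import Counter, defaultdict

# Constructed sample: a research extract with names removed but the
# quasi-identifiers (sex, birth year, postal code) and a sensitive field kept.
RESEARCH_EXTRACT = [
    {"sex": "F", "birth_year": 1961, "postal": "A1B2C3", "diagnosis": "diabetes"},
    {"sex": "M", "birth_year": 1975, "postal": "A1B2C3", "diagnosis": "asthma"},
    {"sex": "M", "birth_year": 1975, "postal": "A1B2C5", "diagnosis": "hypertension"},
    {"sex": "F", "birth_year": 1988, "postal": "A1B9Z9", "diagnosis": "none"},
    {"sex": "F", "birth_year": 1988, "postal": "A1B9Z9", "diagnosis": "migraine"},
]

# Constructed sample: a public list (voter roll, membership directory) that
# carries names alongside the same quasi-identifiers.
PUBLIC_LIST = [
    {"name": "Alice Example", "sex": "F", "birth_year": 1961, "postal": "A1B2C3"},
    {"name": "Bob Example", "sex": "M", "birth_year": 1975, "postal": "A1B2C3"},
    {"name": "Carl Example", "sex": "M", "birth_year": 1975, "postal": "A1B2C5"},
    {"name": "Dana Example", "sex": "F", "birth_year": 1988, "postal": "A1B9Z9"},
    {"name": "Erin Example", "sex": "F", "birth_year": 1988, "postal": "A1B9Z9"},
]

QUASI_IDENTIFIERS = ("sex", "birth_year", "postal")


def key_of(record, fields=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple used as the join key."""
    return tuple(record[f] for f in fields)


def link(extract, public, fields=QUASI_IDENTIFIERS):
    """Join both sources on the quasi-identifiers.

    Returns {extract_row_index: [candidate names]}. A single candidate means
    the row is re-identified outright; several candidates leave ambiguity.
    """
    index = defaultdict(list)
    for row in public:
        index[key_of(row, fields)].append(row["name"])
    return {i: index.get(key_of(row, fields), []) for i, row in enumerate(extract)}


def reidentified(links):
    """Rows whose linkage produced exactly one candidate name."""
    return {i: names[0] for i, names in links.items() if len(names) == 1}


def generalize(record):
    """Coarsen the quasi-identifiers: keep only the postal prefix and the
    birth decade. Sensitive fields are left untouched."""
    out = dict(record)
    out["postal"] = record["postal"][:3]
    out["birth_year"] = record["birth_year"] // 10 * 10
    return out


def min_group_size(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group sharing one quasi-identifier tuple
    (the k of k-anonymity for this release)."""
    return min(Counter(key_of(r, fields) for r in records).values())


def suppress_small_groups(records, k, fields=QUASI_IDENTIFIERS):
    """Drop rows in groups smaller than k; they would still be linkable."""
    counts = Counter(key_of(r, fields) for r in records)
    return [r for r in records if counts[key_of(r, fields)] >= k]


def anonymize(records, k=2):
    """Generalize, then suppress whatever is still unique below k."""
    return suppress_small_groups([generalize(r) for r in records], k)


if __name__ == "__main__":
    print("raw k:", min_group_size(RESEARCH_EXTRACT))
    print("raw re-identifications:", reidentified(link(RESEARCH_EXTRACT, PUBLIC_LIST)))
    public_gen = [generalize(r) for r in PUBLIC_LIST]
    gen_only = [generalize(r) for r in RESEARCH_EXTRACT]
    print("generalized only:", reidentified(link(gen_only, public_gen)))
    released = anonymize(RESEARCH_EXTRACT, k=2)
    print("released k:", min_group_size(released), "rows:", len(released))
    print("released re-identifications:", reidentified(link(released, public_gen)))
```

On the constructed data, three of five rows are re-identified as released, and the one woman born in the 1960s stays unique even after the postal code and birth year are coarsened, which is why the suppression step is needed before the smallest group reaches k = 2. The k value and the choice of quasi-identifiers are release-specific decisions; the linking party is assumed to hold the same fields, and groups of two still leak “one of these two people has this diagnosis,” so the check should be rerun whenever a new linkable source comes to light.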

Inappropriate, unintended, and unforeseen uses

Information assets are valued differently by different people. Even after all the possible uses of an asset have been considered, there may be others that arise, not all of which may be appropriate.

Questions for consideration:

• Has sufficient consideration been given to the possible uses for the information asset?

• Can inappropriate uses be controlled?

Disclosures

Once an information asset is created, others will want to have access to its contents. Before information can be shared, it is important to understand what regulations and policies provide authority to disclose information; as well, it is important to understand what agreements might limit the ability to disclose certain information. In some cases, regulations and policies might compel certain information to be disclosed to authorities or reporting organizations.

Questions for consideration:

• Are the regulations and policies authorizing disclosure well understood?

• Is individual consent required before information is disclosed?

• What conditions might need to be placed on disclosures?

• Is the party receiving the information allowed to disclose it to someone else?

• Has a process been established to respond to, vet, and audit requests to disclose information?

• Does the process allocate sufficient time and personnel resources?

• What agreements might govern the ability to disclose certain information?

• Are the original sources of information known?

• What regulations and policies might compel disclosure?

• If the asset is hosted externally, can it be accessed to facilitate disclosure?

Transparency

Depending on the nature of the information asset and the custodian’s policies around transparency, a profile may need to be made public or disclosed to a regulating body. Some individuals or groups may not understand why the information asset has been created, or they might disagree with the reasoning, possibly causing damage to the custodian’s reputation. Moreover, if the asset is dynamic, this profile may need to be updated on a regular basis.

Questions for consideration:

• Does the information asset require the creation and maintenance of a profile? If so, who will do this?

• Might individuals or groups disagree with the creation or proposed uses of the asset?


Individual access

With very few exceptions, individuals have the right to see the information held about them whenever that information is available in an identifiable or re-identifiable format. Procedures must be established to allow an individual to receive a copy of this information upon request.

Questions for consideration:

• Has a process been established to respond to access requests?

• Does the process allocate sufficient time and personnel resources?

• Are the regulations and response timelines pertaining to access requests well understood?

• Can sufficient measures be taken to confirm the identity of individuals who request access?

• Is it necessary to record when someone accesses an individual’s information and/or when the information is disclosed?

Bankruptcy, insolvency, or closure

In the event of bankruptcy, insolvency, or closure, a custodian may want or need to sell or transfer its information assets. In some cases, selling or transferring information assets might be prohibited, while in others it may be required. The level of risk associated with closure will depend on the nature of the information asset and who is in possession of it; if the asset is hosted externally or on infrastructure owned by another organization, contractual arrangements may be necessary to ensure that it is safely returned and to prevent it from being sold.

Questions for consideration:

• Can appropriate mechanisms be established with respect to the information asset in order to ensure privacy, security, and business continuity in the event that the owner or hosting organization closes?

Destruction

There may come a time when the information asset is no longer needed or permitted; at that time, the asset should be destroyed. Unfortunately, information destruction is complex: assets are regularly copied and backed up, and information may have been extracted to share with others.

Questions for consideration:

• Can the information asset be destroyed when it reaches the end of its life?

• Will all copies, backups, and extracts of the asset need to be destroyed as well?

The author acknowledges Brian Foran and Lucy McDonald for their contributions to this article. Brian Foran is a privacy specialist with Canada Health Infoway. Lucy McDonald is a privacy consultant.

David Morgan is the privacy officer-secondary uses at the Newfoundland and Labrador Centre for Health Information, where he provides privacy guidance on provincial Electronic Health Record initiatives. He also oversees the organization’s program on secondary use of health information for research and policy development. David has a PhD in computing science from the University of Alberta and holds Certified Information Privacy Professional designations from the International Association of Privacy Professionals. He serves on the IAPP Publications Advisory Board and a number of provincial and national health information privacy committees. Find David on LinkedIn at: http://ca.linkedin.com/in/dmorgan-linkedin.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

• Senior Counsel and Deputy Chief Privacy Officer, Sprint Nextel, Reston, VA

• Corporate Counsel for Privacy, T-Mobile, Bellevue, WA

• Director, Chief Privacy Officer, Alliance Data, Easton, OH

• eBusiness Compliance and Risk Manager, SunTrust Banks, Inc., Atlanta, GA

• Privacy Counsel, The Walt Disney Company, Tokyo, Japan

• Lead Analyst - Information Governance, General Electric, Van Buren Township, MI

• Counsel, European Privacy and Regulatory Affairs, EU Privacy Leader, General Electric, Brussels

• Director, Platform Privacy, Yahoo!, Sunnyvale, CA

• CSMB Global Data Protection and Privacy, Dell Computers, UK

• Privacy Manager, Western Union, Victoria, BC


Privacy Advisor: What privacy-related advancements are you working on currently?

Suzanne Rodway: Our main advancement is in relation to the Th!nk Privacy Awareness Consortium, which we are a member of. We have joined with a number of other organizations to collaborate on ways to improve staff awareness of privacy issues. One of the essential elements for improving privacy compliance levels within an organization is engineering cultural change amongst employees. Awareness is a key part of getting that message out to staff. We do not see this as a competitive issue; instead, we see it as a way of improving levels of privacy compliance across organizations, benefiting all of our customers and employees.

The consortium will, through a creative agency, share concepts, awareness materials, and ideas about how to measure the effectiveness of awareness initiatives. One of the first actions of the consortium was to produce a set of generic Th!nk Privacy materials that could be used by any organization, but particularly those smaller and medium-sized organizations with fewer resources.

The consortium approached the Information Commissioner’s Office (the UK privacy regulator) to see if it would include these materials on its Web site for organizations to download and use free of charge. The ICO agreed and the materials are now on the Web site (www.ico.gov.uk/).

We are now focusing on the other ways the consortium can help improve privacy awareness and encourage more people to “Think Privacy.”

Privacy Advisor: What do you

see as the next big challenge

for privacy professionals in

the financial sector?

Suzanne Rodway: I think oneof the greatest challenges forthe privacy professional in the

financial services sector is in relation to balancing privacyprinciples with implementation of new technology andnew business practices. A prime example of this wouldbe the utilization of suppliers who employ cloud comput-ing technology. Many financial institutions must complywith not only data protection laws, but also complexbanking secrecy laws, too.

The use of technologies like cloud computing withinthe current legal framework we have to operate in is veryproblematic. Similar issues are found with suppliers whoutilize a follow-the-sun model, whereby the financial orga-nization's data may be transferred to/accessible from anumber of jurisdictions. The current laws relating to inter-national data transfers are not really compatible with suchmodels of free-flowing personal data. Many articles havebeen written and discussions had about the privacyissues involved in the use of these supplier models, with-out any clear conclusions. So I think as more suppliersstart to utilize the cloud environment this will continue tobe an area that lacks clarity and proves challenging forprivacy professionals, especially those in the financialservices sector.

For more information about the Th!nk Privacy AwarenessConsortium, e-mail Suzanne [email protected].

10 in 2010

A chat with Suzanne Rodway, Group Privacy Director, Barclays Bank

Suzanne Rodway

In our continuing series to celebrate the IAPP’s tenth anniversary, this month we check in with Suzanne Rodway. As group privacy director for Barclays Bank, Suzanne is responsible for overseeing compliance with privacy, data protection, and freedom of information laws worldwide. Barclays received the HP- IAPP 2009 Privacy Innovation Award in the large organization category for its cross-company approach to privacy. The Privacy Advisor chatted with Suzanneabout new privacy challenges and how she’s helping her organization—and others—rise to meet them.

“ I think one of the greatest challenges

for the privacy professional in the

financial services sector is in relation to

balancing privacy principles with the

implementation of new technology and

new business practices.”


Scenes from the IAPP Global Privacy Summit 2010

Despite certain geological disruptions, more than 1,700 privacy pros attended this year’s Global Privacy Summit in Washington, DC.

14 www.privacyassociation.org

May • 2010

(Above) Three-minute mixers were a big hit among new and not-so-new members.

(Left) This year’s event featured more than 70 breakout sessions covering a variety of topics. In this session, Rebecca Herold of Rebecca Herold & Associates discussed the privacy implications of the smart power grid.

(Above) In his keynote address, Dan Ariely said that whoever controls the default controls, controls behavior.

(Above) The IAPP mobile bookstore

(Right) Viktor Mayer-Schönberger explained the biological importance of “forgetting” in an age where it’s sometimes hard to do so.

(Left) This year’s Global Privacy Summit scholarship recipients at lunch in the exhibit hall with their KPMG mentor.


What’s a former commissioner to do?

Pamela Jones Harbour looks forward and back

Pamela Jones Harbour ended her term as a Federal Trade Commissioner on April 6. In the weeks leading up to her departure she reflected on the changes she has seen during her term, shared some of her plans for the future and discussed how the privacy landscape may look in the years to come. Harbour’s responses to these questions reflect her own views and not necessarily those of the FTC or any other individual commissioner.

Privacy Advisor: What would you say are the most significant changes you have witnessed over these past years?

Pamela Jones Harbour: I am gratified that, as I leave the commission, both privacy and data security have become a primary focus of the agency—whether measured by the allocation of resources, the depth and breadth of staff’s expertise, or the amount of enforcement and advocacy in which the commission engages. When I arrived at the commission in August 2003, the Division of Privacy and Identity Protection did not even exist yet; that is difficult to believe, given that DPIP is now so integral to the agency’s consumer protection mission.

In some sense, the commission’s approach to privacy has come full circle. Shortly after I arrived at the commission, then-Chairman Muris challenged head-on the Fair Information Practices. He argued that consumers did not exercise informed choices because the costs of weighing and exercising their choices were too high, compared to any perceived benefits. As such, the FIPs model did not accurately reveal consumer preferences and might actually impede the development of new and beneficial uses of information.

As an alternative, Chairman Muris championed a harm-based screen for privacy-related enforcement by the commission. Under this approach, commission enforcement actions focused primarily on misuses of information leading to actual physical or economic harm to consumers.

But by June 2009, with its Sears settlement, the commission had moved beyond a narrow view of the notice and choice model as well as the conventional economic harm-based approach. The commission’s complaint against Sears alleged that the company failed to adequately disclose the scope of personal information it collected via a downloadable research software application. The commission argued that, despite providing notice in a lengthy license agreement, Sears had not provided notice that was adequate or meaningful. Arguably, there was no obvious economic harm to consumers, since Sears had paid consumers $10 to download the research software. I believe the Sears settlement signaled the beginning of the commission’s shift to a broader interpretation of notice and choice, one that would go beyond the economic-based harm approach. I suggest that practitioners review carefully the lessons of Sears.

On the heels of the Sears settlement, Bureau of Consumer Protection Director David Vladeck launched a series of Privacy Roundtables, which recently concluded. One of the purposes behind the roundtables was to gather public input on current models for protecting consumer privacy. As technology evolves, existing analytical models may not fully capture the wide range of consumer expectations and privacy-related harms—including, for example, reputational harm or a fear of being monitored. As demonstrated by the Sears case, truly informed consent may be difficult to achieve when consumers never really understand how much information they are sharing, or how much of it is being collected and disclosed to third parties.

While the commission’s approach has changed over the years and under different leadership, I want to emphasize that the commission’s ultimate goal of protecting consumers has always remained the same. As markets evolve, data proliferate, and new data uses emerge, the commission constantly reconsiders how to strike the right balance between privacy protection and data-driven innovation.

With respect to data security, I have observed increased attention to these issues, and more enforcement activity, during my term. In recent years, the commission has brought 26 enforcement actions. The commission has been instrumental in raising the public consciousness regarding data security through its public awareness campaigns as well as its enforcement actions, many of which have been pursued in tandem with the 46 states that have enacted some form of data security laws.

PA: What are your plans for the future? Would you consider pursuing a career in the data privacy field, for example?

PJH: I absolutely plan to build a law practice that reflects my growing expertise and strong interest in data privacy issues, as well as other competition and consumer protection topics. In particular, I hope to further refine my concept of a consumer-focused nexus between competition and privacy, two areas that I strongly believe are interrelated. I began to develop these ideas in my dissenting statement when, in December 2007, the commission decided not to challenge the Google/DoubleClick merger. As the commission’s review of that transaction progressed, I began to appreciate that data companies increasingly compete on non-price dimensions, such as privacy protections and data security measures. In a forthcoming article in the Antitrust Law Journal, I further develop this concept of privacy competition, as well as the idea of relevant antitrust markets for data (separate and apart from markets for services fueled by those data).

I am also committed to helping businesses incorporate privacy and data security principles into their corporate cultures and everyday ways of doing business. Good privacy makes good business sense, no matter where a firm operates. One challenge that businesses face, however, is a complicated patchwork of regulations wherever they operate around the globe. As a commissioner, I have served as part of the U.S. delegation to the Electronic Commerce Steering Group of the Asia Pacific Economic Cooperation forum (APEC), where we have engaged in important efforts to develop cross-border privacy rules. I hope to expand upon the work I started as a commissioner, by helping clients to navigate the complex and ever-present issues surrounding data transfer across borders.

PA: What experiences, lessons or challenges do you expect to take away from your six-and-a-half years serving as an FTC commissioner?

PJH: One of the biggest challenges facing the commission during my term was to recognize the need for a dynamic, flexible, and technology-neutral regulatory framework that addresses and protects consumer needs. Ideally, such a framework (1) fosters, rather than inhibits, the procompetitive benefits of technological innovation, and (2) can keep pace with exponential changes that accompany the growth and evolution of technology. I plan to be one of many contributors seeking workable solutions, and I look forward to facing these challenges from a new perspective.

Another important lesson I will take with me is that while privacy is personal, it is not local. Cloud computing is a prime example of this concept. Cloud computing promises huge economies of scale, but these efficiencies are unachievable unless data are transferred across borders. The economic benefits of cloud computing are, therefore, in direct tension with the jurisdictional complexities of cross-border data transfers, given that different legal regimes provide varying levels of data protection. Realizing the full benefits of cloud computing, while maintaining rigorous privacy and data protections, will require that companies look internally at their global compliance, while at the same time, governments look externally at how their own regulatory choices may impact global competition and innovation.

PA: What are your most memorable accomplishments?

PJH: International Privacy: I worked relentlessly to develop robust relationships with the commission’s data privacy counterparts in North America, Europe, and Asia. I was particularly gratified that I, as a representative of the commission, was included in the highest-level meetings of the International Conference of Data Protection and Privacy Commissioners. While our international colleagues view many issues differently, we all recognize that the dialogue must be increasingly global and that the commission must be part of the conversation.

Nexus of Privacy and Competition: My dissent from the commission’s decision not to challenge the Google/DoubleClick merger served as a catalyst for Commission Staff’s Behavioral Advertising Principles. My comments and subsequent speeches furthered the recognition that building privacy into products and services creates competitive advantages for businesses, while also protecting consumers. I am hopeful that my commentary will spur the privacy community to consider further the intersection between privacy and competition, and that my remarks also might inform future investigations.

Behavioral Advertising: My concurrence with Commission Staff’s report on Self-Regulatory Principles for Online Behavioral Advertising provided an aspirational roadmap for commission and industry initiatives. I have been an outspoken advocate for consumer privacy protections in the wake of increased on and offline consumer data collection and storage.

PA: Looking forward, what do you hope the online privacy landscape will look like six years from now?

PJH: Six years from now, I hope the online privacy landscape in the United States has progressed toward omnibus privacy legislation that not only respects consumer expectations but also furthers convergence toward a cohesive global framework.

I would also like to see companies taking a more holistic approach in their product design and development by implementing default privacy and data security protections.

Ideally, consumers will become more educated about their online interactions—preferably as a result of improved transparency from product and service providers rather than increased levels of well-publicized enforcement actions.

Lastly, I hope to see both leading technology companies and breakthrough innovators using their substantial technological and innovative prowess to provide consumers with better tools to manage their online and cloud computing experiences.


Global Privacy Dispatches

ARGENTINA

By Pablo Palazzi

Argentine judge holds Google and Yahoo liable for posting of third-party content

An Argentine civil judge held Google and Yahoo liable for content posted by third parties to a Web site, rejecting the companies’ defenses that they were mere intermediaries, therefore not responsible for the actions of the Web site linking the name of the plaintiff to pornographic and female-escort Web sites without her consent (Rodriguez Maria Belen v. Google Inc, Juzg. N. 95, No. 99613/2006, March 4 2010). The court awarded USD $100,000 in damages.

This new case sets a different standard from one decided last year (Da Cunha v. Google) where a strict liability rule was applied to hold Yahoo and Google liable under a similar fact scenario. This case was appealed to the Civil Court of Appeals and there is no decision yet.

The judge held that the search engines are liable since they had knowledge of the illegality of the content and did not act to remove it expeditiously. The content in question was the picture and name of the plaintiff included in certain adult Web sites without her consent. The lawsuit is based on the right of image protected by a specific statute in Argentina. The judge also ordered the companies to remove the plaintiff’s name, image, likeness, and photos in the search engines’ indexes.

Pablo A. Palazzi is an attorney in the law firm of Allende & Brea, based in Buenos Aires, Argentina, with an extensive practice in intellectual property and information technology law. He is admitted to practice law in New York and Argentina. He may be reached at [email protected].

GERMANY

By Flemming Moos

Federal Constitutional Court ruling on data retention

The German Federal Constitutional Court (Bundesverfassungsgericht) on March 2, 2010 rejected the legislation requiring the general six-month retention of all electronic communications traffic. The data retention obligations implemented EC Directive 2006/24/EC and entered into force on January 1, 2008. The constitutional complaint was brought to the court by approximately 35,000 citizens (the largest number of plaintiffs ever involved in a German court case), one of the plaintiffs being current Minister of Justice Sabine Leutheusser-Schnarrenberger.

The court found in particular that the data storage was not secure enough and that the purposes of the data usages were not defined clearly enough. The judges considered "such retention an especially grave intrusion" into citizens' privacy. As a consequence, the court ordered immediate deletion of the data already collected. Furthermore, a comprehensive modification of the law is necessary in order to provide stricter conditions for the use and storage of the data. According to the decision, the data should be encoded and there should be "transparent control" of the information usage. Now, the lawmaker will have to revise the data retention provisions in order to comply with the EC directive as well as German constitutional guarantees.

ECJ declares German data protection supervision unlawful

On March 9, 2010 the European Court of Justice ruled that by making the state authorities responsible for monitoring the processing of personal data by non-public bodies subject to state scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions “with complete independence,” Germany failed to fulfill its obligations under Directive 95/46/EC.

Contrary to the position taken by the Federal Republic of Germany (and also the Attorney General), the concept of “independence” shall imply a decision-making power independent of any direct or indirect external influence on the supervisory authority. The court stated that the guarantee of independence of national supervisory authorities is intended to ensure the effectiveness and reliability of the supervision of compliance with the provisions on protection of individuals with regard to the processing of personal data and must be interpreted in the light of that aim. Therefore, when carrying out their duties, the supervisory authorities must act objectively and impartially. For that purpose, they must remain free from any external influence, including the direct or indirect influence of the state or the Länder, and not of the influence only of the supervised bodies.

Accordingly, Germany will have to revise the supervisory structure in several Länder, inter alia in Hesse, where the supervisory authority is subject to state scrutiny.

Burden of proof re faulty address data

On February 17, 2010, the Regional Court of Duesseldorf issued a judgment on the requirements for proving defects of address data that have been purchased for telephone marketing purposes. The defendant who had been sued for paying the purchase price for the data claimed that the data was faulty because no opt-in consents to telephone marketing activities had been declared by the affected individuals. The court held that this unspecified objection was not enough to prove the defectiveness of the data. It would have had to be demonstrated and proven in detail:

• which data had actually been used by the defendant

• which individuals had actually opposed the usage of the data, and

• in which specific cases eventually a declaration to cease and desist was required from the user of the data.

Flemming Moos is an attorney at DLA Piper in Germany and a certified specialist for information technology law. He chairs the IAPP KnowledgeNet in Hamburg and can be reached at [email protected].

ISRAEL

By Omer Tene

Supreme Court: anonymity is constitutional right

The Israeli Supreme Court settled a longstanding District Court split in March, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

The court prohibited an Internet service provider from disclosing a user’s identity based on his or her IP address. The user was sued as “John Doe” in a libel action based on an IP address obtained from the Web site that published his or her allegedly libelous comments.

The court wrote:

Alongside online platforms which provide user anonymity, the Internet may negate the anonymity of those whose personal data are stored in its massive database. In the past, there was no public access to personal and sensitive data and actions taken within the confines of one’s home remained far from the public eye; now the Internet provides direct and indirect access into the very heart and mind of users. The shattering ‘illusion of privacy’ online, a reality where the sense of user privacy is a myth, raises the disturbing specter of “big brother.” This invasion of privacy must be minimized. The shelter of online anonymity must be preserved within reasonable bounds as a basis for online culture. To a great extent, anonymity makes the Internet what it is today; without it there would be no liberty in the virtual world. As the prospect of digital surveillance increases, users’ behavior will radically change.

http://elyon1.court.gov.il/files/07/470/044/p10/07044470.p10.pdf (Decision in Hebrew).

Omer Tene is an Israeli legal consultant and an associate professor at the College of Management School of Law. He can be reached at [email protected].

MEXICO

By Lina Ornelas

Mexico passes Federal Data Protection Act

After nine years of intense efforts and constant lobbying, the Federal Data Protection Act has been approved in Mexico. On April 27, 2010, the Senate unanimously approved the Federal Data Protection Act fulfilling the duty of the Mexican Constitution and international standards on the matter.

In Mexico, the Federal Act on Transparency and Access to Government Public Information (FOIA) recognises the right to personal data protection and establishes the rights and principles of protection that must be observed by all government entities. However, up to this point Mexico did not have a specific legal document on data protection to regulate the private sphere.

Further to the constitutional amendments to articles 16 and 73 that recognized the right to data protection as a fundamental and autonomous right, there was a clear social demand for data protection. Previous amendments pointed out the existence of fundamental principles for which all treatments of personal data should be ruled.

As a result, data protection in Mexico has undergone several developments in recent years. In 2009, the developments reached relevant success with the main constitutional amendments cited and related directly to personal data protection and the privacy regime.

Taking into account the previous data protection initiatives, the Federal Institute of Access to Public Information (IFAI) collaborated with the Congress to create a new and innovative act. The draft of the act was also discussed with representatives of the federal government and with the private sector in order to have a balance between regulators and the regulated entities.

With the Federal Data Protection Act the current Federal Institute of Access to Public Information changes its name to Federal Institute of Access to Information and Data Protection. Therefore, from now on, the institute’s jurisdiction will expand to include the protection of personal information of private individuals and entities as well as the access to information right. With this act and the FOIA, the institute becomes the guarantee institution for data protection in both public and private spheres at the federal level in Mexico.

In this sense, the newly born act protects third-generation rights and takes into account the development of the internationally recognized principles of data protection. Furthermore, it explicitly protects sensitive personal data and incorporates elements of the OECD and APEC Privacy Frameworks, as well as establishing a free and speedy procedure to exercise the rights of individuals (access, rectification, cancellation and opposition). It also includes a procedure of tutelage for the rights of the citizens and has the attribution to impose fines (taking into consideration the economic capacity of the controller, technology, type of data and so on).

The Mexican model provides balance between free movement of data for trade whilst protecting information. Hence, the model is flexible and represents an effective tool to increase economic transactions making Mexico more competitive in the economic community.

Last but not least, with the Federal Data Protection Act and the FOIA, Mexico will continue to engage in international and regional relations on privacy and data protection in order to not only keep pace with the latest recommendations, policies and best practices, but also to cooperate at the multilateral and regional level in the enforcement of data protection laws as a result of cross-border online activities.

Mexico walks the path of democracy, and the enforcement of the right to personal data protection is of the utmost importance. Along with the major improvements in the matter, the institute now has the legal structure to protect personal data.

Lina Ornelas is general director of classified information and data protection at the Federal Institute of Access to Public Information in Mexico. She may be reached at [email protected].

(Read Lina Ornelas’s story about the Memorandum of Montevideo in the March 2010 issue of the Privacy Advisor, available on the IAPP Web site).

UNITED KINGDOM

By Eduardo Ustaran

The Privacy Dividend Report

The UK Information Commissioner, Christopher Graham, has launched the Privacy Dividend Report, which provides organizations with a financial case for data protection best practice. The report explains how to put a value on personal information and assess the benefits of protecting privacy. It includes practical tools to help organizations prepare a business case for investing in privacy protection.

In launching the report, Commissioner Graham urged organizations to put a value on personal information and invest in privacy protection. He said “no organization can neglect to protect people’s privacy. Not only is it the law, but there is also a hard-headed business imperative.”

Criminal case against BT being considered

Following the European Commission’s legal proceedings against the UK for failing to take any action over behavioral targeting, the Crown Prosecution Service is working on a potential criminal case against BT over its trials of Phorm’s system.

The CPS has reportedly said “we have requested and received technical and expert evidence, some of which we have only recently received, and which is being very carefully considered. We are currently awaiting advice from a senior barrister which we will review before coming to a conclusion. We are giving the matter meticulous attention and will reach a proper and considered decision as soon as it is possible for us to do so.”

Parliament Committee issues privacy recommendations

The House of Commons’ Culture Media and Sport Committee has released a report on press standards, privacy, and libel. The report makes recommendations aimed at balancing privacy and freedom of expression, and concludes that a new privacy law is not necessary. However, the committee has recommended the introduction of a requirement that journalists notify the subject of their articles prior to publication. The requirement would not be mandatory, but rather an aggravating factor in assessing damages. The ICO welcomed the report.

Eduardo Ustaran is head of the Privacy and Information Law Group at Field Fisher Waterhouse LLP, based in London. He is a member of the IAPP Education Advisory Board, co-chair of KnowledgeNet London, editor of Data Protection Law & Policy and co-author of E-Privacy and Online Data Protection. He may be reached at [email protected].

The IAPP Welcomes our Newest Corporate Members

SVB

Privacy Advisor news

The Privacy Advisor is now available in an easy-to-read format on the IAPP Web site. Check out the current issue or search the archives for topics of interest.

www.privacyassociation.org/privacy_advisor

Based on member demand, starting this summer the Privacy Advisor will move to a digital format. Members will receive the same exclusive content, but in an electronic, easily searchable and printable layout. See page two for more information.

Reprinted with permission from Slane Cartoons Limited.

Editor: Kirk J. Nahra, CIPP


processors. Moreover, the parties shouldconsider including transition and pay-ment obligations in case the data con-troller issues (costly) instructions to thedata processor or terminates the agree-ment early because the controller doesnot want to pay for costs caused by itsinstructions, or because the data con-troller can no longer transfer data to thejurisdiction where the processor is located, e.g., because of changes in lawor law enforcement practices. Also, theparties should address commercial riskallocation as between themselves, e.g.,who foots the bill and to what amountsin case one party is sued or sanctionedfor violations or breaches by the otherparty. Further, it might be helpful toestablish a procedural roadmap and substantive rules on how to address and cooperate in case of data securitybreaches, notifications, and compensa-tion of data subjects.

Customers should consider the relative benefits of transferring data based on a Safe Harbor filing by U.S.-based service providers. Conversely, providers should consider a Safe Harbor registration and point out to their customers the relative benefits of relying on the Safe Harbor mechanism for both data controllers and processors.

Companies and business associations should think twice before asking for changes to data protection laws or seeking guidance: As a general trend, the legal and procedural requirements tend to get stricter and more burdensome for businesses in this area. And under the New Processor Clauses, service providers now have to “abide by advice” by the authorities.

Lothar Determann practices data privacy, technology, and international business law at Baker & McKenzie LLP (www.bakernet.com) in San Francisco/Palo Alto, and teaches data privacy, e-commerce, and computer law at University of California, Berkeley School of Law (Boalt Hall) and Freie Universität Berlin.

www.privacyassociation.org

May • 2010

New Processor Clauses

continued from page 8

Calendar of Events

MAY
19-21 EuroPriSe Expert Workshop, Kiel, Germany, www.european-privacy-seal.eu/experts/expert-workshops
20-21 4th Annual DataGuidance European Data Protection Intensive, London, UK, www.dataprivacyeurope.com/
21 Children, Young People and Privacy Conference, Melbourne, Australia
26-28 IAPP Canada Privacy Symposium 2010, Toronto, ON
27-28 Belgian e-Youth Conference, Antwerp, Belgium, www.ua.ac.be

JUNE
10-11 2010 Access and Privacy Conference, Edmonton, AB, sites.google.com/site/accessandprivacy/home
14-15 IAPP Practical Privacy Series, Santa Clara, California, www.privacyassociation.org
21-25 IAPP Delegate Tour Europe, Berlin, Brussels, Paris

SEPTEMBER
22-24 OTA Online Trust & Cybersecurity Forum, Washington DC, otalliance.org/dcforum.html
29-1 Oct. IAPP Privacy Academy, Baltimore, MD, www.privacyassociation.org/academy
30 IAPP Privacy Dinner, Baltimore, MD, www.privacyassociation.org

OCTOBER
14 Privacy After Hours
27-29 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, Israel

NOVEMBER
29-30 IAPP Europe Data Protection Congress, Paris, France

DECEMBER
8-9 IAPP Practical Privacy Series, Washington, DC, www.privacyassociation.org


For certification testing dates go to www.privacyassociation.org. Exams are coming up in New York, Toronto, St. Louis, Chicago, Dallas, Denver, and Columbus.

For upcoming KnowledgeNet dates go to www.privacyassociation.org. KnowledgeNet events are coming up in Seattle, Austin, Paris, New York, and Columbus.


Regulators want to know your breach didn’t harm your customers. Now you can PROVE IT. With Debix OnCall Attack Reports you have proof for your regulators: proof consumer protection is working, proof your breach caused no harm, proof your customers and your brand are safe. 9 out of 10 Privacy Professionals prefer Debix over ordinary credit monitoring. Take the Debix OnCall Challenge and see if you agree. www.DebixOnCallChallenge.com

www.debix.com


MEMBER to MEMBER Benefit

IAPP members: Does your organization offer free or discounted products or services to other IAPP members? If so, let them know! Advertise at a DISCOUNTED RATE here in our new member-to-member benefits section.

Contact Wills Catling at [email protected] or +1.207.351.1500, ext. 118.
