EU Privacy Directive - PowerPoint PPT Presentation

About This Presentation
Title: EU Privacy Directive
Slides: 35
Provided by: andrealc

Transcript and Presenter's Notes

1
EU Privacy Directive
  • Andrea L.C. Hoy, CISSP
  • Chief Information Security Director
  • Fluor Corporation

2
European Union: The Right to Privacy
  • Privacy is a human right in EU
  • COE - Council of Europe
  • 15 EU member states
  • 370 million people
  • Local Privacy Authorities

3
Background
  • Major Business Concerns
  • Data Collection
  • Cross-border Movement of Personal data

4
Why Address This Now?
  • EUPD Safe Harbor Act sets deadline
  • Consumers/Shareholders are aware
  • Privacy abuses are in the news
  • toysmart.com
  • Your Company's reputation - don't be the example
  • Technology Growth - Surveillance Automation
  • Create competency
  • Strengthen Company's brand name
  • E-Commerce

5
European Union Privacy Directive 1998
  • What is it?
  • It regulates the processing of identified or
    identifiable personal information and bars it from
    crossing EU borders unless the EUPD is met

6
EUPD
  • Passed October 24, 1998
  • Stemmed from E-Commerce concerns
  • Loss of business to US and other countries
  • Companies had control of the review process for
    compliance
  • EU-centric "guilty till proven innocent" vs.
    US-centric "innocent till proven guilty"

7
Processing of Personal Information
  • Very broad scope
  • Any electronic transfer, collection, storage
  • Includes private WANs/LANs
  • Back up tapes/archives
  • WWW cookies
  • Legal precedent pending
  • American Airlines

8
Personally Identified or Identifiable Information
  • Identified - Your Name(s)
  • Identifiable - Your Social Identification or
    Social Security or Identification

9
Personally Identified or Identifiable Information
  • Any info relating to an identified or
    identifiable individual
  • Ethnicity
  • Marital Status
  • Children, Information regarding
  • Medical
  • Religion

10
Key Articles
  • Article 25.1
  • You can take data out of EU if there is adequate
    protection
  • Article 25.6
  • Exceptions if the other country provides adequate
    protection as recognized by the European Commission
    (e.g. Safe Harbor Act)

11
Exceptions
  • Activities outside of Community Law
  • Government
  • Military
  • Other example: Christmas card lists

12
6 Phases of Compliance with the EUPD
  • Development of Awareness of New Requirements
  • Status Assessment of Compliance
  • Identify Alternate Strategic Direction to Respond
    to New Requirements
  • Creation of Tactical Plan for Deployment
  • Deployment of the Plan
  • Compliance Monitoring

13
Notice
  • Notification to All Users
  • Publish a Privacy Policy (signed by CEO)
  • LogOn Banner
  • Must be seen by all users of your company's
    systems
  • Defines ownership of network as your company's
  • Requires OK by user
  • Privacy Policy posted on Websites
  • Computer Usage Agreement
  • New Hire & Performance Appraisal periods

14
Consent
  • Unambiguous Consent
  • subject has consented in advance - OK
  • Opt Out
  • Log on banner - Logon or stop
  • Direct marketing uses at website
  • Opt In
  • BofA - Direct agreements for ATM
  • Explicit Consent

15
Purpose/Use Limitation
  • Data cannot be used beyond scope of notice
  • 3rd party mailing lists
  • Marketing
  • Need to consider business practices
  • 3rd party outsourcers
  • PerksAtWork
  • SAP and Outsourced implementors
  • Any time use changed must readdress!

16
Processing
  • Collection
  • Recording
  • Organization
  • Storage/Archival
  • Retrieval
  • Consultation
  • Use
  • Erasure
  • Destruction

17
Security/Data Integrity
  • C.I.A. of Info Security
  • Encryption during transfer
  • Web Solution SSL
  • Remote/Intranet VPN
  • Extranet/Intranet PKI
  • Data Integrity
  • What is sent/collected is what is received/stored

18
Openness
  • Data Classification
  • General, Public, Confidential, Restricted
  • Better controls on Data Access
  • System/Network Administrators/ISSOs
  • Special Briefings / Sys. Admin. Agreement
  • Background investigations
  • Data Access Rules
  • SAP
  • HR & IT must be able to identify who has access
    and why

19
Access
  • The individuals access to their personal
    information
  • Ability to correct
  • Ability to delete inaccurate information
  • Ability to amend
  • Except where the burden or expense is
    disproportionate to the risk to the individual's
    privacy, or where the rights of others would be
    violated

20
Complaints
  • Ethics Hotline
  • HR
  • Corporate Information Security
  • Corporate Legal
  • Privacy Council?

21
Privacy Compliance Requirements
  • 1) Accountability
  • 2) Purpose
  • 3) Notice
  • 4) Consent
  • 5) Processing

  • 6) Security
  • 7) Data Integrity
  • 8) Openness
  • 9) Access
  • 10) Complaints
  • Source: Information Privacy in the E-Universe, M.
    Colonna, KPMG

22
What are our Partners doing?
  • Formulating worldwide policies
  • Consistent with EUPD
  • Using safe harbor principles
  • Direct Agreements
  • Dupont, Shell announced June 2000
  • AmEx, IBM, Citicorp

23
UK Data Protection Act: Compliance steps
  • 1) Publish privacy policy on compliance
  • - signed by CEO
  • 2) Detail scope of the policy
  • - contractors, home use
  • 3) Write procedures to ensure maintenance of
    accurate registration and notification
  • 4) Security of info appropriate to the risks to
    the data subject
  • 5) Inclusion of Info Security requirements in
    contracts w/3rd parties
  • Source: UK Stationery Office

24
UK Data Protection Act: Compliance steps
  • 6) Documented procedures ensuring the fair
    collection of personal data
  • 7) Procedures guaranteeing that subject access is
    granted and where appropriate, exemptions are
    applied
  • 8) An appointed Info Security (Data Protection)
    Officer within the organization w/overall
    responsibility for ensuring compliance with
    current legislation
  • 9) Defined business mgrs' responsibilities for
    data protection
  • 10) Evidentiary proof that active steps are being
    taken to move towards compliance w/the 1998
    regulation
  • Source: UK Stationery Office

25
Canada
  • Traditionally - Privacy is a human rights issue
  • Matches US in concerns
  • Presently leans towards EU standard in Quebec
  • 1978 Federal Privacy Commission
  • Bruce Phillips

26
Canada
  • C54 - Personal Information Protection Act
  • Expands Privacy Rights
  • Enforcement expected by June 2001
  • House of Commons & Senate
  • Nutshell
  • Applies to all businesses foreign or Canadian
    owned

27
Canada
  • Nutshell
  • Applies to all businesses foreign or Canadian
    owned
  • To protect & enhance E-commerce (not an HR bill)
  • Created to meet EUPD
  • 3yrs for all personal info
  • Immediate for E-commerce

28
Other Country Considerations
  • Most Strict in Interpretation
  • France
  • Netherlands
  • Ondernemingsraad (Works Council)
  • HR dept of local office
  • Germany
  • Least
  • Australia
  • South Africa

29
Info Security: What Steps To Take
  • Banner notice
  • Privacy Policy icon on Webpages
  • Intranet Posting
  • http://www.yourcompany.com/security or /privacy
  • Employee handbook & Training material
  • New hire pamphlet
  • Value added topic for staff meetings

30
Info Security: More Steps To Take
  • User Agreement & Privacy Statement
  • Annual Ethics Briefing
  • Request for UserID
  • One for Employee, One for Employee file
  • Establish a Privacy Council
  • Monitor & Enforce Compliance
  • Consider industry group standards

31
Info Security: More Steps To Take
  • TRUSTe
  • http://www.truste.org
  • BBBOnline

32
Questions Your Company Should Be Prepared to Answer
  • What happens if an employee does not want to
    consent?
  • Will Safe Harbor make it?
  • What will my company do if they are criticized by
    an EU member?

33
Latest Information
  • The REAL election results
  • Standard clauses
  • 12 days for draft review
  • 8 days for second review

34
Related Websites
  • European Union Commission decision of 26 July
    2000
  • www.eurunion.org/partner/SafeHarbor.pdf
  • European Union Online
  • europa.eu.int/index
  • Safe Harbor
  • www.export.gov/safeharbor
  • HIPAA Information Site, Guides
  • www.hipaadvisory.com
  • Hipaa.wpc-edi.com/HIPAA_40asp