The Privacy Professional

Right on the heels of South Dakota, who passed their data protection bill in February of this year, Alabama is the 50th and final State to pass a data protection bill. Alabama SB 318 was passed this month. The codification of state data protection laws began in 2003 with California. To date all remaining states have followed suit. SB 318 , seemingly incorporates Health Insurance Portability Accountability Act's ( HIPAA ) terminology and some application. Class of protected The statute applies to individuals residing within the state. Individuals rights Individuals are afforded protection from the breach , which is defined as the unauthorized acquisition of personally identifiable information (PII). PII is also referred to as personal data , in some jurisdictions. Data Protected The statute outlines the type of PII that is protected under the statute as “electronic data ” that can be any of the following : Identification number (military, driver’s

Codes of Conduct are another mechanism that can be used in transferring Personal data out of the EU to an area that is deemed not have adequate level of protection. In this article, I will explain how they created, complied with and are enforced. (1) Who Responsible for drawing up codes of conduct (a)    Governments and regulators can encourage the drawing up of codes of conduct. (b)    Codes of conduct may be created by trade associations or representative bodies. (c)    Codes should be prepared in consultation with relevant stakeholders, including individuals (Recital 99). (d)    Codes must be approved by the relevant supervisory authority; and where the processing is cross-border, the European Data Protection Board (the EDPB). (e)     Existing codes can be amended or extended to comply with the requirements under the GDPR. (2)    Codes of conduct may cover topics such as: (a)    fair and transparent processing;        (i)    Processing-means any operation or set of operations that

A cross border transfer is one where the personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country where the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model clauses are one of the many mechanism that can use used for cross border transfers . Model Clauses (Also known as Standard Clauses) are contractual clauses that are generally drafted and adopted a Data Protection Authority (DPA).  The Commission (One of the many EU governmental bodies) may also adopt Model Clauses, but have yet to do so. MCs set out the duties and obligations for both Controllers and Processors.  There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs maybe used by unrelated entities. MCs do not require approval by the DPA.  MCs can not be altered and tailored.

Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIAs can reduce the risks of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design ( PbD ) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new, in fact the process has been used by a number of companies, entities and governments for over forty years now.  The PIA was created by the United States Office of Technology Assessment. The U.S. office of Management and Budget (OMB) publishes guidance on the implementation the privacy provisions by Federal Agencies under E-Government Act of 2002, including when to conduct a PIA. Under GDPR,  PIAs have become a centerpiece and necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o

Risk Assessment Stages  First, we must determine if there is a need for the risk assessment to be performed. Then, we will need to describe the flow of information (data life cycle) such as collection, processing, storage, usage and deletion. Next, we will identify privacy and related risks –including threats and vulnerabilities. Moreover, recording and summarizing risk assessment findings in a digestible, concise and readable format for the end user is necessary step. Finally, implementing the assessment findings and solutions into the project plan is the last step.

Approaching Risk Assessments a.    A privacy risk assessment is a tool used to assess the impact and risks to the privacy of personally identifiable information (PII) stored, used and exchanged by information systems. b.     Risk Analysis involves conducting an accurate and thorough assessment of the potential risks and  vulnerabilities to the confidentiality, integrity, and availability of personal identifiable information held by the organization. c.     Risk analysis process usually involves: reviewing existing polices, identifying any issues/holes, accessing the likelihood of a breach, developing ways to mitigate risks and monitoring the results of the assessment and plan development. This is how I envision approaching risk assessments. d.     For example, health care providers are required to conduct risk assessments under HIPAA and attest to meaningful use criteria of EHR systems under HITECH. These providers must provide also documentation of this process, if audited by DHHS.