Posts

Cross Border Transfer Mechanism: Model Clauses

A cross border transfer is one where personal data is transferred from the EU to a country that is outside of the EU (EEA*). If the country the data is transferred to does not have an adequate level of protection, a transfer mechanism must be used. Under GDPR, Model Clauses are one of the many mechanisms that can be used for cross border transfers. Model Clauses (also known as Standard Clauses) are contractual clauses that are generally drafted and adopted by a Data Protection Authority (DPA). The Commission (one of the many EU governmental bodies) may also adopt Model Clauses, but has yet to do so. MCs set out the duties and obligations for both Controllers and Processors. There are several noticeable differences between MCs and Binding Corporate Rules (BCRs): MCs require processors to provide an adequate level of protection of the personal data. MCs may be used by unrelated entities. MCs do not require approval by the DPA. MCs can not be altered a...

Health Insurance Portability and Accountability Act (HIPAA): Notice of Privacy Practices

HIPAA regulations make up two main parts: the Privacy (HIPAA) rights of individuals related to their Protected Health Information (PHI) and the Security (HITECH) of the healthcare information held by Covered Entities. The Privacy Rule requires covered entities to provide individuals with a copy of their notice of privacy practices at the first visit/date of service. Covered Entities must be able to prove that patients received these notices; thus they generally require individuals to sign a document called "receipt of notice of privacy practices." These notices must contain information on the covered entity's uses and disclosures of the PHI. For example, there should be a statement that the PHI will be used consistent with payment of claims, treatment of the individual and for business operations (quality control, auditing or internal monitoring). In addition, the notice should contain information on instances when a signed release w...

Sample Privacy Risk Assessment Example and Explanation

Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIA can reduce the risk of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design (PbD) approach. They are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new; in fact the process has been used by a number of companies, entities and governments for over forty years now. The PIA was created by the United States Office of Technology Assessment. The U.S. Office of Management and Budget (OMB) publishes guidance on the implementation of the privacy provisions by Federal Agencies under the E-Government Act of 2002, including when to conduct a PIA. Under GDPR, PIAs have become a centerpiece and are necessary in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data pr...

Cross Border Transfer Mechanisms: Binding Corporate Rules

Outside of consent and contract there are a number of mechanisms that a company can use to transfer (cross border) personal data from the EU to outside of the EU. One of those mechanisms is Binding Corporate Rules (BCRs). BCRs were developed by the Art. 29 Data Protection Working Party as a transfer mechanism that permits multinational groups to create a contractual instrument that corresponds to their specific data processing needs. Application: (a) Must be uniform throughout the organization. (b) Must be enforceable by the data subject. (c) Must indicate clear cooperation with the DPA (Data Protection Authority). (d) Multinational companies must seek the approval of each DPA located in the country where the data is transferred from. Pros: BCRs allow data transfers to entities located in third countries, irrespective of whether the country can provide for an adequate level of data protection or not. Cons ...

Steps in Risk Assessment Performance

Risk Assessment Stages: First, we must determine if there is a need for the risk assessment to be performed. Then, we will need to describe the flow of information (data life cycle), such as collection, processing, storage, usage and deletion. Next, we will identify privacy and related risks, including threats and vulnerabilities. Moreover, recording and summarizing risk assessment findings in a digestible, concise and readable format for the end user is a necessary step. Finally, implementing the assessment findings and solutions into the project plan is the last step.

Approaching Risk Assessments

a. A privacy risk assessment is a tool used to assess the impact and risks to the privacy of personally identifiable information (PII) stored, used and exchanged by information systems. b. Risk analysis involves conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of personally identifiable information held by the organization. c. The risk analysis process usually involves: reviewing existing policies, identifying any issues/holes, assessing the likelihood of a breach, developing ways to mitigate risks, and monitoring the results of the assessment and plan development. This is how I envision approaching risk assessments. d. For example, health care providers are required to conduct risk assessments under HIPAA and attest to meaningful use criteria of EHR systems under HITECH. These...

Data Mapping Template

Data Mapping does not have to be limited to GDPR compliance. It is a good idea for any business that stores data to map out the data it possesses and what it is used for. In doing this, the business can determine which data is necessary. For example, a business can effectively save money by deleting old, outdated and unnecessary data. Below you will find a sample data mapping intake form. A more complex form may contain the types of data being stored (phone numbers, email, SSN, payment information), the data source, and/or the custodians and/or stewards of the data. You can tailor your mapping intake form to your specific needs.
Data Mapping does not have to be limited to GDPR compliance . It is good idea for a businesses who stores data to map out the data they posses and what it is used for. In doing this, they can determine which data is necessary. For example, a business can effectively save money by deleting old, outdated and unnecessary data. Below you will find a sample data mapping intake form. A more complex form may contain, the types of data being stored (phone numbers, email, SSN, payment information), the data source and or the custodians and or stewards of the data. You can tailor your mapping intake form to your specific needs. Below you will find a sample data mapping intake form. A more complex form may contain, the types of data being stored (phone numbers, email, SSN, payment information), the data source and or the custodians and or stewards of the data. You can tailor your mapping intake form to your specific needs.