Presentation transcript:

Privacy one year later
Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter
January 20, 2005

Privacy one year later

Agenda
- Privacy legislation overview
- Compliance: is it working?
- Industry implications
- Helpful resources
- Q&A

Privacy legislation overview

Timeline of privacy and access legislation (markers on the slide: 1966, 1974, 1980, 1985, 1994, 1998, 2000, 2001-2004), in two tracks:

Freedom of information / access:
- Freedom of Information Act – U.S.
- Access to Info. Act – Canada

Privacy and protection of personal data:
- Privacy Act – U.S.
- Privacy Act – Canada
- Privacy legislation – Quebec
- EU Privacy Directive
- PIPEDA – Canada
- Safe Harbor – U.S.
- PIPA – AB & BC

Speaker notes:
- FOIA – first law to establish a legal right of access to federal government information.
- Privacy Act – regulates collection, use and dissemination of personal information by federal executive branch agencies.
- Quebec – 1st jurisdiction in N.A. to pass comprehensive privacy legislation affecting the private sector.
- EU Privacy Directive – the export of personal information from a European country to a country that does not offer adequate protection of such information is prohibited.
- Safe Harbor – Commerce Dept's response to make it possible for U.S. firms to continue cross-border data flows with EU countries.

Canadian approach to privacy
Federal regulations
- Competition Act (1985; rev. 1999 and 2001)
- CRTC Telemarketing Rules (1994; rev. 2004)
- PIPEDA (2001-2004) – comprehensive law affecting all industries in the private sector
- Bill C-37 (2005?) – would establish a national do-not-call registry
- Anti-spam legislation (2005?)

Canadian approach to privacy
Provincial regulations
- Personal information protection acts: QC, AB, BC
- Personal health information acts: AB, SK, MB, ON

With PIPEDA and its provincial counterparts, Canada's privacy framework is closer to Europe than the U.S.

U.S. approach to privacy – sectoral
Federal regulations
- Video Privacy Protection Act (1988)
- Telephone Consumer Protection Act (1991)
- Driver's Privacy Protection Act (1994)
- Telemarketing Sales Rule (1996)

Speaker notes:
- VPPA – Passed by Congress in response to the controversy surrounding the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination. The Act prohibits video tape service providers from disclosing customer rental records without the informed, written consent of the consumer.
- TCPA – Restrictions on unsolicited faxes (written opt-in effective 06/05); restrictions on calling cell phones with auto-dialers; national do-not-call registry for telemarketers (07/03); requirement for telemarketers to show caller I.D. (01/04); telephone curfew at 9 p.m.
- DPPA – Congress enacted the Driver's Privacy Protection Act after the murder of actress Rebecca Schaeffer. Her assailant had gotten her address from the California Department of Motor Vehicles. The Act generally prohibits states from disclosing personal information that their drivers submit in order to obtain driver's licenses.
- TSR – Deceptive telemarketing practices, such as sugging, mugging and frugging, made illegal. Telephone curfew at 9 p.m.

U.S. approach to privacy – sectoral
Federal regulations
- Health Insurance Portability and Accountability Act (1996)
- Financial Modernization Act (Gramm-Leach-Bliley) (1999)
- Children's Online Privacy Protection Act (2000)
- CAN-SPAM Law (2003)

Speaker notes:
- HIPAA – Confidentiality of health records.
- FMA – Regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions.
- COPPA – Website operators must obtain verifiable parental consent before collecting personal information online from children under 13.
- CAN-SPAM – "Controlling the Assault of Non-Solicited Pornography and Marketing Act"

U.S. approach to privacy – sectoral
Federal regulations
- Eavesdropping and Taping Laws (FCC) – telephone interviewing, focus groups
- Federal Trade Commission Act (Section 5) – obligation to abide by one's posted privacy policies

U.S. approach to privacy – sectoral
State regulations
- Anti-spam laws
- Do-not-call laws and lists
- Telephone curfew laws
- Eavesdropping and taping
- California's Online Privacy Protection Act (CA OPPA) – must post a privacy policy on the website if collecting personally-identifiable information from CA residents.

Speaker notes:
CA OPPA is significant because the law effectively applies to website operators in each of the 50 states. The law stipulates four requirements that must be included in an organization's privacy policy:
1. Categories of PII collected and third-party organizations with whom information may be shared;
2. Right of access to personal information – must describe the process by which an individual can review and request changes to his/her PII;
3. Must describe how the organization notifies the individual of material changes to his/her PII;
4. Must identify the effective date of the privacy policy.
These are significant because CA's law more closely resembles the European approach (comprehensive laws affecting all organizations in all sectors) than the U.S. sectoral approach.

What's driving consumer privacy laws?
- Most privacy regulations enacted since the early 1990s
  - Coincides with the digital information age
  - Databases of PII that can be manipulated and moved offshore at the click of a button
- Public opinion
  - Greater intrusion into consumers' lives – want to be left alone
  - Consumers want greater control over how their personal information is used by organizations
- Outsourcing offshore

Speaker notes:
- Popularity of the Do-Not-Call Registry: by Sept./2004, consumers had registered over 64 million phone numbers.
- Outsourcing offshore: the EU Privacy Directive is having an impact. Lack of a national privacy law in India; a subcontractor threatened to post Americans' PII on the Internet over an unpaid invoice.
- Proposed legislation in the U.S. would require U.S. firms to disclose to consumers that their personal information may go offshore for processing. Another proposed bill would require offshore call centers to tell Americans where they are calling from and give them the choice of speaking to someone in the U.S.

Compliance: is it working?

Compliance in Canada
- Low awareness of PIPEDA and provincial privacy laws
- Federal Privacy Commissioner has treated offending organizations with kid gloves
- Commissioner's Office understaffed
- Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts

Compliance in the United States
- Patchwork of privacy laws is difficult for organizations
- Multinationals would prefer a national privacy law (similar to PIPEDA)
- FTC names offending organizations on its website
- Private right of action in many U.S. laws gives rise to class action suits
- EU study suggests several U.S. firms on the Safe Harbor list are not in compliance

Industry implications

Industry implications
Third-party disclosures
- Clients' customer lists
- Respondent PII shared with clients
- List brokers / sample providers
- Qualitative research: recruiter, moderator, facility
Online research
- Explicit opt-in consent
- Must not spoof message headers
- ISP shutdowns

[Diagram: customer – research client – research supplier]

Speaker notes:
- Customer lists for telephone and mail studies – ideally should be based on opt-out consent, and such disclosures should be mentioned in the client's privacy policy.
- Customer lists for online studies – must be based on explicit, opt-in consent for a third-party research firm to contact them.
- The same rules apply for list brokers / sample providers.
- Database marketing – should get respondents' consent to link their personally-identifiable survey responses with their customer records.
- Online research carries too many risks if there isn't opt-in consent (e.g. the case of Harris Interactive, ISP shutdowns, CAN-SPAM).

When research firm (RF) sends invitation from its domain…

From: RF on behalf of CLIENT <xxxxxx@RF.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

MUST NOT SPOOF MESSAGE!!

From: CLIENT <surveys@CLIENT.com>
To: Rebecca Smith <rsmith@yahoo.com>
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov 2004 10:51:10 -0500

Sender authentication systems:
- Microsoft – Bonded Sender
- Yahoo! – Domain Keys
- AOL – Sender Policy Framework

Sender I.D. systems check for spoofing and could route such emails to the bulk folder or append a warning message.
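The slide's two invitations, run through a simplified SPF-style sender check, as an added example that is not part of the original presentation. The domains (rf.com, client.com), IP addresses and SPF records are constructed for the example; a real receiver queries DNS and implements the full SPF specification.

```python
"""Added example (not from the original presentation): a simplified SPF-style
sender check showing why a research firm (RF) should send invitations from its
own domain rather than spoofing the client's From address. Domains, IPs and
SPF records are constructed; real receivers query DNS and implement full SPF."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups: which hosts may send for a domain.
SPF_RECORDS = {
    "rf.com": "v=spf1 ip4:203.0.113.0/24 -all",     # research firm's own MTAs
    "client.com": "v=spf1 ip4:198.51.100.10 -all",  # client's mail server only
}

def spf_check(sender_domain: str, connecting_ip: str) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' (ip4: and all only)."""
    record = SPF_RECORDS.get(sender_domain.lower())
    if record is None:
        return "none"
    ip = ipaddress.ip_address(connecting_ip)
    verdict = "neutral"
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term == "-all":
            verdict = "fail"
        elif term == "~all":
            verdict = "softfail"
    return verdict

def classify_invitation(raw_message: str, connecting_ip: str) -> str:
    """Route to 'inbox' or 'bulk' depending on whether the From domain's record
    authorises the connecting server, as the sender-ID systems on the slide do."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg["From"])
    domain = address.rsplit("@", 1)[-1]
    return "inbox" if spf_check(domain, connecting_ip) == "pass" else "bulk"

RF_SERVER_IP = "203.0.113.25"  # constructed: RF's outbound mail server

# Constructed invitation sent from RF's own domain "on behalf of" the client.
LEGIT = """From: RF on behalf of CLIENT <surveys@rf.com>
To: Rebecca Smith <rsmith@example.com>
Subject: Complete CLIENT's survey and receive a special offer for your time

Please complete our short survey."""

# Same RF server, but the From header claims the client's domain: SPF fails.
SPOOFED = LEGIT.replace("RF on behalf of CLIENT <surveys@rf.com>",
                        "CLIENT <surveys@client.com>")
```

The legitimate message lands in the inbox because rf.com authorises RF's server; the spoofed one is routed to bulk because client.com's record does not.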

Industry implications
Data security and retention
- Physical, electronic and organizational
- Minimum and maximum retention periods
International data flows
- U.S. state laws could impact Canadian call centres and outsourcing overseas
- One motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)

Speaker notes:
Data security and retention – what controls are placed on keeping data secure? Should institute minimum and maximum retention periods. Destroy personal information when it is no longer needed.

Industry implications
- Contracts with clients that include indemnities and privacy protection clauses
- Increasing number of multinational clients require completion of comprehensive privacy assessment forms
- Research is becoming more difficult to conduct

Speaker notes:
- TNS standard terms and conditions (includes a clause regarding compliance with privacy)
- Privacy audit questionnaires – receive about one per month

Helpful resources

Helpful resources
- Federal Privacy Commissioner's website: www.privcom.gc.ca
- International Association of Privacy Professionals: www.privacyassociation.org
- Nymity (privacy consulting firm): www.nymity.com
- CAMRO Privacy Protection Handbook

Helpful resources
CAMRO Privacy Protection Handbook
- CD-ROM Version 1.0 released October, 2003
- 40 sold to date
- Over 90 pages of advice
- Includes legal agreements prepared by a privacy lawyer (Brian Bowman, Pitblado)
- Version 2.0 to be MRIA-branded and issued soon
- Includes expanded policy section and appendices unique to qual. research

Thank you
E-mail: david.stark@tns-global.com
Tel.: (416) 924-5751