David W. Stark Name of presenter(s) or subtitle MRIA Alberta Chapter


1 Privacy one year later: Compliance and industry issues in Canada and the United States
David W. Stark
MRIA Alberta Chapter, January 20, 2005

2 Privacy one year later

3 Agenda
Privacy legislation overview
Compliance: is it working?
Industry implications
Helpful resources
Q&A

4 Privacy legislation overview
[Timeline diagram, 1966 / 1974 / 1980 / 1985 / 1994 / 1998 / 2000, with two tracks: "Freedom of Information / Access" and "Privacy and Protection of Personal Data". Laws plotted: Freedom of Information Act – U.S.; Access to Info. Act – Canada; Privacy Legislation – Quebec; Privacy Act – Canada; Privacy Act – U.S.; EU Privacy Directive; PIPEDA – Canada; Safe Harbor – U.S.; PIPA – AB & BC]
Notes:
FOIA – first law to establish a legal right of access to federal government information.
Privacy Act – regulates collection, use and dissemination of personal information by federal executive branch agencies.
Quebec – first jurisdiction in North America to pass comprehensive privacy legislation affecting the private sector.
EU Privacy Directive – the export of personal information from a European country to a country that does not offer adequate protection of such information is prohibited.
Safe Harbor – the Commerce Department's response, making it possible for U.S. firms to continue cross-border data flows with EU countries.

5 Canadian approach to privacy
Federal regulations
Competition Act (1985; rev and 2001)
CRTC Telemarketing Rules (1994; rev. 2004)
PIPEDA ( ) – comprehensive law affecting all industries in the private sector
Bill C-37 (2005?) – would establish a national do-not-call registry
Anti-spam legislation (2005?)

6 Canadian approach to privacy
Provincial regulations
Personal information protection acts: QC, AB, BC
Personal health information acts: AB, SK, MB, ON
With PIPEDA and its provincial counterparts, Canada's privacy framework is closer to Europe's than to the U.S. approach.

7 U.S. approach to privacy – sectoral
Federal regulations
Video Privacy Protection Act (1988)
Telephone Consumer Protection Act (1991)
Driver's Privacy Protection Act (1994)
Telemarketing Sales Rule (1996)
Notes:
VPPA – Passed by Congress in response to the controversy surrounding the release of Judge Robert Bork's video rental records during his failed Supreme Court nomination. The Act prohibits video tape service providers from disclosing customer rental records without the informed, written consent of the consumer.
TCPA – Restrictions on unsolicited faxes (written opt-in effective 06/05); restrictions on calling cell phones with auto-dialers; national do-not-call registry for telemarketers (07/03); requirement for telemarketers to show caller I.D. (01/04); telephone curfew at 9 p.m.
DPPA – Congress enacted the Driver's Privacy Protection Act after the murder of actress Rebecca Schaeffer. Her assailant had obtained her address from the California Department of Motor Vehicles. The Act generally prohibits states from disclosing the personal information that drivers submit in order to obtain driver's licenses.
TSR – Deceptive telemarketing practices, such as sugging, mugging and frugging, made illegal. Telephone curfew at 9 p.m.

8 U.S. approach to privacy – sectoral
Federal regulations
Health Insurance Portability and Accountability Act (1996)
Financial Modernization Act (Gramm-Leach-Bliley) (1999)
Children's Online Privacy Protection Act (2000)
CAN-SPAM Law (2003)
Notes:
HIPAA – Confidentiality of health records.
FMA – Regulates the sharing of personal information about individuals who obtain financial products or services from financial institutions.
COPPA – Website operators must obtain verifiable parental consent before collecting personal information online from children under 13.
CAN-SPAM – "Controlling the Assault of Non-Solicited Pornography and Marketing Act".

9 U.S. approach to privacy – sectoral
Federal regulations
Eavesdropping and Taping Laws (FCC) – telephone interviewing, focus groups
Federal Trade Commission Act (Section 5) – obligation to abide by one's posted privacy policies

10 U.S. approach to privacy – sectoral
State regulations
Anti-spam laws
Do-not-call laws and lists
Telephone curfew laws
Eavesdropping and taping
California's Online Privacy Protection Act (CA OPPA) – must post a privacy policy on the website if collecting personally identifiable information from CA residents.
Notes:
CA OPPA is significant because the law effectively applies to website operators in each of the 50 states. The law stipulates four requirements that must be included in an organization's privacy policy:
1. Categories of PII collected and the third-party organizations with whom information may be shared;
2. Right of access to personal information – must describe the process by which an individual can review and request changes to his/her PII;
3. Must describe how the organization notifies the individual of material changes to his/her PII;
4. Must identify the effective date of the privacy policy.
These are significant because CA's law more closely resembles the European approach (comprehensive laws affecting all organizations in all sectors) than the U.S. sectoral approach.

11 What’s driving consumer privacy laws?
Most privacy regulations enacted since the early 1990s
Coincides with the digital information age – databases of PII that can be manipulated and moved offshore at the click of a button
Public opinion – greater intrusion into consumers' lives; consumers want to be left alone
Outsourcing offshore
Notes:
Consumers want greater control over how their personal information is used by organizations. Popularity of the Do-Not-Call Registry: by Sept. 2004, consumers had registered over 64 million phone numbers.
Outsourcing offshore: the EU Privacy Directive is having an impact. Lack of a national privacy law in India; a subcontractor threatened to post Americans' PII on the Internet over an unpaid invoice. Proposed legislation in the U.S. would require U.S. firms to disclose to consumers that their personal information may go offshore for processing. Another proposed bill would require offshore call centers to tell Americans where they are calling from and give them the choice of speaking to someone in the U.S.

12 Compliance: is it working?

13 Compliance in Canada
Low awareness of PIPEDA and provincial privacy laws
Federal Privacy Commissioner has treated offending organizations with kid gloves
Commissioner's Office understaffed
Still, in general, Canadian firms seem to be more privacy-conscious than their U.S. counterparts

14 Compliance in the United States
Patchwork of privacy laws is difficult for organizations
Multinationals would prefer a national privacy law (similar to PIPEDA)
FTC names offending organizations on its website
Private right of action in many U.S. laws gives rise to class action suits
EU study suggests several U.S. firms on the Safe Harbor list are not in compliance

15 Industry implications

16 Industry implications
Third-party disclosures
Clients' customer lists
Respondent PII shared with clients
List brokers / sample providers
Qualitative research: recruiter, moderator, facility
Online research
Explicit opt-in consent
Must not spoof message headers
ISP shutdowns
[Diagram labels: customer, research supplier, research client]
Notes:
Customer lists for telephone and mail studies – ideally should be based on opt-out consent, and such disclosures should be mentioned in the client's privacy policy.
Customer lists for online studies – must be based on explicit, opt-in consent for a third-party research firm to contact them. The same rules apply to list brokers / sample providers.
Database marketing – should get respondents' consent to link their personally identifiable survey responses with their customer records.
Online research carries too many risks if there isn't opt-in consent (e.g. the case of Harris Interactive, ISP shutdowns, CAN-SPAM).

17 When research firm (RF) sends invitation from its domain…
Acceptable:
From: RF on behalf of CLIENT
To: Rebecca Smith
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov :51:

MUST NOT SPOOF MESSAGE!!
From: CLIENT
To: Rebecca Smith
Subject: Complete CLIENT's survey and receive a special offer for your time
Date: Fri, 12 Nov :51:

Notes:
Sender authentication systems: Microsoft – Bonded Sender; Yahoo! – DomainKeys; AOL – Sender Policy Framework. Sender I.D. systems check for spoofing and could route such e-mails to the bulk folder or append a warning message.
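To make the sender-authentication point concrete, the following is an added example (not from the presentation) of the kind of check a receiving system applies to the two invitations above. It is a deliberately simplified SPF-style evaluator: real SPF checks the envelope sender and supports many more mechanisms, whereas this toy applies the same idea to the visible From domain, the way the Sender ID variant does. The domains, IP addresses and SPF records are constructed assumptions.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT lookups (assumed domains, not real records).
SPF_RECORDS = {
    "client.example": "v=spf1 ip4:198.51.100.0/24 -all",  # CLIENT's own servers only
    "rf.example":     "v=spf1 ip4:203.0.113.0/24 ~all",   # research firm's servers
}
ALL_RESULTS = {"-all": "fail", "~all": "softfail", "?all": "neutral", "+all": "pass", "all": "pass"}

def check_spf(domain: str, sending_ip: str) -> str:
    """Simplified SPF evaluation: ip4 mechanisms plus the trailing 'all' default."""
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                      # domain publishes no policy
    ip = ipaddress.ip_address(sending_ip)
    terms = record.split()[1:]
    for term in terms:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"                  # sending host is authorised for this domain
    return ALL_RESULTS.get(terms[-1], "neutral") if terms else "neutral"

def route_message(raw_message: str, sending_ip: str) -> tuple:
    """Check the header From domain (what the recipient sees) and decide routing."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg["From"])
    domain = address.rpartition("@")[2].lower()
    result = check_spf(domain, sending_ip)
    if result == "pass":
        return result, "inbox"
    if result == "fail":
        return result, "bulk folder"       # hard fail: treat as spoofed
    return result, "inbox with warning"    # softfail/neutral/none: deliver but flag

# Constructed messages modelled on the two slide examples; both leave the
# research firm's server at 203.0.113.10 (assumed address).
RF_SERVER_IP = "203.0.113.10"
LEGIT = (
    "From: RF on behalf of CLIENT <research@rf.example>\n"
    "To: Rebecca Smith <rebecca@example.net>\n"
    "Subject: Complete CLIENT's survey and receive a special offer for your time\n\n"
    "Survey invitation body.\n"
)
# Same message, but the From header claims CLIENT's domain instead of RF's.
SPOOFED = LEGIT.replace("RF on behalf of CLIENT <research@rf.example>",
                        "CLIENT <offers@client.example>")
```

Calling `route_message(LEGIT, RF_SERVER_IP)` yields `('pass', 'inbox')`, while `route_message(SPOOFED, RF_SERVER_IP)` yields `('fail', 'bulk folder')` because CLIENT's record does not authorise RF's server.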

18 Industry implications
Data security and retention – physical, electronic and organizational; minimum and maximum retention periods
International data flows – U.S. state laws could impact Canadian call centres and outsourcing overseas; one motive of these laws is protectionism (many U.S. jobs have been outsourced to low-wage countries)
Notes:
Data security and retention – what controls are placed on keeping data secure? Should institute minimum and maximum retention periods. Destroy personal information when it is no longer needed.

19 Industry implications
Contracts with clients that include indemnities and privacy protection clauses
Increasing number of multinational clients require completion of comprehensive privacy assessment forms
Research is becoming more difficult to conduct
Notes:
TNS standard terms and conditions (includes a clause regarding compliance with privacy).
Privacy audit questionnaires – receive about one per month.

20 Helpful resources

21 Helpful resources
Federal Privacy Commissioner's website
International Association of Privacy Professionals
Nymity (privacy consulting firm)
CAMRO Privacy Protection Handbook

22 Helpful resources: CAMRO Privacy Protection Handbook
CD-ROM Version 1.0 released October 2003; 40 sold to date
Over 90 pages of advice
Includes legal agreements prepared by a privacy lawyer (Brian Bowman, Pitblado)
Version 2.0 to be MRIA-branded and issued soon; includes an expanded policy section and appendices unique to qualitative research

23 Thank you Tel.: (416)
