OECD Privacy Guidlines
Organzation for Economic Cooperation and Development (OECD) – contitutes 30 nations EU, US, Mexico, Australia, Japan and Czeck Republic. The OECD framework contains eight driving principles.
- Collection Limitation principle – Personal data collection should have limits.
- Data Quality Principle – Personal data should be complete, accurate and maintained
- Purpose specification principle – Purpose should be known and use should be limited to purposes outlined a the time of collection
- Use limitation Principle – Data should never be disclosed without consent
- Security Safeguards Principle – Data should be reasonable protected against unauthorized use, disclosure or alteration
- Openness Principle – General policy concerning collection and use of personal data should be readily available
- Individual Participation Principle – individuals should be: able to find out if entity holds their data, made aware of personal data held, given reason for any denial to data held and process for challenging any denials, able to challenge the content of any personal data being used and have process for updating their personal data if found inaccurate or incomplete
- Accountability Principle – The entity using the personal data should be accountable to principles above
EU-US Safe Harbour
Personal data of EU citizens may not be transmitted to countries outside of EU even with user consent. US based organizations must voluntarily consent to EU data protection directive in order to obtain this data.
US Privacy Act of 1974
Defines how US citizens PII is used by the federal government. The act provides users individuals with access to the data being maintained related to them with some national security exceptions.
There will always be jurisdiction challenge as countries differ in laws making prosecution difficult. The most significant progress in international progress in computer crime is the council of europe convention. It has been signed by the 47 EU countries as well as US focusing on standards in cybercrime policy.
There are import and export restrictions in cryptographic technologies. In the 90s US was the one of the primary instigators of banning the export of cryptographic technologies especially to those who are considered a political threat.
Trans-border data flow
See OECD Privacy Guildlines.
Important Laws and regulations
- HIPAA – Health Insurance Portability and Accountability Act – The privacy and security portions seek to guard protected health information (PHI) from unauthorized use or disclosure for entities such as Health plans, Healthcare providers, and clearing houses. The HITECH (Health Information Technology for Economic and Clinical Health) act extended privacy and security requirements of HIPAA to those that serve as business associates to those entities
- Computer Fraud and Abuse Act Title 18 Section 1030 – Attacks on US protected computers, government, financial processing in foreign or interstate commerce that results in $5000 in damages in one year is criminalized
- ECPA – Electronic Communications Privacy Act – Protected electronic communications from warrantless wiretapping
- USA PATRIOT act of 2001 – Full name Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act – Passed due to September 11 terrorist attack. Weakened the ECPA by expanding law enforcement electronic monitoring capabilities
- Gramm-Leach-Bliley Act (GLBA) – Requires financial insitutions to protect the confidentiality and integrity of consumer financial information and to notify consumers of privacy practices.
- California Senate Bill 1386 SB1386 – US State level breach notification law requiring organization to notify California residents if there is there is potential disclosure of personal data
- Sarbanes-Oxley Act of 2002 (SOX) – As a result of major accounting scandals SOX was passed. The act mandates public companies to ensure adequate financial disclosure, auditor independence and internal security controls such as risk assessment. Intentional violation can lead to criminal penalties.
- PCI – Payment Card industry Data Security Standard (PCI-DSS) – Requires merchants that process credit card data to adhere to PCI-DSS standards to ensure better protection of cardholder data by mandating security policy, security devices, control techniques and monitoring of systems and networks comprising of card holder data environments.