US/EU Privacy Laws
Source: Trailhead: US Privacy Law Basics
- List the government agencies involved in US privacy law.
- Describe the framework of US privacy laws.
- Explain key US privacy statutes.
Privacy Overview
- How personal information can be collected
- How personal information can be used
- How and with whom personal information can be shared
- Where and how personal information can be stored
- How personal information must be secured
- When to delete or amend personal information
- If and how personal information can be transferred to other countries
- How breaches of personal information are reported
- What rights individuals have regarding their personal information
List of Personally Identifiable Information (PII)
* Address
* Birthdate
* First and last name
* SSN
* Location data
* IP addresses
* Username
Federal Trade Commission (FTC)
HIPAA – Health Insurance Portability and Accountability Act
Department of Health and Human Services (HHS)
PROTECT HEALTH INFORMATION — HHS’ HIPAA Resources for Professionals
— Access their own PHI
— Direct the disclosure of their PHI to a third party
— Request amendment of inaccurate or incomplete PHI
— Receive a list of the PHI disclosures made by the covered entity
— Request restrictions on the use or disclosure of their PHI
— Request specific requirements or restrictions on the means of communication of their PHI
— Combined Text of the HIPAA Regulations (45 CFR Parts 160, 162, and 164)
Financial Service Industry
* List the types of financial services companies subject to federal privacy law
* Describe the provisions and obligations of financial services privacy laws.
Terms:
Consumer Reporting Agency (CRA)
Consumer Report
Investigative Consumer Report
User – A person or an entity that purchases a consumer report from a CRA
Furnisher – An entity that provides credit history or information to a CRA for use in a consumer report
FCRA [Fair Credit Reporting Act]
FACTA [Fair and Accurate Credit Transactions Act]
Gramm-Leach-Bliley Act (GLBA)
– GLBA imposed requirements on financial institutions with regard to the use and disclosure of their customers’ nonpublic, personally identifiable financial information.
Q: What is personally identifiable information [PII]?
1. It was provided by a consumer to a financial institution
2. It results from a transaction or service performed for the consumer
3. It was otherwise obtained by a financial institution
Examples of nonpublic personal information:
* Basic Contact Information
* Social Security Number
* Account Information
* Application Information
* Internet Cookie Information
* Consumer report information obtained by the financial institution
* Whether an individual is a consumer of the financial institution
- Text of the Gramm-Leach-Bliley Act (15 U.S.C. § 6801, et seq.)
- New York State Department of Financial Services Cybersecurity Resource Center
- Salesforce Privacy—Financial Services
California Online Privacy Protection Act (CalOPPA)
The law defines personally identifiable information to include all details collected about an individual visitor to the website – everything from name to hair color.
The Shine the Light Act
When a California resident requests it, for-profit companies must disclose any personal information they shared with third parties, and who those third parties are.
The Song-Beverly Credit Card Act
Under this law, retailers and other businesses cannot ask a customer for personal identification information during a credit card transaction. Personal identification information under the law consists of any information regarding the customer other than the information on the credit card.
The California Consumer Privacy Act (CCPA)
CCPA protects the data privacy rights of California residents and affects businesses that collect or use personal information of Californians.
Salesforce Platforms
Data Processing Addendum
Trust and Compliance Documentation
- Text of the Massachusetts General Law Chapter 93H
- Text of CalOPPA (Cal. Bus. & Prof. Code § 22575, et seq.)
- Text of the Shine the Light Act (Cal. Civ. Code § 1798.83)
- Text of the Song-Beverly Credit Card Act (Cal. Civ. Code § 1747.08)
- Salesforce Data Processing Addendum
- Trust and Compliance Documentation
European Union Privacy Law
- General Data Protection Regulation (GDPR)
- Key privacy terms
- How GDPR changes EU privacy law
Key Terms
Data Subject: A “natural person” who can be identified with PII data
Personal Data: Any information relating to an identified or identifiable data subject
Sensitive Personal Data: Personal data pertaining to the racial or ethnic origin, political opinions, or religious or philosophical beliefs, trade-union membership…
Processing: Anything that is done to or with personal data
Controller: an entity that determines the purposes and means of the processing of personal data
Processor: an entity that processes personal data based on the instructions of a controller.
Pseudonymous Data: Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
Anonymous Data: Data that cannot ever be connected to an identified or identifiable person.
- Basis of data processing
- Compliance obligations
- Breach notification
- Data protection officer
- Enforcement
- Use of processors
- Profiling
- Data subject rights
- One-stop-shop
Methods to protect personal data
1. Encryption
2. Pseudonymization
3. Anonymization
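As an added illustration of pseudonymization versus anonymization as the key terms above define them (example code written for these notes, not from the Trailhead module): the sample record, field names and key are constructed, and the point is that a pseudonymized record can only be re-identified by whoever holds the separately stored key and lookup table, while the anonymized record cannot be re-identified at all.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record; none of these values belong to a real person.
RECORD = {"name": "Jane Example", "email": "jane@example.test",
          "birthdate": "1985-04-12", "zip": "94105", "diagnosis": "asthma"}

# Fields that identify the subject directly (assumed schema for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def pseudonymize(record, key):
    """Replace direct identifiers with a keyed token.

    A plain hash would not do: anyone who guesses the e-mail can recompute it.
    With an HMAC, re-identification needs `key` plus the lookup table, and the
    GDPR definition requires both to be stored apart from the pseudonymized data.
    """
    ident = "|".join(record[f] for f in DIRECT_IDENTIFIERS)
    token = hmac.new(key, ident.encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = token
    lookup = {token: {f: record[f] for f in DIRECT_IDENTIFIERS}}
    return out, lookup  # caller must keep `lookup` (and `key`) separately


def reidentify(pseudo_record, lookup):
    """Only possible for the party holding the separately stored lookup table."""
    return lookup.get(pseudo_record["subject_token"])


def anonymize(record, today=date(2024, 1, 1)):
    """Irreversible: drop direct identifiers and coarsen quasi-identifiers.

    No token or lookup table is produced, so nothing links back to the person.
    `today` is fixed so the result is reproducible in this example.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    born = date.fromisoformat(out.pop("birthdate"))
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = age // 10 * 10
    out["age_band"] = f"{low}-{low + 9}"   # exact birthdate -> ten-year band
    out["zip"] = out["zip"][:3] + "XX"      # full ZIP -> first three digits
    return out


if __name__ == "__main__":
    pseudo, table = pseudonymize(RECORD, b"demo-key-kept-in-a-separate-store")
    print(pseudo, reidentify(pseudo, table), anonymize(RECORD), sep="\n")
```

Whether pseudonymized data still counts as personal data under GDPR follows from this: the holder of the key can re-identify it, so it does, while the anonymized output does not.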
Institution’s Accountability over Personal Data
1. Privacy by Design
2. Privacy by Default
3. Data Protection Impact Assessments