Call not at quorum; notes include several quotes from mailing list discussion

As I mentioned in the call, I have been working with a group called Open Notice.
In this regard we have worked on a problem list for current notice practices, which I believe is out of scope of the PAC work, as well as an ontological approach to notices, some of which is summarised below. This provides another point of approach that may be useful in contrast.
Ultimately the Open Notice workgroup is trying to address the larger issues that underlie some of the issues we are addressing in the PAC.
Here is some of the work done so far in my research on notice requirements. (It's a work in progress.)
- Mark
  • (Legal) Notice Requirements By Jurisdiction
    • General Requirements
      • Privacy Notice typically covers: Effective Date, Scope, Information Collected (both actively and passively), Choices Available, How to modify information or preferences, How to contact or register a dispute, How policy changes will be communicated
    • USA
      • FCRA (Financial Credit Reporting Act)
        • Consumers must receive notice when third party data is used to make adverse decisions
        • Notice Requirements
          • All reporting Must have
            • a permissible purpose,
            • must be Consumer initiated,
            • explicit permission, implied in an application.
              • E.g. for employment, consumer has given written permission; certified permissible purpose for access to credit report
      • HIPAA
        • Privacy Notice not necessary when healthcare provider has an indirect treatment relationship.
        • Privacy Rule permits covered agents to use PHI, but also requires entities to give individuals detailed notice about the intended collection and use of their health information.
      • GLBA
        • Requires the Right to opt out of information sharing practices
        • No private right of action, but financial institutions are obliged to give notice and could face liability under deceptive trade practices statutes if the notices are deceptive or inaccurate.
        • Financial institutions that fail to comply are subject to penalties under the Financial Institution Reform Recovery Act (FIRREA). Provided this standard is met, financial institutions may share any information (the notice standard enables the sharing of information: how to make infrastructure to share information?)
      • COPPA
        • Privacy policy link on every page
        • Give parents notice about collection practices
        • Obtain verifiable consent from parent
        • Parents get to delete child's info
        • Parent gets choice about child data being given to 3rd parties and opt out of future use of data
        • Notice to Include
          • contact info
          • Type of info
          • how the info will be used
          • purpose of 3rd parties
          • option of consent to collection but not disclosure
      • TSR (tele-marketing sales rules)
        • Display caller ID
        • Identify themselves
        • Disclose all material information and terms
        • Exceptions
          • Consent in writing from the consumer, stating the number of calls that can be made and including the signature
          • Consent must be clear and conspicuous
          • DNC Safe Harbour: seller has implemented written procedures to honour customer requests
      • Unfair and Deceptive Trade Practices (UDTP)
        • Unfair: defined as commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid (unfair notice, broken consent arguments)
    • Canada
      • Federal Privacy Act
        • gov must inform any individual about collection of PI and the purpose
        • Notice defined as:
          • act of informing individuals that personal information about them is being collected,
          • how it will be used, stored and disclosed; and how long the information will be retained
        • Fed Privacy Act 5(2): Notice online needs sufficient information to decide if they want to proceed; use another method for submitting PI (reasonable security); or opt out entirely. General Privacy Notice, CLF Standard 5.3: http://www.tbs-sct.gc.ca/clf2-nsi2/index-eng.asp
        • A general privacy notice contains only information that is common to the entire website, while the Privacy Notice Statement provides information that is specific to each point where personal information is collected. (A general privacy notice is not enough.)
      • PIPEDA (TBD)
      • Consent
        • Consent is the informed, voluntary agreement of an individual to the collection of his or her personal information and to the subsequent uses, disclosure and retention of that information.
        • "Informed" consent is only achieved by first providing the individual with appropriate notice.
        • The words "privacy notice statement" should be linked to the Privacy Notice Statement page; the Agree button is used to ensure that a person has accessed the Privacy Notice Statement page.
      • Combining Notice & Consent
        • Recommended sequence is that visitors are asked to click (or access keyboard) two times before proceeding further.
          • (Note: Increase access if notice and consent is accessible post transaction)
        • Purpose for the description and collection of personal information should be consistent with info source Model Privacy Statement for Canada.
        • Links: http://www.tbs-sct.gc.ca/pgol-pged/nandc-aetc/nandc-aetc07-eng.asp
        • Privacy Notices often reviewed via Privacy Impact Assessment which is then linked from the privacy notice statement
      • Sample Privacy Statement
        • Title,
        • Explanation of Privacy Notice, Purpose
          • If using cookies: expiry of cookie
            • e.g. when (at end of session)
            • Do or don't enable identity of user
            • Keeps login info
            • Compiled for statistical purposes
            • For info about cookies: insert link
            • Contact info: right to access and correct, process to do this (should be very easy; link to personally kept privacy profile)
            • For clarification: call, email, or tweet to us
            • Cancel at any time
            • Info needed to interact with this privacy notice in the future
            • (TBD)
    • EU
      • Processed Fairly & Lawfully
        • (note: challenge "fairly") Adequate means to enforce rights? (note: are they adequate? Measurements?)
        • Components of Online Notices
          • Effective Date, Scope, Information Collected (both active and passive), Information Uses, Choices Available, How to modify information or preferences, How to contact or register a dispute, How policy changes will be communicated, Cookie Policies, Data Breach Information, Data Retention (in Canada but not US??)
        • Common Notice Components of Email
          • (from text p.910) No false or misleading header information; no deceptive subject lines; opt-out mechanism in each message; notice that the email contains advertisement; information about sending organization (weak: not mandatory digital contact method) (OSR)
      • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
        • (TBD)
          • UK
          • France
          • Germany
    • APEC
    • Australia