German DPA takes GDPR implementing steps

The North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen) has published the draft Standard Data Protection Model adopted in November 2016 at the Conference of the German Federal and State Data Protection Commissioners. The model is a step towards implementing the requirements of the EU GDPR.

The guidelines are available, in English and German, at this page.

European Open Data Champions Programme

The European Data Portal reports that “the Open Data Champions Programme calls for applicants working with Open Data in the public sector in Europe to take part in an exciting three-day programme of training and peer support in London.  The programme equips participants with tools and knowledge to be effective leaders in Open Data”.


Swiss-US Privacy Shield FAQs

The US International Trade Administration has published the Swiss-US Privacy Shield FAQs. The FAQ sheet explains when an organization can self-certify to the Swiss-U.S. Privacy Shield, starting from today. It also addresses the following questions: How can an organization that is already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield? How can an organization that is not already participating in the EU-U.S. Privacy Shield self-certify to the Swiss-U.S. Privacy Shield or to both frameworks? Does an organization that participated in the U.S.-Swiss Safe Harbor need to update its privacy policy before self-certifying to Privacy Shield? Does the Department of Commerce have sample language that an organization can use in its privacy policy to refer to its participation in the Privacy Shield? What are the differences between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?

The FAQs are available on the US International Trade Administration website.

Why risk analysis and risk management are fundamental

The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) has entered into a resolution agreement with Metro Community Provider Network (MCPN) over its lack of a risk analysis and of a risk management plan addressing risks and vulnerabilities to protected health information. MCPN submitted a breach report to the OCR in January 2012, reporting a breach caused by a phishing incident that affected 3,200 patients. The subsequent investigation found that, while MCPN had taken corrective measures after the breach, it had never conducted a preventive risk analysis or implemented a risk management plan. Under the resolution agreement, MCPN pays $400,000 and must adopt a Corrective Action Plan.

The agreement is available here.

China publishes the draft Measures for Security Assessment of Data Transfer

On November 7, 2016, China passed its Cybersecurity Law. The Cyberspace Administration of China has now issued draft Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data. The draft gives further guidance on the security assessment to be carried out by companies that, for a business necessity, genuinely need to transfer critical data or personal information abroad. Comments on the draft may be submitted until May 11, after which it may become a regulation. The draft provides for two types of assessment: self-assessments, and assessments conducted by the competent authority.

The website of the Cyberspace Administration of China is accessible here.