1 / 10

Marilyn Prosch, Ph.D., CIPP Arizona State University

Marilyn Prosch, Ph.D., CIPP Arizona State University. Pierre in France Division B. Maria in Germany Division A. Credit Memo. Order. Pierre’s house. Division X Spain. Customer. Vendor. Multiple Divisions Multiple Countries

kalani
Download Presentation

Marilyn Prosch, Ph.D., CIPP Arizona State University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Marilyn Prosch, Ph.D., CIPP Arizona State University

  2. Pierre in France Division B Maria in Germany Division A Credit Memo Order Pierre’s house Division X Spain Customer Vendor

  3. Multiple Divisions • Multiple Countries • Internal Audit will likely want to transfer employee data into a central repository

  4. Vendor Information (address) Employee Personal Information (address) Customer Information (address) Cross-Referencing

  5. Anjuli’s house Pierre’s house 2008 2000-2007 Address 1 Address 1 Pierre’s house 2008 Address 2

  6. Vendor Information (address) Employee Personal Information (address) Pierre – Address 2 Anjuli – Address 1 Customer Information (Address 1) False Positive Cross-Referencing

  7. EU law, until recently, restricted the transfer of personal data to countries not on the short list of those deemed to have adequate protections in place. • US is not considered “adequate” • EU data protection authorities have just amended the rules for overseas data transfers. • The Article 29 Working Party has created Binding Corporate Rules (BCRs) that will allow companies to send data within an organization, but outside EU borders and into countries whose data protection standards the European Commission has not found adequate.

  8. “In determining reasonableness, considerations include the breadth of the information collected, the extent of the intrusion, whether the collection and use relates to a specific investigation or whether it is an ongoing surveillance program of the employer implemented on the off chance that it might find something. • Canadian law is in general not friendly to intrusive ongoing monitoring that is not incident or investigation based but might rather be characterized as a “fishing expedition.” It would come down to the employer’s situation, the demonstrated necessity for the program etc and proportionality vis a vis the employer’s needs and the employee’s right to privacy.”

  9. One would need to ask questions such as: • Would the database and data matching include all employees or is it more targeted • Will there be any sensitive personal information involved • Is the program likely to be effective in achieving its stated purpose? • Conflict of interest/fraud detection – is there another less privacy intrusive way to monitor • Is it the data matching ongoing or a one off or annual program? • Is the program incident related? Incident activated? • Is it reasonable and proportionate given the employer needs and purposes.

  10. Descriptive research: What are companies actually doing? Are they aware of the issues? If so, how are they handling these issues? Are they using some kind of data masking during these processes? • Normative research: How can we build privacy protection into processes? • Data tagging and masking • Data replication (logging) • Security around possession and handling • Data life and destruction techniques (poison pills)

More Related