Archive for the ‘Personal Privacy’ Category

China proposes draft privacy legislation with significant potential implications

On July 6, 2015, China’s legislature, the National People’s Congress (NPC), circulated for comment two pieces of draft legislation with significant potential implications for data privacy and data security in China. The key provisions of these two draft laws are summarized below.


Coming closely on the heels of the July 1, 2015 promulgation of a new national security law, the draft Cyber Security Law (网络安全法) has as its stated goal the protection of “cyber sovereignty” and the preservation of cyber security. It includes provisions governing data localization, protection of personal information and other data, and network security.

  • Definition of personal information. Many Chinese regulations that include provisions governing the protection of personal information are unclear on the scope of the term “personal information”. The draft law includes a relatively detailed definition of “citizens’ personal information”, meaning personal information such as a citizen’s name, birth date, ID number, biometric data, profession, residence, or telephone number, recorded electronically or through another method, as well as other kinds of information that, alone or combined with other information, may be used to determine a citizen’s identity.
  • Data localization. Article 31 of the draft law would require an operator of “key information infrastructure” to store personal information and other “significant data” collected and produced in the course of its business operations inside China. It would also require that, before any of that data can be shared with parties overseas or stored overseas, the Chinese company complete a security evaluation in order to evaluate the security risk associated with the data export. The term “key information infrastructure” refers to, among other things, public communications infrastructure and information systems used by public utilities, government at the municipal or higher level, or the military, or used in transportation systems, health care, or the financial sector. Notably, the term also includes networks and systems owned or managed by network services providers that provide services to “large groups of users”, potentially giving the data localization requirements of the draft law a very broad application. Frustratingly, the term “significant data” is not defined in the draft law. We anticipate the intention is to reinforce existing restrictions on the export of state secrets, as well as address other information whose export may have an impact on national security, but further guidance will be needed on this issue, as well as on the nature of the security evaluation required in connection with data exports.
  • Data protection. Chapter 4 of the draft law includes broad provisions governing the protection of network data, including personal information. The term “network data” refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks. The personal information protection provisions take a similar approach to personal information protection in sector-specific data privacy rules already in place with respect to the telecommunications sector. The provisions apply to all “network operators”. “Network operator” and the term “network” are both defined broadly so that the obligations apply to the owner of any computer information network, as well as to any party who administers a computer information network or provides services over it. As such, the data protection provisions of the draft law apply broadly to a very wide range of parties who either own or use a computer information network (and effectively to all personal information in electronic form), and not only within the limited sectors covered by current rules. The principal requirements include the following:
    • Collection and use of personal information must comply with the principles of legality, legitimacy, and necessity.
    • The purpose, method, and scope of the collection and use of personal information must be expressly disclosed, and the collection and use of personal information must be based on the individual’s consent.
    • Network operators may collect and use personal information only in connection with their provision of services and should not collect or use personal information outside the scope agreed by the individual.
    • Network operators should disclose to individuals their policies for the collection and use of personal information.
    • Individuals can demand that personal information collected unlawfully be deleted, and they have the right to demand correction of personal information that is inaccurate.
    • No entity or individual may steal or acquire personal information by other unlawful means, or sell or unlawfully provide personal information to others; language that corresponds to language in the Ninth Amendment to the Criminal Law is also discussed in this update.
  • Security certification/inspection. Article 19 of the draft law would require that key network equipment and special-purpose network security products comply with applicable security standards and be subject to a security certification or security inspection before being sold in the market. The security certification/inspection requirement builds on a similar requirement contemplated in regard to equipment used in the telecommunications and Internet sectors in the Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors. Article 19 makes clear that its implementation is subject to the issuance of a catalogue of key network equipment and special-purpose network security products by the “State network information department”, a reference to the Cyber Administration of China (CAC).
  • National security review. Article 30 of the draft law contemplates a vague national security review requirement, requiring the operator of “key information infrastructure” procuring network products or services to undergo a security review process led by the CAC if the procurement “might have an effect on national security”. This brief provision does not provide further details but states that the implementing measures for this process will be issued by the State Council. This requirement echoes the announcement made by the State Internet Information Office on May 22, 2014, which stated for the first time that all important technology products and services affecting national security or the public interest will be subject to a “cyber security” review. This provision of the draft law would establish the formal statutory basis for implementing such a national security review process for the procurement of IT equipment and services for important IT infrastructure.

It is difficult to predict how long it will take for the NPC’s legislation process to be completed after the period for comments closes on August 5, 2015. The draft law is still subject to two readings before the full NPC or its Standing Committee, and we anticipate that a significant amount of debate within government circles has yet to take place on various aspects of the draft law before the law is formally promulgated. Some commentators are predicting that the draft law will be promulgated before the end of 2015.

In the meantime, various other regulatory efforts continue as part of the Chinese government’s campaign to enhance network security, many of which are likely to have an adverse impact on market access by foreign IT companies.


As we reported previously, the NPC circulated for public comment Amendment 9 to the Criminal Law of the People’s Republic of China (Draft) (中华人民共和国刑法修正案(九)(草案)), which contemplated a significant broadening of the scope of criminal liability under Article 253 of the Criminal Law for misuse of personal information.

The NPC has circulated a second draft of Amendment 9 (刑法修正案(九)(草案二次审议稿)), which, while reworking the drafting of the data privacy provisions of the first draft, preserves the scope of criminal liability contemplated in the first draft while increasing related penalties. Now any breach of Article 253 is subject to a prison term of up to three years, with a longer prison term of between three and seven years if the circumstances are especially serious. Under the previous draft, the maximum penalty was three years (two for the new offense of unlawfully “selling or providing personal information to another party” introduced in the first draft).

It is likewise difficult to predict how long it will take for the NPC to complete its legislation process in respect of the Criminal Law amendment after the period for comments closes on August 5, 2015. The draft is still subject to one reading before the full NPC or its Standing Committee.

Source: Morrison & Foerster LLP, Paul D. McKenzie and Wei Zhang


ICO fines NHS £70,000

May 1, 2012

The Information Commissioner’s Office has issued its first, significant monetary penalty following a serious data protection breach by an NHS body

The Information Commissioner’s Office (“ICO”) has taken action following an administrative error by Welsh health board, Aneurin Bevan Health Board (“ABHB”), which led to a serious breach of the Data Protection Act 1998 (“DPA”).

As the ICO gets used to using its new powers to issue substantial fines, all organizations which handle personal data need to ensure they are complying with their obligations under the DPA and have the necessary measures in place to avoid serious breaches occurring.


Section 55 of the DPA came into force on 6 April 2010 and allows the ICO, where there has been a serious contravention of the Act, to serve a monetary penalty notice on data controllers. The maximum penalty that can be imposed is £500,000.

What did they do wrong?

The error, which occurred in March 2011, meant that a highly sensitive report containing details of a patient’s health was sent to a former patient who had a similar name. A letter which had been drafted by a consultant and emailed to his secretary for formatting failed to identify accurately the patient to whom it should have been sent. The draft letter misspelt the name of the patient and did not contain sufficient additional details to identify the patient concerned. Furthermore, the letter was not checked prior to it being sent.

The investigation carried out by the ICO into the incident concluded that ABHB did not have in place sufficient checks to prevent personal data being sent to the wrong person and that the members of staff involved had not received any DPA training. An exacerbating factor was that the inadequate procedures followed in this instance were replicated across ABHB.

What was the penalty?

As a result of this incident ABHB has become the first NHS organization to be fined by the ICO.

The ICO has not only issued a fine of £70,000 to ABHB (which will be reduced to £56,000 if early payment is received) but also required it to sign an undertaking with a view to ensuring that all personal data it holds is processed in accordance with the DPA.

Following its investigation into this matter, the ICO had particular concerns about ABHB’s internal practices and the undertaking also includes measures to deal with these, including implementing:

  • new checks across the organization to ensure that patients’ identities are established before any documentation containing personal data is issued;
  • the provision of training for staff;
  • putting in place and maintaining appropriate IT and other security measures; and
  • regular monitoring of compliance with the DPA.

This decision comes shortly after the ICO indicated that it would be focusing on, amongst others, the health sector in respect of responses to subject access requests. It has highlighted that notice should be taken of this decision by those operating within the health sector and stated that it is vital that the health service ensures that it has appropriate DPA compliance procedures in place.

The future

The Information Rights Strategy that was published by the ICO at the end of 2011 made clear that it would be taking a robust approach to DPA compliance over the coming year. This decision reflects that approach and should be seriously considered by those organizations and employers operating within the health sector.

Future enforcement action by the ICO is likely to be significant, particularly in view of the European Commission’s proposals for reforming the approach to data protection across the European Economic Area.

Tips for organizations

  • Ensure that all your employees are trained on handling personal data, particularly those who process it on a day-to-day basis.
  • Consider carrying out a data protection audit to establish the level of compliance with the DPA within your organization and, if necessary, to decide how this can be improved.
  • Ensure that you actively promote, implement and monitor compliance – it is not enough to have written policies in place if they are not enforced.

Source: Shoosmiths.

Serbia set to start Personal Data Protection Project

April 23, 2012

The implementation of a project funded by the EU and meant to improve the protection of personal data in Serbia officially started last Wednesday.


The project began with a meeting between Rodoljub Sabic, Serbian commissioner for information of public importance and protection of personal data, and Slovenian commissioner for information Natasa Pirc Musar.

Sabic said the project would take six months to complete and would include numerous important activities, “starting with an evaluation of how harmonized our regulations are with the EU standards on the protection of personal information.”

He added the project would include “strengthening the institution of the commissioner by educating and training personnel to monitor and improve data protection in accordance with those standards,” Sabic’s office stated.

He said he was pleased to work with Slovenian colleagues, because the team led by Pirc Musar had gained recognition “not only in Slovenia, but in the EU also, as a team of excellent experts.”

The protection of identity data in Serbia is still in its first stage, even with the efforts invested by the commissioner and some initial results in the field, he noted.

According to Sabic, it is an issue of extreme significance in terms of respecting constitutionally guaranteed human rights, and it is also an issue “that will be one of the first the EU will inquire about once the start date for the negotiations is set.”

Source: As reported by Ekonom:east Media Group

Ghanaian Parliament Passes Data Protection Bill

April 19, 2012

After reports last July that the Data Protection Bill had been withdrawn from Ghana’s Parliament for adjustments, the bill was re-introduced and Parliament passed it on February 10. The Act, said to be awaiting presidential assent to be fully operational, is modeled upon European precedents and will set out the rights and responsibilities of data controllers, data processors and data subjects in relation to personal data, under the supervisory authority of a Data Protection Commission. Ghana swore in a new President, John Atta Mills, a 64-year-old law professor, on January 8.

How to establish the reliability of International Background Check data

February 27, 2012

Today I’d like to share a discussion that has been taking place over the last few weeks on our LinkedIn forum, the International Background Screening Forum, which I think our readers will find useful.

The discussion provides an interesting primer on, and insight into, the rather fragmented nature of the global background check market and the challenges faced by screening companies that look to source international background check research for U.S. or overseas-based clients outside their own geographic location (country of domicile), either direct from the source (i.e. a government agency abroad) or through third parties, whether global wholesale providers or in-country providers.

In summary, a rather thought-provoking statement and question was raised: not all countries are equal when it comes to the reliability and accuracy of records around the globe. It was also expressed that clients (multinational employers) are paying a premium for international searches and that there is a growing concern, from a US-based background screening company’s point of view, as to how one should go about evaluating the reliability and accuracy of such results on a country basis. From a practical point of view it is believed that there might be countries where a records search may not be worth performing because… “there are no records to search”, or “70% of the people in a country can pay officials to lose the record”, or “50% of the records become “nonexistent” for political or religious reasons,” etc.

These are all very valid questions: (1) what is the reliability/accuracy, and (2) if, based on available information, local records might not provide at least a certain level of accuracy, should an organization even attempt such research? As a global advisory firm specializing in this area we receive these types of questions more often than you would think. We’ll discuss both of these points.

How to Establish Reliability / Accuracy in International Background Check results

In many respects, even after 12 years of specializing in the global background check market, many would agree that it is still very much considered “The Wild West” and at an emerging stage. This is due to the fragmented nature of differing laws, the availability of and access to the local records and data required to undertake a legitimate check, costs, and most importantly differing points of view on what is legally permissible versus folks that just want to turn a quick buck for less than ethical work product. In the end the latter has done more harm than good, but it’s getting better through education and the effects of increased global trade (increased demand), and also through increased enforcement action against those that flagrantly violate compliance and personal privacy.

Unfortunately there is no publicly available resource that details each of these aspects of background screening on a country basis, at least at this time. This type of information is generally closely held by companies that actually specialize in this area of the market, and many may feel that it is part of the “secret sauce” that differentiates them from their competitors (particularly global specialists). Aletheia Consulting has in fact conducted such research on a number of geographies around the globe.

With that in mind we will discuss the guiding principles we apply when working with our CRA (background screening) clients, whether they are a US-based or an overseas-based provider (i.e. a screening provider located in Bangladesh, as an example) looking to expand their geographic footprint and design their international background check product portfolio.

We carefully examine each local data source (i.e. criminal records, credit, etc.) by country and by product type with the following 8 specific questions in mind:

  1. Existence of information in target country? (locate possible sources of the data)
  2. How is information maintained?
  3. Reliability and credibility of information? (whether held directly by a government agency, but also how credible the third party conducting the search on the customer’s behalf may be)
  4. Legality of using consumer information for employment purposes? (Can it even be used for employment purposes?)
  5. If, based on the answer to No. 4, it is legally permissible for employment, how can research be accomplished? (Direct to source or through a third party?)
  6. What is required in order to obtain the information?
  7. Timeliness of delivery?
  8. Affordable cost of information?

Questions 1-5 can then be applied to a Risk Matrix and conclusions drawn as to the quality and credibility.

This of course assumes one also factors in the cultural and environmental factors involving a country’s level of corruption (i.e. the practice of paying bribes in order to get out of being arrested or to pay off a claimant prior to court in order to avoid a trial which is actually a common practice in some countries).

A country’s level of corruption and actual fundamental issues around the quality of source data will always be potential factors in international background investigations that one should consider, but they should never be a deterrent or an excuse for not conducting an adequate level of due diligence on a potential non-US or local employee, contractor, or trading partner. Remember that many countries including the U.S. have enacted various anti-corruption/bribery and terrorism statutes (Foreign Corrupt Practices Act) as well as various industry-specific guidelines (US Federal Sentencing Guidelines for Organizations), such as within the financial services, IT, healthcare, and many other industries, that require a reasonable/responsible level of due diligence be applied when making a business decision.

What to expect from your local or global background check provider

When working through a 3rd party (an in-country partner or even one of the “wholesale international providers”), aside from the usual production guidance, i.e. what they require from you to undertake the search and what to expect in return, I recommend you require them to demonstrate a sufficient working knowledge of the geographies they claim to be able to support. This needs to be supported by their willingness to educate you and/or provide sufficient guidance for you to be able to communicate the local cultural and legal provisions governing access to and use of the data to your clients or even candidates. You should then have this information cross-referenced and verified independently and directly with the source agency and the relevant privacy commission (if applicable).

In the end there must be transparency with your overseas background check providers. If not, then you or your organization may be placed in a risky situation of possibly violating an applicant’s personal privacy rights or, even worse, of being unable to demonstrate that the necessary level of due diligence was applied in the background screening process.

I am not a firm believer in “blind faith” or “blind trust”, as someone mentioned in the discussion about relying on their provider without verifying the facts. This is an unwise practice and creates significant risk for you and your client. Our clients come to us for expert advice, and if we don’t know the answer to their question then we should know how to derive the right (accurate/truthful) answer or tell them we simply don’t know.

Some folks spoke of records not being available in certain geographies, and that is absolutely accurate. In fact one of my most famous recommendations to clients is that “any firm that purports to offer and deliver criminal records for employment purposes from every country on the planet, don’t walk away, run away!” This simply isn’t legally permissible in a multitude of countries and is an outright criminal offense. As a provider of international background screening services, however, it is our job to be able to speak to both the local environment and our experience, so that we can offer best practice advice to our clients and in some cases offer next best available options to consider.

In conclusion, criminal records in a country may be paperwork intensive, expensive, take an extremely long time to obtain, or, worst case, not be very accurate for the reasons discussed today; even so, the organization should apply that reasonable level of due diligence, meaning that if the check is legally permitted and available for employment purposes, the organization should have it done by a responsible provider. The question then may become what source to use, and as long as you’ve applied the guidelines we discussed above during the sourcing and selection process you should be okay. If as a provider you don’t have the in-house expertise of the local geographies, then we believe you have one of two options: (1) spend the time to research the various geographies on your own (although it will be a very long, painful, and expensive process), or (2) hire or partner with a local and/or global subject matter expert that has already done the leg work and who is able and willing to be your subject matter specialist.

International Background Check Market Outlook

All in all, the international background check market, even with its rather interesting challenges, continues to grow and develop in leaps and bounds nearly by the month. I am a firm believer that through continued education of our buyers and providers, applying best practice concepts, and striving to do the right thing as a business owner and as an industry, many of these challenges will have less of an impact on the emerging international background check market.

For more information about Aletheia Consulting Group’s advisory services in international background screening please feel free to visit our website or email us at .

EU Data Protection Proposals: Outsourcing and Employee Data Issues

February 17, 2012

The following article by Matthew Howse, Partner, and Celia Kendrick, Associate, at Morgan Lewis should serve as a great primer for US as well as other multinational organizations that deal with human resource data of EU citizens. The EU’s proposed new revisions to data privacy could have broad ramifications for the unwary.

Outsourcing arrangements often require the transfer of employees’ personal data from the customer to the supplier or vice versa.  For example, an outsourcing of payroll functions will involve the transfer of employee data.

Particular issues arise if the data is to be transferred outside of the EU.  In addition, notwithstanding that most data protection legislation within the EU derives from the EU Data Protection Directive, there are important differences between countries on how personal data can be processed.  The UK rules are currently contained in the Data Protection Act 1998.

In January 2012, the European Commission published its proposal for a new General Data Protection Regulation.  The extensive proposals would overhaul this area of law and significantly increase data protection across Europe.

The key proposals are:

Harmonization: A single set of rules will apply across Europe.

Scope extends beyond Europe: The new rules will apply to EU businesses and businesses based outside the EU that process European citizens’ personal data for the sale of goods or services or the monitoring of behavior.

Fines: Penalties for non-compliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organization is an ‘enterprise’).

Explicit consent: The new definition of “consent” will include a requirement that individuals’ consent must be explicitly obtained; it cannot be assumed.

Notification requirements: Organizations will be required to notify their supervisory authority of a security breach without undue delay, meaning within 24 hours if that is feasible.  If not, the notification must be accompanied by a reasoned justification.

Right to be forgotten: Individuals will be able to ask to be forgotten and have their data deleted unless there is a legitimate ground for keeping it.

Data protection officers: Organizations with over 250 employees will be required to have a designated data protection officer who will have specific duties in relation to monitoring and advising the organization.

These changes are probably long overdue – the current law was drafted when recent technological advances could not have been contemplated.  However, preparing for the changes and ensuring compliance will place a large administrative and financial burden on businesses with a European presence, including businesses involved in outsourcing.

The next step is for the proposed Regulation to be considered by the European Parliament and Council.  It is expected there will be widespread debate on the proposals, and that the Regulation will be amended.  Once the Regulation is approved, it is likely to be a further two years before it comes into force.

If the current drafting of the Regulation is approved, there will be a significant change in data protection obligations for both customers and suppliers.  Under the current law, only data controllers – organizations that control the purposes and manner for which personal data is processed – are subject to the obligations and restrictions on personal data.  Most suppliers are data processors as they process personal data on behalf of the customer (the data controllers).  However, the proposal is to impose restrictions and obligations directly on data processors (i.e. suppliers) for the first time.

Currently, it is important for all parties to establish who the data controller is and for the data controller to impose contractual obligations on the other party to ensure compliance with data protection legislation.  It is also key to ensure that, if personal data will be moved outside of the EU, this is done in compliance with the strict restrictions on exporting data.  Arguably, by extending the scope of data protection legislation to cover data processors and organizations based outside the EU which process EU citizens’ data, these considerations will become less significant for EU-based data controllers (i.e. customers).  However, the effect on data processors and international organizations will be much more significant.  The more stringent rules will place a tougher administrative burden on suppliers, which could lead to an increase in the overall cost of outsourcing.

Organizations that are about to enter into new outsourcing arrangements should be aware that their data protection obligations may change during the course of the arrangements.  Contractual provisions should be drafted accordingly, for example to make data protection provisions subject to amendment to comply with legislative changes.

The key message for customers and suppliers is: watch this space.  It will be some time before the measures are implemented, but the scope and effect of data protection legislation is likely to change significantly.

As published by © 2012

Dubai data protection law expected to be in force by July 2012

January 23, 2012

On 15 December 2011, the Data Protection Commissioner of the Dubai International Financial Centre Authority (DIFCA) launched Consultation Paper No 3, which sought public comment on DIFCA’s proposals to amend the Data Protection Law, DIFC Law No 1 of 2007, and the Data Protection Regulations. The consultation closed on 14 January 2012.

It is expected the amended Law will come into effect by June or July of 2012. The newly amended Law embodies international best practice standards, is consistent with EU Directives and OECD guidelines, and is designed to balance the legitimate needs of businesses and organizations to process personal data while upholding individuals’ rights to privacy. It should be noted that the Law and the newly amended Law apply only to individuals and organizations established in the Dubai International Financial Centre (DIFC).

The proposed amendments will require a data controller to notify the Commissioner of any changes to the particulars of a licensee as soon as possible and in any event within a period of 14 days from the date upon which the entry becomes inaccurate or incomplete. A maximum fine of US$ 25,000 could also be introduced for failing to register with the Commissioner’s Office.

The proposed amendments will also grant powers to the Commissioner to delegate functions and powers to the officers and employees of the DIFCA and powers to the DIFCA Board of Directors to pass regulations exempting certain data controllers.

It is believed that the changes are not so significant on their face, but the combination of amendments to make the rules more practical and more specific enforcement powers suggest some examples may be made of non-compliant DIFCA licensees to encourage better compliance.

Source: As published by DataGuidance
