
UK government publishes initial code of conduct for data-driven health and care technology

On September 5, at the NHS Expo in Manchester, UK health minister James O’Shaughnessy announced the launch of a code of conduct for data-driven health and care technology. The code was issued to encourage companies to “meet a gold-standard set of principles” to protect patient data. It aims to create a trustworthy framework built on 10 principles, which set out how NHS data should be protected: “10 principles which set out the rules of engagement between industry and the health and care system. These principles provide a basis to deepen the trust between patients, clinicians, researchers and innovators”. Other major topics include using artificial intelligence and machine learning to fight disease. The code is only at its initial stage and will develop over time through feedback from the public.

Link to the UK government code of conduct publication

Barbados government presents its Data Protection Act draft

The Barbados government has published a draft of its Data Protection Act and is seeking public comment before it passes into law. The bill represents the government’s second attempt to pass data protection legislation, after a prior draft issued in 2005 did not succeed. The draft clarifies the limited scope of application of Barbados’ data protection rules and highlights its key features, which give an interesting perspective on the data protection provisions chosen for the Bill. Several aspects of the Act resemble the provisions of the EU General Data Protection Regulation. For instance, among the eight data principles covered, data processing is limited to specified and lawful purposes; personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; and it must be accurate and, where necessary, kept up to date. As under the GDPR, any transfer of personal data is forbidden unless an adequate level of protection of the rights and freedoms of data subjects is ensured.

A link to the Barbados government’s draft is available here

Italian government: privacy decree adapting national law to the GDPR to take effect on September 19, 2018

On September 4, the Italian government published the text of the decree adapting national law to the GDPR. It comes into force on September 19, 2018, and is a harmonization effort intended to produce a text that does not conflict with the GDPR. Under the decree, on one hand, the Italian Data Protection Authority keeps its primary role and, in some cases, must still be consulted. On the other hand, the decree aims to promote simplified procedures for fulfilling the obligations of the data controller. Some provisions were eagerly anticipated, such as the obligations of the data controller on receipt of a CV sent for the purpose of establishing an employment relationship. In that case, the decree clarifies, the information required under Article 13 of the GDPR must be provided at the time of the first useful contact after the CV is sent. Other relevant novelties include provisions on deceased persons’ data and the age limit for consent.

A link to the decree text (in Italian language) is attached below

Facebook, Twitter and Google to go before U.S. Senate Intelligence Committee

September kicks off a series of critical congressional hearings for Facebook, Twitter and Google focused on how these companies intend to protect against foreign meddling during the 2018 midterm elections and beyond. The tech companies will also be questioned by the Senate Intelligence Committee and the Senate Judiciary subcommittee about their plans to protect consumer data and privacy more broadly by controlling content on their platforms more responsibly, increasing transparency to the consumer and allowing competition among internet providers. While both Facebook Inc. COO Sheryl Sandberg and Twitter Inc. CEO Jack Dorsey attended the Sept. 5 Senate Intelligence Committee hearing, Google, a unit of Alphabet Inc., left its chair empty, declining to send its CEO Sundar Pichai or its co-founder and Alphabet CEO Larry Page. In a letter sent to the Federal Trade Commission in late August 2018, Sen. Orrin G. Hatch (R., Ut.), a member of the Senate Judiciary Committee and its antitrust subcommittee, described Google’s anti-competitive conduct as “disquieting.” Consumer data breaches and the perceived lack of protection by these platforms have caused enough concern that Congress is expected to follow EU lawmakers by creating more stringent online privacy laws to protect users later this year, as the state of California has already done.

A link to the WSJ original article is available here (subscription needed)

Cybersecurity requirements for financial services companies law to come into force on September 3, 2018

On September 3, all financial services companies operating in the State of New York face the deadline for compliance with the New York State Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which came into effect on March 1, 2017. The requirements of its various sections are designed to protect customer information as well as the information technology systems of regulated entities. Under 23 NYCRR Part 500, the most consequential duty for financial services companies is that “each Covered Entity shall implement controls, including encryption, to protect Non-public Information held or transmitted by the Covered Entity both in transit over external networks and at rest.” “Non-public information” is defined as sensitive information such as identifying information and financial information, for example account numbers, security codes or passwords. As the regulation states, “Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes,” and therefore “a regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”

Link to “23 NYCRR 500 - Cybersecurity requirements for financial services companies”