Last Week In Privacy- August 14, 2018

Welcome to “Last Week in Privacy!” Each week, OneTrust’s in-house privacy experts will give you the top international privacy industry highlights from last week.


Here’s a quick recap of last week’s top privacy industry headlines:

  1. Alberta, Canada’s new breach notification and reporting law for breaches of personal health information is set to go into effect on August 31st. The law takes a risk-based approach to breach notification, requiring notification to affected individuals, the Minister of Health, and the Office of the Information and Privacy Commissioner, when a breach could create a risk of harm to the individual. The law also includes a non-exhaustive list of factors for covered entities to consider when assessing risk, including the likelihood of whether unauthorized access or disclosure will occur, whether the information will be misused or could adversely affect the provision of health care to the individual, and more. Additionally, the law allows for certain mitigating factors to be taken into account by the organization when determining whether notification is required, and provides for several safe harbors such as where it can be shown that information was recovered before unauthorized access occurred. The law does not specify a timeline for notification to occur, but states that it must be made “as soon as practicable.” Failure to comply can result in fines of up to ten-thousand dollars for individual providers, and up to five-hundred-thousand dollars for organizations.
  2. The U.S. Federal Trade Commission has published a notice for public comment on whether it should have more enforcement authority over corporate privacy and data security practices. Comments will be accepted by the FTC until August 20th. After the comment period, the Commission plans to host a series of public hearings this fall on whether changes are needed to competition and consumer protection law, enforcement priorities and policy. The notice comes after FTC Chairman Joseph Simons stated in a July House subcommittee hearing that the FTC’s current enforcement powers were inadequate to handle today’s privacy and security issues. The notice requests the views of a broad spectrum of interested parties, ranging from consumers and businesses, to lawyers and IT professionals.
  3. The U.S. Department of Health and Human Services Office for Civil Rights has published guidance on secure disposal of technology containing sensitive information. The guidance covers proper disposal of equipment such as desktop and laptop computers, mobile devices, servers, USBs and other types of electronic storage, as well paper and other hard copy media. The guidance includes ten questions for organizations to address when planning the disposal of such devices, including the importance of removing asset tags and corporate identifying marks, ensuring that disposal is handled by certified and trained individuals, as well as the logistics and security controls involved in disposal.
  4. France’s data protection authority, the CNIL, has released guidelines on consent under the GDPR. The guidelines discuss the importance of determining whether other legal bases for processing are more appropriate for a given activity, rather than systematically relying on consent, provides examples of the four elements of valid consent, breaks down how consent requirements have changed under the GDPR, and clarifies that consent obtained prior to GDPR can still be relied upon if they already meet, or are “refreshed” or “supplemented” to meet GDPR requirements.

That’s all for this week, be sure to join us next week for Last Week in Privacy.

Wanting more from our privacy team? Read Brian Philbrook and Andrew Clearwater’s latest posts in CPO Magazine and in IAPP The Privacy Advisor.