DOCSLIB.ORG

Data Protection 2017

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ICLG The International Comparative Legal Guide to: Data Protection 2017 4th Edition A practical cross-border insight into data protection law Published by Global Legal Group, with contributions from: Affärsadvokaterna i Sverige AB Hunton & Williams Bae, Kim & Lee LLC Koushos Korfiotis Papacharalambous LLC Bagus Enrico & Partners Lee and Li, Attorneys-at-Law Creel, García-Cuéllar, Aiza y Enríquez, S.C. LPS L@w Cuatrecasas Matheson Dittmar & Indrenius Mori Hamada & Matsumoto Drew & Napier LLC Osler, Hoskin & Harcourt LLP Ecija Abogados Pachiu & Associates ErsoyBilgehan Pestalozzi Attorneys at Law Ltd. Eversheds Sutherland Portolano Cavallo GANADO Advocates Gilbert + Tobin Rato, Ling, Lei & Cortés Lawyers GRATA International Rossi Asociados Hacohen & Co. Subramaniam & Associates (SNA) Herbst Kinsky Rechtsanwälte GmbH Wikborg Rein Advokatfirma AS The International Comparative Legal Guide to: Data Protection 2017 General Chapter: 1 All Change for Data Protection: The European Data Protection Regulation – Bridget Treacy & Anita Bapat, Hunton & Williams 1 Country Question and Answer Chapters: Contributing Editors 2 Australia Gilbert + Tobin: Melissa Fai & Alex Borowsky 7 Anita Bapat and Aaron P. Simpson, Hunton & Williams 3 Austria Herbst Kinsky Rechtsanwälte GmbH: Dr. Sonja Hebenstreit & Dr. Isabel Funk-Leisch 23 Sales Director Florjan Osmani 4 Belgium Hunton & Williams: Wim Nauwelaerts & David Dumont 34 Account Director 5 Canada Osler, Hoskin & Harcourt LLP: Adam Kardash & Brandon Kerstens 43 Oliver Smith 6 Chile Rossi Asociados: Claudia Rossi 53 Sales Support Manager Paul Mochalski 7 China Hunton & Williams: Manuel E. Maisog & Judy Li 60 Sub Editor 8 Cyprus Koushos Korfiotis Papacharalambous LLC: Anastasios Kareklas & Hollie Parker Georgia Charalambous 67 Senior Editors 9 Finland Dittmar & Indrenius: Jukka Lång & Iiris Keino 76 Suzie Levy, Rachel Williams 10 France Hunton & Williams: Claire François 84 Chief Operating Officer Dror Levy 11 Germany Hunton & Williams: Anna Pateraki 93 Group Consulting Editor 12 India Subramaniam & Associates (SNA): Hari Subramaniam Alan Falach & Aditi Subramaniam 105 Publisher 13 Indonesia Bagus Enrico & Partners: Enrico Iskandar & Bimo Harimahesa 117 Rory Smith 14 Ireland Matheson: Anne-Marie Bohan & Andreas Carney 125 Published by Global Legal Group Ltd. 15 Israel Hacohen & Co.: Yoram Hacohen 138 59 Tanner Street London SE1 3PL, UK 16 Italy Portolano Cavallo: Laura Liguori & Adriano D’Ottavio 147 Tel: +44 20 7367 0720 17 Japan Mori Hamada & Matsumoto: Hiromi Hayashi & Rina Shimada 156 Fax: +44 20 7407 5255 Email: [email protected] 18 Kazakhstan GRATA International: Leila Makhmetova & Saule Akhmetova 167 URL: www.glgroup.co.uk 19 Korea Bae, Kim & Lee LLC: Tae Uk Kang & Susan Park 176 GLG Cover Design F&F Studio Design 20 Macau Rato, Ling, Lei & Cortés Lawyers: Pedro Cortés & José Filipe Salreta 185 GLG Cover Image Source 21 Malta GANADO Advocates: Dr. Paul Micallef Grimaud & Dr. Philip Mifsud 194 iStockphoto 22 Mexico Creel, García-Cuéllar, Aiza y Enríquez, S.C.: Begoña Cancino Garín 202 Printed by 23 Norway Wikborg Rein Advokatfirma AS: Dr. Rolf Riisnæs Ashford Colour Press Ltd & Dr. Emily M. Weitzenboeck 209 May 2017 24 Portugal Cuatrecasas: Leonor Chastre 220 Copyright © 2017 Global Legal Group Ltd. 25 Romania Pachiu & Associates: Mihaela Cracea & Alexandru Lefter 231 All rights reserved No photocopying 26 Russia GRATA International: Yana Dianova 242 27 Senegal LPS L@w: Léon Patrice Sarr & Ndèye Khady Youm 255 ISBN 978-1-911367-50-5 ISSN 2054-3786 28 Singapore Drew & Napier LLC: Lim Chong Kin & Charmian Aw 263 Strategic Partners 29 South Africa Eversheds Sutherland: Tanya Waksman 273 30 Spain Ecija Abogados: Carlos Pérez Sanz & Pia Lestrade Dahms 281 31 Sweden Affärsadvokaterna i Sverige AB: Mattias Lindberg 291 32 Switzerland Pestalozzi Attorneys at Law Ltd.: Michèle Burnier & Lorenza Ferrari Hofer 300 33 Taiwan Lee and Li, Attorneys-at-Law: Ken-Ying Tseng & Rebecca Hsiao 310 34 Turkey ErsoyBilgehan: Zihni Bilgehan & Yusuf Mansur Özer 319 35 United Kingdom Hunton & Williams: Anita Bapat & Adam Smith 327 36 USA Hunton & Williams: Aaron P. Simpson & Jenna N. Rode 336 Further copies of this book and others in the series can be ordered from the publisher. Please call +44 20 7367 0720 Disclaimer This publication is for general information purposes only. It does not purport to provide comprehensive full legal or other advice. Global Legal Group Ltd. and the contributors accept no responsibility for losses that may arise from reliance upon information contained in this publication. This publication is intended to give an indication of legal issues upon which you may need advice. Full legal advice should be taken from a qualified professional when dealing with specific situations. WWW.ICLG.COM Chapter 1 All Change for Data Protection: The European Bridget Treacy Data Protection Regulation Hunton & Williams Anita Bapat law. This will streamline and harmonise EU data protection law to a Introduction significant extent. Local variances will still remain in a number of areas, such as processing personal data for health, employment and statistical After a long process to update Europe’s data protection laws, purposes. Additionally, Member States may decide to impose further the General Data Protection Regulation will enter into force on obligations under national law. For example, in February 2017, the 25 May 2018 (“Regulation”) [1]. The advent of the Regulation German federal cabinet adopted a draft data protection bill in order follows a lengthy legislative process which took over three years to supplement the Regulation and provide further requirements in to complete. Whilst most were agreed on the need to reform the relation to, amongst other things, data protection officers, restrictions current Data Protection Directive (EC/95/46/EC) and replace it on penalties for non-compliance and exemption from the notice with a law that was appropriate for the complex and sophisticated requirements. Other Member States may well follow suit and so data-driven world in which we live, the content of the new law was organisations will still need to be aware of other relevant local laws. heavily negotiated. The Regulation will significantly increase the compliance obligations of organisations that process personal data, strengthen the rights of individuals in relation to their data, and One Stop Shop and Consistency Mechanism extend the enforcement powers of regulators, including the ability to impose fines of up to €20 million or 4% of global revenue. With just One of the cornerstones of the Regulation is the ‘One Stop Shop’. over a year until the Regulation takes effect, organisations should be At present, organisations may be subject to the supervisory powers assessing their compliance posture now, and taking steps to prepare of the data protection authorities of several Member States, each for implementation. This chapter offers a practical perspective for of which may have a different approach to an issue and differing organisations preparing for change. powers of enforcement. For organisations with business operations in several Member States, it is time-consuming to deal with multiple regulators, and difficult (and expensive) to accommodate the Overview of Key Changes differing approaches that regulators may take in relation to the same issue. The One Stop Shop was designed to overcome these practical In many ways, the Regulation is an enhanced, more rigorous version difficulties and allow for the supervisory authority of a business’ of the existing Data Protection Directive, using much of the same main establishment (i.e., the place where the main processing terminology and many of the concepts with which data protection activities take place), or its only establishment in Europe, to be the practitioners are familiar. For example, conditions for processing ‘lead’ authority for cross-border data processing [2]. In theory, this personal data, consent for processing and notice requirements all should mean less duplication and time spent dealing with multiple remain. Where apparently small tweaks have been made to the text, regulators. Draft guidance released by the Article 29 Working Party organisations should be cautious: in many cases, minor tweaks (such in December 2016 for public consultation [3] makes it clear that it as the strengthened requirements for consent) will have a significant is possible to have different main establishments, and therefore lead practical impact on internal processes, and may take some time to supervisory authorities, for different processing activities, e.g., HR socialise within organisations. Other concepts, such as the ‘One processing, customer data, etc. It should be noted, however, that the Stop Shop’, data portability and breach reporting are brand new appointment of a lead supervisory authority does not prevent other and will require careful analysis to implement. A number of key supervisory authorities from asserting jurisdiction over matters that provisions are explained below. concern them, such as complaints made within their jurisdiction [4]. This, combined with the fact that Member States have carve outs for Harmonisation certain matters, such as employment law, and may impose further legal requirements in addition to the Regulation (see above), means The existing European Data Protection Directive has required local that the One Stop Shop may have limited practical benefit. implementation by each Member State, and individual Member In order to ensure that the
Recommended publications
  • ICO – Privacy Impact Assessment Handbook

    ICO – Privacy Impact Assessment Handbook

    Using this handbook Part 1 – Background information Part 2 – The PIA process Appendix 1 – The PIA screening questions Appendix 2 – Data protection compliance checklist template Appendix 3 – PECR compliance checklist template Appendix 4 – Privacy strategies Using this handbook Back to ICO homepage Advice on using this handbook Because organisations vary greatly in size, the extent to which their activities intrude on privacy, and their experience in dealing with privacy issues makes it difficult to write a ‘one size fits all’ guide. The purpose of this handbook is to be comprehensive. It is important to note now that not all of the information provided in this handbook will be relevant to every project that will be assessed. The handbook is split into two distinct parts. Part I (Chapters I and II) are designed to give background information on the privacy impact assessment (PIA) process and privacy. Part II is a practical “how to” guide on the PIA process. The handbook’s structure is intended to enable a reader who is knowledgeable about privacy to quickly start working on the PIA. Background information on privacy and PIAs is provided for other readers who would like some general information prior to starting the PIA process. It is also important to note that some of the recommendations in this handbook may overlap with work which is being done to satisfy other requirements, such as information security and assurance, other forms of impact assessment or requirements to carry out broader consultations during the development of a project. A PIA does not have to be conducted as a completely separate exercise and it can be useful to consider privacy issues in a broader policy context.
  • Anonymity and Encryption in Digital Communications, February 2015

    Anonymity and Encryption in Digital Communications, February 2015

    Submission to the UN Special Rapporteur on freedom of expression – anonymity and encryption in digital communications, February 201 1! Introduction Privacy International submits this information for the Special Rapporteur's report on the use of encryption and anonymity in digital communications. Anonymity and the use of encryption in digital communications engage both the right to freedom of expression and right to privacy very closely: anonymity and encryption protects privacy, and ithout effective protection of the right to privacy, the right of individuals to communicate anonymously and ithout fear of their communications being unla fully detected cannot be guaranteed. As noted by the previous mandate holder, !rank #aRue, $the right to privacy is essential for individuals to express themselves freely. Indeed, throughout history, people%s illingness to engage in debate on controversial sub&ects in the public sphere has al ays been linked to possibilities for doing so anonymously.'( Individuals' right to privacy extends to their digital communications.) As much as they offer ne opportunities to freely communicate, the proliferation of digital communications have signi*cantly increased the capacity of states, companies and other non+state actors to interfere ith individual's privacy and free expression. Such interference ranges from mass surveillance of communications by state intelligence agencies, to systematic collection and storage of private information by internet and telecommunication companies, to cybercrime. Anonymity and encryption are essential tools available to individuals to mitigate or avert interferences ith their rights to privacy and free expression. In this ay, they are means of individuals exercising to the fullest degree their rights hen engaging in digital communications.
  • CASE REPORT Medical Identity Theft in the Emergency Department

    CASE REPORT Medical Identity Theft in the Emergency Department

    UC Irvine Western Journal of Emergency Medicine: Integrating Emergency Care with Population Health Title Medical Identity Theft in the Emergency Department: Awareness is Crucial Permalink https://escholarship.org/uc/item/9qw8t7zk Journal Western Journal of Emergency Medicine: Integrating Emergency Care with Population Health, 15(7) ISSN 1936-900X Author Mancini, Michelino Publication Date 2014 DOI 10.5811/westjem.2014.8.22438 License https://creativecommons.org/licenses/by-nc/4.0/ 4.0 Peer reviewed eScholarship.org Powered by the California Digital Library University of California CASE REPORT Medical Identity Theft in the Emergency Department: Awareness is Crucial Michelino Mancini, DO Lakeland Healthcare, Department of Emergency Medicine, St. Joseph, Michigan Supervising Section Editor: Rick McPheeters, DO Submission history: Submitted April 24, 2014; Revision received July 24, 2014; Accepted August 15, 2014 Electronically published September 24, 2014 Full text available through open access at http://escholarship.org/uc/uciem_westjem DOI: 10.5811/westjem.2014.8.22438 Medical Identity theft in the emergency department (ED) can harm numerous individuals, and many frontline healthcare providers are unaware of this growing concern. The two cases described began as typical ED encounters until red flags were discovered upon validating the patient’s identity. Educating all healthcare personnel within and outside the ED regarding the subtle signs of medical identity theft and implementing institutional policies to identify these criminals will discourage further fraudulent behavior. [West J Emerg Med. 2014;15(7):899–901.] INTRODUCTION with the combined efforts of multiple healthcare associates, The crime of medical identity theft is a growing concern including registration clerks, nursing staff, security officers in healthcare institutions.
  • Anonymity in a Time of Surveillance

    Anonymity in a Time of Surveillance

    LESSONS LEARNED TOO WELL: ANONYMITY IN A TIME OF SURVEILLANCE A. Michael Froomkin* It is no longer reasonable to assume that electronic communications can be kept private from governments or private-sector actors. In theory, encryption can protect the content of such communications, and anonymity can protect the communicator’s identity. But online anonymity—one of the two most important tools that protect online communicative freedom—is under practical and legal attack all over the world. Choke-point regulation, online identification requirements, and data-retention regulations combine to make anonymity very difficult as a practical matter and, in many countries, illegal. Moreover, key internet intermediaries further stifle anonymity by requiring users to disclose their real names. This Article traces the global development of technologies and regulations hostile to online anonymity, beginning with the early days of the Internet. Offering normative and pragmatic arguments for why communicative anonymity is important, this Article argues that anonymity is the bedrock of online freedom, and it must be preserved. U.S. anti-anonymity policies not only enable repressive policies abroad but also place at risk the safety of anonymous communications that Americans may someday need. This Article, in addition to providing suggestions on how to save electronic anonymity, calls for proponents of anti- anonymity policies to provide stronger justifications for such policies and to consider alternatives less likely to destroy individual liberties. In
  • Privacy in Atlantis*

    Privacy in Atlantis*

    Harvard Journal of Law & Technology Volume 18, Number 1 Fall 2004 PRIVACY IN ATLANTIS* Jerry Kang & Benedikt Buchner** TABLE OF CONTENTS INTRODUCTION.................................................................................230 SCENE I: PRIVACY’S FORM...............................................................231 A. Market-Talk..............................................................................231 B. Dignity-Talk .............................................................................234 SCENE II: PRIVACY’S SUBSTANCE....................................................236 A. The Core Similarities ...............................................................237 1. Dignity’s Consent (or the Market’s Initial Allocation) .........237 2. Data Protection Regulations (or Intangible Property Regulations) ....................................................................240 B. Too Little Control.....................................................................244 1. The Problem: Hard Choices ..................................................244 2. The Response: Fortifying the Individual...............................246 C. Too Much Control....................................................................251 1. The Problem: Societal Overrides ..........................................251 2. The Response: Interest Balancing .........................................252 CONCLUSION ....................................................................................255 APPENDIX .........................................................................................257
  • 617 Charlotte A. Tschider* Although the First Legal Conceptions Of

    617 Charlotte A. Tschider* Although the First Legal Conceptions Of

    NORTH CAROLINA JOURNAL OF LAW & TECHNOLOGY VOLUME 22, ISSUE 4: MAY 2021 MEANINGFUL CHOICE: A HISTORY OF CONSENT AND ALTERNATIVES TO THE CONSENT MYTH Charlotte A. Tschider* Although the first legal conceptions of commercial privacy were identified in Samuel Warren and Louis Brandeis’s foundational 1890 article, The Right to Privacy, conceptually, privacy has existed since as early as 1127 as a natural concern when navigating between personal and commercial spheres of life. As an extension of contract and tort law, two common relational legal models, U.S. privacy law emerged to buoy engagement in commercial enterprise, borrowing known legal conventions like consent and assent. Historically, however, international legal privacy frameworks involving consent ultimately diverged, with the European Union taking a more expansive view of legal justification for processing as alternatives to consent. Unfortunately, consent as a procedural substitute for individual choice has created a number of issues in achieving legitimate and effective privacy protections for Americans. The problems with consent as a proxy for choice are well known. This Article explores the twin history of two diverging bodies of law as they apply to the privacy realm, then introduces the concept of legitimate interest balancing as an alternative to consent. Legitimate interest analysis requires an organization to formally assess whether data collection and use ultimately result in greater benefit to individuals than the organization with input from actual consumers. This model shifts responsibility from individual consumers having to protect their * Assistant Professor of Law, Loyola University Chicago School of Law and the Beazley Institute for Health Law & Policy. Professor Tschider would like to extend her heartfelt thank you to Professor Anne Klinefelter and the rest of the participants of the N.C.J.L.
  • No. 16-3588 in the UNITED STATES COURT of APPEALS for THE

    No. 16-3588 in the UNITED STATES COURT of APPEALS for THE

    Case: 16-3588 Document: 003112605572 Page: 1 Date Filed: 04/26/2017 No. 16-3588 IN THE UNITED STATES COURT OF APPEALS FOR THE THIRD CIRCUIT ______________________ UNITED STATES OF AMERICA, Appellee v. GABRIEL WERDENE, Appellant ______________________ On Appeal from the United States District Court for the Eastern District of Pennsylvania ______________________ BRIEF OF AMICUS CURIAE PRIVACY INTERNATIONAL IN SUPPORT OF APPELLANT AND IN SUPPORT OF REVERSAL OF THE DECISION BELOW ______________________ Of counsel: Caroline Wilson Palow* Lisa A. Mathewson Scarlet Kim* The Law Offices of PRIVACY INTERNATIONAL Lisa A. Mathewson, LLC 62 Britton Street 123 South Broad Street, Suite 810 London EC1M 5UY Philadelphia, PA 19109 Phone: +44 (0) 20 3422 4321 Phone: (215) 399-9592 [email protected] [email protected] Counsel for Amicus Curiae, *Counsel not admitted to Third Circuit Bar Privacy International Case: 16-3588 Document: 003112605572 Page: 2 Date Filed: 04/26/2017 CORPORATE DISCLOSURE STATEMENT Pursuant to Federal Rule of Appellate Procedure 26.1 and Local Appellate Rule 26.1.1, amicus curiae Privacy International certifies that it does not have a parent corporation and that no publicly held corporation owns 10% or more of its stock. i Case: 16-3588 Document: 003112605572 Page: 3 Date Filed: 04/26/2017 TABLE OF CONTENTS TABLE OF AUTHORITIES ................................................................................... iii STATEMENT OF INTEREST .................................................................................
  • Spotlight On… Protection of Sensitive Data Including Personal Information

    Spotlight On… Protection of Sensitive Data Including Personal Information

    Spotlight On… Protection of Sensitive Data including Personal Information Purpose On Sept. 7, 2017 media reports indicated that a large American credit score bureau had been breached, exposing the personal information of millions of consumers in the U.S. and in the U.K. and potentially affecting 8,000 individuals in Canada. On November 28, 2017 the Canadian arm of this U.S. company posted information on its website indicating that an additional 11,670 Canadians had been affected by the breach, bringing the total number of Canadians affected to about 19,000. In response to CCIRC partner questions concerning this event, this product provides information on what organizations can do to reduce the risk of sensitive data, such as personal information, being exfiltrated from their organization. Information in this note includes: . The Canadian statutory definitions of personal information . Upcoming regulatory changes to data breach reporting in Canada . Examples of reported breaches of Canadian personal information . Tactics, techniques, and procedures employed to target Canadian personal information . Tips for safeguarding sensitive information . Advice from the Royal Canadian Mounted Police (RCMP) for individuals who believe their personal information may have been compromised What is “Personal Information”? According to the Office of the Privacy Commissioner of Canada (OPC), these are the statutory provisions relevant to the meaning of “Personal Information” in Canada: Section 2(1) of the Personal Information Protection and Electronic Documents
  • Ohio's “Aggressive” Attack on Medical Identity Theft

    Ohio's “Aggressive” Attack on Medical Identity Theft

    OHIO’S “AGGRESSIVE” ATTACK ON MEDICAL IDENTITY THEFT * STANLEY C. BALL I. INTRODUCTION .................................................................... 111 II. DATA BREACH, IDENTITY THEFT, AND MEDICAL IDENTITY THEFT .................................................................................. 113 A. Data Breach................................................................. 113 B. Identity Theft................................................................ 115 C. Medical Identity Theft.................................................. 117 III. FEDERAL LEGISLATION TO PREVENT MEDICAL IDENTITY THEFT .................................................................................. 122 A. HIPAA.......................................................................... 123 B. The HITECH Act Amends HIPAA ............................... 126 C. Federal Preemption of State Laws .............................. 129 IV. OHIO’S DATA BREACH LAW DOES NOT COVER HIPAA COVERED ENTITIES.............................................................. 131 V. OHIO SHOULD AMEND ITS DATA BREACH NOTIFICATION LAW..................................................................................... 133 A. Ohio’s Data Breach Notification Law Should Apply to HIPAA Covered Entities ............................... 133 B. Ohio’s Data Breach Notification Law Should Have an Acquisition-Based Trigger........................................... 138 C. Ohio’s Data Breach Notification Law Should Require Healthcare Providers to Destroy or Encrypt Discarded Medical Records.........................................................
  • Aiding Surveillance an Exploration of How Development and Humanitarian Aid Initiatives Are Enabling Surveillance in Developing Countries

    Aiding Surveillance an Exploration of How Development and Humanitarian Aid Initiatives Are Enabling Surveillance in Developing Countries

    Privacy International Aiding Surveillance An exploration of how development and humanitarian aid initiatives are enabling surveillance in developing countries Gus Hosein and Carly Nyst 01 October 2013 www.privacyinternational.org Aiding Surveillance — Privacy International Contents Executive Summary 04 Section 1 Introduction 05 Section 2 Methodology 15 Section 3 Management Information Systems 17 and electronic transfers Section 4 Digital identity registration and biometrics 28 Section 5 Mobile phones and data 42 Section 6 Border surveillance and security 50 Section 7 Development at the expense of human rights? 56 The case for caution Endnotes 59 03/80 Aiding Surveillance — Privacy International Executive Summary Information technology transfer is increasingly a crucial element of development and humanitarian aid initiatives. Social protection programmes are incorporating digitised Management Information Systems and electronic transfers, registration and electoral systems are deploying biometric technologies, the proliferation of mobile phones is facilitating access to increased amounts of data, and technologies are being transferred to support security and rule of law efforts. Many of these programmes and technologies involve the surveillance of individuals, groups, and entire populations. The collection and use of personal information in these development and aid initiatives is without precedent, and subject to few legal safeguards. In this report we show that as development and humanitarian donors and agencies rush to adopt new technologies that facilitate surveillance, they may be creating and supporting systems that pose serious threats to individuals’ human rights, particularly their right to privacy. 04/80 Section 1 Aiding Surveillance — Privacy International Introduction 1.0 It is hard to imagine a current public policy arena that does not incorporate new technologies in some way, whether in the planning, development, deployment, or evaluation phases.
  • Privacy in the Employment Relationship, Practical Law Practice Note 6-517-3422 (2017)

    Privacy in the Employment Relationship, Practical Law Practice Note 6-517-3422 (2017)

    Privacy in the Employment Relationship, Practical Law Practice Note 6-517-3422 (2017) Privacy in the Employment Relationship by Thomas H. Wilson, Vinson & Elkins LLP and Corey Devine with Practical Law Labor & Employment Maintained • USA (National/Federal) This Practice Note provides an overview of privacy issues in employment, which may arise in various contexts, such as background checks, drug testing, email and other electronic surveillance and tracking by GPS. Invasion of privacy claims are highly fact-intensive and largely dependent on state law. This Note contains information that is general and not jurisdiction-specific. Contents Overview of Privacy Laws Background Checks Background Checks Conducted Internally by the Employer Background Checks Conducted Externally by a Third Party Employment Testing of Applicants or Employees Drug Testing Polygraph Tests HIV or AIDS Tests Medical and Physical Examinations Other Types of Testing Employee Personnel Records Employee Medical Records Sensitive Personally Identifiable Information Employee Electronic Communications Monitoring of Emails and Internet Usage Requiring Disclosure of Electronic Account Access Information Monitoring of Telephone Calls Video Surveillance of Employee Behavior on the Job Searching Employee Surroundings on the Job No Expectation of Privacy in Common Areas Employer Limits © 2017 Thomson Reuters. No claim to original U.S. Government Works. 1 Privacy in the Employment Relationship, Practical Law Practice Note 6-517-3422 (2017) Employees' Lawful, Off-Duty Activities Tracking Employee Movements by GPS Privacy Concerns Consent and Notice Other Considerations Monitoring and Employee Rights Under the National Labor Relations Act Information about Employees Relevant to Health and Safety This Note provides a general overview of the key legal principles involved in employee privacy in the private employment context.
  • Annual Privacy Report

    Annual Privacy Report

    U.S. DEPARTMENT OF JUSTICE ANNUAL PRIVACY REPORT THE CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER AND THE OFFICE OF PRIVACY AND CIVIL LIBERTIES OCTOBER 1, 2016 – SEPTEMBER 30, 2020 1 (MULTI) ANNUAL PRIVACY REPORT MESSAGE FROM THE CHIEF PRIVACY AND CIVIL LIBERTIES OFFICER I am pleased to present the Department of Justice’s (Department or DOJ) Annual Privacy Report, describing the operations and activities of the Chief Privacy and Civil Liberties Officer (CPCLO) and the Office of Privacy and Civil Liberties (OPCL), in accordance with Section 1174 of the Violence Against Women and Department of Justice Reauthorization Act of 2005. This report covers the period from October 1, 2016, through September 30, 2020. The Department’s privacy program is supported by a team of dedicated privacy professionals who strive to build a culture and understanding of privacy within the complex and diverse mission work of the Department. The work of the Department’s privacy team is evident in the care, consideration, and dialogue about privacy that is incorporated in the daily operations of the Department. During this reporting period, there has been an evolving landscape of technological development and advancement in areas such as artificial intelligence, biometrics, complex data flows, and an increase in the number of cyber security events resulting in significant impacts to the privacy of individuals. Thus, the CPCLO and OPCL have developed new policies and guidance to assist the Department with navigating these areas, some of which include the following: