Marilyn Prosch, Ph.D., CIPP Arizona State University
Presentation Transcript
Marilyn Prosch, Ph.D., CIPP

Arizona State University

slide2

[Diagram: multiple divisions, multiple countries]

  • Pierre in France, Division B
  • Maria in Germany, Division A
  • Division X, Spain
  • Customer / Vendor
  • Order / Credit Memo
  • Pierre’s house

slide3

Multiple Divisions, Multiple Countries

  • Internal Audit will likely want to transfer employee data into a central repository
slide4

Cross-Referencing

  • Vendor Information (address)
  • Employee Personal Information (address)
  • Customer Information (address)

slide5

[Diagram: who lived at which address, and when]

  • Pierre’s house, 2000-2007: Address 1
  • Anjuli’s house, 2008: Address 1
  • Pierre’s house, 2008: Address 2

slide6

Cross-Referencing: False Positive

  • Vendor Information (address)
  • Employee Personal Information (address): Pierre – Address 2, Anjuli – Address 1
  • Customer Information (Address 1)
  • False Positive
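The false positive on the slides arises because the match is run against each employee's current address only, so a customer or vendor record that dates from before Anjuli moved into Address 1 is attributed to her. The following is an added example (not code from the presentation) showing the naive current-address match beside a match that honours address history, and it masks every address with a keyed hash before comparison so the central repository never holds the raw addresses. All names, addresses, dates, record identifiers and the masking key are constructed for the example; the HMAC masking goes one step beyond the slides, which only raise data masking as a question.

```python
"""Cross-reference employee addresses against customer/vendor master data.

Two matchers are compared on constructed sample data:
  * naive_matches    - current employee address only (produces the false positive)
  * temporal_matches - requires the record date to fall inside the period the
                       employee actually lived at that address
Both compare HMAC-SHA256 tokens of normalized addresses, not raw addresses.
"""
import hashlib
import hmac
import re
from datetime import date
from typing import Optional

# Constructed example key; in practice held by the privacy office, never stored
# alongside the masked repository, and rotated per matching run if desired.
MASKING_KEY = b"example-only-key-held-by-privacy-office"


def normalize_address(addr: str) -> str:
    """Canonicalize case, punctuation and whitespace so formatting differences
    between systems (ERP vs. HR) do not defeat the match."""
    s = addr.lower()
    s = re.sub(r"[^\w\s]", " ", s)      # drop commas, dashes, etc.
    return " ".join(s.split())          # collapse runs of whitespace


def mask_address(addr: str) -> str:
    """Keyed hash of the normalized address: a stable pseudonym that can be
    compared for equality without revealing the address itself."""
    return hmac.new(MASKING_KEY, normalize_address(addr).encode("utf-8"),
                    hashlib.sha256).hexdigest()


# Constructed employee address history: (employee, address, valid_from, valid_to).
# valid_to is None for the address the employee currently lives at.
EMPLOYEE_ADDRESSES = [
    ("Pierre", "1 Rue de la Paix, Paris", date(2000, 1, 1), date(2007, 12, 31)),
    ("Pierre", "22 Avenue Victor Hugo, Lyon", date(2008, 1, 1), None),
    ("Anjuli", "1 Rue de la Paix, Paris", date(2008, 1, 1), None),
]

# Constructed customer/vendor records; "as_of" is the date the record was created
# or the transaction took place, which the temporal matcher needs.
THIRD_PARTY_RECORDS = [
    {"id": "C-1001", "kind": "customer", "address": "1, rue de la Paix - PARIS",
     "as_of": date(2005, 6, 15)},
    {"id": "C-1002", "kind": "customer", "address": "1 Rue de la Paix, Paris",
     "as_of": date(2009, 3, 2)},
    {"id": "V-2001", "kind": "vendor", "address": "9 Calle Mayor, Madrid",
     "as_of": date(2008, 5, 1)},
]


def build_masked_history(history):
    """What would actually be loaded into the central repository: tokens, not addresses."""
    return [(emp, mask_address(addr), start, end) for emp, addr, start, end in history]


def naive_matches(history, records) -> dict:
    """Match on the employee's current address only. Returns {record_id: employee}."""
    current = {tok: emp for emp, tok, start, end in build_masked_history(history)
               if end is None}
    hits = {}
    for rec in records:
        tok = mask_address(rec["address"])
        if tok in current:
            hits[rec["id"]] = current[tok]
    return hits


def _in_period(day: date, start: date, end: Optional[date]) -> bool:
    return start <= day and (end is None or day <= end)


def temporal_matches(history, records) -> dict:
    """Match only if the record date falls within the employee's residence period."""
    masked = build_masked_history(history)
    hits = {}
    for rec in records:
        tok = mask_address(rec["address"])
        for emp, emp_tok, start, end in masked:
            if emp_tok == tok and _in_period(rec["as_of"], start, end):
                hits[rec["id"]] = emp
    return hits


if __name__ == "__main__":
    print("naive:   ", naive_matches(EMPLOYEE_ADDRESSES, THIRD_PARTY_RECORDS))
    print("temporal:", temporal_matches(EMPLOYEE_ADDRESSES, THIRD_PARTY_RECORDS))
```

On this data the naive matcher attributes both Address 1 records to Anjuli, including the 2005 record that predates her move; the temporal matcher attributes the 2005 record to Pierre and only the 2009 record to Anjuli. Two caveats a practitioner would want: the temporal check is only as good as the record dates in the customer and vendor master data, which many ERP address tables do not keep, and a keyed hash is a pseudonym rather than anonymization, since every record at the same address still carries the same token and whoever holds the key can rebuild the link.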

slide7

EU law, until recently, restricted the transfer of personal data to countries not on the short list of those deemed to have adequate protections in place.

  • US is not considered “adequate”
  • EU data protection authorities have just amended the rules for overseas data transfers.
  • The Article 29 Working Party has created Binding Corporate Rules (BCRs) that will allow companies to send data within an organization, but outside EU borders and into countries whose data protection standards the European Commission has not found adequate.
slide8

“In determining reasonableness, considerations include the breadth of the information collected, the extent of the intrusion, whether the collection and use relates to a specific investigation or whether it is an ongoing surveillance program of the employer implemented on the off chance that it might find something.

  • Canadian law is in general not friendly to intrusive ongoing monitoring that is not incident or investigation based but might rather be characterized as a “fishing expedition.” It would come down to the employer’s situation, the demonstrated necessity for the program, etc., and proportionality vis-à-vis the employer’s needs and the employee’s right to privacy.”
slide9

One would need to ask questions such as:

  • Would the database and data matching include all employees, or is it more targeted?
  • Will any sensitive personal information be involved?
  • Is the program likely to be effective in achieving its stated purpose?
  • Conflict of interest / fraud detection: is there another, less privacy-intrusive way to monitor?
  • Is the data matching ongoing, or a one-off or annual program?
  • Is the program incident related? Incident activated?
  • Is it reasonable and proportionate given the employer’s needs and purposes?
slide10

Descriptive research: What are companies actually doing? Are they aware of the issues? If so, how are they handling these issues? Are they using some kind of data masking during these processes?

  • Normative research: How can we build privacy protection into processes?
    • Data tagging and masking
    • Data replication (logging)
    • Security around possession and handling
    • Data life and destruction techniques (poison pills)