POLICIES & PROCEDURES

Google Agreement with UK Information Commissioner Relating to Data Protection Act Issues in Wi-Fi Capture in Street View Process Highlights the Importance of Employee Training Measures

The undertaking between Google and the UK data protection authority (the Information Commissioner's Office), which followed Google's collection of Wi-Fi payload data by its Street View vehicles, shows that the FIRST element of corrective action by the search engine giant is to provide extensive information security training to all relevant employees. This is yet another example of regulators and authorities taking the position that information security awareness training for employees is one of the most effective protections against data protection lapses or incidents.



The Preliminary Federal Trade Commission Report with Proposed Framework for Businesses to Protect Consumer Privacy

The framework from the FTC is intended to apply to all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device. Companies should promote consumer privacy throughout their organizations and at every stage of the development of their products and services. This policy document provides a good foundation for building internal privacy and data protection measures within your organization.



The US Department of Commerce Report on Protection of Commercial Data Privacy

The report recommends advancing consumer privacy through a focus on transparency, purpose specification, use limitation, and auditing. The report also proposes maintaining privacy protections through FTC-approved codes of conduct (see above). The report specifically states that organizations should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. Further, the report strongly suggests that organizations should be accountable for complying with these principles, providing training to all employees and contractors who use PII, and auditing the actual use of PII to demonstrate compliance with these principles and all applicable privacy protection requirements.



Checklist for Massachusetts Data Protection Law 201 CMR 17.00 Compliance with a Comprehensive Written Information Security Program

The Commonwealth of Massachusetts requires that any business that owns or licenses "personal information" about a Massachusetts resident comply with 201 CMR 17.00 and implement a Written Information Security Program (WISP), even if the business is not located in Massachusetts. Note that the regulation defines "personal information" narrowly: a resident's name in combination with a Social Security number, driver's license or state ID number, or financial account or payment card number. This document is one aid for the development of a written information security program for a small business or individual that handles such "personal information."