United States of America

LEG-01:

Legislation enacted specifically for data privacy?
– Privacy Act 1974.
– Children’s Online Privacy Protection Act 1998 (COPPA).

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Federal Trade Commission Act 1914 (FTCA).
– Foreign Intelligence Surveillance Act 1978 (FISA).
– CAN-SPAM Act 2003.
– USA PATRIOT Act 2001.
– Communications Assistance for Law Enforcement Act 1994 (CALEA).
– Wiretap Act (OCC).
– The Communications Act 1934.
Notes: The Wiretap Act is Title III of the Omnibus Crime Control and Safe Streets Act 1968.

LEG-03:

The Country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
– APEC Cross-border Privacy Enforcement Arrangement (CPEA).
– APEC Privacy Framework.
– United Kingdom – United States of America Agreement (UKUSA).
Notes: UKUSA is the multilateral agreement for the “Five Eyes” alliance.

LEG-04:

Local government has any Bills going through the legislative process.
– Student Digital Privacy and Parental Rights Act 2015 (SDP).
– Do Not Track Online Act 2015 (DNT).
– Consumer Privacy Protection Act 2015 (CPP).

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cyber-crime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.

– FTCA Section 41.
– Communications Act 1934 Section 4 [47 U.S.C 154] (a).
Notes: FTCA – Establishes the Federal Trade Commission (FTC).
Communications Act – Establishes the Federal Communications Commission (FCC).

PRI-02:

There is a requirement to establish a privacy commissioner.
– FTCA Section 41.
– Communications Act 1934 Section 4 [47 U.S.C 154] (a).
Notes: Both establish five commissioners.

PRI-03:

The functions of the authority are clearly set out.
– FTCA Section 46.
– Communications Act 1934 Section 1 [47 U.S.C 151].

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.
– Privacy Act 1974 Section 552a u(1).
Notes: Section 552a u(1) is only for agencies participating in data matching programs.
The assignment of a Chief Privacy Officer and an IT Security Officer is best practice.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.
– Privacy Act 1974 Section 552a f.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined which gives examples and a clear outline.
– COPPA Section 6501 (8).
Notes: Personal information.

PCP-02:

“Sensitive Information” is defined which gives examples and a clear outline.

PCP-03:

Other types of information are defined that are viewed differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
Notes: The USA generally requires pre-collection notice and an opt-out option, so consent is not needed but the ability to opt out is there.

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent different for different age groups.
– COPPA Section 6501 9, 6502 2 (b)(A)(ii).
Notes: COPPA Section 1302 9 defines “verifiable parental consent”.
A Child is defined in the Act as an individual under the age of 13.

PCP-08:

Consent may be withdrawn at any time.
– COPPA Section 6502 2 (b)(B)(ii).
Notes: The USA generally requires pre-collection notice and an opt-out option, so consent is not needed but the ability to opt out is there.

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.

PRO-01:

Individual has the ability to access their data by request.
– Privacy Act 1974 Section 552a d (1), e (4)(H).
– COPPA Section 6502 a (2).

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Privacy Act 1974 Section 552a d (2).
– COPPA Section 6502 b (B)(ii).

PRO-03:

Data can be sent to a third party for processing.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.

PRO-05:

Encryption used for processing of data to ensure anonymity.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Privacy Act 1974 Section 552a b, n, o, q.
– SDP Section 3 (a)(3), 3 (a)(5).
– FTCA Section 46 (2).
– Communications Act 1934 Section 631 [47 U.S.C. 551] (b)(2)(c)(1).

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Privacy Act 1974 Section 552a i(1).
– CPP Section 203 (a), (b)(1), (d)(2)(A), 218 (a), (b)(1), (d)(2)(A).
– FTCA Section 50.
– Communications Act 1934 Section 50 [47 U.S.C. 501].
Notes: Most offences and penalties are set out in FTCA.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– PATRIOT Act Section 1001 (1).
– Communications Act 1934 Section 208 [47 U.S.C. 208].

STO-01:

All data is stored with at least a “reasonable” level of security.
– Privacy Act 1974 Section 552a e(10), o (G).
– CPP Section 202 (a).
– COPPA 6502 (b)(D).

STO-02:

Encryption techniques used to store data.

STO-03:

Data can be transferred to third-parties to use.

STO-04:

Data can be stored offshore in a different country.

STO-05:

Data can be stored off site but in the same country.

STO-06:

Information is only kept by the collection agency for the least amount of time necessary for the outlined purpose to be fulfilled.
– Privacy Act 1974 Section 552a (o)(F).
– Communications Act 1934 Section 631 [47 U.S.C. 551] (e).

STO-07:

Policies in place for destroying data once consent is withdrawn or data is no longer needed.
– Privacy Act 1974 Section 552a (o)(F), (o)(I).

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Privacy Act 1974 Section 552a i(1).
– FTCA Section 50.
– Communications Act 1934 Section 50 [47 U.S.C. 501].
Notes: Most offences and penalties are set out in FTCA.

STO-09:

Notification has to be given to individuals in case of a data breach.
– SDP Section 3 (b)(6).

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– CAN-SPAM Section 5 (a)(5)(ii).
Notes: Applies opt-out, meaning the recipient does not need to give consent to receive them.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– CAN-SPAM Section 5 (a)(1)(A),(B),(C), (a)(5)(iii).

SPM-03:

Subject line to be clear and not misleading.
– CAN-SPAM Section 5 (a)(5)(i).

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– CAN-SPAM Section 4 (b)(2)(A)(i).

SPM-05:

A form of a “Do Not Call” register is in place.
Notes: Managed by FTC.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.
– OCC Title III Section 2516 (1).
– CALEA Section 1002 (a)(1).

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.
– CALEA Section 1002 (b)(1).
Notes: Not a requirement.

INT-05:

External countries have the ability to intercept data with permission from the host country.
