Over the past few years, and especially since the early days of COVID-19, workplaces have seen a huge increase in the use of electronic messaging and communications programs. Apps such as Zoom, WhatsApp, Microsoft Teams, and Slack are widely used for daily business and intra-office communications. This is especially true for financial businesses such as broker-dealers and traders, who routinely conduct their business and communications remotely and electronically.

While these modes of electronic communication provide ease and convenience, they present a robust challenge to companies when it comes to properly capturing and keeping electronic communications as records. This challenge is amplified for communications on personal devices. Difficulties retaining records of electronic communications were made painfully evident when in September of 2022, the SEC fined more than a dozen financial firms over $1 billion for failure to properly preserve records of their electronic “off-channel” communications.

Shortly after levying these sanctions, the SEC voted on Oct. 12, 2022, to adopt rule amendments to the electronic recordkeeping, prompt production of records, and third-party recordkeeping service requirements applicable to broker-dealers, security-based swap dealers (SBSDs), and major security-based swap participants. The SEC explained in its press release that the amendments “are designed to modernize recordkeeping requirements given technological changes over the last two decades and to make the rule adaptable to new technologies in electronic recordkeeping.”

Previously, firms subject to SEC broker-dealer regulation were required to keep electronic records exclusively in a non-rewriteable, non-erasable (WORM) format. This can be challenging to comply with when preserving electronic communications (such as emails, text messages/chats, etc.), especially when they are generated from remote or personal mobile devices. The amendments, now codified in 17 CFR 240.17a-4(f)(2)(i)(A), are designed to allow firms greater flexibility in how they keep such records, allowing for an “audit trail alternative.” In other words, firms will have the option to keep electronic records in a manner that allows original records to be recreated if they are altered, overwritten, or erased. This will help firms to configure their electronic recordkeeping systems to be in line with current practices and protect the authenticity and reliability of original records. Now, firms have a choice between the previously mandated WORM format or the new audit trail alternative, depending on their needs and preferences. If they choose the audit trail option, they must:

Preserve a record for the duration of its applicable retention period in a manner that maintains a complete time-stamped audit trail that includes:

(1) All modifications to and deletions of the record or any part thereof;

(2) The date and time of actions that create, modify, or delete the record;

(3) If applicable, the identity of the individual creating, modifying, or deleting the record; and

(4) Any other information needed to maintain an audit trail of the record in a way that maintains security, signatures, and data to ensure the authenticity and reliability of the record and will permit the re-creation of the original record if it is modified or deleted[.]

These rule amendments became effective Jan. 3, 2023, with a compliance date set for May 3, 2023.

If nothing else, the recent sanctions levied by the SEC as well as the amendments to the electronic recordkeeping requirements should signal to firms the seriousness and importance the SEC is placing on proper recordkeeping of electronic communications.  The SEC’s division of enforcement director commented that the sanctions: both in terms of the firms involved and the size of the penalties ordered – underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, we must be able to examine a firm’s books and records to determine what happened… Other broker-dealers and asset managers who are subject to similar requirements under the federal securities laws would be well-served to self-report and self-remediate any deficiencies.

Given how much focus the SEC currently is putting on electronic communications recordkeeping, firms – especially those in the financial field that are under the governance of the SEC and CFTC – would be wise to review their policies regarding the use and retention of electronic communications, and make sure such policies are in line with current regulatory requirements.  Adjustments should be made as necessary to such policies to ensure consistent, company-wide compliance. A well-defined and uniformly adhered to record retention policy will go a long way to mitigate operational and legal risks, including liability for hefty fines for regulatory noncompliance.

As CFTC Commissioner Kristin N. Johnson noted in a press release: relevant technologies are evolving quickly. Today’s resolutions reveal a need for entities operating within our markets to address imminent operational challenges. Increased reliance on simple, easy-to-access but unauthorized chat and text platforms will pose a significant challenge for many types of entities operating in our markets. Internal compliance programs must adopt internal controls consistent with this new landscape. Firms must inculcate a culture of compliance at all levels of their organization to mitigate the risks associated with using unauthorized chat and text platforms.

Being mindful of these new and emerging communications technologies and the unique recordkeeping challenges they bring, the time to act for companies is now. With some careful planning and strategic implementation of recordkeeping policies, companies can set themselves up for long-term success and compliance, while avoiding fines, legal issues, and other potential negative consequences down the road.

Disclaimer: The purpose of this post is to provide general education on records management software. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Since our previous post discussing plans for the European Union-U.S. Trans-Atlantic Data Privacy Framework, the United States has taken a significant step toward setting this new framework into action.

On Oct. 7, 2022, President Joe Biden signed an “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities,” which lays out steps the U.S. will take to implement its commitments under the new framework. It was the U.S.’s signals intelligence activities and a lack of adequate safeguards in place to protect personal data involved in such activities, after all, that led to the European Court of Justice’s decision to strike down the prior Privacy Shield framework in 2020. Biden’s executive order also comes after the U.S. and the EU this past March reached an agreement in principle on the new framework.

In a nutshell, the executive order strengthens privacy and civil liberty safeguards in the execution of U.S. signals intelligence activities. As summarized by the accompanying factsheet, the executive order:

• Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.
• Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.
• Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the [executive order].

Perhaps more notably, the executive order also provides for a two-tiered redress mechanism, in which a (“CLPO”) and ultimately, a (“DPRC”)—an independent binding authority—can adjudicate “qualifying complaints transmitted by the appropriate public authority in a qualifying state concerning the United States signals intelligence activities.” In other words, individuals can send qualifying complaints to the CLPO through appropriate public authorities if they feel their data privacy rights have been violated by the conduct of U.S. signals intelligence activities. The CLPO can then investigate, review, and order remediation as appropriate. If necessary, such cases may escalate to the DPRC, which has the authority to review CLPO determinations. This redress mechanism addresses European Court of Justice concerns over a current lack of appropriate legal recourse for data subjects seeking judicial protection of their data rights in cross-border data flows from the EU to the U.S. It is also a crucial step toward the official implementation of a new framework.

Cross-border data flows are essential for many U.S. and EU companies across all industries and sectors as these companies seek to grow and participate in the global digital economy. Having a new framework for transatlantic data flows will help ensure greater protection of personal data. It will also bolster trust and stability between the U.S. and EU when it comes to transatlantic data flows.

While the executive order is a promising development for a new framework and matters of EU-U.S. data transfers and privacy, the process has just begun. As any new framework must be a collaborative effort, the EU must sign off on it. Accordingly, the ball is now in the EU’s court, as the next step is for the European Commission to assess the proposed framework as well as the U.S.’s commitments under it. The Commission must then adopt a new adequacy determination, allowing the new framework to become operative under EU law.

Contact Zasio to explore how our technology solutions and consulting services can help fulfill your data privacy and information governance needs.P

On Friday, March 25^th, the United States and European Commission issued a joint statement announcing their agreement in principle on a Trans-Atlantic Data Privacy Framework (the “Framework”). If finalized, the new framework would allow cross-border transfers of personal data from Europe to the United States.

This agreement is the culmination of over a year of negotiations between the U.S. and E.U. It comes after the previous trans-Atlantic data flow framework known as “Privacy Shield”—which was an arrangement allowing companies to share EU personal data to the U.S.—was invalidated by the European Court of Justice in July 2020 for lack of adequate privacy protections. Specifically, the court noted that Privacy Shield did not limit the access and use of personal data by U.S. authorities for surveillance purposes in line with EU principles of necessity and proportionality. The court also found that Privacy Shield did not provide data subjects adequate redress mechanisms for improper use of their data by U.S. intelligence agencies.

In a press statement, the White House outlined steps the United States will take under a new Framework (referred to by some as “Privacy Shield 2.0”) to ensure appropriate protection of EU personal data, including commitments to:

• Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
• Establish a new redress mechanism with independent and binding authority; and
• Enhance its existing rigorous and layered oversight of signals intelligence activities.

President Biden stated in a joint press statement that the new Framework underscores the EU/U.S. “shared commitment to privacy, to data protection, and to the rule of law” and that it will allow for “transatlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.”

This development in EU/U.S. data privacy cooperation is welcome news both for companies that routinely handle personal data flowing from the EU to the U.S., and EU citizens whose data is being transferred to the U.S. Under the Framework, participating U.S. companies will have the ability to more freely facilitate EU/U.S. data flows, and EU data subjects will be able to seek redress from a “multi-layer redress mechanism,” which includes an independent data protection review court consisting of individuals outside the U.S. Government, with full authority to handle claims and oversee remedial measures.

The Framework is still in its preliminary stages, with few details available at this initial phase. The goal, as outlined by the joint statement, is to “translate [the] arrangement into legal documents that will need to be adopted on both sides.” It will be interesting to see how this new Framework will differ from the previous Privacy Shield framework, and what measures will be implemented to accomplish the intended objectives. As the Framework continues to develop and more details are released, it is important for companies to be aware of its specific provisions, and to accurately assess how these might impact their business and the way they collect and store personal data from the E.U..

Contact Zasio to explore how our technology solutions and consulting services can help fulfill your data privacy and information governance needs.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

On August 20, 2021, China adopted the Personal Information Protection Law of the People’s Republic of China (“PIPL”), its first comprehensive national data privacy law and one of the most sweeping and restrictive national privacy laws to date. Modeled largely off the GDPR and set to go into effect on November 1, the PIPL regulates personal information collected or transferred both inside and outside of China. It also comes with harsh penalties for non-compliance and gives broad powers to China’s state authorities to enforce the law.

The PIPL is expected to significantly impact how companies (especially tech companies) do business in China. Aimed at protecting the online user data of Chinese citizens, the law will directly affect companies located in China that handle personal data. But even companies operating outside of China may be subject to the law if they provide products or services to people in China, analyze or evaluate activities of people in China, or fall under circumstances described in certain other laws or administrative regulations.

Without further ado, let’s quickly dive into some of the law’s major provisions:

In General

The PIPL defines personal information to include, similar to the GDPR, “all kinds of information related to an identified or identifiable natural person, recorded electronically or by other means, excluding anonymized information.”

The handling of personal information includes “collection, storage, use, processing, transmission, provision, disclosure, or deletion of personal information.”

Under the PIPL, personal information should only be processed for a clear and reasonable purpose, to the smallest scope possible related to that purpose, and in a method with the least impact on personal rights. Personal information processing must also follow principles of openness and transparency, as well as rules of disclosure. These general principles largely mirror GDPR principles of fairness, transparency, and limitations on processing of personal data.

Personal Consent

Personal information handlers (the PIPL equivalent of data processors under the GDPR) must obtain personal consent from the data subject to process personal information, unless the data is processed under a specific listed exception. Those exceptions include contract performance, statutory duties or obligations, public health emergencies, news reports or public interest, legally disclosed information, or other circumstances stipulated by laws and regulations.

Personal consent must also be obtained for any cross-border transfer of personal information (for more on this, see the section below that discusses notification requirements).

These express consent requirements break from the GDPR, which technically doesn’t require personal consent to use personal data unless (i) it is relied upon as one of the six legal bases to process personal data under Article 6 of the GDPR, or (ii) is used as an exemption to transfer personal data abroad (in absence of one of the required transfer mechanisms laid out in Chapter 5 of the GDPR).

Data Retention

Similar to the GDPR, the retention of personal information under the PIPL must be the shortest time necessary to achieve the purpose of processing. This time may vary depending on the data processed and any laws or regulations that specify specific periods.

Notification Requirements

Before processing personal information, personal information handlers must inform the data subject of the information being processed and the data subject’s rights concerning this information. For sensitive information, personal information handlers must also notify the data subject of the processing’s necessity.

For any information processed outside of China, a personal information handler must inform the data subject of the overseas recipient, their contact information, and certain processing information such as processing purpose, processing method, and the types of personal information being processed. The personal information handler must also obtain the individual’s specific consent to process after giving notice.

Cross-border Transfer of Information

Before a handler can transfer personal information outside of China, they must first meet one of the following requirements:

• pass a security assessment organized by the Cyberspace Administration of China (“CAC”), the country’s central internet control agency;
• conduct a personal information protection certification;
• form a contract with the overseas recipient that stipulates the rights and obligations of both parties, or
• meet other conditions required by law, administrative regulations, or the CAC.

Further, personal information handlers must ensure that any personal information processing by overseas recipients meets PIPL standards.

Also, operators of “critical information infrastructure” and personal information handlers processing personal information up to an as-of-yet unspecified threshold (which will be prescribed by the national cybersecurity and informatization department) must store the personal information collected and generated within the territory of the People’s Republic of China. This information may not leave China unless it first passes a security assessment organized by the national cybersecurity and informatization department.

Moreover, personal information handlers may not provide personal data stored in China to foreign judicial or law enforcement agencies without first receiving approval from a competent authority within the Chinese government. This requirement will certainly result in conflicts between Chinese authorities and non-Chinese courts as well as plenty of judicial wrangling among litigants in lawsuits involving Chinese companies.

Individual rights

Just like under the GDPR, data subjects in China have various rights concerning their personal information. These include the right to: know and make decisions about their information’s processing; consult and copy their personal information; request that personal information be corrected or supplemented; request deletion (in certain cases); and request the personal information processing rules of personal information handlers.

Obligations of personal information handlers

Personal information handlers must implement internal management systems and security measures to protect personal data. Processors of personal information up to the threshold must appoint a person in charge of personal information protection. Processors outside of China must establish designated agencies or representatives within Chinese territories to handle intra-territorial personal data processing matters.

Personal information handlers must also regularly conduct compliance audits as well as impact assessments for things like processing sensitive personal data, using personal data in automated decision-making, or providing information to other personal information handlers. These impact assessments must be kept for at least 3 years.

Breach notification

If any personal information has been leaked, tampered with, or lost, the personal information handler must immediately notify the relevant departments (the CAC or relevant departments of the State Council) and individuals performing personal information protection duties. In some cases, personal information subjects might also be notified.

Legal Liability and Penalties

The department performing personal information protection duties has the power to order corrections, give warnings, confiscate illegal gains, and issue fines for information processed in violation of the law. Fines can range to up to 1 million yuan for offenders who refuse to make corrections, and between 10,000 and 100,000 yuan for directly responsible persons.

For serious violations, fines can be issued for up to 50 million yuan or up to 5 percent of the processor’s previous year turnover. Furthermore, the department can order the suspension of a business or notify a relevant competent authority to revoke a business permit or license, in addition to issuing additional fines.

Moreover, foreign organizations that violate the personal information rights of Chinese citizens or harm China’s national security or public interests can be blacklisted by the CAC. This also will result in the offending organization being restricted or prohibited from possessing personal information. In addition to everything else, illegal acts will be recorded in the social credit system and publicized.

In some cases, where the rights and interests of many individuals have been infringed, certain entities may file a lawsuit in the people’s court. These entities include the people’s procuratorate, consumer organizations specified in the PIPL, and organizations identified by the CAC.

Exceptions

The law does not apply to natural persons handling personal information for personal or family affairs.

Final Thoughts

We have yet to see exactly how the PIPL will impact the way we conduct business generally, but it is on course to significantly affect companies large and small, both inside and outside of China. If you are doing business in China or with people in China, it may well be worth your while to proactively study up on the law, determine what type of impact it might have on your business, seek legal guidance as necessary, and prepare and implement PIPL-compliant policies and strategies to manage Chinese personal data processed within your organization. A bit of up-front planning can go a long way in giving peace of mind – not to mention helping to avoid costly legal or compliance concerns down the road.

Contact Zasio to explore the various software and consulting solutions we offer, to address your personal data and privacy needs.

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

For US taxpayers, May 17 (Tax Day) is fast approaching, and the question is often asked – How long should I keep my tax records?

Here is a brief rundown of required or suggested recordkeeping periods for income tax records in the United States and other jurisdictions around the globe. These time periods do not account for business needs, industry practice, or other legal requirements or exceptions applying to various tax-related records that could potentially increase the required time to keep such records.

United States:

As we have previously discussed, the general IRS-suggested records retention period for US citizens starts at three years, and fluctuates to up to seven years (and in some cases, indefinitely), depending on various circumstances and limitation periods.

Source

Canada:

Keep supporting tax documents for six years after the end of the tax year to which they relate.

Source

Mexico:

Keep tax and accounting records five years from the date taxes were filed or due.

Source

United Kingdom:

Individuals (not carrying on a business): keep records for 22 months from the end of the tax year to which the records relate.

Self-employed or in a partnership: keep records for at least five years from 31 January following the tax year to which the return relates.

Companies: typically, accounting records must be kept for six years from the end of the accounting period.

Source

Japan:

Individuals (Under the Income Tax Act): generally need to keep tax records for seven years, but some documents may be stored for five years. Companies also will need to store tax and accounting records for seven years, but the Companies Act requires records to be kept for ten years, regardless of tax law requirements.

Source

Brazil:

Tax records are to be kept for a general period of five years, which mirrors the standard tax limitation period.

Source

Germany:

Generally, taxpayers need to keep accounting and tax-related records for six years (trade or business letters sent or received, other relevant tax-related documents) or ten years (accounting records, inventories, annual financial statements, opening balance sheets, etc.).

Source: Fiscal Code of Germany  

India:

Accounting and tax-related records for people in a variety of professions are to be kept for six years from the end of the relevant assessment year.

Source: Income Tax Rules, Rule 6F 

France:

Tax records must be kept for six years, with records of certain transactions to be kept for ten years.

Source

China:

Accounting and tax records need to be kept for ten years, except as otherwise stipulated in other laws or regulations.

Source

It is wise to carefully consider the tax laws, regulations, and recordkeeping requirements in your jurisdiction to make sure you remain legally compliant and prepared for audits or other circumstances requiring access to these records. Proper recordkeeping along with a well-crafted records retention plan helps to avoid possible legal, compliance, or other issues down the road.

Contact Zasio today to see how our innovative products and services can meet your recordkeeping and information governance needs.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Since the GDPR passed in 2018, we have seen an ongoing worldwide ripple effect, as other jurisdictions have begun passing their own data protection laws that mirror, or in many respects comply with GDPR requirements. Here are a few such new or upcoming laws worth noting:

 

Brazil – General Data Protection Law (LGPD) (Law No. 13,709/2018) – Approved in August 2018, the law originally was supposed to take effect on August 15, 2020. However, due to COVID-19 concerns, the majority of the law will not go into effect until May 2021, with the enforcement of sanctions beginning August 1, 2021. Similar in many respects to the GDPR, the LGPD is Brazil’s first comprehensive data protection law bringing clarification and consolidation to data protection requirements spread across a variety of Brazilian laws and regulations. It has the stated purpose of safeguarding “the fundamental rights of freedom and privacy and the free development of the personality of the natural person.”

This law sets forth the rights of data subjects and covers many of the same issues covered in the GDPR, including setting up an enforcement authority and penalties for those who don’t comply.

The LGPD broadly applies to natural persons as well as legal entities (including any public or private business or organization) that process personal data of people in Brazil, even if the processing entity is based outside of Brazil.

Link to the law (English version):  https://www.lgpdbrasil.com.br/wp-content/uploads/2019/06/LGPD-english-version.pdf

 

Dubai International Financial Centre (DIFC) – Dubai International Financial Centre (“DIFC”) Data Protection Law No. 5 of 2020:  In effect on July 1, 2020, this law replaces DIFC Law No. 1 of 2007. Due to COVID-19 considerations, it grants a three-month grace period for companies to start complying by October 1, 2020. This law (and its accompanying regulations) is intended to help make sure the DIFC, which is a major financial hub in the Middle East, Africa, and South Asia, stays up-to-date with data protection best practices. It incorporates various provisions from the GDPR and the CCPA (California Consumer Privacy Act) to achieve this objective. This new law also helps ensure the DIFC has adequate data protection in place to receive “adequacy” recognition from the UK and European Commission, which eases compliance requirements for personal data being transferred to the DIFC.

Among other things the law beefs up the accountability of data controllers and processors, clarifies enhanced rights of individuals, removes permit options for cross-border data transfer and special category personal data processing, allows data sharing between government authorities, and introduces new penalties and fines.

The law applies to companies both incorporated in the DIFC, and those incorporated elsewhere who process personal data in the DIFC as a part of “stable arrangements.”

Link to the enacted law:  https://www.difc.ae/files/6115/9358/6486/Data_Protection_Law_DIFC_Law_No.5_of_2020.pdf

 

Egypt – Personal Data Protection Law (“PDPL”): Passed on July 13, 2020, this law comes into effect on October 14, 2020, with its attached Executive Regulations expected to follow in April 2021. Largely modeled off the GDPR, the PDPL aims to “keep pace with the current international standard for the protection of personal data”, as stated in its preamble. It aims specifically to protect online or electronically processed personal data of persons/consumers. This law is a major development in Egypt’s data protection framework, as prior to its passage, Egypt had no specific legislation regulating the protection of personal data.

Taking cues from the GDPR, the PDPL law introduces a number of compliance requirements and penalty provisions for data processors and controllers, with respect to any personal data or “sensitive” data processed. It prohibits processing personal data except with the consent of the data subject or where otherwise permitted by law. It sets forth various rights of data subjects. It also appoints a data protection authority and implements significant sanctions for non-compliance.

The PDPL applies to Egyptian citizens and non-Egyptian citizens who reside in Egypt.

Link to the law (in Arabic):  https://www.cc.gov.eg/i/l/404171.pdf

 

Thailand – Personal Data Protection Act (PDPA) B.E. 2562: This law was passed on May 28, 2019, but has granted deferred compliance for certain data controllers (as enumerated in the Royal Decree on Agencies and Business Not Subject to the PDPA B.E. 2563) until May 31, 2021, giving organizations another year to come into compliance with the law. The law aims to protect data owners (similar to “data subjects” referred to in the GDPR) in Thailand and applies to data processors located both inside and outside of Thailand, that process personal data of individuals in Thailand.

Most provisions in the PDPA are similar to GDPR requirements. It includes various requirements such as setting forth lawful purposes for the processing of personal data, rights of data owners, obligations of data controllers, restrictions on cross border data transfer, breach notification requirements, and penalties for non-compliance. The PDPA also sets up a Personal Data Protection Committee (PDPC) to enforce and provide guidance for the PDPA.

Link to the law:  https://www.etda.or.th/app/webroot/content_files/13/files/The%20Personal%20Data%20Protection%20Act.pdf

Contact Zasio today to see how our host of software solutions and consulting services can help you stay compliant with your data retention policies and practices.

In light of the COVID-19 (coronavirus) viral disease officially being classified as a pandemic, nations around the world are grappling with how to best manage and prevent further spreading of the disease. One such measure we see being taken, especially in early stages of the fight, is contact tracing, where persons infected with the virus and those they have been in contact with are closely monitored, to help predict and prevent further transmission of the disease.

While contact tracing can be vital to helping control the spread of a disease, it can also raise significant personal data concerns. During this process, information is gathered and potentially shared amongst employers, health officials and government agencies. This might include information such as a person’s health data, address, family members, employment details, travel schedules, and even personal contacts. To what extent can this personal information be gathered? Is consent required? How long will it be kept? What rights and protections does an individual have regarding such data that has been collected?

As things currently stand, here is a snapshot of how several governments are dealing with data protection concerns with respect to COVID-19 data gathering:

European Union

Generally, members of the EU are required to comply with the GDPR. However, Article 6 of the law allows for processing of data without consent in special cases, including cases where “processing is necessary for the performance of a task carried out in the public interest…” Article 9 prohibits processing of many categories of personal data (such as race, ethnicity, genetic and health) unless a specific exception is met. One such exception is when processing is “necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health…”

As COVID-19 and GDPR priorities begin to intersect, we are starting to see data protection authorities in EU countries issue data processing guidance and even pass emergency measures allowing for data processing by governmental personnel in order to track and combat the disease.

Italy’s civil protection department passed Decree 630 of 3 February 2020, (these provisions also being included in Decree-Law 14 of 9 March 2020) which essentially suspends certain data protection rights in order for various entities to process personal data in carrying out civil protection activities to fight the disease. This is effective until July 30, 2020, unless otherwise provided for.

France’s CNIL issued guidance outlining what organizations and employers can and can’t do, with respect to processing personal data during the coronavirus crisis .

Ireland’s Data Protection Commission issued supervisory guidance on March 6, outlining rights and obligations of personal data processing by governments and organizations (including employers) during the crisis.

In Denmark, the DPA published brief guidance on personal data that is justifiable for employers to collect and share, in connection with the coronavirus.

China

To help protect personal data during the coronavirus outbreak, The National Health Commission of China and the PRC Cyberspace Administration of China (CAC) have issued notices and circulars providing guidance and outlining requirements with respect to the collection and management of personal data. Among other things, the guidance emphasizes the importance of protecting personal data according to Chinese laws and regulations, and it discusses parameters for collecting data pursuant to epidemic prevention and mitigation efforts.

Singapore

The Personal Data Protection commission issued an advisory concerning personal data that organizations may collect without consent for purposes of COVID-19 contact tracing.

United States

Currently there is no comprehensive federal-level data protection law, but there are several federal and state laws that address data privacy and protection. With the COVID-19 situation continuing to evolve, we are seeing bulletins, waivers, and other documents and notices being released at the federal level, addressing issues of HIPAA privacy and the coronavirus.

As the COVID-19 situation continues to roll out, it will be interesting to see how governments handle the balance between persona data rights and public need to access and use such data to mitigate large-scale health crises such as pandemics.

Bringing this down to a company level – at all times, and especially in times of widespread public health emergencies when it is possible if not likely that personal data might be processed or shared, it is important for businesses to understand their jurisdictional data protection laws and rules. Also crucial is the need for companies to be forthwith and transparent with their clients and employees about what, when, and how personal or sensitive data is being processed. A robust information governance program that is already in place can significantly help in these efforts.

For your current information governance and data compliance needs, contact Zasio today.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

As technology continues to advance at a dizzying pace in nearly every aspect of our lives, this holds true for data storage solutions as well. Coming down the pipeline are some big (or, more accurately – minuscule) and exciting developments in the ways we store our digital data!

DNA storage

In a prior post, we discussed the fascinating possibilities of storing data on strands of DNA. The basic rundown of the process involves digital data being chopped up and stored as synthetic DNA molecules in sequenced strands. These strands are synthesized into actual DNA, which can be preserved for long periods of time (potentially thousands, or even a million years). DNA sequences are encoded with location markers for the data, allowing one to later reorder, convert and retrieve the data from the pool of stored DNA.

While the ability to realistically use this technology is perhaps years away, it is not science fiction, and scientists currently are developing and advancing the technology.

Metabolite data storage

DNA isn’t the only thing competing to replace hard drives, however. Let’s get even more microscopic! Even smaller and simpler molecules, known as metabolites, have shown the ability to store and allow for extraction of digital data. Metabolites are sugars, amino acids, and other molecules used by people and other living things to metabolize, or digest food. The idea is that these molecules are significantly smaller than DNA strands and with a large variety of such molecules, they can represent small amounts of data in a denser way than DNA. The presence or absence of certain metabolites in a mixture would act as binary 1s and 0s, allowing one to encode various types of data.

This was demonstrated recently by a research team from Brown University, who successfully stored and retrieved pictures of an anchor, an Egyptian cat, and an ibex, using solutions containing 6 different metabolites. After encoding the pictures using the binary process of utilizing the presence or absence of the metabolites in the solutions, the team was then able to reconstruct the data with close to 100% accuracy.

While use of this technology, like DNA storage, is still in its infancy, it holds huge potential. Similar to DNA storage, metabolite or molecular storage allows data to be stored for potentially long periods of time, in a stable format. Data would be more secure from threats such as data breaches or environmental disasters, as it could be stored offline rather than in the cloud, and the molecules would be more resistant to extreme physical forces (such as temperature or pressure) than current data storage technology.

Aside from metabolites, similar molecular data storage research is being done using peptides (short chains of amino acids), with encouraging results.

These emerging technologies point to an intriguing future for data storage. It will be interesting to see what technologies develop the quickest for feasible consumer use, and how long it will take us to get there.

For your current information governance and data compliance needs, contact Zasio today.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

Need to do some legal research? Are you having trouble locating a specific requirement, page or article on a website? Here are a couple of ways to leverage Google and its tools to make your life easier and your research more effective:

Use advanced search operators

We all know and have used Google to search for things, and by-and-large, it is a powerful and sophisticated search engine that gets the job done. If you want to take your searches to the next level, however, it is all about “search operators.” Search operators are special characters or commands used in a search query to expand on simple text searches. Depending on the operators used, search results can be streamlined, focused and limited in many ways. For our purposes, let’s focus on one such search operator – the “site” operator.

Say you are looking for specific data retention requirements or hard-to-find information on a particular website. Maybe you aren’t getting good results using the website’s search function, or, heaven forbid, the website doesn’t even have a built-in search function! Time to put Google’s search engine to work, using the “site” operator.

On the main Google search page, type in your search term, followed by a space, and then type site:website URL (or a URL file path, if you want to search in a more specific area of the website).

So, for example, you are on Zasio’s website and are searching for certain information mentioning the term “GDPR.” On Google, type the following: gdpr site:https://zasio.com

Or if you are searching for pages containing an exact phrase, such as “GDPR compliance,” type: “gdpr compliance” site:www.zasio.com

The results will pull up all found pages with the term “GDPR” (or “GDPR compliance” as the case may be) from the specified website (in this case – https://zasio.com), helping you to better locate what you are looking for, without having to wade through thousands of results on unrelated websites.

Also, as you can see, adding quotes around a phrase or grouping of words forces an exact search for that specific phrase or snippet of text. This holds true for any general Google searching, regardless of whether advanced search operators are used or not.

There are many other search operators and other search hacks that can be used in Google, to help you expand your search abilities and narrow your search results in a variety of ways.

Use web browser extensions

Browser extensions or “add-ons” are small pieces of software that attach to and customize a web browser, giving it additional capabilities and features. There are thousands of extensions (many free) that accomplish all sorts of things, but here we will focus on the Pearls extension.

Pearls extension—The Pearls extension is available as a free extension for the Chrome web browser. Essentially, this tool automatically highlights pre-defined search terms on a webpage. While you can always manually perform keyword searches one-at-a-time using CTRL+F, with this extension a webpage will automatically highlight your pre-selected terms, without you needing to do anything. This saves a lot of time searching through a large law, regulation, or web page, as you can quickly hone in visually on the pertinent or desired information. This tool allows you to save lists of search terms for both specific web pages and generally. It works best for HTML-based pages but does not currently work on pdf documents. Chrome, as well as Firefox, has a variety of similar and additional search tool-related add-ons, that might prove useful in your web search efforts.

We have just scratched the surface of Google’s capabilities, but these tips are a great starting point to help you more effectively use Google to your advantage. For further solutions regarding your legal research, information governance and data compliance needs, contact Zasio today.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.

We are in an age of unprecedented digital technology and connectivity. As a result, businesses face an ever-increasing risk of cyber-attacks and security breaches. Just glance at the news to see how frequently such incidents occur. These attacks and breaches can be extremely costly and debilitate a business’s vitality and reputation. One of the most commonly exploited areas of a security system is the password. Attacks on passwords can occur physically on-site or through online brute-force attacks.

Consider the following five points to create and maintain a more secure password:

• Keep it long: The length of a password is much more important than its complexity. A lengthy password takes much longer to crack than a shorter one, even if a short password has complex characters. Experts suggest a minimum length of between 12 to 15 characters. Avoid single words. It may help to use a phrase or sentence to reach a beneficial length.
• Add some complexity: While length is key, adding complexity to your password (such as uppercase letters, numbers, dashes, spaces, and other special characters) will strengthen it. Complexity adds an additional obstacle for would-be hackers. Hackers look for simple words, phrases, and patterns. As noted above, consider using a pass-phrase instead of a word. This adds to both the complexity of the password and your ability to remember it.
• Make it unique: Don’t use personal data, general details about your life, or any information that could be reasonably guessed in your passwords. Avoid common words and phrases, such as common dictionary words, sequential letters or numbers, the word “password,” etc. As a general rule, stay away from these commonly used passwords.
• Switch it up: Don’t use the same password for every account/login point. If you use multiple passwords, make sure your passwords are sufficiently different from each other. While there is debate as to how often you should change a password (especially in the case of a strong/complex password), consider changing it periodically, or as directed by your IT manager. Consider changing it if you suspect that your password is compromised, if you use the same password on multiple accounts, if you use a shared password, if your password seems weak, or you just feel it’s time to change it.
• Store it securely: Consider using a password manager program or app to store or manage your passwords—especially if you use multiple or complex passwords. Avoid writing down your passwords. For an extra layer of security, you might also look for multi-factor authentication.

Creating a strong password is just the start of securing your information against data intrusions and cyber-attacks. Depending on the needs of your organization, you should implement sound data protection procedures and policies as part of your information governance program to better protect yourself and your business.

 

Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.