Day 2 – Tuesday July 12th, 2011

08.30-17.30 Registration in the Fisher Building

09.00 Information is power – balancing strategic business aims with privacy requirements
Chair: Valerie Taylor, Consultant, Privacy Laws & Business
Peter Gooch, Senior Manager, Information & Technology Risk, Deloitte LLP, London

9.25 Discussion

9.35 Information rights in the balance: Where do transparency and accountability end and privacy and data protection start?
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business
Christopher Graham, Information Commissioner, United Kingdom

10.05 Discussion

10.35 Coffee - Sponsored by SNR Denton (www.snrdenton.com)

11.00 Poland's data protection plans for its EU Presidency, July to December 2011
Dr. Wojciech Wiewiórowski, Inspector General for Personal Data Protection, Poland (www.giodo.gov.pl)

  • Digital Agenda for Europe - state of play in trust and security
  • General review of the data protection regulatory framework
  • Privacy aspects of the Directive on Re-Use of Public Sector Information
  • Personal data in public registers - eGovernmental cooperation in Europe
  • Privacy and RFID - resume of national actions
  • Mandatory retention of data in Internet and telecom sectors
  • European PNR

11.10 Discussion

11.15 Update on the revised EU Data Protection Directive: En route to greater harmonisation via a Regulation or a Directive
Peter Hustinx, European Union Data Protection Supervisor, Brussels

Brief comments by:
11.45 Christopher Graham, Information Commissioner, United Kingdom
11.50 Dr. Wojciech Wiewiórowski, Inspector General for Personal Data Protection, Poland (www.giodo.gov.pl)

11.55 Discussion

12.15 The role of the Data Protection Officer in 10 countries in Europe
Chair: Laura Linkomies, Editor, Privacy Laws & Business International and UK Reports
Pascale Gelly, Cabinet Gelly, Paris

12.30 Data Protection Officers required by law? More compliance or a counter-productive exercise?
Stewart Room, Partner, Field Fisher Waterhouse, London

In this session, Stewart Room, partner at Field Fisher Waterhouse and President of the National Association of Data Protection Officers, offers his views on why current proposals for mandatory data protection officers may be counter-productive, leading to the creation of 'islands of isolation' across our businesses, where the DPO incumbent will carry the can for organisational failures which they may not be empowered to control. Drawing upon his research for his next book, on the causes of corporate failures on risk, Room will explain why mandatory Data Protection Officers are not the route forward on compliance.

12.45 Discussion on the role of Data Protection Officers required by law by a future EU Data Protection Directive or Regulation

13.00 Lunch

Parallel 1: International

Chair: Richard Cumbley, Partner, Linklaters, London, UK

14.00 Changes to data protection law in Spain: Lighter penalties possible but more discretion for the Data Protection Agency
Dr. José-Luis Piñar Mañas. Professor of Administrative Law, San Pablo-CEU University, Madrid, Lawyer, and former Spanish Commissioner

The Spanish Data Protection Act (LOPD) has recently been amended (the reform came into force on 6th March this year).

The reform was a long-standing aim of the private sector, which considered that regime to be a highly disturbing element for controllers and processors.

Amendment of the LOPD is articulated around the following major themes:

1. Substantial amendment of the classification of infringements. There is a considerable reduction in the type and number of very serious infringements (in Spain the LOPD provides for very serious, serious and minor infringements), and various offences change classification.

2. A new regime has been established for the scales used in setting the amount of the penalty. Without any doubt, the amendment is of extraordinary importance and major practical significance. The new text now obliges the Spanish Data Protection Agency (AEPD) to establish the amount of the penalty by applying the scale for the type of infringements that immediately precedes the type considered in the case concerned (these indeed being rated).

3. The newly introduced figure of admonition also has an enormous scope. Now, exceptionally, the AEPD may decide not to open penalty proceedings and instead issue an admonition to the party responsible, so that, within the term determined by the Agency, it may demonstrate adoption of the relevant corrective measures. It is an extraordinary discretionary power of the AEPD that may only be exercised in specific cases. Consider that, for instance, in the case of a serious offence, the possible actions range from a simple admonition to a fine of 300,000 euros.

4. There is a slight amendment in the amounts of the penalties. The minimum limit of the fines rises to €900 (€601 before the reform), and the maximum remains unchanged at €600,000.

However, the reform is only partial. It has not included some of the matters now proposed for debate by the European Commission in order to review the legal framework of data protection in Europe. For example, there is still no general obligation to notify security breaches.

Discussion

Changes to Poland's data protection law in force in 2011
Dr. Wojciech Wiewiórowski, Inspector General for Personal Data Protection, Poland (www.giodo.gov.pl)

  • Active role in legislation
  • New rules on consent
  • Enforcement procedures
  • General review of privacy law in 2012. Ongoing consultations with stakeholders

Discussion

Changes to data protection law in France
Florence Raynal, Head, European and International Affairs, CNIL, (Data Protection Commission), France

Discussion

Parallel 2: Privacy by Design


Chair: Laura Linkomies, Editor, Privacy Laws & Business International and UK Reports

14.00 What does it mean in practice?
Clara Westbrook, Privacy Director, Global, IMS Health, London
Eduardo Ustaran, Partner, Field Fisher Waterhouse, London

  • The European Commission is looking at how to incorporate 'Privacy by Design' as a principle into the new legislative framework
  • Most organisations do not know what it means for them
  • IMS Health has identified instances where it has incorporated this principle into its day to day business activities
  • How all types of organisations can implement this principle in practice

14.30 The Canadian Privacy Impact Assessment Experience: From Legislative Compliance to Governance and Accountability
Anita Fineberg, Barrister and Solicitor, Ontario, Canada
Pat Jeselon, Consultant, Ontario, Canada

1. Drivers for PIAs:
a. Legislation, government directives, best practices (encouraged by Privacy Commissioners)
b. Complex information sharing environments

2. Types of PIAs:
a. Conceptual, Physical/Logical and Delta
b. Increasing complexity of PIA analysis
    i. multi-party sharing of personal information and personal health information in federated environments

3. Key Foci for PIAs:
a. Legislative analysis
b. Governance
c. Accountability
d. Data flows and process maps
e. Technical architecture and security protections

4. Frameworks:
a. CSA Model Code for the Protection of Personal Information
b. GAPP and Maturity Model

5. Future Directions:
a. Privacy by Design PIA
b. Cloud computing PIA

15.00 Privacy Impact Assessment in practice – lessons from 20 years' experience in Australasia
Nigel Waters, Principal, Pacific Privacy Consulting, Australia

  • Scope of PIA?
  • Process issues – who commissions, undertakes and uses PIA?
  • Role of stakeholder consultation and publication?
  • How PIA fits into the wider privacy toolkit

15.30 Tea - Sponsored by SNR Denton (www.snrdenton.com)

Parallel 1: International

Chair: James Michael, Legal Editor, Privacy Laws & Business Reports

16.00 Pre-trial Discovery for Cross Border Civil Litigation and law enforcement requests from the USA v. national data protection laws in other countries
Gail Crawford, Partner, Latham & Watkins, London;
Wolter Wefers Bettink, Partner and head of IT/Privacy department, Houthoff Buruma, the Netherlands;
Pascale Gelly, Avocat à la Cour, Cabinet Gelly, Paris

Comments from:
Peter Schaar, Federal Data Protection Commissioner, Germany;
Rafael Garcia Gozalo, Director, International, Data Protection Agencia, Spain

17.00 Discussion

Parallel 2: Privacy by Design Workshop

16.00 How Microsoft integrates Privacy by Design into its products, services and organisation
Jean Gonié, Director of Privacy, EU Affairs, Microsoft Europe, Brussels

16.10 ValidSoft’s European Privacy Seal: Our best guarded secret?
Pat Carroll, CEO, ValidSoft, UK

16.20 Applying the Privacy by Design principles to your own organization
With help from the Privacy by Design speakers

17.00 Internal audit, FSA fine: What Zurich did next
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business
Rosemary Bubb, Data Protection Manager, Zurich Financial Services, UK

17.20 Discussion


17.30 Close

18.00 Punting on the River Cam – Sponsored by Morrison & Foerster (www.mofo.com)

18.45 Drinks

19.30 Dinner in The Hall – Sponsored by ValidSoft (www.validsoft.com)

