08.30-17.30 Registration in the Fisher Building

09.00 Data Security and Data Protection Audits after HMRC
(The disappearance of 2 CDs with personal data on 25 million people when dispatched from the UK government department, Her Majesty’s Revenue and Customs)

Nicholas Graham, Partner, Denton Wilde Sapte
Scott Singer, Partner, Denton Wilde Sapte
www.dentonwildesapte.com/en/Sector/TechnologyMediaTelecoms/Home%20Page/technologymediatelecoms.aspx
Janine Aston, Data Protection Manager – EMEA,Verizon
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

In November 2007, HMRC admitted that it had lost data relating to 25 million people. The disks in question have not been found. There have been numerous other examples in both the private and public sectors of data security breaches.  Increasingly, businesses are now considering data protection compliance audits in order to identify and manage data protection and privacy risk.  This session examines the developments and implications including:

• recent data security breaches
• incident response issue
• the benefits of conducting a DP audit
• aim/scope of DP audits
• the ICO Audit Manual
• practical guidance

10.00  France's data protection priorities for its Presidency of the European Union,
July to December 2008
Yann Padova, Secretary General, CNIL, France
Chair: James Michael, Editor, Privacy Laws & Business International Newsletter

---

10.45 Coffee

---

11.10 Be careful where you store your data: the growing importance of information architectures for privacy professionals
Christopher Millard, Partner, Linklaters, London
Chair: Bojana Bellamy, Global Data Privacy Compliance Lead, Accenture, UK

Parallel 1 – International

Chair: Stewart Dresner, Editor, Privacy Laws & Business UK Newsletter

12.05 The role of Spain's DPA in safeguarding privacy in Spain and its influence in the wider world
Professor Artemi Rallo Lombarte, President, Data Protection Agency, Spain
Commentator: Eduardo Ustaran, Partner, Field Fisher Waterhouse, UK

Parallel 2 - UK

Chair: Stuart Lynch, Consultant, Privacy Laws & Business

12.05 Grappling with the fluid definitions of personal data: The definition of personal data in light of recent case law
Renzo Marchini, Counsel, Dechert, UK
www.dechert.com/practiceareas/practiceareas.jsp?pg=detail&pa_id=43

• When is the Directive/DPA engaged?
• Exploration of the key concepts of "identified", "identifiable" and "relating to"
• Article 29 Working Party Guidance
• UK ICO Guidance: a retreat from post-Durant position
• Recent cases adding confusion

---

13.00 Lunch

---

Parallel 1 - International

Chair: Laura Linkomies, Editor, Privacy Laws & Business UK Newsletter

12.05 When do outsourced service providers become data controllers? What about responsibility and liability?
Boris Wojtan, EMEA Data Privacy Lead, Accenture, UK

14.40 The prospects of European data breach laws:
Results of PL&B’s European survey on attitudes of European national Data Protection Authorities towards an EU legal requirement and European national laws on action organizations must take when personal data is lost or stolen.
 
Stewart Dresner, Chief Executive, Privacy Laws & Business
Amy Norcup, Researcher, Privacy Laws & Business

• Have US laws set a trend for Europe or are the current data protection laws sufficient?
• All national laws in the US and EU cover data security – is there a need for specific provisions on action to be taken when personal data is lost or stolen?
• Advantages & disadvantages of data breach provisions for DPAs, companies and individuals.  What would be an appropriate and proportionate response for data subjects?
• Next steps for data breaches and the law

Policy of the EU Data Protection Supervisor towards incorporating data breach legal requirements into EU law
Rosa Barcelo, Legal Adviser to the European Data Protection Supervisor, Belgium

• Security breaches in the ePrivacy Directive
• Notification to subscribers and to data protection authorities
• Need to broaden the obligation to include electronic commerce service providers
• The addressees of the notification of security breaches
• Need to define procedures and conditions for the notification

Parallel 2 - Management

Chair: tbc

14.00 No, that's not what I meant:" The dance between your organisation's lawyer and outside data privacy counsel
Dan Cooper, Partner, Covington & Burling, London
Chris Foster, Assistant General Counsel, Data Privacy, Honeywell International, USA

United Kingdom

14.45 The view from central government on the Data Protection Act and the Freedom of Information Act
Belinda Crowe, the Ministry of Justice, UK

15.15 Identity, privacy and the need of others to know who you are
A discussion paper on identity issues prepared for the Privacy Commissioner of Canada
Eugene Oscapella, Report's Principal Consultant and Consultant, Privacy Laws & Business, Canada
www.privcom.gc.ca/information/pub/ID_Paper_e.asp

• What is identity and how is it relevant to privacy?
• How we identify ourselves to individuals, businesses and government has profound implications for our relationships with society
• Identity plays a central role in the tug of war between efforts to protect privacy and efforts to push us toward a surveillance society

---

15.45 Tea

---

Parallel 1 - International

Chair: James Michael, Editor, Privacy Laws & Business International Newsletter

16.10 Binding Corporate Rules as "Safe Harbor on Wheels" - a new approach to BCRs for  US-centric multinationals
Eduardo Ustaran, Partner, Field Fisher Waterhouse, UK
Comments by Rosa Barcelo, Legal Adviser to the European Data Protection Supervisor, Belgium

• The challenge: Adapting a European concept to other privacy cultures
• The solution - Part 1: Using Safe Harbor as a starting point for BCR
• The solution - Part 2: Distinguishing between internal EU requirements and an adequate level of protection outside Europe
• Dealing with EU authorities concerns and overcoming scepticism

16.40 The APEC Asia-Pacific Privacy Initiative – a new route to effective data protection or a trojan horse for self-regulation?
Nigel Waters, Principal, Pacific Privacy Pty, Australia

Parallel 2 - Mobile marketing

Chair: Valerie Taylor, Consultant, Privacy Laws & Business

16.10 Choosing and maintaining a permission based privacy policy on mobile marketing
Mikko Niva, Senior Legal Counsel, Nokia Group, Finland
Alisa Bergman, Partner, Sonnenschein Nath and Rosenthal, Belgium

---

Plenary: Introduction to the European Privacy Seal
Chair: Stewart Dresner, Chief Executive, Privacy Laws & Business

17.10 How a European Privacy Seal provides your product with a competitive advantage by showing that it complies with the requirements of the EU Data Protection Directive
Kirsten Bock, Project Manager, European Privacy Seal, Independent Centre for Privacy Protection, Schleswig-Holstein, Germany

17.20 Why Microsoft applied for and won a Privacy Seal for Windows XP Update
Sue Glueck, Senior Attorney, Microsoft, Redmond, Washington State, USA

• Why did MS choose to get the Seal
• How do you decide what products to put through the process
• Minimizing the work on the product team
• Leveraging the seal for marketing

---

17.55 Close

18.15 Punting on the River Cam or St John's College 17th Century Library Tour

18.30 Drinks

19.30 Dinner in The Hall

---

Day 1: Monday 7th July
Day 3: Wednesday 9th July
Annual Conference details