2.3 Kenya Data Protection Bill 2013
The Data Protection Bill 2013 is a proposed Act of Parliament that gives effect to Article 31(c) and (d) of the Constitution, governing the collection, retrieval, processing, storage, use and disclosure of personal data for the relevant purpose (The Data Protection Bill 2013). The Bill was tabled in Parliament in May 2014. It introduced definitions such as data controller, data subject and data processor. In the Bill, personal data is defined as information about an individual, including 'information relating to race, gender…an identifying number, symbol or other particular assigned to the individual and correspondence sent by the individual that is implicitly or explicitly of a private or confidential nature' (The Data Protection Bill 2013). Principles such as proportionality, purpose limitation and data security would also be introduced.
The East African Community (EAC), a regional group of five East African states (Kenya, Tanzania, Uganda, Rwanda and Burundi), has taken various initiatives that encourage the member states to adopt data privacy legislation. Such initiatives include the current discussion of a Draft Bill of Rights for the East African Community which, unlike the African Charter on Human and Peoples' Rights, incorporates the right to privacy. Also, although non-binding, the EAC adopted the EAC Framework for Cyberlaws Phases I and II in 2008 and 2011 respectively, addressing multiple cyber law issues including data protection. Yet as of now only Kenya is considering a draft bill on data protection (Greenleaf, 2012).
2.4 International Data Privacy Laws
Privacy and data protection issues confront all organisations on a global scale. This applies whether you are managing employee information, credit card data, sensitive financial information, or trade secrets (Baker Hostetler, 2014). Securing data is a challenging task that is further complicated by cross-border transfer issues and the differences in privacy laws around the world. These laws are complex and can impose many conflicting obligations on a multinational enterprise (Baker Hostetler, 2014). Historically, privacy laws started with the U.S. Privacy Act of 1974. The Organisation for Economic Co-operation and Development (OECD) Privacy Principles were created in 1980 (Gunasekara, 2007). The content was developed by 23 countries, including the U.S., and provided guidelines for protecting, limiting, and securing the collected PII of individuals (Swire & Bermann, 2007). ISO/IEC 27001:2005 and ISO/IEC 27002:2013 are based on the OECD Privacy Principles (Humphreys, 2007). The Asia Pacific Economic Cooperation (APEC) Privacy Principles are explicit data privacy rules (Swire & Bermann, 2007). According to Wugmeister et al. (2007), the APEC Privacy Principles incorporate the OECD privacy principles of "notice, choice, collection limitation, use of personal information, information integrity, security safeguards, access and correction, and accountability" (p. 483). Wugmeister et al. (2007) further state that the APEC Privacy Principles go above and beyond the OECD Privacy Principles by requiring the ethical handling of any and all PII when PII is being transferred, even those items that are not necessarily required to be protected.
U.S. laws focus on addressing misuse of information and seek to protect individuals from particular harms (Rich, Ordikhani, & Wugmeister, 2010). The U.S. is also an opt-out society, meaning personal data can be used until the individual requests that his/her data not be used; many other countries, including those in the EU, are opt-in societies in which the person's consent is required prior to any use of PII (Swire & Bermann, 2007). In the EU countries, Canada, Australia, and Japan, data privacy is taken quite seriously. By way of illustration, the following is an overview of some key international privacy laws.
2.4.1. U.S. Data Privacy Laws
In the U.S., state privacy laws require the review of security policies on an ongoing basis to ensure compliance with security breach notification requirements (Lin, 2006; Metzler, 2007; Verdon, 2006). There are security breach notification laws in various states, as well as children's protection laws and sections of federal laws protecting consumers' PII in finance and healthcare. Currently, no comprehensive federal data privacy law in the U.S. directed specifically at private industry exists (Cassini, Medlin, & Romaniello, 2008; Jones, 2008; Otto, Anton, & Baumer, 2007).
Several states have passed specific data privacy laws (Worthen, 2008). Nevada passed Nevada Revised Statutes (NRS) 597.970, a data privacy law that went into effect on October 1, 2008 (Greenberg, 2008). This law mandates encryption for the transmission of Nevada customer PII through electronic means other than via facsimile or on an internal secured system (Worthen, 2008). The Massachusetts General Law (M.G.L.) regarding security breach notifications became effective October 31, 2007. In conjunction with this law, on September 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation issued a set of regulations, referred to as "201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth", which took effect on March 1, 2010 (Lefferts, 2009), regulating the PII of Massachusetts residents whether or not the business maintains a presence within Massachusetts (Worthen, 2008). The development of a written comprehensive information security program that includes security policies and security breach notification procedures is outlined in the Massachusetts regulation (Massachusetts OCAB, 2009). Like all businesses, law firms must comply with this Massachusetts law by encrypting laptops and removable media devices containing PII, as well as encrypting e-mail messages containing PII. Therefore, if a law firm collects credit card payments or SSNs from its Nevada or Massachusetts clients, it must comply with these laws.
2.4.1.1 PCI Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) outlines the security measures that must be implemented with respect to credit card information. These standards are required for safeguarding all credit card purchases (PCI Security Standards Council, 2008). Pursuant to PCI DSS, law firms must not store any more cardholder data than is necessary, must not store sensitive authentication data after authorization (even if encrypted), and must mask the PAN (primary account number) when it is displayed (Berg et al., 2008). The first six and last four digits are the maximum number of digits that may be displayed (Berg et al.). Law firms generally accept credit card payments for their services and must comply with the PCI DSS.
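The three PCI DSS obligations just listed (minimal retention, no sensitive authentication data after authorization, masked PAN on display) are easy to state and easy to get wrong in code, especially where a PAN ends up in a log line or support ticket. The following Python is an added example written for this page, not code from the PCI Security Standards Council or from any cited author. The record layout, the field names (`pan`, `cvv`, `track1`, `track2`, `pin_block`) and the sample transaction are assumptions for illustration; the card number used is the well-known Visa test PAN, not real card data.

```python
"""Added example: PCI DSS-style handling of a primary account number (PAN).

Assumed record layout and field names are illustrative, not from any
standard or from the original text.
"""
import re

# Sensitive authentication data (SAD) in the assumed record layout: card
# verification code, magnetic-stripe track data, PIN block. PCI DSS forbids
# storing any of these after authorization, even in encrypted form.
SENSITIVE_AUTH_FIELDS = frozenset({"cvv", "track1", "track2", "pin_block"})

# A candidate PAN in free text: 13-19 digits, optionally separated by
# single spaces or hyphens, bounded so a longer digit run is not matched.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check. Used only to recognise a PAN-shaped digit run;
    it is a format check, not a security control."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, show_first: int = 6, show_last: int = 4) -> str:
    """Mask a PAN for display: at most the first six and last four digits
    stay visible, every other digit becomes '*'. Separators are stripped.
    Refuses any request to reveal more than PCI DSS allows."""
    if not (0 <= show_first <= 6 and 0 <= show_last <= 4):
        raise ValueError("PCI DSS allows at most first 6 and last 4 digits")
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a PAN-shaped value")
    hidden = len(digits) - show_first - show_last
    return digits[:show_first] + "*" * hidden + digits[len(digits) - show_last:]


def scrub_pans(text: str) -> str:
    """Replace every Luhn-valid 13-19 digit run in free text (a log line,
    an e-mail body, a ticket) with its masked form, so a full PAN is not
    persisted or displayed by accident. Digit runs that fail the Luhn
    check (order numbers, most phone numbers) are left untouched."""
    def _mask(match):
        digits = re.sub(r"\D", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group(0)
    return PAN_CANDIDATE.sub(_mask, text)


def retain_after_authorization(record: dict) -> dict:
    """Return the part of an authorised transaction record that may be kept:
    sensitive authentication data is dropped entirely and the PAN is
    truncated to its displayable form. Keeping the full PAN would require
    rendering it unreadable (e.g. strong encryption with managed keys),
    which this example deliberately does not implement."""
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_FIELDS}
    if "pan" in kept:
        kept["pan"] = mask_pan(kept["pan"])
    return kept


if __name__ == "__main__":
    # Constructed sample input (Visa test PAN, not real card data).
    print(mask_pan("4111 1111 1111 1111"))
    print(scrub_pans("auth declined for 4111-1111-1111-1111, order 12345"))
    print(retain_after_authorization(
        {"pan": "4111111111111111", "cvv": "123", "expiry": "12/29", "amount": "42.00"}))
```

`scrub_pans` is the piece worth wiring into a logging formatter or ticketing hook: the display rule is usually honoured by the payment page and then broken by a debug log. The Luhn filter keeps false positives low, but it is a heuristic, so anything that writes cardholder data should still be kept out of general-purpose logs rather than relying on scrubbing alone.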
2.4.1.2 Health Insurance Portability and Accountability Act (HIPAA) of 1996
The passage of HIPAA in 1996 imposed restrictions on healthcare providers to ensure that patient medical records remain confidential, private, and secure (Greene, 2006; Kahn & Sheshadri, 2008; Li & Shaw, 2008; Wiant, 2005). HIPAA requires that remote access to any medical records have proper security safeguards in place (Baker & Wallace, 2007; Kahn & Sheshadri; Wiant). The HIPAA Security Rule dated February 20, 2003 requires that all ePHI, whether at rest or transferred electronically, be encrypted and protected from interception by unauthorized parties (CMS, 2003; Li & Shaw). Covered entities include health care providers, health plans, and clearinghouses (Holloway & Fensholt, 2009).
HIPAA imposes restrictions on healthcare providers to ensure that patient medical records remain confidential, private, and secure through the use of administrative, physical, and technical safeguards (CMS, 2003; Johnston & Warkentin, 2008). Protected health information (PHI) can include paper documents, verbal communications, and electronic communications such as electronic health records (EHRs), with only the electronic form, ePHI, requiring administrative, physical, and technical safeguards under the Security Rule (Cassini et al., 2008; Kahn & Sheshadri, 2008; Medlin et al., 2008). A patient's name together with a medical diagnosis, laboratory results, medical history, SSNs, credit card numbers, names of physicians, and contact information are considered ePHI (Li & Shaw, 2008; Medlin et al.).
While the HIPAA Final Rule does not mandate specific security measures (it is technology neutral), it provides guidance on what is reasonable and appropriate. The HIPAA Security Rule consists of 18 standards, which include 42 implementation specifications (CMS, 2003). Of the 42 implementation specifications, 20 are required and 22 are addressable; encryption of ePHI at rest and in transit is among the addressable ones. While a number of these requirements are listed as addressable, that does not mean they are optional. Rather, addressable means that if the risk assessment indicates they are necessary then these specifications must be implemented, or an equivalent alternative measure adopted with the reasoning documented (CMS, 2003).
Covered entities must comply with the HIPAA Security Standards with respect to ePHI (Nahra, 2008). Covered entities are required to review, modify, and/or develop security measures that provide reasonable and appropriate protection of ePHI by ensuring the confidentiality, integrity, and availability of the ePHI that is captured, maintained, and/or transmitted (Li & Shaw, 2008). Additionally, ePHI must be protected against reasonably anticipated threats, hazards, and unauthorized disclosures, and security policies must be updated on an annual basis (Kahn & Sheshadri, 2008; Nahra). Anyone associated with the primary healthcare provider as a third-party provider of services is considered a Business Associate and must also comply with the HIPAA security provisions (CMS, 2003; Li & Shaw). For example, if a law firm receives patient-identifiable information such as ePHI from a healthcare client, the law firm becomes a business associate under HIPAA and must share in protecting the ePHI while it is in its possession (Li & Shaw). The penalties for disclosure to unauthorized parties are substantial and can destroy the reputation of the law firm (Bisel, 2007).
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act (ARRA) of 2009 (Congress, 2009), requires that any unauthorized access to PHI be reported to the affected individual within 60 days of discovery of the security breach (Holloway & Fensholt, 2009). The 60-day period begins upon discovery of the unauthorized access by anyone in the organization (Congress). The notice requirements include an explanation of what happened, the date of the breach, what PHI was accessed, and the security countermeasures taken to mitigate the breach (Holloway & Fensholt, 2009). The HITECH Act also sets new penalties, depending on the circumstances of the breach, from $100 per violation up to an annual cap of $1.5 million for HIPAA privacy and security violations (Holloway & Fensholt, 2009).
2.4.2. European Union ( EU ) Privacy Laws
The EU has explicit data privacy laws that are all-encompassing with respect to vigorously protecting sensitive personal data (Swire & Bermann, 2007). Pursuant to the European Commission's Directive, the EU definition of personal data refers to anything that can identify an individual and harm their dignity (Cassini et al., 2008). No sensitive data regarding any EU resident can be disseminated without written consent from the individual (Swire & Bermann). Employee data are classified as the most sensitive data that must be protected pursuant to the EU Data Directive. Such data include business address, business phone number, title, sexual orientation, date of birth, trade union membership, political opinions, national identification or social security number, credit/debit/charge card number, PIN, and photograph (Swire & Bermann). Employment applications, performance evaluations, drug tests, and terminations are also considered sensitive data. No PII or other sensitive data about an EU resident can be transferred to the U.S. without express written consent (Wugmeister et al., 2007). Law firms with global offices must be aware of the individual laws of each EU member state and of how each state's laws apply to a data security breach at the law firm's satellite office or offices located in that state (Goldberg, 2008). Raether (2008) further indicated that if a breach of data occurs in the European Economic Area countries of Iceland, Norway, and Liechtenstein, these laws would also apply to law firms in those countries (Wugmeister et al., 2007).
2.4.3. Canadian Privacy Laws
Canada also takes the privacy of its citizens very seriously. The Personal Information Protection and Electronic Documents Act (PIPEDA), introduced in 1998 and enacted in 2000, covers all industries and regulates the collection, use, and disclosure of personal information (Wugmeister et al., 2007). Similar to the European Directive, this law mandates a person's consent for his/her personal information to be used in any way, excluding criminal investigations (Swire & Bermann, 2007). PIPEDA is based on the OECD-derived privacy principles of accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance (Wugmeister et al., 2007). The burden is on the collector to protect the PII collected and retained and to ensure that the data is used only for the purpose for which it was collected (Gunasekara, 2007).
2.4.4 Safe Harbor
The EU and Canada have strict laws controlling third-party transfers of data (Wugmeister et al., 2007). Therefore, data cannot be removed from European countries or Canada without complying with many stringent standards. For transfers to the U.S., one recognised mechanism was for the receiving U.S. organisation to self-certify under the U.S.-EU Safe Harbor framework; a law firm with satellite offices in European countries therefore needed Safe Harbor certification for its U.S. offices before private data could be transferred to them (Wugmeister et al., 2007). Safe Harbor certification is a laborious and expensive process (U.S. Department of Commerce, 2014). However, it makes it possible to send law firm payroll information, as well as other sensitive information, back to the U.S. Supplier contact databases, contract information and third-party access to sensitive data, as well as client databases and contract information, are all forms of personal information in Europe and must be protected (Swire & Bermann, 2007). Consequently, if the law firm's EU satellite office wants to exchange this type of information with its U.S. office, the U.S. office must be Safe Harbor certified (Wugmeister et al., 2007). Two caveats apply: Safe Harbor covered only transfers from the EU (and, under a separate framework, Switzerland) to the U.S. and does not address transfers out of Canada, and the Court of Justice of the European Union invalidated the Safe Harbor decision in October 2015, so it can no longer be relied on for new transfers.