U.S. Privacy Shield: Data protection and security

Posted by Jamie Armstrong

Earlier this year I wrote a blog post that summarized some important recent data protection and privacy law developments. Today, I wanted to follow up on that posting by looking particularly at the EU-U.S. Privacy Shield (“Privacy Shield”).

The Privacy Shield came into being to fill the void left by the invalidation of the European Commission decision underpinning the US-EU Safe Harbor Agreement (“Safe Harbor”). From August this year, US organizations have been able to certify compliance to the Privacy Shield – the list of those certified organizations can be viewed here. Questionmark Corporation has certified to the Privacy Shield, and you can view our updated privacy policy here. As was the case for Questionmark’s self-certification to Safe Harbor, our compliance with the Privacy Shield principles is just part of Questionmark’s broader strategy to ensure that relevant international data transfers conform to applicable legal requirements.

The Privacy Shield, as well as other mechanisms such as the EU Model Clauses, provides a way for organizations to comply with EU data protection requirements when personal data is transferred to the US from the EU. Remember that whereas the EU Model Clauses may be relied on for transfers of EU personal data to third countries (i.e. those that are not part of the EEA), the scope of the Privacy Shield is limited to personal data transfers to the US.

The European Commission has produced a helpful guide on the Privacy Shield, aimed at EU citizens, with some key improvements as compared with Safe Harbor being:

  • Greater oversight and monitoring by authorities in the US and EU to ensure compliance, for example by the US Department of Commerce, Department of Transport and Federal Trade Commission;
  • A greater number of ways for individuals to make complaints to enforce their rights without cost, including to an Ombudsman within the US Department of State, via an EU Data Protection Authority, an independent recourse mechanism, and binding arbitration;
  • Additional obligations for participant organizations, like ensuring any third-party transferees provide the same level of protection for personal data as is required by the Privacy Shield.

Although the Privacy Shield includes a number of additional protections for individuals and obligations on organizations, some interest groups remain unconvinced that it is meaningfully different to Safe Harbor, and legal challenges in the EU have already been made. With this in mind, organizations that have certified to or may certify to the Privacy Shield will have to monitor EU developments and continue to review their data protection and privacy approaches, so that they are satisfied they have sufficient means available to show adequate protection for EU personal data being transferred to the US. Questionmark’s Privacy Shield certification demonstrates to customers our particular commitment to data protection and security in respect of applicable data.

Check back here for future blog posts on data protection and privacy law issues early next year.

Disclaimer: This blog is provided for general information purposes only and does not constitute legal advice. Any views included are personal to me.

To Your Health! What assessments do regulators require?

Posted by John Kleeman

In Questionmark’s white paper, The Role of Assessments in Mitigating Risk for Financial Services Organizations, we shared advice and requirements from financial services regulators about compliance-related testing for employees.

Do health care regulators also advise or require companies to test their employees to check understanding?

The answer is yes, and here are some examples.

The World Health Organization (WHO) states in its principles for good manufacturing practices for pharmaceutical products:

“Continuing training should also be given, and its practical effectiveness periodically assessed.”

WHO guidance also states:

“If training is conducted to achieve a goal, it is reasonable to ask if the goals of the organization’s training programme and the specific training course have been attained or not. Assessment and evaluation are conducted to determine if the goals have been met.”

The European Commission directive 2005/62/EC requires for organizations handling blood that

“Training programmes shall be in place and shall include good practice. The contents of training programmes shall be periodically assessed and the competence of personnel evaluated regularly.”

The US Department of Health and Human Services in its Compliance Program Guidance for Medicare Contractors states:

“Contractors should consider using tests or other mechanisms to determine the trainees’ comprehension of the training concepts presented.”

Also in the US, the Pharmacy Compounding Accreditation Board (PCAB) gives guidance that

“The pharmacy has SOPs for educating, training, and assessing the competencies of all compounding personnel on an ongoing basis, including documentation that compounding personnel is trained on SOPs.”

Just like in financial services, health care regulators strongly encourage and in some cases require that regulated organizations test their employees to ensure that they have understood training and that they are competent to do their jobs.

One thing health care regulators emphasize more than those overseeing financial services is the merit of giving observational assessments as well as knowledge tests — presumably because skills are often more practical. For example, PCAB guidance says that:

“Staff competency can be evaluated by a combination of … direct observation … written tests [and] … other quality control activities”

Previously, in this series on assessments in health care, I’ve covered good practice in competency testing in the health care industry and shared analysis of why errors are made and how testing can help. I hope these examples of regulator guidance and requirements are also useful.