Thursday, January 28, 2010


EUROPEAN DATA PROTECTION DAY


Today, January 28, 2010, three years after European Data Protection Day was first held in 2007, its fourth edition is being celebrated. In general, we can say that there is greater awareness among citizens about the responsible use of personal data. However, some tools, such as those that social networks have offered for some time, continue to be used in ways that are hardly advisable. On them, the most vulnerable and most exposed users are children and teenagers, as many of them are unaware of the risks these tools contain.

Education is therefore key in data protection. Children and parents should be taught about the use of the Internet, and specifically about the use of social networks, P2P networks, etc., and containment measures should be put in place, such as those developed by the provincial government of Gipuzkoa (www.gipuzkoa.net) under "Internet Safe", a tool that audits the security status of your PC and also includes sub-tools such as content filtering to prevent access to unwanted Internet content. There are also other manuals and tools, such as those found on the website of the Basque Data Protection Agency (AVPD). These include a series of cartoon episodes, such as the Adventures of Reda and Net, which show younger children the risks of the Internet and the caution that should be taken with personal data. For children and adolescents of other ages, there are manuals or guides with various everyday scenarios in which personal data is handed over irresponsibly, such as the Technology Manual for Young, for ages 9 to 11, 12 to 14 and finally 15 to 17.

The Spanish Agency for Data Protection (AEPD) also has various initiatives, such as the manual "Recommendations under 2008". These tools and more are available to citizens, parents, teachers, students... so through this post I thought it appropriate, on a day like today, to make them known and disseminate them as far as possible.

Lastly, note the new self-assessment application that the Spanish Agency for Data Protection (AEPD) has made available to the public. After testing it a bit yesterday, I must say that I found the least interesting, although you have to spend between 30 and 45 minutes, I think that without doubt this new tool will for at least another post.


Wednesday, January 27, 2010


"PERSONAL DATA AND CLOUD COMPUTING"


This post deals with the privacy policy of the services offered by Google Apps and its fit with national and European law on data protection and telecommunications. More than a year ago, the consulting firm Forrester published a report, "Should Your Email Live In The Cloud? A Comparative Cost Analysis", which set out the virtues and savings of Google's services for the applications businesses use, such as telecommunications systems, messaging, etc. This first report was analyzed by the law firm "Almeida.com", in particular by Javier Maestre, in the article "The Tale of the Milk 2.0", published by El Mundo, which questioned the legality of the services offered by Google Apps with respect to telecommunications as well as privacy and data protection. This drew an immediate response from the director of Google Enterprise Spain and Portugal, Carlos Gracia Armendáriz, in the article "This is not a fairy 2.0", also published by El Mundo.

Given the heated controversy generated around the privacy policy of Google Apps services, I will analyze the current situation of the privacy policy of Google's messaging service (Gmail) and outline possible solutions to the issues or questions that may arise.


In this case, if we consider the obligations established by the LGT, we note that if a company decides to install and use Gmail as an internal e-mail service for its employees and/or for persons or third parties involved in marketing or developing the company's services, neither Gmail nor the contracting company would be considered a telecommunications operator, because the service is not offered in order to provide telecommunication services but is used as one more technological tool of the company. However, under a stricter interpretation, Article 6.2 of the LGT would indeed apply ("Requirements for the operation of networks and the provision of electronic communications services. 2. Those interested in operating a given network or providing a particular electronic communications service shall, before beginning the activity, notify the Telecommunications Market Commission (CMT) in writing, on the terms to be determined by royal decree, submitting to the conditions laid down for the exercise of the activity they intend to undertake. Those who operate networks and provide electronic communications services under a self-provision regime are exempt from this requirement.").

The LGT also includes among its provisions the following duty:
"Companies that provide any of the following services must register with the Registry of Operators of Networks and Electronic Communications Services, managed by the CMT"
• Internet access service.
• E-mail service (now of course).
• Database access service.
• News service.
In this case, both Google and the contracting company should be registered in the CMT's "Registry of Operators of Networks and Electronic Communications Services" for the e-mail service. If they fail to comply with the provisions described above, and if Article 6.2 of the LGT is applied strictly, both Google and the company contracting the e-mail service (Gmail) could be punished for conduct classified as a very serious offense. Such offenses are set out in Article 53 a) t), and the amount for this type of violation is set in turn in Section 56.1 (Penalties), paragraph 1 b). The amount of the penalty is determined in each case and is tied to gross profit: not less than that amount and not more than five times it. According to the law, the applicable maximum is two million euros, since the LGT regards this as a very serious infringement. An appeal may be brought against this decision, with supporting documentation submitted for review by the CMT. If no agreement is reached, the defendants could go to the Provincial Court. However, this would be the worst case, and we must keep in mind that the law can only be interpreted in this way if the contracting company gives e-mail addresses to third parties who do not belong to it; not giving such addresses to third parties would be sufficient to avoid the penalty. Besides all the above, the CMT distinguishes between a reseller and a distributor of an electronic messaging service. The difference is that the first obtains a direct benefit (direct gain) from providing the service and the second in principle.

However, it would be appropriate for Google's privacy policy, or the contracts it signs with new clients for Google Apps services or specifically for electronic mail (Gmail), to include a clause expressly prohibiting the contracting company from providing e-mail accounts (Gmail) to non-members of the company or, if it does so, expressly providing that it does so at its own risk. It would also be highly advisable for Google to monitor, as far as possible, compliance with this clause. In short, we must avoid creating e-mail accounts for clients, partners and other third parties who are not strictly members of the staff of the contracting company. If we do not follow this path, we must meet the requirements of Article 6 of the LGT, because we will be acting as providers of telecommunications services, and if we are not recorded in the "Registry of Operators of Networks and Electronic Communications Services" for e-mail services, we may be subject to penalties by the CMT. While it is clear that the CMT does not act ex officio, there are CMT decisions in which penalties were imposed for offenses similar to those described above, so it is advisable to take the measures set out earlier. An example of a penalty provided for violations of Article

Finally, note that registration as a telecommunications operator is a free procedure. However, if the service is exploited economically, these companies will be required to pay an annual fee amounting to 1.25 per 1,000 of gross operating income. That is, if the turnover is not high, the applicable fee will be minimal.

Data Protection / Privacy Policy:

As far as data protection is concerned, we must consider the legal rules established by the Data Protection Act, the RDLOPD that implements it, and Commission Decision 2000/540/EC of 26 July 2000, adopted in accordance with Directive 95/46/EC of the European Parliament and of the Council, on the protection afforded by the Safe Harbor Principles for the Protection of Privacy and the related frequently asked questions published by the U.S. Department of Commerce.
Since Google is a company with servers in different states around the world, account must be taken of where those servers are located. For Member States, Directive 95/46/EC applies. For servers located in states outside the European Community, it must be checked whether there is some kind of agreement or contract that establishes the appropriate security measures; otherwise, express authorization for the international transfer of personal data must be sought from the Director of the Spanish Agency for Data Protection.
In the present case, take as an example two countries receiving the data supplied by the Spanish contracting company. The first is Ireland, which is a member of the European Union and is therefore covered by Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data. The second is the U.S., where the case is different: being a non-Member State, it falls under Decision 2000/540/EC of the European Commission of 26 July 2000, adopted under Directive 95/46/EC of the European Parliament and of the Council, on the protection afforded by the Safe Harbor Principles for the Protection of Privacy and the related frequently asked questions published by the U.S. Department of Commerce. To ensure the effectiveness of the decision, the United States Department of Commerce, or its representative, must keep publicly available a list of entities that self-certify their adherence to the principles and their implementation, and that are subject to the jurisdiction of the Federal Trade Commission (FTC), under the authority conferred on it by Section 5 of the Federal Trade Commission Act, or of the United States Department of Transportation, under the authority conferred on it by Section 41712 of Title 49 of the United States Code. These bodies are empowered to investigate complaints submitted to them and to obtain relief against unfair or deceptive practices, as well as redress for individuals who are subject to the jurisdiction, regardless of their country of residence or nationality.
It should also be considered that, according to the requirements of Directive 95/46/EC, the Safe Harbor principles ensure an adequate level of protection for personal data transferred from the European Community to entities in the United States, provided that the recipient of the data (in this case Google) has notified the United States Department of Commerce, or its representative, of its unequivocal and public commitment to comply with these Safe Harbor Principles and is subject to the jurisdiction referred to above.
Notably, adherence to the Safe Harbor requirements is voluntary. Both registration and access to the public list of entities subscribing to the Safe Harbor requirements are available on the U.S. Department of Commerce website:
http://www.export.gov/safeharbor/Safe_Harbor_Instructions.asp (this website shows the laws and jurisdictions applicable to the Safe Harbor and its content). The list of entities subscribed to the Safe Harbor requirements established by the United States Department of Commerce is available at this address:
http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list .
Google is currently registered on that website (http://www.export.gov/safeharbor), specifically in the "Safe Harbor List", at the following address:

http://web.ita.doc.gov/safeharbor/SHList.nsf/f6cff20f4d3b8a3185256966006f7cde/9d486b16464df0648525709b006df57c?OpenDocument&Highlight=2, GOOGLE (Which leads to the following):


From the information displayed on this record, it appears that Google has voluntarily subscribed to the Safe Harbor document, which details the general principles and obligations adopted by Decision 2000/540/EC of the European Commission of 26 July 2000 under Directive 95/46/EC (in particular Article 25, paragraphs 2 and 6, and Article 26, paragraph 3) of the European Parliament and of the Council, on the protection afforded by the Safe Harbor Principles for the Protection of Privacy and the related frequently asked questions published by the U.S. Department of Commerce. This is reflected in paragraph sixteen of the Department of Commerce's Safe Harbor record:

"Do you Agree to COOPERATE and Comply with the European Data Protection Authorities? Yes "

Safe Harbor is a sectoral adequacy decision open exclusively to US-based companies, so its application cannot be extended, as has at times been attempted (and is still being attempted), to affiliates of American companies based outside that country.

However, it is important to note that, in addition to the qualifications, duties and obligations set out in the documentation with which Google entered the Safe Harbor, Google also takes on a commitment to meet the obligations and duties contained in Decision 2000/540/EC of the European Commission of 26 July 2000. It must also be taken into account that the Commission has established that all the adequacy decisions for third countries approved to date (including Decision 2000/540/EC concerning the U.S.) share a number of common elements. First, the decisions state, exhaustively, that they apply only to data transfers from the EU to the third country and in no case affect the other conditions and obligations under the national law of each Member State. In the case before us, this means that in addition to the obligations contained in the Safe Harbor requirements to which Google has subscribed, Google must also comply with Spanish legislation on data protection.

In addition, without prejudice to the powers assigned to them by national laws, the supervisory authorities of the Member States are given the possibility to block a particular transfer when the supervisory authority of the third country has determined that the organization has violated the conditions of the decision, or when there is a substantial likelihood that the rules are being violated, the supervisory authority of the third country has not taken or will not take steps to resolve the case, the continuing transfer would create an imminent risk of grave harm to those affected, and the authority of the Member State has made reasonable efforts to notify the party and give it the opportunity to respond.

Having analyzed the general framework of international transfers of personal data in the Directive, we will now deal with the U.S. case. To begin, we must ask why there is a problem between the U.S. and the EU. The problem stems from the existence of two different understandings of what privacy is and means, and of the mechanisms to be used to preserve it.

For the EU, the protection of personal data is a fundamental right of citizens. This is recognized explicitly in some Member States' constitutions (the Spanish one among them). In addition, both the EU, through various policies, and its Member States, in transposing them, have adopted mandatory and general legal rules establishing the principles and rights that citizens have regarding the processing of personal data. Finally, all Member States have independent supervisory authorities responsible for overseeing compliance with the relevant legislation.

Meanwhile, in the U.S. data protection is considered to be at the disposal of citizens. It is partially covered by a multitude of specific and sectoral rules with no connection between them, with almost all the emphasis placed on self-regulation and without any authority or authorities responsible for ensuring effective compliance with the rules and the application of universally accepted standards. This situation therefore made it impossible for the European Commission to issue a declaration of adequacy for the U.S.

The system by which companies voluntarily adhere to the Safe Harbor requirements is based exclusively on a unilateral statement by the companies that they meet those requirements. Subsequently, control of compliance is entrusted to an audit that can be carried out by the entity's own internal staff. That is, it is a scheme of self-certification, self-regulation and self-evaluation in which there may never be any external controls on the activities and data protection practices of companies adhering to the Safe Harbor.
Since Spanish law applies in addition to the Safe Harbor, we must consider the scope of Spanish legislation on data protection, which is set out in Article 2 (Scope) of the Data Protection Act.
1. The present Act shall apply to personal data recorded on a physical medium that makes them amenable to processing, and to any form of further use of this data by the public and private sectors.
The present Act shall govern any processing of personal data:
a) When the processing is carried out on Spanish territory in the framework of the activities of an establishment of the controller.
b) When the controller is not established on Spanish territory but Spanish law is applicable under rules of public international law.
c) When the controller is not established in the territory of the European Union and uses, in the data processing, means located on Spanish territory, unless such equipment is used only for transit purposes.

Limiting ourselves to the Spanish case: if data is to be transferred to a third country so that it is processed there on behalf of the party in Spain, then regardless of the mechanism used to legitimize the transfer (adequate destination country, contractual guarantees, etc.), the obligations under Article 12 of Law 15/1999 of 13 December on the Protection of Personal Data (Act) must be fulfilled. That article makes it compulsory to govern the processing by a contract that includes a number of prerequisites.

Similarly, if the transfer constitutes an assignment or communication of data, one of the cases of lawfulness set out in Article 11 of the Data Protection Act must be present.
In addition to the two articles cited, compliance with Spanish legislation on the protection of personal data also requires taking into account Article 10 of the RDLOPD, which lays down the cases that legitimize the processing or transfer of data. The legal provisions contained in Article 21 of the RDLOPD must also be met in the event that Google outsources part of its service to other companies, as might happen if the information is held in Ireland and the U.S., because this gives rise to a service contract that should meet the provisions of that Article. Article 22 shall also apply to the retention of data by the processor (in this case Google).
Article 12 of the RDLOPD (General principles) will also apply indirectly:
1. The controller must obtain the individual's consent for the processing of personal data, except in those cases where it is not required under the provisions of the law.
The request for consent must refer to a specific processing operation or series of operations, stating the purpose for which the data is collected and the other conditions attending the processing or series of operations.
2. When the consent of the data subject is requested for the transfer of his or her data, the data subject must be informed in such a way as to know unequivocally the purpose for which the data covered by the requested consent will be used and the type of activity conducted by the transferee. Otherwise, the consent shall be void.
3. It is for the controller to prove the existence of the data subject's consent by any form of evidence admissible in law.
Finally, it is noteworthy that, just as Article 12 of the Data Protection Act sets out the obligations of the processor, the owner of the file (the contracting company) must also be watchful and diligent in choosing the processor. It must verify that the processor (in this case Google) complies with the measures established by the RDLOPD 1720/2007, in particular the security measures laid down in Article 88 of the RDLOPD. This article provides the following measures, which the contracting company should check with Google through timely periodic checks. For this, Google should formalize its current security processes as procedures that show compliance with the technical security measures laid down in Article 88 of the RDLOPD (Security Document), including:
1. The data controller shall produce a security document setting out the technical and organizational measures, in keeping with current security regulations, with which staff who have access to the information systems must comply.
2. The security document may be a single document covering all the files or processing operations, or an individual one for each file or processing operation. Separate security documents may also be drawn up by grouping files or processing operations according to the processing system used for their organization, or according to the controller's organizational criteria. In any case, it shall be an internal document of the organization.

3. The document must contain at least the following aspects:
a) Scope of the document, with a detailed specification of the protected resources.
b) Measures, standards, operating procedures, rules and standards aimed at ensuring the security level required by these regulations.
c) Roles and responsibilities of staff in relation to the processing of the personal data included in the files.
d) Structure of the files containing personal data and description of the information systems that process them.
e) Procedure for reporting, managing and responding to incidents.
f) The procedures for performing backup and recovery of data in automated files or processing.
g) The measures that need to be taken for the transport of media and documents, as well as for the destruction of documents and media or, where appropriate, the reuse of the latter.
4. If the medium-level or high-level security measures provided for in this title apply to the files, the security document must also contain:
a) The identification of the person or persons responsible for security.
b) The periodic inspections to be carried out to verify compliance with the provisions of the document itself.
5. Where data is processed on behalf of third parties, the security document must identify the files or processing operations handled as processor, with specific reference to the contract or document governing the conditions of the assignment, as well as identifying the controller and the duration of the assignment.
6. In cases in which personal data of a file or processing operation is kept exclusively in the processor's systems, the controller must record this in its security document. When this circumstance affects some or all of the controller's files or processing operations, responsibility for keeping the security document may be delegated to the processor, except for data held in the controller's own resources. This shall be stated expressly in the contract concluded under Article 12 of Law 15/1999 of December 13, specifying the files or processing operations affected.
In that case, the processor's security document shall be relied on for the purpose of compliance with the provisions of this regulation.
7. The security document shall be kept up to date at all times and shall be reviewed whenever there are significant changes in the information system, in the processing system used, in its organization, in the content of the information contained in the files or processing operations or, where appropriate, as a result of the periodic inspections performed. In any case, a change is understood to be significant when it may affect compliance with the security measures implemented.
8. The contents of the security document must comply at all times with the existing provisions on the security of personal data.

All these obligations may be further specified in various ways. One is through standard codes (códigos tipo) like those found on the AEPD website, in which the parties privately establish their obligations with respect to the legal duties of personal data protection; this would be the most advisable way to correct any defects that might result from an inadequate adaptation of the measures Google now adopts to the legal provisions of Spanish legislation. Another option is to include them in the contracts signed by Google and its customers, or to include those legal measures in Google's Privacy Policy.


To be fully in line with Spanish and European legislation on the protection of personal data, Google should sign with its customers a data processor contract setting out its duties and responsibilities.