If you do business internationally, it is good to track the country-specific privacy commissioner (or whatever the country-specific term happens to be) site. It is also good to track the sites of organizations such as the European Union EU Working Party, Asia Pacific Economic Cooperation (APEC), and so on.
The EU Working Party posted the following notice in March about launching a data protection investigation specifically in the "private health insurance sector":
"The EU- Working Party for data protection is launching an investigation into the processing of personal data in the private health insurance sector early March 2006. It is the first time that the national Data Protection Authorities of the Member States, in the context of their activities in the Article 29 Working Party, undertake a co-ordinated EU-wide investigation. The aim of this investigation is to analyse whether and how the data protection regulations are being complied with in the private health insurance sector across the EU."
BTW, there are currently 25 EU member countries.
"This joint action will take place in the same time period. It starts in March and it is focusing on the processing of data by private health insurance companies offering private medical treatment insurance, in all the Member States. This sector has been selected because the processing of sensitive personal data is a key element of its activities and because of the potential impacts of non compliance upon a significant number of people across the European Union.
European citizens and the insurance sector have a shared interest in careful data management in compliance with the law and this joint investigation aims to contribute to this aim. In order to ensure a fruitful cooperation with the sector involved, the CEA (European Federation of National Insurance Associations) has been regularly informed and an exchange of views has taken place during the preparation of the investigation action.
The investigation will be carried out through a questionnaire which is the same for each EU Member State, with questions focused on six areas in which data processing plays a particularly important role. The responses received will be evaluated both at national and at EU level. Based on the results, the Article 29 Working Party could subsequently decide to issue practical guidance for the sector at large and identify areas for future action with a view to improving compliance in the least burdensome way.
As a background to this, in a declaration of 25 November 20041, the Article 29 Working Party stated that the promotion of harmonised compliance with data protection legislation is one of its strategic and permanent goals. The declaration emphasizes the importance of enforcement as a means of increasing compliance. The Working Party expressed the aim of contributing to a more pro-active stance towards enforcement and announced that EU wide synchronized national enforcement actions would be undertaken in the years to come.
In addition to that, as a result of the first Report on the implementation of the Data Protection Directive in May 2003, the European Commission requested the Article 29 Working Party to consider the launching of sectoral investigations at EU level and the approximation of standards in this regard. These developments have resulted in the investigation action which will currently be undertaken."
There are likely many organizations impacted outside the EU. I found a privacy self-assessment questionnaire on the site; I don’t know if it is the same one being used within this investigation or not. However, even if your organization is not a health insurance company, if you do business in the EU you could benefit from doing this self assessment. Sounds like sooner or later your organization may be part of a future investigation.
Technorati Tags
privacy
EU Data Protection Directive
EU Working Party
health insurance
health information privacy
privacy compliance
privacy self assessment