Privacy for the City Attorney - Importance and Guidelines
This presentation delves into the critical aspects of privacy and ethics concerning city attorneys, covering key topics like legal compliance, confidentiality, competence, and supervision. It emphasizes the ethical responsibilities and implications related to virtual legal practice, confidential information handling, and the evolving landscape of online security measures. The content also highlights the significance of adhering to professional conduct rules and staying updated with state laws.
Presentation Transcript
PRIVACY FOR THE CITY ATTORNEY April 28, 2022
K Royal, PhD Privacy Counsel Outschool kroyal@outschool.com
AGENDA: Why this matters; Privacy basics; US state law overview; Key issues with contracts; Practical takeaways
DRIVERS FOR ATTORNEYS: Comply with laws addressing personal data; Be proficient and responsible; Understand implications; Professional ethics and responsibilities
AMERICAN BAR ASSOCIATION FORMAL OPINION 498, MARCH 10, 2021
1. The ABA Model Rules of Professional Conduct permit virtual practice, which is technologically enabled law practice beyond the traditional brick-and-mortar law firm. When practicing virtually, lawyers must particularly consider ethical duties regarding competence, diligence, and communication, especially when using technology.
2. In compliance with the duty of confidentiality, lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation and take reasonable precautions when transmitting such information.
3. Additionally, the duty of supervision requires that lawyers make reasonable efforts to ensure compliance by subordinate lawyers and nonlawyer assistants with the Rules of Professional Conduct, specifically regarding virtual practice policies.
COMMONLY IMPLICATED RULES OF PROFESSIONAL CONDUCT: Competence, diligence, and communication; Confidentiality; Supervision
ARIZONA ETHICS OPINION 09-04 Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary.
ARIZONA ETHICS OPINION 05-04 ER's 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences. It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet. However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence.
TERMINOLOGY: Personal data; Personally Identifiable Information or PII; Personal Information; Information linked to a person; Public or private; Business or home information; Not interchangeable terms; used interchangeably
IS THERE ANY REQUIREMENT FOR AN ACTUAL IDENTIFIER? Even pictures?
COMMONALITIES: FAIR INFORMATION PRACTICE PRINCIPLES: Transparency; Individual Participation; Purpose Specification; Data Minimization; Use Limitation; Data Quality and Integrity; Security; Accountability and Auditing
https://www.dhs.gov/sites/default/files/publications/privacy-policy-guidance-memorandum-2008-01.pdf
https://www.dhs.gov/sites/default/files/publications/dhsprivacy_fippsfactsheet.pdf
CALIFORNIA: CALIFORNIA PRIVACY RIGHTS ACT (CPRA)
Threshold Application. CCPA: Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices. CPRA: Buy, sell, or share the personal information of 100,000 or more California residents or households.
Consumer Rights. CCPA: Right to Know/Access; Right to Delete; Right to Opt-out of Sale; Right to Non-Discrimination. CPRA: Same rights as the CCPA, and an addition of: Right to Rectification; Right to Limit Use and Disclosure of Sensitive Personal Information.
Enforcement. CCPA: Enforcement by the State Attorney General. CPRA: Creation of the California Privacy Protection Agency for enforcement and guidance.
Sensitive Information. CCPA: Not defined under the CCPA. CPRA: It is defined as personal information, which includes a consumer's SSN, driver's license, state ID card, etc.
Effective Date. CPRA: 1/1/2023; V-CDPA: 1/1/2023; CO-CPA: 7/1/2023; U-CPA: 12/31/2023
Triggers (in addition to doing business in state with residents, must generally meet at least one trigger). CPRA: $25M rev, buy/sell/share data 100k consumers or households, or 50% rev from selling/sharing; V-CDPA: Data on 100k consumers, or Data on 25k consumers plus 50% rev from selling; CO-CPA: Data on 100k consumers, or Data on 25k consumers plus rev or discount from selling; U-CPA: $25M rev PLUS data on 100k consumers or Data on 25k consumers plus 50% rev or discount from selling
Regulations. CPRA: Yes; V-CDPA: No; CO-CPA: No; U-CPA: No
Privacy Notice. CPRA: Yes; V-CDPA: Yes; CO-CPA: Yes; U-CPA: Yes
DSAR Response Time. CPRA: 45, +45; V-CDPA: 45, +45 / appeal; CO-CPA: 45/+45 / appeal; U-CPA: 45/+45
Sale / Sharing Data. CPRA: Expansive; V-CDPA: Sell for $$; CO-CPA: Expansive; U-CPA: Sell for $$
Opt-outs. CPRA: Sell, Share, TBA; V-CDPA: Sell, TBA, Profiling; CO-CPA: Sell, TBA, Profiling; U-CPA: Sell, TBA, Profiling
Vendor Cont. Requirements. CPRA: Yes; V-CDPA: Yes; CO-CPA: Yes; U-CPA: Yes
Security Audits. CPRA: No; V-CDPA: Yes; CO-CPA: No; U-CPA: No
DPIA / PIAs. CPRA: No; V-CDPA: Yes; CO-CPA: Yes; U-CPA: No
Applies to B2B / Empl. CPRA: No; V-CDPA: No; CO-CPA: No; U-CPA: No
SENSITIVE PERSONAL DATA
U-CPA; V-CDPA; CPRA; CO CPA; GDPR
Racial or ethnic origin; Religious beliefs; Philosophical beliefs; Political opinions; Union membership; Mental or physical health; Sexual orientation or sex life; Citizenship or immigration status; Genetic or biometric data to identify a person
X X X X X X X X X X X X X X X X X X X X X (diagnosis) X (-sex life) X X X X X X X (-sex life) X X X X
Personal data from a known child; Precise geolocation; Govt-issued ID numbers (SSN, DL, ID, passport); Account access credentials; Content of messages unless a business is the recipient
X X X X X Art. 8 for child X X X X
TRENDS
Include; Debatable / Discussable; Exclude / Don't Include
Privacy notice (consumable); Individual rights; 45-day response time; Right to appeal; Define sensitive data; Minors < 13; Vendor contract requirements; DPIAs / PIAs; Security requirements; Individual right to portability; Controller / processor concepts; Security audits; Allow cure period; Universal opt-out mechanism; Security program safe harbor; Consumer privacy agency; Private right of action; Lookback period; Business-to-Business - explicit exemption; Employment context - explicit exemption; Reporting metrics
CONTRACT TERMS: Definitions; Understanding the product or service; Reps and warranties; Data ownership; Confidentiality; Privacy laws do not equal attorney-client privilege; Security program; Breach notifications; Audit of vendor performance; Remedies / insurance; Termination; Limitation of liability and indemnification; Business continuity
VENDOR OVERSIGHT: All privacy laws require some level of vendor oversight. Contract provisions; Security / Privacy questionnaires; Risk assessments; Due diligence; Data security planning
PRIVACY NOTICES
Consider: Mobile-optimized notices; Apps; Including mobile app store requirements; Requirements of platform; Search engines, ad generators, social media; Translations; Certified, which version rules; Doing business in other countries; Presentation of notice (layered); Click for more details (country specific, etc.)
What to avoid: Legalese; Lengthy (make navigation easy); Not mobile optimized; Overly broad statements; Too many versions on various affiliated sites; Buried in legal link or terms of use; More than 1 click to reach it; Pre-check opting-in
https://az.gov/
https://app.readable.com/text/ (also went to a city app)
Questions? K Royal, JD, PhD kroyal@outschool.com