Privacy Laws & Business 12th Annual International Conference
New Data Protection Law: Issues, Solutions, Action
St. John's College, Cambridge, United Kingdom, 28th - 30th June, 1999
Programme
Day 1 - Monday, June 28th, 1999
Time
10.00
11.00
11:15
Speaker
Title of Session
Registration in the Fisher Building
(till 18.00)
Coffee
Chairman's introduction to the conference
Stewart Dresner, Director, Privacy Laws & Business
themes
11:30 Multinational Consumer Privacy Survey: US, Dr. Alan Westin, Editor, Privacy & American Business
UK, and Germany compared
12:00 UK Data Protection Act 1998: Starting point - Rosemary Jay, Legal Adviser, Office of the Data Protection
Individuals' rights, the new Human Rights
Registrar (ODPR) UK
context and the impact on enforcement action
12:45 Lunch in the Hall
Parallel Sessions
14.00
UK Basic Training
Negotiating European Sectoral Codes
Chair: Michael Heavey, Director, IRMS (PL&B
How to prepare a European Sectoral Code that conforms
with the European Union's Data Protection Directive: the
Associate, Scotland)
The UK's new Data Protection Act for beginners and experience of the direct marketing and the airline
recently appointed data protection staff
industries
A Compliance Officer, Office of the Data Protection
Peter Hustinx, Chairman, European Union's Article 29
Registrar, UK
Working Party, President Regstratiekamer, The Netherlands
(This session will be repeated at 09:45 on Wednesday
 Art. 27 - Rules of procedure
the 30th of June)
 Admissibility of draft codes
15:00 Training Videos
 Conformity with national law
Produced by Television Education Network
 Requirement of "added value"
Alastair Tempest, Director-General, Federation of European
Direct Marketing, Brussels
 Council of Europe's 1984 Recommendation on Data
Protection and Direct Marketing
 Experience of codes of conduct at national level
 Importance of clear guidelines for direct marketing at
the European level
Monique de Smet, Assistant Director, Government &
Industry Affairs, Europe, International Air Transport
Association, Brussels (invited)
Human Resources Data
16:00 The case for the adequacy of data protection Dr Donald Harris, HR Privacy Solutions, New York
provisions for Human Resources data in the
Chair: Bojana Bellamy, Principal Consultant, Privacy Laws &
USA
Business
David Smith, Assistant Registrar and Head, Private Sector
16:20 Impact of the new Data Protection Act for
Human Resources Management: Developing Compliance, ODPR, UK
the UK Data Protection Registrar's new HR
Code of Practice
 Why a Human Resources Code?



17:00
17:45
18.00
18.45
19.30
Practical advice or legal analysis?
Identifying the key issues
Consulting Data Controllers and Data
Subjects.
Opt-ins and Opt-outs
The role and changing legal status of opt-ins Rosemary Jay, Legal Adviser, Office of the Data Protection
and opt-outs. Comparing them in print and by Registrar (ODPR) UK
telephone. How best to achieve the balance
Alastair Tempest, Director-General, Federation of European
between meeting the requirements of the new Direct Marketing, Brussels
law and keeping wording to a minimum
Bojana Bellamy, Consultant, Privacy Laws & Business
(Please send in your own and/or your favourite
good and bad examples for assessment/advice)
Close
Guided walks
Drinks in St. John's College Garden
Dinner in The Hall
Day 2 - Tuesday, June 29th, 1999
Time
07.30
08.30
09.00
Title of Session
Speaker
Breakfast
(till 08.45)
Registration in the Fisher Building
(till 13.00)
How will the European Commission decide
Peter Hustinx, Chairman, European Union's Article 29
which countries may pass the adequacy test
Working Party, President Regstratiekamer, The
for international transfers of personal data
Netherlands
outside the European Union?
Chair: Bojana Bellamy, Principal Consultant, Privacy Laws
& Business
 Who decides about what?
 Substantive requirements
 Effectiveness of protection
 Possible elements of a solution
Parallel Sessions
09:30
UK
International
The Data Protection Registrar's new enforcement
Chair: Bojana Bellamy, Principal Consultant, Privacy Laws
powers: how might they be used and how might data & Business
controllers respond? Some scenarios
Which countries may pass the adequacy test for
Angus Hamilton, Solicitor, Hamiltons and prosecuting
international transfers of personal data outside the
EU? Canada? Which countries might be next in the
solicitor representing the Data Protection Registrar
Simon Chalton, Solicitor and consultant, Bird & Bird,
Asia-Pacific region?
Blair Stewart, Assistant Privacy Commissioner, New
London
Zealand
 The new enforcement notice power
An overview of New Zealand's Privacy Act 1993
 Information notices
 The information privacy principles and other key
 Powers of entry and inspection
features of the Act
 Police and Criminal Evidence Act powers
 Complaints mechanisms and redress for
 The right to silence?
interferences with privacy
 The roles of the Privacy Commissioner and the
Complaints Review Tribunal Adequacy
 Residency/citizenship standing requirement to
exercise access and correction rights
 Absence of a data export prohibition
 Delays in investigating complaints
 Processing of sensitive categories of data
Bruce Philips, Federal Privacy Commissioner, Canada
 The relationship between the Personal Information
Protection and Electronic Documents Bill, the
current Federal Privacy Act and the provincial
privacy laws
 The sectors covered by the Bill
 Organisations' duties
 Individuals' rights
 Complaints resolution
 Limitations of the Bill
 Timetable
David Main, Manager, Promotion and Education Office of
the Privacy Commissioner, Australia
 Where does Australia currently stand in terms of
the adequacy test?
 The recent privacy protection developments in the
private sector in Australia
 Prospects for legislation - when will it happen and
will it pass the adequacy test?
Concluding comments:
Francis Aldhouse, Deputy Data Protection Registrar, UK
10.45 Coffee
Parallel Sessions
11.15
Internal Marketing of data protection
International
How to communicate your data protection policy and Chair: Bojana Bellamy, Principal Consultant, Privacy Laws
procedures within your organisation
& Business
Bring examples of your internal training materials such as The case for model contracts and other arrangements
to facilitate international transfers of personal data staff newsletters, posters and in-house videos.
A brainstorming session for sharing your ideas with and the EU's Article 29 Committee's response
other conference participants. Be prepared to speak Francis Aldhouse, Deputy Data Protection Registrar and
about your more and less successful training
UK member, Article 29 Committee
initiatives
Professor Peter Swire, Chief Counsellor for Privacy, Office
Sharon Rowland, Data Protection Manager, Royal
of Management and Budget, USA, and advisor to the US
Society for the Prevention of Cruelty to Animals
government on its Safe Harbor Policy
Dr. Alan Westin, Editor, Privacy & American Business
 The role of the Data Protection Officer
Graham Sutton, UK Member, EU's Article 31 Committee
 Marketing data protection training
 Training methods and materials
 Maintaining awareness
Parallel Sessions
12.15
Internal Marketing of data protection
International
Using your network or Intranet to raise, maintain and How EDS is tackling international data transfers with
audit data protection awareness
inter-company arrangements
Philip Marshall, Director of Business Development, Easy i Geofrey Master, General Counsel, Europe, Middle East
and Africa,Electronic Data Systems
Concluding comments:
Peter Hustinx, Chairman, European Union's Article 29
Working Party
12.45 Lunch in the Hall
14.00 Registration in the Fisher Building
(till 17.30)
Parallel Sessions
14.00
Data Protection and Marketing
From Registration to Notification
Chair: Adrienne Walker, Data Protection Officer, Greater
1. Distance Selling
The impact on business of the EU's Distance Selling Manchester Police
Directive and the Distance Selling Financial Services How to handle the transition successfully
Draft Directive
A Registration Officer, ODPR, UK
Lucy Inger, Solicitor, Masons, Leeds
David Smith, Assistant Registrar and Head, Private
Sector Compliance, ODPR, UK
14.30 2. Telephone Marketing
Essential data protection law for call centres and
telemarketing:
The new UK Telecommunications Data Protection
Regulations implementing the EU
Telecommunications Data Protection Directive
Gill Andrews, Partner and Solicitor, Sidley and Austin,
London
15:00 3. Data Warehousing
How NCR attempts to combine business efficiency
with respect for individuals' privacy in its data
warehousing programme for retailers and financial
services companies
Paul Nielsen, Senior Attorney, NCR, London
15:30 Tea
4: Internet and E-Commerce
16.00 Data Protection aspects of the Internet and E- Christopher Millard, Partner and Solicitor, Clifford Chance,
commerce
London
Laura Linkomies, Associate Editor, Privacy Laws &
16.30 The key elements which you should include
when designing a privacy statement on your
Business
website
 Why websites which collect personal data
must have a clear privacy statement
 How good privacy statements create
consumer trust in electronic commerce
 How to create a good privacy statement
 Examples of the type of information
privacy statements should convey to
consumers
Francis Aldhouse, Deputy Data Protection Registrar and
16.50 Applying the Data Protection Act 1998 to the
Internet and E-commerce
UK member on the OECD E-commerce policy initiative
17.30 Close
18.45 Drinks in River Court, St. John's College Garden
and punting on the River Cam
19.30 Dinner in The Hall
Day 3 - Wednesday, June 30th, 1999
Time Title of Session
07.30 Breakfast
08.30 Registration in the Fisher Building
09.00
UK Data Security
Speaker
(till 08.45)
(till 13.00)
Parallel Sessions
Data Protection Auditing and Assessing Costs
Chair: Michael Heavey, Director, IRMS (PL&B Associate,
Scotland)
Is the BS 7799 information security standard the key
to principled and secure accreditation and
compliance with the 1998 Data Protection Act?
Barry Anderson, Industry Chairman, DTI/BS 7799 User
Group and Information Security Compliance Manager,
Halifax
UK Basic Training
9.45 The UK's new Data Protection Act for beginners
and recently appointed data protection staff
A Compliance Officer, Office of the Data Protection
Registrar, UK
(This session is also available at 14:00 on Monday the
28th of June)
Progress report on developing an audit methodology
for the UK Data Protection Registrar resulting from the
DPR's new powers
Stewart Dresner, Director, Privacy Laws & Business
9.10 Advantages and disadvantages of conducting
compliance audits
Bruce Phillips, Federal Privacy Commissioner, Ottawa,
Canada
9.25 Helping organisations world-wide implement their
privacy policies across their operational processes
and systems, taking into account costs, benefits and
opportunities
 How companies make decisions concerning their
privacy policies and practices
 The range of privacy responses from compliance
with legislation to positioning for competitive
considerations
 The business issues related to privacy responses
 How risk management tailored to business
objectives can be used to implement an effective
privacy strategy
 The IBM Privacy Consulting Methodology
Albert Decker, Managing Principal, IBM Security and
Privacy Consulting Services, USA
Rebecca Whitener, Senior Consultant, IBM Security and
Privacy Consulting Services, USA
10.00 The Data Protection Act 1998: Assessing the
costs of compliance
 Examining areas of substantial cost in
implementing the new Act
 A specific look at the implications of the new Act for
IT systems and the changes that will be required
 Balancing costs and risk
Shelagh Gaskill, Partner and Solicitor, Masons, Leeds
10.30 Coffee
Into the Future - Making the UK Primary and Secondary Legislation Work Together
Francis Aldhouse, Deputy Data Protection Registrar,
11.00 The key issues in the secondary legislation,
the Data Protection Commissioner's extended ODPR, UK
role and what you must do in future to keep
David Smith, Assistant Registrar and Head, Private Sector
within the law
Compliance, ODPR, UK
Chair: Bojana Bellamy, Principal Consultant, Privacy Laws
& Business
Stewart Dresner, Director, Privacy Laws & Business
12.30 Conference feedback and planning ahead
13.00 Lunch in the Hall
Parallel Sessions
14.00
How should the Public Sector Balance the Data
Visit to the British Telecommunications Research
Protection Act 1998 with other Public Interests?
Laboratories
Balancing the Data Protection Act and the Freedom
13.45 A visit to BT's laboratory at Martlesham will give
of Information Bill: The public's right to know - where you a unique insight into future products and services
should it end?
and will provide an opportunity to assess their privacy
Maurice Frankel, Director, The Campaign for Freedom of protection features.
Information
Martlesham is near Ipswich, Suffolk (about an hour and a
Rosemary Jay, Legal Advisor, ODPR, UK
14.45 Balancing the Data Protection Act and the
Crime and Disorder Act
How the police are working with other agencies using
ACPO Protocol to share personal data to fight crime
Michael Argent, Chairman ACPO Data protection
Working Group, Chief Constable, North Wales
 The role and scope of the ACPO Data Protection
Working Group
 ACPO's views on the relationship between the
two acts
 The need for a protocol for sharing of personal
data between the police and the other
organisations
 Outline of the Data Protection Act/Crime and
Disorder Act protocol
 Practical impact of implementing the protocol
 The way forward
Speakers from other sectors to be announced
16.00 Close and tea
half from Cambridge). Transport to and from Martlesham
will be provided. Return to Cambridge at approximately
18.45. Numbers are limited.
Host: Marek Rejman-Greene, senior Researcher, BT
Laboratories