Throughout 2021, Access has been pleased to provide you with quarterly updates on the latest legislation and regulatory news happening around the world. As previously described, our intent with these briefs, published chiefly for information governance and legal professionals, is to help keep you abreast of the industry’s latest regulatory updates and provisions. Our areas of Research Focus include financial services, payment processing, workplace safety, and back office refresh.
This quarter's goal, just as when we first launched in May, is to help ensure that you have all the latest information to do your job as efficiently as possible and with the utmost confidence.
We also include notations, where applicable, if the regulatory updates have been added to our IG and retention management software, Virgo™, as a courtesy to active clients. We look forward to continuing to provide these updates in 2022 and beyond. So without further ado, following is the latest on that front.
CHINA – Updates on China’s new Personal Information Protection Law (PIPL):
- Personal Information Protection Law (PIPL)
- Applicability: Covers processing of personal information carried out within the PRC, and also applies extraterritorially to processing, undertaken outside the PRC, of the personal information of natural persons located within the PRC under any of the following circumstances:
- for providing a product or service to natural persons located within China;
- for analyzing or assessing the behavior of natural persons located within China; or
- any other circumstance as provided by law or regulations.
- Cross-border Transfers: the PIPL requires that critical information infrastructure operators, as well as processors who process personal information in volumes reaching a threshold set by the CAC (the PIPL itself does not specify the figure), must store personal information collected and generated within the PRC inside the territory of China. Where cross-border transfer of such personal information is indeed necessary, the transfer must pass a security assessment administered by the Cyberspace Administration of China (“CAC”) and other enforcement authorities.
- Other personal information processors may conduct cross-border transfer of personal information upon satisfying one of the following requirements: (a) passing the security assessment by the CAC; (b) obtaining certification of data security by a professional body recognized by the CAC; (c) entering into an agreement with the overseas recipient with provisions governing the rights and obligations of the parties based on a template contract to be released by the CAC; or (d) other requirements as provided by relevant laws and regulations.
- Key Articles:
- Art. 19 – Unless otherwise provided by laws and administrative regulations, the retention period of personal information shall be the shortest time necessary to achieve the processing purpose.
- Art. 47 – In any of the following circumstances, the personal information processor shall proactively delete personal information; if the personal information processor has not deleted it, the individual has the right to request deletion:
- The processing purpose has been achieved or cannot be achieved, or the information is no longer necessary to achieve the processing purpose;
- The personal information processor ceases to provide products or services, or the retention period has expired;
- Individuals withdraw their consent;
- The personal information processor violates laws, administrative regulations, or violates the agreement to handle personal information;
- Other circumstances stipulated by laws and administrative regulations.
- If the retention period stipulated by laws and administrative regulations has not expired, or the deletion of personal information is technically difficult to achieve, the personal information processor shall stop processing other than storing and taking necessary security protection measures.
- Arts. 55 and 56 – Conduct a personal information protection impact assessment in advance (and retain the assessment report and processing records for at least 3 years) of:
- Processing sensitive personal information
- Using personal information for automated decision-making
- Entrusting the processing of personal information to another party, providing personal information to other personal information processors, or disclosing personal information
- Providing personal information abroad
- Other personal information processing activities that have a significant impact on personal rights and interests.
New York – NY HERO ACT:
- N.Y. COMP. CODES R. & REGS. 12 § 840.1(d)(1)(iv)
- Anti-Retaliation: No employer, or his or her agent, or person, acting as or on behalf of a hiring entity, or the officer or agent of any entity, business, corporation, partnership, or limited liability company, shall discriminate, threaten, retaliate against, or take adverse action against any employee for:
- Refusing to work where such employee reasonably believes, in good faith, that such work exposes him or her, or other workers or the public, to an unreasonable risk of exposure to an airborne infectious disease due to the existence of working conditions that are inconsistent with laws, rules, policies, orders of any governmental entity, including but not limited to, the minimum standards provided by the model airborne infectious disease exposure prevention standard, provided that the employee, another employee, or employee representative notified the employer, of the inconsistent working conditions and the employer failed to cure the conditions or the employer had or should have had reason to know about the inconsistent working conditions and maintained the inconsistent working conditions.
- Notification of a violation by an employee may be made verbally or in writing, and without limitation to format including electronic communications.
- To the extent that records exist between the employer and employee regarding a potential risk of exposure, without limitation to format including electronic communications, they shall be maintained by the employer for two years after the conclusion of the designation of a high-risk disease by the Commissioner of Health.
Oregon – Rules for the administration of the Oregon Safe Employment Act:
- Rule Addressing COVID-19 Workplace Risks – OR. ADMIN. R. 437-001-0744(3)(f)(A)
- All employers with more than 10 employees statewide and an existing HVAC system must certify in writing that they are operating that system in accordance with the rule, to the best of their knowledge. Although not required, such certifications can be made using the sample format provided by Oregon OSHA.
- The certification must be dated and must include the name of the individual making the certification; and
- Such certification records must be maintained as long as this rule is in effect.
To learn more about how to help your team manage privacy compliance, check out our eBook: Data Privacy for the Information Management Professional.