International privacy laws that affect information security

Although U.S. privacy laws, such as California's breach-notification statute SB 1386, are becoming more prevalent, some international privacy legislation is more stringent. Two such laws are the European Directive on the Protection of Personal Data and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). Both matter to security engineers because they attach legal obligations to how personal data is stored, protected, and moved across borders.

European Directive on the Protection of Personal Data

In October 1995, the European Union adopted Directive 95/46/EC, commonly called the European Directive on the Protection of Personal Data. The directive sets minimum protection requirements for personal data that every EU member state must implement in its own national law. It also prohibits transfers of personal data to countries outside the EU that do not ensure an "adequate" level of protection; the United States as a whole was not deemed adequate, so transfers to U.S. organizations had to rely on separate arrangements such as the Safe Harbor framework. As with many laws that govern information privacy, the directive requires entities that collect, transmit, process, or disclose personal information to use appropriate technical and organizational measures to protect it. Some of the other directive requirements include

- Notification of individuals about the purposes for which their information is collected

- Opt-out provisions regarding third-party disclosure or use beyond the original purpose

- The right of individuals to correct, alter, or delete information pertaining to them that is inaccurate

- Confinement of stored information to that which is relevant to the stated purpose

Canadian Personal Information Protection and Electronic Documents Act

Canada's national private-sector privacy law, commonly referred to as PIPEDA, the Personal Information Protection and Electronic Documents Act, received royal assent in 2000 and was phased in until it applied to all commercial activity in Canada on January 1, 2004. Schedule 1 of the act sets out ten fair information principles that govern the collection, use, and disclosure of personal information:

- Accountability: an organization is responsible for the personal information under its control and must designate someone accountable for compliance.

- Identifying purposes: an organization must identify the purposes for which personal information is collected, at or before the time of collection.

- Consent: an organization must obtain the knowledge and consent of the individual for the collection, use, or disclosure of personal information, except where inappropriate.

- Limiting collection: collection must be limited to what is necessary for the identified purposes, and must be done by fair and lawful means.

- Limiting use, disclosure, and retention: personal information must not be used or disclosed for purposes other than those for which it was collected, except with consent or as required by law, and must be retained only as long as necessary.

- Accuracy: personal information must be as accurate, complete, and up to date as is necessary for the purposes for which it is used.

- Safeguards: personal information must be protected by security safeguards appropriate to its sensitivity.

- Openness: an organization must make its policies and practices for managing personal information readily available.

- Individual access: on request, an individual must be told of the existence, use, and disclosure of his or her personal information, be given access to it, and be able to challenge its accuracy.

- Challenging compliance: an individual must be able to challenge an organization's compliance with these principles through the designated accountable person.

Source: Chris Davis, Mike Schiller, and Kevin Wheeler, IT Auditing: Using Controls to Protect Information Assets, McGraw-Hill, 2007.
