Privacy Resources

Table of Contents

Resources

There are many resources for professional development related to privacy issues. Please note that while we have included several Internet-based resources, their addresses may be subject to change.

  • Privacy Principles
    • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
    • CSA Model Code for the Protection of Personal Information
  • Canadian Legislation
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • Privacy Act
  • United States Legislation
    • Health Insurance Portability and Accountability Act (HIPAA)
  • Legislation, Codes and Standards
  • References
  • Canadian Privacy Overview
  • Privacy Impact Assessments
  • Organizations

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

The Organization for Economic Co-operation and Development (OECD) is composed of 30 member countries that share a commitment to democratic government and the market economy. Through its publications and statistics, the organization covers economic and social issues. The OECD produces internationally agreed instruments, decisions and recommendations to promote a common set of "rules" that foster multilateral agreement.

In September 1980, the OECD issued a set of guidelines designed to protect the privacy of personal information without interrupting the free flow of information between borders. These broad guidelines have become the baseline standard for privacy and data protection initiatives and have influenced most current international agreements, national laws, and self-regulatory policies. The guidelines are broken down into the following eight principles:

  1. Collection Limitation
    • There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
  2. Data Quality
    • Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
  3. Purpose Specification
    • The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
  4. Use Limitation
    • Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except with the consent of the data subject or by the authority of law.
  5. Security Safeguards
    • Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.
  6. Openness

    There should be a general policy of openness about developments, practices, and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

  7. Individual Participation

    An individual should have the right:

    • to confirmation of whether the data controller has data relating to the individual;
    • to have data relating to the individual communicated within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to the individual;
    • to be given reasons if a request is denied and to be able to challenge such denial; and
    • to challenge data relating to the individual and, if the challenge is successful, to have the data erased, rectified, completed or amended.
  8. Accountability

    A data controller should be accountable for complying with measures that give effect to the principles stated above.

CSA Model Code for the Protection of Personal Information

In 1996, the Canadian Standards Association (CSA) released its Model Code for the Protection of Personal Information. It was designed to add uniformity to Canada's "patchwork" of data protection policies and practices.

The code was developed in consensus with industry, government and business representatives, and it quickly became regarded as a de facto national standard. The code closely follows the principles set forth by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

The Model Code forms the foundation for the majority of Canadian privacy legislation that has subsequently been developed, including POPIA and PIPEDA. The Code establishes ten principles, or fair information practices, for organizations that collect and use personal information. These ten fair information practices are listed below.

Fair Information Practice

  1. Accountability. A public body is responsible for personal information under its control. The chief executive officer of a public body, and his or her designates, are accountable for the public body's compliance with the following principles.
  2. Identifying Purposes. The purposes for which personal information is collected shall be identified by the public body at or before the time the information is collected.
  3. Consent. The consent of the individual is required for the collection, use, or disclosure of personal information, except where inappropriate.
  4. Limiting Collection. The collection of personal information shall be limited to that which is necessary for the purposes identified by the public body. Information shall be collected by fair and lawful means.
  5. Limiting Use, Disclosure and Retention. Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or expressly authorized by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.
  6. Accuracy. Personal information shall be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
  7. Safeguards. Personal information shall be protected by safeguards appropriate to the sensitivity of the information.
  8. Openness. A public body shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
  9. Individual Access. Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information, except where inappropriate. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  10. Challenging Compliance. An individual shall be able to address a challenge concerning compliance with the above principles to the individual or individuals accountable for the public body's compliance.

Personal Information Protection and Electronic Documents Act (PIPEDA)

  • PIPEDA, known as Bill C-6 while in Parliament, became law on April 13, 2000.
  • Part One of the bill concerns the privacy of personal information.
  • PIPEDA applies to organizations (including associations, a person, trade unions) that collect, use or disclose personal information in the course of commercial activities.
  • Personal information is defined as any information that could be used in identifying a particular individual beyond his or her name, title, business address or telephone number as an employee of the organization.
  • A commercial activity has a broad definition that includes any transaction or act of a commercial character. This would include the selling or leasing of membership or other fundraising lists.
  • This privacy legislation will be implemented in three separate stages.
  • On January 1, 2001 the law applied to personal information (except personal health information) collected and used by "federal works", which are federally regulated organizations such as airlines, banks, and telecommunications companies.
  • Certain organizations, such as insurance companies and credit unions, are subject to some federal regulations but are considered to be within provincial jurisdiction under the Constitution and are not "federal works" for purposes of this Act.
  • At this stage, the Act also applies to disclosures of personal information for consideration across provincial or national borders. The information itself must be the subject of the transaction and the consideration is for the information. An example could be organizations that lease, sell or exchange mailing lists or other personal information.
  • Beginning January 1, 2002 the Act extends to personal health information for the organizations and activities that have been covered in the first stage.
  • Personal health information is defined as information about an individual's mental or physical health, including information concerning health services such as tests and examinations.
  • On January 1, 2004 the law extends to any organization that collects, uses or discloses personal information in the course of any commercial activity within a province.
  • In provinces with substantially similar privacy legislation, the organizations or activities covered by the provincial law will be exempted from PIPEDA privacy regulations within that province.
  • PIPEDA builds on previous privacy best practices. Much of PIPEDA is devoted to codifying the ten privacy principles already set forth in the 1996 Canadian Standards Association (CSA) Model Code for the Protection of Personal Information.
  • These ten principles relate to (1) accountability, (2) identifying purposes, (3) consent, (4) limiting collection, (5) limiting use, disclosure and retention, (6) accuracy, (7) safeguards, (8) openness, (9) individual access, and (10) challenging compliance.
  • All organizations are required to designate an official(s) to deal with privacy issues and will need to have policies and procedures in place relating to the collection, use and dissemination of information. These policies and practices must be made available to the public.
  • One of the most important principles, especially in the health care field, relates to consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information.
  • Organizations must identify the purpose for the information they are collecting and how it may be used and disclosed. Only the minimum amount of information necessary to fulfill the purpose required should be collected.
  • Employees who are collecting personal information should be able to explain to individuals the purpose for which the information is being collected.
  • If the information will be used for another purpose than originally identified, consent must be obtained again.
  • An authorized representative such as a legal guardian or a person that has power of attorney can give consent.
  • What a person has consented to must be clearly defined and can be in any form, such as an application form, check-off box or given orally.
  • There are exceptions, but generally consent can be withdrawn at any time.
  • Consent is not needed when an organization uses personal information solely for journalistic, artistic, literary or personal purposes, such as Christmas card lists.
  • Consent would not be needed to use or disclose personal information in certain security or criminal matters, such as warrants and subpoenas.
  • When determining if consent is needed, staff should consider the interest of the individual. Therefore, consent would not be needed if the information was already publicly available or if consent could not be obtained in a timely way.
  • Explicit consent is not required when the individual would reasonably expect their information to be collected, used or disclosed. For example, pharmacists can assume implicit consent when disclosing patient information to the prescribing physician for the purpose of delivering the service requested. However, they would have to obtain the explicit consent of patients to sell personal information to drug manufacturers for marketing purposes.
  • Service cannot be denied as a result of the person's failure to provide their consent for the use of their personal information.
  • Any previously collected information must be used in accordance with the new privacy laws (there is no grandfather clause).
  • Organizations must take reasonable measures to safeguard personal information. The measures taken must reflect the sensitivity of the information. Security measures could include locked cabinets, computer passwords, and ensuring only staff who need personal information have access to it.
  • Under PIPEDA, organizations must use contractual or other means to ensure that third parties with whom they share personal information provide a comparable level of protection.
  • Personal information can only be retained as long as it is needed to fulfill the purposes for which it was collected. After this time it must be made anonymous or destroyed.
  • With a written request an individual has the right to be informed of the existence, use and disclosure of his or her personal information and shall be given access to that information.
  • Organizations must help individuals who request assistance in preparing a written request for access to their information.
  • Individuals can challenge the accuracy and completeness of the information and have it amended as appropriate.
  • In some circumstances, requests for access to information can be denied. Examples would include information that contains references to other individuals, legal or security reasons, or cases where granting access to the information would be prohibitively costly.
  • Individuals who believe their personal information has been misused are required to contact the organization's designated privacy official.
  • If not satisfied with an organization's response, individuals can complain to the federal Privacy Commissioner. The Commissioner has the authority to audit an organization's privacy practices and has broad powers to summon witnesses and compel evidence in cases where voluntary cooperation is not forthcoming. If an organization has obstructed the Commissioner or his delegate, fines between $10,000 and $100,000 may be applied.
  • If an organization does not comply with the Commissioner's recommendations, the Federal Court may order the organization to correct its privacy practices. The Court can award damages to a complainant, including damages for humiliation. There is no ceiling on monetary damages that the Court may award.

The Privacy Act

  • The Privacy Act took effect on July 1, 1983 and applies to over 150 federal government departments and agencies.
  • Federal government records such as employment insurance files, tax records and military records are covered by the Act.
  • The Act places limits on the collection, use and disclosure of personal information. For example, the Act limits the collection of personal information to the minimum details needed to operate programs or activities; requires that individuals are informed why their information is being collected and how it will be used; and restricts the use of information to only those purposes specified, unless otherwise allowed by law.
  • Personal information is any factual or subjective information about an identifiable individual. This would include an individual's age, name, medical records, and evaluations (e.g. job performance evaluation).
  • Personal information is protected regardless of the form it is in, such as video and audiotape or information held "electronically".
  • Personal information does not include information that could be found through publicly available resources such as the telephone book.
  • The Act allows individuals the right to access and correct personal information about them held by the covered federal government departments and agencies.
  • The Privacy Commissioner of Canada is responsible for ensuring that the covered agencies and departments comply with the Privacy Act and individuals may make complaints to the Commissioner's office.
  • In his role as an ombudsman, the Commissioner attempts to resolve complaints through negotiation and mediation. However, the Commissioner has the power to summon witnesses, administer oaths and compel the production of evidence.

Health Insurance Portability and Accountability Act (HIPAA)

  • HIPAA was passed in 1996, motivated by a desire to make health insurance more affordable and accessible.
  • Title II of HIPAA includes a section called Administrative Simplification. This section includes provisions designed to save money for health care businesses by encouraging electronic transactions and at the same time requires new safeguards to protect the security and confidentiality of that information. Administrative Simplification specifically calls for the following standards:
    • Electronic transaction standards
    • Health information privacy (the "Privacy Rule")
    • Security requirements
    • Unique identifiers for employers, providers, health plans and individuals
    • Enforcement procedures
  • HIPAA gave Congress until August 21, 1999 to pass these Administrative Simplification provisions; when this did not happen, the law required the Department of Health and Human Services (DHHS) to craft these standards by regulation.
  • HIPAA covers all healthcare providers (e.g. doctors, hospitals and pharmacists) who electronically transmit health claims, health plans (e.g. traditional insurers and HMOs) and "clearinghouses" (those that process health claims information for providers and insurers). Those that contract with other "business associates" to perform some of their essential functions must also comply.
  • Those that must comply with HIPAA are called "covered entities".
  • For each set of standards, HHS first adopts proposed requirements for public comment; based on this feedback the requirements are revised and final regulations are issued.
  • Final regulations have been issued for electronic transaction standards and health information privacy (the "Privacy Rule").
  • DHHS issued final electronic transaction standards on August 17, 2000. Covered entities have until October 16, 2003 to comply with these standards.
  • All health care providers will be able to use the electronic format to bill for their services and all health plans will be required to accept these standard electronic claims, referral authorizations and other transactions.
  • The Privacy Rule was published on December 28, 2000 and compliance is required for the Privacy Rule on April 14, 2003 (small plans have until April 14, 2000).
  • HIPAA's Privacy Rule limits the use and release of personal health information and gives patients the right to access and amend their medical records.
  • The Privacy Rule provides the first comprehensive federal protection for the privacy of health information and establishes a federal floor of protection or safeguards. State laws that provide stronger protections will continue to apply over and above the new federal privacy standards.
  • The Privacy Rule is intended to do the following:
    • Limit the non-consensual use and release of private health information
    • Give patients the right to access their medical records and to know who else has access to them
    • Restrict most disclosures of health information to the minimum needed for the intended purpose
    • Establish new criminal and civil sanctions for improper use or disclosure
  • The Privacy Rule protects all medical records and other individually identifiable health information (health information that could be linked to a person) that is transmitted or maintained by a covered entity in any form, whether electronically, on paper, or orally. This information is called "protected health information" (PHI).
  • A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI).
  • Policies and procedures with respect to PHI must be designed to comply with the standards outlined in the Privacy Rule. These policies and procedures must be reasonably designed based on the size and type of activities the covered entity is engaged in.
  • These policies and procedures need to be available to the organization's patients in the form of a "notice".
  • A covered entity must obtain patient consent before using or disclosing their health care information. Patients must be given the covered entity's notice before consent is obtained.
  • Disclosures of health information must be restricted to the minimum needed for the intended purpose.
  • Patients must be able to see and get copies of their records, request amendments and see reports of what non-routine disclosures have been made. Generally, a non-routine disclosure is one that is for something other than treatment, payment or health care operations (TPO).
  • Covered entities must designate a Privacy Official, train their staff for HIPAA compliance and establish a complaints process.
  • The steps taken to comply with the Privacy Rule's requirements need to be documented, such as who the privacy officer is and the training that has been developed and implemented.
  • The Department of Health and Human Services (DHHS) Office of Civil Rights (OCR) will enforce HIPAA standards, including the Privacy Rule, and access rights for consumers under the rule.
  • Improper use or disclosure of PHI is subject to both criminal and civil sanctions. There is civil liability of $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.
  • Criminal penalties for knowingly violating patient privacy are as follows:
    • Up to a $50,000 fine and one (1) year in prison for obtaining or disclosing PHI
    • Up to a $100,000 fine and five (5) years in prison for obtaining PHI under false pretenses
    • Up to a $250,000 fine and ten (10) years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Legislation, Codes and Standards

American Society for Testing and Materials (ASTM)

COACH Guidelines for the Protection of Health Information

COACH: Canadian Organization for Advancement of Computers in Health

CSA Model Code for the Protection of Personal Information

Canadian Standards Association (CSA)

Text of the Code

European Union (EU) Directive on Data Protection

The European Union Online

Text of the Directive

U.S. Department of Commerce

Gramm-Leach-Bliley Act

The U.S. Federal Trade Commission website provides an extensive list of information and resources on the Gramm-Leach-Bliley Act.

Full text of the Act

Health Insurance Portability and Accountability Act (HIPAA)

US Department of Health and Human Services (HHS)

HHS Office of Civil Rights (OCR)

Full Text of the Privacy Rule

ISO 17799:2000 Code of Practice for Information Security Management

Standards Council of Canada

International Organization for Standardization

OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

Organization for Economic Co-operation and Development (OECD)

Personal Information Protection and Electronic Documents Act (PIPEDA)

Parliament of Canada

Office of the Privacy Commissioner of Canada

Privacy Act (Australia)

The Office of the Privacy Commissioner

Privacy Act (Canada)

Parliament of Canada

Office of the Privacy Commissioner of Canada

Text of the Privacy Act

Privacy Act (U.S.)

U.S. Department of Justice

Full text of the Act

Privacy of Personal Information Act (Ontario)
(consultation draft released on February 27, 2002)

"What's New" section of the Information and Privacy Commissioner of Ontario website

References

Barrados, Angie, Making Privacy Policies Work. Public Interest Advocacy Centre (PIAC), 2001.

Brandeis, Louis and Samuel Warren, "The Right to Privacy", 4 Harvard Law Review 193 (1890).

Cavoukian, Ann, and Don Tapscott, Who Knows: Safeguarding Your Privacy in a Networked World, Toronto: Random House, 1995.

  • This book explores how technology growth and the networked world have facilitated the collection and storage of personal information. The authors detail how societal and personal privacy has been compromised and the measures that can be taken to reverse this trend.

Federal Privacy Commissioner ruling on disclosure of physician information.

Freedom of Information in the Digital Age. The American Society of Newspaper Editors and the First Amendment Center, April 2001.

McInerney vs. MacDonald ruling - patient access

Privacy Impact Assessment Guidelines - Information and Privacy Office of Ontario

Surveying the Digital Future, UCLA Center for Communication Policy, 2000

Surviving the Privacy Revolution, Forrester Research, 2001.

Canadian Privacy Overview

Privacy Commissioner of Canada

  • The Privacy Commissioner of Canada, George Radwanski, is an Officer of Parliament who reports directly to the House of Commons and the Senate. The Commissioner is an advocate for the privacy rights of Canadians. This website has numerous privacy resources including information on privacy legislation, fact sheets and a "What's New" section.
  • Office of the Privacy Commissioner of Canada

Alberta

  • Freedom of Information and Protection of Privacy Act
  • Health Information Act

Information and Privacy Commissioner of Alberta
Phone: (780) 422-6860
Fax: (780) 422-5682
Email: ipcab@planet.eon.net
Website: Office of the Information and Privacy Commissioner Alberta

British Columbia

  • Freedom of Information and Protection of Privacy Act

Information and Privacy Commissioner of British Columbia
Phone: (250) 387-5629
Toll-free: 1 (800) 663-7867 (free within B.C.)
Fax: (250) 387-1696
Email: info@oipcbc.org
Website: Office of the Information and Privacy Commissioner

Manitoba

  • Freedom of Information and Protection of Privacy Act
  • Personal Health Information Act

Office of the Ombudsman
Phone: (204) 982-9130
Toll-free: 1 (800) 665-0531
Fax: (204) 942-7803
Email: ombusman@ombudsman.mb.ca
Website: Manitoba Ombudsman

New Brunswick

  • Protection of Personal Information Act

Ombudsman, Province of New Brunswick
Phone: (506) 453-2789
Toll-free: 1 (800) 561-4021 (free within N.B.)
Fax: (506) 457-7896
Email: nbombud@gov.nb.ca

Newfoundland

  • Freedom of Information Act
  • Privacy Act

Department of Justice of Newfoundland
Phone: (709) 729-2893
Fax: (709) 729-2129
Email: chrisc@mail.gov.nf.ca
Website: Department of Justice of Newfoundland

Northwest Territories

  • Access to Information and Protection of Privacy Act

Information and Privacy Commissioner of the Northwest Territories
5018, 47th Street
Yellowknife, Northwest Territories X1A 2N2
Phone: (867) 669-0976
Fax: (867) 920-2511
Email: atippcomm@theedge.ca

Nova Scotia

  • Freedom of Information and Protection of Privacy Act

Freedom of Information and Privacy Review Office
Phone: (902) 424-4684
Fax: (902) 424-8303
Email: uarb.dfardv@gov.ns.ca
Website: Freedom of Information and Protection of Privacy Review Office

Nunavut

  • Access to Information and Protection of Privacy Act

Information and Privacy Commissioner of Nunavut
Phone: (867) 669-0976
Fax: (867) 920-2511
Email: atippcomm@theedge.ca

Ontario

  • Freedom of Information and Protection of Privacy Act
  • Municipal Freedom of Information and Protection of Privacy Act
  • Privacy of Personal Information Act (Consultation Draft released Feb. 27, 2002)

Information and Privacy Commissioner of Ontario
Phone: (416) 326-3333
Toll-free: 1 (800) 387-0073 (free within Ontario)
Fax: (416) 325-9195
Email: info@ipc.on.ca
Website: Information and Privacy Commissioner of Ontario

Prince Edward Island

  • Freedom of Information and Protection of Privacy Act (Effective November 2002)
  • Freedom of Information/Protection of Privacy Implementation

Phone: (902) 569-0567
Fax: (902) 569-7632
Email: slwood@gov.pe.ca
Website: Freedom of Information and Protection of Privacy Act

Québec

  • Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information
  • Act Respecting the Protection of Personal Information in the Private Sector

La Commission d'accès à l'information du Québec
Phone: (418) 528-7741
Fax: (418) 529-3102
Toll-free: 1 (888) 528-7741 (free within Québec)
Email: Cai.Communications@cai.gouv.qc.ca
Website: Accès à l'information du Québec

Saskatchewan

  • Freedom of Information and Protection of Privacy Act
  • Local Freedom of Information and Protection of Privacy Act
  • Health Information Protection Act (delayed to allow time for trustees to prepare for compliance)

Information, Privacy and Conflict of Interest Commissioner of Saskatchewan
Phone: (306) 522-3030
Fax: (306) 522-3555
Email: grj@gerrandrj.com
Website: Legislative Assembly

Yukon

  • Access to Information and Protection of Privacy Act

Ombudsman and Information and Privacy Commissioner of the Yukon
Phone: (867) 667-8468
Fax: (867) 667-8469
Email: email.ombudsman@ombudsman.vk.ca
Website: Yukon Ombudsman and Information and Privacy Commissioner

Privacy Impact Assessments

Treasury Board of Canada Secretariat

Information and Privacy Commissioner for Alberta

Information and Privacy Commissioner of British Columbia

Information and Privacy Commissioner of Ontario
(MBS Guidelines)

Organizations

Canadian Consumer Information

  • A Canadian government sponsored website with extensive information for consumers, including issues regarding privacy and security.
  • Consumer Information

Canadian Institute for Health Information (CIHI)

Canadian Organization for Advancement of Computers in Health (COACH)

  • Canada's Health Informatics Association promotes understanding and effective utilization of information technologies in the Canadian Healthcare environment.
  • Canada's Health Informatics Association

Center for Democracy & Technology

  • This organization works to promote democratic values and constitutional liberties in the digital age. The site has a resource library, privacy guide and overviews of privacy legislation.
  • Center for Democracy & Technology

Electronic Privacy Information Center

  • A public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.
  • Electronic Privacy Information Center

Office of Health and the Information Highway (OHIH)

  • The Office was created by Health Canada to serve a key role in matters related to the use of information and communications technologies (ICTs) in the health sector. In this capacity OHIH coordinates, facilitates and manages health infostructure-related activities.

Online Privacy Alliance

  • The Online Privacy Alliance is a cross-industry coalition of companies and associations committed to promoting the privacy of individuals online and respect for consumer privacy. The website contains information regarding consumer privacy.
  • Online Privacy Alliance

Privacy.Org

  • Privacy.Org contains daily news, information, and initiatives on privacy. This web page is a joint project of the Electronic Privacy Information Center (EPIC) and Privacy International.
  • Privacy.Org

Privacy Exchange

  • A global information resource focusing on data protection as it relates to consumers and commerce. Extensive information on privacy across the world can be found here.
  • Privacy Exchange

Privacy International (PI)

  • PI is a human rights group formed in 1990 as a watchdog on surveillance by governments and corporations. PI is based in London, England, and has an office in Washington, D.C. PI has conducted campaigns throughout the world on privacy issues and its website contains numerous resources, including privacy reports.
  • Privacy International

Privacy Law

  • A website with extensive resources on all major privacy laws. The website has a US focus but also has international resources.
  • Privacy Law

Privacy Rights Clearinghouse

  • A non-profit consumer education, research, and advocacy program whose website resources are aimed at educating the public on privacy protection.
  • Privacy Rights Clearinghouse