The US Safe Harbor - Fact or Fiction? (2008)
5.6. Participation in privacy programs
The self-certification form asks organisations to ‘List any privacy programs in which your organization is a member for Safe Harbor purposes’. This is followed by a box where free text can be entered.
The exact purpose of this part of the self-certification is not clear. There is no requirement to join a privacy program. However, if text is entered here then it is important that the information is accurate. Care needs to be taken not to raise expectations that the ‘privacy programs’ play any formal role in the Safe Harbor arrangements (there is another box later in the form covering dispute resolution providers – who do play a formal role in the Safe Harbor).
Common entries in this section are TRUSTe (176), BBB (93) and DMA (67).
A range of additional organisations are listed as ‘privacy programs in which your organization is a member for Safe Harbor purposes’. However, none of these appear to be programs that cover privacy issues relevant to the Safe Harbor. Some entries are irrelevant or difficult to explain. Many entries appear to confuse privacy compliance with security compliance – and these entries generally indicate a lack of understanding about the Safe Harbor program. Entries include:
| Privacy Program | Comments |
|---|---|
| American Arbitration Association | No relevant privacy program |
| American Society for Industrial Security (ASIS) | No relevant privacy program |
| Center for Internet Security | No relevant privacy program |
| Comodo | Comodo is a firewall provider |
| European Privacy Officers Network | No relevant privacy program |
| Gramm-Leach-Bliley Act (GLBA) | GLBA is federal legislation |
| HIPAA | HIPAA is federal legislation |
| International Association of Privacy Professionals | No relevant privacy program |
| International Security Forum | No relevant privacy program |
| ISO 9001 | Not relevant |
| Privacy Alliance | Inactive |
| Statement on Auditing Standards No. 70: Service Organizations (SAS 70) | Not relevant |
| Tulsa Metro Chamber of Commerce | No relevant privacy program |
| US Council for International Business (USCIB) | No relevant privacy program |
| Equifax | ? |