Privacy and Public Access - PowerPoint PPT Presentation

Slides: 35
Provided by: dinotsi

Transcript and Presenter's Notes

1
Privacy and Public Access
  • Wednesday, October 6, 2004
  • Dino Tsibouris
  • dino.tsibouris_at_mt-law.com
  • (614) 228-9707

2

3
  • October 22, 2003
  • A Tough Lesson on Medical Privacy
  • BY DAVID LAZARUS
  • "Your patient records are out in the open... so
    you better track that person and make him pay my
    dues."
  • A woman in Pakistan doing cut-rate clerical work
    for UCSF Medical Center threatened to post
    patients' confidential files on the Internet
    unless she was paid more money.
  • The violation of medical privacy - apparently
    the first of its kind - highlights the danger of
    "offshoring" work that involves sensitive
    materials.

4
  • Why Have a Privacy Policy?
  • The Federal Trade Commission (FTC) permits
    companies to use information obtained from
    consumers to the extent they adequately disclose
    their practices.
  • FTC is particularly concerned with preventing
    unfair or deceptive acts or practices in or
    affecting commerce.

5
  • Why Have a Privacy Policy?
  • The FTC Proposed Legislation.
  • Notice: Required clear and conspicuous notice
    of the company's information practices
  • Choice: Required that consumers be permitted to
    choose how their personal identifying information
    is used beyond the use for which the information
    was provided
  • Access: Required companies to provide consumers
    reasonable access to the information the website
    collected about them, including a reasonable
    opportunity to review information and to correct
    inaccuracies or delete information
  • Security: Required companies to take reasonable
    steps to protect the security of the information
    they collect from consumers.

6
  • Why Have a Privacy Policy?
  • Industry Proposes Self-Regulation.
  • The Online Privacy Alliance
  • AOL Time Warner; Apple Computer; AT&T; Boeing;
    Compaq; Dell; DoubleClick Inc.; EarthLink, Inc.;
    eBay, Inc.; EDS; Equifax; Ernst and Young;
    Experian; Guardent; IBM; Intuit; Keylime
    Software, Inc.; Microsoft; PricewaterhouseCoopers;
    Reed Elsevier; SAS Institute Inc.; Sun
    Microsystems; Verizon Communications;
    WebSideStory, Inc.; WorldCom; Yahoo!; American
    Advertising Federation; American Institute of
    Certified Public Accountants; Association for
    Competitive Technology; Business Software
    Alliance; Association of National Advertisers;
    American Association of Advertising Agencies;
    Center for Information Policy Leadership;
    Electronic Retailing Association; Information
    Technology Association of America; Interactive
    Digital Software Association; Internet Alliance;
    Motion Picture Association of America; Software &
    Information Industry Association; The United
    States Chamber of Commerce; The United States
    Council for International Business.

7
  • Why Have a Privacy Policy?
  • Industry Proposes Self-Regulation.
  • Adoption and Implementation of a Privacy Policy
  • Notice and Disclosure
  • Choice/Consent
  • Data Security
  • Data Quality and Access

8
  • Privacy Expectations in the Public Sector
  • Citizens expect privacy of information collected
    online
  • 57% of people surveyed would sacrifice some
    online privacy to assist law enforcement (Council
    for Excellence in Govt, Nov. 2001).

9

10
  • Privacy Expectations in the Public Sector
  • Oregon Department of Transportation Website
  • Personal Information and Nondisclosure: Most
    information collected by state government is
    assumed to be open to the public unless
    specifically exempted. ORS Chapter 192 contains
    the Oregon Public Records Law. Under this law,
    individuals are permitted to request that public
    officials not disclose a public record that
    contains their home address and telephone number
    under certain circumstances. ORS 192.445
    specifies how to request non-disclosure.
  • http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml

11
  • Privacy Expectations in the Public Sector
  • Oregon Department of Transportation Website
  • Public Disclosure: All information collected at
    this site becomes a public record unless an
    exemption in law exists. ORS Chapter 192 contains
    the Oregon Public Records Law.
  • In the State of Oregon, laws exist to ensure that
    government is open and that the public has a
    right to access appropriate records and
    information possessed by state government. At the
    same time, there are exceptions to the public's
    right to access public records that serve various
    needs including the privacy of individuals. Both
    state and federal laws provide exceptions.
  • http://www.oregon.gov/ODOT/CS/ODOTEGOV/PrivacyandInformationDisclosureNotice.shtml

12
  • Privacy Expectations in the Public Sector
  • Third party service providers and gateways
  • ASP
  • Payment providers

13
  • Privacy Expectations in the Public Sector
  • NYC.gov Third Party Links
  • NYC.gov provides links to, and may be linked
    from, local, State and federal government
    agencies, and from, or to, other websites. The
    existence and/or provision of those links neither
    constitutes nor implies endorsement of the
    destination or departure website(s) or of the
    content, viewpoint, accuracy, opinions,
    policy(ies), product(s), accessibility or privacy
    policy of said destination or departure
    website(s). Nor does any link between NYC.gov and
    a third-party website imply sponsorship of such
    website, or the creator of such website.

14
  • Privacy Expectations in the Public Sector
  • NYC.gov Third Party Links
  • Some content on portions of NYC.gov resides on
    servers run by third parties. Each agency
    providing content for NYC.gov is bound by
    NYC.gov's privacy policy. Any agency using a
    third-party host, ISP, ASP or other combination
    of third-party transport, storage, content or
    application provision services shall be
    responsible for such third party's compliance
    with NYC.gov's privacy policy.

15
  • Gramm-Leach-Bliley Act (1999)
  • Financial Institutions
  • Banks
  • Credit Unions
  • Brokers
  • State Schools that make student loans

16
  • Gramm-Leach-Bliley Act (1999)
  • Privacy
  • Regulates collection and sharing of nonpublic
    personal information
  • Consumers vs. customers
  • FI cannot share PI with an unrelated company
    unless it first provides a notice allowing the
    individual to opt-out of sharing

17
  • Gramm-Leach-Bliley Act (1999)
  • Privacy
  • Senior level policy required
  • Privacy executive or committee
  • Different from FCRA (credit reporting)

18
  • Gramm-Leach-Bliley Act (1999)
  • Privacy
  • Exemptions
  • Agents
  • Service providers
  • PI used to enforce a transaction
  • Consent

19
  • Gramm-Leach-Bliley Act (1999)
  • Security
  • Must use reasonable security measures
  • Regulations governing technical measures
  • Must limit access to necessary employees
  • Agents must promise to keep information secure
    and confidential

20
  • Gramm-Leach-Bliley Act (1999)
  • Considerations from Banking
  • OCC Advisory Opinion AL 2004-09
  • E-sign merely creates records
  • Only a starting point
  • Litigation rules - Admissibility
  • Audit requirements - COBIT
  • Regulatory compliance

21
  • Health Insurance Portability and Accountability
    Act of 1996
  • Standards for electronic exchange of health
    information
  • Rules to protect privacy of health information
  • Rules to protect against threats, hazards or
    unauthorized access to health information

22
  • HIPAA
  • Protected Health Information (PHI)
  • Individually Identifiable Health Information
  • Electronic, paper, oral
  • Created or received by a health care provider,
    health plan, employer or health care
    clearinghouse

23
  • HIPAA
  • Individually Identifiable Health Information
  • Related to an individual, the provision of health
    care to an individual, or payment for health care
  • and that identifies the individual

24
  • HIPAA
  • Patient Rights
  • Request restrictions on uses and disclosures of
    health information
  • Obtain documentation of disclosures
  • Inspect and copy health information
  • Request amendment of health information
  • File a complaint of non-compliance

25
  • HIPAA
  • Provide written notice of privacy policy
  • Explain uses and disclosures of health
    information and give examples
  • Describe the individual's rights
  • Make a good faith effort to obtain a written
    acknowledgment of the patient's receipt of the
    notice at the time of first service delivery

26
  • HIPAA
  • Must designate a privacy official
  • Must establish privacy and security policies
  • Must train all personnel that may contact PHI
  • Must ensure staff informed when policy is changed
  • Must have a process to resolve complaints

27
  • HIPAA
  • Must adopt written security procedures
  • Maintain reasonable and appropriate
    administrative, technical, and physical
    safeguards

28
  • HIPAA
  • NYC.Gov
  • Health Care Information: Any agency providing
    personally identifiable health care information
    via NYC.gov will be required to certify that its
    health care data handling and security procedures
    are compliant with the Health Insurance
    Portability and Accountability Act of 1996
    ("HIPAA"). If such data and security services are
    provided to such agency(ies) by a third-party
    provider, the agency(ies) shall be responsible
    for such third party's compliance with HIPAA.
  • http://www.nyc.gov/portal/index.jsp?epi_menuItemID=b52b1c491d03e607a62fa24601c789a0&epi_menuID=27579af732d48f86a62fa24601c789a0&epi_baseMenuID=27579af732d48f86a62fa24601c789a0

29
  • State Law
  • Online access to court and civil records
  • Privacy becomes personal
  • Identity theft

30
  • Florida
  • Online access to court records
  • Triggered backlash of concern over privacy rights
    and ID theft
  • Civil and criminal documents banned from online
    posting until Supreme Court committee review
  • Probably will not happen for July, 2005

31
  • Florida
  • Proposals
  • Changing the amount of information collected
  • Barring access online
  • Assigning users unique ID numbers
  • Imposing a waiting period for access to court
    information

32
  • Florida
  • Driver Privacy Protection Act (DPPA)
  • Limits public access to social security numbers,
    driver license or identification card numbers,
    names, addresses, telephone numbers, and medical
    or disability information contained in motor
    vehicle and driver license records.
  • Personal information protected under DPPA does
    not include "vehicular crashes, driving
    violations, and driver's status."

33
  • Florida
  • Driver Privacy Protection Act (DPPA) permits
    access for
  • Auto manufacturers conducting a recall of parts
    or vehicles
  • Government agencies or credentialed private
    investigators
  • A legitimate business verifying information for
    employment
  • Insurance agencies
  • Towing companies
  • Companies obtaining information about their
    drivers
  • A person or agency with written permission

34
  • California
  • California Online Privacy Protection Act
  • Applies to website operators that collect
    personal information from California residents
  • Requires the web site operator to conspicuously
    post a privacy policy
  • Policy must describe method of collection and use
    of information
  • Must provide method to correct information on file