<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; CIPP</title> <atom:link href="http://www.cippguide.org/tag/cipp/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Fri, 10 Feb 2012 18:49:42 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>***NEW*** Case Studies now available in the Gold Subscribers section</title><link>https://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/</link> <comments>https://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/#comments</comments> <pubDate>Wed, 21 Jul 2010 12:00:56 +0000</pubDate> <dc:creator>System Admin</dc:creator> <category><![CDATA[Site]]></category> <category><![CDATA[Case Studies]]></category> <category><![CDATA[CIPP]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[CIPP/IT]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=2193</guid> <description><![CDATA[We're constantly trying to improve our service offerings.  In that vein, we just added the first set of case studies to the site.  Gold subscribers may find them under the Premium Services Tab.
Subscription options may be found under the subscribe [...]]]></description> <content:encoded><![CDATA[<p>We&#8217;re constantly trying to improve our service offerings.  In that vein, we just added the first set of case studies to the site.  Gold subscribers may find them under the Premium Services Tab.<br
/> Subscription options may be found under the subscribe tab or <a
title="Subscription Page" href="http://www.cippguide.org/subscribe/" target="_self">here</a>.</p> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/21/case-studies-now-available-in-the-gold-subscribers-section/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Privacy Impact Assessments</title><link>https://www.cippguide.org/2010/07/06/privacy-impact-assessments/</link> <comments>https://www.cippguide.org/2010/07/06/privacy-impact-assessments/#comments</comments> <pubDate>Tue, 06 Jul 2010 12:00:42 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[audit]]></category> <category><![CDATA[CIPP/C]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Fair Information Principles]]></category> <category><![CDATA[Office of the Privacy Commissioner]]></category> <category><![CDATA[OPC]]></category> <category><![CDATA[PIA]]></category><guid
isPermaLink="false">http://www.cippguide.com/?p=1935</guid> <description><![CDATA[Canadian Privacy Impact Assessments (PIAs) identify potential privacy threats that exist in new or revamped federal government programs or services. The objective of the assessment is to eliminate or reduce privacy or security threats. All federal departments, agencies and institutions are obliged to conduct PIAs for any programs or services that may raise privacy concerns. As part of the process, the department must examine and assess the procedures for protection of personal information throughout the program’s lifecycle (i.e. collection, storage, usage, disclosure and [...]]]></description> <content:encoded><![CDATA[<p>Canadian <a
href="http://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/">Privacy Impact Assessments</a> (PIAs) identify potential privacy threats that exist in new or revamped federal government programs or services. The objective of the assessment is to eliminate or reduce privacy or security threats. All federal departments, agencies and institutions are obliged to conduct PIAs for any programs or services that may raise privacy concerns. As part of the process, the department must examine and assess the procedures for protection of personal information throughout the program’s lifecycle (i.e. collection, storage, usage, disclosure and destruction).</p><h2>When to do a PIA?</h2><p>Each government department or agency is responsible for conducting the PIA. The procedure is carried out by an appointed assessment team, which includes experts in legal services, privacy, access to information and information technology. A preliminary PIA may be carried out to determine whether or not a full PIA is necessary. The preliminary PIA may find that there are minimal or no privacy risks, in which case a full PIA does not need to be completed.</p><p>The following criteria may help to identify situations in which a PIA is necessary:</p><ul><li>If a new program or service is being designed.</li><li>If an existing program or service is undergoing significant changes.</li><li>If a conventional service delivery mode is being converted to an electronic mode.</li><li>If the program involves the collection, use or disclosure of personal information (e.g. 
name, address, age, education/medical/employment history, etc.).</li><li>If the program is changing from informed consent to indirect collection of personal or sensitive information.</li><li>If the program requires the collection of personal information from other programs within the institution, other institutions, other governments or organizations in the private sector.</li><li>If the program will be used in decision-making processes (e.g. eligibility for programs/services).</li><li>If the personal information will be used for research or statistical purposes.</li><li>If the SIN (social insurance number) will be used without any legislative authority.</li><li>If the public might have privacy concerns regarding the program/service.</li><li>If there will be physical or logical separation of personal information.</li><li>If the infrastructure architecture will affect the security mechanisms used to manage or control access to personal information.</li></ul><h2>Objectives &amp; Goals</h2><p>The purpose of a PIA is to establish that privacy principles and legislation are embedded within a new program or service and adhered to throughout its lifecycle. The main goal of a PIA is to effectively communicate any privacy risks that cannot be addressed in any other way. Senior management depends on PIAs to make fully informed decisions regarding policy, system design and procurement. 
Other goals of PIAs include:</p><ul><li>Build citizens’ trust and confidence.</li><li>Promote awareness and understanding of privacy issues.</li><li>Ensure privacy is a central consideration in the initial design of a project’s objects and activities.</li><li>Identify accountability for privacy concerns.</li><li>Reduce risks of program termination due to privacy requirements.</li><li>Provide decision-makers with necessary information, understanding of privacy threats and a means for mitigating those threats.</li><li>Establish basic documentation regarding business processes and flow of personal information throughout the department.</li></ul><p>Ten privacy principles (the <a
href="http://www.cippguide.org/2010/01/18/fair-information-practices-principles/?action=lostpassword&amp;instance=tml-1">Fair Information Principles</a>) regulate the PIA process:</p><ol><li>Accountability: Is there someone in the department who oversees privacy policies and practices?</li><li>Identifying Purposes: Is the public informed of the reasons for collection of personal information?</li><li>Consent: Does the individual give consent to the collection, use and disclosure of his/her personal information?</li><li>Limiting Collection: Is the information collected absolutely required?</li><li>Limiting Use, Disclosure &amp; Retention: Is the personal information used or disclosed for the identified purposes? If information is used for other purposes, does the department secure consent? Is the information disposed of when it is no longer necessary?</li><li>Accuracy: Does the department ensure that inaccurate personal information is not used or disclosed?</li><li>Safeguards: Does the department protect personal information from loss, theft, unauthorized access, disclosure, copying, use or modification?</li><li>Openness: Are privacy policies readily available to the public?</li><li>Individual Access: Can individuals see any of their personal information? Can they challenge the accuracy of their personal information and demand that it be corrected?</li><li>Challenging Compliance: Can individuals challenge the privacy practices of the department?</li></ol><h2>PIA Process</h2><p>The PIA is done as part of a cooperative process, tailored for the operations of a specific department or application. It is made up of four core components:</p><ol><li>Project initiation: In this step, the scope of the PIA process is defined. Team resources are designated. The required PIA tools are adopted.</li><li>Data flow analysis: In this step, the proposed business processes are described. Clusters of personal information are identified in the business processes. 
Detailed data flowcharts showing the path of personal information are also developed.</li><li>Privacy analysis: This involves either a federal program questionnaire, or a cross-jurisdictional questionnaire. The questionnaire responses are discussed and further details are gathered. The privacy issues and implications are described.</li><li>Privacy impact analysis report: In this step, privacy risks are summarized. The degree of risk is identified. Any options to mitigate risks are discussed and established.</li></ol><p>The result of the PIA process should be a documented evaluation of privacy threats, implications and response strategies. A PIA report should be an effective communication tool for stakeholders. As a result of the process, the assessment team may find one or more of the following common privacy risks:</p><p>Data Profiling/Matching</p><ul><li>This refers to the combination of unrelated personal information that may be obtained from a number of different sources.</li><li>The personal information is used to create new information about the individual.</li><li>For example, a person’s preferences and habits are combined to develop a profile.</li></ul><p>Identification of Individuals</p><ul><li>This is especially common for services that are delivered electronically.</li><li>Identification and authentication is one way to manage security risks. 
However, there may be surveillance threats if common identifiers or identification systems can facilitate data sharing, monitoring or profiling.</li></ul><p>Transaction Monitoring</p><ul><li>This involves the observation or tracking of an individual’s interaction history.</li><li>The result is new personal information that reflects the individual’s overall experience.</li></ul><p>Lack of/Doubtful Legal Authority</p><ul><li>This involves the failure to identify the program authority to collect, use or disclose personal information.</li><li>This may be a violation of privacy legislation as well as the Charter of Rights and Freedoms.</li></ul><p>Physical Observation of Individuals</p><ul><li>This refers to tracking the movement/location of individuals.</li><li>This may involve vehicle transponders, satellite locators, cameras or other recording mechanisms.</li></ul><p>Publishing/Redistribution of Personal Information Databases</p><ul><li>This is often done through electronic publishing, which facilitates the misuse of information.</li><li>Electronic publications can easily be manipulated and used for unauthorized purposes.</li></ul><h2>The Role of the OPC</h2><p>During the PIA process, the <a
href="http://www.cippguide.com/2010/06/03/privacy-commissioner-of-canada/">OPC</a> (Office of the Privacy Commissioner) may consult with departments to ensure that all privacy issues are understood, as well as to offer advice and suggestions regarding potential privacy threats and solutions. The OPC receives the final PIA reports before any new programs or services are implemented. During review, the OPC may offer comments and recommendations to the department. These are not binding; the decision to implement the OPC’s recommendations is solely that of the department.</p><p>The completion of PIAs is required under <a
href="http://www.tbs-sct.gc.ca/tbs-sct/index-eng.asp">Treasury Board Secretariat</a> policy. The OPC hopes to have the PIA process covered under federal legislation, as part of the <a
href="http://www.cippguide.com/2010/06/08/canadian-privacy-act-2/">Privacy Act</a> reform. In doing so, the PIA process would be greatly reinforced. The OPC believes that the Privacy Act should provide a set of principles underlying a curriculum for PIA specialists, which currently does not exist. The OPC would also like the PIA process to be obligatory, not only for new or modified programs, but as a required component of annual reports and department performance reports.</p><h3>Summary</h3><p>This article explores PIAs (Privacy Impact Assessments), which ensure that privacy policies and legislation are adhered to at all stages of a program/service. In Canada, PIAs must be completed for new or modified federal government programs or services. The article examines the key components, goals and objectives of PIAs as well as the role of the OPC (Office of the Privacy Commissioner) in developing, responding to and modifying PIAs.</p><h3>CIPP/C Preparation</h3><p>In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Canadian government structure (I.A.a.)</li><li>Privacy Impact Assessments (IV.B.a.i.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/07/06/privacy-impact-assessments/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>COPPA: The Children&#039;s Online Privacy Protection Act</title><link>https://www.cippguide.org/2010/01/11/coppa-the-childrens-online-privacy-protection-act/</link> <comments>https://www.cippguide.org/2010/01/11/coppa-the-childrens-online-privacy-protection-act/#comments</comments> <pubDate>Mon, 11 Jan 2010 12:00:34 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Attorney General]]></category> 
<category><![CDATA[COPPA]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Parental Consent]]></category> <category><![CDATA[privacy policy]]></category> <category><![CDATA[Safe Harbor]]></category> <category><![CDATA[SEC.1305]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1190</guid> <description><![CDATA[The Children’s Online Privacy Protection Act was passed in 1998 by the FTC to protect the personal information of children. It specifically applies to websites that target children and provides guidelines for the collection, use and disclosure of personally identifiable information of children under the age of 13 who may not understand the dangers of disclosing personal information on the [...]]]></description> <content:encoded><![CDATA[<p>The Children’s Online Privacy Protection Act was passed in 1998 by the FTC to protect the personal information of children. It specifically applies to websites that target children and provides guidelines for the collection, use and disclosure of personally identifiable information of children under the age of 13 who may not understand the dangers of disclosing personal information on the Internet.</p><p><a
href="http://www.ftc.gov/privacy/privacyinitiatives/childrens.html">A website operator must be concerned with COPPA compliance if:</a></p><ul><li>The website targets children under the age of 13 through its subject matter, audio/visual content, advertising or use of other child-oriented features.</li><li>The website targets a general audience but has a separate child-oriented section.</li><li>The website targets a general audience and children under the age of 13 are known to access the site.</li><li>The website is maintained outside the U.S. but targets children under the age of 13 in the U.S.</li><li>The website is operated by the Federal Government. Under the Office of Management and Budget, <a
href="http://www.whitehouse.gov/omb/memoranda_m00-13/">the U.S. Federal Government is required to comply with COPPA</a> on all of its websites targeting children.</li></ul><p><a
href="http://www.coppa.org/comply.htm">COPPA Compliance</a></p><p>COPPA primarily uses the fair information practice principles of Notice and <a
href="../../../../../2009/12/21/choice-and-consent/">Consent</a> to protect children’s information.</p><p>In order to comply with COPPA, a website operator must:</p><ol><li>Provide parents with information about the website’s information collection and privacy practices. A privacy policy must be placed on the home page and on every page where data is collected in order to ensure adequate notice.</li><li>Obtain verifiable parental consent prior to collecting personal information.</li><li>Provide parents with a mechanism to access the information on record for their child and the ability to change consent options for future or third-party use and disclosure.</li><li>Not limit participation on the website by requiring the collection of information that is not reasonably necessary.</li></ol><p>A COPPA-compliant privacy notice must include:</p><ol><li>Legitimate contact information for the website operator/data owner</li><li>The type of information that is collected</li><li>How the information will be used</li><li>Notice of any third-party disclosure</li></ol><p><a
href="http://www.ftc.gov/privacy/coppafaqs.shtm">Verifiable Parental Consent:</a></p><p>Depending on the information that is being collected and its intended use, different levels of parental consent must be obtained.</p><p><span
style="text-decoration: underline;"><a
href="http://www.coppa.org/comply.htm">Prior parental consent is not required to collect a child’s <em>name and email address only</em> if:</a></span></p><ul><li>The information is obtained in order to provide notice to the parent or obtain parental consent</li><li>The information is collected to respond once to a specific inquiry by the child and not used for further communications</li><li>The information is used to ensure the safety of a child and is not used for any other purposes</li><li>The information is used to protect the security of the website, protect against liability, participate in a law enforcement investigation or any other matters relating to public safety</li></ul><p>In all cases, parental consent should be obtained shortly after the information is collected. If parental consent cannot be obtained, the information may not be used for purposes other than those outlined above and the information must be deleted (with exceptions for ensuring the safety of the child).</p><p><span
style="text-decoration: underline;"><a
href="http://www.coppa.org/comply.htm">Parental Consent for Public Disclosure</a></span></p><p>If the website publicly links a child’s name or email address with their screen name in chat rooms, message boards, personal home pages, pen pal services or other similar social networking features, it must obtain verifiable parental consent for public disclosure. This also applies to sites which may disclose personal information to third parties for secondary uses and marketing purposes.</p><p>Consent options include:</p><ul><li>A printable form that can be signed, then mailed or faxed back to the website operator</li><li>A parent’s credit card information, obtained in connection with a transaction which may include subscription fees, purchases or a credit card processing fee</li><li>A toll-free line staffed by professionals which parents may call to provide verbal consent</li><li>Consent obtained through an email that contains a digital signature using a public key that has been verified by one of the above methods</li></ul><p><span
style="text-decoration: underline;"><a
href="http://www.coppa.org/comply.htm">Parental Consent for Internal Use</a></span></p><p>If the website does not publicly disclose the child’s information, either through disclosure to third parties or through the posting of information to chat rooms, message boards or similar features, then the information will only be used within the site to contact the child.</p><p>Consent options include:</p><ul><li>Any of the methods used for public disclosure</li><li>The Email Plus option, in which:<ul><li>An initial email is sent containing the privacy notice and asking the parent to respond with a phone, fax or mailing address to confirm consent through one of those methods; or</li><li>After a reasonable length of time has passed, a second email is sent asking the parent to confirm consent. The privacy notice should again be included. This email informs the parent that their consent is implicit through their lack of response. The email should provide the parent with information on how to revoke their consent.</li></ul></li></ul><p><a
href="http://www.ftc.gov/privacy/privacyinitiatives/childrens_enf.html">Enforcement of COPPA</a></p><p>COPPA is enforced by the Federal Trade Commission and through a state’s Attorney General’s Office under SEC. 1305. COPPA allows for the creation of Safe Harbor programs, which encourage industry self-regulation.</p><p>There are several <a
href="../../../../../2009/12/28/online-assurance-programs/">online assurance programs</a> that offer a COPPA compliant Safe Harbor Program including:</p><ul><li><a
href="http://www.truste.com/privacy_seals_and_services/enterprise_privacy/childrens-online-privacy-seal.html">TRUSTe</a></li><li><a
href="http://www.caru.org/index.aspx">The Children’s Advertising Review Unit</a></li><li><a
href="http://www.esrb.org/privacy/">The Entertainment Software Rating Board</a></li></ul><p>Unlike with other information privacy laws, the FTC has been diligent in enforcing COPPA. It has a <a
href="http://www.ftc.gov/privacy/privacyinitiatives/childrens_enf.html/">history of investigating privacy complaints</a> and taking action against websites and companies violating the rule.</p><h2>Summary</h2><p>COPPA protects the privacy of personal information for children. It does not prevent children from accessing mature content. COPPA uses parental notice and consent to prevent the wrongful collection and misuse of children’s personal information. Any website that may be frequented by children under the age of 13 must comply with the COPPA ruling if personal information is collected.</p><h2><em>CIPP/G Candidate Preparation</em></h2><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>U.S. Public and Private Sector General Laws including COPPA (I.B.a.ii.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/01/11/coppa-the-childrens-online-privacy-protection-act/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>P3P Privacy Policies</title><link>https://www.cippguide.org/2009/12/13/p3p-privacy-policies/</link> <comments>https://www.cippguide.org/2009/12/13/p3p-privacy-policies/#comments</comments> <pubDate>Sun, 13 Dec 2009 12:00:11 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Advertising]]></category> <category><![CDATA[Behavioral Advertising]]></category> <category><![CDATA[P3P]]></category> <category><![CDATA[Platform for Privacy Preferences Project]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1152</guid> <description><![CDATA[The Platform for Privacy Preferences Project, more commonly known as P3P was designed by the World Wide Web Consortium aka W3C in response to the increased use of the Internet for sales transactions and subsequent collection of personal information. P3P is a special protocol that allows a website’s policies to be machine readable, granting web users’ greater control over the use and disclosure of their information while browsing the [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.w3.org/P3P/">Platform for Privacy Preferences Project</a>, more commonly known as <a
href="http://en.wikipedia.org/wiki/P3P">P3P</a> was designed by the <a
href="http://en.wikipedia.org/wiki/W3C">World Wide Web Consortium</a> aka W3C in response to the increased use of the Internet for sales transactions and subsequent collection of personal information. P3P is a special protocol that allows a website’s policies to be machine readable, granting web users greater control over the use and disclosure of their information while browsing the web.</p><p><strong>Why was P3P created?</strong></p><p>Many websites and advertising companies use technologies, such as <a
href="http://en.wikipedia.org/wiki/Tracking_cookie%23Privacy_and_third-party_cookies">tracking cookies</a>, to monitor a user’s activity on the Internet in order to create unique user profiles and tailored advertising. However, many individuals may see such monitoring as a violation of privacy, especially since many of these cookies may be placed on a user’s computer without the individual’s knowledge. P3P was designed as a way to give web users greater control over what cookies are placed on their computer and what kind of information is released.</p><p><strong>How does P3P work?</strong></p><p>P3P is a <a
href="http://en.wikipedia.org/wiki/Protocol_%2528computing%2529">protocol</a> used to turn a website’s text-based privacy policies into a machine-readable format. A web user sets their browser preferences according to the level of protection they wish to use for their information. <a
href="http://www.p3ptoolbox.org/guide/section2.shtml">When a user attempts to access a website, the P3P privacy policy alerts the user’s web browser</a> of the site’s intended use of cookies and personal information, including what information is collected, how it is used and how long it is stored. When the user navigates to a site which requires more personal information than their privacy preferences allow, the user will be notified and given the option to proceed to the site even though the site may collect information they don’t want to disclose. If a user navigates to a site that uses cookies the user wishes to reject, the cookie will be automatically blocked by the web browser as the user accesses the site.</p><p>P3P privacy policies are usually stored in an <a
href="http://en.wikipedia.org/wiki/XML">XML</a> file and in a compact form in the <a
href="http://en.wikipedia.org/wiki/List_of_HTTP_headers">HTTP header</a> or <a
href="http://www.comptechdoc.org/independent/web/html/guide/htmlhead.html">HTML head</a> of a web page. <a
href="http://www.privacybird.org/">Privacy Bird</a> is a free browser plug in that allows users to control and view P3P privacy policies. <a
href="http://www.microsoft.com/windows/Internet-explorer/default.aspx">Internet Explorer</a> also makes use of P3P to provide cookie blocking features.</p><p><strong>Benefits of P3P</strong></p><ul><li>P3P allows web users to view and understand privacy policies in simple terms without the use of technical jargon.</li><li>P3P automatically blocks cookies or websites (and therefore the collection of certain types of information) according to a user’s privacy preferences.</li><li>P3P builds trust in websites that use it and in electronic transactions as a whole because privacy policies are more visible and controllable.</li><li>P3P is designed to address and support privacy options on a global level, no matter the level of protection guaranteed by individual privacy laws.</li></ul><p><strong>Criticisms of P3P</strong></p><p>P3P has faced strong opposition, especially from the <a
href="http://epic.org/">Electronic Privacy Information Center</a> which nicknamed it “<a
href="http://epic.org/reports/prettypoorprivacy.html">Pretty Poor Policy</a>.” Criticisms of P3P include:</p><ul><li>P3P is too difficult and confusing for individuals to use and understand.</li><li>Implementing P3P policies on a website is completely voluntary, and P3P will prevent or restrict users from accessing sites that do adequately protect their information simply because a P3P policy has not been created.</li><li>P3P uses the privacy principles of Notice and Choice to control privacy options; however, <a
href="http://www.kcoyle.net/p3p.html">there is no enforcement through technical measures or legislation to ensure the user’s information is protected.</a> Some believe the creation of P3P has been used as a way to circumvent or postpone the creation of stronger legislation regarding the use of cookies and personal information on the Internet.</li></ul><p><strong>Creating P3P Privacy Policies</strong></p><p>For website owners that wish to <strong><a
href="http://msdn.microsoft.com/en-us/library/ms537341%2528VS.85%2529.aspx">implement P3P</a></strong> on their site, there are a number of tools available to help with the creation of such a policy even if the website maintainer does not have a strong understanding of XML.</p><p>To implement a P3P privacy policy:</p><ol><li>Create a human-readable privacy policy stating the company’s privacy practices and place it on the website. (Most companies should already have one written to follow the <strong><a
href="http://www.privacyrights.org/ar/fairinfo.htm">Fair Information Practices</a></strong>.)</li><li>Use a P3P privacy policy generator or software program to translate the natural-language privacy policy into a machine-readable format by answering simple questions regarding the use and collection of information. Many programs will also create compact policies. Some generators or programs include:<ol><li><strong><a
href="http://alphaworks.ibm.com/tech/p3peditor">IBM’s P3P Policy Editor</a></strong></li><li><strong><a
href="http://www.p3pwiz.com/">P3P Wiz</a></strong></li><li><strong><a
href="http://p3pedit.com/">P3P Edit</a></strong></li></ol></li><li>Make sure the P3P policy links back to the human-readable privacy policies. This should be accomplished automatically with</li><li><strong><a
href="http://www.w3.org/TR/P3P/%23Referencing">Deploy the P3P policy on the website.</a></strong><ol><li>Compact policies should be placed in the header of every web page.</li><li>A retrievable XML file should be located in the “well known location” for P3P: /w3c/p3p.xml</li></ol></li></ol><p><strong>Summary</strong></p><p>P3P allows web users to gain greater control over the use and disclosure of their information and allows website owners to build confidence with their consumers. However, P3P policies must be backed with privacy practices that are carried out and enforced for P3P to be effective. While P3P does not eliminate or even adequately resolve privacy issues on the Internet, it does begin to address the problem and provides added options for the privacy conscious.</p><p><strong><em>CIPP Candidate Preparation</em></strong></p><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Privacy Considerations for Sensitive Information Online (Foundations III.B.) 
including Privacy notices and methods of communication (III.B.b) and Choice and consent (III.B.c)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/12/13/p3p-privacy-policies/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Data Protection Laws Around the Globe</title><link>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/</link> <comments>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/#comments</comments> <pubDate>Sun, 06 Dec 2009 12:00:18 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[APEC]]></category> <category><![CDATA[Argentina]]></category> <category><![CDATA[Asia]]></category> <category><![CDATA[Brazil]]></category> <category><![CDATA[Canada]]></category> <category><![CDATA[Chile]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Habeas Data]]></category> <category><![CDATA[Japan]]></category> <category><![CDATA[Latin America]]></category> <category><![CDATA[Paraguay]]></category> <category><![CDATA[PIPEDA]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1145</guid> <description><![CDATA[Information Privacy is an International concern. Today, most countries have laws protecting personal data from misuse and destruction. Regulation and enforcement of data protection varies from country to country. However, despite such differences, almost every country uses the same basic privacy concepts and principles– notice, access, consent, data integrity, disclosure and accountability– to develop data protection [...]]]></description> <content:encoded><![CDATA[<p>Information Privacy is an International concern. Today, most countries have laws protecting personal data from misuse and destruction. Regulation and enforcement of data protection varies from country to country. However, despite such differences, almost every country uses the same basic privacy concepts and principles– notice, access, consent, data integrity, disclosure and accountability– to develop data protection laws.</p><h2>Data Protection in Europe</h2><p>The European Union has the most extensive and comprehensive data protection laws in the world. In 1995, the European Commission instituted their most significant body of law known as the Data Protection Directive (95/45/EC). The directive applies to all entities that process personal data in all member states of the European Union.</p><h3>E.U. Data Protection Directive Privacy Principles</h3><p>The Data Protection Directive outlines privacy principles for the processing of data which include:</p><p>1)  Notice– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART10">(Article 10) </a>The data subject must be provided with the identity of the data controller, the purposes for which data is collected and third party recipients</p><p>2)  Choice– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART14">(Article 14)</a> The data subject may object to the processing of their personal data for the purpose of direct marketing and to the disclosure of data to third parties or for other uses.</p><p>3)  Access and Correction– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART12">(Article 12)</a> The data subject may request to view the data an entity has on record about them and rectify, erase or block the processing of data that is incorrect or incomplete.</p><p>4)  Data Quality– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART6">(Article 6)</a> Data should be processed lawfully. It should be collected and processed for specific and legitimate purposes. Data should be timely, accurate and complete. Data that is no longer necessary should be kept in a format that is not personally identifiable.</p><p>5)  Data Security– <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART17">(Article 17)</a> Appropriate steps must be taken to protect against accidental loss and unauthorized access, use or destruction.</p><h3>Enforcement</h3><p>The E.U. Data Protection Directive requires the creation of a <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART28">National Data Protection Authority</a> for all member states. This supervisory authority must regulate and implement data protection laws within its country as well as investigate privacy violations.<a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART18"> Every data controller must register with a supervisory authority before processing personal data. </a></p><h3><a
href="http://en.wikipedia.org/wiki/Data_Protection_Directive%23Transfer_of_personal_data_to_third_countries">Onward Transfer</a></h3><p>In order to protect personal data when transferred to countries outside the European Union, <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART25">the Data Protection Directive prohibits onward transfer to entities in non-member states</a> unless they meet an equivalent level of protection. Agreements like <a
href="http://www.export.gov/safeharbor/">Safe Harbor between the United States and the E.U.</a> allow businesses to participate in a program that permits unrestricted international data flow as long as a business institutes privacy principles similar to those of the E.U.</p><p>The Data Protection Directive also has special regulations for the transfer of <a
href="http://ec.europa.eu/youreurope/nav/en/citizens/services/eu-guide/data-protection/index_en.html%2311464_8">sensitive data</a> such as racial or ethnic origins, political or religious beliefs, sexual orientation, trade union membership and other similar characteristics. <a
href="http://aspe.hhs.gov/DATACNCL/eudirect.htm%23ART8">The E.U. requires explicit, affirmative consent from a data subject</a> in order to disclose sensitive information to third parties, no matter whether the third party is within or outside the European Union.</p><h3>Privacy and Electronic Communications Directive</h3><p>In 2003, the <a
href="http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications">Directive on Privacy and Electronic Communications</a> (<a
href="http://www.opsi.gov.uk/si/si2003/20032426.htm">2002/58</a>) was developed to complement the Data Protection Directive. It deals specifically with data protection with regard to marketing messages and the growing use of digital technology and electronic communications. <a
href="http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/the_basics.aspx">The Privacy and Electronic Communications Directive requires explicit consent from a data subject to send marketing messages unless all of the following criteria are met:</a></p><p>1)  The provider already has information on the data subject on file from a previous service or transaction</p><p>2)  The marketing message is in relation to similar services or products</p><p>3)  The data subject is given the opportunity to opt-out of further marketing messages.</p><p>The E-Privacy Directive also places restrictions on the use of marketing messages through telemarketing, automated telephone calls and faxes. The directive also requires a mechanism to <a
href="http://en.wikipedia.org/wiki/Directive_on_Privacy_and_Electronic_Communications%23Cookies">opt-out of the use and receipt of cookies</a>.</p><h2>Data Protection in Canada</h2><p>Canada is one of the countries closest to the European Union in terms of comprehensive information privacy law. It uses a co-regulatory framework between the government and the private sector to enforce data protection.</p><h3><a
href="http://en.wikipedia.org/wiki/Privacy_Act_%2528Canada%2529">The Privacy Act of 1983</a></h3><p><a
href="http://laws.justice.gc.ca/en/P-21/index.html">The Privacy Act of 1983 regulates the use of personal information by the Canadian Federal Government.</a> The Privacy Act requires:</p><ul><li>Notice– the data subject must be notified of the information collected and its uses</li><li>Access– a data subject has the right to view what personal information is held by a government institution and rectify erroneous information</li><li>Consent– the data subject must provide explicit consent before information is disclosed to parties outside the control of a government institution (with a few exceptions)</li><li>Limited Use– collected information must directly relate to the activities of a government program and may only be used for the purposes for which it was originally collected (with a few exceptions)</li><li>Enforcement– <a
href="http://en.wikipedia.org/wiki/Privacy_Commissioner_of_Canada">the Privacy Commissioner of Canada</a> must investigate any complaints it receives regarding privacy violations against data subjects.</li></ul><h3><a
href="http://en.wikipedia.org/wiki/PIPEDA">The Personal Information Protection and Electronic Documents Act</a></h3><p><a
href="http://laws.justice.gc.ca/en/P-8.6/FullText.html">PIPEDA</a> deals with information privacy in the private sector of Canada which includes financial and health institutions. It protects all information that may identify an individual used in the course of rendering commercial services including those of nonprofit organizations.</p><p><a
href="http://www.media-awareness.ca/english/resources/educational/handouts/privacy/csa_privacy_code_guide.cfm"> PIPEDA incorporates the ten privacy principles outlined by the Canadian Standards Association</a>, which are: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance. PIPEDA requires explicit consent from individuals in order to use, process or disclose their personal information (with a few exceptions).</p><p>PIPEDA is enforced through the<a
href="http://www.priv.gc.ca/aboutUs/mm_e.cfm%23contenttop"> Office of the Privacy Commissioner of Canada</a> or similar territorial privacy commissioners. The Commissioner is required, by PIPEDA, to investigate any privacy complaints lodged against a commercial institution and create a report of its findings. The report, with recommendations, is sent to the organization against which the complaint was filed. The report is also returned to the complainant, who can then pursue the matter further in the Federal Courts.</p><h2>Data Protection in Asia</h2><p>Data protection across Asia varies with the development and political beliefs of each country; however, even countries that grant the least protection have shown a concern for data protection and the way it affects the free flow of information.</p><p><a
href="http://www.jonesday.com/pubs/pubs_detail.aspx?pubID=S2920">Japan and the Law Concerning the Protection of Personal Information</a></p><p>Data Protection in Japan is covered under the <a
href="http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf">Law Concerning the Protection of Personal Information</a>. It was put into effect in 2005. Enforcement is handled by the ministry responsible for each industry sector (e.g., the Ministry of Health enforces the Law in the health industry). Each industry may place additional restrictions on the use of personal information.</p><p>Like many data protection laws, Japan’s Law requires specific and limited use of information, adequate data security and integrity, data subject notice of the purpose of use, as well as access to and correction of information held by an institution. One major difference in Japan’s Law is its policy regarding disclosure. Explicit consent is required for all disclosure of information to third parties, even if the third party is affiliated with the data-controlling entity.</p><h3>The Asia-Pacific Economic Cooperation</h3><p>APEC is a non-binding cooperative agreement between countries along the coast of the Pacific to facilitate regional trade. In 2004, APEC developed a Privacy Framework, recognizing the need for strong data protection laws to allow multinational and international business and trade to continue. <a
href="http://www.apec.org/apec/member_economies.html">Members of APEC</a> include: Australia, Canada, Chile, China, Japan, Peru, Russia, the United States, as well as others.</p><p><a
href="http://epic.org/redirect/apf12407.html">APEC’s Privacy Framework outlines 9 privacy principles:</a></p><p>1)  Preventing Harm– Above all, privacy regulations should prevent harm to data subjects from the unauthorized collection, use or disclosure, or other misuse, of personal information.</p><p>2)  Notice– An individual should be notified regarding their personal information, including what is collected, used or disclosed, why, how and to whom. They must also be given the choice and means to limit the use and disclosure of their information.</p><p>3)  Collection Limitation– Collected information should be used for specific and limited purposes.</p><p>4)  Uses of Personal Information– Personal information should be collected with the consent of the data subject and when necessary to render a service or transaction.</p><p>5)  Choice– Individuals must be provided with unambiguous mechanisms to control the collection, use and disclosure of their personal information.</p><p>6)  Integrity of Personal Information– Personal information should be complete, timely and accurate.</p><p>7)  Security Safeguards– Safeguards should be created to protect against data loss as well as unauthorized access, use, disclosure, destruction and other misuse.</p><p>8)  Access and Correction– Individuals must be able to obtain the personal information a data controller may hold about them in a timely and reasonable manner and be allowed to challenge the accuracy of the information.</p><p>9)  Accountability– Entities controlling personal information must be accountable for complying with privacy principles.</p><p>APEC is non-binding, which means that there is no single supervisory authority for enforcing compliance in member states. Each member state is responsible for creating and enforcing its own information privacy regulations that adhere to the APEC Privacy Framework.</p><h2>Data Protection in Latin America</h2><p>Like Asia, data protection in Latin America is inconsistent. 
However, many Latin American countries along the Pacific are members of APEC and comply with the APEC Privacy Framework. Furthermore, many countries have included some form of data protection in their constitutions under the writ of Habeas Data.</p><h3><a
href="http://en.wikipedia.org/wiki/Habeas_Data">Habeas Data</a></h3><p>Habeas Data literally translates to “[we command] you have the data.” It protects the right of an individual to file complaints with a constitutional court regarding violations of their image, honor, privacy, and freedom of information. Legally, this has translated into information privacy regulations for the government. Often, similar regulations have been extended to the private sector. Habeas Data requires that an individual be able to view information on record about their person and correct any false information. Furthermore, it holds a data-controlling entity accountable for the integrity of data. <a
href="http://en.wikipedia.org/wiki/Habeas_Data%23Implementation">The 1988 Brazilian Constitution was the first to include the writ of Habeas Data.</a></p><h3>Argentina</h3><p>Argentina is the only Latin American country considered <a
href="http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm">adequate under the E.U. Data Protection Directive. </a> The Argentine Constitution contains the writ of Habeas Data. In 2000, a comprehensive data protection law called the <a
href="http://www.habeasdata.org/Data-Protection-Act-Argentina-Law-25326">Personal Data Protection Act</a> was implemented to protect personal data in both the public and private sector.</p><p>Under the Act, data must be collected for “certain, appropriate, pertinent and not excessive” purposes and must be collected lawfully. Data must be accurate, complete, secure and destroyed once it is no longer necessary for the purposes it was originally collected. Furthermore any activities surrounding personal data must receive explicit consent from the individual with a few specific exceptions <a
href="http://www.habeasdata.org/Data-Protection-Act-Argentina-Law-25326">(section 5)</a>.</p><p>The Act also prohibits the creation of files linking sensitive data with identifiable individuals and requires that no person may be compelled to share sensitive data. Much like the E.U. Data protection directive, the Act requires other countries to have adequate levels of protection before transferring data.</p><h3>Chile</h3><p>In 1999, Chile was the first Latin American country to implement a data protection law.  Chile uses a comprehensive law called <a
href="http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&amp;id=2140">The Law for the Protection of Private Life</a> to govern the public and private sectors. While the Law guarantees a data subject’s rights to access, correction, notice, and judicial control,<a
href="http://www.privacyinternational.org/survey/phr2003/countries/chile.htm"> there is no supervisory authority and compliance is largely self-enforced. </a>Furthermore, the Law provides no protection for international transfers.</p><h3>Paraguay</h3><p>Paraguay includes Habeas Data in <a
href="http://servat.unibe.ch/icl/pa00000_.html%23A135_">Article 135</a> of its constitution, which states:</p><p>“Everyone may have access to information and data available on himself or assets in official or private registries of a public nature. He is also entitled to know how the information is being used and for what purpose. He may request a competent judge to order the updating, rectification, or destruction of these entries if they are wrong or if they are illegitimately affecting his rights.” Paraguay also has its own privacy law to govern information privacy during the course of commercial business. Additionally, it <a
href="http://www.madrid.org/cs/Satellite?c=CM_Revista_FP&amp;cid=1142318581808&amp;esArticulo=true&amp;idRevistaElegida=1142317009940&amp;language=en&amp;pag=1&amp;pagename=RevistaDatosPersonalesIngles%252FPage%252FRDPI_home_RDP&amp;siteName=RevistaDatosPersonalesIngles">protects sensitive data and economic status information</a> by requiring explicit, written consent of the data subject unless it is required by law.</p><h2>In Conclusion</h2><p>As technology progresses and the unrestricted flow of information across borders becomes increasingly important, countries will no longer have the luxury of avoiding data protection. In order to protect the data of their citizens, governments like the E.U. and Argentina require similar levels of protection when they transfer their information to other countries. To allow such trade to continue, countries around the globe must implement privacy policies of their own and consider how they will protect the information of their citizens as well as the personal information they receive through onward transfer. With the growth of electronic technology, information privacy has become an international issue that cannot be ignored.</p><h1>CIPP Candidate Preparation</h1><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Privacy and Data Protection Regulation (Foundations: I.F.b.ii-v.) 
including Europe, Canada, Asia and South America</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/12/06/data-protection-laws-around-the-globe/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Safe Harbor Compliance</title><link>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/</link> <comments>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/#comments</comments> <pubDate>Mon, 30 Nov 2009 12:00:21 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Consumer Protection]]></category> <category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Federal Trade Commission]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Safe Harbor]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1136</guid> <description><![CDATA[Safe Harbor is an advantageous agreement between the United States and the European Union that governs the protection of data during transfer from the E.U. to the U.S.  American companies wishing to do business with companies in the E.U. may receive certification, stating they have implemented data protection principles that are similar and equal to those of the E.U. Data Protection Directive, and are then allowed unrestricted data transfers with entities in the E.U. Recently, the FTC– the U.S. body governing enforcement of Safe Harbor– has begun to crack down on U.S. companies claiming Safe Harbor compliance, but failing to implement the required protection standards. Multi-national companies must now take a strong look at their privacy policies and notices to ensure they are Safe Harbor compliant and avoid Federal [...]]]></description> <content:encoded><![CDATA[<p>Safe Harbor is an advantageous agreement between the United States and the European Union that governs the protection of data during transfer from the E.U. to the U.S.  American companies wishing to do business with companies in the E.U. may receive certification, stating they have implemented data protection principles that are similar and equal to those of the <a
href="http://en.wikipedia.org/wiki/Data_Protection_Directive">E.U. Data Protection Directive</a>, and are then allowed unrestricted data transfers with entities in the E.U. Recently, the<a
href="http://www.ftc.gov/"> FTC</a>– the U.S. body governing enforcement of Safe Harbor– has begun to crack down on U.S. companies claiming Safe Harbor compliance, but failing to implement the required protection standards. Multi-national companies must now take a strong look at their privacy policies and notices to ensure they are Safe Harbor compliant and avoid Federal scrutiny.</p><p><strong>What is Safe Harbor?</strong></p><p>In 1995, the E.U. implemented a comprehensive law, the <a
href="http://www.cdt.org/privacy/eudirective/EU_Directive_.html">Data Protection Directive</a>, which created strong standards and principles governing the use and protection of data. Any data transferred within the E.U. or the European Economic Area would be protected under the law. However, personal data transferred to other countries would not be guaranteed the same protection. The Data Protection Directive restricts the transfer of data to other countries unless they meet a comparable level of data protection.</p><p>Data protection in the United States, which is more commonly known as information privacy, is governed by a number of sectoral laws that protect data within specific industries; for example, <a
href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html">HIPAA</a> protects personal health information, <a
href="http://en.wikipedia.org/wiki/Fair_and_Accurate_Credit_Transactions_Act">FACTA</a> protects personal information in the financial sector. The U.S. has no central or comprehensive data protection regime and, therefore, the E.U. finds data protection in the U.S. to be inadequate.</p><p>To facilitate unrestricted data transfer between the United States and the European Union, the Safe Harbor agreement was created to allow U.S. companies the opportunity to raise their level of data protection and achieve “adequate” status, thus meeting the restriction rules for onward transfer to third parties under the E.U. Data Directive.</p><p><strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">The Benefits of Safe Harbor Compliance</a></strong></p><p>In 2000, when the Safe Harbor agreement was developed between the E.U. and the U.S., data transfers accounted for over <a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">$300 billion in trade</a>. Safe Harbor allows such exportation and importation of data to continue while still protecting the personal data of European citizens. Though the Safe Harbor agreement requires stricter privacy standards for U.S. companies than U.S. law requires, it is really to the benefit of both sides that such an agreement exists.</p><p>Participating U.S. companies enjoy the privilege of the Safe Harbor Agreement, which demands that all E.U. member states allow unrestricted data transfers with any and all Safe Harbor certified participants. This means that certified companies may not be denied transfers by individual data controllers or Data Protection Authorities according to their own agendas.</p><p>Furthermore, complaints brought against a U.S. entity by European citizens regarding the protection of their personal data are heard in U.S. courts, and the Safe Harbor program is under U.S. enforcement.</p><p>Safe Harbor also eliminates the need for case-by-case approval of data transfers, or grants such approval automatically, creating a more cost- and time-efficient system. Companies may choose not to join the Safe Harbor agreement and instead make individual agreements or model contracts with a Data Protection Authority, but this may increase the time and energy needed to allow for the unrestricted transfer of data.</p><p><strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">How Does a Company Become Safe Harbor Compliant?</a></strong></p><p>The Safe Harbor program is voluntary. In order to participate, an entity must complete a self-certification process annually with the Department of Commerce. To do this, a company may join a self-regulatory privacy program such as the <a
href="http://www.bbb.org/us/european-union-dispute-resolution/">BBB online</a>, which audits companies' privacy policies and business operations and provides certificates of compliance with Safe Harbor. Alternatively, an entity may create its own self-regulatory privacy policy that adheres to all Safe Harbor principles. Furthermore, the entity must publicly state in its privacy notice that it is Safe Harbor compliant.</p><p><strong><a
href="http://en.wikipedia.org/wiki/Safe_harbor">The Safe Harbor Principles</a></strong></p><p>The following principles must be included in a <strong><a
href="http://www.export.gov/safeharbor/eu/eg_main_018474.asp">Safe Harbor compliant privacy policy</a></strong>.</p><p><em>Notice</em></p><ul><li>The data subject must be notified about the purposes for which personal information is collected and used.</li><li>The data subject must be notified about contact methods to file inquiries and complaints.</li><li>The data subject must be notified about the types of third parties to whom personal information may be disclosed.</li><li>The data subject must be provided with their choices and means of limiting disclosure of their personal data.</li><li>Notice should be provided at the time when information is first collected or shortly thereafter and must be provided before data is processed or disclosed.</li></ul><p><em>Choice</em></p><ul><li>The data subject must be able to opt-out of third party disclosures.</li><li>The data subject must be able to opt-out of secondary usage of information.</li><li>The data subject must give affirmative consent (opt-in) for the disclosure or use of <strong><a
href="http://ec.europa.eu/youreurope/nav/en/citizens/services/eu-guide/data-protection/index_en.html%2311464_8">sensitive information</a></strong>.</li></ul><p><em>Onward Transfer</em></p><ul><li>All third parties to whom data may be transferred must follow the Safe Harbor principles or be Data Directive compliant. The same level of protection must be guaranteed no matter how many times data is transferred.</li></ul><p><em>Security</em></p><ul><li>Entities that process data in any stage of its life cycle (collection, use, analysis, storage) must take reasonable measures to protect against data loss, destruction, misuse and unauthorized access.</li></ul><p><em>Data Integrity</em></p><ul><li>Data may only be processed or used insofar as it is relevant and proportional to the purposes for which it was originally collected.</li><li>An entity should take reasonable steps to ensure data is accurate, timely and complete.</li></ul><p><em>Access</em></p><ul><li>Data subjects must be able to view the information an organization holds about them.</li><li>Data subjects must be able to correct, add to, or delete inaccurate information.</li></ul><p><em>Enforcement</em></p><ul><li>A recourse mechanism must be in place for data subjects to file complaints and have disputes investigated and resolved.</li><li>An entity must have a mechanism to verify that the stated privacy policy and business operations are compliant with the Safe Harbor agreement. Audits should be completed annually.</li><li>It is the obligation and responsibility of the entity to remedy any problems with compliance in a timely fashion.</li></ul><p><strong><em><a
href="http://www.export.gov/safeharbor/eu/eg_main_018481.asp">Enforcing Safe Harbor</a></em></strong></p><p>U.S. compliance with Safe Harbor is largely self-regulated. Entities may choose to complete self-verification of compliance and investigate complaints internally. Companies also have the option of using private, third-party dispute resolution mechanisms that have gained a reputation for trustworthiness to verify their compliance and investigate disputes.</p><p>Some well-known third-party dispute resolution service providers include:</p><ul><li><em><a
href="http://www.bbb.org/us/Dispute-Resolution-Services/">The Better Business Bureau Online</a></em></li><li><em><a
href="http://www.the-dma.org/services/MediationArbitrationService.shtml">The Direct Marketing Association</a></em></li><li><em><a
href="http://www.esrb.org/privacy/privacy_enforcement.jsp">The Entertainment Software Rating Board</a></em></li></ul><p>Third-party dispute resolution providers are self-regulated and not certified by the Department of Commerce or the FTC. Therefore, it is the legal responsibility of the entity to choose a program that is Safe Harbor compliant.</p><p>Though Safe Harbor has not been strictly enforced in the past, there are provisions within privacy and trade law to punish violators. <a
href="http://www.export.gov/safeharbor/eu/eg_main_018476.asp">Misuse of the Safe Harbor agreement can qualify as “unfair or deceptive trade practices” under Section 5 of the Federal Trade Commission Act</a>. The FTC may take action against offenders, including conducting formal hearings and issuing cease-and-desist or temporary restraining orders. Failing to comply with an FTC order may carry a penalty of up to $11,000 for every day of continued violation, and any entity that knowingly violates an FTC rule may be subject to the same penalty.</p><p><strong>Safe Harbor in the News</strong></p><p>Historically, the FTC has done very little to enforce Safe Harbor compliance. However, that has begun to change. <strong><em><a
href="http://privacylaw.proskauer.com/2009/09/articles/european-union/ftc-enforces-useu-safe-harbor-program-for-first-time/">In August 2009, the FTC publicly announced a suit against a California based company, Balls of Kryptonite,</a> </em></strong>which purposely misled UK consumers to believe it was an E.U. company by using a .co.uk domain address. Furthermore, the company stated in its privacy policy that it was Safe Harbor compliant though no certification had ever been filed.</p><p><strong><em><a
href="http://privacylaw.proskauer.com/2009/10/articles/european-union/ftc-continues-safe-harbor-enforcement-streak-with-six-new-proposed-settlements/">Then, in October 2009, the FTC filed settlement complaints against six multinational companies</a></em></strong> that had lapsed in their compliance but failed to alter their privacy policies to notify data subjects of the change. The recent enforcement has sent the message to business owners that the FTC may no longer rely on private, self-regulation to provide adequate enforcement. Since Safe Harbor compliance requires a public statement in privacy notices stating participation in the program, the FTC needs only to compare their current list of Safe Harbor participants with the privacy notice of an entity to gain evidence of unfair or deceptive trade practices. <strong><em><a
href="http://privacyblog.littler.com/2009/10/articles/data-security/multinationals-certified-to-the-useu-safe-harbor-agreement-beware-the-federal-trade-commission-has-bared-its-enforcement-teeth/">There is also speculation that audits may be conducted in the future</a></em></strong> for companies with current certifications, to verify full compliance with all Safe Harbor regulations.</p><p>Data protection, especially with regard to onward transfer, continues to remain a significant issue in international politics. <a
href="http://www.dhs.gov/journal/leadership/2009/11/us-and-eu-agree-on-data-protection.html">In the first week of November 2009, the United States and European Union</a>, recognizing the weaknesses in current regulation, joined together to create a common set of principles to govern the transfer of personal data. <a
href="http://www.google.com/hostednews/afp/article/ALeqM5gC_3suiQ5PQX2Quq6BtyeNYRpTpw">That same week, privacy representatives from around the world met in Madrid </a>for the International Data Protection and Privacy to create a universal standard of privacy and data protection, in the hopes of eventually creating a universal data protection law.</p><p><strong>In Conclusion:</strong></p><p>Companies wishing to conduct legal and successful business on a multinational level must be concerned with the protection of data whenever it is transferred to or from the United States. Agreements like Safe Harbor allow the United States and the European Union to continue a mutually beneficial trade relationship; however, the agreement alone does not guarantee data protection. Participating U.S. companies need to ensure Safe Harbor compliance to build trust in their organization, as well as in the program, so that such agreements can continue in the future despite the differing approaches the U.S. and the E.U. take regarding data protection.</p><p><strong><em>CIPP Candidate Preparation</em></strong></p><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>The Collective View of Privacy Principles (Foundations: I.E) including Notice, Consent, Access, Security, and Quality</li><li>Privacy and Data Protection Regulation (Foundations: I.F) including Onward Transfer, Safe Harbor, and the E.U. 
Data Protection Directive</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/11/30/safe-harbor-compliance/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Limiting Data Collection</title><link>https://www.cippguide.org/2009/10/04/limiting-data-collection/</link> <comments>https://www.cippguide.org/2009/10/04/limiting-data-collection/#comments</comments> <pubDate>Mon, 05 Oct 2009 03:34:44 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Code of Fair Information Practices]]></category> <category><![CDATA[Collection Limitation]]></category> <category><![CDATA[OECD]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1053</guid> <description><![CDATA[While increasing the amount of detail and information seems enticing to the business intelligence office, security and privacy professionals must step in and put on the brakes to limit disclosure [...]]]></description> <content:encoded><![CDATA[<p>Collecting information from customers.  Every company does it; it&#8217;s simply a requirement for successful marketing.  The more information to mine through, the more likely the marketing department may make a correlation and sell more stuff.  This equates to profit &#8211; the reason any red-blooded company is in existence.</p><p>This also opens the company to privacy violations &#8211; depending on the industry, you may face indictment by the FCC, FTC, EU DPAs, etc.</p><p>My phone battery was on the fritz, so I needed to find a replacement.  I visited an electronics store currently trying to rebrand itself as &#8220;the Shack&#8221; looking for a new battery.  They had an off-brand battery labeled for my phone type.  I explained the situation to the cashier &#8211; I had tried this solution before with another battery retailer, and there&#8217;s a very real possibility this one would similarly fail.  I paid cash, thinking why go through the hassle of having the same charge card to make the return.  Maybe I&#8217;d just have my wife stop by while running errands?</p><p>That night, my hunch was right, and a large X appeared over the phone&#8217;s status icon.  I went in the following day, where the same cashier immediately recognized what must have happened.  &#8220;No problem, we&#8217;ll give you a refund.  We just need a little information.&#8221;  This included much more than just my name &#8211; address, phone number, photo ID.  All of this because I used a green piece of paper.  Maybe the company is trying to combat fraud, but for less than US$50, at what cost?  
I didn&#8217;t ask what protections corporate had in place, and even if they had literature, I was on my way to the airport and in no shape to read it&#8230;</p><p>No matter what the rationale, this is simply too much information in the wake of the numerous network breaches sparked by TJX.  Jennifer Stoddart, former privacy commissioner of Canada, said: &#8220;The company collected too much personal information, kept it too long and relied on weak encryption to protect it.&#8221;</p><p>Good companies have opt-in policies and clearly define how the data will be used and with whom it may be shared.  Great companies don&#8217;t collect information without a specific purpose.  The ideas are not new; they fall in line with the US Department of Health, Education and Welfare&#8217;s &#8220;The Code of Fair Information Practices&#8221; from the 1970s and the Organization for Economic Cooperation and Development&#8217;s (OECD) principles laid out in 1980 for collection limitations, methods and relevance.  These same ideas are echoed throughout the EU&#8217;s Data Protection Directive.  Today, the Payment Card Industry&#8217;s Data Security Standard, HIPAA, and the Federal Rules of Civil Procedure reemphasize the importance of collection limitation, placing specific regulations on how data are treated.  PCI mandates encryption and physical access restrictions, while the FRCP&#8217;s e-discovery rules suggest that retaining volumes of data indefinitely could create massive evidentiary headaches and unexpected costs.</p><p>In all, keep in mind, if you don&#8217;t collect it, you can&#8217;t lose it.  
Do you <em>really</em> need to log my personal information to make a $50 return?</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Introduction to Privacy:  “Guidelines Governing the Protection of Privacy and Trans-border Data Flows<br
/> of Personal Data” (Foundations: I.D.iv.1),  The European Union (“EU”) Data Protection Directive (95/46/EC) (Foundations: I.D.ii.2)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/10/04/limiting-data-collection/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Twitter is following your clicks</title><link>https://www.cippguide.org/2009/08/31/twitter-is-following-your-clicks/</link> <comments>https://www.cippguide.org/2009/08/31/twitter-is-following-your-clicks/#comments</comments> <pubDate>Mon, 31 Aug 2009 18:43:39 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Beacon]]></category> <category><![CDATA[bit.ly]]></category> <category><![CDATA[Clear]]></category> <category><![CDATA[cookie]]></category> <category><![CDATA[COPPA]]></category> <category><![CDATA[disclosure]]></category> <category><![CDATA[PII]]></category> <category><![CDATA[privacy policy]]></category> <category><![CDATA[Twitter]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=959</guid> <description><![CDATA[Several Twitter users noticed a change in their service Tuesday.  It wasn't obvious to most, and might not represent a significant difference.  This examination of Twitter's privacy policy questions their [...]]]></description> <content:encoded><![CDATA[<p>Several <a
title="Twitter users noticed a tracking redirect" href="http://search.twitter.com/search?q=link_click_count" target="_blank">Twitter users noticed a change in their service</a> Tuesday.  It wasn&#8217;t obvious to most, and might not represent a significant difference.  Eric Schonfeld of TechCrunch managed to <a
title="TechCrunch author captures twitter's new redirect" href="http://www.techcrunch.com/2009/08/25/twitter-wants-to-track-your-clicks/" target="_blank">capture one of the redirect links</a>.</p><blockquote><p>http://twitter.com/link_click_count?url=http%3A%2F%2Fbit.ly%2F3omd6p&amp;linkType=web&amp;tweetId=3541772256&amp;userId=12798452.</p></blockquote><p><span
style="color: #0000ff;"><span
style="color: #000000;">If you look at this link, it turns out that Twitter is redirecting to bit.ly.  Apparently, these links were previously handled entirely by bit.ly.  bit.ly is a &#8220;simple link shortener&#8221; that &#8220;offers URL redirection service with real-time link tracking&#8221;</span></span><span
style="color: #0000ff;"><span
style="color: #000000;">.  In addition, it includes a complete history of links shortened. Why would Twitter look to track links when they have a perfectly working relationship with their URL redirection provider? </span></span></p><p><span
style="color: #0000ff;"><span
style="color: #000000;">At 140 characters, tweets don&#8217;t provide much past commentary.  While you may <a
title="Congressman twitters location on secret mission to Iraq" href="http://www.cippguide.org/2009/02/09/congressman-twitters-security-breach/" target="_blank">update your location or time of arrival</a> in such a small space, you won&#8217;t be writing War and Peace or unveiling details of the latest scientific finding.  You do use it to add a bit of social commentary to a YouTube video &#8211; &#8220;check this out, it&#8217;s funny&#8221;, or &#8220;<a
title="Ashton Kutcher's Twitter post with picture link of Demi Moore" href="http://twitter.com/aplusk/status/1366791709" target="_blank">shhh, don&#8217;t tell wifey</a>&#8221; while sending a picture.<br
/> </span></span></p><p><span
style="color: #0000ff;"><span
style="color: #000000;">Tracking links fits in to the company&#8217;s long term goals, where <a
title="Twitters business goals and profit potential" href="http://digital.venturebeat.com/2009/08/20/twitter-to-roll-out-commercial-accounts-this-year-co-founder-stone-says/" target="_blank">Twitter will provide business services</a> including market research and customer prospecting.   Information analysis</span></span><span
style="color: #0000ff;"><span
style="color: #000000;"> only works when you hold the data. </span></span><span
style="color: #0000ff;"><span
style="color: #000000;">In order to provide some of the analytical services, such as identifying which marketing tweets are generating customer interest, Twitter will need to pull the bit.ly services in-house.<br
/> </span></span></p><p><span
style="color: #0000ff;"><span
style="color: #000000;">Is collecting this information, and moreover providing it to an outside third party, a violation of a customer&#8217;s privacy?  We are not going to see the agreement between Twitter and bit.ly &#8211; companies simply don&#8217;t publish those things.  However, we can examine selected passages from <a
title="Twitter's privacy policy" href="http://twitter.com/privacy" target="_blank">Twitter&#8217;s privacy policy</a> to glean the types and uses of information they collect, and a bit of what they may transfer to 3rd parties including bit.ly.</span></span></p><p><span
style="color: #0000ff;"><span
style="color: #000000;">Let&#8217;s delve a little deeper into Twitter&#8217;s privacy policy&#8230;<br
/> </span></span></p><h3>Selections from Twitter&#8217;s privacy policy</h3><blockquote><p>By using our Site you are <span
style="color: #ff0000;">consenting to our processing of your information </span>as set forth in this Privacy Policy now and as amended by us. <span
style="color: #ff0000;">&#8220;Processing&#8221; means using cookies</span> on a computer or <span
style="color: #ff0000;">using or touching information in any way, including, but not limited to, collecting, storing, deleting, using, combining and disclosing information</span>,</p></blockquote><p>Twitter may slice, dice and distribute any information you put into their system to anyone, anywhere.</p><blockquote><p>all of which activities will take place in the United States.<span
style="color: #ff0000;"> If you reside outside the U.S. your personally identifiable information will be transferred to the U.S., and processed and stored there under U.S. privacy standards.</span> <span
style="color: #ff0000;">By visiting our Site and providing information to us, you consent to such transfer to, and processing in, the US.</span></p></blockquote><p>Twitter is very clear that all information collection and processing occurs in the United States.  This gives citizens of the European Union and other like-minded countries notice that they are opting in to monitoring and marketing &#8211; the protections afforded by local EU Data Protection Directive-style laws will not apply.</p><blockquote><h3>Information Collection and Use</h3><p>Our primary goals in <span
style="color: #ff0000;">collecting personally identifiable information are to provide you with the product and services made available through the Site, including, but not limited, to the Service, to communicate with you, and to manage your registered user account</span>, if you have one.</p></blockquote><p>&#8220;The Service&#8221; is quite broad, and likely includes provisions for third party tracking and marketing (i.e. bit.ly).  Obviously, when Twitter introduces their own business services, this will extend &#8220;the Service&#8221; definition.</p><blockquote><p><strong>Information Collected Upon Registration</strong>. If you desire to have <span
style="color: #ff0000;">access to certain restricted sections of the Site, you will be required to become a registered user, and to submit certain personally identifiable information to Twitter</span>. This happens in a number of instances, such as <span
style="color: #ff0000;">when you sign up for the Service,</span> or if you <span
style="color: #ff0000;">desire to receive marketing materials</span> and information. Personally identifiable information that we may collect in such instances may <span
style="color: #ff0000;">include your IP address, full user name, password, email address, city, time zone, telephone number, and other information that you decide to provide us with, or that you decide to include in your public profile</span>.</p></blockquote><p>This section does imply that you must opt in to receive marketing materials.  Obviously, anything placed on a public profile is no longer private, but apparently the other information will not be disclosed.  Your user ID is not considered PII.</p><blockquote><p><strong>Additional Information</strong> Your full <span
style="color: #ff0000;">u</span><span
style="color: #ff0000;">ser name and your photo</span>, if you decide to upload one &#8230; you <span
style="color: #ff0000;">may provide additional information</span> in the profile section, including but not limited to your <span
style="color: #ff0000;">bio, your location, as well as your personal web site</span>, if you have one. Providing <span
style="color: #ff0000;">additional information</span> beyond what is required at registration is <span
style="color: #ff0000;">entirely optional</span>, but enables you to better identify yourself and find new friends and opportunities in the Twitter system. <span
style="color: #ff0000;">If you activate the mobile phone options</span> per the Terms of Service at <a
href="http://www.twitter.com/tos" target="_blank">www.twitter.com/tos</a>, we will collect your cellular phone number account information. &#8230; If you <span
style="color: #ff0000;">contact us by email</span> through the Site, we may <span
style="color: #ff0000;">keep a record of your contact information and correspondence</span>, and may use your email address, and any information that you provide to us in your message, <span
style="color: #ff0000;">to respond to you</span>.</p></blockquote><p>Again, anything provided past the required registration username is optional, but will be recorded and associated with the non-identifiable information Twitter collects.</p><blockquote><p><strong>Use of Contact Information</strong> In addition, we may <span
style="color: #ff0000;">use your contact information to market to you, and provide you with information about, our products and services, including but not limited to our Service</span>. If you decide at any time that you no longer wish to receive such information or communications from us, please follow the unsubscribe instructions provided in any of the communications.</p></blockquote><p>This suggests an opt-out for marketing and additional product information.  This seems like it may be in conflict with the earlier opt-in statement.</p><blockquote><p><strong>Log Data</strong> When you visit the Site, our <span
style="color: #ff0000;">servers automatically record information that your browser sends</span> whenever you visit a website (&#8220;Log Data&#8221; ). This Log Data may include information such as your I<span
style="color: #ff0000;">P address, browser type or the domain from which you are visiting, the web-pages you visit, the search terms you use, and any advertisements on which you click</span>. <span
style="color: #ff0000;">For most users</span> accessing the Internet from an Internet service provider the I<span
style="color: #ff0000;">P address will be different every time you log on</span>. We use Log Data to monitor the use of the Site and of our Service, and for the Site&#8217;s technical administration. We <span
style="color: #ff0000;">do not associate your IP address with any other personally identifiable information</span> to identify you personally, except in case of violation of the Terms of Service</p></blockquote><p>Here&#8217;s the part directly affecting bit.ly and the new click redirect service.  You do not own the clicks &#8211; Twitter will record your Log Data, and although not directly associated with your PII, your IP address could be put together with your user ID, which does not constitute PII.</p><blockquote><h3>Cookies</h3><p>Like many websites, we also use <span
style="color: #ff0000;">&#8220;cookie&#8221; technology to collect additional website usage data</span> and to improve the Site and our service&#8230;</p></blockquote><p><a
title="About Google's behavioral advertising program" href="http://www.google.com/ads/preferences/html/about.html" target="_blank">Google recently faced scrutiny regarding their behavioral advertising</a> using cookies, and <a
title="Wikipedia: Facebook's Beacon program uses questionable privacy techniques" href="http://en.wikipedia.org/wiki/Facebook_Beacon" target="_blank">Facebook&#8217;s Beacon program</a>, which used a more nefarious technique, caused quite a stir late in 2008.</p><blockquote><h3>Information Sharing and Disclosure</h3></blockquote><blockquote><p><strong>Service Providers</strong> We engage <span
style="color: #ff0000;">certain trusted third parties to perform functions and provide services to us</span>, including, without limitation, hosting and maintenance, <span
style="color: #ff0000;">customer relationship</span>, database storage and management, and <span
style="color: #ff0000;">direct marketing campaigns</span>. We will <span
style="color: #ff0000;">share your personally identifiable information with these third parties</span>, but <span
style="color: #ff0000;">only to the extent necessary to perform these functions</span> and provide such services, and only pursuant to binding contractual obligations requiring such third parties to maintain the privacy and security of your data.</p></blockquote><p>This is where bit.ly (for now) comes in.   PII will be transferred, and the information updates will likely flow down to these third parties.  It does not mention anything regarding third parties updating Twitter&#8217;s information.</p><blockquote><p><strong>Business Transfers</strong> Twitter may <span
style="color: #ff0000;">sell, transfer or otherwise share some or all of its assets, including your personally identifiable information</span>, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. You will have the opportunity to opt out of any such transfer if the new entity&#8217;s planned processing of your information differs materially from that set forth in this Privacy Policy.</p></blockquote><p>This is a big one.  The registered traveler program that <a
title="Bruce Schneier on the benefits of the Clear Registered Traveler program" href="http://www.schneier.com/blog/archives/2007/01/clear_registere.html" target="_blank">allowed people to move through a special, faster line at the airports</a>, hosted by the company <a
title="Clear declares lanes at airports closed" href="http://www.flyclear.com/" target="_blank">Clear, went bankrupt</a>. They want to sell the information they collected on users to the original parent company, Verified Identity Pass, or possibly a third party.  They are being fought tooth and nail by the users, for the simple fact that this is not just a user name, password and IP address or phone number.  Clear collected information such as Social Security Numbers, and even biometric info, like fingerprints and iris scans.  These data allowed Clear to perform such risk mitigation strategies as background investigations, criminal history checks and government watch list comparisons.  It is unclear what will happen to the data for users of Clear, but according to their <a
title="Clear's privacy policy requires securing of traveler's information" href="http://www.flyclear.com/clear_privacy.pdf" target="_blank">privacy policy</a>, the information may only be used for a similar registered traveler program.</p><blockquote><h3>Our Policy Towards Children</h3><p>The Site is not directed to persons under 13. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us at <a
href="mailto:privacy@twitter.com">privacy at twitter dot com</a>. We do not knowingly collect personally identifiable information from children under 13. If we become aware that a child under 13 has provided us with personal identifiable Information, we will delete such information from our files.</p></blockquote><p>Twitter, as well as any other online business, must follow the Federal Trade Commission&#8217;s COPPA, the <a
title="COPPA protects children under 13" href="http://www.coppa.org/" target="_blank">Children&#8217;s Online Privacy Protection Act</a>.  The idea being children will easily share much more information than necessary, potentially placing themselves in danger.</p><p>In all, Twitter&#8217;s well within their privacy policy and terms of service when sharing information.  Now, it&#8217;s just a question of how many people actually read it, or just skip it because it&#8217;s cool to be on Twitter.</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Introduction to Privacy:  Privacy as a factor in business risk management (Foundations: I.C.a.i.2),  Elements of Effective Privacy Management (Foundations: I.G.b.i) and Threats &amp; Vulnerabilities</li><li>Online Privacy:  Cookies (III.B.g.i) and Web Beacons (III.B.g.ii)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/08/31/twitter-is-following-your-clicks/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Finding and fixing mistakes &#8211; Data Subject Access &amp; Redress</title><link>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/</link> <comments>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/#comments</comments> <pubDate>Fri, 03 Jul 2009 10:17:09 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[credit reporting]]></category> <category><![CDATA[data subject access]]></category> <category><![CDATA[ehr]]></category> <category><![CDATA[ele]]></category> <category><![CDATA[electronic health records]]></category> <category><![CDATA[FACT Act]]></category> 
<category><![CDATA[FACTA]]></category> <category><![CDATA[FCRA]]></category> <category><![CDATA[Google Health]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[NHS]]></category> <category><![CDATA[opt-out]]></category> <category><![CDATA[redress]]></category> <category><![CDATA[UK]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=694</guid> <description><![CDATA[What happens when a company collects incorrect data?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their [...]]]></description> <content:encoded><![CDATA[<p>There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let&#8217;s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There&#8217;s a decent sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn&#8217;t affect anyone outside the credit reporting industry.  What happens when the collected data aren&#8217;t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?</p><h2>Historical Perspective</h2><p>This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics &#8211; &#8220;Individual Participation&#8221; and &#8220;Data Quality&#8221;.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  
The EU expounds upon individual participation: access must be available at reasonable intervals, and rectification must occur without excessive delay or expense.  The Federal Trade Commission <a
title="FTC advisory concerning providing online consumers reasonable access to personal information collected from and about them by domestic commercial Web sites" href="http://www.ftc.gov/acoas/papers/acoasdraft1.htm" target="_blank">(FTC) released an advisory on online access and security in 2000.</a> The CIPP defines these scenarios as customer access and redress.</p><h2>Problems in credit reporting</h2><p>Let&#8217;s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other lenders to determine an applicant&#8217;s creditworthiness or, more important to the lender, the risk of default.  The credit bureaus have reason to keep the information they collect as unavailable as possible &#8211; between them, the three main companies had a monopoly on the compiled credit history lenders need, and each one tries to glean every ounce of data on an individual to justify ordering its credit report product.  The bureaus were charging consumers for every access to their own credit reports, at what some would consider an inordinate price.  A <a
title="1998 PIRG Survey shows significant problems with the credit reporting procedures in the US" href="http://www.floridapirg.org/home/reports/report-archives/financial-privacy--security/financial-privacy--security/mistakes-do-happen-credit-report-errors-mean-consumers-lose" target="_blank">1998 survey by the Public Interest Research Group</a> underscored the customer redress situation:<span
id="more-694"></span></p><blockquote><ul><li>Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;</li><li>And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.</li><li>Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.</li></ul></blockquote><p>This treatment went against the privacy principles laid out in the OECD guidelines and the Fair Information Practices.  <a
title="2004 US Public Interest Research Group Survey finds discrepancies on 79% of all credit reports" href="http://calpirg.org/CA.asp?id2=14889&amp;id3=CA&amp;" target="_blank">Plus, mistakes were reportedly found on 79% of consumer credit reports</a>.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.</p><h2>Congress steps in</h2><p>In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus&#8230; and the <a
title="YouTube video of freecreditreport.com commercials" href="http://www.google.com/url?sa=t&amp;source=web&amp;oi=video_result&amp;ct=res&amp;cd=1&amp;url=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D7dFbNw3bpKE&amp;ei=HYNKSq3hIISktgez2fzUBQ&amp;usg=AFQjCNHsvOf0iMh4NwCGaY0ZmkiaXhk_bA" target="_blank">slew of funny commercials about guys in pirate hats</a>. Congress decided the credit bureaus&#8217; reporting was simply too important to the US financial system, stating its rationale for the legislation:</p><blockquote><p>(a) <em>Accuracy and fairness of credit reporting.</em> The Congress makes the following findings:</p><ol><li>The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.</li><li>An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.</li><li>Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.</li><li>There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer&#8217;s right to privacy.</li></ol><p>(b) <em>Reasonable procedures.</em> It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.</p></blockquote><h3>Unintended Consequences</h3><p>It is interesting to note that in 
response to the FACTA, &#8220;imposter&#8221; domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  <span>The World Privacy Forum study, &#8220;<a
title="World Privacy Rights study documents misdirection on the part of the credit bureaus in the FACTA mandated free credit report execution" href="http://www.privacyrights.org/ar/CallDontClick.htm" target="_blank">Call Don&#8217;t Click: Why It&#8217;s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,</a>&#8221; found:</span></p><blockquote><ul><li>28 of the imposter domains belong to Experian, a credit bureau.</li><li>68 of the imposter domains belong to or are hosted at &#8220;pay per click&#8221; companies.</li><li>50 of the &#8220;pay per click&#8221; domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of the &#8220;pay per click&#8221; sites lead consumers to Experian and other credit companies&#8217; commercial sites in order to cash in on the credit bureaus&#8217; affiliate marketing programs.</li></ul></blockquote><h2>Electronic Health Records &amp; HIPAA</h2><p>Consumer access is probably not as obvious a problem in the health care community.  Most of the work currently happens on the back end, where insurance companies and health care providers&#8217; offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with a doctor&#8217;s office blunders, but in those cases you&#8217;re likely handling them at the time of service and won&#8217;t pay until they get it right.  Most people simply don&#8217;t see the man behind the curtain.</p><p>The scary part will surround electronic health records (EHR) and the push to adopt them through ARRA.  Once records are reduced to digital bits, EHR integrity could become more questionable.  The transition will also uncover a slew of inconsistencies that have yet to reach the light of day &#8211; the proverbial Garbage In, Garbage Out.  A <a
title="After transferring his Electronic Health Records from his hospital, an early Google Health adopter found numerous mistakes with nothing but convoluted methods to fix them" href="http://e-patients.net/archives/2009/04/imagine-if-someone-had-been-managing-your-data-and-then-you-looked.html" target="_blank">recent adopter of Google Health recounts his experience utilizing his hospital&#8217;s auto-migrate feature</a>.  Some of his revelations:</p><blockquote><ul><li>[T]he docs in the back room&#8230; quickly figured out what was going on&#8230; the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses. [I]nsurance billing codes bear no resemblance to reality&#8230; if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.</li><li>EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.</li><li>[M]y 12/6/2003 x-ray identified me as a 53 year old woman&#8230; it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors&#8230;</li></ul></blockquote><p>This was a contemporary hospital.  Its CIO touted the EHR revolution and had already taken steps to embrace customer advocacy.  There will undoubtedly be push back from older hospitals or stodgier doctors.  Documented excavations of errors like this one are inevitable, especially with so many people involved in providing healthcare.  An <a
href="http://www.fastcompany.com/magazine/129/the-cure.html?page=0%2C1" target="_blank">article in <em>Fast Company</em></a> chronicled the clinical staff access associated with the writer&#8217;s medical care:</p><blockquote><p>… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op. “There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team, every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”</p></blockquote><p>To top it all off, there are already <a
title="How will issues with Electronic Health Records be different from paper records?" href="http://www.cippguide.org/2009/04/09/abandoned-medical-records-happen-will-abandoned-ehr-happen-more/" target="_blank">questions as to how older paper records might be brought into the digital realm</a>.  Who is to handle the scanning?  What is to become of the old records?  Will the security provisions be in place to prevent EHR compromise?  It&#8217;s already time consuming to update a digitized hospital&#8217;s records &#8211; how about those of a newly computer-literate doctor&#8217;s office?</p><h2>International Example</h2><p>The US doesn&#8217;t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner&#8217;s Office (ICO) responsible for privacy, the United Kingdom has had its share of reporting and correction problems, <a
title="The UK's National Healthcare System's electronic health database now allows customer record deletion" href="http://www.theregister.co.uk/2009/05/26/e_record_deletion/" target="_blank">most recently with its national health database</a>.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  Under the UK&#8217;s socialized health care, there were instances where opting out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergies, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and the security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized user to view any patient&#8217;s information, not just that of patients currently being treated.</p><p>The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed that medical record deletion would now be possible after discussions between the ICO privacy watchdogs and CfH managers.</p><blockquote><p>People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  
We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.</p></blockquote><h2>Summary</h2><p>When drafting corporate or group policies, general best practices dictate that data subjects should have the ability to review all information an organization holds on them and the right to correct any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lockstep with multinational laws with regard to data subject access and redress.</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post, including:</p><ul><li>Privacy Regulations (Foundations: I.F.b, CIPP: I.B) and Compliance Requirements (Foundations: II.B)</li><li>Data Subject Access &amp; Redress (Foundations: III.B.d)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/07/03/fixing-mistakes-data-subject-access-redress/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>UK Builder&#039;s Blacklist demonstrates EU privacy protections</title><link>https://www.cippguide.org/2009/04/20/uk-builders-blacklist-demonstrates-eu-privacy-protections/</link> <comments>https://www.cippguide.org/2009/04/20/uk-builders-blacklist-demonstrates-eu-privacy-protections/#comments</comments> <pubDate>Mon, 20 Apr 2009 14:51:35 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Britain]]></category> 
<category><![CDATA[EU]]></category> <category><![CDATA[European Union Data Protection Directive]]></category> <category><![CDATA[Ian Kerr]]></category> <category><![CDATA[ICO]]></category> <category><![CDATA[Information Commissioner]]></category> <category><![CDATA[UK]]></category><guid
isPermaLink="false">http://blog.cippguide.org/?p=342</guid> <description><![CDATA[The British Information Commissioner, Richard Thomas began prosecution of Ian Kerr, a private investigator used extensively within the UK construction business.  An investigation of Mr. Kerr revealed he compiled a database of 3,213 workers used by 40 construction companies for vetting potential employees, with, according to Commissioner Thomas, documents that “... show that files on individuals included comments on individuals such as ‘communist party’, ‘ex-shop steward, definite problems, no go’, ‘do not touch’, ‘orchestrated strike action’ and ‘lazy and a [...]]]></description> <content:encoded><![CDATA[<p>Last week, the <a
title="European Union brings charges against Britain for violating Data Protection Directive" href="http://blog.cippguide.org/2009/04/16/eu-begins-legal-action-against-uk-over-privacy/" target="_blank">European Union brought charges against Britain for failing to protect Internet users&#8217; privacy</a>.  That particular case surrounded Internet Service Providers and behavioral advertising through a company called Phorm.  The FTC is currently wrestling with similar behavioral advertising problems in the US.  There is, however, a great example of the <a
title="European Union Data Protection Directive for privacy rights" href="http://www.cdt.org/privacy/eudirective/EU_Directive_.html" target="_blank">EU Data Protection Directive 95/46/EC</a> and its fundamental privacy rights protection at work in the United Kingdom.</p><p>Each EU country elects or appoints a data protection authority (&#8220;DPA&#8221;) which oversees privacy compliance and regulation.  The UK passed the <a
title="UK Information Commissioner's Office: Data Protection Act of 1998 protects privacy" href="http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1" target="_blank">Data Protection Act of 1998</a> to comply with the EU&#8217;s Directive, establishing an <a
title="Information Commissioner's Office" href="http://www.ico.gov.uk/" target="_blank">Information Commissioner</a> as its DPA.  The Commissioner is appointed by the Queen and reports directly to Parliament.</p><p>The current commissioner, Richard Thomas, began <a
title="Information Commissioner's Office prosecutes Ian Kerr for privacy violations of the Data Protection Directive" href="http://www.ico.gov.uk/upload/documents/pressreleases/2009/tca_release_060309.pdf" target="_blank">prosecution of Ian Kerr</a>, a private investigator used extensively within the UK construction business. An investigation of Mr. Kerr revealed he compiled a database of 3,213 workers used by 40 construction companies for vetting potential employees.  These very prominent construction companies paid Mr. Kerr £3,000 annually for access to the database and used the information to make hiring decisions.  After an eight-month ICO investigation, Commissioner Thomas said he had documents which</p><blockquote><p>“&#8230; show that files on individuals included comments on individuals such as ‘communist party’, ‘ex-shop steward, definite problems, no go’, ‘do not touch’, ‘orchestrated strike action’ and ‘lazy and a trouble-stirrer’.”</p></blockquote><p>In a statement, Deputy Information Commissioner David Smith said:</p><blockquote><p>“This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied. The covert system enabled Mr Kerr to unlawfully trade personal information on workers for many years helping the construction industry to vet prospective employees. <span
id="more-342"></span>The Data Protection Act clearly states that organisations must be open about how they process personal information, and in most cases those processing personal information must register with the ICO – Mr Kerr did not comply with the law on either count.”</p></blockquote><p>British intellectual property lawyer Steve Kuncewicz said:</p><blockquote><p>“What employers cannot do is use data in the way they have. If they’re not careful, the directors of the construction company concerned could end up facing a criminal charge as well as a civil action.”</p></blockquote><p>The EU Directive gives employees the right to see and correct inaccurate personal data their employer may hold about them.  This case suggests the Phorm incident is simply a discrepancy or oversight rather than disrespect for British citizens&#8217; privacy.  Commissioner Thomas snared a clear violator and a large sampling of UK construction companies.  Deputy Commissioner Smith states quite clearly,</p><blockquote><p>“We will prosecute Mr Kerr and we are also considering what regulatory action to take against construction firms who have been using the system. I remind business leaders that they must take their obligations under the Data Protection Act seriously. Trading people’s personal details in this way is unlawful and we are determined to stamp out this type of activity.”</p></blockquote><p>The complete list of construction companies may be found at the end of the <a
title="Construction Companies involved in Information Commissioner's Office prosecutes Ian Kerr for privacy violations of the Data Protection Directive" href="http://www.ico.gov.uk/upload/documents/pressreleases/2009/tca_release_060309.pdf" target="_blank">ICO&#8217;s statement on the matter</a>. For a privacy professional or CIPP candidate, a quick review of several of the Data Protection Directive provisions violated by Mr. Kerr and the construction companies is in order.</p><p><span
style="text-decoration: underline;">Section I, Article 6, of the Data Protection Directive requires that personal data be:</span></p><ul><li><span
style="color: #000000;">(b) collected for <strong>specified, explicit and legitimate purposes</strong> and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;</span></li><li>(d) <span
style="color: #000000;"><strong>accurate and, where necessary, kept up to date</strong>; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;</span></li></ul><p><span
style="text-decoration: underline;">Section II, Article 7, states that, as criteria for making data processing legitimate, personal data may not be processed unless:</span></p><ul><li><span
style="color: #000000;">(a) the data subject has <strong>unambiguously given his consent;</strong> or</span></li><li><span
style="color: #000000;">(d) processing is necessary in order to protect the <strong>vital interests of the data subject;</strong> or</span></li></ul><p><span
style="text-decoration: underline;">In Section V, Article 12, data subjects are guaranteed specific rights:</span></p><ul><li><span
style="color: #000000;">(a) without constraint at reasonable intervals and without excessive delay or expense:</span><ul><li><span
style="color: #000000;"><strong>confirmation</strong> as to whether or not <strong>data relating to him are being processed</strong> and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,</span></li><li><span
style="color: #000000;">communication to him in an intelligible form of the data undergoing processing and of any available information as to <strong>their source</strong>,</span></li><li><span
style="color: #000000;">knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in </span>Article 15<span
style="color: #000000;"> (1);</span></li></ul></li><li><span
style="color: #000000;">(b) as appropriate the <strong>rectification, erasure or blocking</strong> of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;</span></li><li><span
style="color: #000000;">(c) <strong>notification to third parties</strong> to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.</span></li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/04/20/uk-builders-blacklist-demonstrates-eu-privacy-protections/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
