There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let’s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There’s a decent sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn’t affect anyone outside the credit reporting industry.  What happens when the collected data aren’t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?

Historical Perspective

This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics – “Individual Participation” and “Data Quality”.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission (FTC) released an advisory on online access and security in 2000. The CIPP defines these scenarios as customer access and redress.

Problems in credit reporting

Let’s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant’s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible – between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A 1998 survey by the Public Interest Research Group underscored the customer redress situation:

• Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;
• And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.
• Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.

This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  Plus, mistakes were reportedly found on 79% of consumer credit reports.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.

Congress steps in

In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus… and the slew of funny commercials about guys in pirate hats. Congress decided the credit bureaus’ reporting was simply too important to the US financial systems stating their rationale for the legislation:

(a)Accuracy and fairness of credit reporting. The Congress makes the following findings:

1. The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.
2. An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.
3. Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
4. There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.

(b)Reasonable procedures. It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.

Unintended Consequences

It is interesting to note, that in response to the FACTA, “imposter” domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  The World Privacy Forum study, “Call Don’t Click: Why It’s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,” found:

• 28 of the imposter domains belong to Experian, a credit bureau.
• 68 of the imposter domains belong to or are hosted at “pay per click” companies.
• 50 of the “pay per click” domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of    the “pay per click” sites lead consumers to Experian and other credit companies’ commercial sites in order to cash in on the credit bureaus’ affiliate marketing programs.

Electronic Health Records & HIPAA

Consumer access is probably not as obvious of a problem with the health care community.  Most of the work currently happens on the back end, where insurance companies and health care provider’s offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor’s office blunders, but in those cases, you’re likely handling them at the time of service and wont pay until they get it right.  Most people simply don’t see the man behind the curtain.

The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day – the proverbial Garbage In, Garbage Out.  A recent adopter of Google Health recounts his experience utilizing his hospital’s auto-migrate feature.  Some of his revelations:

• [T]he docs in the back room… quickly figured out what was going on… the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses. [I]nsurance billing codes bear no resemblance to reality… if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.
• EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.
• [M]y 12/6/2003 x-ray identified me as a 53 year old woman… it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors…

This was a contemporary hospital.  Their CIO touted the EHR revolution and already took steps embracing customer advocacy.  There will undoubtedly be push back with older hospitals or stodgier doctors.  The documented excavations are inevitable, especially with so many people involved in providing healthcare.  An article in Fast Company chronicled the clinical staff access associated with the writer’s medical care:

… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team,every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”

To top it all off, there are already questions as to how older, paper records might be brought into the digital realm.  Who’s to handle the scanning?  What’s to be had of the old records?  Will the security provisions be in place to prevent EHR compromise?  It’s already time consuming to update a digitized hospital’s records – how about those of a newly computer literate doctor’s office?

International Example

The US doesn’t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner’s Office (ICO) responsible for privacy, the United Kingdom has had it’s share of reporting and correction problems, most recently with their national health database.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  With the socialized health care in the UK, there were instances where the opt out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergy information, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized users to view any patient’s information, not just those currently being treated.

The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed medical record deletion would now be possible after discussions with the ICO privacy watchdogs and CfH managers.

People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.

Summary

When drawing corporate or group policies, general best practices dictate data subjects should have the ability to review all information an organization holds on them and have the right to change any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lock step with multi-national laws with regard to data subject access and redress.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B)
• Data Subject Access & Redress (Foundations: III.B.d)

The scheduled drug raid was a joint operation with MI5, MI6, the US Drug Enforcement Agency and organized by the Serious Organized Crime Agency.  SOCA received £416 million in funding for 2006 (about $625 million), but did not release how much of that budget went for the covert operation.  An internal source claimed to The Times – London that the aborted operation cost over £100m ($150M). The agent responsible for the loss, referred to only as ‘T’, lost her purse somewhere between the airline terminal, the immigrations checkpoint and a bus from El Dorado airport in Bogota, Columbia.  She was heading to her new office at the British Embassy.

A Soca spokeswoman said: “Soca has introduced its own clearly defined data handling and security policies. During the year to March 2009 — the first year we have been required to report any breaches — there wasn’t a single breach of personal or sensitive data by Soca staff.”

The agencies took the first steps by defining data handling policies and measuring/reporting against them.  An inquiry and formal investigation into the event occurred, and remedies put in place appear to be working.  The obvious question – why was encryption not used for this sort of situation?

The secure computer on a USB key was developed for just this sort of cloak and dagger thing. There are encryption routines built into every commercial operating system available today.  Dozens of security vendors sell encryption software, ranging from Full Disk Encryption, to mobile device encryption, to file level and storage encryption.  The US National Security Agency helped Microsoft with Windows Vista. They designed a security enhanced version of Linux.  The British Intelligence folks have their hands in a few secured systems as well.

Encryption ought to be just another wicket in the engrained security processes of an intelligence operation.  In fact, encryption ought to be a requirement for every organization that processes private or mission critical information.  Security product provider Checkpoint points out the dire situtation best in a February 2009 UK survey: “…less than 50% of the UK public and private sector organisations use any form of data encryption.”

As a privacy professional, knowledge of information security and its ramifications to privacy are paramount to successful data protection.  Personally Identifiable Information, Private Health Records, Personal Financial Information – it’s all only as confidential as the protections surrounding it.  If the security provisions do not guarantee the data are available and the integrity’s intact, there could be more than fines or company reputation at stake.

The BBC reports Amazon UK spokesman Craig Berman released a statement: “We have contacted Webwise requesting that we opt out for all of our domains.”  The company declined further comment on the decision rationale.  “All we’re saying is we’ve chosen to opt out,” he said. “I don’t know if they’ve even implemented anything yet.”

In an email posted to the Wikimedia tech blog Thursday, Wikimedia stated:

“The Wikimedia Foundation requests that our web sites including Wikipedia.org and all related domains be excluded from scanning by the Phorm / BT Webwise system, as we consider the scanning and profiling of our visitors’ behavior by a third party to be an infringement on their privacy.”

In a statement, Phorm said: “There is a process in place to allow publishers to contact Phorm and opt out of the system, but we do not comment on individual cases.”

The Open Rights Group urged major Internet companies to opt out of Phorm each time more circumstances come to light, said it was very pleased with Amazon’s move.

“By choosing to block the contentious online advertising system from scanning its Web pages, these firms have taken the positive choice to protect their users’ privacy and their own brands.  We expect more sites to block Webwise in the near future and ISPs to drop plans to snoop on Web users.”

As the European Commission moves further with their case against the United Kingdom, and more publicity surrounds Phorm and Webwise, everyone should expect more companies trying to distance themselves from the situation.

Each EU country elects or appoints a data protection authority (“DPA”) who heads the compliance and regulation of privacy. The UK passed the Data Protection Act of 1998 to comply with the EU’s Directive, establishing an Information Commissioner as their DPA.  The Commissioner is appointed by the Queen and reports directly to Parliament.

The current commissioner, Richard Thomas began prosecution of Ian Kerr, a private investigator used extensively within the UK construction business. An investigation of Mr. Kerr revealed he compiled a database of 3,213 workers used by 40 construction companies for vetting potential employees. The very prominent construction companies would pay Mr. Kerr £3,000 annually for access to the database and use the information to make decisions on hiring. After an eight month ICO investigation, Commissioner Thomas said he has documents which

“… show that files on individuals included comments on individuals such as ‘communist party’, ‘ex-shop steward, definite problems, no go’, ‘do not touch’, ‘orchestrated strike action’ and ‘lazy and a trouble-stirrer’.”

In a statement, Deputy Information Commissioner, David Smith, said:

“This is a serious breach of the Data Protection Act. Not only was personal information held on individuals without their knowledge or consent but the very existence of the database was repeatedly denied. The covert system enabled Mr Kerr to unlawfully trade personal information on workers for many years helping the construction industry to vet prospective employees. The Data Protection Act clearly states that organisations must be open about how they process personal information, and in most cases those processing personal information must register with the ICO – Mr Kerr did not comply with the law on either count.

British intellectual property lawyer Steve Kuncewicz said:

“What employers cannot do is use data in the way they have. If they’re not careful, the directors of the construction company concerned could end up facing a criminal charge as well as a civil action.” The EU Directive gives employees the right to see and correct inaccurate personal data their employer may hold about them.

This case suggests the Phorm incident is simply a discrepancy or oversight rather than a disrespect for British Citizens’ privacy.  Commissioner Thomas snared a clear violator and a large sampling of the UK construction companies.  Deputy Commissioner Smith states quite clearly,

“We will prosecute Mr Kerr and we are also considering what regulatory action to take against construction firms who have been using the system. I remind business leaders that they must take their obligations under the Data Protection Act seriously. Trading people’s personal details in this way is unlawful and we are determined to stamp out this type of activity.”

The complete list of construction companies may be found at the end of the ICO’s statement on the matter. For a privacy professional or CIPP candidate, a quick review of several of Mr. Kerr and the construction companies’ violations of the Data Protection Directive is in order.

The Section I, Article 6, of the Data Protection Directive requires private data collected be

• (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
• (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;

While Section II, Article 7, states that, as criteria for making data processing legitimate, personal data may not be processed unless:

• (a) the data subject has unambiguously given his consent; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or

In Section V, Article 12, data subjects are guaranteed specific rights:

• (a) without constraint at reasonable intervals and without excessive delay or expense:
  • confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
  • communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
  • knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred .to in Article 15 (1);

• (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
• (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Member States shall provide that personal data may be processed only if:

• (a) the data subject has unambiguously given his consent; or
• (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
• (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
• (d) processing is necessary in order to protect the vital interests of the data subject; or
• (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
• (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).

This treatment of personal information held quite a bit of headache for multi-national companies with sensitive HR data or customer relationship information. These problems were eventually ironed out between the EU and the US Department of Commerce through the passage of the Safe Harbor program in 2000. The Center for Democracy and Technology gives a tidy summary of the Directive and international responses.

Intra-EU privacy was supposed to be quite well understood. Except by the British it appears. The European Commission began legal action against the United Kingdom Tuesday for failure to “ensure, among other things, the confidentiality of communications by prohibiting interception and surveillance without the user’s consent.”  In other words, not following Article 7.  To be fair, the 27 EU Members have had 90 cases of some sort of action brought against them, so the British are not in the minority.

The action, says EU Telecoms Commissioner Viviane Reding, relates to behavioral advertising company Phorm, and Internet Service Providers (ISPs) usage of the technology.  Apparently, British Internet users complained about interception and surveillance of their surfing habits.  The Federal Trade Commission brought similar behavioral US marketing problems to light in February.

“Technologies like Internet behavioural advertising can be useful for businesses and consumers but they must be used in a way that complies with EU rules,” Reding said in a statement. “We have been following the Phorm case for some time and have concluded that there are problems in the way the UK has implemented parts of the EU rules on the confidentiality of communications.”

For the United Kingdom, there has to be some question of sovereignty mixed in with the privacy lapses. EU Member States “cede part of their sovereignty under treaties which empower the EU institutions to adopt laws”. If Britain fails to come in line with the privacy protections from the Directive, Reding has the power to force the country to appear before the EU’s highest court, the European Court of Justice. The Court of Justice can thereby force Britain’s compliance.