Public comments re: health data breaches -- The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.
This guide to online job sites is a list of the top job searching sites online. This list gives information about the privacy practices at each site. Because resumes contain such detailed personal and professional information, it is well worth caring about how job search sites handle privacy issues. This guide is updated monthly, and we add new information to the guide monthly.
Job Search Privacy -- The World Privacy Forum's popular and long-standing Job Searcher's Guide has been completely updated. We have a site-by-site comparison of the privacy practices of online job search sites. This guide was originally posted in 2003, and has been updated regularly. This was a major update of this resource. The World Privacy Forum publishes extensive job search privacy resources in addition to the Guide, including a very popular guide to resume posting privacy.
Genetic Privacy | GINA -- The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.
The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loophole in consumer protection in the regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way as to prevent information leakage through billing and other activities.
Data broker opt out issue -- The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.
New Health Privacy Resource -- The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The ...
“This guide is not just a retread of what HIPAA is and does,” said Pam Dixon, executive director of the World Privacy Forum. “Our guide gives patients practical details and strategies on how they can use the law to protect their privacy and navigate the medical system. Best of all, it is easy to use.”
CVS Caremark | FTC proposed consent agreement -- The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.
Resource -- A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.
Tips for consumers: Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider. Don’t put anything in the cloud you would not want the government or a private litigant to see.
WPF report announcement -- The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.
Internet privacy -- The Federal Trade Commission released its self-regulatory principles for behaviorally-targeted advertising today. The World Privacy Forum will be holding a press conference responding to the principles at 12:30 p.m. Eastern.
Biometrics and ID -- The California DMV (Division of Motor Vehicles) has proposed, through an expedited 30- day process, that it begin taking detailed facial scans of drivers and storing the scans in a state-wide database. This change, among other proposed DMV changes, represents a substantial policy shift for the state of California. The World Privacy Forum has urged that this process goes through normal legislative procedures so that there is adequate time for public input and for formal hearings.
International Privacy Day -- The World Privacy Forum celebrated International Privacy Day by joining other privacy and civil liberties organizations in encouraging the U.S. Senate to adopt the Council of Europe Privacy Convention. The U.S. has already ratified the Council of Europe Convention on Cybercrime. International Privacy Day was founded three years ago by the Council of Europe, and is celebrated by privacy, civil liberties, and consumer groups in Europe, North America and elsewhere.
Monster.com | Consumer Alert | Job search privacy -- According to the job site Monster.com, its users' IDs and passwords, email addresses, names, phone numbers, and some "basic demographic data" were compromised in a data breach. Monster notified victims of the security breach through its web site on Friday, January 23, 2009. It is unclear how many people this notice impacts, as Monster.com did not give an estimate. In press reports, however, Monster has admitted that the breach is global, with Asia Pacific and Eastern Europe being spared. Job seekers' information can be used like a road map for criminal ventures, including identity theft, phishing and spamming. User passwords, which Monster.com says were compromised in this breach, are especially valuable as they can potentially be used to access other sites or email accounts, especially if a person regularly uses the same passwords. The World Privacy Forum has published a consumer alert about this data breach with tips for victims. This data breach also impacts USAjobs.com, the government job search site affiliated wiith Monster.com.
School privacy | FERPA -- In May 2008 the World Privacy Forum submitted detailed comments on proposed changes to the Family Educational Rights and Privacy Act regulations (FERPA). The FERPA regulations are the rules that control how schools treat and release student information. The final FERPA regulations have now been published and reveal that the World Privacy Forum comments had a positive impact. The new regulations agreed with WPF's comment that if a school requests a Federal tax return from a parent, that the parent has the right to redact all financial information from the form, and affirmed that the school does not have a requirement to ask for the tax form in the first place. The regulations also agreed with the WPF comment that the risk of re-identification of published student information is cumulative, and made recommendations that educational institutions take into account all releases of student information it has made, not just new releases.
GINA - Genetic Information Nondiscrimination Act -- In comments regarding the recently passed GINA (Genetic Information Nondiscrimination Act), the World Privacy Forum said that some aspects of GINA need clarification to enhance privacy. The comments focus on a number of privacy issues the RFI raised, including model privacy notices and the issue of what the GINA statute calls "incidental collection" of genetic information. Currently, GINA states that some kinds of information are exempted from being considered as regulated for medical underwriting purposes. For example, medical information gleaned about patients for underwriting purposes from medical databases is regulated. But medical information gleaned about patients for underwriting purposes from, for example, marketing lists containing robust patient information may be unregulated if the law is not clarified in the regulatory process. The World Privacy Forum urged HHS and the Department of Labor to substantially clarify what constitutes "incidental collection," and urged the agencies to consider lists containing identifiable patient information to be considered in the same category as a "medical database."
Genetic privacy -- The World Privacy Forum presented a talk at the World Congress in Washington D.C. today on the intersection between genetic privacy and marketing, and on genetic issues and medical identity theft. The presentation exposed the list marketing activities surrounding health care data, and examined how the current loopholes in the recently passed Genetic Information Nondiscrimination Act (GINA) would not necessarily ease issues with incidental collection and use of genetic information.
HITSP -- World Privacy Forum executive director Pam Dixon was elected to be the consumer representative on the HITSP board (Health Information Technology Standards Panel). HITSP is a national standards-setting body that is part of ANSI (The American National Standards Institute) and is working on specifications and standards for the National Health Information Network. The term will begin in January of 2009.
Telemarketing | Top Ten Opt Out List -- Beginning today, pre-recorded telemarketing phone calls must come with an easy opt-out for consumers. If a pre-recorded telemarketing call is left on an answering machine, it must also include opt-out information. These rules will apply to telemarketers already subject to the Federal Trade Commission's Telemarketing Sales Rule and Do Not Call List. There are some exemptions to the rule. For more details about the changes, see our Top Ten Opt Out List, which has been updated with the new information.
Human Subjects Research Protection (OHRP) -- The World Privacy Forum filed comments today with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that"nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study." OHRP will be accepting comments until Sept. 29.
National Health Information Network (NHIN) -- The National Health Information Network timeline and chronology that the World Privacy Forum maintains has been updated. Materials from the April/May public forum in Dallas are now online and linked, as are key upcoming events regarding the NHIN. Notably, in September the nine existing NHIN trial implementation projects that have been running and exchanging health data in California, North Carolina, New York, and other states are set to be demonstrated in Washington DC. These demonstrations are pivotal for the NHIN and how it takes shape going forward.
Border Crossing Information System, DHS -- The World Privacy Forum submitted public comments today to the Department of Homeland Security regarding its proposed Border Crossing Information System. The BCI system would set up a database of all border crossings via car, rail, air and other means, including collecting identifiable data on the activities of American citizens. Information collected includes biographical and other information such as name, date of birth, gender, a photograph, itinerary information, and the time and location of the border crossing. The WPF comments focus entirely on the proposed Routine Uses of the system. As currently written, the DHS proposal contains some Routine Uses that directly contravene the Privacy Act of 1974 and are illegal. Other Routine Uses are overbroad and vague, and still others contravene guidance from the Office of Management and Budget (OMB). One example of an overbroad Routine Use is Routine Use J, which will allow DHS to release data collected for the Border Crossing Information System for hiring decisions or contract awards. This information may be requested by Federal, state, local, tribal, foreign, or international agencies. Another Routine Use, G, impermissibly duplicates and weakens the Privacy Act's condition of requirement for notice when information is disclosed in certain circumstances.
Privacy and the class of 2012 -- Each year Beloit College publishes a "Mindset List" to share incoming college students' rapidly changing cultural frames of reference with the faculty. For the class of 2012, several privacy-related items made the Mindset List for the first time. The list notes that these students' frames of privacy references are that "Personal privacy has always been threatened" (#43) and "Employers have always been able to do credit checks on employees" (# 39).