TACD -- The World Privacy Forum participated in the Trans Atlantic Consumer Dialogue meetings in Brussels this June, and is pleased to announce that WPF is now a full member of the TACD. The TACD is a network of 80 EU and U.S. consumer organizations that develop joint consumer policy recommendations for the EU and U.S. in an effort to promote the consumer interest in transatlantic policymaking.
Data Breach of Health Records - FTC -- The World Privacy Forum filed extensive comments with the Federal Trade Commission today regarding its notice of proposed rulemaking for data breaches of information containing actual health care information or health care-related information. The FTC rulemaking will apply to a variety of record holders, especially vendors of personal health records. The Forum supported much of the FTC's proposed rulemaking, finding the rulemaking generally thoughtful and careful. In some areas, the Forum urged the FTC to narrow and further define and strengthen the proposed rule. The World Privacy Forum urged the FTC to tighten language around scope, the definition of "personal health record," law enforcement delays of consumer notification, and urged the FTC to further clarify the definition of what falls under the category of "de-identified data." Citing the research of Dr. LaTanya Sweeney and others, the Forum urged the FTC to require commercial companies and others holding health care data that has been partially de-identified to still report those breaches to the FTC and the public, and to monitor for re-identification.
The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.
Public comments re: health data breaches -- The World Privacy Forum filed comments with the Department of Health and Human Services today regarding the HITECH Act guidance that HHS published along with a request for comments. The Forum urged the Department to tighten its proposed guidance, and to add more protections, oversight, and rules for "limited data set" breaches.
World Privacy Forum information and materials on Genetic Privacy.
Information about job search privacy issues.
This guide to online job sites is a list of the top job searching sites online. This list gives information about the privacy practices at each site. Because resumes contain such detailed personal and professional information, it is well worth caring about how job search sites handle privacy issues. This guide is updated monthly, and we add new information to the guide monthly.
Job Search Privacy -- The World Privacy Forum's popular and long-standing Job Searcher's Guide has been completely updated. We have a site-by-site comparison of the privacy practices of online job search sites. This guide was originally posted in 2003, and has been updated regularly. This was a major update of this resource. The World Privacy Forum publishes extensive job search privacy resources in addition to the Guide, including a very popular guide to resume posting privacy.
Consumer resource -- We have updated the World Privacy Forum's state-by-state guide on how to place a credit, or security, freeze. Only a few states are lacking a security or credit freeze law now.
Genetic Privacy | GINA -- The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loopholes in consumer protection in the proposed regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way so as to prevent information leakage through billing and other activities.
The World Privacy Forum filed comments on the proposed regulations on the Genetic Information NonDiscrimination Act, or GINA. The comments request that the Equal Opportunity Employment Commission close down several potential loophole in consumer protection in the regulations. The Forum specifically asked the EEOC to consider curtailing the amount of commercially available information employers could access about employees, for example, through marketing databases. WPF also requested that those covered under GINA be required to maintain audit trails in certain circumstances, and urged that wellness programs be structured in such a way as to prevent information leakage through billing and other activities.
Data broker opt out issue -- The World Privacy Forum sent a letter to the Federal Trade Commission asking it to look into four companies offering online consumers the ability to opt out, then asking those consumers to use a variety of postal-mail-based methods to do so.
The Commission has laid down specific examples of what constitutes unreasonable opt- out procedures, particularly in its Affiliate Marketing Rule, which describes three distinct types of opt-out methods the Commission considers to be unreasonable. Some companies are ignoring the standards the Commission has set, and are requiring consumers whom they have notified online of an opt-out opportunity to then use paper and postal mail processes to accomplish the opt out.
New Health Privacy Resource -- The Patient's Guide to HIPAA is the first comprehensive guide to medical privacy written expressly for patients with a practical eye as to how to use the law to protect privacy. It is a major privacy resource for patients, written directly and without legalese. The ...
“This guide is not just a retread of what HIPAA is and does,” said Pam Dixon, executive director of the World Privacy Forum. “Our guide gives patients practical details and strategies on how they can use the law to protect their privacy and navigate the medical system. Best of all, it is easy to use.”
CVS Caremark | FTC proposed consent agreement -- The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach.
Resource -- A substantial new resource for individuals seeking to research California laws and regulations regarding health information has come online. The CHILI database is a project of the California Office of Health Information Integrity, and has interfaced with the California Privacy and Security Advisory Board, which the World Privacy Forum co-chairs. The CHILI database can be searched by HIPAA section, California Code section, California health information law keywords, or by statutory scheme.
The World Privacy Forum filed comments with the Federal Trade Commission in response to its proposed consent agreement with the CVS Caremark pharmacy chain. The proposed agreement is in resonse to a CVS data breach. The agreement does not impose a monetary penalty on CVS, and does not provide remedies for consumers affected by the data breach. The World Privacy Forum urged the FTC to reconsider the agreement.
This is an annotated timeline documenting the activities of the National Health Information Network. Related documents, when available, are linked. Additional source documents follow the timeline.
The National Health Information Network (NHIN) is an ambitious modernization plan proposed by the U.S. government. The idea is to move as an entire nation from paper medical files to electronic medical files that are shared. Specifically, the government goal is to digitize patients' health records and medical files and create a national network to place the information in. The network, called the NHIN, would be a sophisticated network that hospitals, insurers, doctors, and others could potentially access. Such a network brings patient privacy, security, and confidentiality issues into sharp relief.
Tips for consumers: Read the Terms of Service before placing any information in the cloud. If you don’t understand the Terms of Service, consider using a different cloud provider. Don’t put anything in the cloud you would not want the government or a private litigant to see.
WPF report announcement -- The World Privacy Forum's newest report examines the privacy and confidentiality issues of cloud computing that have been largely overlooked to date. It is a thorough analysis with policy findings. Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing was written by Robert Gellman for the World Privacy Forum. Cloud computing tips for consumers and business are also available.
Risks to Privacy and Confidentiality from Cloud Computing
Cloud computing has significant implications for the privacy of personal information as well as for the confidentiality of business and governmental information. A principal goal of this analysis is to identify privacy and confidentiality issues that may be of interest or concern to cloud computing participants. While the storage of user data on remote servers is not new, current emphasis on and expansion of cloud computing warrants a more careful look at its actual and potential privacy and confidentiality consequences.
The United States has several privacy laws applicable to particular types of records or businesses. Some of these laws establish privacy standards that have bearing on a decision by a business to use a cloud provider. Others laws do not. Some laws specifically allow a business to share personal information with another company that provides support services to the business. Specific statutory references to the use of a service provider have no apparent pattern in privacy laws. Some privacy laws have them; some do not.