WPF Resource Page: Selected Agency and Public Comments
The World Privacy Forum submits privacy-focused public comments in accordance with our core mission to government agencies in response to relevant Notices of Proposed Rulemaking and other public requests for information.
The comments below are a curated list of public comments that WPF has submitted over the years. These comments range from genetic issues, HIPAA and other health privacy issues, and RFID in passports to drones and many other issues. This is just a selection of exemplar comments.
To see a complete list of all WPF public comments, click on the Public Comments category.
Federal Aviation Administration, Commercial Drone Privacy
Comments: 23 April 2013
In comments filed with the FAA, the World Privacy Forum urged the agency to establish a robust privacy committee to focus on drone privacy and to clarify the applicability of the Privacy Act of 1974 to UAS test site operators. WPF also requested the FAA conduct mandatory Privacy Impact Assessments and provide a FIPS-compliant privacy notice. “We have offered our comments to the FAA with the acknowledgement that everyone has much to learn in the area of commercial drone privacy. Our suggestions to the FAA seek to increase general knowledge about drones and their effect on privacy,” said Pam Dixon.
Presidential Commission for the Study of Bioethical Issues
Comments: 15 May 2012
WPF submitted these public comments in response to a request for comments at 77 Federal Register 18247 on the ethical issues raised by the ready availability of large-scale human genome sequence data, with regard to privacy and data access and the balancing of individual and societal interests.
In these comments, WPF wrote about privacy and identifiability, certificates of confidentiality, and choice and consent in relationship to genomic research. The comments noted that increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed. The World Privacy Forum strongly believes that genomic sequences must be treated as identifiable today.
Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing
Comments: 19 December 2007
The World Privacy Forum filed extensive comments with the Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests). The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism be created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.
Centers for Medicare and Medicaid Services (CMS) System of Records Notice regarding substantive changes to the Medicare database release policy
Comments: 12 October 2007
The World Privacy Forum filed extensive public comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.
Federal Trade Commission
Comments: November 2007 Do Not Track (Origin of DNT)
The World Privacy Forum led a collection of national civil liberties, consumer, and privacy groups in creating a consensus document regarding Do Not Track protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC’s eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.
AHRQ Joint Comments: World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database
Comments: 23 August 2007
In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a “public/private” national database of healthcare information tentatively called the “National Health Data Stewardship entity.” WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.
iPledge Program / FDA: World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues
Comments: 01 August 2007
FDA privacy standards – RiskMAPs (Testimony): The FDA needs to set privacy standards to protect patients in drug risk programs
Comments: 10 July 2007
NIH: World Privacy Forum files public comments and recommendations on pharmacogenomics privacy (PGx Research)
Comments: 24 May 2007
The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals’ privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of “privacy advocate” so as to provide oversight in this area.
Medicare Part D CMS Medicare Part D Data Activities
Comments: 14 December 2006
In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.
Comments to National Institutes of Health regarding its Request for Information for Genome Wide Association Studies repository policy.
Comments: 29 October 2006
Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.
Comments on draft report “Policy Issues Associated with Undertaking a Large U.S. Population Cohort Project on Genes, Environment, and Disease.”
Comments: 20 July 2006
Medicaid Program and State Children’s Health Insurance Program Systems Notice
Comments: 15 June 2006
The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues in the notice. The Forum requested that the system of records reference Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses for this system of records be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records.
NHIN Request for Information
Comments: 15 November 2004
The World Privacy Forum and the Electronic Frontier Foundation submitted comments in response to the U.S. government’s “Request for Information” about its plan to digitize all patient medical records and create an electronic “National Health Information Network” or NHIN. The comments urge caution in designing the NHIN and call for the government to build privacy, security, and open source technologies into the system from the beginning of the project.
Department of Homeland Security
Border Crossing Information, System of Records Notice, DHS-2007-0040
Comments: 21 August 2008
The World Privacy Forum filed comments regarding DHS’s proposed Border Crossing Information system of records, finding that many of the Routine Uses proposed for the system were impermissible and illegal under the Privacy Act of 1974. The comments focus on the Routine Uses, rather than the system itself.
Department of Homeland Security REAL ID
Comments: 08 May 2007 (Joint Comments)
The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on “function creep,” the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues.
See the EFF REAL ID pages for background about REAL ID.
Department of Justice
Comments: 27 November 2006
Privacy Act of 1974 Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes
The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal and specify what individuals or entities may have access to these sensitive records, and under what specific conditions. The World Privacy Forum is also requesting that the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter.
Federal Communications Commission
Comments: 29 July 2005
In comments filed with the Federal Communications Commission, the World Privacy Forum urged the Commission to maintain state telemarketing regulations.
Federal Trade Commission
eHavioral FTC workshop
Comments: 2 November 2007
The World Privacy Forum published a report, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the Network Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers’ online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI. Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.
Red Flag Rule
Comments: 18 September 2006
The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies regarding the draft rule on “Red Flags” for identity theft. In its comments, the Forum requested that medical identity theft be added to several aspects and portions of the proposed joint rule. Adding medical identity theft to the proposed rule is essential to help close gaps in agency protection for consumers.
National Institute of Standards and Technology
Federal ID Card Biometrics
Comments: 23 December 2004
Contactless ID cards for federal employees — WPF, EFF, Privacy Rights Clearinghouse, and PrivacyActivism called for greater attention to privacy provisions of the proposed new Federal ID card, which will be “contactless.”
RFID in Passports
Comments: 04 April 2005
Extensive, joint comments with EFF and other groups regarding difficulties and issues with RFID in U.S. passports.