Genetic non-discrimination regulations (GINA) — The World Privacy Forum filed comments on proposed regulations for implementing Title I of GINA, the Genetic Non-Discrimination Act. The WPF requested a change to the proposed regulations, asking the Department of Health and Human Services require immediate posting of revised notices of privacy practices on the web sites of affected health plans. Under the proposed regulations, written notice of revised privacy practices to individuals could be delayed due to the cost of postal mailing. The WPF noted that a revised privacy notice posted on a health plan’s web site would not incur postal costs, and that regulated entities should take this minimum step to inform consumers of any changes regarding privacy practices affecting genetic non-discrimination.
Congressional testimony — WPF executive director Pam Dixon testified at a joint subcommittee hearing focused on privacy and the collection and use of online and offline consumer information. Dixon’s testimony focused on the new “modern permanent record” and how it is used and created. Dixon said “The merging of offline and online data is creating highly personalized, granular profiles of consumers that affect consumers’ opportunities in the marketplace and in their lives. Consumers are largely unaware of these profiles and their consequences, and they have insufficient legal rights to change things even if they did know.” The testimony explored concrete examples of problematic consumer profiling activities.
FTC Privacy Roundtable — The World Privacy Forum filed comments last week for the FTC Privacy Roundtables, the first of which will be held December 7, 2009. The WPF comments urged the FTC to consider the Fair Credit Reporting Act as a key privacy model to apply to additional areas, to use the full version of Fair Information Practices, and discussed how a rights-based framework was the key to advancing consumers’ interests. The comments discussed list brokers at length, and explained how even the most informationally cautious consumer will land on numerous marketing lists and databases. The WPF comments noted that not all marketing lists are used to target ads to consumers; some lists and databases are used to deny consumers goods and services. The comments contain a detailed section on privacy frameworks, a section on direct marketing, and an appendix with supporting information.
Data Breach | HHS HITECH Breach Notification — The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
A credit freeze (sometimes called a security freeze) lets you stop the disclosure of your credit report by a credit bureau. Currently, the three credit bureaus are allowing all consumers nationwide to set a security freeze for a fee. Some states have specific security freeze laws; a list of states with security freeze laws may be found below. However, even if you live in a state without a security freeze law, you can still set a security freeze.