Data Breach | HHS HITECH Breach Notification — The World Privacy Forum filed comments on the HHS data breach rulemaking and asked for substantive changes in several areas. In particular, WPF asked HHS to expressly state a requirement for a breach risk assessment in the final rule itself, and to set a requirement that the risk assessment must be conducted by an independent organization. The WPF also asked that HHS set breach risk assessment standards so that there is some uniformity and guidance as to what constitutes an appropriately rigorous risk assessment when a breach occurs. In the comments, WPF also discussed the relationship between medical identity theft and medical data breach and how this impacts patients and consumers.
Self regulation — The Interactive Advertising Bureau has released its self-regulatory guidelines for online advertisers. There are some bright spots in the new guidelines. In the area of sensitive information, especially regarding health privacy, the guidelines are weak and need improvement. The IAB definition of sensitive health information is weaker than the definition of sensitive information already adopted by industry in the formal NAI agreement. Additionally, the new IAB guidelines rely on weak accountability standards. WPF urges the IAB to re-examine the sensitive health definition, provide more accountability, and to include consumer input in a meaningful way into the drafting process.
Social networking and EU — The Article 29 Working Party has adopted an important Opinion regarding social networking sites as of June 12. The opinion covers privacy, advertising, sensitive information, and other issues relating to online social networking. Regarding sensitive data, the Article 29 Working Party stated: “Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life is considered sensitive. Sensitive personal data may only be published on the Internet with the explicit consent from the data subject or if the data subject has made the data manifestly public himself.” Regarding use of sensitive data to target advertising, the Article 29 opinion stated: “The Working Party recommends not using sensitive data in behavioral advertising models, unless all legal requirements are met.” The opinion also stated that the EU Data Protection Directive generally applies to the processing of personal data by social networking services, even when their headquarters are outside of the EEA, and that social networking service providers are considered data controllers under the Data Protection Directive.
Human Subjects Research Protection (OHRP) — The World Privacy Forum filed comments with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that “nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study.”
Consumer advisory | PHRs and privacy — The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.