Sensitive Data issues

EU: Article 29 Working Party releases Opinion on social networking sites

Social networking and EU — The Article 29 Working Party has adopted an important Opinion regarding social networking sites as of June 12. The opinion covers privacy, advertising, sensitive information, and other issues relating to online social networking. Regarding sensitive data, the Article 29 Working Party stated: “Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership or data concerning health or sex life is considered sensitive. Sensitive personal data may only be published on the Internet with the explicit consent from the data subject or if the data subject has made the data manifestly public himself.” Regarding use of sensitive data to target advertising, the Article 29 opinion stated: “The Working Party recommends not using sensitive data in behavioral advertising models, unless all legal requirements are met.” The opinion also stated that the EU Data Protection Directive generally applies to the processing of personal data by social networking services, even when their headquarters are outside of the EEA, and that social networking service providers are considered data controllers under the Data Protection Directive.

Public Comments: September 2008 – World Privacy Forum urges more attention to the protection of research study participants

Human Subjects Research Protection (OHRP) — The World Privacy Forum filed comments with the Office of Human Research Protection urging the office to do more to protect the privacy of people who are subjects of research. The comments urge the OHRP to focus more attention on providing privacy-specific training for boards overseeing research, which are often weak in knowledge about the breadth of privacy issues in research. The WPF also voiced its strong support for certificates of confidentiality for research involving human subjects, stating that “nearly all research that involves identifiable health data or other personal data about individuals should have a certificate of confidentiality unless a researcher can state a substantive reason why a certificate is not appropriate for the study.”

WPF Consumer Advisory: The Potential Privacy Risks in Personal Health Records Every Consumer Needs to Know About

Consumer advisory | PHRs and privacy — The World Privacy Forum has issued a consumer advisory about the privacy of PHRs to help consumers understand and approach the complex privacy issues PHRs can raise. Consumers need to know that not all PHRs protect privacy in the same way, and some PHR systems can undermine consumer privacy in serious ways that consumers may not be expecting.

World Privacy Forum files public comments regarding oversight of genetic testing; warns about the privacy risks related to unregulated commercial genetic tests and the need to prevent phantom genetic tests from becoming a new business model for fraudsters

Genetic privacy | SACGHS — The World Privacy Forum filed extensive comments with the Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (Phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests.) The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.

World Privacy Forum requests that the new National Disaster Medical System protect all patient information to standards at least equal to HIPAA

National Disaster Medical System | Privacy Act of 1974 — The World Privacy Forum has filed public comments with the Department of Health and Human Services requesting that its new National Disaster Medical System protect all patient information to at least the baseline protections that HIPAA affords, including the HIPAA security and privacy protections. Currently, the new system does not do this, even though the system is housed at HHS, the agency which promulgated the HIPAA standards. The National Disaster Medical System currently contains overbroad routine uses which could potentially result in significant privacy and even public health issues. For example, public health information will not be able to be disclosed under the National Disaster Medical System as the system is currently organized. Additionally, some of the current routine uses in the system would authorize disclosures that would be illegal under HIPAA. For example, Congressional disclosure of a HIPAA record requires a written authorization, something the new system does not require.