WPF Resource Page: Selected Agency and Public Comments

 

The World Privacy Forum submits privacy-focused public comments in accordance with our core mission to government agencies in response to relevant Notices of Proposed Rulemaking and other public requests for information.

The comments below are a curated list of public comments that WPF has submitted over the years. These comments range from genetic issues, HIPAA and other health privacy issues, RFID in passports, to Drones and many other issues. This is just a selection of exemplar comments

To see a complete list of all WPF public comments, click on the Public Comments category.

—–

Federal Aviation Administration, Commercial Drone Privacy

Comments: 23 April 2013

In comments filed with the FAA, the World Privacy Forum urged the agency to establish a robust privacy committee to focus on drone privacy and to clarify the applicability of the Privacy Act of 1974 to UAS test site operators. WPF also requested the FAA conduct mandatory Privacy Impact Assessments and provide a FIPS-compliant privacy notice. “We have offered our comments to the FAA with the acknowledgement that everyone has much to learn in the area of commercial drone privacy. Our suggestions to the FAA seek to increase general knowledge about drones and their effect on privacy,” said Pam Dixon.

Download the comments (PDF)

Read the comments

 

Presidential Commission for the Study of Bioethical Issues

Comments: 15 May 2012

WPF submitted these public comments in response to a request for comments at 77 Federal Register 18247 on the ethical issues raised by the ready availability of large-scale human genome sequence data, with regard to privacy and data access and the balancing of individual and societal interests.

In these comments , WPF wrote about privacy and identifiability, certificates of confidentiality, and choice and consent in relationship to genomic research. The comments noted that increasing identifiability of genetic data presents major privacy issues for research activities that must be acknowledged and addressed. The World Privacy Forum strongly believes that genomic sequences must be treated as identifiable today.

Download the comments (PDF)

Read the comments

 

Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing

Comments: 19 December 2007

The World Privacy Forum filed extensive comments with the Secretary’s Advisory Committee on Genetics, Health and Society (SACGHS) regarding its draft report on genetic testing oversight, U.S. System of Oversight of Genetic Testing: A Response to the Charge of the Secretary of HHS. The World Privacy Forum requested SACGHS pay more attention in its final report to the privacy consequences of unregulated genetic testing that occurs outside the health care sector. The WPF comments note that current and proposed remedies for the misuse of genetic information tend to focus on the use of the information within the health care treatment, payment, and insurance systems. What is crucially important is to analyze how to protect genetic information in the realm of commercial collection, maintenance, use and disclosures. Another area the comments discuss is the potential for new forms of fraudulent activity related to genetic testing (Phantom genetic testing, that is, genetic tests marketed to consumers that are not even real or viable genetic tests.) The World Privacy Forum specifically recommended that the National Committee on Vital and Health Statistics be tasked with looking at this matter, that an independent pre-market assessment mechanism is created for genetic tests offered outside the clinical setting, and that privacy be expressly discussed in the overarching recommendations in the final report.

Download the comments (PDF)

Read the comments

 

Centers for Medicare and Medicaid Services (CMS) System of Records Notice regarding substantive changes to the Medicare database release policy

Comments: 12 October 2007

The World Privacy Forum filed extensive pubic comments on the substantive changes to the Medicare database release policy that the Centers for Medicare and Medicaid Services (CMS) has proposed in a System of Records Notice. As it currently stands, CMS is planning to release the individually identifiable protected health information of patients in the Medicare database to third parties in some circumstances. CMS has not established strong enough checks and controls on its release policy, and it has not explained how it is able to do this under HIPAA. The comments state that CMS has an obligation to explain how each routine use in its new policy is consistent with the authority in the HIPAA privacy rule. If a routine use allows disclosures that are broader than those permitted by HIPAA, then the routine use must be narrowed so that it is consistent with HIPAA. The comments also note that nothing in the CMS notice discusses substance abuse rules and other legal restrictions of the protected health data. The World Privacy Forum asked CMS to specify that the qualifications of any data aggregators who may potentially receive the data exclude any entity that sells other consumer data for any general business, credit, identification, or marketing purpose.

Download the comments (PDF)

Read the comments

 

Federal Trade Commission

Comments: November 2007 Do Not Track (Origin of DNT)

The World Privacy Forum led a collection of national civil liberties, consumer, and privacy groups in creating a consensus document regarding Do Not Track protections in the behavioral advertising sector. The document is directed toward the Federal Trade Commission, and urges the FTC to take proactive steps to adequately protect consumers as online and other forms of behavioral tracking and targeting become more ubiquitous. The consensus document was filed with the Secretary of the FTC and its commissioners. Behavioral advertising is the focus of the FTC’s eHavioral Advertising Town Hall meeting taking place November 1-2 in Washington, D.C. The network advertising sector has a self-regulatory plan, the Network Advertising Initiative, in place, and has had this plan in place since 2000. The consensus document addresses the many areas where the NAI plan has failed to protect consumers.

Download the consensus document (PDF)

Read the consensus document

 

AHRQ Joint Comments …..World Privacy Forum and EFF submit comments on AHRQ plan for national healthcare database

Comments: 23 August 2007

In June, the Agency for Healthcare Research and Quality (AHRQ) published a request for information about its plan to create a “public/private” national database of healthcare information tentatively called the “National Health Data Stewardship entity.” WPF and EFF raised questions about ownership and management of the proposed database (Would this database fall under HIPAA? Would it fall under the Privacy Act of 1974?), questions about identifiability of patients in the database, and suggested that a full-time, independent privacy officer should be established for the program from the inception of the planning stages. The comments also discussed the numerous questions relating to data security (including medical identity theft) and data quality, as well as consent, access, and opt-out procedures for patients that the proposed national database raises.Download a PDF of the comments here:

Download the joint comments (PDF)

Read the joint comments

 

iPledge Program / FDA ….. World Privacy Forum testifies at FDA advisory committee hearing on the iPledge program; requests attention to privacy issues

Comments: 01 August 2007

The World Privacy Forum testified before the Dermatologic and Ophthalmic Drugs Advisory Committee and the Drug Safety and Risk Management Advisory Committee of the Food and Drug Administration regarding privacy issues related to iPledge, a mandatory program for patients taking the drug Accutane or isotretinoin generics. The FDA has stated that the program, which it requires four drug manufacturers to have in place, does not fall under HIPAA. The program collects substantive amounts of patient information. The Forum urged the FDA to set privacy standards for all RiskMAPs in general, and to resolve privacy issues in the iPledge program specifically. The Forum requested that all marketing provisions of the iPledge program privacy policy be removed, that patients be expressly informed the program does not fall under HIPAA, and that patients be given a printed copy of the iPledge program privacy policy, among other requests.

Download the written testimony (PDF)

Read the written testimony

 

FDA privacy standards – RiskMAPs…..Testimony… The FDA needs to set privacy standards to protect patients in drug risk programs

Comments: 10 July 2007

World Privacy Forum executive director Pam Dixon testified at an FDA/AHRQ joint public workshop about the need for the FDA to set robust privacy standards for drug risk minimization programs, which are put in place for drugs the FDA has determined to be high risk in some way. Drug risk minimization programs (like the iPledge program for the acne drug Accutane) are not typically covered by HIPAA, and some programs have a privacy policy that allows marketing use of patient information collected as part of the risk program. This kind of marketing activity would not be allowable if the programs fell under HIPAA, and Dixon’s testimony stated that patients in these programs should have the same kinds of privacy protections as HIPAA covered programs, and that marketing activities involving patient information should not be allowable in these programs.

Download the testimony (PDF)

Read the testimony

 

NIH….World Privacy Forum files public comments and recommendations on pharmacogenomics privacy (PGx Research)

Comments: 24 May 2007

The World Privacy Forum believes that the capability of identifying individuals from subsets of genetic information will expand greatly in the future. In public comments filed with the National Institutes of Health on pharmacogenomics (PGx) research, or research using genetic information to create highly personalized medicine, the World Privacy Forum recommended that all research activities that involve any type of patient-specific genetic information be required to have certificates of confidentiality, whether that information appears identifiable or not. The WPF also urged the NIH to require strong data use agreements to protect individuals’ privacy. The WPF also urged NIH and the Department of Health and Human Services to reinstate the position of “privacy advocate” so as to provide oversight in this area.

Download the comments (PDF)

Read the comments

 

Medicare Part D CMS Medicare Part D Data Activities

Comments: 14 December 2006

In comments filed with the Centers for Medicare and Medicaid Services, the World Privacy Forum requested that CMS give effect to data restrictions that Congress has expressly included in the law. WPF also requested that CMS include in its standard agreements for use of CMS data a requirement that the recipient obtain a certification of confidentiality for all identifiable CMS data. WPF also requested that CMS perform a regulatory impact analysis and publish a system of records notice.

Download the comments (PDF)

Read the comments

 

Comments to National Institutes of Health regarding its Request for Information for Genome Wide Association Studies repository policy.

Comments: 29 October 2006

Genome-wide association studies present complex and challenging privacy issues. The National Institutes of Health, in a published request for information, asked for public comment on its proposed policy regarding its support and management of a central genomic repository for genome-wide association studies. In comments filed with the National Institutes of Health, the World Privacy Forum raised concerns about the proposed NIH policy in the specific areas of genetic identifiability, secondary uses of the genetic data, oversight, legal protections, and informed consent.

Download the comments (PDF)

Read the comments

 

Comments on draft report “Policy Issues Associated with Undertaking a Large U.S. Population Cohort Project on Genes, Environment, and Disease.

Comments: 20 July 2006

The collection of DNA material from 500,000 to 1,000,000 or more individuals as part of a large U.S. medical research project raises many challenging ethical, legal, and privacy issues. An advisory committee reporting to the Office of the Secretary of Health and Human Services ( the Secretary’s Advisory Committee on Genetics, Health and Society) has published a detailed analysis of the issues such a project would raise in a draft report. The committee’s final report and policy recommendations will be submitted to the Secretary of HHS. The World Privacy Forum has submitted public comments on the draft report; the comments include key policy recommendations. The Forum’s recommendations include the need to provide protection from compelled disclosure of information, the necessity for a full-time project privacy officer with enforcement power, and the need for a far-reaching and robust privacy policy that exceeds the requirements of HIPAA, among other recommendations.

Download the comments (PDF)

Read the comments on the web

 

Medicaid Program and State Children’s Health Insurance Program Systems Notice

Comments: 15 June 2006

The World Privacy Forum submitted comments to the Centers for Medicare & Medicaid Services requesting that it amend a Systems of Records Notice to address an oversight and address other privacy issues in the notice. The Forum requested that the system of records reference Executive Order 13181 of December 20, 2000, “To Protect the Privacy of Protected Health Information in Oversight Investigations.” The Forum also requested that the routine uses for this system of records be revised to reflect the HIPAA requirements as appropriate when the disclosures involve HIPAA records.

Download the comments (PDF)

Read the comments

 

NHIN Request for Information

Comments: 15 November 2004

The World Privacy Forum and the Electronic Frontier Foundation submitted comments in response to the U.S. government’s “Request for Information” about its plan to digitize all patient medical records and create an electronic “National Health Information Network” or NHIN. The comments urge caution in designing the NHIN and call for the government to build privacy, security, and open source technologies into the system from the beginning of the project.

Download the comments (PDF)

Read the comments

 

Department of Homeland Security

Border Crossing Information, System of Records Notice, DHS-2007-0040

Comments: 21 August 2008

The World Privacy Forum filed comments regarding DHS’s proposed Border Crossing Information system of records, finding that many of the Routine Uses proposed for the system were impermissible and illegal under the Privacy Act of 1974. The comments focus on the Routine Uses, rather than the system itself.

Download the comments (PDF)

Read the comments

 

Department of Homeland Security REAL ID

Comments: 08 May 2007 …. Joint Comments ….

The World Privacy Forum and the Electronic Frontier Foundation (EFF) filed joint comments with the Department of Homeland Security about the proposed national ID system, REAL ID. The comments discuss the substantial flaws in the proposed REAL ID system including concerns about the overall structure of the program, the cards, the databases attached to the cards, the lack of controls on “function creep,” the possibilities for discrimination, the potential for increased risk of identity theft, issues related to potential gaps in coverage for recipients on Federal programs, among other issues.

Download the comments (PDF)

Read the comments

See the EFF REAL ID pages for background about REAL ID.

 

Department of Justice

Comments: 27 November 2006

Privacy Act of 1974 Department of Justice Proposes Making Changes to Routine Uses of its Systems and Databases; World Privacy Forum Files Comments on Problematic Privacy Act Issues with the Proposed Changes

The Department of Justice published a notice proposing to update the Routine Uses of its systems and databases under the Privacy Act of 1974. The proposal was not precise enough, and was written in such a way as to allow sensitive Privacy Act systems such as the Criminal Division Witness Security File (CRM-002), the Witness Immunity Records (CRM-022), and the National Instant Criminal Background Check System (NICS, FBI-018) to be disclosed to almost anyone in certain circumstances, including to individuals working outside of law enforcement. The World Privacy Forum is requesting that the DOJ significantly tighten its language in the proposal, and to specify what individuals or entities may have access to these sensitive records, under what specific conditions. The World Privacy Forum is also requesting the DOJ republish all of its up-to-date system of records notices in their entirety immediately and at least every two years thereafter.

Read the comments (PDF)

Read the comments

 

Federal Communications Commission

Comments: 29 July, 2005

In comments filed with the Federal Communications Commission, the World Privacy Forum urged the Commission to maintain state telemarketing regulations.

Download the comments (PDF)

Read the comments

 

Federal Trade Commission

eHavioral FTC workshop

Comments: 2 November 2007

The World Privacy Forum published a report, The Network Advertising Initiative: Failing at Consumer Protection and at Self-Regulation. The report is an in-depth analysis of the history and current operations of the National Advertising Initiative (NAI) self-regulatory agreement. The NAI was created to protect consumers’ online privacy in the behavioral advertising arena. The report finds that the NAI has failed. The report discusses the failure of the NAI opt-out cookie, the uses of persistent consumer tracking technologies that go beyond cookies, such as Flash cookies, browser cache cookies, XML super cookies, and other issues. The report also discusses the practice of re-setting cookies after cookie deletion. The report gathers the details of the difficult membership history of the NAI, as well as the enforcement history of TRUSTe regarding NAI. Executive director Pam Dixon will be testifying before the FTC eHavioral Town Hall meeting Nov. 2 to discuss the findings of this report, which will be submitted to the FTC.

Download the comments (PDF)

Read the comments

 

Red Flag Rule

Comments: 18 September 2006

The World Privacy Forum filed comments with the Federal Trade Commission, the Treasury, and other federal agencies regarding the draft rule on “Red Flags” for identity theft. In its comments, the Forum requested that medical identity theft be added to several aspects and portions of the proposed joint rule. Adding medical identity theft to the proposed rule is essential to help close gaps in agency protection for consumers.

Download the comments (PDF)

Read the comments

 

National Institute of Standards and Technology

Federal ID Card Biometrics

Comments: 23 December 2004

Contactless ID cards for federal employees — WPF, EFF, Privacy Rights Clearinghouse, and PrivacyActivism called for greater attention to privacy provisions of the proposed new Federal ID card, which will be “contactless.”

Download the comments (PDF)

Read the comments

 

State Department

RFID in Passports

Comments: 04 April 2005

Extensive, joint comments with EFF and other groups regarding difficulties and issues with RFID in U.S. passports.

Download the comments (PDF)

Read the comments