Category Archives: Privacy

Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information

Source: Government Accountability Office, GAO-08-536, May 2008

The centerpiece of the federal government’s legal framework for privacy protection, the Privacy Act of 1974, provides safeguards for information maintained by federal agencies. In addition, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments for systems or collections containing personal information.

Increasingly sophisticated ways of obtaining and using personally identifiable information have raised concerns about the adequacy of the legal framework for privacy protection. Although the Privacy Act, the E-Government Act, and related guidance from the Office of Management and Budget set minimum privacy requirements for agencies, they may not consistently protect personally identifiable information in all circumstances of its collection and use throughout the federal government and may not fully adhere to key privacy principles. Based on discussions with privacy experts, agency officials, and analysis of laws and related guidance, GAO identified issues in three major areas:

Applying privacy protections consistently to all federal collection and use of personal information.
Ensuring that collection and use of personally identifiable information is limited to a stated purpose.
Establishing effective mechanisms for informing the public about privacy protections.

Related:
Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Indentifiable Information, GAO-08-795, June 18, 2008

Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008

Center for Democracy and Technology (CDT) Urges Congress to Move This Year to Update Federal Privacy Legislation
Testimony before Senate Government Affairs Committee

REAL ID: Final Regulations

Source: Jeremy Meadows, Molly Ramsdell and Matt Sundeen, National Conference of State Legislatures, LegisBrief, Vol. 16, no. 25, June/July 2008
(subscription required)

In January, the Department of Homeland Security (DHS) issued the long-awaited final regulations on implementation of the REAL ID Act of 2005, a mere four months before the May 11, 2008, statutory implementation date. Under the act, states are required to adopt federal standards for driver’s licenses and identification cards or the federal government will not accept the licenses or identification cards for federal purposes such as boarding commercial aircraft, entering a federal building or nuclear power plant, or other purposes as determined by the secretary of Homeland Security. DHS re-estimated the cost to states of implementation at just under $4 billion over 10 years.

High-Tech Medical Records: Can electronic records transform health care?

Source: Kory Mertz and Donna Folkemer, State Legislatures, June 2008

In the middle of a legislative session, a veteran legislator from an out-county district walks into the ER near the Capitol complaining of a headache and nausea. He is handed a stack of forms to fill out. Unable to recall most of this information, he is forced to leave many fields blank, including the names of his many prescriptions. To fill in all the missing information the doctor has to run a host of tests, some very expensive. The legislator is sent home to await the test results feeling no better than when he arrived. The state foots the bill.

This is the current state of affairs in health care. Now envision this situation transformed by information technology.

The legislator enters the ER and a nurse pulls up his complete electronic health record within seconds. No forms to fill out, no prescriptions to remember. The doctor reviews the lawmaker’s record and notices that his five medications were prescribed by four different specialists. After speaking with the patient, the doctor deduces the symptoms are likely the result of a bad prescription interaction. Checking her findings with a computer system that helps make clinical decisions, the doctor prescribes an alternative medication and updates the patient’s record. The prescription is electronically sent to a pharmacy of the legislator’s choosing. No paper, no agonizing wait for the legislator and no redundant–and expensive–testing.

Former Speaker of the U.S. House of Representatives Newt Gingrich and others see health information technology (IT) as key to fixing a dysfunctional health-care system. “Health information technology is essential if we are to make any meaningful change, from reining in costs to improving the delivery of care to expanding insurance coverage. We simply cannot continue to prop up a 1950s paper-based system and expect anything to change,” says Gingrich, founder of the Center for Health Transformation.

Instant access to vital health information can save time, money and, ultimately, lives. When doctors see a patient’s complete medical history, they can make better decisions by preventing harmful drug interactions and eliminating duplicate tests or procedures. The Center for Information Technology Leadership estimates that this kind of technology would save $77.8 billion a year–or about 4 percent in a $2 trillion health system.

But moving health care into the digital age will be far from easy.

EPIC Report: “REAL ID Implementation Review: Few Benefits, Staggering Costs”

Source: Electronic Privacy Information Center

Throughout its history, the United States has rejected the idea of a national identification system. Yet, the Department of Homeland Security continues to push forward a system of identification that has been widely opposed. The REAL ID Act mandates that State driver’s licenses and ID cards follow federal technical standards and verification procedures issued by Homeland Security. REAL ID also enables tracking, surveillance, and profiling of the American public.

May 11, 2008 was the statutory deadline for implementation of the REAL ID system, but not one State is in compliance with the federal law creating a national identification system. In fact, 19 States have passed resolutions or laws rejecting the national ID program. The Department of Homeland Security has faced so many obstacles that the agency now plans an implementation deadline of 2017 — nine years later than the 2008 statutory deadline.

Homeland Security claims that it is making strides in implementing the national ID program. Homeland Security Secretary Michael Chertoff encourages the use of the REAL ID system for a wide variety of purposes unrelated to the law that authorized the system. In an opinion column written by Secretary Chertoff after the publication of the final rule in January, he said, “embracing REAL ID” would mean it would be used to “cash a check, hire a baby sitter, board a plane or engage in countless other activities.” None of these uses for the REAL ID have a legal basis. Each one creates a new risk for Americans who are already confronting the staggering problem of identity theft.

Last year, EPIC submitted detailed comments to the DHS on the draft proposal for REAL ID. With the assistance of many experts, we attempted to address the enormous challenge in the project proposal. In the following report, EPIC details the many problems with the final plan to implement this vast national identification system. The REAL ID system remains filled with threats to privacy, security and civil liberties that have not been resolved.

Full report (PDF; 450 KB)

Outbound Email and Data Loss Prevention in Today’s Enterprise, 2008

Source: Proofpoint, May 2008

From the press release:
In its fifth-annual study of outbound email and data loss prevention issues, Proofpoint, Inc. found that large enterprises continue to incur risk from–and take action against–information leaks over outbound email, as well as newer communications media such as blogs, message boards, media sharing sites and mobile devices.

41% of Large U.S. Corporations Employ Staff to Read Employee Email; 26% Terminated Employees for Email Policy Violations in the Past Year

11% Of U.S. Companies Disciplined Employees for Improper Use of Blogs/Message Boards; 13% for Social Network Violations; 14% for Improper Use of Media Sharing Sites

Consumers Union Calls For Limits on Social Security Number Use & Availability Identity Thieves Have Easy Access to Social Security Numbers Which Leaves Consumers Vulnerable to Fraud

Source: Consumer’s Union, Press release, December 11, 2007

WASHINGTON, D.C. – The widespread use and availability of Social Security numbers puts Americans at risk for identity theft and should be restricted, according to Consumers Union, nonprofit publisher of Consumer Reports.

The group urged policymakers to take action to protect consumers as part of a public forum on the issue organized by the Federal Trade Commission in conjunction with the President’s Identity Theft Task Force. Social Security numbers are particularly sensitive information because they can provide the key to unlocking a consumer’s financial identity.

See also:
H.R. 3046

REAL ID Final Rule

Source: U.S. Department of Homeland Security

From press release:
The U.S. Department of Homeland Security (DHS) announced today a final rule establishing minimum security standards for state-issued drivers’ licenses and identification cards. The rule sets uniform standards that enhance the integrity and reliability of drivers’ licenses and identification cards, strengthen issuance capabilities, and increase security at drivers’ license and identification card production facilities. The final rule also dramatically reduces state implementation costs by roughly 73 percent.

Final Rule, Part 1 (PDF, 120 pages – 4.2 MB)
Final Rule, Part 2 (PDF, 164 pages – 5.6 MB)
Privacy Impact Assessment for REAL-ID (PDF; 277 KB)

Privacy Rights Clearinghouse

Source: Privacy Rights Clearinghouse

The Privacy Rights Clearinghouse (PRC) is a nonprofit consumer organization with a two-part mission — consumer information and consumer advocacy. It was established in 1992 and is based in San Diego, California. It is primarily grant-supported and serves individuals nationwide.

The PRC’s goals are to:
•Raise consumers’ awareness of how technology affects personal privacy.
•Empower consumers to take action to control their own personal information by providing practical tips on privacy protection.
•Respond to specific privacy-related complaints from consumers, intercede on their behalf, and, when appropriate, refer them to the proper organizations for further assistance.
•Document the nature of consumers’ complaints and questions about privacy in reports, testimony, and speeches and make them available to policy makers, industry representatives, consumer advocates, and the media.
•Advocate for consumers’ privacy rights in local, state, and federal public policy proceedings, including legislative testimony, regulatory agency hearings, task forces, and study commissions as well as conferences and workshops.

Also in Spanish

RFID Technology in Workplace Raises Privacy Concerns

Source: Frederick Lane, IPMA-HR News, June 2007
(subscription required)

Will your next security badge be a small chip in your hand or forearm? Thanks to an emerging technology known as radio-frequency identification (RFID), that’s a distinct possibility. RFID is already in use in a wide range of applications, from electronic toll systems to retail inventory systems, and a number of companies are putting RFID chips on existing security badges. While there are no credible reports of companies or governmental agencies in the United States requiring their employees to get chipped, concerns about the possibility are strong enough that several state legislatures have passed or are considering legislation to outlaw the practice.

The Real ID

Source: Molly Ramsdell and Matt Sundeen, NCSL Legisbrief, Vol. 15 no. 22, April/May 2007
(subscription required)

In early March, the Department of Homeland Security (DHS) issued the long-awaited draft regulations on Real ID Act implementation. The Real ID Act of 2005 requires states to adopt federal standards for driver’s licenses and identification cards by May 11, 2008. If they do not, the federal government will not accept the driver’s licenses or identification cards for federal purposes—boarding commercial aircraft, entering a federal building or nuclear power plant, or other purposes as determined by the secretary of the Department of Homeland Security. DHS estimated the cost of implementation at $23.1 billion over 10 years; the states’ cost is $10 billion to $14 billion.
See also:
NCSL’s Countdown to Real ID
ACLU’s Real Nightmare