Privacy and missing persons

381 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
381
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
1
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Privacy and missing persons

  1. 1. Missing Persons Community of Interest Workshop Washington, DC October 15, 2012Privacy and Missing Persons in Natural Disasters
  2. 2. Team Leaders Senior Fellow / Lead Author Project Fellows Joel R. Reidenberg Robert Gellman Adam ElewaStanley D. and Nikki Waxberg Chair Privacy and Information Policy JD candidate, Fordham Founding Academic Director, CLIP Consultant Fordham University School of Law Nancy Liu JD candidate, Fordham JamelaDebelakExecutive Director, Fordham CLIP Technical Consultant Tim Schwartz
  3. 3. Report SponsorsWoodrow Wilson Center Edward M. Stroz Stroz Friedberg 3
  4. 4. Goals for the Report• Assist MPCI and those involved in privacy policy with respect to MP activities• Identify and analyze major privacy issues related to information systems associated with missing persons in natural disasters• Outline several options for addressing privacy needs, regulation and policy• Focus on US and EU law 4
  5. 5. Brief introduction to privacy• Varying national laws, no universal agreement • Information privacy / data protection• Fair Information Practice Standards (FIPS)• Basic principles: • collection limitation • data quality • purpose specification • use limitation • security • openness, • individual participation 5 • accountability
  6. 6. Legal context• EU Directive 95/46/EC• EU Data Protection Authorities• US Law • Privacy Act of 1974 • Children‟s Online Privacy Protection Act • Gramm Leach Bliley • HIPAA privacy and security rules• US Federal Trade Commission 6
  7. 7. Key definitions, attributes and privacy aspects in the disaster relief context“Missing Person” “Disaster” “Personal information”/“Personal Data” “Data Controller/Record Keeper “Data Subjects” “Processing” 7
  8. 8. Some trade-offs/balances• Accessibility of data / data subject consent• Accessibility of data / security• Duration of crisis / duration of data storage• Authentication of submitters / use & security of profile• Data architecture: push / pull 8
  9. 9. Issues from Recent Experiences:Australia, Canada, New Zealand, USA2004 Boxing Day Tsunami Australian Privacy Act reform Canadian interpretive guidance2011 Christ Church Earthquake New Zealand DPA issues Temporary Code2005 Hurricane Katrina HHS Sec‟y declares public health 9 emergency & waives HIPAA sanctions
  10. 10. Analysis of Major Privacy Issues Data Controllers and Privacy RegulationData Controllerstype of controller (e.g. health care– HIPAA, gov‟t – US: Law depends on –agency– Privacy Act) only to some types of controllers (e.g. Health US: Law applies – EU: Law applies togovernment agency– Privacy data, conducting care –HIPAA, any organization maintaining MP Act). online searches, offering search forms for 3rd party data. Law has data –export Law applies to organizations maintaining MP data, EU: restrictions offering search forms for 3rd party data, or conducting online – Choice of law problem searches. Law imposes data export restrictions – Choice of law problem 10
  11. 11. Analysis of Major Privacy Issues Data Controllers and Privacy RegulationCollection,depends on type of controller (e.g. health care– HIPAA, gov‟t – US: Law Purpose Specification, and Use Limitations –agency– Privacy Act) US: Few legal restrictions (exceptions: Privacy Act disclosure – EU: Law applies to any organization maintaining MP data, conducting limitations, HIPAA disclosure limitations, but disaster context online searches, offering search forms for 3rd party data. Law has data exceptions to the exceptions) export restrictions – EU: Strict legal limitations.Generally data subject consent is – Choice of law problem required, but exceptions if necessary for „protecting vital interests of the data subject‟ and „tasks carried out in the public interest‟ 11
  12. 12. Analysis of Major Privacy Issues Data Controllers and Privacy RegulationNotice,Law depends on type of controllerConsent care– HIPAA, gov‟t – US: Access, Correction and (e.g. health –agency– Privacy Act) rights. If data held by gov‟t agency, then US: No uniform – EU: Law appliesaccords rights. HIPAA accordsdata, conducting held Privacy Act to any organization maintaining MP rights if data by health care providers/insurers; rd party data. Law has data online searches, offering search forms for 3consent is always legal basis export restrictions for disclosures – Choice of law problem – EU: Comprehensive legal rights. Complex to apply where data submitter is not data subject 12
  13. 13. Analysis of Major Privacy Issues Data Controllers and Privacy RegulationSensitive data (health, of controller (e.g. health care– HIPAA, gov‟t – US: Law depends on type race, ethnicity, religion, politics) –agency– Privacy Act) define sensitive data as such. US: Law does not – –EU: Law applies to any organization maintaining MP data, protections EU: Law defines categories and requires special conducting 3rd party when data subject online searches, offering search forms for allowed data. Law has data that vary by country. Processing export restrictions physically or legally incapable of consent or to protect vital – Choice of law problem interests of data subject 13
  14. 14. Analysis of Major Privacy Issues Data Controllers and Privacy RegulationExportLaw depends on type of controller (e.g. health care– HIPAA, gov‟t – US: controls –agency– Privacy Act) US: None – –EU: Law applies to anyonly permitted to countries deemed privacy EU: Data exports organization maintaining MP data, conducting online searches, offeringa problem. for 3rdHarbor agreementdata “adequate”. US is search forms Safe party data. Law has and export restrictions contractual provisions can be used to satisfy for MP activities. – Choice of law problem Consent is unlikely to be helpful. 14
  15. 15. Options for OrganizationsMissing Persons Community of Interest • Assist in privacy-friendly design choices • Coordinate privacy policies of collaborating organizations • Work with DPAs and government agencies to address MP privacy issues • Be prepared if MPCI had direct role in processing • Develop privacy policy for MPCI 15
  16. 16. Options for OrganizationsMissing Person Organizations • Assure legal compliance • Take responsibility for privacy policy • Coordinate privacy policies, to extent practicable • Share interpretations and guidance 16
  17. 17. Options for Policy-MakersData Protection Authorities • Review domestic DP and privacy laws • Check preparation and consider administrative steps in advance • Provide advance guidance on operation of DP law in natural disasters • Issue DP response to missing persons/natural disaster activities • Provide interpretative guidance on legitimate processing, sensitive information, exports 17
  18. 18. Options for Policy-MakersArticle 29 Working Party • Issue interpretative guidance on legitimate processing, sensitive information and export controls 18
  19. 19. Options for Policy-MakersEU Commission • Address missing persons and disaster activities in proposed regulation • Provide more specific direction on disaster and missing persons activities 19
  20. 20. Options for Policy-MakersUnited States • Authorize missing persons/disaster disclosures using Executive Branch authority • Amend the Privacy Act of 1974 to allow disclosures following natural disasters 20
  21. 21. Conclusion 21

×