Privacy and Missing Persons in Natural Disasters
Missing Persons Community of Interest
Workshop, Washington, DC, October 15, 2012
Team Leaders
Joel R. Reidenberg Stanley D. and Nikki Waxberg Chair Founding Academic Director, CLIP Fordham University School of Law
Jamela Debelak Executive Director, Fordham CLIP
Senior Fellow / Lead Author
Robert Gellman, Privacy and Information Policy Consultant
Technical Consultant
Tim Schwartz
Project Fellows
Adam Elewa JD candidate, Fordham
Nancy Liu JD candidate, Fordham
Report Sponsors
Woodrow Wilson Center
Edward M. Stroz
Stroz Friedberg
Goals for the Report
• Assist MPCI and those involved in privacy policy with respect to MP activities
• Identify and analyze major privacy issues related to information systems associated with missing persons in natural disasters
• Outline several options for addressing privacy needs, regulation and policy
• Focus on US and EU law
Brief introduction to privacy
• Varying national laws, no universal agreement
• Information privacy / data protection
• Fair Information Practice Standards (FIPS)
• Basic principles:
  • collection limitation
  • data quality
  • purpose specification
  • use limitation
  • security
  • openness
  • individual participation
  • accountability
Legal context
• EU Directive 95/46/EC
• EU Data Protection Authorities
• US Law
  • Privacy Act of 1974
  • Children’s Online Privacy Protection Act
  • Gramm-Leach-Bliley Act
  • HIPAA privacy and security rules
• US Federal Trade Commission
Key definitions, attributes and privacy aspects in the disaster relief context
“Missing Person”
“Disaster”
“Personal information” / “Personal Data”
“Data Controller” / “Record Keeper”
“Data Subjects”
“Processing”
Some trade-offs/balances
• Accessibility of data / data subject consent
• Accessibility of data / security
• Duration of crisis / duration of data storage
• Authentication of submitters / use & security of profile
• Data architecture: push / pull
Issues from Recent Experiences: Australia, Canada, New Zealand, USA
• 2004 Boxing Day Tsunami
  • Australian Privacy Act reform
  • Canadian interpretive guidance
• 2011 Christchurch Earthquake
  • New Zealand DPA issues Temporary Code
• 2005 Hurricane Katrina
  • HHS Secretary declares public health emergency and waives HIPAA sanctions
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation
– US: Law applies only to some types of controllers, and which law applies depends on the type of controller (e.g. health care – HIPAA, government agency – Privacy Act)
– EU: Law applies to any organization maintaining MP data, conducting online searches, or offering search forms for third-party data. Law imposes data export restrictions
– Choice of law problem
Collection, Purpose Specification, and Use Limitations
– US: Few legal restrictions (exceptions: Privacy Act disclosure limitations, HIPAA disclosure limitations, but disaster-context exceptions to the exceptions)
– EU: Strict legal limitations. Generally data subject consent is required, but exceptions apply where processing is necessary for ‘protecting the vital interests of the data subject’ or for ‘tasks carried out in the public interest’
Notice, Access, Correction and Consent
– US: No uniform rights. If data is held by a government agency, the Privacy Act accords rights. HIPAA accords rights if data is held by health care providers/insurers; the individual’s authorization is always a valid legal basis for disclosure
– EU: Comprehensive legal rights. Complex to apply where the data submitter is not the data subject
Sensitive data (health, race, ethnicity, religion, politics)
– US: Law does not define sensitive data as such.
– EU: Law defines categories and requires special protections that vary by country. Processing allowed when the data subject is physically or legally incapable of consent, or to protect the vital interests of the data subject
Export controls
– US: None
– EU: Data exports only permitted to countries deemed privacy “adequate”. US is a problem. Safe Harbor agreement and contractual provisions can be used to satisfy the requirements for MP activities. Consent is unlikely to be helpful.
Options for Organizations
Missing Persons Community of Interest
• Assist in privacy-friendly design choices
• Coordinate privacy policies of collaborating organizations
• Work with DPAs and government agencies to address MP privacy issues
• Be prepared if MPCI had a direct role in processing
• Develop a privacy policy for MPCI
Options for Organizations
Missing Person Organizations
• Assure legal compliance
• Take responsibility for privacy policy
• Coordinate privacy policies, to the extent practicable
• Share interpretations and guidance
Options for Policy-Makers
Data Protection Authorities
• Review domestic DP and privacy laws
• Check preparation and consider administrative steps in advance
• Provide advance guidance on operation of DP law in natural disasters
• Issue DP response to missing persons/natural disaster activities
• Provide interpretative guidance on legitimate processing, sensitive information, exports
Options for Policy-Makers
Article 29 Working Party
• Issue interpretative guidance on legitimate processing, sensitive information and export controls
Options for Policy-Makers
EU Commission
• Address missing persons and disaster activities in the proposed regulation
• Provide more specific direction on disaster and missing persons activities
Options for Policy-Makers
United States
• Authorize missing persons/disaster disclosures using Executive Branch authority
• Amend the Privacy Act of 1974 to allow disclosures following natural disasters
Conclusion