privacy and missing persons

Privacy and Missing Persons in Natural Disasters

Missing Persons Community of Interest

WorkshopWashington, DCOctober 15, 2012

Team Leaders

Joel R. Reidenberg Stanley D. and Nikki Waxberg Chair Founding Academic Director, CLIP Fordham University School of Law

Jamela Debelak Executive Director, Fordham CLIP

Senior Fellow / Lead Author

Robert Gellman Privacy and Information Policy

Consultant

Technical Consultant

Tim Schwartz

Project Fellows

Adam Elewa JD candidate, Fordham

Nancy Liu JD candidate, Fordham

3

Report Sponsors

Woodrow Wilson Center

Edward M. Stroz

Stroz Friedberg

4

Goals for the Report

• Assist MPCI and those involved in privacy policy with respect to MP activities

• Identify and analyze major privacy issues related to information systems associated with missing persons in natural disasters

• Outline several options for addressing privacy needs, regulation and policy

• Focus on US and EU law

5

Brief introduction to privacy

• Varying national laws, no universal agreement• Information privacy / data protection

• Fair Information Practice Standards (FIPS)• Basic principles:

• collection limitation• data quality• purpose specification• use limitation• security• openness, • individual participation• accountability

6

Legal context

• EU Directive 95/46/EC• EU Data Protection Authorities• US Law

• Privacy Act of 1974• Children’s Online Privacy Protection Act• Gramm Leach Bliley• HIPAA privacy and security rules

• US Federal Trade Commission

7

Key definitions, attributes and privacy aspects in the disaster relief context

“Missing Person” “Disaster”

“Personal information”/“Personal Data”

“Data Controller/Record Keeper

“Data Subjects” “Processing”

8

Some trade-offs/balances

• Accessibility of data / data subject consent• Accessibility of data / security• Duration of crisis / duration of data storage• Authentication of submitters / use & security of

profile• Data architecture: push / pull

9

Issues from Recent Experiences: Australia, Canada, New Zealand, USA

2004 Boxing Day Tsunami

Australian Privacy Act reform

Canadian interpretive guidance

2011 Christ Church Earthquake

New Zealand DPA issues Temporary Code

2005 Hurricane Katrina

HHS Sec’y declares public health emergency & waives HIPAA sanctions

10

Analysis of Major Privacy Issues

Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t

agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting

online searches, offering search forms for 3rd party data. Law has data export restrictions

– Choice of law problem

Data Controllers– US: Law applies only to some types of controllers (e.g. Health

care –HIPAA, government agency– Privacy Act). – EU: Law applies to organizations maintaining MP data,

offering search forms for 3rd party data, or conducting online searches. Law imposes data export restrictions


11






Collection, Purpose Specification, and Use Limitations– US: Few legal restrictions (exceptions: Privacy Act disclosure

limitations, HIPAA disclosure limitations, but disaster context exceptions to the exceptions)

– EU: Strict legal limitations. Generally data subject consent is required, but exceptions if necessary for ‘protecting vital interests of the data subject’ and ‘tasks carried out in the public interest’

12






Notice, Access, Correction and Consent– US: No uniform rights. If data held by gov’t agency, then

Privacy Act accords rights. HIPAA accords rights if data held by health care providers/insurers; consent is always legal basis for disclosures

– EU: Comprehensive legal rights. Complex to apply where data submitter is not data subject

13






Sensitive data (health, race, ethnicity, religion, politics)– US: Law does not define sensitive data as such.– EU: Law defines categories and requires special protections

that vary by country. Processing allowed when data subject physically or legally incapable of consent or to protect vital interests of data subject

14






Export controls– US: None– EU: Data exports only permitted to countries deemed privacy

“adequate”. US is a problem. Safe Harbor agreement and contractual provisions can be used to satisfy for MP activities. Consent is unlikely to be helpful.

15

Options for Organizations

Missing Persons Community of Interest• Assist in privacy-friendly design choices• Coordinate privacy policies of collaborating organizations• Work with DPAs and government agencies to address MP

privacy issues• Be prepared if MPCI had direct role in processing• Develop privacy policy for MPCI

16

Options for Organizations

Missing Person Organizations• Assure legal compliance• Take responsibility for privacy policy• Coordinate privacy policies, to extent practicable• Share interpretations and guidance

17

Options for Policy-Makers

Data Protection Authorities• Review domestic DP and privacy laws • Check preparation and consider administrative steps in

advance• Provide advance guidance on operation of DP law in

natural disasters• Issue DP response to missing persons/natural disaster

activities• Provide interpretative guidance on legitimate processing,

sensitive information, exports

18


Article 29 Working Party• Issue interpretative guidance on legitimate processing,

sensitive information and export controls

19


EU Commission• Address missing persons and disaster activities in

proposed regulation• Provide more specific direction on disaster and missing

persons activities

20


United States• Authorize missing persons/disaster disclosures using

Executive Branch authority• Amend the Privacy Act of 1974 to allow disclosures

following natural disasters

21

Conclusion

privacy and missing persons

Documents

offering search

health care

3rd party

agency privacy

legitimate

sensitive

law applies

law depends