“Privacy in America: Your Role as Guardians of the Public’s Data”
Professor Peter P. Swire
Moritz College of Law
The Ohio State University
Ohio Digital Government Summit
October 1, 2008

Theme for Today
• You are the guardians of the public’s personal data
• The systems you create will enable E-government, democracy, public services
• The systems should do it in a way that ensures the public’s privacy and security
• It is a proud responsibility to build these systems for the benefit of our fellow citizens

Overview
• My background
• You are the guardians:
• HIPAA: why privacy & security matter
• Public records: don’t cause theft
• Data breach: the most important current regulation on data holders
• Privacy Impact Assessments: being thoughtful about data uses
• Big privacy issues today
• What McCain & Obama have said on privacy

Swire Background
• Now Ohio State law professor, live in D.C.
• Active in many privacy & security activities
• Senior Fellow, Center for American Progress
• Chief Counselor for Privacy, 1999-2001
• U.S. Office of Management & Budget
• WH coordinator, HIPAA privacy rule
• Public records & privacy
• Federal government’s own data
• Computer security
• Other: financial, Internet, national security & FISA

Background
• Since 2001:
• Many writings and presentations
• www.peterswire.net
• www.americanprogress.org
• “Privacy Year in Review” distributed to all members of the International Association of Privacy Professionals
• Lead author of book that is official study guide for Certified Information Privacy Professional exam

Guardians I: HIPAA
• The 1996 history
• “Administrative simplification” in Health Insurance Portability & Accountability Act
• Half the $ in medical system are federal
• No more payments by paper
• Standardized “transaction and code set” rule
• Save many billions with electronic & standardized payment formats for health care

HIPAA History
• If all health payments become electronic, what would happen to privacy & security?
• No previous federal standards for health privacy & security
• Congress said should build privacy & security in at the same time as shift to electronic payments

HIPAA History
• Congress didn’t pass legislation
• HHS proposed rule in 1999
• Over 53,000 public comments
• Final rule December, 2000
• Bush Administration modest changes 2002
• In effect since 2003

Lessons from HIPAA
• Privacy & security should be built in to new IT systems
• Patching later won’t work as well, often won’t happen & will cost a lot more
• HIPAA far from perfect
• Implementation & guidance budget cut way back from original plans
• Significant success to date & clearly better than not having these protections in place

Next in Health Care
• Electronic health records (EHRs)
• How to connect providers into a National Health Information Network
• Personal health records (PHRs)
• Individuals/families manage health records the way they do personal finances
• Microsoft HealthVault, Google Health, Dossia & others
• How to build privacy & security into these?

Guardians II: Public Records
• Strong Ohio tradition of open public records
• Freedom of information & transparency lead to better government, lower costs for citizens to get information & many other benefits
• Not every record should become public
• Especially records that can lead to theft or identity theft

Bankruptcy Study 2000
• When in White House, I helped lead a study on a federal records system – bankruptcy records
• Proposal was pending – simply put all records on line
• History of open access to these court records
• New system less expensive if simply shift to electronic

Bankruptcy Study
• Key data fields:
• Bankruptcy records contain details on financial assets, so creditors know the claims on the estate
• Bank account numbers, security brokerage account numbers, etc., and amount in each account (often $$$)
• A tempting target for pretexting
• Is it a good idea to put those up on the Internet?

Lessons on Public Records
• For data fields that lead to pretexting and identity theft, there is significant risk from simply posting to the Internet
• As Ohio has done, work through the risks of these key data fields in managing your public records
• See Swire NACO presentation, at www.peterswire.net

Guardians III: Data Breaches
• California history on data breaches
• SSNs and other personal data compromised for all/most state of California employees in 2002
• California passed the data breach law, requiring notice for breaches in both public and private sectors
• The idea swept the nation – almost all states have such laws today

Correcting a Market Failure
• Data is held by government agency or corporation
• If breach happens, the cost is mostly on the individuals whose data is put at risk
• Under-investment in protecting the data
• Could have liability on data holder for breach (currently none)
• Instead, have publicity on data holder – data breach laws

The Future of Data Breach
• Trend toward broader set of triggers for data breach
• Health care data
• Biometrics (once gone …)
• Required/encouraged encryption
• Trend toward reporting to a state authority
• Ecosystem can learn more about breaches
• A major responsibility for you as data guardians, and that will continue

Guardians IV: PIAs
• Privacy Impact Assessments
• Best practice for feds by 2000
• Required for new federal IT systems in E-Government Act of 2002
• Ohio & HB 46, § 125.18 Ohio Revised Code
• New requirement of Privacy Impact Assessments

PIAs for Cities & Counties
• PIA process for federal and state, now
• Emerging best practice for government at all levels
• Ohio memo at http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
• The HIPAA lesson – build it right from the start for privacy and security

August 13 Memo on State PIAs
• Edmondson memo requiring state of Ohio agencies to do privacy assessments
• Privacy Threshold Analysis (and then PIA, as needed):
• When use information technology to collect new information
• When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or
• When agencies conduct ad hoc queries of commercial databases containing personally identifiable information

Views of the Candidates
• McCain released privacy policy paper on Aug. 14 – on campaign site
• My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

Limited Role for Government
• For private sector data, basic approach is “self-regulation” – limited role for government
• “Government -- Government must promote a culture of personal security through consumer education initiatives, incentives for the development of secure technologies, and stronger enforcement of laws to protect our citizens, particularly children.”

Obama and Private Sector Data
• Cautious about regulation, but believes common-sense measures may be appropriate for emerging areas of concern
• Location information (cell phones)
• Electronic health records
• Social networking
• Similar to Clinton approach – act first on medical, financial, kids
• Similar contrast as the two candidates’ views on financial regulation

Government Surveillance
• The other major privacy area concerns rules for government surveillance, for law enforcement and national security
• McCain has supported Bush approach – major focus on anti-terrorism, few stated limits on executive power, support for Patriot Act
• Obama – former constitutional law prof – has called for more checks & balances and oversight
• Obama pushed for broader FISA reform, but voted for final passage as better than not having authorities in place

Concluding Thoughts
• Guardians of the public’s data
• HIPAA – build privacy & security in from the start
• Public records – avoid theft & related harms
• Data breach – a major feature in the future
• PIAs – an expected practice from now on

Finally
• FOIA and open records are crucial values
• That said, here is a simple test about privacy:
• How would you want the records of your own family treated?
• Do you have the privacy and security practices in place that you would want for your spouse and children?
• If you meet that test, you can be proud in your role of guardian of the public trust
• Good luck in your efforts