““Privacy in America: Your Role Privacy in America: Your Role as Guardians of the Public’s as Guardians of the Public’s

Data”Data”

Professor Peter P. SwireProfessor Peter P. Swire

Moritz College of LawMoritz College of Law

The Ohio State UniversityThe Ohio State University

Ohio Digital Government SummitOhio Digital Government Summit

October 1, 2008October 1, 2008

Theme for TodayTheme for Today

You are the guardians of the public’s personal You are the guardians of the public’s personal datadata

The systems you create will enable E-The systems you create will enable E-government, democracy, public servicesgovernment, democracy, public services

The systems should do it in a way that ensures The systems should do it in a way that ensures the public’s privacy and securitythe public’s privacy and security

It is a proud responsibility to build these systems It is a proud responsibility to build these systems for the benefit of our fellow citizensfor the benefit of our fellow citizens

OverviewOverview My backgroundMy background You are the guardians:You are the guardians:

HIPAA: why privacy & security matterHIPAA: why privacy & security matter Public records: don’t cause theftPublic records: don’t cause theft Data breach: the most important current Data breach: the most important current

regulation on data holdersregulation on data holders Privacy Impact Assessments: being thoughtful Privacy Impact Assessments: being thoughtful

about data usesabout data uses Big privacy issues todayBig privacy issues today

What McCain & Obama have said on privacyWhat McCain & Obama have said on privacy

Swire BackgroundSwire Background

Now Ohio State law professor, live in D.C.Now Ohio State law professor, live in D.C. Active in many privacy & security activitiesActive in many privacy & security activities Senior Fellow, Center for American ProgressSenior Fellow, Center for American Progress

Chief Counselor for Privacy, 1999-2001Chief Counselor for Privacy, 1999-2001 U.S. Office of Management & BudgetU.S. Office of Management & Budget WH coordinator, HIPAA privacy ruleWH coordinator, HIPAA privacy rule Public records & privacyPublic records & privacy Federal government’s own dataFederal government’s own data Computer securityComputer security Other: financial, Internet, national security & FISAOther: financial, Internet, national security & FISA

BackgroundBackground

Since 2001:Since 2001: Many writings and presentationsMany writings and presentations

• www.peterswire.net• www.americanprogress.org

““Privacy Year in Review” distributed to all Privacy Year in Review” distributed to all members of the International Association of members of the International Association of Privacy ProfessionalsPrivacy Professionals

Lead author of book that is official study guide Lead author of book that is official study guide for Certified Information Privacy Professional for Certified Information Privacy Professional examexam

Guardians I: HIPAAGuardians I: HIPAA

The 1996 historyThe 1996 history ““Administrative simplification” in Health Administrative simplification” in Health

Insurance Portability & Accountability ActInsurance Portability & Accountability Act Half the $ in medical system are federalHalf the $ in medical system are federal No more payments by paperNo more payments by paper Standardized “transaction and code set” ruleStandardized “transaction and code set” rule Save many billions with electronic & Save many billions with electronic &

standardized payment formats for health carestandardized payment formats for health care

HIPAA HistoryHIPAA History

If If allall health payments become electronic, health payments become electronic, what would happen to privacy & security?what would happen to privacy & security?

No previous federal standards for health No previous federal standards for health privacy & securityprivacy & security

Congress said should build privacy & Congress said should build privacy & security in at the same time as shift to security in at the same time as shift to electronic paymentselectronic payments

HIPAA HistoryHIPAA History

Congress didn’t pass legislationCongress didn’t pass legislation HHS proposed rule in 1999HHS proposed rule in 1999 Over 53,000 public commentsOver 53,000 public comments Final rule December, 2000Final rule December, 2000 Bush Administration modest changes Bush Administration modest changes

20022002 In effect since 2003In effect since 2003

Lessons from HIPAALessons from HIPAA

Privacy & security should be built in to new Privacy & security should be built in to new IT systemsIT systems Patching later won’t work as well, often won’t Patching later won’t work as well, often won’t

happen & will cost a lot morehappen & will cost a lot more HIPAA far from perfectHIPAA far from perfect

Implementation & guidance budget cut way Implementation & guidance budget cut way back from original plansback from original plans

Significant success to date & clearly better Significant success to date & clearly better than not having these protections in placethan not having these protections in place

Next in Health CareNext in Health Care

Electronic health records (EHRs)Electronic health records (EHRs) How to connect providers into a National How to connect providers into a National

Health Information NetworkHealth Information Network Personal health records (PHRs)Personal health records (PHRs)

Individuals/families manage health records Individuals/families manage health records the way they do personal financesthe way they do personal finances

Microsoft HealthVault, Google Health, Dossia Microsoft HealthVault, Google Health, Dossia & others& others

How to build privacy & security into these?How to build privacy & security into these?

Guardians II: Public Records Guardians II: Public Records

Strong Ohio tradition of open public Strong Ohio tradition of open public recordsrecords Freedom of information & transparency lead Freedom of information & transparency lead

to better government, lower costs for citizens to better government, lower costs for citizens to get information & many other benefitsto get information & many other benefits

Not Not everyevery record should become public record should become public Especially records that can lead to theft or Especially records that can lead to theft or

identity theftidentity theft

Bankruptcy Study 2000Bankruptcy Study 2000

When in White House, I helped lead a When in White House, I helped lead a study on a federal records system – study on a federal records system – bankruptcy recordsbankruptcy records

Proposal was pending – simply put all Proposal was pending – simply put all records on linerecords on line History of open access to these court recordsHistory of open access to these court records New system less expensive if simply shift to New system less expensive if simply shift to

electronicelectronic

Bankruptcy StudyBankruptcy Study

Key data fields:Key data fields: Bankruptcy records contain details on Bankruptcy records contain details on

financial assets, so creditors know the claims financial assets, so creditors know the claims on the estateon the estate

Bank account numbers, security brokerage Bank account numbers, security brokerage account numbers, etc., and amount in each account numbers, etc., and amount in each account (often $$$)account (often $$$)

A tempting target for pretextingA tempting target for pretexting Is it a good idea to put those up on the Internet?Is it a good idea to put those up on the Internet?

Lessons on Public RecordsLessons on Public Records

For data fields that lead to pretexting and For data fields that lead to pretexting and identity theft, there is significant risk from identity theft, there is significant risk from simply posting to the Internetsimply posting to the Internet

As Ohio has done, work through the risks As Ohio has done, work through the risks of these key data fields in managing your of these key data fields in managing your public recordspublic records

See Swire NACO presentation, at See Swire NACO presentation, at www.peterswire.netwww.peterswire.net

Guardians III: Data BreachesGuardians III: Data Breaches

California history on data breachesCalifornia history on data breaches SSNs and other personal data compromised SSNs and other personal data compromised

for all/most state of California employees in for all/most state of California employees in 20022002

California passed the data breach law, California passed the data breach law, requiring notice for breaches in both public requiring notice for breaches in both public and private sectorsand private sectors

The idea swept the nation – almost all states The idea swept the nation – almost all states have such laws todayhave such laws today

Correcting a Market FailureCorrecting a Market Failure

Data is held by government agency or Data is held by government agency or corporationcorporation

If breach happens, the cost is mostly on the If breach happens, the cost is mostly on the individuals whose data is put at riskindividuals whose data is put at risk

Under-investment in protecting the dataUnder-investment in protecting the data Could have liability on data holder for breach Could have liability on data holder for breach

(currently none)(currently none) Instead, have publicity on data holder – data Instead, have publicity on data holder – data

breach lawsbreach laws

The Future of Data BreachThe Future of Data Breach

Trend toward broader set of triggers for Trend toward broader set of triggers for data breachdata breach Health care dataHealth care data Biometrics (once gone …)Biometrics (once gone …) Required/encouraged encryptionRequired/encouraged encryption

Trend toward reporting to a state authorityTrend toward reporting to a state authority Ecosystem can learn more about breachesEcosystem can learn more about breaches

A major responsibility for you as data A major responsibility for you as data guardians, and that will continueguardians, and that will continue

Guardians IV: PIAsGuardians IV: PIAs

Privacy Impact AssessmentsPrivacy Impact Assessments Best practice for feds by 2000Best practice for feds by 2000 Required for new federal IT systems in E-Required for new federal IT systems in E-

Government Act of 2002Government Act of 2002 Ohio & HB 46, § 125.18 Ohio Revised Ohio & HB 46, § 125.18 Ohio Revised

CodeCode New requirement of Privacy Impact New requirement of Privacy Impact

AssessmentsAssessments

PIAs for Cities & CountiesPIAs for Cities & Counties

PIA process for federal and state, nowPIA process for federal and state, now Emerging best practice for government at Emerging best practice for government at

all levelsall levels Ohio memo at Ohio memo at

http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf

The HIPAA lesson – build it right from the The HIPAA lesson – build it right from the start for privacy and securitystart for privacy and security

August 13 Memo on State PIAsAugust 13 Memo on State PIAs

Edmondson memo requiring state of Ohio agencies to Edmondson memo requiring state of Ohio agencies to do privacy assessmentsdo privacy assessments

Privacy Threshold Analysis (and then PIA, as needed):Privacy Threshold Analysis (and then PIA, as needed): When use information technology to collect new When use information technology to collect new

informationinformation When agencies develop, buy, or contract out for new When agencies develop, buy, or contract out for new

information technology systems to handle collections information technology systems to handle collections of personally identifiable information, or of personally identifiable information, or

When agencies conduct ad hoc queries of When agencies conduct ad hoc queries of commercial databases containing personally commercial databases containing personally identifiable information identifiable information

Views of the CandidatesViews of the Candidates

McCain released privacy policy paper on McCain released privacy policy paper on Aug. 14 – on campaign siteAug. 14 – on campaign site

My analysis, My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

Limited Role for GovernmentLimited Role for Government

For private sector data, basic approach is “self-For private sector data, basic approach is “self-regulation” – limited role for governmentregulation” – limited role for government

““Government -- Government must promote a Government -- Government must promote a culture of personal security through consumer culture of personal security through consumer education initiatives, incentives for the education initiatives, incentives for the development of secure technologies, and development of secure technologies, and stronger enforcement of laws to protect our stronger enforcement of laws to protect our citizens, particularly children.”citizens, particularly children.”

Obama and Private Sector DataObama and Private Sector Data

Cautious about regulation, but believes common-Cautious about regulation, but believes common-sense measures may be appropriate for emerging sense measures may be appropriate for emerging areas of concernareas of concern Location information (cell phones)Location information (cell phones) Electronic health recordsElectronic health records Social networkingSocial networking

Similar to Clinton approach – act first on medical, Similar to Clinton approach – act first on medical, financial, kidsfinancial, kids

Similar contrast as the two candidates’ views on Similar contrast as the two candidates’ views on financial regulationfinancial regulation

Government SurveillanceGovernment Surveillance

The other major privacy area concerns rules for The other major privacy area concerns rules for government surveillance, for law enforcement and government surveillance, for law enforcement and national security national security

McCain has supported Bush approach – major McCain has supported Bush approach – major focus on anti-terrorism, few stated limits on focus on anti-terrorism, few stated limits on executive power, support for Patriot Actexecutive power, support for Patriot Act

Obama – former constitutional law prof – has called Obama – former constitutional law prof – has called for more checks & balances and oversightfor more checks & balances and oversight Obama pushed for broader FISA reform, but Obama pushed for broader FISA reform, but

voted for final passage as better than not having voted for final passage as better than not having authorities in placeauthorities in place

Concluding ThoughtsConcluding Thoughts

Guardians of the public’s dataGuardians of the public’s data HIPAA – build privacy & security in from the HIPAA – build privacy & security in from the

startstart Public records – avoid theft & related harmsPublic records – avoid theft & related harms Data breach – a major feature in the futureData breach – a major feature in the future PIAs – an expected practice from now onPIAs – an expected practice from now on

FinallyFinally

FOIA and open records are crucial valuesFOIA and open records are crucial values That said, here is a simple test about privacy:That said, here is a simple test about privacy:

How would you want the records of your own How would you want the records of your own family treated?family treated?

Do you have the privacy and security practices Do you have the privacy and security practices in place that you would want for your spouse in place that you would want for your spouse and children?and children?

If you meet that test, you can be proud in your role If you meet that test, you can be proud in your role of guardian of the public trustof guardian of the public trust

Good luck in your effortsGood luck in your efforts