Privacy and missing persons
-
Upload
mpcislides -
Category
Documents
-
view
243 -
download
3
description
Transcript of Privacy and missing persons
![Page 1: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/1.jpg)
Privacy and Missing Persons in Natural Disasters
Missing Persons Community of Interest
WorkshopWashington, DCOctober 15, 2012
![Page 2: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/2.jpg)
Team Leaders
Joel R. Reidenberg Stanley D. and Nikki Waxberg Chair Founding Academic Director, CLIP Fordham University School of Law
Jamela Debelak Executive Director, Fordham CLIP
Senior Fellow / Lead Author
Robert Gellman Privacy and Information Policy
Consultant
Technical Consultant
Tim Schwartz
Project Fellows
Adam Elewa JD candidate, Fordham
Nancy Liu JD candidate, Fordham
![Page 3: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/3.jpg)
3
Report Sponsors
Woodrow Wilson Center
Edward M. Stroz
Stroz Friedberg
![Page 4: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/4.jpg)
4
Goals for the Report
• Assist MPCI and those involved in privacy policy with respect to MP activities
• Identify and analyze major privacy issues related to information systems associated with missing persons in natural disasters
• Outline several options for addressing privacy needs, regulation and policy
• Focus on US and EU law
![Page 5: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/5.jpg)
5
Brief introduction to privacy
• Varying national laws, no universal agreement• Information privacy / data protection
• Fair Information Practice Standards (FIPS)• Basic principles:
• collection limitation• data quality• purpose specification• use limitation• security• openness, • individual participation• accountability
![Page 6: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/6.jpg)
6
Legal context
• EU Directive 95/46/EC• EU Data Protection Authorities• US Law
• Privacy Act of 1974• Children’s Online Privacy Protection Act• Gramm Leach Bliley• HIPAA privacy and security rules
• US Federal Trade Commission
![Page 7: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/7.jpg)
7
Key definitions, attributes and privacy aspects in the disaster relief context
“Missing Person” “Disaster”
“Personal information”/“Personal Data”
“Data Controller/Record Keeper
“Data Subjects” “Processing”
![Page 8: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/8.jpg)
8
Some trade-offs/balances
• Accessibility of data / data subject consent• Accessibility of data / security• Duration of crisis / duration of data storage• Authentication of submitters / use & security of
profile• Data architecture: push / pull
![Page 9: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/9.jpg)
9
Issues from Recent Experiences: Australia, Canada, New Zealand, USA
2004 Boxing Day Tsunami
Australian Privacy Act reform
Canadian interpretive guidance
2011 Christ Church Earthquake
New Zealand DPA issues Temporary Code
2005 Hurricane Katrina
HHS Sec’y declares public health emergency & waives HIPAA sanctions
![Page 10: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/10.jpg)
10
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t
agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting
online searches, offering search forms for 3rd party data. Law has data export restrictions
– Choice of law problem
Data Controllers– US: Law applies only to some types of controllers (e.g. Health
care –HIPAA, government agency– Privacy Act). – EU: Law applies to organizations maintaining MP data,
offering search forms for 3rd party data, or conducting online searches. Law imposes data export restrictions
– Choice of law problem
![Page 11: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/11.jpg)
11
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t
agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting
online searches, offering search forms for 3rd party data. Law has data export restrictions
– Choice of law problem
Collection, Purpose Specification, and Use Limitations– US: Few legal restrictions (exceptions: Privacy Act disclosure
limitations, HIPAA disclosure limitations, but disaster context exceptions to the exceptions)
– EU: Strict legal limitations. Generally data subject consent is required, but exceptions if necessary for ‘protecting vital interests of the data subject’ and ‘tasks carried out in the public interest’
![Page 12: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/12.jpg)
12
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t
agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting
online searches, offering search forms for 3rd party data. Law has data export restrictions
– Choice of law problem
Notice, Access, Correction and Consent– US: No uniform rights. If data held by gov’t agency, then
Privacy Act accords rights. HIPAA accords rights if data held by health care providers/insurers; consent is always legal basis for disclosures
– EU: Comprehensive legal rights. Complex to apply where data submitter is not data subject
![Page 13: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/13.jpg)
13
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t
agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting
online searches, offering search forms for 3rd party data. Law has data export restrictions
– Choice of law problem
Sensitive data (health, race, ethnicity, religion, politics)– US: Law does not define sensitive data as such.– EU: Law defines categories and requires special protections
that vary by country. Processing allowed when data subject physically or legally incapable of consent or to protect vital interests of data subject
![Page 14: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/14.jpg)
14
Analysis of Major Privacy Issues
Data Controllers and Privacy Regulation– US: Law depends on type of controller (e.g. health care– HIPAA, gov’t
agency– Privacy Act) – EU: Law applies to any organization maintaining MP data, conducting
online searches, offering search forms for 3rd party data. Law has data export restrictions
– Choice of law problem
Export controls– US: None– EU: Data exports only permitted to countries deemed privacy
“adequate”. US is a problem. Safe Harbor agreement and contractual provisions can be used to satisfy for MP activities. Consent is unlikely to be helpful.
![Page 15: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/15.jpg)
15
Options for Organizations
Missing Persons Community of Interest• Assist in privacy-friendly design choices• Coordinate privacy policies of collaborating organizations• Work with DPAs and government agencies to address MP
privacy issues• Be prepared if MPCI had direct role in processing• Develop privacy policy for MPCI
![Page 16: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/16.jpg)
16
Options for Organizations
Missing Person Organizations• Assure legal compliance• Take responsibility for privacy policy• Coordinate privacy policies, to extent practicable• Share interpretations and guidance
![Page 17: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/17.jpg)
17
Options for Policy-Makers
Data Protection Authorities• Review domestic DP and privacy laws • Check preparation and consider administrative steps in
advance• Provide advance guidance on operation of DP law in
natural disasters• Issue DP response to missing persons/natural disaster
activities• Provide interpretative guidance on legitimate processing,
sensitive information, exports
![Page 18: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/18.jpg)
18
Options for Policy-Makers
Article 29 Working Party• Issue interpretative guidance on legitimate processing,
sensitive information and export controls
![Page 19: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/19.jpg)
19
Options for Policy-Makers
EU Commission• Address missing persons and disaster activities in
proposed regulation• Provide more specific direction on disaster and missing
persons activities
![Page 20: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/20.jpg)
20
Options for Policy-Makers
United States• Authorize missing persons/disaster disclosures using
Executive Branch authority• Amend the Privacy Act of 1974 to allow disclosures
following natural disasters
![Page 21: Privacy and missing persons](https://reader033.fdocuments.us/reader033/viewer/2022061108/544f45b0af7959c4068b7918/html5/thumbnails/21.jpg)
21
Conclusion