
“Privacy in America: Your Role as Guardians of the Public’s Data”

Professor Peter P. Swire discusses the importance of privacy and security in E-government systems, public records, data breaches, and privacy impact assessments. Learn about the big privacy issues today and what McCain and Obama have said on privacy.

summersl

Presentation Transcript


  1. “Privacy in America: Your Role as Guardians of the Public’s Data” • Professor Peter P. Swire • Moritz College of Law, The Ohio State University • Ohio Digital Government Summit • October 1, 2008

  2. Theme for Today • You are the guardians of the public’s personal data • The systems you create will enable E-government, democracy, public services • The systems should do it in a way that ensures the public’s privacy and security • It is a proud responsibility to build these systems for the benefit of our fellow citizens

  3. Overview • My background • You are the guardians: • HIPAA: why privacy & security matter • Public records: don’t cause theft • Data breach: the most important current regulation on data holders • Privacy Impact Assessments: being thoughtful about data uses • Big privacy issues today • What McCain & Obama have said on privacy

  4. Swire Background • Now Ohio State law professor, live in D.C. • Active in many privacy & security activities • Senior Fellow, Center for American Progress • Chief Counselor for Privacy, 1999-2001 • U.S. Office of Management & Budget • WH coordinator, HIPAA privacy rule • Public records & privacy • Federal government’s own data • Computer security • Other: financial, Internet, national security & FISA

  5. Background • Since 2001: • Many writings and presentations • www.peterswire.net • www.americanprogress.org • “Privacy Year in Review” distributed to all members of the International Association of Privacy Professionals • Lead author of book that is official study guide for Certified Information Privacy Professional exam

  6. Guardians I: HIPAA • The 1996 history • “Administrative simplification” in Health Insurance Portability & Accountability Act • Half the $ in medical system are federal • No more payments by paper • Standardized “transaction and code set” rule • Save many billions with electronic & standardized payment formats for health care

  7. HIPAA History • If all health payments become electronic, what would happen to privacy & security? • No previous federal standards for health privacy & security • Congress said should build privacy & security in at the same time as shift to electronic payments

  8. HIPAA History • Congress didn’t pass legislation • HHS proposed rule in 1999 • Over 53,000 public comments • Final rule December, 2000 • Bush Administration modest changes 2002 • In effect since 2003

  9. Lessons from HIPAA • Privacy & security should be built in to new IT systems • Patching later won’t work as well, often won’t happen & will cost a lot more • HIPAA far from perfect • Implementation & guidance budget cut way back from original plans • Significant success to date & clearly better than not having these protections in place

  10. Next in Health Care • Electronic health records (EHRs) • How to connect providers into a National Health Information Network • Personal health records (PHRs) • Individuals/families manage health records the way they do personal finances • Microsoft HealthVault, Google Health, Dossia & others • How to build privacy & security into these?

  11. Guardians II: Public Records • Strong Ohio tradition of open public records • Freedom of information & transparency lead to better government, lower costs for citizens to get information & many other benefits • Not every record should become public • Especially records that can lead to theft or identity theft

  12. Bankruptcy Study 2000 • When in White House, I helped lead a study on a federal records system – bankruptcy records • Proposal was pending – simply put all records on line • History of open access to these court records • New system less expensive if simply shift to electronic

  13. Bankruptcy Study • Key data fields: • Bankruptcy records contain details on financial assets, so creditors know the claims on the estate • Bank account numbers, security brokerage account numbers, etc., and amount in each account (often $$$) • A tempting target for pretexting • Is it a good idea to put those up on the Internet?

  14. Lessons on Public Records • For data fields that lead to pretexting and identity theft, there is significant risk from simply posting to the Internet • As Ohio has done, work through the risks of these key data fields in managing your public records • See Swire NACO presentation, at www.peterswire.net

  15. Guardians III: Data Breaches • California history on data breaches • SSNs and other personal data compromised for all/most state of California employees in 2002 • California passed the data breach law, requiring notice for breaches in both public and private sectors • The idea swept the nation – almost all states have such laws today

  16. Correcting a Market Failure • Data is held by government agency or corporation • If breach happens, the cost is mostly on the individuals whose data is put at risk • Under-investment in protecting the data • Could have liability on data holder for breach (currently none) • Instead, have publicity on data holder – data breach laws

  17. The Future of Data Breach • Trend toward broader set of triggers for data breach • Health care data • Biometrics (once gone …) • Required/encouraged encryption • Trend toward reporting to a state authority • Ecosystem can learn more about breaches • A major responsibility for you as data guardians, and that will continue

  18. Guardians IV: PIAs • Privacy Impact Assessments • Best practice for feds by 2000 • Required for new federal IT systems in E-Government Act of 2002 • Ohio & HB 46, § 125.18 Ohio Revised Code • New requirement of Privacy Impact Assessments

  19. PIAs for Cities & Counties • PIA process for federal and state, now • Emerging best practice for government at all levels • Ohio memo at http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf • The HIPAA lesson – build it right from the start for privacy and security

  20. August 13 Memo on State PIAs • Edmondson memo requiring state of Ohio agencies to do privacy assessments • Privacy Threshold Analysis (and then PIA, as needed): • When use information technology to collect new information • When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or • When agencies conduct ad hoc queries of commercial databases containing personally identifiable information

  21. Views of the Candidates • McCain released privacy policy paper on Aug. 14 – on campaign site • My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

  22. Limited Role for Government • For private sector data, basic approach is “self-regulation” – limited role for government • “Government -- Government must promote a culture of personal security through consumer education initiatives, incentives for the development of secure technologies, and stronger enforcement of laws to protect our citizens, particularly children.”

  23. Obama and Private Sector Data • Cautious about regulation, but believes common-sense measures may be appropriate for emerging areas of concern • Location information (cell phones) • Electronic health records • Social networking • Similar to Clinton approach – act first on medical, financial, kids • Similar contrast as the two candidates’ views on financial regulation

  24. Government Surveillance • The other major privacy area concerns rules for government surveillance, for law enforcement and national security • McCain has supported Bush approach – major focus on anti-terrorism, few stated limits on executive power, support for Patriot Act • Obama – former constitutional law prof – has called for more checks & balances and oversight • Obama pushed for broader FISA reform, but voted for final passage as better than not having authorities in place

  25. Concluding Thoughts • Guardians of the public’s data • HIPAA – build privacy & security in from the start • Public records – avoid theft & related harms • Data breach – a major feature in the future • PIAs – an expected practice from now on

  26. Finally • FOIA and open records are crucial values • That said, here is a simple test about privacy: • How would you want the records of your own family treated? • Do you have the privacy and security practices in place that you would want for your spouse and children? • If you meet that test, you can be proud in your role of guardian of the public trust • Good luck in your efforts
