440 likes | 588 Views
MODULE D: Privacy Overview Basic Principles of Privacy by Gail Obrycki, MSMT, ASCP, CIPP. Objectives. provide you with an overview of the basic principles of data privacy explain how US and global privacy legislation and law enforcement actions impact business Impact on Clinical Research
E N D
MODULE D: Privacy Overview Basic Principles of Privacyby Gail Obrycki, MSMT, ASCP, CIPP Privacy Overview- ver. Mar. 2010
Objectives • provide you with an overview of the basic principles of data privacy • explain how US and global privacy legislation and law enforcement actions impact business • Impact on Clinical Research • provide an overview of “Security” • provide you with information about Regulators’ inspection activity • provide an overview of Data Transfer requirements e.g. Safe Harbor • provide resource information Privacy Overview- ver. Mar. 2010
What do we mean by Privacy • has a different meanings to differentpeople based on culture and region • core to an individual’s identity, autonomy and freedom • generally involves control over one’s personal information: collection, use, storage, disclosure, access for amending and/or deleting personal information held, Why are companies focusing on “Privacy”: • Comply with Laws • Concerned with ever increasing data threats (identity theft, phishing, botnet attacks), and enforcement activities (e.g. monetary fines, civil penalties) • Build trust and be transparent with its customers, clients and employees (Company Image/Competitive Advantage) Privacy Overview- ver. Mar. 2010
Identity Theft Has Become a Major Concern • Number one complaint to US FTC • $50+ billion in global annual losses • 50+% conducted by employees and contractors • Part-time and temporary workers three times more likely to commit • Medical Identity theft on the rise • results in erroneous entries being put into existing medical records, and can involve the creation of fictitious medical records in the victim’s name. • is a crime that can cause great harm to its victims • leaves a trail of falsified information in medical records that can plague victims’ medical and financial lives for years. • most difficult to fix after the fact • Source: http://www.worldprivacyforum.org/medicalidentitytheft.html Sources: (Javelin/BBB 1/06; Gartner 7/03; Experian-Gallup 8/05; FDIC 2/06; FTC 1/06; SMU 8/04) Privacy Overview- ver. Mar. 2010
Key Vulnerabilities and Risk. Third-party vendor data handling and transfers Lost laptops, portable media and back-up tapes Over collecting or unlawfully using SSNs Improper access or broad access controls Paper handling and dumpster diving Unauthorized software or use of peer-to-peer networks (iPods and file sharing) Phishing, web/email vulnerabilities (if SSNs) Mobile and home-based workforce Call centers and in branch social engineering Use of such information in authentication processes with customers (online, phone, fax) Common Vulnerabilities Privacy Overview- ver. Mar. 2010
Hot Privacy Topics • Issues • E-Medical records • Personal Health Records • Pharmacogenomics (use of genetic markers to develop personalized drugs) • Social Networking e.g. Facebook • Behavioral targeting • Portable device security Privacy Overview- ver. Mar. 2010
Social Origins of Privacy • Rooted in oldest texts and cultures known to man-concept of privacy noted in Qur’an, Bible, laws of classical Greece, Jewish law and ancient culture of China • the context of Human rights evolved after WWII • 1948 as part of the Universal Declaration of Human Rights • 1950 in the European Convention for the Protection of Human Rights and Fundamental Freedom • 1970 in the German state of Hesse the first known modern data protection law • 2 models: Comprehensive law (e.g. EU Data Protection Directive) vs Sectoral law (e.g. HIPAA) Privacy Overview- ver. Mar. 2010
Privacy Concepts • Notice- is the clear and conspicuous disclosure to individuals indicating what personal information is collected, and how it is used and shared. • Choice/Consent-is giving individuals the opportunity to determine what information can be collected, how it is used, and with whom it is shared (e.g. opt-out to receive marketing materials) • Access- is making the personal information about individuals available to them to review, modify, or delete. • Minimization-is collecting only the information needed for the intended purpose. • Disclosure to third parties/Onward Transfer-means the information that is disclosed is what has been described in the notice wherever the information goes. • Data Quality or Integrity-means the information is accurate, complete and relevant to the purposes for which it was collected • Security-is taking reasonable steps to protect personal information from unauthorized access, use, or sharing. The level of protection must be commensurate with the type of personal information being processed • Dispute Resolution-is a process individuals can follow to inquire into and resolve their concerns about how their information has been processed. • Enforcement-having a mechanism for assuring compliance with the principles, recourse for individuals to whom the data relate affected by non-compliance, and consequences when the principles are not followed. Note: • Principles are common to most Privacy laws, Privacy rights built into countries’ constitutions, US Dept. of Commerce Safe Harbor Privacy Overview- ver. Mar. 2010
Privacy Definitions • Personal Information (PI): may also be known as Personal Data or Personally Identifiable Information means any information or set of information that identifies or that can be used to identify, locate or contact an individual. • Under discussion- Personal Information that has been encoded, or anonymized • Protected Health Information (PHI) under HIPAA is a subset of PI • Processing: any operation or set of operations that is performed upon Personal Information, whether or not by automatic means, including, but not limited to, collection, recording, organization, storage, access, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, blocking, deleting, erasure, or destruction Privacy Overview- ver. Mar. 2010
What are we protecting? • Personal information (PI) is data that can identify an individual, such as • Name, Initials • Address • SSN • Phone number • E-mail address • Photographs, fingerprints • Data tied to any of the above, also includes • consumer and employee e-mail, internal reports, expressions of interest on particular topics, IT logs of originating IP addresses, other Internet transmission data, particular web pages viewed, (Behavioral advertising), Sensitive information • Health data-disease history, biometric identifies such as retinal scans, DNA? • Financial data-pin codes, account numbers • As defined by EU Data Protection Directive: race, ethnicity, sex/orientation, religious belief, political opinion, trade union membership, physical/mental health or conditions, criminal record Privacy Overview- ver. Mar. 2010
Privacy Rights • Whenever an organization • Collects Personal Information about an individual • Uses (and secondary use) and discloses Personal Information • Processes it (Maintains, stores, transfers) • Regulator Expectations: • Provide notice of uses and disclosures • Provide choice to opt in or opt out • Provide access to stored data for correction • Use reasonable security measures to protect the information commensurate with the type of Personal Information being processed. Privacy Overview- ver. Mar. 2010
EEA , Argentina, Armenia, Australia, Austria, Bahrain, Belgium, Botswana, Brazil, Bulgaria, Cameroon, Canada, Canada - Northwest Territories and Nunavut, Chile, Cote d'Ivoire, Croatia, Cyprus, Czech Republic, Denmark, Dubai, Egypt, Ethiopia, Finland, France, Germany, Ghana, Greece, Hong Kong, Hungary, Iceland, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kenya, Kuwait, Lebanon, Lithuania, Mauritius, Mexico, Morocco, Netherlands, New Zealand, Nigeria, Norway, Peru, Poland, Portugal, Qatar, Romania, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Spain, Sweden, Switzerland, Taiwan, Tanzania, Thailand, Tunisia, Turkey, Uganda, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Zambia Global Laws Increasing Privacy Overview- ver. Mar. 2010
Privacy Laws that Impact Business US-Sectoral Laws • HIPAA-Health Insurance Portability and Accountability Act • HITECH-Health Information Technology for Economic and Clinical Health Act • FCRA-Fair Credit Reporting Act-impacts employment re credit checks • COPPA-Children’s Online Privacy Protection Act-impacts marketing to children • CAN-SPAM-Controlling Assault on Non-Solicited Pornography and Marketing • TSR-Telemarketing Sales Rule, DNC-Do Not Call, DNF-Do Not Fax • GLBA-Gramm-Leach Bliley-impacts Financial information • FTC Act (unfair and deceptive practices) • GINA-Genetic Information Nondiscrimination Act Ex-US • Countries with Comprehensive Privacy laws (e.g. EEA, Japan, Argentina, Canada, Australia) • Some are only recognized as having ”adequate” protections by the EU • Canada and Argentina-yes, Australia and Japan-no • Countries with sectoral laws or as part of their constitution • privacy as part of Medical practice, laws around “communications” e.g. US HIPAA, Taiwan Computer-Processed Personal Data Protection Law, and Taiwan Medical Care Act, • privacy as part of country constitutions ( Colombia, Paraguay, Venezuela, Ecuador, Uruguay) EU- Data Protection Directive • Safe Harbor as it relates to EU Directive Privacy Overview- ver. Mar. 2010
Health Information Portability and Accountability Act (aka HIPAA) • US law that requires health care organizations or covered entities, and providers to meet certain privacy and security standards with respect to protected health information (PHI). • HIPAA sets the floor for privacy protections of PHI. HIPAA requirements are the common national standards for which covered entities must adhere to for the protection of patient’s privacy. • There may be state laws that provide additional stronger privacy protections which a covered entity would need to comply. • Depending on where the covered entity is located will dictate the privacy requirements for that entity. • Other companies that may not be considered a covered entity but may be indirectly affected by privacy regulations if covered entities supply the data. e.g. a company’s sponsored Healthcare plan Privacy Overview- ver. Mar. 2010
Privacy Rule and Security rule • Privacy Rule • regulation went into effect on April 14, 2003. • requires patients be provided with: notice, access to their medical records, control over how their health information is used and disclosed, avenues for recourse if their medical privacy is compromised e.g. Hospital Privacy Office • Covered entities must have in place various processes to support and administer those rights e.g. written procedures, training, Privacy office/officer • Security Rule • Covered entities must have in place policies and procedures to comply with standards for safeguards to protect the confidentiality, integrity and availability of electronic protected health information. Privacy Overview- ver. Mar. 2010
Health Information Technology for Economic and Clinical Health Act (aka HITECH) • Most significant change for Covered Entities for privacy and security since HIPAA’s enactment (under ARRA-American Recovery and Reinvestment Act) • Subjects Business associates of Covered Entities to federal regulation for the first time, requiring compliance to privacy and data security requirements of HIPAA • Fundamentally different enforcement environment under new Administration • New guidance and significant regulatory activity required • Under the watchful eye of US Dept. of HHS-OCR : will be notified of breaches Privacy Overview- ver. Mar. 2010
Impact on Business Associates • What is a Business Associate? • A service provider or vendor, such as a technology company, that has access through its clients to individually identifiable health information covered by HIPAA (“PHI”) • Business Associates participate in, perform for, or assist CEs (health care providers, health insurers or health care clearinghouses) with certain functions or activities • Activities can include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management Privacy Overview- ver. Mar. 2010
HITECH Breach Notification Requirements • First federal data breach notification requirement • Approx 45 Individual states have own Breach Notification law • Very broad definition of breach • Unauthorized acquisition, access, use or disclosure of PHI which compromises the security or privacy of such PHI • Very broad notice requirement • Fundamental change to healthcare industry • Covered entities (CEs) must notify individuals • Business Associates must notify CEs • Very specific in terms of content of notice, method of notice and timing of notice Privacy Overview- ver. Mar. 2010
The Role of State Law • HITECH Act and HIPAA preempt conflicting state laws, but leave intact state laws with more stringent requirements on the handling of health information • Most States have a Breach Notification law with specific notification requirements, some of which include medical information such as: • California • Effective January 1, 2009, AB 211 and SB 541: • require providers of health care to establish and implement appropriate administrative, technical and physical safeguards to protect privacy of a patient’s medical information • establish new oversight mechanisms and penalties to enforce privacy standards • SB 541 contains breach notification requirements • Note: New Jersey has a Breach notification law re SSN, PIN, credit cards, drivers lic. # but does not include medical information but HIPAA still applies • Companies must meet new common denominator of minimum standards by monitoring and complying with patchwork of laws in every state in which one operates Privacy Overview- ver. Mar. 2010
FTC Breach Notification Effective September 2009, breach notification requirements apply to vendors (e.g. Google) of personal health records (PHRs) A PHR is defined as “an electronic record of individually identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or for the individual.” Example of where this might apply in clinical research Use of e-PRO (eDiaries) Patient enters information on signs and symptoms, quality of life, etc into e-diary during the course of a trial. The data is under the control /entered by the subject. Diaries may be supplied by and the data processed by a vendor who then provides the data back to the Sponsor who them provides data back to trial site. Data becomes part of the subjects medical record. Vendor may provide help desk support for the trial subjects. Privacy Overview- ver. Mar. 2010
Expanded HIPAA Enforcement • New tiered civil penalty structure • Penalties will be based upon “intent” behind the violation • Fines of up to $1.5 million are possible • Explicit authority for state AGs to enforce HIPAA rules • The extent to which AGs will need to follow the enforcement rule is not yet clear • May result in different or inconsistent interpretations of HIPAA • Mandatory audits by HHS Privacy Overview- ver. Mar. 2010
Enforcement • Congress provided civil and criminal penalties for covered entities that misuse PHI. • OCR may impose monetary penalties up to $100 per violation, up to $25,000 per year, for each requirement or prohibition violated. Criminal penalties apply for certain actions such as knowingly obtaining PHI in violation of the law. • Criminal penalties can range up to $50,000 and one year in prison for certain offenses; up to $100,000 and up to five years in prison if the offenses are committed under “false pretenses”; and up to $250,000 and up to 10 years in prison if the offenses are committed with the intent to sell, transfer or use the PHI for commercial advantage, personal gain or malicious harm. • Office of Civil Rights can investigate • Civil monetary penalties imposed by OCR • Dept of Justice can prosecute • Criminal penalties imposed by DOJ • Local State AGs can investigate and prosecute as well • Link to OCR to enforcement activity: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html Privacy Overview- ver. Mar. 2010
Noted FTC Enforcement Cases • Petco Case (2005)-failure to encrypt data and thus was accessible to persons other than the consumer • Gateway Learning Case (2004)-change in privacy policy with failure to notify and receive consumer consent • Microsoft Case (2002)-Security misrepresentation and lack of data minimization • DSW Case (2006)-unauthorized access to PI and failure to employ reasonable and appropriate security measures • ChoicePoint Case (2006)-disclosure of sensitive information-violated Fair Credit Reporting Act-failed to have reasonable procedures to screen subscribers-$10 M in penalties plus additional $5 M for consumer redress • Eli Lilly Settles FTC Charges Concerning Security Breach • unauthorized and unintentional disclosure of sensitive personal information collected from consumers through its Web sites • Lilly to implement an information security program to protect consumers' privacy • Fines and 20 year FTC Order Privacy Overview- ver. Mar. 2010
Privacy in Clinical Research • Global Privacy laws and regulations apply • Site Personnel and subject Personal Information • Enforcement by Health Regulators and local DPAs • ICH/GCPs/CFR requirements for notice and consent, patient confidentiality • IRB/EC responsible for protecting subject’s rights • In US, HIPAA authorization required in addition to subject informed consent • HIPAA has section on Clinical Research and has potential impacts Privacy Overview- ver. Mar. 2010
Impact of HIPAA on Clinical Research • Vendors working on behalf of a sponsor may contact investigators to confirm or clarify reported information. • Laboratories send test results back to the covered entity. • Recruitment vendors identify patients potentially meeting study eligibility criteria who are interested in participating in the study and provide this information to investigators. These activities may involve the disclosure of PHI for purposes of determining the number of / identify patients meeting study eligibility criteria. • Electronic data capture vendors may allow investigators to access previous information entries. • Communications to potential subjects Privacy Overview- ver. Mar. 2010
Impact: Communications to potential trial subjects funded by Pharma Companies • Written communications made on or after February 2010 about a product or service that encourage recipients to purchase that product or service will be classified as “marketing” if a covered entity receives direct or indirect remuneration (payment) for making the communication. • Exception: Communications that describe a drug or biologic that is currently being prescribed for the recipient of the communication and any payment received by the covered entity is reasonable in amount. • Concern has been expressed that this could prohibit a pharmaceutical company from paying a healthcare provider or health plan to send communications to patients encouraging enrollment in a clinical trial. • Can a communication about a clinical trial be construed as encouraging the purchase or use of a product or service? • What if the communication highlights the potential benefits of participation? Privacy Overview- ver. Mar. 2010
Impact: Minimum Necessary Previously • CEs required to limit use and disclosure of PHI to the “minimum necessary” to accomplish the intended purpose. • Does not apply to disclosures for treatment. • Does not apply to uses or disclosures pursuant to an authorization. • “Minimum necessary” not defined. HITECH Act • No later than August 2010, HHS must issue guidance on what constitutes “minimum necessary.” • Until guidance issued, CEs must “to the extent practicable” limit disclosures to a limited data set. • A limited data set requires removal of direct identifiers such as name, contact info, SSN, account numbers, etc. • A CE disclosing PHI must determine what constitutes the ‘minimum necessary’ to accomplish the intended purpose of the disclosure. Privacy Overview- ver. Mar. 2010
Impact: Source Document Verification and Adverse Event Reporting • Concern that new rules around “minimum necessary” standard, in combination with increased enforcement penalties, could have effect on ability to source document verify subject’s records and adverse event reporting. • Possibly could lead some healthcare providers and health plans to be less willing to provide all the information relevant to the trial or an adverse event Privacy Overview- ver. Mar. 2010
Impact: Psychotherapy Notes Previously • A CE was required to obtain an authorization for any use or disclosure of psychotherapy notes, other than for treatment. • An authorization for use or disclosure of psychotherapy notes could not be combined with any other authorization. • “Psychotherapy notes” defined as notes recorded by a mental health professional documenting or analyzing the contents of conversation during a counseling session. HITECH Act • HHS is required to study the definition of “psychotherapy notes” with regard to including in such definition “test data that is related to direct responses, scores, items, forms, protocols, manuals, or other materials that are part of a mental health evaluation” and to revise the definition based on this study. • Broadening of the “psychotherapy notes” definition could impact disclosure of such information as part of a limited data set, pursuant to an IRB waiver, as preparatory to research, or for public health activities (e.g., reporting adverse events). Privacy Overview- ver. Mar. 2010
Best Privacy Practices for Trial Sites • Have a designated privacy officer/privacy office to manage incidents and report to agency or IRB as required • Have an understanding of local privacy laws impact on what they do • If using a vendor, have appropriate contractual protections and ensure vendor understands breach reporting requirements • Have an understanding of local IRB requirements regarding PHI breaches to Sponsor and policy around review of site’s medical records for potential trial subjects • Have documented processes re Informed consent process (and HIPAA authorization), access to medical records, secure transmission of subject information to Sponsor, de-Identification process, and secure storage and destruction of subject’s files • Have training records for site personnel re local privacy requirements and site’s policies and procedures • Have security safeguards in place with regards to subject’s study file and medical records • Have an escalation process in place for Breaches and handling Regulatory Inspection activities Privacy Overview- ver. Mar. 2010
EU Commission-EU Data Protection Directive • 5 institutions involved-Council, Commission, Parliament, Courts of Justice and Auditors • EU Directive 95/46/EC-multiple Articles within Directive reference DP-Article 29 most important for privacy • Commission (Internal Market Directorate) most important for DP-”Working Party” (DPA) • Directive focus on protection of individuals with regard to the processing of personal data and on the free movement of such data • Directive outlines minimum privacy requirements and requirements for cross border transfers to countries without recognized privacy practices e.g. US, Australia, • Enforcement by Data Protection Agencies in each Country Privacy Overview- ver. Mar. 2010
EU Data Protection Directive • Sets the floor for privacy, local countries may have stricter interpretation • Principles of Notice, Choice, Legitimate purpose, Access/ Rectification, Data Quality, Confidentiality/Security • Specific rules for Sensitive data: legitimate purpose, explicit consent, contract requirements, security controls e.g. encryption • Enforcement mechanism: Data Protection Authorities • Data Transfer Mechanisms: model contracts, BCRs, Safe Harbor • Local Privacy requirements for Data processing: consents, Notifications to DPA, works councils, inter-company agreements Privacy Overview- ver. Mar. 2010
International Enforcement trends • General trends • Convergence of medicines regulatory/DPA enforcement and regional collaboration among authorities • Increasing awareness of industry practices among regulators • Proliferation of National & Regional Data Privacy Laws- Over 70 countries worldwide & growing • Greater Enforcement by Regulators-More DPA activity generally • Health-sector specific audits • Denmark, Sweden • Risks increasing for Pharmaceutical companies conducting clinical research • medical health data; vulnerable data subjects; data transfers and disclosures; use of multiple vendors and consultants • Sanctions include monetary fines, criminal liability; imprisonment, invalidation of study data, halting of data flows Privacy Overview- ver. Mar. 2010
Medicines Regulators Inspection Activity • Post 2004 - focus on privacy-aspects of clinical trials in light of Directive 2001/20 • Review of consent documentation, transfer of patient data, security measures, etc. • Inspection activity reported in: • France, UK, Denmark, Netherlands • Expect similar trends in non-EU jurisdictions based on ICH GCP Privacy Overview- ver. Mar. 2010
DPA Inspections • Most common triggers • National notifications • Individual complaints • Targeted sector reviews • DPA to DPA referrals • Pharma-specific investigations in CR, Poland, Portugal and Spain • DPA inspections on the rise • Dawn raids reported in Italy, France, Privacy Overview- ver. Mar. 2010
Pharma-specific developments • Outsourcing to vendors of trial activities • Pharmacogenomics to create designer drugs • The struggle to define “personal data” relating to bio-samples and concerns with genetic data • Medicines regulators/ECs focusing on privacy • Appropriateness of consent, secondary uses, breaches Privacy Overview- ver. Mar. 2010
Data Transfers • Mechanisms to transfer Personal Information out of a country • Safe Harbor (EEA region and Switzerland) • Binding Corporate Rules • Model Contracts • Consent • Many companies going the Safe Harbor route or a combination of the above depending on type of data Privacy Overview- ver. Mar. 2010
Safe Harbor • Background: • October 1998 – EU Data Protection Directive goes into effect prohibiting the transfer of personal data to non-EU countries that do not provide “adequate” privacy protection • US and the EU committed to bridging the privacy gap and maintaining high levels of privacy protection thus enabling trans-border data flows • FTC Act permitted both sides to maintain their positions: • US companies made voluntary commitments • EU was satisfied that those commitments were legally binding The Safe Harbor Framework Includes: • 7 Privacy Principles: Notice, Choice, Onward Transfer, Access, Data Integrity, Security, Enforcement • 15 FAQ’s • EU’s “adequacy” determination • Series of letters between the European Commission, Department of Commerce, Federal Trade Commission, and Department of Transportation Why is this Important • Allows for the transfer of data out of a EU or Switzerland to US for processing; HOWEVER local privacy requirements must still be met such as providing notice and choice • Allows companies to contract with vendors to process data on their behalf Privacy Overview- ver. Mar. 2010
Sample list of Pharmaceutical companies with Safe Harbor certifications • Amersham Health • Baxter International • Eli Lilly & Co • Ethicon Endo Surgery • LifeScan • Merck & Co., • Pharmacia Corporation • Pfizer • Protcor & Gamble • Wyeth Pharmaceuticals • Novartis Privacy Overview- ver. Mar. 2010
Basic Security Requirements • Administrative controls (e.g. privacy oversight, written policies, training) • Physical controls (e.g. secure access to records) • Logical/Technical controls ( e.g. Disaster recovery, password protections, encryption, access/authentication controls) Privacy Overview- ver. Mar. 2010
Privacy and Security Tips at Home→ • If asked for personal data, find out how it will be used and how it will be protected. • If you shop online, do not provide personal data to a website until you have checked for indicators that the site is secure, like a padlock icon on the browser’s status bar or a website URL that begins with “https”. • Read privacy policies of the Web sites you visit to discover how your data is used and with whom it will be shared • Beware of “phishing.” If you receive an email from an address that you do not recognize, do not open it. It may be an email from what appears to be a legitimate company asking for your personal data. Never reply to, or click on links or pop-ups in email that ask for personal data unless you are sure it is the business that is supposed to receive it. Do some checking first before you provide your personal data. • Protect passwords. Never share them. Change them often. Ensure they have at least 8 characters and include numbers and symbols. Do not use common words. Privacy Overview- ver. Mar. 2010
Privacy and Security Tips at Home • Know what personal data you have in your home files and on your computer. • Lock it away. Secure your laptop at home and in your car. Secure your important personal paper records at home in a locked desk draw when you are away from home. Secure mail and your portable storage devices. Secure your laptop in the trunk not the back seat of your car. • Be mindful of your cash withdrawal machine transactions and where the machines are located. . • Use a credit card from a reputable company. The credit card company monitors activities and will notify you if something appears wrong. They will also cover certain expenses in event of a theft. A bank debit card may not do this. • Encrypt electronic files and folders containing personal data. Privacy Overview- ver. Mar. 2010
Resource Information Links • In the US,contact theFederal Trade Commission at 1-877-382-4357 or visit ftc.gov to file a complaint or get additional information on consumer issues • Consumer information on children’s privacy, identity theft, and privacy and security, is available on the FTC’s Web site at: • http://www.ftc.gov/bcp/menus/consumer/data/child.shtm • http://www.ftc.gov/bcp/menus/consumer/data/idt.shtm • http://www.ftc.gov/bcp/menus/consumer/data/privacy.shtm • HIPAA Privacy Rule: http://privacyruleandresearch.nih.gov/ • Data Privacy Day: http://dataprivacyday2010.org/ • IAPP-International Association of Privacy Professionals: https://www.privacyassociation.org/ • AICPA.org • HHS- http://www.hhs.gov/ocr/privacy/ Privacy Overview- ver. Mar. 2010