Implementing Privacy: Rules of the Game for Developers Robert Guerra Director, CryptoRights Foundation Mac-Crypto Conference on Macintosh Cryptography & Internet Commerce January 29, 2001
Overview • The Basics: Info-Privacy Principles • General Trends: Global Privacy Law • Getting Specific: Medical Privacy
The Basics: Information Privacy Principles
Information Privacy Principles [1] • Accountability of Data Maintainer • Purpose for Data Collection • Consent for Data Collection • Limits on Data Collection • Limits on Storage, Use & Disclosure
Information Privacy Principles [2] • Accuracy of Information • Safeguards • Openness of Policies & Practices • User Access & Challenges • Compliance & Auditing
General Trends: Global Privacy Law
World: Privacy Law Trends • Countries around the world are: • Adopting comprehensive laws to protect privacy • Basing them on the OECD and Council of Europe models
EU: Standardizing Privacy • EU Privacy Directive prevents unauthorized transmission of personal info to any country that does not adequately protect privacy. • Encourages countries to adopt strong privacy legislation and standardize privacy policy across borders.
Canada: Personal Privacy • 1983 Privacy Act • Protection for information held by Govt. • Covers ~110 Federal Departments • 2000 Personal Information Protection and Electronic Documents Act.
USA: Financial Privacy • 1970: Fair Credit Reporting Act • 1978: Right to Financial Privacy Act • 1978: Electronic Fund Transfer Act • 1991: Telephone Consumer Protection Act • 1999: Gramm-Leach-Bliley Act (Title V) • 2000: Safe Harbor Principles (agreed with the E.U., whose Data Protection Directive took effect in 1998)
Getting Specific: Medical Privacy Regulations “The Only Crypto that Survives is Medical Crypto.”
USA: the HIPAA $tandard • 1996 Health Insurance Portability & Accountability Act • Improves efficiency of healthcare delivery by standardizing electronic data interchange. • Protects health data confidentiality and security by setting and enforcing standards. • All healthcare organizations are affected. • Covers all personally identifiable health info in electronic form. • Also reaches paper records and oral communications.
Regulatory Criteria [1] Access • Controlling access and limiting what patient info is displayed. Backup • Secure backups to prevent loss of medical data. Unique ID • A unique identifier for every patient and practitioner (each one is unique, like all the others). Logoff • Automatic sign-off after a period of inactivity. Audits • Capture a historical record of medical data use.
Regulatory Criteria [2] eSignatures & Chart Signing • Replacing paper-based signatures. • Tracking patient-practitioner interactions. Encryption • Protecting, hiding and transmitting confidential records. Patient Access • Patients can see their chart and know who has looked at it. Sensitive Info • Patient data disclosure control & perfect forward secrecy. Locking Data • Original entries cannot be altered or deleted.
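Several of the criteria above (Unique ID, Audits, Patient Access, Locking Data) describe one data structure: a chart where every read and write is attributed to a unique actor, corrections are appended rather than overwriting, and history cannot be silently edited. The following is an added example written for this page, not code from the talk or from the CryptoRights Foundation; it shows one way to meet those criteria with an append-only, SHA-256 hash-chained log. The actor and patient IDs (`dr-0001`, `pt-1234`, `rn-0042`), the note text and the timestamps are constructed sample data, and timestamps are passed in by the caller so the output is deterministic.

```python
"""Append-only, hash-chained patient chart (added example; not from the talk).

Every entry names a unique actor, reads are logged as entries too, and an
amendment is a new entry pointing back at the original, which is never
changed.  Each entry's digest covers the previous entry's digest, so an
in-place edit of stored history is detected by verify().
"""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry in a chain


@dataclass(frozen=True)
class Entry:
    seq: int               # position in the chain
    ts: str                # ISO-8601 timestamp, supplied by the caller
    actor: str             # unique practitioner or patient ID
    action: str            # "create" | "amend" | "view"
    patient: str           # unique patient ID
    amends: Optional[int]  # seq of the entry this one corrects, if any
    payload: str           # note text ("" for a view)
    prev_hash: str         # digest of the preceding entry
    digest: str            # SHA-256 over every field above


def compute_digest(e: Entry) -> str:
    """Hash every field except the digest itself, with a canonical encoding."""
    body = [e.seq, e.ts, e.actor, e.action, e.patient, e.amends, e.payload, e.prev_hash]
    return hashlib.sha256(json.dumps(body, separators=(",", ":")).encode()).hexdigest()


class Chart:
    def __init__(self) -> None:
        self._log: List[Entry] = []

    def _append(self, ts: str, actor: str, action: str, patient: str,
                payload: str = "", amends: Optional[int] = None) -> Entry:
        prev = self._log[-1].digest if self._log else GENESIS
        e = Entry(len(self._log), ts, actor, action, patient, amends, payload, prev, "")
        e = replace(e, digest=compute_digest(e))
        self._log.append(e)
        return e

    def record(self, ts: str, actor: str, patient: str, note: str) -> Entry:
        return self._append(ts, actor, "create", patient, note)

    def amend(self, ts: str, actor: str, seq: int, note: str) -> Entry:
        """Correct an earlier note by appending, never by editing the original."""
        target = self._log[seq]
        if target.action == "view":
            raise ValueError("only chart entries can be amended")
        return self._append(ts, actor, "amend", target.patient, note, amends=seq)

    def view(self, ts: str, actor: str, patient: str) -> List[str]:
        """Reads are audited: the view itself becomes a chain entry."""
        self._append(ts, actor, "view", patient)
        return self.current(patient)

    def current(self, patient: str) -> List[str]:
        """Latest text of each note, following amendment links back to the original."""
        latest: Dict[int, str] = {}   # original seq -> most recent text
        root_of: Dict[int, int] = {}  # any seq -> original seq
        for e in self._log:
            if e.patient != patient or e.action == "view":
                continue
            root = root_of[e.amends] if e.amends is not None else e.seq
            root_of[e.seq] = root
            latest[root] = e.payload
        return [latest[k] for k in sorted(latest)]

    def history(self, patient: str) -> List[Entry]:
        return [e for e in self._log if e.patient == patient]

    def who_viewed(self, patient: str) -> List[str]:
        """What a patient is entitled to see: every actor who read the chart."""
        return [e.actor for e in self._log if e.patient == patient and e.action == "view"]

    def verify(self) -> Optional[int]:
        """Return seq of the first entry whose digest or back-link is wrong, else None."""
        prev = GENESIS
        for i, e in enumerate(self._log):
            if e.seq != i or e.prev_hash != prev or compute_digest(e) != e.digest:
                return i
            prev = e.digest
        return None

    def tamper_in_place(self, seq: int, new_payload: str, rehash: bool = False) -> None:
        """Simulate an attacker editing the stored record directly, bypassing the API.
        With rehash=True the attacker also fixes that entry's digest; the next
        entry's prev_hash still exposes the change."""
        e = replace(self._log[seq], payload=new_payload)
        self._log[seq] = replace(e, digest=compute_digest(e)) if rehash else e


def demo() -> dict:
    c = Chart()
    c.record("2001-01-29T09:00:00Z", "dr-0001", "pt-1234", "BP 140/90; start lisinopril 10mg")
    c.amend("2001-01-29T09:05:00Z", "dr-0001", 0, "BP 140/90; start lisinopril 5mg (dose corrected)")
    notes = c.view("2001-01-29T10:00:00Z", "rn-0042", "pt-1234")
    out = {"current": notes, "viewers": c.who_viewed("pt-1234"),
           "history_len": len(c.history("pt-1234")), "ok_before": c.verify()}
    c.tamper_in_place(0, "BP 120/80; no medication")
    out["bad_seq_after"] = c.verify()
    return out


if __name__ == "__main__":
    print(demo())
```

`current()` returns only the corrected dose, yet `history()` still holds the original 10mg entry and the amendment that superseded it, which is the "locking data" property; the nurse's read shows up in `who_viewed()`, which is the "patient access" property; and `verify()` reports the first entry an attacker changed, even when the attacker recomputes that entry's own digest, because the following entry's back-link no longer matches.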
Regulatory Comparison criteria:
“I’m a privacy-rights person…the marketplace can function without sacrificing the privacy of individuals.” – George “Dubya” Bush (Business Week, 5 June 2000)
Robert Guerra Robert @ CryptoRights .org CryptoRights Foundation http://CryptoRights.org Mac-Crypto Conference on Macintosh Cryptography & Internet Commerce January 29, 2001