Chapter 1 - Introduction to Privacy

Data Processing

"Almost anything that someone may do with personal information might constitute processing under privacy and data protection laws. The term processing refers to the collection, recording, organization, storage, updating or modification, retrieval, consultation and use of personal information. It also includes the disclosure by transmission, dissemination or making available in any other form, linking, alignment or combination, blocking, erasure, or destruction of personal information."

Data processor

"Individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller. Under the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule, these data processors are called "business associates." A data controller might not have the employees or expertise in-house to do some types of activity, or might find it more efficient to get assistance from other organizations. For instance, a data controller may hire another organization to do accounting and back-office operations. The first data processor, in turn, might hire other organizations to act as data processors on its behalf, for example, if a company providing back-office operations hired a subcontractor to manage its website. Each organization in the chain—from data controller, to data processor, to any subsequent data processor acting on behalf of the first data processor—is expected to act in a trusted way, doing operations that are consistent with the direction of the data controller. The data processors are not authorized to do additional data processing outside of the scope of what is permitted for the data controller itself."

Data Subject

"The individual about whom information is being processed, such as the patient at a medical facility, the employee of a company or the customer of a retail store."

Territorial Privacy

Territorial privacy is concerned with placing limits on the ability to intrude into another individual's environment. "Environment" is not limited to the home; it may be defined as the workplace or public space. Invasion into an individual's territorial privacy typically takes the form of monitoring such as video surveillance, ID checks, and use of similar technology and procedures.

"The Co-Regulatory and Self-Regulatory Models"

"Co-regulation and self-regulation are quite similar, with co-regulation generally referring to laws such as those in Australia, which are closer to the comprehensive model, and self-regulation generally referring to approaches such as those in the United States, where there are no general laws applying to personal information. Under both approaches, a mix of government and nongovernment institutions protects personal information. The co-regulatory model emphasizes industry development of enforceable codes or standards for privacy and data protection against the backdrop of legal requirements by the government. Co-regulation can exist under both comprehensive and sectoral models. One U.S. example is the Children's Online Privacy Protection Act in the United States (COPPA), which allows compliance with codes to be sufficient for compliance with the statute once the codes have been approved by the FTC. The self-regulatory model emphasizes creation of codes of practice for the protection of personal information by a company, industry or independent body. In contrast to the co-regulatory model, there may be no generally applicable data protection law that creates a legal framework for the self-regulatory code. A prominent example that affects the wide range of businesses that process credit card data is the Payment Card Industry Data Security Standard (PCI-DSS), which enhances cardholder data security and facilitates the broad adoption of consistent data security measures globally. Seal programs are another form of self-regulation. A seal program requires its participants to abide by codes of information practices and submit to some variation of monitoring to ensure compliance. Companies that abide by the terms of the seal program are then allowed to display the program's privacy seal on their website. Seal programs recognized by the FTC for the COPPA are Aristotle International Inc., Children's Advertising Review Unit (CARU), Entertainment Software Rating Board (ESRB), iKeepSafe, kidSAFE, PRIVO, and TrustArc (formerly TRUSTe). Supporters of a self-regulatory approach tend to emphasize the expertise of the industry to inform its own personal information practices, and thus use the most efficient ways to ensure privacy and security. Self-regulatory codes may also be more flexible and quick to adjust to new technology without the need for prior governmental approval. Critics of the self-regulatory approach often express concerns about adequacy and enforcement. Industry-developed codes can provide limited data protection, and may not adequately incorporate the perspectives"and interests of consumers and other stakeholders who are not part of the industry. The strength of enforcement can also vary. In some cases, where an organization has signed up for a code, any violation is treated just like a violation of a statute. In others, however, penalties can be weak, and there may be no effective enforcement authority.

Support and Criticism of Sectoral DP Model

"Supporters of the sectoral approach emphasize that different parts of the economy face different privacy and security challenges; it is appropriate, for instance, to have stricter regulation for medical records than for ordinary commerce. Supporters also underscore the cost savings and lack of regulatory burden for organizations outside of the regulated sectors. Critics of the sectoral approach express concern about the lack of a single data protection authority to oversee personal information issues. They also point out the problems of gaps and overlaps in coverage. Gaps can occur when legislation lags technological change, and unregulated segments may suddenly face privacy threats with no legislative guidance. Whereas laws under the comprehensive approach apply to new technologies, there are no similar governmental rules under the sectoral approach until the legislature or other responsible body acts. As a recent example, drones are becoming more common in the United States, but there have not been any national privacy rules governing surveillance by drones. Moreover, there can be political obstacles to creating new legislation if industry or other stakeholders oppose such laws. An example of a gap being filled is the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which"which introduced a breach notification requirement for vendors of personal health records vendors. These were not "covered entities" under HIPAA. The new law addressed a gap, where entities not traditionally involved in healthcare offered services involving the collection and use of large volumes of healthcare information. Similarly, overlaps can exist in a sectoral approach. For instance, HIPAA-covered entities such as medical healthcare providers are subject to enforcement either by the U.S. Department of Health and Human Services under HIPAA or by the FTC under its general authority to take action against unfair and deceptive practices. As the boundaries between industries change over time, previously separate industries can converge, potentially leading to different legal treatment of functionally similar activities."

1950 European Convention for the Protection of Human Rights and Fundamental Freedoms- Article 8 .

"[e]veryone has the right to respect for his private and family life, his home and his correspondence," with this right conditioned where necessary to protect national security and other goals, as necessary to preserve a democratic society."

Criticisms of Comprehensive Data Protection Laws

1. "the costs of the regulations can outweigh the benefits. One-size-fits-all "rules may not address risk well. If the rules are strict enough to ensure protection for especially sensitive data, such as medical data or information that can lead to identity theft, that same level of strictness may not be justified for less sensitive data. Along with the strictness of controls, comprehensive approaches can involve costly paperwork, documentation, audit and similar requirements even for settings where the risks are low." 2. May provide insufficient opportunity for innovation in data processing. With the continued evolution of IT, individuals have access today to many products and services that were unimaginable a decade or two ago, from smartphones to social networks and the full range of services that have developed since the Internet emerged in the 1990s. To the extent that comprehensive laws may discourage the emergence of new services involving personal information or require prior approval from regulators, the pace and diversity of technological innovation may slow."

What are the key models of Privacy Protection:

1. Comprehensive (UK) 2. Sectoral (US) 3. a. Self-regulatory (US) b. Co-regulatory (Australia) 4. Technology models. (Google/Apple)

Non-personal Information a. Pseudonymized Data- unique number code b. de-identified c. anonymized

1. Data elements used to identify an individual are removed. 2. Now Privacy and DP laws usually do not apply. 3. Typically info used as an aggregate or for a statistical purpose

Classes of Privacy

1. Information privacy 2. Bodily privacy 3. Territorial privacy 4. Communications privacy

"What are the Sources of Privacy Protection"

1. Law 2. Market 3. Technology 4. Self Regulation and Co-Regulation - a. Legislation -who defines the requirements - companies privacy policy, industry association. b. Enforcement-which organization brings enforcement action -DPA, industry code, other government agencies, affected individual. c. Adjudication -who actually makes the judicial decision industry org, government or judicial officer

Personal Information

1. PII -Information that makes it possible to identify an individual. SSN-Passport#- 2. Information about an identified or identifiable individual. Street#Tel#Email-

"APEC Privacy Framework (2004)"

1. Preventing Harm. Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result from such misuse of personal information, specific obligations should take account of such risk and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information. 2. Notice. Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information that should include: a. the fact that personal information is being collected; b. the purposes for which personal information is collected; c. the types of persons or organizations to whom personal information might be disclosed; d. the identity and location of the personal information controller, including information on how to contact it about its practices and handling of personal information; e. the choices and means the personal information controller offers individuals for limiting the use and disclosure of personal information, and for accessing and correcting it. All reasonably practicable steps shall be taken to ensure that such information is provided either before or at the time of collection of personal information. Otherwise, such information should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. 3. Collection Limitation. The collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and, where appropriate, with notice to, or consent of, the individual concerned. 4. Uses of Personal Information. Personal information collected should be used only to fulfill the purposes of collection and other compatible purposes except: a. with the consent of the individual whose personal information is collected; b. when necessary to provide a service or product requested by the individual; or, c. by the authority of law and other legal instruments, proclamations and pronouncements of legal effect. 5. Choice. Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information. 6. Integrity of Personal Information. Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use. 7. Security Safeguards. Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment. 8. Access and Correction. Individuals should be able to: a. obtain from the personal information controller confirmation of whether or not the personal information controller holds personal "nformation about them b. have communicated to them, after having provided sufficient proof of their identity, personal information about them i. within a reasonable time; ii. at a charge, if any, that is not excessive; iii. in a reasonable manner; iv. in a form that is generally understandable; and, c. challenge the accuracy of information relating to them and, if possible and as appropriate, have the information rectified, completed, amended or deleted. d. such access and opportunity for correction should be provided except where: i. the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual's privacy in the case in question; ii. the information should not be disclosed due to legal or security reasons or to protect confidential commercial information; or iii. the information privacy of persons other than the individual would be violated If a request under (a) or (b) or a challenge under (c) is denied, the individual should be provided with reasons why and be able to challenge such denial. 9. Accountability. A personal information controller should be accountable for complying with measures that give effect to the principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these principles.

Fair Information Practices

1. Rights of Individuals a. Notice. Organizations should provide notice about their privacy policies and procedures, and should identify the purpose for which personal information is collected, used, retained and disclosed. b. Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention and disclosure of personal information. Consent is often considered especially important for disclosures of personal information to other data controllers. c.Data subject access. Organizations should provide individuals with access to their personal information for review and update. 2. Controls on the Information a. Information security. Organizations should use reasonable administrative, technical and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification and destruction. b. Information quality. Organizations should maintain accurate, complete and relevant personal information for the purposes identified in the notice. 3. Information Lifecycle a. Collection. Organizations should collect personal information only for the purposes identified in the notice. b. Use and retention. Organizations should limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose. c.Disclosure. Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual. 4. Management a.Management and administration. Organizations should define, document, communicate and assign accountability for their privacy policies and procedures. b.Monitoring and enforcement. Organizations should monitor compliance with their privacy policies and procedures and have procedures to address privacy-related complaints and disputes.

Sensitive Personal Information

1. Subset of PI. 2. Definition of SPI varies by jurisdiction and particular regulations. 3. SSN- Financial Info- Health Info- Drivers License info. 4. In general require additional safeguards to protect this info.

What are the 5 important codification of FIP

1. The 1973 U.S. Department of Health, Education and Welfare Fair Information Practice Principles 2. The 1980 Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data ("OECD Guidelines") 3. The 1981 Council of Europe Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data ("Convention 108") 4. The Asia-Pacific Economic Cooperation (APEC), which in 2004 agreed to a Privacy Framework 5. The 2009 Madrid Resolution—International Standards on the Protection of Personal Data and Privacy"

List the FIP principles that can be conceived in 4 categories:

1. rights of individuals, 2. controls on the information, 3. information lifecycle, and 4. management."

What was the 1st US National Privacy Law + What Year?

1970- FCRA or Fair Credit Reporting Act-Focused solely on information about consumer credit.

Where can you find Privacy related provisions in the US constitution

3rd Amendment- Banning quartering of soldiers in a person's home; 4th Amendment- Generally requiring a search warrant before the police can enter a home or business; 5th Amendment, prohibiting persons from being compelled to testify against themselves; 14th Amendment, with its requirement of due process under the law, including for intrusions into a person's bodily autonomy."

Data Controller

An organization that has the authority "to decide how and why personal information is to be processed. This entity is the focus of most obligations under privacy and data protection laws—it controls the use of personal information by determining the purposes for its use and the manner in which the information will be processed. The data controller may be an individual or an organization that is legally treated as an individual, such as a corporation or partnership."

Bodily Privacy

Bodily privacy- is focused on a person's physical being and any invasion thereof. Such an invasion can take the form of genetic testing, drug testing or body cavity searches. It also encompasses issues such as birth control, abortion and adoption.

Communication Privacy

Communications privacy encompasses protection of the means of correspondence, including postal mail, telephone conversations, email, and other forms of communicative behavior and apparatus."

Comprehensive Data Protection Laws

Comprehensive data protection laws are those in which the government has defined requirements throughout the economy. They govern the collection, use dissemination of personal information in public and private sectors. Generally speaking, a country that has enacted such laws hosts an official or agency responsible for overseeing enforcement. This official or agency, often referred to as a data protection authority (DPA) in Europe, ensures compliance with the law and investigates alleged breaches of the law's provisions. In many countries, the official also bears responsibility for educating the public on data protection matters and acts as an international liaison for data protection issues. Enforcement and funding are two critical issues in a comprehensive data protection scheme. Data protection officials are granted varying degrees of enforcement power from country to country. Further, countries choose to allocate varying levels of resources to the enforcement of data protection laws, leaving some countries inadequately funded to meet the laws' stated goals. Over time, countries have adopted comprehensive privacy and data protection laws for a combination of at least three reasons: a. Remedy past injustices. b. Ensure consistency with European Privacy Law c. Promote Electronic commerce.

Is IP address Personal Data in EU and US

EU- Yes - IP addresses are identifiable. Ireland- No- IP address did not constitute PD US- No under Federal agency rules. US- Yes FTC- In connection with breaches in health care data IP address are PI.

Technology Based DP

Individuals and organizations in some settings can use technical measures that reduce the relative importance of administrative measures for overall privacy protection. For example, global web email providers such as Google and Microsoft have increased their use of encryption between the sender and recipient.

Information Privacy

Information privacy - is concerned with establishing rules that govern the collection and handling of personal information. Examples include financial information, medical information, government records and records of a person's activities on the Internet.

Sectoral Data Protection Laws (US)

Sectoral laws, such as those in the United States, exist in selected market segments, often in response to a particular need or problem. "This framework protects personal information by enacting laws that address a particular industry sector. For example, in the United States, different laws delineate conduct and specify the requisite level of data protection for video rental records, consumer financial transactions, credit records, law enforcement and medical records. In a comprehensive model, laws addressing specific market segments may be enacted to provide more specific protection for data particular to that segment, such as the healthcare sector.

Privacy

The desire of people to freely choose the circumstances and the degree to which individuals will expose their attitudes and behavior to others. It has been connected to the human personality and used as a means to protect an individual's independence, dignity and integrity."

1948 Universal Declaration of Human Rights.

This declaration formally announced that "[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence.

OECD Guidelines (1980) - "Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data." Updated in 2013

a. Collection Limitation Principle. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. b. Data Quality Principle. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date. c. Purpose Specification Principle. The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose. d. Use Limitation Principle. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose Specification Principle] except: (a) with the consent of the data subject or (b) by the authority of law. e. Security Safeguards Principle. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data. f. Openness Principle.There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller. g. Individual Participation Principle. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him, within a reasonable time, at a charge, if any, that is not excessive, in a reasonable manner, and in a form that is readily intelligible to him; (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended. h. Accountability Principle. A data controller should be accountable for complying with measures which give effect to the principles stated above.

" Sources of Privacy Protection"

a. Markets b. Technology c. Law d.Self-regulation and co-regulation.

Madrid Resolution (2009) to define a set of principles and rights guaranteeing (1) the effective and internationally uniform protection of privacy with regard to the processing of personal data and (2) the facilitation of the international flows of personal data needed in a globalized world.

a. Principle of lawfulness and fairness. Personal data must be fairly processed, respecting the applicable national legislation as well as the rights and freedoms of individuals. Any processing that gives rise to unlawful or arbitrary discrimination against the data subject shall be deemed unfair. b. Purpose specification principle. Processing of personal data should be limited to the fulfillment of the specific, explicit and legitimate purposes of the responsible person; processing that is non compatible with the purposes for which personal data was collected requires the unambiguous consent of the data subject. c. Proportionality principle. Processing of personal data should be limited to such processing as is adequate, relevant and not excessive in relation to the purposes. Reasonable efforts should be made to limit processing to the minimum necessary. d. Data quality. The responsible person should at all times ensure that personal data is accurate, sufficient and kept up to date in such a way as to fulfill the purposes for which it is processed. The period of retention of the personal data shall be limited to the minimum necessary. Personal data no longer necessary to fulfill the purposes that legitimized its processing must be deleted or rendered anonymous. e. Openness principle.The responsible person shall provide to the data subjects, as a minimum, information about the responsible person's identity, the intended purpose of processing, the recipients to whom their personal data will be disclosed, and how data subjects may exercise their rights. When data is collected directly from the data subject, this information must be provided at the time of collection, unless it has already been provided. When data is not collected directly from the data subject, the responsible person must inform him or her about the source of personal data. This information must be provided in an intelligible form, using clear and plain language, in particular for any processing addressed specifically to minors. f. Accountability. The responsible person shall take all the necessary measures to observe the principles and obligations set out in the resolution and in the applicable national legislation and have the necessary internal mechanisms in place for demonstrating such observance both to data subjects and to the supervisory authorities in the exercise of their powers.

What are the sources of Personal Information

a. Public Records- Info collected and maintained by govt my be available to the Public. Example- Property ownership b. Publicly available Information - Info available to a wide range of people- Traditional phone books have names and ph.#Search engines-News stories. c. Nonpublic information- Not generally available to public -Example - Financial info, medical records, adoption records. "Organizations should be alert to the possibility that the same information may be public record, publicly available and nonpublic. For example, a name and address may be a matter of public record on a real estate deed, publicly available in the telephone book, and included in nonpublic databases, such as in a healthcare patient file. To understand how to handle the name and address, one must understand the source that provided it—restrictions may apply to use of the name and address in the patient file, but not to public records or publicly available information."

Council of Europe Convention (1981) "Automatic Processing of Personal Data ("Convention 108")"

a. Quality of data. Data of a personal nature that is automatically processed should be obtained and stored only for specified and legitimate purposes. Data should be stored in a form that permits identification of the data subject no longer than needed for the required purpose. b. Special categories of data. Unless domestic law provides appropriate safeguards, personal data revealing the following categories cannot be automatically processed: racial origin, political opinions, religious beliefs, health, sex life or criminal convictions. c. Data security. Appropriate security measures should be taken for files containing personal data. These measures must be adapted for the particular function of the file as well as for risks involved. d. Transborder data flows. When transferring data from one party of the Convention to another party, privacy concerns shall not prohibit the transborder flow of data. Exceptions to this provision include special regulations concerning certain categories of personal data.

U.S. Health, Education and Welfare FIPs (1973)

a. There must be no personal data record-keeping systems whose very existence is secret b. There must be a way for a person to find out what information about the person is in a record and how it is used c. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the individual's consent d. There must be a way for a person to correct or amend a record of identifiable information about the person e. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for its intended use and must take precautions to prevent misuse of the data