As the year is coming to an end, the industry is speculating about the release date of the Health Information Technology for Economic and Clinical Health Act (“HITECH”) final rule. The final rule is expected to address modifications to the Privacy, Security, Enforcement, and Breach Notification Rules, and with the release date yet to be determined, it is important for Covered Entities and Business Associates to be prepared for the upcoming changes.
This post was written by Cynthia O'Donoghue.
With a need for mobile access to data and the influx of innovative and affordable cloud computing products to global markets, organisations are shifting towards a greater use of the cloud. In response to its growing popularity, the Information Commissioner’s Office (ICO) has published guidelines on data protection compliance issues surrounding cloud computing. The practical guidelines not only provide a high-level analysis of how to apply data protection rules to cloud contracts, but also consider the various issues surrounding migration to the cloud and provide a checklist for those organisations adopting cloud services.
The distinction between data controller and data processor is of critical importance to data protection and can be complex in relation to cloud computing. The ICO helps navigate this issue by demonstrating data controller and processor roles in various scenarios. The cloud customer is generally considered the data controller as it determines the purposes and the manner in which any personal data are being processed. The ICO suggests that the precise role of the organisation that owns and operates the cloud service (“Cloud Provider”) should be reviewed in each case in order to determine whether or not it is processing personal data.
Data controllers, to remain compliant with the UK Data Protection Act, must consider the following key areas:
- Assess personal data and the risk to that data by putting it into the cloud.
- Obtain sufficient guarantees from the cloud provider about security measures. The ICO supports the use of industry-recognised standards.
- Protect personal data in transit through use of encryption, especially where sensitive data is being processed.
- Ensure measures are in place to prevent unauthorised access, including individual usernames and passwords for each cloud user.
- Institute a continual cycle of monitoring, review and assessment of the cloud provider’s security controls.
- Data Retention and Deletion
- As most cloud providers are likely to have multiple copies of data stored in various locations for disaster recovery, cloud customers should ensure that all copies of personal data no longer required can be deleted securely and in a timely manner.
- If it is not possible to obtain audit rights because of shared cloud services, the ICO recommends an independent third party to avoid the need for each customer to conduct a separate audit.
- The cloud provider should only be permitted to process personal data for specified purposes and not without the agreement of the cloud customer.
- Data Transfer
- Cloud servers may be located outside the UK, which can make it difficult to establish where data is being processed. The cloud customer should therefore request from the cloud provider a list of countries where data will be processed and the safeguards in place in each location. Furthermore, the cloud provider should explain when data will be transferred to those locations.
The ICO recognizes the benefit of cloud computing and this new guidance contains pragmatic suggestions to assist organizations in conducting due diligence on a cloud supplier, and in ensuring data protection compliance.
Obama Administration Finalizes Its Privacy Framework: DOC Steams Ahead with Privacy Regulatory Blueprint in the Absence of Federal Privacy Legislation
Today, in a ceremony with much fanfare, Secretary of Commerce John Bryson and Federal Trade Commission Chairman Jon Leibowitz outlined the Obama administration's privacy blueprint for a "consumer bill of rights." Shortly thereafter, the Department of Commerce released its long-awaited consumer privacy green paper entitled, "Consumer Data Privacy in a Networked World" (the "Final Report"), which follows up on a draft staff report issued well over a year ago [see our previous post, Privacy: A Washington Tale of Two Reports].
Knowing that privacy legislation will be difficult to pass this year, the administration also laid out a set of voluntary privacy standards in the Final Report that could be adopted by industry in the absence of legislation. The Commerce Department indicated today that it is confident industry will adopt this cooperative approach for a privacy public-private partnership. Secretary Bryson also indicated that his office already conducted extensive outreach with Internet companies, data collection companies, retailers, ad networks, privacy advocates, academics and consumer groups to encourage the voluntary adoption of seven data-handling principles:
1. Individual Consumer Control of Data Through Choice Mechanisms
2. Greater Consumer Transparency
3. Respect for Data Context
4. Secure Handling of Data
5. Consumer Data Access & Correction Rights (Data Hygiene)
6. Focused Collection (Data Minimization)
7. Accountability (through audit controls and vendor contractual obligations)
Such a voluntary code, however, comes with a carrot and an eventual stick. The carrot: FTC enforcement actions regarding online privacy matters are ongoing. As indicated in the Final Report, if the industry adopts any voluntary code that is developed, then in any investigation or enforcement action based on an FTC Section 5 unfair and deceptive trade practices action, the FTC would consider a company's adherence to the voluntary codes favorably. The stick comes in a few weeks. The Federal Trade Commission is expected to release its Final Staff Report on Consumer Privacy that will be in sync with the administration's blueprint. Non-adherence to a Final FTC Staff Report could be used as evidence of a Section 5 violation, even in the absence of any general privacy federal legislation.
In the coming weeks we will be releasing more granular guidance on how companies should begin evaluating their respective privacy practices, as well as other elements of the staff report (i.e., international harmonization, the role of U.S. state attorneys general, and DOC support of national data breach standard legislation).
This post was written by Amy S. Mushahwar.
Today, in response to the controversy surrounding cellphone tracking software from Carrier IQ, U.S. Representative Edward Markey (D-MA) released a draft of a cellphone privacy bill.
As background, the Carrier IQ software first made headlines in November, when a researcher posted a YouTube video claiming to show that the Carrier IQ software records users' every keystroke, including the websites they visit, the contents of their text messages and their location. Carrier IQ, a California-based software company, says its software is installed on 140 million phones, but that the company does not track keystrokes or users' locations. Carrier IQ now faces a federal investigation and multiple lawsuits on this matter.
The Markey legislation aims to remedy the perceived privacy deficiencies. In its present form, the Markey discussion draft would require companies to:
- Disclose any mobile tracking software when a consumer buys a device (or after sale if it is later installed by a carrier or placed within a mobile application downloaded).
- Notify consumers what information may be collected, any third parties to which the information would be disclosed and how such information will be used.
- Obtain express consent before the tracking software collects or transmits information.
- Require any third party receiving collected personal information to have policies in place to secure the information.
- Require any third parties to prepare and file agreements on information with the Federal Trade Commission (FTC) and Federal Communications Commission (FCC).
Additionally, the legislation contemplates outlining an enforcement regime for the FTC and FCC, along with State Attorney General enforcement and a private right of action. Representative Markey is the co-chair of the Bi-Partisan Congressional Privacy Caucus, and he has previously investigated the privacy and data security practices of Google, Apple, Facebook, Amazon, and others.
A few days after BlackBerry manufacturer Research in Motion (RIM) conceded to provide Indian security agencies with access to its encrypted data, India’s Home Minister P. Chidambaram held “security to be more important than privacy”.
Security concerns in India have certainly risen following the terror attack on Mumbai in November 2008, the worsening violence in the disputed region of Kashmir and a rising Maoist insurgency in a mineral-rich territory of the East. And certainly, such concerns may be heightened by the fact that attacks are often coordinated using mobile phones, satellite phones and voice over internet calls. These mounting fears over terrorism have led the Indian Government to demand from its first target, RIM, full access to the encrypted data of BlackBerry users in India.
Canadian company RIM refused this request on technical grounds, arguing that the information would be impossible to provide. However, knowing that RIM provides data to other countries, the Indian Government stood firm on its demand: then why not India? While the private service offered by RIM, BlackBerry Internet Service (BIS), uses RIM's own servers for communication, RIM maintained that it is not possible for it to access the business service, BlackBerry Enterprise Service (BES). Indeed, the level of privacy afforded to RIM’s corporate customers is a strong selling point, and providing governments with access to email communication for surveillance purposes has the potential to breach a fundamental principle of RIM's business approach: customers' trust in the confidentiality of their communications.
Following RIM's refusal to grant access, the Indian Government issued an ultimatum: if they did not grant full access to all data (encrypted or not), India would block the mail service of the smart phone manufacturer entirely. Fearing this ban on their business in India, one of the fastest growing smart phone markets of the world, RIM conceded to the Indian Government's requests and made several suggestions to resolve the issue of providing access to their data. The decision made by Nokia, RIM’s main competitor in the region, to set up servers in India to facilitate government monitoring, may well have weakened any bargaining position that RIM were hoping to play on.
The measures to be adopted by RIM have yet to be made public, but the proposals are seemingly sufficient for the Indian Government to grant a two-month grace period to evaluate RIM’s suggestions. While the reprieve offers BlackBerry users in India some breathing space, it is unclear whether RIM will be in a position to satisfy the interests of both the Indian Government in security and surveillance and its customers in ensuring the privacy of their communications. India’s Home Secretary is due to meet officials from the Department of Telecommunications, the Intelligence Bureau and the National Technical Research Organisation on Monday the 6th of September to discuss BlackBerry security issues.
In light of this development and the Indian Government’s priority on national security over privacy, there is likely to be mounting fear amongst similar online communications companies that they may be the next target and have to provide access to encrypted data transmitted online. RIM has faced similar issues in other countries, including Saudi Arabia, the United Arab Emirates, Lebanon and Indonesia.