01-14 February 2014


WW – Facial Recognition Tech Used in Sochi; Expanded Uses Expected

Facial recognition software is being used at the international airport in Sochi, Russia. Made by U.S.-based Artec Group, the technology uses a 3D camera to identify individual faces with the intent of improving airport security. Artec Group Chief Executive Artyom Yukhin said the software can differentiate between identical twins, isn’t fooled by disguises and has been tested in airports around the world, the report states. Meanwhile, a World Economic Forum report predicts that facial recognition will be implemented as part of fully automatic check-in systems at airports and border crossings by 2025. And last week, the U.S. NTIA kicked off talks aimed at creating a voluntary code of conduct for facial recognition technology. [San Jose Mercury News] See Also: [Security and privacy; As the balance shifts] and [Exit records: Crossing the border can be a matter of public concern]

US – NTIA Holds 1st Meeting on a Facial-Recognition Code of Conduct

The Department of Commerce’s National Telecommunications and Information Administration yesterday held the first of a series of meetings aimed at creating a voluntary code of conduct for the development and implementation of facial recognition technology. The meeting, which hosted stakeholders spanning advocacy and industry, was primarily a chance for the group, as well as the 100 or so watching the live webcast, to hear from experts on how the technology works, how it’s currently being applied and for what reasons, and what it might be capable of accomplishing in the future. [The Privacy Advisor]

US – FBI on Track for Facial Recognition Database

New documents released by the FBI indicate the agency is headed toward its goal of a fully operational facial recognition database by this summer, the Electronic Frontier Foundation (EFF) reports. The records were obtained in response to an EFF Freedom of Information Act lawsuit over the FBI’s plans for its Next Generation Identification biometric database that may hold records on up to one-third of the U.S. population, the report states. [EFF] See also: [Facial recognition software used to track dingoes]

EU – French DNA Sweep Exposes Differing Cultural Norms

The differing privacy norms in France and the U.S. are illustrated through the prism of a case where a high school student was raped and more than 500 male students and staff willingly submitted to DNA testing to help find the rapist. One expert said that although the French value their privacy, the case has not sparked a mass outcry because of its criminal context. In the U.S., the case likely would have raised civil rights and Fourth Amendment violation concerns, the report states. Pascale Gelly said, “France takes data privacy very seriously,” adding, “Massive testing will always raise privacy issues, and that’s good because it’s always important to (ask) the question, ‘Is it proportionate or not?’” [The Christian Science Monitor]

WW – As Facial Recognition Uses Expand, Privacy Concerns Abound

Companies are working on facial recognition-based “VIP identification” for hotels and other businesses, expanding “shoplifter-identification services with parallel programs to help retailers recognize customers eligible for special treatment.” Meanwhile, law enforcement agencies in one California county are “testing facial recognition technology to help identify people in the field.” A National Telecommunications and Information Administration event this week is expected to look at issues related to facial recognition technology, the report states, noting that on the topic of facial recognition, the Federal Trade Commission’s Jessica Rich has said, “This is another reason that we need omnibus privacy legislation.” Across the globe, Japan’s National Institute of Information and Communications Technology plans to test facial recognition at Osaka’s train station. [The New York Times]

US – Legislators Considering Regulating Biometrics

Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems.” The legislators are examining the issue in the wake of outrage from parents who learned last year that “students’ eyes were being scanned as a condition of boarding school buses in central Florida’s Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children’s data is taken,” the report states. [Reuters]

Big Data

WW – Coalition Demands Public Involvement on Study

The White House met with a coalition of consumer, civil liberties and privacy groups Monday after the group called on President Barack Obama to review the recently announced study, “Big Data and the Future of Privacy.” EPIC, the Center for Digital Democracy and the ACLU are among the groups that signed a letter to the White House’s Office of Science and Technology Policy requesting public involvement in the process. The meeting was the first in a series the White House has planned to gain varied perspectives. [The Hill]

WW – Scientists Using Tweets to Determine Flu Outbreaks

Scientists from Pennsylvania State University say they’ve developed a way to find Twitter posts that identify viral illnesses. In a recently published paper, “On the Ground Validation of Online Diagnosis with Twitter and Medical Records,” researchers say they’ve created “a system for making an accurate influenza diagnosis based on an individual’s publicly available Twitter data.” The researchers say they were able to determine, with 99-percent accuracy, whether an influenza outbreak was occurring by combining text analysis, anomaly detection and social network analysis. In 2008, similarly, Google began estimating flu infections by tracking flu-related search terms. [InformationWeek]

US – When and How Your Middle Name Could Become “Is a Slut”

How did political writer Lisa McIntire end up with “Is a Slut” as her middle name on the address line of a letter from Bank of America? And how did Mike Seay end up with information about his daughter’s death on his mailing from OfficeMax? “In tort law, we would call it negligence,” writes Ryan Calo. “A data broker collected information about a tragic death and accidentally sold it,” he adds, and the companies’ screening processes didn’t catch these blunders. “The truth is that there are consequences to obsessively compiling information about consumers and promiscuously sharing it.” [Forbes]


CA – Canada Privacy Officials Seek Changes to Oversee, Limit Government Surveillance

The Canadian government should strengthen its privacy policies to ensure that actions taken in the name of national security don’t have an adverse impact on Canadians’ expectations for personal privacy, Chantal Bernier, the interim chief of the Office of the Privacy Commissioner of Canada, said in a Jan. 28 special report to Parliament. Measures to improve transparency, modernize privacy statutes and boost Parliament’s oversight are needed to address privacy in the context of national security, Bernier said in a statement accompanying the report. “While a certain level of secrecy is necessary within intelligence activities, so is accountability within a democracy,” she said. The report recommended that Parliament:

  •  improve oversight and reporting mechanisms, including requiring the agency Communications Security Establishment Canada (CSEC) to disclose annual statistics on its communications interception activities on behalf of other federal agencies;
  •  modernize the federal privacy protection regime through amendments to the Personal Information Protection and Electronic Documents Act and the Privacy Act, including adding stronger provisions on exchanges of personal information with foreign authorities and investigations that exploit online sources and social network sites;
  •  increase legal recourse for individuals under the Privacy Act, which covers information maintained by the government; and
  •  strengthen accountability by increasing the powers of federal bodies that provide oversight for national security operations, clarify and update other legal authorities that govern intelligence operations and enhance Parliament’s oversight of intelligence activities.

The federal privacy office wasn’t the only data protection authority in Canada calling for changes in the wake of surveillance revelations. Ontario Privacy Commissioner Ann Cavoukian on Jan. 28 issued a statement calling on the federal government to improve its transparency and accountability, particularly in the activities undertaken by the CSEC. Edward Snowden’s “brave sacrifices” in releasing details of privacy-invasive activities by intelligence agencies in the United States have demonstrated the significant dangers associated with unchecked state powers, Cavoukian said. [Source] See also: [Spy agency’s work with CSIS, RCMP fuels fears of privacy breaches]

CA – Alberta to Update Law

Alberta will “amend one of its main privacy laws this fall to comply with a Supreme Court of Canada judgment that found the legislation unconstitutional.” The court struck down the province’s entire Personal Information Protection Act in November in a case involving a union that photographed individuals crossing a picket line, giving Alberta a year to revise the law. “It is the government’s intention to pass the amendments early in the fall 2014 session to comply with the court’s ruling,” Service Alberta’s Gerald Kastendieck said Wednesday. The amendments will “focus on unions and picketing,” the report states, noting, “There won’t be a general review of the 10-year-old legislation this year.” [The Canadian Press]

CA – Premier Calls for Changes to Restrictions

Newfoundland and Labrador Premier Tom Marshall is calling for the government to launch an “about-face review of access-to-information restrictions that it has staunchly defended.” Bill 29 included changes to the Access to Information and Protection of Privacy Act and was passed in 2012. Critics have described it as “regressive and even dangerous,” the report states. Marshall said, “One of the things I said we were going to do is we’re going to listen to the people of the province. And I think people have real concerns over Bill 29.” Meanwhile, a former inmate at the Ottawa-Carleton Detention Centre who was allegedly attacked by a guard has been denied access to his medical records, Ottawa Citizen reports. [The Globe and Mail]

CA – Gary Dickson Leaves Role as SK Information and Privacy Commissioner

The end of the month brings an end to Gary Dickson’s term as Saskatchewan’s Information and Privacy Commissioner. Dickson took up the position on November 1, 2003 as the first privacy commissioner in Saskatchewan and was reappointed in 2009 for another term. Before that, Dickson served as an MLA in Alberta for nearly ten years, during which time he helped develop Alberta’s Freedom of Information and Protection of Privacy Act and the Health Information Act. Dickson and his team have issued 94 reports on their website and provided a great deal of information to the provincial government. Not all of his recommendations have been followed over the years, but that is something Dickson said never really frustrated him. [Source]

CA – Nova Scotia Commissioner Calls Her Removal ‘A Lack of Respect’

Nova Scotia’s privacy and information watchdog says she was shocked to learn the government is replacing her. Dulcie McCallum has been Nova Scotia’s freedom of information and protection of privacy officer for seven years and said she expected a reappointment. Instead, she was given two weeks’ notice. McCallum said she’s been working “night and day” in the post. “For me personally and for the public, it just kind of shows a lack of respect for me and the office and our work. And if you don’t get reasons, somehow it tends to impugn the character of the person. [It] is unfair to not provide reasons,” she said. “If you are tenacious as an independent office, then often people don’t want that who are the governing party. They don’t want to have that kind of independent, impartial, non-partisan oversight in place.” [Source]

CA – CSEC’s Collection of Metadata Shows Ability to ‘Track Everyone’

Recent allegations about domestic spying and the collection of “metadata” by one of Canada’s security agencies have inspired a great deal of confusion about the precise nature of the surveillance. John Forster, head of the Communications Security Establishment Canada, appeared before the Senate security and defence committee Feb. 3 and answered questions about a CBC report that said CSEC had used airport Wi-Fi to follow the movements of Canadian travellers. In this particular case, Forster denied that CSEC had snooped on Canadians, saying the agency had accessed airport Wi-Fi to capture “a snapshot of historical metadata.” [Source] [Security officials deny violating Canadians’ privacy in airport operation]


US – Bank, Retail Groups Combine Efforts to Protect Consumers

Bank and retail industry groups have announced a new partnership focused on sharing information about cybersecurity threats and improving consumer protection technologies, reports Reuters. While Tim Pawlenty, chief executive of the Financial Services Roundtable, notes, “There’s going to continue to be differences on things like the costs of issuing replacement cards” after a breach, the groups can “benefit from learning from each other on internal system resiliency and improvement in best practices” as well as “state-of-the-art cyber defenses.” The associations plan to form working groups and also to focus on protecting mobile payments and on thefts that don’t involve payment cards. [Reuters]

US – Start-Up Offers Cash to Track Users

Datacoup is a company running a beta trial offering consumers money in exchange for access to their online habits. For $8 a month, users allow the company access to a combination of their social media accounts and the feed of their credit and debit card transactions. Datacoup plans on turning a profit by offering businesses access to mined, anonymized data. CEO Matt Hogan said, “If a consumer wants to make an educated decision, they should be able to sell their data to who they want.” Carnegie Mellon’s Alessandro Acquisti cautions that Datacoup doesn’t really give consumers control of their data because social media and financial sites still retain it, and consumers get money now, but may regret it later. “Measuring privacy trade-offs is exceedingly hard,” Acquisti added. [MIT Technology Review] See also: [Sell Your Personal Data for $8 a Month]

US – Marketer Plans to Build Its Own Database

Kimberly-Clark Co. is aiming to shift from selling its products through retailers and instead build its own “deal database” through a promotion-analytics firm. While the company has been tracking how often and where people redeem digital offers as well as how often they share them with friends via social media, it now wants to collect data—via informed consent—that it can use in less anonymous ways for more engaging promotions and targeting. Meanwhile, Twitter has acquired Gnip—a company that specializes in collecting, organizing and sharing social data, which Twitter says will help it provide “more sophisticated data sets and better data enrichments” for developers and businesses. [Advertising Age]

WW – Microsoft: Notice and Consent Overburden the User

Microsoft’s Scott Charney discusses the future of commercial data privacy models, a topic he also discussed at the IAPP Global Privacy Summit in March. Because the availability of data is “rapidly changing how businesses operate,” a “whole range of new privacy challenges” have presented themselves, while the rules on privacy haven’t kept pace, Charney writes. While notice and consent are important, they are antiquated models that overly burden the user. The way forward? Increased organizational accountability, new enforcement models and a focus on risk assessments, to start. [The Huffington Post]

WW – Google Updates Terms to Reflect Content Analysis

Amidst controversies with privacy groups over its scanning of user e-mail, “Google has updated its terms of service to reflect that it analyzes user content including e-mails to provide users tailored advertising, customized search results and other features.” The report highlights actions around Google’s practices and quotes the new terms of service, which went into effect Monday, as stating, “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.” [PC World]

US – Tips to Determine If Your Printer has Internal Storage

Some high-end printers and copiers retain digital copies of documents in their internal storage. This report offers tips from its lead analyst for printers and scanners, M. David Stone, on how to determine whether your printer is one of those, and if it is, what precautions to take to be sure it’s inaccessible when you get rid of it. If your printer has private printing or the ability to re-order the print queue via an embedded webpage, it may have internal storage capabilities, Stone says. When in doubt, he recommends opening it up and poking around: “Take it out to the street, and bang on it with a hammer until the insides rattle nicely,” says Stone. [PC Magazine]

US – Who Can See My Fitness Data?

Wristband fitness devices carry a potential risk that the data they collect could end up in corporate hands. In a speech last week, the Federal Trade Commission’s Jessica Rich discussed the potential implications, such as that health data could be “collected and then sold to data brokers and other companies she does not know exist”—a concern, considering the devices collect data such as sleep quality, weight and even GPS location at times. Meanwhile, a new mobile app allows users to determine if other mobile apps are collecting their location information. [MotherJones]


US – Judge Dismisses EPIC’s Suit on Expanded Data Access

A federal judge has ruled that the Electronic Privacy Information Center (EPIC) lacks standing to challenge the expansion of access to public school students’ data. EPIC sued the U.S. Department of Education under the Family Educational Rights and Privacy Act, “claiming the government exceeded its statutory capabilities by changing the definitions of key terms within the law,” the report states. Meanwhile, Fordham law Prof. Joel Reidenberg said recently that outsourcing, lack of transparency, vague contracts, outdated laws and new pushes for data analytics are to blame for the current risk to student privacy. [Courthouse News Service] SEE ALSO: [CA – Federal government tweets take weeks to produce]


US – Brill Talks Big Data, Cookies and Mobile Devices

Federal Trade Commissioner Julie Brill took to Twitter yesterday, taking questions on the partnership between the U.S. and EU on data processing, the use of mobile devices in healthcare and a potentially cookie-less web ecosystem. The full conversation is at #FTCpriv. Here at the IAPP, we’ve collected the highpoints of the hour-long chat for your reading pleasure. [Full Story]

Electronic Records

US – Patient Access to Info Strengthened

The Department of Health and Human Services is strengthening patient rights to access laboratory reports. “The right to access personal health information is a cornerstone of the Health Insurance Portability and Accountability Act Privacy Rule,” HHS Secretary Kathleen Sebelius said. The final rule allows labs to give patients or their designees “access to the patient’s completed test reports on request,” the report states. The changes allow patients to “obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.” [UPI] See also: [NS: Electronic health record pilot project attracts thousands] See also: [DOD Electronic Health Records Help VA Disability Claims]

US – Tiger Team Needs Help on Privacy Work

The ONC’s Health IT Policy Committee’s Privacy and Security Tiger Team is calling for public comment on privacy and policy concerns surrounding patients giving others access to their health information. Led by committee Chair Deven McGraw, the panel is asking for input prior to its next meeting, slated for Feb. 10 at 2 p.m. Because patients can access relevant healthcare information through view/download/transmit, the Tiger Team is considering whether there are additional privacy and security policy issues that need to be resolved when family or friends access the data. Among the questions the Tiger Team will tackle:

  • Are there policy issues that need further resolution regarding personal representative access to view/download/transmit accounts?
  • How do healthcare providers confirm that an individual is, in fact, a personal representative?
  • How are patients’ friends and family provided with credentialed access to view/download/transmit accounts?
  • Is this access “all or nothing,” or are there more granular options? If the latter, how does this get accomplished? [Source]

US – Courts Tackle Privacy of Delivered Texts, Voicemails

The Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act. [Law360 reports]


CA – Two Sites Concede Heartbleed Data Losses

Two websites, Canada’s tax authority and a British parenting website, have said some of their users’ data has been compromised as a result of the Heartbleed bug, and these are the first two admissions stemming from the now infamous OpenSSL security vulnerability that was exposed last week. The Canada Revenue Agency (CRA) blocked online public access to its site last week. “Regrettably, the CRA has been notified … of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said. British parenting site Mumsnet assured its more than one million users it “followed all the published steps to protect members’ security … but it seems that the breach occurred prior to that risk becoming known.” [PC World]

EU Developments

EU – MEPs: Trade Deal Should Not Pass Without U.S. Privacy Reforms

The LIBE Committee approved a report stating the European Parliament should not agree to the EU-U.S. trade deal, the TTIP agreement, unless it fully respects EU citizens’ data privacy. The report, which passed the committee by a 33-7 vote, condemns the “vast, systemic, blanket collection of personal data of innocent people, often comprising intimate personal information.” The committee also “voted against calling for asylum protection for former U.S. intelligence agency contractor and whistleblower Edward Snowden,” EUObserver reports. Meanwhile, EDPS Peter Hustinx recently discussed NSA surveillance and the forthcoming reforms of the data protection regulation, and the European Agency for Fundamental Rights has released its official agenda for the EU, which includes recommendations on the EU data protection framework. [Help Net Security]

EU – German Court of Justice Clarifies Rules on Credit Scoring, Access

Germany’s Federal Court of Justice has clarified data subjects’ rights of access to their credit scores under the Federal Data Protection Act. “While credit reference agencies must disclose all personal data referred to in the Federal German Data Protection Act,” they do not have to disclose their methods in determining the score. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Takeaways from the First Cookie Consent Fines

Last month, Spain’s Data Protection Authority (DPA) issued its first fines since its implementation of the EU “cookie consent” requirement, prompting Nuria Pastor to write of the messages to take away from this case. Among those takeaways, Pastor writes, “Even though cookies are part of our everyday life, European regulators perceive the use of cookies as intrusive—this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.” She also cautions that “the grace period has long been over. If you have not already done so, it is important to get your house in order now.” [Privacy and Information Law Blog]

WW – Google Fights CNIL Request in Court

Google has asked a French court to suspend an order requiring it to post a message on its French home page notifying users of the privacy fine levied by France’s data protection authority (the CNIL). A Google lawyer has argued that posting the notice of the 150,000 euro ($204,000) fine causes irreparable damage to the company’s reputation. Patrice Spinosi, a lawyer representing Google, said, “This is something we’ve never seen before … Google has always maintained that page in a virgin state.” The CNIL has said that users of Google’s home page have the right to know that Google has been sanctioned. [The Wall Street Journal]

EU – Hawkes Will Not Seek Reappointment as DPC

When his current term comes to an end next year, Data Protection Commissioner (DPC) Billy Hawkes will not be seeking reappointment. He was appointed DPC nine years ago, back when “Gmail was still in beta; Facebook was only open to a handful of colleges, and Steve Jobs was secretly designing a mobile phone.” Mark Milian writes that although “Hawkes says he won’t seek reappointment in 2015 when his current term as commissioner ends … he should have plenty to do before then” with Twitter and Dropbox operations in Ireland, the current examination of LinkedIn’s policies and the DPC’s placement “in the middle of a tech tug of war.” [Bloomberg BusinessWeek]

EU – Yahoo Moves to Ireland, Preps for DPC’s Audit

Yahoo will undergo a privacy audit by the Irish Data Protection Commissioner (DPC) following the company’s announcement to the DPC that it would move all of its data processing facilities in Europe to Ireland. DPC Billy Hawkes said it’s standard procedure to audit any Internet firms processing personal information in Ireland; Hawkes’ office is now completing an audit of Dublin-based LinkedIn. Hawkes has recently voiced disapproval of public-sector entities’ handling of personal data—even calling out the Department of Social Protection as being “substandard” in its protection methods. [Independent]

Facts & Stats

WW – Tech Giants Publish Updated Government Data Request Stats

Google, Microsoft, Apple, Yahoo, Facebook and LinkedIn published new U.S. government data request statistics this week, following the resolution of a lawsuit with the U.S. Department of Justice. The reports show a dramatic uptick in NSA data requests over the past year, the report states. A representative from the ACLU said though the reports were helpful, “they’re not nearly enough” for the public to assess the scope of the requests. In other surveillance-related headlines, Wired reports on a case involving the government order to Lavabit to hand over its SSL keys, and the Chaos Computer Club is suing the German government for allegedly helping foreign intelligence services—including the NSA and the UK’s GCHQ—monitor German citizens and compromise their privacy, ZDNet reports. [CNet News]

WW – Facebook Addresses New Vulnerability

App privacy firm MyPermissions found this week what it called “a worldwide vulnerability” in Facebook’s mobile apps. Essentially, developers could force the app to crash every time a user tried to revoke that app’s permission to access information. Thus, access was left open to personal data on the tablet or phone. MyPermissions quickly contacted Facebook and Facebook quickly responded to fix the issue. “They did a fantastic job of getting in touch with us very quickly,” said MyPermissions CEO Olivier Amar. “Facebook takes this very seriously, and I’m very impressed by them.” While no official word has been issued, the report states the bug was likely fixed by end of day Thursday. [Yahoo! News]


US – Audit Finds Most Tax Apps Lacking in Privacy, Security

Hewlett-Packard (HP) has warned consumers that many mobile financial apps contain at least one privacy violation, such as unencrypted data storage and transmission and access to user contact lists and geolocation. “The bottom line is that even with all the best intentions of providing fast tax-filing assistance, mobile tax apps could put users at risk,” said HP’s Maria Bledsoe. Privacy does not appear to be designed from the beginning for many of these apps. “A lot of companies are looking at mobile apps as a fancy user interface, and they’re putting their protection on the back-end behind the firewall,” Bledsoe said, adding, “they’re not realizing yet that this is yet another attack vector and is an entry point for the hackers.” [TechCrunch]

US – Lawyer-Specific App Helps Bolster Attorney-Client Privilege

This report looks at the importance of keeping communications with clients protected—in this case, in family and employment law—and at an app that helps do just that. Privatus, which has been designed with lawyers in mind, is a messaging app that helps keep communications confidential and, according to the report, is not subject to legal discovery. Third parties involved in transmitting the encrypted data never see the content, and such data is not subject to subpoena, the report states. [Inside Counsel]

US – Citing Privacy Concerns, Dentist Now Accepts Bitcoin

A Florida dentist is now offering patients the option of paying for services with Bitcoin, citing recent data breaches at major retailers and “the prevalence of medical identity fraud in the healthcare industry.” Dentist Mitchell A. Pohl explained, “I try to stay on top of cutting-edge technology and thought it was only natural to start accepting Bitcoin.” Bitcoin includes “guaranteed anonymity,” the release states, allowing patients to keep Bitcoin medical payments private from their financial institutions. [PRWEB release] See also [Bitcoin Exchanges Under ‘Massive and Concerted Attack’]


WW – Pulitzers Awarded for NSA Reporting; Reforms Draw Criticism

The Washington Post and The Guardian have received the top award in U.S. journalism for their coverage of National Security Agency (NSA) surveillance practices. The Pulitzer Prizes announcement hails The Guardian for its “distinguished example of meritorious public service by a newspaper or news site through the use of its journalistic resources” and The Washington Post “for its revelation of widespread secret surveillance … marked by authoritative and insightful reports that helped the public understand how the disclosures fit into the larger framework of national security.” Meanwhile, The Hill reports “the secrecy surrounding (NSA) reforms is getting blowback from tech companies and privacy activists” who believe the Obama administration’s “policy appears to be riddled with loopholes and won’t make the Internet any safer.” [Full Story] See also: [Tech’s biggest players hire first NSA lobbyist]

WW – Twitter Wants to Tell Customers More

Though the Department of Justice recently announced a deal with major Internet firms to “allow more detailed disclosures about the number of national security orders and requests,” Twitter says the deal doesn’t go far enough. A blog post by Jeremy Kessel, manager of global legal policy, reads, “While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public.” Twitter wants to disclose numbers of national security requests of all kinds separately from all other requests and believes the ranges are too broad to be meaningful. Further, Twitter wants to disclose “that we do not receive certain types of requests, if, in fact, we have not received any.” [Full Story]


CA – Budget provides for new DNA index, other criminal-justice measures

Ottawa says it wants to create a new DNA index to help police identify human remains and bring closure to the families of people who have disappeared. The plan is among several justice-related initiatives in the 2014 budget, which also contains new funding to deal with provincial court delays and address persistent concerns about missing and murdered aboriginal women. Reforming the criminal-justice system has long been a focus for the Conservative government, which bills itself as a strong advocate for victims’ rights and tough-on-crime measures. Funding for the missing-persons index would allow police forces and coroners to submit DNA samples and other information to a central system whenever unidentified remains are found. The budget does not detail how the new index would work, but advocates suggest it could be set up to automatically test new submissions against samples given by the families of missing persons and data that is already collected from some crime scenes and convicted offenders. [Source]

Health / Medical

US – HIPAA Changes Prompt Lab Data Privacy Priority

Recent changes by the Department of Health and Human Services (HHS) give patients the right to access their laboratory information. “Now that patients are legally entitled to their medical results from the lab,” the article states, “these laboratories must take further steps to ensure data doesn’t get into the wrong hands.” According to an HHS estimate, more than 22,000 laboratories will have to spend between $2 million and $10 million combined to develop interoperability systems to allow secure access, and, each year, labs could see as many as 3.5 million requests from patients or their representatives. [InformationWeek] See also: [Unsecure faxes put health data of Albertans at risk]

US – HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth

The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.” [The National Law Review] See also: [Medical ethics overtaken by technology: Goar]

US – Gov’t Launches Contest; Google Cloud Now HIPAA-Friendly

The Office of the National Coordinator (ONC) for Health IT and the HHS Office for Civil Rights (OCR) recently developed new model notices of privacy practices and have launched a contest inviting software developers to build an online version of the notice. The Digital Privacy Notice Challenge will award $15,000, $7,000 and $3,000 prizes for first, second and third places, respectively. The submission period closes April 7. Meanwhile, Google has announced its cloud platform will now be “HIPAA-friendly.” [Health Data Management]

WW – BlackBerry Buys Tech Company, Plans Cloud-Linked Medical Device

BlackBerry has purchased “a minority stake in U.S.-based technology company NantHealth.” The partnership will see the two companies working on products including a new BlackBerry device designed for the medical industry that will link to NantHealth’s cloud networks, the report states. NantHealth says all the infrastructure will be “government-level privacy certified and allow healthcare professionals to share information securely.” NantHealth’s Patrick Soon-Shiong said, “The future of the healthcare industry requires the ability to share information securely and quickly, whether device-to-device or doctor-to-doctor anywhere and at any time.” [The Canadian Press]

CA – Researcher-Participant Confidentiality Now a Formal Concept in Cdn Law

The successful quashing of a search warrant for confidential research records has changed the landscape for protecting research participants in Canada, says a research confidentiality expert. John Lowman, a criminology professor at Simon Fraser University in Vancouver, British Columbia, says the court decision made researcher-participant confidentiality privilege a formal concept in Canadian law. However, the privilege won’t apply automatically to all confidential data; the ruling from Quebec Superior Court underscores that it must be argued on a case-by-case basis. [Canadian Medical Association Journal]

Horror Stories

UK – Hackers Infiltrate Computer Hardware Co., Medical Group

Hackers recently accessed the details of 500,000 individuals considering cosmetic surgery. The UK’s Harley Medical Group said it believes the hack was an attempt to extort money from the company; the information includes potential clients’ names, addresses and telephone numbers. Meanwhile, French computer hardware manufacturer LaCie is notifying customers that their personal information may have been compromised after hackers used malware on its website to intercept transaction data. Customers who bought products between March 2013 and March 2014 may have been affected. [The Guardian]

US – Store, Healthcare Entities, Hotels, Bank Announce Breaches

A number of brands have announced breaches this month, including Tesco, whose customer accounts were compromised not through a flaw in its own systems but by credential stuffing: attackers replayed usernames and passwords stolen in breaches of other websites against Tesco logins, and the attempts succeeded wherever customers had reused the same credentials across sites. A U.S. senator recently called data breaches simply a “fact of life” these days, and a new report explains why brands’ stock prices may actually rise after breaches. The Privacy Advisor examines these and other recent breach reports. [Full Story]
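As an added example (not from the Privacy Advisor report or from any of the breached companies), the following Python script shows the detection logic a security operations team would run over authentication logs to spot a credential-stuffing run of the kind described for Tesco: one source address trying many distinct accounts with a high failure rate, where the few successes are the reused passwords that worked and should be treated as compromised. The log line format, the thresholds and the sample log lines are constructed assumptions for this example.

```python
"""Credential-stuffing detection over authentication log lines.

Added example, not from the original page. The log format, thresholds and
the sample lines below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict

# Assumed log line format (constructed for this example):
#   <ISO-timestamp> auth <SUCCESS|FAILURE> user=<name> ip=<addr>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: one IP trying many distinct accounts with mostly
# failures (stuffing), one IP retrying a single account (forgotten
# password), and an ordinary single login.
SAMPLE_LOG = """\
2014-02-12T10:00:01Z auth FAILURE user=alice ip=203.0.113.5
2014-02-12T10:00:02Z auth FAILURE user=bob ip=203.0.113.5
2014-02-12T10:00:02Z auth SUCCESS user=carol ip=203.0.113.5
2014-02-12T10:00:03Z auth FAILURE user=dave ip=203.0.113.5
2014-02-12T10:00:03Z auth FAILURE user=erin ip=203.0.113.5
2014-02-12T10:00:04Z auth FAILURE user=frank ip=203.0.113.5
2014-02-12T10:00:04Z auth SUCCESS user=grace ip=203.0.113.5
2014-02-12T10:00:05Z auth FAILURE user=heidi ip=203.0.113.5
2014-02-12T10:01:00Z auth FAILURE user=ivan ip=198.51.100.7
2014-02-12T10:01:05Z auth FAILURE user=ivan ip=198.51.100.7
2014-02-12T10:01:09Z auth FAILURE user=ivan ip=198.51.100.7
2014-02-12T10:01:20Z auth SUCCESS user=ivan ip=198.51.100.7
2014-02-12T10:02:00Z auth SUCCESS user=judy ip=192.0.2.44
"""


def parse_log(text):
    """Yield one dict per line matching the assumed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize_by_ip(events):
    """Aggregate per source IP: attempts, failures, distinct users, and the
    accounts that logged in successfully from that IP."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0,
                                 "users": set(), "succeeded": set()})
    for ev in events:
        s = stats[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "FAILURE":
            s["failures"] += 1
        else:
            s["succeeded"].add(ev["user"])
    return stats


def flag_credential_stuffing(text, min_users=5, min_failure_ratio=0.5):
    """Return {ip: sorted accounts that logged in successfully from it} for
    every IP that tried at least `min_users` distinct accounts with a
    failure ratio of at least `min_failure_ratio`.

    The distinct-user count is the key signal: a user who forgot a password
    fails repeatedly on one account, while a stuffing run fails across many
    accounts. The successes inside a flagged run are the reused passwords
    that worked, so those accounts should be treated as compromised.
    """
    flagged = {}
    for ip, s in summarize_by_ip(parse_log(text)).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = sorted(s["succeeded"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing suspected; successful logins on {accounts}")
```

Run directly, the script reports the stuffing source and the two accounts whose reused passwords worked; the address retrying one forgotten password is not flagged. In production the same aggregation would be done per time window and per subnet, since stuffing tools rotate through proxies, and flagged successes would trigger forced password resets rather than only an alert.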

US – FBI Says Target Breach Just a Foreshadow; More Breaches Announced

A Verizon report has found that the vast majority of companies that achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS) at their annual assessment fail to maintain it in between: only 11 percent stayed compliant from one PCI DSS assessment to the next, leaving the rest exposed to potential breaches and other security risks. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow more to come, and a number of brands have announced new breaches. [Computerworld] [PCI Standard Compliance Treated as Annual Hurdle, Not Consistent Practice] See also: [Card Breaches Pose Greatest Fraud Risk]

US – PCI SSC Says DSS is “Solid”

The Payment Card Industry Security Standards Council’s Bob Russo said the standards are solid, and the Independent Community Bankers of America said at a hearing Monday that retailers should ultimately pay for a breach when hit by one. In healthcare, a recent study revealed that breaches cost healthcare providers $1.6 billion per year. [Computerworld]

US – Hospital Faces Complaint; Device-Makers Hacked

Dignity Health is facing a federal complaint alleging it violated its patients’ privacy by using their records to help leverage a contract dispute with the Nevada Health Insurance Coalition (NHIC). The NHIC alleges hospitals owned by Dignity contacted former patients with NHIC plans to persuade them to take action “with their health plans favorable” to the hospitals, the report states. Meanwhile, hackers infiltrated the computer networks of the country’s top medical device makers—Medtronic, Boston Scientific and St. Jude Medical, San Francisco Chronicle reports. A representative from one of the companies said an investigation is underway. [Las Vegas Review-Journal]

Identity Issues

WW – Microsoft Expands Multi-Factor Authentication to Office 365 Subscribers

All subscribers to Microsoft’s Office 365 suite now have access to multi-factor authentication. Microsoft has expanded the feature, previously available only to users with administrative roles, to all users in order to strengthen “the security of user logins for cloud services.” There is no additional cost for the authentication feature. [ZDNet] [GovTech] [CNET] [blogs.office.com]

Internet / WWW

WW – Internet Giants, Users Worldwide Take Part in “The Day We Fight Back”

Protests are happening around the world today as part of “The Day We Fight Back,” a global initiative against governments’ surveillance programs. The Electronic Frontier Foundation is among those calling on Internet users worldwide to participate in the movement, which asserts mass surveillance violates human rights law. Google, Microsoft, Facebook and other tech giants have signed on to the roster of participating groups, National Journal reports. Rep. Matt Salmon (R-AZ) says the U.S. is locked in a “fight of epic proportions” over the constitutional right to privacy, The Hill reports. [Gizmodo]

Law Enforcement

US – NYPD Ends Secret Program

The New York Police Department has shut down a secret program that dispatched plain-clothes detectives into Muslim neighborhoods to spy on conversations and build detailed reports on residents. [EFF]

US – Indiana House To See Bill Restricting Police Surveillance Techniques

The House Committee on Courts and Criminal Procedure voted 6-1 to advance a bill that would limit law enforcement use of drones, GPS tracking and cellphone searches. The bill would require police to obtain a warrant prior to using any of these surveillance methods in most circumstances. Some questioned the need to include GPS tracking in the bill, as police are currently limited to using the technology in investigations and emergency situations, but one representative noted that putting the limits into law may save court battles over evidence in the future. [The Associated Press]

US – Missouri Considers Constitutional Protection for Electronics

Sen. Rob Schaaf (R-St. Joseph) has proposed a bill to amend the Missouri Constitution to include “electronic communications and data” in the items protected against illegal search and seizure. During a hearing last week, no one testified against the measure. The report states that if approved by the legislature, the measure goes on the state ballot in November. [The Associated Press]

US – Law Enforcement Testing Predictive Analytics, Google Glass

The increased use of predictive analytics by law enforcement helps better identify where crimes will likely be committed, conduct investigations more efficiently and analyze behavioral trends and security threats. Meanwhile, the New York Police Department is testing out Google Glass, The New York Post reports, which could allow officers to see a suspect’s arrest record, mugshot and other profile data. “If it works, it could be very beneficial for a cop on patrol who walks into a building with these glasses on,” one source said, adding, “You can identify the bad guys immediately within seconds.” [InformationWeek]

US – California Assembly Passes Drone Bill, Including Data Retention, Use Provisions

The California Assembly passed a bill that would set strict limits on police use of drones and the data obtained from them. AB 1327 requires police to get a warrant prior to using drones for surveillance, except in emergencies, but it also requires them to notify the public when they plan to use drones and to delete all data collected by drones within six months unless the data collection was authorized by a warrant or the data is evidence. Other public agencies can also use drones but would have to obtain a warrant in order to share that data with the authorities. The Assembly passed the bill with a 59-5 vote, and it now heads to the Senate. [The Washington Post]

US – Georgia General Assembly Considers Two Drone Bills

Rep. Harry Geisinger (R-Roswell) has sponsored HB 846, which “would establish specific situations in which it would be legal for drones to capture images and would make it a misdemeanor for anyone to use a drone to capture an image for surveillance.” And Rep. Stephen Allison (R-Blairsville) proposed HB 848, which “would prohibit manned or unmanned aircraft from flying within 100 feet above the surface of a property for surveillance without a search warrant or permission of the property owner.” Hearings are yet to be set on either bill. [The Associated Press]

US – Iowa Considering Drone Privacy Bill

Iowa’s House Public Safety Committee discussed a bill that would prohibit law enforcement from using drone surveillance except in certain emergency situations, reports the Associated Press. The committee plans to make changes to the bill before approving it and will meet again to continue the discussion.

US – Minnesota Bill Would Regulate Police Drone Use

Legislation has been proposed in Minnesota to regulate police use of drones. While Minnesota authorities don’t yet use drones, this bill would require a warrant for drone surveillance except in situations of “imminent” danger. [The Associated Press]

US – New Hampshire Bill Would Restrict Police, Public Use of Drones

New Hampshire Rep. Neal Kurk (R-Weare) has proposed HB 1620 to restrict the use of drones by law enforcement and private individuals. This is the second time in two years he has tried to legislate the use of drones in the state. This bill is causing some controversy because it forbids intentional surveillance even in public places, which may infringe on first amendment rights, according to the director of the NH Civil Liberties Union, which, based on those grounds, does not support the bill. [The Union Leader]

US – Utah Sen. Introduces Drone Privacy Bill

Utah State Sen. Howard Stephenson (R-Draper) has introduced SB 167, which would prohibit state agencies from using drones without a warrant except in emergency situations or with written consent. The bill also puts limits on the retention of data obtained by drones. [Deseret News]


US – Ford Motor Co. Reveals GPS Privacy Practices

After comments from a Ford executive at the Consumer Electronics Show saying that Ford’s GPS system in its vehicles allows it to “know everyone who breaks the law” and a subsequent letter from Sen. Al Franken (D-MN), Ford sent a letter to Franken to reveal its privacy practices. Ford said it “is absolutely committed to protecting our customers’ privacy.” Ford Vice President of U.S. Governmental Affairs Curt Magleby wrote, “No location data is wirelessly transmitted from the vehicle without consumer consent,” and “Location data is used only to support customer requests for services and to troubleshoot and improve our products.” [Mashable]


SK – South Korean Commissioner Fines Google Over Street View

South Korea’s communications regulator is fining Google over its Street View operations there. It’s the regulator’s first fine of a global company for privacy violations. The $196,000 fine results from the collection of residents’ personal data while the company took pictures for its Street View service. The move follows similar actions in Canada and France, among other jurisdictions. “This commission will punish those who collect information of the Korean public without exception,” said Korea Communications Commission Chairman Lee Kyung-jae. [The Korea Herald]

Online Privacy

US – Ride-Sharing Suit Alleges Data-Sharing Without Consent

A lawsuit has been filed against ride-sharing company Lyft alleging it transmitted data about users to an analytics company. In a complaint filed Friday in a San Francisco federal court, Miguel Garcia says Lyft’s “decision to disclose its users’ sensitive personal information not only demonstrates a brazen disregard for their privacy rights, it also violates the California Privacy Act.” Garcia’s suit—which seeks class-action status—also names Lyft’s parent company, Enterprise Holdings. [MediaPost News]

WW – Google, comScore Team Up; Alternative Search Traffic on the Rise

Google and comScore have announced a partnership to better determine the effectiveness of web-based ads in real time and help businesses change ads on the fly. A Google representative said, “It’s going to, for the very first time, give advertisers and publishers real-time insights into whether their campaigns are delivering.” In a blog post, Google said it’s part of a larger plan to bring more transparency to advertising. Forbes reports on the rise in traffic to non-Google search sites. The CEO of Startpage and Ixquick said, “The consciousness is only slowly building on the dangers … It is very easy to see how this treasure trove of data can be misused in the future.” [The New York Times]

US – CA AG to Release Best Practices for DNT Compliance

California Attorney General (AG) Kamala Harris is planning to soon release final best practice guidelines for compliance with California’s new Do-Not-Track (DNT) law. AB 370 amends California’s privacy statute by requiring some web companies to disclose how they respond to DNT requests and state in their privacy policies whether third parties have access to tracking data. “Say what you do, and do what you say,” is the bottom line, said Joanne McNabb, the AG’s director of privacy education and policy. [MediaPost News]

Other Jurisdictions

AU – As Deadline Approaches, APPs Continue To Make Headlines

With the 13 Australian Privacy Principles (APPs) set to replace the Information Privacy Principles and National Privacy Principles in March, many articles are offering tips on what organizations should be doing to prepare. Paul Farrell details how the new laws will work, and Sylvia Pennington writes that those organisations that don’t take “reasonable steps” to comply “face the prospect of a big stick as the Office of the Australian Information Commissioner will have greater powers to investigate and the ability to impose penalties of up to $1.7 million for those found to be in breach.” Pennington highlights seven tips for organisations preparing for the APPs. Meanwhile, Australasian communications firm SenateSHJ predicts privacy will be one of the top issues and trends for 2014. [The Guardian]

NZ – Government Has ‘No Choice’ Over Privacy Info

The New Zealand Parliament is considering legislation that would allow the Inland Revenue Department to collect contact details, bank account numbers and transactions of Americans living in New Zealand to pass on to tax authorities in the US. A report by the Treasury says New Zealand risks damaging its economy if it does not supply the information: the US could block New Zealand’s financial institutions from investing in America or impose a 30% penalty on any profits derived from such investments. From July this year, the US will require all overseas banks and other financial institutions to hand over the private financial details of their American customers in a bid to clamp down on tax evasion. Britain, France and Germany have already agreed to supply the information, and John Key said on Tuesday that New Zealand has to follow suit. [Source]

NI – Nigerian Bill Would Increase Authorities’ Access to E-Communications

Nigerian President Goodluck Jonathan has submitted a bill to the National Assembly that would allow security agents to “intercept and record electronic communications between individuals and seize usage data from Internet service providers and mobile networks.” The Interception of Electronic Communications bill states that, in circumstances where the “content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a judge may on the basis of information on oath” order a service provider to turn over, record or retain consumer data or assist authorities in doing so. The penalty for noncompliance is N10 million for service providers and, for company directors, managers or officers, a three-year jail term, an N7 million fine or both, the report states. While some see the law as a help in fighting cybercrime and terrorism, others see it as a “direct assault on some of the most important of our individual freedoms.” [AllAfrica]

TU – Turkish Internet Bill Would See ISPs Retaining Data for Two Years

The Turkish government has proposed a bill that would give the country’s telecommunications authority the ability to block websites deemed to violate privacy and require Internet providers to retain users’ data for two years to be made available to authorities upon request. Some say the bill will bring censorship in Turkey to new heights and worsen press freedoms, but the government denies the accusations and says it will protect privacy. In this Deutsche Welle interview, Istanbul communications instructor Erkan Saka outlines what effect the law may have on citizens, saying, “The government’s access to personal data may be the worst aspect of the law.” [The Associated Press] See also: [Turkey approves legislation to block Internet sites]

Privacy (US)

US – PCLOB Testifies Against NSA Tactics; Rand Paul Files Suit Over Them

Members of the Privacy and Civil Liberties Oversight Board (PCLOB) testified Tuesday at a Senate Judiciary Committee meeting that the NSA’s collection of phone records is unlawful. The board condemned the phone surveillance program in a report last month after a 3-2 vote. Sen. Rand Paul (R-KY) has filed a lawsuit against President Barack Obama and the heads of several intelligence agencies over the data collection. Meanwhile, Google is asking Congress to update the Electronic Communications Privacy Act so government would be required to obtain a warrant before accessing private communications. [The Hill] See also: [How Obama Officials Cried ‘Terrorism’ to Cover Up a Paperwork Error]

US – White House Publishes Cybersecurity Framework; Privacy Appendix MIA

A year after issuing an executive order, the Obama administration has released a cybersecurity framework for businesses to strengthen their networks against cyber-attacks. Developed by the Commerce Department’s National Institute of Standards and Technology, the voluntary guidance provides critical infrastructure businesses a roadmap for preventing and responding to cyber-attacks. An earlier draft of the framework was released last October, including a full section on privacy and civil liberties. Based on comments received, however, the appendix was taken out and “integrated into the main body of the framework,” one administration official said. [FierceGovernmentIT]

US – FTC Announces Settlement Over Safe Harbor Claims

The Federal Trade Commission (FTC) has settled with children’s online gaming company Fantage.com after it “falsely claimed to be a certified participant” in the EU-U.S. Safe Harbor agreement. In its settlement announcement this week, the FTC noted the company had let its Safe Harbor certification lapse. “This does not necessarily mean that the company committed any substantive violations of the privacy principles of the Safe Harbor framework or other privacy laws,” the FTC said. The proposed settlement prohibits the site “from making similar false claims in the future,” the report states. The FTC is taking “a more proactive look at this program in terms of enforcement,” FTC Chairwoman Edith Ramirez said at an event this week. [The Hill]

US – Harm Threshold Hard to Meet; Supreme Court May Soon Clarify Class-Action Questions

Dana Post of Freshfields Bruckhaus Deringer writes about the difficulty plaintiffs face in proving “future harm” after a data breach. “Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed,” Post writes. Meanwhile, a Kansas federal judge recently dismissed two proposed class actions filed over a breach at Nationwide Mutual Insurance Co., stating the plaintiffs couldn’t prove harm. Given the class actions filed following Target’s recent breach, there is an increased focus on class certification, writes Amy Cadle Hocevar of Squire Sanders, adding that the Supreme Court may soon provide guidance on who can and cannot be a class member. [The Privacy Advisor]

US – Warrantless Searches of Drug Database Blocked, Judge Rules

A federal judge has ruled that federal law enforcement’s warrantless searches of a state’s prescription drug database violate the Fourth Amendment. The Oregon Prescription Drug Monitoring Program was set up in 2009 to help pharmacists and doctors track certain prescription drugs covered by the Controlled Substances Act. The state requires law enforcement to obtain a warrant prior to access, but the U.S. Drug Enforcement Administration had argued federal law allowed it access to the data under an “administrative subpoena.” U.S. District Judge Ancer Haggerty said, “It is more than reasonable for patients to believe that law enforcement agencies will not have unfettered access to their records.” [Reuters]

US – SCOTUS to Hear Cellphone Privacy Cases

The Supreme Court has agreed to hear two cases involving warrantless searches by law enforcement of suspects’ cellphones. The two cases—Wurie v. U.S. and Riley v. California—were granted cert by the court last Friday. In Riley, police searched a suspect’s text messages, photos and videos, finding evidence of gang-related activity and images implicating him in a separate crime. In Wurie, law enforcement went through the call logs of the suspect. The Electronic Frontier Foundation’s Hanni Fakhoury said, “These cases give the court the chance to determine to what extent the Fourth Amendment applies to newer technologies and whether the breadth and scope of information stored on a smartphone matters under the Constitution. We think it does and hope the Court agrees with us.” [Politico]

US – Group to Ask Judge to Throw Out Facebook Settlement

Public advocacy group Public Citizen aims to pressure Facebook to change its practices on users’ comments, images and “likes” being used in advertisements. In a legal brief to be filed today at the Ninth Circuit Court of Appeals in San Francisco, the group will ask a judge to throw out a 2012 Facebook settlement on the matter, stating it violates laws in seven states because it doesn’t require Facebook to obtain permission from parents before using teens’ data. Meanwhile, Facebook has banned a couple of vendors from its site for privacy violations. [The New York Times]

US – “The Data Broker Industry Has for Too Long Operated in the Shadows”

Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) introduced legislation that would require data brokers to be transparent about their data collection practices and provide consumers with opt-outs and would give the Federal Trade Commission civil penalty authority to enforce it. The Data Broker Accountability and Transparency Act of 2014 (DATA Act) would also provide consumers with a means to correct data collected on them and prohibit brokers from being deceptive about their data collection. Markey said, “The data broker industry has for too long operated in the shadows, compiling dossiers on millions of Americans,” adding, “It is time to shine a light on this industry.” Last December, Rockefeller held a hearing and published a report on the industry. [Broadcasting & Cable]

US – Retailers Association Urging Privacy Self-Regulation

The leading retail industry trade group, the Retail Industry Leaders Association (RILA), is pushing for a self-regulatory approach to data privacy and cybersecurity. “Improperly conceived privacy regulations have the potential to unduly hamper the consumer experience, stifle innovation and make business practices too inflexible for customers with little, if any, additional privacy protection in return,” the RILA said in its 2014 Public Policy Agenda. Retailers have also asked financial organizations to begin issuing credit cards with chip-and-PIN technology. [The Hill]

US – License-Plate Reading Company Sues Utah

A Utah law aimed at protecting drivers’ privacy is being challenged by license-plate reading technology company Digital Recognition Network. Utah Sen. Todd Weiler (R-District 23), one of the new law’s sponsors, said, “It’s one thing to take a photo … It’s another to take photos every 80th of a millisecond and then store that data you can later be identified by.” According to the lawsuit, the company is invoking its First Amendment rights to defend its business. A Digital Recognition Network attorney said, “People tend to invoke privacy and suspend judgment … We don’t track people.” With several states considering similar legislation, the case could represent a litmus test on surveillance and First Amendment rights. [Associated Press] See also: [California: Lawsuit Filed Over License Plate Reader Secrecy]

US – IAPP Hits 15k Members

In February, the IAPP gained its 15,000th active member, a milestone that was celebrated with a company-wide e-mail containing 72-point font. And then everyone got back to doing the training, certification, education and member support work that got all those members to join us in the first place. We here on the IAPP Publications Team are grateful to all of you members for the trust you place in us by reading our work and the valuable feedback and volunteerism so many of you contribute on a daily basis. [Full Story]

US – Sen. Wants Data Brokers to Name Clients

The head of the Senate Commerce Committee wants data brokers to disclose the names of their clients—especially those that categorize people as financially vulnerable or by their health status. Sen. Jay Rockefeller (D-WV) wrote a letter to Acxiom, Epsilon, LexisNexis, NextMark and MEDbase 200 asking that they name all of their clients for the last five years. Rockefeller’s concerns include that customers are being treated unfairly as a result of the personal data stored on them. He recently said he’s “revolted” by reports that brokers sell such lists as “genetic disease sufferers.” [MediaPost]

US – Legislators Considering Regulating Biometrics

Florida lawmakers are considering legislation “to sharply regulate the use of fingerprint, palm print, iris scans and other biometric identification systems.” The legislators are examining the issue in the wake of outrage from parents who learned last year that “students’ eyes were being scanned as a condition of boarding school buses in central Florida’s Polk County School District.” The Florida Senate Education Committee is reviewing a bill “that would require school districts choosing to use biometrics to establish strict policies on the public disclosure, use and maintenance of the stored data, and require parents to choose to participate in the program before their children’s data is taken,” the report states. [Reuters]

US – Lawmakers Optimistic Data Privacy Law Will Pass

While SC Magazine reports on the current state of global data breach legislation, some U.S. lawmakers are optimistic that a data privacy law will pass this year. Rep. Joe Barton (R-TX) said, “It’s one of the few issues in the next 10 months that the House and Senate can work with the president on … I’ll go out on a limb here and predict that we’ll actually do that.” [The Hill]

US – What the Target Incident Means for the SEC and Cybersecurity

“With the news that Target intends to wait until it files its annual report in March with the Securities and Exchange Commission (SEC) on the investment consequences of its massive cybersecurity intrusion from 2013, the SEC and cybersecurity once again gains attention,” write Jenner & Block’s Mary Ellen Callahan and Elaine Wolff. Callahan and Wolff look into the SEC’s guidance on cybersecurity, including recent comments by the agency that “underscore the need to disclose costs associated with any preventative or remedial measures that may have a material effect on a company’s results of operations, liquidity and financial condition.” The Target incident, they point out, “highlights some of the limitations in the SEC guidance.” [Privacy Perspectives]

US – State AGs as Privacy Regulators—Q & A with Maryland AG Doug Gansler

Divonne Smoyer speaks with Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler’s focus was “Privacy in the Digital Age.” He tells Smoyer, “State attorneys general have long been champions of consumers’ privacy in the physical marketplace, where breaches of privacy are more easily contained,” explaining, “if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater.” [The Privacy Advisor]

US – As DOT Pushes For Connected Cars, Senators Want Privacy Considered

While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. [Politico] See also: [EU Reportedly Has Secret Plan For Kill-Switch On All New Cars]

US – Courts Tackle Privacy of Delivered Texts, Voicemails

The Oklahoma Court of Criminal Appeals has found that senders of text messages have no expectation of privacy once the text has been delivered. Judge Clancy Smith wrote for the five-judge panel, “This is similar to mailing a letter; there is no expectation of privacy once the letter is delivered. It is like leaving a voicemail message, having the recipient receive and play the message and then claiming the message is private.” Meanwhile, Law360 reports that U.S. Magistrate Judge Nathanael M. Cousins has denied a motion to dismiss a case claiming that InterContinental Hotels Group PLC illegally recorded consumers’ phone calls to its reservation hotline, saying the plaintiffs properly stated a claim under California’s Invasion of Privacy Act. [Courthouse News Service]

US – Maine Committee Quashes Social Media Bill, Opts for Study

The Maine legislature will form a study commission to determine the need for a law barring schools and employers from requiring access to social media and personal e-mail accounts. After three committee meetings, a bill that would have banned this practice was voted down in favor of the study commission. While lawmakers generally agreed on the intrusiveness of requiring online account passwords, the report states “several wrestled with passing a bill that business leaders opposed because it could limit screening of job applicants, investigation of harassment disputes or protection of proprietary information.” [Portland Press Herald]

US – West Virginia House Passes Social Media Bill

The West Virginia House has passed legislation that would prohibit employers from requiring access to online accounts of employees or prospective employees, reports The Journal. Del. Stephen Skinner (D-Jefferson) sponsored the bipartisan bill, which he based on similar legislation passed in Maryland. The bill now heads to the Senate.

US – HIPAA Rule To Allow Direct Access to Lab Data; Papers Discuss Telehealth

The Department of Health and Human Services recently released a final rule amending the Clinical Laboratory Improvement Amendments and the Health Insurance Portability and Accountability Act (HIPAA) giving patients the right to directly access their lab data. As a result, HIPAA-covered laboratories must provide patients with such access within 30 days. Meanwhile, a new report discusses the legal and liability issues of mobile health applications, predicting increased regulatory roles for the Food and Drug Administration and the Federal Trade Commission over health apps. The Center for Democracy & Technology’s Joseph Lorenzo Hall and Deven McGraw write, “For telehealth to succeed, privacy and security risks must be addressed.” [The National Law Review]

US – Judge: Pedophile Investigators Can Use Metadata

A federal judge has ruled that investigators may use metadata to track sources of inappropriate photos of children. In his order, U.S. District Judge Gregg Costa wrote the metadata embedded in a photo of a four-year-old girl shared online solved the “needle-in-the-haystack problem” investigators face. The perpetrator’s attorney had argued phones retrieve GPS coordinates without notifying users, so “although the image was contraband, the legitimate expectation of privacy as to location and identity is not rendered unreasonable.” Costa disagreed, writing, “He gave up his right to privacy in that image once he uploaded it to the Internet … There is no basis for divvying up the image … into portions that are now public and portions in which he retains a privacy interest.” [Houston Chronicle]

US – Bean Wants Privacy for Rx Database

Opting for stronger privacy controls despite law enforcement concerns, the Senate Health Policy Committee has approved changes to Florida’s prescription drug database. As the News Service of Florida reports, bill sponsor and committee Chairman Aaron Bean said requiring investigators to get a court order to access the database will protect the privacy of patients. Law enforcement officials objected that the process will warn suspects of an investigation before they can be apprehended. The proposal includes a way to pay for the Prescription Drug Monitoring Program, which has had no reliable funding source: using extra funds from pharmacists’ licensure fees. There’s no companion bill in the Florida House. [Source]

Privacy Enhancing Technologies (PETs)

WW – Recent App Launches Seize Privacy as Selling Point

MIT’s Jean Yang has released a tool for app developers aimed at helping them relieve some of users’ privacy concerns when it comes to how apps use personal data. The tool reduces the probability of human error in writing code. Meanwhile, a start-up aiming to help app developers comply with COPPA rules has landed funding, and a Florida-based start-up has launched an app that allows users to chat and share photos within a private group. In fact, a number of new apps aim to allow for a more private or anonymous online experience. [MIT Technology Review]

WW – Researchers Create Android App To Show When Other Apps Track You

A team of researchers has developed an Android app to help people better understand when their location is being accessed, something that happens more often than people think. “All apps that access location need to request permission from the Android platform,” Janne Lindqvist, who led the research project, said via email. “The problem is that people don’t pay attention to these default disclosures.” Android phones display a flashing GPS icon when apps are trying to access the user’s location. But few people notice or understand what the icon is telling them, the researchers found. The app they developed is designed to fix that, by making it clearer to users when other apps are accessing their location data. They tried several methods, including a message that flashes on the device’s screen reading, “Your location is being accessed by [app name].” They are in the process of readying their app for the Play Store. It doesn’t have an official name yet, but the working title is the RutgersPrivacyApp. “I’m happy to hear suggestions for a better one,” Lindqvist said. [Source]

WW – Apple Cracks Down on Tracking Apps; Developers Unhappy

NBC News reports that Apple has started cracking down on mobile apps that collect Identifiers for Advertisers (IFAs) without actually showing any advertisements to the user. Until this week, a clause Apple added in its developer license agreement had gone unenforced. Mixpanel’s Suhail Doshi said, “I really believe that most developers using IFA are trying to (understand) if spending money on advertising was cost effective—as opposed to ‘spying on their users.’” Doshi also warned, “The new policies around it are now likely to cause app developers, as a last resort, to do things that will be worse for consumer privacy as they work around IFA—with far less transparency.” [Full Story]


US – Cybersecurity Framework Released

The White House has released the first version of the Cybersecurity Framework, a collaborative effort between the National Institute of Standards and Technology (NIST) and companies in the private sector. The guidelines in the framework are voluntary measures that organizations that support elements of the country’s critical infrastructure can use to develop their information security programs. However, because the program offers no financial incentives to help companies reduce the costs of implementing the guidelines, companies may opt not to participate. While the guidelines are voluntary for private industry, it is likely that they will be required for government contractors. [The Register] [GovInfoSecurity] [InformationWeek] [ComputerWorld] [NextGov] [Bloomberg] AND [Cybersecurity Framework]

US – Retailers to Share Cyber-Threat Data

U.S.-based retailers are planning to establish an industry group for collecting and sharing cyber-threat intelligence in an attempt to thwart cyber-attacks similar to the one that compromised Target’s customers. The National Retail Federation will form the Information Sharing and Analysis Center (ISAC) by June. ISACs generally are run by security centers that operate 24 hours per day and alert members about emerging and potential threats, the report states. There are already a dozen such ISAC groups for financial, healthcare and other service industries. One expert said, “It will allow them to talk to each other about things (that) are hitting them, to know quickly if other people are experiencing the same things and if they’ve found good defenses that they can tell each other about.” [Reuters]

US – Platform Allows for Threat-Risk Data Sharing Between Gov’t, Public

A platform for sharing cyber-threat intelligence is being opened to general availability. Internet Identity’s ActiveTrust platform has been used for the last year by several dozen federal agencies, the report states, and aims to “leverage the convenience of social networking for information sharing while using the power of binding contracts to ensure the control of sensitive information.” The release follows an executive order last year calling for voluntary information-sharing systems between government and the private sector. [GCN] SEE ALSO: [Vancouver baby becomes first person to have three parents named on birth certificate in B.C.]

US – Privacy Appendix Dropped from NIST Framework

Nearly a month prior to the final release of its Cybersecurity Framework, the National Institute of Standards and Technology (NIST) has announced it will not include with it a separate appendix for privacy controls. According to the update from NIST, a separate methodology for privacy and civil liberties “did not generate sufficient support.” Sources said the appendix was added late in the process and caused trepidation and uncertainty. There were also concerns regarding corporate liability, particularly in the face of a data breach. NIST will instead incorporate a methodology developed by Hogan Lovells Partner Harriet Pearson, CIPP/US. In comments submitted to NIST, Pearson wrote, “To incentivize use of the Cybersecurity Framework, the privacy methodology must be clear and straightforward for the private sector to use.” [FierceGovernmentIT]


US – NYC Development Project Aims To Create Quantified Community

An urban informatics collaboration between developers of the Hudson Yards real estate project and researchers at New York University (NYU) will measure and model pedestrian flows, street traffic, air quality, energy use, waste disposal and recycling and the health and activity of laborers and residents, the report states. NYU researchers, aware of potential privacy concerns, back an opt-in regime for individuals whose activities and lifestyles would be measured. Collected data containing personal information will also be anonymized, the researchers said. The project may also help gauge people’s comfort level sharing personal information in such an environment. Meanwhile, a column for InformationWeek calls for a set of common policy principles for the Internet of Things ecosystem. [The New York Times]

US – New Technology “Can Track Everyone” for Hours at a Time

New surveillance cameras are capable of tracking “every vehicle and person across an area the size of a small city, for several hours at a time.” The cameras are unable to record license plates or faces, but “they provide such a wealth of data that police, businesses and even private individuals can use them to help identify people and track their movements,” the report states. There are clear law enforcement benefits to the technology, as the ACLU’s Jay Stanley acknowledges, stating, “If you turn your country into a totalitarian surveillance state, there’s always some wrongdoing you can prevent.” However, he warns, “The balance struck in our Constitution tilts toward liberty, and I think we should keep that value.” [The Washington Post]

Telecom / TV

US – Verizon Ad Program Will Track Web Habits

Recent changes to Verizon Wireless’ Relevant Mobile Advertising Program allow it “to track your desktop surfing habits on the web and use that information to help advertisers deliver targeted ads to your mobile phone.” In his report, Robert L. Mitchell discusses why he chose to opt out of the program, which will assign users “anonymous unique identifiers” that link back to mobile phones, allowing the company to offer advertisers information to deliver targeted ads. Mitchell writes, “Information is the coin of the realm. So if you have a choice, why give it away? What’s your personal data worth? Are you giving it up? And if so, are you getting value in return?” [Computerworld]

US – Cable Home WiFi Defaults as Public Hotspot

A new program by Comcast adds public hotspots to its users’ home-based modems by default. Customers can turn the signal off by opting out, but, according to the report, a Comcast FAQ does not provide instructions to turn off the service manually. Customers instead must call the company to find out how. Some customers are concerned about data privacy with the new program. Comcast has said “we anticipate minimal impact to the in-home WiFi network.” [Ars Technica]

US – Gov’t Considering Industry Alternative to NSA Data Storage

The government may look to industry as an alternative to National Security Agency (NSA) storage of bulk phone records. The government’s request for information (RFI) seeks information on commercially available services from U.S. industries, the report states, quoting comments from the Office of the Director of National Intelligence that the government is investigating options that would maintain “the current capabilities of that system and the existing protections for U.S. persons” without having the government store the metadata. The RFI follows President Barack Obama’s NSA speech last month calling for a new plan to “establish a mechanism that preserves the capabilities we need without the government holding this bulk metadata.” [IDG News] [NSA Collects Less Than 30 Percent of Phone Call Metadata | ZDNet | Ars Technica ]

US Government Programs

US – As DOT Pushes For Connected Cars, Senators Want Privacy Considered

While the Department of Transportation (DOT) is pushing for a mandate on connected cars before President Barack Obama leaves office, there are a number of privacy and security concerns that need to be ironed out. Vehicle-to-vehicle technology could eventually see driverless cars on the road that “virtually never crash,” said DOT Secretary Anthony Foxx. But the Alliance of Automobile Manufacturers’ concerns about privacy are shared by Senate Commerce Chairman Jay Rockefeller (D-WV), who applauds the potentially life-saving features of the technology but worries about driver privacy. Reps. Diana DeGette (D-CO) and Joe Barton (R-TX) have also voiced concerns about privacy. Editor’s Note: Future of Privacy Forum’s Joshua Harris wrote about the issue of privacy and connected cars in a recent post for Privacy Perspectives. [Politico] SEE ALSO: [How Big Brother’s going to peek into your connected home]

WW – Snowden Used Cheap Web-Crawling Software to Scrape NSA Data

Intelligence officials looking at how Edward Snowden gained access to “a huge trove of the country’s most highly classified documents” say he used inexpensive, widely available software to do so. Snowden used “web crawler” software to scrape data out of systems as he completed his daily tasks as a technology subcontractor for the NSA in a process that a senior intelligence official called “quite automated.” The NSA is currently collecting data on about 30 percent of phone calls in the U.S. [The New York Times] SEE ALSO: [Footage released of Guardian editors destroying Snowden hard drives | Video]

US – Reactions to Obama’s Plans for NSA Reform

Reaction to President Barack Obama’s speech announcing plans for National Security Agency (NSA) reforms on Friday swirled over the weekend. For the next stage of the reform process, much reform would have to come from Congress—an institution already divided—meaning “the future shape of the surveillance apparatus … remains far from certain.” The Times also broke down the proposed changes in relation to the NSA review panel recommendations. Obama’s speech also did little to reassure private industry. “The most interesting part of this speech was not how the president weighed individual privacy against the NSA,” said Indiana University Prof. Fred Cate, “but that he said little about what to do about the agency’s practice of vacuuming up everything it can get its hands on.” On Sunday, NBC’s “Meet the Press” devoted a segment to the future of the NSA programs. And, according to a new study, the NSA revelations could cost the U.S. cloud computing industry between $22 billion and $35 billion. [The New York Times]

US Legislation

US – DMA Says Data Broker Bill Would Weaken InfoSec

The Direct Marketing Association (DMA) believes a new bill introduced by Sens. Jay Rockefeller (D-WV) and Ed Markey (D-MA) would create a security headache for companies that collect and share consumer data. DMA Senior VP of Government Affairs Peggy Hudson said, “Imposing an access-and-correction regime on marketing data is not necessary to protect consumer privacy, and doing so would make it harder for companies to keep data secure at a time when consumers are more concerned about identity theft than ever before.” Rockefeller has called the data broker sector a “booming shadow industry” and recently said, “Consumers deserve to know what information about their personal lives is being collected and sold to marketers by data brokers.” [AdAge]

US – FTC Approves COPPA Self-Reg Program

The Federal Trade Commission (FTC) has approved the kidSAFE Seal Program “as a safe harbor program under the Children’s Online Privacy Protection Act (COPPA) and the agency’s COPPA Rule.” The FTC is required by COPPA to review and approve all self-regulatory programs that would serve as safe harbors, according to an FTC press release. The commission determined in a 4-0 decision that the kidSAFE program provides “the same or greater protections for children” as those required in the COPPA Rule. [FTC Press Release]

US – Sens. Introduce Data Breach, Privacy Rights Legislation

A number of U.S. senators have introduced data security and breach notification legislation following the Target and Neiman Marcus incidents. Sens. Dianne Feinstein (D-CA), John Rockefeller (D-WV), Mark Pryor (D-AR) and Bill Nelson (D-FL) have introduced the Data Security and Breach Notification Act. The bill would require the Federal Trade Commission to release a set of security standards for businesses holding consumer data. Sens. Richard Blumenthal (D-CT) and Ed Markey (D-MA) introduced the Personal Data Protection and Breach Accountability Act prior to Tuesday’s NTIA hearing. The act aims to deter preventable breaches, minimize consumer harm and promote information-sharing between federal agencies, law enforcement and the private sector, reports Dark Reading. Sen. Robert Menendez (D-NJ) has announced plans to introduce the Commercial Privacy Bill of Rights. The bill aims to “give consumers the protections they need, create common-sense accountability measures for businesses so our personal information is not held hostage to the power of our technology, place limits on both the type of information businesses may collect and limit how long they can retain that information,” Menendez said in his announcement.

US – California AG Sues Over Delayed Breach Response

The California Attorney General’s Office (CA AG) has filed a complaint against Kaiser Foundation Health Plan, Inc., saying the company’s data breach and subsequent delayed notification violate the state’s unfair competition law. The CA AG alleges that prior to the completion of Kaiser’s analysis of the breach, “it had sufficient information to notify at least some affected individuals,” Navetta writes, adding, “In the eyes of the CA AG, the failure of Kaiser to provide notice on a rolling basis, even if its investigation was not complete, amounted to a failure to provide notice ‘in the most expedient time possible and without unreasonable delay’ under California’s breach notice law.” [InfoLaw Group]

US – California Assemblywoman Proposes Victim Privacy Bill

Assemblywoman Toni Atkins (D-San Diego) has introduced AB 1623, which would ensure that victims of domestic violence are not denied help at family justice centers if they are undocumented immigrants or have a criminal history. The bill would also mean family justice centers would not be allowed to share certain information on victims with law enforcement or other agencies without the victims’ consent. [The San Diego Union-Tribune]

US – Kentucky Bill Would Prohibit Selling of Student Data

The Kentucky Senate Education Committee has unanimously approved a bill that would prevent the sale of student data by technology companies, require school districts to post lists of all third-party web-based services they use and provide for agency audits of schools’ data collection practices. Sen. Jimmy Higdon (R-Lebanon) notes that these protections are similar to those used to protect government data in the state, adding that students do not “have a choice when it comes to the online services they use … No company in a position to store private, school data should be able to sell that data for profit.” [The Associated Press]

US – Minnesota DPS Privacy Policy Brings Concerns for Insurance Costs

The Minnesota Department of Public Safety’s (DPS) new privacy policy means that it will not share drivers’ data in bulk anymore, as all other states do. The DPS will now charge $5 per record and records will only be available during business hours through a secure online system. While the state says, “This will increase data security, improve accountability and ensure that DPS will be able to audit all users,” Mark Kulda of the Insurance Federation of Minnesota says these are costs that will be passed on to customers and has concerns that residents will not be informed of recalls or be able to prove driving history for better insurance premiums. [KAALtv]

US – New Hampshire Considering Student Social Media Bill

A New Hampshire Senate committee held a hearing on Tuesday to consider a bill that would prohibit colleges and universities from asking for access to students’ and prospective students’ social media sites [Associated Press].

US – NJ Bill Would Require Cos to Contact Consumers Directly After Breach

New Jersey Assemblywoman Linda Stender (D-Union) has introduced legislation to toughen data breach notification standards by removing the ability of companies to use “substitute notice” as a means to notify customers affected by a large data breach, among other provisions. New Jersey law currently requires companies to notify residents upon reasonable belief that an unauthorized person accessed their data but provides for notice in the form of “contacting statewide media and posting a notice on its website” in the event of breaches affecting more than 500,000 people or costing more than $250,000. [Law360]

US – Montana Allows Review of Post-Suicide Medical Records

In response to the high number of suicides in the state, Montana legislators have passed a measure to allow a team to review the medical records of all suicide victims as of January 1 of this year. While HB 583 easily passed the House, Rep. Kirk Wagoner (R-Montana City) has concerns about the opt-out nature of the law. The team doesn’t have to ask permission to delve into the medical history of the victims but instead will take into consideration family objections. The Montana Suicide Review Team will look for patterns and make recommendations to lower suicide rates, and Montana’s Suicide Prevention Coordinator Karl Rosston says “None of this stuff is going to be isolating or be able to identify a specific case. This will be a comprehensive of all the suicides and patterns of behaviors. We’re not going to take one isolated incident and say ‘this is what happens’.” [KRTV]

US – South Dakota House Considering Student Privacy Bill

South Dakota’s House Education Committee will revisit SB 63 this week to protect the privacy of students who take educational assessments. South Dakota Secretary of Education Melody Schopp wrote a letter to U.S. Education Secretary Arne Duncan explaining the state cannot and does not link identifiable information to test scores. “We are prohibited to share any personally identifiable information with the federal government,” Schopp said, adding that the education department is in favor of the privacy policy. [South Dakota Public Broadcasting]

US – CA Senate Passes Bill To Protect, Limit Online Data Collection, Retention

The California Senate has passed SB 383, which would limit online retailers “in the amount and type of personal information they could collect” from consumers related to content they purchase and download online. It would also require them to dispose of the data once they don’t need it. Sen. Hanna-Beth Jackson (D-Santa Barbara), the bill’s author, says it would protect consumers from fraud, but online retailers say they need to retain the data in order to spot irregular transactions and allow consumers the convenience of sharing downloaded data between devices, among other reasons. [The Associated Press]

US – Nebraska Citizens Voice Privacy Concerns Over Wages Bill

The McCook Area Chamber of Commerce has voiced concerns over a bill recently introduced by Sen. Tanya Cook (I-District 13) that would see Nebraska companies with more than 50 employees posting the salaries of all their employees annually. The listings would be made without the identities of the individuals but would list salaries, job title, gender, age and years of service. [The McCook Daily Gazette]

Workplace Privacy

WW – Virtual Boss Keeps Workers on a Short Leash

Gr8Apes writes “Hitachi has created a ‘perfect virtual boss.’ The company is manufacturing and selling a device intended to increase efficiency in the workplace called the Hitachi Business Microscope (paywalled). ‘The device looks like an employee ID badge that most companies issue. Workers are instructed to wear it in the office. Embedded inside each badge, according to Hitachi, are “infrared sensors, an accelerometer, a microphone sensor and a wireless communication device.” Hitachi says that the badges record and transmit to management “who talks to whom, how often, where and how energetically.” It tracks everything. If you get up to walk around the office a lot, the badge sends information to management about how often you do it, and where you go. If you stop to talk with people throughout the day, the badge transmits who you’re talking to (by reading your co-workers’ badges), and for how long. Do you contribute at meetings, or just sit there? Either way, the badge tells your bosses.’” [Source] SEE ALSO: [Background checks for jobs raise privacy concerns] and [FL: Former Mount Sinai Medical Center Temporary Employee Sentenced In Identity Theft Tax Refund Scheme Involving The Theft Of Patient Information]

CA – Opinion: Employee PI Decision Noteworthy

Meghan Cowan examines a recent decision by the Office of the Alberta Information and Privacy Commissioner on the collection, use and disclosure of employees’ personal information. Cowan suggests the December decision, which stems from a complaint an employee filed under the Personal Information Protection Act (PIPA), “provides a noteworthy lesson for employers when managing sensitive employee medical information.” The information in question related to medical leave and disability benefits, the report states, meeting the definition of personal employee information under PIPA. “This decision is significant not only for delineating the consent and disclosure requirements around employee medical information in Alberta, but for privacy legislation in other Canadian jurisdictions,” Cowan writes. [Canadian Employment Law Today]
