Data Privacy Day 2010: Live Blogging from FTC Roundtable in Berkeley, CA

Today is "Data Privacy Day", which is being marked around the world, including here in Berkeley, CA at the FTC's "Exploring Privacy" Roundtable.  The purpose of this roundtable discussion, the second in a series of three, is to "explore the privacy challenges posed by the vast array of 21st century technology and business practices that collect and use consumer data. Such practices include social networking, cloud computing, online behavioral advertising, mobile marketing, and the collection and use of information by retailers, data brokers, third-party applications, and other diverse businesses. The goal of the roundtables is to determine how best to protect consumer privacy while supporting beneficial uses of the information and technological innovation."  Today's discussion, like the one that took place at the first roundtable in Washington, is focusing on whether the traditional paradigm of Fair Information Practices -- and especially notice and choice -- suffices to allow consumers to understand and control what information is collected about them and used by others for marketing and other purposes.  Professor Paul Schwartz, on the cloud computing panel, just commented on how typically complex privacy policies provide "TMI" (too much information) for a consumer to understand and act on.  And Harriet Pearson of IBM also commented on how simply providing a list of companies processing data in the cloud -- service providers -- would not be meaningful for consumers, a proposition with which Scott Shipman of eBay agreed.

On the issue of meaningful notice, see yesterday's New York Times article on the emergence of an eye-catching icon attached to online ads to attract consumer attention, on which they can click to get information about what information is being collected about them to deliver targeted ads.  (Full disclosure: the Future of Privacy Forum, the think tank that I founded and co-chair, was instrumental in development of the icon.)


New UK government website for public access to official data

The UK government has announced plans to launch a new website, www.data.gov.uk, which will allow public access to official data, and has called on web founder Sir Tim Berners-Lee to assist.  The website aims to improve transparency and will be similar to the US site 'data.gov', which already includes information from the US defense department and NASA.

The plan, initiated by PM Gordon Brown last year, is to develop a website for the public to find information and to make reports to public service providers, including traffic and crime statistics.  In addition, various applications will be available to enable users to discover details of planning applications (in PlanningAlerts), or report potholes (in FillThatHole).

So far, the site has been in test mode, for developers to try out its features and provide feedback, but once 'live', it is hoped that public users will benefit from having the information and services in one place and see it as an alternative to requesting disclosure under the Freedom of Information Act, as BBC News reports - http://news.bbc.co.uk/1/hi/technology/8470797.stm

New Guidance on Preservation of Electronically-Stored Information from Zubulake Judge

We regularly advise clients that the starting point for privacy and data security risk management is to understand what data is being held.  Knowing what data is being held (and preserving it) also is a key component of compliance in litigation.  Indeed, the need for companies to data map their information long before litigation arises has taken on increased urgency in light of a recent ruling.

In Pension Committee, the judge who issued the series of seminal Zubulake opinions, which essentially defined electronic document retention and discovery nationwide, calls for litigants not only to identify key data keepers but to identify key data very early in litigation. Some of the new holdings described in Hogan & Hartson's Litigation Alert (link below) are likely to become as influential as the discovery-altering Zubulake decisions.

In Pension Committee, Judge Scheindlin finds, among other things, that the failure to issue a written litigation hold for relevant individuals and data constituted gross negligence because that failure is likely to result in the destruction of relevant information. Severe sanctions, such as dismissal, monetary sanctions, and adverse inference instructions, were therefore presumptively appropriate absent contrary indications of good faith. Failure to appropriately collect and preserve electronically stored information from all key players may now also be considered gross negligence, and even failure to collect and preserve from less-involved employees may be considered negligent. Additionally, companies must be even more conscious of the fate of, and the process in place to handle, former-employee data for fear of being found grossly negligent if a preservation duty has attached. For more information about this important decision please see the attached Litigation Alert, which was drafted by two members of our Electronic Information Group.

Media & Communications Briefing Highlights Privacy Issues

The fifth edition of Hogan & Hartson’s Media & Communications Briefing, whose editor-in-chief is Hogan Partner Winston Maxwell, has arrived!  (Winston also is a member of the privacy and data security practice group.) This quarterly briefing updates our clients on legal and regulatory developments from around the world in the Telecommunications, Media and Entertainment and High Technology sectors.  This edition features stories (bolded below) of particular privacy interest.


The briefing includes articles on the following topics:


  • New Commission, New Framework
  • The Digital Dividend Auction in Germany
  • Bloggers Beware: The FTC is Watching
  • EU Reform Brings New Cookie Rules
  • U.S. Universal Service Reform: Is 2010 the Year?
  • Online Music Retailing: Towards Borderless Business
  • French Government Releases Decree on Motion Picture Tax Credit
  • Smart Grids
  • Interview: French Copyright Law
  • Digital Switchover
  • Middle East International Film Festival and the Circle Conference

For a copy of the briefing, click here


FCC Seeks Comment on Numerous Broadband Privacy Issues

The Federal Communications Commission released a Public Notice this week seeking further comment on numerous privacy issues as part of its National Broadband Plan proceeding.  Based on questions raised in a recent Center for Democracy & Technology filing, some of the broad issues that the Notice seeks comment on include:

  • Consumer expectations of privacy, and how to meet those expectations as new technologies are deployed;
  • Building Privacy by Design;
  • Concerns surrounding the collection, use, and storage of transactional data; and
  • The regulation of third-party applications.

The FCC, which is working to complete the Plan and submit it to Congress by March 17, has thus far not focused extensively on how to protect consumer privacy and personal information in the broadband ecosystem.  This Notice, however, indicates that the FCC may be planning to highlight a number of privacy-related consumer protection issues in the Plan.  Moreover, depending in part on the comments received in response to the Notice, it could also open the door to future privacy and data protection proceedings at the FCC.

Comments are due on January 22, 2010, just over a week after the Commission issued the Notice.

Connecticut AG Brings HIPAA Charges Against Health Net For Data Security Breach

In the first HIPAA action filed by a state attorney general, Connecticut Attorney General Richard Blumenthal filed a lawsuit yesterday against Health Net of Connecticut for failing to secure private medical and financial information concerning 446,000 of its Connecticut enrollees, and for subsequently neglecting to promptly notify affected individuals. Blumenthal is also seeking a court order to prevent Health Net from continued violations by requiring the company to encrypt any protected health information (“PHI”) contained on portable electronic devices. The lawsuit is the first action by a state attorney general to enforce HIPAA since the Health Information Technology for Economic and Clinical Health Act (“HITECH”) provided state attorneys general with the power to initiate civil actions on behalf of state residents for violations of HIPAA.

In May 2009, Health Net discovered that a portable computer disk drive containing social security numbers, health claim forms and bank account numbers for approximately 446,000 Connecticut enrollees was missing. According to Blumenthal, Health Net subsequently failed to promptly notify appropriate authorities and consumers of the incident. Blumenthal further alleges that Health Net failed to comply with its own policies and federal law regarding the protection of personal information, and failed to effectively train and supervise its workforce on the proper policies for maintaining, using, and disclosing PHI.

European DP authorities issue "Future of Privacy" roadmap

The Article 29 Working Party of European data protection authorities (the “WP29”) published in early January a roadmap charting the future of privacy legislation in the EU.  Entitled “The Future of Privacy – Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to protection of personal data,” the WP29 roadmap contains insight into areas of likely reform of European privacy law in the coming years.  After an introduction describing the history and constitutional underpinnings of privacy legislation in the EU, the Future of Privacy roadmap outlines nine areas of needed reform:

1. Extend EU privacy legislation to law enforcement, former “third pillar” areas, which were heretofore excluded from the EU Data Protection Directive.

2. Consider modifying the criteria for determining when EU privacy law applies to controllers located outside the EU, particularly where non-EU established controllers target their activities at EU residents, through advertising and local language sites.  WP29 says it is currently preparing a detailed opinion on the applicability of EU law.

3. Support global standards, in furtherance of the so-called Madrid Resolution adopted on November 6, 2009, and increase international cooperation between data protection authorities.

4. Include “Privacy by Design” as an obligation applicable to all actors in the ICT (information and communications technology) sector.  Privacy by design should focus on principles such as data minimization, controllability, transparency, user friendly systems, data confidentiality, data quality and use limitations.

5. Empower citizens by increasing their ability to enforce privacy rules, including via class actions and alternative dispute resolution (ADR) mechanisms. Increase transparency obligations for the benefit of users and clarify the concept of user “consent.”

6. Increase accountability obligations for data controllers by imposing across-the-board data breach notification obligations (currently data breach obligations apply only in the electronic communications sector), and by encouraging self-audits, privacy impact assessments, and external certification procedures.

7. In exchange for increased self-enforcement and accountability measures, WP29 suggests lifting many administrative filing obligations with data protection authorities, reserving filing only for cases where there is a serious risk to privacy.  Even in those cases, filing could be streamlined where organizations have conducted privacy audits or privacy impact assessments.

8. Impose minimum requirements to ensure that national data protection authorities are sufficiently independent and effective, including that they have sufficient funding.

9. Require the implementation of privacy impact assessments and related accountability measures for law enforcement organizations.

Adopted on December 1, 2009, but made available on the WP29 website only recently, the WP29 Future of Privacy roadmap is a contribution to the European Commission’s consultation on reform of EU privacy legislation, a consultation which closed on December 31, 2009. Other contributions can be viewed here.

China's First Criminal Case Regarding the Infringement of the Security of Personal Information

By Jun Wei

On January 3, 2010, the Guangdong Provincial Higher People's Court announced the first enforcement action following the extension of Chinese criminal law to include the protection of personal information.  In that action, the Zhuhai Xiangzhou District Court sentenced an individual to one and a half years in prison and imposed a fine on him in the amount of RMB 2,000 (approximately US $295) for the crime of illegally obtaining the personal information of citizens.  This is the first known case in China regarding the infringement of personal information security.

The law upon which the action was based, the 7th Amendment to the PRC Criminal Law, was promulgated on February 28, 2009 by the Standing Committee of the National People’s Congress.  It includes provisions imposing criminal penalties for the infringement of personal information security, specifically targeting two types of infringement: (i) the sale or illegal disclosure of information obtained by personnel in government agencies or financial, telecommunications, transportation, educational or medical institutions in the process of performing their duties; and (ii) the theft or illegal access of personal information by other individuals.

In both types of conduct there are severe consequences for infringement, including imprisonment for less than three years, detention for less than six months, and/or the imposition of a fine (as a single penalty or concurrently with other penalties).  In the event that an entity is convicted of infringement, a monetary penalty shall be imposed on that entity, and the officer directly responsible and any other persons who may be directly responsible for such illegal acts shall be subject to the same criminal penalties that are applicable to natural persons.

According to news reports, in December 2008 the defendant in this case, Zhou Jianping, a resident of Zhuhai, Guangdong Province, illegally obtained the phone numbers and call history records of 14 government officials and sold these phone numbers and call histories for RMB 16,000 (approximately US $2,353).  The purchaser, in conspiracy with six other people, then used this information to impersonate the government officials and extract RMB 830,000 (approximately US $122,060) from a variety of relatives.

The defendant did not appeal and the judgment took effect December 14, 2009.

EU-US Safe Harbor Developments Described in NYMITY Interview

Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity that was published in its free online newsletter.  In the interview, Chris discusses the recent FTC enforcement efforts under the Safe Harbor as well as alternative methods available to parties seeking to transfer data from the EU to the US other than through the Safe Harbor framework.  The interview can be accessed here.

CMS and ONC Issue Regulations Proposing "Meaningful Use" Definition, Setting EHR Certification Standards

Today the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released two regulations relating to the Medicare and Medicaid incentives authorized by the American Recovery and Reinvestment Act of 2009 (ARRA).  Both rules have public comment periods of 60 days and are scheduled to be published in the Federal Register on January 13, 2010.  Final rules are expected to be issued in the spring of 2010.

EHR Incentives for “Meaningful Use”

The CMS Proposed Rule defines the criteria for “meaningful use” of certified electronic health record (EHR) technology. “Eligible professionals” (EPs) and hospitals that meet these criteria will be eligible for incentive payments beginning in 2011.

CMS proposes to phase in meaningful use criteria in three stages. The Proposed Rule focuses on the Stage 1 criteria, and CMS plans to propose Stage 2 and Stage 3 criteria in future rulemaking, with a goal of issuing proposed Stage 2 standards by the end of 2011 and proposed Stage 3 standards by the end of 2013.

For Stage 1, which begins in 2011, CMS has proposed 25 objectives, or measures, for EPs and 23 objectives for eligible hospitals, all of which must be met in order for a provider to be deemed a meaningful EHR user.

Standards, Implementation and Certification Criteria

The ONC Interim Final Rule sets forth initial standards, implementation specifications and certification criteria for EHR technology.  These provisions specify the capabilities and related standards that certified EHR technology must include in order to support the proposed Stage 1 requirements for meaningful use.  This Rule goes into effect 30 days after publication in the Federal Register.

According to ONC, the standards set forth in the Rule “rely heavily on existing standards for the interoperability of health information technologies, including those established and/or promoted by Health Level 7 (HL7), the National Institute of Standards and Technology (NIST) and Integrating the Healthcare Enterprise (IHE).”  The standards, which fall into the categories of vocabulary, content exchange, transport and privacy/security, also rely upon classification and nomenclature systems such as SNOMED CT, ICD-9 and 10, X12, LOINC, NCPDP and RxNorm.

ONC will issue a separate Notice of Proposed Rulemaking relating to the testing and certification process for EHRs and EHR Modules in early 2010.
