1
Privacy in America: Your Role as Guardians of the Public's Data
  • Professor Peter P. Swire
  • Moritz College of Law
  • The Ohio State University
  • Ohio Digital Government Summit
  • October 1, 2008

2
Theme for Today
  • You are the guardians of the public's personal data
  • The systems you create will enable E-government, democracy, public services
  • The systems should do it in a way that ensures the public's privacy and security
  • It is a proud responsibility to build these systems for the benefit of our fellow citizens

3
Overview
  • My background
  • You are the guardians
  • HIPAA: why privacy & security matter
  • Public records: don't cause theft
  • Data breach: the most important current regulation on data holders
  • Privacy Impact Assessments: being thoughtful about data uses
  • Big privacy issues today
  • What McCain & Obama have said on privacy

4
Swire Background
  • Now Ohio State law professor, live in D.C.
  • Active in many privacy & security activities
  • Senior Fellow, Center for American Progress
  • Chief Counselor for Privacy, 1999-2001
  • U.S. Office of Management & Budget
  • WH coordinator, HIPAA privacy rule
  • Public records & privacy
  • Federal government's own data
  • Computer security
  • Other: financial, Internet, national security & FISA

5
Background
  • Since 2001
  • Many writings and presentations
  • www.peterswire.net
  • www.americanprogress.org
  • Privacy Year in Review distributed to all members of the International Association of Privacy Professionals
  • Lead author of book that is official study guide for Certified Information Privacy Professional exam

6
Guardians I: HIPAA
  • The 1996 history
  • Administrative simplification in Health Insurance Portability & Accountability Act
  • Half the money in the medical system is federal
  • No more payments by paper
  • Standardized transaction and code set rule
  • Save many billions with electronic standardized payment formats for health care

7
HIPAA History
  • If all health payments become electronic, what would happen to privacy & security?
  • No previous federal standards for health privacy & security
  • Congress said privacy & security should be built in at the same time as the shift to electronic payments

8
HIPAA History
  • Congress didn't pass legislation
  • HHS proposed rule in 1999
  • Over 53,000 public comments
  • Final rule December 2000
  • Bush Administration: modest changes 2002
  • In effect since 2003

9
Lessons from HIPAA
  • Privacy & security should be built in to new IT systems
  • Patching later won't work as well, often won't happen & will cost a lot more
  • HIPAA far from perfect
  • Implementation guidance & budget cut way back from original plans
  • Significant success to date: clearly better than not having these protections in place

10
Next in Health Care
  • Electronic health records (EHRs)
  • How to connect providers into a National Health Information Network
  • Personal health records (PHRs)
  • Individuals/families manage health records the way they do personal finances
  • Microsoft HealthVault, Google Health, Dossia & others
  • How to build privacy & security into these?

11
Guardians II: Public Records
  • Strong Ohio tradition of open public records
  • Freedom of information & transparency lead to better government, lower costs for citizens to get information & many other benefits
  • Not every record should become public
  • Especially records that can lead to theft or identity theft

12
Bankruptcy Study 2000
  • When in White House, I helped lead a study on a federal records system: bankruptcy records
  • Proposal was pending: simply put all records on line
  • History of open access to these court records
  • New system less expensive if simply shift to electronic

13
Bankruptcy Study
  • Key data fields
  • Bankruptcy records contain details on financial assets, so creditors know the claims on the estate
  • Bank account numbers, security brokerage account numbers, etc., and amount in each account (often substantial)
  • A tempting target for pretexting
  • Is it a good idea to put those up on the Internet?

14
Lessons on Public Records
  • For data fields that lead to pretexting and identity theft, there is significant risk from simply posting to the Internet
  • As Ohio has done, work through the risks of these key data fields in managing your public records
  • See Swire NACO presentation, at www.peterswire.net

15
Guardians III: Data Breaches
  • California history on data breaches
  • SSNs and other personal data compromised for all/most state of California employees in 2002
  • California passed the data breach law, requiring notice for breaches in both public and private sectors
  • The idea swept the nation: almost all states have such laws today

16
Correcting a Market Failure
  • Data is held by government agency or corporation
  • If breach happens, the cost is mostly on the individuals whose data is put at risk
  • Under-investment in protecting the data
  • Could have liability on data holder for breach (currently none)
  • Instead, have publicity on data holder: data breach laws

17
The Future of Data Breach
  • Trend toward broader set of triggers for data breach
  • Health care data
  • Biometrics (once gone, gone forever)
  • Required/encouraged encryption
  • Trend toward reporting to a state authority
  • Ecosystem can learn more about breaches
  • A major responsibility for you as data guardians, and that will continue

18
Guardians IV: PIAs
  • Privacy Impact Assessments
  • Best practice for feds by 2000
  • Required for new federal IT systems in E-Government Act of 2002
  • Ohio HB 46, Ohio Revised Code 125.18
  • New requirement of Privacy Impact Assessments

19
PIAs for Cities & Counties
  • PIA process for federal and state, now
  • Emerging best practice for government at all levels
  • Ohio memo at http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
  • The HIPAA lesson: build it right from the start for privacy and security

20
August 13 Memo on State PIAs
  • Edmondson memo requiring state of Ohio agencies to do privacy assessments
  • Privacy Threshold Analysis (and then PIA, as needed)
  • When use information technology to collect new information
  • When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or
  • When agencies conduct ad hoc queries of commercial databases containing personally identifiable information

21
Views of the Candidates
  • McCain released privacy policy paper on Aug. 14 on campaign site
  • My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

22
Limited Role for Government
  • For private sector data, basic approach is self-regulation & limited role for government
  • Government: "Government must promote a culture of personal security through consumer education initiatives, incentives for the development of secure technologies, and stronger enforcement of laws to protect our citizens, particularly children."

23
Obama and Private Sector Data
  • Cautious about regulation, but believes common-sense measures may be appropriate for emerging areas of concern
  • Location information (cell phones)
  • Electronic health records
  • Social networking
  • Similar to Clinton approach: act first on medical, financial, kids
  • Similar contrast as the two candidates' views on financial regulation

24
Government Surveillance
  • The other major privacy area concerns rules for government surveillance, for law enforcement and national security
  • McCain has supported Bush approach: major focus on anti-terrorism, few stated limits on executive power, support for Patriot Act
  • Obama, a former constitutional law prof, has called for more checks & balances and oversight
  • Obama pushed for broader FISA reform, but voted for final passage as better than not having authorities in place

25
Concluding Thoughts
  • Guardians of the public's data
  • HIPAA: build privacy & security in from the start
  • Public records: avoid theft-related harms
  • Data breach: a major feature in the future
  • PIAs: an expected practice from now on

26
Finally
  • FOIA and open records are crucial values
  • That said, here is a simple test about privacy
  • How would you want the records of your own family treated?
  • Do you have the privacy and security practices in place that you would want for your spouse and children?
  • If you meet that test, you can be proud in your role of guardian of the public trust
  • Good luck in your efforts