Edited by E. Michael Power

Contents

  • Bulgaria: Business Spam to Face Fines
  • FDA Releases RFID Recommendations
  • HIPAA Effectiveness Questioned
  • Indiana: Security Breach Legislation Enacted
  • U.S.: Accounting Organization Says Drive with Member Data Missing
  • U.S.: Informed Consent Waived in Public Crisis
  • Privacy Commission of Canada: Case Summaries
      • No. 326: Credit Bureau Sets Retention Period for Positive Information
      • No. 325: Personal Information Practices Considered in Sale of Dental Practice
      • No. 324: Consumer Complains About Requirement to Provide Identification in Order to Obtain Credit Report

Bulgaria: Business Spam To Face Fines

Under the E-Trade Act, passed by Parliament on June 9, senders of business emails who spam recipients who have not agreed to receive them will face fines ranging from BGN 250 to BGN 1,500. Repeat spamming will be sanctioned with BGN 500-2,500 for natural persons and BGN 1,000-4,000 for legal entities.
http://www.novinite.com/view_news.php?id=64742

FDA Releases RFID Recommendations

The Food and Drug Administration's Counterfeit Drug Task Force announced June 9 its recommendations for the pharmaceutical industry regarding the use of radio-frequency identification technology to fight the proliferation of some 35 million counterfeit drugs in America.

The report recommends that the FDA remove its "hold" on its so-called pedigree act, reinstating the 2007 deadline for those in the pharmaceutical supply chain to implement some form of electronic tracking technology, be that RFID, bar codes or a combination of both.

While the Task Force didn't actually mandate the use of RFID to track and trace drugs through the pharmaceutical distribution chain—from manufacturer to wholesaler to retailer to consumer—it did point to RFID as "the most promising technology for implementing electronic track and trace in the drug supply chain," and suggested that "stakeholders move quickly to implement this technology."

The concept of utilizing RFID to track drugs stems from the FDA's 1987 Prescription Drug Marketing Act that requires drug distributors to provide a "pedigree" for pharmaceuticals—documentation of the chain of custody of drug products.

Full press report is available at:
http://www.eweek.com/article2/0,1759,1974892,00.asp?kc=EWRSS03119TX1K0000594

HIPAA Effectiveness Questioned

In the three years since the federal privacy rule was enacted, 20,124 complaints have been filed with the U.S. Department of Health and Human Services' Office of Civil Rights.

But not one fine has been levied against hospitals, clinics, pharmacies, doctors or other health-care providers. And just two cases have been prosecuted.

About 75 per cent of the complaints have been closed, the government says. The problems were resolved, or the law didn't apply.

Full press report is available at:
http://www.tmcnet.com/usubmit/2006/06/11/1677069.htm

Indiana: Security Breach Legislation Enacted

Indiana is the latest American state to enact a breach notification law. H.R. 1101, effective on July 1, will require companies holding customers' and clients' personal identification information in computer databases to disclose security breaches, and to encrypt that data, where a breach could cause identity theft, identity deception, or fraud. This would help protect consumers by making them aware when their personal information may have been stolen. People would then be able to take the necessary steps to protect themselves from any further damage.

Full press release is available at:
http://www.in.gov/attorneygeneral/press/NewLawRequiresCompaniesNotifyHoosiersifPersonalInformationisCompromised.html

Full text of legislation is available at:
http://www.in.gov/legislative/bills/2006/PDF/HE/HE1101.1.pdf

U.S.: Accounting Organization Says Drive With Member Data Missing

Adding to the lengthening list of organizations reporting data compromises, the American Institute of Certified Public Accountants (AICPA) confirmed on June 7 that a computer hard drive containing the unencrypted names, addresses and Social Security numbers of nearly all of its 330,000 members has been missing since February.

The hard drive had been accidentally damaged by an AICPA employee and was sent out for repair to an external data-recovery service in violation of the AICPA's policies. It was on its way back to the AICPA via FedEx but failed to arrive. Allegretti did not say when exactly the drive went missing except to note that the package containing it was due back at the AICPA "towards the end of February."

It took the organization until March 31 to "recreate the drive" and determine what data it contained. The AICPA began notifying affected members of the potential compromise of their personal data on May 8 and has since completed the task.

Based on investigations so far, it does not appear that information on the hard drive has been misused. Following the loss, the AICPA is offering affected members a year's worth of free credit-monitoring services. The incident has also prompted the group to begin deleting all Social Security numbers from its member database.

Full press report is available at:
http://www.computerworld.com.au/index.php?id=1799791142

U.S.: Informed Consent Waived in Public Crisis

In a public health emergency, suspected victims would no longer have to give permission before experimental tests could be run to determine why they're sick, under a federal rule published Wednesday. Privacy experts called the exception unnecessary, ripe for abuse and an override of state informed-consent laws.

Health care workers will be free to run experimental tests on blood and other samples taken from people who have fallen sick as a result of a bioterrorist attack, bird flu outbreak, detonation of a dirty bomb or any other life-threatening public health emergency, according to the rule issued by the Food and Drug Administration.

In all other cases, the use of an experimental test still requires the informed consent of a patient, as well as the review and approval of an outside panel.

Determining what constitutes a life-threatening public health emergency would be left up to the laboratories doing the testing. That creates the potential for conflicts of interest and other abuses, critics said.

The FDA said it published the rule to ensure the ability to identify quickly whatever chemical, biological, radiological or nuclear agent is involved in a terrorist attack or natural outbreak of disease. Doing so could save the lives of those being tested as well as of others exposed, the FDA said.

The rule took effect Wednesday but remains subject to public comment until August 7. The FDA said it published the rule without first seeking comments because it would hinder the response to an outbreak of bird flu or other public health emergency.

Full press report is available at:
http://www.newsday.com/news/politics/wire/sns-ap-informed-consent,0,4929539.story

Full text of rule is available at:
http://www.fda.gov/OHRMS/DOCKETS/98fr/E6-8790.htm

Privacy Commission of Canada: Case Summaries

PCC: 326

Credit Bureau Sets Retention Period for Positive Information

Two individuals complained that a credit bureau was keeping positive credit information beyond a reasonable time limit. During the Office's investigation, the credit bureau recognized that it needed to establish a maximum retention period for such information, and the Privacy Commissioner concluded that the matter was resolved.

The retention period for negative information on credit reports is mandated by provincial legislation. It is up to the credit reporting agency, however, to set its own retention policy for positive information. At the time of the complaints, the credit bureau did not have a written policy regarding the retention of positive data. The credit bureau has since evaluated its retention policy, and conducted consultations with various stakeholders, such as clients, suppliers, and its data centre. It informed the Office that, effective immediately, it will maintain positive information for 20 years.

According to the bureau, in the course of evaluating the length of time positive information should be retained, it discovered that thousands of individuals' credit files only contained positive information that was over 15 years old. This situation can occur when an individual has declared bankruptcy, and the negative information has been deleted in compliance with provincial legislation. Thus, if the retention period was 15 years or less, their entire credit histories would be deleted. Retaining information longer than 15 years is therefore of benefit to those thousands of individuals.

The Commissioner therefore concluded that the complaints were resolved.

Full finding is available at:
http://www.privcom.gc.ca/cf-dc/2006/326_20060118_e.asp

PCC: 325

Personal Information Practices Considered in Sale of Dental Practice

After reading the consent form given to him by his dentist's office, a patient became concerned about his personal information being disclosed to potential purchasers of the dentist's practice. The Commissioner, however, was satisfied that the purpose for such a disclosure was appropriate in the circumstances.

Although the Personal Information Protection and Electronic Documents Act (PIPEDA) does not specifically contemplate any such collection, use or disclosure of personal information as described in the consent form, the Privacy Commissioner noted that it was likely that a reasonable person would consider it appropriate for a dental office to disclose patient personal information to prospective buyers in order for the buyer to evaluate the practice, as per subsection 5(3).

Given the above, the Commissioner was satisfied that the purpose, as described in the consent form, was an appropriate one and concluded that the complaint was not well-founded.

Full finding is available at:
http://www.privcom.gc.ca/cf-dc/2006/325_20060118_e.asp

PCC: 324

Consumer Complains About Requirement to Provide Identification in Order to Obtain Credit Report

An individual was unhappy that a credit bureau asked him to provide two pieces of identification before it would send him a copy of his credit report. Since he refused to provide the information, the bureau would not send him the report. He in turn complained to the Office that he had been denied access to his personal information.

The Privacy Commissioner, however, agreed with the bureau that it was necessary to verify the requestor's identity before releasing such sensitive information. She noted that under the Personal Information Protection and Electronic Documents Act, organizations can ask for sufficient information prior to providing access. She pointed out that such a request was also a means of protecting the individual's information from unauthorized access.

In making her determinations, the Privacy Commissioner disagreed with the complainant's view that the credit bureau should not be allowed to ask for two pieces of identification from a requestor, noting that Principle 4.9.2 of the Act allows organizations to require sufficient information of individuals so that they may provide the individual with access to his or her personal information. She was therefore satisfied that the credit bureau's request was in keeping with this Principle.

Although the credit bureau did not provide the complainant with the information he was seeking, the Commissioner agreed that the bureau first needed to authenticate the complainant's identity before it could provide him with access. Consumer reporting legislation requires identification verification. Moreover, she noted, it is a means by which the credit bureau may protect the personal information it holds from unauthorized access, which is also required under Principle 4.7.1 of the Act. She therefore found that the credit bureau had not contravened Principle 4.9 and concluded that the complaint was not well-founded.

Full finding is available at:
http://www.privcom.gc.ca/cf-dc/2006/324_20060109_e.asp

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.