Uncategorized Archives - OF DIGITAL INTEREST

Uncategorized

OMB Reviewing Common Rule Overhaul

by Chelsea M. Rutherford and Jennifer S. Geetter | Jan 6, 2017 | Data Privacy, General Interest, Uncategorized

On January 4, 2017, the Department of Health and Human Services (HHS) submitted a draft final rule to amend the federal human research regulations to the Office of Management and Budget (OMB). These regulations, often referred to as the Common Rule, were originally developed in 1991 and have been adopted by multiple federal departments and agencies. OMB review is the last step before final publication and suggests that HHS is trying to release a final rule before President Obama leaves office on January 20, 2017.

Through its Office for Human Research Protections (OHRP), HHS initially published an Advanced Notice of Proposed Rulemaking in July 2011. The Advanced Notice generated significant controversy and OHRP did not publish a notice of proposed rulemaking (Proposed Rule) for over four years, ultimately doing so on September 8, 2015. The Proposed Rule, like its earlier Advanced Notice counterpart, suggested major changes to the Common Rule, including changes to its overall jurisdictional scope, requirements relating to secondary use of biospecimens and individually identifiable information, and the general research review and oversight process.

Since the Proposed Rule’s publication, OHRP has received significant feedback from both industry and expert advisory groups about the proposed changes and their overall impact. While certain proposed changes have been applauded, the Proposed Rule has also generated considerable concern and uncertainty among stakeholders.

The current status of OMB’s review is pending.

The Joint Commission Puts the Brakes on Text Messaging Patient Orders

by Sandra M. DiVarco | Dec 28, 2016 | Data Privacy, General Interest, Telehealth, Text Messaging, Uncategorized

The Joint Commission (TJC) recently clarified that licensed independent providers (LIPs) or other practitioners may not utilize secure text messaging platforms to transmit patient care orders. TJC’s earlier position provided that use of secure text messaging platforms was an acceptable method to transmit such orders, provided that the use was in accordance with professional standards of practice, law and regulation, and policies and procedures.

TJC identified the rationale for the reinstated prohibition against secure text messaging for patient care orders as one of patient safety—after “weighing the pros and cons” TJC and the Centers For Medicare and Medicaid Services (CMS) concluded that as the impact of the modality on patient safety remained unclear, and determined that approving its use was premature.

Read more here about how this clarification impacts health care organizations.

The FTC Continues to Flex its Safe Harbor Enforcement Muscles

by McDermott Will & Emery | Aug 26, 2015 | Data Transfers/Safe Harbor/Privacy Shield, Uncategorized

On August 17, 2015, the Federal Trade Commission (FTC) announced settlements with 13 companies on charges that they misled consumers by claiming that they were certified members of the U.S.-EU or U.S.-Swiss Safe Harbor programs when in fact their certifications had lapsed or never existed in the first place. The FTC’s announcement comes on the heels of two previous settlements reached in late May 2015 with companies that had lapsed certifications despite representations to the contrary made to online consumers. This recent activity by the FTC serves as yet another reminder to businesses to monitor their Safe Harbor program certification renewal dates and to exercise care when making representations in privacy policies related to Safe Harbor program certification.

The Safe Harbor programs provide a method for U.S. companies to transfer personal data outside of the European Union (EU) or European Economic Area (EEA) consistent with the requirements of the European Union Directive on Data Protection or the Swiss Federal Act on Data Protection. To participate in a Safe Harbor program, a company must self-certify to the U.S. Department of Commerce that it complies with seven privacy principles and related requirements. Once certified, a company is required to renew its certification with the Department of Commerce each year to maintain its status as a current member of the Safe Harbor program.

The companies at the center of the recent enforcement actions represent a variety of industries, including app development, pharmaceutical and biotechnology research, medical waste processing and wholesale food manufacturing. This broad industry representation suggests to us that the FTC is committed to ongoing enforcement. Accordingly, we want to remind readers of these tips:

Check your company’s certification status to ensure that it is marked “current” on the Department of Commerce website: https://safeharbor.export.gov/list.aspx;
Review any privacy policies and online statements referencing the Safe Harbor programs to ensure that they properly reflect the certification status and the company’s actual privacy and data security practices;
Institute a systemic reminder six months prior to the recertification date that triggers compliance review activity with a due date for completion prior to the recertification deadline, together with a requirement that the actual online recertification be completed prior to the annual deadline;
Remove all references to the Safe Harbor programs from publicly available privacy policies and statements if the company’s certification status is unclear; and
Review substantive compliance with the Safe Harbor programs and institute corrective action and controls to ensure that compliance is maintained.

Amendment to the Personal Information Protection Act Passed in the National Assembly July 6, 2015

by Kwang Bae, partner, Lee & Ko | Aug 3, 2015 | Consumer Protection, Cybersecurity, Data Privacy, Uncategorized

On July 6, 2015, the Korean National Assembly passed a bill containing several amendments to the Personal Information Protection Act (PIPA). This bill (the Amendment Bill) combines a number of major provisions from nine previous different bills – e.g., one introduced in 2013 and eight proposed in 2014 following the massive data breach of three major credit card companies that occurred in January 2014 (the Credit Card Company Data Breach). Although the amended version of the PIPA (the Amended Act) will take effect upon its promulgation (yet to be determined), most of the provisions that will significantly affect the obligations and responsibilities of data handlers are scheduled to take effect either a year after the Amended Act’s promulgation or on January 1, 2016. For timely compliance with the amended law, companies processing customer or employee data need to keep an eye on the respective effective dates of provisions of the Amended Act that are particularly applicable to them.

1. Significance of the Amendment

The PIPA was adopted in 2011, among others, to protect the privacy of individuals and their personal information from unlawful collection, leakage, appropriation and misuse. However, even after the PIPA’s enactment in 2011, large-scale data breaches were not uncommon, and the Credit Card Company Data Breach last year was the final straw that prompted a call for stricter data protection and privacy regulations across the board to raise awareness of the significance of data protection and security and potential serious risks. The Amendment Bill keeps pace with the stricter rules of the recently amended version of the Utilization and Protection of Credit Information Act.

More specifically, the Amendment Bill extends stronger protection measures to individuals affected by data breaches by providing for punitive damages and statutory damages. Further, heavier penalties are imposed on those who violate certain provisions of the PIPA, and illegal proceeds generated from such violations are subject to forfeiture and collection. Whereas the current version of the PIPA provided for the recovery of damages in the event an individual’s personal information was stolen, lost, leaked, falsified or damaged, the Amendment Bill explicitly prescribes “fabrication” of personal information as an additional type of data breach, so that affected individuals will also be able to claim damages if their personal information is fabricated. The Amendment Bill also awards broader authority to the Personal Information Protection Committee (PIPC) to address loopholes relating to the practical operation of the PIPC in the PIPA, and provides for the legal grounds for the designation of institutions for data protection certification. Overall, the Amendment Bill contains provisions that increase the level of penalties imposed on violators.

Some of the key changes to the PIPA pursuant to this amendment are summarized below.

2. Adoption of Punitive Damages and Statutory Damages Provisions

The Amendment Bill deletes Article 39(2) of the PIPA which sets forth the mitigating circumstances of a data handler’s liability for damages incurred by a data subject whose personal information is mishandled. Furthermore, under the Amendment Bill, if a person suffers [...]

Continue Reading

Argentina Adopts New Data Protection Regulations for the Use of Do Not Call Registry and CCTV

by Effie D. Silva | Apr 24, 2015 | Consumer Protection, Data Privacy, Uncategorized

The Argentinian Data Protection Authority (DPA) beefs up penalties to fight robocalls and unconsented-to video surveillance by enacting Do Not Call and CCTV regulations.

Because robocalls are cheap and efficient, they have become a quite popular form of advertising in Argentina. In order to curb the variety of abuses that can come from robocalling–such as deceptive and abusive marketing–Argentina is injecting into their regulatory regime penalty-driven regulations that will address the problems presented by robocalls. This will preserve their beneficial use while still complying with Argentina’s privacy law requirements. Specifically, the February 2015 sanctions regulation addresses the recently adopted national Do Not Call registry that was implemented at the start of this year.

To comply with the Do Not Call regulations, companies need to register and download the database of individuals who do not want to be called. If companies fail to do so, they can be subject to various serious fines of up to USD $12,000. Examples of serious breaches include the processing of personal data without the DPA registration or breach of the Do Not Call regulation in marketing campaigns (even if the caller is located abroad). Any international transfers in breach of the Data Protection Act and its regulations would be considered a more serious breach. Indeed, the DPA has already issued 60 enforcement notices based on this new sanctions regulation.

In February, the DPA also enacted a law regulating the use of closed-circuit television (CCTV) cameras for video surveillance in the private and public sphere. The new CCTV regulation requires data controllers to apply, if possible, notice and consent provisions to CCTV-related data processing. It also requires that a conspicuous sign be included for the purpose of informing the data subject of the name and domicile of the data controller, as well as where to exercise the data protection rights. Additionally, CCTV databases must be registered and the personal data collected shall not be used for any purpose incompatible with that which gives rise to their collection. It is important to note that some CCTV processing is exempted from consent, such as public government databases and processing data within private property for private purposes.

These regulations were enacted in an effort to round out and complete Argentina’s privacy legal framework.