
1 Privacy in America: Your Role as Guardians of the Public's Data. Professor Peter P. Swire, Moritz College of Law, The Ohio State University. Ohio Digital Government Summit, October 1, 2008

2 Theme for Today
- You are the guardians of the public's personal data
- The systems you create will enable E-government, democracy, public services
- The systems should do it in a way that ensures the public's privacy and security
- It is a proud responsibility to build these systems for the benefit of our fellow citizens

3 Overview
- My background
- You are the guardians:
- HIPAA: why privacy & security matter
- Public records: don't cause theft
- Data breach: the most important current regulation on data holders
- Privacy Impact Assessments: being thoughtful about data uses
- Big privacy issues today
- What McCain & Obama have said on privacy

4 Swire Background
- Now Ohio State law professor, live in D.C.
- Active in many privacy & security activities
- Senior Fellow, Center for American Progress
- Chief Counselor for Privacy, 1999-2001
- U.S. Office of Management & Budget
- WH coordinator, HIPAA privacy rule
- Public records & privacy
- Federal government's own data
- Computer security
- Other: financial, Internet, national security & FISA

5 Background
- Since 2001:
- Many writings and presentations
- www.peterswire.net
- www.americanprogress.org
- Privacy Year in Review distributed to all members of the International Association of Privacy Professionals
- Lead author of book that is official study guide for Certified Information Privacy Professional exam

6 Guardians I: HIPAA
- The 1996 history
- Administrative simplification in Health Insurance Portability & Accountability Act
- Half the $ in medical system are federal
- No more payments by paper
- Standardized transaction and code set rule
- Save many billions with electronic & standardized payment formats for health care

7 HIPAA History
- If all health payments become electronic, what would happen to privacy & security?
- No previous federal standards for health privacy & security
- Congress said should build privacy & security in at the same time as shift to electronic payments

8 HIPAA History
- Congress didn't pass legislation
- HHS proposed rule in 1999
- Over 53,000 public comments
- Final rule December, 2000
- Bush Administration modest changes 2002
- In effect since 2003

9 Lessons from HIPAA
- Privacy & security should be built in to new IT systems
- Patching later won't work as well, often won't happen & will cost a lot more
- HIPAA far from perfect
- Implementation & guidance budget cut way back from original plans
- Significant success to date & clearly better than not having these protections in place

10 Next in Health Care
- Electronic health records (EHRs)
- How to connect providers into a National Health Information Network
- Personal health records (PHRs)
- Individuals/families manage health records the way they do personal finances
- Microsoft HealthVault, Google Health, Dossia & others
- How to build privacy & security into these?

11 Guardians II: Public Records
- Strong Ohio tradition of open public records
- Freedom of information & transparency lead to better government, lower costs for citizens to get information & many other benefits
- Not every record should become public
- Especially records that can lead to theft or identity theft

12 Bankruptcy Study 2000
- When in White House, I helped lead a study on a federal records system – bankruptcy records
- Proposal was pending – simply put all records on line
- History of open access to these court records
- New system less expensive if simply shift to electronic

13 Bankruptcy Study
- Key data fields:
- Bankruptcy records contain details on financial assets, so creditors know the claims on the estate
- Bank account numbers, security brokerage account numbers, etc., and amount in each account (often $$$)
- A tempting target for pretexting
- Is it a good idea to put those up on the Internet?

14 Lessons on Public Records
- For data fields that lead to pretexting and identity theft, there is significant risk from simply posting to the Internet
- As Ohio has done, work through the risks of these key data fields in managing your public records
- See Swire NACO presentation, at www.peterswire.net

15 Guardians III: Data Breaches
- California history on data breaches
- SSNs and other personal data compromised for all/most state of California employees in 2002
- California passed the data breach law, requiring notice for breaches in both public and private sectors
- The idea swept the nation – almost all states have such laws today

16 Correcting a Market Failure
- Data is held by government agency or corporation
- If breach happens, the cost is mostly on the individuals whose data is put at risk
- Under-investment in protecting the data
- Could have liability on data holder for breach (currently none)
- Instead, have publicity on data holder – data breach laws

17 The Future of Data Breach
- Trend toward broader set of triggers for data breach
- Health care data
- Biometrics (once gone …)
- Required/encouraged encryption
- Trend toward reporting to a state authority
- Ecosystem can learn more about breaches
- A major responsibility for you as data guardians, and that will continue

18 Guardians IV: PIAs
- Privacy Impact Assessments
- Best practice for feds by 2000
- Required for new federal IT systems in E-Government Act of 2002
- Ohio & HB 46, § 125.18 Ohio Revised Code
- New requirement of Privacy Impact Assessments

19 PIAs for Cities & Counties
- PIA process for federal and state, now
- Emerging best practice for government at all levels
- Ohio memo at http://www.oit.ohio.gov/IGD/policy/pdfs_bulletins/ITB-2008.02.pdf
- The HIPAA lesson – build it right from the start for privacy and security

20 August 13 Memo on State PIAs
- Edmondson memo requiring state of Ohio agencies to do privacy assessments
- Privacy Threshold Analysis (and then PIA, as needed):
- When use information technology to collect new information
- When agencies develop, buy, or contract out for new information technology systems to handle collections of personally identifiable information, or
- When agencies conduct ad hoc queries of commercial databases containing personally identifiable information

21 Views of the Candidates
- McCain released privacy policy paper on Aug. 14 – on campaign site
- My analysis, http://wonkroom.thinkprogress.org/2008/08/15/swire-mccain-internet-policy/

22 Limited Role for Government
- For private sector data, basic approach is self-regulation – limited role for government
- Government -- Government must promote a culture of personal security through consumer education initiatives, incentives for the development of secure technologies, and stronger enforcement of laws to protect our citizens, particularly children.

23 Obama and Private Sector Data
- Cautious about regulation, but believes common-sense measures may be appropriate for emerging areas of concern
- Location information (cell phones)
- Electronic health records
- Social networking
- Similar to Clinton approach – act first on medical, financial, kids
- Similar contrast as the two candidates' views on financial regulation

24 Government Surveillance
- The other major privacy area concerns rules for government surveillance, for law enforcement and national security
- McCain has supported Bush approach – major focus on anti-terrorism, few stated limits on executive power, support for Patriot Act
- Obama – former constitutional law prof – has called for more checks & balances and oversight
- Obama pushed for broader FISA reform, but voted for final passage as better than not having authorities in place

25 Concluding Thoughts
- Guardians of the public's data
- HIPAA – build privacy & security in from the start
- Public records – avoid theft & related harms
- Data breach – a major feature in the future
- PIAs – an expected practice from now on

26 Finally
- FOIA and open records are crucial values
- That said, here is a simple test about privacy:
- How would you want the records of your own family treated?
- Do you have the privacy and security practices in place that you would want for your spouse and children?
- If you meet that test, you can be proud in your role of guardian of the public trust
- Good luck in your efforts

