Industry-Specific Privacy Issues

Access to Financial Records Is Denied to Government Agencies

Under Title 12 United States Code Section 3402, access to financial records by U.S. government authorities is prohibited except in the following circumstances:

  • The customer of financial records has authorized the disclosure.

  • The relevant financial records are disclosed in response to an administrative subpoena or summons.

  • The relevant financial records are disclosed in response to a judicial subpoena.

  • The relevant financial records are disclosed in response to a formal written request in conformity with the provisions of Section 3408 of Title 12.

Gramm-Leach-Bliley Act

This law (Title 15 United States Code Sections 6801-6810) is intended to provide information privacy protection by obligating each financial institution to respect the privacy of its customers and protect the security and confidentiality of the customers' nonpublic personal information.

  • Financial institutions may not disclose a customer's account number for the purpose of marketing by a third party.

  • Financial institutions must develop procedures to protect information from unauthorized access that could result in harm to customers.

  • Financial institutions must advise customers in a clear and timely manner of their policies regarding the disclosure of information with third parties.

  • Financial institutions must provide a vehicle for customers to opt out of arrangements, thereby refusing permission to disclose their nonpublic information to third parties.

Health Insurance Portability and Accountability Act

HIPAA governs health care communications and practices, recognizing that they play an essential role in ensuring individuals receive effective health care (45 CFR 160-164). HIPAA has the goal of improving the effectiveness and efficiency of the health care system, including comprehensive measures, not the least of which are provisions for protecting the privacy of individual health information. To this end, HIPAA mandates the adoption of privacy protections for individually identifiable health information.

Most health plans and health care providers are covered by the new rule (HIPAA) and must have complied with the new requirements by April 14, 2003. For the first time, HIPAA creates national standards safeguarding the privacy of individuals' health information:

  • It provides patients with more control over the use and disclosure of their health records.

  • It establishes safeguards that health care providers must achieve to protect the privacy of individuals' health information.

  • It makes covered entities accountable, under civil and criminal laws, when a patient's privacy rights are violated.

  • It empowers patients to discover how their information might be used and about disclosures of their information that have been made.

  • HIPAA limits the release of information to that reasonably needed for the specific purpose of the disclosure.

  • HIPAA grants individuals the right to examine and obtain copies of their own health records, request corrections, and limit how they might be released.

  • HIPAA grants individuals control over uses and disclosures of their health information.

Due to the nature of these types of communications and the environment in which individuals receive care, the potential for a person's health-related information to be disclosed is great. For example, a patient's conversation with their physician may be overheard in the confines of a two-patient hospital room.

HIPAA privacy rules are not intended to preclude customary or essential communications in the administration of patient care, nor do they require that all risk of disclosure be eliminated to satisfy their requirements. HIPAA privacy rules permit certain types of incidental uses or disclosures of protected health information when the covered health care entity has installed reasonable safeguards with required policies and procedures safeguarding privacy.

Generally, HIPAA privacy rules require the following of the average health care provider or covered health plan:

  • Notify individuals of their privacy rights and how their health care information can be used.

  • Implement privacy procedures for covered entities, e.g., clinics, hospitals, health care plans, etc.

  • Train employees of covered entities to understand and implement privacy procedures.

  • Designate at least one individual to be responsible for the adoption and compliance with privacy procedures under HIPAA.

  • Secure health records containing individually identifiable health information so they are not accessible to those not needing to know.

There are many important aspects of HIPAA, including the patient's right to file complaints regarding privacy to the covered health care entity or the Office of Inspector General, Department of Health and Human Services.

Compliance with the new HIPAA privacy standards is required of the covered entities:

  • Health care plans

  • Health care clearinghouses

  • Health care providers who conduct certain financial and administrative transactions such as billing and fund transfers. These entities are bound by HIPAA privacy standards even if they contract with third parties to perform some functions.

  • HIPAA Privacy rules compliance became effective April 14, 2003, with small health plans compliant by April 14, 2004.

Fair Credit Reporting Act

The federal Fair Credit Reporting Act (FCRA) was created to promote fairness, accuracy, and privacy of information relating to consumer credit histories held by Credit Reporting Agencies (15 United States Code Sections 1681-1681). As a matter of background, most credit reporting agencies are credit bureaus that collect and sell credit histories. Under provisions of the FCRA, consumers have very specific rights and in some cases, these rights have been expanded under state laws.

These are a few of the rights granted under the FCRA to consumers:

  • Individuals and organizations have the right to review the information held in their file including a list of anyone who has requested to see the information. Credit reporting agencies are required to provide report copies for a nominal charge after proper request.

  • Consumers must be advised if information from their credit file has been used to deny credit, insurance, or employment. This notification must include the name, address, and telephone number of the credit-reporting agency providing the credit history report.

  • Consumers have the right to dispute inaccurate information with the credit-reporting agency. If notified of inaccuracies, it is the credit-reporting agency's responsibility to investigate the disputed items by presenting to its credit source all relevant evidence provided by the consumer unless it is determined the dispute is frivolous. The information source must review the consumer's evidence and report its findings to the credit-reporting agency that must deliver a written report of the investigation to the consumer. If the dispute cannot be resolved, then the consumer may add a statement to his file, and credit reports must normally include a summary of this statement in future reports.

  • If a consumer disputes an item with the source of the information, the source may not report the credit information to the credit-reporting agency without including notice of the dispute. Once the source of credit information is notified of an inaccuracy, it may not continue to report the identified inaccurate information.

  • Access to credit history information is limited. The credit reporting agency may only provide information to individuals recognized by the FCRA: creditors, insurers, employers, landlords, and other relevant businesses.

  • Consumers must provide consent for their credit history reports to be provided to employers or for reports that contain medical information. Credit reporting agencies may not provide information to employers or prospective employers, or provide reports containing medical information, without the consumer's consent.

Penalties for failing to comply with FCRA tenets include:

  • Civil liabilities for willful and negligent noncompliance including actual damages, attorneys' fees, punitive and statutory damages.

  • Class actions can be brought under standards of civil liability.

  • Criminal penalties for obtaining information under false pretenses and unauthorized disclosures. Of course, penalties include incarceration, fines, and restitution.

  • Administrative actions may be sought by the Federal Trade Commission resulting in financial penalties against any person knowingly violating the FCRA.

Family Education Privacy Rights

Family educational and privacy rights are guaranteed by this federal law found at Title 20, United States Code, Section 1232g. Contingent upon the continued receipt of federal funding, it sets conditions for the availability of student records to parents who have children in school or for adults attending school. It grants the right to inspect and review education records of children and mandates that each institution establish appropriate procedures for granting requests by parents to inspect records. Under the tenets of this law, parents have the right to have a hearing challenging the content of such student's education records ensuring that the records are accurate or otherwise not in violation of the student's privacy rights. Such challenges may serve to correct, delete inaccuracies, or delete misleading or inappropriate data contained in the student's education records. Parents also have a right to insert into such records a written explanation respecting the content of these records. When a student has attained the age of eighteen or is attending post-secondary educational institutions, the permission or rights of the parents are accorded to the student.

Educational institutions have the right to disclose educational records to teachers and school officials including teachers and school officials in other schools having legitimate educational interest in the behavior and performance of the student.

By way of enforcement, the Secretary of Education must take appropriate actions enforcing this law and address violations. Failing to voluntarily comply can result in the Secretary terminating federal assistance to the educational institution.

Cable TV Privacy Act

Under the provisions of this law, 47 U.S. Code 551, at least yearly a cable TV operator must provide written notice to subscribers clearly and conspicuously advising of the nature of personally identifiable information collected with respect to the subscriber and the use of such information.

Cable operators are required to notify subscribers of the nature, frequency, and purpose of any disclosures, including the identification of persons to whom disclosure is made, the period during which this information is maintained by the operator, and the times and places at which the subscriber may have access to this information.

Cable operators cannot use the cable system to collect personally identifiable information about subscribers without the prior written consent of the subscriber.

Operators are prohibited from disclosing personally identifiable information concerning subscribers without their written consent. However, cable operators may use collected information or go about the process of collecting sufficient information in order to render services and conduct legitimate business. Operators may disclose personally identifiable information pursuant to a court order and must notify the subscriber of such orders. Disclosure of personally identifiable information to governmental entities will require a court order if there is clear and convincing evidence that the subscriber is reasonably suspected of engaging in criminal activity and the information sought is material to the case. In such cases, the law allows the subscriber to appear and contest the entity's claim.

A cable subscriber must be provided access to all personally identifiable information in the possession of the operator at reasonable times and places. Subscribers are provided reasonable opportunities to correct any errors. Cable operators may destroy personally identifiable information if the information is no longer necessary to conduct business.

Civil actions are directed to the United States district courts with damages, costs, and attorney's fees possibly awarded as part of any remedy.

Wrongful Disclosure of Videotape Rental or Sale Records (18 U.S. Code 2710)

Vendors engaged in the rental and sales of videotapes or similar products are prohibited from knowingly disclosing personally identifiable information concerning any consumer unless the following is met:

  • There is informed written consent from the consumer given at the time the disclosure is sought.

  • There is a warrant issued under the Federal Rules of Criminal Procedure, equivalent state warrant, grand jury subpoena, or court order.

  • Pursuant to a court order in a civil proceeding, that is based on a showing of compelling need for the information that cannot be accommodated by any other means.

  • Court orders authorizing personally identifying information disclosure shall only be issued with prior notice to the consumer and if the law enforcement agency shows there is probable cause to believe that the records or other information are relevant to a legitimate law enforcement inquiry.

If videotape service providers knowingly disclose to any person personally identifiable information concerning any consumer of videotape sales or rentals, they can be held liable to the aggrieved person (consumer). Any person (plaintiff) alleging violations of this law by filing civil actions in U.S. District Court may seek financial remedies. The court may award actual damages to the plaintiff amounting to not less than $2,500, punitive damages in any appropriate amount, other equitable relief the court determines to be appropriate, and other reasonable fees including attorney's fees.

Children's Online Privacy Protection Act (COPPA)

Effective April 21, 2000, COPPA became law, requiring that the online collection of personal information about children under the age of 13 be safeguarded and limited (15 U.S. Code 6501). This law applies to the commercial operation of a Web site, online services, or general audience Web sites where vendors have knowledge these children are going to be providing personal information. There are several tests, applied by the Federal Trade Commission, which is responsible for this law's enforcement, to determine if the Web site is directed to children:

  • Visual or audio content of the Web site

  • Age of the models on the site

  • Language of the site

  • Advertising on the site appealing to children

  • Information regarding the age of the actual or intended audience

  • Use of animated characters

  • Child-oriented features

Web site operators are defined as the persons responsible for ownership and control of the online services, individuals paying for the collection and maintenance of the information, individuals whose roles are defined by contract with respect to the collected information, and the role the target Web site has in collecting or maintaining the information.

Personal information, for the purposes of COPPA, is defined as a child's individually identifiable information collected through online services. Items such as name, home address, e-mail address, telephone numbers, age, or any other information permitting identification or making contact possible are covered under the law. There are other items, frequently escaping notice, that are considered part of this pool of identifiable information:

  • Hobbies

  • Interests

  • Tracking mechanisms such as cookies

  • School attendance

On Web sites, operators must have links to privacy policies on their home page advising of information privacy practices and on each Web page where personally identifiable information is collected from children. Links to privacy notices must be clear and easy to see. They must be clearly written and plainly understandable and include:

  • Name and contact information, address, telephone number, and e-mail address of Web site operator(s) collecting or maintaining children's information.

  • If more than one Web site operator is collecting information at the Web site, the site may provide contact information for only one operator who is designated to respond to all inquiries from parents about the Web site's privacy, policies, and procedures.

  • Kinds of personal information collected from children, e.g., name, address, etc.

  • Means by which the information is collected, e.g., directly from children or indirectly using a mechanism such as cookies.

  • Uses of the information by the operator. For example, is the information used for marketing purposes, contest participation, etc.?

  • Operators must disclose whether the child's information is transmitted to third parties. If this is the case, the operator must disclose the kinds of business in which the information recipients are engaged, the general purposes for which they intend to use the information, and whether the recipients have agreed to maintain the confidentiality and security of the personal information.

  • Parents must have the option to agree to the collection and use of children's information without consenting to the disclosure of the information to third parties.

  • Parents can review the child's personal information, requesting to have it deleted and refusing to permit any further collection or use of the child's information. The Web page's notice must also declare the procedures for parents to follow if they wish to take any action or make any inquiry.

The notice to parents must have the same information included on the notice on the Web site. Operators must notify parents that they wish to collect personal information from children, that the parent's consent is necessary for the collection, use and disclosure of the information, and of the means by which the parent can provide consent. The notice to parents must be written clearly and understandably.

It may not contain any unrelated or confusing information. Operators are allowed to use different methods of parental notification including sending an e-mail message to the parent, telephone call or by sending a notice by conventional mail. Operators must obtain verifiable parental consent, from the child's parent, before collecting or disclosing a child's personal information. In short, operators must take reasonable steps ensuring that a child's parent receives notice of the operator's information practices and consents to those practices before collecting, using, or disclosing a child's personal information.

Parental consent is not necessary in the following conditions:

  • Operator collects an e-mail address belonging to a child or parent to provide notice to obtain consent.

  • Operator collects an e-mail address to respond to a one-time request from a child, and then deletes it.

  • Operator collects an e-mail address to respond more than once to specific requests. In this case, the operator must notify parents that it is communicating with the child and provide the parent with the opportunity to halt the communication before transmitting a second communication to the child.

  • Operator collects a child's name or other contact information to protect the safety of the child who is participating on the site. In this fashion, the operator must notify parents and provide them the opportunity to prevent further use of the information.

  • Operator collects a child's name or contact information to protect the security or liability of the Web site or to respond to law enforcement. The operator may not use the information for any other purpose.

Operators are required to send notices and seek consent from parents if there are material changes in their collection, use, or disclosure practices to which parents had consented previously. Operators must send parental notices and seek new consent if the third parties materially change or if they change their information handling practices.

Operators must disclose the types of personal information they collect from children to parents when requested by the parents. Operators are legally required to employ reasonable procedures ensuring they are, in fact, communicating with the child's parents before they provide access to the child's personal information.


Experience Note

Web site operators, appealing to young children, should have extensive documentation of their privacy policies and procedures. They must document their communications with parents and their children thoroughly if they wish to avoid legal actions. Vendors are wise to include the scope and existence of this documentation as part of their audit procedures.

Operators may deploy a variety of means in verifying parents' identities:

  • Obtaining a personally signed form from the parent received by the operator via conventional mail or facsimile

  • Operators may accept and verify a credit card number

  • Operators may accept telephone calls from parents

  • Operators may accept e-mail accompanied by the parent's digital signature

  • Operators may accept an e-mail with a PIN or password obtained through a verification method

Web site operators following prudent and reasonable procedures, acting in good faith to a request for parental access to a child's personal information, may be protected from liability under federal law for inadvertent disclosures of a child's information to someone purporting to be a parent.

Parents may revoke their consent refusing to permit operators to further collect or use their child's information. They may advise operators they wish to have the information deleted and request operators to cease communicating further with their child.

COPPA enforcement is the responsibility of the Federal Trade Commission, which examines operators' practices for deception and a lack of fairness. Its enforcement actions are pursued through civil processes and usually target representations, omissions, fraud, or deceptions where operators mislead consumers, affecting behavior or decisions about the product or services.

Federal Privacy Act

In 1974, the federal government became bound by the Privacy Act, 5 U.S. Code 552. With the passage of this law, Congress established controls over the collection and disclosure of personal information. The federal government has a voracious appetite for personal information, collecting an incredibly wide range of individual information through military records, social security records, welfare programs, health care programs, federal employment, food stamps, farm subsidies, emergency assistance, government financial instruments, tax records, court records, grants, student loans, etc.

There are certain rights and controls within this law:

  • Right to see one's records (there are certain exemptions)

  • Right to amend that record if it contains inaccurate, irrelevant, untimely, or incomplete information

  • Right to sue the government for violations of the statute, including unauthorized access, etc.

The Right to Privacy law mandates certain constraints on informational practices of federal agencies by requiring them to ensure their records are relevant, accurate, and complete. Federal agencies are prohibited from collecting or maintaining information about the way individuals exercise their First Amendment rights. Of course, agencies may collect this type of information if the individual consents to the practice or is within the scope of a legitimate law enforcement investigation.

Individuals may request to review their information but there are some conditions to this request. Requests only apply to information within the statutory definition of a "system of records." The system of records refers to records that can be retrieved by the individual's name, Social Security number, date of birth, or some other unique personal identifier. The Privacy Act does not apply to information about individuals contained in records that are filed under other subjects. For example, if a person purchased federal government bonds but they were purchased in the name of a business, it is likely the person actually making the purchase would not be indexed and her information would not likely be recoverable.

Any federal, state, or local government agency requesting an individual's Social Security number is required to advise that individual whether that information is mandatory or voluntary. If mandatory, they are required to cite the statutory or other authority by which the number is requested and their intended uses of it.

There are exemptions described in the Act under which an agency can withhold certain types of individual information. Examples of such exempted information are classified information or information contained in certain criminal investigations. Information relating to a confidential informant is exempted for obvious reasons, as is information from individuals requesting confidentiality when they provide background information about someone seeking federal employment.

Information relating to an individual's name and address may not be sold, traded, or rented by an agency unless specifically authorized by law.

Safe Harbor Issues in the United States

In 2000, the European Union (EU) adopted the European Commission's Directive on Data Protection (Safe Harbor), prohibiting the transfer of personal data to non-EU nations that do not meet the EU standard for privacy protection. The United States has taken a different route to secure privacy protection, adopting a combination of legislation, regulation, and self-regulation, where the EU has adopted a stance of data protection agencies, registration of databases, and in some cases approval before personal data processing can begin.

The Department of Commerce, acting with the European Commission, has developed a framework for "safe harbor" where U.S. businesses can avoid experiencing interruptions in their business operations with the EU or possibly facing prosecution under EU privacy laws. The Department of Commerce has established a means of certifying to the EU that U.S. registered companies provide adequate privacy safeguards as defined by the directive. [2]

Data controllers in Europe know which U.S. companies can receive data by the fact that the U.S. Department of Commerce, on this Web site, publicly posts those organizations that have joined Safe Harbor. By self-certification, U.S. companies can be placed on the Safe Harbor Web list. Through the self-certification process, U.S. organizations declare they will comply with Safe Harbor privacy requirements. The European Union Data Protection Directive (95/46/EC) mandates that organizations provide adequate protection of data relevant to EU residents. If a U.S. organization publicly declares its compliance with Safe Harbor principles, it is presumed to provide adequate information protection. In their most basic form, Safe Harbor principles consist of the following:

  • Notice of the purpose the information is being collected, its uses, and disclosures.

  • Individual personal information may be reviewed, with corrections, deletions, amendments, and modifications made. The individual also has the right to determine to whom the information might be revealed and which parts will be disclosed. The collector of the information is bound to safeguard the information for the time it is stored, whether it is being used or not.

  • Entities receiving personal information from the original collector are bound to comply with the privacy principles of Safe Harbor.

  • The collector of personal information is bound to adequately protect the information from unauthorized access, disclosure, or use.

After they certify, businesses are subject to oversight and enforcement by the Federal Trade Commission or the Department of Transportation dealing with unfair and deceptive practices. Subscribing organizations are required to identify an independent body whose purpose it is to resolve disputes so anyone with a complaint knows where to file.

One of the guiding principles of Safe Harbor is that data transferred to U.S. participants cannot be transmitted to others outside the Safe Harbor confines. The only exception to this rule is if the disclosure is made to a third party acting as an agent under the direction of a member of Safe Harbor. It is a requirement that receiving third parties observe similar information privacy protections as the member-business.


Experience Note

Becoming a member of Safe Harbor is voluntary with the rules applying only to those who enlist.

Enforcement of Safe Harbor privacy requirements in the United States is essentially driven by filed complaints. Resolution forums established for that purpose address initial disputes. It is expected these entities will investigate and attempt to resolve complaints as an initial step. However, if members fail to adhere to rulings, then cases will be transmitted to the Federal Trade Commission or Department of Transportation, which have the ability to legally obligate them into compliance. If there are more serious cases of noncompliance, then they will be removed from the membership list, meaning they can no longer receive personal information data transfers from the EU under Safe Harbor.

Compliance with Safe Harbor membership is enforced by the Federal Trade Commission through the Federal Trade Commission Act, which makes it unlawful to make misrepresentations or engage in deceptive practices that mislead consumers. If businesses declare they are providing a specific set of information privacy protections and fail to do so, this will be interpreted as a deceptive practice, resulting in civil or administrative enforcement actions from the Federal Trade Commission.

Organizations undergo the self-certification process by providing a letter, signed by an officer on behalf of the organization, stating that it is joining Safe Harbor and containing the following information:

  • Name of organization, mailing address, e-mail address, telephone and facsimile numbers

  • Description of the organization's activities relating to personal information received from the EU

  • Description of the organization's privacy policies for personal information protection including:

    • Where is the organization's privacy policy available for public viewing?

    • What is the privacy policy's effective date of implementation?

    • What is the organization's official contact for addressing complaints, information access requests, and other issues under Safe Harbor?

    • What is the statutory body having jurisdiction to hear complaints against the organization regarding allegations of unfair, deceptive practices, violations of laws and regulations?

    • What is the name of any privacy program in which the petitioning organization is a member?

    • What is the method of compliance verification?

    • What is the mechanism available to investigate unresolved complaints?

Adherence to the Safe Harbor rules is not limited to the time the organization is exchanging data with the EU. It means that the member-organization continues to observe and apply Safe Harbor rules to the EU data as long as the organization stores, uses, or discloses the information even if it leaves Safe Harbor membership.
