The United States recently became the first country to participate in the new Asia-Pacific Economic Cooperation (“APEC”) Privacy Recognition for Processors (“PRP”) program. Finalized in 2016 and designed to certify privacy compliance for personal information processors within the Asia-Pacific region, the PRP program offers a trustmark certification to processors that demonstrate their capacity to assist data controllers in complying with relevant privacy obligations. According to APEC, the PRP program was created so that (1) data controllers are able to identify qualified data processors to implement data controllers’ data processing obligations, (2) data processors are able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements, and (3) small and medium-sized institutions are able to gain exposure and visibility into a global data processing network. Continue reading “United States Is First Country to Join APEC Privacy Recognition for Processors Program”
Singapore Addresses Confidentiality of Electronic Patient Records in New Healthcare Services Bill
Singapore’s Ministry of Health (MOH) recently drafted a new Healthcare Services (HCS) Bill aimed to bridge the gap between the country’s changing healthcare needs and technological advances. According to the MOH, the healthcare landscape in Singapore is undergoing significant changes, including an ageing population, increased chronic disease prevalence, and advancements in medicine and health technologies. The HCS Bill will “better safeguard the safety and well-being of patients, while enabling new and innovative services that benefit patients to be developed, in the changing healthcare environment.”
Currently, healthcare providers in Singapore are licensed and regulated under the Private Hospitals and Medical Clinics Act (PHMCA), which was designed to protect patient safety through the licensing of physical healthcare premises. But, brick and mortar locations are quickly becoming a thing of the past as more and more healthcare services are delivered through mobile and online channels. MOH intends to respond to this shift by repealing the PHMCA and replacing it with this new HCS Bill.
Battling Botnets – Evolving U.S. Government Policies and Frameworks to Address Security and Resiliency Challenges
The Secretaries of the Department of Commerce and the Department of Homeland Security, through the National Telecommunications and Information Administration (NTIA), in early January 2018 issued a draft report to further public discussion about enhancing the resilience of the Internet and communications ecosystem against botnets and other automated distributed threats. This report continues work initiated under Presidential Executive Order 13800, “Strengthening the Cyber Security of Federal Networks and Critical Infrastructure.” The report seeks additional public comment on known and evolving risks within and to the ecosystem and aims to forge consensus on what approaches warrant consideration for the government either to adopt or to encourage. Commenters are asked to evaluate a range of proposed goals and actions to achieve a more resilient ecosystem as well as to address the roles various stakeholders play in achieving and maintaining resiliency of the ecosystem nationally and globally. Comments are due on the draft report by February 12, 2018 and the final report is due the president by May 11, 2018.
Six principal themes emerged from the government’s analysis of prior comments on identifying and mitigating botnet and other cyber threats, namely that:
- Automated distributed attacks are a global problem;
- While effective tools exist, they are not widely used
- Products should be secured during all stages of their life cycle.;
- Improved education and awareness are necessary;
- Current market incentives are misaligned; and
- Automated distributed attacks are an ecosystem-wide challenge.
Connecticut Supreme Court Establishes Private Right to Sue Over Medical Record Breaches
The Connecticut Supreme Court has joined several other states by holding that health care providers owe patients a common law duty to maintain the confidentiality of their medical records. In a unanimous reversal of the lower court’s ruling, the court determined that the unauthorized disclosure of confidential information obtained in the course of a physician-patient relationship gives rise to a cause of action in tort against the health care provider, unless the disclosure is otherwise allowed by law.
Emily Byrne sued the Avery Center for Obstetrics and Gynecology, P.C. (“Avery”) for negligence and negligent infliction of emotional distress in connection with Avery’s release of her medical records in response to a subpoena issued by her ex-boyfriend, Andro Mendoza, in the course of a paternity action. The subpoena instructed Avery to send the custodian of its records to appear, together with Byrne’s medical records, at the New Haven Regional Children’s Probate Court. Avery did not alert Bryne about the subpoena, file a motion to quash it, or appear in court – it mailed Byrne’s medical records. Bryne alleges that she suffered harassment and extortion threats from Mendoza because Avery gave him access to her medical records without her knowledge or consent.
VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case
The Federal Trade Commission announced a settlement with VTech Electronics Limited and its U.S. subsidiary in the FTC’s first case involving Internet-connected toys.
VTech had been charged with violating the FTC Act and the Children’s Online Privacy Protection Act (COPPA) by collecting personal information from children without providing direct notice and obtaining their parent’s consent, as well as failing to properly secure the data it collected. The settlement includes a payment of $650,000 in civil penalties, injunctive relief, and the establishment of a comprehensive security program.
Background
VTech, a Hong Kong corporation, and VTech Electronics North America, advertise, market and distribute electronic learning products (ELPs). The companies offer online games available through the ELPs and operate the Learning Lodge Navigator online service, a platform similar to an app store that allows customers to download child-directed apps, games, e-books and other online content. As of November 2015, approximately 2.25 million parents had created accounts with Learning Lodge for nearly 3 million children, according to the FTC.
Continue reading “VTech Settlement Resolves COPPA Allegations in FTC’s First Connected Toy Case”
Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR
The Article 29 Working Party (WP29) released two guideline documents, WP259 and WP260, on the General Data Protection Regulation (GDPR) concepts of consent and transparency. Comments on both documents will be accepted by the Working Party through January 23, 2018 after which the WP 29 working party will issue final guidance. WP29 is an independent European advisory body on data protection and privacy.
This blog post focuses on WP260, the guideline on transparency. Our companion post on WP259, the guideline on consent can be read here.
Transparency has long been a fundamental feature of EU privacy law and is an overarching obligation under the GDPR. The draft guideline notes that a central consideration of the principle of transparency is that the data subject should be able to determine in advance what the scope and consequences of the processing entails. Transparency applies in three central areas:
- The provision of information to data subjects related to the fair processing of their personal data.
- How data controllers communicate with data subjects in relation to their rights under the GDPR.
- How data controllers facilitate the exercise by data subjects of their rights.
Continue reading “Article 29 Working Party Releases Guideline WP260 on Transparency under the GDPR”