 October 31, 2013  Posted by  Youth & Schools

Sheila Kaplan (@EducationNY) testified before the NYS Senate Standing Committee Hearing on Public Education this week. You can read her written testimony here (pdf). Here’s part of her testimony:

In order to address these challenges comprehensively, each state would benefit from a Chief Privacy Officer in its Department of Education. The broad goal of a CPO is to promote the implementation of fair information practices for privacy and security of personally identifiable information (PII). Working with privacy experts, I drafted the model bill Chief Privacy Officer for Education Act that can easily be adapted to meet states’ needs. [See Exhibit 4, Chief Privacy Officer for Education Act; attached.] 

Under the proposed model bill, the CPO would advise students, parents and other individuals about options and actions that they can take to protect the privacy and security of PII; make recommendations on privacy and security to the governor, state legislatures and agencies, schools, parents and students; and conduct oversight of privacy and security activities of organizations handling and storing student data.

Read more here or watch:

 October 31, 2013  Posted by  Breaches

Over on PHIprivacy.net, I’ve been covering a HIPAA privacy complaint concerning Monroeville, Pennsylvania’s EMS operations. At the heart of the complaint: people who had no current reason to receive EMS alerts by text or email were receiving notifications of medical emergency calls. Charges and counter-charges have rocked the community, with the police chief being demoted and then fired, and the assistant chief of police – the individual who filed the complaint with HHS – being promoted. HHS is still investigating his HIPAA complaint (as far as I know), but there was another issue at the same time: people in EMS were able to access the police databases, which they should not have been able to do. Although that situation posed a significant security and privacy issue in its own right, it is not a matter for HHS, and was only investigated by Monroeville internally.

But now Paul van Osdol reports:

The state Attorney General’s Office is investigating whether Monroeville officials violated state law by improperly accessing criminal history information, WTAE has learned.

In an Oct. 28 letter to Monroeville Manager Lynette McKinney, Deputy Attorney General Lawrence Cherba said he planned to meet with municipality officials to discuss “infractions of the Criminal History Records Information Act.”

Cherba said he would be accompanied by David Peifer, who heads the Bureau of Special Investigations at the AG’s office.

Mayor Greg Erosenko said he does not believe Monroeville officials are the targets of a criminal investigation.

Read more on WTAE. It’s not clear to me whether this is related to EMS personnel accessing the police database or something else. If the latter, it would be the third privacy and/or security issue within the last year or so.

 October 31, 2013  Posted by  Court, Laws

Kate Crockford writes:

Can the government force you to decrypt your hard drive? Do the Fifth Amendment of the United States Constitution and Article 12 of the Massachusetts Declaration of Rights protect us from being compelled to disclose or enter our encryption keys, and thereby potentially incriminate ourselves? The answer to these questions in Massachusetts hinges on the Supreme Judicial Court’s upcoming decision about whether decrypting a computer is like giving someone a key or a combination to a safe, or instead, if it’s like translating words from one language to another.

Read more on ACLU’s blog.