 September 30, 2020  Posted by  Featured News, Govt, Laws, Non-U.S.

Sharon Chen and Glenn Haley of Bryan Cave Leighton Paisner have a series of articles concerning Hong Kong’s possible protection-strengthening amendments to the Personal Data (Privacy) Ordinance (“PDPO”). They write:

At present, the PDPO does not require data users to notify data breaches, either to the Privacy Commissioner for Personal Data (“PCPD”) or to the data subjects concerned. To date, reporting to the PCPD has been voluntary and only was encouraged as a matter of good practice. Following recent incidents of personal data privacy breaches (for example, the data breach incident involving Cathay Pacific and Hong Kong Dragon Airlines (as it then was) in 2018), public concerns about the adequacy of the PDPO began to find voice.

On 20 January 2020, the Hong Kong Government proposed a series of amendments to the PDPO with a view to strengthening the protection for personal data.

So far, they have posted two parts discussing proposed amendments. The first part covers proposed data breach notification requirements.

Part 1 – Important Changes to HK Data Protection Law Under Way

Part 2 – Amendments to Hong Kong Data Protection Law Regarding Data Retention Policy: requirement for a clearly stated retention period

 September 29, 2020  Posted by  Breaches, Govt

Dean DeChiaro reports:

An inspector general’s report is casting doubt on the Department of Homeland Security’s ability to protect its massive repository of personal data from hackers amid a push by the Trump administration to vastly expand its collection of biometrics through the use of facial recognition and other tools.

The report, released by the DHS inspector general’s office on Sept. 23, found that U.S. Customs and Border Protection failed to protect a collection of 184,000 facial images of cross-border travelers prior to a massive data breach last year. At least 19 of the images, which were collected through a pilot program at the Anzalduas Port of Entry in Texas, were later posted on the dark web.

Read more on Roll Call.

 September 29, 2020  Posted by  Breaches, Healthcare

writes:

There has been a colossal rise of medical apps in the last 12 months or so. Today, mobile users rely on medical apps on their iOS and Android devices to track and manage their health, fitness and medical history. The COVID-19 pandemic has provided a huge impetus to the global mobile healthcare market in 2020, enabling app developers, app owners and healthcare providers with a huge opportunity to stay connected with the end-users — the patients and fitness enthusiasts. But, like all mobile applications, medical apps face serious threats from cyber criminals and data hackers who target devices / users in the telehealth, medical device, health commerce, and COVID-tracking segments. Data theft groups are targeting Patient-generated health data (PGHD) with code injections / SQL injections, errors and cross-site scripting. Social engineering and corporate hacking through ransomware viruses during this vulnerable lockdown period is also on the rise.

Read more on AIthority.

 September 29, 2020  Posted by  Featured News, Govt, Healthcare, U.S., Youth & Schools

From the U.S. Department of Education Student Privacy Policy Office today, this FAQ:

 

May Schools Disclose Information about Cases of COVID-19?

By: Kevin Herms, Director of the Student Privacy Policy Office

Schools across the nation are working hard to keep students, teachers, and staff safe during the COVID-19 pandemic. However, many schools are wondering whether the Family Educational Rights and Privacy Act (FERPA) allows them to disclose information about cases of COVID-19 to the community. The Student Privacy Policy Office provided answers to these questions in our March 2020 guidance. Subsequent to issuing the guidance, we have seen reports that states, cities, school districts, and schools are continuing to face questions about disclosing COVID-19 cases. Today, we are answering four of the most common questions.

May a school disclose the number of students who have COVID-19 to parents and students in the school community without prior written consent?

Yes, provided that the information the school shares with parents and students does not allow for any individual student to be identified. If a school discloses information about students in a non-identifiable form, then prior written consent from the parent or student (depending on the age of the student) is not needed under FERPA. When determining what information may be shared without consent, the school must take into account other reasonably available information that could potentially enable non-identifiable information to become identifiable.

For example, a school generally could release the fact that five students are absent due to COVID-19 without disclosing the students’ identities. This would be allowed under FERPA as long as there are a sufficient number of other students who attend the school and other students at the school are absent for other reasons. However, we caution schools to ensure that in releasing such facts, they do so in a way that does not reveal information that, alone or in combination with other information, would allow a person in the school community to identify the students who are absent due to COVID-19.

May a school identify a particular student who has COVID-19 to parents and students in the school community without prior written consent?

In most cases, it will be sufficient for a school to report the fact that an individual in the school has COVID-19, rather than identifying the specific student who is infected. However, there may be situations during a health or safety emergency in which a school may determine that it is appropriate to disclose identifiable information to parents or students about a student with COVID-19 if knowledge of such information is necessary to protect their health. For example, if a student with COVID-19 is an athlete and has been in close contact with other students on a sports team or students who have higher health risks, school officials may determine that these other students or their parents need to know the identity of the infected student in order to take protective measures.

Therefore, in these limited situations, school officials may determine that it is appropriate to disclose such information to parents or students if the disclosure is necessary to allow parents and students to take appropriate precautions. School officials should make this determination on a case-by-case basis, taking into account the totality of the circumstances, including the risks presented to the health of students or other individuals, and the need for such individuals to have the information in order to take appropriate actions. School officials may want to consult with public health officials when making this determination.

May a school disclose the number of students who have COVID-19 in order to provide general health data to the public (including the media) without prior written consent?

Yes, provided that the information the school shares does not allow for any individual student to be identified. Similar to sharing information with the school community, if a school discloses information about students in a non-identifiable form, then consent is not needed under FERPA. As discussed above, when a school determines what information may be shared without prior written consent, the school must take into account other reasonably available information that might allow non-identifiable information to become identifiable.

May a school identify a particular teacher or other school official as having COVID-19?

Nothing in FERPA prevents a school from telling parents, students, or the public that a specific teacher or other school official has COVID-19. This is because FERPA applies to students’ education records, not records on school officials. However, there may be state laws or other considerations that apply in these situations. Schools may also want to consult with public health officials on these matters.

Schools have a significant role to play in slowing the spread of COVID-19 in the United States. Through appropriate information sharing and coordination with public health departments, schools can help protect their communities while safeguarding student privacy. For additional information about student privacy, please visit the Student Privacy Policy Office website, https://studentprivacy.ed.gov or contact us at [email protected]

Kevin Herms is the Chief Privacy Officer, the Senior Agency Official for Privacy, and the Director of the Student Privacy Policy Office at the U.S. Department of Education.