 June 15, 2019  Posted by  Breaches, Online

Andrew Gilligan reports:

They were some of the most private emails any mother of a nine-year-old could write. Her son, she said, had fully transitioned from girl to boy but was not coping — fighting fellow pupils, stealing from his parents and in emotional turmoil.

“I have wondered if we have done the right thing — allowing him to transition before accessing the clinic,” she wrote. “But I didn’t feel that I had a choice. He was telling me how much he hated himself and tugging at his clothes.”

In another message, a different mother recounted her trans son’s journey.

Read more on The Sunday Times (subscription or free trial required). If you can’t access it, just jump over to Daily Mail, where you can read the details of what appears to be an insider error by Mermaids.

 June 15, 2019  Posted by  Featured News, Healthcare

From the while-you-were-looking-over-there-here’s-what-they-were-doing-over-here dept., Rebecca Pifer reports:

Debate around establishing a country-wide method to link patients to their records has been going on for some time now, pitting the medical community, IT vendors and payers against some lawmakers and third-party groups concerned about privacy.

The House nod on the measure by Rep. Bill Foster, D-Illinois, to reverse the 23-year-old ban drew further warnings about the risk to privacy.


Opponents argue that, unless HHS creates and maintains rigorous safeguards, patient identifiers could be stolen or misplaced, leading to fraud, black market ID sales and long-term damaging effects on a victim’s personal, professional and financial lives.

Read more on Healthcare Dive. This opens up so many ways to misuse data or harm patients that it’s downright scary to me. I know that there may be times and situations in which a national identifier that could pull up all of a patient’s records could be life-saving, but does that justify the increased risk to everyone else?

Your thoughts?

 June 14, 2019  Posted by  Business, Govt

The Federal Trade Commission reached a settlement with a background screening company over allegations it falsely claimed to be a participant in the EU-U.S. Privacy Shield program. In separate actions, the FTC also sent warning letters to more than a dozen companies for falsely claiming participation in other international privacy agreements.

In its complaint, the FTC alleges that SecurTest, Inc., falsely claimed on its website that it participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which establish processes to allow companies to transfer consumer data from European Union countries and Switzerland to the United States in compliance with EU and Swiss law, respectively.

While the company initiated a Privacy Shield application in September 2017 with the U.S. Department of Commerce, SecurTest did not complete the steps necessary to be certified as complying with the frameworks. By failing to complete certification, SecurTest was not a certified participant in the frameworks, despite representations to the contrary on its website. The Department of Commerce administers both frameworks, while the FTC enforces the promises companies make when joining those programs.

As part of its proposed settlement with the FTC, SecurTest is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government or self-regulatory or standard-setting organization, including the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.

FTC Warns Other Companies

The FTC also sent warning letters to 13 companies that falsely claimed they participate in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor frameworks, which were replaced in 2016 by the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, respectively. These Safe Harbor agreements are no longer in force, and the last valid self-certifications for either agreement have expired.

The FTC called on the 13 companies to remove from their websites, privacy policies, or any other public documents any statements claiming they participate in either Safe Harbor agreement. If the companies fail to take action within 30 days, the FTC warned it would take appropriate legal action.

The FTC also sent warning letters to two companies for claiming in their privacy policies that they are participants in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system even though they are not certified participants. The APEC CBPR system is a self-regulatory initiative to enhance the protection of consumer data that moves among the APEC member economies through a voluntary but enforceable code of conduct implemented by participating businesses. To become a certified participant, a designated third party, known as an APEC-recognized Accountability Agent, must review and certify that the company is compliant with the CBPR program requirements.

The FTC’s letter instructed the companies to remove from their websites, privacy policies, or any other public documents or statements that might be construed as claiming participation or involvement in the APEC CBPR system unless they prove that they have undergone the requisite review and certification. The FTC warned it would take appropriate legal action if the companies fail to provide a timely and satisfactory response.

The Commission vote to issue the administrative complaint and to accept the proposed consent agreement with SecurTest was 5-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Once processed, comments will be posted on Regulations.gov.

Source: Federal Trade Commission

 June 14, 2019  Posted by  Laws, Non-U.S.

Yan Luo, Zhijing Yu and Nicholas Shepherd of Covington & Burling write:

On June 13, 2019, the Cyberspace Administration of China (“CAC”) issued the draft Measures on Security Assessment of the Cross-border Transfer of Personal Information (“Draft Measures”) for public comment. (The official Chinese version of the Draft Measures is available here, and an unofficial English translation is available here.) The comment period ends on July 13, 2019.

Read more on Inside Privacy.