Pages 81-122

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 81...
... Spatial information can have a variety of relationships with personal data. A home address is spatial information that is likely to be personally identifiable and will typically be included within the scope of statutory privacy protections along with name, number, and other personal data.
From page 82...
... For many types of personal information, many categories of record keepers, and many types of information collection and disclosure activities, no privacy rules apply. Furthermore, where regulation exists, information can sometimes be transferred from a regulated to a nonregulated environment.
From page 83...
... However, these laws routinely fail to define the scope of confidentiality, the obligations of record keepers, or the rights of record subjects or third parties. Those who maintain statutorily designated confidential records may have to decide on their own if they can disclose information to contractors, to police, to researchers, when required by other statutes, in response to a subpoena, when requested by the data subject, or otherwise.
From page 84...
... The vagueness of commonly used terminology increases the need for clarity and specificity.
IDENTIFIABILITY AND PRIVACY
Information privacy laws protect personal privacy interests by regulating the collection, maintenance, use, and disclosure of personal information.
From page 85...
... Factors that affect the identifiability of information about individuals include unique or unusual data elements; the number of available nonunique data elements about the data subject; specific knowledge about the data subject already in the possession of an observer; the size of the population that includes the data subject; the amount of time and effort that an observer is willing to devote to the identification effort; and the volume of identifiable information about the population that includes the subject of the data. In recent decades, the volume of generally available information about individuals has expanded greatly.
From page 86...
... However, the question of when a location qualifies as an identifier is an issue that could arise outside the narrow and somewhat loosely drafted Privacy Act of 1974.11 If a location is unassociated with an individual, then it is less likely to raise a privacy issue. However, it may be possible to associate location information with an individual, so that the addition of location data to other nonidentifiable data elements may make it easier to identify a specific individual.
From page 87...
... A treatise on the act suggests that "caution should be exercised in determining what is truly 'anonymous' information since the availability of external information in automated format may facilitate the reidentification of information that has been made anonymous."17
Strict Standard
The 1978 French data protection law defines information as "nominative" if in any way it directly or indirectly permits the identification of a natural person.18 According to an independent analysis, "the French law makes no distinction between information that can easily be linked to an individual and information that can only be linked with extraordinary means or with the cooperation of third parties."19 The French approach does not appear to recognize any intermediate possibility between identifiable and anonymous. Unless personal data in France are wholly nonidentifiable, they appear to remain fully subject to privacy rules.
From page 88...
... However, the directive's introductory Recital 26 suggests a softer intent when it states that privacy rules will not apply to "data rendered anonymous in such a way that the data subject is no longer identifiable." It also provides that "to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person."22 Thus, the directive offers a reasonableness standard for determining whether data have been adequately deidentified. Variations on a reasonableness standard can be found elsewhere.
From page 89...
... It defines individually identifying to mean when a data subject "can be readily ascertained from the information,"28 and it defines nonidentifying to mean that the identity of the data subject "cannot be readily ascertained from the information."29 This appears to limit the identifiability inquiry to the information itself. Alberta's innovation comes in its regulation of data matching,30 which is the creation of individually identifying health information by combining individually identifying or nonidentifying health information or other information from two or more electronic databases without the consent of the data subjects.
From page 90...
... In order to receive a limited dataset, the recipient must agree to a data use agreement that establishes how the data may be used and disclosed, requires appropriate safeguards, and sets other terms for processing.41 Disclosures under the limited dataset procedure can be made only for activities related to research, public health, and health care operations. A recipient under this procedure is not by virtue of the receipt subject to HIPAA or accountable to the secretary of health and human services, but the agreement might be enforced by the covered entity that disclosed the data or, perhaps, by a data subject.
From page 91...
... However, an appellate court found the reverse and overturned the department policy. Both courts proceeded on the theory that either personal data were identifiable, or they were not.
From page 92...
... Finally, none of the statutes or court cases expressly addresses location information. Location information is just another data element that may contribute to the identifiability of personal data.
From page 93...
... However, much actual and potential personal data collection is unregulated, especially for private parties. For example, many merchants collect transaction and other information from data subjects and from a large industry of data brokers, mailing list purveyors, and other commercial firms.
From page 94...
... Knotts,54 the government surreptitiously attached an electronic beeper to an item purchased by a suspect and transported in his car. The Court held that "a person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another."55 Knotts implies that virtually any type of visual surveillance in a public place is free of Fourth Amendment constraints.
From page 95...
... Privacy Torts
Video surveillance can constitute an invasion of privacy that is actionable through a private lawsuit under state laws, but state laws can vary considerably. Many states have adopted some policies from the Restatement of Torts (Second)
From page 96...
... Even in public, however, some matters about an individual "not exhibited to the public gaze" can be actionable. For example, photographing someone's underwear or lack of it could be invasive and actionable as a tort, regardless of a criminal statute.69 The public/private distinction so important to Fourth Amendment jurisprudence is equally important to the tort of intrusion upon seclusion.
From page 97...
... For the most part, however, there is almost no law that regulates visual surveillance in general or in public places. The implication in Knotts that virtually any type of visual surveillance in a public place is free of Fourth Amendment constraints is not an assurance that anything goes for the government, but that may well be the result, at least when an exotic technology is not employed.
From page 98...
... Marketers have voracious appetites for personal data, and they may be a market for using or acquiring location information.
EU Data Protection Directive
Most national privacy laws implement internationally recognized Fair Information Practice principles.
From page 99...
... Some companies have adopted privacy policies that grant greater rights to data subjects. One distinction that is important when comparing statutory standards across jurisdictions is the breadth of privacy laws.
From page 100...
... Second, it requires agencies to collect information to the greatest extent practicable directly from the data subject if an adverse determination may result. Third, it prohibits the maintenance of information describing how an individual exercises any right guaranteed by the First Amendment, unless authorized by statute or pertinent to an authorized law enforcement activity.81 For a researcher working for a federal agency who collects and links geographic data, the first two restrictions are not likely to be meaningful, and the third would be relevant only in narrow instances (such as tracking individuals at a political demonstration)
From page 101...
... The rule directs a covered entity requesting personal health information from another covered entity to make reasonable efforts to limit the information requested to the minimum necessary to accomplish the intended purpose of the request. Data collection from a data subject or from any source other than another covered entity is not restricted by the minimum necessary rule.
From page 102...
... For many record keepers, the only limits on disclosure come from contracts with data subjects, the possibility of tort lawsuits, or market pressure. Many commercial and other institutions collect and disclose personal information without the knowledge or consent of the data subjects.
From page 103...
... .91 However, the rule allows numerous disclosures without consent of the data subject. Disclosures for research purposes are permitted if an institutional review board or a privacy board approved waiver
From page 104...
... The law's definition of nonstatistical purpose can be read to exclude disclosures for legal process, but any exclusion is not express, and the law has not been tested.95
Driver's Privacy Protection Act
In 1994, Congress passed a law that prevents the states from disclosing motor vehicle and drivers' license records. As later amended, the Driver's Privacy Protection Act requires affirmative consent before those records can be disclosed.96 The law allows disclosures for permissible purposes, and one of the purposes is for use in research activities and in producing statistical reports.97 Any personal information so used cannot be published, redisclosed, or used to contact individuals.
From page 105...
... It even provides that a copy of a census submission retained by the data subject is immune from legal process and is not admissible into evidence in court.
From page 106...
... Institute of Education Sciences
A law applicable to the recently established Institute of Education Sciences at the U.S. Department of Education severely restricts the disclosure of individually identifiable information and includes immunity from legal process.103 However, this strong protection has a significant limitation added by the USA Patriot Act.
From page 107...
... A confidentiality certificate does not protect against voluntary or consensual disclosure by the researcher or the data subject. It is not certain that a certificate protects data if the data subject's participation in the research is otherwise known.
From page 108...
... There is no overarching theme or policy to be found in the law for disclosure of personal information, and it may require diligent research to determine when or if personal information in public or private hands is subject to disclosure obligations or restrictions.
LIABILITY
Liability for misuse of personal data is a complex issue, and it can be addressed here only briefly.
From page 109...
... However, other laws, including the Privacy Act of 1974, might provide a basis for a lawsuit for an individual against a federal agency that wrongfully used or disclosed personal data. It is unlikely that the courts would conclude that CIPSEA creates a private right of action for an aggrieved data subject against an agency employee or agent who improperly used or disclosed statistical information, but state law might provide a tort or other remedy.
From page 110...
... If a recipient reidentifies data contrary to a contract or a law, it is possible that an aggrieved data subject could sue either the data supplier or the recipient. For the supplier, the principal question would be whether a breach of a duty of confidentiality resulted from an imprudent transfer of deidentified data.
From page 111...
... No known case or statute clearly addresses the possibility of a lawsuit by a data subject over reidentification of personal data. It is noteworthy, however, that remedies for the misuse and disclosure of identifiable personal information are often weak or absent.
From page 112...
... When a reporter obtained the video rental records of a U.S. Supreme Court nominee, nervous members of Congress quickly passed a privacy law restricting the use and disclosure of video rental records.127 The Driver's Privacy Protection Act also had its origins with a horror story.
From page 113...
... NOTES
1. Collection Limitation Principle: There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
From page 114...
... Data that cannot be reidentified are referred to as wholly nonidentifiable data.
From page 115...
... , Article 54 (allowing the French data protection authority to approve methodologies for health research that do not allow the direct identification of data subjects), and Article 55 (allowing exceptions to a requirement for coding personal in some medical research activities)
From page 116...
... U.S. Department of Health and Human Services, "Standards for Privacy of Individually Identifiable Health Information," 65 Federal Register 82462-82829 (Dec.
From page 117...
... gov/working-papers/wp22.html; "Checklist on Disclosure Potential of Proposed Data Releases," 65 Federal Register 82709 (Dec.
From page 118...
... 27 (2001), the Supreme Court found that police use of heat imaging technology to search the interior of a private home from the outside was a Fourth Amendment search that required a warrant.
From page 119...
... 28, on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J.
From page 120...
... who is working under the authority of a government entity with which a contract or other agreement is executed by an executive agency to perform exclusively statistical activities under the control of an officer or employee of that agency; (iii) who is a self-employed researcher, a consultant, a contractor, or an employee of a contractor, and with whom a contract or other agreement is executed by an executive agency to perform a statistical activity under the control of an officer or employee of that agency; or (iv)
From page 121...
... 127. Video Privacy Protection Act ("Bork Law")
From page 122...
... Rankin 2001 The Personal Information Protection and Electronic Documents Act: An Annotated Guide. Toronto, Canada: Irwin Law.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.