Information Privacy Laws

From Wikipedia, the free encyclopedia

Information privacy laws cover the protection of information on private individuals from intentional or unintentional disclosure or misuse. The European Union (EU) has defined privacy principles that are generally more protective of individual privacy than those in the United States. Because of this, the transfer of personal information from the EU to the US is prohibited when equivalent privacy protection is not in place in the US. The basic principles of personal information privacy in the EU are:

  • Data should be collected in accordance with the law.
  • Information collected about an individual cannot be disclosed to other organizations or individuals unless authorized by law or by consent of the individual.
  • Records kept on an individual should be accurate and up to date.
  • Data should be used only for the purposes for which it was collected, and it should be used only for a reasonable time period.
  • Individuals are entitled to receive a report on the information that is held about them.
  • Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.


HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum Act (Public Law 104-191), was enacted by the U.S. Congress in 1996 and became effective on August 21, 1996. The basic idea of HIPAA is that an individual who is the subject of individually identifiable health information should have:

  • Established procedures for exercising individual health information privacy rights.
  • Assurance that any use or disclosure of that health information is either authorized or required.

P3P

The Platform for Privacy Preferences (P3P) is a protocol designed to give users more control over their personal information when browsing Web sites. P3P was developed by the World Wide Web Consortium (W3C) and became an official W3C Recommendation on April 16, 2002. With P3P an organization can post its information privacy policy in machine-readable form (XML) on its Web site. The P3P policy statement includes:

  • Who has access to collected information.
  • The type of information collected.
  • How the information is used.
  • The legal entity making the privacy statement.
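The following is an added example, not part of the original article or of any W3C software, showing how a P3P user agent consumes such a policy: it parses the four items listed above from a constructed sample policy (element and attribute names follow the W3C P3P 1.0 vocabulary in the namespace http://www.w3.org/2002/01/P3Pv1, but the shop, URLs and data values are invented) and compares each statement against a hypothetical set of user privacy preferences. The preference rules (`DEFAULT_PREFS`) are an assumption for illustration, not anything the P3P specification prescribes.

```python
"""Parse a P3P 1.0 policy and match it against a user's privacy preferences.

Added example (not from the original article). SAMPLE_POLICY is a constructed
policy; the preference rules are a hypothetical user-agent configuration.
"""
import xml.etree.ElementTree as ET

P3P_NS = "http://www.w3.org/2002/01/P3Pv1"

# Constructed sample: a shop that collects e-mail and clickstream data, uses it
# for the current transaction and for opt-out telemarketing, keeps it forever,
# and shares it with unrelated third parties.
SAMPLE_POLICY = """<POLICIES xmlns="http://www.w3.org/2002/01/P3Pv1">
  <POLICY name="shop" discuri="http://shop.example/privacy.html">
    <ENTITY>
      <DATA-GROUP>
        <DATA ref="#business.name">Example Shop Ltd.</DATA>
        <DATA ref="#business.contact-info.online.email">privacy@shop.example</DATA>
      </DATA-GROUP>
    </ENTITY>
    <ACCESS><nonident/></ACCESS>
    <STATEMENT>
      <PURPOSE><current/><telemarketing required="opt-out"/></PURPOSE>
      <RECIPIENT><ours/><unrelated/></RECIPIENT>
      <RETENTION><indefinitely/></RETENTION>
      <DATA-GROUP>
        <DATA ref="#user.home-info.online.email"/>
        <DATA ref="#dynamic.clickstream"/>
      </DATA-GROUP>
    </STATEMENT>
  </POLICY>
</POLICIES>
"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _children(elem, name):
    """(local name, attributes) of each child of elem's child element `name`."""
    found = elem.find(f"{{{P3P_NS}}}{name}")
    if found is None:
        return []
    return [(_local(c.tag), dict(c.attrib)) for c in found]


def parse_policy(xml_text):
    """Extract entity, access level, data collected and how it is used/shared.

    Note: ET.fromstring is fine for this trusted, embedded sample; a real user
    agent fetching policies from arbitrary sites should parse with defusedxml.
    """
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{P3P_NS}}}POLICY")
    entity_el = policy.find(f"{{{P3P_NS}}}ENTITY")
    entity = {d.get("ref"): (d.text or "").strip()
              for d in entity_el.iter(f"{{{P3P_NS}}}DATA")}
    statements = []
    for st in policy.findall(f"{{{P3P_NS}}}STATEMENT"):
        statements.append({
            # P3P: a PURPOSE without a 'required' attribute defaults to "always"
            "purposes": {n: a.get("required", "always")
                         for n, a in _children(st, "PURPOSE")},
            "recipients": {n for n, _ in _children(st, "RECIPIENT")},
            "retention": [n for n, _ in _children(st, "RETENTION")],
            "data": [d.get("ref") for d in st.iter(f"{{{P3P_NS}}}DATA")],
        })
    return {"name": policy.get("name"), "discuri": policy.get("discuri"),
            "entity": entity,
            "access": [n for n, _ in _children(policy, "ACCESS")],
            "statements": statements}


# Hypothetical user preferences: no sharing beyond the site and its agents,
# marketing-type purposes only with opt-in consent, no indefinite retention.
DEFAULT_PREFS = {
    "forbidden_recipients": {"other-recipient", "unrelated", "public"},
    "consent_required_purposes": {"telemarketing", "contact",
                                  "individual-analysis", "individual-decision"},
    "forbidden_retention": {"indefinitely"},
}


def evaluate(policy, prefs=DEFAULT_PREFS):
    """Return a list of preference violations; an empty list means acceptable."""
    violations = []
    for i, st in enumerate(policy["statements"]):
        bad_rcpt = st["recipients"] & prefs["forbidden_recipients"]
        if bad_rcpt:
            violations.append(f"statement {i}: shares {st['data']} with {sorted(bad_rcpt)}")
        for purpose, required in st["purposes"].items():
            if purpose in prefs["consent_required_purposes"] and required != "opt-in":
                violations.append(f"statement {i}: purpose '{purpose}' is {required}, not opt-in")
        bad_ret = set(st["retention"]) & prefs["forbidden_retention"]
        if bad_ret:
            violations.append(f"statement {i}: retention {sorted(bad_ret)}")
    return violations


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print("Policy by:", pol["entity"].get("#business.name"), "->", pol["discuri"])
    for v in evaluate(pol):
        print("REJECT:", v)
```

Running the block prints three rejections for the sample (sharing with an unrelated recipient, opt-out rather than opt-in telemarketing, and indefinite retention); a site whose policy passed with no violations would be allowed to set cookies under these preferences. The check is only as good as the site's honesty, which is the limitation the criticism below turns on.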

P3P supports user agents that let a user configure a P3P-enabled Web browser, for example Microsoft Internet Explorer v6.0, with the user's privacy preferences. The Electronic Privacy Information Center (EPIC) has published the following comments about P3P:

  • P3P essentially forces a user to accept privacy levels below those of the U.S. Code of Fair Information Practices in order to gain access to a Web site.
  • P3P requires pop-up notification warnings, similar to those for cookies, that overwhelm the user. This often leads the user to set privacy levels lower than necessary.
  • P3P is complex and confusing.
  • Because its standards fall below the U.S. Code of Fair Information Practices, P3P may actually provide less privacy protection than users have today, as the pop-up windows frustrate users into lowering their settings.
  • P3P was developed by the W3C as a voluntary standard. Because W3C members include companies that profit from acquiring information through Web sites, EPIC argues that P3P is flawed by design.

Other groups, such as the Center for Democracy & Technology in Washington D.C. and the Privacy Commissioner of Canada, Ontario.

Computer Security, Privacy and Criminal Law

The following summarizes some of the laws, regulations and directives related to the protection of information systems:


See also

Information Privacy