Laws and Regulations about Privacy and Confidentiality
There are many
federal and state laws and regulations protecting privacy and confidentiality.
State laws and regulations vary widely, and they are difficult to track down;
see (insert link for paper from NAS SIPP report). Here, we provide links to key
federal laws, acts, and policies relating to confidentiality and privacy
protections as they affect the use of data. We discuss policies and acts
regulating the treatment of human subjects on a separate page, accessible via
the appropriately named link at the top of the page.
A. Legislation and Regulation Affecting Statistical Agencies
The Patient Safety and Quality Improvement Act of 2005 (PSQIA) Patient Safety Rule.
Establishes confidentiality protections for patient safety information in order
to encourage the reporting and analysis of medical errors.
The Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA).
This act ensures that information provided to statistical agencies for
exclusively statistical purposes under a pledge of confidentiality may be used
only for statistical purposes, and that data identifying individuals or
organizations may not be disclosed in identifiable form without their consent.
Freedom of Information Act
The site provides
guidelines as to which data may and may not be disclosed under the terms of the
Freedom of Information Act.
Privacy Act of 1974
The site provides an
overview of the Privacy Act, which governs how federal agencies collect,
maintain, use, and disclose personal information held in their systems of records.
Section 208 of the E-Government Act of 2002 - enacted to bring the Privacy Act into the digital age. Section 208 ensures "sufficient protections for the privacy of personal information" in government information systems.
OMB Memorandum M-03-22 - provides agencies with specific implementation guidance for conducting Privacy Impact Assessments.
Several statistical agencies have
their own confidentiality statutes, e.g., the Census Bureau, the National Center
for Education Statistics, the National Science Foundation. Search their web
sites for specific details.
B. Laws and Regulation Affecting Both the Public and Private Sectors
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
National standards to protect the privacy
and confidentiality of personal health information.
The Health Information Technology for Economic
and Clinical Health Act (HITECH
Act) – applies the security regulations directly to the business
associates of HIPAA-covered entities and clarifies restrictions on the
disclosure and sale of health information.
Family Educational Rights and Privacy Act (FERPA) - protects privacy of educational data.
Children's Online Privacy Protection Act (COPPA) - requires operators of websites and online services to give notice and obtain verifiable parental consent before collecting personal information from children under the age of 13, and to establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of any information collected.
Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act) - imposes three main requirements on financial institutions: provide notice of how personal information is shared; give consumers the option to opt out of certain sharing; and provide adequate safeguards for personal information.
Bank Secrecy Act - requires certain financial institutions to record, retain, and report certain financial transactions to the federal government.
C. Some International
Legislation
Council of Europe's Personal Data Protection Site
European Union's Index of Legislative Documents on Data Protection
D. General Sites
Library of Congress' Thomas Search Engine for U.S. Federal Legislation
A search engine for the text of bills. You
can search by exact bill number, if known, or by a topic such as "HIPAA,"
"Confidentiality," "Patriot Act," or "E-Government Act of 2002" which will
produce a list of direct links to the legislation.
Legal Information Institute at the Cornell Law School
The site
has materials to make law more accessible to students, teachers, and the general
public. The site can be used in addition to the Library of Congress' Thomas
Search Engine for U.S. Federal legislation for older laws.
The Code of (U.S.) Federal Regulations (CFR)
The
site allows users to access all the Federal regulations issued by any agency.
The CFR is a codification of the general and permanent rules published in the
Federal Register by the Executive departments and agencies of the Federal
Government.
Electronic Frontier Foundation
This site contains
news, legal cases, and other resources related to privacy.
Center for Democracy and Technology
Public interest organization concerned
with privacy in communications technologies.