EPIC Alert 2.13 [1995] EPICAlert 13 (30 October 1995)



EPIC ALERT




Volume 2.13 October 30, 1995

Published by the Electronic Privacy Information Center (EPIC)
Washington, DC info@epic.org http://www.epic.org/


Table of Contents



[1] Special: House Rejects Funding of FBI Wiretap Bill
[2] Bennett Bill Raises Privacy Concerns
[3] Designing a Good Medical Privacy Bill
[4] British Doctors Boycott Medical Network
[5] Mondex: Not So Private After All
[6] USA Today Opts for Opt-In
[7] Medical Privacy Resources On-line
[8] Upcoming Conferences and Events


[1] Special: House Rejects Funding of FBI Wiretap Bill


The House of Representatives on October 25 rejected an attempt to
include language in the Omnibus Budget Bill to fund last year's
controversial Communications Assistance for Law Enforcement Act. The
provision would have authorized the establishment of a $500 million
fund generated by a 40% surcharge on all non-civil fines imposed by the
federal government. (See EPIC Alert 2.12 [3], "Status of Wiretap
Funding.") The fund would have been used to pay telecommunications
companies to redesign their networks to facilitate wiretapping. That
cost is estimated to run above $2 billion.

This is simply round one in what is expected to be a long battle between
Congress and the White House over the federal budget. President Clinton
will probably veto the measure that emerges from Congress. At that
point, another budget proposal will be introduced. Funding provisions
for the FBI wiretap plan are also contained in the terrorism bills and
appropriations bills.

EPIC, VTW, the US Privacy Council, the ACLU, EFF and other civil
liberties organizations have opposed funding of the controversial
measure. More information is available at:

http://www.epic.org/privacy/wiretap/



[2] Bennett Bill Raises Privacy Concerns


The introduction of S. 1360, the Medical Records Confidentiality Act of
1995, last week sparked concern among privacy and medical organizations,
with several groups saying that they will actively oppose the measure.

The Coalition for Patients Rights of New England said the bill "abandons
the central premise that the patient has a basic right to
confidentiality and controls that right through specific informed
consent." The ACLU of Massachusetts also expressed opposition to the
Bennett bill. The group said, "This bill preempts most State
confidentiality statutes, and related common law, the body of law
which has effectively provided legal remedies for violations of
confidentiality in the past."

Finally the Justice Research Institute joined the ranks, charging that
"This bill is particularly dangerous to those individuals living with
HIV/AIDS."

Hearings on the measure are expected some time later this year.



[3] Principles for Federal Privacy Protection of Medical Records


With interest in Washington in the development of real privacy
protection for medical records, here are preliminary suggestions
from EPIC for a good medical privacy bill. Your comments are always
welcome. Please send email to alert@epic.org.

> Scope
Legislation must cover all medical information, wherever it is
collected, stored, processed, transferred or used, no matter the form.
Legal coverage should not be limited to only medical information
collected in the provision of health care but should include information
collected for financial, educational, employment, marketing, and other
reasons.

> Consumer Access
Consumers should have full access to all personally identifiable medical
records. No records should be kept secret. Record keepers should be
required to notify patients that they maintain records. Consumers should
have the ability to correct or remove any inaccurate, irrelevant or
out-of-date information. Any card-based data system must allow consumer
access to all personal information contained on the card.

> Enforcement and Oversight
Substantial criminal and civil fines should be imposed for actual or
attempted unauthorized access, disclosure, or use of medical
information. Individuals should be able to enforce rights and obtain
damages and related costs in civil court. An independent agency should
be created to conduct oversight and enforce the provisions of any
federal medical privacy law.

> Third Party Access
Third party access to medical records should be strictly limited to a
need-to-know basis. Law enforcement officials should be required to
obtain a warrant after showing a compelling government interest for
each piece of information sought. Civil litigants should have to show a
compelling interest for each piece of information. Privileged
communications should never be disclosed. Use of medical information by
employers or for marketing purposes should be prohibited.

> National Databases
The creation of electronic databases of unified clinical records without
the consent of the patient should be prohibited. Psychiatric records
should not be included in any system of electronic records.

> Research Records
Use of personally identifiable information for research purposes should
require consent from the individual. New technologies that create
pseudo-anonymous records should be used for any personally identifiable
information. Research records should not be used for any other purpose
and should be protected from disclosure by warrant or subpoena.

> Security

Medical information should be protected by the best available physical
and electronic security. Records in storage or in transit should be
encrypted. Audit trails should track each access to an individual's file.
Access should be limited to data relevant to the matter at hand.

> Identification Number
The Social Security Number should not be used as a patient record
identifier. The number that is used for record identification should
not be used for any other purpose. Any health care card issued should
not be used for any other purpose, particularly not for determination
of employment eligibility or for personal identification.
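
As an added illustration (not part of EPIC's text and not a description
of any actual system), the following Go program sketches how the Security
and Identification Number principles above can be built into a record
store: each field is encrypted at rest with AES-256-GCM, every read
attempt, allowed or denied, is appended to an audit trail, a role-to-field
matrix limits access to data relevant to the matter at hand, and the
patient identifier is random rather than derived from the Social Security
Number. The role matrix, field names, actor names and the all-zero
demonstration key are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// AuditEntry records one attempt to read one field of a patient's file, allowed or not.
type AuditEntry struct {
	When      time.Time
	Actor     string
	PatientID string
	Field     string
	Allowed   bool
}

// permitted is an assumed need-to-know matrix: role -> field -> may read.
var permitted = map[string]map[string]bool{
	"physician": {"diagnosis": true, "medication": true, "billing": false},
	"billing":   {"diagnosis": false, "medication": false, "billing": true},
}

// Store keeps every field encrypted at rest (AES-256-GCM) and logs every read attempt.
type Store struct {
	aead    cipher.AEAD
	records map[string]map[string][]byte // patientID -> field -> nonce||ciphertext
	Audit   []AuditEntry
}

// NewStore takes a 32-byte key; in practice it comes from a KMS or HSM, never a file.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Store{aead: aead, records: map[string]map[string][]byte{}}, nil
}

// NewPatientID returns 128 random bits as hex: nothing about the person (no SSN, no
// birth date) goes into it, so it identifies the record and can serve no other purpose.
func NewPatientID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// aad binds a ciphertext to its patient and field, so a record copied into another
// patient's file, or a diagnosis relabelled as billing, fails to authenticate.
func aad(patientID, field string) []byte { return []byte(patientID + "/" + field) }

// Put encrypts one field under a fresh random nonce and stores nonce||ciphertext.
func (s *Store) Put(patientID, field string, value []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if s.records[patientID] == nil {
		s.records[patientID] = map[string][]byte{}
	}
	s.records[patientID][field] = s.aead.Seal(nonce, nonce, value, aad(patientID, field))
	return nil
}

// Get logs the attempt first, then enforces the role matrix, then decrypts,
// so denied reads appear in the trail as well as permitted ones.
func (s *Store) Get(actor, role, patientID, field string) ([]byte, error) {
	allowed := permitted[role][field]
	s.Audit = append(s.Audit, AuditEntry{time.Now(), actor, patientID, field, allowed})
	if !allowed {
		return nil, errors.New("access denied: field not relevant to this role")
	}
	ct, ok := s.records[patientID][field]
	if !ok {
		return nil, errors.New("no such record")
	}
	if ns := s.aead.NonceSize(); len(ct) >= ns {
		return s.aead.Open(nil, ct[:ns], ct[ns:], aad(patientID, field))
	}
	return nil, errors.New("corrupt record")
}

func main() {
	s, _ := NewStore(make([]byte, 32)) // all-zero demo key: an assumption, never use in production
	id, _ := NewPatientID()
	_ = s.Put(id, "diagnosis", []byte("hypertension")) // constructed sample record
	_, _ = s.Get("dr.smith", "physician", id, "diagnosis")
	_, _ = s.Get("clerk.jones", "billing", id, "diagnosis") // denied, but still logged
	for _, e := range s.Audit {
		fmt.Println(e.When.Format(time.RFC3339), e.Actor, e.Field, "allowed:", e.Allowed)
	}
}
```

Binding the patient ID and field name into the GCM associated data means a
ciphertext moved between files fails authentication instead of decrypting
as the wrong patient's data. In a real deployment the key would come from
a hardware module or key-management service, and the audit trail would be
written to append-only storage outside the application's own control.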

> Preemption
A federal medical privacy law should set a minimum level of protection
for medical record privacy. States should be free to provide higher
levels of protection. No state statute should be preempted.



[4] British Doctors Boycott Medical Network


The British Medical Association has urged its members to boycott the
National Health Service's nationwide computer network of medical
information. The BMA has been critical of the network for a number of
reasons but finally came out publicly against it after it was revealed
that the Government Communications Headquarters (GCHQ), the British spy
agency in charge of electronic surveillance, had pressured the NHS to
omit encryption from the design of its networks. According to newspaper
reports, the NHS had intended to include encryption as an integral part
of their system but was overridden when the UK Government's Joint
Intelligence Committee was informed of the decision.

The BMA is urging all its doctors to refrain from sending information
to the network until adequate security is provided. The BMA believes
that use of the data network violates a doctor's duty of care to patient
confidentiality and could subject doctors to professional sanctions.
Privacy International is also urging patients to request that their
practitioners not put information on the system.

In the United States, the intelligence agencies pushed the use of the
Clipper Chip for the security of the medical networks set up under the
health care reform bill and currently are pushing the Fortezza card
for a variety of government agency uses.



[5] Mondex: Not So Private After All


A British agency in charge of consumer protection has begun a formal
investigation of Mondex, a company that offers smart card-based payment
systems, for allegedly falsely advertising that transactions under its
system were anonymous.

In promotional materials, Mondex had claimed that the transactions were
"just like cash." In reality, each card used in the system has a
16-digit identifying number which is captured by the merchant and
transmitted to the bank each day. The merchants' readers can retain up to
500 records at one time. Mondex's Swindon manager admitted in Network
Week, a trade publication, that "we can certainly trace where cards have
been used."

The case is being eagerly watched by banks worldwide because of its
implications for the use of the term "digital cash"; a ruling will have
Europe-wide effect.

The investigation began after Simon Davies, a Law Fellow at the
University of Essex and Director General of Privacy International,
filed a complaint. A copy of the letter is available at the Privacy
International Web page at:

http://www.privacy.org/pi/activities/mondex/complaint.txt



[6] USA Today Opts for Opt-In


USA Today last week editorialized in favor of the "opt-in" approach to
the use of personal information, saying that businesses would "then need
the customer's permission before any personal data were rented, sold, or
exchanged for direct marketing purposes." (October 24, 1995)

The paper said, "opt-in does not trample on anyone's rights. Consumers
can still get their catalogs and other direct-mail pitches by checking
a box or clicking a mouse. Companies can still get data for marketing
by asking for it. It would cause some inconvenience for businesses,
which face increased costs to persuade customers to give up their
privacy. But who should bear the burden: the businesses that
glean the profit or the consumers whose information is sold?"

USA Today also faults the voluntary approach recommended by the
Department of Commerce last Monday, saying that "while voluntary
compliance might be preferable in an ideal world, it's not likely to
work in the real world."

"The reality is that the absence of government prodding has resulted
in too many companies doing too little to protect consumers' privacy
rights."

USA Today concludes "If a business wants the privilege of marketing
your most private matters, it should be willing to spend the time it
takes to convince you that you'll benefit."

Perhaps the USA Today position is not surprising. A 1991 Time/CNN poll
found that when American adults were asked whether "companies that sell
information to others should be required by law to ask permission from
individuals before making the information available," 93% said "yes."

Meanwhile, the Avrahami case (involving the sale of an individual's
name for marketing purposes) goes forward with growing public interest.
Mr. Avrahami appeared last week on CNN and National Public Radio as
favorable articles appeared in newspapers across the country.
US News & World Report must be concerned -- it has hired one of
Washington's largest law firms to defend the magazine.

For current information on the Avrahami case, check out:

http://www.epic.org/privacy/junk_mail/



[7] Medical Privacy Resources On-line


EPIC has put together a comprehensive page on medical privacy issues,
including hot topics (federal legislation, Supreme Court cases, public
polls), background on medical privacy laws, consumer advice, and general
resources. Also included is the letter sent to Hillary Clinton in
April 1993 by leading privacy advocates, computer scientists, and policy
experts recommending that the Social Security Number not be used as a
patient record identifier.

http://www.epic.org/privacy/medical/



[8] Upcoming Privacy Related Conferences and Events


SPECIAL: EPIC's Dave Banisar will discuss the current status of funding
for the FBI wiretap bill this week on NPR's Morning Edition. Check
out http://www.epic.org/privacy/wiretap/

Managing the Privacy Revolution. October 31 - November 1, 1995.
Washington, DC. Sponsored by Privacy & American Business. Speakers
include Mike Nelson (White House) C.B. Rogers (Equifax). Contact Alan
Westin 201/996-1154.

Innovation and the Information Environment. November 3-4. University
of Oregon School of Law in Eugene, Oregon. Contact: Keith Aoki,
KAOKI@law.uoregon.edu.

National Privacy and Public Policy Symposium. November 2-4, Hartford.
Cosponsored by the Connecticut Foundation for Open Government. Contact
Richard Akeroyd, rakeroyd@csunet.ctsateu.edu, 203/566-4301 (tel),
203/566-8940 (fax).

22nd Annual Computer Security Conference and Exhibition. November 6-8,
Washington, DC. Sponsored by the Computer Security Institute.
Contact: 415-905-2626.

Global Security and Global Competitiveness: Open Source Solutions.
November 7-9. Washington, D.C. Sponsored by OSS. Contact: Robert Steele,
oss@oss.net.

"The Right to Privacy," November 9. Authors Caroline Kennedy and EllenAlderman discuss their new book on privacy. Lizner Auditorium, George
Washington University, Washington, DC. Contact 202/357-3030.

11th Annual Computer Security Applications Conference: Technical
papers, panels, vendor presentations, and tutorials that address the
application of computer security and safety technologies in the civil,
defense, and commercial environments. December 11-15, 1995, New Orleans,
Louisiana. Contact Vince Reed at (205) 890-3323 or vreed@mitre.org.

RSA 6th Annual Data Security Conference: Cryptography Summit.
Focus on the commercial applications of modern cryptographic technology,
with an emphasis on Public Key Cryptosystems. January 17-19, 1996.
Fairmont Hotel, San Francisco. Contact Layne Kaplan Events, at (415)
340-9300, e-mail at info@lke.com, or register at http://www.rsa.com/.

Computers, Freedom and Privacy '96. March 27-30. Cambridge, Mass.
Sponsored by MIT, ACM and WWW Consortium. Contact cfp96@mit.edu or
http://www-swiss.ai.mit.edu/~switz/cfp96

Conference on Technological Assaults on Privacy, April 18-20, 1996.
Rochester Institute of Technology, Rochester, New York. Papers should
be submitted by February 1, 1996. Contact Wade Robison, privacy@rit.edu,
by FAX at (716) 475-7120, or by phone at (716) 475-6643.

Australasian Conference on Information Security and Privacy. June
24-26, 1996. New South Wales, Australia. Sponsored by the Australasian
Society for Electronic Security and the University of Wollongong. Contact:
Jennifer Seberry (jennie@cs.uow.edu.au).

Visions of Privacy for the 21st Century: A Search for Solutions.
May 9-11, 1996. Victoria, British Columbia. Sponsored by The Office
of Information and Privacy Commissioner for the Province of British
Columbia and the University of Victoria. Program at
http://www.cafe.net/gvc/foi

18th International Conference of Data Protection and Privacy
Commissioners. Sponsored by the Privacy Commissioner of Canada.
September 18-20, 1996. Ottawa, Canada.

Advanced Surveillance Technologies II. Sponsored by EPIC and Privacy
International. September 17, 1996. Ottawa, Canada. Contact
pi@privacy.org

International Colloquium on the Protection of Privacy and Personal
Information. Commission d'acces a l'information du Quebec. May 1997.
Quebec City, Canada.

(Send calendar submissions to Alert@epic.org)



The EPIC Alert is a free biweekly publication of the Electronic
Privacy Information Center. To subscribe, send the message:

SUBSCRIBE CPSR-ANNOUNCE Firstname Lastname

to listserv@cpsr.org. You may also receive the Alert by reading the
USENET newsgroup comp.org.cpsr.announce.

Back issues are available via http://www.epic.org/alert/ or
FTP/WAIS/Gopher/HTTP from cpsr.org /cpsr/alert/ and on Compuserve (Go
NCSA), Library 2 (EPIC/Ethics).



The Electronic Privacy Information Center is a public interest
research center in Washington, DC. It was established in 1994 to
focus public attention on emerging privacy issues relating to the
National Information Infrastructure, such as the Clipper Chip, the
Digital Telephony proposal, medical record privacy, and the sale of
consumer data. EPIC is sponsored by the Fund for Constitutional
Government and Computer Professionals for Social Responsibility. EPIC
publishes the EPIC Alert and EPIC Reports, pursues Freedom of
Information Act litigation, and conducts policy research on emerging
privacy issues. For more information, email info@epic.org, WWW at
HTTP://www.epic.org or write EPIC, 666 Pennsylvania Ave., SE, Suite
301, Washington, DC 20003. (202) 544-9240 (tel), (202) 547-5482 (fax).

The Fund for Constitutional Government is a non-profit organization
established in 1974 to protect civil liberties and constitutional
rights. Computer Professionals for Social Responsibility is a
national membership organization of people concerned about the impact
of technology on society. For information contact: cpsr-info@cpsr.org

If you'd like to support the work of the Electronic Privacy Information
Center, contributions are welcome and fully tax-deductible. Checks
should be made out to "The Fund for Constitutional Government" and sent
to EPIC, 666 Pennsylvania Ave., SE, Suite 301, Washington DC 20003.

Your contributions will help support Freedom of Information Act
litigation, strong and effective advocacy for the right of privacy and
efforts to oppose government regulation of encryption and funding of
the National Wiretap Plan.

Thank you for your support.

END EPIC Alert 2.13



Marc Rotenberg (Rotenberg@epic.org) * +1 202 544 9240 (tel)
Electronic Privacy Information Center * +1 202 547 5482 (fax)
666 Pennsylvania Ave, SE, Suite 301 * HTTP://www.epic.org/
Washington, DC 20003 * info@epic.org



URL: http://www.worldlii.org/int/journals/EPICAlert/1995/13.html