Privacy and research involving humans

Human research ethics committees in Australia are required to consider compliance with privacy law as an element of the ethics of research. Recent legislation has introduced federal private sector privacy protection, as well as privacy protection at State and Territory levels. In Victoria, which is used as an example in this article, State privacy legislation covers public sector information and health records. This article considers the implications for research involving human participants and for ethics committees of the new privacy regimes. Although privacy law is a potential barrier to research about humans, the need for exceptions has been dealt with effectively in the context of medical or health research. However, privacy law and its chilling effect could potentially be a serious impediment to some forms of non-health-related research, such as social and socio-legal research.     

Personal Data and the GDPR: Providing a Competitive Advantage for U.S. Companies

The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.     

The human genome: lessons for life, love and the law

In 2003, the Australian Law Reform Commission and the Australian Health Ethics Committee (of the National Health and Medical Research Council) completed a major inquiry into the Protection of Human Genetic Information, focusing on privacy protection; protection against unlawful discrimination based on genetic status; and the establishment and maintenance of high ethical standards. The joint inquiry considered these matters across a wide range of contexts, with the final report, Essentially Yours, making 144 recommendations in such diverse areas as medical research; clinical genetic services; genetic research databases; employment; insurance; immigration; sport; parentage testing; and law enforcement. This article discusses some of the major themes that emerged in the course of the inquiry and underpinned the broad-based strategy adopted to prepare Australia for the challenges of the "New Genetics".     

UK further education sector journey to compliance with the general data protection regulation and the data protection act 2018

The Further Education sector provides training and qualifications to 2.2million young people and adults annually and in the process collect a wealth of data which must be properly managed to ensure it is processed in a fair and transparent manner, maintaining compliance with good information governance and data protection legislation. This article shares the findings of a study which explored the content of General Data Protection Regulation action plans, first hand accounts from data practitioners and the views of students as provides embraced the new legislation.The article demonstrates how a sector which fills the void between schools and universities is unique in the challenges they face when ensuring compliance with data protection laws. These challenges include the application of legislation, noting key differences between the nations of the United Kingdom, and the moral duties placed upon the provider by parents who expect open dialogue with the education provider, consistent as happened with lower levels of education. This must be balanced with the student's right to data privacy and control over who can access their educational records .     

Blurring the dimensions of privacy? Law enforcement and trusted traveler programs

Risk has become a ubiquitous tool for security governance. This paper analyzes the ongoing shift in airport/aviation security from rule-based to risk-based screening. Seeking to explore the effects of data based passenger risk assessment on privacy through the collection and processing of personal data, it is argued that risk is likely to enroll passengers into a partly voluntary, partly enforced membership in trusted traveler schemes in order to enhance the database, thus enabling a more precise assessment of risk levels. In a disciplinary spatial setting, the once distinct privacy dimensions of citizen-state and consumer-market become increasingly blurred, as law enforcement authorities seek to exploit data that was originally obtained for commercial purposes to improve risk calculations.     

Data Breach,Privacy, and Cyber Insurance: How Insurance Companies Act as “Compliance Managers” for Businesses

While data theft and cyber risk are major threats facing organizations, existing research suggests that most organizations do not have sufficient protection to prevent data breaches, deal with notification responsibilities, and comply with privacy laws. This article explores how insurance companies play a critical, yet unrecognized, role in assisting organizations in complying with privacy laws and dealing with cyber theft. My analysis draws from and contributes to two literatures on organizational compliance: new institutional organizational sociology studies of how organizations respond to legal regulation and sociolegal insurance scholars' research on how institutions govern through risk. Through participant observation at conferences, interviews, and content analysis of insurer manuals and risk management services, my study highlights how insurers act as compliance managers for organizations dealing with cyber security threats. Well beyond pooling and transferring risk, insurance companies offer cyber insurance and unique risk management services that influence the ways organizations comply with privacy laws.     

Invocation of coercion context in compliance communication -- power dynamics in psychiatric care

This article draws on observations from ethnographic fieldwork to develop a theoretical understanding of the power dynamics in psychiatric care. The aim is to analyze how psychiatric clinicians solve compliance problems by invoking "coercion context". It is suggested that clinicians take a rather instrumental approach to laws regulating coercive intervention. Clinicians may invoke a coercion context even with voluntary patients. For example, they may use wordings that connote coercion, or they may make use of how treatment wards are set up to accommodate involuntary patients, thus stalling voluntary patients who cannot exit through locked doors. A coercion context can also be invoked to solve mundane practical problems, e.g. when clinicians talk about "coerced showers". The management of information and maintaining a suitable "awareness context" with regards to coercion is an essential feature in clinical attempts to achieve compliance from patients. In conclusion, the notion of coercion context helps explain the confusing findings from previous research about patients' apparent misconceptions of their formal legal status. Furthermore, it is argued that research that rely on decontextualised, objectifications of "coercion" risk to miss the meaning coercion is assigned in everyday clinical practice.     

尊重与保障：刑法如何介入行政法领域——从打击“地沟油”犯罪切入

《刑法》作为后盾法，应当尊重行政法律、法规和行政规范性文件，特别是国务院的规范性文件，否则将会在犯罪行为形式上指鹿为马，不适当地扩张法网。刑法与行政法都由全国人民代表大会或其常务委员会制定，因此“生而平等”，地位没有或者说不应有高下之分。制裁滥用刑法的行为，恰恰能够为充分发挥行政法的作用创造良好的条件。     

The "GeneTrustee": a universal identification system that ensures privacy and confidentiality for human genetic databases

This article describes a generic model for access to samples and information in human genetic databases. The model utilises a "GeneTrustee", a third-party intermediary independent of the subjects and of the investigators or database custodians. The GeneTrustee model has been implemented successfully in various community genetics screening programs and has facilitated research access to genetic databases while protecting the privacy and confidentiality of research subjects. The GeneTrustee model could also be applied to various types of non-conventional genetic databases, including neonatal screening Guthrie card collections, and to forensic DNA samples.     

The Transfer of Personal Data to Third Countries Under EU Directive 95/46/EC

The 1981 Council of Europe Convention 108 and EU Directive 95/46/ EC assert that data protection is privacy protection. Consequently, countries with data protection rules control trans-border data flows to protect the rights of their citizens. Under the Directive, but subject to some derogations, personal data may only be transferred to third countries with adequate protection. 'Adequacy' is to be assessed in the light of all the circumstances. Alternative safeguards can be provided by means such as contractual arrangements. The Data Protection Commissioners have tried to define 'adequacy' as the usual data protection principles plus an assurance of compliance. This can be delivered by self-regulation as well as formal law. The Directive has not made a radical break with the past. The usual principles are those found in Convention 108 and in the 1980 OECD Guidelines. Those instruments also dealt with the control of trans-border data flows because of fears of restrictions on the free flow of information. The flexibility of the effective current UK law, which permits flows whilst preventing those which would lead to a breach of data protection, would have prevented the acrimony of the current debate with third countries. National laws on transborder data flows long pre-date the Directive and data protection authorities can be expected to continue to promote pragmatic methods of protecting exported data such as the use of model contracts either as a basis for derogation from 'adequacy' or as part of a package to satisfy the adequacy test. Work is taking place to build bridges between those with formal law and others relying on self-regulation. In Ottawa last October OECD ministers reaffirmed the 1980 Guidelines and if practical privacy protection can be secured globally, transborder data-flow control is of much less concern.     

The Expanding Use of DNA in Law Enforcement: What Role for Privacy?

DNA identification is being used in ever-widening ways, including databases of greater scope, familial and lowstringency searches, and DNA dragnets. After examining the law enforcement and privacy interests, the article concludes that forensic DNA uses must be consistent with privacy and civil liberties.     

Global Privacy Concerns and Regulation-- Is the United States a World Apart?

The regulatory approach to privacy protection taken by many foreign jurisdictions is markedly different from that of the United States. The European Union (EU) best illustrates the international approach with its comprehensive privacy directive that applies to all EU members. By contrast, the approach regarding data privacy in the United States has been to pass industry-specific laws and often only in response to public outcry over some privacy concern. These fundamental differences have been the source of some conflict in international commercial transacting. Now that the global community is committed to eliminating terrorism, it remains to be seen if these different attitudes toward privacy by the United States and much of the rest of the world will affect global attempts to weed out terrorists. This article discusses the constitutional basis for most US policy approaches to privacy regulation. The article explains how the US constitution is the source for most of the differences between the US and international regulatory approaches to information privacy. Finally, the discussion addresses how new issues regarding privacy in the war on terrorism may be addressed by US Constitutional law.     

The future of privacy certification in Europe: an exploration of options under article 42 of the GDPR

The EU faces substantive legislative reform in data protection, specifically in the form of the General Data Protection Regulation (GDPR). One of the new elements in the GDPR is its call to establish data protection certification mechanisms, data protection seals and marks to help enhance transparency and compliance with the Regulation and allow data subjects to quickly assess the level of data protection of relevant products and services. To this effect, it is necessary to review privacy and data protection seals afresh and determine how data protection certification mechanisms, seals or marks might work given the role they will be called to play, particularly in Europe, in facilitating data protection. This article reviews the current state of play of privacy seals, the EU policy and regulatory thrusts for privacy and data protection certification, and the GDPR provisions on certification of the processing of personal data. The GDPR leaves substantial room for various options on data protection certification, which might play out in various ways, some of which are explored in this article.     

数据安全认证:个人信息保护的第三方规制

契合"放管服"改革理念的数据安全认证,在数字时代整个规制法体系中必将占据日益重要的地位。数据安全认证通过声誉评价机制,可以引导、激励互联网企业守法合规经营,可以增强用户对中小微互联网企业和新兴数字产业的信任感,可以避免"一刀切"的政府规制,可以满足社会公众多元的数据安全需求。数据安全认证机构应具有高度的独立性与专业性,防止其被互联网企业"俘获"或成为政府的"附庸"。宜实行自愿为主、强制为辅的数据安全认证模式。认证程序应强调公正透明性,认证标准应注重评价企业数据合规的制度建设。根据过错责任原则,分别设置数据安全认证机构"相应的赔偿责任"或"连带责任",并加大对数据安全认证违法行为的公法责任追究。科学构建法治化的数据安全认证体制机制,不仅是保障数据安全的现实需要,而且是弥补数字时代政府规制缺陷的迫切需求。     

内化法律之路——以内化禁止性规则为切入点

法律作为一套外在的规则体系,存在规则制定者与遵守者的二元对立,为化解这种对立,本文先将法律限缩为禁止性规则,并将其分为自然禁止性规制和实证禁止性规则.然后借鉴康德的形式道德理论说明服从自律要求是遵守自然禁止性规则的原因,再通过演化博弈理论将遵守实证禁止性规则的动机还原为对利益的追求,分别提出内化两种规则的理论进路.从此法律就不再是对人的外在强加,而变成了自愿选择.     

Direct‐to‐Consumer Genetic Testing,Gamete Donation,and the Law

Once thousands of dollars, direct‐to‐consumer (DTC) genetic testing has become affordable and readily accessible in recent years. The technology can reveal a wealth of information to consumers: health risks, ancestry composition, and connections to genetic matches through relative databases. However, the law has not yet regulated many aspects of this new technology. This article analyzes how the law should regulate DTC genetic testing within the context of gamete donation. It will argue that gamete donors’ privacy interests warrant state regulation of DTC genetic testing kits and their associated genetic relative databases. It will also explore how state regulation should balance the competing interests of gamete donors and of donor‐conceived individuals.     

Restoring Dignity and Harmony to United States-European Union Data Protection Regulation

Global data protection laws can be described, at best, as contradictory in philosophy and practice. The 2015 decision by the Court of Justice for the European Union declaring the mechanism for data transfer between the United States and European Union known as “Safe Harbor” invalid and the criticism of its replacement, Privacy Shield, is representative of the conflict in this area. Such contention often stems from the differences in privacy rationales and theories of the United States and European Union. This article examines the recent developments in data protection regulations, and makes the argument that issues such as data protection, and specifically data shared with intelligence agencies, should be analyzed through the privacy principle of dignity and that the law of confidentiality should be applied to data protection cases, thereby instilling more harmony into the data privacy approaches of the United States and the European Union.     

The need to know versus the right to know: privacy of patient medical data in an information-based society

"Whatever, in connection with my professional practice, or not in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret."(1) "Safeguards to privacy in individual health care information are imperative to preserve the health care delivery relationship and the integrity of the patient record."(2) As early as the fourth and fifth centuries B.C., Hippocrates contemplated the importance of medical information to the care and treatment of patients. His oath suggests that privacy of a patient's medical information creates the foundation upon which a patient reposes trust in his or her physician. While defining the earliest version of the physician-patient privilege, the oath does not envision the extent of modern day access to healthcare information. A patient's relationship with the modern healthcare delivery system often includes a team of physicians, nurses, and other clinical support personnel. This relationship extends beyond direct caregivers and may include healthcare administrators, payor organizations, and persons unfamiliar with a patient's identity, such as researchers and public health officials. Accessing a patient's medical information links these participants to the patient's healthcare delivery relationship. The Hippocratic Oath does not contemplate such broad access, nor does it contemplate the emerging privacy crisis resulting from the application of computer technology to medical record storage and retrieval. The combination of broad access, individual privacy rights, and computer technology requires a rethinking of measures designed to protect the realities of the modern medical information society.     

Singapore's Personal Data Protection legislation: Business perspectives

As global digitalisation of information and interconnecting technologies along with new marketing practices and business processes vastly increase the opportunities for data collection, storage, usage and delivery, there is a corresponding increase in consumer expectations of data privacy. These expectations must be met if business organisations are to promote consumer trust and confidence and maintain their overall competitiveness in a global market. It goes without saying that information is the most valuable business asset and “privacy is good business and information can be the basis of bigger business”. The need to protect data privacy has long been recognised and implemented by major trading nations. Surprisingly, Singapore as a financial centre and nation aspiring to be a trusted data hosting hub has been slow in enacting specific data protection laws. The first piece of legislation that has emerged is a light-touch baseline framework applicable to all organisations except the public sector. This article considers the new legislation from the business perspective and the implications for private sector business organisations facing the challenges of compliance.     

Insurance Discrimination on the Basis of Health Status: An Overview of Discrimination Practices, Federal Law, and Federal Reform Options

Actuarial underwriting, or discrimination based on an individual's health status, is a business feature of the voluntary private insurance market. The term "discrimination" in this paper is not intended to convey the concept of unfair treatment, but rather how the insurance industry differentiates among individuals in designing and administering health insurance and employee health benefit products. Discrimination can occur at the point of enrollment, coverage design, or decisions regarding scope of coverage. Several major federal laws aimed at regulating insurance discrimination based on health status focus at the point of enrollment. However, because of multiple exceptions and loopholes, these laws offer relatively limited protections. This paper provides a brief overview of discrimination practices, the federal law, and federal reform options to manage discriminatory practices in the insurance and employee health benefit markets.