Here is an example of how personnel can take photos and videos and completely invade the privacy of others, particularly those who have no voice to say stop.
A Central Florida fire chief will likely lose his job for widely emailing photos from a crash scene of a female victim that included view of her exposed breasts as paramedics were attending to her.
The 26-year-old woman later died.
Can you imagine how her family and friends felt having to deal with not only her death, but also knowing that these horrible, disrespectful, photos were circulating?
The Fire Chief, Richard Shirk, was told by the emergency workers when he arrived to the crash scene that his services were not needed and that he could leave. However, Shirk instead stayed and took photos of the woman being treated by emergency workers. He then emailed the photos to the members of all the fire departments in the area.
After Shirk was suspended for the incident, he wrote a letter to the city manager, indicating that he did take the photos but “said he never meant for them to be derogatory. In the letter, Shirk said he takes photos at every major fire and accident scene. He called the photos “invaluable investigative tools” and said they were e-mailed for educational purposes.”
Shirk claimed he did not realize there was nudity in the e-mailed photos, and that he often uses photos from accident sites for training purposes.
I can relate to wanting to use real events for training and educational purposes; real life offers lessons that cannot be obtained from hypothetical situations. However, it should never be done at the expense of the privacy of those involved in the accidents.
There are problems here with not only Shirk, but also the fire department.
1) Didn’t the fire department have policies and procedures in place for addressing privacy with accident and fire victims? Considering Shirk is/was the Fire Chief, it is likely they did not. Any type of organization that deals with the public in any way, and gathers information about individuals in any way, including by photos and video, must have policies and procedures in place to protect personally identifiable information (PII), and personnel must receive effective training for the policies and procedures. PII goes beyond just being a half dozen or so specified data items that are commonly referenced within news reports or some narrowly-scoped law. PII is anything that can be used to identify a specific individual. This certainly includes photos and videos.
2) All organizations, including public service departments such as fire departments, police departments, public works, and so on, must have policies and procedures in place for not only protecting information in all forms, but also all types of PII. The public’s tax money supports these public services, and these public services must in turn respect and support the PII and privacy of the public.
3) Sending PII via email messages, or any other type of electronic transmission, is not secure! No organization, including fire stations and other public services, should be sending any type of unencrypted sensitive information via electronic messages. I’ve written about this often. A couple of my papers on the topic include, “What Professionals Should Know About Messaging” (in the January 2008 CSI Alert; I’ll post to my site soon) and “Obscure Email Issues.”
4) Reports about this incident indicated Shirk often sent photos of accident scenes to not only his personnel, but also to other fire station personnel “for educational purposes.” Any type of photo showing accident victims, topless or not, should not be used for purposes outside direct investigation of the accident without the express consent of the individuals involved. If consent cannot be obtained, then the images should be de-identified (all indicators that could link the images blurred or scrambled beyond recognition.)
Tags: awareness and training, Information Security, IT compliance, personal privacy, personally identifiable information, PII, policies and procedures, privacy, risk management, security awareness, security training, Shirk