I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the plans.
For nice resources on planning for H1N1 and other types of pandemics, the Centers for Disease Control and Prevention (CDC), the Department of Health and Human Services (HHS), and other U.S. agencies have published some great resources on pandemic response and preparedness here.
A very nice, succinct 2-page checklist is here.
The topic of addressing privacy within pandemic plans would make a great chapter or white paper, wouldn’t it?
Here are some musings about privacy issues organizations of all types should address within their plans:
- What kind of screening processes are in your pandemic plans? Some organizations plan to require individuals to complete and sign screening forms to provide information about their health and related symptoms.
- What kind of work area cleaning activities are you initiating in your pandemic prevention plans? Some companies are removing certain shared telephones; what voice mails or other data were stored on those phones? Some companies are propping open doors; what areas containing personal information, of any kind in any form, have now lost this basic physical security barrier? Some elevators are being programmed to stop at every floor to avoid having people press the buttons; how many people will be getting off onto secured floors and gaining access to information they shouldn’t? More invasive cleaning of desk areas is being implemented; will information on desktops, and even within desk drawers, be seen or even taken in a way that could result in a privacy breach?
- What kind of social distancing practices are being implemented? Many companies are already using video conferences instead of live meetings as a way to reduce costs, along with increased use of phones, interactive websites and even kiosks. Social distancing techniques increase the privacy risks arising from the many ways in which mobile computing occurs. Do your plans address those privacy risks?
- What are your quarantine plans? Companies are requiring huge amounts of personal information for such events, not only about workers, but also about family members and non-family individuals who share the same living quarters. They are collecting all sorts of medical and diagnosis information. What kind of information is your company requiring for quarantines? Do they really need all that information? Limit collection to the minimum necessary to document the quarantine event. And then make sure plans are in place to protect all that information while you have it, and then irreversibly destroy it all following the quarantine.
Make sure that your plans are in line with the applicable laws. And there are many:
- In Europe, Canada, Australia and other countries with strong data protection laws, be sure to comply with all the requirements necessary for special categories of information, and make sure you address the registration of data processing activities and authorization requirements for information transfers.
- US federal laws governing health and employee information include, but are not limited to, HIPAA, the HITECH Act, labor and employment laws, the Americans with Disabilities Act, and anti-discrimination laws.
- Many US state and territory breach notice laws (e.g., Texas, California, Arkansas, just to name a few) apply to health information.
- Also be aware of your labor union, collective bargaining and works council agreements.