Greetings!
Since the first humans realized the healing properties of plants, people have been sharing medical remedies. So it should come as no surprise, perhaps, that in today's Information Age, such sharing takes place online.
On sites such as PatientsLikeMe.com and MigraineLiving.com, people post their symptoms, diagnoses, and genetic information for their own benefit and that of others. Recently, more platforms to aid, even encourage such sharing have emerged. LAMsight, a new portal for those who have LAM disease, culls patients' entries into a database that researchers and physicians can use to learn more about the rare and fatal condition. Last month Pfizer announced it will create a site where patients can post personal health information so that researchers, physicians, and drug makers can connect with them on trials that could lead to breakthroughs or cures. And Belgian pharmaceutical company UCB said in June that it will team up to create an online community for those who have epilepsy. Although the research community acknowledges the limitations of the medium, they are simultaneously excited about the potential benefits of all this sharing. Frank Moss, a LAMSight collaborator and director of the famed MIT Media Lab, told the New York Times that aggregating patient data in this way 'could generate new hypotheses and avenues for research.' The health information-sharing movement, however it nets out, parallels another being discussed among some of today's brightest thought leaders. In a March Wired magazine article, writer Daniel Roth suggested a similar kind of "openness" for the financial sector, one where, as he put it, "data empowers the public for the public good." He proposed a new, radical approach to financial disclosures, where everyone is given the "tools to track, analyze, and publicize financial machinations..." This radical transparency, he said, could serve the greater good by helping predict and prevent future financial-sector meltdowns. "Only when we give everyone the tools to see each point of data will the picture become clear," Roth wrote. Assuming privacy fears can be quelled, radical transparency in the health arena, albeit more personal and voluntary than the financial scenario described above, could lead to treatments, cures, and preventative measures we haven't imagined. In this issue of Inside 1to1: Privacy, Larry Dobrow outlines the landscape of health information sharing. Will we "go radical?" Let us know what you think.Also this month we continue our look at global consent requirements with Jay Cline's "Privacy consent glossary." As always, we hope you find this issue of Inside 1to1: Privacy useful to your work.
J. Trevor Hughes, CIPP
Executive Director, IAPP
|
Privacy consent glossary
|
|
By Jay Cline, CIPP
Differing understandings of what "opt in" and "opt out" mean have stymied countless conversations between corporate marketers and privacy officers around the world. Similar confusion over definitions of "marketing" communications versus "administrative" communications have put the brakes on many creative marketing ideas. What are some possible solutions? The following glossary offers some starting points for your company's internal policy deliberations.
1. "Opt in" = express, affirmative, or explicit consent
The gold standard in privacy-consent language is the so-called "opt in" consent. Regulators around the world tend to require this level of consent--alternatively called express, affirmative, and explicit--for collecting sensitive data and for using personal data in ways most individuals might not agree to. For example, the U.S.-EU Safe Harbor principles state: "For sensitive information, affirmative or explicit (opt-in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual."
There are more complicated "opt-in" definitions than the Safe Harbor. The U.S. CAN-SPAM Act, for example, defines this higher level of consent occurs when "(A) the recipient expressly consented to receive the message, either in response to a clear and conspicuous request for such consent or at the recipient's own initiative; and (B) if the message is from a party other than the party to which the recipient communicated such consent, the recipient was given clear and conspicuous notice at the time the consent was communicated that the recipient's electronic mail address could be transferred to such other party for the purpose of initiating commercial electronic mail messages."
It's debatable whether requiring this level of consent is always good policy. What's not as debatable is lawmakers' intent behind this standard: that data subjects' clear and informed consent is required for exceptional uses of their data.
In practice, what should be examples that are widely understood to qualify as opt-in consent?
- An unticked box on a Web page or paper form that says: "Send me promotional e-mail offers." If consumers tick that box, they've provided opt-in consent.
- An unticked "I agree" box below a Web- or paper-based set of terms and conditions in which it is clearly and prominently stated that the consumer will receive direct marketing. If consumers tick that box, they've also provided opt-in consent.
- An optional field on a form that says "e-mail address," and nearby it says: "By providing your e-mail address, you may receive marketing e-mails from us." If consumers provide their e-mail address, they, too, will have provided opt-in consent.
- A "subscribe" button on a Web site "shopping cart" page that, when clicked, uses information from the purchase to subscribe a consumer to a newsletter and use and disclose that information according to the terms of the privacy policy posted on the site.
- An inquiry from a consumer who says or writes: "Please add me to your mailing list."
- A business card that is dropped into a fishbowl that says: "Drop your card and win a free lunch and join our mailing list."
According to Andrew Serwin, chair of the Foley & Lardner LLP Privacy Security & Information Management Practice, in certain cases a "double" opt-in regime is used. "This occurs when a company needs to ensure that there is no issue regarding whether a recipient gave consent," says Serwin.
2. Opt out = soft opt in, default opt in, assumed, deduced, deemed, or implicit consent
Even if consumers haven't explicitly checked an opt-in box, there still may be many situations where companies can assume they have appropriate consent to send direct marketing to their consumers. If it's usual and customary for companies in a certain industry in a certain country to send direct marketing to consumers at addresses listed in public directories or at the contact information provided during a sale, these companies may often be safe to assume they have obtained an appropriate level of consent.
Even the European Union, known for its more restrictive approach to privacy consent, accepts the legitimacy of this opt-out approach. In its Directive on Data Protection, the EU defines a data subject's consent broadly as 'any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.' The EU more directly provides for an opt-out approach to direct marketing in its subsequent Directive on Electronic Communications. Its section on unsolicited communications states: "[W]here a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the context of the sale of a product or a service, in accordance with Directive 95/46/EC, the same natural or legal person may use these electronic contact details for direct marketing of its own similar products or services provided that customers clearly and distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact details when they are collected and on the occasion of each message in case the customer has not initially refused such use."
Canadian legislation similarly sanctions the use of opt-out consent. The Personal Information Protection and Electronic Documents Act (PIPEDA) states: "The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate..." The form of the consent sought by the organization may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, organizations shall take into account the sensitivity of the information."
3. "Marketing" versus "administrative" communications
If consumers don't provide the necessary consent for companies to send them marketing communications--which are usually seen as secondary uses from the original purpose for which the data was originally collected--companies still want to be able to communicate with consumers about their accounts. In some cases, companies are required to communicate with consumers, such as to send them annual privacy notices and other types of administrative correspondence. According to Serwin, companies will often combine marketing material with administrative communications. As a result, debates have unfolded inside many companies over what qualifies as "marketing" communications subject to privacy permissions and what qualifies as "administrative," "transactional," or "service" communications not subject to the same permissions, and how to handle "hybrid" communications.
There are no commonly accepted guidelines for resolving these debates. For its part, the Federation of European Direct and Interactive Marketing defines direct marketing in a broad way as 'the communication by whatever means (including but not limited to mail, fax, telephone, on-line services etc...) of any [emphasis mine] advertising or marketing material, which is carried out by the Direct Marketer itself or on its behalf and which is directed to particular individuals.'
The U.S. CAN-SPAM Act more narrowly defines a "commercial electronic mail message" as any electronic mail message the primary purpose [emphasis mine] of which is the commercial advertisement or promotion of a commercial product or service. The Act also provides a detailed definition for "transactional" or "relationship" message as a message 'the primary purpose of which is (i) to facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender; (ii) to provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient; (iii) to provide (I) notification concerning a change in the terms or features of; (II) notification of a change in the recipient's standing or status with respect to; or (III) at regular periodic intervals, account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender; (iv) to provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or (v) to deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.'
What could be some possible rules of thumb to harmonize these international terminology variances? These definitions may be starting points for your organization:
- "Marketing" communications are messages sent through any channel to an identifiable individual where the timing of the message, the majority of the content, or the topics of the subject headers have as their primary purpose influencing the consumer to make another commercial transaction.
- "Administrative" communications are non-marketing messages whose purpose is directly related to the original purpose for which the individual's information was first collected.
Other key privacy terms that have acquired slightly different understandings in different regions include "customer" versus "consumer," what qualifies as an "existing business relationship," and what is a "privacy consent" versus a "privacy permission," "privacy preference," or "privacy choice." In all of these cases, a global harmonization of terms will be needed before any global privacy agreement can be successfully negotiated.
Jay Cline is president of Minnesota Privacy Consultants.
|
|
CONNECT WITH THE GLOBAL PRIVACY COMMUNITY
Join us on November 3 in Madrid, Spain for a unique one-day workshop where the global privacy community will come together to discuss the latest solutions for managing today's most challenging data protection obstacles. Leading experts from around the world will share their insights and approaches to some of the most demanding operational issues and risks at the IAPP Data Protection and Privacy Workshop. Topics include notice of security breach, global transfer solutions, cloud computing, online privacy and the future of the profession. See the complete program now.
Register Now |
Health information-sharing environment
|
|
By Larry Dobrow
After enduring migraine headaches for 20 years, Michael Cowden was at the end of his rope. While he'd received treatment advice from tens of physicians, he was no closer to mitigating the debilitating effects of his headaches than he was years earlier. So he decided to get, in his own words, "migraine-aggressive."
Web research yielded a wealth of information, much of it culled from blogs written by fellow migraineurs. Before long, he'd turned his treatment regimen on its ear. "When dealing with healthcare providers, I was educating them about my disease, rather than vice-versa," Cowden says. "The community of migraineurs was providing more information about remedies or treatments I could try--dietary things, environmental things--than my doctors were, even the neurologists."
Hoping to compile all this information in a single place, Cowden built and launched MigraineLiving.com, which serves as both a personal online treatment diary and an online community center of sorts for migraine sufferers. While it may lack the foot traffic of TMZ.com--still in beta version, the site boasts only a few hundred regular visitors and contributors--MigraineLiving.com is one of hundreds of Internet entities that could well change the way everyone from patients to physicians and researchers think about healthcare. And the privacy-be-damned sharing of personal health information and anecdotes is at the core of it.
As more and more individuals with chronic conditions seek out advice and a sympathetic ear online, entities researching balms and remedies have started to regard them as perhaps the healthcare food chain's most underused resource. Patients' stories and experiences about living with illness had largely gone unlogged during the days before the Internet. Now, researchers and the drug industry are taking note, hoping that by aggregating the glut of information they might uncover potential new avenues for research.
To Esther Dyson, who sits on the board of consumer genetics site 23andMe.com and counts herself as an investor in PatientsLikeMe.com, which facilitates data sharing by patients, the only question is why it took so long for physicians and researchers to start tapping this information lode. While she acknowledges potential drawbacks, Dyson believes the pluses far outweigh the minuses.
"For research purposes, you want lots of people contributing, to smooth errors and get a good sample," she explains. "Those early adopters and the intensely interested are often a good canary in the coal mine, detecting things before they become broadly visible. It's like a focus group: You don't use it to sample the population, but rather to get insight."
The benefits of all the information sharing could be huge, especially for sufferers of diseases that plague a smaller number of people (and thus tend not to attract huge time and dollar investments from researchers). The emotional and participatory aspects of it shouldn't be overlooked, either: sympathetic ears are often hard to come by in the offline world, plus the empowerment that comes with finding like-minded individuals could prompt patients to be more proactive in their own treatment.
At the same time, privacy concerns haven't been addressed in even a peripheral manner. For the most part, those with some stake in the matter believe that individuals can decide on their own just how much information they feel comfortable sharing--and that's what worries privacy pundits.
They wonder if sites guaranteeing the sanctity of personal health information are capable of doing so (or truly willing to do so), as well as whether the patient-protection rules to which federally funded researchers are bound should be extended to private businesses in the field. Pfizer, for instance, recently announced plans to launch a site that links patients with pharma firms, doctors, and researchers. The site is designed to help the latter groups find willing subjects for clinical trials based on the personal information, anecdotal or otherwise, submitted by patients.
For now, to share or not to share is a matter of individual choice. "I've worked with some of the most ardent privacy activists in the world, who would not ever share anything that's not completely anonymous. And I've worked with Millennials, who don't seem to mind putting it all out there from the beginning," shrugs Sarah Granger, a new-media consultant who has written about related issues for Ethics in the Computer Age and Security Focus. "I advise people to err on the side of caution, to share what they're comfortable with." Granger knows of what she speaks: She has shared and documented online her experiences dealing with pudendal neuralgia, in which stretched nerves from pregnancy and delivery result in chronic pain.
Dyson, on the other hand, questions if some of the privacy concerns have been overstated. "People need to understand what's happening to their data and then make informed choices," she says. "But most health information just isn't that interesting to other people... it's not up to me to tell people what they consider to be sensitive; that's their choice. Personally, I would like to make disclosure statements in the form of a quiz, so as to be sure people really know what they are signing up for."
Other problems remain, of course, even outside the privacy arena. For one, the information samples aren't random; they come from individuals who took the trouble to come forward on their own. Too, "quicker and less costly" obviously isn't sufficient justification to abandon the usual clinical rigor.
Nonetheless, if all parties involved get past these and the accompanying privacy issues, it would seem that sharing and pooling information in online communities like Cowden's migraine site could eventually help usher in an era of smarter, more reactive disease prediction and prevention.
Dyson believes the technological climate is ripe for just such a revolution. "People encourage one another," she says. "It's not just data they're sharing; it's knowledge about one another's problems and states of mind. It's empathy."
|
|
|
|
|
| Research Update |
|
Forrester's five-year forecast
Forrester Research projects e-mail marketing spending to reach $2 billion in 2014. In its recent report, "U.S. E-mail Marketing Forecast 2009-2014," the firm says that falling CPMs, high return-on-investment, and the growth of social e-mail accounts will propel direct marketers toward the medium.
Among the factors deemed to be driving this increase:
> Consumers will continue choosing to receive communications via electronic means
> Marketing materials will become increasingly tailored to individual consumers
> Spending on ad-sponsored or ad-supported newsletters will continue to increase
Forrester also predicts an increase in e-mail waste, saying that by 2014 direct marketers will throw away $144 million on messages that don't reach their primary target. "Successful direct marketing pros will alter their tactics to overcome inbox clutter and increase relevancy," says Forrester Research Vice President and Principal Analyst David Daniels.
For more information
|
|
|
|
|
| Sponsorship Opportunities |
Sponsorship opportunities are available for this newsletter, the IAPP Practical Privacy Series in Washington, DC, the IAPP Global Privacy Summit, and more.
E-mail |
|
|
|
|
| Privacy Tools |
Privacy Career Postings
Learn More
Useful Privacy Links
Learn More
Publications from Peppers & Rogers Group
Learn More
IAPP Educational Library
Learn More
|
|
|
|
|
| IAPP Certification Testing |
Cincinnati, OH
Weds., September 23
Los Angeles, CA
Weds., September 30
Atlanta, GA
Weds., October 7
Denver, CO
Weds., October 14
Washington, DC
Thurs., October 15
Vancouver, BC
Fri., October 16
Folsom, CA
Mon., October 19
Ottawa, ON
Thurs., October 22
Learn More About CIPP Training and Testing
|
|
|
|
|
UPCOMING IAPP KNOWLEDGENETS
|
Denver, CO
Weds., September 23
11:30 a.m. to 1 p.m.
Speakers: Catherine Kurtz, CIPP, Global Data Privacy Officer, Sterling Commerce; Steve O'Dorisio, CIPP, Associate, Holland & Hart; Rich Spilde, CIPP, Associate, Holland & Hart
Topic: Managing the Risks in a Solid Vendor Due-Diligence Process
Sacramento, CA
Thurs., September 24
5:30 to 7:30 p.m.
Speakers: Sandra Dorsett, Director, Division Compliance Programs, Health Net, Inc. - Government & Specialty Services Division; Amy Flake, Lead Privacy Specialist, Blue Shield of California Privacy Office
Topic: Explanation of Privacy and the Use of Privacy Impact Assessments within Large Organizations
London, UK
Thurs., October 1
9 a.m. to 1:15 p.m.
Speakers: Bojana Bellamy, Accenture; Bridget Treacy, Hunton & Williams; Sue Gold, The Walt Disney Company Limited; Neil Matthews, Acxiom
Topic: Outsourcing and How to Protect Data
Ottawa, ON
Weds., October 7
11:30 a.m. to 1 p.m.
Speaker: Elizabeth Denham, Office of the Privacy Commissioner of Canada
Topic: The OPC's Facebook Investigation: How Canadian Privacy Law Made an International Impact
Minneapolis/St. Paul, MN
Fri., October 2
9:30 to 11 a.m.
Speaker: Jarno Vanto, Vanto Law PLLC
Topic: Latest Trends in International Privacy Law
RSVP Now
(Registration is required.)
|
|
|
|
|
About Us
|
The International Association of Privacy Professionals (IAPP) is the world's largest association of privacy professionals with more than 6,200 members in 47 countries. The IAPP helps define and support the privacy profession through networking, education, and certification.
Read More
Peppers & Rogers Group is a management consulting firm recognized as the world's leading authority on customer-based business strategy. The company is dedicated to helping enterprises identify differences within the customer base and to use that knowledge to gain a competitive advantage.
Read More
|
| |
