Agree. The way I usually end up talking about this is: Though in the EU the official phrase is "data protection" (GDPR has it right in the name), this phrase seems to imply mostly "not accidentally letting stuff out" -- the security part. But it's clear that organizations must also choose to act in certain ways. It often goes to the very core of why they choose to exist (business models). And note that GDPR, and increasingly other regs, include way more than what I would put in the bucket of "mere data protection"...yeah, I know I'm abusing the official phrase when I say that.

But it proves that UMAnitarians have been right all along when we've said that privacy isn't secrecy, it's not encryption, but rather context, control, choice, and respect. :)


Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrl


On Thu, May 18, 2017 at 12:51 AM, Adrian Gropper <agropper@healthurl.com> wrote:
Hey John,

Thanks for pointing this out. It's a spectacular example of why we should not confuse security and privacy. What sounds "reasonable" for security (per the article) is gibberish for privacy. Privacy, as NIST very nicely explains, is different from security in that the system is behaving as designed. The sale or misuse of data is intentional and hidden, sometimes at additional cost, by the entity. (This is also why I think the construct "Privacy by Design" does more harm than good.)

So, as John says, it's important for us to be mindful of "best efforts" and be very clear when diluting the responsibility of the entity with respect to privacy.

Adrian


On Sun, May 14, 2017 at 3:03 PM John Wunderlich <john@wunderlich.ca> wrote:
In UMA legal and the Information Sharing workgroups, it will be important to be mindful of 'best practices' vs 'reasonable efforts'.

http://www.dataprotectionreport.com/2017/05/do-promises-to-use-best-efforts-to-protect-data-really-require-unreasonable-action/


_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma
--

Adrian Gropper MD

PROTECT YOUR FUTURE - RESTORE Health Privacy!
HELP us fight for the right to control personal health data.

