This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors that are compliant with GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.
Vendors must also comply with the GDPR.
This post is a reprise of a post I wrote many years ago that has remained popular. I thought I’d repost it now, during exam grading season, to help professors who want to learn the science and art of grading exams.
It’s that time of year again. Students have taken their finals, and now it is time to grade them. It is something professors have been looking forward to all semester. Exactness in grading is a well-honed skill, taking considerable expertise and years of practice to master. The purpose of this post is to serve as a guide to young professors about how to perfect their grading skills and as a way for students to learn the mysterious science of how their grades are determined.
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
Here’s a cartoon on HIPAA and social media use to jump start your week. You can’t think enough about HIPAA these days. HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.
It’s Data Privacy Day — January 28, 2016 — and to celebrate, here’s a cartoon I created about the Internet of Things.
Professor Woodrow Hartzog and I have just published our new article, The Ultimate Unifying Approach to Complying with All Laws and Regulations, 19 Green Bag 2d 223 (2016). Our article took years of research and analysis, intensive writing, countless drafts, and endless laboring over every word. But we hope we achieved a monumental breakthrough in the law. Here’s the abstract:
There are countless laws and regulations that must be complied with, and the task of figuring out what to do to satisfy all of them seems nearly impossible. In this article, Professors Daniel Solove and Woodrow Hartzog develop a unified approach to doing so. This approach (patent pending) was developed over the course of several decades of extensive analysis of every relevant law and regulation.
I’ve been going through my blog posts from 2015 to find the ones I most want to highlight. Here are some selected humor posts about privacy and security:
I’ve been following the recent controversy over the TSA’s body imaging X-ray machines, otherwise known as the “backscatter” or “exhibit-yourself-in-the-nude” devices. It made me reminisce about an old post I wrote about the Playmobil airline screening playset.
I had not used the playset for a while. Five long years have elapsed since my post, and I had outgrown this toy and moved on to more advanced ones. But this recent controversy made me regress. . . .
After blogging a few weeks ago about the airline screening playset, I went ahead and ordered one.
Each day, I would check my mailbox, eager with excitement about its arrival. Today, it finally arrived. I rushed to open it and began what would be hours of exciting play. Here’s what came in the playset:
I was a bit disappointed in the toy’s lack of realism. There was only one passenger to be screened. Where were the long lines? The passenger’s clothing wasn’t removable for strip searching. The passenger’s shoes couldn’t be removed either. Her luggage fit easily inside the X-ray machine. There were no silly warning signs not to carry guns or bombs onto the plane. And there was no No Fly List or Selectee List included in the playset.
Another oddity was that the toy came with two guns, one for the police officer and one that either belonged to the X-ray screener or the passenger. The luggage actually opened up, and the gun fit inside. I put it through the X-ray machine, and it went through undetected. Perhaps this is where the toy came closest to reality.
The biggest departure from reality was that the passenger had a cheery smile on her face.