[arin-ppml] Policy Proposal: Customer Confidentiality

Tom Vest tvest at pch.net
Wed Jun 10 11:01:50 EDT 2009 

On Jun 10, 2009, at 10:12 AM, Milton L Mueller wrote:

>> -----Original Message-----
>> From: arin-ppml-bounces at arin.net [mailto:arin-ppml- 
>> bounces at arin.net] On
>> Public actions have public accountability.  If you don't want your  
>> picture
>> taken going in to a strip club then don't go to a strip club.
>>
>
> This doctrine bears no relationship to actual law regarding privacy  
> and freedom of association. Sorry, guys, but there's more at stake  
> here than your convenience as network admins, and even as network  
> admins there are appropriate limits to place on indiscriminate  
> public access to sensitive information, especially when  
> contractually agreed between provider and customer. When you get  
> elected as a legislator, Kevin, then you and 250 other elected reps  
> can change that under due process if you wish; until then, don't try  
> to make law via ARIN.
>
> --MM


Neither does "actual law" impose a strict, uniform interpretation on  
how information collected and maintained for *authorization and  
accountability purposes* can and cannot be used in all situations. An  
arguably relevant, if US-centric, illustration:

"HIPAA requires healthcare providers to obtain patients' authorization  
before disclosing their information to third parties for marketing  
purposes. However, healthcare providers do not need authorization to  
disclose information for marketing their own health-related services.  
HIPAA also allows disclosure of health-related information for a  
variety of social purposes such as public health activities, suspicion  
of abuse or neglect, health oversight activities, and for law  
enforcement purposes, along with a court order, subpoena, or  
"administrative request." HIPAA does not include a requirement to  
provide notice toconsumers in the event of a data breach. Finally,  
lawsuits to enforce HIPAA requirements can only be brought by the  
secretary of the Department of Health and Human Services and not by  
individuals."*

So, in some contexts at least, one man's "indiscriminate public  
access" may be another man's access/disclosure to fulfill a  
"legitimate social purpose."

If that doesn't suit you, you can always take your own advice and try  
to author some new "actual laws" that more closely fit your own views.

TV

*George H. Pike, "HIPAA Gets New Privacy Rules" (Information Today,  
April 1, 2009), p. 13.

An online version is available at:
http://goliath.ecnext.com/coms2/gi_0199-10387318/HIPAA-gets-new-privacy-rules.html

More information about the ARIN-PPML mailing list