Monday, October 28, 2013

Privacy, Shmivacy

This story has been making the rounds, and it's bad enough. If and/or when one finally does manage to log on to the ObamaTax website, if one looks closely enough, one will find this disclaimer:

"You have no reasonable expectation of privacy regarding any communication or data transiting or stored on this information system"

Now there are actually two things terribly wrong with this picture:

First, the disclaimer is itself hidden inside the Terms & Conditions agreement (to which one must consent before moving forward with the process); it's available only by "using a web browser's 'View Source' feature."

Talk about passing it to find out what's in it.

But that's not even the most egregious part: after all, if one is resourceful enough (and aware of its existence) one may find the CYA clause fairly easily.

No, what's truly scary is this:

Not long ago, I ~~suffered through~~ underwent the training and certification process which allows me to sell new "metal" plans on the Exchange (someday, maybe). Fully 30% of that training was focused exclusively on privacy and security measures that agents must take in order to be compliant.

Section 5 promised that its completion would allow me to:

■ Define PII (Personally Identifiable Information)
■ Identify the extent to which PII may be used and disclosed
■ Identify key privacy responsibilities and restrictions associated with PII under the Marketplaces

Specifically:

Two key points to remember about this definition:

1. This definition may be different than definitions provided under other laws. It is important that you are familiar with this federal definition and how it applies to Marketplace information.

2. A key component to the definition is that PII involves information that is linked or linkable to a specific individual. Therefore, if it is possible to link information to an individual, this information would be considered PII, even if it has not yet been linked to that individual.

Now compare that with what the Navigators on the phone at the actual government-run web-site are privy to, and yet are completely exempted from, and the web-site itself, which is also exempted from these burdensome requirements.

The purpose of Section 6, we're told, is to enable us to:

■ Define the term "information security"
■ Identify three key elements to protecting information
■ Identify the differences between threats, vulnerabilities, and risks to information
■ Identify certain controls that agents and brokers can take to protect information within the Marketplaces
■ List steps that agents and brokers can take to help promote information security in the Marketplaces
■ Identify types of security incidents
■ List steps for responding to a privacy breach as it relates to information security management

And here's a snippet from that section:

• Information security is achieved through implementing technical, management, and operational measures designed to protect the confidentiality, integrity, and availability of information

• The goal of an information security program is to understand, manage, and reduce the risk to information under the control of the organization.

• In today’s work environment, many information systems are electronic; however the Department of Health and Human Services (HHS) has a media neutral policy towards information. This means that any data must be protected — whether it is in electronic, paper, or oral format.

Both "snippets" are culled from the actual on-line coursework, which is available by clicking the highlighted sections. I figure Ms Shecantbeserious is entitled to just as much privacy as the rest of us.