NIST Transitioning Away from SHA-1 for All Applications

NIST is introducing a plan to transition away from the current limited use of the Secure Hash Algorithm 1 (SHA-1) hash function. Other approved hash functions are already available. The transition will be completed by December 31, 2030.

In 2006, NIST issued an announcement encouraging a rapid transition to the SHA-2 family of hash functions for digital signature applications; SHA-2 was initially specified in FIPS 180-2. NIST then began a competitive process to develop an additional hash function, which resulted in the SHA-3 family of hash functions, published in 2015 as FIPS 202. In 2011, NIST released SP 800-131A, which deprecated SHA-1 for generating new digital signatures and restricted further use of SHA-1 to only where allowed in NIST protocol-specific guidance.

Cryptanalytic attacks on the SHA-1 hash function as used in other applications have become increasingly severe in recent years (“SHA-1 is a Shambles” by Leurent and Peyrin, 2020 https://www.usenix.org/conference/usenixsecurity20/presentation/leurent). As a result, NIST will transition away from the use of SHA-1 for applying cryptographic protection to all applications by December 31, 2030.
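An added example (not part of the NIST notice) of how a defender might audit for the transition the notice describes: it classifies hash algorithm names against the two dates given above (SHA-1 deprecated for new signatures in 2011; transition complete by December 31, 2030), scans a constructed configuration sample for SHA-1 settings, and computes a replacement digest with an approved SHA-2 or SHA-3 function. The algorithm names follow Python's hashlib; the status labels and the sample config are my own assumptions.

```python
"""Added example: SHA-1 transition audit helpers (not NIST code).

Dates are taken from the NIST notice; algorithm names follow hashlib.
"""
import hashlib
import re
from datetime import date

# From the notice: SP 800-131A (2011) deprecated SHA-1 for new digital
# signatures; the transition away from SHA-1 completes on 2030-12-31.
SHA1_SIGNATURE_DEPRECATION_YEAR = 2011
SHA1_SUNSET = date(2030, 12, 31)

# Approved hash functions (SHA-2 from FIPS 180, SHA-3 from FIPS 202),
# spelled the way hashlib names them.
APPROVED = {
    "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256",
    "sha3_224", "sha3_256", "sha3_384", "sha3_512",
}


def normalise(name: str) -> str:
    """Map common spellings (SHA-1, sha-256, SHA3-256, SHA-512/256)
    onto hashlib algorithm names."""
    n = name.strip().lower().replace("-", "").replace("/", "_")
    n = re.sub(r"^sha3(\d+)$", r"sha3_\1", n)        # sha3256 -> sha3_256
    n = re.sub(r"^sha512(224|256)$", r"sha512_\1", n)  # sha512256 -> sha512_256
    return n


def classify(name: str, today: date = None) -> str:
    """Status labels (my own): 'approved', 'sha1-deprecated' (still within
    the transition window), 'sha1-disallowed' (after the sunset date), or
    'unknown' for names this helper does not recognise."""
    today = today or date.today()
    n = normalise(name)
    if n in APPROVED:
        return "approved"
    if n == "sha1":
        return "sha1-disallowed" if today > SHA1_SUNSET else "sha1-deprecated"
    return "unknown"


def is_approved_for_new_use(name: str) -> bool:
    return classify(name) == "approved"


# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed sample config
signature_algorithm = SHA-1
tls_sigalg = sha256
artifact_digest = SHA3-256
"""


def find_non_approved_settings(config_text: str, today: date = None):
    """Return (line number, key, value, status) for every key=value line
    whose value is not an approved hash function name."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*(\w+)\s*=\s*([\w\-/]+)", line)
        if not m:
            continue  # comments, blank lines, non key=value lines
        key, value = m.groups()
        status = classify(value, today)
        if status != "approved":
            findings.append((lineno, key, value, status))
    return findings


def digest_with_approved(data: bytes, algorithm: str = "sha256") -> str:
    """Hash data with an approved function; refuse SHA-1 or anything unknown."""
    n = normalise(algorithm)
    if n not in APPROVED:
        raise ValueError(f"{algorithm} is not approved for new use; "
                         f"use SHA-2 or SHA-3 (sunset {SHA1_SUNSET})")
    return hashlib.new(n, data).hexdigest()


if __name__ == "__main__":
    for finding in find_non_approved_settings(SAMPLE_CONFIG):
        print("line %d: %s = %s (%s)" % finding)
    print("sha256:", digest_with_approved(b"abc"))
    print("sha3_256:", digest_with_approved(b"abc", "SHA3-256"))
```

Running the script lists the SHA-1 setting in the constructed sample and prints the SHA-256 and SHA3-256 digests of "abc"; `digest_with_approved` raises if asked to use SHA-1, which is the behaviour you want in any new code path during the transition.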

https://www.nist.gov/news-events/news/2022/12/nist-transitioning-away-sha-1-all-applications

Updated FTC-HHS online tool helps developers understand which federal laws apply

The Federal Trade Commission (FTC), in conjunction with the HHS Office for Civil Rights (OCR), the HHS Office of the National Coordinator for Health Information Technology (ONC), and the Food and Drug Administration (FDA), has updated the Mobile Health App Interactive Tool. This tool is designed to help developers of health-related mobile apps understand which federal laws and regulations might apply to them.

https://www.ftc.gov/business-guidance/resources/mobile-health-apps-interactive-tool

HHS Bulletin: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

– mentions Google Analytics and Meta Pixel by name.

“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”

This Bulletin provides a general overview of how the HIPAA Rules apply to regulated entities’ use of tracking technologies. This Bulletin addresses:

  • What is a tracking technology?
  • How do the HIPAA Rules apply to regulated entities’ use of tracking technologies?
    • Tracking on user-authenticated webpages
    • Tracking on unauthenticated webpages
    • Tracking within mobile apps
    • HIPAA compliance obligations for regulated entities when using tracking technologies

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html