
2013-09-23

Information security: Students banned for being HIV positive.

In Arkansas, students have been banned from attending school for failing to declare their "HIV status". A statement from the school acknowledges that this is the case, and that they have educational purposes for knowing whether or not the students have HIV.

From an information security point of view, this is fail. Even though they have not named the students, they have still breached personal information: Within the school, it is visible who has been kicked out. By acknowledging that this has to do with HIV, the connection will be made. The appropriate response still is as simple as "I can not comment on individual students." "So is fear of HIV the reason for kicking them out?" "I can not comment on individual students." "Is it true that they have to give a test?" "I can not comment on individual students."

The correct response from the media would then be to ask for the things that are supposed to be public. In this case, the assertion is that students who are suspected of having HIV are suspended or kicked out of school for not taking a medical test to document their status. If this is the case, there must be a policy about this in the school. Hence, the question is "what is the school's policy on students with or suspected of having HIV?"

This is simply because those things should not concern the public unless the victims themselves take the issue to the media. It might sound unfair, but even then, it is all at the victim's discretion what gets published, because the institution can not comment on specific people; it can only recite policy to the media. Even if the victim lies to the media about an issue, the institution can only recite policy.

This is how a dialogue between journalist and institution would go, if the institution cared about information security:

"The victim says you did A, is this true?"
"I can not comment on specific incidents concerning individuals."
"Is it normal for the institution to do A?"
"A is the procedural response to B."
"And has the victim done B?"
"I can not comment on specific incidents concerning individuals."
"But the victim has already said you did A."
"Again, I can not comment on specific incidents concerning individuals."
"The victim also said you did C."
"I can not comment on specific incidents concerning individuals."
"But C would cause B. Why would you do C?"
"It is not in our policy to do C. To my knowledge, we have never done C to anyone."
"Are you saying that the victim is lying?"
"I can not comment on specific incidents concerning individuals."

In the specific case in Arkansas, the combination of B and C led to A. The victim spoke only of how B led to A, which seems ridiculous. In a press release, the institution also mentions that there is a factor C, which has previously been unknown to the public. What is known is that A is suspension from school and that B is a missing HIV test. The public is now free to speculate on what can be combined with HIV to cause suspension. And speculations are really nasty animals.
