
2013-10-02

Information Security: Press release

So Pea Ridge school district made a press release concerning media attention to a specific case. The press release went like this:
    "The Pea Ridge School District is dedicated to providing a safe environment for our students, teachers and staff.

    "As reported in the media, the district has recently required some students to provide test results regarding their HIV status in order to formulate a safe and appropriate education plan for those children. This rare requirement is due to certain actions and behaviors that place students and staff at risk. The district respects the privacy and confidentiality of all students. It is very unfortunate that information regarding this situation is being released by outside organizations.

    "Our goal is to provide the best education for every student, including those in question, in a responsible, respectful and confidential manner."
The press release reveals more information than was previously known to the media, and it also confirms that the incident took place. In terms of personal information security, this is just wrong. A proper press release should be more like this:
    "The Pea Ridge School District is dedicated to providing a safe environment for our students, teachers and staff. As reported in the media, the district has a policy that allows us to demand an HIV test in certain circumstances. The full text of the policy may be found on our web page.

    Our goal is to provide the best education for every student, in a respectful and confidential manner. It is therefore unfortunate when a specific case concerning specific individuals is being printed by media, breaking the rule of confidentiality. This is not an issue that concerns the public at large. It is therefore in our policy not to discuss specific cases involving specific people with the media, as we shall also not comment on this specific case.

    What is in the public's interest is the district's policy, which, again, may be found on our web page. It is also in the public's interest if we have broken a law. The latter is to be decided in the courts of law."

See the difference?

2013-09-23

Information security: Students banned for being HIV positive.

In Arkansas, students have been banned from attending school for failing to declare their "HIV status". A statement from the school acknowledges that this is the case, and that they have educational purposes for knowing whether the students have HIV.

From an information security point of view, this is fail. Even though they have not named the students, they have still breached personal information: Within the school, it is visible who has been kicked out. By acknowledging that this has to do with HIV, the connection will be made. The appropriate response still is as simple as "I can not comment on individual students." "So is fear of HIV the reason for kicking them out?" "I can not comment on individual students." "Is it true that they have to give a test?" "I can not comment on individual students."

The correct response from media would then be to ask for the things that are supposed to be public. In this case, the assertion is that students that are suspected of having HIV are suspended or kicked out of school for not making a medical test to document their status. If this is the case, there must be a policy about this in the school. Hence, the question is "what is the school's policy on students with or suspected of having HIV?"

This is simply because such matters should not concern the public unless the victims themselves take the issue to the media. It might sound unfair, but even then, it is entirely at the victim's discretion what gets published, because the institution can not comment on specific people, only recite policy to the media. Even if the victim lies to the media about an issue, the institution can only recite policy.

This is how a dialogue between journalist and institution would go, if the institution cared about information security:

"The victim says you did A, is this true?"
"I can not comment on specific incidents concerning individuals."
"Is it normal for the institution to do A?"
"A is the procedural response to B."
"And has the victim done B?"
"I can not comment on specific incidents concerning individuals."
"But the victim has already said you did A."
"Again, I can not comment on specific incidents concerning individuals."
"The victim also said you did C."
"I can not comment on specific incidents concerning individuals."
"But C would cause B. Why would you do C?"
"It is not in our policy to do C. To my knowledge, we have never done C to anyone."
"Are you saying that the victim is lying?"
"I can not comment on specific incidents concerning individuals."

In the specific case in Arkansas, the combination of B and C led to A. The victim spoke only of how B led to A, which seems ridiculous. In a press release, the institution also mentions that there is a factor C, which was previously unknown to the public. Since it is known that A is suspension from school and that B is a missing HIV test, the public is now free to speculate on what can be combined with HIV to cause suspension. And speculations are really nasty animals.