Adam Schwartz writes:
The federal government plans to process more of our personal data, in the name of containing COVID-19, but without showing that this serious privacy intrusion would actually do anything to protect public health. EFF filed comments in opposition to these new plans from the U.S. Department of Health and Human Services (HHS).
The U.S. Centers for Disease Control (CDC) leads our nation’s efforts to contain infectious diseases. Thus, CDC for decades has managed the federal government’s processing of personal data about infection. It did so during the early months of the COVID-19 outbreak. But in July 2020, HHS stripped this tracking authority from the CDC, and transferred it to a new program called “HHS Protect.”
HHS issued two new Systems of Records Notices (SORNs) about this new HHS program. The federal Privacy Act requires federal agencies to issue SORNs to advise people about personally identifiable information that the government maintains about them.
Unfortunately, HHS Protect poses a grave threat to the data privacy of all Americans. As set forth in the SORNs, it would greatly expand how the federal government collects, uses, maintains, and shares all manner of personal information. We highlighted the following ways that HHS Protect would substantially burden privacy without a necessary or proportionate benefit to protecting public health.
New data collection. The SORNs would allow collection of personal information about physical and psychological health history, drug and alcohol use, diet, employment, and more. Data collected would also include “geospatial records,” which countless research has shown is difficult to de-identify. Data would be collected not just about people who test positive, but also about their family members, as well as people who test negative, and perhaps people who have not tested at all. Data would be collected from countless different sources, including federal, state, and local governments, their contractors, the healthcare industry, and patients’ family members.
New data sharing. The SORNs would allow sharing of these vast sets of data with additional federal agencies, unspecified outside contractors, and even “student volunteers.” These additional federal agencies would be allowed, in turn, to share the data with their contractors. Patient consent would not be required for this sharing.
New data use. The SORNs would allow use of this data in litigation and “other proceedings” whenever the federal government has “an interest” in them (such use now is allowed only when HHS is a defendant in litigation).
New data storing. The SORNs would allow permanent retention of data with “significant historical and/or research value” (retention now is limited to four years).
No doubt, the ongoing COVID-19 crisis requires a coordinated governmental response, which in turn requires robust data concerning the spread of the disease. But HHS has made no showing that CDC’s existing epidemiological data systems are not up to the task.
Thus, EFF filed comments with HHS, asking the agency to withdraw these two SORNs. They violate the Privacy Act and create new threats to privacy without any showing of public health benefit.