
Coronavirus Relief Package Needs Privacy Focus, Groups Tell Congress

Any Coronavirus relief packages drafted by Congress must center around patient privacy protections, and waivers must exclusively serve public health, civil-society groups urge.

Thirteen civil-society groups are urging Congress to keep patient privacy protections center stage in any drafted Coronavirus relief packages, and any waivers of these protections must exclusively serve the nation’s overall public health.

Over the weekend, the Senate worked to come to a compromise as to just what elements would be included in relief legislation, but to no avail. However, the Trump Administration, the Department of Health and Human Services, and the Office for Civil Rights are all moving to expand telehealth use during the national emergency.

In a letter to Congress, Amnesty International-USA, Center for Human Rights and Privacy, Public Citizen, and U.S. PIRG, among others, stressed that the use of personal data during the COVID-19 crisis could benefit the overall public health. But fueling data sharing during the crisis could dramatically increase privacy and security risks.

“Allowing access to personal data, particularly health data, without guardrails could threaten fundamental rights and liberties and open the door to data exploitation that could violate civil rights and harm vulnerable populations,” the groups warn.

“While some extraordinary necessary and proportionate measures may be taken during a time of crisis, those measures must be taken thoughtfully and fully withdrawn at the earliest moment after the emergency has passed,” they added.

In light of those concerns, Congress should include language that would bar marketing or commercial use of data collected or shared during the pandemic.

Further, individuals must be able to retain their fundamental rights over their own information collected from them during or as a result of the pandemic. And if data access is increased during the crisis, the government must reinstate those rights once the emergency has passed, the groups argued.

Congress should not simply take the word of those companies, but should instead employ federal protections for data collected, processed, and shared during the emergency. That should also include real consequences for violations.

For example, the Trump Administration touted a new COVID-19 screening website hosted by Google. However, language contained in the privacy policies raised several concerns, which a group of Democratic Senators is now investigating.

To avoid potential privacy violations, the groups made eight key recommendations around language Congress should add to any relief legislation.

To start, any collection or processing of individuals’ personal data – both health and geolocation data – must be necessary and proportionate for the protection of public health and pandemic response. It must also respect existing laws and fundamental constitutional rights.

Any collection and processing of data will need to be transparent, including providing concise and reader-friendly information about data collection and how long the information will be retained. The collection and processing must also be limited to the minimum necessary amount of data for the purpose of responding to the pandemic.

Further, any data collected for public health purposes related to the pandemic will need to be automatically deleted once the emergency subsides and not repurposed, except for “narrowly-defined medical research purposes and pandemic preparedness subject to informed and explicit consent of the individual.”

“Special protections will be afforded regarding the collection and use of the data of children,” the groups wrote. “Any data processing or remote technology deployment should not minimize needed security protections in the context of pandemic response. Data shall be maintained in a secure environment and transmitted through secure methods.”

“There must be limits on processing newly-collected or acquired personal data for purposes unconnected to public health and service delivery,” they added. “Those prohibitions must include limits on commercial and advertising activity, and should include heightened penalties for inappropriately targeting vulnerable populations while the health crisis is ongoing, and during any resulting economic slowdown. This includes closing loopholes that allow for marketing use of data outside of HIPAA.”

Lastly, decision-making related to data collection and processing during the pandemic must be informed by guidance and documented. The groups recommended individuals be allowed access to their data and be granted due process rights.

Any alterations made to existing laws should be temporary in nature, limited in scope, and only adopted as a COVID-19 response.

“There shall be real, commensurate consequences for companies that fail to protect personal data or to abide by these privacy rules,” the groups argued. “The consequences for unjustified data collection and processing and data breaches shall be tough enough to ensure that companies are accountable, data is held securely, and that the financial benefits of violating this law never exceed the consequences.”
