Contact tracing and vaccine development are top priorities in the public health arena during COVID. But what are the privacy implications of contact tracing, and is the risk worth the reward? After reviewing some of the key laws that are in place today to protect individual data privacy, this article explores how contact tracing works, the individual data collected during tracing, and its impact on personal privacy.
The past three decades have witnessed the explosion of big data, sophisticated database software, and aggressive data collection procedures by large corporations, including credit card companies, internet providers, and social media giants.
Against this backdrop, individual privacy has suffered a huge hit.
Once the data horse was out of the data barn, various regulatory agencies moved, albeit slowly as is their convention, to require that an individual’s data be protected, and its uses be restricted in order to maintain individual privacy.
Individual financial data has traditionally been the most highly-prized asset for financial institutions and other financial service providers, which spawned several weighty regulations for its protection.
The Fair Credit Reporting Act (FCRA) was enacted in the early days of aggressive data collection, in 1970, to safeguard the privacy of individual financial data that is routinely gathered, distributed, and used by consumer reporting companies, such as Experian, Equifax, and TransUnion. As consumer spending inc
Credit card processing companies also collect enormous amounts of data about individual cardholders and their purchases. The protection of this data is governed primarily by the Payment Card Industry (PCI) Security Standards Council, a global organization that defines requirements for the safety of cardholder data. Merchants who process credit card transactions must comply or face large penalties and reputational risks in the event cardholder data is compromised or stolen.
The Gramm-Leach-Bliley Act (GLBA), sometimes called the Financial Modernization Act, was enacted in 1999 to control the ways that financial institutions handle individuals’ personal data. The GLBA Financial Privacy Rule regulates the collection and disclosure of private financial information, while the Safeguards Rule requires financial institutions to implement security measures to protect that information. The Act also prohibits institutions from accessing or acquiring private financial information under false pretenses.
In the late 1990s and early 2000s, the regulatory spotlight turned to individual healthcare data as it became a logical target for digitization. Hospitals, health insurers, healthcare practices, diagnostic centers and labs all played roles in the electronic collection, use, distribution, and maintenance of individuals’ private health information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to enable patients to change healthcare providers and insurers over time, with requirements for the protection of documents, images, and other forms of an individual’s healthcare data.
HIPAA was enhanced by the HIPAA Security and Privacy Rules, enacted in 2003 to address privacy and security requirements more clearly and effectively. Patient data can range from social security numbers and birth dates, to credit card and payment data, to medical records and test results. This is all sensitive personal information that most of us would not want to be shared without our authorization or exposed to data theft. Failure to comply with these health data protection rules, whether deliberate or accidental, carries serious penalties as well as the potential for significant reputation damage for violators.
The General Data Protection Regulation (GDPR), enacted in the European Union in 2018, also includes the following identifiers as part of general personal data required to be protected: racial or ethnic origin, genetic and biometric data, political and religious data, sexual orientation and activity data, and even trade union memberships. While the GDPR is specific to European businesses and agencies, it extends to U.S. organizations that do business with European entities.
The GDPR is probably the most powerful set of data protection rules governing how organizations can use personal data, and how individuals can access data about themselves. Currently, the U.S. has no legislation equivalent to Europe’s GDPR, although the California Consumer Privacy Act, also enacted in 2018, is often compared to the GDPR.
The bottom line is that virtually every bit and byte of our individual data is already in the data banks of a wide variety of organizations. Those organizations may collect, use, distribute, and store our data in compliance with federal, state, and EU regulations aimed at protecting the security and privacy of that data.
With so many regulations already in place, could additional protections be necessary to govern the collection and use of data related to COVID contact tracing?
Contact tracing can readily lead to a network of contacts. Think of the concept of six degrees of separation, purporting that anyone on the planet is connected to any other person through a chain of acquaintances with no more than five links, or six degrees.
The theory posits that, because we are all linked by chains of acquaintance, each of us is just six introductions away from any other person on the planet.
It’s an intriguing concept and, during COVID, more than a little scary. Which, of course, is why the CDC is adamant about physical social distancing, mask use, and hand sanitization – and why large gatherings are discouraged. In a large crowd, six degrees of separation can result in a mushrooming spread of disease.
The objective of contact tracing is to reduce infections in the population. Contact tracing consists of a four-step process that includes:
Contact tracing is generally employed in cases of highly infectious diseases, such as tuberculosis, measles, HIV, blood-borne infections, Ebola, and novel viruses such as SARS and H1N1 and now COVID-19.
In addition to helping to diagnose and treat individuals found to be infected, or at risk of becoming infected, the analysis and use of data gathered during the contact tracing process delivers two important benefits:
For these reasons, contact tracing has been a cornerstone of communicable disease control for decades in the public health arena. As just one example of its effectiveness, smallpox was eradicated by exhaustive contact tracing to locate all infected individuals. They were then isolated for treatment, and the surrounding community, as well as other at-risk contacts, were immunized against the disease.
Let’s assume that John Doe has come down with COVID-19. He has been isolated and is being treated and cared for, and his chances for recovery are excellent. A trained contact tracing professional comes to John Doe’s bedside, or telephones him, with an extensive interview questionnaire. The trace begins.
John Doe is asked to remember each person he came in contact with during the incubation period. Where was he? Was he in a public place or a private space? How many people did he come in contact with? Did anyone exhibit symptoms? In cases where he can identify individuals, he is asked to do so, with full names, phone numbers, email addresses, and home addresses if known. Other questions may include recent contacts due to travel or work. To review examples of additional data that may be collected, there are a number of contact tracing templates available online.
If John Doe can provide even a hint of help in identifying and locating his contacts, the contact tracer can employ various databases to further identify and locate each contact. This is similar to the detective or investigative work sometimes required in a legal case.
Clearly, contact tracing is not a perfect process. It relies on individuals knowing who might have infected them, and being willing to share personal information about that contact or contacts. It may rely on database searches to locate the contacts. And, logically, all of this happens without the prior approval of the contact him/herself.
In most of its forms, Technology Assisted Contact Tracing (TACT) uses smartphone applications with GPS or Bluetooth technology to support proximity tracking electronically. Several Pacific Rim countries have already implemented TACT systems and several U.S. states plan to do so.
Because TACT systems vary widely in their technical specifications and privacy safeguards, privacy advocates have raised several concerns, according to the American Bar Association. Among those concerns are:
As we have seen, a variety of data privacy regulations currently exist to protect an individual’s personal data, financial information, credit card data, and healthcare and medical data.
Just as HIPAA’s Security and Privacy Rules were born of the transition from paper records to electronic medical records, it is possible that new privacy regulations may be spawned by the move from manual to technology assisted contact tracing as the pandemic grinds on.
Does contact tracing gather personal data from and about individuals? Yes.
Does existing privacy legislation govern the use of data collected by electronic location and proximity tools, such as GPS and Bluetooth, that are vital to TACT systems? Not specifically, although the GDPR seeks to protect IP addresses and location data, among other personal information.
Does contact tracing violate individual privacy rights? Potentially, yes, depending on how individual data is used, who has lawful access to it, and how it is protected from unauthorized access and abuse.
The crucial question is this: Will the numerous entities who are invested in the COVID contact tracing process, and in particular technology assisted contact tracing, determine that the existing privacy protections are adequate? Or will they find it necessary to add another version of privacy regulation to an already complex framework of law? This is a question that remains to be answered.