The American Privacy and Data Protection Act (ADPPA) is considered the best opportunity in a generation for comprehensive federal privacy legislation. The future of population health informatics depends on the participation of public health professionals in the debate about new privacy laws like the ADPPA. The 2017 World Health Organization (WHO) Guidelines on Ethical Issues in Public Health Surveillance provide excellent guiding principles for identifying and communicating public health needs and priorities in proposed privacy legislation. Carefully crafted protections can establish a new social contract: when an individual provides data to help their community, that data will not be used against the individual.
First and foremost, public health stakeholders must speak up to ensure that any new law does not harm existing public health data flows. Second, they must ensure that any new laws allow for the development and growth of public health informatics under appropriate governance. Finally, they should seek laws that meet ethical standards for public health data use.
Possibility of comprehensive federal privacy legislation
Recently, draft federal privacy legislation—the American Privacy and Data Protection Act—was introduced in Congress with broad support from the House and Senate. Like recent federal and state privacy bills, however, the ADPPA drafting process unfortunately lacks guidance from the public health community, which is already burdened with the challenges of pandemic response. Among other things, the ADPPA clearly lacks express provisions that legitimize the collection or transfer of data for public health purposes and may impose new legal restrictions, including restrictions on the use of secondary data on demographic data collected by non-profit organizations to promote population health. Although proponents of general privacy legislation have rightly focused on providing robust protections for the use of sensitive health data in the commercial sector, the legislative process has lacked strong public health voices to help ensure that new legislative safeguards for data use do not inadvertently burden public health informatics.
Data privacy laws that allow the use of personal information, outside of health records, for public health purposes are essential to enable cross-sector data sharing and promote population health. The future of public health informatics—such as precision public health care applied to chronic, acute, and infectious conditions—depends on the ability to use and connect nontraditional and heterogeneous data sources for public health purposes. These connections require reconciling the different legal protections applied to different data, such as HIPAA-regulated data, non-HIPAA health data (eg, mobile health apps), and health-related data (eg, social determinants). However, general privacy legislation is becoming increasingly fragmented, with five countries already having comprehensive privacy laws, each different from the others. A comprehensive national privacy law—such as ADPPA—provides an opportunity to address public health data sharing challenges by partially harmonizing a patchwork of US data privacy laws that often impede data integration across silos and sectors.
The current flurry of legislative activity—at both the state and federal levels—also threatens to block avenues for codifying public health ethical principles in privacy law. But public health professionals, experts and stakeholders can still join the debate.
Ethical framework for data protection and public health
The 2017 WHO Guidelines on Ethical Issues in Public Health Surveillance provide excellent guiding principles for identifying and communicating public health needs and priorities in proposed privacy legislation. They impose an ethical obligation on governments to conduct public health surveillance. Therefore, public health stakeholders must be vigilant so that proposed privacy legislation does not interrupt or impede existing legitimate public health data flows. The best way to protect and enable public health analytics is to include exceptions that explicitly allow the reuse of protected data for public health purposes. The WHO guidelines also emphasize the importance of community values and concerns at all stages of public health surveillance. Notably, a 2020 survey of the US public found that the use of data to promote population health is significantly more acceptable than other uses of data—such as commercial and law enforcement—that are generally permitted by privacy laws. privacy. This and similar evidence can be persuasive for politicians who are concerned about the needs and views of their constituents.
Good governance and policy safeguards are central to many of the WHO guidelines to ensure that public health professionals use data ethically and only for legitimate public health purposes. For example, transparency measures – such as public disclosure requirements – empower individuals to make decisions and enable accountability for organizations and government institutions. Therefore, public health stakeholders must ensure that new privacy laws do not unduly favor public health uses and allow data to be used without appropriate protections and restrictions.
Similarly, the WHO guidelines take a strong position on the secondary use of public health data for non-public health purposes. Specifically, the guidance states that public health data should not be shared with “agencies likely to take action against individuals.” In post-Roe v. Wade there is growing concern and mistrust around the world that governments will acquire and use personal data against individuals; for example, by using data from a period tracking app to determine whether a pregnancy has occurred. To prevent overuse by law enforcement, additional protections may need to be considered for data that public health authorities receive. For example, there are strong protections against law enforcement uses in the legal framework for substance use disorder treatment records. In fact, a group of 30 senators asked the administration to update HIPPA regulations to prevent such an overreach. Similar and carefully crafted protections in new privacy legislation could serve as the basis for a new social contract: when an individual provides data to help their community, that data will not be used against the individual.
The state’s actions so far have been disappointing
Unfortunately, the comprehensive state privacy laws enacted to date fall short of these expectations of ethical access. As of this writing, the following states have enacted comprehensive data privacy legislation (listed in chronological order of adoption): California, Virginia, Colorado, Utah, and Connecticut. A recent analysis of the California, Virginia, and Colorado acts found that while the California and Colorado acts broadly support public health data practices, Virginia’s law risks restricting them in important ways, and Colorado’s law may fall short of ethical standards to provide notice to data subjects.
There is still time for public health to get a foot in the door
There is still time for public health to get a foot in the door and thus enter the debate and ensure effective and ethical public health provisions in the new legislation. Although the ADPPA passed the House Energy and Commerce Committee on a solid bipartisan vote of 52 to 2, Sen. Nancy Pelosi withheld the bill from a vote, citing concerns that the law did not provide the broad protections she argued the California law provides. The Federal Trade Commission also recently issued a notice of proposed rulemaking, inviting the public and interest groups to comment on whether it “should implement new trade regulation rules or other regulatory alternatives regarding the ways in which companies collect, collect, protect, use . analyze and store user data.”
In the flurry of debate over new US data protection laws, public health has opportunities for greater access to critical data. But the legislative debate so far has been driven by divergent views between industry and privacy advocates about the appropriate scope of commercial data practices and about the preemption scope of state laws (such as California’s) governing the use of commercial data. Public health perspectives are largely lacking. Without public health engagement, new laws may not improve access to data for public health purposes and may actually impede access.
Immediate action for stakeholders
First and foremost, public health stakeholders must speak up to ensure that any new law does not harm existing public health data flows. Second, they must ensure that any new laws allow for the development of public health informatics – under appropriate governance – as information technology evolves or as new resources dedicated to public health infrastructure allow public health to expand current capabilities . One example is the current initiative to modernize public health data. Finally, public health stakeholders must ensure that legislation respects the ethical constraints placed on the use of public health data that the WHO and others have articulated.
The authors would like to thank Professor James G. Hodge, Jr., Dr. Michael Morrissey, and Dr. William Sage for their insightful comments on this work. This work was supported in part by the Texas A&M University T3 Program. Charles Curran is an independent consultant who advises industry members on data policy issues, including consent. Relationships with industry members are only tangential to the subject of this article (encouraging public health to participate in legislative privacy debates). However, the authors note that these industry members will be subject to the ADPPA rules.