III. Contact Tracing
Digital contact tracing aided some countries in managing the COVID-19 pandemic. Because of the prevalence of Apple and Android smartphones, the most readily available platforms for contact tracing apps have been the Apple and Google APIs. Google and Apple made their jointly created contact tracing API available only to public health authorities, as a platform upon which they could develop their own contact tracing apps.
Several features of these platforms emphasized individual decisional privacy and data privacy over public health goals, and as a result contact-tracing apps have not proven to be an effective tool for U.S. public health authorities. Individuals had to choose to download the contact tracing app rather than having it pushed to their devices. Individuals who downloaded the app then had to choose whether to enter a positive COVID-19 result, preserving their decisional privacy about whether to share their status with public health authorities. The API permits only Bluetooth proximity beacons and does not allow them to be combined with other location data, preserving greater data privacy by limiting the amount and type of data collected about individual app users. The beacons a phone records and the other data relevant to exposure are stored on users’ devices rather than in a centralized location, where they could more easily be correlated with other data relevant to stopping the spread of COVID-19. Only after an individual had taken each of these steps could public health authorities use the app to alert others that they may have been exposed to someone infected with the coronavirus.
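The decentralized design described above can be made concrete. The following Go program is an added example written for this page; it is not code from the article’s author, Apple or Google. It follows the structure of the published Exposure Notification cryptography specification (a random daily Temporary Exposure Key, HKDF-SHA256 and AES-128 used to derive a fresh identifier every ten minutes) but has not been checked against official test vectors, and the names Alice, Bob and Carol, the timestamp, and the helper names are assumptions made for the illustration. It shows where the privacy properties come from: a handset stores only identifiers and interval numbers, never a location; the daily key leaves the phone only if the infected user opts in; and matching against published diagnosis keys runs on the handset, so the public health authority never learns who was near whom.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constants from the Exposure Notification cryptography specification: a
// Temporary Exposure Key is 16 bytes and covers 144 ten-minute intervals (one day).
const (
	tekLen           = 16
	tekRollingPeriod = 144
	intervalSeconds  = 600
)

// TEK is a Temporary Exposure Key. It is generated on the handset and leaves
// it only if the user chooses to report a positive test.
type TEK struct {
	Key   [tekLen]byte
	Start uint32 // interval number at which this key became valid
}

// Observation is all a handset stores about a nearby device: the identifier it
// heard and when. No GPS fix or cell ID is recorded; the API does not allow one.
type Observation struct {
	RPI      [16]byte
	Interval uint32
}

// IntervalNumber converts a Unix timestamp to the spec's 10-minute interval index.
func IntervalNumber(unix int64) uint32 { return uint32(unix / intervalSeconds) }

// hkdf16 is HKDF-SHA256 (RFC 5869) with an empty salt, truncated to 16 bytes,
// written with the standard library so the example needs no extra modules.
func hkdf16(ikm []byte, info string) []byte {
	extract := hmac.New(sha256.New, make([]byte, sha256.Size)) // empty salt = HashLen zeros
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk) // T(1) = HMAC(PRK, info || 0x01)
	expand.Write([]byte(info))
	expand.Write([]byte{0x01})
	return expand.Sum(nil)[:16]
}

// NewTEK draws a fresh daily key from the OS random source.
func NewTEK(start uint32) (TEK, error) {
	t := TEK{Start: start}
	_, err := rand.Read(t.Key[:])
	return t, err
}

// RPI derives the Rolling Proximity Identifier broadcast during interval enin:
// AES-128(RPIK, "EN-RPI" || 6 zero bytes || enin as little-endian uint32) with
// RPIK = HKDF(TEK, "", "EN-RPIK", 16). Without the TEK the identifiers are
// unlinkable, so a passive listener cannot follow one handset across intervals.
func (t TEK) RPI(enin uint32) [16]byte {
	block, err := aes.NewCipher(hkdf16(t.Key[:], "EN-RPIK"))
	if err != nil {
		panic(err) // key length is fixed at 16 bytes, so this cannot fail
	}
	var padded, out [16]byte
	copy(padded[:6], "EN-RPI")
	binary.LittleEndian.PutUint32(padded[12:], enin)
	block.Encrypt(out[:], padded[:])
	return out
}

// Match runs on the handset that downloaded the published diagnosis keys. It
// re-derives every identifier each key could have produced during its rolling
// period and compares them with what this handset heard. Observations never leave the device.
func Match(diagnosisKeys []TEK, observed []Observation) []Observation {
	seen := make(map[[16]byte]Observation, len(observed))
	for _, o := range observed {
		seen[o.RPI] = o
	}
	var hits []Observation
	for _, k := range diagnosisKeys {
		for i := uint32(0); i < tekRollingPeriod; i++ {
			if o, ok := seen[k.RPI(k.Start+i)]; ok {
				hits = append(hits, o)
			}
		}
	}
	return hits
}

func main() {
	day := IntervalNumber(1_700_000_000) // constructed timestamp for the demo
	alice, err := NewTEK(day)
	if err != nil {
		panic(err)
	}
	// Bob's handset hears Alice's beacon in interval day+40; Carol never does.
	bob := []Observation{{RPI: alice.RPI(day + 40), Interval: day + 40}}
	carol := []Observation{}
	// Alice tests positive and opts in to publishing her key; each handset matches locally.
	fmt.Println("Bob exposed:", len(Match([]TEK{alice}, bob)) > 0)     // true
	fmt.Println("Carol exposed:", len(Match([]TEK{alice}, carol)) > 0) // false
}
```

The upload step is the only point where decisional privacy comes into play: the server receives nothing but the daily keys of users who chose to report, and because every other handset compares those keys against its own local observations, the authority learns neither the contact graph nor anyone's movements.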
Due to their emphasis on decisional privacy and data privacy, “the [U.S.] COVID-19 apps in operation today are underpowered and undersubscribed.” In short, contact tracing apps in the United States did not have a negative impact on people’s privacy because they were designed to prioritize decisional privacy. Though private entities may have been able to require employees or customers to use contact tracing apps (even ones with more effective, data-intensive options), public sentiment would likely be against it.
IV. Vaccines, Data, and Privacy
According to public health officials, if a large enough percentage of the U.S. population receives a COVID-19 vaccine then “herd immunity” will stop the spread of the virus. The vaccination program generates a tremendous amount of new data in the form of digital records of every vaccination. To date, no level of government in the United States has required every resident in its jurisdiction to receive a COVID-19 vaccine. The lack of a government-enforced vaccine mandate prioritizes decisional privacy. Because decisional privacy is preserved, efforts to achieve herd immunity instead rely on personal data from other sources to target populations with lower vaccination rates.
In the absence of vaccine mandates from governments, privacy considerations play an important role not only in administering vaccines but also in communicating vaccine status to help communities reopen without COVID-19-related limitations. Current activities relating to vaccine administration, vaccine mandates, and vaccine passports all raise interrelated decisional privacy and data privacy issues. From one perspective, an individual’s vaccination status constitutes personal healthcare information. But information about vaccine status is also relevant to public health authorities working to end a pandemic. Considering the strong protections for healthcare information under U.S. law, the COVID-19 vaccination program must operate with careful attention to data privacy issues.
State, federal, and tribal programs have made COVID-19 vaccines widely available across the United States. Vaccination rates, though, vary greatly across sensitive demographic criteria such as race and income levels. Persons of color have suffered higher mortality rates from exposure to the coronavirus than white Americans. Efforts to address these disparities involve consideration of at least two types of sensitive personal information—ethnicity and medical information. From a privacy best practices perspective this may constitute a new instance of data processing and therefore would necessitate a reexamination of the privacy risk for the individuals potentially affected.
The case of Stanford Medical Center highlights how a proposed vaccine distribution system could have exacerbated the disparate racial and social impact of COVID-19. The Stanford Medical Center proposed a vaccine distribution formula that prioritized age as a risk factor. The result was a proposed distribution schedule that deprioritized vaccinations for front-line healthcare workers, often the group that has the highest percentage of medical professionals who happen to be people of color.
Private employers and educational institutions have issued vaccine mandates. Decisional privacy is less of a legal issue in these established relationships because individuals lose some privacy protections to receive the benefits of employment or a formal education. In many contexts employees and students must submit themselves to drug testing as a condition of their employment or education, thereby limiting the number of otherwise legal substances they might consume. Employees and students might choose to limit their communications because technology use policies grant employers and schools access to electronic communications that would be considered private in other contexts. In the same vein, nothing under federal law prevents “an employer from requiring all employees physically entering the workplace to be vaccinated for COVID-19.” If an employer imposes such a vaccine mandate the Equal Employment Opportunity Commission cautions that information about an employee’s COVID-19 vaccination is confidential medical information under the Americans with Disabilities Act. This information “must be kept confidential and stored separately from the employee’s personnel files.”
Consistent with privacy best practices, the separate storage of employees’ COVID-19 information calls for a reexamination of the privacy risks for at least two reasons. For many employers, this may be a new type of data. Employers who do not typically collect medical information will have to set up data governance separate from employees’ personnel files to collect and store vaccination information. Some vaccine data repositories run by states have extensive policies and safeguards, such as de-identification and privacy audits, to help protect people’s privacy interests. Employers who fail to institute similar policies and safeguards may adversely impact their employees’ privacy interests.
Additionally, vaccination rates have not been equal across protected classes under the federal employment laws. The EEOC cautions that a vaccine mandate from an employer may have a discriminatory disparate impact. Personnel files often contain information about employees’ age, race, color, religion, sex, or national origin. But because vaccine information must be kept confidential and stored separately from personnel files, an employer may not be able to correlate the two data sets to determine if in fact a vaccine mandate is having a disparate impact. These circumstances essentially pit privacy protection against discrimination avoidance. Employers with vaccine mandates can make reasonable accommodations or offer incentives aimed at limiting the potential discriminatory impact of the vaccine mandate, but the potential privacy impact of the proliferation of new data sets remains.
From a privacy perspective vaccine mandates are effectively a single exchange of data. An employee, for example, delivers proof of vaccination once and the employer makes a record of that event. Privacy protections apply to that single data record. Vaccine passports, though, are not limited to a single exchange of data. They require people to demonstrate their vaccination status to entities with whom they do not have established relationships. Privacy protections, therefore, need to cover any records created from each of these data exchanges.
The easiest way to protect privacy while proving vaccine status is to have no record of the data exchange. The entity that administers each vaccine provides recipients with a physical COVID-19 Vaccination Record Card (“Vaccine Card”). Just as a person might present her ID to a bouncer at a bar who visually inspects but does not retain it, so might she present her Vaccine Card and a form of identification for visual inspection by someone at the entrance to an establishment requiring vaccination. The establishment keeps no record of this data exchange. In this way the physical Vaccine Card serves as a vaccine passport.
This approach to vaccine passports has several drawbacks. Vaccine Cards are too large for most wallets and medical experts advise against laminating them. Additionally, official Vaccine Cards can be difficult to replace. For these reasons, people are reluctant to carry their Vaccine Cards around with them. Physical Vaccine Cards are easy to forge. Establishments, therefore, have reason not to trust them. Digital vaccine passports address many of these concerns, but also have the potential to create a new data set—records of where someone presented a digital vaccine passport. This proliferation of data means that digital vaccine passports have potentially significant privacy implications.
New York’s Excelsior Pass program serves as a useful example. Built on IBM’s Digital Health Pass technology, Excelsior Pass’s privacy-protecting features include decentralized data storage and data minimization. When scanned at an establishment, “the Excelsior Pass Scanner app collects analytics about the type of Pass and the result of the scan. No personal information from Passes is collected or stored.”
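The data minimization in the quoted policy can be shown in code. The following Go program is an added example for this page; it is not the Excelsior Pass or IBM Digital Health Pass implementation, and the payload fields, the Ed25519 signature scheme, the issuer and holder names, and the result labels are assumptions made for the illustration. The health authority signs the pass; the scanner verifies the signature and expiry, hands the payload to door staff for the same visual ID check a bouncer would perform on a physical card, and retains a record whose type can hold only the pass type and the scan result.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Pass is the payload a wallet app encodes in the QR code. Field names are
// assumptions for this example, not the Excelsior Pass schema.
type Pass struct {
	PassType  string `json:"pass_type"`  // e.g. "vaccination"
	Subject   string `json:"subject"`    // compared with photo ID by door staff, never retained
	DOB       string `json:"dob"`
	ExpiresAt int64  `json:"expires_at"` // Unix seconds
}

// SignedPass is the payload plus the issuing health authority's Ed25519 signature.
type SignedPass struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// ScanRecord is the only thing the scanner keeps. It has no field that could
// hold a name, date of birth or pass number, so personal data cannot leak
// into the analytics store by accident.
type ScanRecord struct {
	PassType string
	Result   string // "valid", "expired", "bad_signature" or "malformed"
}

// Issue signs a pass. This runs at the health authority; the private key
// never reaches a scanner.
func Issue(priv ed25519.PrivateKey, p Pass) (SignedPass, error) {
	payload, err := json.Marshal(p)
	if err != nil {
		return SignedPass{}, err
	}
	return SignedPass{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the scanner side. It returns the payload for the human ID check and
// the minimized record for analytics. The signature is checked first: nothing
// inside an unauthenticated payload, not even the pass type, is trusted.
func Verify(issuer ed25519.PublicKey, sp SignedPass, now time.Time) (Pass, ScanRecord) {
	if !ed25519.Verify(issuer, sp.Payload, sp.Signature) {
		return Pass{}, ScanRecord{PassType: "unverified", Result: "bad_signature"}
	}
	var p Pass
	if err := json.Unmarshal(sp.Payload, &p); err != nil {
		return Pass{}, ScanRecord{PassType: "unverified", Result: "malformed"}
	}
	if now.After(time.Unix(p.ExpiresAt, 0)) {
		return Pass{}, ScanRecord{PassType: p.PassType, Result: "expired"}
	}
	return p, ScanRecord{PassType: p.PassType, Result: "valid"}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Unix(1_700_000_000, 0) // constructed clock for the demo
	sp, _ := Issue(priv, Pass{PassType: "vaccination", Subject: "A. Holder", DOB: "1980-01-01", ExpiresAt: now.Add(24 * time.Hour).Unix()})
	shown, kept := Verify(pub, sp, now)
	fmt.Printf("door staff see: %s (%s)\n", shown.Subject, shown.DOB)
	fmt.Printf("scanner stores: %+v\n", kept) // {PassType:vaccination Result:valid}
	// A forged payload fails closed, and the stored record still carries no personal data.
	forged := sp
	forged.Payload = []byte(`{"pass_type":"vaccination","subject":"Mallory","expires_at":9999999999}`)
	_, kept = Verify(pub, forged, now)
	fmt.Printf("forged pass: %+v\n", kept) // {PassType:unverified Result:bad_signature}
}
```

The design choice worth noting is that minimization is enforced by the type of the retained record rather than by a policy that operators must remember to follow: a scanner that is later modified to log the whole payload would have to change the schema, which is a visible, reviewable change rather than a quiet configuration drift.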
Policy makers have weighed these privacy concerns against the social and public health need to end the COVID-19 pandemic. Some states, like New York, believe that their vaccine passport programs will produce public health benefits that outweigh the privacy impacts. New York’s program has taken particular steps to address data privacy risks. Other states like Montana and Arkansas find the privacy costs of vaccine passports too great to bear, even considering the continued social and public health impact of the pandemic.
V. Conclusion
As long as COVID-19 is part of daily life in the United States, choices balancing privacy and public health will need to be made. Only time and history will judge whether the privacy impact of certain policies outweighed the public health consequences. New data related to the virus, its treatment, and policy outcomes will continue to be generated. Additionally, technologies that helped approximate in-person interactions have created new data streams. The privacy impact of this new data remains to be seen.