This update concerns the COVID-19 Health Data Bill, recently introduced to the New York State Senate by State Senator Kevin Thomas (S8448A), and in the State Assembly by Assemblywoman Linda B. Rosenthal (AB 10583). The COVID-19 Bill could have significant implications for businesses that collect information as part of their federal and state COVID-19 compliance measures, including the NYS-required Safety Plans.
The COVID-19 Bill applies to any company/person that collects, uses, or discloses “emergency health data,” which is defined to include data that is “linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device from other collected data” and that “concerns the public COVID-19 health emergency.”
Emergency health data includes information that reveals past, present, or future physical or behavioral health or condition of, or provision of healthcare to, an individual including:
• data derived from testing or examination;
• whether or not an individual has contracted or been tested for, or an estimate of the likelihood that a particular individual may contract, such disease or disorder; or
• genetic data, biological samples, and biometrics.
Emergency health data also includes “other data collected in conjunction with other emergency health data that can be used to infer health status, health history, location or associations”. This includes: geolocation data, proximity data, demographic data, contact information, and other data collected from a personal device.
The Bill requires businesses that collect, process, or use emergency health data in connection with the COVID-19 crisis to:
1. Obtain Affirmative Opt-In Consent: The Bill requires that businesses obtain an individual’s “freely given specific, informed, and unambiguous opt-in consent” to process that individual’s emergency health data, and prohibits collection without such consent except in certain narrow circumstances.
2. Comply with Data Retention Requirements: The Bill contains rigid data retention time periods (30 days, or 14 days for proximity tracing or exposure notification data). If a business stores emergency health data for more than 30 days, the Bill requires the business to “reengage consent” from the individual from whom the information was originally collected.
3. Maintain Written Privacy Policies and Transparency Reports: The Bill requires the posting of Privacy Policies which detail the business’s collection and use of emergency health data and the preparation of written Transparency Reports describing the business’s collection of emergency health data every 90 days.
4. Limit Use: Data collected for responding to the COVID-19 public health emergency (e.g., tracking, screening, monitoring, contact tracing) must be collected “at a minimum level of identifiability reasonably needed for tracking COVID-19”. The Bill clarifies that for covered entities using proximity tracing or exposure notification, this includes changing temporary anonymous identifiers “at least once in a 10-minute period.” The Bill also prohibits the use of emergency health data for any purpose beyond what is adequate, relevant, and necessary to perform the transaction consented to by the individual, or for any purpose not authorized by the Bill (e.g., commercial purposes, advertising, selling, etc.).
5. Provide Individual Right to Access and Correction: The Bill gives individuals the right to access and correct their emergency health data.
6. Maintain Reasonable Security Measures: An entity that collects emergency health data must have reasonable administrative, physical, and technical controls in place to safeguard the information from misuse and unauthorized disclosure.
7. Maintain Minimum Necessary Access Restrictions: The entity must have access restrictions in place limiting access to the emergency health data to authorized essential personnel only.
8. Complete Compliance Audits: Covered entities are subject to data protection audits, which include the requirement for risk assessments and evaluation of the technologies used in connection with the information gathering. The results of the compliance audits shall be made available to the public.
The Bill also has notable enforcement teeth, authorizing the State Attorney General to bring enforcement actions and seek civil penalties of up to $25,000 per violation or up to 4% of a business’s annual revenue. As the Bill is limited to the COVID-19 public health crisis, it purports to expire and be repealed on January 1, 2023.
To date, the Bill is not on a committee agenda and there is no scheduled testimony for the COVID-19 Health Data Bill. It is not clear whether the Bill will move through committee to the floor for a vote before the legislative session ends. However, we anticipate that legislators will be back in Albany at least a few more times this year, and Senator Thomas has been vocal in his desire to make progress on the Bill.
Octillo will monitor the progress of this and other relevant data privacy bills. Octillo is in communication with lobbyists and is closely monitoring for opportunities to provide input on behalf of the business community. Please do not hesitate to reach out if you are interested in discussing the Bill’s potential impact on your business. Octillo is privileged to work with clients in a variety of sectors and industries in building efficient, repeatable, and scalable privacy and security programs.
*Attorney Advertising. Prior results do not guarantee future outcomes.