Saturday, December 5, 2009

Electronic Databases And The Right to Privacy

Collecting personal information is often a source of controversy. While obtaining personal information has clear value in criminal justice applications, it also raises civil liberty and privacy issues in other areas. In addition, with the worldwide web and electronic record keeping, cyber criminal and terrorist organizations pose increasing threats to individual financial well-being and national security.

Personal information already exists in a wide variety of databases. For example, health and life insurance companies possess personal information such as medical, criminal, motor vehicle, and credit records. The Medical Information Bureau (“MIB”) contains approximately 15 million files in a central database. Every time an insurance claim is filed, a copy of this information is forwarded to the MIB. In addition, governmental agencies such as Medicare and the Social Security Administration collect personal information.

Here are some ways collecting personal information (including DNA) in electronic databases is helpful to society:

  • Accurate and fast identification of offenders and potential terrorist threats
  • Critical leads for police investigators
  • Exonerating innocent suspects
  • Increased conviction of offenders
  • Earlier detection and treatment of disease; better organized and legible medical files
  • With encryption and access logging, computerized records may actually be more secure than paper records: a faxed copy of a paper record can be stolen without leaving a trace, whereas every access to an electronic record can be recorded.

However, some potential negative consequences that could arise are:

  • Denial of health coverage
  • Denial of life insurance
  • Discrimination by employers
  • Violation of privacy through leakage of information
  • A step on the road to a 'Big Brother' state
  • National databases could be massively expensive and bureaucratic
  • Digitizing records gives many more people legitimate access, and personal information is easily misused when so many individuals can reach it.
  • Some institutions gather medical information and sell it to drug companies.

In the US, the current health care reform debate has centered on methods of reducing costs in the delivery of patient care. One area that is getting strong attention is the implementation of a national computerized medical record keeping system. Legislators and health care policy advocates view eliminating the paperwork burden on practitioners and third-party payers as a potentially huge cost saving to society, as well as the means to offer some form of medical coverage for all citizens if a government health care option is offered.

Some health care providers and insurance companies are already forming regional information networks to share electronic medical records. Their reasons for setting up these data banks are to reduce paperwork, simplify billing, identify the most cost-effective treatments, and fight false claims.

In this scenario, a patient's medical information is immediately available to the attending doctor. If an individual were injured in another part of the country, the attending physicians would have the patient's entire medical history at their fingertips, and that history could include life-saving information.

Thus, with advances in technology, more personal information is being collected and maintained in databases. As databases grow, however, so have fears about privacy. Many people fear that recording and storing personal information such as DNA samples in a national database violates the Fourth Amendment of the U.S. Constitution, which protects against unreasonable searches and seizures. Many argue that DNA databases treat everyone with a profile in the database as a potential suspect without probable cause; in other words, you are guilty until proven innocent. If this argument is correct, a national DNA database would violate the Fourth Amendment. Others argue that a DNA database is an effective law enforcement tool.

Another area of concern is iris scanning, which raises privacy issues similar to those of DNA collection. The human iris is as distinctive as a fingerprint and is increasingly used by law enforcement agencies for identification. Privacy advocates charge that iris scans and DNA databases are both symptoms of an increasingly surveillance-based society.

Nonetheless, I believe the electronic collection of sensitive personal information is here to stay. Furthermore, emerging technological advances such as virtualization and cloud computing will make it easier and cheaper to collect and maintain an increasing amount of personal information.

So, I believe the collection of personal data should be seen in the context of the personal information that is already held by outside agencies. For example, insurance brokers commonly require an extensive medical history of their clients. Mortgage lenders usually demand a full credit record of each applicant. (Note: all real estate transactions in California require a notary public to fingerprint the borrower.) Employers subject their employees to random urine tests for drug and alcohol consumption. However, these actions are governed by the individual's informed consent: when a citizen releases information to outside agencies, he or she receives a service or benefit in return. If the consent is not explicit, it is implied.

Thus, I don't believe we as a society can turn back the clock; there will be an increasing societal need to collect and maintain personal information in electronic databases as a means of reducing costs and making government more responsive and efficient for its citizens.

In areas like criminal justice and law enforcement, the collection of personal data such as DNA would have to be mandatory, for otherwise those liable to commit crimes would simply refuse to provide a sample. In the health care industry, medical records are being computerized into databases and, through HIPAA, are subject to a significant degree of protection. For example, the HIPAA Security and Privacy Rules require all covered entities to protect the personal information they use or disclose to business associates, trading partners or other entities. New standards and technologies have significantly simplified the way data is transmitted throughout the healthcare industry and created tremendous opportunities for improvements in the healthcare system. However, these technologies have also created complications and increased the risk of loss, unauthorized use and disclosure of this sensitive information. Furthermore, the use of genetic information by medical insurers remains highly controversial, as there is considerable potential for abuse of information that is so private.

On balance, I am inclined to allow the collection of personal information as long as it comes with informed consent. In consumer, financial, real estate, employment and insurance transactions, an individual must consent in writing before such information is collected, initially within the application and subsequently in the form of an agreement or contract. The legal issue is one of consideration: in consideration for providing this service, I agree to provide, or allow you to collect, such and such information about me.

However, I do feel there are public policy issues about what type of information should be collected and what security mechanisms should protect it. The invasiveness of a database resides in the information maintained on file rather than in the procedure for obtaining it. The extent of the information collected should be governed by what is reasonable, prudent and customary in the specific line of business and by what the law requires. Furthermore, the individual should be entitled to "opt-in" rather than "opt-out" privileges.

I believe society's need for information can be balanced against the individual's right to privacy through the security measures taken. This can be addressed through risk analysis and risk management strategies in areas such as the access, storage and transmission of personal data. In addition, collectors of personal data should have access policies and procedures ensuring that users can only reach the data they are authorized to see.

Database information is accessible through a wide variety of devices: laptops; home personal computers; PDAs and smart phones; hotel, library or other public workstations and wireless access points (WAPs); USB flash drives and memory cards; floppy disks; CDs; DVDs; backup media; email; smart cards; and remote access devices (including security hardware). The security issue is the vulnerability of such devices. Remote access should only be granted to authorized users based on their role within the organization and their need for access.
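The role-based, need-to-know access described above, combined with the opt-in consent for secondary use argued for earlier, can be made concrete in code. The following is an added example written for this page, not code from the original post or from any real records system. The roles, field groups, purposes, policy table and the sample patient are all constructed for the illustration; a real covered entity would derive its policy from its own access procedures. The point it demonstrates is that every request is denied by default, a requester gets only the fields their role needs for the stated purpose, emergency "break-glass" access is possible but flagged, secondary use (research, marketing) is refused until the patient opts in and never includes identifiers, and every decision, allowed or denied, lands in an audit log.

```python
"""Role-based, need-to-know access to patient records with a consent check and audit trail.

Added example, not code from the original post. Roles, field groups, purposes,
the policy table and the sample patient are constructed for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field groups of a patient record (constructed for the example).
DEMOGRAPHIC = {"name", "date_of_birth"}
CLINICAL = {"allergies", "medications", "diagnoses"}
GENETIC = {"genetic_markers"}
BILLING = {"insurer", "policy_number", "charges"}

# Least-privilege view each (role, purpose) pair may read. Anything not listed is denied.
# Hypothetical policy: a real one would come from the covered entity's procedures.
POLICY = {
    ("attending_physician", "treatment"): DEMOGRAPHIC | CLINICAL | GENETIC,
    ("nurse", "treatment"): DEMOGRAPHIC | CLINICAL,
    ("billing_clerk", "billing"): DEMOGRAPHIC | BILLING,
    # Secondary use never includes identifiers and requires the patient's opt-in.
    ("researcher", "research"): CLINICAL | GENETIC,
}
SECONDARY_USE = {"research", "marketing"}


@dataclass
class Patient:
    patient_id: str
    record: dict
    care_team: set = field(default_factory=set)  # user ids with a treatment relationship
    opt_in: set = field(default_factory=set)     # secondary-use purposes the patient agreed to


AUDIT_LOG = []  # every decision, allowed or denied, is appended here


def _decide(user_id, role, purpose, patient, emergency):
    """Return (allowed_fields, reason). Deny by default."""
    allowed = POLICY.get((role, purpose))
    if allowed is None:
        return set(), "role/purpose not in policy"
    if purpose == "treatment" and user_id not in patient.care_team:
        if not emergency:
            return set(), "no treatment relationship"
        return allowed, "break-glass"  # emergency override, flagged for later review
    if purpose in SECONDARY_USE and purpose not in patient.opt_in:
        return set(), "patient has not opted in"
    return allowed, "policy"


def access_record(user_id, role, purpose, patient, emergency=False):
    """Return only the fields the caller may see; log the decision either way."""
    fields, reason = _decide(user_id, role, purpose, patient, emergency)
    view = {k: v for k, v in patient.record.items() if k in fields}
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id, "role": role, "purpose": purpose,
        "patient": patient.patient_id, "emergency": emergency,
        "allowed": bool(fields), "fields": sorted(view), "reason": reason,
    })
    return view


# Constructed sample patient; no opt-in to any secondary use.
SAMPLE = Patient(
    patient_id="P-1001",
    record={
        "name": "Jane Doe", "date_of_birth": "1970-01-01",
        "allergies": ["penicillin"], "medications": ["warfarin"],
        "diagnoses": ["atrial fibrillation"], "genetic_markers": ["BRCA1"],
        "insurer": "ExampleCare", "policy_number": "EC-55-1234", "charges": 420.00,
    },
    care_team={"dr_smith"},
)

if __name__ == "__main__":
    # Treating physician sees clinical data; an out-of-state ER doctor gets it via break-glass.
    print(access_record("dr_smith", "attending_physician", "treatment", SAMPLE))
    print(access_record("dr_er", "attending_physician", "treatment", SAMPLE, emergency=True))
    # Billing sees only billing fields; a researcher is refused until the patient opts in.
    print(access_record("clerk1", "billing_clerk", "billing", SAMPLE))
    print(access_record("lab1", "researcher", "research", SAMPLE))
    for entry in AUDIT_LOG:
        print(entry["user"], entry["purpose"], entry["allowed"], entry["reason"])
```

Two design choices matter here. First, the policy table is keyed on the pair (role, purpose), so a billing clerk asking for "treatment" data is refused even though the clerk is a legitimate user; role alone is not enough. Second, the audit log records denials and break-glass overrides as well as routine reads, which is what makes an electronic record more traceable than a faxed paper copy.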

Storage policies and procedures should address the security requirements for media and devices which are moved beyond the covered entity’s physical control. Such media and devices include laptops, hard drives, backup media, USB flash drives and any other data storage item which could potentially be removed from the organization’s facilities.

Transmission policies should be in place ensuring the integrity and safety of data sent over networks, and include both the direct exchange of data (for example, in trading partner relationships) and the provisioning of remote access to applications hosted by the organization (such as a provider’s home access to ePrescribing systems or “web mail” in organizations where personal data might be included in internal communications).

However, no amount of risk analysis will be effective if the collector's workforce does not have an appropriate security awareness and training program. It is important that a covered entity's security awareness and training program specifically address the vulnerabilities associated with remote access. Training should provide, at minimum, clear and concise instructions for accessing, storing and transmitting personal data.

Where applicable, collectors should include in their workforce awareness and training programs: password management procedures (for changing and safeguarding passwords); remote device and media protection, to reinforce policies that prohibit leaving devices or media in unattended cars or public thoroughfares; and training on policies prohibiting transmission over open networks (including email) or downloading information to public or remote computers. Also, when developing and implementing data security policies, a collecting entity should consider at least requiring employees to sign a statement of adherence to security policies and procedures as a prerequisite to employment.

In summary, collecting sensitive information from individuals (particularly DNA) is a difficult public policy issue in which the economic and national security interests of society must be balanced against the privacy rights of the individual under the U.S. Constitution. In the opinion of informed parties, there have been substantial national security benefits to collecting personal information since Sept. 11, 2001. In the case of an imminent threat, the national interest in defense may have to trump the privacy rights of individuals. But this is still a tough call.

Furthermore, relative to the treatment and prevention of disease, there are tangible economic benefits to the nation from the collection of genetic information. However, the question remains of how much information is needed. When is enough, enough?

Notwithstanding, I believe that unless the individual is receiving a direct service or benefit, or the purpose is law enforcement, the collection of personal information (specifically DNA) should be voluntary. An example would be a parent voluntarily having their infant fingerprinted out of fear of a stranger abduction.

Nonetheless, this public debate will continue and I foresee these issues and concerns being resolved through future legislative means and judicial review.
