In considering whether to share personal information with government, businesses must consider whether doing so will attract scrutiny into the origins of the data. Organizations should be able to show that any personal information collected or used as part of their pandemic response plans, such as temperature, travel, diagnosis, family exposure or health data about an employee, service provider or client, was compliant with privacy laws and best practices.
Privacy-law-compliant data handling includes documenting individual consent where possible. For instance, although numerous privacy statutes have health emergency exemptions that allow an organization to disclose information without consent, what constitutes a health emergency varies and many exemptions are premised on the assumption that consent is not reasonably available. In the context of COVID, individuals may be able—and willing—to consent to the disclosure of their personal information to serve public health objectives.
Exemptions to consent for the collection, use or sharing of personal information should not replace reasonable efforts to communicate with affected individuals about how their data may be shared, and to seek their cooperation.
Even where consent is not practical in the circumstances, organizations must still comply with other privacy obligations, such as transparency, accountability and access. Private sector businesses must have protocols for informing individuals that their personal information was shared with public agencies as part of the pandemic response, either upon request from the individual or as soon as practical after the disclosure.
Individuals should be given the opportunity to ask questions about what information was shared, and to update or correct their information with the organization and the recipient e.
Given the rapidly shifting landscape, consistency in handling personal information is difficult, yet critical. Businesses should centralize the process for all decisions to disclose personal information relating to COVID, and keep records of what information has been disclosed, to which agencies, and for what purposes. Although multinational organizations must be aware of regional legal and regulatory differences, consistency in disclosure decisions across geographies remains an important tool in mitigating reputational risk.
When the emergency is over, organizations will need to (1) stop the collection, use and disclosure of personal information that is no longer necessary; and (2) apply appropriate retention policies to ensure any personal information collected, used or disclosed for pandemic response purposes is destroyed once it is no longer needed. This means that personal information relating to COVID will need to be stored in a manner that can be easily separated from other data about employees, consumers and business partners and destroyed or archived on a different schedule.
Because electronically-stored information can be difficult to destroy once collected, data governance must be considered at the outset. This should include debriefs with internal teams and external partners, as well as incorporating protocols and privacy analyses used during COVID response into templates for use in other scenarios.
For more information about the use and disclosure of personal information, see the Australian Privacy Principles Guidelines, Chapter 6.
In other words, a particular disclosure is unauthorized if it does not fall within the clear terms of the routine use. Walters , F. DHS , No. Ohio Feb. FAA , No. Bechhoefer v. DEA , U. CS, slip op. When interpreting a claimed routine use, courts have generally deferred to agency interpretation.
See Air Force v. United States , 27 F. Stafford , F. But see NLRB v. Tillerson , F. United States, F. Truesdale , F. DHS F. Quinn v. The Court of Appeals for the D. Whatever the merit of the decisions of prior courts that have held …that a finding of a substantial similarity of purpose might be appropriate in the non-labor law context in order to effectuate congressional intent, the compatibility requirement imposed by section a a 7 cannot be understood to prevent an agency from disclosing to a union information as part of the collective bargaining process.
Pontecorvo v. First, in the context of investigations or prosecutions, law enforcement agencies routinely may share law enforcement records with one another. Second, agencies routinely may disclose to law enforcement agencies for purposes of investigation or prosecution any records indicating a possible violation of law regardless of the purpose for collection if the head of the law enforcement agency specifically requests the record in writing from the agency that maintains the record.
These compatible use disclosures to law enforcement agencies have been criticized on the ground that they circumvent the more restrictive requirements of subsection (b)(7). They never have been challenged successfully on that basis, however.
Indeed, courts routinely have upheld disclosures made pursuant to such routine uses. Pavlock , F. Grimes , No. The courts have found, however, that a disclosure does not fall within a compatible routine use if the agency is not sharing with a law enforcement agency in the context of an investigation or prosecution, there is no possible violation of law, or the law enforcement agency head has not specifically requested the record in writing. For example, a disclosure is not compatible if it is made to agencies other than the appropriate ones.
See Dick v. Similarly, disclosures are not compatible with a routine use if the record does not reveal a potential violation of law. In Covert , F. Covert , F.
EDCV, slip op. Prior to Covert, no other court had required actual notice. Since Krohn v. Although initially agencies published broad routine uses, they have been narrowed since the District Court for the District of Columbia issued its decision in Krohn v.
Britt , F. The courts generally have found that disclosing information is pursuant to a compatible routine use when the information furthered an investigation or enabled either agency to fulfill its mission. IRS , B. Iowa ; Alphin v. Judicial Conference of the United States , F.
Miller , F. Mueller , No. Smith , No. CR, slip op. Sussman v. Similarly, the courts have concluded that where an individual is applying for a benefit, program, or position, an agency may disclose information during the application process as a compatible routine use. Puerta v.
Rice , No. Labor , F. June 12, ; Blazy v. Tenet , F. May 12, ; Magee v. Brunotte v. The courts also have determined that disclosure to other parties in litigation constitutes a compatible routine use.
Burnett v. Holder, WL D. United States, WL N. OPM, F. Frank, No. Disclosures to Congress also have been deemed compatible routine uses by the courts. See Gowan v. Runyon, 60 F. The Ninth and D.C. Circuits also require that an agency give actual notice to an individual at the time the information is collected in accordance with the notice requirements of subsection (e)(3)(C). Stafford v. Donley, F. Thompson v.
Some, but not all, courts of appeals have required agencies to invoke the routine use disclosure exception to disclose certain records to unions. Four courts have required an agency to invoke a routine use to permit disclosure to unions of names of employees on the theory that refusal to so disclose was an unfair labor practice under the National Labor Relations Act.
See NLRB v. NLRB v. Circuit has held that the routine use disclosure exception does not permit disclosures solely based on a federal subpoena, as such disclosures are not permitted under the court order disclosure exception. Circuit concluded that a routine use for complying with a subpoena was inconsistent with the Privacy Act. See Doe v. Notwithstanding the required FOIA disclosure and the consumer reporting agency disclosure exceptions, the Privacy Act disclosure provision does not provide for nonconsensual disclosures that are governed by other statutes, and agencies should rely on the routine use disclosure exception for such disclosures.
The Privacy Act does not provide for nonconsensual disclosures that are governed by other statutes except for the FOIA subsection (b)(2) and the Debt Collection Act subsection b Zahedi v. The law enforcement request disclosure exception allows certain disclosures, upon written request, to another agency or instrumentality for civil or criminal law enforcement purposes.
A request for records under the subsection (b)(7) exception must be for civil or criminal law enforcement purposes. See United States v. Collins, F. The request must be submitted in writing and generally must be from the head of the agency or instrumentality.
Naval Air Station, F. Supervisor of DEA, F. Lora v. INS, No. See Schwarz v. May 10, ; DePlanche v. This construction, while sensible as a policy matter, appears to conflict with the actual wording of subsection (b)(8), although the wording of this provision is not precise. The congressional disclosure exception does not authorize the disclosure of a record to an individual Member of Congress acting on his or her own behalf, or on behalf of a constituent.
This exception allows for disclosure of records to Congress but does not authorize the disclosure of a Privacy Act-protected record to an individual Member of Congress acting on his or her own behalf or on behalf of a constituent.
Dearment, No. June 3, ; cf. Chang v. See generally U. The Second Circuit has held that an agency may disclose records consistent with the congressional disclosure exception, even if the agency knew or reasonably should have known that the information would subsequently become public. Subsection (b)(11) permits a court of competent jurisdiction to order disclosure of Privacy Act-protected information that would otherwise be prohibited from disclosure without prior written consent of the individual to whom the record pertains.
As a general proposition, the Privacy Act does not act as a shield against discovery of relevant records that are otherwise protected under the Privacy Act, and the records may become discoverable through litigation if ordered by a court. Laxalt v. Great Lakes Edu. Loan Services, Inc. Sotelo , No. June 18, ; Ayers v. Lee , No. Brennan , No. Ohio July 6, ; United States v.
Revland, No. Gowrish , No. June 27, ; Rogers v. England , F. June 23, ; Martin v. United States , 1 Cl. The court order disclosure exception does not, itself, confer federal jurisdiction or create a right of action to obtain a court order. Nor does this exception confer federal jurisdiction or create a right of action to obtain a court order for the disclosure of records.
See Sheetz v. Marti, No. Contracting, Inc. To constitute a court order under subsection (b)(11), a judge must approve the order. In Doe v. Ricoma v. Standard Fire Ins. Astrue, No. Prior to Doe v. DiGenova, the courts were split on this point. Compare Bruce v.
Atlanta Gas Light Co. United States Lines , No. Moore v. Note that an agency cannot avoid the result in Doe v. DiGenova by relying on a routine use that seeks to authorize disclosure pursuant to a subpoena. These considerations include:.
See Laxalt v. Wal-Mart , No. July 22, ; Ala. May 13, citing Laxalt in determining relevance of personnel files ; Bosaw v. NTEU , F. Gilead Science, Inc. June 6, ; Meyer v. Safeco Insurance Co.
CV 14—, WL D. Vanderbilt Co. July 8, ; SEC v. May 12, ; Stiward v. May 12, ; Lynn v. Radford , No. Cornejo , No. May 6, ; Forrest v. Sullivan , F. Engels , F. Shad , F. United States , 68 F. Courts have also assessed whether orders should be granted by balancing the potential harm to the affected party from disclosure without restrictions and the need of the requesting party for the particular information.
See Perry v. BlackBerry Ltd. Israel , No. June 28, balancing need for disclosure of information with potential harm to subjects of disclosure and determining that information was relevant, but in order to protect interests of individuals in case, documents would be reviewed in camera and only produced what is relevant to matter ; Abidor v.
June 2, ; Verrill v. Battelle Energy All. Idaho Oct. Benavides , F. Modern Select Ins. Sutherland , No. Meyer , No.