I've noted with interest discussions about privacy invasion in questions being asked by the Minnesota Department of Health (MDH) in its online vaccination appointment registry. Since 1974, the Minnesota Government Data Practices Act has attempted to give Minnesota citizens a way to protect themselves from data privacy intrusions by state and local governments. (See Minnesota Statutes Section 13.04, subdivision 2.)
This notice provision in the Data Practices Act requires MDH to tell citizens a variety of things about the data the department wants to collect from them.
Citizens must be told: Why the data are being collected; how it will be used within the collecting agency; whether the individual can refuse or is required to provide the data; what the consequences are of either providing or not providing the data; and the identity of other or entities authorized to receive the data.
The notice requirement is intended to give citizens the opportunity to make an informed choice about giving data to the government.
One of my former jobs was to critique these notices, so I decided to see how MDH was doing. (On my way to the actual data collection form I was told that the registration would be easy. IT IS NOT. )
MDH does provide a "notice of intent to collect private data." When compared to the statutory requirements, it is clearly deficient.
In general terms the notice does describe why the data are being collected and how it will used in MDH. It says nothing about legal requirements for providing data, which is significant when questions about things like gender identification and sexual orientation are asked.
According to the notice, the only consequence of not providing certain data is that a person will not be able to sign up for vaccination notices. However, the notice itself and the actual questions that are asked are very confusing on what is or is not actually required.
