I've noted with interest discussions about privacy invasion in questions being asked by the Minnesota Department of Health (MDH) in its online vaccination appointment registry. Since 1974, the Minnesota Government Data Practices Act has attempted to give Minnesota citizens a way to protect themselves from data privacy intrusions by state and local governments. (See Minnesota Statutes Section 13.04, subdivision 2.)
This notice provision in the Data Practices Act requires MDH to tell citizens a variety of things about the data the department wants to collect from them.
Citizens must be told: Why the data are being collected; how it will be used within the collecting agency; whether the individual can refuse or is required to provide the data; what the consequences are of either providing or not providing the data; and the identity of other or entities authorized to receive the data.
The notice requirement is intended to give citizens the opportunity to make an informed choice about giving data to the government.
One of my former jobs was to critique these notices, so I decided to see how MDH was doing. (On my way to the actual data collection form I was told that the registration would be easy. IT IS NOT. )
MDH does provide a "notice of intent to collect private data." When compared to the statutory requirements, it is clearly deficient.
In general terms the notice does describe why the data are being collected and how it will used in MDH. It says nothing about legal requirements for providing data, which is significant when questions about things like gender identification and sexual orientation are asked.
According to the notice, the only consequence of not providing certain data is that a person will not be able to sign up for vaccination notices. However, the notice itself and the actual questions that are asked are very confusing on what is or is not actually required.
Some items are starred, but no explanation of the stars is provided. An opportunity to not provide an answer is sometimes given but in a very confusing way.
Another provision of the Data Practice Act makes it clear that the government can only ask for data if it has the legal authority to do so. It is unclear to me what sexual orientation and gender identity have to do with receiving vaccine notices.
The notice states, among other things, that the data will be provided to persons or entities authorized by law. Most people do not know what authority exists in all of state or federal law that agencies can rely on to share data. For that reason, this statement is meaningless. It does not give anyone the information needed to make an informed choice as to whether one wishes to provide this data.
I was unable to review the entire questionnaire because the design of the form did not allow a complete review unless you completed a section before trying to go to the next section.
This feature makes the privacy notice meaningless. I can only see all of the data that MDH actually wants from me after I have filled out the entire form.
MDH continually emphasizes the privacy of our medical data. If it really believes in this MDH should go back to the drawing board and produce a privacy notice that helps us make informed choices and a questionnaire that is actually easy to complete.
Don Gemberling, of St. Paul, is retired from state government and is an expert on privacy and data practices.