If you weren’t already thinking about privacy…

Recent changes to the political landscape in the wake of the reversal of Roe v. Wade mean that privacy is now a bigger issue than ever.  Regardless of your feelings about abortion, the data issues regarding collecting, storing, protecting, and sharing information about those seeking abortions should be headline news as well.  Let me explain.

Data about individuals have always been a touchy subject.  Who gets to know what about whom and why are questions at the center of multitudes of privacy discussions.  I have always found it interesting that there are cultural differences between the US and Europe in these opinions.  Acknowledging that I am painting with a broad brush, Europeans seem to be much more concerned about the information gathering and usage activities of private corporations, especially big tech.  Multiple lawsuits are being filed and court battles are being fought over how companies collect and use data on people.  In fact, the concern has been so great that it led to the creation of the first fairly comprehensive privacy and data rights law, the General Data Protection Regulation (GDPR), which outlines in detail the expectations for data handling and asserts the rights of individuals to manage the use of data about themselves.  What Europeans seem to be far less concerned about is what their government knows about them.  The operation of social safety nets in many European countries requires a great deal of information about individuals, and European citizens seem to be okay with the trade-off they are making there.

Contrast that with the United States.  We have no national privacy law and the patchwork of state privacy laws is sparse.  According to the IAPP, only 5 states have passed privacy laws with just 6 more actively considering bills.  Even if all those active bills pass, then only 36% of US residents will have any kind of privacy protection for their data. Surprisingly, the majority of the population seems to be okay with that.  (Again, acknowledging broad generalizations here.)  The arguments that I’ve seen indicate that either people are unaware of the data being collected about them by private companies, or they think it’s fine.  Many likely feel that it’s a price they are willing to pay to get so many technology services for “free”.  What Americans do seem to mind, however, is their government having information about them.  I have personally been involved in calls with Senate staffers who wanted detailed accounts of what data a particular agency was collecting on individuals because the Senator for whom they worked was very concerned about “government overreach” and had heard from constituents that they did not like the rumored data collection that was supposedly taking place.  (It wasn’t and we were able to assuage some of the staffers’ concerns.)

These concerns were even more publicly aired during the worst phases of the pandemic.  Public health officials tried to collect information about testing results and were often rebuffed.  The concern about who knew that someone had Covid – and in the early days even just knowing that someone had gotten a test! – was real and the protests vociferous.  Same with vaccine status:  reports abounded of people who refused to get the vaccine and didn’t want anyone to know.  As employers started allowing for time off for vaccine reactions or enacting vaccine requirements, human resource departments across the country had to start collecting information about who was vaccinated, who had exemptions (and what kind), and other personal health-related information.  And everyone assumed that these data were protected.  Usually the assumption was that the data couldn’t be shared or disclosed because it would be a violation of the Health Insurance Portability and Accountability Act (HIPAA).  HIPAA was enacted to limit the amount of information that “covered entities” could share about a patient without their consent.  In general, a covered entity is a health care provider or insurance company.  HIPAA says nothing about what employers, colleagues, service providers, or others can share about you or your health status.  Data on testing, infections, or vaccine status collected by employers in general were not protected by HIPAA.  And for 80% of the country, there was no specific privacy protection for this information at all.

What does this have to do with Roe v. Wade?  Given the changing landscape of state regulations about what is allowed and who might be able to take legal action for those seeking an abortion, the data collected about those activities will be front and center in the fight.  More and more companies are issuing statements supporting their employees’ right to abortion and even volunteering to fund out-of-state travel in states where the procedure is now banned or seriously limited.  The data collection that is required to actually implement these policies is extensive and invasive.  HR departments will now need to know who is seeking this procedure, and possibly the stage of the pregnancy, in order to confer the financial benefit to a medical provider in the appropriate state.  Depending on how the benefit is structured, employee records may include information on the cost of the procedure, who performed it, and when, as part of payment or reimbursement processing.  There may even be a need to create a new kind of leave code, similar to what many organizations did for Covid, to indicate why someone is taking time off.  All of this information may be stored in an employee’s record and in most cases will not be covered by any kind of legal protection.  Only 1 of the states that have banned or mostly banned abortion is also a state with an active privacy bill being considered.

I understand that I see everything through a data lens in a way that others don’t.  However, in this case, I strongly urge organizations that have not been overly concerned about privacy, especially in the states without legal data protections, to really focus on it now.  You don’t have to be in a state where abortion restrictions are a political issue.  I believe the data privacy implications from some of the laws being proposed will be felt far beyond those states’ borders.  If you care about your employees, please make sure you are taking whatever steps are necessary to protect these data.  Covid testing and vaccines were politically divisive, but no one was ever going to jail based on their test results or booster schedule.  In these uncertain times, very personal information can (and I predict will) be used to enforce laws that are arguably unfair.  It is even more important now to take privacy seriously.