Cities should be aware that the order, which gives first responders knowledge about potential exposure to COVID-19, has important data privacy components.
Executive Order 20-34, issued by Gov. Tim Walz on April 10, requires the commissioner of the Minnesota Department of Health (MDH) to share with the Public Safety commissioner the addresses of individuals who have tested positive for COVID-19 and are still contagious.
The Department of Public Safety (DPS) is then responsible for providing updated information to 911 dispatchers, who may provide the data only to first responders called to one of the addresses.
The measure was requested by organizations representing police officers, firefighters, and emergency medical services providers, who argue first responders will be safer if they know they may be encountering a COVID-19 patient and can take extra precautions.
Implementation of the order
DPS sent the following information to public safety answering point (PSAP) managers about how to implement the executive order:
- The MDH-DPS Protocol, which defines the process that must be followed to ensure strict confidentiality is maintained with respect to the shared private health data.
- Confidentiality agreements for PSAP director/manager and other PSAP employees that must be signed and retained in accordance with the prescribed protocol.
- A training bulletin to educate 911 telecommunicators and first responders on data management and sharing requirements, including penalties for misuse.
Emergency Communication Networks (ECN), a division of DPS, will host two WebEx meetings on April 21 to review the training bulletin and answer questions. An invitation will be sent to all PSAP managers and directors.
Once the WebEx meetings are completed, DPS will coordinate the information sharing start day with MDH.
The executive order recognizes the many issues raised by the authorized sharing of this data. The order contains provisions to protect the privacy of individuals and ensure the information is not used to publicly identify COVID-19 patients. It also prohibits use of the information as a basis to subject people to discrimination or deny service.
The measure contains the following limitations:
- Unless no other means of communication is available, the shared data must not be disseminated over any channel of communication that could be actively monitored by the public or uninvolved parties. When using channels of communication that could be actively monitored by the public or uninvolved parties, 911 dispatchers and first responders are encouraged to use coded language or other similar methods that would prevent the public or uninvolved parties from obtaining the shared data.
- Only the addresses of those people who MDH has determined to be contagious to others will be shared. MDH must promptly notify DPS when an address is no longer associated with a person who is contagious, and DPS must then promptly cause the shared data to be deleted or removed from 911 dispatch systems.
- Pursuant to the Minnesota Government Data Practices Act (MGDPA), Minnesota Statutes 2019, section 13.03, subdivision 4(c), shared data remains classified as private data on individuals and not public data under Minnesota Statutes 2019, section 13.02, subdivisions 8a and 12, and Minnesota Statutes 2019, section 13.3805, subdivision 1.
- No recipient of this shared data may use the information as a basis to refuse or delay a call for service or cause others to refuse or delay a call for service.
What cities need to know
Cities should expect this data sharing to be halted when the peacetime state of emergency ends. Until then, cities should closely follow the directives provided by DPS.
Additionally, employees should be notified of the important data practices implications of the executive order. The League offers the following guidance:
- Data practices classification for this data is private. Any shared data remains private or not public data. Should this data be included in any response to data practices requests, it must be redacted.
- Policies and procedures are needed for this data. If none currently exist, cities should consider establishing policies and procedures when receiving health data. As noted in the executive order, this limited, COVID-related health data can only be used as “necessary to control and prevent the spread of COVID-19” and then only by “first responders who have an emergent need to know the shared data to aid in their infection control precautions.” Any city-established policies or procedures must be consistent with the protocol developed by the DPS and MDH.
- Consequences of impermissibly sharing this data are significant. Violations of data practices and privacy laws can carry significant consequences. There is potential liability under the Minnesota Government Data Practices Act, which includes a misdemeanor for a person who willfully violates the law and, for the city, exemplary damages of $1,000 to $15,000 for each willful violation.