Senate Bill S8448B

2019-2020 Legislative Session

Relates to requirements for the collection and use of emergency health data and personal information and the use of technology to aid during COVID-19

download bill text pdf

Archive: Last Bill Status - In Assembly Committee

Introduced
- In Committee Assembly
- In Committee Senate
- On Floor Calendar Assembly
- On Floor Calendar Senate
- Passed Assembly
- Passed Senate
Delivered to Governor
Signed By Governor

Please enter your contact information

First Name

Last Name

Email Address

A valid email address is required.

Home address is used to determine the senate district in which you reside. Your support or opposition to this bill is then shared immediately with the senator who represents you.

Optional services from the NY State Senate:

Create an account. An account allows you to officially support or oppose key legislation, sign petitions with a single click, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Include a custom message for your Senator? (Optional)

Enter a message to your senator. Many New Yorkers use this to share the reasoning behind their support or opposition to the bill. Others might share a personal anecdote about how the bill would affect them or people they care about.

Actions

View Actions

Date of Action	Assembly Actions - Lowercase Senate Actions - UPPERCASE
Jul 23, 2020	referred to health delivered to assembly passed senate
Jul 22, 2020	ordered to third reading cal.907
Jul 20, 2020	reported and committed to rules
Jul 17, 2020	print number 8448d
Jul 17, 2020	amend and recommit to health committee discharged and committed to health
Jul 13, 2020	print number 8448c
Jul 13, 2020	amend (t) and recommit to internet and technology
Jun 09, 2020	print number 8448b
Jun 09, 2020	amend and recommit to internet and technology
Jun 04, 2020	print number 8448a
Jun 04, 2020	amend (t) and recommit to internet and technology
Jun 03, 2020	referred to internet and technology

Votes

- Jul 23, 2020 - Floor Vote
  S8448B
  
  Aye
  
  55
  
  Nay
  
  5
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Floor Vote: Jul 23, 2020
      
      aye (55)
      
      Addabbo Jr.
      
      Amedore
      
      Bailey
      
      Benjamin
      
      Biaggi
      
      Borrello
      
      Boyle
      
      Breslin
      
      Brooks
      
      Carlucci
      
      Comrie
      
      Felder
      
      Funke
      
      Gallivan
      
      Gaughran
      
      Gianaris
      
      Gounardes
      
      Harckham
      
      Helming
      
      Hoylman-Sigal
      
      Jackson
      
      Jordan
      
      Kaminsky
      
      Kaplan
      
      Kavanagh
      
      Kennedy
      
      Krueger
      
      LaValle
      
      Lanza
      
      Little
      
      Liu
      
      Martinez
      
      May
      
      Mayer
      
      Metzger
      
      Montgomery
      
      Myrie
      
      O'Mara
      
      Parker
      
      Persaud
      
      Ramos
      
      Ranzenhofer
      
      Ritchie
      
      Rivera
      
      Robach
      
      Salazar
      
      Sanders Jr.
      
      Savino
      
      Sepúlveda
      
      Serrano
      
      Seward
      
      Stavisky
      
      Stewart-Cousins
      
      Tedisco
      
      Thomas
      
      nay (5)
      
      Akshar
      
      Griffo
      
      Ortt
      
      Serino
      
      Skoufis
  Jul 22, 2020 - Rules Committee Vote
  S8448B
  
  Aye
  
  14
  
  Nay
  
  1
  
  Aye with Reservations
  
  4
  
  Absent
  
  0
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Rules Committee Vote: Jul 22, 2020
      
      aye (14)
      
      Benjamin
      
      Breslin
      
      Comrie
      
      Gianaris
      
      Hoylman-Sigal
      
      Kennedy
      
      Krueger
      
      Little
      
      Liu
      
      Martinez
      
      Parker
      
      Robach
      
      Savino
      
      Stewart-Cousins
      
      nay (1)
      
      Ortt
      
      aye wr (4)
      
      Griffo
      
      LaValle
      
      Lanza
      
      Seward
  Jul 20, 2020 - Health Committee Vote
  S8448B
  
  Aye
  
  12
  
  Nay
  
  1
  
  Aye with Reservations
  
  1
  
  Absent
  
  1
  
  Excused
  
  0
  
  Abstained
  
  0
  - - Health Committee Vote: Jul 20, 2020
      
      aye (12)
      
      Benjamin
      
      Biaggi
      
      Carlucci
      
      Gallivan
      
      Hoylman-Sigal
      
      Kaminsky
      
      Little
      
      Metzger
      
      Montgomery
      
      Rivera
      
      Salazar
      
      Stavisky
      
      nay (1)
      
      Ortt
      
      aye wr (1)
      
      Ritchie
      
      absent (1)
      
      Jacobs

Bill Amendments

Original

D (Active)

2019-S8448 - Details

Current Committee:: Assembly Health
Law Section:: Health
Versions Introduced in 2021-2022 Legislative Session:: S301

2019-S8448 - Summary

Imposes requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency; requires entities using technology to get consent from individuals and to disclose certain information including the right to privacy and who will have access to the data.

2019-S8448 - Sponsor Memo

                                
 
BILL NUMBER: S8448

SPONSOR: THOMAS
 
TITLE OF BILL:

An act in relation to the collection of emergency health data and the
use of technology assisted contact tracing to aid during COVID-19; and
providing for the repeal of such provision upon the expiration thereof

 
PURPOSE:

The purpose of this bill is to create ethical guidelines for entities
using technology to track, screen, monitor, contact trace, mitigate or
respond to the COVID-19 health emergency.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one of the bill is definitions.

Section two of the bill requires entities using technology assisted
contact tracing to disclose the following information to individuals:

the individual's right to opt in, the individual's right to privacy, the
covered entity's privacy policy, the time limitation on data retention,
and access rights.

Section three of the bill requires covered entities to implement securi-
ty measures.

Section four of the bill requires covered entities to be subject to data
protection audits.

Section five of the bill allows for a private right of action and
enforcement by the attorney general.

Section six is the effective date.

 
JUSTIFICATION:

A significant issue in tracking the spread of coronavirus is determining
who has come in contact with an individual who tested positive. As
states move to reopen their economies, governments are looking at tech-
nology to simplify the process of contact tracing.

Contract tracing is a technique used by health departments to identify
and support individuals with suspected or confirmed infections and to
prevent further spread of the infection. Traditional contact tracing
techniques are labor intensive and slow compared to a fast moving virus
like COVID-19.

The new methods of contact tracing being proposed would rely on location
or proximity detection by mobile phones to selectively deliver alerts
about potential exposures. These systems have the ability to aid in the
collection of crucial data to help fight the pandemic but they also pose
significant risks to privacy, civil rights, and civil liberties.

Any technology that involves the collection, use, and sharing of sensi-
tive personal data can put consumers at increased risk of exploitation.
Efforts to combat the coronavirus should not undermine New Yorker's
privacy rights. The legislature has a responsibility to protect the
privacy of consumers' personal information during the COVID-19 public
health crisis.

 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPACT ON THE STATE:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2019-S8448 - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                   8448
 
                             I N  S E N A T E
 
                               June 3, 2020
                                ___________
 
 Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology
 
 AN ACT in relation to the collection of emergency health  data  and  the
   use of technology assisted contact tracing to aid during COVID-19; and
   providing for the repeal of such provision upon the expiration thereof

   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. For the purposes of this act:
   1. "Covered entity" means any person, including a government entity:
   (a) that collects,  uses,  or  discloses  emergency  health  data,  as
 defined  in this act, electronically or through communication by wire or
 radio; or
   (b) that develops or  operates  a  website,  web  application,  mobile
 application,  mobile  operating system feature, or smart device applica-
 tion for the purpose of tracking, screening, monitoring,  contact  trac-
 ing,  or  mitigation,  or  otherwise  responding  to the COVID-19 public
 health emergency.
   2. "De-identified information" means information that  cannot  reason-
 ably identify, relate to, describe, be capable of being associated with,
 or  be  linked,  directly  or  indirectly, to a particular individual. A
 covered entity that uses de-identified information:
   (a) has implemented technical safeguards that prohibit  re-identifica-
 tion of the individual to whom the information may pertain;
   (b)  has  implemented  business  processes  that specifically prohibit
 re-identification of the information;
   (c)  has  implemented  business  processes  that  prevent  inadvertent
 release of de-identified information; and
   (d) makes no attempt to re-identify the information.
   3. "Emergency health data" means data linked or reasonably linkable to
 an  individual  or  device, including data inferred or derived about the
 individual or device from other collected data  provided  such  data  is
 still  linked  or  reasonably linkable to the individual or device, that
 concerns the public COVID-19 health emergency. Such data includes:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD16478-01-0

 S. 8448                             2
 
   (a) Information that reveals the past, present, or future physical  or
 behavioral  health  or  condition  of, or provision of healthcare to, an
 individual including:
   (i) data derived from the testing or examination;
   (ii)  whether  or not an individual has contracted or been tested for,
 or an estimate of  the  likelihood  that  a  particular  individual  may
 contract, such disease or disorder; and
   (iii) genetic data, biological samples and biometrics; and
   (b)  Other  data  collected in conjunction with other emergency health
 data or for the purpose  of  tracking,  screening,  monitoring,  contact
 tracing,  mitigation,  or  otherwise  responding  to the COVID-19 public
 health emergency including:
   (i) geolocation data, when such term means data capable of determining
 the past or present precise physical location  of  an  individual  at  a
 specific  point in time, taking account of population densities, includ-
 ing cell-site location  information,  triangulation  data  derived  from
 nearby  wireless  or  radio  frequency  networks  and global positioning
 system data;
   (ii) proximity data, when such term means information that  identifies
 or estimates the past or present physical proximity of one individual or
 device  to  another, including information derived from Bluetooth, audio
 signatures, nearby wireless networks, and near field communications;
   (iii) demographic data;
   (iv) contact information for identifiable individuals or a history  of
 the individual's contacts over a period of time, such as an address book
 or call log; and
   (v) any other data collected from a personal device.
   4. "Technology assisted contact tracing" means technology that sends a
 steady  supply of information, including location information, movement,
 social encounters, phone numbers, and health data, to a central authori-
 ty.
   5. "Personal information" means information that  identifies,  relates
 to,  describes, is capable of being associated with, or could reasonably
 be linked, directly or indirectly, with a particular consumer or  house-
 hold.
   6.  "Process"  means  any  operation  or  set  of  operations that are
 performed on personal data by either automated or not automated means.
   § 2. Any entity creating, developing, or marketing technology assisted
 contact tracing to aid during the COVID-19 public health emergency  must
 disclose  the  following  information at a fourth grade reading level or
 below and in the language the entity regularly uses to communicate  with
 the individual:
   1. The individual's right to opt-in. (a) A covered entity shall obtain
 freely given, specific, informed, and unambiguous opt-in consent from an
 individual to:
   (i) process the individual's emergency health data; and
   (ii)  make any changes in the processing of the individual's emergency
 health data.
   (b) It shall be unlawful for a covered  entity  to  collect,  use,  or
 disclose emergency health data unless:
   (i) the individual to whom the data pertains has freely given, specif-
 ic,  informed,  and  unambiguous  consent  to  such  collection, use, or
 disclosure; or
   (ii) such collection, use, or disclosure is necessary and for the sole
 purpose of:

 S. 8448                             3
 
   (A) protecting against malicious, deceptive,  fraudulent,  or  illegal
 activity; or
   (B)  detecting,  responding  to,  or  preventing security incidents or
 threats; or
   (iii) the covered entity is compelled to do so by  a  court  order  or
 other legal obligation.
   (c) To the extent that a covered entity must process internet protocol
 addresses,  system  configuration  information, URLs of referring pages,
 locale and language preferences, keystrokes, and other personal informa-
 tion in order to obtain individuals' freely given,  specific,  informed,
 and unambiguous opt-in consent, the entity:
   (i)  shall  only process the personal information necessary to request
 freely given, specific, informed, and unambiguous opt-in consent;
   (ii) shall process the personal information solely to  request  freely
 given, specific, informed, and unambiguous opt-in consent; and
   (iii)  shall immediately delete the personal information if consent is
 withheld.
   2. The individual's right to privacy. (a) All data collected  for  the
 purpose  of  tracking,  screening, monitoring, contact tracing, or miti-
 gation, or otherwise responding to the COVID-19 public health  emergency
 shall  be  collected  at  a  minimum level of identifiability reasonably
 needed for tracking COVID-19. For a covered entity using proximity trac-
 ing or exposure notification this includes changing pseudonyms or tempo-
 rary anonymous identifiers at least once in a twelve hour period.
   (b) A covered entity shall not  process  personal  information  beyond
 what  is  adequate,  relevant,  and  necessary for the completion of the
 transaction disclosed to, affirmatively consented to, and  requested  by
 the individual.
   (c)  A  covered  entity  shall not collect, use, or disclose emergency
 health data for any purpose not authorized under this act, including:
   (i) commercial advertising,  recommendation  for  e-commerce,  or  the
 training  of machine learning algorithms related to, or subsequently for
 use in, commercial advertising and e-commerce;
   (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
 advertising,   marketing,  or  otherwise  commercially  contracting  for
 employment, finance, credit, insurance, housing, or  education  opportu-
 nities  in  a manner that discriminates or otherwise makes opportunities
 unavailable on the basis of data; or
   (iii) segregating, discriminating in, or otherwise making  unavailable
 the  goods,  services,  facilities,  privileges, advantages, or accommo-
 dations of any place of public accommodation (as such term is defined in
 section 301 of the Americans with Disabilities Act of 1990),  except  as
 authorized  by  a state or federal government entity for a public health
 purpose.
   3. Covered entity privacy policy. (a) A covered entity  shall  provide
 to  the  individual  a  privacy  policy,  prior  to  or  at the point of
 collection of emergency health data:
   (i) detailing how and for what purpose the  covered  entity  collects,
 uses, and discloses emergency health data;
   (ii)  describing the covered entity's data retention and data security
 policies and practices for emergency health data; and
   (iii) describing how an individual  may  exercise  rights  under  this
 section.
   (b)  A covered entity must develop a written policy, made available to
 the public, establishing a retention schedule and guidelines for  perma-
 nently  destroying  emergency  health  data when the initial purpose for

 S. 8448                             4
 
 collecting or obtaining such data has been satisfied or within two years
 of the individual's last interaction with the covered entity,  whichever
 occurs  first.  A  covered entity in possession of emergency health data
 must  comply  with  its  established  retention schedule and destruction
 guidelines.
   (c) A covered entity shall create transparency reports, at least  once
 every 90 days, that include:
   (i)  the number of individuals whose emergency health data the covered
 entity collected or used;
   (ii) the categories of  emergency  health  data  collected,  used,  or
 disclosed;
   (iii)  the  purposes  for which each category of emergency health data
 was collected, used, or disclosed;
   (iv) the number of requests for  individuals  emergency  health  data,
 including information on who the emergency health data was disclosed to;
 and
   (v)  the number of instances where emergency health data was produced,
 in whole or in part, without prior, explicit consents by the individuals
 specified in the request.
   4. Time limitation on retention. (a) Emergency data collected for  the
 purpose  of  tracking,  screening, monitoring, contact tracing, or miti-
 gation, or otherwise responding to the COVID-19 public health  emergency
 shall  be deleted within 30 days, except that proximity tracing or expo-
 sure notification data which shall be  automatically  deleted  every  14
 days.
   (b)  A  covered  entity  that stores data for longer than 30 days must
 re-engage consent every 30 days. Data shall automatically delete  in  30
 days unless consent is properly re-engaged.
   (c) This subdivision shall not apply to de-identified information.
   5.  Access  rights.  (a) Emergency health data shall be shared only as
 necessary to provide the service requested by an individual.
   (b) A covered entity may  share  aggregate,  de-identified  data  with
 public  health  authorities  solely  for  the limited purposes for which
 information can be collected in the first place. No information shall be
 shared with law enforcement without a valid court  order,  subpoena,  or
 search warrant.
   (c)  A  covered  entity  shall not disclose emergency health data to a
 third party unless that  third  party  is  contractually  bound  to  the
 covered  entity to meet the same privacy and security obligations as the
 covered entity.
   (d) No covered entity in  possession  of  emergency  health  data  may
 disclose, redisclose, or otherwise disseminate an individual's emergency
 health data unless:
   (i)  the  subject of the personal information or the subject's legally
 authorized representative consents  in  writing  to  the  disclosure  or
 redisclosure;
   (ii)  the  disclosure  or redisclosure is required by state or federal
 law; or
   (iii) the disclosure is required pursuant to a  valid  warrant,  court
 order, or subpoena issued by a court of competent jurisdiction.
   (e)  Individuals  shall  have the right to access the emergency health
 data collected on them and correct any inaccuracies.
   (i) A covered entity must  comply  with  an  individual's  request  to
 correct  emergency  health data not later than 30 days after receiving a
 verifiable request from the individual or, in the case of a  minor,  the
 individual's parent or guardian.

 S. 8448                             5
 
   (ii)  Where  the covered entity has reasonable doubts or cannot verify
 the identity of the individual making a request  under  this  paragraph,
 the  covered entity may request additional information necessary for the
 specific purpose of confirming the identity of the individual.  In  such
 cases, the additional information shall not be processed for any purpose
 other  than verifying the identity of the individual and must be deleted
 immediately upon verification or failure to verify the individual.
   § 3. 1. A covered entity shall implement reasonable measures to ensure
 confidentiality, integrity, and availability of data.
   2. A covered entity that collects  an  individual's  emergency  health
 data  shall  implement  and  maintain reasonable security procedures and
 practices, including administrative, physical, and technical safeguards,
 appropriate to the nature of the information and the purposes for  which
 that  information  will  be used, to protect that information from unau-
 thorized use, disclosure, access, destruction, or modification.
   3. A covered entity shall limit access to  emergency  health  data  to
 authorized  essential  personnel  whose  use  of  the data is reasonably
 necessary to operate the program and record who has  accessed  emergency
 health data, the date of access, and for what purposes.
   §  4.  1.  All  covered  entities  shall be subject to data protection
 audits evaluating the technology assisted contact tracing  utilized  and
 the  development  processes, including the design and training data, for
 statistical impacts on classes protected under section 296 of article 15
 of the executive law, as well as for impacts on  privacy,  and  security
 that includes at a minimum:
   (a) a detailed description of the technology assisted contact tracing,
 its design, its training, data, and its purpose;
   (b) an assessment of the relative benefits and costs of the technology
 assisted  contact  tracing  in light of its purpose, taking into account
 relevant factors including data minimization practices; the duration for
 which personal information and the results  of  the  data  analysis  are
 stored;  what  information about the technology assisted contact tracing
 is available to the public; and the recipients of  the  results  of  the
 technology assisted contact tracing;
   (c) an assessment of the risk of harm posed by the technology assisted
 contact  tracing and the risk that the technology assisted contact trac-
 ing may result in  or  contribute  to  inaccurate,  unfair,  biased,  or
 discriminatory decisions impacting individuals; and
   (d)  The  measures  the state agency will employ to minimize the risks
 described in paragraph (c) of this subdivision, including  technological
 and physical safeguards.
   2.  The audits required by this subdivision shall be made available to
 the public.
   § 5. 1. An individual may bring a private right of action in  a  court
 of  competent  jurisdiction  to  enforce  any right under this act or to
 enjoin any violation of this act.
   2. The attorney general may bring an action in the name of the  state,
 or  as  parens  patriae  on  behalf of persons residing in the state, to
 enforce the provisions of this act. In an action brought by the attorney
 general, the court may award injunction  relief,  including  preliminary
 injunctions, to prevent further violations of and compel compliance with
 this  act;  civil  penalties  up  to  twenty-five  thousand  dollars per
 violation or up to four percent of  annual  revenue;  other  appropriate
 relief,  including  restitution,  to  redress harms to individuals or to
 mitigate all substantial risk of harm; and any other  relief  the  court
 determines.

 S. 8448                             6
 
   §  6.  This  act shall take effect on the thirtieth day after it shall
 have become a law and shall expire and be  deemed  repealed  January  1,
 2023.

2019-S8448A - Details

Current Committee:: Assembly Health
Law Section:: Health
Versions Introduced in 2021-2022 Legislative Session:: S301

2019-S8448A - Summary

2019-S8448A - Sponsor Memo

                                
 
BILL NUMBER: S8448A

SPONSOR: THOMAS
 
TITLE OF BILL:

An act in relation to the collection of emergency health data and the
use of technology to aid during COVID-19; and providing for the repeal
of such provision upon the expiration thereof

 
PURPOSE:

The purpose of this bill is to create ethical guidelines for entities
using technology to track, screen, monitor, contact trace, mitigate or
respond to the CO7ID-19 health emergency.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one of the bill is definitions.

Section two of the bill requires entities collecting, using, or disclos-
ing emergency health data to disclose the following information to indi-

viduals: the individual's right to opt in, the individual's right to
privacy, the covered entity's privacy policy, the time limitation on
data retention, and access rights.

Section three of the bill requires covered entities to implement securi-
ty measures.

Section four of the bill requires covered entities to be subject to data
protection audits.

Section five of the bill allows for a private right of action and
enforcement by the attorney general.

Section six is the effective date.

 
JUSTIFICATION:

A significant issue in tracking the spread of coronavirus is determining
who has come in contact with an individual who tested positive. As
states move to reopen their economies, governments are looking at tech-
nology to simplify the process of contact tracing.  Contract tracing is
a technique used by health departments to identify and support individ-
uals with suspected or confirmed infections and to prevent further
spread of the infection. Traditional contact tracing techniques are
labor intensive and slow compared to a fast moving virus like COVID-19.

The new methods of contact tracing being proposed would rely on location
or proximity detection by =bile phones to selectively deliver alerts
about potential exposures- These systems have the ability to aid in the
collection of crucial data to halt fight the pandemic but they also pose
significant risks to privacy, civil rights, and civil liberties.

Any technology that involves the collection, use, and sharing of sensi-
tive personal data can put consumers at increased risk or exploitation.
Efforts to co--bat the coronavirus should not undermine New Yorker's
privacy rights. The legislature has a responsibility to protect the
privacy of consumers personal information during the COVID-19 public
health crisis.
 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPACT ON THE STATE:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2019-S8448A - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  8448--A
 
                             I N  S E N A T E
 
                               June 3, 2020
                                ___________
 
 Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted to said committee
 
 AN  ACT  in  relation to the collection of emergency health data and the
   use of technology to aid during COVID-19; and providing for the repeal
   of such provision upon the expiration thereof
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. For the purposes of this act:
   1. "Covered entity" means any person, including a government entity:
   (a)  that  collects,  uses,  or  discloses  emergency  health data, as
 defined in this act, electronically or through communication by wire  or
 radio; or
   (b)  that  develops  or  operates  a  website, web application, mobile
 application, mobile operating system feature, or smart  device  applica-
 tion  for  the purpose of tracking, screening, monitoring, contact trac-
 ing, or mitigation, or  otherwise  responding  to  the  COVID-19  public
 health emergency.
   2.  "De-identified  information" means information that cannot reason-
 ably identify, relate to, describe, be capable of being associated with,
 or be linked, directly or indirectly,  to  a  particular  individual.  A
 covered entity that uses de-identified information:
   (a)  has implemented technical safeguards that prohibit re-identifica-
 tion of the individual to whom the information may pertain;
   (b) has implemented  business  processes  that  specifically  prohibit
 re-identification of the information;
   (c)  has  implemented  business  processes  that  prevent  inadvertent
 release of de-identified information; and
   (d) makes no attempt to re-identify the information.
   3. "Emergency health data" means data linked or reasonably linkable to
 an individual or device, including data inferred or  derived  about  the
 individual  or  device  from  other collected data provided such data is

  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD16478-03-0

 S. 8448--A                          2
 
 still linked or reasonably linkable to the individual  or  device,  that
 concerns the public COVID-19 health emergency. Such data includes:
   (a)  Information that reveals the past, present, or future physical or
 behavioral health or condition of, or provision  of  healthcare  to,  an
 individual including:
   (i) data derived from the testing or examination;
   (ii)  whether  or not an individual has contracted or been tested for,
 or an estimate of  the  likelihood  that  a  particular  individual  may
 contract, such disease or disorder; and
   (iii) genetic data, biological samples and biometrics; and
   (b)  Other  data  collected in conjunction with other emergency health
 data that can be used to infer health status, health  history,  location
 or associations, including:
   (i) geolocation data, when such term means data capable of determining
 the  past  or  present  precise  physical location of an individual at a
 specific point in time, taking account of population densities,  includ-
 ing  cell-site  location  information,  triangulation  data derived from
 nearby wireless or  radio  frequency  networks  and  global  positioning
 system data;
   (ii)  proximity data, when such term means information that identifies
 or estimates the past or present physical proximity of one individual or
 device to another, including information derived from  Bluetooth,  audio
 signatures, nearby wireless networks, and near field communications;
   (iii) demographic data;
   (iv)  contact information for identifiable individuals or a history of
 the individual's contacts over a period of time, such as an address book
 or call log; and
   (v) any other data collected from a personal device.
   4.  "Individual" means a natural person whom the covered entity  knows
 or has reason to know is located in New York state.
   5.  "Personal  information" means information that identifies, relates
 to, describes, is capable of being associated with, or could  reasonably
 be  linked,  directly  or  indirectly,  with  a particular individual or
 household, or device.
   6. "Process" means  any  operation  or  set  of  operations  that  are
 performed on personal data by either automated or not automated means.
   § 2. All covered entities must disclose the following information at a
 fourth grade reading level or below and in the language the entity regu-
 larly uses to communicate with the individual:
   1. The individual's right to opt-in. (a) A covered entity shall obtain
 freely given, specific, informed, and unambiguous opt-in consent from an
 individual to:
   (i) process the individual's emergency health data; and
   (ii)  make any changes in the processing of the individual's emergency
 health data.
   (b) It shall be unlawful for a covered  entity  to  collect,  use,  or
 disclose emergency health data unless:
   (i) the individual to whom the data pertains has freely given, specif-
 ic,  informed,  and  unambiguous  consent  to  such  collection, use, or
 disclosure; or
   (ii) such collection, use, or disclosure is necessary and for the sole
 purpose of:
   (A) protecting against malicious, deceptive,  fraudulent,  or  illegal
 activity; or
   (B)  detecting,  responding  to,  or  preventing security incidents or
 threats; or

 S. 8448--A                          3
 
   (iii) the covered entity is compelled to do so by  a  court  order  or
 other legal obligation.
   (c) To the extent that a covered entity must process internet protocol
 addresses,  system  configuration  information, URLs of referring pages,
 locale and language preferences, keystrokes, and other personal informa-
 tion in order to obtain individuals' freely given,  specific,  informed,
 and unambiguous opt-in consent, the entity:
   (i)  shall  only process the personal information necessary to request
 freely given, specific, informed, and unambiguous opt-in consent;
   (ii) shall process the personal information solely to  request  freely
 given, specific, informed, and unambiguous opt-in consent; and
   (iii)  shall immediately delete the personal information if consent is
 withheld or withdrawn.
   2. The individual's right to privacy. (a) All  emergency  health  data
 and  personal information shall be collected at a minimum level of iden-
 tifiability reasonably needed for tracking COVID-19. For a covered enti-
 ty using proximity tracing or exposure notification this includes chang-
 ing temporary anonymous identifiers at least once in a 10 minute period.
   (b) A covered entity shall not  process  personal  information  beyond
 what  is  adequate,  relevant,  and  necessary for the completion of the
 transaction disclosed to, affirmatively consented to, and  requested  by
 the individual.
   (c)  A  covered entity shall not process emergency health data for any
 purpose not authorized under this act, including:
   (i) commercial advertising,  recommendation  for  e-commerce,  or  the
 training  of machine learning algorithms related to, or subsequently for
 use in, commercial advertising and e-commerce;
   (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
 advertising,   marketing,  or  otherwise  commercially  contracting  for
 employment, finance, credit, insurance, housing, or education; or
   (iii) segregating, discriminating in, or otherwise making  unavailable
 the  goods,  services,  facilities,  privileges, advantages, or accommo-
 dations of any place of public accommodation (as such term is defined in
 section 301 of the Americans with Disabilities Act of 1990),  except  as
 authorized  by  a state or federal government entity for a public health
 purpose.
   3. Covered entity privacy policy. (a) A covered entity  shall  provide
 to  the  individual  a  privacy  policy,  prior  to  or  at the point of
 collection of emergency health data:
   (i) detailing how and for what purpose the  covered  entity  collects,
 uses, and discloses emergency health data;
   (ii)  describing the covered entity's data retention and data security
 policies and practices for emergency health data; and
   (iii) describing how an individual  may  exercise  rights  under  this
 section.
   (b)  A covered entity shall create transparency reports, at least once
 every 90 days, that include:
   (i) the number of individuals whose emergency health data the  covered
 entity collected or used;
   (ii)  the  categories  of  emergency  health  data collected, used, or
 disclosed;
   (iii) the purposes for which each category of  emergency  health  data
 was collected, used, or disclosed;
   (iv)  the  number  of  requests for individuals emergency health data,
 including information on who the emergency health data was disclosed to;
 and

 S. 8448--A                          4
 
   (v) the number of instances where emergency health data was  produced,
 in whole or in part, without prior, explicit consents by the individuals
 specified in the request.
   4.  Time  limitation  on  retention.  (a)  Emergency  health  data and
 personal information shall be  deleted  when  the  initial  purpose  for
 collecting  or obtaining such data has been satisfied or within 30 days,
 whichever occurs  first,  except  that  proximity  tracing  or  exposure
 notification data which shall be automatically deleted every 14 days.
   (b) This subdivision shall not apply to de-identified information.
   5. Access rights. (a) Emergency health data shall be disclosed only as
 necessary to provide the service requested by an individual.
   (b)  A  covered  entity  may  share aggregate, de-identified data with
 public health authorities.
   (c) A covered entity shall not disclose emergency  health  data  to  a
 third  party  unless  that  third  party  is  contractually bound to the
 covered entity to meet the same privacy and security obligations as  the
 covered entity.
   (d)  No  covered  entity  in  possession  of emergency health data may
 disclose, redisclose, or otherwise disseminate an individual's emergency
 health data unless:
   (i) the subject of the personal information or the  subject's  legally
 authorized  representative  consents  in  writing  to  the disclosure or
 redisclosure; or
   (ii) the disclosure or redisclosure is required by  state  or  federal
 law.
   (e)  Individuals  shall  have the right to access the emergency health
 data collected on them and correct any inaccuracies.
   (i) A covered entity must  comply  with  an  individual's  request  to
 correct  emergency  health data not later than 30 days after receiving a
 verifiable request from the individual or, in the case of a  minor,  the
 individual's parent or guardian.
   (ii)  Where  the covered entity has reasonable doubts or cannot verify
 the identity of the individual making a request  under  this  paragraph,
 the  covered entity may request additional information necessary for the
 specific purpose of confirming the identity of the individual.  In  such
 cases, the additional information shall not be processed for any purpose
 other  than verifying the identity of the individual and must be deleted
 immediately upon verification or failure to verify the individual.
   § 3. 1. A covered entity shall implement reasonable measures to ensure
 confidentiality, integrity, and availability of  emergency  health  data
 and personal information.
   2.  A  covered  entity  that collects an individual's emergency health
 data shall implement and maintain  reasonable  security  procedures  and
 practices, including administrative, physical, and technical safeguards,
 appropriate  to the nature of the information and the purposes for which
 that information will be used, to protect that  information  from  unau-
 thorized use, disclosure, access, destruction, or modification.
   3.  A  covered  entity  shall limit access to emergency health data to
 authorized essential personnel whose  use  of  the  data  is  reasonably
 necessary  to  operate the program and record who has accessed emergency
 health data, the date of access, and for what purposes.
   § 4. 1. All covered entities  shall  be  subject  to  data  protection
 audits  evaluating the technology utilized and the development processes
 for statistical impacts on classes protected under section 296 of  arti-
 cle  15  of  the  executive  law, as well as for impacts on privacy, and
 security that includes at a minimum:

 S. 8448--A                          5
 
   (a) a detailed description of the  technology,  its  design,  and  its
 purpose;
   (b) an assessment of the relative benefits and costs of the technology
 in  light of its purpose, taking into account relevant factors including
 data minimization practices; the duration for which personal information
 and the results of the data analysis are stored; what information  about
 the  technology  is  available  to the public; and the recipients of the
 results of the technology;
   (c) an assessment of the risk of harm posed  by  the  technology;  the
 risk  that  the  technology  may  result in or contribute to inaccurate,
 unfair, biased, or discriminatory decisions; the risk that the technolo-
 gy may dissuade New Yorkers from participating  in  contact  tracing  or
 obtaining  medical  testing  or  treatment;  and  the risk that personal
 information or emergency health data can be accessed by  third  parties,
 including,  but  not  limited to law enforcement agencies and U.S. Immi-
 gration and Customs Enforcement; and
   (d) the measures the covered entity will employ to minimize the  risks
 described in paragraph (c) of this subdivision, including technological,
 legal and physical safeguards;
   (e)  an  assessment of whether the covered entity has followed through
 on the promises made in its privacy notice regarding collection, access,
 sharing, retention, deletion and sunsetting; and
   (f) if the technology utilizes machine-learning systems, a description
 of the training data information.
   2. The audits required by this subdivision shall be made fully  avail-
 able to the public.
   §  5.  1. An individual may bring a private right of action in a court
 of competent jurisdiction to enforce any right  under  this  act  or  to
 enjoin any violation of this act.
   (a)  Any  individual  alleging a violation of this act or a regulation
 promulgated under this act may bring a civil  action  in  any  court  of
 competent jurisdiction.
   (b) A violation of this act or a regulation promulgated under this act
 with  respect to the personal information of an individual constitutes a
 rebuttable presumption of harm to that individual.
   (c) In a civil action in which the plaintiff prevails, the  court  may
 award:
   (i)  liquidated  damages  of  ten  thousand dollars or actual damages,
 whichever is greater;
   (ii) punitive damages; and
   (iii) any other relief, including an injunction, that the court deter-
 mines is appropriate.
   (d) In addition to any relief awarded pursuant  to  paragraph  (c)  of
 this  subdivision,  the court shall award reasonable attorney's fees and
 costs to any prevailing plaintiff.
   2. The attorney general may bring an action in the name of the  state,
 or  as  parens  patriae  on  behalf of persons residing in the state, to
 enforce the provisions of this act. In an action brought by the attorney
 general, the court may award injunctive  relief,  including  preliminary
 injunctions, to prevent further violations of and compel compliance with
 this  act;  civil  penalties  up  to  twenty-five  thousand  dollars per
 violation or up to four percent of  annual  revenue;  other  appropriate
 relief,  including  restitution,  to  redress harms to individuals or to
 mitigate all substantial risk of harm; and any other  relief  the  court
 determines.

 S. 8448--A                          6
 
   §  6.  This  act shall take effect on the thirtieth day after it shall
 have become a law and shall expire and be  deemed  repealed  January  1,
 2023.

co-Sponsors

View additional co-sponsors

2019-S8448B - Details

Current Committee:: Assembly Health
Law Section:: Health
Versions Introduced in 2021-2022 Legislative Session:: S301

2019-S8448B - Summary

2019-S8448B - Sponsor Memo

                                
 
BILL NUMBER: S8448b

SPONSOR: THOMAS
 
TITLE OF BILL:

An act in relation to the collection of emergency health data and the
use of technology to aid during COVID-19; and providing for the repeal
of such provision upon the expiration thereof

 
PURPOSE:

The purpose of this bill is to create ethical guidelines for entities
using technology to track, screen, monitor, contact trace, mitigate or
respond to the C071D-19 health emergency.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one of the bill is definitions.

Section two of the bill requires entities collecting, using, or disclos-
ing emergency health data to disclose the following information to indi-

viduals: the individual's right to opt in, the individual's right to
privacy, the covered entity's privacy policy, the time limitation on
data retention, and access rights.

Section three of the bill requires covered entities to implement securi-
ty measures.

Section four of the bill requires covered entities to be subject to data
protection audits.

Section five of the bill allows for a private right of action and
enforcement by the attorney general.

Section six is the effective date.

 
JUSTIFICATION:

A significant issue in tracking the spread of coronavirus is determining
who has come in contact with an individual who tested positive. As
states move to reopen their economies, governments are looking at tech-
nology to simplify the process of contact tracing. Contract tracing is a
technique used by health departments to identify and support individuals
with suspected or confirmed infections and to prevent further spread of
the infection. Traditional contact tracing techniques are labor inten-
sive and slow compared to a fast moving virus like COVID-19.

The new methods of contact tracing being proposed would rely on location
or proximity detection by mobile phones to selectively deliver alerts
about potential exposures. These systems have the ability to aid in the
collection of crucial data to halt fight the pandemic but they also pose
significant risks to privacy, civil rights, and civil liberties.

Any technology that involves the collection, use, and sharing of sensi-
tive personal data can put consumers at increased risk or exploitation.
Efforts to combat the coronavirus should not undermine New Yorker's
privacy rights. The legislature has a responsibility to protect the
privacy of consumers personal information during the COVID-19 public
health crisis.
 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPACT ON THE STATE:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2019-S8448B - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  8448--B
 
                             I N  S E N A T E
 
                               June 3, 2020
                                ___________
 
 Introduced  by  Sen.  THOMAS -- read twice and ordered printed, and when
   printed to be committed to the Committee on Internet and Technology --
   committee discharged, bill amended, ordered reprinted as  amended  and
   recommitted  to  said committee -- committee discharged, bill amended,
   ordered reprinted as amended and recommitted to said committee

 AN ACT in relation to the collection of emergency health  data  and  the
   use of technology to aid during COVID-19; and providing for the repeal
   of such provision upon the expiration thereof
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. For the purposes of this act:
   1. "Covered entity" means any person, including a government entity:
   (a) that collects,  uses,  or  discloses  emergency  health  data,  as
 defined  in this act, electronically or through communication by wire or
 radio; or
   (b) that develops or  operates  a  website,  web  application,  mobile
 application,  mobile  operating system feature, or smart device applica-
 tion for the purpose of tracking, screening, monitoring,  contact  trac-
 ing,  or  mitigation,  or  otherwise  responding  to the COVID-19 public
 health emergency.
   2. "De-identified information" means information that  cannot  reason-
 ably identify, relate to, describe, be capable of being associated with,
 or be linked, directly or indirectly, to a particular individual, house-
 hold, or device.  A covered entity that uses de-identified information:
   (a)  has implemented technical safeguards that prohibit re-identifica-
 tion of the individual to whom the information may pertain;
   (b) has implemented  business  processes  that  specifically  prohibit
 re-identification of the information;
   (c)  has  implemented  business  processes  that  prevent  inadvertent
 release of de-identified information; and
   (d) makes no attempt to re-identify the information.
   3. "Emergency health data" means data linked or reasonably linkable to
 an individual or device, including data inferred or  derived  about  the
 individual, household, or device from other collected data provided such
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets

                       [ ] is old law to be omitted.
                                                            LBD16478-04-0

 S. 8448--B                          2
 
 data  is  still  linked or reasonably linkable to the individual, house-
 hold, or device, that concerns the  public  COVID-19  health  emergency.
 Such data includes:
   (a)  Information that reveals the past, present, or future physical or
 behavioral health or condition of, or provision  of  healthcare  to,  an
 individual including:
   (i) data derived from the testing or examination;
   (ii)  whether  or not an individual has contracted or been tested for,
 or an estimate of  the  likelihood  that  a  particular  individual  may
 contract, such disease or disorder; and
   (iii) genetic data, biological samples and biometrics; and
   (b)  Other  data  collected in conjunction with other emergency health
 data that can be used to infer health status, health  history,  location
 or associations, including:
   (i) geolocation data, when such term means data capable of determining
 the  past  or  present  precise  physical location of an individual at a
 specific point in time, taking account of population densities,  includ-
 ing  cell-site  location  information,  triangulation  data derived from
 nearby wireless or  radio  frequency  networks  and  global  positioning
 system data;
   (ii)  proximity data, when such term means information that identifies
 or estimates the past or present physical proximity of one individual or
 device to another, including information derived from  Bluetooth,  audio
 signatures, nearby wireless networks, and near field communications;
   (iii) demographic data;
   (iv)  contact information for identifiable individuals or a history of
 the individual's contacts over a period of time, such as an address book
 or call log; and
   (v) any other data collected from a personal device.
   4.  "Individual" means a natural person whom the covered entity  knows
 or has reason to know is located in New York state.
   5.  "Personal  information" means information that identifies, relates
 to, describes, is capable of being associated with, or could  reasonably
 be  linked,  directly  or  indirectly,  with  a particular individual or
 household, or device.
   6. "Process" means  any  operation  or  set  of  operations  that  are
 performed on personal data by either automated or not automated means.
   7.  "Public  health  authority" means the New York state department of
 health, a county health department or the New York  city  department  of
 health and mental hygiene, or a person or entity acting under a grant of
 authority  from  or  contract  with  such  public  agency, including the
 employees or agents of such public agency or its contractors or  persons
 to  entities  to  whom it has granted authority, that is responsible for
 public health matters as part of its official mandate.
   § 2. All covered entities must disclose the following information at a
 fourth grade reading level or below and in the language the entity regu-
 larly uses to communicate with the individual:
   1. The individual's right to opt-in. (a) A covered entity shall obtain
 freely given, specific, informed, and unambiguous opt-in consent from an
 individual to:
   (i) process the individual's personal information or emergency  health
 data; and
   (ii)  make  any changes in the processing of the individual's personal
 information or emergency health data.
   (b) It shall be unlawful for a covered  entity  to  collect,  use,  or
 disclose emergency health data unless:

 S. 8448--B                          3
 
   (i) the individual to whom the data pertains has freely given, specif-
 ic,  informed,  and  unambiguous  consent  to  such  collection, use, or
 disclosure; or
   (ii) such collection, use, or disclosure is necessary and for the sole
 purpose of:
   (A)  protecting  against  malicious, deceptive, fraudulent, or illegal
 activity; or
   (B) detecting, responding to,  or  preventing  security  incidents  or
 threats.
   (c) To the extent that a covered entity must process internet protocol
 addresses,  system  configuration  information, URLs of referring pages,
 locale and language preferences, keystrokes, and other personal informa-
 tion in order to obtain individuals' freely given,  specific,  informed,
 and unambiguous opt-in consent, the entity:
   (i)  shall  only process the personal information necessary to request
 freely given, specific, informed, and unambiguous opt-in consent;
   (ii) shall process the personal information solely to  request  freely
 given, specific, informed, and unambiguous opt-in consent; and
   (iii)  shall immediately delete the personal information if consent is
 withheld or withdrawn.
   2. The individual's right to privacy. (a) All  emergency  health  data
 and  personal information shall be collected at a minimum level of iden-
 tifiability reasonably needed for tracking COVID-19. For a covered enti-
 ty using proximity tracing or exposure notification this includes chang-
 ing temporary anonymous identifiers at least once in a 10 minute period.
   (b) A covered entity shall not  process  personal  information  beyond
 what  is  adequate,  relevant,  and  necessary for the completion of the
 transaction disclosed to, affirmatively consented to, and  requested  by
 the individual.
   (c)  A  covered entity shall not process emergency health data for any
 purpose not authorized under this act, including:
   (i) commercial advertising,  recommendation  for  e-commerce,  or  the
 training  of machine learning algorithms related to, or subsequently for
 use in, commercial advertising and e-commerce;
   (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
 advertising,   marketing,  or  otherwise  commercially  contracting  for
 employment, finance, credit, insurance, housing, or education; or
   (iii) segregating, discriminating in, or otherwise making  unavailable
 the  goods,  services,  facilities,  privileges, advantages, or accommo-
 dations of any place of public accommodation (as such term is defined in
 section 301 of the Americans with Disabilities Act of 1990),  except  as
 authorized  by  a state or federal government entity for a public health
 purpose.
   3. Covered entity privacy policy. (a) A covered entity  shall  provide
 to  the  individual  a  privacy  policy,  prior  to  or  at the point of
 collection of emergency health data:
   (i) detailing how and for what purpose the  covered  entity  collects,
 uses, and discloses emergency health data;
   (ii)  describing the covered entity's data retention and data security
 policies and practices for emergency health data; and
   (iii) describing how an individual  may  exercise  rights  under  this
 section.
   (b)  A covered entity shall create transparency reports, at least once
 every 90 days, that include:
   (i) the number of individuals whose emergency health data the  covered
 entity collected or used;

 S. 8448--B                          4
 
   (ii)  the  categories  of  emergency  health  data collected, used, or
 disclosed;
   (iii)  the  purposes  for which each category of emergency health data
 was collected, used, or disclosed;
   (iv) the number of requests for  individuals  emergency  health  data,
 including information on who the emergency health data was disclosed to;
 and
   (v)  the number of instances where emergency health data was produced,
 in whole or in part, without prior, explicit consents by the individuals
 specified in the request.
   4. Time  limitation  on  retention.  (a)  Emergency  health  data  and
 personal  information  shall  be  deleted  when  the initial purpose for
 collecting or obtaining such data has been satisfied or within 30  days,
 whichever  occurs  first,  except  that  proximity  tracing  or exposure
 notification data which shall be automatically deleted every 14 days.
   (b) This subdivision shall not apply to de-identified information.
   5. Access rights. (a) Emergency health data shall be disclosed only as
 necessary to provide the service requested by an individual.
   (b) A covered entity may  share  aggregate,  de-identified  data  with
 public health authorities.
   (c)  A  covered  entity  shall not disclose emergency health data to a
 third party unless that  third  party  is  contractually  bound  to  the
 covered  entity to meet the same privacy and security obligations as the
 covered entity.
   (d) No covered entity in  possession  of  emergency  health  data  may
 disclose, redisclose, or otherwise disseminate an individual's emergency
 health  data  unless  the  subject  of  the  personal information or the
 subject's legally authorized representative consents in writing  to  the
 disclosure or redisclosure.
   (e)  Individuals  shall  have the right to access the emergency health
 data collected on them and correct any inaccuracies.
   (i) A covered entity must  comply  with  an  individual's  request  to
 correct  emergency  health data not later than 30 days after receiving a
 verifiable request from the individual or, in the case of a  minor,  the
 individual's parent or guardian.
   (ii)  Where  the covered entity has reasonable doubts or cannot verify
 the identity of the individual making a request  under  this  paragraph,
 the  covered entity may request additional information necessary for the
 specific purpose of confirming the identity of the individual.  In  such
 cases, the additional information shall not be processed for any purpose
 other  than verifying the identity of the individual and must be deleted
 immediately upon verification or failure to verify the individual.
   § 3. 1. A covered entity shall implement reasonable measures to ensure
 confidentiality, integrity, and availability of  emergency  health  data
 and personal information.
   2.  A  covered  entity  that collects an individual's emergency health
 data shall implement and maintain  reasonable  security  procedures  and
 practices, including administrative, physical, and technical safeguards,
 appropriate  to the nature of the information and the purposes for which
 that information will be used, to protect that  information  from  unau-
 thorized use, disclosure, access, destruction, or modification.
   3.  A  covered  entity  shall limit access to emergency health data to
 authorized essential personnel whose  use  of  the  data  is  reasonably
 necessary  to  operate the program and record who has accessed emergency
 health data, the date of access, and for what purposes.

 S. 8448--B                          5
 
   § 4. 1. All covered entities  shall  be  subject  to  data  protection
 audits, conducted by a neutral third party auditor, evaluating the tech-
 nology utilized and the development processes for statistical impacts on
 classes  protected under section 296 of article 15 of the executive law,
 as well as for impacts on privacy, and security that includes at a mini-
 mum:
   (a)  a  detailed  description  of  the technology, its design, and its
 purpose;
   (b) an assessment of the relative benefits and costs of the technology
 in light of its purpose, taking into account relevant factors  including
 data minimization practices; the duration for which personal information
 and  the results of the data analysis are stored; what information about
 the technology is available to the public; and  the  recipients  of  the
 results of the technology;
   (c)  an  assessment  of  the risk of harm posed by the technology; the
 risk that the technology may result  in  or  contribute  to  inaccurate,
 unfair, biased, or discriminatory decisions; the risk that the technolo-
 gy  may  dissuade  New  Yorkers from participating in contact tracing or
 obtaining medical testing or  treatment;  and  the  risk  that  personal
 information  or  emergency health data can be accessed by third parties,
 including, but not limited to law enforcement agencies  and  U.S.  Immi-
 gration and Customs Enforcement; and
   (d)  the measures the covered entity will employ to minimize the risks
 described in paragraph (c) of this subdivision, including technological,
 legal and physical safeguards;
   (e) an assessment of whether the covered entity has  followed  through
 on the promises made in its privacy notice regarding collection, access,
 sharing, retention, deletion and sunsetting; and
   (f) if the technology utilizes machine-learning systems, a description
 of the training data information.
   2.  The audits required by this subdivision shall be made fully avail-
 able to the public.
   § 5. 1. Private right of action.
   (a) Any individual alleging a violation of this act  or  a  regulation
 promulgated  under  this  act  may  bring a civil action in any court of
 competent jurisdiction.
   (b) A violation of this act or a regulation promulgated under this act
 with respect to the personal information of an individual constitutes  a
 rebuttable presumption of harm to that individual.
   (c)  In  a civil action in which the plaintiff prevails, the court may
 award:
   (i) liquidated damages of ten  thousand  dollars  or  actual  damages,
 whichever is greater;
   (ii) punitive damages; and
   (iii) any other relief, including an injunction, that the court deter-
 mines is appropriate.
   (d)  In  addition  to  any relief awarded pursuant to paragraph (c) of
 this subdivision, the court shall award reasonable attorney's  fees  and
 costs to any prevailing plaintiff.
   2.  The attorney general may bring an action in the name of the state,
 or as parens patriae on behalf of persons  residing  in  the  state,  to
 enforce the provisions of this act. In an action brought by the attorney
 general,  the  court  may award injunctive relief, including preliminary
 injunctions, to prevent further violations of and compel compliance with
 this act;  civil  penalties  up  to  twenty-five  thousand  dollars  per
 violation  or  up  to  four percent of annual revenue; other appropriate

 S. 8448--B                          6
 
 relief, including restitution, to redress harms  to  individuals  or  to
 mitigate  all  substantial  risk of harm; and any other relief the court
 determines.
   §  6.  This  act shall take effect on the thirtieth day after it shall
 have become a law and shall expire and be  deemed  repealed  January  1,
 2023.

co-Sponsors

View additional co-sponsors

2019-S8448C - Details

Current Committee:: Assembly Health
Law Section:: Health
Versions Introduced in 2021-2022 Legislative Session:: S301

2019-S8448C - Summary

2019-S8448C - Sponsor Memo

                                
 
BILL NUMBER: S8448C

SPONSOR: THOMAS
 
TITLE OF BILL:

An act in relation to the collection of emergency health data and
personal information and the use of technology to aid during COVID-19;
and providing for the repeal of such provision upon the expiration ther-
eof

 
PURPOSE:  The purpose of this bill is to create ethical guidelines for
entities using technology to track, screen, monitor, contact trace,
mitigate or respond to the C071D-19 health emergency.

 
SUMMARY OF SPECIFIC PROVISIONS:

Section one of the bill defines covered entities as any person that
electronically collects, processes or discloses emergency health data or
that develops or operates a website, application, or operating system
feature for tracking, screening, monitoring, contact tracing, miti-
gation, or otherwise responding to the COVID-19 public health emergency.

Emergency health data is information that reveals the past, present, or
future physical or behavioral health or condition of, or provision of
healthcare to, an individual and other data collected in conjunction
with emergency health data that can be used to infer health status,
health history, location or associations.

Section two of the bill establishes individual rights of users who enter
into transactions with a covered entities.

* An individual has the right to opt in the collection, processing, and
disclosure of personal information or emergency health information.

* An individual has the right to have emergency health data and personal
information collected at the minimum level of identifiability reasonably
needed for the completion of the transaction consented to and requested
by the individual.

* An individual has the right to know, through a privacy policy, what
emergency health data or personal information is being collected, proc-
essed, and disclosed about them and for what reasons. An individual has
the right to be given that information in a way that is understandable
and at a 4th grade reading level or below. A covered entity must publish
on its website transparency reports every 90 days with the following
information: the number of individuals the covered entity has collected
and processed information on; the categories of information collected,
processed, and disclosed; the purpose for collection, processing, and
disclosure; the number of requests for information and who information
was disclosed to; and the number of instances where information was
produced without explicit consent from individuals.

* An individual has a right to have personal information and emergency
health data deleted when the initial purpose for the transaction is
satisfied or within 30 days, whichever occurs first. Except exposure
notification information should automatically delete every 14 days.
Deletion does not apply to de-identified information.


* An individual has the right to have emergency health data and personal
information disclosed only as necessary to complete the requested trans-
action or if consented to in writing. Emergency health data and personal
information can never be disclosed in response to a legal process or
admissible in any judicial or administrative proceeding. De-identified
information may be shared with public health authorities. An individual
has the right to correct any inaccuracies in the information collected
about them.

Section three of the bill requires covered entities to implement securi-
ty procedures and practices that ensure confidentiality, integrity, and
availability of emergency health data and personal information. A
covered entity must limit access to emergency health data and personal
information to personnel whose use of the data is necessary to operate
the program. A covered entity must record who accessed the date, the
date of access, and for what purpose.

Section four of the bill requires covered entities to hire a neutral
third party audit to conduct annual data protection audits. The purpose
of an audit is to provide transparency about the technology used, to
assess the covered entity's level of compliance with its own data
protection policies and to identify gaps and weaknesses in the covered
entity's data protection policies and implementation. A covered entity
must make transparency reports readily and persistently available on its
website.

Section five of the bill allows for a private right of action and
enforcement by the attorney general.

Section six of the bill contains a severability clause. Section seven of
the bill is the effective date.

 
JUSTIFICATION:

Many states have implement orders to limit the spread of COVID-19. The
Center for Disease Control and Prevention (CDC) has advocated that
public health authorities implement contact tracing procedures to
prevent the reoccurrence of widespread infection after these orders are
relaxed or lifted it. The federal government may advise on procedure but
state and local public health authorities will be responsible for
contact tracing operations.

Contract tracing is a technique used by health departments to identify
and support individuals with suspected or confirmed infections and to
prevent further spread of the infection. Traditional contact tracing
techniques are labor intensive and slow compared to a fast moving virus
like COVID-19. As states move to reopen their economies, governments are
looking at technology to simplify the process of contact tracing.

The new methods of contact tracing being proposed would rely on location
or proximity detection by mobile phones to selectively deliver alerts
about potential exposures. These systems have the ability to aid in the
collection of crucial data to halt fight the pandemic but they also pose
significant risks to privacy, civil rights, and civil liberties.

Any technology that involves the collection, processing, and disclosure
of sensitive information can put consumers at increased risk or exploi-
tation. Efforts to combat the coronavirus should not undermine New
Yorker's privacy rights. The legislature has a responsibility to protect
the privacy of consumers' personal information during the COVID-19
public health crisis.

 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPACT ON THE STATE:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2019-S8448C - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  8448--C
 
                             I N  S E N A T E
 
                               June 3, 2020
                                ___________
 
 Introduced  by  Sens. THOMAS, BAILEY, CARLUCCI, GOUNARDES, HOYLMAN, MAY,
   RAMOS, STAVISKY -- read twice and ordered printed, and when printed to
   be committed to the Committee on Internet and Technology --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to  said  committee  --  committee  discharged,  bill amended, ordered
   reprinted as amended and recommitted to said  committee  --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to said committee
 
 AN  ACT  in  relation  to  the  collection  of emergency health data and
   personal information and the use of technology to aid during COVID-19;
   and providing for the repeal of such  provision  upon  the  expiration
   thereof
 
   THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. For the purposes of this act:
   1. "Collect" means to buy, rent, gather, obtain,  receive,  or  access
 any  personal  information  pertaining  to  an  individual by any means,
 online or offline, including but not limited to,  receiving  information
 from  the  individual  or  from a third party, actively or passively, or
 obtaining information by observing an individual's behavior.
   2. "Covered entity" means any person, including a government entity:
   (a) that collects, processes, or discloses emergency health  data,  as
 defined  in this act, electronically or through communication by wire or
 radio; or
   (b) that develops or  operates  a  website,  web  application,  mobile
 application,  mobile  operating system feature, or smart device applica-
 tion for the purpose of tracking, screening, monitoring,  contact  trac-
 ing,  or  mitigation,  or  otherwise  responding  to the COVID-19 public
 health emergency.
   3. "De-identified information" means information that  cannot  reason-
 ably identify, relate to, describe, be capable of being associated with,
 or be linked, directly or indirectly, to a particular individual, house-
 hold, or device.  A covered entity that uses de-identified information:
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD16478-12-0

 S. 8448--C                          2
 
   (a)  has implemented technical safeguards that prohibit re-identifica-
 tion of the individual to whom the information may pertain;
   (b)  has  implemented  business  processes  that specifically prohibit
 re-identification of the information;
   (c)  has  implemented  business  processes  that  prevent  inadvertent
 release of de-identified information; and
   (d) makes no attempt to re-identify the information.
   4. "Disclose" means any action, set of actions, or omission in which a
 covered  entity  makes personal information available to another person,
 intentionally or unintentionally, including but not limited to, sharing,
 publishing, releasing, transferring,  disseminating,  making  available,
 selling, leasing, providing access to, failing to restrict access to, or
 otherwise  communicating  orally,  in writing, electronically, or by any
 other means.
   5. "Emergency health data" means data linked or reasonably linkable to
 an individual, household, or device, including data inferred or  derived
 about  the  individual,  household,  or device from other collected data
 provided such data is still linked or reasonably linkable to  the  indi-
 vidual,  household,  or device, that concerns the public COVID-19 health
 emergency. Such data includes:
   (a) Information that reveals the past, present, or future physical  or
 behavioral  health  or  condition  of, or provision of healthcare to, an
 individual including:
   (i) data derived from the testing or examination;
   (ii) whether or not an individual has contracted or been  tested  for,
 or  an  estimate  of  the  likelihood  that  a particular individual may
 contract, such disease or disorder; and
   (iii) genetic data, biological samples and biometrics; and
   (b) Other data collected in conjunction with  other  emergency  health
 data  that  can be used to infer health status, health history, location
 or associations, including:
   (i) geolocation data, when such term means data capable of determining
 the past or present precise physical location  of  an  individual  at  a
 specific  point in time, taking account of population densities, includ-
 ing cell-site location  information,  triangulation  data  derived  from
 nearby  wireless  or  radio  frequency  networks  and global positioning
 system data;
   (ii) proximity data, when such term means information that  identifies
 or estimates the past or present physical proximity of one individual or
 device  to  another, including information derived from Bluetooth, audio
 signatures, nearby wireless networks, and near field communications;
   (iii) demographic data;
   (iv) contact information for identifiable individuals or a history  of
 the individual's contacts over a period of time, such as an address book
 or call log; and
   (v) any other data collected from a personal device.
   6.  "Individual"  means a natural person whom the covered entity knows
 or has reason to know is located in New York state.
   7. "Personal information" means information that  identifies,  relates
 to,  describes, is capable of being associated with, or could reasonably
 be linked, directly or  indirectly,  with  a  particular  individual  or
 household, or device.
   8.  "Process"  means  any  operation  or  set  of  operations that are
 performed on personal data by either automated or not automated means.
   9. "Public health authority" means the New York  state  department  of
 health,  a  county  health department or the New York city department of

 S. 8448--C                          3
 
 health and mental hygiene, or a person or entity acting under a grant of
 authority from or  contract  with  such  public  agency,  including  the
 employees  or agents of such public agency or its contractors or persons
 to  entities  to  whom it has granted authority, that is responsible for
 public health matters as part of its official mandate.
   § 2. Individual rights.
   1. The individual's right to opt-in. (a) A covered entity shall obtain
 freely given, specific, informed, and unambiguous opt-in consent from an
 individual to:
   (i) process the individual's personal information or emergency  health
 data; and
   (ii)  make  any changes in the processing of the individual's personal
 information or emergency health data.
   (b) It shall be unlawful for a covered entity to collect, process,  or
 disclose emergency health data or personal information unless:
   (i) the individual to whom the data pertains has freely given, specif-
 ic, informed, and unambiguous consent to such collection, processing, or
 disclosure; or
   (ii)  such  collection, processing, or disclosure is necessary and for
 the sole purpose of:
   (A) protecting against malicious, deceptive,  fraudulent,  or  illegal
 activity; or
   (B)  detecting,  responding  to,  or  preventing security incidents or
 threats.
   (c) To the extent that a covered entity must process internet protocol
 addresses, system configuration information, URLs  of  referring  pages,
 locale and language preferences, keystrokes, and other personal informa-
 tion  in  order to obtain individuals' freely given, specific, informed,
 and unambiguous opt-in consent, the entity:
   (i) shall only process the personal information necessary  to  request
 freely given, specific, informed, and unambiguous opt-in consent;
   (ii)  shall  process the personal information solely to request freely
 given, specific, informed, and unambiguous opt-in consent; and
   (iii) shall immediately delete the personal information if consent  is
 withheld or withdrawn.
   2.  The  individual's  right to privacy. (a) All emergency health data
 and personal information shall be collected at a minimum level of  iden-
 tifiability  reasonably  needed  for  the  completion of the transaction
 disclosed to, affirmatively consented to, and requested by the  individ-
 ual.  For a covered entity using proximity tracing or exposure notifica-
 tion this includes changing temporary  anonymous  identifiers  at  least
 once in a 20 minute period.
   (b)  A  covered entity shall not process personal information or emer-
 gency health data beyond what is adequate, relevant, and  necessary  for
 the  completion of the transaction disclosed to, affirmatively consented
 to, and requested by the individual.
   (c) A covered entity  shall  not  process  emergency  health  data  or
 personal  information  for  any  purpose  not authorized under this act,
 including:
   (i) commercial advertising,  recommendation  for  e-commerce,  or  the
 training  of machine learning algorithms related to, or subsequently for
 use in, commercial advertising and e-commerce;
   (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
 advertising,   marketing,  or  otherwise  commercially  contracting  for
 employment, finance, credit, insurance, housing, or education; or

 S. 8448--C                          4
 
   (iii) segregating, discriminating in, or otherwise making  unavailable
 the  goods,  services,  facilities,  privileges, advantages, or accommo-
 dations of any place of public accommodation (as such term is defined in
 section 301 of the Americans with Disabilities Act of 1990),  except  as
 authorized  by  a state or federal government entity for a public health
 purpose; provided that a covered  entity  shall  not  process  emergency
 health  data or personal information to make categorical decisions about
 the allocation of care based on disability.
   3. Covered entity privacy policy. (a) A covered entity  shall  provide
 to  the  individual a privacy policy, at a fourth grade reading level or
 below and in the language the entity regularly uses to communicate  with
 the  individual,  prior  to  or  at the point of collection of emergency
 health data or personal information:
   (i) detailing how and for what purpose the  covered  entity  collects,
 processes, and discloses emergency health data and personal information;
   (ii)  describing the covered entity's data retention and data security
 policies and practices for emergency health data and  personal  informa-
 tion; and
   (iii)  describing  how  an  individual  may exercise rights under this
 section.
   (b) A covered entity shall create transparency reports, at least  once
 every 90 days, that include:
   (i)  the number of individuals whose emergency health data or personal
 information the covered entity collected or processed;
   (ii) the categories of emergency health data and personal  information
 collected, processed, or disclosed;
   (iii) the purposes for which each category of emergency health data or
 personal information was collected, processed, or disclosed;
   (iv)  the number of requests for individuals' emergency health data or
 personal information, including information on who the emergency  health
 data or personal information was disclosed to; and
   (v)  the  number  of instances where emergency health data or personal
 information was produced, in whole or in part, without  prior,  explicit
 consents by the individuals specified in the request.
   (c) The covered entity shall make each transparency report persistent-
 ly available and readily accessible on such entity's website.
   4.  Time  limitation  on  retention.  (a)  Emergency  health  data and
 personal information shall be  deleted  when  the  initial  purpose  for
 collecting  or obtaining such data has been satisfied or within 30 days,
 whichever occurs  first,  except  that  proximity  tracing  or  exposure
 notification data which shall be automatically deleted every 14 days.
   (b) This subdivision shall not apply to de-identified information.
   5.  Access  rights. (a) Emergency health data and personal information
 shall be disclosed only as necessary to provide the service requested by
 an individual.
   (b) A covered entity may  share  aggregate,  de-identified  data  with
 public health authorities.
   (c)  A  covered  entity  shall  not  disclose emergency health data or
 personal information to  a  third  party  unless  that  third  party  is
 contractually  bound  to the covered entity to meet the same privacy and
 security obligations as the covered entity.
   (d) No covered entity  in  possession  of  emergency  health  data  or
 personal  information may disclose, redisclose, or otherwise disseminate
 an individual's emergency health data or personal information unless the
 subject of the emergency health data  or  personal  information  or  the

 S. 8448--C                          5
 
 subject's  legally  authorized representative consents in writing to the
 disclosure or redisclosure.
   (e)  Without  consent under subdivision one of this section, emergency
 health data, personal information, and any  evidence  derived  therefrom
 shall  not be subject to or provided in response to any legal process or
 be admissible for any purpose in any judicial or  administrative  action
 or proceeding.
   (f)  Individuals  shall  have the right to access the emergency health
 data and personal information collected on them and correct any  inaccu-
 racies.
   (i)  A  covered  entity  must  comply  with an individual's request to
 correct emergency health data or personal information not later than  30
 days after receiving a verifiable request from the individual or, in the
 case of a minor, the individual's parent or guardian.
   (ii)  Where  the covered entity has reasonable doubts or cannot verify
 the identity of the individual making a request  under  this  paragraph,
 the  covered entity may request additional information necessary for the
 specific purpose of confirming the identity of the individual.  In  such
 cases, the additional information shall not be processed for any purpose
 other  than verifying the identity of the individual and must be deleted
 immediately upon verification or failure to verify the individual.
   § 3. 1. A covered entity shall implement reasonable measures to ensure
 confidentiality, integrity, and availability of  emergency  health  data
 and personal information.
   2.  A  covered  entity  that collects an individual's emergency health
 data or personal information shall  implement  and  maintain  reasonable
 security  procedures  and practices, including administrative, physical,
 and technical safeguards, appropriate to the nature of  the  information
 and  the  purposes  for  which  that  information  will be processed, to
 protect  that  information  from  unauthorized  processing,  disclosure,
 access, destruction, or modification.
   3.  A  covered  entity shall limit access to emergency health data and
 personal information to authorized essential personnel whose use of  the
 data  is  reasonably necessary to operate the program and record who has
 accessed emergency health data or  personal  information,  the  date  of
 access, and for what purposes.
   §  4.  1.  All  covered  entities  shall  be  subject  to  annual data
 protection audits, conducted by a neutral third party auditor,  evaluat-
 ing  the  technology  utilized and the development processes for statis-
 tical impacts on classes protected under section 296 of  article  15  of
 the  executive law, as well as for impacts on privacy and security, that
 includes at a minimum:
   (a) a detailed description of the  technology,  its  design,  and  its
 purpose;
   (b) an assessment of the relative benefits and costs of the technology
 in  light of its purpose, taking into account relevant factors including
 data minimization practices; the duration for which personal information
 and emergency health data and the  results  of  the  data  analysis  are
 stored;  what  information  about  the  technology  is  available to the
 public; and the recipients of the results of the technology;
   (c) an assessment of the risk of harm posed  by  the  technology;  the
 risk  that  the  technology  may  result in or contribute to inaccurate,
 unfair, biased, or discriminatory decisions; the risk that the technolo-
 gy may dissuade New Yorkers from participating  in  contact  tracing  or
 obtaining  medical  testing  or  treatment;  and  the risk that personal
 information or emergency health data can be accessed by  third  parties,

 S. 8448--C                          6
 
 including,  but  not  limited to law enforcement agencies and U.S. Immi-
 gration and Customs Enforcement; and
   (d)  the measures the covered entity will employ to minimize the risks
 described in paragraph (c) of this subdivision, including technological,
 legal and physical safeguards;
   (e) an assessment of whether the covered entity has  followed  through
 on the promises made in its privacy notice regarding collection, access,
 sharing, retention, deletion and sunsetting; and
   (f) if the technology utilizes machine-learning systems, a description
 of the training data information.
   2.  The covered entity shall make the audit persistently available and
 readily accessible on such entity's website.
   3. The cost of the audit shall be paid by the covered entity.
   § 5. 1. Private right of action.
   (a) Any individual alleging a violation of this act  or  a  regulation
 promulgated  under  this  act  may  bring a civil action in any court of
 competent jurisdiction.
   (b) A violation of this act or a regulation promulgated under this act
 with respect to the personal information of an individual constitutes  a
 rebuttable presumption of harm to that individual.
   (c)  In  a civil action in which the plaintiff prevails, the court may
 award:
   (i) liquidated damages of ten  thousand  dollars  or  actual  damages,
 whichever is greater;
   (ii) punitive damages; and
   (iii) any other relief, including an injunction, that the court deter-
 mines is appropriate.
   (d)  In  addition  to  any relief awarded pursuant to paragraph (c) of
 this subdivision, the court shall award reasonable attorney's  fees  and
 costs to any prevailing plaintiff.
   2.  The attorney general may bring an action in the name of the state,
 or as parens patriae on behalf of persons  residing  in  the  state,  to
 enforce the provisions of this act. In an action brought by the attorney
 general,  the  court  may award injunctive relief, including preliminary
 injunctions, to prevent further violations of and compel compliance with
 this act;  civil  penalties  up  to  twenty-five  thousand  dollars  per
 violation  or  up  to  four percent of annual revenue; other appropriate
 relief, including restitution, to redress harms  to  individuals  or  to
 mitigate  all  substantial  risk of harm; and any other relief the court
 determines.
   § 6. Severability. If any clause,  sentence,  paragraph,  subdivision,
 section  or part of this act shall be adjudged by any court of competent
 jurisdiction to be invalid, such judgment shall not affect,  impair,  or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly  involved  in the controversy in which such judgment shall have
 been rendered. It is hereby declared to be the intent of the legislature
 that this act would have been enacted even if  such  invalid  provisions
 had not been included herein.
   §  7.  This  act shall take effect on the thirtieth day after it shall
 have become a law and shall expire and be  deemed  repealed  January  1,
 2023.

co-Sponsors

View additional co-sponsors

2019-S8448D (ACTIVE) - Details

Current Committee:: Assembly Health
Law Section:: Health
Versions Introduced in 2021-2022 Legislative Session:: S301

2019-S8448D (ACTIVE) - Summary

2019-S8448D (ACTIVE) - Sponsor Memo

                                
 
BILL NUMBER: S8448D

SPONSOR: THOMAS
 
TITLE OF BILL:

An act in relation to the collection of emergency health data and
personal information and the use of technology to aid during COVID-19;
and providing for the repeal of such provision upon the expiration ther-
eof

 
PURPOSE:

The purpose of this bill is to create ethical guidelines for entities
using technology to track, screen, monitor, contact trace, mitigate or
respond to the C071D-19 health emergency.

 
SUMMARY OF SPECIFIC PROVISION:

Section one of the bill defines covered entities as any person that
electronically collects, processes or discloses emergency health data or
that develops or operates a website, application, or operating system

feature for tracking, screening, monitoring, contact tracing, miti-
gation, or otherwise responding to the COVID-19 public health emergency.

Emergency health data is information that reveals the past, present, or
future physical or behavioral health or condition of, or provision of
healthcare to, an individual and other data collected in conjunction
with emergency health data that can be used to infer health status,
health history, location or associations.

Section two of the bill establishes individual rights of users who enter
into transactions with a covered entities.

* An individual has the right to opt in the collection, processing, and
disclosure of personal information or emergency health information.

* An individual has the right to have emergency health data and personal
information collected at the minimum level of identifiability reasonably
needed for the completion of the transaction consented to and requested
by the individual.

* An individual has the right to know, through a privacy policy, what
emergency health data or personal information is being collected, proc-
essed, and disclosed about them and for what reasons. An individual has
the right to be given that information in a way that is understandable
and at a 4th grade reading level or below. A covered entity must publish
on its website transparency reports every 90 days with the following
information: the number of individuals the covered entity has collected
and processed information on; the categories of information collected,
processed, and disclosed; the purpose for collection, processing, and
disclosure; the number of requests for information and who information
was disclosed to; and the number of instances where information was
produced without explicit consent from individuals.

* An individual has the right to know, through a privacy policy, what
emergency health data deleted when the initial purpose for the trans-
action is satisfied or within 30 days, whichever occurs first. Except
exposure notification information should automatically delete every 14
days.  Deletion does not apply to de-identified information.
* An individual has the right to have emergency health data and personal
information disclosed only as necessary to complete the requested trans-
action or if consented to in writing. Emergency health data and personal
information can never be disclosed in response to a legal process or
admissible in any judicial or administrative proceeding. De-identified
information may be shared with public health authorities. An individual
has the right to correct any inaccuracies in the information collected
about them.

Section three of the bill requires covered entities to implement securi-
ty procedures and practices that ensure confidentiality, integrity, and
availability of emergency health data and personal information. A
covered entity must limit access to emergency health data and personal
information to personnel whose use of the data is necessary to operate
the program. A covered entity must record who accessed the date, the
date of access, and for what purpose.

Section four of the bill requires covered entities to hire a neutral
third party audit to conduct annual data protection audits. The purpose
of an audit is to provide transparency about the technology used, to
assess the covered entity's level of compliance with its own data
protection policies and to identify gaps and weaknesses in the covered
entity's data protection policies and implementation. A covered entity
must make transparency reports readily and persistently available on its
website.

Section five of the bill allows for a private right of action and
enforcement by the attorney general.

Section six of the bill contains a severability clause. Section seven of
the bill is the effective date.

 
JUSTIFICATION:

Many states have implement orders to limit the spread of COVID-19. The
Center for Disease Control and Prevention (CDC) has advocated that
public health authorities implement contact tracing procedures to
prevent the reoccurrence of widespread infection after these orders are
relaxed or lifted it. The federal government may advise on procedure but
state and local public health authorities will be responsible for
contact tracing operations.

Contract tracing is a technique used by health departments to identify
and support individuals with suspected or confirmed infections and to
prevent further spread of the infection. Traditional contact tracing
techniques are labor intensive and slow compared to a fast moving virus
like COVID-19. As states move to reopen their economies, governments are
looking at technology to simplify the process of contact tracing.

The new methods of contact tracing being proposed would rely on location
or proximity detection by mobile phones to selectively deliver alerts
about potential exposures. These systems have the ability to aid in the
collection of crucial data to halt fight the pandemic but they also pose
significant risks to privacy, civil rights, and civil liberties.

Any technology that involves the collection, processing, and disclosure
of sensitive information can put consumers at increased risk or exploi-
tation. Efforts to combat the coronavirus should not undermine New
Yorker's privacy rights. The legislature has a responsibility to protect
the privacy of consumers' personal information during the COVID-19
public health crisis.

 
PRIOR LEGISLATIVE HISTORY:

New bill.

 
FISCAL IMPACT ON THE STATE:

None.

 
EFFECTIVE DATE:
This act shall take effect immediately.

2019-S8448D (ACTIVE) - Bill Text download pdf

                            
 
                     S T A T E   O F   N E W   Y O R K
 ________________________________________________________________________
 
                                  8448--D
 
                             I N  S E N A T E
 
                               June 3, 2020
                                ___________
 
 Introduced  by  Sens. THOMAS, BAILEY, CARLUCCI, GOUNARDES, HOYLMAN, MAY,
   RAMOS, STAVISKY -- read twice and ordered printed, and when printed to
   be committed to the Committee on Internet and Technology --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to  said  committee  --  committee  discharged,  bill amended, ordered
   reprinted as amended and recommitted to said  committee  --  committee
   discharged, bill amended, ordered reprinted as amended and recommitted
   to  said  committee -- committee discharged and said bill committed to
   the Committee on Health -- committee discharged, bill amended, ordered
   reprinted as amended and recommitted to said committee
 
 AN ACT in relation to  the  collection  of  emergency  health  data  and
   personal information and the use of technology to aid during COVID-19;
   and  providing  for  the  repeal of such provision upon the expiration
   thereof
 
   THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
 BLY, DO ENACT AS FOLLOWS:
 
   Section 1. For the purposes of this act:
   1.  "Collect"  means  to buy, rent, gather, obtain, receive, or access
 any personal information pertaining  to  an  individual  by  any  means,
 online  or  offline, including but not limited to, receiving information
 from the individual or from a third party,  actively  or  passively,  or
 obtaining information by observing an individual's behavior.
   2. "Covered entity" means any person, including a government entity:
   (a)  that  collects, processes, or discloses emergency health data, as
 defined in this act, electronically or through communication by wire  or
 radio; or
   (b)  that  develops  or  operates  a  website, web application, mobile
 application, mobile operating system feature, or smart  device  applica-
 tion  for  the purpose of tracking, screening, monitoring, contact trac-
 ing, or mitigation, or  otherwise  responding  to  the  COVID-19  public
 health emergency.
   3.  "De-identified  information" means information that cannot reason-
 ably identify, relate to, describe, be capable of being associated with,
 
  EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                       [ ] is old law to be omitted.

                                                            LBD16478-14-0

 S. 8448--D                          2
 
 or be linked, directly or indirectly, to a particular individual, house-
 hold, or device.  A covered entity that uses de-identified information:
   (a)  has implemented technical safeguards that prohibit re-identifica-
 tion of the individual to whom the information may pertain;
   (b) has implemented  business  processes  that  specifically  prohibit
 re-identification of the information;
   (c)  has  implemented  business  processes  that  prevent  inadvertent
 release of de-identified information; and
   (d) makes no attempt to re-identify the information.
   4. "Disclose" means any action, set of actions, or omission in which a
 covered entity makes personal information available to  another  person,
 intentionally or unintentionally, including but not limited to, sharing,
 publishing,  releasing,  transferring,  disseminating, making available,
 selling, leasing, providing access to, failing to restrict access to, or
 otherwise communicating orally, in writing, electronically,  or  by  any
 other means.
   5. "Emergency health data" means data linked or reasonably linkable to
 an  individual, household, or device, including data inferred or derived
 about the individual, household, or device  from  other  collected  data
 provided  such  data is still linked or reasonably linkable to the indi-
 vidual, household, or device, that concerns the public  COVID-19  health
 emergency. Such data includes:
   (a)  Information that reveals the past, present, or future physical or
 behavioral health or condition of, or provision  of  healthcare  to,  an
 individual including:
   (i) data derived from the testing or examination;
   (ii)  whether  or not an individual has contracted or been tested for,
 or an estimate of  the  likelihood  that  a  particular  individual  may
 contract, such disease or disorder; and
   (iii) genetic data, biological samples and biometrics; and
   (b)  Other  data  collected in conjunction with other emergency health
 data that can be used to infer health status, health  history,  location
 or associations, including:
   (i) geolocation data, when such term means data capable of determining
 the  past  or  present  precise  physical location of an individual at a
 specific point in time, taking account of population densities,  includ-
 ing  cell-site  location  information,  triangulation  data derived from
 nearby wireless or  radio  frequency  networks  and  global  positioning
 system data;
   (ii)  proximity data, when such term means information that identifies
 or estimates the past or present physical proximity of one individual or
 device to another, including information derived from  Bluetooth,  audio
 signatures, nearby wireless networks, and near field communications;
   (iii) demographic data;
   (iv)  contact information for identifiable individuals or a history of
 the individual's contacts over a period of time, such as an address book
 or call log; and
   (v) any other data collected from a personal device.
   6. "Individual" means a natural person whom the covered  entity  knows
 or has reason to know is located in New York state.
   7.  "Personal  information" means information that identifies, relates
 to, describes, is capable of being associated with, or could  reasonably
 be  linked,  directly  or  indirectly,  with  a particular individual or
 household, or device.
   8. "Process" means  any  operation  or  set  of  operations  that  are
 performed on personal data by either automated or not automated means.

 S. 8448--D                          3
 
   9.  "Public  health  authority" means the New York state department of
 health, a county health department or the New York  city  department  of
 health and mental hygiene, or a person or entity acting under a grant of
 authority  from  or  contract  with  such  public  agency, including the
 employees  or agents of such public agency or its contractors or persons
 to entities to whom it has granted authority, that  is  responsible  for
 public health matters as part of its official mandate.
   § 2. Individual rights.
   1. The individual's right to opt-in. (a) A covered entity shall obtain
 freely given, specific, informed, and unambiguous opt-in consent from an
 individual to:
   (i)  process the individual's personal information or emergency health
 data; and
   (ii) make any changes in the processing of the  individual's  personal
 information or emergency health data.
   (b)  It shall be unlawful for a covered entity to collect, process, or
 disclose emergency health data or personal information unless:
   (i) the individual to whom the data pertains has freely given, specif-
 ic, informed, and unambiguous consent to such collection, processing, or
 disclosure; or
   (ii) such collection, processing, or disclosure is necessary  and  for
 the sole purpose of:
   (A)  protecting  against  malicious, deceptive, fraudulent, or illegal
 activity; or
   (B) detecting, responding to,  or  preventing  security  incidents  or
 threats.
   (c) To the extent that a covered entity must process internet protocol
 addresses,  system  configuration  information, URLs of referring pages,
 locale and language preferences, keystrokes, and other personal informa-
 tion in order to obtain individuals' freely given,  specific,  informed,
 and unambiguous opt-in consent, the entity:
   (i)  shall  only process the personal information necessary to request
 freely given, specific, informed, and unambiguous opt-in consent;
   (ii) shall process the personal information solely to  request  freely
 given, specific, informed, and unambiguous opt-in consent; and
   (iii)  shall immediately delete the personal information if consent is
 withheld or withdrawn.
   2. The individual's right to privacy. (a) All  emergency  health  data
 and  personal information shall be collected at a minimum level of iden-
 tifiability reasonably needed for  the  completion  of  the  transaction
 disclosed  to, affirmatively consented to, and requested by the individ-
 ual. For a covered entity using proximity tracing or exposure  notifica-
 tion  this  includes  changing  temporary anonymous identifiers at least
 once in a 20 minute period.
   (b) A covered entity shall not process personal information  or  emer-
 gency  health  data beyond what is adequate, relevant, and necessary for
 the completion of the transaction disclosed to, affirmatively  consented
 to, and requested by the individual.
   (c)  A  covered  entity  shall  not  process  emergency health data or
 personal information for any purpose  not  authorized  under  this  act,
 including:
   (i)  commercial  advertising,  recommendation  for  e-commerce, or the
 training of machine learning algorithms related to, or subsequently  for
 use in, commercial advertising and e-commerce;

 S. 8448--D                          4
 
   (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
 advertising,  marketing,  or  otherwise  commercially  contracting   for
 employment, finance, credit, insurance, housing, or education; or
   (iii)  segregating, discriminating in, or otherwise making unavailable
 the goods, services, facilities,  privileges,  advantages,  or  accommo-
 dations of any place of public accommodation (as such term is defined in
 section  301  of the Americans with Disabilities Act of 1990), except as
 authorized by a state or federal government entity for a  public  health
 purpose;  provided  that  a  covered  entity shall not process emergency
 health data or personal information to make categorical decisions  about
 the allocation of care based on disability.
   3.  Covered  entity privacy policy. (a) A covered entity shall provide
 to the individual a privacy policy, at a fourth grade reading  level  or
 below  and in the language the entity regularly uses to communicate with
 the individual, prior to or at the  point  of  collection  of  emergency
 health data or personal information:
   (i)  detailing  how  and for what purpose the covered entity collects,
 processes, and discloses emergency health data and personal information;
   (ii) describing the covered entity's data retention and data  security
 policies  and  practices for emergency health data and personal informa-
 tion; and
   (iii) describing how an individual  may  exercise  rights  under  this
 section.
   (b)  A covered entity shall create transparency reports, at least once
 every 90 days, that include:
   (i) the number of individuals whose emergency health data or  personal
 information the covered entity collected or processed;
   (ii)  the categories of emergency health data and personal information
 collected, processed, or disclosed;
   (iii) the purposes for which each category of emergency health data or
 personal information was collected, processed, or disclosed;
   (iv) the number of requests for individuals' emergency health data  or
 personal  information, including information on who the emergency health
 data or personal information was disclosed to; and
   (v) the number of instances where emergency health  data  or  personal
 information  was  produced, in whole or in part, without prior, explicit
 consents by the individuals specified in the request.
   (c) The covered entity shall make each transparency report persistent-
 ly available and readily accessible on such entity's website.
   4. Time  limitation  on  retention.  (a)  Emergency  health  data  and
 personal  information  shall  be  deleted  when  the initial purpose for
 collecting or obtaining such data has been satisfied or within 30  days,
 whichever  occurs  first,  except  that  proximity  tracing  or exposure
 notification data which shall be automatically deleted every 14 days.
   (b) This subdivision shall not apply to de-identified information.
   5. Access rights. (a) Emergency health data and  personal  information
 shall be disclosed only as necessary to provide the service requested by
 an individual.
   (b)  A  covered  entity  may  share aggregate, de-identified data with
 public health authorities.
   (c) A covered entity shall  not  disclose  emergency  health  data  or
 personal  information  to  a  third  party  unless  that  third party is
 contractually bound to the covered entity to meet the same  privacy  and
 security obligations as the covered entity.
   (d)  No  covered  entity  in  possession  of  emergency health data or
 personal information may disclose, redisclose, or otherwise  disseminate

 S. 8448--D                          5
 
 an individual's emergency health data or personal information unless the
 subject  of  the  emergency  health  data or personal information or the
 subject's legally authorized representative consents in writing  to  the
 disclosure or redisclosure.
   (e)  Without  consent under subdivision one of this section, emergency
 health data, personal information, and any  evidence  derived  therefrom
 shall  not be subject to or provided in response to any legal process or
 be admissible for any purpose in any judicial or  administrative  action
 or proceeding.
   (f)  Individuals  shall  have the right to access the emergency health
 data and personal information collected on them and correct any  inaccu-
 racies.
   (i)  A  covered  entity  must  comply  with an individual's request to
 correct emergency health data or personal information not later than  30
 days after receiving a verifiable request from the individual or, in the
 case of a minor, the individual's parent or guardian.
   (ii)  Where  the covered entity has reasonable doubts or cannot verify
 the identity of the individual making a request  under  this  paragraph,
 the  covered entity may request additional information necessary for the
 specific purpose of confirming the identity of the individual.  In  such
 cases, the additional information shall not be processed for any purpose
 other  than verifying the identity of the individual and must be deleted
 immediately upon verification or failure to verify the individual.
   § 3. 1. A covered entity shall implement reasonable measures to ensure
 confidentiality, integrity, and availability of  emergency  health  data
 and personal information.
   2.  A  covered  entity  that collects an individual's emergency health
 data or personal information shall  implement  and  maintain  reasonable
 security  procedures  and practices, including administrative, physical,
 and technical safeguards, appropriate to the nature of  the  information
 and  the  purposes  for  which  that  information  will be processed, to
 protect  that  information  from  unauthorized  processing,  disclosure,
 access, destruction, or modification.
   3.  A  covered  entity shall limit access to emergency health data and
 personal information to authorized essential personnel whose use of  the
 data  is  reasonably necessary to operate the program and record who has
 accessed emergency health data or  personal  information,  the  date  of
 access, and for what purposes.
   §  4.  1.  All  covered  entities  shall  be  subject  to  annual data
 protection audits, conducted by a neutral third party auditor,  evaluat-
 ing  the  technology  utilized and the development processes for statis-
 tical impacts on classes protected under section 296 of  article  15  of
 the  executive law, as well as for impacts on privacy and security, that
 includes at a minimum:
   (a) a detailed description of the  technology,  its  design,  and  its
 purpose;
   (b) an assessment of the relative benefits and costs of the technology
 in  light of its purpose, taking into account relevant factors including
 data minimization practices; the duration for which personal information
 and emergency health data and the  results  of  the  data  analysis  are
 stored;  what  information  about  the  technology  is  available to the
 public; and the recipients of the results of the technology;
   (c) an assessment of the risk of harm posed  by  the  technology;  the
 risk  that  the  technology  may  result in or contribute to inaccurate,
 unfair, biased, or discriminatory decisions; the risk that the technolo-
 gy may dissuade New Yorkers from participating  in  contact  tracing  or

 S. 8448--D                          6
 
 obtaining  medical  testing  or  treatment;  and  the risk that personal
 information or emergency health data can be accessed by  third  parties,
 including,  but  not  limited to law enforcement agencies and U.S. Immi-
 gration and Customs Enforcement; and
   (d)  the measures the covered entity will employ to minimize the risks
 described in paragraph (c) of this subdivision, including technological,
 legal and physical safeguards;
   (e) an assessment of whether the covered entity has  followed  through
 on the promises made in its privacy notice regarding collection, access,
 sharing, retention, deletion and sunsetting; and
   (f) if the technology utilizes machine-learning systems, a description
 of the training data information.
   2.  The covered entity shall make the audit persistently available and
 readily accessible on such entity's website.
   3. The cost of the audit shall be paid by the covered entity.
   § 5. The attorney general may bring an  action  in  the  name  of  the
 state,  or as parens patriae on behalf of persons residing in the state,
 to enforce the provisions of this act.  In  an  action  brought  by  the
 attorney  general,  the  court  may  award  injunctive relief, including
 preliminary injunctions, to prevent further  violations  of  and  compel
 compliance  with  this  act;  civil penalties up to twenty-five thousand
 dollars per violation or up to four percent  of  annual  revenue;  other
 appropriate  relief, including restitution, to redress harms to individ-
 uals or to mitigate all substantial risk of harm; and any  other  relief
 the court determines.
   §  6.  Severability.  If any clause, sentence, paragraph, subdivision,
 section or part of this act shall be adjudged by any court of  competent
 jurisdiction  to  be invalid, such judgment shall not affect, impair, or
 invalidate the remainder thereof, but shall be confined in its operation
 to the clause, sentence, paragraph, subdivision, section or part thereof
 directly involved in the controversy in which such judgment  shall  have
 been rendered. It is hereby declared to be the intent of the legislature
 that  this  act  would have been enacted even if such invalid provisions
 had not been included herein.
   § 7. This act shall take effect on the thirtieth day  after  it  shall
 have  become  a  law  and shall expire and be deemed repealed January 1,
 2023.

Comments

Open Legislation is a forum for New York State legislation. All comments are subject to review and community moderation is encouraged.

Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity, hate or toxic speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Attempts to intimidate and silence contributors or deliberately deceive the public, including excessive or extraneous posting/posts, or coordinated activity, are prohibited and may result in the temporary or permanent banning of the user. Comment moderation is generally performed Monday through Friday. By contributing or voting you agree to the Terms of Participation and verify you are over 13.

Create an account. An account allows you to sign petitions with a single click, officially support or oppose key legislation, and follow issues, committees, and bills that matter to you. When you create an account, you agree to this platform's terms of participation.

Find your Senator and share your views on important issues.

Do you support this bill?

Senate Bill S8448B

Sponsored By

Archive: Last Bill Status - In Assembly Committee

Actions

Votes

Jul 23, 2020 - Floor Vote

Floor Vote: Jul 23, 2020

Jul 22, 2020 - Rules Committee Vote

Rules Committee Vote: Jul 22, 2020

Jul 20, 2020 - Health Committee Vote

Health Committee Vote: Jul 20, 2020

Bill Amendments

2019-S8448 - Details

2019-S8448 - Summary

2019-S8448 - Sponsor Memo

2019-S8448 - Bill Text download pdf

2019-S8448A - Details

2019-S8448A - Summary

2019-S8448A - Sponsor Memo

2019-S8448A - Bill Text download pdf

co-Sponsors

2019-S8448B - Details

2019-S8448B - Summary

2019-S8448B - Sponsor Memo

2019-S8448B - Bill Text download pdf

co-Sponsors

2019-S8448C - Details

2019-S8448C - Summary

2019-S8448C - Sponsor Memo

2019-S8448C - Bill Text download pdf

co-Sponsors

2019-S8448D (ACTIVE) - Details

2019-S8448D (ACTIVE) - Summary

2019-S8448D (ACTIVE) - Sponsor Memo

2019-S8448D (ACTIVE) - Bill Text download pdf

Comments

Do you support this bill?

Get Status Alerts for 2019-S8448B

Senate Bill S8448B

Share this bill

Sponsored By

Archive: Last Bill Status - In Assembly Committee

Actions

Votes

Bill Amendments

2019-S8448 - Details

2019-S8448 - Summary

2019-S8448 - Sponsor Memo

2019-S8448 - Bill Text download pdf

2019-S8448A - Details

2019-S8448A - Summary

2019-S8448A - Sponsor Memo

2019-S8448A - Bill Text download pdf

co-Sponsors

2019-S8448B - Details

2019-S8448B - Summary

2019-S8448B - Sponsor Memo

2019-S8448B - Bill Text download pdf

co-Sponsors

2019-S8448C - Details

2019-S8448C - Summary

2019-S8448C - Sponsor Memo

2019-S8448C - Bill Text download pdf

co-Sponsors

2019-S8448D (ACTIVE) - Details

2019-S8448D (ACTIVE) - Summary

2019-S8448D (ACTIVE) - Sponsor Memo

2019-S8448D (ACTIVE) - Bill Text download pdf

Comments