•  Summary 
  •  Actions 
  •  Committee Votes 
  •  Floor Votes 
  •  Memo 
  •  Text 
  •  LFIN 
  •  Chamber Video/Transcript 

A10583 Summary:

SPONSORRules (Rosenthal L)
COSPNSRDickens, Barron, Simon, Epstein, Seawright
Imposes requirements for the collection and use of emergency health data and personal information and the use of technology to aid during the COVID-19 public health emergency; requires entities using technology to get consent from individuals and to disclose certain information including the right to privacy and who will have access to the data.
Go to top    

A10583 Actions:

06/04/2020referred to health
06/10/2020amend and recommit to health
06/10/2020print number 10583a
07/09/2020amend (t) and recommit to health
07/09/2020print number 10583b
07/24/2020amend and recommit to health
07/24/2020print number 10583c
Go to top

A10583 Memo:

submitted in accordance with Assembly Rule III, Sec 1(f)
SPONSOR: Rules (Rosenthal L)
  TITLE OF BILL: An act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration ther- eof   PURPOSE: The purpose of this bill is to create ethical guidelines for entities using technology to track, screen, monitor, contact trace, mitigate, or respond to the COVID-19 health emergency.   SUMMARY OF SPECIFIC PROVISIONS: Section one of the bill is definitions. Section two of the bill requires entities using technology assisted contact tracing to disclose the following information to individuals: the individual's right to opt in, the individual's right to privacy, the covered entity's privacy policy, the time limitation on data retention, and access rights. Section three of the bill requires covered entities to implement securi- ty measures. Section four of the bill requires covered entities to be subject to data protection audits. Section five of the bill allows for enforcement by the attorney general. Section six is the effective date.   JUSTIFICATION: A significant issue in tracking the spread of coronavirus is determining who has come in contact with an individual who tested positive. As states move to reopen their economies, governments are looking at tech- nology to simplify the process of contact tracing. Contract tracing is a technique used by health departments to identify and support individ- uals with suspected or confirmed infections and to prevent further spread of the infection. Traditional contact tracing techniques are labor intensive and slow compared to a fast-moving virus like COVID-19. The new methods of contact tracing being proposed would rely on location or proximity detection by mobile phones to selectively deliver alerts about potential exposures. These systems have the ability to aid in the collection of crucial data to help fight the pandemic, but they also pose significant risks to privacy, civil rights, and civil liberties. Any technology that involves the collection, use, and sharing of sensi- tive personal data can put consumers at increased risk of exploitation. Efforts to combat the coronavirus should not undermine New Yorker's privacy rights. The legislature has a responsibility to protect the privacy of consumers' personal information during the COVID-19 public health crisis.   LEGISLATIVE HISTORY: New bill.   FISCAL IMPLICATIONS: None.   EFFECTIVE DATE: This act shall take effect immediately.
Go to top

A10583 Text:

                STATE OF NEW YORK
                   IN ASSEMBLY
                                      June 4, 2020
        Introduced  by  COMMITTEE  ON RULES -- (at request of M. of A. L. Rosen-
          thal, Dickens, Barron, Simon, Epstein) -- read once  and  referred  to
          the Committee on Health -- committee discharged, bill amended, ordered
          reprinted  as  amended  and  recommitted  to  said  committee -- again
          reported from said committee with  amendments,  ordered  reprinted  as
          amended  and  recommitted  to  said committee -- committee discharged,
          bill amended, ordered reprinted as amended  and  recommitted  to  said
        AN  ACT  in  relation  to  the  collection  of emergency health data and
          personal information and the use of technology to aid during COVID-19;
          and providing for the repeal of such  provision  upon  the  expiration
          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
     1    Section 1. For the purposes of this act:
     2    1. "Collect" means to buy, rent, gather, obtain,  receive,  or  access
     3  any  personal  information  pertaining  to  an  individual by any means,
     4  online or offline, including but not limited to,  receiving  information
     5  from  the  individual  or  from a third party, actively or passively, or
     6  obtaining information by observing an individual's behavior.
     7    2. "Covered entity" means any person, including a government entity:
     8    (a) that collects, processes, or discloses emergency health  data,  as
     9  defined  in this act, electronically or through communication by wire or
    10  radio; or
    11    (b) that develops or  operates  a  website,  web  application,  mobile
    12  application,  mobile  operating system feature, or smart device applica-
    13  tion for the purpose of tracking, screening, monitoring,  contact  trac-
    14  ing,  or  mitigation,  or  otherwise  responding  to the COVID-19 public
    15  health emergency.
    16    3. "De-identified information" means information that  cannot  reason-
    17  ably identify, relate to, describe, be capable of being associated with,
    18  or be linked, directly or indirectly, to a particular individual, house-
    19  hold, or device.  A covered entity that uses de-identified information:
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.

        A. 10583--C                         2
     1    (a)  has implemented technical safeguards that prohibit re-identifica-
     2  tion of the individual to whom the information may pertain;
     3    (b)  has  implemented  business  processes  that specifically prohibit
     4  re-identification of the information;
     5    (c)  has  implemented  business  processes  that  prevent  inadvertent
     6  release of de-identified information; and
     7    (d) makes no attempt to re-identify the information.
     8    4. "Disclose" means any action, set of actions, or omission in which a
     9  covered  entity  makes personal information available to another person,
    10  intentionally or unintentionally, including but not limited to, sharing,
    11  publishing, releasing, transferring,  disseminating,  making  available,
    12  selling, leasing, providing access to, failing to restrict access to, or
    13  otherwise  communicating  orally,  in writing, electronically, or by any
    14  other means.
    15    5. "Emergency health data" means data linked or reasonably linkable to
    16  an individual, household, or device, including data inferred or  derived
    17  about  the  individual,  household,  or device from other collected data
    18  provided such data is still linked or reasonably linkable to  the  indi-
    19  vidual,  household,  or device, that concerns the public COVID-19 health
    20  emergency. Such data includes:
    21    (a) Information that reveals the past, present, or future physical  or
    22  behavioral  health  or  condition  of, or provision of healthcare to, an
    23  individual including:
    24    (i) data derived from the testing or examination;
    25    (ii) whether or not an individual has contracted or been  tested  for,
    26  or  an  estimate  of  the  likelihood  that  a particular individual may
    27  contract, such disease or disorder; and
    28    (iii) genetic data, biological samples and biometrics; and
    29    (b) Other data collected in conjunction with  other  emergency  health
    30  data  that  can be used to infer health status, health history, location
    31  or associations, including:
    32    (i) geolocation data, when such term means data capable of determining
    33  the past or present precise physical location  of  an  individual  at  a
    34  specific  point in time, taking account of population densities, includ-
    35  ing cell-site location  information,  triangulation  data  derived  from
    36  nearby  wireless  or  radio  frequency  networks  and global positioning
    37  system data;
    38    (ii) proximity data, when such term means information that  identifies
    39  or estimates the past or present physical proximity of one individual or
    40  device  to  another, including information derived from Bluetooth, audio
    41  signatures, nearby wireless networks, and near field communications;
    42    (iii) demographic data;
    43    (iv) contact information for identifiable individuals or a history  of
    44  the individual's contacts over a period of time, such as an address book
    45  or call log; and
    46    (v) any other data collected from a personal device.
    47    6.  "Individual"  means a natural person whom the covered entity knows
    48  or has reason to know is located in New York state.
    49    7. "Personal information" means information that  identifies,  relates
    50  to,  describes, is capable of being associated with, or could reasonably
    51  be linked, directly or  indirectly,  with  a  particular  individual  or
    52  household, or device.
    53    8.  "Process"  means  any  operation  or  set  of  operations that are
    54  performed on personal data by either automated or not automated means.
    55    9. "Public health authority" means the New York  state  department  of
    56  health,  a  county  health department or the New York city department of

        A. 10583--C                         3
     1  health and mental hygiene, or a person or entity acting under a grant of
     2  authority from or  contract  with  such  public  agency,  including  the
     3  employees  or agents of such public agency or its contractors or persons
     4  to  entities  to  whom it has granted authority, that is responsible for
     5  public health matters as part of its official mandate.
     6    § 2. Individual rights.
     7    1. The individual's right to opt-in. (a) A covered entity shall obtain
     8  freely given, specific, informed, and unambiguous opt-in consent from an
     9  individual to:
    10    (i) process the individual's personal information or emergency  health
    11  data; and
    12    (ii)  make  any changes in the processing of the individual's personal
    13  information or emergency health data.
    14    (b) It shall be unlawful for a covered entity to collect, process,  or
    15  disclose emergency health data or personal information unless:
    16    (i) the individual to whom the data pertains has freely given, specif-
    17  ic, informed, and unambiguous consent to such collection, processing, or
    18  disclosure; or
    19    (ii)  such  collection, processing, or disclosure is necessary and for
    20  the sole purpose of:
    21    (A) protecting against malicious, deceptive,  fraudulent,  or  illegal
    22  activity; or
    23    (B)  detecting,  responding  to,  or  preventing security incidents or
    24  threats.
    25    (c) To the extent that a covered entity must process internet protocol
    26  addresses, system configuration information, URLs  of  referring  pages,
    27  locale and language preferences, keystrokes, and other personal informa-
    28  tion  in  order to obtain individuals' freely given, specific, informed,
    29  and unambiguous opt-in consent, the entity:
    30    (i) shall only process the personal information necessary  to  request
    31  freely given, specific, informed, and unambiguous opt-in consent;
    32    (ii)  shall  process the personal information solely to request freely
    33  given, specific, informed, and unambiguous opt-in consent; and
    34    (iii) shall immediately delete the personal information if consent  is
    35  withheld or withdrawn.
    36    2.  The  individual's  right to privacy. (a) All emergency health data
    37  and personal information shall be collected at a minimum level of  iden-
    38  tifiability  reasonably  needed  for  the  completion of the transaction
    39  disclosed to, affirmatively consented to, and requested by the  individ-
    40  ual.  For a covered entity using proximity tracing or exposure notifica-
    41  tion this includes changing temporary  anonymous  identifiers  at  least
    42  once in a 20 minute period.
    43    (b)  A  covered entity shall not process personal information or emer-
    44  gency health data beyond what is adequate, relevant, and  necessary  for
    45  the  completion of the transaction disclosed to, affirmatively consented
    46  to, and requested by the individual.
    47    (c) A covered entity  shall  not  process  emergency  health  data  or
    48  personal  information  for  any  purpose  not authorized under this act,
    49  including:
    50    (i) commercial advertising,  recommendation  for  e-commerce,  or  the
    51  training  of machine learning algorithms related to, or subsequently for
    52  use in, commercial advertising and e-commerce;
    53    (ii)  soliciting,  offering,  selling,  leasing,  licensing,  renting,
    54  advertising,   marketing,  or  otherwise  commercially  contracting  for
    55  employment, finance, credit, insurance, housing, or education; or

        A. 10583--C                         4
     1    (iii) segregating, discriminating in, or otherwise making  unavailable
     2  the  goods,  services,  facilities,  privileges, advantages, or accommo-
     3  dations of any place of public accommodation (as such term is defined in
     4  section 301 of the Americans with Disabilities Act of 1990),  except  as
     5  authorized  by  a state or federal government entity for a public health
     6  purpose; provided that a covered  entity  shall  not  process  emergency
     7  health  data or personal information to make categorical decisions about
     8  the allocation of care based on disability.
     9    3. Covered entity privacy policy. (a) A covered entity  shall  provide
    10  to  the  individual a privacy policy, at a fourth grade reading level or
    11  below and in the language the entity regularly uses to communicate  with
    12  the  individual,  prior  to  or  at the point of collection of emergency
    13  health data or personal information:
    14    (i) detailing how and for what purpose the  covered  entity  collects,
    15  processes, and discloses emergency health data and personal information;
    16    (ii)  describing the covered entity's data retention and data security
    17  policies and practices for emergency health data and  personal  informa-
    18  tion; and
    19    (iii)  describing  how  an  individual  may exercise rights under this
    20  section.
    21    (b) A covered entity shall create transparency reports, at least  once
    22  every 90 days, that include:
    23    (i)  the number of individuals whose emergency health data or personal
    24  information the covered entity collected or processed;
    25    (ii) the categories of emergency health data and personal  information
    26  collected, processed, or disclosed;
    27    (iii) the purposes for which each category of emergency health data or
    28  personal information was collected, processed, or disclosed;
    29    (iv)  the number of requests for individuals' emergency health data or
    30  personal information, including information on who the emergency  health
    31  data or personal information was disclosed to; and
    32    (v)  the  number  of instances where emergency health data or personal
    33  information was produced, in whole or in part, without  prior,  explicit
    34  consents by the individuals specified in the request.
    35    (c) The covered entity shall make each transparency report persistent-
    36  ly available and readily accessible on such entity's website.
    37    4.  Time  limitation  on  retention.  (a)  Emergency  health  data and
    38  personal information shall be  deleted  when  the  initial  purpose  for
    39  collecting  or obtaining such data has been satisfied or within 30 days,
    40  whichever occurs  first,  except  that  proximity  tracing  or  exposure
    41  notification data which shall be automatically deleted every 14 days.
    42    (b) This subdivision shall not apply to de-identified information.
    43    5.  Access  rights. (a) Emergency health data and personal information
    44  shall be disclosed only as necessary to provide the service requested by
    45  an individual.
    46    (b) A covered entity may  share  aggregate,  de-identified  data  with
    47  public health authorities.
    48    (c)  A  covered  entity  shall  not  disclose emergency health data or
    49  personal information to  a  third  party  unless  that  third  party  is
    50  contractually  bound  to the covered entity to meet the same privacy and
    51  security obligations as the covered entity.
    52    (d) No covered entity  in  possession  of  emergency  health  data  or
    53  personal  information may disclose, redisclose, or otherwise disseminate
    54  an individual's emergency health data or personal information unless the
    55  subject of the emergency health data  or  personal  information  or  the

        A. 10583--C                         5
     1  subject's  legally  authorized representative consents in writing to the
     2  disclosure or redisclosure.
     3    (e)  Without  consent under subdivision one of this section, emergency
     4  health data, personal information, and any  evidence  derived  therefrom
     5  shall  not be subject to or provided in response to any legal process or
     6  be admissible for any purpose in any judicial or  administrative  action
     7  or proceeding.
     8    (f)  Individuals  shall  have the right to access the emergency health
     9  data and personal information collected on them and correct any  inaccu-
    10  racies.
    11    (i)  A  covered  entity  must  comply  with an individual's request to
    12  correct emergency health data or personal information not later than  30
    13  days after receiving a verifiable request from the individual or, in the
    14  case of a minor, the individual's parent or guardian.
    15    (ii)  Where  the covered entity has reasonable doubts or cannot verify
    16  the identity of the individual making a request  under  this  paragraph,
    17  the  covered entity may request additional information necessary for the
    18  specific purpose of confirming the identity of the individual.  In  such
    19  cases, the additional information shall not be processed for any purpose
    20  other  than verifying the identity of the individual and must be deleted
    21  immediately upon verification or failure to verify the individual.
    22    § 3. 1. A covered entity shall implement reasonable measures to ensure
    23  confidentiality, integrity, and availability of  emergency  health  data
    24  and personal information.
    25    2.  A  covered  entity  that collects an individual's emergency health
    26  data or personal information shall  implement  and  maintain  reasonable
    27  security  procedures  and practices, including administrative, physical,
    28  and technical safeguards, appropriate to the nature of  the  information
    29  and  the  purposes  for  which  that  information  will be processed, to
    30  protect  that  information  from  unauthorized  processing,  disclosure,
    31  access, destruction, or modification.
    32    3.  A  covered  entity shall limit access to emergency health data and
    33  personal information to authorized essential personnel whose use of  the
    34  data  is  reasonably necessary to operate the program and record who has
    35  accessed emergency health data or  personal  information,  the  date  of
    36  access, and for what purposes.
    37    §  4.  1.  All  covered  entities  shall  be  subject  to  annual data
    38  protection audits, conducted by a neutral third party auditor,  evaluat-
    39  ing  the  technology  utilized and the development processes for statis-
    40  tical impacts on classes protected under section 296 of  article  15  of
    41  the  executive law, as well as for impacts on privacy and security, that
    42  includes at a minimum:
    43    (a) a detailed description of the  technology,  its  design,  and  its
    44  purpose;
    45    (b) an assessment of the relative benefits and costs of the technology
    46  in  light of its purpose, taking into account relevant factors including
    47  data minimization practices; the duration for which personal information
    48  and emergency health data and the  results  of  the  data  analysis  are
    49  stored;  what  information  about  the  technology  is  available to the
    50  public; and the recipients of the results of the technology;
    51    (c) an assessment of the risk of harm posed  by  the  technology;  the
    52  risk  that  the  technology  may  result in or contribute to inaccurate,
    53  unfair, biased, or discriminatory decisions; the risk that the technolo-
    54  gy may dissuade New Yorkers from participating  in  contact  tracing  or
    55  obtaining  medical  testing  or  treatment;  and  the risk that personal
    56  information or emergency health data can be accessed by  third  parties,

        A. 10583--C                         6
     1  including,  but  not  limited to law enforcement agencies and U.S. Immi-
     2  gration and Customs Enforcement; and
     3    (d)  the measures the covered entity will employ to minimize the risks
     4  described in paragraph (c) of this subdivision, including technological,
     5  legal and physical safeguards;
     6    (e) an assessment of whether the covered entity has  followed  through
     7  on the promises made in its privacy notice regarding collection, access,
     8  sharing, retention, deletion and sunsetting; and
     9    (f) if the technology utilizes machine-learning systems, a description
    10  of the training data information.
    11    2.  The covered entity shall make the audit persistently available and
    12  readily accessible on such entity's website.
    13    3. The cost of the audit shall be paid by the covered entity.
    14    § 5. The attorney general may bring an  action  in  the  name  of  the
    15  state,  or as parens patriae on behalf of persons residing in the state,
    16  to enforce the provisions of this act.  In  an  action  brought  by  the
    17  attorney  general,  the  court  may  award  injunctive relief, including
    18  preliminary injunctions, to prevent further  violations  of  and  compel
    19  compliance  with  this  act;  civil penalties up to twenty-five thousand
    20  dollars per violation or up to four percent  of  annual  revenue;  other
    21  appropriate  relief, including restitution, to redress harms to individ-
    22  uals or to mitigate all substantial risk of harm; and any  other  relief
    23  the court determines.
    24    §  6.  Severability.  If any clause, sentence, paragraph, subdivision,
    25  section or part of this act shall be adjudged by any court of  competent
    26  jurisdiction  to  be invalid, such judgment shall not affect, impair, or
    27  invalidate the remainder thereof, but shall be confined in its operation
    28  to the clause, sentence, paragraph, subdivision, section or part thereof
    29  directly involved in the controversy in which such judgment  shall  have
    30  been rendered. It is hereby declared to be the intent of the legislature
    31  that  this  act  would have been enacted even if such invalid provisions
    32  had not been included herein.
    33    § 7. This act shall take effect on the thirtieth day  after  it  shall
    34  have  become  a  law  and shall expire and be deemed repealed January 1,
    35  2023.
Go to top