Kansas Introduces the COVID-19 Contact Tracing Privacy Act

A new Kansas emergency bill passed earlier this week includes the COVID-19 Contact Tracing Privacy Act, which aims to protect the privacy of persons whose information is collected through contact tracing and the confidentiality of contact data.

Some of the guidelines include:

The bill prohibits the state or any municipality, or any officer or official or agent thereof, from conducting or authorizing contact tracing, except whenever the Secretary or a local health officer determines contact tracing is necessary to perform a public health duty assigned by statute to the official, the Secretary or local health officer may conduct or authorize contact tracing, as provided in the section.
The bill requires each person acting as a contact tracer, before collecting any contact data, to execute under oath, on a form prescribed by rules and regulations of the Secretary, an acknowledgment of familiarity with the Privacy Act and the duties it imposes, including the duty of confidentiality.
The bill prohibits a contact tracer from disclosing the identity of an infected person to a contact, and only contact data specifically authorized by the Secretary pursuant to rules and regulations could be collected as a part of contact tracing. The Secretary, a local health officer, or a contact tracer would be prohibited from producing data pursuant to a subpoena unless the subpoena is issued by a court and is accompanied by a valid protective order preventing further disclosure of such information.
The bill prohibits contact tracing from being conducted through the use of any service or means that uses cellphone location data to identify or track, directly or indirectly, the movement of persons.
The bill states no third party shall be required to collect or maintain data regarding infected persons or contacts for the purpose of contact tracing. Contact tracers would be prohibited from obtaining contact data related to an infected person or contact from any third party, except that contact data voluntarily collected or maintained by a third party could be obtained by a contact tracer only if the third party provides such information voluntarily and with the consent of the infected person or contact whose information is disclosed, or such information is provided pursuant to a valid warrant.

In addition, the bill would require contact data to be used only for the purposes of contact tracing and not for any other purpose; confidential and not disclosed, produced in response to any Kansas Open Records Act (KORA) request, or made public, unless the disclosure is necessary to conduct contact tracing; and safely and securely destroyed when no longer necessary for contact tracing, pursuant to rules and regulations of the Secretary.

Chris Hazelton, Director of Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, says, “Apple and Google partnered to create tracking services for iOS and Android, but do not capture user identities or GPS location data. However, this does not prevent government and public health authorities from doing so."

"The Kansas Legislature is seeking to avoid issues that have been faced in some digital tracking deployments where users that have COVID-19 are easily identified by piecing together location data and personal information shared publicly. Banning the use of GPS tracking or connecting results to identity services will limit users from being identified by agencies, fellow citizens or any other party," Hazelton explains. "Putting privacy at the forefront of policy will increase adoption by users which in itself will improve accuracy of any tracking programs. Implemented correctly with a priority on privacy, mobile tracking apps are one of the best ways to track infections. They can scale quickly and provide constant monitoring of interactions with others, without requiring users to remember where they were and when. This will become increasingly important as cities and states reopen, providing better analytics for local governments and organizations to decide how quickly they can get back to business.”

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.