The US Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization raises important questions about data privacy. Fears that sensitive personal data could be used to identify and prosecute abortion ban violations were among the first questions raised by women, reproductive healthcare providers, employers, and a number of data aggregators. But organizations can take steps now to maximize compliance with data privacy laws and principles, and later to minimize the risk of disclosing this sensitive data post-Dobbs.
It is difficult to predict whether the rhetoric and early actions of some legislatures will in fact lead to aggressive enforcement of state abortion bans, but smart employers will anticipate the possibility of information requests, subpoenas, and warrants implicating sensitive personal data. Every organization should be aware of the threat such requests pose to personal information and data privacy more broadly. Given the many developments in this space, it is a good time in any event for employers to take a second look at their data policies to protect personal information and have an enhanced data security environment.
Information governance is an important, but often neglected, operational and compliance function of many organizations. Information governance (IG) programs are intended to manage, protect, and optimize the use of information that organizations retain for legal, regulatory, and business reasons. An effective IG program controls the information lifecycle of an organization and sets forth guidelines for the creation, use, storage, security, privacy, retention, and disposition of the organization's information.
Retention and disposition of information are usually guided by federal and state laws, industry regulations, best practices, business needs, and an organization's culture. Only recently did US states, most notably California, begin to enact specific data privacy laws that apply to personal identifying information (PII) collected by organizations within their jurisdiction and to generally limit its use and minimize its retention. Federal data privacy legislation is pending, but its fate is uncertain in the near term.
Moreover, most US organizations are subject to only a modest number of legal and regulatory retention obligations. In the absence of specific laws and regulations requiring retention of information, most organizations enjoy broad latitude in determining what information to retain and for how long they retain it.
Many organizations retain much more data (and for longer periods) than their business or legal and regulatory obligations require. This tendency has been encouraged by the emergence of cheap storage, big data, and the proliferation of applications and devices that instigate ever more creation, consumption, and storage of data. While inertia may have been a prevailing approach to IG before Dobbs, the demise of Roe v. Wade and the prospect of aggressive enforcement of state abortion bans provide a powerful incentive to upgrade your organization’s IG program now.
A good IG program is well documented and well managed in the ordinary course of business. Program documentation should include, at a minimum, a record retention policy and schedule defining the business records of the organization and specifying how long they are retained.
A data privacy policy is a must-have addition in states that have enacted data privacy laws, but also an increasingly important policy that all organizations should have to establish a process and rationale for data minimization. Additional policies to consider might include an acceptable use policy, BYOD (bring your own device) mobile device policy, social media policy, and legal hold policy.
Someone in the organization needs to own the program, and with this ownership comes the responsibility for educating, training, and delivering the tools and instructions that enable everyone in the organization to comply.
With updated documentation, organizations should then turn to implementation and compliance. Implementation of record retention requires a plan for establishing a sanctioned repository of official business records, scheduling the routine disposal of non-records, and enforcing the regular purge of expired records. Among the most challenging aspects of implementation is applying retention to user-controlled data, such as email and messaging.
The most important steps an organization can take to enhance data privacy are (1) limiting the PII it collects; (2) when it does collect PII, knowing where it goes; and (3) aggressively minimizing it. Ideally, organizations will limit the type and amount of PII it collects and will enact policies that minimize the length of time this information is retained.
The impending California Privacy Rights Act (CPRA),[1] which will likely influence state privacy laws across the country, requires data minimization. Among other requirements, the CPRA provides:
[A] business shall not retain a consumer’s personal information or sensitive personal information for each disclosed purpose for which the personal information was collected for longer than is reasonably necessary for that disclosed purpose. CPRA § 1798.100(a)(3).
A business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed. CPRA § 1798.100(c).
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.[2] CPRA § 1798.100(e).
As a practical matter, tracking where an organization stores its PII is among the most important steps the organization can take in order to implement data minimization. Tracking is necessary to identify the PII the organization collects and to properly protect it, minimize its retention, and defensibly purge it once it has expired. Where PII is retained, consider anonymizing it by, for example, only retaining demographic information that may be needed for reporting or other business purposes.
Tracking and purging are also helpful in effectively assessing and responding to requests for information that may be issued by law enforcement and citizens exercising private rights of action under some state abortion bans. After all, the recipient of an information request, subpoena, or warrant cannot produce data it does not possess. In the absence of a legal, regulatory, or business critical need requiring retention, and in order to comply with data privacy laws, an organization’s PII should be minimized and regularly purged.
As state laws and regulation of abortion become clearer in the months and years following the Dobbs decision, personal data will likely become central to efforts to enforce them. The ubiquity of personal data may implicate information in the possession of any organization and should urge every organization to evaluate and take steps now to ensure that this information is protected. IG policies provide the means to lawfully and defensibly minimize, track, and purge personal data in the ordinary course of business.
Program Documentation
Data Minimization Critical Steps
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
Philadelphia
Kristin M. Hadgis
April L. Sherwood
Washington, DC
Sharon Perley Masling
Jonathan Zimmerman
Chicago
Saghi (Sage) Fattahian
San Francisco
W. Reece Hirsch
[1] The CPRA will apply to employee and applicant data as of January 1, 2023.
[2] Cal. Civ. Code § 1798.81.5 (b) provides: “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”