SENATE, No. 2539

STATE OF NEW JERSEY

219th LEGISLATURE

 

INTRODUCED JUNE 8, 2020

 


 

Sponsored by:

Senator  LINDA R. GREENSTEIN

District 14 (Mercer and Middlesex)

 

 

 

 

SYNOPSIS

     Restricts use of certain data collected for purposes of contact tracing related to COVID-19 pandemic.

 

CURRENT VERSION OF TEXT

     As introduced.

 


An Act concerning data privacy related to certain health information.

 

     Be It Enacted by the Senate and General Assembly of the State of New Jersey:

 

     1.    a.   To the extent that any public health entity collects data regarding an individual for the purposes of contact tracing related to the coronavirus disease 2019 (COVID-19) pandemic, including digital data from Bluetooth devices or global positioning systems, such health and location data shall only be used by the public health entity for the purposes of completing contact tracing, and the public health entity shall ensure the data is deleted from the entity's records no later than 30 days after the date the data is received by the entity.  If a public health entity shares data collected for the purposes of contact tracing related to the COVID-19 pandemic with a third party entity, the public health entity shall publish the name of the third party entity on its Internet website or on the Internet website of the Department of Health, and shall require that the third party entity only use the data for the purposes of completing contact tracing related to the COVID-19 pandemic and that the third party entity delete the data by the date on which the public health entity is required to delete the data.  To this end, the Commissioner of Health shall require that systems using health and location data for contact tracing purposes automatically delete the data no later than 30 days after the data is entered into the system. 

     b.    A third party entity that misuses or unlawfully discloses COVID-19 contact tracing data shared with it by a public health entity, or that retains the data beyond the date on which the data is required to be deleted, shall be liable to a civil penalty of up to $10,000, which shall be collected by and in the name of the Commissioner of Health in a summary proceeding before a court of competent jurisdiction pursuant to the "Penalty Enforcement Law of 1999," P.L.1999, c.274 (C.2A:58-10 et seq.).

     c.     As used in this section:

     "Contact tracing" means the process of identifying individuals who were in contact with a person who has tested positive for COVID-19 or who was likely exposed to COVID-19, as well as providing support services to the individual.  Contact tracing may include:  verbal interviews with individuals and those they may have had contact with, as well as any other individual who may have knowledge of potential exposure situations; to the extent authorized by applicable State and federal laws, accessing an individual's digital data from a Bluetooth or global positioning system to identify potential exposures; and any other means utilized by a public health entity to track potential exposures to, and the potential spread of, COVID-19 among individuals and population groups within the State.

     "Public health entity" means the Department of Health, any county or local board of health, and any other entity conducting contact tracing in response to the COVID-19 pandemic.

 

     2.    No later than 30 days after the effective date of this act, the Commissioner of Health shall publish on its Internet website proposed guidance on how public health entities and third party entities may use data collected for contact tracing related to the COVID-19 pandemic, and how those entities will be required to ensure the security and confidentiality of that data, including any specific internal audit requirements those entities will be required to implement to guard against misuse or unauthorized disclosure of the data.  The commissioner shall create a mechanism for members of the public to submit comments on the proposed guidance, allow for a public comment period of at least 30 days, and, no later than 30 days after the public comment period closes, publish final guidance on the use of data collected for the purposes of contact tracing related to the COVID-19 pandemic, which final guidance may incorporate appropriate revisions based on public comments received.  Nothing in this section shall be construed to prohibit or delay the implementation of section 1 of this act immediately upon the effective date of this act.

 

     3.    This act shall take effect immediately and shall expire one year after the end of both the state of emergency and the public health emergency declared in response to the coronavirus disease 2019 pandemic.

 

 

STATEMENT

 

     This bill provides that public health entities, including the Department of Health, county and local boards of health, and other entities that collect data regarding an individual for the purposes of contact tracing related to the coronavirus disease 2019 (COVID-19) pandemic, may only use the data for the purposes of completing contact tracing.

     Contact tracing is the process of identifying, and providing support services to, individuals who may have been exposed to COVID-19 through contact with a person who has tested positive for COVID-19 or who has had a serious risk exposure.  Contact tracing may include both verbal interviews with individuals and the use of digital data, such as Bluetooth data and data from global positioning systems, to conduct proximity investigations and identify when individuals may have been in close contact with others.

     The bill requires public health entities to ensure that health and location data collected for contact tracing is deleted from the entity's records no later than 30 days after the date the data is received by the entity.  If the public health entity shares contact tracing data with a third party entity, the public health entity will be required to publish the name of third party entity on the public health entity's Internet website or on the Internet website of the Department of Health.  The third party entity will be subject to the same restrictions on the use of the data as apply to public health entities, and will be required to delete the data by the date on which the public health entity is required to delete the data.  To this end, the Commissioner of Health is to require that systems using health and location data for contact tracing automatically delete the data no later than 30 days after the data is entered into the system.

     A third party entity that misuses or unlawfully discloses COVID-19 contact tracing data shared with it by a public health entity, or that retains the data beyond the date on which the data is required to be deleted, will be liable to a civil penalty of up to $10,000, which will be collected by and in the name of the Commissioner of Health in a summary proceeding before a court of competent jurisdiction.

     The bill requires that, no later than 30 days after the effective date of the bill, the Commissioner of Health will be required to publish on its Internet website proposed guidance on how public health entities and third party entities may use data collected for contact tracing related to the COVID-19 pandemic, and how those entities will be required to ensure the security and confidentiality of that data, including any specific internal audit requirements those entities will be required to implement to guard against misuse or unauthorized disclosure of the data.  The commissioner is to create a mechanism for members of the public to submit comments on the proposed guidance, allow for a public comment period of at least 30 days, and, no later than 30 days after the public comment period closes, publish final guidance on the use of data collected for the purposes of contact tracing related to the COVID-19 pandemic, which final guidance may incorporate appropriate revisions based on public comments received.  The process of adopting data use guidance under the bill will not prohibit or delay the implementation of the remaining provisions of the bill restricting the use of COVID-19 contact tracing data, which requirements will take effect immediately upon enactment.

     The bill will expire one year after the end of both the state of emergency and the public health emergency declared in response to the COVID-19 pandemic.