Privacy’s future tense

In 2009, Vermont implemented VPMS, the Vermont Prescription Monitoring System, creating a database of all controlled-substance prescriptions issued within the state. As with similar systems around the country, the purpose of VPMS is to allow physicians, pharmacists, and other health-care providers to detect patients who might be addicted to or otherwise abusing prescription drugs.

The VPMS law, passed in 2006, was very clear that only health-care professionals would have access to the database. Even so, the bill generated strong feelings. As reported by The Vermont Times Argus (online access limited to paid subscribers):

Rep. Anne Donahue still remembers the tense walk to the House floor “to vote on something I was more scared about than anything we’ve ever done in this building. We were emphatic that this be used only as a tool for public health — that we never, ever allow this deeply personal data to be subject to review by law enforcement agencies. And here we are today, our worst fears realized.”

Donahue’s “worst fears” stem from a proposal by Gov. Peter Shumlin, State Health Commissioner Harry Chen, and representatives of various law enforcement agencies to modify the rules and allow police to access the VPMS database. The change, officials say, would help narcotics officers combat a “prescription drug epidemic”. Allen Gilbert of the Vermont ACLU has lodged a strong objection to the proposal:

This isn’t about prescription drugs, this is about the government collecting data and promising the information will be kept private and when the government promises to protect our private information in an area as sensitive as medical information, I think it’s reasonable that citizens should be able to trust that government will keep its word.

This dispute — regardless of its conclusion — is part of a broader trend, where government agencies take sensitive information collected under one set of guidelines and change the rules, allowing the data to be used in ways originally forbidden. When corporations act this way it’s called breach of faith, breach of contract, or worse. When the government does so it’s called business as usual.

Several other current and ongoing examples:

  • The “Belfast Project” at Boston College: Several dozen participants in “the Troubles” in Northern Ireland provided detailed oral histories to Boston College researchers with the understanding that the material would remain secret until their death. About a year ago, as part of the investigation of a 40-year-old murder, the government of Britain requested immediate access to some of the material, and a U.S. District Court judge granted the request. The case is currently under appeal.
  • Scanning license plates in Connecticut: A number of cities in Connecticut have deployed automated license-plate scanners in police patrol cars to allow immediate identification of stolen or unregistered vehicles. Once a plate has been checked and cleared, there is no need to retain the information about where and when that plate was scanned. Nonetheless, the scanning data across 10 municipalities has been aggregated into a database comprising 3.1 million records on 1.3 million vehicles, enabling what the ACLU has called “retroactive surveillance without probable cause”.

The lesson here is that sincere commitments and honest plans won’t keep data, once collected, from being misused. However trustworthy today’s data steward has proven to be, tomorrow’s may have a different agenda.

As they say on Wall Street, past performance does not guarantee future results.

/Steve/