I am increasingly frustrated by the way private companies force people to give up personal information. This goes beyond the “information” for “service” quid pro quo customers enter into somewhat voluntarily, usually unwittingly, when they sign up for loyalty programs and the like. And it is different than the surreptitious capture of personal information by IT companies without our knowledge or consent. What is getting my goat is coerced information collection.
Two examples come to mind. My kids go to private schools which outsource a lot of services. The cafeteria, for example, is run by Sodexo, rather than by a school chef. Recently schools have taken to “outsourcing” the collection of medical information. The straightforward process of collecting forms needed for adherence to state public health laws about vaccination and participation in sports has become into a multi-step on-line process which forcibly extracts information about the child’s current and past physical and mental health, the health status of the immediate family, etc. The information is extensive and similar to what you might submit were you to see a new primary care doc or be admitted to a hospital. Last summer I counted SEVENTEEN separate forms I had to complete online for one child in one school. Companies like Magnus Health sell these digital database services as a way of centralizing student health information and reducing the school’s costs. The time sink for parents is not taken into consideration. There is no opt-out, in general or for specific questions. You have to answer all questions to be “compliant”. The company uses the school’s supposed requirements (which are actually pretty limited in terms of health data) to extract an impressive amount of peripherally relevant data from parents.
Why do I care? Because this is my kid’s medical information that is being GIVEN to an IT company that is probably not subject to HIPAA privacy requirements. Just because a company handles health data does not mean it has to keep that information private and secure. (A point to keep very much in mind when you do ancestry or non-clinical genetic testing or submit health related data to an App.) A company like Magnus does not bill for health services, so for the Feds it is not a “covered entity” which must comply with HIPAA. Nor does the school bill for health services. Moreover, FERPA which regulates the use of student data does not even apply to private schools since they do not receive federal funds. It seems such companies are free to do what they want with their data collections. They have information about which kids have been treated for concussions, eating disorders, allergies, ADHD, cancer, epilepsy... They may claim they do not sell identifiable health information, but I don’t see why I should trust them. I suspect, but don’t know, that they do sell the aggregated, deidentified data. Whatever their business model, I simply do not want to give them the extent of data they ask for. I have no contract with these companies, they are not sufficiently regulated. It feels like the schools are negotiating away my “right” to medical privacy by hiring them.
Much less worrisome, but still coerced, is the information collected by the educational testing companies. To sign up for the SATs and ACTs, for which parents pay upwards of $70 a test, the parent or child has to spend over an hour answering questions about finances, educational aspirations, future work goals, etc. Just to sign up, customers must wade through dozens of questions designed to build a student profile that I suspect is sold to prospective colleges and other companies. The day of the test, the student has up to 30 minutes of additional personal questions they must answer prior to taking the biggest test of their scholastic career! This too is coerced data collection. Is it crazy to think that if corporations want personal data, that collection should be separate from the purchase of the product and somehow limited? Frankly, they should reward the customer for doing them the favor.
Where else is personal data collection coerced? I think that company wellness programs, which collect lots of personal health info, have to be voluntary… But I’m curious about where else people are explicitly being forced to provide personal data to corporations when that data is not central to their “customer” experience or in cases where they are not even the customer. And am I the only one who objects?