Health Information in the Background: Justifying Public Health Surveillance Without Patient Consent

  • Lisa M. Lee
Part of the Law, Governance and Technology Series book series (LGTS, volume 11)


Often we think of collecting, storing, and using health data without patient consent as unethical and illegal. However, there are situations where the collection of health information without consent is not only ethical and legal, it is essential for community and public health. Public health surveillance – the ongoing, systematic collection, analysis, and interpretation of health-related data with the a priori purpose of preventing or controlling disease or injury, or identifying unusual events of public health importance, followed by the dissemination and use of information for public health action – allows the government to meet its ethical obligation to protect the health of the population. By adhering to public health ethics principles, public health surveillance systems, including pervasive information and computing technology (PICT), can be designed and implemented in ways that both honor individuals and protect communities.


Public Health Intervention; Public Health Official; Public Health Professional; Basic Interest; Syndromic Surveillance

3.1 Introduction

Surreptitious data collection and use is a fact of life for all of us in the global village, whether we are surfing the Internet in a bustling city in the most developed country or texting our kin from a remote village in sub-Saharan Africa. Data capture without our knowledge or consent has become pervasive, leaving people across the planet concerned and in some cases even outraged. Calls abound for laws prohibiting collection and storage of data without consent and for firm punishments for violations. In the United States ethical and legal arguments are made by privacy advocates to limit the collection and use of personally identifiable information. These arguments are backed by this country’s foundational liberal political approach to government, its belief that self-determination far exceeds anything other- or government-determined, and its extreme favor of autonomy.

In spite of the individual-centric stance of the United States, the fact remains that we all – even Americans – live in a society with others; our behavior often affects others, known and unknown; and we relinquish some degree of privacy on a daily basis for the sake of the social good. For example, we tolerate the invasion of privacy that accompanies the use of closed circuit video systems used to reduce the collective costs (in the form of higher prices) of the crime of shoplifting. We provide our social security numbers, dates of birth, and mothers’ maiden names to our credit card companies to reduce the collective cost of theft of credit card information and unauthorized charging.

Often people are sensitive about their privacy with regard to intimate details of their lives, details that many of us would prefer were known only to a very small, select group of close friends and family. For most of us, this particularly sensitive sphere of knowledge encompasses our sex lives, our income, and our health – or, perhaps more accurately, problems with our health.

In the United States, as in many other places, personal health is highly valued and the health of others, including complete strangers, is valued only somewhat less. The values we place on privacy and on health are often in tension. The key question of this chapter is this: How much are we willing to share about our personal health to better the collective health of our communities?1

This chapter is presented in three parts. The first is largely descriptive, giving an overview of the historical and contemporary role of surveillance in public health and legal responsibility for public health. The second part takes a more normative turn, briefly exploring the competing values of privacy and public health. The third section provides ethical justification for public health surveillance without consent, including suggested policies and safeguards necessary to protect both privacy and public health.

3.2 Population Health Surveillance

This section describes two forms of population health surveillance – public health and syndromic surveillance – and the legal responsibility for public health oversight and action in the United States.

3.2.1 Public Health Surveillance

Public health surveillance has been used for hundreds of years to monitor and improve community health at the local, national, and international levels. Recognizable elements of public health surveillance were seen first in the United States in 1741 when the colony of Rhode Island required reports to health officials from tavern keepers about persons with “contagious diseases,” as indicated by coughing, sneezing, and fever (Thacker 2010). Tavern keepers were required to report instead of health care providers, as persons were more often seen by the former than the latter. By 1874 Massachusetts became the first state to enact voluntary weekly reporting of infectious conditions using postcards (Bowditch et al. 1915) – a method that was used by states for over 100 years, replaced by telephone reporting in the late 1980s and digital reporting in the 2000s. It was after two severe epidemics in the early twentieth century – poliomyelitis and influenza – that all states began participating in national morbidity reporting (National Office of Vital Statistics 1953). Public health surveillance is defined as the ongoing, systematic collection, analysis, and interpretation of health-related data with the a priori purpose of preventing or controlling disease or injury, or identifying unusual events of public health importance, followed by the dissemination and use of information for public health action (Lee and Thacker 2011).

Public health surveillance depends on an ongoing, dynamic seven-step process that provides continuous feedback to ensure each step is informing the previous and next (Fig. 3.1).
Fig. 3.1 Ongoing, systematic steps of public health surveillance

Designing the system requires knowledge and precise definition of the condition or behavior to be reported and acted upon. The public health professional, usually an epidemiologist, must understand the source(s) of data – to whom and where the “cases” are likely to present, when during the course of the condition an individual will seek care, or where the behavior might be exhibited, disclosed, or recorded. The epidemiologist must consider the plan for how data will be obtained, whether they will be reported to the health department via notification forms or whether staff will perform active surveillance where cases are sought on a regular basis via phone call, visits, or electronic data exchange.

In addition, the epidemiologist must consider carefully what data elements are necessary to achieve the public health purpose of the system. It is an important ethical principle for the system to contain only the data necessary to achieve its public health purpose. Careful planning ensures that the system does not contain superfluous data that could bring privacy or confidentiality risk to persons about whom data are collected. While deciding what data elements to collect, the epidemiologist also must consider what types of analyses will be necessary to examine the public health question at hand to ensure the needed data are collected about each case. Knowing what an analyst will do with the data is critical to planning, as it serves no one if key data are missing once analyses are started.

Importantly, planning and design also requires engagement of affected communities – both those affected by the condition to promote clear understanding and expectations of the system as well as by those affected by the requirements of the reporting system, usually health care providers. It is often during this stage of system planning and development where public trust is gained or lost. If affected communities are taken by surprise, are unaware of how a new system might impact their privacy and confidentiality and how those risks might be reconciled with the benefits gained by the resulting public health action, there is likely to be little cooperation regardless of any law or policy mandating participation.

The next steps – collecting, collating, analyzing, and interpreting data – are undertaken by experts familiar with the disease, condition, or behavior under surveillance; the case definition; the characteristics of the data and how they are to be collected; and the population from which the data are collected. Knowledge of these important aspects of the system allows the analyst to determine appropriate analytic methods, identify unlikely findings (such as unexpected associations between risk factors and diseases, diseases in atypical places or populations, and false positives), test for data accuracy, and avoid over- or under-interpreting findings.

The final steps in a public health surveillance system require dissemination and communication of findings for public health action. Use of data and findings to affect change for health is considered a key step defining public health surveillance. Collection of data without directed public health action is not public health surveillance, but another form of inquiry, such as research or health surveys. In order to provide the best course of action, findings from the public health surveillance system must be disseminated and communicated to those able to implement change and responsible for ensuring results.

Modern public health surveillance is a cooperative effort that includes health care providers, laboratories, and health facilities, all of which have the legal responsibility to report conditions as indicated by state legislation (see Sect. 3.2.3). Most states adopt a subset of conditions deemed reportable by the Council of State and Territorial Epidemiologists (CSTE), a group constituted by state epidemiologists from each state, in collaboration with the Centers for Disease Control and Prevention (CDC). As of August 2011, CSTE recommended that states require 8 conditions be reported as extremely urgent (within 4 h), including anthrax, botulism, plague, paralytic poliomyelitis, SARS-associated coronavirus, smallpox, tularemia, and viral hemorrhagic fevers. In addition, they recommended 11 urgent conditions to be reported within 24 h and 61 standard conditions to be reported electronically within 7 days. The list of conditions that are reportable by health care providers to the state health department varies somewhat by state, but a core set of conditions is reported by all jurisdictions. Once collated at the state health department, reports are then deidentified and forwarded to CDC for national-level public health action.

3.2.2 Syndromic Surveillance

Surveillance of early health indicators is called syndromic surveillance and has been defined as “the ongoing, systematic collection, analysis, interpretation, and application of real-time (or near-real time) indicators for diseases and outbreaks that allow for their detection before public health authorities would otherwise note them” (Sosin 2003).

Syndromic surveillance was added to the public health arsenal in the 1990s to facilitate the quickest possible response to urgent health threats. Instead of waiting until a specific condition is diagnosed, public health officials can combine information from signs and symptoms, exposures to infectious agents or environmental conditions, and health-related behaviors to identify unusual patterns in groups or communities that might indicate an impending concern for which planning and decision making can begin before cases are diagnosed. Depending on how closely related these pre-disease indicators are to the development of an actual case of the condition of concern, there will be some proportion of false-positives (persons with the pre-disease indicator who do not develop the condition). The further an indicator is from the development of the condition, the higher the proportion of false-positives.

The concept of collecting information about novel public health events, or events that were not linked to identifiable diagnoses, has been a function of public health surveillance for many years. Numerous ‘syndromes’ have been identified by astute clinicians reporting unusual symptoms to their state epidemiologists and to CDC through their public health surveillance systems (Goodman et al. 2012). In recent history, public health professionals identified a number of important and new conditions using syndromic surveillance including Reye’s syndrome in 1936, Legionnaires’ disease in 1976, Lyme disease in 1977, toxic shock syndrome in 1978, HIV/AIDS in 1981, and SARS in 2003 (Goodman et al. 2012). The definition of public health surveillance and many state statutes specify a requirement to report unusual events of public health importance in addition to the list of conditions a health care provider must report. This allows for the early recognition of unknown syndromes or identification of associated risk factors and etiology that can then be used to initiate public health actions for prevention and control.

3.2.3 Legal Responsibility for Public Health

U.S. Constitutional Law restricts the jurisdiction of the federal government to matters specifically enumerated in the U.S. Constitution; the remaining legal matters are left up to the states. As the Constitution is silent on matters of public health (with the exception of matters falling under the commerce clause and licensing and regulation of drugs, biologics, and devices in some public health situations), matters of controlling the public’s health fall within the police powers of the states (Nesland et al. 2010).

Mandatory reporting of diseases and other health indicators in the United States is established through state legislative action whereby states require, via law, regulation, or rule, certain diseases, conditions, or health indicators, along with personal identifiers, to be reported by certain professionals (such as health care providers, teachers, and pharmacists) or certain entities (such as laboratories, schools, or clinics) (Roush et al. 1999). Which specific diseases and conditions are subject to reporting is decided through an annual consensus process involving state epidemiologist-members of CSTE and subject matter experts at CDC. CSTE maintains the list of recommended reportable conditions and states decide whether to adopt the reporting requirement. Ultimately individual state input determines what conditions make their list and most states have a provision for unusual or unknown conditions of concern. States update their list of reportable conditions in different ways, depending on whether it is law, regulation, or rule that determines reportability. More states are adopting a flexible model that allows easier additions to and subtractions from the list of reportable conditions, by, for example, using a rule change instead of the creation and passage of an entirely new law.

The state-level legislative process required to add reportable conditions acts as a form of checks-and-balances for the boundary between “necessary to know” and “intrusive data collection.” A democratic process allows for public deliberation – through ballot initiatives or election of certain officials – to determine the extent to which collecting information might be considered a ‘greater good’ for the population. While reasonable people might disagree on what constitutes a greater good, deliberating transparently encourages favorable participation even if persons disagree on the final result.

This process is predicated on public trust in public health professionals and their ability to maintain the confidentiality and security of reported data. Public health largely has been successful in gaining and maintaining that public trust.

3.3 Privacy and Health

3.3.1 Privacy

Philosophers and ethicists have argued whether privacy is a normative value itself or is subsumed in the more fundamental value of autonomy and respect for persons. Privacy is recognized as an integral part of the human need for protection of one’s intimate self; control over disclosure of one’s beliefs, desire, and personal history; protection of one’s physical self; and assurance that important and sensitive decisions that affect personal and family life are made, and subsequent disclosure regulated, without interference (DeCew 2012; Allen 2004).

Conceptually, privacy can be subsumed in respect for persons insofar as respect entails honoring a person’s autonomy; by respecting a person’s private decisions and actions, which are assumed to be based on personal and individual judgments of that which is valued in a good life, we respect her self-directed existence. Whether privacy is viewed as an aspect of autonomy or as its own normative value is less important than the broad acknowledgment by most philosophers that privacy is necessary for human dignity.

Privacy has been discussed in the philosophical literature since Aristotle, when he first observed the polis (public or politics) and the oikos (household or family) as separate spheres in our lives. Concerns about technology and privacy are not new. In the late nineteenth century, Samuel Warren and Louis Brandeis ignited public discussion about how new technologies were invading privacy by disseminating details about the private lives of individuals without their knowledge or permission, which ran counter to the population’s expectation of a protected private life. These new technologies – photography and the mass printing and distribution of daily newspapers – led to major changes in how people learned private details about each other’s lives (DeCew 2012). In 1890, Warren and Brandeis promoted a “right to one’s own personality” and asserted that “the existing law affords a principle from which may be invoked to protect the privacy of the individual from invasion” (Warren and Brandeis 1890). Later, as an Associate Justice of the U.S. Supreme Court, Brandeis declared in his dissent to Olmstead versus United States (1928) that “the right to be let alone [is] the most comprehensive of rights and the right most valued by civilized men (sic).”

A comprehensive definition of privacy has been elusive. Privacy encompasses many aspects of modern life:
  • Physical privacy, as represented in bodily integrity.

  • Decisional privacy, or freedom from interference with autonomous life choices.

  • Proprietary privacy, including maintaining ownership of one’s identity.

  • Informational, such as maintaining confidentiality of medical information (Allen 2004).

Warren and Brandeis’s pithy description of the “right to be let alone” (Warren and Brandeis 1890) has been used to describe several types of privacy, but scholars disagree about whether privacy is in itself a right or merely a specification of liberty. Either way, the important aspect of privacy with respect to public health surveillance – or surveillance of any kind – is the fact that it involves being observed, generally without the knowledge or consent of the observed, who also knows nothing about how or under what circumstances the observations will be used. How can this type of imposition on autonomy, this invasion of privacy, this violation of liberty, be justified ethically?

3.3.2 Health Data Collection for the Public Good

Scientific justification of data collection for the public good is well documented (Brown 2000; Carrel and Rennie 2008; Tu et al. 2004; Verity and Nicoll 2002). Data are needed for scientific and medical research, such as development of chemotherapies or methods of infection control, as well as biobehavioral research that informs behavioral influences on health. Data are also needed to support a learning health system (Friedman et al. 2010) – a health system that improves by learning from itself by establishing a system of quality improvement that combines health services research and comparative effectiveness analyses of routinely collected clinical data. The aim of the learning health system is to improve both quality and efficiency of health care for all patients. In addition to improving clinical medicine for individuals, medical data are needed to drive recognition of public health threats, implement appropriate interventions, and evaluate effectiveness of action for communities and populations.

Public health surveillance data are the foundation of all public health action. The public expects public health officials to act swiftly to reduce morbidity and mortality as much as possible. To do so, officials must ensure the unbiased, complete, representative, and timely collection of information from the populations they serve. The legal justification for public health data collection has a long history and is clear. Often it occurs in the ‘background’ of the health system with reportable disease notifications sent to local or state health officials by health care providers without individual patient consent per state laws (see Sect. 3.2.3).

3.4 Ethical Justification for Public Health Surveillance Without Consent

3.4.1 Public Health Ethics

Public health ethics developed as a distinct field in the late 1990s as it became clear that the prevailing bioethical approaches were unable to accommodate the increasing complexities of public health responsibilities. Clinical practice differs from public health practice in at least three important ways that create a poor fit of bioethics to public health (Lee 2012).
  1. Medicine focuses on the individual as patient, whereas public health focuses on community or population as patient: The health of the individual matters in clinical practice and the health of the community matters in public health practice. By definition, then, clinicians see patients they know (or can come to know), whereas public health practitioners provide interventions for persons most of whom they never see or meet and who remain largely unknown to them.

  2. Medicine historically is concerned with curative interventions, either chemotherapeutic or procedural, whereas public health is primarily concerned with prediction, anticipation, and prevention. Public health’s tools are not prescriptions or surgeries, but policy and law, behavioral-change strategies, sanitation, and adjustments to the built environment.

  3. Clinical medicine relies on a small number of similar disciplines with similar training to carry out its tasks. In contrast, public health relies on a breadth of professional disciplines with varied training and backgrounds to achieve its mission.


These contrasting characteristics bring different ethical challenges to the forefront of medicine and public health, the most obvious of which is the tension between individual autonomy and public benefit. A fundamental question for many public health activities, including public health surveillance, is how far can public health impinge on an individual’s liberty for the sake of the health of the community?

3.4.2 Mill’s “Harm Principle”

It is nearly universally, albeit naively, held that John Stuart Mill’s “harm principle” serves as the normative justification for any state intervention over individual action – and that such intervention is ethically acceptable only when it prevents harm to others. The use of Mill’s harm principle to support autonomy as the supreme value stems largely from the field of bioethics and its narrow misinterpretation of Mill’s thoughts on liberty (Dawson and Verweij 2008). Mill indeed stated that, “the only purpose for which power can be rightfully exercised over any member of a civilized community, against his will, is to prevent harm to others” (Mill 1859, p. 14). But to stop there is akin to misquoting, as Mill goes on to state:

His own good, either physical or moral, is not sufficient warrant. He cannot rightfully be compelled to do or forbear because it will be better for him to do so, because it will make him happier, because, in the opinions of others, to do so would be wise, or even right. These are good reasons for remonstrating with him, or reasoning with him, or persuading him, or entreating him, but not for compelling him, or visiting him with any evil in case he do otherwise. To justify that, the conduct from which it is desired to deter him, must be calculated to produce evil to someone else. The only part of the conduct of anyone, for which he is amenable to society, is that which concerns others. In the part which merely concerns himself, his independence is, of right, absolute. Over himself, over his own body and mind, the individual is sovereign. (Mill 1859, p. 14)

Persons opposed to public health interventions often claim that Mill’s “harm principle” (as truncated above) requires us to not be paternalistic in any way. This passage clearly shows that Mill acknowledged that we do have good reasons to “reason with” and “persuade” people to “do otherwise,” which is what public health often does. Furthermore, actions that society can rightfully censure are limited to those that are “calculated to produce evil to someone else.” These all clearly are supportive of public health interventions, not in opposition as suggested by the truncated and misleading version of the passage concerning the “harm principle.”

Mill calls attention not only to the liberty a state owes individuals, but also clearly asserts that individuals owe their community:

Those interests, I contend, authorize the subjection of individual spontaneity to external control, only in respect to those actions of each, which concern the interest of other people. If any one does an act harmful to others, there is a prima facie case for punishing him, by law, or, where legal penalties are not safely applicable, by general disapprobation. There are also many positive acts for the benefit of others, which he may rightfully be compelled to perform; such as, to give evidence in a court of justice; to bear his fair share in the common defence, or in any other joint work necessary to the interest of the society of which he enjoys the protection; and to perform certain acts of individual beneficence, such as saving a fellow creature’s life, or interposing to protect the defenceless against ill-usage, things which whenever it is obviously a man’s duty to do, he may rightfully be made responsible for not doing. A person may cause evil to others not only by his actions but by his inaction, and in either case he is justly accountable to them for the injury. (Mill 1859, p. 15)

Mill was not writing about public health or propriety of the state’s prohibition of super-sized portions of fast food. His essay makes it clear from the opening pages that he was deeply concerned with the importance of liberty with respect to the tyranny of the majority. The complexity and nuance of his thoughts on liberty are done a grave disservice by the simplification that occurs when these ideas are reduced to the “harm principle” and by the dismissal of the remainder of the essay, which describes the responsibilities we have to each other.

There is a long history of those in opposition to public health interventions holding up the “harm principle” as the reason to reject any public health action other than those that prevent direct harm to another. Many ethicists and scholars who believe in the primacy of autonomy hold Mill’s abbreviated principle high as proof of great thinkers supporting an entirely autonomous life.

However, the seminal case, which remains key in defending public health interventions today, is the 1905 case of Jacobson versus Massachusetts in which Henning Jacobson refused the required smallpox vaccination and was ordered to pay a $5 fine or face imprisonment. The U.S. Supreme Court held that when there is “great danger” the state has compelling interest in using its police powers to enforce the “social compact” it has with its citizens to protect the common good and to do so even when it at times intrudes on the free will of any one man (Jacobson v Commonwealth of Massachusetts 1905). The text of the Court’s proceedings articulates the delicate balance of personal liberty and societal best interests on both the ethical and legal fronts.

Today scholars are calling for a closer look at Mill to reconsider his notions in the context of public health ethics, where the focus is not on the health of individuals but rather on the health of the population (Jennings 2009). They are asking for a thorough and nuanced look into Mill’s writings to better understand the role of liberty vis-à-vis societal interests in a democratic state (Powers et al. 2012).

Early scholars such as Dan Beauchamp (1980) began outlining the tensions between public health and personal liberty in the 1980s, but it was not until alternative frameworks for ethical problem solving in public health were proffered in the 2000s that the field began to separate itself from medical and bioethics. These alternative frameworks have sorted themselves into two broad categories (Lee 2012) – those that come from a very practical perspective focused on the observed needs of public health professionals struggling with ethical questions in their daily practice; and those that come from a theoretical perspective, a specific ethical school of thought aimed at maintaining philosophical rigor regardless of its applicability.

While over a dozen distinct public health ethics frameworks have been offered by various authors over the past couple of decades, all of them, whether they come from a practical or theoretical perspective, specify the need to balance personal liberty with the obligation to protect the community’s health (Lee 2012). Reconciling autonomy with the greater good requires a move from the highly liberal ethical stance where autonomy is considered not a prima facie value, but the supreme value that trumps all others, toward a more collective perspective where our obligations to each other are demanded by principles such as justice, equity, and transparency, each of which may moderate autonomy.

3.4.3 Justifying Public Health Surveillance Without Consent

It is in the center of this dilemma – when can the state override individual liberty for the sake of improving health – that the ethics of public health surveillance is argued.

In the case of public health surveillance, competing ethical priorities include the prima facie values of autonomy in the sense of personal informational privacy, and beneficence in a broad sense, encompassing governmental responsibility in the form of the public health enterprise’s obligation to improve population health. This mismatch between bioethics, with its primacy of autonomy, and public health ethics, with its obligation to both benefit the population and not harm the individual, demands resolution.

In the context of popular belief in the primacy of autonomy, much has been written about the need to use health data generally to support the claim that governments and other health care providing institutions are morally obligated to provide the most effective and efficient care to the greatest number of citizens possible. This collection and use of data requires that the public participate, and public participation requires public trust. Gostin proposed national-level policy changes that support collecting health data under uniform rules that protect individual privacy to reconcile the “equally compelling public and private claims from the ethical and constitutional perspectives” (Gostin 2001, p. 332). Scientists and clinicians cannot maximize public health or clinical care benefits without access to public health data, and access to those data depends on the public’s trust that they are protected from both rogue access and inappropriate use. The secure space for private information to be used for public good is provided by policies that constrain the use of data to those purposes for which they were intended and protect data from unauthorized access.

Gostin and I have proposed a framework for national privacy protection of public health data collected for any legitimate public health use – including public health surveillance – at all levels of government (Lee and Gostin 2009). These policy protections should be attached to and travel with the data, regardless of where and by whom they are stored or used, for the life of the public health data. The policy protections should be predicated on values of interdependence, ethical oversight, and scientific evidence and include guidance such as mandates to
  • collect the minimum amount of data necessary to achieve the public health objective, including leaving off personal identifiers when possible,

  • engage affected communities when developing data collection and data dissemination plans, especially when data release might add burdens to an already stigmatized group, and

  • ensure that public health professionals who have contact with data are active and responsible stewards ultimately accountable for the protection of data and information (Lee and Gostin 2009, p. 83).

We recommend that such a policy be operationalized with ten basic requirements (Lee and Gostin 2009).

The first two requirements entail ensuring that data are collected only for legitimate public health purposes and that only the minimum necessary data are collected. Quite the opposite of a researcher who can collect whatever data a consenting participant agrees to share, public health officials must collect data judiciously and include only those data that support the public health purpose for which they are needed. Agencies should not hold data they will not need or use. Since nothing of use will come from these data, only two outcomes are possible: nothing or a breach. This type of risk cannot be ethically justified. This principle of data parsimony also dictates the destruction of data that have ceased to be useful for a public health purpose as well as any data that are inadvertently or incorrectly collected, such as those false-positive reports collected in syndromic surveillance systems.

The third requirement is to implement strong policies and practices for data security to ensure privacy of personally identifiable information. These policies must include procedures for swift corrective action and appropriate sanctions for violators. The creation and enforcement of such constraints engender public trust.

The fourth requirement includes careful consideration of the rights of individuals and communities. Policies should reflect respect for individuals as well as communities, both in terms of data collection and data release.

Fifth, data collected must be of high enough quality to meet the public health goals of the activity. They should yield accurate evidence that can be applied justly.

Sixth, data must be disseminated to relevant stakeholders for action. Public health officials should share with stakeholders information about how data are collected, how they will be used, and the findings they make possible.

Seventh, if data are to be used for other public health purposes consistent with the intent of their collection, clear data use agreements should be signed by all parties, specifying intent, scope, and disposition of data.

The next two requirements involve data security: Data, paper or electronic, must be held securely at all times, while in use and at rest. Security should be reviewed annually and the latest security measures put in place to secure the information from possible intrusions. In order to minimize risk, only those persons with a need to know should have access to identifiable data, and this should be the smallest number possible.

Finally, all persons involved with the collection, storage, and use of public health data must be active, responsible stewards of the data to which they have access. Authorized persons must be aware of their personal responsibility to protect the data and the need to protect the privacy of the individuals whose data are entered into the system (Lee and Gostin 2009).

Guidelines for protecting public health data are helpful only if they are adopted. Adopting and implementing consistent policies, however, has proven challenging given the legal structure under which public health is practiced in the United States, but this fragmentation only increases the need for such consistent approaches.

In an attempt to reconcile the common good and individual rights, Fairchild and Johns consider it time to “[embrace] a new approach for research in public interest domains” (Fairchild and Johns 2012, p. 1449), including public health. It behooves us to recognize that there are issues that different ethical paradigms will resolve in different ways; it is essential that we apply the right paradigm, then, in the right circumstances.

With more than a dozen public health ethics frameworks, how does one ensure application of the right paradigm in the circumstance of public health surveillance? My colleagues and I examined the question of whether public health surveillance without patient consent is supported by the principles of public health ethics (Lee et al. 2012). We posited that public health surveillance would be ethically justified if its practices “[met] the affirmative and refrain[ed] from violating negative operating principles” of the existing public health ethics frameworks (Lee et al. 2012, p. 41). Although based on different theoretical underpinnings, several common operating principles emerged from the 13 public health ethics frameworks we reviewed. The common ethical principles included community, justice, interdependence, duty, human rights, autonomy, imposing minimal interference, ensuring intervention is necessary and effective, providing evidence that benefits outweigh infringement, reducing inequities, transparency, and inclusiveness. We then evaluated the best practices for the seven steps of public health surveillance and concluded that “a well-designed public health surveillance system that engages affected communities, collects the minimum data necessary, stores data securely, and uses data for public health action” (Lee et al. 2012, p. 43) is supported by contemporary public health ethics frameworks even when conducted without explicit patient consent.

Rubel, finding no adequate guide to the conflicts between privacy and public health surveillance, takes a “basic interests” approach to justifying the collection of public health data without patient consent (Rubel 2012). The foundation for this approach is Rawls’s view that persons living in a pluralistic society have basic interests regardless of their conception of a good life, and that these basic interests therefore supersede personal interests based solely on that conception (Rawls 2001). Health, maximized in large part through public health, is one of these interests, and unless another person’s basic interests are at stake, activities that promote society’s basic interests are generally justifiable, perhaps obligatory. Rubel offers several conditions that temper the permissibility of public health interventions that promote health as a basic interest, and calls this the “unreasonable exercise argument” (Rubel 2012, p. 12). This argument allows for conditions where persons could justify a privacy claim over a public health good, specifically where there are important personal interests the exercise of which would not unreasonably burden the basic health interest. Using this approach, Rubel argues that public health interventions – including public health surveillance – that are necessary to further the basic interest of health are justified when implementation does not impose on another person’s basic interests.

3.5 Conclusion

Collecting and using data without one’s knowledge or consent does not always constitute an ethical affront. In the context of health – considered a human right by some, a basic interest by others – pursuing the best possible outcomes is not possible on an individual level; population health is critical for individual health and the role of public health surveillance in population health is indispensable. The role of a government in protecting and enhancing the health of its people, thus meeting a basic interest of its population, is clear when the activities necessary are those that individuals cannot implement themselves. In a pluralistic society there will be disparate views on how much information the government ought to collect and store about its citizens, but there is no argument that it is possible to collect, store, and use public health surveillance data under ethical circumstances to better the health of a nation.


  1. While the chapter focuses on the United States, most modern public health systems conduct similar surveillance and confront issues related to reconciling privacy and public health.



The author would like to acknowledge Dr. Frances McCarty for her thoughtful comments on the chapter.

The findings and conclusions in this report are those of the author and do not necessarily represent the official position of CDC.


  1. Allen, A. 2004. Privacy in healthcare. In Encyclopedia of bioethics, 3rd ed, ed. S.G. Post, 2120–2130. New York: Macmillan Reference USA.
  2. Beauchamp, D.E. 1980. Public health and individual liberty. Annual Review of Public Health 1: 121–136.
  3. Bowditch, H.I., D.L. Webster, J.C. Hoadley, et al. 1915. Letter from the Massachusetts State Board of Health to physicians. Public Health Reports 12(Suppl): 31.
  4. Brown, P. 2000. Cancer registries fear imminent collapse. BMJ 321(7265): 849.
  5. Carrel, M., and S. Rennie. 2008. Demographic and health surveillance: Longitudinal ethical considerations. Bulletin of the World Health Organization 86(8): 577–656.
  6. Dawson, A., and M. Verweij. 2008. The steward of the Millian state. Public Health Ethics 1(3): 193–195.
  7. DeCew, J. 2012. Privacy. The Stanford Encyclopedia of Philosophy (Fall 2012 Edition), Edward N. Zalta (ed.), Available at
  8. Fairchild, A.L., and D.M. Johns. 2012. Beyond bioethics: Reckoning with the public health paradigm. American Journal of Public Health 102(8): 1447–1450.
  9. Friedman, C.P., A.K. Wong, and D. Blumenthal. 2010. Achieving a nationwide learning health system. Science Translational Medicine 2(57): 1–3.
  10. Goodman, R.A., J.M. Posid, and T. Popovic. 2012. Investigation of selected historically important syndromic outbreaks: Impact and lessons learned for public health preparedness and response. American Journal of Public Health 102(6): 1079–1090.
  11. Gostin, L.O. 2001. Health information: Reconciling personal privacy with the public good of human health. Health Care Analysis 9: 321–335.
  12. U.S. Supreme Court. 1905. Jacobson v Commonwealth of Massachusetts, 197 U.S. 11.
  13. Jennings, B. 2009. Public health and liberty: Beyond the Millian paradigm. Public Health Ethics 2(2): 123–134.
  14. Lee, L.M., and L.O. Gostin. 2009. Ethical collection, storage, and use of public health data: A proposal for a national privacy protection. Journal of the American Medical Association 302(1): 82–84.
  15. Lee, L.M., and S.B. Thacker. 2011. Public health surveillance and knowing about health in the context of growing sources of health data. American Journal of Preventive Medicine 41(6): 636–640.
  16. Lee, L.M. 2012. Public health ethics theory: Review and path to convergence. The Journal of Law, Medicine & Ethics 40(1): 85–98.
  17. Lee, L.M., C.M. Heilig, and A. White. 2012. Ethical justification for conducting public health surveillance without patient consent. American Journal of Public Health 102(1): 38–44.
  18. Mill, J.S. 2008 [1859]. On liberty. In John Stuart Mill: On liberty and other essays, ed. J. Gray, 5–128. London: Oxford University Press.
  19. National Office of Vital Statistics. 1953. Reported incidence of selected notifiable diseases: United States, each division and state, 1920–1950. Vital Statistics Special Report 37: 1180–1181. Washington, DC: US Department of Health, Education and Welfare.
  20. Nesland, V.S., R.A. Goodman, J.G. Hodge, and J.P. Middaugh. 2010. Legal considerations in public health surveillance in the United States. In Principles and practice of public health surveillance, 3rd ed, ed. L.M. Lee, S.M. Teutsch, S.B. Thacker, and M.E. St Louis, 217–235. New York: Oxford University Press.
  21. Powers, M., R. Faden, and Y. Saghai. 2012. Liberty, Mill and the framework of public health ethics. Public Health Ethics 5(1): 6–15.
  22. Rawls, J. 2001. Justice as fairness. Cambridge: Harvard University Press.
  23. Roush, S., G.S. Birkhead, D. Koo, A. Cobb, and D. Fleming. 1999. Mandatory reporting of diseases and conditions by health care professionals and laboratorians. Journal of the American Medical Association 282(2): 164–170.
  24. Rubel, A. 2012. Justifying public health surveillance: Basic interests, unreasonable exercise, and privacy. Kennedy Institute of Ethics Journal 22(1): 1–33.
  25. Sosin, D.M. 2003. Syndromic surveillance: The case for skillful investment. Biosecurity and Bioterrorism: Biodefense Strategy, Practice, and Science 1(4): 247–253.
  26. Thacker, S.B. 2010. Historical development. In Principles and practice of public health surveillance, 3rd ed, ed. L.M. Lee, S.M. Teutsch, S.B. Thacker, and M.E. St Louis, 1–17. New York: Oxford University Press.
  27. Tu, J.V., D.J. Willison, F.L. Silver, et al. 2004. Impracticability of informed consent in the Registry of the Canadian Stroke Network. The New England Journal of Medicine 350(14): 1414–1421.
  28. Verity, C., and A. Nicoll. 2002. Consent, confidentiality, and the threat to public health surveillance. BMJ 324: 1210–1213.
  29. Warren, S., and L. Brandeis. 1890. The right to privacy. Harvard Law Review 4: 193–220.

Copyright information

© Springer Science+Business Media Dordrecht (outside the USA) 2014

Authors and Affiliations

  1. Office of Surveillance, Epidemiology, and Laboratory Services, Centers for Disease Control and Prevention, Atlanta, USA
