Sometimes an agency being asked to contribute data within a cross-agency data project may raise legal objections to the sharing of particular fields. It is important to carefully review these objections to address perceived legal barriers and to create consensus around the legality of contributing the data.

The following table outlines the most frequent objections to develop cross-agency sharing along with some sample responses to address those concerns. TDC will include resources and events to help you develop an effective cross-agency sharing.

Table 1: Addressing common legal concerns and myths

Objection Response

A. This is not legal.

This is legal. All federal (and most state) laws authorize data sharing for appropriate governmental and research purposes.

B. This pits individual interests against societal interests.

Well-constructed cross-agency sharing will balance individual and societal interests in a legal, ethical, and politically feasible manner. While individuals have a strong interest in data privacy, they have an equally strong interest in effective and efficient government programs and policies. Cross-agency sharing preserves individual privacy through policies and procedures that include de-identification, as appropriate, and data security, while helping to ensure that government carries out its functions in the most effective, appropriate, and high-quality manner possible.

C. This seems like too big of a project and beyond government’s ambit.

Project sponsors should define a clear scope and articulate systems for how cross-agency sharing will be and will not be used. Cross-agency sharing can make government more efficient and effective at core functions:

Audit
Evaluation
Research
Operations
Budget and policy making

Government continues to own the information it generates or possesses as part of its functions. Government is not giving up control over data; government is simply sharing data to further legitimate governmental purposes.

Note: Government can also elect to partner with universities or other non-profit entities to administer cross-agency sharing based on a determination of what institution is most capable of performing this function.

D. This is uncharted territory.

Integrated data is happening all over the country and is endorsed at the state and federal level. In 2016, the Evidence-Based Policymaking Commission Act of 2016 (H.R. 1831) became law. Its goal is to “focus on the most basic pre-requisite for evidence-based policy: good data.” The National Conference of State Legislatures has prioritized opening government data for public use, including integrated data. The Conference maintains websites devoted to highlighting states that have prioritized expanded use of government data and data transparency on state expenditures or contracts.

E. This requires obtaining individual consent to re-disclose data, which is not administratively feasible.

Most data privacy laws allow the agency holding the data to use or share that data, including personal identifiers, for research or policy-making purposes without obtaining individual consent. While some agencies may wish to update their notice of data privacy or equivalent disclosure to mention the integration of data for public purposes, this is not generally a legal requirement.

F. This makes a data security breach likely.

Data security is always an important consideration whenever government collects and stores data. High-quality cross-agency sharing place a premium on data security. In most cases, the data security provided by cross-agency sharing is stronger and more robust than that applied to the data in their original location. The model MOU and DUL contain rigorous data security requirements to ensure that data are protected.

G. This exposes us to too much liability . . . we are going to get sued.

The major data privacy laws (e.g., Health Insurance Portability and Accountability Act [HIPAA] and Federal Education Rights and Privacy Act [FERPA]) not only allow and encourage data sharing for these purposes, but also do not contain a private right of action for individuals to sue over a data breach or misuse of private data.

Used with permission from AISP Expert Panel Report: Legal Issues for IDS Use: Finding a Way Forward