Public Comments: March 2007 Commercial drivers’ license applicants requesting exemption from the diabetes standard have their personal medical information, name, age, and more published in the Federal Register; World Privacy Forum urges changes to the practice

Comments of the World Privacy Forum Regarding Department of Transportation DMS Docket No. FMCSA–2006–26600

VIA FAX and electronic submission to <http://dmses.dot.gov>

March 20, 2007

The World Privacy Forum submits these comments in response to the Federal Motor Carrier Safety Administration’s (FMCSA) request for comments on its notice of applications for exemption from the diabetes standard. The notice appeared in the March 1, 2007 Federal Register at page 9399.

The World Privacy Forum is a non-profit, non-partisan public interest research organization that focuses on in-depth research and analysis of privacy topics. Our website is available at <https://www.worldprivacyforum.org>.

We found the March 1 notice during a routine scan of the Federal Register for matters of interest. The Forum does not typically become involved in transportation issues, but the notice caught our attention because the publication included detailed personal medical information on individual drivers who were identified by name, age, and location.

Our concerns about the March 1 notice relate exclusively to the privacy consequences of the publication of the notice. We take no position on the legality of the procedure FMCSA is using to consider requests for exemption, on the application of the Privacy Act of 1974 to the disclosure, on the granting of exemptions in general, or on the qualifications of the drivers identified in the notice.

We are appalled at the publication in the Federal Register of the medical information of identifiable individuals. The March 1 notice included the full first and last name, the age of the applicant, the middle initial when available (most were), as well as the individual’s medical details, and finally, the state the individual is licensed in. With this information, it was a simple matter to locate a number of the home addresses and telephone numbers of these individuals to a very high degree of confidence by conducting a brief search of the web using the name and state that the individuals were licensed in as keywords.

The published, personally identifiable medical information of individuals combined with their name and age does not belong in the Federal Register, in any public agency document, or on an agency website. The publication makes the information available to virtually anyone who has access to the web and an Internet search engine. Unfortunately for these individuals and their families (see below for more on why other members of the families can be impacted by this publication), the data will remain available indefinitely. We doubt that federal employees would be happy if, for example, as a condition of obtaining or keeping their jobs, details regarding their personal medical information were published in the Federal Register along with their ages and names.

The disclosure of the medical status of these individuals can have consequences for them in other activities, including employment and insurance. Not only are these individuals affected by the publication, but their family members may be affected as well. There is a genetic component to diabetes, and one can make inferences about the health status of the blood relatives of each individual identified in the notice. It is not inconceivable, for example, that the employment prospects of a parent or the child of an applicant could be influenced if an employer learned that there is a family history of diabetes. Similarly, an employer might be less interested in hiring the spouse of a driver if the employer knew that its health plan might be burdened by a family member with diabetes.

While there are laws limiting the use of medical information in hiring decisions, those laws do not always work as they should. When medical information is available from non-medical, public sources – such as the Federal Register – it is possible for employers to factor that information into their employment decisions without the knowledge of the job candidate. Published information may also be used for marketing and profiling purposes by the various companies that aggressively search for, collect, compile, and sell or share personal information.

We assume that the drivers whose health information was published in the March 1 notice had applied for an exemption and presumably knew of the consequences of their applications. Our point is not that the publication was done without their consent (although we doubt that the consent of all potentially affected family members was obtained). Our point is that personal medical information tied to identifiable individuals does not belong in the Federal Register at all. We do not understand how any member of the public is competent to comment on the medical qualifications of these individuals based on the information provided. The description of the medical status of each driver is nearly identical and does not appear to offer any basis for making individual judgments.

We recognize that there are policy questions about whether and how exemptions are granted to drivers with diabetes or with any other medical condition. These policy questions are appropriate subjects for public comment, and we are aware that FMSCA published an advanced notice of public rulemaking on March 17, 2006, Docket No. FMCSA-2005-23151-2. We urge that the rulemaking proceed as rapidly as possible, and we urge that the results include a new method for considering requests for exemption that involve medical determinations. Any method must be more respectful of privacy interests than the current procedures, and should not involve the publication of the personal medical information of applicants.

FMSCA should treat individuals subject to regulation with greater sensitivity and should find another way to address decisions about drivers that are based on personal medical characteristics. The pages of the Federal Register are not the right place to publish the personal medical information of these individuals, where they and their families can suffer potentially negative consequences of such publications for many years.

Thank you for the opportunity to comment.

Respectfully submitted,

Pam Dixon
Executive Director,
World Privacy Forum