Sunday, February 25, 2007

Everyday Privacy and Security: The Drug Store

After a conversation with a friend, I thought I'd cite some examples of how privacy and security impact day-to-day life. Here's the first in the series; though I admit, dissecting the CMEA would take more effort than I have time to fully understand. My ear is still ringing and Battlestar is on in 20 minutes.

The scenario:
Last week I went to see the doctor about my tendinitis and a persistent ringing in my right ear. I rarely go to the doctor, so you must take my word that these were annoying, persistent and painful condititions, resulting in grouchiness, restlessness, nonsensicalitude and Irritable Spouse Syndrome (ISS). I was processed through the HMO machine like a burger at Jack in the Box, with a shot of cortisone in my arm and an Rx for some OTC pseudo-ephedrine.

At Walgreens, I scan the aisles for Sudafed, a rare purchase since I'm not normally an allergy sufferer. I pick up a card for the store-branded Wal-Phed and head over to the pharmacy. The pharmacist asked for my drivers license. I show it to her, figuring it was an age requirement. She asks me to take it out of my wallet. I hand it to her, and she types my information into the cash register. She asks me to sign what looks like a receipt. What for? I'm paying cash. It's the law. It's for the Wal-Phed. So I pay her the $3.50 or so, grab the receipt, my license and leave.

What Just Happened Here:
An ingredient in the Wal-Phed is used to manufacture bathtub methamphetamines (speed/crank). To stem this scourge, the Combat Methamphetamine Epidemic Act (CMEA: part of the USA PATRIOT Act Reauthorization of 2005) placed additional controls on retail sale of ephedrine, pseudoephedrine, and phenylpropanolamine.
Consumers have to show ID and be tracked by retailers so they get just enough to take care of their stuffy nose, but not enough to start up a meth lab. The retailers have to protect the privacy of their congested customers according to the law, thusly:

C) PRIVACY PROTECTIONS.—In order to protect the privacy of individuals who purchase scheduled listed chemical products, the Attorney General shall by regulation establish restrictions on disclosure of information in logbooks under subparagraph (A)(iii). Such regulations shall— ‘‘(i) provide for the disclosure of the information as appropriate to the Attorney General and to State and local law enforcement agencies; and ‘‘(ii) prohibit accessing, using, or sharing information in the logbooks for any purpose other than to ensure compliance with this title or to facilitate a product recall to protect public health and safety.

The Data the Walgreens Now Has On Me:
Well, my name and my Texas Drivers License information (DOB, address, glasses wearer, motorcycle rider). According to the DEA website, I could also show my passport, or, if I were under 18, my report card. They also know that I bought Wal-Phed and paid cash.


What About the Data Now?
Good question. The CMEA states that the retailer has to keep it for 2 years. There is also a raft of conflicting state laws, some requiring the logbooks to be kept electronically. The retailers' association raises concerns regarding HIPAA, tracking consumer behavior (e.g., can Walgreens send me a coupon for Wal-Phed now?) and real-time tracking versus logbook maintenance. Ever since it went behind the counter, pseudoephedrine sales have decreased, so does it really matter anymore?

Everyday Privacy For Me?
Walgreens knows I ride a motorcycle because my ear rings.
This data for a cash transaction will be maintained for two years.
It may or may not be subject to any privacy rules, depending on when/if the DEA writes the regulation.
I may have no recourse if Walgreens decides to use the information in a way to which I haven't consented.
I may have no recourse if Walgreens loses, misplaces, or sells the information to unsavory third parties.

No comments: