Exclusive: US Demands Log-In Credentials for Other Countries' Health Data Systems
US "Data Sharing Agreements" tied to foreign aid for health require 25 years of sweeping access
Countries signing Memoranda of Understanding with the US for health financing will be asked to sign a data sharing agreement that could provide the US with login credentials to a sweeping array of national systems for the next twenty five years. Expansive and overwhelmingly US-centered, the Data Sharing Agreement (reproduced in full below1 ) reveals the unprecedentedly extractive nature of these ongoing negotiations.
The form template lists seven different data systems to which the US can require access: national health warehouses, health management and information systems, outbreak response and surveillance data systems, health commodity inventory management systems, lab management systems, pharmacy management systems and electronic medical records. Any of these systems can be included in the agreement if they are classified as “used in support of health programs and supported through financial, technical or other assistance from the US government.”
The title “Data Sharing Agreement” is misleading. Sharing is an exchange in which both parties have agency. This agreement affords the US at-will visibility into digital systems, including those, like electronic medical records, that include personal identifiable information. The MoUs will last for two or five years. These data-sharing agreements will endure for a quarter century. Should a country decide to terminate the MoU (or, it seems, the Data Sharing Agreement) the US retains access to the data systems for ten years from the date of termination.
The agreement is solely covered by US law, with no reference to adhering to the co-signatory’s laws regarding data use and privacy. If, for instance, the US Health Insurance Portability and Accountability (HIPAA) law were repealed, there would be no restrictions on American disclosure of the personal health information of any individual in the country’s electronic medical record system.
If the US were the co-signatory to this agreement with another country, that nation would be entitled to login credentials for our Veterans Affairs system, the dashboards, databases and metadata associated with our national stockpiles of medical countermeasures for outbreaks and bioterrorism, our data from wastewater and other disease surveillance measures—for the next quarter century.
The Memorandum of Understanding sets out metrics for a range of health outcomes including polio immunization, maternal mortality, number of people living with HIV on antiretrovirals. It is appropriate and precedented to ask for routine reports on data related to these outcomes, and to establish terms by which the data can be independently verified for accuracy. The metrics are basic and, as I’ve written before, insufficient for assessing progress towards stated goals. (The average number of antenatal visits a woman attends will not indicate whether funding is helping to reduce maternal mortality.)
The discrepancy between America’s off-the-shelf metrics and its appetite for data access is, to say the absolute least, striking.
I have not been able to review the comparable agreement on pathogen access “sharing” that also accompanies the MoUs. Frankly, I am not sure that I want to as it may employ comparably one-sided, over-reaching terms to another country’s information about circulating pathogens.
It is exceedingly hard to imagine how a national government could accept these terms. It is also quite likely that some will. I have confirmed with several countries that Ministries of Health have received this agreement along with the draft Memorandum of Understanding. To my knowledge, no government has brought these demands up with national stakeholders. At the close of this week’s negotiations, the Kenyan Ministry of Health enthused in a social media post proclaiming that the engagement “reaffirmed the deepening Kenya-US relationship in priority areas of mutual interest.”2
In the last few days, I’ve been told by stakeholders within and outside of USG that the “real work” of designing programs will happen after the MoUs are signed, and that individuals seeking to influence the future should focus on this post-signing, pre-implementation system. Before I read the Data “Sharing” Agreement, I found the suggestion to focus on the period after signing somewhat far-fetched. Having seen the document, I’m left wondering if this newly-circulating storyline isn’t a little bit of misdirection. Do not be distracted. MoUs are not yet signed. Do not share your user name and password in advance.
I’ve altered the appearance of these photos, but not the text.
https://x.com/MOH_Kenya/status/1988907280469803048?s=08
So much for privacy regs. Why wouldn’t US privacy regs apply. What about EU privacy regs?