V-Safe Part 5: The Fight to Get the V-Safe Data!
By Aaron Siri
If you have not already read Parts 1, 2, 3 and 4 of the v-safe saga, please read those first!
What did it take to get the data?
We will discuss what the v-safe data shows in the next part of this v-safe Substack series, and when we do, it may explain why CDC fought for so long to keep it hidden. But let’s quickly walk through the circus that CDC put on to avoid having this data go public. This will be a bit of a simplified version of the legal hoops that have been jumped through over the past year and a half, lest you all hit unsubscribe.
So, it all begins with a simple request to our federal health agency made a long time ago. On behalf of ICAN, in June 2021, we sent the following request to CDC asking for all de-identified data submitted to v-safe since January 1, 2020:
The term “de-identified” means data that does not include personally identifying information. The reason we limited the request to “de-identified” data is because CDC is not allowed to release data that is not de-identified, or data that contains personally identifying information. Hence, had we instead asked for all the v-safe data, CDC would have objected to producing it on the grounds it contains personally identifying information. Thus, the more limited request.
We also understood that CDC had already de-identified the v-safe data because their v-safe protocol reflected that they had already provided Oracle, a private company, access to de-identified v-safe data.
It was for these two reasons that, on behalf of ICAN, we requested “all de-identified data submitted to v-safe since January 1, 2020.” And what did we get in return? The incredible response that, “a search of [CDC’s] records failed to reveal any documents pertaining to your request.” Unbelievable.
And so we appealed that response and pointed out that CDC had already admitted in writing that it had provided Oracle access to deidentified v-safe data. Therefore, responsive documents existed.
To make clear that CDC cannot hide from this fact and to point out the absurdity of its response to our first request, we, on behalf of ICAN, submitted another request to CDC asking for “all data submitted to v-safe and subsequently deidentified by CDC and/or Oracle from January 1, 2020 forward.”
With the appeal of the initial request, the additional request, and pointing out their admission regarding Oracle, we figured that CDC’s game had come to an end and it would produce the data. But not so. CDC’s claim that it did not have any responsive documents, incredibly, persisted. So, on behalf of ICAN, we sued CDC in federal court.
The introduction of the complaint put the importance of the request in context:
We hoped, dare I say even assumed, that once the Department of Justice (DOJ) reached out, as they are the ones who represent CDC, they would understand what had happened and knock some sense into CDC regarding the agency’s choice to continue playing this game.
But alas, after numerous phone calls with the DOJ, and many court filings, the DOJ held tight to CDC’s position by claiming that the v-safe data is not already de-identified and hence, there was nothing to produce in response to the requests that were made.
The reality is that it was categorically false for the CDC to claim that it did not already have de-identified v-safe data. To see this, one only has to look at the data dump CDC eventually made without needing to redact a single letter. Not one. Because the check-the-box fields, by their very nature, would never have any personally identifiable information. It was ridiculous for CDC and DOJ to have claimed otherwise. This data could have been produced, at any point over the last two years, within minutes at any time by simply downloading the five files it eventually provided.
We advised the DOJ that to overcome their silly argument, we could (and would) simply file another request from ICAN for all v-safe data, without limiting the request to de-identified data, and then go through the entire process (wherein CDC would object stating that they data contained personally identifying information and could therefore not be produced) which would only waste CDC, judicial, and our client’s resources. The agency clearly did not care. They do, after all, have a lot of our money in the form of taxes to spend.
So, after they still would not relent, we filed yet another FOIA request, this time for “all data submitted to v-safe since January 1, 2020.”
And when CDC still would not produce the data, and in fact would not even respond to the newest FOIA request in a timely manner despite our heads up to the DOJ about it, we had to file a second lawsuit. Here is an excerpt from that complaint again explaining the importance of this lawsuit:
At this point, and after more legal maneuvering and other legal mumbo-jumbo stuff that would bore folks to tears, and after CDC and DOJ had to realize that there was no straight-faced objection they could make to providing the v-safe data, CDC finally capitulated and agreed – in a proposed scheduling order signed by the DOJ, on behalf of CDC, and by my firm, on behalf of ICAN – to produce the data. It provided, in relevant part:
The Court then entered the foregoing in an order on September 8, 2022 which said, in relevant part:
And there it was. Finally, we were going to get ICAN, and hence the public, the data it demanded over 440 days prior in a simple and straightforward request.
And as agreed and ordered by the Court, on September 30, 2022, I received a letter which provided in relevant part as follows:
The letter included five links to download the v-safe data from the check-the-box fields – data which by its very nature is already completely deidentified! It probably took CDC literal minutes to download these five files and create links for them. No need to review a single letter in them and not a single letter was redacted.
As to the second numbered paragraph in the Court’s Order, shown above, we are still litigating the remaining outstanding issues (which include obtaining the data from the free-text fields).
CDC could have and should have produced the check-the-box data 464 days sooner than it did. It didn’t. Why? Well, maybe the answer is in what this data shows. And that will be the subject of the next part in this v-safe Substack series. Until then!
Source: Originally published on Substack.