After the public health attorney or privacy officer collects all of the facts involving the proposed data collection, access or sharing, review criteria are addressed. Privacy requirements must be determined at each data transfer point, so that all governing laws are identified. Laws may specify whether the proposed action with deidentified data is lawful, as well as how it must occur. Factual information may reflect increased risk to individuals or the public health agency and application of additional privacy controls may be appropriate. Collection of a new data stream should be evaluated in light of Freedom of Information laws, particularly where the proposed data stream is highly sensitive or potentially stigmatizing to a community. The checklist below is intended to guide public health practitioners in identifying appropriate review criteria to analyze factual information concerning de-identified data collection, access and sharing.