Upload
prince-trivett
View
216
Download
2
Tags:
Embed Size (px)
Citation preview
PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY
Linda Hamel
General Counsel
Information Technology Division
Commonwealth of Massachusetts
Executive Leadership Forum
October 18, 2001
OVERVIEW
• PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD
• EXAMPLES OF PRIVACY CONCERNS RAISED BY PUBLIC RECORDS CONTAINING PII ON THE WEB
• EVOLUTION OF THE ADMINISTRATION’S POLICY TO ADDRESS THE ACCESS/PRIVACY CONFLICT
PERSONALLY IDENTIFIABLE INFORMATION
• Any information that could reasonably be used to identify an individual, including their name, address, e-mail address, Social Security Number, birth date, bank account information, credit cad information, or any combination of information that could be used to identify them
• Laws, regulations and policies regarding public records disclosure and privacy use different labels and significantly different definitions of this term (“personal information”; “personal data”); broad category of personally identifiable information (“PII”) used throughout this presentation
STRUCTURE OF STATE GOVERNMENT
• Legislature• Judiciary• Executive Department• Constitutionals (Attorney General, Treasurer,
Auditor, Secretary of the Commonwealth)• Quasi-governmental organizations (state
authorities)• Sometimes municipalities (in their capacity as
political subdivisions of the state)
Chief Information OfficerMass. Gen. L. ch. 7, sec. 4A
• Efficient and economical administration of information technology systems
• Set information technology standards• Review and approve secretariat and department
information technology plans• Review and approve the planning design,
acquisition and operation of information technology systems
• Manage central information systems
LEGAL BASIS FOR ACCESS TO PUBLIC RECORDS
• Public Records Law, Mass. Gen. L. ch. 66, sec. 10
• First Amendment right to access court records pertaining to criminal and civil cases.
PUBLIC RECORDS LAW
• Applies to documents in any form made or received by any officer or employee
• Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”
No general exemption for PII under either the PRL (agency
records) or the First Amendment (court records).
Exemptions to definition of public record pertaining to
subcategories of PII:• Section (a) information exempted from disclosure
by some other statute• Section (c) personnel and medical files or
information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.
• Section (j) records pertaining to applications for gun licenses, firearm I.D.cards and sales and transfers of guns.
(a) Information specifically or by necessary implication exempted
from disclosure by statute(i.e., another law says the data has to
be kept confidential)
(c) Personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy
Three categories under subsection (c)
• All medical information
• Personnel files or information which is useful in making employment decisions
• Other materials or data, the disclosure of which may constitute an unwarranted invasion of personal privacy
Personnel Files• Any information useful in making employment
decisions. Employment applications, employee work evaluations, disciplinary documentation, and promotion, demotion or termination information.
• Absolute Exemption• NOT information typically included in personnel files,
such as employee’s name, home address, date of birth, salary, and individual absentee records (minus specific reason for absence.). This kind of information has been tested by the courts under next exemption and, because of public sector employees’ diminished expectation of privacy about their jobs, found to be NOT EXEMPT.
Other materials or data relating to a specifically named individual,
the disclosure of which may constitute an unwarranted
invasion of personal privacy.
No absolute exemption; rather a two-part test
• Does the data constitute “intimate details of a highly personal nature”?
• Balancing test: Does the public have a paramount public interest in disclosure?
Intimate Details of a Highly Personal Nature
• Marital status
• Paternity
• Substance Abuse
• Government Assistance
• Family Disputes
• Reputation
SUMMARY
Public Records Law does not exempt all PII from disclosure, but protects at least these three subcategories of PII
from disclosure in response to a public records request
FIRST AMENDMENT RIGHTS
Absent impoundment order or statute to the contrary, public has a First Amendment Right to access court documents pertaining to civil and
criminal cases. No exemption for PII.
Statutory Exemptions
No general exemption for personally identifiable information
At least three exemptions for subcategories of personally
identifiable information
Exemptions From First Amendment Right of Access
• Other statute
• Court order to impound
• NO exemption for PII
PII on the Web
• Few court cases have addressed whether PII contained in public record can be posted on the Web
• Courts have uniformly held that PII that is not exempt from disclosure under state or Federal public records law can be posted on the web by government and other entities.
Federal Law
• Multiple Subject-Specific Statutes and Regulations
• Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPPA”)(holders of medical data).
State Law
• Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes.
• General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.
FAIR INFORMATION PRACTICES ACT
• Protects only PII that is exempted from disclosure under the PRL (such as data subject to one of the three PRL exemptions analyzed in this outline). Therefore, no FIPA protection for PII that is public record.
• Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities
• Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office
Relevance of FIPA to this Discussion
• Point out gaps in privacy law
• How Administration is using policy to fill those gaps
FIPA Definition of “personal data”
• Information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual;
• BUT NOT if such data is contained in a public record or constitutes intelligence information, evaluative information or criminal offender information
GAPS in FIPA
• Doesn’t cover PII that is NOT exempt under PRL
• Doesn’t apply to Legislature, Judiciary, Municipalities
FIPA’s protections for data that it covers:
• Person responsible in agency• Train employees• Limit data access to agency and those
authorized by data subject or statute or regulations
• Secure data from physical threats• Records of access• Data available to data subject on request
FIPA’s protections, cont.
• Accurate, complete, timely, pertinent and relevant• Inform people as to whether they are data subjects,
if they ask; • Allow data subject to contest accuracy,
completeness, pertinence, etc., to correct where necessary or make record of disagreement with agency
• Withhold data from response to legal process until data subject notified, opportunity to quash
• Collect minimum amount of data
3 Common Types of Web Access to Public Record
• On the Web, user looks up
• User requests using a secure I.D.
• User files a request on line for PR that will be mailed or faxed to them (Web-enabled traditional access)
Focus on first type
Two types of conflicts
• “Primary” conflict---citizens don’t want PII pertaining to them accessible on the Web
• “Secondary”—privacy of individual or entity seeking public records on the Web can be compromised
What’s wrong with posting PII-containing public record on the
Web, when it is already available to the public through traditional
means?
Problems with Posting PR on the Web:
• Public records accessed through traditional means “languish in practical obscurity”
• Specific barriers imposed on traditional access to PR
Limits on Traditional Access to PR
• Time consuming (agency has 10 days to respond)• Affirmative request to agency required• Expense of copying fees• Audit trail of limited, identifiable entities or individuals
initially receiving the document• Inflexible format• Rigid time-of-day strictures—government’s limited
hours of doing business• Aggregation of public record from different agencies
enormously time consuming and expensive
Web Access Advantages
• Instantaneous—no 10 day wait• No affirmative request to agency---just look it up• No expense over normal cost of hardware, software
and connectivity usually already owned by requestor• Agency may or may not know who accesses the
information• Flexible electronic format • No time-of-day restrictions—a 24 x7 option• Software permits swift aggregation of vast quantities of
public records
Web-available Public Records containing PII that have Troubled Citizens and Privacy Advocates
• Civil Service Cases that name individual public employees
• Voter registration databases
• Property tax databases
• Multi-record sites
Secondary Privacy Problems Arising out of Web Access to
Public Records• Inconspicuous government tracking of who is viewing
what records on-line• Persistent cookies created by the government site can
disclose to third parties using data mining software user’s travels through public record
• Beacons, Web bugs or clear GIFs present on a government site can transmit information about users visiting public record sites to third parties
• Personalization and authentication data used to make visits to a public web site convenient may themselves be public record subject to public scrutiny
The foregoing concerns are not addressed by the PRL, privacy
laws or current caselaw. Government must use frequently
revisited, broad policies to address these gaps
The Administration’s Privacy Policy Initiatives, in various
stages of development
• Acting Governor Jane Swift’s Executive Order 412
• Gov. Swift’s Web site privacy policy directive
• Enterprise Privacy Policy
Executive Order 412
• Applies to Executive Departments• Acknowledges citizen right to expect PII used only for
purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary
• IT has greatly increased possibility of improper dissemination of PII
• Requires agencies to review data collection, storage and dissemination policies
• Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.
Merits of Exec. Order 412
• Covers all “personal information”; unlike FIPA, doesn’t exclude information contained in public record.
• Emphasizes then-Acting Governor Swift’s privacy priority. Privacy from then on front and center in e-gov efforts
Gov. Swift’s 2001 Web site privacy policy order
• Every agency with Web site must have privacy policy
• Approved by agency’s and ITD’s legal counsel• Specify contents• Persistent cookies discouraged, and only by
permission of CIO• Requires agency head, CIO, and counsel involved• Sites geared to children must comply with COPPA
(to which government not technically subject)
Mandatory Contents of Executive Department Web Site Privacy
Policies • Model policy: Governor’s Web site
http://www.state.ma.us/gov/privacy policy.html• Voluntarily and involuntarily collected information • PRL, Exec. Order 412; other laws; what agency
does with PII it collects• Emails not secure• Security technology used with respect to site• Cookie definition and use
(Mandatory contents, Web site privacy policies, cont.)
• Definition of PII
• State and Federal privacy laws and regulations applicable to agency
• Contact person
• Policy changes
Discussions regarding Enterprise Privacy Policy
• Applicable to Executive Departments, encourage other branches and Constitutionals to adopt
• Mandatory agency privacy policies• Privacy officers• Include inventory of Exec. Order 412 and
other legal privacy requirements• Training
Require Agencies, prior to posting PR containing PII on
Web to: • Consider whether nature of PII is such that it
should only be accessible through a traditional PR request, taking into account who may be harmed by making such information Web-accessible;
• Point out that the PRL does not require that PR be posted on the Web
• Consider erecting some barriers to access for PII-containing PR, making Web access similar to traditional access (fees, timing, etc.)
Other requirements for enterprise privacy policy being discussed
• Require new data collection and holding systems to be reviewed against privacy laws, EO412 and agency privacy policy
• Disclose to citizens purpose for data collection• Maintain privacy of personalization and
authentication data• Secure data transmissions (separate policy for IT
security);• Prohibit secondary use without consent• Extend policy to contractors (cont.)
Challenges
• Budget
• CIO only has authority over Exec. Department, but is hosting a portal used by all state government entities; use diplomacy to persuade them to adopt policies
• Strong public interest in access to PII over the Web, a countervailing force
Contact Information
Linda Hamel
General Counsel
Information Technology Division
(617)-626-4404 (phone)
(617)-727-3766 (fax)
One Ashburton Place, Room 801, Boston, MA 02108