Presentation on theme: "PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY Linda Hamel General Counsel Information Technology Division Commonwealth of Massachusetts Executive Leadership."— Presentation transcript:
PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY Linda Hamel General Counsel Information Technology Division Commonwealth of Massachusetts Executive Leadership Forum October 18, 2001
OVERVIEW PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD EXAMPLES OF PRIVACY CONCERNS RAISED BY PUBLIC RECORDS CONTAINING PII ON THE WEB EVOLUTION OF THE ADMINISTRATION’S POLICY TO ADDRESS THE ACCESS/PRIVACY CONFLICT
DEFINITIONS PERSONALY IDENTIFIABLE INFORMATION STATE GOVERNMENT
PERSONALLY IDENTIFIABLE INFORMATION Any information that could reasonably be used to identify an individual, including their name, address, address, Social Security Number, birth date, bank account information, credit cad information, or any combination of information that could be used to identify them Laws, regulations and policies regarding public records disclosure and privacy use different labels and significantly different definitions of this term (“personal information”; “personal data”); broad category of personally identifiable information (“PII”) used throughout this presentation
STRUCTURE OF STATE GOVERNMENT Legislature Judiciary Executive Department Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth) Quasi-governmental organizations (state authorities) Sometimes municipalities (in their capacity as political subdivisions of the state)
Chief Information Officer Mass. Gen. L. ch. 7, sec. 4A Efficient and economical administration of information technology systems Set information technology standards Review and approve secretariat and department information technology plans Review and approve the planning design, acquisition and operation of information technology systems Manage central information systems
LEGAL BASIS FOR ACCESS TO PUBLIC RECORDS Public Records Law, Mass. Gen. L. ch. 66, sec. 10 First Amendment right to access court records pertaining to criminal and civil cases.
PUBLIC RECORDS LAW Applies to documents in any form made or received by any officer or employee Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”
No general exemption for PII under either the PRL (agency records) or the First Amendment (court records).
Exemptions to definition of public record pertaining to subcategories of PII: Section (a) information exempted from disclosure by some other statute Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy. Section (j) records pertaining to applications for gun licenses, firearm I.D.cards and sales and transfers of guns.
(a) Information specifically or by necessary implication exempted from disclosure by statute (i.e., another law says the data has to be kept confidential)
(c) Personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy
Three categories under subsection (c) All medical information Personnel files or information which is useful in making employment decisions Other materials or data, the disclosure of which may constitute an unwarranted invasion of personal privacy
Medical Files Absolute exemption
Personnel Files Any information useful in making employment decisions. Employment applications, employee work evaluations, disciplinary documentation, and promotion, demotion or termination information. Absolute Exemption NOT information typically included in personnel files, such as employee’s name, home address, date of birth, salary, and individual absentee records (minus specific reason for absence.). This kind of information has been tested by the courts under next exemption and, because of public sector employees’ diminished expectation of privacy about their jobs, found to be NOT EXEMPT.
Other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.
No absolute exemption; rather a two-part test Does the data constitute “intimate details of a highly personal nature”? Balancing test: Does the public have a paramount public interest in disclosure?
Intimate Details of a Highly Personal Nature Marital status Paternity Substance Abuse Government Assistance Family Disputes Reputation
(j) Records pertaining to application for gun license, firearm I.D. card, sale or transfer of guns.
SUMMARY Public Records Law does not exempt all PII from disclosure, but protects at least these three subcategories of PII from disclosure in response to a public records request
FIRST AMENDMENT RIGHTS Absent impoundment order or statute to the contrary, public has a First Amendment Right to access court documents pertaining to civil and criminal cases. No exemption for PII.
Statutory Exemptions No general exemption for personally identifiable information At least three exemptions for subcategories of personally identifiable information
Exemptions From First Amendment Right of Access Other statute Court order to impound NO exemption for PII
PII on the Web Few court cases have addressed whether PII contained in public record can be posted on the Web Courts have uniformly held that PII that is not exempt from disclosure under state or Federal public records law can be posted on the web by government and other entities.
Summary: Some PII is Public Record and can Legally be displayed on the Web
PRIVACY Privacy rights have sources in : U.S. and State Constitutions Federal and State Law
Federal Law Multiple Subject-Specific Statutes and Regulations Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPPA”)(holders of medical data).
State Law Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes. General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.
FAIR INFORMATION PRACTICES ACT Protects only PII that is exempted from disclosure under the PRL (such as data subject to one of the three PRL exemptions analyzed in this outline). Therefore, no FIPA protection for PII that is public record. Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office
Relevance of FIPA to this Discussion Point out gaps in privacy law How Administration is using policy to fill those gaps
FIPA Definition of “personal data” Information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual; BUT NOT if such data is contained in a public record or constitutes intelligence information, evaluative information or criminal offender information
GAPS in FIPA Doesn’t cover PII that is NOT exempt under PRL Doesn’t apply to Legislature, Judiciary, Municipalities
FIPA’s protections for data that it covers: Person responsible in agency Train employees Limit data access to agency and those authorized by data subject or statute or regulations Secure data from physical threats Records of access Data available to data subject on request
FIPA’s protections, cont. Accurate, complete, timely, pertinent and relevant Inform people as to whether they are data subjects, if they ask; Allow data subject to contest accuracy, completeness, pertinence, etc., to correct where necessary or make record of disagreement with agency Withhold data from response to legal process until data subject notified, opportunity to quash Collect minimum amount of data
Specific Access/Privacy conflicts Faced by Government
3 Common Types of Web Access to Public Record On the Web, user looks up User requests using a secure I.D. User files a request on line for PR that will be mailed or faxed to them (Web-enabled traditional access) Focus on first type
Two types of conflicts “Primary” conflict---citizens don’t want PII pertaining to them accessible on the Web “Secondary”—privacy of individual or entity seeking public records on the Web can be compromised
What’s wrong with posting PII- containing public record on the Web, when it is already available to the public through traditional means?
Problems with Posting PR on the Web: Public records accessed through traditional means “languish in practical obscurity” Specific barriers imposed on traditional access to PR
Limits on Traditional Access to PR Time consuming (agency has 10 days to respond) Affirmative request to agency required Expense of copying fees Audit trail of limited, identifiable entities or individuals initially receiving the document Inflexible format Rigid time-of-day strictures—government’s limited hours of doing business Aggregation of public record from different agencies enormously time consuming and expensive
Web access to PII-containing public record sweeps away traditional barriers to access.
Web Access Advantages Instantaneous—no 10 day wait No affirmative request to agency---just look it up No expense over normal cost of hardware, software and connectivity usually already owned by requestor Agency may or may not know who accesses the information Flexible electronic format No time-of-day restrictions—a 24 x7 option Software permits swift aggregation of vast quantities of public records
Web-available Public Records containing PII that have Troubled Citizens and Privacy Advocates Civil Service Cases that name individual public employees Voter registration databases Property tax databases Multi-record sites
Secondary Privacy Problems Arising out of Web Access to Public Records Inconspicuous government tracking of who is viewing what records on-line Persistent cookies created by the government site can disclose to third parties using data mining software user’s travels through public record Beacons, Web bugs or clear GIFs present on a government site can transmit information about users visiting public record sites to third parties Personalization and authentication data used to make visits to a public web site convenient may themselves be public record subject to public scrutiny
The foregoing concerns are not addressed by the PRL, privacy laws or current caselaw. Government must use frequently revisited, broad policies to address these gaps
Executive Order 412 Applies to Executive Departments Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary IT has greatly increased possibility of improper dissemination of PII Requires agencies to review data collection, storage and dissemination policies Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.
Merits of Exec. Order 412 Covers all “personal information”; unlike FIPA, doesn’t exclude information contained in public record. Emphasizes then-Acting Governor Swift’s privacy priority. Privacy from then on front and center in e-gov efforts
Mandatory Contents of Executive Department Web Site Privacy Policies Model policy: Governor’s Web site policy.html Voluntarily and involuntarily collected information PRL, Exec. Order 412; other laws; what agency does with PII it collects s not secure Security technology used with respect to site Cookie definition and use
(Mandatory contents, Web site privacy policies, cont.) Definition of PII State and Federal privacy laws and regulations applicable to agency Contact person Policy changes
Require Agencies, prior to posting PR containing PII on Web to: Consider whether nature of PII is such that it should only be accessible through a traditional PR request, taking into account who may be harmed by making such information Web-accessible; Point out that the PRL does not require that PR be posted on the Web Consider erecting some barriers to access for PII- containing PR, making Web access similar to traditional access (fees, timing, etc.)
Monitor and enforce compliance Budget Data collection risk assessment Review
Challenges Budget CIO only has authority over Exec. Department, but is hosting a portal used by all state government entities; use diplomacy to persuade them to adopt policies Strong public interest in access to PII over the Web, a countervailing force
Contact Information Linda Hamel General Counsel Information Technology Division (617) (phone) (617) (fax) One Ashburton Place, Room 801, Boston, MA 02108