THE COMMONWEALTH’S WEB SITE PRIVACY POLICIES Linda Hamel General Counsel Information Technology Division MCLE December 6, 2001
Two faces of government web site privacy Privacy of individuals whose personal data may be displayed on the web because it is public record Privacy of users of web sites. Focus of this presentation.
The “Ideal” Web Environment Hierarchy with enterprise Chief Information Officer (“CIO”) at top Administrative access to all Web site servers Homogeneous legal environment with respect to privacy of users
Reality of State Government Balkanized governmental structure CIO lacks access to all Web servers Heterogeneous legal environment with respect to privacy laws
STRUCTURE OF STATE GOVERNMENT Legislature Judiciary Executive Department Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth) Quasi-governmental organizations (state authorities)
Governance of Commonwealth’s Web Environment No single CIO for Commonwealth (Opinion of the Justices, 365 Mass. 639 (Mass. 1974)). CIO for Executive Department, authorized by ch. 7, sec. 4A Some Executive Branch web sites on ITD servers, some on independent servers, therefore servers not uniformly “transparent” Heterogeneous legal environment
CIO’s Web Role Hosts Web sites for three branches of government, constitutionals, authorities and municipalities Directs E-government effort Hosts central web site, formerly state.ma.us, now Mass.gov, a “portal” site linking all of the above governmental entities and offering shared services to all
The Former www.state.ma.us Most agencies, all three branches, constitutionals and many authorities had web sites Approximately 116 Exec. Department sites Over 2 million hits per month---One for every 3 citizens Well over 1500 pages Publish: 60% of pages; Simple transactions: 33%; Robust Transactions: 5%; Transact business: 2%
PRE-MASS.GOV: COMPARISON TO OTHER STATES Led nation in sophisticated transactions capability Very high rate of usage per citizen Graded “B” for lack of intentions-based portal
MASS.GOV “Your Government Your Way” Organized by intentions-you tell us what you want to do and we send you to the web sites of the agencies you need
Shared Services E-Payments Security (Authentication) Geographic Information Service Customer Relationship Management
Intentions-Based Navigation User indicates what they want to do, rather than choosing the agency they think they need to do it with. Portal guides them to the right agencies, Web pages, transactions and information
Mass.gov can’t solve the Balkanization of state government, but a step in the right direction
Limited Access to Some Servers Approximately 116 Executive Department Web sites hosted by ITD 52% Hosted by ITD on ITD Servers 33% Partially Hosted by ITD on ITD servers 15% On independent servers to which ITD doesn’t have administrative access
Heterogeneous Privacy Laws Fair Information Practices Act, Public Records Law and Executive Order 412 apply throughout Executive Department Subject specific laws like HIPAA, and agency specific laws like Mass. Gen. L. ch. 149, sec. 11A, apply to one or more agencies, but not to all.
No Mass. Law specifically addresses user privacy with respect to state agency Web sites
Comparison (cont.) Email addresses confidential and not subject to public disclosure unless user affirmatively consents to release. Tx. Gen. L. ch. 545 (2001), Sec. 5
PUBLIC RECORDS LAW Applies to documents in any form made or received by any officer or employee Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”
State Entities Covered by PRL Covered: Executive Department Constitutionals Municipalities Authorities Not Covered: Judiciary. See New Bedford Standard Times Publ. Co. v. Clerk of the Third Dist. Ct., 377 Mass. 404, 407 (1979) Legislature. Westinghouse Broadcasting Co., Inc. v. Sergeant-at-Arms of the General Court of Mass., 375 Mass. 179 (1978).
Exemptions to definition of public record pertaining to subcategories of PII: Section (a) information exempted from disclosure by some other statute Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy. Section (j) records pertaining to applications for gun license, firearm id card and sales and transfers of guns.
PRIVACY Privacy rights have sources in: U.S. and State Constitution Federal and State Law
Federal Law Multiple Subject-Specific Statutes and Regulations Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPAA”) (holders of medical data).
State Law Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes. General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.
FAIR INFORMATION PRACTICES ACT Protects only PII that is exempted from disclosure under the PRL Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office
Executive Order 412 Applies to Executive Departments Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary IT has greatly increased possibility of improper dissemination of PII Requires agencies to review data collection, storage and dissemination policies Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions. Issued by then-Acting Governor Swift in 1999
Result: A patchwork of privacy laws and regulations applies to executive departments None tells agencies specifically how to deal with web site user privacy
Web Site Privacy Policies Implemented Through ITD Mandatory for Executive Departments Suggested for Legislature, Judiciary, Constitutionals, Authorities, Quasi-governmental organizations, municipalities
General Rules for Web Site Policies Prominently posted Clear, non-technical English accessible to the ordinary reader Identify information gathered at site, both voluntarily and involuntarily
Rules for Involuntary Data Collection No cookie use without CIO approval. Cookies discouraged. (CIO permits session, but not hard cookies) Identify all automatic data collection in the form of security logs, cookies, IP logs, etc. Comply with records retention law with respect to how long to keep such records (Records disposition is part of privacy strategy)
Information Voluntarily Collected Identify all the ways information is voluntarily collected---email, forms, click-throughs Define PII
Personally identifiable information is any information that could reasonably be used to identify a user personally, including his or her name, address, e-mail address, Social Security number, birth date, bank account information, credit card information, or any combination of information that could be used to identify the user. The term "personally identifiable information" should be used and defined in the policy.
Tell the user Whether PII will be collected through any means What the agency does with the PII it collects
Dissemination of PII No guarantees of privacy (compare with commercial web sites and “opt out/opt in” features) Unless exempted, all subject to disclosure under the Public Records Law With whom will agency share the information (in non-PRL context)? Only Commonwealth employees with a need to know can access
Address privacy protections Compliance with Exec. Order 412 Fair Information Practices Act Other laws applicable to the agency or information (state or Federal)
Additional provisions Voluntary Compliance with COPPA Review and correction of PII Security Procedures Contact Person Policy changes
Additional requirements imposed on agency Legal review in-house Provide copy to new employees and current employees
Steps in Implementation Across the Enterprise Agency writes policy based on standard Approval by ITD’s General Counsel Agency web staff do the HTML coding to create links on every page, code the policy ITD staff uploads ITD checks number of pages from agency against server records ITD works with agencies to conform number of pages Independent server agencies certify they have gone through a similar process
ITD Counsel’s Role in Reviewing Legal issues—agency disclose special laws? Transparency Conform with model to extent possible Address transactional activities
Project Management General counsel supervising entire effort Director of Internet services (1) using web site to give practical advice to web masters and (2) keeping records using Excel spreadsheet available to all Value added of spreadsheets: agency name, URL, contact person, transparent as to process
Progress to Date: Approximately 116 Executive Department Web Sites Fewer than 10 had privacy policies To date, all Exec Department agencies have privacy policies, links confirmed with respect to all but a handful of agencies.
Future P3P may help---too soon to tell Compliance and Enforcement? Issue not addressed: PII-containing public record on Web. Law lags behind technology.