Presentation is loading. Please wait.

Presentation is loading. Please wait.

THE COMMONWEALTH’S WEB SITE PRIVACY POLICIES Linda Hamel General Counsel Information Technology Division MCLE December 6, 2001.

Similar presentations


Presentation on theme: "THE COMMONWEALTH’S WEB SITE PRIVACY POLICIES Linda Hamel General Counsel Information Technology Division MCLE December 6, 2001."— Presentation transcript:

1 THE COMMONWEALTH’S WEB SITE PRIVACY POLICIES Linda Hamel General Counsel Information Technology Division MCLE December 6, 2001

2 Two faces of government web site privacy  Privacy of individuals whose personal data may be displayed on the web because it is public record  Privacy of users of web sites. Focus of this presentation.

3 OVERVIEW IThe Commonwealth’s Web Environment IIGovernor Swift’s Web Site Privacy Policy Initiative IIIImplementing a Web Site Privacy Policy Across a Distributed Web Environment

4 I The Commonwealth’s Web Environment

5 The “Ideal” Web Environment  Hierarchy with enterprise Chief Information Officer (“CIO”) at top  Administrative access to all Web site servers  Homogeneous legal environment with respect to privacy of users

6 Reality of State Government  Balkanized governmental structure  CIO lacks access to all Web servers  Heterogeneous legal environment with respect to privacy laws

7 STRUCTURE OF STATE GOVERNMENT  Legislature  Judiciary  Executive Department  Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth)  Quasi-governmental organizations (state authorities)  Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth)

8 Governance of Commonwealth’s Web Environment  No single CIO for Commonwealth (Opinion of the Justices, 365 Mass. 639 (Mass. 1974)). CIO for Executive Department, authorized by ch. 7, sec. 4A  Some Executive Branch web sites on ITD servers, some on independent servers, therefore servers not uniformly “transparent”  Heterogeneous legal environment

9 CIO’s Web Role  Hosts Web sites for three branches of government, constitutionals, authorities and municipalities  Directs E-government effort  Hosts central web site, formerly state.ma.us, now Mass.gov, a “portal” site linking all of the above governmental entities and offering shared services to all

10 The Former  Most agencies, all three branches, constitutionals and many authorities had web sites  Approximately 116 Exec. Department sites  Over 2 million hits per month---One for every 3 citizens  Well over 1500 pages  Publish: 60% of pages; Simple transactions: 33%; Robust Transactions: 5%; Transact business: 2%

11 PRE-MASS.GOV: COMPARISON TO OTHER STATES  Led nation in sophisticated transactions capability  Very high rate of usage per citizen  Graded “B” for lack of intentions-based portal

12 MASS.GOV “Your Government Your Way” Organized by intentions-you tell us what you want to do and we send you to the web sites of the agencies you need

13 Shared Services  E-Payments  Security (Authentication)  Geographic Information Service  Customer Relationship Management

14 Intentions-Based Navigation User indicates what they want to do, rather than choosing the agency they think they need to do it with. Portal guides them to the right agencies, Web pages, transactions and information

15 Mass.gov can’t solve the Balkanization of state government, but a step in the right direction

16 Limited Access to Some Servers  Approximately 116 Executive Department Web sites hosted by ITD  52% Hosted by ITD on ITD Servers  33% Partially Hosted by ITD on ITD servers  15% On independent servers to which ITD doesn’t have administrative access

17 Heterogeneous Privacy Laws  Fair Information Practices Act, Public Records Law and Executive Order 412 apply throughout Executive Department  Subject specific laws like HIPAA, and agency specific laws like Mass. Gen. L. ch. 149, sec. 11A, apply to one or more agencies, but not to all.

18 No Mass. Law specifically addresses user privacy with respect to state agency Web sites

19 Compare with other states’ gov. Web site privacy laws  Restrictions on data retention beyond Web session unless user approves; agency can’t provide to third party for purposes of marketing or solicitation. MI Pub. Acts of 2000, Act 276, Sec. 719  State agencies cannot collect or disclose info from visitor to Web site unless visitor has received privacy policy and consented; user has to opt-in for disclosure to certain agency staff. NY Assembly Bill 2358, 224 th Legislative Session (2001)(signed by governor?)

20 Comparison (cont.)  addresses confidential and not subject to public disclosure unless user affirmatively consents to release. Tx. Gen. L. ch. 545 (2001), Sec. 5

21 PUBLIC RECORDS LAW  Applies to documents in any form made or received by any officer or employee  Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”

22 State Entities Covered by PRL Covered: Executive Department Constitutionals Municipalities Authorities Not Covered: Judiciary. See New Bedford Standard Times Publ. Co. v. Clerk of the Third Dist. Ct, 377 Mass. 404, 407 (1979) Legislature.Westinghouse Broadcasting Co.., Inc. v. Sergeant-at-Arms of the General Court of Mass., 375 Mass. 179 (1978).

23 Exemptions to definition of public record pertaining to subcategories of PII:  Section (a) information exempted from disclosure by some other statute  Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.  Section (j) records pertaining to applications for gun license, firearm id card and sales and transfers of guns.

24 PRIVACY Privacy rights have sources in : U.S. and State Constitution Federal and State Law

25 Federal Law  Multiple Subject-Specific Statutes and Regulations  Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPAA”)(holders of medical data).

26 State Law  Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes.  General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.

27 FAIR INFORMATION PRACTICES ACT  Protects only PII that is exempted from disclosure under the PRL  Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities  Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office

28 Executive Order 412  Applies to Executive Departments  Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary  IT has greatly increased possibility of improper dissemination of PII  Requires agencies to review data collection, storage and dissemination policies  Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.  Issued by then-Acting Governor Swift in 1999

29 Result: A patchwork of privacy laws and regulations applies to executive departments None tells agencies specifically how to deal with web site user privacy

30 Intensified Need for Web Site Privacy Policy  External forces: Public and private sector standard for web sites; Public wants it  Internal forces: Executive Order 412 puts privacy front and center for e-government; policies remind host agencies of user- oriented web site privacy issues

31 Web Site Privacy Policies Implemented Through ITD  Mandatory for Executive Departments  Suggested for Legislature, Judiciary, Constitutionals, Authorities, Quasi- governmental organizations, municipalities

32 Process  Governor Swift’s Mandatory Web Site Privacy Policy Order issued through Secretary of Administration and Finance Stephen Crosby on April 27th, 2001  Required ITD approved Web site privacy policy be posted on the web site.  Set specific standards for agency web site privacy policies

33 Specifics of the order  Adopt, post and enforce a Web site privacy policy  Policy must be based on Administration’s model policy  Baseline standards must be met

34 General Rules for Web Site Policies  Prominently posted  Clear, non-technical English accessible to the ordinary reader  Identify information gathered at site, both voluntarily and involuntarily

35 Rules for Involuntarily Data Collection  No cookie use without CIO approval. Cookies discouraged. (CIO permits session, but not hard cookies)  Identify all automatic data collection in the form of security logs, cookies, IP logs, etc.  Comply with records retention law with respect to how long keep such records (Records disposition is part of privacy strategy)

36 Information Voluntarily Collected  Identify all the ways information is voluntarily collected--- , forms, click- throughs  Define PII

37 Personally identifiable information is any information that could reasonably be used to identify a user personally, including his or her name, address, address, Social Security number, birth date, bank account information, credit card information, or any combination of information that could be used to identify the user. The term "personally identifiable information" should be used and defined in the policy.

38 Tell the user  Whether PII will be collected through any means  What the agency does with the PII it collects

39 Dissemination of PII  No guarantees of privacy (compare with commercial web sites and “opt out/opt in” features)  Unless exempted, all subject to disclosure under the Public Records Law  With whom will agency share the information (in non-PRL context)?  Only Commonwealth employees with a need to know can access

40 Address privacy protections  Compliance with Exec. Order 412  Fair Information Practices Act  Other laws applicable to the agency or information (state or Federal)

41 Additional provisions  Voluntary Compliance with COPPA  Review and correction of PII  Security Procedures  Contact Person  Policy changes

42 Additional requirements imposed on agency  Legal review in-house  Provide copy to new employees and current employees

43 Steps in Implementation Across the Enterprise  Agency writes policy based on standard  Approval by ITD’s General Counsel  Agency web staff do the html coding to create links on every page, code the policy  ITD staff uploads  ITD checks number of pages from agency against server records  ITD works with agencies to conform number of pages  Independent server agencies certify they have gone through a similar process

44 ITD Counsel’s Role in Reviewing  Legal issues—agency disclose special laws?  Transparency  Conform with model to extent possible  Address transactional activities

45 Project Management  General counsel supervising entire effort  Director of Internet services (1) using web site to give practical advise to web masters and (2) keeping records using excel spreadsheet available to all  Value added of spreadsheets: agency name, url, contact person, transparent as to process

46 Progress to Date: Approximately 116 Executive Department Web Sites Fewer than 10 had privacy policies To date, all Exec Department agencies have privacy policies, links confirmed with respect to all but a handful of agencies.

47 What I learned at the Privacy Policy Revolution  Regardless of challenges, when leadership comes from the very top, project can be accomplished  Legal counsel, business people and Web people must be involved every step of the way in web site development—contracting, privacy, access, security, etc.  Enterprise project requiring project management

48 Future  P3P may help---too soon to tell  Compliance and Enforcement?  Issue not addressed: PII-containing public record on Web. Law lags behind technology.

49


Download ppt "THE COMMONWEALTH’S WEB SITE PRIVACY POLICIES Linda Hamel General Counsel Information Technology Division MCLE December 6, 2001."

Similar presentations


Ads by Google