1 / 57

PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY

PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY. Linda Hamel General Counsel Information Technology Division Commonwealth of Massachusetts Executive Leadership Forum October 18, 2001. OVERVIEW. PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD

javan
Télécharger la présentation

PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY Linda Hamel General Counsel Information Technology Division Commonwealth of Massachusetts Executive Leadership Forum October 18, 2001

  2. OVERVIEW • PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD • EXAMPLES OF PRIVACY CONCERNS RAISED BY PUBLIC RECORDS CONTAINING PII ON THE WEB • EVOLUTION OF THE ADMINISTRATION’S POLICY TO ADDRESS THE ACCESS/PRIVACY CONFLICT

  3. DEFINITIONS PERSONALY IDENTIFIABLE INFORMATION STATE GOVERNMENT

  4. PERSONALLY IDENTIFIABLE INFORMATION • Any information that could reasonably be used to identify an individual, including their name, address, e-mail address, Social Security Number, birth date, bank account information, credit cad information, or any combination of information that could be used to identify them • Laws, regulations and policies regarding public records disclosure and privacy use different labels and significantly different definitions of this term (“personal information”; “personal data”); broad category of personally identifiable information (“PII”) used throughout this presentation

  5. STRUCTURE OF STATE GOVERNMENT • Legislature • Judiciary • Executive Department • Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth) • Quasi-governmental organizations (state authorities) • Sometimes municipalities (in their capacity as political subdivisions of the state)

  6. Chief Information OfficerMass. Gen. L. ch. 7, sec. 4A • Efficient and economical administration of information technology systems • Set information technology standards • Review and approve secretariat and department information technology plans • Review and approve the planning design, acquisition and operation of information technology systems • Manage central information systems

  7. LEGAL BASIS FOR ACCESS TO PUBLIC RECORDS • Public Records Law, Mass. Gen. L. ch. 66, sec. 10 • First Amendment right to access court records pertaining to criminal and civil cases.

  8. PUBLIC RECORDS LAW • Applies to documents in any form made or received by any officer or employee • Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”

  9. No general exemption for PII under either the PRL (agency records) or the First Amendment (court records).

  10. Exemptions to definition of public record pertaining to subcategories of PII: • Section (a) information exempted from disclosure by some other statute • Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy. • Section (j) records pertaining to applications for gun licenses, firearm I.D.cards and sales and transfers of guns.

  11. (a) Information specifically or by necessary implication exempted from disclosure by statute (i.e., another law says the data has to be kept confidential)

  12. (c) Personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy

  13. Three categories under subsection (c) • All medical information • Personnel files or information which is useful in making employment decisions • Other materials or data, the disclosure of which may constitute an unwarranted invasion of personal privacy

  14. Medical Files Absolute exemption

  15. Personnel Files • Any information useful in making employment decisions. Employment applications, employee work evaluations, disciplinary documentation, and promotion, demotion or termination information. • Absolute Exemption • NOT information typically included in personnel files, such as employee’s name, home address, date of birth, salary, and individual absentee records (minus specific reason for absence.). This kind of information has been tested by the courts under next exemption and, because of public sector employees’ diminished expectation of privacy about their jobs, found to be NOT EXEMPT.

  16. Other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.

  17. No absolute exemption; rather a two-part test • Does the data constitute “intimate details of a highly personal nature”? • Balancing test: Does the public have a paramount public interest in disclosure?

  18. Intimate Details of a Highly Personal Nature • Marital status • Paternity • Substance Abuse • Government Assistance • Family Disputes • Reputation

  19. (j) Records pertaining to application for gun license, firearm I.D. card, sale or transfer of guns.

  20. SUMMARY Public Records Law does not exempt all PII from disclosure, but protects at least these three subcategories of PII from disclosure in response to a public records request

  21. FIRST AMENDMENT RIGHTS Absent impoundment order or statute to the contrary, public has a First Amendment Right to access court documents pertaining to civil and criminal cases. No exemption for PII.

  22. Statutory Exemptions No general exemption for personally identifiable information At least three exemptions for subcategories of personally identifiable information

  23. Exemptions From First Amendment Right of Access • Other statute • Court order to impound • NO exemption for PII

  24. PII on the Web • Few court cases have addressed whether PII contained in public record can be posted on the Web • Courts have uniformly held that PII that is not exempt from disclosure under state or Federal public records law can be posted on the web by government and other entities.

  25. Summary: Some PII is Public Record and can Legally be displayed on the Web

  26. PRIVACY Privacy rights have sources in : U.S. and State Constitutions Federal and State Law

  27. Federal Law • Multiple Subject-Specific Statutes and Regulations • Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPPA”)(holders of medical data).

  28. State Law • Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes. • General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.

  29. FAIR INFORMATION PRACTICES ACT • Protects only PII that is exempted from disclosure under the PRL (such as data subject to one of the three PRL exemptions analyzed in this outline). Therefore, no FIPA protection for PII that is public record. • Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities • Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office

  30. Relevance of FIPA to this Discussion • Point out gaps in privacy law • How Administration is using policy to fill those gaps

  31. FIPA Definition of “personal data” • Information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual; • BUT NOT if such data is contained in a public record or constitutes intelligence information, evaluative information or criminal offender information

  32. GAPS in FIPA • Doesn’t cover PII that is NOT exempt under PRL • Doesn’t apply to Legislature, Judiciary, Municipalities

  33. FIPA’s protections for data that it covers: • Person responsible in agency • Train employees • Limit data access to agency and those authorized by data subject or statute or regulations • Secure data from physical threats • Records of access • Data available to data subject on request

  34. FIPA’s protections, cont. • Accurate, complete, timely, pertinent and relevant • Inform people as to whether they are data subjects, if they ask; • Allow data subject to contest accuracy, completeness, pertinence, etc., to correct where necessary or make record of disagreement with agency • Withhold data from response to legal process until data subject notified, opportunity to quash • Collect minimum amount of data

  35. Specific Access/Privacy conflicts Faced by Government

  36. 3 Common Types of Web Access to Public Record • On the Web, user looks up • User requests using a secure I.D. • User files a request on line for PR that will be mailed or faxed to them (Web-enabled traditional access) Focus on first type

  37. Two types of conflicts • “Primary” conflict---citizens don’t want PII pertaining to them accessible on the Web • “Secondary”—privacy of individual or entity seeking public records on the Web can be compromised

  38. What’s wrong with posting PII-containing public record on the Web, when it is already available to the public through traditional means?

  39. Problems with Posting PR on the Web: • Public records accessed through traditional means “languish in practical obscurity” • Specific barriers imposed on traditional access to PR

  40. Limits on Traditional Access to PR • Time consuming (agency has 10 days to respond) • Affirmative request to agency required • Expense of copying fees • Audit trail of limited, identifiable entities or individuals initially receiving the document • Inflexible format • Rigid time-of-day strictures—government’s limited hours of doing business • Aggregation of public record from different agencies enormously time consuming and expensive

  41. Web access to PII-containing public record sweeps away traditional barriers to access.

  42. Web Access Advantages • Instantaneous—no 10 day wait • No affirmative request to agency---just look it up • No expense over normal cost of hardware, software and connectivity usually already owned by requestor • Agency may or may not know who accesses the information • Flexible electronic format • No time-of-day restrictions—a 24 x7 option • Software permits swift aggregation of vast quantities of public records

  43. Web-available Public Records containing PII that have Troubled Citizens and Privacy Advocates • Civil Service Cases that name individual public employees • Voter registration databases • Property tax databases • Multi-record sites

  44. Secondary Privacy Problems Arising out of Web Access to Public Records • Inconspicuous government tracking of who is viewing what records on-line • Persistent cookies created by the government site can disclose to third parties using data mining software user’s travels through public record • Beacons, Web bugs or clear GIFs present on a government site can transmit information about users visiting public record sites to third parties • Personalization and authentication data used to make visits to a public web site convenient may themselves be public record subject to public scrutiny

  45. The foregoing concerns are not addressed by the PRL, privacy laws or current caselaw. Government must use frequently revisited, broad policies to address these gaps

  46. The Administration’s Privacy Policy Initiatives, in various stages of development • Acting Governor Jane Swift’s Executive Order 412 • Gov. Swift’s Web site privacy policy directive • Enterprise Privacy Policy

  47. Executive Order 412 • Applies to Executive Departments • Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary • IT has greatly increased possibility of improper dissemination of PII • Requires agencies to review data collection, storage and dissemination policies • Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.

  48. Merits of Exec. Order 412 • Covers all “personal information”; unlike FIPA, doesn’t exclude information contained in public record. • Emphasizes then-Acting Governor Swift’s privacy priority. Privacy from then on front and center in e-gov efforts

  49. Gov. Swift’s 2001 Web site privacy policy order • Every agency with Web site must have privacy policy • Approved by agency’s and ITD’s legal counsel • Specify contents • Persistent cookies discouraged, and only by permission of CIO • Requires agency head, CIO, and counsel involved • Sites geared to children must comply with COPPA (to which government not technically subject)

  50. Mandatory Contents of Executive Department Web Site Privacy Policies • Model policy: Governor’s Web site http://www.state.ma.us/gov/privacy policy.html • Voluntarily and involuntarily collected information • PRL, Exec. Order 412; other laws; what agency does with PII it collects • Emails not secure • Security technology used with respect to site • Cookie definition and use

More Related