PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY

Linda Hamel

General Counsel

Information Technology Division

Commonwealth of Massachusetts

Executive Leadership Forum

October 18, 2001

OVERVIEW

• PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD

• EXAMPLES OF PRIVACY CONCERNS RAISED BY PUBLIC RECORDS CONTAINING PII ON THE WEB

• EVOLUTION OF THE ADMINISTRATION’S POLICY TO ADDRESS THE ACCESS/PRIVACY CONFLICT

DEFINITIONS

PERSONALLY IDENTIFIABLE INFORMATION

STATE GOVERNMENT

PERSONALLY IDENTIFIABLE INFORMATION

• Any information that could reasonably be used to identify an individual, including their name, address, e-mail address, Social Security Number, birth date, bank account information, credit card information, or any combination of information that could be used to identify them

• Laws, regulations and policies regarding public records disclosure and privacy use different labels and significantly different definitions of this term (“personal information”; “personal data”); broad category of personally identifiable information (“PII”) used throughout this presentation

STRUCTURE OF STATE GOVERNMENT

• Legislature

• Judiciary

• Executive Department

• Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth)

• Quasi-governmental organizations (state authorities)

• Sometimes municipalities (in their capacity as political subdivisions of the state)

Chief Information Officer

Mass. Gen. L. ch. 7, sec. 4A

• Efficient and economical administration of information technology systems

• Set information technology standards

• Review and approve secretariat and department information technology plans

• Review and approve the planning design, acquisition and operation of information technology systems

• Manage central information systems

LEGAL BASIS FOR ACCESS TO PUBLIC RECORDS

• Public Records Law, Mass. Gen. L. ch. 66, sec. 10

• First Amendment right to access court records pertaining to criminal and civil cases.

PUBLIC RECORDS LAW

• Applies to documents in any form made or received by any officer or employee

• Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”

No general exemption for PII under either the PRL (agency records) or the First Amendment (court records).

Exemptions to definition of public record pertaining to subcategories of PII:

• Section (a) information exempted from disclosure by some other statute

• Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.

• Section (j) records pertaining to applications for gun licenses, firearm I.D. cards and sales and transfers of guns.

(a) Information specifically or by necessary implication exempted from disclosure by statute (i.e., another law says the data has to be kept confidential)

(c) Personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy

Three categories under subsection (c)

• All medical information

• Personnel files or information which is useful in making employment decisions

• Other materials or data, the disclosure of which may constitute an unwarranted invasion of personal privacy

Medical Files

Absolute exemption

Personnel Files

• Any information useful in making employment decisions. Employment applications, employee work evaluations, disciplinary documentation, and promotion, demotion or termination information.

• Absolute Exemption

• NOT information typically included in personnel files, such as employee’s name, home address, date of birth, salary, and individual absentee records (minus specific reason for absence). This kind of information has been tested by the courts under next exemption and, because of public sector employees’ diminished expectation of privacy about their jobs, found to be NOT EXEMPT.

Other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.

No absolute exemption; rather a two-part test

• Does the data constitute “intimate details of a highly personal nature”?

• Balancing test: Does the public have a paramount public interest in disclosure?

Intimate Details of a Highly Personal Nature

• Marital status

• Paternity

• Substance Abuse

• Government Assistance

• Family Disputes

• Reputation

(j) Records pertaining to application for gun license, firearm I.D. card, sale or transfer of guns.

SUMMARY

Public Records Law does not exempt all PII from disclosure, but protects at least these three subcategories of PII from disclosure in response to a public records request

FIRST AMENDMENT RIGHTS

Absent impoundment order or statute to the contrary, public has a First Amendment Right to access court documents pertaining to civil and criminal cases. No exemption for PII.

Statutory Exemptions

No general exemption for personally identifiable information

At least three exemptions for subcategories of personally identifiable information

Exemptions From First Amendment Right of Access

• Other statute

• Court order to impound

• NO exemption for PII

PII on the Web

• Few court cases have addressed whether PII contained in public record can be posted on the Web

• Courts have uniformly held that PII that is not exempt from disclosure under state or Federal public records law can be posted on the web by government and other entities.

Summary: Some PII is Public Record and can Legally be displayed on the Web

PRIVACY

Privacy rights have sources in:

U.S. and State Constitutions

Federal and State Law

Federal Law

• Multiple Subject-Specific Statutes and Regulations

• Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPAA”) (holders of medical data).

State Law

• Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes.

• General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.

FAIR INFORMATION PRACTICES ACT

• Protects only PII that is exempted from disclosure under the PRL (such as data subject to one of the three PRL exemptions analyzed in this outline). Therefore, no FIPA protection for PII that is public record.

• Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities

• Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office

Relevance of FIPA to this Discussion

• Point out gaps in privacy law

• How Administration is using policy to fill those gaps

FIPA Definition of “personal data”

• Information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual;

• BUT NOT if such data is contained in a public record or constitutes intelligence information, evaluative information or criminal offender information

GAPS in FIPA

• Doesn’t cover PII that is NOT exempt under PRL

• Doesn’t apply to Legislature, Judiciary, Municipalities

FIPA’s protections for data that it covers:

• Person responsible in agency

• Train employees

• Limit data access to agency and those authorized by data subject or statute or regulations

• Secure data from physical threats

• Records of access

• Data available to data subject on request

FIPA’s protections, cont.

• Accurate, complete, timely, pertinent and relevant

• Inform people as to whether they are data subjects, if they ask;

• Allow data subject to contest accuracy, completeness, pertinence, etc., to correct where necessary or make record of disagreement with agency

• Withhold data from response to legal process until data subject notified, opportunity to quash

• Collect minimum amount of data

Specific Access/Privacy conflicts Faced by Government

3 Common Types of Web Access to Public Record

• On the Web, user looks up

• User requests using a secure I.D.

• User files a request on line for PR that will be mailed or faxed to them (Web-enabled traditional access)

Focus on first type

Two types of conflicts

• “Primary” conflict---citizens don’t want PII pertaining to them accessible on the Web

• “Secondary”—privacy of individual or entity seeking public records on the Web can be compromised

What’s wrong with posting PII-containing public record on the Web, when it is already available to the public through traditional means?

Problems with Posting PR on the Web:

• Public records accessed through traditional means “languish in practical obscurity”

• Specific barriers imposed on traditional access to PR

Limits on Traditional Access to PR

• Time consuming (agency has 10 days to respond)

• Affirmative request to agency required

• Expense of copying fees

• Audit trail of limited, identifiable entities or individuals initially receiving the document

• Inflexible format

• Rigid time-of-day strictures—government’s limited hours of doing business

• Aggregation of public record from different agencies enormously time consuming and expensive

Web access to PII-containing public record sweeps away traditional barriers to access.

Web Access Advantages

• Instantaneous—no 10 day wait

• No affirmative request to agency---just look it up

• No expense over normal cost of hardware, software and connectivity usually already owned by requestor

• Agency may or may not know who accesses the information

• Flexible electronic format

• No time-of-day restrictions—a 24x7 option

• Software permits swift aggregation of vast quantities of public records

Web-available Public Records containing PII that have Troubled Citizens and Privacy Advocates

• Civil Service Cases that name individual public employees

• Voter registration databases

• Property tax databases

• Multi-record sites

Secondary Privacy Problems Arising out of Web Access to Public Records

• Inconspicuous government tracking of who is viewing what records on-line

• Persistent cookies created by the government site can disclose to third parties using data mining software user’s travels through public record

• Beacons, Web bugs or clear GIFs present on a government site can transmit information about users visiting public record sites to third parties

• Personalization and authentication data used to make visits to a public web site convenient may themselves be public record subject to public scrutiny

The foregoing concerns are not addressed by the PRL, privacy laws or current caselaw. Government must use frequently revisited, broad policies to address these gaps

The Administration’s Privacy Policy Initiatives, in various stages of development

• Acting Governor Jane Swift’s Executive Order 412

• Gov. Swift’s Web site privacy policy directive

• Enterprise Privacy Policy

Executive Order 412

• Applies to Executive Departments

• Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary

• IT has greatly increased possibility of improper dissemination of PII

• Requires agencies to review data collection, storage and dissemination policies

• Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.

Merits of Exec. Order 412

• Covers all “personal information”; unlike FIPA, doesn’t exclude information contained in public record.

• Emphasizes then-Acting Governor Swift’s privacy priority. Privacy from then on front and center in e-gov efforts

Gov. Swift’s 2001 Web site privacy policy order

• Every agency with Web site must have privacy policy

• Approved by agency’s and ITD’s legal counsel

• Specify contents

• Persistent cookies discouraged, and only by permission of CIO

• Requires agency head, CIO, and counsel involved

• Sites geared to children must comply with COPPA (to which government not technically subject)

Mandatory Contents of Executive Department Web Site Privacy Policies

• Model policy: Governor’s Web site http://www.state.ma.us/gov/privacy policy.html

• Voluntarily and involuntarily collected information

• PRL, Exec. Order 412; other laws; what agency does with PII it collects

• Emails not secure

• Security technology used with respect to site

• Cookie definition and use

(Mandatory contents, Web site privacy policies, cont.)

• Definition of PII

• State and Federal privacy laws and regulations applicable to agency

• Contact person

• Policy changes

Discussions regarding Enterprise Privacy Policy

• Applicable to Executive Departments, encourage other branches and Constitutionals to adopt

• Mandatory agency privacy policies

• Privacy officers

• Include inventory of Exec. Order 412 and other legal privacy requirements

• Training

Require Agencies, prior to posting PR containing PII on Web to:

• Consider whether nature of PII is such that it should only be accessible through a traditional PR request, taking into account who may be harmed by making such information Web-accessible;

• Point out that the PRL does not require that PR be posted on the Web

• Consider erecting some barriers to access for PII-containing PR, making Web access similar to traditional access (fees, timing, etc.)

Other requirements for enterprise privacy policy being discussed

• Require new data collection and holding systems to be reviewed against privacy laws, EO412 and agency privacy policy

• Disclose to citizens purpose for data collection

• Maintain privacy of personalization and authentication data

• Secure data transmissions (separate policy for IT security);

• Prohibit secondary use without consent

• Extend policy to contractors

(cont.)

• Monitor and enforce compliance

• Budget

• Data collection risk assessment

• Review

Challenges

• Budget

• CIO only has authority over Exec. Department, but is hosting a portal used by all state government entities; use diplomacy to persuade them to adopt policies

• Strong public interest in access to PII over the Web, a countervailing force

Contact Information

Linda Hamel

General Counsel

Information Technology Division

(617)-626-4404 (phone)

(617)-727-3766 (fax)

One Ashburton Place, Room 801, Boston, MA 02108