public records access vs citizen privacy l.
Skip this Video
Download Presentation

Loading in 2 Seconds...

play fullscreen
1 / 57


  • Uploaded on

PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY. Linda Hamel General Counsel Information Technology Division Commonwealth of Massachusetts Executive Leadership Forum October 18, 2001. OVERVIEW. PERSONALLY IDENTIFIABLE INFORMATION (“PII”) THAT CONSTITUTES PUBLIC RECORD

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'PUBLIC RECORDS ACCESS VS. CITIZEN PRIVACY' - javan

Download Now An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
public records access vs citizen privacy


Linda Hamel

General Counsel

Information Technology Division

Commonwealth of Massachusetts

Executive Leadership Forum

October 18, 2001





personally identifiable information
  • Any information that could reasonably be used to identify an individual, including their name, address, e-mail address, Social Security Number, birth date, bank account information, credit cad information, or any combination of information that could be used to identify them
  • Laws, regulations and policies regarding public records disclosure and privacy use different labels and significantly different definitions of this term (“personal information”; “personal data”); broad category of personally identifiable information (“PII”) used throughout this presentation
structure of state government
  • Legislature
  • Judiciary
  • Executive Department
  • Constitutionals (Attorney General, Treasurer, Auditor, Secretary of the Commonwealth)
  • Quasi-governmental organizations (state authorities)
  • Sometimes municipalities (in their capacity as political subdivisions of the state)
chief information officer mass gen l ch 7 sec 4a
Chief Information OfficerMass. Gen. L. ch. 7, sec. 4A
  • Efficient and economical administration of information technology systems
  • Set information technology standards
  • Review and approve secretariat and department information technology plans
  • Review and approve the planning design, acquisition and operation of information technology systems
  • Manage central information systems
legal basis for access to public records
  • Public Records Law, Mass. Gen. L. ch. 66, sec. 10
  • First Amendment right to access court records pertaining to criminal and civil cases.
public records law
  • Applies to documents in any form made or received by any officer or employee
  • Covered entities include “any agency, executive office, department, board, commission, bureau, division or authority of the commonwealth, or of any political subdivision thereof, or of any authority established by the general court to serve a public purpose”
No general exemption for PII under either the PRL (agency records) or the First Amendment (court records).
exemptions to definition of public record pertaining to subcategories of pii
Exemptions to definition of public record pertaining to subcategories of PII:
  • Section (a) information exempted from disclosure by some other statute
  • Section (c) personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.
  • Section (j) records pertaining to applications for gun licenses, firearm and sales and transfers of guns.
a information specifically or by necessary implication exempted from disclosure by statute

(a) Information specifically or by necessary implication exempted from disclosure by statute

(i.e., another law says the data has to be kept confidential)


(c) Personnel and medical files or information; also any other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy

three categories under subsection c
Three categories under subsection (c)
  • All medical information
  • Personnel files or information which is useful in making employment decisions
  • Other materials or data, the disclosure of which may constitute an unwarranted invasion of personal privacy
medical files

Medical Files

Absolute exemption

personnel files
Personnel Files
  • Any information useful in making employment decisions. Employment applications, employee work evaluations, disciplinary documentation, and promotion, demotion or termination information.
  • Absolute Exemption
  • NOT information typically included in personnel files, such as employee’s name, home address, date of birth, salary, and individual absentee records (minus specific reason for absence.). This kind of information has been tested by the courts under next exemption and, because of public sector employees’ diminished expectation of privacy about their jobs, found to be NOT EXEMPT.

Other materials or data relating to a specifically named individual, the disclosure of which may constitute an unwarranted invasion of personal privacy.

no absolute exemption rather a two part test
No absolute exemption; rather a two-part test
  • Does the data constitute “intimate details of a highly personal nature”?
  • Balancing test: Does the public have a paramount public interest in disclosure?
intimate details of a highly personal nature
Intimate Details of a Highly Personal Nature
  • Marital status
  • Paternity
  • Substance Abuse
  • Government Assistance
  • Family Disputes
  • Reputation
j records pertaining to application for gun license firearm i d card sale or transfer of guns

(j) Records pertaining to application for gun license, firearm I.D. card, sale or transfer of guns.



Public Records Law does not exempt all PII from disclosure, but protects at least these three subcategories of PII from disclosure in response to a public records request

first amendment rights


Absent impoundment order or statute to the contrary, public has a First Amendment Right to access court documents pertaining to civil and criminal cases. No exemption for PII.

statutory exemptions

Statutory Exemptions

No general exemption for personally identifiable information

At least three exemptions for subcategories of personally identifiable information

exemptions from first amendment right of access
Exemptions From First Amendment Right of Access
  • Other statute
  • Court order to impound
  • NO exemption for PII
pii on the web
PII on the Web
  • Few court cases have addressed whether PII contained in public record can be posted on the Web
  • Courts have uniformly held that PII that is not exempt from disclosure under state or Federal public records law can be posted on the web by government and other entities.

Privacy rights have sources in :

U.S. and State Constitutions

Federal and State Law

federal law
Federal Law
  • Multiple Subject-Specific Statutes and Regulations
  • Hot topics: Gramm-Leach-Bliley (financial institutions); Health Insurance Portability and Accountability Act (“HIPPA”)(holders of medical data).
state law
State Law
  • Many subject-specific state laws and regulations. Example: Mass. Gen. L. ch. 149, sec. 11A, creates a blood lead registry for occupational lead poisoning data. The Department of Labor and Workforce Development must keep the data confidential and can only share with the Department of Public Health for research purposes.
  • General law: Fair Information Practices Act, Mass. Gen. L. ch. 66A.
fair information practices act
  • Protects only PII that is exempted from disclosure under the PRL (such as data subject to one of the three PRL exemptions analyzed in this outline). Therefore, no FIPA protection for PII that is public record.
  • Applies to executive and constitutional offices but not to Legislature, Judiciary, or municipalities
  • Applies to private parties holding data for purposes of fulfilling a contract with an executive or constitutional office
relevance of fipa to this discussion
Relevance of FIPA to this Discussion
  • Point out gaps in privacy law
  • How Administration is using policy to fill those gaps
fipa definition of personal data
FIPA Definition of “personal data”
  • Information concerning an individual which, because of name, identifying number, mark or description can be readily associated with a particular individual;
  • BUT NOT if such data is contained in a public record or constitutes intelligence information, evaluative information or criminal offender information
gaps in fipa
  • Doesn’t cover PII that is NOT exempt under PRL
  • Doesn’t apply to Legislature, Judiciary, Municipalities
fipa s protections for data that it covers
FIPA’s protections for data that it covers:
  • Person responsible in agency
  • Train employees
  • Limit data access to agency and those authorized by data subject or statute or regulations
  • Secure data from physical threats
  • Records of access
  • Data available to data subject on request
fipa s protections cont
FIPA’s protections, cont.
  • Accurate, complete, timely, pertinent and relevant
  • Inform people as to whether they are data subjects, if they ask;
  • Allow data subject to contest accuracy, completeness, pertinence, etc., to correct where necessary or make record of disagreement with agency
  • Withhold data from response to legal process until data subject notified, opportunity to quash
  • Collect minimum amount of data
3 common types of web access to public record
3 Common Types of Web Access to Public Record
  • On the Web, user looks up
  • User requests using a secure I.D.
  • User files a request on line for PR that will be mailed or faxed to them (Web-enabled traditional access)

Focus on first type

two types of conflicts
Two types of conflicts
  • “Primary” conflict---citizens don’t want PII pertaining to them accessible on the Web
  • “Secondary”—privacy of individual or entity seeking public records on the Web can be compromised

What’s wrong with posting PII-containing public record on the Web, when it is already available to the public through traditional means?

problems with posting pr on the web
Problems with Posting PR on the Web:
  • Public records accessed through traditional means “languish in practical obscurity”
  • Specific barriers imposed on traditional access to PR
limits on traditional access to pr
Limits on Traditional Access to PR
  • Time consuming (agency has 10 days to respond)
  • Affirmative request to agency required
  • Expense of copying fees
  • Audit trail of limited, identifiable entities or individuals initially receiving the document
  • Inflexible format
  • Rigid time-of-day strictures—government’s limited hours of doing business
  • Aggregation of public record from different agencies enormously time consuming and expensive
web access advantages
Web Access Advantages
  • Instantaneous—no 10 day wait
  • No affirmative request to agency---just look it up
  • No expense over normal cost of hardware, software and connectivity usually already owned by requestor
  • Agency may or may not know who accesses the information
  • Flexible electronic format
  • No time-of-day restrictions—a 24 x7 option
  • Software permits swift aggregation of vast quantities of public records
web available public records containing pii that have troubled citizens and privacy advocates
Web-available Public Records containing PII that have Troubled Citizens and Privacy Advocates
  • Civil Service Cases that name individual public employees
  • Voter registration databases
  • Property tax databases
  • Multi-record sites
secondary privacy problems arising out of web access to public records
Secondary Privacy Problems Arising out of Web Access to Public Records
  • Inconspicuous government tracking of who is viewing what records on-line
  • Persistent cookies created by the government site can disclose to third parties using data mining software user’s travels through public record
  • Beacons, Web bugs or clear GIFs present on a government site can transmit information about users visiting public record sites to third parties
  • Personalization and authentication data used to make visits to a public web site convenient may themselves be public record subject to public scrutiny

The foregoing concerns are not addressed by the PRL, privacy laws or current caselaw. Government must use frequently revisited, broad policies to address these gaps

the administration s privacy policy initiatives in various stages of development
The Administration’s Privacy Policy Initiatives, in various stages of development
  • Acting Governor Jane Swift’s Executive Order 412
  • Gov. Swift’s Web site privacy policy directive
  • Enterprise Privacy Policy
executive order 412
Executive Order 412
  • Applies to Executive Departments
  • Acknowledges citizen right to expect PII used only for purposes necessary and intended by agency, securely stored, and disseminated no more widely than necessary
  • IT has greatly increased possibility of improper dissemination of PII
  • Requires agencies to review data collection, storage and dissemination policies
  • Reform data practices so collect and disseminate minimal amount of PII needed to fulfill agency functions.
merits of exec order 412
Merits of Exec. Order 412
  • Covers all “personal information”; unlike FIPA, doesn’t exclude information contained in public record.
  • Emphasizes then-Acting Governor Swift’s privacy priority. Privacy from then on front and center in e-gov efforts
gov swift s 2001 web site privacy policy order
Gov. Swift’s 2001 Web site privacy policy order
  • Every agency with Web site must have privacy policy
  • Approved by agency’s and ITD’s legal counsel
  • Specify contents
  • Persistent cookies discouraged, and only by permission of CIO
  • Requires agency head, CIO, and counsel involved
  • Sites geared to children must comply with COPPA (to which government not technically subject)
mandatory contents of executive department web site privacy policies
Mandatory Contents of Executive Department Web Site Privacy Policies
  • Model policy: Governor’s Web site policy.html
  • Voluntarily and involuntarily collected information
  • PRL, Exec. Order 412; other laws; what agency does with PII it collects
  • Emails not secure
  • Security technology used with respect to site
  • Cookie definition and use
mandatory contents web site privacy policies cont
(Mandatory contents, Web site privacy policies, cont.)
  • Definition of PII
  • State and Federal privacy laws and regulations applicable to agency
  • Contact person
  • Policy changes
discussions regarding enterprise privacy policy
Discussions regarding Enterprise Privacy Policy
  • Applicable to Executive Departments, encourage other branches and Constitutionals to adopt
  • Mandatory agency privacy policies
  • Privacy officers
  • Include inventory of Exec. Order 412 and other legal privacy requirements
  • Training
require agencies prior to posting pr containing pii on web to
Require Agencies, prior to posting PR containing PII on Web to:
  • Consider whether nature of PII is such that it should only be accessible through a traditional PR request, taking into account who may be harmed by making such information Web-accessible;
  • Point out that the PRL does not require that PR be posted on the Web
  • Consider erecting some barriers to access for PII-containing PR, making Web access similar to traditional access (fees, timing, etc.)
other requirements for enterprise privacy policy being discussed
Other requirements for enterprise privacy policy being discussed
  • Require new data collection and holding systems to be reviewed against privacy laws, EO412 and agency privacy policy
  • Disclose to citizens purpose for data collection
  • Maintain privacy of personalization and authentication data
  • Secure data transmissions (separate policy for IT security);
  • Prohibit secondary use without consent
  • Extend policy to contractors (cont.)
Monitor and enforce compliance
  • Budget
  • Data collection risk assessment
  • Review
  • Budget
  • CIO only has authority over Exec. Department, but is hosting a portal used by all state government entities; use diplomacy to persuade them to adopt policies
  • Strong public interest in access to PII over the Web, a countervailing force
contact information

Contact Information

Linda Hamel

General Counsel

Information Technology Division

(617)-626-4404 (phone)

(617)-727-3766 (fax)

One Ashburton Place, Room 801, Boston, MA 02108