Privacy and State Agencies Sec 2

Privacy and State Agencies

What General Laws Control Informational Privacy in Connecticut?

Connecticut does not have one identifiable informational privacy policy that sets out a framework for the treatment of personally identifiable information under the control of state government. Currently, work is underway on a "comprehensive information policy" for state agencies as part of the state's information and telecommunications system strategic plan.¹ The Department of Information and Technology (DOIT) is responsible for the policy, which is intended to "clearly articulate":

the state's commitment to the sharing of its information resources;
the relationship of such resources to library and other information resources in the state; and
a philosophy of equal access to information.

The concept of informational privacy is not specifically cited in the policy points to be articulated in the state's overall information policy, but would certainly need to be considered at least with respect to equal access to information.

In the absence of one location, Connecticut's current informational privacy policy instead is found in a mixture of statutes, many of which apply to specific types of information maintained by specific agencies. Anchoring the mixture is the state Freedom on Information Act (FOIA). FOIA is based on a presumption of accessibility of records maintained by state government to the public, where nondisclosure is to be narrowly construed, including for privacy reasons. Another state law of general applicability to state agencies is the Personal Data Act. Its current form is significantly different than when it was enacted in 1976, due to conflicts with FOIA. These two main laws, as well as the developing information policy, are highlighted below.

State Information Policy

Per C.G.S. Section 4d-7, Connecticut's Chief Information Officer is to "develop, publish and annually update an information and telecommunication systems strategic plan", which is to include the development of a comprehensive information policy for state agencies. Currently, a Government Information Policy Advisory Committee, made up of representatives of DOIT, Department of Revenue Services (DRS), the Freedom of Information Commission (FOIC), and the State Library, is working to draft what is entitled a Government Information Policy for State Agencies.

In its draft so far, the committee has adopted four policy principles. These principles are:

1) government transparency
- Referred to as freedom of information in Connecticut and, according to the draft policy, requires both affirmative public dissemination and public disclosure upon request; it is under this principle that confidentiality of information and limits on disclosure would be addressed;
2) fair information practices
- This is a term used internationally to refer to concepts about collection and maintenance of personal information, including a person's right to view and contest the accuracy of information collected about him or her, and government's responsibility to only collect and maintain necessary and relevant information about individuals;
3) efficiency of services within a state agency, among government agencies, and between state agencies and the people they serve
- This refers to the ability of agencies to share information and their increased reliance on automated information technology, and includes the notion of making government records and information available on the Internet.

4) the stewardship of government information
- This refers to the concept that in a democratic form of government, government does not own the records it collects, but rather is the custodian of these records for the public, who owns them.

Government transparency expanded. As the draft cites, the principle of government transparency is the purpose of the freedom of information law in Connecticut. The draft policy, in discussing this principle, notes:

Although the overarching government information policy of this state provides for the disclosure of public records, the legislature has determined that in certain limited circumstances, there is a superior interest in confidentiality. It is abundantly clear, however, that such circumstances are extraordinarily limited and that the exceptions to disclosure must be read strictly according to their terms, and not read broadly or expansively to govern situations not specifically contemplated by the legislature.

Six categories of confidentiality provisions are identified in the draft.

Personal Privacy
National Security and Law Enforcement
Litigation
Economic Interests
Administrative Consideration
Personal Safety and Institutional Security

The committee has been meeting with groups of state agencies for input in its work and plans to complete these meetings by the end of the year. It then intends to seek feedback from outside groups before it submits its final proposed policy to the Department of Information Technology.

Freedom of Information Act

The key provision of the state's freedom of information law, enacted in 1975, states:

Except as otherwise provided by any federal law or state statute, all records maintained or kept on file by any public agency, whether or not such records are required by law or by any rule or regulation, shall be public records and every person shall have the right to inspect such records promptly during regular office or business hours or to receive a copy of such records.

As noted by the Connecticut Supreme Court, the overarching legislative policy of FOIA is one that favors "the open conduct of government and free public access to government records."

Along with this general statement of accessibility, though, FOIA provides 20 different exemptions from disclosure, each of which describes a circumstance where an agency is not required (but may) disclose the record in question. Examples of exemptions are: trade secrets; test questions; personal financial data required by a licensing agency; and certain law enforcement records. A list of exemptions may be found in Attachment A.

Figure 1 illustrates the seemingly simple transformation of personal information into an agency record, by virtue of an agency obtaining the information. Once the information has the status as an agency record, in terms of public accessibility, it can fall into one of three basic states. First, the information is totally accessible as a public record under FOI because there is no other pertinent law and no exemptions apply. Second, while the information is accessible as a public record under FOI because no other law pertains, it fits under one of the exemptions, and the agency makes the determination to withhold disclosure. (The exemptions are not confidentiality mandates). Finally, some specific state or federal law covers the accessibility of the information and so it is not public.

Invasion of personal privacy. One of the exemptions allows nondisclosure of "personnel or medical files and similar files the disclosure of which would constitute an invasion of personal privacy." By its terms, this exemption most often comes into play with records related to public employees (the treatment of medical records of patients at state institutions, for example, is handled under other, specific state law).² Over the years, the

Chapter title

Connecticut Supreme Court has decided a variety of cases where the scope of the exemption was at issue. In 1993, in Perkins v. Freedom of Information Commission³, the court established a framework to determine what was an invasion of personal privacy, which remains the standard today.

The privacy exemption initially requires two determinations: 1) that the records in question fall within "personnel or medical files and similar files", and 2) that disclosure of the records would constitute an invasion of personal privacy. In the Perkins case, at issue were sick leave records of sick days taken by a school psychologist, so only the second determination was in dispute.

The Court noted there was no definition of invasion of personal privacy in the FOIA, nor was there any pertinent legislative history. The Court looked to the common law for guidance, and specifically the "aspect of the tort of invasion of privacy that provides a remedy for unreasonable publicity given to a person's private life." Under tort law, a civil suit can be triggered by public disclosure of any matter that "a) would be highly offensive to a reasonable person and b) is not of legitimate concern to the public." The Court adopted this two-pronged test for the FOIA invasion of personal privacy exemption, holding:

disclosure could only be withheld if:
- disclosure was highly offensive to a reasonable person; and
- the information sought by a request did not pertain to legitimate matters of public concern

After determining the school employee hadn't proved the release of the sick time records were highly offensive to the reasonable person, the Court made some final comments about public employment:

we note that when a person accepts public employment, he or she becomes a servant of and accountable to the public. As a result, that person's reasonable expectation of privacy is diminished, especially in regard to the dates and times required to perform public duties. The public has a right to know not only who their public employees are, but also when their public employees are and are not performing their duties.⁴

The most recent case decided by the Supreme Court under the invasion of privacy exemption dealt with addresses of state employees.⁵ Using the two-pronged test set out in Perkins, in this case, the determining factor for the court were the steps the state employees had taken to shield information about where they lived, which appeared to impact how the Court viewed both prongs of the Perkins test. While the Court seemed to indicate that state employee addresses were not matters of legitimate public concern per se, it appears that somehow what these employees did made them even less a matter of public concern. As the court noted:

Public employees are properly subject to increased scrutiny regarding matters that affect their job performance as a result of the public nature of their employment. No public interest is served, however, by exposing aspects of their personal life that do not impact the public, particularly where the employee has taken significant steps to keep nonpublic information private.
It is highly offensive to a reasonably objective person to disclose this information after taking significant steps to keep it private.

As a result of this decision, it appears that on the issue of state employee addresses, if a FOIA request was made, an agency would have to determine for each employee what steps the employee had taken to keep his/her residential address private.⁶

Personal Data Act

The state Personal Data Act (PDA) was enacted in 1976, and was originally named An Act Concerning Confidentiality of Personal Data. The intent of the law was to establish a framework for how personally identifying information held by state agencies would be treated, with an emphasis on the rights of the individual about whom records were maintained. This followed by two years enactment of the Federal Privacy Act, which the Connecticut PDA resembles. One proponent from a group called the Coalition for a Fair Information Practices Act noted one of the "principal motivating forces behind the act [has] been the accrual of large amounts of information by the states on its citizenry....In the spiraling collection of data, there are serious risks to our society".⁷

Personal data under PDA means:

information about a person's education, finances, medical or emotional condition or history, employment or business history, family or personal relationships, reputation or character which because of name, identifying number, mark or description can be readily associated with a particular person.⁸

A key provision of the original act was: "no agency or any of its employees shall disclose any personal data to any other individual, corporation, or municipal, state, or federal agency, without the consent of the person..."⁹ In today's privacy parlance, this was an opt-in provision.

When the Personal Data Act was debated in 1976, questions were raised about the potential conflict between it and FOIA. Specifically, FOIA, enacted one year earlier, established all records were public unless exempted specifically, and the pending Personal Data Act proposed no personal data be released to anyone without the consent of the individual to whom the record pertained. The PDA passed with the consent provision intact.

Over the next three years, attempts were made to reconcile the two acts. Examples were cited about unintended consequences of inappropriate information being shielded by state agencies citing PDA, such as public officials' salaries. In 1979, the consent provision was stripped from the law. With the consent provision gone, the argument was made there was no need for another PDA requirement, that an agency keep a log of requests seeking access to personal data (accessible to the person to whom the information pertained) That attempt failed, out of concern people at least know who has sought information about them. Proponents of the change said that the 90 or so confidentiality statutes applicable to specific records, as well as the FOIA exemptions, addressed any concerns about privacy.

While the remaining parts of PDA exercise no authority over actual information disclosure to third parties, it continues to give individuals the right to access their own data (except in certain, very limited circumstances). The PDA also continues to impose certain requirements on state agencies about their handling of personal information. Under PDA, each agency must:

1. Inform each employee who operates or maintains a personal data system or who has access to personal data of the provisions of the Personal Data Act; agency regulations required by PDA (see item 9 below); the Freedom of Information Act; and any other state or federal law concerning maintenance or disclosure of personal data kept by the agency;

2. Take reasonable precautions to protect personal data from the dangers of fire, theft, flood, natural disaster or other physical threats;

3. Keep a complete record of every individual or entity who has obtained access to personal data, and the reason for access, and maintain this record for at least 5 years after access was given or for the life of the record under the agency's retention schedule, whichever is longer;

4. Make available to the person to whom the personal data pertains the record kept in item 3, upon written request.

5. Maintain only relevant and necessary information about a person to accomplish the lawful purposes of the agency;

6. Inform an individual in writing whether the agency maintains personal data concerning him or her, upon written request;

7. Disclose to a person, upon written request, all personal data concerning him or her maintained by the agency (but the agency cannot disclose personal data about other persons in this process);

8. Establish procedures that 1) allow a person to contest the accuracy, completeness or relevancy of his or her personal data; 2) allow personal data to be corrected upon request of a person when the agency agrees with the proposed correction; 3) allow a person who believes the agency maintains inaccurate or incomplete personal data concerning him or her to add a statement setting out what he or she believes to be an accurate or complete version of the personal data. (The statement becomes a permanent part of the agency's personal data system and must be disclosed to anyone to whom the disputed personal data is disclosed.)

9. Adopt regulations that describe: the general nature and purpose of the agency's personal data systems; the categories of personal and other data kept in the agency's personal data systems; the agency's procedures regarding the maintenance of personal data; and the uses to be made of the personal data maintained by the agency.

Finally, an agency may refuse to disclose medical, psychiatric or psychological data to a person to whom the data pertains if an agency believes disclosure would be detrimental to the person, or if nondisclosure is allowed or required by law. (In this situation, the agency must advise the person of his or her right to appeal the decision to court).

PDA regulations. Most agencies have adopted the regulations required by PDA. Interestingly, although not required by the statute, many agencies as part of their regulations require themselves to give individuals supplying personal data the following information (if the person asks):

The legal authority under which the agency is gathering the information;
The individual's rights under PDA related to the information;
Known consequences resulting from supplying or refusing to supply the information; and
The proposed use to be made of the information.

¹This plan has been a statutory requirement since 1989.

²FOIA includes a process allowing state employees to object to requests for their records, prompted by a notice from the pertinent agency that a request has been made that might be an invasion of personal privacy under the act.

³228 Conn.158 (1993)

⁴Id. at 177

⁵Director, Retirement and Benefits Services Division v. Freedom of Information Commission (SC 16462) (July 17, 2001)

⁶The following public officials and employees are allowed to maintain their residential addresses confidentially under FOIA: a federal court judge, federal court magistrate, judge of the Superior Court, Appellate Court or Supreme Court of the state, or family support magistrate; a sworn member of a municipal police department or a sworn member of the State Police; a Department of Correction employee; an attorney who represents or has represented the state in a criminal prosecution, or who is or has been employed by the Public Defender Services Division; a Division of Criminal Justice inspector; a firefighter; a Department of Children and Families employee; and a Board of Parole member or employee.

⁷Testimony of Dr. Herbert Sacks, Judiciary Comm., 3/25/76 Hearing Transcript, pg. 12

⁸Criminal history was deleted from the definition of personal data in 1978 when the state's comprehensive criminal records security and privacy act was passed.

⁹Under the act, individual consent was not required for the disclosure of personal data when 1) the disclosure was to an employee of the agency who has a need for the personal data in the performance of his duties; 2) the agency determined there was a substantial risk of imminent physical injury by the person to himself or to others and that disclosure or transmission of personal data is necessary to reduce that risk; 3) disclosure without consent was otherwise authorized by statute; or 4) the transmission was made per a subpoena, order of court or other judicial process.

Return to Year 2001 studies

Return to Table of Contents