Privacy and State Agencies Sec 3

Privacy and State Agencies

Agency Activities: Preliminary Analysis

To find out how state agencies are handling information, program review staff surveyed 42 executive branch agencies (including two constitutional offices, the Offices of the State Treasurer and the Secretary of the State). In addition, similar information from eight agencies was gathered through interviews (this group included the Office of Comptroller). The analysis so far is based on the response from 36 surveyed agencies and 8 interviewed agencies - altogether, 44 agencies.

The areas of inquiry included: what information is collected by an agency; what confidentiality laws apply to agency records and what agency procedures exist to ensure confidentiality; what information, if any, does an agency provide to a nongovernmental entity on a volume basis; any publication of personal data on the Internet; and agency implementation of Personal Data Act provisions. The review of these areas is ongoing, but preliminary analyses are highlighted here.

Array of Information

As noted earlier, the state engages in hundreds of activities in which information about individuals is gathered. As a way of seeing what information is actually collected, program review staff requested from each state agency surveyed or interviewed copies of all forms the agency uses in carrying out its responsibilities that capture personal information. While not every piece of information requested in the hundreds of forms program review staff received has been catalogued, here is a sample from three agencies. As would be expected, the type of personal information sought varies by the nature of the program involved.

The Department of Agriculture's Bureau of Aquaculture licenses commercial shellfish operations, including harvesting seed oysters and transplanting shellfish.
- Information requested in shellfish license applications includes: names and addresses of persons in the business; the business structure (i.e., sole proprietor, LLC, corporation); types of equipment used and identification numbers (e.g., boat registrations and motor vehicle marker plates); social security numbers or federal employer identification numbers (FEIN); and the physical locations in which business will be carried out.
The Department of Social Services provides a wide range of programs, including: Medicaid, State Assisted General Assistance, Child Support Enforcement, Temporary Assistance to Families (successor to AFDC), Food Stamps, and Child Care.
The information required of individuals seeking assistance in these programs (and for each household member) includes:
- name, maiden name of applicant, residential address, applicant's previous addresses in last 36 months; date of birth; place of birth; education information; social security number; marital status; personal circumstances such as disabled, pregnant, or on strike; and ability to work;
- whether anyone is expecting an inheritance; whether anyone is suing anyone; medical insurance information; legally liable relative information; information about any assets owned by household members, including cash on hand, bank accounts, life insurance policies, annuities, stocks, motor vehicles, or real estate;
- information about transfer of assets during the last 36 months; how the applicant has paid his or her bills during the last 6 months; current and previous employment income (and reasons for leaving jobs); dependent care; other income; living arrangement and shelter expenses; child support payment information; and circumstances of any students over 18.
The Department of Banking is responsible for the regulation and examination of financial institutions and various related entities chartered, licensed, or registered by the state. The areas of regulation cover banks and credit unions, consumer credit, securities and business investments.
- The application for a first mortgage lender/broker license asks for: name, office address, FEIN or social security number; name, residence, date of birth and other occupation of the owner (or partners in the case of a corporation); whether the applicant has ever been convicted of a crime, ever been the subject of regulatory actions by any state or federal agency, ever been refused any license by any department or withdrew an application, or ever been a defendant in litigation in connection with the granting or arranging of first mortgage loans (explaining each circumstance fully.)

Specific Confidentiality Statutes

Almost every agency reviewed by program review staff (32 of the 44 responses to date) has one or more specific statutes requiring it to keep some information it holds confidential. A statute search by program review staff has identified over a hundred separate state statutes requiring certain types of records be kept confidential. This means public disclosure of information that would personally identify a person is prohibited. Most of these statutes allow disclosure to other government agencies and for audit and research purposes, with the condition that confidentiality be maintained by those users. Examples of these are the statutes covering tax returns at the Department of Revenue Services, program eligibility records of Department of Social Service programs, and child protection case records at the Department of Children and Families.

In terms of how confidential information is handled at agencies, the responses were varied. Where automated databases are involved, many agencies have systems of limited employee password access to these databases. A few agencies have confidentiality agreements employees must sign; some other agencies have confidentiality policy statements of which employees are made aware. In general, agencies with the most comprehensive and wide-reaching confidentiality statutes have the most developed written operating procedures.

Social security numbers. Every agency maintains their employees' social security numbers. Most agencies also collect social security numbers of individuals with whom they interact in the conduct of their responsibilities. State law requires agencies with licensing functions to collect social security numbers to assist the Department of Revenue Services in its tax collection efforts. All agencies consider social security numbers confidential.

Volume Data Requests

Ten agencies noted they get volume requests for information.


Table 1. Agencies that Provide Volume Data to Nongovernmental Entities
Department of Motor Vehicles	Motor vehicle record information; written agreements prohibit redisclosure
Comptroller	Names and addresses of state employees to benefits vendors under contract with state; names and salaries to media
Chief Medical Examiner	Media
Commission on Human Rights and Opportunities	Information to various unions representing CHRO employees
Consumer Protection	Monthly updates on all basic licensee information to wine and spirits wholesalers
Department of Environmental Protection	Requests for sportsmen (deer and turkey hunter list) and commercial fishing information (names and addresses) to commercial entities (e.g. Equifax) Also for Boating Safety Certificate holders
Office of Policy and Management	Personal service agreement database
Public Health	Death registry to media and genealogists
Public Utility Control	Consumer complaints
Secretary of the State	Voter registration compilation on a CD (voter registration information for over 140 participating towns); lists of newly appointed notaries public; corporate and UCC filing information; and CPA lists.

Personal Information on the Internet

Ten agencies indicate they put material containing personal information on their Internet Web sites.


Table 2: Agencies with Personal Information on the Internet
Banking	Administrative orders related to regulation of securities, debt collectors and lending businesses
Consumer Protection	License information (plans to put on complaints filed)
Education	Names, addresses and phone numbers of state mediators, arbitrators, and review panel arbitrators
Ethics Commission	Lobbyist Information (required by state statute)
Insurance	Licensing division puts the name and type of license, effective date and/or termination date of such license and authority under such license
State Library	Names, addresses, and phone numbers of members of various boards
Office of Policy and Management	Statewide real estate assessments
Public Health	Physician profiles, regulatory action reports
Public Utility Control	DPUC formal filings
Secretary of the State	Corporate and UCC filings

Until earlier this year, the Department of Public Safety published a sexual assault registry on the Internet, which is a compilation of persons required to register with local police departments because of their convictions for sexual offenses. A federal court ordered the Internet registry removed because of due process concerns related to persons on the registry. That decision is on appeal.

The Office of Attorney General also has published information about persons owing child support.

Implementation of Personal Data Act

Agencies were asked about three areas addressed in the Personal Data Act: collecting and maintaining only necessary and relevant information; allowing individuals to correct any inaccurate information about themselves; and maintaining a log of all inquiries for personal data. Below is a summary of agency survey responses; this is an area committee staff will follow up on to further refine what agencies are actually doing.

Relevant and necessary information

All agencies reported they only maintain information about a person that is relevant and necessary to accomplish the lawful purposes of the agency, a PDA requirement.
The ways agencies reported they ensured this varied:
- Irrelevant and unnecessary information is never collected
- Data collected were dictated by law
- Data collection forms limit what information collected
- Adherence to record retention laws
- Only a few agencies indicated any formal process

Accuracy challenge procedure

Most agencies reported they had a procedure to allow a person about whom an agency maintains personal data to challenge the accuracy of such personal data and correct that information, a PDA requirement.
- Some agencies cited formal hearing processes to contest agency decisions as a way to challenge inaccurate information
- Agencies noted employees could review their own files
- A few agencies reported annual requests for updated information in some programs

Recordkeeping for personal data requests

Most agencies reported they keep a record of any individual, agency, or organization who has obtained access to or to whom disclosure has been made of another person's personal data and the reason for each such disclosure, a PDA requirement.
- One agency that reported it did not keep such a record noted that asking an individual his or her purpose in seeking agency data was in conflict with FOIA and the First Amendment to the U.S. Constitution
- Some agencies noted they did not have a centralized recording system, but rather kept any such records in individual files

This provision highlights a conflict for agencies. The Freedom of Information Commission advises agencies they cannot ask the identity of a person requesting information under FOIA, yet agencies are still mandated by the PDA to keep a record that would not only necessitate knowing the identity of a requester, but the reason for the request as it relates to personal information about another person.

Return to Year 2001 Studies

Return to Table of Contents