DIGEST
PRIVACY AND STATE AGENCIES
BACKGROUND
- Connecticut's current information privacy
policy is found in a collection of state statutes and regulations, as well
as court decisions. There are two central statutory pillars in this
collection: the Freedom of Information Act (FOIA) and the Personal Data Act
(PDA). In addition, there are numerous specific state statutes that apply to
specific types of information maintained by particular agencies, which
typically limit disclosure of information in certain circumstances.
- FOIA is based on a presumption of public
accessibility to records maintained by state government, where nondisclosure
is to be narrowly construed, including for privacy reasons.
- The PDA sets out many "fair information
principles", concepts that first appeared in American federal and state
statutory law in the mid-seventies and focus on information treatment from
the point of view of fairness to the data subject.
- The history of the interplay between the FOIA
and the PDA, along with amendments to the FOIA in recent years related to
issues of personal privacy, demonstrates that the effectuation of a balance
between the two values of open government and personal privacy is a
continuing process.
STATUTORY STRUCTURE
FINDINGS
- Connecticut appears to have in place most of the
statutory pieces that those in the field of information privacy believe
are important.
- However, the program review committee
believes there are deficiencies that diminish the importance of the privacy
value. These include: 1) lack of actual affirmative agency notice to
individuals who supply personal data about how their data will be used; 2) a
substantive conflict between the FOIA and the PDA; and 3) lack of guidelines
for agencies and the public on the application of the invasion of personal
privacy exemption.
Personal Data Act
- Repeal of the PDA consent provision excised a
significant fair information practices concept out of Connecticut law.
Subsequent legislative actions have partially restored the concept.
- In 1987, by giving public employees notice
and the right to object to release of their personal information, thereby
triggering an FOIC decision on any personal privacy invasion, the
legislature gave public employees the opportunity to voice their
preferences.
- Trying to put back in a general consent
provision with exceptions at this point would seem unwarranted, especially
given the objection right for public employees. And laws with consent
provisions are not without problems. What could be done more simply, and be
of benefit to individuals, is to open up how agencies handle personal data
by establishing affirmative notice requirements for state agencies.
RECOMMENDATION
1. The Personal Data Act shall be amended to
require each agency develop and provide to every person providing personal
information to the agency a written statement that includes:
- the legal authority under which the agency
is gathering the information;
- the individual's rights under PDA related
to the information;
- known consequences resulting from
supplying or refusing to supply the information;
- the proposed use to be made of the
information, including the agency specific use and other reasonably known or
expected uses (e.g., publication on any government website, sale to
nongovernmental vendor, sharing with other governmental agencies); and
- the disclosure treatment of the
information under law (i.e., any pertinent confidentiality provisions and
disclosability status under the FOIA).
Recordkeeping Requirement Conflict
- The Freedom of Information Commission
maintains agencies cannot put "preconditions" on persons seeking
information under the FOIA.
- The authority the FOIC cites is: "...Any agency
rule or regulation, or part thereof, that conflicts with the [general
provisions of public records accessibility] or diminishes or curtails in any
way the rights granted by [these general provisions] shall be void." C.G.S.
Sec. 1-210(a)
- The Personal Data Act contains a
recordkeeping requirement for agencies about third party access to personal
data, which requires agencies to collect information that could be viewed as
a precondition. C.G.S. Sec. 4-193(c)
- Under normal rules of statutory construction,
the two provisions, C.G.S. Sec. 1-210(a) and C.G.S. Sec. 4-193(c) are to be
read together if possible because the legislature is assumed to not
knowingly pass conflicting provisions. In fact, the language of the two
sections is not in conflict and can easily be read together. The PDA
recordkeeping requirement is a statute, not an agency rule or regulation,
and thus cannot be construed as void.
- The program review committee understands the
FOIC concern about creating barriers to the exercise of FOIA rights. Of
concern is that currently agencies are potentially in an awkward spot where
they either have to ignore a statutory provision of the PDA or a directive
from the FOIC.
RECOMMENDATION
2. The Personal Data Act shall be amended as
follows: Each agency shall...keep a complete record of every individual or
entity who has obtained access to personal data, and the reason for access
EXCEPT FOR DISCLOSURES MADE UNDER C.G.S. SEC. 1-201, and maintain this
record for at least 5 years after access was given or for the life of the record
under the agency's retention schedule, whichever is longer.
Invasion of Personal Privacy
- The FOIA exemption for invasion of personal
privacy is an important component in the statutory mix that forms the
state's information privacy policy.
- There are two problems with the invasion of
personal privacy exemption for purposes of understanding the status of
information privacy in Connecticut: 1) it requires interpretation; and 2)
there is no ongoing compilation and summary of FOIC decisions and court
cases for agency and public reference.
RECOMMENDATION
3. The Freedom of Information Commission
shall compile a summary of FOIC and court decisions on the invasion of privacy
exemption for agencies and the public. This summary should be updated as needed.
ADMINISTRATIVE STRUCTURE
FINDINGS
- Because of the mix of statutory authority
related to information privacy, the implementation or administrative
framework is varied also. First and foremost, Connecticut's information
privacy policy is implemented largely at the individual agency level and,
often, even more specifically at the programmatic level.
- The administrative framework question may be
divided into two parts - internal agency administration and external agency
administration.
Internal Administration
- Because some information privacy laws affect
all state executive branch agencies, with some agencies operating under very
detailed confidentiality requirements, the committee staff implementation
review is necessarily at a broad level.
- Almost every agency reviewed by the program
review committee has one or more specific statutes requiring it to keep some
information it holds confidential.
- Many agencies have systems of limited
employee password access to automated databases. Some agencies have internal
audit programs to check the appropriateness of employee record access. A few
agencies have confidentiality agreements employees must sign; some other
agencies have confidentiality policy statements of which employees are made
aware. In general, agencies with the most comprehensive and wide-reaching
confidentiality statutes have the most developed written operating
procedures.
- Most agencies have adopted PDA regulations;
some have not. Few agency regulations have been updated as required.
- Regarding other aspects of the PDA, agencies
were asked in the committee survey about two requirements of the Personal
Data Act. While most agencies responded yes to fulfilling the PDA
requirement, the variation in methods to ensure compliance raises questions
about agency consistency.
- There are no reporting or auditing mechanisms
in place for the PDA or the FOIA. Especially for the PDA, which has no
visible enforcement presence like the FOIC, the lack of oversight dilutes
the original policy impulse of the PDA, to provide individuals with rights
and information about how government was handling personally identifying
information about themselves.
External Administration
- There is no administrative entity responsible
for general oversight purposes. However, for enforcement purposes, the FOIC,
a quasi-judicial body, exists to handle appeals of agency decisions related
to implementation of FOIA. In contrast, no such body exists to handle
complaints about agency implementation of the PDA; a different remedial
mechanism is provided.
- A centralized information privacy entity
would elevate the importance and visibility of personal privacy at a time
when issues and concerns related to personal privacy and agency records are
only going to increase, not decrease, due largely to technological advances.
These advances include increased government data automation, data sharing,
and internet publication.
- While, relatively speaking, there is not a lot of
agency activity at this point related to providing volume data to
nongovernmental entities and publishing agency data that contain personal
information on the state's website, that activity will most likely increase.
RECOMMENDATIONS
4. Creation of Oversight Entity
There shall be established an independent
Office of Information Privacy Advocate (OIPA). The Governor with the approval of
the General Assembly shall appoint a person with knowledge of information
privacy as Privacy Advocate.
Responsibilities. Within available
appropriations, the Privacy Advocate may:
- receive and review annual agency
information privacy activity reports;
- evaluate and monitor agency compliance
with laws related to information privacy;
- recommend legislation and administrative
practices related to information privacy;
- receive complaints about agency compliance
with the PDA and refer them to the Attorney General;
- develop and promote educational materials
for Connecticut citizens on information privacy issues, coordinating with
other state agencies where appropriate (e.g., Department of Consumer
Protection);
- assist the Department of Information
Technology in carrying out its responsibilities for the state's information
infrastructure;
- consult with the Freedom of Information
Commission on issues of mutual concern;
- form and coordinate a working group of
privacy compliance officers to develop guidelines for publication of agency
records on the internet; and
- review and comment on the notice
provisions developed by state agencies for persons from whom agencies
collect personal data (See recommendation in Chapter II).
The Information Privacy Advocate shall
annually submit to the governor and the General Assembly a detailed report
describing the work of the Information Privacy Advocate.
5. Creation of Internal Agency Accountability
Mechanisms
Each agency shall appoint a privacy
compliance officer. This person shall report to the commissioner and be
responsible for ensuring the agency is implementing the personal data act and
other information privacy requirements.
For each fiscal year, the agency, through the
privacy compliance officer, shall prepare a report on or provide information
about:
- specific activities related to ensuring
pertinent agency employees are knowledgeable about the various laws
pertaining to the maintenance and disclosure of personal data in the custody
of the agency;
- the current status of agency security
provisions regarding both automated and manual records, including use of
limited access mechanisms;
- specific activities related to ensuring
the agency is only maintaining relevant and necessary personal data to
accomplish the lawful purposes of the agency;
- a written up-to-date list of individuals
entitled to access each of the agency's personal data systems;
- the number of requests for personal data
by data subjects and the outcomes, including the specific reasons for any
denials;
- the number of requests involving personal
data by persons other than the data subject, including the outcomes, along
with the agency's determination of whether the invasion of personal privacy
exemption applied or not;
- each governmental agency with which the
agency shares data, the type of data shared, the purpose of the data
sharing, and whether there is a written agreement between the two entities;
and
- any provision of personal data on a volume
basis to any nongovernmental entity, including a description of the
information provided, to whom provided, any written agreement covering the
transaction, and the total amount of any payments for such transaction.
This report shall be submitted to the OIPA
and the Connecticut General Assembly by October 1 of each year for the fiscal
year ending the preceding June 30.
6. The program review committee recommends
each agency that currently has regulations review them to see if they are still
timely and appropriate to agency circumstances and agencies that have not yet
adopted regulations do so as soon as possible.
Department of Motor Vehicles
- Personal information is distributed in three
ways under Connecticut's version of the Driver Privacy Protection Act at the
Department of Motor Vehicles (DMV). The common factor for information
distribution is that any request must fit into one of the acceptable
statutory reasons for disclosure.
- According to DMV, until a year ago, little to
no contract compliance monitoring occurred due to resource constraints. In
the last year, one DMV employee has done some compliance testing, but the
department believes more should be done. Likewise, there is no systematic
check of the non-volume request process.
- The Department of Motor Vehicles collects
millions of dollars a year for the state from selling motor vehicle record
information, and program review committee staff finds the effort to ensure
compliance with the restrictions that accompany these sales needs to
increase.
7. The Department of Motor Vehicles should
develop and implement a systematic method of reviewing contract compliance for
volume sales, as well as a system of spot-checking nonvolume sale activities.