Privacy and State Agencies Ch 1

Chapter I

Introduction

This study focuses on how information privacy is handled at state executive branch agencies. Information privacy relates to the treatment of personally identifiable information about individuals contained in agency records. (These individuals will be referred to as data subjects in this report).

The program review study asks three questions:

What conditions of privacy, if any, accompany the large amounts of information collected by state agencies about individuals?
How are these conditions being implemented by state agencies?
Is there a state framework to develop and carry out the appropriate treatment of agency information?

The questions are of course interrelated. Answers to the first two inform the conclusions related to the third question. The first question goes to the adequacy of the state's substantive, or statutory, framework, for handling information privacy. The second question goes to the adequacy of the state's administrative, or implementation, framework for carrying out those laws. This report makes findings and recommendations related to these two aspects of the state's information privacy framework-statutory and administrative.

In terms of the statutory structure and "conditions of privacy," based on its research, the program review committee finds Connecticut has almost all of the necessary substantive elements in place the literature on information privacy supports, and has had for many years. There are some deficiencies, though, that the program review committee finds diminish the importance of the privacy value in the statutory balance between open records and personal privacy. These include: 1) lack of actual affirmative agency notice to individuals who supply personal data about how their data will be used; 2) a substantive conflict between two significant information statutes, the Freedom of Information Act (FOIA) and the Personal Data Act (PDA); and 3) lack of guidelines for agencies and the public on the application of the invasion of personal privacy exemption. The statutory structure will be discussed in Chapter II.

The administrative structure is diverse and lacks internal and external agency oversight tools. The administrative structure will be discussed in Chapter III.

A quarter century ago Connecticut enacted the comprehensive Freedom of Information act and the Personal Data Act, in 1975 and 1976 respectively. Since then, government has only increased its collection and use of information about persons to carry out new programs and administer existing ones. Further, automation has made sharing large amounts of data easy. And the state's website ConneCT is poised to put information maintained by state agencies on the world wide web. Thus, it is more important than ever there be a coordinated, comprehensive, and affirmative approach to how personally identifying information is handled by state government.

Return to Year 2001 Studies

Return to Table of Contents