Privacy and State Agencies Ch 2

Chapter II

Statutory Framework

As described in the committee's briefing report, Connecticut's current information privacy policy is found in a collection of state statutes and regulations, as well as court decisions. There are two central statutory pillars in this collection: the Freedom of Information Act and the Personal Data Act.

FOIA is based on a presumption of public accessibility of records maintained by state government, where nondisclosure is to be narrowly construed, including for privacy reasons. The PDA sets out many "fair information principles", concepts that first appeared in American federal and state statutory law in the mid-seventies and focus on information treatment from the point of view of fairness to the data subject. This treatment includes having the right to access and challenge the accuracy of agency records about oneself. (It is important to recall the current PDA does not give an individual any control over disclosure of personal information to third parties. The use of the term "personal" data does not mean they are per se "private" data). In addition, there are numerous specific state statutes that apply to specific types of information maintained by particular agencies, which typically limit disclosure of information in certain circumstances.

As can be seen from the brief descriptions of the two statutes above, information privacy is not a singular concept - it has at least three separately distinguishable elements:

public disclosability of personal data¹ (covered by the Freedom of Information Act (FOIA) and various specific statutes);

the handling of personal data by state agencies, including access by the data subject but excluding public disclosability concerns (covered by the Personal Data Act (PDA)²; and

physical security of personal data (PDA).

The history of the interplay between the FOIA and the PDA, along with amendments to the FOIA in recent years related to issues of personal privacy, demonstrate that the effectuation of a balance between the two values of open government and personal privacy is a continuing process. Based on program review research, Connecticut appears to have most of the statutory pieces in place those in the field of information privacy believe are important. However, the program review committee believes there are deficiencies that diminish the importance of the privacy value in the balance. These include:1) lack of actual affirmative agency notice to individuals who supply personal data about how their data will be used; 2) a substantive conflict between the FOIA and the PDA; and 3) lack of guidelines for agencies and the public on the application of the invasion of personal privacy exemption. This chapter provides an analysis of the statutory structure and how it has evolved to illuminate its current status and lay the basis for committee recommendations.

Personal Data Act

In the late 1960s and early 1970s, the growth of large federal government data banks full of information about individuals raised concerns about the impact on personal privacy. In 1973, an advisory committee to the federal Department of Health Education and Welfare (HEW) issued a report entitled Records, Computers and the Rights of Citizens, which called for the enactment of a Code of Fair Information Practices. The Code has five principles.

There must be no personal data record-keeping systems whose very existence is secret.
There must be a way for an individual to find out what information about him is in a record and how it is used.
There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
There must be a way for an individual to correct or amend a record of identifiable information about him.
Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of data.

The U.S. Congress enacted the federal Privacy Act in 1974, which incorporated the principles of the 1973 HEW Code. The Connecticut Personal Data Act, patterned after the federal law, was enacted in 1976; only 13 other states have adopted the concept of fair information practices in statute since the mid 1970s.

Connecticut's current version of the PDA was described in the briefing report and its provisions are set out in Appendix A of this report. As noted in the briefing, the Connecticut PDA as originally enacted had a consent provision (with exceptions) reflecting the third principle above: the ability of the individual to have some control over use and disclosure of his personal data. That provision was repealed in 1979 on the grounds it conflicted with the FOIA. The arguments for and against the repeal are reviewed in some detail in this chapter because the program review committee believes repeal of the consent provision excised a significant fair information practices concept out of Connecticut law. Subsequent legislative actions have partially restored the concept.

Repeal of consent provision. When first enacted in 1976, the PDA contained the following two provisions:

1. No agency or any of its employees shall disclose or transmit any personal data to any other individual, corporation, or municipal, state, or federal agency, without the consent of the person, except as provided in [the next section].

2. Consent of the person shall not be required for the disclosure or transmission of personal data when:

_ a) the disclosure is to an employee of the agency who has a need for the personal data in the performance of his duties;

_ b) the agency determines there was a substantial risk of imminent physical injury by the person to himself or to others and that disclosure or transmission of personal data is necessary to reduce that risk;

_ c) disclosure without consent is otherwise authorized by statute;

_ d) the transmission is made per a subpoena, order of court or other judicial process; or

_ e) disclosure or transmission is related to collecting student loans or other obligations to the state.

In 1979, legislation was proposed to remove the consent provision on the grounds it conflicted with the FOIA. The Connecticut Civil Liberties Union (CCLU) acknowledged there was tension between the two acts and supported a revision of "the Freedom of Information Act and the Personal Data Act in such a way as to make them compatible". However, CCLU offered a different approach, objecting to the consent repeal proposal because it "eliminates all protection against disclosure by government agencies of private data."

The CCLU recommendation was to add another permissible reason to disclose personal data without the consent of the data subject: required disclosures under the Freedom of Information Act. This proposal was identical to the way the federal version of the personal data act and the federal freedom of information act were and still are harmonized. The Federal Privacy Act prohibits an agency from disclosing any personal record without the "prior written consent of the individual to whom the record pertains", but similar to the original Connecticut law, has exceptions to the consent rule, 12 in fact.

The proponents of the repeal argued:

The individual consent provision did not provide any new needed protection.
Personal privacy was already protected either by specific confidentiality statutes pertaining to specific records or the invasion of personal privacy exemption under the FOIA, which permitted agencies to withhold disclosure of "personnel or medical or similar files if the disclosure would be an invasion of personal privacy.

The CCLU counter argument was:

Since all the FOIA exemptions were applicable at the discretion of the agencies, the invasion of privacy exemption under the FOIA did not prohibit an agency from giving out information, even if it was an invasion of someone's personal privacy.
Thus, by eliminating the consent provision, the only statute prohibiting disclosure of private personal data was gone.

Figure II-1 sets out a hypothetical case to illustrate how the CCLU proposal would work.

Figure II-1. Illustration of How CCLU Proposal Would Affect FOIA Decisions

Assume a state employee had filed a sexual harassment complaint against her manager, and the state agency investigated the complaint. A newspaper reporter found out about the complaint and investigation and asked the agency for the name of the complainant.
There is no specific state statute shielding the name of a sexual harassment complainant.
In the absence of the consent provision, the agency could make one of three decisions:

_ Releasing the complainant's name would be an invasion of personal privacy so the agency would choose not to release the information (agency choice - not required under FOIA)

_ Releasing the complainant's name would be an invasion of personal privacy, but the agency decides to release it anyway at its discretion. (agency choice- not required under FOIA)

_ Releasing the information would not be an invasion of personal privacy so the agency has to release the complainant's name. (No agency choice -required under FOIA)

With the CCLU consent proposal and exemption for required disclosures under FOIA, the third decision would not require the consent of the individual because the finding of no invasion of personal privacy would require the agency to release the information.

_ In the first two decision scenarios, the individual consent would have to be sought, as neither of those actions is required by the FOIA

What the hypothetical shows is that under the CCLU proposal, individual consent would only be required when an agency determines there would be an invasion of personal privacy, but decides to disclose the information anyway. This point may seem to be minor as one might wonder why an agency would release information it considered an invasion of personal privacy. But as a matter of principle, the balance between the open records law and personal privacy protection without the consent provision as proposed by the CCLU shifts control unnecessarily away from the individual.

The CCLU was not successful in arguing its proposal in committee; the bill that reached and passed the Senate repealed the consent provision. The Senate also deleted another PDA requirement, that agencies were to keep a record of all third-party requests of personal data and the reasons for the requests. The argument was the recordkeeping requirement was no longer necessary after the consent section was repealed.

In the House, the CCLU proposal was offered as an amendment. After much debate, the amendment failed on a close vote of 67-78. However, another amendment, this one successful, was offered to restore the reporting requirement. The amendment's proponent argued:

think that each and every individual in this State who has information in the state agencies' possession regarding their personal matters, their personal affairs, their personnel records, at least have the right to know who's looking into those records if someone does choose to look into those records...It would hold onto that one tangible right that we have left now, at least allow an individual who may be the subject of an investigation from whatever source to at least find out about the investigation, number one, and find out who is conducting it ...I think it's a reasonable thing to ask our agencies to do. If nothing else, it may provide the individual with the right to make a clarification of something that exists in that record.... Let's give the people of the state at least one protection against invasion of their privacy.

This amendment passed 85-61 and the bill as amended passed both chambers. (The recordkeeping requirement is discussed later in this section).

Eight years later, concern bubbled up about the breadth of disclosure of personal information regarding public employees under the FOIA. This concern resulted in legislative change that shifted some rights back to the public employees, or data subjects.

1987 public employee right to notice and object. In 1987, legislation was introduced to exempt all public employee personnel records excluding wage information from disclosure under the FOIA. The bill was very controversial and raised concerns about shielding information about public employees legitimately within the realm of public interest. As a compromise, legislation passed providing a mechanism of notice and opportunity to object to disclosure of information contained in a personnel or medical or similar file.³ This process involves the following steps.

A public agency receives a request to inspect or copy records contained in any of its employees' personnel or medical files and similar files.
The agency determines it reasonably believes the disclosure of such records would legally constitute an invasion of privacy. The agency is not required to withhold from disclosure the contents of personnel, medical, or similar files when it does not reasonably believe that such disclosure would legally constitute an invasion of personal privacy.
The agency immediately notifies in writing (a) each employee concerned, although these written notices are not required where impractical due to the large number of employees concerned and (b) the union representative, if any, of each employee concerned.
A public agency after providing the above notice to employees must disclose the records requested unless it receives a written objection from the employee or the employee's union representative, if any, within seven business days from when the employee or the union representative received the notice.
Upon the filing of an objection, the agency shall not disclose the requested records unless ordered to do so by the Freedom of Information Commission (FOIC) through its appeal process.

Interestingly, this provision may in effect do for public employees what the CCLU tried to do for all persons with personal data in the custody of state agencies. By giving public employees notice and the right to object, thereby triggering an FOIC decision on any personal privacy invasion, public employees have the opportunity to voice their preferences. The agency cannot release the record at issue without an FOIC order, that is, unless required under FOIA. This control is of course tempered by the threshold provision that the agency must reasonably believe disclosure would legally constitute an invasion of privacy.

While the CCLU proposal to exempt "disclosures required under FOIA" from the PDA consent provision seems to have been a reasonable solution to the rub between FOIA and the PDA, it was not successful. As the repeal proponents argued, though, it is true many of the specific statutes with confidentiality provisions have consent options. Further, records of public employees, covered by the notice and objection provision just discussed, are the most common records sought under the personal privacy exemption. However, anyone with personal data in the possession of a state agency not covered by one of those two situations has no similar protections.

Trying to put back in a general consent provision with exceptions at this point would seem unwarranted, especially given the objection right for public employees. Laws with consent provisions are not without problems. The Federal Privacy Act has its share of critics, in particular about the way agencies overuse the "routine use" exception. What could be done more simply, and be of benefit to individuals, is to open up how agencies handle personal data by establishing affirmative notice requirements for state agencies. Specifically agencies would be required, at the time an individual supplies information to the agency, to give the individual specific written information about the uses for the information and how it will be handled.

Theoretically, the PDA already requires agencies to provide that information to individuals, but the information is either in the form of general agency regulations or requires an individual to have the wherewithal to ask. Agency regulations describe:

the general nature and purpose of the agency's personal data systems;
the categories of personal and other data kept in the agency's personal data systems;
the agency's procedures regarding the maintenance of personal data; and
the uses to be made of the personal data maintained by the agency.

Additionally agency regulations require agencies to give individuals supplying personal data the following information, if the person asks:

The legal authority under which the agency is gathering the information;
The individual's rights under the PDA related to the information;
Known consequences resulting from supplying or refusing to supply the information; and
The proposed use to be made of the information.

While regulations are better than no information⁴, for the average citizen, the notice they provide is more constructive than actual. The program review committee believes this information should be more easily accessible to persons giving personal information to state agencies.

The Personal Data Act shall be amended to require each agency develop and provide to every person providing personal information to the agency a written statement that includes:

the legal authority under which the agency is gathering the information;
the individual's rights under PDA related to the information;
known consequences resulting from supplying or refusing to supply the information;
the proposed use to be made of the information, including the agency specific use and other reasonably known or expected uses (e.g., publication on any government website, sale to nongovernmental vendor, sharing with other governmental agencies); and
the disclosure treatment of the information under law (i.e., any pertinent confidentiality provisions and disclosibility status under the FOIA).

This recommendation is similar to the federal Privacy Act and Paperwork Reduction Act Notice required by the federal government. Some agencies, such as DSS, already provide such information to persons in certain programs due to the federal requirement.

The recommendation is also in line with how Connecticut is approaching its internet website information policy. The advent of the internet and ConneCT, the state's official website, gives state government a very visible and accessible way to communicate with citizens-in a way that hard copies of statutes and regulations cannot. In general, the accessibility of the internet has made people very aware of possible privacy concerns. In February 2001, the state's website privacy policy become effective and available to anyone who logged on to the ConneCT. It is noteworthy that the internet privacy policy is not just available "upon request" of the person using the internet, but it is available as an affirmative act of government. (See Appendix B for a copy of the policy).

Although prompted and made instantly accessible by a technological tool, the ConneCT privacy policy serves to alert people, albeit in a very general way and if they choose to read the policy, to the status of their personal information maintained by state agencies regardless of how it was gathered, in a way not possible before. Presented in a question and answer format, the policy covers questions such as Can I Access and Correct My Personal Information? and Do I Have a Choice about Whether or Not My Personal Information Is Provided to Others? These are key fair information practice questions. In effect, state use of the internet exposes in a way not available before how personal information in the custody of state agencies is treated.

Record-Keeping Requirement Conflict

During the study, the program review committee became aware of a conflict between the FOIA and the PDA. As noted in the briefing, the Personal Data Act contains a recordkeeping requirement for agencies.⁵ This was the provision almost stripped in 1979 when the consent provisions were deleted from the PDA.

Specifically, agencies are required to:

keep a complete record, concerning each person [the agency has personal data about], of

_ every individual or entity who has obtained access to personal data, and

_ the reason for access, and

maintain this record for at least five years after access was given or for the life of the record under the agency's retention schedule, whichever is longer.

Another PDA provision requires this record be made available to the data subject upon written request.⁶

The Freedom of Information Commission maintains agencies cannot put "preconditions" on persons seeking information under the FOIA. The authority the FOIC cites is the highlighted sentence below, part of a core FOIA section:

as otherwise provided by any federal law or state statute, all records maintained or kept on file by any public agency, whether or not such records are required by law or by any rule or regulation, shall be public records and every person shall have the right to inspect such records promptly during regular office or business hours or to receive a copy of such records...Any agency rule or regulation, or part thereof, that conflicts with the provisions of this subsection or diminishes or curtails in any way the rights granted by this subsection shall be void⁷

An example of an agency practice the FOIC ruled to be a violation of the FOIA involved the state Liquor Control Commission. The liquor commission asked persons seeking to inspect liquor permittee files to fill out "File Information Request" forms, which asked among other things about the reason for the request and the name and address of the person making the request. The Freedom of Information Commission ordered the liquor commission to stop requiring persons to complete any form as a precondition to providing him or her access to public records.

However, if the liquor commision was trying to comply with the PDA recordkeeping requirement, as liquor permits contain personal data, how else would it be able to compile the required information without asking the very questions it was asking on its form?

Under normal rules of statutory construction, the two provisions, C.G.S. Sec. 1-210(a) and C.G.S. Sec. 4-193(c) are to be read together if possible because the legislature is assumed to not knowingly pass conflicting provisions. In fact, the language of the two sections is not in conflict and can easily be read together. Sec. 1-210(a) says that "any agency rule or regulation, or part thereof, that conflicts with the provisions of this subsection or diminishes or curtails in any way the rights granted by this subsection shall be void". The PDA recordkeeping requirement is a statute, not an agency rule or regulation, and thus cannot be construed as void.

It is not certain how critical a problem this is in reality. As noted in the October 2001 briefing report, the program review committee asked agencies in a study survey whether they kept records on personal data disclosures; most agencies replied they did. However, what is not clear is how detailed the records were and if the agencies in fact asked the reason for the disclosure. Of concern is that agencies are potentially in an awkward spot where they either have to ignore a statutory provision of the PDA or a directive from the FOIC.

Is there a reason to be keeping such records? By the language of the statute, at least one reason to maintain such records is to be able to show the data subject what third parties had been given access to the data subject's records and the reasons for the access. If a consent provision was still in the statute, this record would allow a data subject to see whether the agency had complied with the consent provision with respect to his or her data. With that no longer present, the compliance check rationale is gone. This was in fact the argument for repealing the recordkeeping provision back in 1979, but that repeal failed.

A general impression the program review committee draws from this study is the Personal Data Act has never been a high priority for state agencies. This is somewhat understandable in that agencies handling the most sensitive types of personal data are already operating under specific state and federal statutes that govern how they handle data, e.g., the Departments of Social Services, Mental Health and Addiction Services, and Revenue Services. However, if one believes there is a public value in individuals knowing how their personal data have been used, even though they individually have no control over the data once given, there remains a reason for agencies to maintain records.

However, the program review committee understands the FOIC concern about creating barriers to the exercise of FOIA rights. Thus the program review committee borrows in part from the Federal Privacy Act and recommends the recordkeeping requirement be maintained, with an exemption for collecting the reason for access for FOIA requests.

The program review committee recommends Sec. 4-193(c) shall be amended as follows:

Each agency shall...keep a complete record of every individual or entity who has obtained access to personal data, and the reason for access EXCEPT FOR DISCLOSURES MADE UNDER C.G.S. SEC. 1-201, and maintain this record for at least 5 years after access was given or for the life of the record under the agency's retention schedule, whichever is longer.

Invasion of Personal Privacy

The final statutory structure area the program review committee found a problem in related to the FOIA exemption for invasion of personal privacy. Clearly, the FOIA exemption for invasion of personal privacy is an important component in the statutory mix that forms the state's information privacy policy. As described above, unless the personal information in question is covered by a specific state or federal statute, it is presumed to be publicly disclosable unless it fits within one of 20 FOIA exemptions, and withheld at the discretion of the pertinent agency. The so-called "personal privacy exemption" is a frequently cited exemption. Specifically, it allows nondisclosure of "personnel or medical files and similar files the disclosure of which would constitute an invasion of personal privacy."

There are two problems with the invasion of personal privacy exemption for purposes of understanding the status of information privacy in Connecticut: 1) it requires interpretation; and 2) there is no ongoing compilation and summary of FOIC decisions and court cases for agency and public reference.

As noted in the briefing, over the years, the Connecticut Supreme Court has decided a variety of cases where the application of the privacy exemption was at issue. In 1993, in Perkins v. Freedom of Information Commission⁸, the court established a framework to determine what was an invasion of personal privacy, which remains the standard today.

The privacy exemption requires two determinations: 1) that the records in question fall within "personnel or medical files and similar files", and 2) that disclosure of the records would constitute an invasion of personal privacy. The Court adopted a two-pronged test for finding an invasion of personal privacy based on the tort law of privacy. If the information sought by a request did not pertain to legitimate matters of public concern and if disclosure was highly offensive to a reasonable person, it would be an invasion of personal privacy. Both conditions must be present.

Although FOIC has prepared a document called Highlights of the Freedom of Information Act, it is not very detailed. One needs to review actual FOIC and court decisions to see what types of information in what circumstance meet, or don't meet, the standard.

The program review committee recommends the Freedom of Information Commission compile a summary of FOIC and court decisions on the invasion of privacy exemption for agencies and the public. This summary shall be updated as needed.

To get a sense of what a summary might show, the program review committee reviewed five years of FOIC cases in which the personal privacy exemption was at issue. The figures below give a sampling of what the commission or the Connecticut Supreme Court has determined constitutes an invasion of privacy. As it turns out, the FOIC infrequently finds an invasion of personal privacy. When it does, there is the practical problem that to specify what is an invasion is to essentially reveal the information. Clues may be gleaned from a review of the decisions, though.

Figure II-2 . Information Determined to Be Invasion of Personal Privacy

►State employee's driver's license number, bank account number, information concerning designated retirement beneficiaries, and medical insurance identification number. (FOIC decision)

►Identity of state employee complainant in sexual harassment investigation against manager; not legitimate matter of public concern because name not necessary to examine or evaluate department's sexual harassment investigative process, in this particular case. (CT Supreme Court decision)

►Sexually descriptive material pertaining to complainant's intimate relationships (same case as above)

►Social Security numbers ( According to FOIC, "Social security numbers are used by both the public and private sector for a wide range of personal identification purposes including but not limited to use of this number for state and federal taxpayer identification. It is found that disclosure of social security numbers would allow persons with knowledge of such numbers to access a wealth of data, including personal, financial, and tax data concerning the individual assigned that number." (Since cases involving social security numbers do not always involve "personnel, medical or similar files", the FOIC has based this decision on its discretion (C.G.S. Sec. 1-206(b)(2)) (FOIC decision)

►Names of spouses, children, financial lending institutions, and details of illnesses in connection with sick leave requests. (FOIC decision)

►Personally identifiable information on resumes and cover letters for unsuccessful candidates, including present employment (details of applicant's qualifications are public, along with past employers) (FOIC decision)

►Residential addresses of state employees, where the state employees have taken steps to protect them. (CT Supreme Court decision)

Figure II-3. Information Determined to Not Be Invasion of Personal Privacy

►Mayor letter of reprimand to town planner (FOIC decision)

►Written summary of findings of agency affirmative action division following investigation of an allegation of sexual harassment; details sexual harassment and contains some answers of individuals who were interviewed; does not contain sexually explicit or descriptive information such as allegations of sexual contact and sexual improprieties or details of intimate personal relationships (FOIC decision)

►Written complaint of complainant; complainant's detailed statement to investigating officer, and interview notes of agency investigation into sexual harassment charge; letter from assistant commissioner to complainant seeking her cooperation (CT Supreme Court decision)

►Budgets containing individual payroll records; employee applications; verification of employee's education and training (FOIC decision)

►Internal affairs investigations (except where "such documents contain the kind of intimate details of an individual's life that are normally private matters" (FOIC decision)

-includes result of polygraph test result taken in reference to internal affairs investigations.

¹Personal data under PDA means: any information about a person's education, finances, medical or emotional condition or history, employment or business history, family or personal relationships, reputation or character which because of name, identifying number, mark or description can be readily associated with a particular person.

²The state's record retention laws play a indirect role.

³C.G.S. Sec. 1-214

⁴The status of the regulations will be discussed in Chapter 3.

⁵C.G.S. Sec. 4-193 (c)

⁶C.G.S. Sec. 4-193 (d)

⁷C.G.S. Sec. 1-210(a)

⁸228 Conn.158 (1993)

Return to Year 2001 Studies

Return to Table of Contents