Chapter III

Implementation Framework

The second study question noted in the introduction is how the substantive conditions of privacy -- the statutes, regulations, and court decisions -- are being implemented by state agencies. Because of the mix of statutory authority related to information privacy, the implementation or administrative framework is varied also. First and foremost, Connecticut's information privacy policy is implemented largely at the individual agency level and, often, even more specifically at the programmatic level. However, as will be discussed later, the FOIC, a quasi-judicial body, exists to handle appeals of agency decisions related to implementation of FOIA. In contrast, no such body exists to handle complaints about agency implementation of the PDA; a different remedial mechanism is provided.

The administrative framework question may be divided into two parts - internal agency administration and external agency administration. This chapter looks at both these areas. As will be discussed in this chapter, the program review committee finds improvements can be made in both internal and external administration. As a note, because some information privacy laws affect all state executive branch agencies, with some agencies operating under very detailed confidentiality requirements, the committee implementation review is necessarily at a broad level.

Internal Agency Administration

During the study, the program review committee inquired into how agencies administratively insured any specific confidential statutory provisions were followed. Also reviewed were specific aspects of PDA implementation. In assessing implementation the program review committee surveyed 42 executive branch agencies (including two constitutional offices, the Offices of the State Treasurer and the Secretary of the State). In addition, similar information from eight agencies was gathered through interviews (this group included the Office of Comptroller).

Specific confidentiality statutes. As noted in the briefing report, almost every agency reviewed by the program review committee has one or more specific statutes requiring it to keep some information it holds confidential. A statute search by the program review committee identified over a 100 separate state statutes requiring certain types of records be kept confidential. This means public disclosure of information that would personally identify a person is prohibited. Most of these statutes allow disclosure to other government agencies and for audit and research purposes, with the condition confidentiality be maintained by those users. Examples of these are the statutes covering tax returns at the Department of Revenue Services, program eligibility records of Department of Social Service programs, and child protection case records at the Department of Children and Families.

In terms of how confidential information is handled at agencies, the responses were varied. Where automated databases are involved, many agencies have systems of limited employee password access to these databases. A few agencies have confidentiality agreements employees must sign; some other agencies have confidentiality policy statements of which employees are made aware. Some agencies have internal audit programs to check the appropriateness of employee record access. In general, agencies with the most comprehensive and wide-reaching confidentiality statutes have the most developed written operating procedures.

Implementation of Personal Data Act. Under the Personal Data Act, agencies among other items are to adopt regulations identifying their personal data systems and describing certain of their characteristics, such as the uses to which the personal data will be put. Most agencies have adopted these regulations; some have not. Few agency regulations have been updated as required.

From the time the PDA was enacted, the implementation of the regulation requirement, or lack thereof, offers evidence the PDA has not been a high priority for state agencies. It is possible the initial controversy regarding the consent provision in the original PDA, discussed in Chapter II, clouded the importance of other parts of the act for agencies. The original act passed in 1976 with an effective date of July 1, 1977. Agencies were required to adopt regulations about their personal data systems by January 1978. Six years later, in 1984, due to the fact that almost no agency had adopted such regulations, the PDA was amended requiring the attorney general to adopt uniform standards for regulations. At that time, any agency that had drafted regulations was to review them to "determine whether they conformed to such standards." Most agency regulations were adopted in the late eighties, with others in the early and mid-1990s. As noted earlier, some agencies still do not have regulations.

Regarding other aspects of the PDA, agencies were asked in the committee survey about two requirements of the Personal Data Act: 1) maintaining only necessary and relevant information; and 2) allowing individuals to correct any inaccurate information about themselves. (The survey also asked about the requirement to keep a record of all inquiries for personal data, an issue discussed in Chapter II). For these two requirements, agencies were asked to respond either yes or no to whether they fulfilled the mandates. Agencies were then asked to follow up with ways they used to ensure they met the PDA requirement, if they answered yes to the first question. The format of the questions is noted because although most agencies responded yes to fulfilling the PDA requirement, the variation in methods to ensure compliance raises questions about agency consistency. Below is a summary of agency survey responses.

Relevant and necessary information

• All agencies reported they only maintain information about a person that is relevant and necessary to accomplish the lawful purposes of the agency, a PDA requirement.
• The ways agencies reported they ensured this varied:

_ Irrelevant and unnecessary information is never collected

_ Data collected were dictated by law

_ Data collection forms limit what information collected

_ Adherence to record retention laws

_ Only a few agencies indicated any formal process

Accuracy challenge procedure

• Most agencies reported they had a procedure to allow a person about whom an agency maintains personal data to challenge the accuracy of such personal data and correct that information, a PDA requirement.

_ Some agencies cited formal hearing processes to contest agency decisions as a way to challenge inaccurate information

_ Agencies noted employees could review their own files

_ A few agencies reported annual requests for updated information in some programs

Finally in regard to the PDA, at the program review committee's October 2001 public hearing, a representative from the Freedom of Information Commission testified about the commission's implementation concerns about the PDA:

• experience and intuition suggests that state agencies generally do not comply with the essential provisions of the PDA. For example, we do not believe that most state agencies review the personal data they maintain to confirm that they are only keeping those data that are relevant and necessary. We also believe that many state agencies regularly deny people access to personal data about themselves. We base these beliefs on the testimony of people who file freedom of information complaints seeking access to their personal data ...

If seen as a program, the state's information privacy program could be likened to any core government function, such as accounting or operating a human resources system. In the areas of accounting and human resources, which are carried out at the individual agency level, there are monitoring mechanisms in place to ensure compliance with the policy expectations, including reporting and audit requirements. There are no such mechanisms in place for the PDA or the FOIA. Especially for the PDA, which has no visible administrative presence like the FOIC, the lack of oversight dilutes the original policy impulse of the PDA, to provide individuals with rights and information about how government was handling personally identifying information about themselves.

External Agency Administration

As noted above, first and foremost, Connecticut's information privacy policy is implemented largely at the individual agency level, and even more specifically at the programmatic level. There is no administrative entity responsible for general oversight purposes. However, for enforcement purposes, the FOIC, a quasi-judicial body, exists to handle appeals of agency decisions related to implementation of FOIA. In contrast, no such body exists to handle complaints about agency implementation of the PDA; a different remedial mechanism is provided. Figure III-1 depicts the various processes currently in place to enforce the FOIA and the PDA.

Although state agencies have independent responsibility to comply with the FOIA, the legislature chose to provide a central administrative enforcement mechanism. This mechanism was not always in place, though. While 1975 is the year cited as the advent of the freedom of information law in Connecticut, 18 years earlier in 1957, the state legislature passed the state's right-to-know law, setting out the broad notion that state agency records were open to the public. If a person seeking records under the state's right-to-know law believed an agency had violated the law in withholding records, the person's remedy was to file suit in court. The creation of the Freedom of Information Commission in 1975, along with other significant changes, was an important change that gave people a more accessible remedy for alleged violations.

The PDA has a different remedial process. As the figure shows, an individual who believes an agency violated the PDA can file suit in court, or the attorney general can, on his or her own initiative, or representing an individual can do the same. This remedy does not appear to have been used often. There is only one reported court decision about a violation of the Personal Data Act.¹

Does Connecticut need an administrative oversight structure to provide centralized and comprehensive oversight for information privacy? Under current law, except for the regulation requirement, the PDA is largely a series of principles with no required activities that would indicate how the principles are being carried out. In fact, many of the principles giving rights to data subjects are only triggered upon the request of the individual. This reactive stance begs the question: How would a person know to ask? Additionally, beyond the PDA, there are a whole array of specific confidentiality statutes related to specific agency records with which agencies need to comply.

Perhaps the best argument for a centralized information privacy entity is it would elevate the importance and visibility of personal privacy at a time when issues and concerns related to personal privacy and agency records are only going to increase, not decrease, due largely to technological advances. These advances include increased government data automation, data sharing, and internet publication. While the briefing report indicated, relatively speaking, there is not a lot of agency activity at this point related to providing volume data to nongovernmental entities and publishing agency data that contain personal information on the state's website, that activity will most likely increase.² In this report, the program review committee recommends in Chapter II agencies be required to develop and distribute notices about how information will be used when gathered from individuals. This would be a new, affirmative obligation for agencies, which would benefit from a consistent and comprehensive statewide administrative review.

Because of the above, the program review committee recommends creation of an independent oversight office for information privacy with a series of specific duties. This office would be similar in form to the Office of Victim Advocate and the Office of Child Advocate. Some of these duties involve evaluating and monitoring agency activities related to information privacy, and so the committee also recommends certain internal agency requirements to facilitate the work of the new oversight office, as well as to develop information to be used by the agencies themselves. Thus, the program review committee recommends the following:

Creation of Oversight Entity

There shall be established an independent Office of Information Privacy Advocate (OIPA). The Governor with the approval of the General Assembly shall appoint a person with knowledge of information privacy as Privacy Advocate.

Responsibilities. Within available appropriations, the Privacy Advocate may:

• receive and review annual agency information privacy activity reports;
• evaluate and monitor agency compliance with laws related to information privacy;
• recommend legislation and administrative practices related to information privacy;
• receive complaints about agency compliance with the PDA and may refer them to the Attorney General;
• develop and promote educational materials for Connecticut citizens on information privacy issues, coordinating with other state agencies where appropriate (e.g., Department of Consumer Protection);
• assist the Department of Information Technology in carrying out its responsibilities for the state's information infrastructure;
• consult with the Freedom of Information Commission on issues of mutual concern;
• form and coordinate a working group of privacy compliance officers to develop guidelines for publication of agency records on the internet; and
• review and comment on the notice provisions developed by state agencies for persons from whom agencies collect personal data (See recommendation in Chapter II).

The Information Privacy Advocate shall annually submit to the governor and the General Assembly a detailed report describing the work of the Information Privacy Advocate.

Creation of Internal Agency Accountability Mechanisms

Each agency shall appoint a privacy compliance officer. This person shall report to the commissioner and be responsible for ensuring the agency is implementing the personal data act and other information privacy requirements.

For each fiscal year, the agency, through the privacy compliance officer, shall prepare a report on or provide information about:

• specific activities related to ensuring pertinent agency employees are knowledgeable about the various laws pertaining to the maintenance and disclosure of personal data in the custody of the agency;
• the current status of agency security provisions regarding both automated and manual records, including use of limited access mechanisms;
• specific activities related to ensuring the agency is only maintaining relevant and necessary personal data to accomplish the lawful purposes of the agency;
• a written up-to-date list of individuals entitled to access each of the agency's personal data systems;
• the number of requests for personal data by data subjects and the outcomes, including the specific reasons for any denials;
• the number of requests involving personal data by persons other than the data subject, including the outcomes, along with the agency's determination of whether the invasion of personal privacy exemption applied or not;
• each governmental agency with which the agency shares data, the type of data shared, the purpose of the data sharing, and whether there is a written agreement between the two entities; and
• any provision of personal data on a volume basis to any nongovernmental entity, including a description of the information provided, to whom provided, any written agreement covering the transaction, and the total amount of any payments for such transaction.

This report shall be submitted to the OPIA and the Connecticut General Assembly by October 1 or each year for the fiscal year ending the preceding June 30.

Finally with respect to the PDA regulations, the program review committee recommends each agency that currently has regulations should review them to see if they are still timely and appropriate to agency circumstances and agencies that have not yet adopted regulations do so as soon as possible.

Department of Motor Vehicles

A final administrative area relates to the Department of Motor Vehicles. The committee briefing report described in some detail the specific DMV statute that governs motor vehicle records, which is an example of a law that attempts to regulate, but not totally prohibit, disclosure of personal information. As noted in the briefing, the law is based on federal requirements contained in the Federal Drivers Privacy Protection Act, and the states are limited in the approaches they can take.

How law implemented. Personal information is distributed in three ways under Connecticut's version of the Driver Privacy Protection Act at DMV. The common factor for information distribution is that any request must fit into one of the acceptable statutory reasons for disclosure.

• DMV distributes motor vehicle information to other governmental entities, including municipal tax assessors, and state and federal agencies, mostly at no charge, under written agreements.
• DMV responds to individual requests for information presented on a DMV form, the J-23, either by mail or in person at DMV's Wethersfield office.
• DMV has contracts with a number of entities to provide information for fees on a volume basis.

The contracts for volume information have several specific provisions regulating the use of the information received from DMV, described in the committee briefing. The non-volume requests are handled based on a form submission process that requires the requesting party to present certain information and certify the request is for a permissible purpose under law.

Compliance monitoring. According to DMV, until a year ago, little to no contract compliance monitoring occurred due to resource constraints. In the last year, one DMV employee has done some compliance testing, but the department believes more should be done. Likewise, there is no systematic check of the non-volume request process. The Department of Motor Vehicles collects millions of dollars a year for the state from selling motor vehicle record information, and the program review committee finds the effort to ensure compliance with the restrictions that accompany these sales needs to increase.

Thus the committee recommends the Department of Motor Vehicles develop and implement a systematic method of reviewing contract compliance for volume sales, as well as a system of spot-checking nonvolume sale activities.

¹ Steadwell v. Warden, 186 Conn.153 (1982)

² See Privacy and State Agencies, LPR&IC Staff Briefing, 10/2/01, pgs. 13-14

Return to Year 2001 Studies

Return to Table of Contents