Government agencies have been quick to move public information and transactions to the Internet, but theyve been slow to post privacy policies that tell citizens how theyll protect personal data collected and distributed online. Research from several sources indicates that public agency Web sites -- particularly those operated by local jurisdictions -- rarely spell out the circumstances under which data collected from constituents will be shared with other organizations, made public, sold to third parties or otherwise used.

Of the nations 25 most populous cities, only San Diego had posted a privacy policy on its main Web page, according to an informal study released late last year by the National Electronic Commerce Coordinating Council (NECCC). Similarly, Maricopa County, Ariz., was the only jurisdiction among the nations top 25 counties to post such a policy on its primary Web site, the study said.

Even more troubling is the apparent lack of progress made by cities and counties over a nine-month period examined by NECCC. The groups initial study conducted in March 2000 turned up only Maricopa Countys privacy policy out of 50 city and county sites surveyed. A December follow-up study found just one addition: the city of San Diego.

"It was very surprising to see the lack of privacy policies for cities and counties, as well as to see that over time they had done almost nothing [to improve]," said Danielle Germain, program manager for the Information Technology Association of Americas enterprise solutions division and a member of the NECCC workgroup that conducted the survey.

Results were more encouraging for states. NECCCs December survey found that 24 states posted privacy policies on their primary home pages. Whats more, those findings showed a 140 percent increase over the groups initial March survey, which located privacy policies on just 10 state home pages.

However, a Brown University study of 1,800 state and federal agency Web sites paints a bleaker picture. Only 7 percent of those sites included even the most rudimentary of privacy statements, said Darrell West, the political science professor who conducted the study last year.

"Our standard was a fairly minimalist one, which was: Did they merely post a privacy policy?" said West. "We did not evaluate how good the policy was, how many loopholes were in it or what type of language it used. Even with that very low standard, most [sites] didnt take privacy very seriously."

Held Up

Governments struggle with privacy policies for any number of reasons, according to observers.

West said creating these policies forces agencies to confront sensitive legal and political issues. "A big problem is really deciding what kind of commitment you want to make to the people using your Web sites. Virtually no one -- either in the public or private sector -- is offering an iron-clad privacy statement," he said. "Many of them are basically collecting information and promising not to disclose it or sell it outside of the site. But there are a lot of loopholes built in."

Privacy policies also may disclose contentious practices, such as the marketing of citizen information to third parties. "In the bricks-and-mortar part of government, the public sector is already reselling data. When people apply for a drivers license, many of them dont realize that state governments often sell that information," he said. "So consumers might be surprised to learn how information that they provide might be used."

Lack of leadership, particularly at the local government level, may contribute to the problem, added Germain. "Maybe the county board of supervisors is not very technology savvy, or there could be no CIO to drive these things forward," she said.

Finally, these policies must be carefully crafted to minimize legal risks, particularly in the cases of large agencies with complex business dealings. "That slows down the process because their lawyers

Steve Towns, Editor Steve Towns  | 

Steve Towns is the former editor of Government Technology, and former executive editor for e.Republic Inc., publisher of GOVERNING, Government TechnologyPublic CIO and Emergency Management magazines. He has more than 20 years of writing and editing experience at newspapers and magazines, including more than 15 years of covering technology in the state and local government market. Steve now serves as the Deputy Chief Content Officer for e.Republic.