Public Agencies, Private Data

As access to state-held records becomes easier, citizens want to see the issue addressed. Increasingly, states are faced with making new rules in unfamiliar territory.

by / November 30, 2000
Internet privacy issues abound, and governments worldwide stand at various levels of addressing the matter. Canada and Australia have federal privacy commissioners, and in America, several state governments have an eye toward the federal government, hoping guidelines for dealing with a citizenry that is becoming increasingly jittery about parting with personal information will soon emerge.

In its privacy-policy report released in September, the National Electronic Commerce Coordinating Council (NECCC) warned that the privacy debate has received too little attention on the state and local levels during the rush to adopt e-commerce.

The NECCC report cited a survey in which only 19 states reported having privacy policies or notices posted on their Web sites. That report came on the heels of a Business Week/Harris poll published in March in which 96 percent of respondents said they felt that it was at least somewhat important that a Web site have a privacy policy. In the same study, 67 percent said they believed that sharing information so that individuals can be tracked across multiple sites is inappropriate.

Regulating Use

Although there is anxiety over issues like Echelon, an intelligence gathering organization, and Carnivore, the FBI's software system used to monitor e-mail, most citizens are more concerned with personal information gathered by government and, more importantly, what "big brother" is doing with that information.

"The theme that seems to come up most consistently is the lack of notice given on government Web sites about privacy policies and the concerns about who has access to certain data records," said Kara LaPierre, director of e-government initiatives at the National Information Consortium (NIC). "Most folks' concerns center on trying to create economies without putting at risk personally identifiable data. That's really the crux of the issue."

Although some states have shown initiative in dealing with Internet privacy matters, the majority are either waiting for federal guidelines or lagging behind because of a lack of knowledge. The lack of action on the state level has raised concerns that patchwork legislation among the states will prevail and ultimately fail.

"Some people would suggest that the cat's already out of the bag and now it's just a question of how well we control it," said Eric Seabrook, deputy secretary of Ohio.

"We are facing a risk any time we go into a new legislative session of eager legislators wanting to get protections set down in law, so we may end up with a very patchwork approach to privacy legislation in this country," said LaPierre. "That's not necessarily the right answer, but I'm not sure that public policy in a coordinated way can be established quickly enough to prevent that from happening."

"My sense is that the states are being pretty circumspect," said Pari Sabety, director of technology policy of the Ohio Supercomputer Center. "They're saying, 'Let's wait for the feds to act. If they don't act and we see it inhibiting our competitive advantage as a state, then that's something we should take action on.'"

In the meantime, as states proceed in making services available via the Internet, some warn that, without effective policy, privacy concerns could have a backlash effect on e-commerce, especially in the case of states reselling public information.

Information Poses Threat

According to Basil Nikas, CEO of PublicPurchasing.Net, the biggest threat to e-commerce is the repercussions involved when states obtain free services, such as online licensing, from companies that then resell the information. Nikas, an NECCC board member, pointed out that, although the Supreme Court has weighed in against the practice, "You're going to see a big backlash" as more citizens become aware of such practices.

The ease with which information can be accessed and distributed using 20th-century technology means governments have to figure out how to share data, such as public health information, in a sensitive manner that doesn't invade the privacy of individuals.

"It's a very critical public-policy concern to make sure you can administer benefits properly, yet not jeopardize individual privacy," said LaPierre. "I don't think it calls for federal legislation, but certainly for an awful lot of cross-boundary cooperation."

LaPierre noted that the federal government has delegated a lot of the administration of federally funded programs, such as welfare, to the states, which leaves them in a quandary when they need to share personal eligibility information with the feds.

"There is really no federal answer to that, so the states are, among themselves, trying to figure out how to share that data without creating a national database of, well, poor people," said LaPierre.

Local Rule Makers Weigh In

The issue affects cities and counties as well, as evidenced by a case in Durham, N.C., this year in which city police sought to limit access to their property records for fear that criminals would track them down. The city council agreed but the county didn't, and the information wound up online anyway.

"Government is facing simultaneous challenges -- the need, and in some cases, requirements to make information accessible," said Seabrook. "You're trying to be as customer-friendly as possible and at the same time protect people."

Although LaPierre envisions no federal legislation, she does foresee commissions set up to study the issue. "There's still too much debate over opt-in and opt-out and how legislation would affect state government doing its own business as sovereign. Most of the legislation you hear about has to do with controlling how companies deal with identifiable data as opposed to how government does."

And that underscores some of the difficulties in comparing privacy issues internationally and in the states: The emphasis overseas is not on government but on how businesses deal with data.

"I think you'll find in the social democratic countries, especially, there is actually tremendous data sharing at the government level," said LaPierre. "However, since it's not data that's resold to private interests, it's not as common a theme in our discussions."

European countries are also more strict when dealing with the privacy issue, partly because of a different attitude in government, and also, according to Nikas, because they've been dealing with it longer. "We're much more free with our information, which has benefits and negative points."

But what's new in the United States is not the information, it's how the information is accessed and transferred. "We've always had access to all these public records," said Sabety. "It's just that [before the Internet] it was hard to go down to the courthouse and [photocopy] them all, and go through those dusty drawers. It's just become a whole lot easier when you're making access to large files with public bits and bytes."

Another key will be defining what is and what is not a public document. Nikas said NECCC is trying to spread the word to government on how to protect themselves and the public.

"We've been trying to educate government to make sure in new contracts that they specifically state that the information belongs to the state and cannot be repackaged or resold or re-anything under any circumstances," he said.

Nikas said the privacy issue learning curve is steep, but that states may be catching on. "They were naive at first but are moving along faster now. They're being very, very cautious; the attorneys' general offices and secretaries of states are [ensuring] all future contracts and bid documents include statements that all information belongs to the state."


By Jim McKay, Staff Writer