Protect Personal Information in Public Records
State and federal laws recognize and protect the right to privacy. In response to the events of September 11, 2001, new initiatives designed to protect our nation’s security have raised concerns among open government advocates that too much public information is being removed from public access. Civil liberties advocates, by contrast, are concerned that surveillance and law-enforcement initiatives may unnecessarily infringe on citizens’ right to privacy. A Texas Privacy and Security Act should establish privacy and security principles for the state and processes for governmental agencies to follow when withholding public information for privacy or security reasons.
The right to privacy is widely understood to include the right of individuals to reasonable control over the collection, use and dissemination of personal information held by others.. Consumers should feel confident that information shared with an organization or government agency will not be used in ways inconsistent with customer expectations. In the wake of the World Trade Center disaster, privacy and security issues have become intertwined, especially as counter-terrorism initiatives result in expanded government authority to gather and share all kinds of personal information on individuals from business, medical, phone and other Internet sources.
The U.S. Constitution addresses individual privacy interests and rights, but courts’ interpretation of how to balance public interest with individual privacy generally comes down on the side of public interest. U.S. law recognizes the right to privacy, but the Supreme Court has held that it is not an “absolute” right. When the public, the state or federal government have policy objectives that conflict with the right to privacy, the right sometimes must yield.
The Texas Supreme Court has defined the right of privacy as a constitutional right. The Texas Constitution provides some protection of personal privacy except when government intrusion is warranted for a compelling objective.
While citizen concerns over privacy are not new, the increasing availability of electronic records on the Internet has intensified these concerns. Also of concern is the inappropriate handling of personal information by any entity that collects it, since it could contribute to increased incidents of “identity theft.” Already the government estimates that more than 500,000 people are victimized each year, costing consumers and financial institutions enormous sums of money.
The privacy of individual Texans may be compromised unless state government handles information about citizens with greater care.
The federal Privacy Act of 1974 established a number of requirements to protect personal information in the records collected and maintained by federal agencies. The act’s intent is to limit inappropriate access to information about individuals, including data on education, financial transactions, medical history and criminal or employment history. It allows federal agencies to share information with each other if proper privacy protection agreements are in place, though some information can be shared without agreements for such purposes as law enforcement or the collection of tax information. Even so, the act provides far less privacy protection than is found in many other countries.
Two major pieces of federal legislation are forcing the private sector to take privacy very seriously. The Gramm-Leach-Bliley Act of 1999 (GLB) limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 seeks to protect the privacy of personal health information and improve the efficiency of health care delivery by standardizing electronic data interchange. Many financial and health care institutions have complained about the difficulties and costs of compliance with these laws, particularly in light of the fact that they carry civil and criminal penalties.
Texas, like other states, has enacted legislation to ensure that state laws comply with the requirements of GLB and HIPAA. The 2001 Texas Legislature enacted H.B. 2155 to ensure consistency between state law and GLB requirements; S.B. 11 addressed HIPAA requirements while also providing additional protections not included in the federal law.
Other privacy-related legislation from the 2001 Legislature included H.B. 1922, which established that citizens are entitled to be informed about information collected about them, and that they can review and request corrections of incorrect information. This law also established a Personal Privacy Task Force to study state information practices that affect personal privacy. H.B. 678 protects the confidentiality of biometric information, such as retina or iris scans, fingerprints, voiceprints and records of hand or face geometry. H.B. 1544 protects information in motor vehicle records, while H.B. 2589 establishes a clearinghouse for information on all aspects of protecting the security of state agency information.
The extent and types of legislation needed to protect personal privacy is a matter of great debate. It is clear, however, that acutely personal data such as Social Security numbers, bank and credit card numbers, passwords, medical treatment files, children’s names and similar data must receive direct and uncomplicated protection through state and federal laws.
The principles of open government and the right to privacy are vital to a free, democratic form of government. Open government concerns the right of people to know what their government is doing and to keep it accountable. It also recognizes the need for open access to information accumulated by government in the ordinary course of its operations, unless the nature or kind of information requires that it be kept confidential.
While the principle of open government does not necessarily conflict with the right to privacy, both concern government policies related to information disclosure. Where the two principles do conflict, they must be balanced.
The Texas Public Information Act (PIA), formerly known as the Open Records Act, requires full disclosure of most government-held information. The Texas Office of the Attorney General (OAG) routinely reviews and rules on inquiries from government agencies about whether various requests for public information should be fulfilled. In general, OAG has found that very little information collected by the state is of no legitimate concern to the public.
PIA includes some privacy protections that prohibit the release of personal information collected for limited purposes for specific state programs or agencies. In addition, some 580 specific Texas laws provide some privacy protections. Texas still has no comprehensive state law, however, that addresses the reasonable privacy concerns of the average citizen in all situations.
Federal and state security initiatives
Most of the nation saw the events of September 11, 2001 as a wake-up call to an enduring threat of terrorism that will require ongoing measures to protect the nation’s security.. New legislation has greatly expanded the ability of law enforcement, intelligence and other governmental agencies to combat terrorism; these include expanded authority to conduct electronic surveillance of phone and Internet communications and cell phones.
Many legislators worry that this expanded authority may trample long-held civil liberties. The Electronic Privacy Information Center and a broad coalition of civil liberties groups agree. For example, the Free Expression Network urges legislators to tone down new legislation that they claim suppresses public debate and needlessly monitors citizens’ Internet use.
The FBI’s National Infrastructure Protection Center (NIPC) has been established to bring together representatives from U.S. government agencies, state and local governments, and the private sector to protect the nation’s critical infrastructures. Similar initiatives are under way in Texas. The Governor’s Task Force on Homeland Security has recommended enhanced state and local preparedness to respond to terrorist events and threats, while OAG’s State Infrastructure Protection Advisory Committee has developed a model for information assurance and information-sharing to protect critical infrastructure in areas such as telecommunications, energy, financial services, water, transportation, health care and emergency services. .
In addition, the Texas Department of Information Resources (DIR) has established a rule that requires state agencies to establish security policies and plans to ensure that computer systems and employee access procedures protect critical state information.
Balancing privacy, open government and security
The OAG believes that the goal of protecting critical state infrastructures can be accomplished without infringing civil liberties, the public’s right to know or the Texas Public Information Act or, in short, that public safety can be balanced effectively with open government. OAG’s consideration of a specific security exemption in PIA, however, has raised an alarm for the Freedom of Information Foundation, calling the proposed exemption “an awfully slippery slope” because such measures may abrogate the very laws that make us free.
The federal experience shows how difficult it can be to balance these interests when they conflict. NIPC has warned that the Internet, widely viewed as a vehicle for making government more open, is a potential threat to national security. NIPC is concerned that seemingly isolated information from various government sources can be compiled to aid and plan terrorist attacks.
NIPC recommends that agencies conduct a risk-management analysis before putting information on the Web to weigh the goal of open government against potential security risks. While NIPC provides factors to be considered in such an analysis, it falls short of recommending clear policies and direction for agencies to follow. And this lack of clear direction has alarmed open government and public interest advocates. They warn that vaguely worded directives allowing tighter controls on government information could cordon off much information that could prove valuable to the public safety and public interest.
Major shifts in public-access policies already have deleted vast amounts of information from federal government Web sites, in decisions often made by lower-level staff without clear policy guidance. The Nuclear Regulatory Commission’s Web site had highly detailed maps on nuclear storage sites, which were appropriately removed. The Energy Department may have gone too far, however, when it removed environmental impact statements intended to alert communities to potential dangers posed by weapons’ sites.
Due to unclear policy direction, the Federal Aviation Administration (FAA) and Logan Airport took exactly opposite approaches to information sharing. The FAA removed data from its Web site on enforcement actions, including records of accidents, incidents and even pilot and maintenance training schools, while Logan Airport put all of this and more on its site to assure the public that security is improving.
Recent federal and state security initiatives will require the sharing of information from federal, state, local and private sources. The FBI, Department of Defense, Department of Justice, state and local law enforcement and the private sector all collect tremendous amounts of information, but at present these data are not being shared in a useful manner. Expanded sharing of databases, however, makes it increasingly important to establish ways to document and strengthen privacy practices. Unless effective privacy protection measures are applied consistently among all these entities, it seems inevitable that citizens’ privacy rights will be violated.
Information sharing for the purpose of accountability is also a concern. For example, a recent U.S. Department of Education ruling interpreted privacy requirements in the Family Educational Rights and Privacy Act so restrictively that the Texas Higher Education Coordinating Board and Texas Education Agency can no longer share individual student record data with noneducational entities. While no one argues against the need to protect student-record files, this action could prevent the Texas Council on Workforce and Economic Competitiveness from meeting its legislative mandate to evaluate the state’s workforce system, simply because it is not an educational entity. This type of information sharing, moreover, had been going on for years without negative repercussions.
Perhaps the most dangerous conclusion one could draw is that privacy protections should be eliminated in the interests of security. Financial industry lobbyists are arguing in favor of relaxed privacy laws because they prevent them from alerting law enforcement to potential crimes. Two bills are generally supported by this lobby, one that would place a moratorium on state financial privacy laws and another that would set federal standards to supersede state financial privacy laws. The chairman of the House Financial Services Committee, Rep. Spencer Bachus, has said, “Right now it’s a solution to a problem that doesn’t exist. I’ve not heard from any law enforcement or regulatory agencies that the privacy laws are a hindrance.” Some state officials agree, maintaining that state laws have adequate exemptions for law enforcement.
Texas Privacy Act and existing protections
The 2001 Legislature considered a Texas Privacy Act (S.B. 866) but did not pass it into law. The bill would have established privacy principles for state and local governments, while assigning responsibilities to protect personal citizen information held by government to the OAG, the State Auditor’s Office (SAO) and two existing state committees.
OAG already promotes open government while enforcing PIA provisions and as many as 580 Texas statutes that protect privacy. Without legislation authorizing the agency to establish clear standards for information sharing agreements, security and accountability initiatives will not be as effective as they should be. Clear, focused and specific state policies and processes would help OAG ensure that federal problems caused by open government exemptions do not occur in Texas.
SAO is responsible for assessing risks faced by the state in all areas, and conducting audits to ensure that the highest areas of risk are addressed first. Yet only security and access control are included in standard agency and university audits. Privacy and records management criteria could be included in audit guidelines to ensure that state agencies address privacy, open government and security requirements established by federal and state law, OAG and DIR.
SAO audits also could ensure that agencies collect only the information needed for their legislative functions and programs. Such audits do not currently identify instances in which agencies collect more information than they need to administer programs, nor do they limit information collecting practices to only those authorized explicitly or implicitly by each agency’s legislation. 
The Legislature’s Open Records Steering Committee is charged with determining the types of public information that would be useful to the public or cost-effective for the government to provide on the Internet. Given today’s security concerns, both a privacy and a security role could prove appropriate, so that detailed blueprints and other information that could pose security risks are removed from agency Web sites while procedures are put in place to ensure that open government principles are not intentionally or inadvertently violated by government agencies.
The Records Management Interagency Coordinating Council (RMICC), also established by the Legislature, reviews and studies the state’s records management activities. This council also could address security concerns. Both the Open Records Steering Committee and RMICC could work in concert with OAG opinions and SAO audit guidelines.
State law should be amended to include a Texas Privacy and Security Act.
A Texas Privacy and Security Act should establish general privacy and security principles for state agencies, including provisions to protect personal information, promote state-of-the-art records management practices and provide auditing guidelines to ensure that government handles personal information properly and in compliance with state and federal laws. The act should include the core provisions of the 2001 Privacy Act legislation, and should incorporate recommendations from the Personal Privacy Task Force report to the 2003 Texas Legislature.
The act should promote information sharing among federal, state, local and private entities to ensure the success of security and accountability initiatives. The Office of the Attorney General (OAG) should be directed to establish data sharing standards to ensure that federal, state, local and private criteria and practices enhance the state’s response to terrorist threats without eroding privacy protections in law. OAG should review agency requests for the withholding of information for security purposes to ensure that only that information related to security is withheld and no more. OAG should use the guidelines established by the National Infrastructure Protection Center as a starting point:
- Has the information been cleared and authorized for public release?
- Does the information provide details concerning enterprise security?
- Is any personal information posted (such as biographical data, addresses, etc.)?
- How could someone intent on causing harm misuse this information?
- Could this information be dangerous if used in conjunction with other publicly available data?
- Could someone use the information to target your personnel or resources?
The State Auditor’s Office should establish auditing criteria for privacy and records management as a companion to existing security and access control criteria. Standard agency audits should determine that agencies comply with privacy, open government and security requirements established by federal and state law, OAG and the Department of Information Resources (DIR). SAO audits also should ensure that agencies collect only the information needed for their legislative functions and programs.
The missions and duties of the Open Records Steering Committee and the Records Management Interagency Coordinating Council should be expanded to include privacy and security responsibilities, so that state policies and practices embrace open government principles to the fullest extent possible while protecting the security and the privacy of Texas citizens.
This recommendation would not entail any significant fiscal impact for the state. The Legislative Budget Board (LBB) determined that similar 2001 legislation (S.B. 866) had no significant fiscal implications. This determination was based on input from the Texas Department of Information Resources, the Office of the Attorney General, the State Auditor’s Office and the Comptroller’s office.
The LBB did cite significant local government costs for S.B. 866, based on input from the Texas Municipal League. The costs cited assumed that the act would require local governments to request permission from OAG each time they wanted to withhold publicly requested records containing information such as Social Security numbers. On the contrary, however, the act should make it state policy that those items should not be released except under unusual circumstances. An OAG authorization would be needed only in those rare instances in which a local government believes that there is a compelling governmental interest in disclosing the information.
OAG standards for privacy and security can be developed with existing resources. The SAO should incorporate privacy and security audits as part of its ongoing auditing schedule, and with the existing resources provided for this purpose. Open Records Steering Committee and RMICC activities related to privacy and security can be accomplished with existing resources.
Electronic Privacy Information Center, “Pretty Poor Privacy: An Assessment of P3P and Internet Privacy,” June 2000, http://www.epic.org/reports/prettypoorprivacy.html (Last visited November 7, 2002.)
Paul Sholtz, “The Changing Definition of Privacy,” Special to ZDNet (October 1, 2001). http://zdnet.com.com/2100-1107-530818.html?legacy=zdnn. (Last visited November 7, 2002.), and Debra D. Bernstein and Jonathan Winer, “Business Implications of the U.S. anti-Terrorism Law,” GigaLaw.com (November 1, 2001), http://www.gigalaw.com/articles/2001-all/bernstein-2001-11-all.html (Last visited August 6, 2002.)
Memorandum from the Office of Attorney General to House Committee on State Affairs Subcommittee on Privacy Issues, Austin, Texas, July 20, 2000.
Martin Weinstein, Summary of American Law (Rochester, New York, The Lawyers Co-Operative Publishing Co., 1988), §6.3: “The Right of Privacy,” p. 75.
Texas State Employees Union v. Texas Department of Mental Health and Mental Retardation, 746 S.W.2d 203, 205 (Tex. 1987).
Alan Charles Raul, “Privacy Needn’t Crumble Before Cookies and Spam,” Los Angeles Times (March 1, 2001).
5 U.S.C.A. §552.
5 U.S.C.A. §552a.
Texas Department of Information Resources, Privacy Issues, by the Senate Bill 974 Task Force (Austin, Texas, September 25, 2000), p. 11.
Gramm-Leach-Bliley Act, Public Law 106-102, 1999, and Federal Trade Commission 16 CFR Part 313, Privacy of Consumer Financial Information, Final Rule, March 2000.
Dibya Sarkar, “Officials Shaky on HIPAA Compliance,” FCW.com, November 19, 2001, http://www.fcw.com/geb/articles/2001/1119/web-hipaa-11-19-01.asp. (Last visited November 7, 2002.)
Alan Charles Raul, “Privacy Needn’t Crumble Before Cookies and Spam.”
Tex. Gov’t Code, §552.002-002, and Texas Department of Information Resources, Privacy Issues, p. 4.
Memorandum from the Office of Attorney General to the House Committee on State Affairs Subcommittee on Privacy Issues.
President George W. Bush, “Securing the Homeland, Securing the Nation,” http://www.whitehouse.gov/homeland/homeland_security_book.html (Last visited November 7, 2002.)
Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (PATRIOT), 107th Congress, 1st Session.
Governor’s Task Force on Homeland Security, January Report to the Governor (Austin, Texas, January 31, 2002), pp. 4, 11, 48, 49 and 51, and State Infrastructure Protection Advisory Committee, Report of the State Infrastructure Protection Advisory Committee, March 25, 2002, p. 15, http://www.oag.state.tx.us/sipac/sipac_toc.htm(Last visited November 7, 2002.)
Tex. Admin. Code. §202.1
 State Infrastructure Protection Advisory Committee, Report of the State Infrastructure Protection Advisory Committee, pp. 1-15.
 Donnis Baggett, “Danger Seen in Texas’ Access Laws Security Idea by Attorney General,” FOI Focus (Winter, 2002), p. 1.
National Infrastructure Protection Center, Highlights (December 7, 2001), p. 2.
William Matthews, “Walking a Fine Line on Web Access,” FCW.com (February 4, 2002), http://www.fcw.com/fcw/articles/2002/0204/pol-access-02-04-02.asp. (Last visited November 7, 2002.)
OMB Watch, “Right-to-Know Update,” (February 19, 2002), http://www.ombwatch.org/article/articleview/509/1/1/. (Last visited November 7, 2002.)
State Infrastructure Protection Advisory Committee, Report of the State Infrastructure Protection Advisory Committee, p. 3.
Drew Clark, “Board Proposes Annual Privacy Report, Agency Coordination,” Govexec.com (March 5, 2002).
Letter from Don W. Brown, commissioner of Higher Education, to Diane Rath, Chair, Texas Workforce Commission, February 22, 2002.
“Banks, Citing Anti-Terrorism Role, Ask Federal Government to Block State Consumer Privacy Laws,” The Associated Press (February 19, 2002).
Memorandum from the Office of Attorney General to the House Committee on State Affairs Subcommittee on Privacy Issues, July 20, 2000.
Interview with Nancy Rainosek, manager, Texas State Auditor’s Office, Austin, Texas, March 27, 2002.
Materials provided by Nancy Rainosek, manager, Texas State Auditor’s Office, Austin, Texas, September 27, 2000, and interview with Nancy Rainosek.
Tex. Gov’t Code §552.009.
Tex. Gov’t Code §441.203.
National Infrastructure Protection Center, Highlights (December 7, 2001), p. 2.