Protecting Texans’ Identities:
The Challenges of Securing Privacy
in Transparent Government

Chapter VIII: Conclusion & Recommendations

Conclusion

On Aug. 7, 2009, State Sen. Robert Duncan, Chair of the Senate Committee on State Affairs with jurisdiction over the Public Information Act, asked the Comptroller’s office “to study and analyze and prepare a report on the amount and types of personally identifiable information collected by each state governmental body.” The project included a request for exploration of the volume and types of personally identifiable information collected and maintained by all state agencies and institutions of higher education, along with an analysis of the disclosure and sale of personally identifiable information under Chapters 521, 522, and 730 of the Texas Transportation Code by the state agencies to which those chapters apply.

Data for this report were collected through development of six surveys and collection of information from various programs and divisions within each state agency and institution of higher education. Three strategies were employed to improve the validity of the surveys, including an assessment by a team of experts and a pilot survey among a selected number of agencies and institutions.

In May 2010, the surveys were e-mailed to all participating agencies/institutions along with a copy of Sen. Duncan’s letter, instructions and guidelines. The agencies were given two weeks to complete and return the surveys. More than 2,000 were completed and returned.

Our research revealed that state agencies and public universities have experienced significant information security-related incidents in the last five years. In 2009 alone, nine Texas metro areas made the Federal Trade Commission’s top 50 list of largest metropolitan areas with the most identity theft consumer complaints. Many of those incidents involved identity theft relating to government documents or benefits. Those incidents have resulted in the disclosure of personally identifiable information such as Social Security numbers and dates of birth and have diminished the level of trust between the governmental body or university and the people served.

The data analysis revealed that as of Jan. 1, 2010, the participating state agencies and institutions of higher education collected and stored over 5 billion pieces of personally identifiable information – 4,358,936,859 (86.9 percent) residing with state agencies and 657,339,341 (13.1 percent) maintained by institutions of higher education.

First and last names (324 million) were the items of personally identifiable information most frequently collected and maintained by state agencies followed by home address (309 million), dates of birth (297 million) and Social Security numbers (more than 229 million). Other high-ranking personally identifiable information items were personal cell/home telephone numbers (202 million), medical information (214 million), personal e-mail addresses (155 million) and drivers license numbers (more than 152 million).

The same trend was noted in personally identifiable information items collected by institutions of higher education: First and last names were the most frequent personally identifiable information items collected (more than 36 million), followed by dates of birth (nearly 32 million), personal cell/home telephone number (more than 31 million) and home address (more than 31 million).

State agencies and institutions of higher education received 1,070,991 open records requests in fiscal 2009. Of those, more than 99 percent were received by state agencies and less than 1 percent by institutions of higher education. Of the total, 712,293 requests (66 percent) asked for personally identifiable information.

In fiscal 2009 less than one percent of personally identifiable information-related requests were referred to the Office of the Attorney General (OAG). Of those, the majority were ruled to be protected (1,118 out of 1,247 requests – nearly 90 percent).

Nearly three-quarters of respondents (143 agencies/institutions) indicated that they receive revenue for sharing information. Only 22.9 percent (44 agencies/institutions) said that they do not receive revenue for sharing information. On average, all agencies and institutions received approximately $64.5 million per year, of which more than 99 percent was received by state agencies with less than 1 percent from the institutions of higher education. The Texas Department of Public Safety led all state agencies in generating revenue through sharing information in fiscal 2009, followed by the Secretary of State’s office and the Railroad Commission.

Only 26 percent of open records divisions and close to 32 percent of human resources divisions discuss safety and security of personally identifiable information in their weekly or monthly meetings, and less than one-third of IS/IT, human resources and open records divisions are adequately trained in collection, management and handling of personally identifiable information.

Finally, in response to whether a review of safeguards was conducted for effectiveness on a regular basis by IS/IT divisions, 86 percent responded positively with 24 agencies (14 percent) indicating that safeguards are not reviewed on a regular basis. Of those who reviewed the safeguards on a regular basis, a significant majority mentioned that it was done once or more per year (86 percent). More than 15 percent said it was done every other year and 3.4 percent indicated it was conducted every three to four years.

Recommendations

The following recommendations are designed to help protect employees of governmental bodies and private individuals who share information with these bodies. These recommendations are based on survey responses, identity theft statistics and nationwide trends regarding the protection of personal information and transparency.

  1. The Legislature should consider creating an information security council or review board, consisting of representatives from small, medium and large sized agencies and institutions of higher education. For example, some entities could include the following: Health and Human Services Commission, Department of Public Safety, Department of Information Resources, the Information Technology Council for Higher Education and the Comptroller of Public Accounts. The Office of the Attorney General and the State Library and Archives Commission could also serve as ex officio, non-voting members of the council.
  2. The information security council or review board referenced above should at minimum have the authority over, and be responsible for:
    1. Appointing an advisory committee or committees to assist the council.
    2. Creating model security awareness training policies and procedures for state governmental bodies, particularly those collecting, handling, transferring, sharing and/or releasing personally identifiable information, and should at minimum address:
      1. Destruction, deletion, and/or purging of unwanted personally identifiable information in coordination with the State Library and Archives Commission and the Records Management Interagency Coordinating Council;
      2. Procedures agencies can use to help ensure confidentiality policies remain consistent as data is transferred to other agencies or entities;
      3. Increasing security awareness levels across all state agencies and institutions;
      4. Developing techniques and recommendations for agencies and institutions to effectively communicate their personally identifiable information confidentiality policies and procedures to third-party vendors who may access personally identifiable information residing in state databases;
      5. Adopting uniform guidelines relating to the security of laptops, removable data storage devices, and communication devices, including, but not limited to, personal digital assistants, cell phones and smart phones; and
      6. Regular assessments of the types of personally identifiable information collected and maintained by agencies and institutions to determine if such information is necessary.
    3. Making recommendations in a report to the Legislature regarding:
      1. An update on statewide privacy issues, including the increased or decreased threat of identity theft, the status of the model personally identifiable information training policies and the overall protection of personally identifiable information;
      2. Whether the information public employees may elect to protect under Section 552.024, Gov’t Code (Social Security number, home address, home phone and family member information), should be automatically protected without the need for an election (according to Comptroller data, more than 97 percent of employees at state agencies and 86 percent of employees at institutions of higher education have elected not to share at least one of the above pieces of information);
      3. Whether agencies and institutions should be required to monitor and/or conduct regular inventories or audits of the number and types of personally identifiable information they collect to determine if any items may no longer be necessary for the effective functioning of the agency or institution; and
      4. Whether, in light of an increased threat of fraud, identity theft or new technologies and circumstances that may impact privacy considerations, the Legislature should consider adding protections that would allow governmental bodies to redact or withhold from public release drivers license numbers, Social Security numbers (or variations thereof, including taxpayer identification number, vendor identification number, and Texas identification number), home addresses, home telephone numbers, family member information and dates of birth.
      While personally identifiable information such as date of birth or Social Security number might not have been considered “highly intimate” information in 1980, most individuals today would consider it to be sensitive in nature, particularly in conjunction with their complete name, work information, sex, race and ethnicity. In addition, it is clear that this type of data is highly sought out by identity thieves as they attempt to profit from its theft and subsequent use. Half of the states currently provide some sort of protection for dates of birth and other pieces of sensitive information and more appear to be trending in that direction. Several states, including Arizona, Illinois, Kansas, New Jersey, North Dakota and Nebraska, exempt state employee personnel files with exceptions for name, gross salary and employing agency. Several participating agencies indicated there is a need to protect this type of information from disclosure under the Public Information Act.

      A regular review of privacy issues will help keep the state abreast of the ever-changing trends in this arena and assure the public that the state takes the protection of its personally identifiable information seriously. Such reviews will also assure the public that the data being collected by governmental bodies is, in fact, necessary for the successful management and operation of each agency, division or program.
    4. Making recommendations to agencies and institutions of higher education on changes to state forms, so the public is more aware of which types of personally identifiable information being provided are public under the Public Information Act.
      Agencies are already required to provide statements under the Federal Privacy Act explaining why Social Security numbers are being collected and what use will be made of them and advising of an individual’s right to correct false information or to see information about oneself under Government Code Chapter 559. This recommendation should help add transparency to many state processes and create more public awareness of which types of information are protected and which are not.
    5. Ensuring one public information/privacy website exists and is accessible to the public.
      1. The website should provide, at a minimum, the following: a complete list of public information officers and/or privacy officers at state agencies and institutions and their contact information; links to all state agencies and their cost and access policies; and a consistent and convenient e-mail address to submit requests and obtain needed transparency resources.
      2. Agencies should also designate a person to address individual concerns or special circumstances under which an individual’s personally identifiable information should not be publicly disclosed at least until a determination can be made by the Attorney General.
      Currently, there is no complete contact list for public information officers or privacy officers at state agencies. Creating a comprehensive list at the state level could be useful for members of the public who have concerns about personally identifiable information.
    6. Ensuring that state agencies and institutions of higher education use consistent definitions to help determine which data types are sensitive, confidential or public. And, in coordination with the Public Electronic Services On-the-Internet (PESO) workgroup, help ensure that agencies create, where administratively and economically feasible, an easily accessible website or portal for the types of data that are determined to be public and not sensitive in nature, so the public can easily view and retrieve the data without having to make an official open record request. This may help reduce the number of open record requests, thereby helping to reduce instances that may result in the unnecessary or improper inclusion of sensitive or confidential data.
    7. Generally, the council should be subject to the Texas Open Meetings Act (OMA), with meetings open to the public for comment. However, the council should not be required to openly deliberate on the following: (1) security assessments or deployments relating to information resources technology; (2) network security information as described by Section 2059.055(b), Gov’t Code; or (3) the deployment, or specific occasions for implementation, of security personnel, critical infrastructure, or security devices. The council must ensure that the appropriate workgroups, committees and experts in the areas of privacy, public information, security of electronic information and other needed areas of expertise are invited to assist and provide needed technical assistance.
