e-Texas e-Texassmaller smarter faster governmentDecember, 2000
Carole Keeton Rylander
Texas Comptroller of Public Accounts

Recommendations of the Texas Comptroller


Chapter 1: Electronic Government

Improve Privacy Protection for Texas Citizens


Summary

The great potential for Internet-based citizen transactions with government is threatened by growing concern that private data may be misused or improperly disclosed. Common law, the US and Texas constitutions, and certain statutes in Texas and other states all recognize that individuals have interests worthy of legal protection from the damage done by improper disclosure. A government that fails to protect individuals’ privacy violates the first reason for its existence and may lose the confidence of citizens. To ensure the protection of Texans’ privacy, a Privacy Act should establish general privacy principles for state government.


Background

Many governments are placing increasing amounts of their data on the Internet, a move that gives citizens a much greater ability to understand and oversee government activities. But this trend also lets computer users “click” their way to government records that once were available only through the mail or in-person requests at government counters. While citizen concerns over privacy are not new, the increasing availability of electronic records on the Internet has intensified these concerns, causing people to worry more about keeping personal information private.

Today, personal privacy is threatened by technologies developing rapidly enough to outpace legislative efforts to protect privacy by years or decades. Business Week reported recently that in picking a presidential candidate, more Americans were concerned about privacy than taxes or defense.[1] A Federal Trade Commission survey found that more than three-fourths of consumers not otherwise concerned about their privacy fear losing it on the Internet.[2] Similarly, a Comptroller survey found that many Texans worry about the privacy of state government Web sites, especially the release of personal information such as Social Security numbers (SSNs); credit card or financial information; home and e-mail addresses and phone numbers; driver’s license numbers; and medical records. Some respondents cited hackers and identity theft as real concerns.[3]

Citizens’ concerns about privacy are legitimate. It is no surprise that law enforcement and consumer advocates view “identity theft” as a signature crime of our time.

One case that recently came to the attention of the Texas Office of the Attorney General (OAG) involved a woman who had been in hiding for several years from an abusive ex-husband. After she registered to vote, her address was posted on the city’s Web site, and her ex-husband found her by searching the Internet with her SSN. By exercising her right to vote, her ex-husband was able to find her; he broke down her front door and beat her severely. While a 1977 OAG open records decision provides some privacy protection under special circumstances, no provisions in state law allow individuals to opt out of having their addresses or other personal information published on the Internet, even if there is a legitimate need, such as protecting their own personal safety.[4]


Personal Information

Privacy concerns about information in government records, both paper and electronic, focus most intently on personal information. The federal Privacy Act of 1974 sets up a number of requirements to protect personal information in records collected and maintained by federal agencies, with the intent of limiting inappropriate access to information about individuals, including data on education, financial transactions, medical history, and criminal or employment history.[5]

California law goes a step further and defines personal information as any information an agency maintains that identifies or describes an individual including, but not limited to name, SSN, physical description, home address and phone number, education, financial matters, medical or employment history, password, e-mail address, and information that reveals any network location or identity.[6]

Individuals have a strong interest in protecting personal information held by government, especially their SSNs.[7] But the federal Social Security Act authorizes states to require persons to disclose their SSNs in the administration of certain programs such as tax, public assistance, driver’s license, and motor vehicle registration programs, and federal law does not prohibit disclosure authorized by a state before October 1, 1990.[8] Texas law provides that the SSNs of state employees and elected officials, along with their home addresses and home telephone numbers, will be released as public information unless the official or employee submits a form requesting that this information be withheld.[9]

The implications of wholesale release of personal information are illustrated by the experience of an information security manager for an alliance of health insurance plans. The manager challenged coworkers to dig up as much information as they legally could about him. He was shocked at how easily his most personal information was found, including his SSN, birth date, birth certificate, college transcript, phone bills, a scannable signature, his speaking schedule, and even his cat’s diet. When compiled, this information could be ruinous. Said one co-worker, “We could cut and paste his signature from his marriage license or divorce decree and put his signature on anything. We could have closed his bank account, or turned off his lights. We could have refinanced his house, or purchased a Mercedes Benz using easily obtainable banking information and a few well-placed fake references.”[10]


Existing Protections for Privacy

Common law has recognized a right to privacy for more than a century, holding that individuals should be able to keep highly intimate or embarrassing facts private if they are of no legitimate concern to the public. But the protection that common law affords is much less than the public wants and expects in the Internet age. Moreover, a large amount of government information is identified as being of legitimate public interest under open-records legislation, and the common law does not exempt such information from required public disclosure.[11]


Federal Privacy Laws

The right to privacy is among the rights protected by the US Constitution. This protection was bolstered by the federal Privacy Act of 1974, which applies to information held by federal agencies. However, the protection afforded by law in the US is much less comprehensive than that found in many other countries, and does not necessarily facilitate electronic commerce or ensure consistency with privacy legislation in other countries.[12] And, while many federal bills have been proposed for addressing privacy in the Internet Age, few if any have been passed into legislation.[13]

The federal Privacy Act of 1974 allows federal agencies to disclose written and electronic records (other than those exempted by law) only with the written consent of the individual to whom the records pertain or by request of other federal agencies. Agencies may provide statistical data for research, though, as long as it contains no personal identifiers. Some information can be shared without agreements for such purposes as law enforcement or the collection of tax information.[14]

The US Constitution does address individual privacy interests, but courts’ interpretation of how to balance public interest with individual privacy generally comes down on the side of public interest.[15] US law specifically finds the right to privacy a fundamental right protected by the Constitution, but the Supreme Court also has held that privacy is not an absolute right, and that some state regulation in privacy areas is appropriate.[16]


Privacy Protection in Texas

While Texas has not enacted a privacy act, its Supreme Court has defined the right of privacy as a constitutional right. The Texas Public Information Act (PIA) passed initially as the Open Records Act and amended most recently in 1999, requires full disclosure of most government-held information, but also provides some privacy protection.

The Texas Supreme Court defined the right of privacy as:

...the right of an individual to be left alone, to live a life of seclusion, to be free from unwarranted publicity...and the right to be free from the wrongful intrusion into one’s private activities in such manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities.[17]

The Court also has found that:

the Texas Constitution protects personal privacy from unreasonable intrusion. This right to privacy should yield only when the government can demonstrate that an intrusion is reasonably warranted for the achievement of a compelling governmental objective that can be achieved by no less intrusive, more reasonable means.[18]

Texas’ PIA states that “public information” that is “collected, assembled, or maintained under a law or ordinance or in connection with the transaction of official business” should be available to citizens unless expressly provided for otherwise by law.[19] The PIA has provisions prohibiting the release of 35 specific types of personal information collected for limited purposes for specific state programs or agencies. These exceptions address particular populations and circumstances, such as state employees, crime victims, and prison inmates. Student records and library records also are protected, but the act does not address the privacy of the average citizen in all situations.[20] Other information is protected by the Texas Constitution, judicial options, and around 580 specific Texas statutes.[21]

In general, the public has applauded the openness of Texas government, and the Legislature has acted to strengthen the policy and minimize exemptions. As a result, however, Texas may have some of the weakest legal protections for privacy in the country.[22] Without stronger protection, Texas citizens will have no way to protect themselves from the release of certain information that could prove to be extremely damaging.


Privacy Laws in Other States

State legislatures across the nation are considering thousands of bills that address some aspect of privacy. Some of this activity is prompted by governments that are providing more services and information through the Internet.[23]

Nine states—California, Hawaii, Idaho, Kentucky, Massachusetts, Minnesota, New York, Ohio, and Virginia—have state privacy acts based largely on the provisions of the federal Privacy Act. These acts set privacy standards for the governments of their respective states. Neither the federal nor the various state privacy acts, however, govern the collection or use of personal information by nongovernmental entities.[24] Other states, including Iowa, Maryland, Utah, Washington, Wisconsin, and Wyoming are considering similar legislation, although lobbyists for financial, marketing, and retail industries have been putting up strong resistance to such measures.[25]

California law requires each state agency to maintain in its records only personal information that is relevant and necessary to accomplish an agency purpose authorized by state or federal government. Internet users must be notified that personal information about them is being collected. Government entities must receive permission from the users before distributing or selling the information, and cannot distribute or sell electronically collected personal information to a third party without the subject’s written permission, except in certain circumstances such as criminal investigations.[26] Also, government entities must electronically display the methods they use to collect electronic information, the types of information collected, and their purpose.[27]

Minnesota’s government data practices detail the rights of individuals for whom data are stored. Individuals must be informed of the purpose and intended use of data that the government requests, whether they may refuse to supply them, and the known consequences arising from supplying or refusing to supply personal data. Individuals can contest the accuracy or completeness of these data by notifying the responsible authority, which each state agency must identify. These authorities must prepare a public document containing appropriate details about the personal data each agency maintains. Access to private or confidential data on individuals is limited to those who are authorized to have access by state or federal law.[28]

Massachusetts requires government agencies that maintain personal data to identify the person or persons responsible for maintaining the data and for ensuring that the information is not accessed or disseminated inappropriately. Massachusetts also requires government entities to establish procedures for individuals or their representatives to contest the accuracy, completeness, pertinence, timeliness, relevance, or dissemination of their personal data.[29]

Washington state has an executive order designed to ensure that agencies comply fully with public disclosure and open government laws while protecting personal information as much as possible. The order states that “A taxpayer’s sensitive tax information has never been subject to public scrutiny. Nor do citizens expect that their health records, bank accounts, or credit card numbers will be open for inspection or available to others.” The executive order prohibits the unauthorized sale of citizens’ personal information by the state, provides broad opportunities for citizens to review and correct personal information, and makes certain that state government contractors use personal information only for contract purposes, do not keep or sell the information for other purposes, and are held accountable if they do.[30]


Balancing Privacy with Open Government

Both the principle of open government and the right to privacy are vital in a free, democratic form of government. The right to privacy concerns collecting, disseminating, and using personal information about individuals. The principle of open government concerns the right of the people to know what their government is doing and to keep it accountable. Therefore, the right to privacy does not, in general, conflict with the principle of open government. However, because both concern government policies related to information disclosure, the possibility of some conflict remains. Where the two principles do conflict, they must be balanced. Information that citizens must by law provide to government—and that they wouldn’t willingly give anyone else—must be handled with care. This includes information that is required to receive some benefit from or to transact business with government.

One major area of concern is that privacy legislation not impinge on the right of the public and the press to know what government is doing. Rebecca Daugherty, director of the Freedom of Information Foundation Service Center, argues that “anything that allows bureaucrats to broadly exempt information from disclosure is a problem.”[31]

Another expert on the issue, Robert Gellman, chairman of the Subcommittee on Privacy and Confidentiality for the US Department of Health and Human Services’ National Committee on Vital and Health Statistics, believes the conflict between the press and privacy advocates is not as deep and broad as some believe. Most fair information practices championed by privacy advocates, such as openness, access, data quality, security, and accountability are acceptable to open government advocates, Gellman said.[32]

The day-to-day accomplishments of the Texas Attorney General’s Open Records Division testify that it is possible to promote open government while enforcing provisions in the PIA and other statutes that protect privacy. The division routinely reviews and rules on inquiries from governmental entities about whether, based on state law, specific requests for public information should be fulfilled or withheld. The division handles about 5,000 cases per year.[33]


Why a Texas Privacy Act?

A privacy act for Texas could assure citizens that Texas state and local governments will respect their right to privacy and not disclose information that carries a reasonable expectation of privacy. A well-crafted statute would balance the public’s guaranteed right to know what its government is doing with its right to privacy. The act could help ensure that government entities do not collect more information than they need, do not misuse the information they collect, and do not disclose personal information protected by law.

A number of state committees and agencies are addressing privacy-related issues, and these efforts could be coordinated under a Texas Privacy Act. For example, the Records Management Interagency Coordinating Council (RMICC) was established by state law to review and study the state’s records management activities and report findings with recommended legislation to the governor and Legislature. Because of the importance of privacy issues, RMICC established a Privacy and Access to Electronic Records Workgroup in September 1999, even though privacy is not a part of RMICC’s legislative mandate.[34]

The RMICC work group is considering steps needed to ensure that government data-collection and record-keeping practices adequately protect privacy, while addressing records management policies, the use and accuracy of information, and the need to update records retention schedules. The work group also is identifying training and guidance that government employees need to meet privacy requirements in the PIA and other statutes. It is also establishing guidelines for state and local government data collection and sharing. Very little of the work group’s findings will be included in RMICC’s upcoming report to the Legislature, however, because privacy is not part of its legislative mandate.

Another body, the Open Records Steering Committee, was established by the 1999 Texas Legislature to study and determine the type of public information that would be useful to the public or cost-effective for the government to provide on the Internet or through other electronic means. This Steering Committee reports to the Legislative Budget Board on the number and nature of requests for public information, the cost for responding to those requests, and the cost for making information available to the public on the Internet or another electronic format. The law that established the committee, however, did not charge it with considering the privacy implications of such actions.[35]

The State Auditor’s Office (SAO) is involved in a national initiative to establish guidelines for auditing security and privacy policies for new and existing electronic government and electronic commerce systems. The proposed national guidelines would address government policies on disclosing information that identifies individuals.[36] While the SAO already has the authority to review government records management systems, other high-risk projects and statutory mandates have taken precedence, and the agency has no plans for such audits in 2001.[37]


Privacy Protection for E-Government Success

A recent Brown University study assessing state and federal e-government initiatives found that Texas’ Web sites ranked first in accessibility. But only 3 percent of Texas state sites offer security policies (placing Texas 33rd among states), and only 14 percent offer privacy features (with Texas ranking sixth).[38]

In July 2000, Texas went live with TexasOnline, a pilot project of state government and a private-sector partner. TexasOnline is an Internet portal intended to streamline state government processes, ultimately becoming a one-stop site for doing business with government regardless of the level of government or the nature of the business. To make this happen, state agencies will need to share data so that they can customize their services for individual users. For example, TexasOnline users already can access a number of popular Web sites on such topics as Texas travel, doing business with the state, and the lottery. As TexasOnline becomes more sophisticated, it may customize its services for individual users, just as private Web sites let users personalize information they receive, from sports to astrology.

Carolyn Purcell, director of the state’s Department of Information Resources (DIR), has warned that the privacy of individual Texans may be compromised unless state government handles information about citizens with greater care.[39] This could include assurances that information collected through TexasOnline to provide customized services is not tracked inappropriately, or released in a way that would allow private parties to build dossiers on individuals.

Without this assurance, the success of TexasOnline and similar initiatives may be in question. Numerous surveys demonstrate that privacy concerns can deter people from conducting potentially sensitive transactions over the Internet.[40] Some consumers even avoid the Internet entirely due to their concerns about privacy.[41]

Canadians showed alarm and outrage when their media and parliament turned intense attention to a government database containing personal information. Wired News reported that, “bowing to pressure from its own privacy commission” the Canadian government agreed to “dismantle a gargantuan database” of data compiled from tax returns, child tax benefit payments, welfare files, federal employment programs, the nation’s health insurance master file, and similar sources. Apparently, no efforts were made to assure Canadian citizens that information possessed or released by government would not be misused.[42] Without sufficient privacy protocols in place, Texas could face the same problem.

DIR already has established a rule requiring all state agency Web sites to post privacy policies.[43] However, the rule does not specify minimum levels of privacy protection. While DIR is addressing privacy issues in its biennial report to the Legislature, it has not established privacy policies to answer the question of how personal information, willingly provided by a visitor to a Web site, is handled, and whether it is shared or sold.[44]


Recommendation

State law should be amended to include a Texas Privacy Act.

The Texas Privacy Act should establish general privacy principles, include provisions to protect personal information, promote state-of-the-art records management practices, and provide auditing guidelines to ensure that governments handle personal information properly and comply with state and federal laws when releasing and sharing it.

The Office of the Attorney General (OAG) should continue to review privacy issues when addressing public information requests under the PIA and other statutes. The OAG’s role should be expanded to include issues raised by the principles, provisions, and requirements established by the Texas Privacy Act:

A. General Privacy Principles

The Texas Privacy Act should establish privacy principles to assure citizens that personal information held by government will not be used inappropriately; that privacy safeguards in state law will be implemented effectively at all levels of government; and that government will limit the collection of personal information to that which is reasonably necessary for the purposes of program implementation, and the authentication of identity, security, and other legally appropriate operations.

Texas’ privacy principles could be crafted as follows:

An increasing number of citizens are concerned that personal information held by the state might be used inappropriately, that unauthorized people may have access to it, and that some information may be inaccurate, incomplete, or unnecessary. Therefore, the State of Texas declares its commitment to strengthen privacy protections for personal information held by government, and to the principles of open government and the people’s right to know.

Because inadvertent release, careless storage, or improper disposal of data could result in embarrassment or other harm to individuals and potential liability for the state, government has an obligation to protect personal information about citizens, as required by law. It must exercise particular care in protecting records containing sensitive and private health, financial, and other personal information that can identify individuals, such as Social Security numbers.

Texas citizens have a right to know how personal information collected by government that identifies a specific individual is handled, and the extent to which that information may be disclosed or kept confidential under the law.

Government should limit the collection of personal information to that reasonably necessary for purposes of program implementation, authentication of identity, security, and other legally appropriate operations.

Government should examine its records retention schedules and retain personal information only as long as needed to carry out the purpose for which it was originally collected or the minimum period required by law.

Nothing in this act should be construed to prohibit or otherwise impair a lawful investigative or protective activity undertaken by or on behalf of the state. State agencies and other governmental entities shall, in all cases, comply with applicable law.

B. Provisions for Protection of Personal Information

The Texas Privacy Act should prohibit disclosure of specified categories of personal information to the fullest extent possible. Governments should not release Social Security numbers, bank account and credit card account numbers, passwords, or other information that reveals any network location or identity except under extraordinary circumstances and for a compelling state interest, as determined by the OAG.

Consideration should be given to including in the act additional privacy provisions beyond protections already contained in state statutes for individuals’ records pertaining to education, financial matters, and medical history, so long as such protections do not infringe on the public’s right to know.

The act should authorize the OAG to establish guidelines for reviewing privacy issues that arise in response to public information requests. These guidelines should include safeguards to ensure that only information of a personal nature, and not information that is required to continue the state’s long tradition of open government, is exempted from disclosure by government entities.

The act also should authorize the OAG to explore options for allowing citizens to “opt out” of having personal information released by government entities if the release of that information poses a significant danger, such as releasing the address of someone who is being stalked.

The act should authorize the Department of Information Resources (DIR), with OAG input and approval, to establish general policy and minimum standards to protect privacy for all state government Web sites. For example, the policy should limit the use of “cookie” technology in tracking individual citizens, but could allow cookies for the purpose of providing customized services requested by individual citizens. DIR should track and report compliance by governmental entities to the Legislature.

The act should direct government entities to establish plans to modify data systems so that personal identifiers, especially SSNs, are no longer used to track individuals in state programs.

C. Provisions Relating to Internet Privacy, Records Management, and Audits

The Texas Privacy Act should broaden the role of the Open Records Steering Committee so that it may determine the privacy implications of putting government information on the Internet. It also should authorize the Records Management Interagency Coordinating Council (RMICC) to provide guidance and policy direction to governmental entities to promote state-of-the-art electronic records management practices.

The State Auditor’s Office (SAO) should establish auditing guidelines to ensure that entities do not collect more personal information than is required, and that records management systems properly protect information in accordance with state and federal law. To the extent possible with current resources, SAO also should explore options for expanding statutorily-mandated and high-risk audits to include a review of internal controls used to protect the security and privacy of personal information held by government.


Fiscal Impact

The OAG estimates that passage of the Texas Privacy Act would require the addition of one staff attorney to handle additional privacy rulings and establish the required guidelines and policy reviews. The additional attorney would cost approximately $60,000 per year, for salary and benefits.

FiscalYear
Savings/(Cost) to theGeneral Revenue Fund
Change in FTEs
2002
($60,000)
+1
2003
($60,000)
+1
2004
($60,000)
+1
2005
($60,000)
+1
2006
($60,000)
+1

Government entities could plan how they would eliminate the use of Social Security numbers to track individuals in state programs with existing resources. Any modifications or changes in records management practices could be made with existing resources.

Expanding the mandates of the RMICC and Open Records Steering Committee to include privacy experts, studying privacy concerns, and establishing policies would not require additional expenditures. Government entities would use new policies to enhance existing practices that are already part of their responsibilities.

DIR already is authorized by rule to establish privacy guidelines related to state Web sites, and it is addressing some privacy issues through its legislatively-mandated reports to the Legislature (i.e., its biennial report and the SB 974 task force report). Strengthening DIR’s authority to establish and track a uniform Web site policy would not require additional expenditures.

SAO should be able to implement new records management audit guidelines and expand and reprioritize records management audits with its existing resources.


Endnotes

[1 ] “Voters: Optimistic, Yet Skeptical,” Business Week (August 7, 2000), p. 101.

[2 ] Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace (Washington, DC, May 2000), p. 2 (http://www.ftc.gov/os/2000/05/index.htm#22). (Internet document.)

[3] Texas Comptroller of Public Accounts, “E-Texas: Help Open State’s Portal,” Fiscal Notes (June 2000), p. 4.

[4 ] Interview with Sandy Sawyer, former investigator, Open Records Hotline, Office of the Attorney General, Austin, Texas, October 20, 2000.

[5 ] 5 U.S.C.A. §552.

[6 ] California Government Code §1798.3 (1977).

[7] International Brotherhood of Electrical Workers v. US Department of Housing and Urban Development, 852 F.2d 87 (3rd Cir. 1988).

[8 ] 42 U.S.C. s. §405(c) (2); Public Law 93-579, Section 7.

[9 ] V.T.C.A., Government Code §522.024.

[10 ] Tina Kelly, “An Expert in Computer Security Finds His Life Is a Wide-Open Book,” New York Times (December 13, 1999) (http://www.nytimes.com/library/tech/99/12/biztech/articles/13kirk.html). (Internet document.)

[11] Memorandum from the Office of the Attorney General to the House Committee on State Affairs Subcommittee on Privacy Issues, July 20, 2000.

[12 ] Department of Information Resources, Privacy Issues, by the Senate Bill 974 Task Force (Austin, Texas, September 25, 2000), p. 11. (Draft report.)

[13 ] Testimony of Gary Chapman, Lyndon B. Johnson School of Public Affairs Faculty and director of the 21st Century Project, at “Private Lives, Public Rights: the Bernard and Audre Rapoport 2000 FOI Conference,” presented by the Freedom of Information Foundation of Texas, September 22-23, 2000.

[14] 5 U.S.C.A. §552a.

[15 ] Memorandum from the Office of Attorney General to House Committee on State Affairs Subcommittee on Privacy Issues.

[16 ] Martin Weinstein, Summary of American Law (Rochester, New York, The Lawyers Co-Operative Publishing Co., 1988), §6.3: “The Right of Privacy,” p. 75.

[17] Billings v. Atkinson, 489 S.W.2d 858, 859 (Tex. 1973).

[18] Texas State Employees Union v. Texas Department of Mental Health and Mental Retardation, 746 S.W.2d 203, 205 (Tex. 1987).

[19 ] V.T.C.A., Government Code, §552.001-002.

[20 ] Department of Information Resources, Privacy Issues, p. 4.

[21] Memorandum from the Office of Attorney General to House Committee on State Affairs Subcommittee on Privacy Issues.

[22] Testimony of State Representatives Steve Wolens and Brian McCall at the “Private Lives, Public Rights: the Bernard and Audre Rapoport 2000 FOI Conference,” presented by the Freedom of Information Foundation of Texas, September 22-23, 2000.

[23] William Matthews, “Privacy Fears Prompt Study, Delay,” CNN.com (May 22, 2000) (http://www.cnn.com/2000/TECH/computing/05/22/new.privacy.study.idg/index.html). (Internet document.)

[24] Memorandum from the Office of Attorney General to House Committee on State Affairs Subcommittee on Privacy Issues.

[25] Rachel Zimmerman and Glenn R. Simpson, “Lobbyists Swarm Legislatures To Stop Tough Privacy Bills,” The Wall Street Journal (April 21, 2000).

[26] California Government Code §1798.1 (1977).

[27 ] California Government Code §11015.5 (2000).

[28] Minnesota Statutes Annotated §13.04 (2-4).

[29] Massachusetts Statute 66A §2.

[30 ] State of Washington’s Governor’s Office, “Public Records Privacy Protections, Executive Order 00-03” (http://www.governor.wa.gov/eo/eo_00-03.htm). (Internet document.)

[31 ] Testimony of Rebecca Daugherty, director of the Freedom of Information Service Center, at the Private Lives, Public Rights, The Bernard and Audre Rapoport 2000 FOI Conference, Presented by the Freedom of Information Foundation of Texas, September 22-23, 2000.

[32] Testimony of Robert Gellman, chairman of the Subcommittee on Privacy and Confidentiality for the US Department of Health and Human Services’ National Committee on Vital and Health Statistics, at the Private Lives, Public Rights, The Bernard and Audre Rapoport 2000 FOI Conference, presented by the Freedom of Information Foundation of Texas, September 22-23, 2000.

[33 ] Testimony of Texas Attorney General John Cornyn at the “Private Lives, Private Rights: the Bernard and Audre Rapoport 2000 FOI Conference,” resented by the Freedom of Information Foundation of Texas, September 22-23, 2000.

[34 ] V.T.C.A., Government Code §441.203.

[35 ] V.T.C.A., Government Code §552.009; Texas HB 1851, Leg. Reg. Sess. (1999).

[36 ] Draft guidelines for auditing Electronic Government and Electronic Commerce systems in agencies, National Electronic Commerce Coordinating Council and the US Government Accounting Office, pp. 1, 4, 6; materials provided by Nancy Rainosek, manager, State Auditor’s Office, September 27, 2000.

[37 ] Telephone interview with Nancy Rainosek, manager, State Auditor’s Office, Austin, Texas, October 4, 2000.

[38 ] Krista Larson, “Texas’ Web Sites Most Accessible, Study Finds,” The Dallas Morning News (September 16, 2000), p. 3F.

[39] Editorial Board, Austin American-Statesman (July 27, 2000); and interview with Carolyn Purcell, executive director of the Texas Department of Information Resources, October 3, 2000.

[40 ] Electronic Government Task Force, Senate Bill 974 Legislative Report (October 3, 2000) p. 25.

[41 ] Federal Trade Commission, Privacy Online: Fair Information Practices in the Electronic Marketplace (Washington, DC, May 2000), p. 2 (http://www.ftc.gov/os/2000/05/index.htm#22). (Internet document.)

[42] “Canada Scraps Citizen Database,” Wired News Report (May 30, 2000) (http://www.wired.com/news/politics/0,1283,36649,00.html). (Internet document.)

[43 ] T.A.C. §201.12 (http://www.state.tx.us/Standards/S201-12.htm) and Standards Review and Recommendation Publication SRRPUB11 (http://www.state.tx.us/Standards/srrpub11-privacy-policy.htm). (Internet documents.)

[44 ] Telephone interview with Carolyn Purcell, executive director of the Department of Information Resources, Austin, Texas, October 3, 2000; and National Electronic Commerce Coordinating Council Privacy 2000 Work Group, Privacy Policies-Are You Prepared: A Guidebook for State and Local Government (Washington, DC, July 2000), p. 16.



e-Texas is an initiative of Carole Keeton Rylander, Texas Comptroller of Public Accounts
Post Office Box 13528, Capitol Station
Austin, Texas

Privacy Policy