Standards Review and Recommendation Publication
SRRPUB11
State Web Site Guidelines
Privacy and Security Policy Guidelines
Version 6 August 18, 2005
Since 1997 the Department of Information Resources (DIR) has advised state agencies and institutions of higher education that privacy and security needs to be considered in any Web site application. With the adoption of the State Web Site rule, DIR has required state agencies and institutions of higher education to publish and post a privacy and security policy on their Web site. In the 77th Legislative Session several laws were enacted that address additional requirements for agencies to protect the privacy of information collected on individuals. The following four bills address a number of privacy issues:
- House Bill 1922 Relating to state government privacy policy.
- House Bill 2589 Relating to the required posting of information on a state agency's Internet site and to the security, confidentiality, and management of certain information.
- Senate Bill 11 Relating to protecting the privacy of medical records; providing penalties.
- Senate Bill 694 Relating to the confidentiality of credit card, debit card, charge card, and access device numbers that are collected, assembled, or maintained by a governmental body and of certain e-mail addresses.
SB694 became effective May 26, 2001. It
adds Sections 136 and 137 to Chapter 552 Government Code (the
Public Information Act) and provides the following:
Sec. 552.136 (b) Notwithstanding any other provision of this
chapter, a credit card, debit card, charge card, or access
device number that is collected, assembled, or maintained
by or for a governmental body is confidential.
Sec. 552.137 requires that (a) An e-mail address of a member
of the public that is provided for the purpose of communicating
electronically with a governmental body is confidential and
not subject to disclosure under this chapter.
(b) Confidential information described by this section that
relates to a member of the public may be disclosed if the
member of the public affirmatively consents to its release.
Specific "Privacy and Security" requirements are addressed in the State Web Site rule as follows:
For state agencies §206.53
For institutions of higher education §206.73
Note: An individual's SSN should not be used, in whole or in part (e.g., last 4), as an ID and/or password for access to any online application. Additional information is available in Part 2: "Risks Pertaining to Electronic Transactions and Signed Records" in the "Guidelines for the Management of Electronic Transactions and Signed Records."
As a result of SB694, agencies that collect
citizen e-mail addresses via a Web form should use an SSL
session or equivalent technology to encrypt the data. Additional
information is available in the §206
FAQ.
HB2589 makes several amendments to the
Information Resource Management Act (Chapter 2054, Government
Code). One of the amendments is to Section 2054.121, requiring
DIR to adopt a policy to which state agencies must link. The
policy must:
1. prescribe terms under which a person may use, copy information
from, or link to a generally accessible Internet site maintained
by or for a state agency;
2. protect the personal information of members of the public
who access information from or through a generally accessible
Internet site maintained by or for a state agency;
3. include a statement that the agency is prohibited from
selling or releasing an e-mail address of a member of the
public unless such person affirmatively consents to the sale
or release of the information; and
4. specify other policies necessary to protect from public
disclosure personal information submitted by a member of the
public to a state agency's Internet site to the extent such
information is confidential, excepted from the requirements
of Section 552.021 of the Public Information Act or protected
by other law intended to protect a person's privacy interests.
HB1922 is effective September 1, 2001. It
adds Chapter 559, State Government Privacy Policies, to the
Government Code as follows:
Sec. 559.002 It is the policy of this state that an individual
is entitled to be informed about information that a state
governmental body collects about the individual unless the
state governmental body is allowed to withhold the information
from the individual under Section 552.023.
Sec. 559.003 (a) Each state governmental body that collects
information about an individual by means of a form that the
individual completes and files with the governmental body
in a paper format or in an electronic format on an Internet
site shall prominently state, on the paper form and prominently
post on the Internet site in connection with the electronic
form, that:
(1) with few exceptions, the individual is entitled on request
to be informed about the information that the state governmental
body collects about the individual;
(2) under Sections 552.021 and 552.023 of the Government Code,
the individual is entitled to receive and review the information;
and
(3) under Section 559.004 of the Government Code, the individual
is entitled to have the state governmental body correct information
about the individual that is incorrect.
(b) Each state governmental body that collects information
about an individual by means of an Internet site or that collects
information about the computer network location or identity
of a user of the Internet site shall prominently post on the
Internet site what information is being collected through
the site about the individual or about the computer network
location or identity of a user of the site, including what
information is being collected by means that are not obvious.
Additional requirements of HB1922 include:
1. Each state governmental body shall establish a reasonable
procedure under which an individual is entitled to have the
state governmental body correct information about the individual
that is possessed by the state governmental body and that
is incorrect. The procedure may not unduly burden an individual
using the procedure.
2. The governmental body may not charge an individual to correct
information about the individual.
3. Establishment of a privacy task force to study issues related
to the information practices of state government that affect
personal privacy. The task force shall report the results
of its study and its recommendations to the lieutenant governor
and the speaker by September 1, 2002.
SB11, effective September 1, 2001, relates
to protecting the privacy of medical records. Governmental
units, business entities and persons who maintain an Internet
site containing protected health information may be covered
by SB11. It amends the Health and Safety Code to add Subtitle
I, Medical Records, Chapter 181, Medical Records Privacy.
Privacy Guidebook and Related Publications
In December 2000, the National Electronic Commerce Coordinating
Council (NECCC) published "Privacy Policies - Are You Prepared?
A Guidebook for State and Local Government" that provides
additional information that may assist agencies in developing
privacy policies. In 2001 they published "Building Citizen
Trust and Confidence with Web Site Branding," "Citizen Expectations
for Trustworthy Electronic Government: An Assessment and Framework
for State Policy Makers and Information Technology Providers,"
and "Consumer Privacy Protections on the Internet." Copies of
the publications are available at http://www.ec3.org.
Key Privacy and Security Policy Areas
Notice: A Privacy and Security Policy should
be published on every government web site, even if the site
does not collect any information that results in creating
a record. This statement tells the visitors to your site how
you handle any information you get from them. State agency
web sites are highly diverse, and have many different purposes.
The privacy and security policies that agencies write for
those sites are also diverse. Agencies must tailor their statements
to the information practices of each individual site. It is
important to post your site's policy promptly, so visitors
to your site know the site's information practices.
Choice: Specific Web-based forms that require
personal information from a visitor shall post a privacy and
security policy, or a link to the policy, at the top of the
page/form indicating how the information will be used, and
under what conditions the information may be shared or released
to another party. The form should include a notice that the
information may be a public record and therefore subject to
release as an open record under the Public Information Act.
Web pages designed for children must comply with all applicable
federal and state laws intended to protect minors.
Access: Citizens should be able to view
and contest the accuracy and completeness of data collected
about them.
Security: Agencies that collect data must
take reasonable steps to ensure that information collected
from citizens is accurate and secure from unauthorized use.
Model Privacy and Security Policy (Based on 1
T.A.C. §206 State Web Sites)
Introductory language.
The policy should identify the agency and short overview
about the agency's privacy and security practices and how
they apply to the site.
Example: The Department of Information Resources (DIR) maintains
this Web site as a public service. This policy describes DIR's
privacy and security practices regarding information collected
from visitors to the site, including what information is collected
and how that information is used.
The policy applies to all pages beginning with www.dir.state.tx.us,
www.texan.state.tx.us,
www.tex-an.state.tx.us,
www.tex-an.net,
and www.tgic.state.tx.us.
Please note that all information collected or maintained
by DIR is subject to the provisions of the Texas Public Information
Act (Chapter 552, Texas Government Code).
Information collected and stored automatically.
In the course of operating a web site, certain information
may be collected automatically in logs or by cookies. Some
agencies may be able to collect a great deal of information,
but by policy elect to collect only limited information. In
some instances, agencies may have the technical ability to
collect information and later take additional steps to identify
people, such as by looking up static Internet Protocol addresses
that can be linked to specific individuals. Your policy should
make clear whether or not you are collecting this type of
information and whether you will take further steps to collect
more information.
Example: For site management functions, information is collected
for analysis and statistical purposes. This information is
not reported or used in any manner that would reveal personally
identifiable information, and will not be released to any
outside parties unless legally required to do so in connection
with law enforcement investigations or other legal proceedings.
We use log analysis tools to create summary statistics, which
are used for purposes such as assessing what information is
of most interest, determining technical design specifications,
and identifying system performance or problem areas. The following
information is collected for this analysis:
User Client hostname - The hostname (or IP address if DNS is
disabled) of the user/client requesting access.
HTTP header, "user-agent" - The user-agent information includes
the type of browser, its version, and the operating system it's
running on.
HTTP header, "referer" - The referer specifies the page from
which the client accessed the current page.
System date - The date and time of the user/client request.
Full request - The exact request the user/client made.
Status - The status code the server returned to the user/client.
Content length - The content length, in bytes, of the document
sent to the user/client.
Method - The request method used.
Universal Resource Identifier (URI) - The location of a resource
on the server.
Query string of the URI - Anything after the question mark in
a URI.
Protocol - The transport protocol and version used.
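The field list above matches the standard "combined" Web server access-log format. The Python script below is an added example, not code from the original guideline or from DIR, showing how an agency could produce the summary statistics the example policy describes while keeping identifying data out of the result: the client hostname is replaced with a keyed hash before visits are counted, and the query string is discarded because it can carry form data. The log lines, the hash salt and the paths are constructed for the illustration.

```python
import re
from collections import Counter
from hashlib import sha256

# Constructed sample entries in the combined log format; they carry every
# field the guideline names (hostname, date, full request, status, content
# length, referer, user-agent). These are made-up lines, not real DIR logs.
SAMPLE_LOG = """\
198.51.100.23 - - [18/Aug/2005:09:12:01 -0500] "GET /privacy.html HTTP/1.1" 200 5120 "http://www.example.gov/" "Mozilla/5.0 (Windows NT 5.1)"
198.51.100.23 - - [18/Aug/2005:09:12:05 -0500] "GET /forms/register.cgi?event=42 HTTP/1.1" 200 2048 "http://www.example.gov/privacy.html" "Mozilla/5.0 (Windows NT 5.1)"
203.0.113.9 - - [18/Aug/2005:09:13:40 -0500] "POST /forms/register.cgi HTTP/1.1" 302 0 "-" "Lynx/2.8.5"
203.0.113.9 - - [18/Aug/2005:09:14:02 -0500] "GET /missing.html HTTP/1.0" 404 310 "-" "Lynx/2.8.5"
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<length>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Split one combined-format line into the fields the guideline enumerates.

    Returns None for a line that does not match, so a corrupt entry is skipped
    rather than aborting the whole analysis.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["full_request"] = f'{rec["method"]} {rec["target"]} {rec["protocol"]}'
    uri, _, query = rec["target"].partition("?")
    rec["uri"] = uri            # Universal Resource Identifier
    rec["query"] = query        # query string: anything after the "?"
    rec["length"] = 0 if rec["length"] == "-" else int(rec["length"])
    rec["status"] = int(rec["status"])
    return rec


def pseudonymize_host(host, salt):
    """Replace the client hostname/IP with a keyed hash.

    Distinct visitors can still be counted, but the address itself never
    reaches the statistics. The salt is a constructed example value; in
    practice it would be kept out of the report and rotated periodically.
    """
    return sha256(salt + host.encode()).hexdigest()[:16]


def summarize(log_text, salt=b"example-salt-not-for-production"):
    """Build summary statistics of the kind the model policy describes.

    Only aggregate counts, pseudonymous visitor totals and error locations
    are kept; hostnames and query strings are deliberately left out.
    """
    pages = Counter()
    statuses = Counter()
    agents = Counter()
    visitors = set()
    errors = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pages[rec["uri"]] += 1                      # query string dropped: may hold form data
        statuses[rec["status"]] += 1
        agents[rec["agent"].split("/")[0]] += 1     # browser family only, not full agent string
        visitors.add(pseudonymize_host(rec["host"], salt))
        if rec["status"] >= 400:
            errors.append((rec["uri"], rec["status"]))
    return {
        "pages": pages,
        "statuses": statuses,
        "agents": agents,
        "distinct_visitors": len(visitors),
        "errors": errors,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The raw log lines still have to be retained and destroyed on the schedule the policy cites; the point of the script is that the published statistics can be produced from them without copying the identifying fields forward.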
Note: If the site uses cookies, the policy should identify
what information is collected and how that information is
used and protected.
Example: Cookies and Web Bugs
The DIR Web site may use cookies to provide interactive pages,
such as Web-based forms and surveys. DIR does not use the
information for other purposes. The DIR Web site does not
use Web bugs or Clear GIFs to track or report visitor information.
Notes: A cookie file contains unique information
a web site can use to track such things as passwords, lists
of pages you've visited, and the date when you last looked
at a specific page or to identify your session at a particular
web site. A cookie is often used in commercial sites to identify
the items selected for a specific shopping cart application.
Cookies come in several types, primarily session or persistent,
and may be set and controlled (that is, be the site to which
the cookie information is sent) either by the site itself or
by another site, a third party in a different domain. Agencies
that are providing access to information and services may have
a valid requirement to use session cookies, providing that
the use is disclosed in the associated privacy and security
policy. Persistent cookies expire after a period of time. This
can be after a few minutes, days, or years. If a state agency
uses persistent cookies they should set them to expire as soon
as possible, and indicate the time setting in their privacy
and security policy (e.g., 15-30 minutes after the average
time of a session, or after several days if used with a web-based
survey). If the site does use persistent cookies the application
should be properly coded to identify the agency that set the cookie.
A new technology called a Web bug is being used by some web
sites to track and/or report information about a visitor to
a web page. Web bugs are also called Web Beacons or Clear
GIFs.
In order for visitors to make informed decisions
about the privacy practices of state agencies, the visitor
should be able to access the home page and Privacy and Security
Policy page without the site setting a cookie or using a web
bug to track the visitor.
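As an added example, not part of the guideline or DIR's own code, the Python below turns the cookie notes above into checkable rules: cookie names carry an agency prefix so the agency that set them is identifiable, session cookies carry no lifetime, persistent cookies are capped at a policy ceiling, and the home page and privacy policy page are kept cookie-free. An audit function checks an existing Set-Cookie header against the same rules. The prefix `txdir_`, the 30-minute ceiling and the path list are constructed assumptions standing in for whatever an agency's published policy states.

```python
from http.cookies import SimpleCookie

# Constructed policy parameters for this example; a real agency would take
# them from its own published privacy and security policy.
AGENCY_PREFIX = "txdir_"            # identifies the agency that set the cookie
MAX_PERSISTENT_SECONDS = 30 * 60    # ceiling for persistent cookies (30 minutes)
COOKIE_FREE_PATHS = {"/", "/index.html", "/privacy.html"}   # must load without cookies


def build_cookie(name, value, path, max_age=None):
    """Return a Set-Cookie header value that conforms to the policy.

    Returns None when the page must stay cookie-free. max_age=None gives a
    session cookie; an integer number of seconds gives a persistent cookie,
    which is rejected if it outlives the policy ceiling.
    """
    if path in COOKIE_FREE_PATHS:
        return None
    if max_age is not None and not 0 < max_age <= MAX_PERSISTENT_SECONDS:
        raise ValueError(f"persistent cookie lifetime {max_age}s exceeds policy ceiling")
    jar = SimpleCookie()
    key = AGENCY_PREFIX + name
    jar[key] = value
    morsel = jar[key]
    morsel["path"] = path
    morsel["secure"] = True      # only sent over the SSL session the policy calls for
    morsel["httponly"] = True    # not readable by scripts in the page
    if max_age is not None:
        morsel["max-age"] = max_age
    return morsel.OutputString()


def audit_set_cookie(path, header_value):
    """Check one Set-Cookie header, as served for `path`, against the policy.

    Returns a list of findings; an empty list means the cookie conforms.
    """
    findings = []
    if path in COOKIE_FREE_PATHS:
        findings.append(f"{path} sets a cookie but must be reachable cookie-free")
    jar = SimpleCookie()
    jar.load(header_value)
    for key, morsel in jar.items():
        if not key.startswith(AGENCY_PREFIX):
            findings.append(f"{key}: name does not identify the agency")
        if not morsel["secure"]:
            findings.append(f"{key}: missing Secure attribute")
        if not morsel["httponly"]:
            findings.append(f"{key}: missing HttpOnly attribute")
        lifetime = morsel["max-age"]
        if lifetime != "" and int(lifetime) > MAX_PERSISTENT_SECONDS:
            findings.append(f"{key}: persistent lifetime {lifetime}s exceeds "
                            f"the {MAX_PERSISTENT_SECONDS}s policy ceiling")
    return findings


if __name__ == "__main__":
    print(build_cookie("sid", "abc123", "/forms/survey.cgi"))              # session cookie
    print(build_cookie("survey", "s9", "/forms/survey.cgi", max_age=900))  # persistent, 15 min
    print(build_cookie("sid", "abc123", "/"))                              # None: home page
    print(audit_set_cookie("/", "tracker=1; Max-Age=31536000"))           # five findings
```

Running the audit over the Set-Cookie headers a site actually returns for its home page and privacy page is a quick way to confirm the "no cookie before the visitor has read the policy" requirement, independent of what the application code was meant to do.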
Information Collected from E-mails and Web Forms.
Many web sites receive identifiable information from e-mails
or web forms. Some statement is appropriate about how the
identifiable information is treated when the individual provides
it.
Example:
E-Mail
State agencies may not sell or release the e-mail addresses
of members of the public that have been provided to communicate
electronically with a government body without the affirmative
consent of the affected member of the public. Personally identifiable
information contained in a question or comment sent to DIR
in an e-mail message or submitted in an online form is only
used by DIR to respond to the request and to analyze trends.
DIR may redirect the message to another government agency
or person who is in a better position to answer the question.
Web-Based Forms
DIR uses Web-based forms to collect survey results, to provide
online registration for some DIR-sponsored events, and to
provide online reporting of continuing education activities
by Information Resources Managers. Personally identifiable
information collected from these forms has a specified use
(for example, registration, survey response, etc.) and DIR
uses the information only for that purpose. Each Web-based
form contains a link to this privacy policy.
An individual who submits information in electronic format
through this Web site is entitled, on request, to receive
and review the information DIR collects about the individual,
and to have DIR correct the information. To do this, please
contact DIR at dirinfo@dir.state.tx.us.
Security and Intrusion Detection Language.
Many agency sites use information collected on a site to
detect potentially harmful intrusions and to take action once
an intrusion is detected. In some situations, the policy of
the agency may be not to collect personal information such
as from IP logs. In the event of authorized law enforcement
investigations, however, and pursuant to any required legal
process, information from those logs and other sources may
be used to help identify an individual.
Example:
We use a Secure Sockets Layer (SSL) connection to enhance
the security of any information you choose to submit to us
on our Web site. In other areas of our Web site, we provide
only the security necessary to maintain our Web site and information
we provide to you.
For site security purposes and to ensure that this service
remains available to all users, this government computer system
employs software programs to monitor network traffic to identify
unauthorized attempts to upload or change information, or
otherwise cause damage.
Except for authorized law enforcement investigations, no
other attempts are made to identify individual users or their
usage habits. Raw data logs are used for no other purposes
and are scheduled for regular destruction in accordance with
the Texas State Library and Archives Commission.
Unauthorized attempts to upload information or change information
on this service are strictly prohibited and may be punishable
under the Texas Penal Code Chapters 33 (Computer Crimes) or
33A (Telecommunications Crimes).
Other Privacy Issues
Platform for Privacy Preferences
The Platform for Privacy Preferences (P3P) is a technical
specification, developed by the World Wide Web Consortium,
that will enable web sites to identify their privacy practices
in a manner that can be understood by commercially-available
web browsers. Every state agency should consider implementing
P3P on the home page and key public entry points to an agency
web site. Other related information:
An introduction to P3P http://www.w3.org/P3P/introduction
P3P homepage http://www.w3.org/P3P
Specification http://www.w3.org/TR/P3P
Validator http://big.w3.org/cgi-bin/validate.pl
Privacy of Individually Identifiable Health Information
See Senate Bill 11 Relating to protecting the privacy of medical
records. The U.S. Department of Health and Human Services
is developing "Standards for Privacy of Individually Identifiable
Health Information." State agencies that handle health care
information will need to monitor and plan for implementing
the security and privacy standards. Violations of the HHS
regulations are subject to fines, up to $250,000. Additional
information is available at: http://aspe.hhs.gov/admnsimp/index.htm
Audit Requirements
Agencies that collect extensive data about an individual,
or sensitive data (e.g., medical), should have documented
policies and practices that can be audited. The State Auditor's
Office has published Electronic Commerce Risks and Controls
http://www.sao.state.tx.us/ec.pdf.
Additional Resources
An example of a privacy and security policy
The Center for Public Policy at Brown University publishes
an annual assessment of e-Government. The 2002 report evaluated
1,206 state government sites, 46 federal legislative or executive
sites, and 13 federal court sites. The full report is available
at http://www.InsidePolitics.org/Egovt02us.html.
They also published an assessment of city web sites, and that
report is available at http://www.InsidePolitics.org/egovt02city.html,
and a global assessment at http://www.InsidePolitics.org/egovt02int.html.
A privacy wizard is available at http://www.truste.org.
(Note: "The Privacy Statement generated by the Wizard is a
good starting point and needs to be edited according to the
site's specific privacy practices and that it is up to the
Web site to add these unique qualities to the privacy statement.")
The CPA Web Trust form at http://www.aicpa.org/webtrust/tocb.htm
can assist agencies in assessing the type of information
collected, how that information is protected, and audited.
Address questions about the Texas Information Technology Standards Web pages to:
Barbara Nadalini
512-463-5360, phone