Department of Information Resources
Leadership for Texas Government Technology


Standards Review and Recommendation Publication

SRRPUB11
State Web Site Guidelines
Privacy and Security Policy Guidelines


Version 6 August 18, 2005

Since 1997 the Department of Information Resources (DIR) has advised state agencies and institutions of higher education that privacy and security need to be considered in any Web site application. With the adoption of the State Web Site rule, DIR has required state agencies and institutions of higher education to publish and post a privacy and security policy on their Web sites. In the 77th Legislative Session several laws were enacted that impose additional requirements on agencies to protect the privacy of information collected about individuals. The following four bills address a number of privacy issues:

  • House Bill 1922 Relating to state government privacy policy.
  • House Bill 2589 Relating to the required posting of information on a state agency's Internet site and to the security, confidentiality, and management of certain information.
  • Senate Bill 11 Relating to protecting the privacy of medical records; providing penalties.
  • Senate Bill 694 Relating to the confidentiality of credit card, debit card, charge card, and access device numbers that are collected, assembled, or maintained by a governmental body and of certain e-mail addresses.

SB 694 became effective May 26, 2001. It adds Sections 552.136 and 552.137 to Chapter 552 of the Government Code (the Public Information Act), which provide the following:
Sec. 552.136 (b) Notwithstanding any other provision of this chapter, a credit card, debit card, charge card, or access device number that is collected, assembled, or maintained by or for a governmental body is confidential.
Sec. 552.137 (a) An e-mail address of a member of the public that is provided for the purpose of communicating electronically with a governmental body is confidential and not subject to disclosure under this chapter.
(b) Confidential information described by this section that relates to a member of the public may be disclosed if the member of the public affirmatively consents to its release.

Specific "Privacy and Security" requirements are addressed in the State Web Site rule as follows:
For state agencies §206.53
For institutions of higher education §206.73

Note: An individual's SSN should not be used, in whole or in part (e.g., the last four digits), as an ID or password for access to any online application. An SSN is held by many third parties and cannot be changed if exposed, so it fails both as an identifier and as a secret. Additional information is available in Part 2: "Risks Pertaining to Electronic Transactions and Signed Records" in the "Guidelines for the Management of Electronic Transactions and Signed Records."

As a result of SB 694, agencies that collect citizen e-mail addresses via a Web form should use an SSL session (in current practice TLS, since the SSL protocol versions themselves are deprecated) or equivalent technology to encrypt the data in transit. Additional information is available in the §206 FAQ.

HB2589 makes several amendments to the Information Resource Management Act (Chapter 2054, Government Code). One of the amendments is to Section 2054.121, requiring DIR to adopt a policy to which state agencies must link. The policy must:
1. prescribe terms under which a person may use, copy information from, or link to a generally accessible Internet site maintained by or for a state agency;
2. protect the personal information of members of the public who access information from or through a generally accessible Internet site maintained by or for a state agency;
3. include a statement that the agency is prohibited from selling or releasing an e-mail address of a member of the public unless such person affirmatively consents to the sale or release of the information; and
4. specify other policies necessary to protect from public disclosure personal information submitted by a member of the public to a state agency's Internet site to the extent such information is confidential, excepted from the requirements of Section 552.021 of the Public Information Act or protected by other law intended to protect a person's privacy interests.

HB1922 is effective September 1, 2001. It adds Chapter 559, State Government Privacy Policies, to the Government Code as follows:
Sec. 559.002 It is the policy of this state that an individual is entitled to be informed about information that a state governmental body collects about the individual unless the state governmental body is allowed to withhold the information from the individual under Section 552.023.
Sec. 559.003 (a) Each state governmental body that collects information about an individual by means of a form that the individual completes and files with the governmental body in a paper format or in an electronic format on an Internet site shall prominently state, on the paper form and prominently post on the Internet site in connection with the electronic form, that:
(1) with few exceptions, the individual is entitled on request to be informed about the information that the state governmental body collects about the individual;
(2) under Sections 552.021 and 552.023 of the Government Code, the individual is entitled to receive and review the information; and
(3) under Section 559.004 of the Government Code, the individual is entitled to have the state governmental body correct information about the individual that is incorrect.
(b) Each state governmental body that collects information about an individual by means of an Internet site or that collects information about the computer network location or identity of a user of the Internet site shall prominently post on the Internet site what information is being collected through the site about the individual or about the computer network location or identity of a user of the site, including what information is being collected by means that are not obvious.

Additional requirements of HB1922 include:
1. Each state governmental body shall establish a reasonable procedure under which an individual is entitled to have the state governmental body correct information about the individual that is possessed by the state governmental body and that is incorrect. The procedure may not unduly burden an individual using the procedure.
2. The governmental body may not charge an individual to correct information about the individual.
3. Establishment of a privacy task force to study issues related to the information practices of state government that affect personal privacy. The task force shall report the results of its study and its recommendations to the lieutenant governor and the speaker by September 1, 2002.

SB 11, effective September 1, 2001, relates to protecting the privacy of medical records. Governmental units, business entities, and persons who maintain an Internet site containing protected health information may be covered by SB 11. It amends the Health and Safety Code to add Subtitle I, Medical Records, Chapter 181, Medical Records Privacy.


Privacy Guidebook and Related Publications
In December 2000, the National Electronic Commerce Coordinating Council (NECCC) published "Privacy Policies - Are You Prepared? A Guidebook for State and Local Government," which provides additional information that may assist agencies in developing privacy policies. In 2001 they published "Building Citizen Trust and Confidence with Web Site Branding," "Citizen Expectations for Trustworthy Electronic Government: An Assessment and Framework for State Policy Makers and Information Technology Providers," and "Consumer Privacy Protections on the Internet." Copies of the publications are available at http://www.ec3.org


Key Privacy and Security Policy Areas

Notice: A Privacy and Security Policy should be published on every government web site, even if the site does not collect any information that results in creating a record. This statement tells the visitors to your site how you handle any information you get from them. State agency web sites are highly diverse, and have many different purposes. The privacy and security policies that agencies write for those sites are also diverse. Agencies must tailor their statements to the information practices of each individual site. It is important to post your site's policy promptly, so visitors to your site know the site's information practices.

Choice: Specific Web-based forms that require personal information from a visitor shall post a privacy and security policy, or a link to the policy, at the top of the page/form indicating how the information will be used, and under what conditions the information may be shared or released to another party. The form should include a notice that the information may be a public record and therefore subject to release as an open record under the Public Information Act. Web pages designed for children must comply with all applicable federal and state laws intended to protect minors.

Access: Citizens should be able to view and contest the accuracy and completeness of data collected about them.

Security: Agencies that collect data must take reasonable steps to ensure that information collected from citizens is accurate and secure from unauthorized use.


Model Privacy and Security Policy (Based on 1 T.A.C. §206 State Web Sites)

Introductory language.

The policy should identify the agency and short overview about the agency's privacy and security practices and how they apply to the site.

Example: The Department of Information Resources (DIR) maintains this Web site as a public service. This policy describes DIR's privacy and security practices regarding information collected from visitors to the site, including what information is collected and how that information is used.
The policy applies to all pages beginning with www.dir.state.tx.us, www.texan.state.tx.us, www.tex-an.state.tx.us, www.tex-an.net, and www.tgic.state.tx.us.

Please note that all information collected or maintained by DIR is subject to the provisions of the Texas Public Information Act (Chapter 552, Texas Government Code).

Information collected and stored automatically.

In the course of operating a web site, certain information may be collected automatically in logs or by cookies. Some agencies may be able to collect a great deal of information, but by policy elect to collect only limited information. In some instances, agencies may have the technical ability to collect information and later take additional steps to identify people, such as by looking up static Internet Protocol addresses that can be linked to specific individuals. Your policy should make clear whether or not you are collecting this type of information and whether you will take further steps to collect more information.

Example: For site management functions, information is collected for analysis and statistical purposes. This information is not reported or used in any manner that would reveal personally identifiable information, and will not be released to any outside parties unless legally required to do so in connection with law enforcement investigations or other legal proceedings.

We use log analysis tools to create summary statistics, which are used for purposes such as assessing what information is of most interest, determining technical design specifications, and identifying system performance or problem areas. The following information is collected for this analysis:

User/client hostname - The IP address of the requesting client, or its hostname if the server performs reverse DNS lookups.
HTTP header, "user-agent" - The user-agent string identifies the type of browser, its version, and the operating system it is running on.
HTTP header, "referer" - The referer identifies the page from which the client reached the current page (the header name is misspelled in the HTTP specification and is transmitted that way).
System date - The date and time of the user/client request.
Full request - The exact request line the user/client sent.
Status - The status code the server returned to the user/client.
Content length - The content length, in bytes, of the document sent to the user/client.
Method - The request method used (for example GET or POST).
Uniform Resource Identifier (URI) - The location of the requested resource on the server.
Query string of the URI - Anything after the question mark in a URI. Values submitted from a form that uses the GET method appear here, so personal data can enter the log through this field.
Protocol - The HTTP protocol version used (for example HTTP/1.1).
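The fields above are those of the common/combined server log format. As an added example (not part of the original guideline), the following Python splits such lines into the listed fields and then applies the two minimization steps that keep the summary statistics from revealing personally identifiable information: the client address is replaced by a keyed hash so repeat visits can still be counted, and query-string values (where a name or e-mail address submitted through a GET form ends up) are redacted before the record is retained. The sample log lines, the key, and the function names are constructed for this example.

```python
import hashlib
import hmac
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format. Addresses are from
# documentation ranges and the names are invented for this example.
SAMPLE_LOG = """\
198.51.100.23 - - [18/Aug/2005:10:01:12 -0500] "GET /standards/srrpub11.htm HTTP/1.1" 200 5120 "http://www.dir.state.tx.us/standards/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
host42.example.net - - [18/Aug/2005:10:02:03 -0500] "GET /survey/submit.cgi?name=Jane+Doe&email=jane%40example.org HTTP/1.0" 302 0 "-" "Mozilla/5.0 (X11; Linux)"
198.51.100.23 - - [18/Aug/2005:10:02:40 -0500] "POST /forms/register HTTP/1.1" 500 233 "http://www.dir.state.tx.us/forms/register" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# One combined-format line: host ident user [date] "request" status length "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<protocol>[^"]+)" '
    r'(?P<status>\d{3}) (?P<length>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)


def parse_log_line(line):
    """Split one log line into the fields the guideline lists.

    Returns None for a line that does not match, so a malformed or
    truncated line is skipped rather than miscounted.
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    target = urlsplit(m["target"])
    return {
        "host": m["host"],                  # user/client hostname or IP address
        "user_agent": m["user_agent"],      # HTTP header "user-agent"
        "referer": m["referer"],            # HTTP header "referer"
        "date": m["date"],                  # system date of the request
        "full_request": f'{m["method"]} {m["target"]} {m["protocol"]}',
        "status": int(m["status"]),         # status code returned
        "content_length": 0 if m["length"] == "-" else int(m["length"]),
        "method": m["method"],              # request method
        "uri": target.path,                 # resource location on the server
        "query": target.query,              # everything after the "?"
        "protocol": m["protocol"],          # HTTP version, e.g. HTTP/1.1
    }


def pseudonymize_host(host, key):
    """Replace the client address with a keyed hash (HMAC-SHA256).

    Repeat visits by the same client still count as one visitor, but the
    stored value cannot be looked up to identify a person. The key is a
    secret held apart from the logs and should be rotated (e.g. daily)
    so pseudonyms cannot be correlated over long periods.
    """
    return hmac.new(key, host.encode(), hashlib.sha256).hexdigest()[:16]


def redact_query(query):
    """Keep parameter names (useful for statistics) but drop their values,
    which is where a name or e-mail address submitted through a GET form
    lands in the log."""
    if not query:
        return ""
    return "&".join(pair.split("=", 1)[0] + "=[redacted]" for pair in query.split("&"))


def minimize_record(rec, key):
    """Return the form of a record that may be retained for analysis."""
    out = dict(rec)
    out["host"] = pseudonymize_host(rec["host"], key)
    out["query"] = redact_query(rec["query"])
    target = rec["uri"] + ("?" + out["query"] if out["query"] else "")
    out["full_request"] = f'{rec["method"]} {target} {rec["protocol"]}'
    return out


def summarize(log_text, key):
    """Summary statistics of the kind the guideline describes, computed
    from minimized records only."""
    pages, statuses, visitors = Counter(), Counter(), set()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        rec = minimize_record(rec, key)
        pages[rec["uri"]] += 1
        statuses[rec["status"]] += 1
        visitors.add(rec["host"])
    return {"pages": dict(pages), "statuses": dict(statuses),
            "unique_visitors": len(visitors)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG, b"constructed-daily-key"), indent=2))
```

The keyed hash is preferred over a plain hash of the address: the IPv4 space is small enough that an unkeyed digest can be reversed by hashing every possible address, which would defeat the purpose of the pseudonym.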

Note: If the site uses cookies, the policy should identify what information is collected and how that information is used and protected.

Example: Cookies and Web Bugs
The DIR Web site may use cookies to provide interactive pages, such as Web-based forms and surveys. DIR does not use the information for other purposes. The DIR Web site does not use Web bugs or Clear GIFs to track or report visitor information.

Notes: A cookie is a small piece of data a web site stores in the visitor's browser, which the browser returns with later requests to that site. A site can use it to recognize a session, to remember which pages the visitor has seen and when a specific page was last viewed, or, on commercial sites, to tie a visitor to the items in a shopping cart. A cookie should carry an opaque identifier rather than the data itself: passwords or other secrets must never be placed in a cookie, because anything the browser stores can be read or replayed by whoever obtains it.

Cookies come in two main types, session and persistent. They may be set by the site itself (first-party) or by another site in a different domain whose content is embedded in the page (third-party), in which case the cookie is sent to that other site. Agencies that provide access to information and services may have a valid requirement to use session cookies, provided that the use is disclosed in the associated privacy and security policy. Session cookies are discarded when the browser is closed. Persistent cookies expire after a set period of time, which can be a few minutes, days, or years. If a state agency uses persistent cookies it should set them to expire as soon as possible and state the expiry period in its privacy and security policy (e.g., 15-30 minutes beyond the average length of a session, or several days if the cookie supports a web-based survey). If the site does use persistent cookies, the application should name or otherwise mark the cookie so that the agency that set it can be identified.

A Web bug, also called a Web beacon or clear GIF, is a small image (often a single transparent pixel) embedded in a web page or e-mail. Loading the image makes the browser request it from a tracking server, which can then log the visit, the page or message it came from, and any cookie that server has set. Some web sites use them to track and report information about visitors.

In order for visitors to make informed decisions about the privacy practices of state agencies, the visitor should be able to access the home page and Privacy and Security Policy page without the site setting a cookie or using a web bug to track the visitor.
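As an added example (not from the original guideline), the Python below builds Set-Cookie header values that follow the rules just described: a session cookie with no expiry, a persistent cookie whose lifetime is explicit and capped, a cookie name that identifies the agency, and no cookie at all on the home page or the privacy policy page. The agency prefix, the cookie-free paths, the lifetime cap, and the path names are assumptions made for the example; the Secure and HttpOnly attributes are an added hardening measure that the guideline does not mention.

```python
import secrets
from http.cookies import SimpleCookie

# Conventions assumed for this example (not taken from the guideline):
AGENCY_PREFIX = "dir_"                                     # cookie names identify the setting agency
COOKIE_FREE_PATHS = {"/", "/index.html", "/privacy.html"}  # home page and privacy policy page
MAX_PERSISTENT_SECONDS = 7 * 24 * 60 * 60                  # cap on a persistent cookie's lifetime


def may_set_cookie(request_path):
    """A visitor must be able to read the home page and the privacy policy
    without the site setting a cookie, so responses to those paths carry
    no Set-Cookie header."""
    return request_path.split("?", 1)[0] not in COOKIE_FREE_PATHS


def _morsel(name, value, path):
    """Build a cookie whose name identifies the agency that set it.

    Secure and HttpOnly are added hardening: the cookie is only sent over
    an SSL/TLS connection and is not readable by page scripts.
    """
    if not name.startswith(AGENCY_PREFIX):
        raise ValueError("cookie name must identify the agency: " + name)
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name]


def session_cookie(request_path, path="/forms"):
    """Set-Cookie value for a session cookie: no Max-Age or Expires, so the
    browser discards it when closed. The value is random and carries no
    personal data; any state lives on the server under this identifier."""
    if not may_set_cookie(request_path):
        raise ValueError("no cookie may be set on " + request_path)
    return _morsel(AGENCY_PREFIX + "session", secrets.token_urlsafe(32), path).OutputString()


def persistent_cookie(request_path, name, value, path, lifetime_seconds):
    """Set-Cookie value for a persistent cookie with an explicit, bounded
    lifetime; lifetime_seconds is the figure the privacy policy must state."""
    if not may_set_cookie(request_path):
        raise ValueError("no cookie may be set on " + request_path)
    if not 0 < lifetime_seconds <= MAX_PERSISTENT_SECONDS:
        raise ValueError("lifetime must be 1..%d seconds" % MAX_PERSISTENT_SECONDS)
    m = _morsel(name, value, path)
    m["max-age"] = lifetime_seconds
    return m.OutputString()


if __name__ == "__main__":
    print("Set-Cookie:", session_cookie("/forms/register"))
    print("Set-Cookie:", persistent_cookie("/survey/start", "dir_survey", "page7", "/survey", 3 * 24 * 3600))
```

The Path attribute limits where the browser returns the cookie, but it does not stop the server from setting one in the first place; that is why the check is made on the path of the request being answered, not on the cookie's own Path.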

Information Collected from E-mails and Web Forms.

Many web sites receive identifiable information from e-mails or web forms. Some statement is appropriate about how the identifiable information is treated when the individual provides it.

Example:

E-Mail
State agencies may not sell or release the e-mail addresses of members of the public that have been provided to communicate electronically with a government body without the affirmative consent of the affected member of the public. Personally identifiable information contained in a question or comment sent to DIR in an e-mail message or submitted in an online form is only used by DIR to respond to the request and to analyze trends. DIR may redirect the message to another government agency or person who is in a better position to answer the question.

Web-Based Forms
DIR uses Web-based forms to collect survey results, to provide online registration for some DIR-sponsored events, and to provide online reporting of continuing education activities by Information Resources Managers. Personally identifiable information collected from these forms has a specified use (for example, registration, survey response, etc.) and DIR uses the information only for that purpose. Each Web-based form contains a link to this privacy policy.

An individual who submits information in electronic format through this Web site is entitled, on request, to receive and review the information DIR collects about the individual, and to have DIR correct the information. To do this, please contact DIR at dirinfo@dir.state.tx.us.

Security and Intrusion Detection Language.

Many agency sites use information collected on a site to detect potentially harmful intrusions and to take action once an intrusion is detected. In some situations, the policy of the agency may be not to collect personal information such as from IP logs. In the event of authorized law enforcement investigations, however, and pursuant to any required legal process, information from those logs and other sources may be used to help identify an individual.

Example:

We use a Secure Sockets Layer (SSL) connection, or its successor Transport Layer Security (TLS), to encrypt information you choose to submit to us on our Web site while it is in transit. In other areas of our Web site, we provide only the security necessary to maintain our Web site and the information we provide to you.

For site security purposes and to ensure that this service remains available to all users, this government computer system employs software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.

Except for authorized law enforcement investigations, no other attempts are made to identify individual users or their usage habits. Raw data logs are used for no other purpose and are scheduled for regular destruction in accordance with the records retention schedule approved by the Texas State Library and Archives Commission.

Unauthorized attempts to upload information or change information on this service are strictly prohibited and may be punishable under the Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications Crimes).


Other Privacy Issues

Platform for Privacy Preferences
The Platform for Privacy Preferences (P3P) is a technical specification, developed by the World Wide Web Consortium (W3C), that enables a web site to publish its privacy practices in a machine-readable form that P3P-aware browsers can read and compare against the user's preferences. Every state agency should consider implementing P3P on the home page and key public entry points of the agency web site. Note that a P3P policy supplements the human-readable policy and does not replace it; W3C has since retired the P3P specification and current browsers no longer act on it. Other related information:

An introduction to P3P http://www.w3.org/P3P/introduction

P3P homepage http://www.w3.org/P3P

Specification http://www.w3.org/TR/P3P

Validator http://big.w3.org/cgi-bin/validate.pl


Privacy of Individually Identifiable Health Information

See Senate Bill 11 relating to protecting the privacy of medical records. The U.S. Department of Health and Human Services has issued the HIPAA "Standards for Privacy of Individually Identifiable Health Information" (the Privacy Rule, 45 CFR Parts 160 and 164), with a companion Security Rule for electronic protected health information. State agencies that handle health care information will need to monitor and plan for implementing the security and privacy standards. Violations of the HHS regulations are subject to civil penalties and, for knowing misuse, criminal fines of up to $250,000. Additional information is available at: http://aspe.hhs.gov/admnsimp/index.htm


Audit Requirements

Agencies that collect extensive data about an individual, or sensitive data (e.g., medical), should have documented policies and practices that can be audited. The State Auditor's Office has published Electronic Commerce Risks and Controls http://www.sao.state.tx.us/ec.pdf.


Additional Resources

An example of a privacy and security policy


The Center for Public Policy at Brown University publishes an annual assessment of e-Government. The 2002 report evaluated 1,206 state government sites, 46 federal legislative or executive sites, and 13 federal court sites. The full report is available at http://www.InsidePolitics.org/Egovt02us.html. They also published an assessment of city Web sites, available at http://www.InsidePolitics.org/egovt02city.html, and a global assessment at http://www.InsidePolitics.org/egovt02int.html

A privacy wizard is available at http://www.truste.org. (Note: "The Privacy Statement generated by the Wizard is a good starting point and needs to be edited according to the site's specific privacy practices, and it is up to the Web site to add these unique qualities to the privacy statement.")

The CPA WebTrust form at http://www.aicpa.org/webtrust/tocb.htm can assist agencies in assessing the type of information collected, how that information is protected, and how that protection is audited.

Address questions about the Texas Information Technology Standards Web pages to:
Barbara Nadalini
512-463-5360, phone

 
  Department of Information Resources
300 West 15th St., Suite 1300
Austin, TX 78701 (Map & Directions)
1-512-475-4700
Last updated August 18, 2005