Utah Stakes Privacy Position
- By Dan Caterinicchia, Dan Caterinicchia
- Apr 03, 2000
Utah recently became one of the first states to include a privacy policy
on its Internet home page to show citizens that their state government is
protecting their personal information, trying to make people feel more comfortable
when using online applications.
"If we can get some reasonable trust associated with what we're doing,
people are going to use online government resources," said Al Sherwood,
Utah's electronic commerce coordinator. "We need to show them that we're
customer-friendly and concerned with their privacy to help establish a sufficient
trust."
As consumers become more and more Internet-savvy, they are also becoming
increasingly concerned with their privacy online. A recent poll of 1,000
adults in the United States who actively use the Internet found that more
than 85 percent of them regarded the privacy of information transmitted
online as the most important issue the Internet faces. (The poll was conducted
by Atplan Inc., and can be found at www.webplan.net.)
Who can blame them? Information of an extremely personal nature, from
Social Security numbers to home addresses, is routinely required for even
the most basic Internet transactions. That doesn't even touch on the potential
dangers of having an insecure credit card number drifting through cyberspace.
And recent events like the high-profile hacking of some government and
commercial sites, as well as lawsuits being filed against Internet companies
for selling consumers' personal data without their consent, have propelled
online privacy into the national limelight.
"We became aware that privacy can be nothing less than a show-stopper
for electronic commerce and decided to get ahead of the game," Sherwood
said. "When people were just downloading stuff, it wasn't too big an issue.
But with new databases and applications online that require credit card
numbers and other personal information, people want it to be safe and secure."
To help boost customers' confidence, Sherwood, who also chairs the Utah
Electronic Commerce Council, helped draft and establish the privacy statement
for the portal to the e-Utah World Wide Web site (www.state.ut.us). The
policy, which was approved by the UECC on Jan. 10 and by the state's Information
Technology Policy Strategy Committee on Jan. 20, can be found through a
link at the bottom of the main Web page. Before that, the state did not
have an official stance on the subject. (Go to www.state.ut.us/privacy.html to view the new policy.)
Utah based its privacy policy on guidelines developed in 1980 by the
Organisation for Economic Co-operation and Development (www.oecd.org),
a group with members in 29 countries that provides a forum for governments
to develop economic and social policy.
"The OECD guidelines are not new stuff," Sherwood said. "It's just basic
principles that were formulated years ago, but remain the seminal work on
privacy."
The OECD guidelines say there should "be limits to the collection of
personal data and any such data should be obtained by lawful and fair means
and with the knowledge or consent of the data subject."
The guidelines also say "personal data should be relevant to the purposes
for which they are to be used, [and the] purposes for which personal data
are collected should be specified no later than at the time of data collection."
In addition to the OECD guidelines, Sherwood also contacted Richard
Varn, Iowa's chief information officer, because the state (www.state.ia.us)
was one of the only other states with a similar posted policy.
Varn formed the Iowa Access Advisory Council to deal with issues such
as the state portal's privacy policy shortly after he assumed his post last
April. He pulled in representatives from the public and private sectors,
including educators, lawyers and technology experts, to serve on the council.
Varn said some people argued that when citizens make a public-record
inquiry online, their IP addresses also should be public record. But IAAC
decided to make that information confidential "because citizens have the
right not to have someone asking them what they were doing." A public-record
inquiry done in-person is confidential.
Establishing a privacy policy is just one of the tools governments can
use to help solve the "privacy vs. access" debate, he said.
Varn said one of Iowa's main goals was to ensure that technology was
not getting blamed for problems it did not cause. "We just want to make
sure that if anonymous access to public records was the standard before,
that it be preserved in electronic access to records."
The National Information Consortium designed both Utah and Iowa's portals.
NIC (www.nicusa.com), based in Overland Park, Kan., is a provider of outsourced
portal services to state and local governments, including Utah, Iowa and
nine other states.
Brad Bradley, NIC's executive vice president and general counsel, said
NIC has had a number of opportunities to gather and resell data that private
companies would have jumped at, "but we have not specifically because
people don't like their governments doing that."
"People think it's cool when commercial sites greet them personally,
but they get nervous when government sites do it," Bradley said, adding
that the company is working with all of its state portal customers to develop
privacy policies.
Sherwood said the issue of personalization was one of the trickiest
problems to deal with when developing the policy. It stirred the debate
between people who wanted a highly interactive online experience and those
who were more concerned with privacy.
Personalization on Web sites involves people setting up preferences
and providing some personal information to establish specialized page views
and information that pertains to their expressed interests.
"There are desires in conflict," Sherwood said. "Some customers demand not
only privacy, but anonymity, while other people want a high level of customer
service and personalization. That's the two horns. If they want personalization,
we need to collect personal information."
Sherwood said e-Utah is not ready to personalize its services, but future
plans include sending people e-mails on a subject that they may have shown
an interest in. But people would be able to choose whether or not they wanted
to participate in the e-mail service.
"As we move more and more to a more personalized portal, we'll push
information out to people that's useful to them," Sherwood said. "They may
or may not want the e-mail again and if they "opt-out,' they will be deleted.
E-mail addresses primarily come in through inquiries and eventually we'll
register people who "opt-in' and that's it."
Though Utah appears to be one of the states leading the privacy effort,
Sherwood said there's still much progress to be made.
"We're still two or three iterations out of the portal before it gets
a really personal feeling, but we recognized a potential problem in advance
and got it into policy," Sherwood said. "Basically, people don't want their
private information sold to the highest bidder, and they don't want their
identities stolen. We wanted to get out ahead of [the problem] because it
would've been inevitable without something in place."