CIO OUTLOOK

With privacy, you have plenty of options

Otto Doll

Unless you've been on a desert island, you know that privacy is getting a lot of attention these days. The 106th Congress has 51 House bills and 23 Senate bills pending on the subject.

That may sound like plenty of action, but until policymakers address one of the root problems'a person's right to opt in or out of having personal data used'we may never resolve the privacy issue.

In terms of how governments use the data they get from citizens, I see a privacy option spectrum that ranges from opt-free to opt-out to opt-in to never-use. The spectrum's end points are in use today but are under attack.

Opt-free is when personal information is shared in whatever way the collector wants without asking permission. That's what I call the mailing list syndrome. Citizens hate it.

The private sector's misuse of information most often generates complaints, but information gathered by agencies is sometimes also used this way.

At the other end of the spectrum is never-use, when personal information is strictly controlled. Collectors don't use personal information beyond its original purpose, whether buying medicine or getting a driver's license. The public sector frequently takes this stance in the form of laws or administrative rules.

Opt-out means individuals restrict the use of their personal information only when they take specific action to forbid it. Thus the default under this policy leaves agencies free to use information in any way they choose.

People are often persuaded, confused or misguided into consenting to the use of their personal information. What sometimes happens is that governments'and businesses'restrict their own use of that data, but pass it on to third parties that have no restrictions. Or the information is passed on to so-called affiliated third parties. For example, a tax agency might give financial data to a child welfare department.

Opt-in gets past the messy problems of opt-out schemes. An opt-in policy means an agency cannot use gathered information unless a person specifically grants you permission.

Any solution requires three elements.

First is an opt-in policy that covers the primary information gatherer and all its third parties. Governments should require a citizen's permission to reuse or forward information.

Second, there must be processes to allow an agency not only access to gathered data but also the ability to correct or update it. If we can so easily use technology to gather personal information, then we can just as easily build into our information systems a means to maintain it.

Finally, misuse of information should be treated like identity theft. This would require state privacy laws to have sufficient bite. States are already enacting identity theft statutes to protect people's common electronic tags such as log-on identifications and passwords or electronic fingerprints. Shouldn't all personal information be treated as a kind of electronic signature of a person?

We in government can claim success when our constituents are convinced that their personal information is in good hands'their hands.

Otto Doll, chief information officer of South Dakota, formerly worked in federal information technology. He is president of the National Association of State Information Executives.

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above