GOVERNMENT DATA: REGULATE
DISCLOSURE
House Bill 5693 as passed by the House
Second Analysis (1-20-99)
Sponsor: Rep. Lingg Brewer
Committee: Advanced Technology and
Computer Development
THE APPARENT PROBLEM:
The state and many local units of government contract with private companies to collect, store, and process data or analyze governmental databases. Therefore, the privately held databases can contain a substantial amount of information on Michigan residents such as Social Security numbers, tax information, property ownership, occupational licensing, and health information. Reportedly, some of the information contained in the databases is sold or made available to private investigative, marketing, and service firms without the knowledge of either the governmental unit originally generating the data or the individuals and businesses to whom the information relates.
Current law does not require private entities under contract to the state to provide maximum data and database security. In addition, since some of the firms under contract to Michigan governmental units may be located in other states, and therefore not subject to Michigan laws, the language in a contract becomes very important in providing necessary safeguards. However, some people believe that in light of the continued problem of unauthorized disclosure of information from databases, the contractual language has not proven to be a sufficient deterrent. Legislation has been proposed to discourage the unauthorized disclosure of information from governmental data sources.
THE CONTENT OF THE BILL:
The bill would create a new act to regulate the disclosure of government data to a third party by a person or business entrusted with that data for storage or processing. "Government data" would be defined as information gathered by the state or a local unit of government and that was transferred or entrusted to a person by electronic, print, digital, or other means for the sole purpose of being stored or processed on behalf of the governmental unit. A "third party" would be any person other than the person to whom the governmental unit transferred the data. "Person" would include an individual, partnership, corporation, association, limited liability company, or other legal entity. The bill would not apply to an official of the state or a municipality who was entrusted with government data in the performance of his or her official duties.
Under the bill, a person entrusted with government data for storage or processing would be prohibited from disclosing the data's contents to a third party without written authorization from the governmental unit that compiled the data. A person receiving such authorization would have to maintain a written record for three years that included the identity of the person to whom the disclosure had been made, the contents of the disclosed data, and the date of the disclosure. A copy would have to be provided to the governmental unit providing the written authorization for disclosure upon request.
Further, a person would have to secure a surety bond for $200,000 payable to the governmental unit before storing or processing government data. The bond would have to remain in effect for the duration of the period that a person stored, processed, or maintained the data. The bond would also have to specify that upon a violation of the bill's provisions, the bond amount would have to be paid to the affected governmental unit.
FISCAL IMPLICATIONS:
According to the House Fiscal Agency, the bill would have an indeterminate impact on state and local governments. Additional state and local administrative costs would be associated with the enforcement of the
bill, and the forfeiture of surety bonds by private entities for violations of the bill's provisions could result in additional state and local revenues. (4-21-98)
ARGUMENTS:
For:
The state and local governments often contract with private vendors to collect, store, process, or analyze data. This information often contains personal information about individuals. Apparently, some of the information is sold to other businesses that can in turn use it for telemarketing, advertising, or other purposes. However, many people feel that the information in governmental databases should be protected from unauthorized disclosures. Though the contracts between governmental agencies and data processing firms should provide sufficient protection, they don't always do so. A contract can be terminated, but if a governmental agency could not readily provide the canceled data services itself, or quickly find another business to provide those services, it may be hesitant to cancel a contract.
The bill would address this problem by requiring that a sub-contractor obtain written authorization from the governmental source generating the data before disclosing any information to a third party. The sub-contractor would also have to keep written records about the content of the information disclosed and to whom it was disclosed. Further, the bill's requirement of the posting of a surety bond would add an additional deterrent to unauthorized disclosure of information. The bill is an important first step in establishing standards for the regulation of information contained in governmental databases that are stored or maintained by non-governmental entities.
Against:
If a problem exists, then the language in contracts should be written so as to contain sufficient safety precautions. Besides, for some of the smaller municipalities in which the governmental business may be conducted on an official's home computer, the bill's requirements may be burdensome. Further, the bill does not address some aspects of security and confidentiality, such as the problems associated with workers leaving files or terminals unattended or in plain view of others.
Response:
As awareness of problems with security and confidentiality of information in governmental data increases, tighter language can be placed in future contracts. However, for those contracts already in existence that may be vague or not easily enforced, the bill would provide an important security measure to stop information from being sold or otherwise disclosed to unauthorized third parties. The bill would not be an instant cure-all, but would go far in beginning to address some of the confidentiality problems inherent in the current system of governmental records being stored or processed electronically by non-governmental entities.
POSITIONS:
There are no positions on the bill.
Analyst: S. Stutzky