Utah Stakes Privacy Position

Utah recently became one of the first states to include a privacy policy on its Internet home page to show citizens that their state government is protecting their personal information, trying to make people feel more comfortable when using online applications.

"If we can get some reasonable trust associated with what we're doing, people are going to use online government resources," said Al Sherwood, Utah's electronic commerce coordinator. "We need to show them that we're customer-friendly and concerned with their privacy to help establish a sufficient trust."

As consumers become more and more Internet-savvy, they are also becoming increasingly concerned with their privacy online. A recent poll of 1,000 adults in the United States who actively use the Internet found that more than 85 percent of them regarded the privacy of information transmitted online as the most important issue the Internet faces. (The poll was conducted by Atplan Inc., and can be found at www.webplan.net.)

Who can blame them? Information of an extremely personal nature, from Social Security numbers to home addresses, is routinely required for even the most basic Internet transactions. That doesn't even touch on the potential dangers of having an insecure credit card number drifting through cyberspace.

And recent events like the high-profile hacking of some government and commercial sites, as well as lawsuits being filed against Internet companies for selling consumers' personal data without their consent, have propelled online privacy into the national limelight.

"We became aware that privacy can be nothing less than a show-stopper for electronic commerce and decided to get ahead of the game," Sherwood said. "When people were just downloading stuff, it wasn't too big an issue. But with new databases and applications online that require credit card numbers and other personal information, people want it to be safe and secure."

To help boost customers' confidence, Sherwood, who also chairs the Utah Electronic Commerce Council, helped draft and establish the privacy statement for the portal to the e-Utah World Wide Web site (www.state.ut.us). The policy, which was approved by the UECC on Jan. 10 and by the state's Information Technology Policy Strategy Committee on Jan. 20, can be found through a link at the bottom of the main Web page. Before that, the state did not have an official stance on the subject. (Go to www.state.ut.us/privacy.html to view the new policy.)

Utah based its privacy policy on guidelines developed in 1980 by the Organisation for Economic Co-operation and Development (www.oecd.org), a group with members in 29 countries that provides a forum for governments to develop economic and social policy.

"The OECD guidelines are not new stuff," Sherwood said. "It's just basic principles that were formulated years ago, but remain the seminal work on privacy."

The OECD guidelines say there should "be limits to the collection of personal data and any such data should be obtained by lawful and fair means and with the knowledge or consent of the data subject."

The guidelines also say "personal data should be relevant to the purposes for which they are to be used, [and the] purposes for which personal data are collected should be specified no later than at the time of data collection."

In addition to the OECD guidelines, Sherwood also contacted Richard Varn, Iowa's chief information officer, because the state (www.state.ia.us) was one of the only other states with a similar posted policy.

Varn formed the Iowa Access Advisory Council to deal with issues such as the state portal's privacy policy shortly after he assumed his post last April. He pulled in representatives from the public and private sectors, including educators, lawyers and technology experts, to serve on the council.

Varn said some people argued that when citizens make a public-record inquiry online, their IP addresses also should be public record. But IAAC decided to make that information confidential "because citizens have the right not to have someone asking them what they were doing." A public-record inquiry done in-person is confidential.

Establishing a privacy policy is just one of the tools governments can use to help solve the "privacy vs. access" debate, he said.

Varn said one of Iowa's main goals was to ensure that technology was not getting blamed for problems it did not cause. "We just want to make sure that if anonymous access to public records was the standard before, that it be preserved in electronic access to records." The National Information Consortium designed both Utah and Iowa's portals. NIC (www.nicusa.com), based in Overland Park, Kan., is a provider of outsourced portal services to state and local governments, including Utah, Iowa and nine other states.

Brad Bradley, NIC's executive vice president and general counsel, said NIC has had a number of opportunities to gather and resell data that private companies would have jumped at, "but we have not — specifically because people don't like their governments doing that."

"People think it's cool when commercial sites greet them personally, but they get nervous when government sites do it," Bradley said, adding that the company is working with all of its state portal customers to develop privacy policies.

Sherwood said the issue of personalization was one of the trickiest problems to deal with when developing the policy. It stirred the debate between people who wanted a highly interactive online experience and those who were more concerned with privacy.

Personalization on Web sites involves people setting up preferences and providing some personal information to establish specialized page views and information that pertains to their expressed interests. "There are desires in conflict," Sherwood said. "Some customers demand not only privacy, but anonymity, while other people want a high level of customer service and personalization. That's the two horns. If they want personalization, we need to collect personal information."

Sherwood said e-Utah is not ready to personalize its services, but future plans include sending people e-mails on a subject that they may have shown an interest in. But people would be able to choose whether or not they wanted to participate in the e-mail service.

"As we move more and more to a more personalized portal, we'll push information out to people that's useful to them," Sherwood said. "They may or may not want the e-mail again and if they "opt-out,' they will be deleted. E-mail addresses primarily come in through inquiries and eventually we'll register people who "opt-in' and that's it."

Though Utah appears to be one of the states leading the privacy effort, Sherwood said there's still much progress to be made.

"We're still two or three iterations out of the portal before it gets a really personal feeling, but we recognized a potential problem in advance and got it into policy," Sherwood said. "Basically, people don't want their private information sold to the highest bidder, and they don't want their identities stolen. We wanted to get out ahead of [the problem] because it would've been inevitable without something in place."