It's a tough balance to strike for state officials: promoting government transparency on the web while protecting people's private information.
Lawmakers just wrapping up the 82nd legislative session are hoping they did that in the wake of high-profile data breaches that left the personal information of millions of current and former state employees exposed for a year. Open government laws that passed this year will both require state agencies to put more information online and restrict some private information about individuals.
Lawmakers are touting one new bill in particular, which they say will improve transparency and civic engagement by requiring state agencies (those that have money for it) to post online high-value data sets like maps of border colonias and job growth information. “Once we make this data available to people where they can analyze the information, I think they’re going to offer ideas for efficiency in government,” says Sen. Kirk Watson, D-Austin, who wrote the bill.
Posting raw, exportable data online gives media outlets, advocacy groups and individuals the ability to investigate the government’s stock of information and package it in visual ways that are useful for the public, says Sherri Greenberg, interim director at the Center for Politics and Governance at the LBJ School of Public Affairs. But Greenberg says, “it’s not enough to just have the raw data.” Providing visualizations, interactive tools and documents to explain the context of the information is also essential.
Some state agencies are ahead of the curve, and already post high-value data sets online. The state Department of Information Resources, which was created in 1989 to help transition Texas government into the digital age, aggregates the “Open Data” links on texas.gov, the state website. Comptroller Susan Combs also maintains the site texastransparency.org, which provides exportable data and interactive tools to explore state spending and revenue.
To ensure there would not be a seven-figure fiscal note attached to the bill, the law only requires state agencies to post data if they have existing financial resources or if they receive “a gift or grant specifically for the purpose of posting” data without any cost to the state. Watson says he believes “somebody or a couple of somebodies” will want access to the information, and will pony up the money.
Rep. Jeff Wentworth, R-San Antonio, who leads the Senate Open Government Committee, says Watson’s bill was part of “a concentrated effort” this session to modernize open records laws and increase government transparency. Another example is the “Truth in Taxation Summary” law, by Rep. Ken Paxton, R-McKinney, which requires each county with a website to post online its tax rates from the last five years. According to the bill analysis, the intent is to “promote additional accountability among elected local government leaders,” by making constituents aware of changes to the tax code.
But as Texas transitions into the data-driven digital age, many are concerned about private information being released online, especially in light of the recent data breaches reported by the Comptroller’s Office and the Health and Human Services Commission. In April, Combs announced a data breach that for a year left the personal information of more than 3.5 million current and former state employees exposed. And earlier this month, the Department of Assistive and Rehabilitative Services revealed that the personal data of about 4,900 current and former state employees could have been revealed in a security breach.
“I cannot caution enough in this realm,” Greenberg says. “We must be very careful when we talk about personal privacy, security and certain data that should never... be online.”
Lawmakers did not pass any bills that would directly address the recent security issues, but half of the 20 new laws related to “open records” create specific exceptions to open records laws in order to protect the personal information of particular groups of people.
The home addresses of U.S. attorneys and their families will no longer be included in public appraisal records, for example. “It’s to protect those people that are involved in prosecuting sometimes very vicious criminals,” Wentworth says.
Lawmakers also created provisions this session to protect students' records and identifying information about rape victims. One new law requires all educational institutions, including career schools and private colleges, to keep student records confidential. Another new law protects the privacy of rape victims who undergo a forensic medical examination. It ensures identifying information and details about the assault contained in the medical records, which may be used by the Department of Public Safety, cannot be released as part of an open records request.
Requiring agencies to post high-value data sets online could actually improve the security of private information, says Andy Wilson, an expert on data transparency for the nonprofit lobbying group Public Citizen. State agencies will have to clearly separate public information from private information before posting a database online. “It should be fairly simple if it is in the form of a spreadsheet or a database to just simply eliminate those columns of [private] data,” he says. “That’s a technical issue, not a privacy issue.”
The Comptroller’s Office says it is taking the concept of separation seriously in its attempts to prevent another lapse in security. The agency has isolated its private and public data on completely separate FTP servers “so it’s easier to manage and control,” says Allen Spelce, spokesman for the Comptroller’s Office.
He says the private information of 3.5 million public employees was exposed because of a human error. “In order to neutralize that human element, you put more redundancy in place,” he says. The agency has also installed software to provide automatic alerts when someone attempts to access or move sensitive information, and it is hiring three new employees — a chief privacy officer, chief technology officer, and information security officer — to address the security concerns.