Privacy Policies for Municipal Web Sites
(from Maine Townsman, August/September 2001)
by Jeri Holt, Resource/Web Manager, MMA
"Each public entity that has a publicly accessible site on the Internet associated with it shall develop a policy regarding its practices relating to personal information and shall post notice of those practices on its publicly accessible site on the Internet."
The goal of the Blue Ribbon Commission to Establish a Comprehensive Internet Policy, the group that proposed this legislation, was to "improve citizen comfort with doing government business over the Internet." Furthermore, they wanted government sites to serve as "role model(s) for private websites."
Enonymous.com also reports that privacy policies are posted on 14% of organization (.org) sites, 15% of network (.net) sites, and only 3% of education (.edu) sites. Of the government (.gov) sites, mostly federal, 69% had privacy policies posted. With this new law, Maine is following this trend by requiring the posting of these policies on government sites.
The policy should include the following information if appropriate: 1) notice of what information is collected, 2) who collects it, 3) the purpose for collecting it, 4) the choice about collection and the consequences if it is not collected, 5) access and/or security for information collected, 6) notice of change policy, and 7) contact information.
The notice of information collected can function as an introductory paragraph for the policy.
"Individuals who visit the ___ web site are important to us. Because visitors to our site are important, we do not capture personal information about them without their permission. We endeavor to collect only the minimum amount of information needed to meet the purposes for which the site was created."
If the "purposes for which the site was created" isn't clear, be sure to explain what you mean.
Since this is a municipal government site and is subject to Maine's Freedom of Access Act specified in 1 MRSA Chapter 13, you will need a statement about public disclosure.
"All information collected on the State of Maine website will be treated the same as any written communication and is subject to the confidentiality and public disclosure provisions of 1 MRSA Chapter 13."
A definition of personal information in this section will also allow the policy to cover the points about choice in whether to submit the information.
"'Personally identifiable information' is information about a person that is readily identifiable to that specific individual. It includes, for example, an individual's name, street address, e-mail address, or phone number."
Specify that you don't collect information, or if you do, tell what, how, and why.
"Personally identifiable information will not be collected unless you voluntarily send an e-mail message, fill out and send an online form, or fill out personal information and send in a survey. Your choice not to participate in these activities will not impair your ability to access certain information or obtain a service online."
Or from another state site:
"Your choice not to engage in these activities will not impair your ability to browse our Web site. However, it may impair your ability to utilize some of our online services."
If you do collect this information, tell them how it is stored and who has access.
"When personal information is stored by Maine Revenue Services, it is kept in a secure location where it is accessible only to authorized employees and agents of Maine Revenue Services."
Also discuss e-mail and how it will be handled. E-mail is subject to any of the laws that pertain to written correspondence to a municipal office. Document retention schedules are set out in the disposition of local government records rules from the Maine State Archives, Department of the Secretary of State, at http://www.state.me.us/sos/arc/recmgmt/localgov/localatt.htm.
"E-mail messages, sent to any Maine State Government address, will be treated the same as any other written communication. They may be subject to public inspection or legal disclosure and may be saved for a period of time before they are destroyed. E-mail or other information requests sent to the state website may be maintained in order to respond to the request, forward that request to the appropriate agency, or to provide the web designer with valuable customer feedback to assist in improving the site."
"E-mail addresses obtained as a result of a request to the state site will not be sold or given to private companies for marketing purposes."
If you do surveys or ask the visitor to fill in any forms online, tell them what you will do with that information. This could be similar to the e-mail above, but this section on the State's page is also good to have as part of your policy.
"Any other information provided by a visitor at the request of an agency of Maine State Government, such as the completion and electronic filing of a form, will be considered to be voluntarily provided by the visitor and will be treated in the same manner as information provided in written form or in person during a visit to the agency. Information provided may be subject to public inspection and legal disclosure and may be saved for a period of time before it is destroyed. It may be shared with another state agency for appropriate action."
Changes in Policy:
You should state the procedure if there are changes made in this policy. Some policies state that notification of changes will be posted on the homepage thirty days before taking effect; some promise to post a notice that there have been changes for a certain time; others may just say that changes will be made to the policy at the discretion of the site owner. The following is a sample from an e-commerce site:
Provide information about who to contact and a method of contact for anyone with questions about the policy. You can also use this as a method to allow people to inquire about and gain access to any of their own personal information.
"If you have questions about this policy, please contact [e-mail address] or call [name] at [telephone number] or write to [name & address]."
(from State policy regarding collecting visitors' statistics)
"We may collect some or all of the following information about visitors who view or download information from our websites:
| Information | Description |
|---|---|
| Date | Date the visit occurred. |
| Time | Time the visit occurred. |
| Client IP | Unique Internet Protocol (IP) address of the website visitor. The IP address recorded is normally that of the visitor's Internet service provider, e.g., aol.com if the visitor connects from an America Online account. |
| Server IP | Unique Internet Protocol (IP) address of the State of Maine web server accessed. |
| HTTP Status | Hyper Text Transfer Protocol (HTTP) error code. E.g., "404 Requested Page Not Found." |
| HTTP Request URL | Identifies the web page or file requested by the website visitor. |
| Bytes Sent | Amount of data sent from the web server to website visitor during that connection. |
| Bytes Received | Amount of data sent from website visitor to the web server. |
| User Agent | Type of web browser or other client software that made request to the web server. |
| Referrer | Uniform Resource Locator (URL) that referred to the requested file. |
| Protocol Version | Version of HTTP used by the visitor's web browser software. |

The information we collect is used to improve the content of our web services and help us understand how people are using our services. We analyze our website logs to continually improve the value of the materials available on our site.
The information in our website logs is not personally identifiable, and we make no attempt to link it with the individuals that browse our website.
Some of this statistical information, such as a running count of the number of visitors, may be displayed on the website or shared with other state governments to aid in the provision of better service to the public."
(from State policy on "cookies")
"Customized Services: Cookies may also be used to automatically identify a particular user to the system, in order to provide a customized service, such as a personalized web page. In this case, a cookie containing a unique user identifier will be permanently stored on your web browser. We do not store sensitive information in such cookies; only a unique user identifier or generic preference values are stored. Personal information you give us for processing a transaction or using one of our personalization features may be stored on our secure web server.
The "help" portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies or how to disable cookies altogether. However, cookies allow you to take full advantage of many of the Information Resource of Maine's eGovernment services, and we recommend that you set your web browser to accept cookies.
You can refuse the cookies or delete the cookie file from your computer by using any of the widely available methods."