Public Information Law

Several laws have been enacted over the past few decades that affect your
responsibilities when it comes to gathering and protecting data.
Although most were written when the internet was in its infancy, their provisions
apply to web servers just like they apply to records rooms.

Although this page has little to do with securing your web site, the information
here will ease your mind when it comes to worries about satisfying all the
federal requirements you fall under when you start offering more useful web site
content (like online reporting or wanted person posters).
Many departments are overly cautious about moving any of their services online
due to the perceived potential of violating the provisions of these acts.

The reality is that, if you follow the security steps outlined in this web site,
the information transmitted from and stored by your department’s web site will
be much safer from unauthorized access than the information you store anywhere
else.
It takes a certain level of technical expertise to attack your web site -
expertise that the majority of your web site users just don’t have. Any idiot
can break a window on one of your police cruisers and help themselves to any
information that we all leave stored under the visor or in the glove box.
It takes skill and unique knowledge to access that same information on your web
server.

But, that doesn’t mean that you shouldn’t be careful what information you store
on your web server. A good rule of thumb to follow is to not collect any
information from your web site, or store any information on your web server,
that’s not subject to disclosure by your state’s public record laws.
This way, even in a worst-case scenario where someone does manage to gain access
to your web server and steal information, they aren’t getting access to anything
they couldn’t have obtained much more easily by simply requesting it from your
records room.

With the wide array of documents that most states declare as public record, as
long as you aren’t asking for medical history or financial information you
should have no difficulties with the following laws and acts.

Sarbanes-Oxley Act

Passed in 2002, the Sarbanes-Oxley Act was directed at accounting and auditing
practices, but a specific section also can apply to police department web sites.
From Internet Security Systems:
Section 404 of the Sarbanes-Oxley Act mandates that all public organizations
demonstrate due diligence in the disclosure of financial information and implement
a series of internal controls and procedures to communicate, store, and protect
that data.
Public organizations are also required under Section 404 to protect these controls
from internal and external threats and unauthorized access, including those that
could occur through online systems and networks.
Although this act specifies financial information, the day isn't too far off
when it could apply to you, such as when your department starts handling routine
fine payments online.
In any case, make sure your network and online systems are secure and don't ask
for any financial information from your web site visitors.

Federal Privacy Act of 1974

The section of the Federal Privacy Act of 1974 that may apply to police
department web sites reads:
Section b: "No agency shall disclose any record which is contained in a
system of records by any means of communication to any person, or to another
agency, except pursuant to a written request by, or with the prior written consent
of, the individual to whom the record pertains, unless disclosure of the record
would be... (b)(3) for a routine use as defined in subsection (a)(7)"
"(a)(7) the term ‘‘routine use’’ means, with respect
to the disclosure of a record, the use of such record for a purpose which is
compatible with the purpose for which it was collected;"
That being said, police departments are exempt from the non-disclosure requirement
if the material collected and disseminated is:
"(k)(2) investigatory material compiled for law enforcement
purposes (which is) (j)(2) maintained by an agency or component thereof which
performs as its principal function any activity pertaining to the enforcement
of criminal laws, including police efforts to prevent, control, or reduce crime
or to apprehend criminals, and the activities of prosecutors, courts, correctional,
probation, pardon, or parole authorities, and which consists of (A) information
compiled for the purpose of identifying individual criminal
offenders and alleged offenders and consisting only of identifying data and notations
of arrests, the nature and disposition of criminal charges, sentencing, confinement,
release, and parole and probation status; (B) information compiled for the purpose
of a criminal investigation, including reports of informants and investigators,
and associated with an identifiable individual; or (C) reports identifiable to
an individual compiled at any stage of the process of enforcement of the criminal
laws from arrest or indictment through release from supervision."
As you can see, any information a police web site provides is exempt from the
non-disclosure provisions of the Federal Privacy Act of 1974 as long as the information
is being used for a legitimate law enforcement purpose.
But, this act also precludes you from collecting any information that is outside
your purpose for collecting data in the first place.
To simplify, if you're asking a web site visitor for information for a specific
purpose, it may be a violation of this act to collect additional data that is
beyond the scope of what is needed to fulfill that purpose.
For example, if you were allowing your web site visitors to submit nominations
online for a program that rewards children for good citizenship, it would likely
be a violation of this act to ask for their social security number on the nomination
form too.
But, if you were taking incident reports online, requesting a social security
number would be reasonable and not covered by this act.

The Freedom of Information Act

The Freedom of Information Act only applies to police department web sites in
that it specifically covers what cannot be kept private when it comes to public
records.
As mentioned in the beginning of this section, your state public information
law should be your guide when it comes to deciding what information to collect
on your web site as it already encompasses federal law like this act in its provisions.

Conclusion

The short answer to how public information law and associated federal acts
affect your web site can be summarized:
• Don't collect any information through your web site or store any information
on your web server that isn't considered a public record by your state's public
records law.
• Protect any data you do store with proper security measures like those
outlined on this web site.
• Only ask for and collect data that is relevant to the specific purpose
for the collection, and only use that information to fulfill that specific purpose.
• If you're displaying someone's personal information on your web site
(missing person or wanted person records, for example), only display that information
necessary to meet the immediate law enforcement purpose. Displaying a photo and
providing a physical description, age, likely destination, and the circumstances
of the incident are legitimate. Providing a social security number or date of
birth for the person involved may not be.
Although it's important to understand how these acts affect your department's
web site, don't let their existence dissuade you from doing things like displaying
wanted person posters or taking reports online.
As long as you're engaged in a legitimate law enforcement purpose and take steps
to protect your web site from unauthorized access, you're actually protected,
not made vulnerable, by the provisions of these acts.

None of the information on this page should be taken as legal advice. Consult
your city or county law director, state attorney general, or other recognized
authority for specific advice on how these acts may pertain to you and your
department's web site.