Personally Identifiable Information (PII) as a Public Records Challenge

From meeting agendas and calendars to police reports and surveillance footage, public records are generated and stored by state and local governments every day. Public records contain a wide variety of data and sometimes include personally identifiable information (PII) that needs to be protected. Keeping PII out of the public domain is a crucial responsibility we all share, and FOIA requests are no exception.

Whether the result of configuring databases incorrectly or misplacing drives with sensitive data, some of the largest data breaches in recent years have happened because of human error. Given the massive amounts of sensitive data that government agencies manage on a daily basis, there is a growing need to take greater precautions against the accidental release of PII.

Inadvertent disclosure of sensitive information may seem minor in some cases, but data in the wrong hands has the potential to impact millions of people for years to come. State and local governments can save a lot of unnecessary embarrassment and litigation by understanding the consequences of accidentally releasing PII and implementing the steps to prevent it from happening.

When PII Becomes Public

Unfortunately, there is no “undo” button to press when sensitive information is compromised. Data can be resecured, but once it has been exposed there is no way to know who may have seen or copied it. A data breach can be damaging both for the citizens whose PII was compromised and for the reputation of the government agency responsible for the exposure.

In 2011, the Texas Comptroller’s Office inadvertently disclosed the PII of 3.5 million teachers and employees, including social security numbers and other personal information, on a server that was accessible to the public. Though the Office claimed the information had not been misused, it resolved the issue by moving the information to a secure location without public access.

In Georgia, the personal information of more than 6 million voters was compromised in an event that became known as #PeachBreach. The Secretary of State’s Office acknowledged the accidental disclosure and offered free credit reporting to those affected. Similarly, an independent researcher discovered that an incorrectly configured database allowed the PII of 191 million American voters to be exposed on the open internet.

Security breaches have become so prevalent that each state has legislation in place requiring private or governmental entities to notify individuals when their PII has been compromised. Though each state’s laws may differ, they all typically address:

  • Who must comply with the laws (e.g. government agencies, businesses)
  • Definitions of PII
  • What constitutes a data breach
  • Requirements for notice
  • Exemptions

Keeping Sensitive Information Secure

There will always be the need for government agencies to collect PII, and the responsibility to protect it goes hand in hand. FOIA request volume continues to grow and so too does the need for secure processes and platforms. As manual processes become more automated, technology takes on a greater role in public records management.

The importance of data security continues to increase as more public records are adapted into digital formats. Information storage methods and data hosting are more relevant than ever; government agencies handling PII need the highest level of security and data protection available. GovQA’s partnership with Microsoft Azure ensures that jurisdictions are operating with the most technically sophisticated CJIS-, HIPAA-, and FISMA-audited hosting platform available to government entities today.

It’s important to note that, even though they are called “public” records, a great number of “originals” contain sensitive PII which must be removed prior to releasing records. Before technology, this involved using a Sharpie marker to “black out” the private data. Today, when records are required to be released, agencies can use in-tool redaction software to censor PII from all formats: paper, digital, and video files. Redaction is streamlined with features such as text search, pattern matching, redact similar, exemption tracking, and responsive records packeting. Security tagging can prevent access to sensitive data even from internal agency staff lacking proper credentials. The most sophisticated tools, like GovQA’s Flat-lock Redaction™, flatten and lock redacted PDFs to ensure confidence in confidentiality and avoid redaction horror stories.

From architecture, encryption, and monitoring to hosting and compliance, data security software helps create a strong foundation for proper PII management. Automating workflows and processes reduces the chance for human error and helps provide government agencies with advanced data security. By centralizing and monitoring processes within GovQA’s configurable software, jurisdictions are well-equipped to mitigate data threats.

The Peers in Public Records Newsletter (formerly FOIA News) is a bi-monthly e-newsletter brought to you by GovQA. It is a collection of the latest trends in public record requests and government transparency initiatives, shared stories, live roundtables, informative case studies, and actionable knowledge that will help you calm the chaos and keep your organization compliant. Send your comments to

© Copyright 2021. PiPRSurvey. All rights reserved.