Colorado Task Force on Information Technology

Minutes of Meeting on

October 15, 2001

(As approved by Board)


The meeting of the Colorado Task Force on Information Technology (“Task Force”) was called to order by I. Thomas Bieging, at 2:00 p.m. on October 15, 2001 at the offices of McKenna & Cuneo, L.L.P., Denver, Colorado. 

Present were Bill Mitchell, Dave Baker, Amy Redfern, Joe Dickerson, Jim Ginsburg and Senator Ken Gordon.  Also present was Dana Williams, Administrative Assistant to Ms. Davidson and I. Thomas Bieging, counsel to the Privacy Task Force.  The meeting was recorded by tape.

Mr. Bieging opened the meeting and requested approval of the Minutes of the Meeting of July 31, 2001.  Upon motion duly seconded and carried, the Minutes of the Meeting of July 31, 2001 were approved as prepared. 

Mr. Bieging reviewed with the members of the Task Force the draft Report Outline revised as of October 15, 2001.  Mr. Bieging advised the members of the Task Force that the revised draft reflected comments, which had been received from members since the Report Outline was presented for the Task Force’s consideration.  The purpose of this meeting was to further review that draft Report, with comments, with the intent of moving the Report closer to a final version to be presented to the Legislature consistent with the mandate to the Task Force. 

The Task Force then proceeded to discuss various aspects of the Report.  Comments from Task Force members and the public included:

  1. Ms. Redfern suggested that the comments relating to the time sensitive nature of this Report be moved to a forward in the Report so that a reader would be cognizant of the rapid changes in policy and technology that were occurring in the areas addressed by the Report.
  2. The Task Force reinforced the concept that the Task Force’s recommendations applied not only to data collected electronically, but data collected by any means by the State.  Accordingly, laws and policies relating to privacy and the handling of data collected by the State need to assure applicability to all forms of data and data collection.
  3. Members of the Task Force articulated the core principle to be found in a state privacy policy.  That principle is that a privacy policy insures that the State shall not provide personally identifiable information (“PII”) to third parties unless specifically required by statute or the Colorado Public Records Act.  A state privacy policy should acknowledge that PII may be shared with other agencies or entities to the extent that the sharing is required for agencies to accomplish their statutorily mandated goals.  At the same time, if such sharing is to be allowed, there must be assurances of notice of such fact to the citizens submitting data.
  4. Discussion followed regarding the requirement that the State reserve the right to change its Privacy Policy.  At a minimum, the State needs to advise citizens of the date of the most recent change to the Privacy Policy.
  5. Discussion continued with members of the public commenting regarding the potential need for third party audits of the State’s performance under its Privacy Policy and the possibility of using a “Web Trust seal”, such as that provided by the American Institute of Certified Public Accountants.  Renelle Everett of Deloitte & Touche indicated that she would provide to the Task Force information regarding any state websites that use such trust seals.
  6. The Task Force discussed the access principle referred to in the Report. The access principle is one of the four Fair Information Practice Principles relating to privacy. The Task Force discussion evidenced a concern to strike a balance between the citizen’s need to correct data that may be inaccurate and the cost and security necessary to allow individuals to access a state data base where such information may be collected.  It was the consensus of the Task Force that this matter should be studied further by the State and addressed in any State Privacy Policy.  Natalie Hanlon-Lee and Adam Scoville of Faegre & Benson, LLP, indicated that in their survey of state websites, they found no states that provide online ability for a citizen to access data collected by the state regarding the citizen and correct any discrepancies.
  7. The members of the Task Force requested that the draft report be amended at paragraph III-A-4 to reflect that additional federal statutes, such as the Federal Education Right and Privacy Act may preempt certain fields regarding privacy and technology and that the state should monitor the enforcement of such acts to determine if the results under federal legislation are appropriate and adequately protect Colorado citizens.
  8. The members of the Task Force deleted items found in IV-D-2(a) and (b).  The Task Force members did suggest that the Legislature consider the adequacy of the existing laws relating to disclosure of medical information since the input received by the Task Force indicated that this area of the law appeared to lack clarity.
  9. The members of the Task Force considered the recommendations received from Faegre & Benson LLP regarding components of the State’s Privacy Policy.  The recommendations adopted included:
  • Declare a policy of protection for individual privacy;
  • Minimize data collected to the least information required to complete a particular transaction;
  • Provide clear notice of State Open Records Act and its effect on privacy;
  • Include a method for feedback from the public on compliance to the Privacy Policy;
  • Ensure that contracts with third party providers comply with the State Privacy Policies;
  • Adopt a unitary policy among different agencies with the least amount of deviation.
  • Establish a unitary policy for the collection of all data regarding of the source or medium.

The Task Force instructed Mr. Bieging to incorporate the discussions of October 15, 2001, into the draft Report and to prepare a written report for the Task Force’s consideration at the November meeting. 

The Task Force set the date for the November meeting of the Task Force as November 19, 2001, at 2:00 p.m. at the offices of McKenna & Cuneo, L.L.P. in Denver, Colorado.

There being no further business to come before the Task Force, the meeting was adjourned at 3:50 p.m.