December 21, 2005
By Mike Krause
One by-product of advancing technology is the unprecedented ability of government to track and monitor the lives its citizenry.
The Colorado Legislature should consider a comprehensive data protection law that controls how government data are collected, created, stored, used and released by state and local agencies, while at the same time recognizing that Coloradoans are free citizens, not subjects who exist to fill databases with the details of their lives.
For instance, in 2001, the legislature directed the Colorado Division of Motor Vehicles (DMV) to use biometric technology to map applicants’ faces for driver’s licenses, and allowed access to the face print database to “aid a federal, state or local government agency in carrying out such agency’s official function.”
Yet often, the “official function” of any given government agency is as fluid as it is ambiguous. In other words, the legislature’s standard for the database could easily have been defined as “for any government purpose whatsoever.”
After national criticism, the legislature refined the scheme, requiring that before a government agency can tap into the image database, it must have “a reasonable suspicion that a crime has been committed or will be committed and a reasonable suspicion that the image requested is either the perpetrator of such a crime or the victim of such a crime.”
A good data protection law would just assume that of course there needs to be a good reason to tap such a database.
In Colorado, data collection by the state is only going to expand.
For instance, the federal Real ID Act’ is scheduled to go into effect in 2008. Real ID’ federalizes state drivers’ license standards and issuance. Among other things, the Act will require the Colorado Division of Motor Vehicles to verify, copy and store electronically all the breeder documents such as the birth certificate and social security card, required to prove such things as your address and citizenship.
The Colorado Division of Motor Vehicles will be fundamentally changed from an agency which administers driver’s licenses and vehicle registrations to a centralized identity registry, operated by the State of Colorado, but on behalf of the federal government.
A data protection law would put clear boundaries on how such an identity registry can, and cannot, be used.
In 2005, the Colorado Legislature enacted an electronic prescription drug monitoring program. The names of patients and the types of drugs they are prescribed and purchase will be collected in a centralized database searchable by numerous different fields. So a drug agent in Denver, or Washington D.C., will be able to peruse the prescription drugs taken by individual Coloradoans.
The legislature made misuse of the program a civil offense, with any fines paid being deposited back into the prescription drug monitoring fund. In other words, Colorado has a new, hugely intrusive database, which will actually profit from its own abuse.
A data protection law would empower citizens with a private right of action against government employees who abuse such a database. Simply depending on one government entity to punish another government entity for privacy abuse is contrary to the American principles of limited and accountable government.
Minnesota has a comprehensive data law, the “Minnesota Data Practices Act.” Here’s how the Minnesota law favors liberty over bureaucracy.
In 2003, it was discovered that the Minnesota Chiefs of Police Association (MCPA) was uploading files from various police agencies to a central databasethe Multiple Jurisdiction Network Organization (MJNO)classifying the information as confidential “criminal investigative data,”and making the database available back to law enforcement agencies throughout the state. It was determined that the MJNO was illegal under the Data Practices Act, and the program was shut down.
Among the findings: MJNO was collecting and sharing information, including gun permit records, which are considered private under the Minnesota law and require notification to the applicant as to how it will be used, “There is no authority from the legislature for these data to be transferred to a statewide database like MJNO whether operated by government or a private party.”
This is in addition to the fact that as a private entity, the MCPA had no authority to classify anything as confidential in the first place.
Technology, mixed with a little abuse of authority, allowed the MJNO to be created with no legislative permission, and in near secrecy.
As a general rule, Coloradoans don’t know how state-compiled personal information will be applied, who will gain access to it and what decisions will be made with it.
The simple fact is we should be able to know theses things. And the Colorado Legislature should make sure we do.