Ms. Maura Looney
Acting Supervisor of Public Records
One Ashburton Place
Boston, MA 02108
Dear Ms. Looney,
This letter is intended as a follow-up to a meeting attended by former Supervisor of Public Records Francine Gould, Sarah Bourne, ITD's Director of Internet Services, and me in May of this year. During that meeting, we discussed several legal issues arising under the Public Records Law and related to E-government and Information Technology ("IT"). Supervisor Gould indicated at that time that the best way for ITD to receive a firm opinion about the status of certain IT- and E-government- related documents under the Public Records Law from the Supervisor was for ITD to file a formal request for an advisory opinion pursuant to 950 CMR 32.07. At the end of that meeting, we agreed that ITD would send your office a letter requesting clarification of the Public Records Division's position with respect to the following issues, some of which were discussed in a very general sense at the meeting. Please accept this letter as a formal request for an advisory opinion from you under the above-cited provision of the regulations.
Since the time of my meeting with the former Supervisor, ITD has moved forward with the development of a new Web site portal, "Mass.gov", which ITD expects to launch on November 30, 2001. I regret that circumstances arising in our respective offices resulted in this letter being filed at such a late date. ITD respectfully requests that you consider providing us with an opinion regarding the matters raised in paragraphs C2, C3 and C4 of this letter, each of which pertains to information related to the Mass.gov portal, prior to November 30, 2001, if at all possible, so that ITD can fully inform citizens of the status of such information under the Public Records Law.
Finally, between the time of ITD´s meeting with the former Supervisor and the date of this letter, the Cyberlaw E-government Advisory Roundtable ("CLEAR") Records Management Workgroup, which will work to identify and develop best legal practices with respect to a wide range of records management issues from an agency perspective, has been convened and its members have reviewed and had input into this letter. As the Commonwealth moves into the E-government age, the issues raised here are of interest not only to ITD but to all entities subject to the Public Records Law.
A. Proprietary Information
The Commonwealth´s Public Records Law contains a limited exemption for proprietary information. Pursuant to Mass. Gen. L. ch. 4, sec. 7, cl. 26(g), agencies can withhold from public records requests
"trade secrets or commercial or financial information voluntarily provided to an agency for use in developing governmental policy and upon a promise of confidentiality; but this sub clause shall not apply to information submitted as required by law or as a condition of receiving a governmental contract or other benefit".
In its "Overview of the Public Records Law", your office notes that each of the six criteria contained in the exemption must be met in order for it to apply.
Proprietary information obtained by agencies as a result of hardware and software procurement. During my conversation with Ms. Gould, she indicated that, in the past, the Public Records Division has taken the position (which, on its face, appears to be supported by the text), that the Public Records Law provides no general exemption from disclosure for proprietary information, and that this provision clearly applies only in the limited circumstances described therein. Given the text of the statute, and absent any further guidance from the Supervisor, ITD has typically refused (where it has had the opportunity to do so ) to sign software licenses or other documents that require that certain information about the products that the agency uses remain confidential. Instead, ITD modifies such agreements so that they indicate that ITD will immediately notify the vendor if ITD receives a public records request that would require the disclosure of such information, thus giving the vendor time to move to quash or limit the request to protect their property rights.
However, another provision of the Public Records law may exempt proprietary information from disclosure. Section 7, cl. 26(a) of chapter 4 exempts information "specifically or by necessary implication exempted from disclosure by statute". The Federal copyright and patent laws create, for owners of intellectual property, the right to limit use and copying of such property in some circumstances. Because such Federal laws do not expressly require that such information be kept confidential, ITD has assumed that they do not create an exemption for proprietary information because they do not "specifically" exempt such information from disclosure. Alternatively one could argue that Federal copyright and patent laws, "by implication", exempt such information from disclosure, because the value of intellectual property owners' rights is clearly diminished if a state agency purchasing the products can be forced to disclose proprietary information in response to a public records request.
Similarly, although no Massachusetts statute specifically or by necessary implication exempts intellectual property from general disclosure under the Public Records Law, the General Laws are rife with statutory provisions that protect trade secrets and prohibit their disclosure by public agencies, in diverse circumstances. See, e.g., Mass. Gen. L. ch. 93, sec 42 (taking of trade secret without owner's permission entitles owner to damages); ch. 21, sec. 27 (Division of Water Quality must protect trade secrets provided to it by water pollution dischargers); ch. 21C, sec. 4 (Division of Hazardous Waste must protect trade secrets of hazardous waste generators); ch. 23B, sec. 29 (trade secrets received by Department of Housing and Community Development not public record); ch. 23D, sec. 7 (trade secrets received by Massachusetts Industrial Service Program not public record); ch. 23G, sec. 2 (trade secrets received by Mass. Dev. Finance Agency not public record); ch. 25, sec. 5D (DTE must protect trade secrets received by it from regulated industries); ch. 29, sec. 2RR (trade secrets received by DET not subject to Public Records Law).
In light of the Legislature´s acknowledgement throughout these provisions of the General Laws that trade secrets require protection, interpreting the Public Records Law to permit disclosure of such information by agencies not subject to one of the statutes cited above is an anomaly. Surely the drafters of the Public Records Law, whose goal was to open the acts of government to public scrutiny, did not intend that the law would be used as a lever to pry open trade secrets placed under lock and key by other provisions of the General Laws, simply because they were received by a Commonwealth agency whose organic legislation, like that of ITD, failed to specifically reference the confidential nature of trade secrets.
Trial use of software. If you conclude that trade secrets are only exempt from disclosure under the Public Records law if they meet the six criteria set forth in clause 26(g), does that provision exempt proprietary material held by state agencies as a result of trial use of software? ITD and other agencies are often given the opportunity to use software on a trial basis before the formal bidding process begins on a particular project. "Test-driving" software provides the vendor with an obvious marketing advantage and provides ITD and other agencies with an opportunity to reduce the cost to the taxpayer of the ultimate purchase. By using software on a trial basis agencies can determine, before investing a substantial amount of the Commonwealth's money in a purchase, whether the product at issue should be explored further in connection with a formal procurement down the road. Procurement and policy-making are often inextricably intertwined in this area; trial basis use of software can assist agencies in both purchasing decisions and their attempts to set technological standards and policies for electronic government activities.
To than end, ITD requests answers to the following questions:
- Does Mass. Gen. L. ch. 4, sec. 7, cl. 26(a) exempt copyrighted or patented proprietary information held by the Commonwealth for any reason?
- Does the trade secrets exemption set forth in Mass. Gen. L. ch. 4, sec. 7, cl. 26(g) exempt proprietary information held by agencies in connection with trial use of software?
B. Information Technology Security Information
Even before the events of September 11th, 2001, it was clear that the Commonwealth´s ability to maintain mission-critical IT resources despite natural disasters, cybercrime, civil unrest, war and terrorism, was a function of the quality of its IT security systems. Today, it is more obvious than ever that IT security information should be exempt from disclosure under the Public Records Law.
In the past, the Supervisor of Public Records has decided, in response to a public records request for records that would have disclosed the brand and manufacturer of ITD's network security software, and a report on ITD's Internet security systems, that all of the foregoing information was exempt from disclosure under Mass. Gen. L. ch. 4, sec. 7, cl. 26, specifically under section 26(b), which exempts information "related solely to internal . . . rules and practices of the government unit". See letter from Public Records Division to Todd Wallack, Boston Herald, dated December 10, 1998, attached hereto as Exhibit A. Because of the narrow scope of the question posed to the Supervisor in the above-referenced matter, the Supervisor's decision contained no broad general statement that all specific information regarding the Commonwealth's IT security was exempt from disclosure.
In some cases disclosure of any information about IT security procurement, installed systems, or system data, with the exception of the date of a contract award, and the rates, fees or costs proposed by all bidders, could make the Commonwealth's IT security vulnerable to attack. Therefore, ITD requests an opinion from you that all information pertaining to the Commonwealth's IT security systems and their operation, including public bidding information following the award of IT security contracts, (except for the limited information referred to above), is exempt from disclosure under the Public Records Law.
C. "New" Documents Generated by Agency's Web site Presence.
As the Commonwealth´s presence on the Internet evolves, ITD and agencies have had questions about the status under the Public Records Law of "new" types of records generated by agency Web sites, Web site portals and the Commonwealth's increasingly complex computer networks. The following subsections describe several "new" categories of documents. ITD requests that you issue an opinion regarding their status under the Public Records Law.
- Web site pages. Agencies web site pages are like brochures or other written material in which agencies make representations to the public. Agencies frequently change their pages. Is each page of a Web site, and its permutations over time, a public record?
- Customer relations management documents. Several state agencies have their own portal Web sites, and ITD is soon to launch a portal Web site providing citizens, businesses and visitors to Massachusetts with a onestop link to the Web pages of all parts of state and municipal government. In connection with that function, ITD is establishing a "customer relationship management" unit that will field calls from users who have questions about how to use the Web site portal or an agency Web site linked to the portal. The CRM unit will intake and create records pertaining to personally identifiable information about users such as their name, phone number and email address and the content of their question, and then proceed to assist them. ITD requests that you issue an opinion that such information be exempted from disclosure under the exemption for "internal practices of the government unit" set forth at Mass. Gen. L. ch. 4, sec. 7, cl. 26(b).
- Authentication information. Many government Web sites will be requesting "authentication"information from users in order to ensure that users requesting access to confidential data or transactions on line are who they say they are and are authorized by the agency owning the data or transaction to access or engage in the same. In order to facilitate authentication, a "directory" system associated with the portal will store and manipulate personally identifiable information about individual users, including their email address, and an identification name and password chosen by them for use with the authentication system. In addition, the authentication system will associate with the user´s email, password and ID information about the data that they are entitled to view and the transactions in which they are entitled to engage. In the future, some users of the portal´s authentication system will be the Commonwealth´s business partners, seeking to access Commonwealth data or engage in a business transaction with the Commonwealth from a remote location. Other users of the authentication system will be individuals who need or receive services from the Commonwealth. Their names would be associated in the authentication system with agencies such as the Department of Mental Health or the Department of Transitional Assistance. Will the authentication data, including the user's chosen name and password, and the authentication information associated with it, be exempt from disclosure under cl. 26(b)? ITD strongly urges you to find that it is exempt, on the grounds that all authentication information (1) relates to IT security, which, as noted above, should be exempt from disclosure as a category; (2) relates solely to an internal rule or practice of the Commonwealth under Mass. Gen. L. ch. 4, sec. 7, cl. (26)(b); and (3) in some cases, particularly where the authentication information pertains to an individual seeking services provided by human service agencies, such information, if disclosed, would constitute an unwarranted invasion of personal privacy under cl. (26)(c).
- Personalization information. Web site portals are most useful when they are "personalized "for the user. In order to have a "personalized"experience at a Web site, the site must storesome information about the user´s past interests or preferences while visiting the site. ITD is aware of no current state Web site that uses personalization, but the ability to accept personalization is one of the features of the new Mass.gov portal. For example, the portal software is capable of setting up an appropriate set of links for a user who identifies herself as a parent who needs transitional assistance and help for a child with special needs. The personalization feature of the portal, if used, could set up the user´s future visits so that she was automatically given a Web page with links to the Department of Transitional Assistance, the Department of Education, and the Department of Labor and Workforce Development. ITD would argue that all personalization information collected by the Mass.gov portal should be exempt from disclosure under the Public RecordsLaw because it (1) relates solely to an internal rule or practice of the Commonwealth under Mass. Gen. L. ch. 4, sec. 7, cl. (26)(b) and (2) in some cases, particularly where the personalization feature is used by an individual seeking services provided by human service agencies, such information, if disclosed, would constitute an unwarranted invasion of personal privacy under cl. (26)(c).
- "Behind the scene" documents. Some electronic documents are used to help the agency hosting a Web site or maintaining a computer network to use the site most efficiently. For example, Server logs track the Internet Protocol addresses of Web site users; as such, they contain personally identifiable information that could, in conjunction with information submitted by the user at the site, be used to track the time and document access associated with an individual user's visit to a Web site or sites. Monitoring records are generated by software that helps the agency manage the Web site by recording number of "hits" to the site, pages most frequently visited, etc. Other monitoring software records information about normal site operations or security information. Yet other software records the activity of search engines like Alta Vista or Yahoo used by agencies at their sites. ITD requests that you address the question of whether such information is exempt from disclosure under the Public Records Law.
Your answers to the foregoing questions will assist ITD as it helps the Commonwealth chart a course for a future in which citizens, businesses and agencies will transact more and more business online. I would be more than happy to arrange a meeting between you and the technical personnel who have detailed knowledge of the IT-related documents discussed above, to facilitate your response.
Thank you for your assistance in this matter.
Very truly yours
Linda M. Hamel
Information Technology Division
Director of Policy and Planning ITD
Members of the CLEAR Records Management Workgroup