Five privacy measures the Nevada legislature should pass in 2015, Part I

1- Require public notice of license plate scanning, and set uniform standards for managing the data

Law enforcement agencies throughout Nevada are using license plate scanning technology. The scanners record every license plate number from every car they encounter, even at speeds up to 110 miles per hour, according to a proposal submitted by a vendor of car-mounted scanners.

Both local jurisdictions and the state have the devices. No uniform policies exist for storage and handling of the data, or for disclosure of records related to quantity of data captured, and whether it’s transmitted outside the state. These policies should be standardized across the state.

Citizens also have a right to know their vehicles are being tracked. The scans include GPS location data and other metadata that can be used to reconstruct activities and associations. Alerts to such technology should be posted in every jurisdiction where it’s used, on signs similar to those informing drivers that their speed is monitored by aircraft,  and should include a reference for more information.

2- Prohibit medical practices from scanning and storing driver’s licenses

Medical information is statistically among the most vulnerable to cybercrime and system breaches. The good news is, some insurance companies have apparently realized that scanning and storing driver’s licenses is a bad policy. The requirement is being loosened.

The bad news is that medical receptionists haven’t stopped demanding a copy the moment you enter the facility. You’re still forced to assert yourself if you want to keep your license out of their systems, perhaps even escalating the argument to the office manager. (Earlier this year, after losing one of these fights, I submitted questions in writing about the technical storage specifications and the rationale for retaining my license. Six weeks later I received a letter from the facility with the answer – “it’s not required and we’ll destroy the file if you’d like us to.”)

Why retain a document bearing a patient’s facial image and signature sample if you don’t have to? Why collect one more shred of personal information than necessary? This is an invitation to identity theft, and should be outlawed by statute.

3- Pass a resolution supporting federal reform of the Electronic Communications Privacy Act

NSA whistleblower Edward Snowden and Facebook founder Mark Zuckerberg were both toddlers when ECPA was written. That should convey the obsolescence of the federal law that controls government access to citizen communications, with no further explanation of the ways in which the nature and the volume of digital communication have changed, or the expansive government tactics employed to pursue it.

It’s conceivable the lame duck congress could pass ECPA reform before the 2015 legislative session convenes in Nevada. There are proposals with bipartisan support in Washington, and there’s a lot of pressure to act from the tech sector and privacy advocates. But in the event ECPA reform sits until next year, the Nevada legislature could go on the record with a resolution supporting reform. The American Legislative Exchange Council has a model resolution that can serve as a starting point, even if it’s not adopted wholesale.

4- Create a legislative subcommittee on privacy

In 2014, privacy discussions revolve in large part around technology. But privacy is an element in virtually every aspect of personal, family, and business life. The state legislature inserts itself into all of these areas, mostly without contemplation of how its actions affect privacy.

A subcommittee should be formed to review the implications of the dozens of bills each session that affect privacy.

The committee should also sponsor a bill requiring all government agencies at every level to review their own privacy policies and report back to the committee on data collection and privacy protections, with the relevant results compiled and posted online for accessibility to the public. Nevadans deserve to know what data is collected, where and how it is stored, and the purpose for which it’s used.

5- Codify a set of data handling and retention policies to protect student privacy

Public school students are subject to unprecedented data collection regarding their health, academic performance, disciplinary issues, and even their home life. The old joke about things that end up on your “permanent record” isn’t a joke anymore, it’s a reality.

Data collection on K-12 students, to the extent it can be controlled at the state level, should be reviewed and analyzed to determine which information is truly useful and which might be considered extraneous.

Stringent data security and privacy policies should protect students from criminals and commercial activity, but also protect the adults they will become from being haunted by the kids they once were. That means a vigorous schedule of data destruction should be part of the policy. The data should not outlive its educational necessity, and the longer it’s retained, the greater the odds it will leak. Young people change as they mature. Damaging details about their past should not become one more obstacle for them to overcome when they’re trying to conduct their adult lives.

California has just passed two laws that bear discussion and analysis. More about these statutes in a future post. They’re conceived to fill gaps in federal student privacy protections. They’re not completely in sync with the sentiments above, but they’re a demonstration of control at the state level.

Advertisements