Who is protecting Utahns’ privacy?  Not the state of Utah!

by Dr. Ronald Mortenson / Columnist at UtahStandardNews.com / Aug 5, 2019

Key Points

·         The state of Utah does not adequately protect the personal identifying information (PII) that it collects from its citizens.

·         The state of Utah fails to effectively inform its citizens that it routinely discloses their PII and does not allow them to control the use of their PII.  Google and Facebook do a better job of informing users of how their data will be used and how they can control their PII than does the state of Utah.

·         The Utah Driver License Division (DLD) appears to be violating federal law by giving the social security numbers collected from millions of Utah driver license holders to the University of Utah without obtaining each driver’s express written consent.

·         Legislators who truly care about protecting Utahns’ PII are working on bills to let citizens know how the state protects their PII, who the state is sharing their PII with, and to force the state to take privacy seriously. Get behind them and help them.  Other legislators may run narrowly focused bills dealing only with facial recognition in order to allow the state to continue to sell, share and give away Utahn’s PII without their knowledge or consent.  Don’t be fooled by them.

Who is protecting the data that Utahns are forced to give the state and its entities in order to register to vote, to get a driver license, to register a birth, to obtain a marriage license, etc.? 

Well, it’s certainly not the legislature or the Herbert/Cox administration.  In fact, in accordance with bi-partisan laws passed by the legislature and signed by the governor, the state sells, shares and even gives away the PII of millions of Utahns.  This includes social security numbers, mothers’ maiden names, dates of birth, physical characteristics, photos, medical records, gender, addresses and much more.

The shocking fact is that even Google and Facebook do a better job of informing those providing data of what they do with it, on how they protect it, on how individuals can find out what data the entity has on them, and on how users can manage and delete their personal data.  The state of Utah falls woefully short in all of these areas.

For example, unlike the state of Utah, Google at least tells its users:  When you use our services, you’re trusting us with your information. We understand this is a big responsibility and work hard to protect your information and put you in control.  To help explain things as clearly as possible, we’ve added examples, explanatory videos, and definitions. And if you have any questions about this Privacy Policy, you can contact us. Facebook clearly states:  We collect the content, communications and other information you provide when you use our Products, including when you sign up for an account, create or share content, and message or communicate with others.

Unlike the state of Utah, Google and Facebook at least say they give their users the option of what information they provide.  Google: ….you can adjust your privacy settings to control what we collect and how your information is used.   FacebookYou can choose to provide information in your Facebook profile fields or Life Events about your religious views, political views, who you are “interested in,” or your health. 

And unlike the state of Utah, Google and Facebook give people the option to control at least some of their personal data.  GoogleThis Privacy Policy is meant to help you understand what information we collect, why we collect it, and how you can update, manage, export, and delete your information.  FacebookWe provide you with the ability to access, rectify, port and erase your data.

Now let’s look at the state of Utah.

Were you informed when you applied for a Utah driver license that the state would be giving your highly sensitive personal information to financial institutions, private investigators, insurance companies, the Utah Tax Commission, the University of Utah, the courts and to law enforcement? 

Were you told that the state would allow law enforcement agencies to access your driver license photo for facial recognition purposes?

Were you asked, in accordance with both federal and state law, to give your express written permission for the DLD to give your social security number to the University of Utah (the U) for research purposes?  Did you give your express written permission?  If not, why isn’t the Utah Attorney General’s Office looking into this apparent serious violation of state and federal law?

Were you informed when you received medical treatment that your medical records may be collected by the state and shared with the U and who-knows-who-else for research purposes?

Were you informed that your birth certificate and family history would be given to the U by the state of Utah without first obtaining your permission?

While the state sells, shares and gives away Utahns PII, it doesn’t make it easy for them find out who has their information or what they have.

For example, the Herbert/Cox administration gives the entire driver license database to the University of Utah.  However, the U is not subject to GRAMA requests so individuals cannot use GRAMA to view their personal records.

In addition, under the Herbert/Cox administration, the DLD’s agreement with the U prohibits the U from letting citizens know what specific information the DLD has given it.  Furthermore, when the U uses the driver license information to contact Utahns, the agreement prohibits the U from letting people know how they got their contact information.  Click here to read the agreement between the DLD and the U and make sure you look at Appendix A which has a long list of PII that the Herbert/Cox administration transfers to the U.

If you want to see your medical records, birth certificate information, family history data, etc. that the U is holding, you have to get the authorization of each separate agency that gave the U the records before the U will let you see your own personal information.  Some agencies will authorize the U to release the records and others won’t.

If you want to find what elements of your PII the DLD has given to private investigators, insurance companies, banks, the Tax Commission, and whoever else, good luck with that.

The bottom line is that Governor Herbert, Lt. Governor Cox and legislators have failed to protect the personal identifying information of the citizens who elected them.  Well, that’s not totally correct.  Governor Herbert made sure that his records were removed from the voter list that is sold by the state and posted to the internet

So, rather than selling, sharing and giving away Utahn’s PII, isn’t it time that Utah’s elected officials get serious about protecting their constituents’ privacy? 

Fortunately, legislators who truly care about protecting Utahns are working on bills to let citizens know how the state protects their PII, who the state is sharing their PII with and to force the state to take privacy seriously. Get behind them and help them.  Other legislators may run narrowly focused bills dealing only with facial recognition in order to allow the state to continue to sell, share and give away Utahn’s PII without their knowledge or consent.  Don’t be fooled by them.