Is This Local Government's Privacy Policy Fair?

stinkydog asks: "I though some of the IANALs and privacy experts on Slashdot might have some good input on the following privacy policy for a Parks and Recreation department in a large city. Does it make sense? Would you sign off on it?" Read it below and share your thoughts on this, as always.

"What information do we collect?

Name - Allows us to identify parents, guardians and participants

Address - Provides an exact geographic location

Emergency contacts - Allows us to reach a responsible party in an emergency

Birth Date - Allows us to calculate age of participants

Sex - Provides further information on participants

School - Allows us to better partner with education providers

Waiver - The waiver contains three parts: 1) A liability release 2) Permission to seek treatment in an emergency situation 3) A release of claims against our photographic records of our programming

Some federally funded programs also require:

Household income - Calculated against the poverty line

Household size - Used in conjunction with household income

Ethnicity - Compared with census data

How do we use what we collect?

Although we my use the unique information we collect about participants to inform them of further recreational and cultural opportunities, we will not sell, trade or otherwise release unique information without a court order. Telephone number information will be used for contacts related to programming registered for by a household member (changes, cancellations, emergencies, and satisfaction surveys), Aggregate data, such as the number of participants by zip code or the average age of program participants will be used in marketing literature, in making management decisions, and to better tailor our offerings to the need of our customers. Aggregate data will be striped of all unique names and address before being released. The law protects the unique data we collect, and it can not/will not be released without a court order. The data we collect for the Federal Government is released to them in aggregate form. No unique information is sent to the Federal Government.

Definitions:

Unique information: Able to identify a single person or household (example: John Smith; 2013 W Third St., 333-2100)

Aggregate information: information that is the same for a group of people (example 4-6 years old; 45403)"

No balancing act

[Tau Zero]

The balancing factor is that it is more convient to the participant if we keep the info on file so we do not have to ask the same question again and again.

I think you misunderstood my point. You wouldn't be balancing anything, you would only ask the questions once at the time of registration. At that time you would separate the intrusive stuff from the contact data, figure out which bin (say, street block) it should go into, add it to the bin, and destroy the paper copy. Voila, no identifiable info. When someone comes into the pool who's from, say, the 300 block of Oak Street, your computer notes that the 300 block of Oak is 27% Black, 19% Hispanic, 15% oriental and 39% white, and adds those fractions to the attendance totals.

Someone could always go around and use the contact database to survey everyone who came through your doors, but this would require their effort and people could always tell them to get lost. It would not be a case of you turning over data; you wouldn't even have the data, so nobody could bother you about it. If your point is to keep the Feds happy with their stat data without becoming a lightning rod, that seems like a good way to achieve it.
--
Knowledge is power
Power corrupts
Study hard

Try to destroy all identifiable info ASAP

[Tau Zero]

I don't know what your requirements are, but if you are allowed to "statistically sample" your data you might want to pre-aggregate income, race and other data on some reasonable basis (geographically block-by-block or on some other criterion), then add tote up the average contribution from that statistical bin to your totals when someone from that block comes to the pool. This would allow you to destroy the personally identifiable information immediately after using it to update your statistics. Neither the government nor a lawsuit can force you to release what you do not have, and you cannot be held in contempt for failing to turn over information that you destroy in your normal course of business. This is likely to keep you out of trouble, because you cannot be harassed on the basis of data which do not exist.

Using a two-part form, with the contact info and home address on one part (to file) and the rest on the other (to destroy right after data entry) will address people's concerns. Your disclaimer may also get people thinking about privacy, and how much info the government has any business keeping. If you can turn the Fed's money into a chance to do some consciousness-raising, kudos to you!
--
Knowledge is power
Power corrupts
Study hard

Re:Try to destroy all identifiable info ASAP

[stinkydog]

The balancing factor is that it is more convient to the participant if we keep the info on file so we do not have to ask the same question again and again.

I would like to balance convience and privacy for the users.

As per the 'court order' business, this is a CYA manuver to deal with the fact it could happen, not that I expect it to happen.

Re:Missing: Opt-in/Opt-out

[stinkydog]

The city already conducts a random sample blind telephone survey bi-annualy (in conjunction with a local university), I wanted to leave open the option of focusing on our participants in that survey. We do not block caller ID and make every effort to respect peoples wishes. The opt-out is a good idea and I will fit it in. Remeber we do not market at the level of a 'real' bussines (call centers, weekly mass mailings etc.). Marketing is a small portion of our budget. Our marketing goal is to find out what services people want ant let them know when they are occuring, not forcing people to buy what the do not need.

Re:Mostly reasonable

[stinkydog]

The data in question is specifically collected only for programs funded by Community Development Block Grants. It is used to validate the tose dollars are benifiting low/moderate income families. The values are ploted against a grid based on income and household size to determine the income level. The mandate for these progreams is 50% of participants be low/mod income.

Is there a better way to determine this? I do not have one.

If parks and rec organizations were properly funded, we would not have to take the Fed's dole.

Local nightmare

[coyote-san]

Local rec centers are often nightmares.

Skipping the details (partly because I've forgotten them :-), the local rec center was very non-responsive to complaints. Eventually there was strong evidence that someone was taking pictures in the women's locker room.

The response? A rewritten waiver that made it clear that patrons could be photographed ANYWHERE IN THE FACILITY and they gave permission for this. Only people following the news would know that this included the shower, the toilet, and other areas where most people expect privacy.

Another part of the waiver was an acceptance of all risk on rec center sponsored events. I can accept the need to protect the facility from lawsuits because, e.g., someone felt that they didn't really need to have a physical before joining a high impact aerobics class. But this disclaimer looked like it would also cover an accident on an art gallery tour caused by a drunk driver employeed by the city, someone injured by a lightning strike because a nature hike tour ignored numerous warning signs of an approaching storm, and other clearly negligent acts.

I doubt you'll get anywhere with the bureaucrat running the Rec Department. You might, but it's unlikely. You should probably expect to speak at city council meetings and hope someone will listen. But the city is dealing with some legitimate concerns (minors need parental contact information, most other people desire emergency contact information, the feds provide a lot of funding and demand proof that the money isn't being used at a de facto country club).

Mostly reasonable

[pubudu]

Most of the information under What Information Do We Collect? is reasonable, but the information required by the federal government is problematic. The fact that the center will not use that information against me specifically (ensured by the non-use of unique information) is hardly reassuring; there is something objectionable about the idea that there is, somewhere in the ever-secure filing cabinet of a rec center, a piece of paper that lists my name, address, income, family, and race.

The information that the rec center requests is reasonable and seems to serve legitimate purposes. The federal government, on the other hand, wants data that I, as a citizen, do not want anyone but them to have (at least in conjunction with my name and address). If they need the info, does it have to go on the same form as the other information?

You've done well..

[technos]

That's a privacy policy I could live with.

Missing: Opt-in/Opt-out

[ebbe11]

Although we my use the unique information we collect about participants to inform them of further recreational and cultural opportunities,

Add the possibility for participants to decide whether they will accept promotional material, preferably as an opt-in choice. See also Jakob Nielsen's column on "Request Marketing" [useit.com].

Re:Local nightmare

[stinkydog]

Actually, I am authoring the policy and I want to achieve the best balance that I can between privacy and meeting the needs and requirements of the department and city.

The photo waiver is in place because a person wanted to be paid for a photo we took at one of our free events. We need the ability to document programs and events without having to chase down every participant or their parent for a waiver of rights to the photo. By getting sign-off in advance we save the hassle. It is a small price to pay IMHO for a free or subsidized service.

About the waiver, it only protects us if you do something stupid. If we do something stupid (negligence) no waiver in the world can protect us from the lawsuit. They are of limited value in the best circumstance and utterly worthless the rest of the time.

I am one of the bureaucrats running the Rec. department. We read Slashdot to!

As per you local difficulties I can not comment but it sounds pretty wrong to me.

Re:Missing: Opt-in/Opt-out

[javagurl]

Telephone number information will be used for contacts related to programming registered for by a household member (changes, cancellations, emergencies, and satisfaction surveys).

Unless this rec center enjoys annoying its patrons, I'd consider it essential to give the them the ability to opt-out of survey phone calls. Since survey call-centers are usually blocking caller-id, I think most people would agree that such calls an are, at minimum, suspicious and annoying.

JavaGurl