Gov. Jim Doyle announced Tuesday a plan to increase the
protection of residents’ personal information stored by government agencies.
The state will implement recommendations in a report from
the Milwaukee-based financial services and privacy protection firm Metavante
Corp.
Doyle’s recommendations are to replace Social Security
numbers with random ID numbers wherever possible, appointing a privacy officer
to each government agency, conducting an annual risk assessment of each agency
and developing standardized vendor contract language.
“As Metavante recognizes in its report, state agencies
already have some strong policies and practices in place for protecting
sensitive information,” Doyle wrote in a letter to Wisconsin Department of
Administration Secretary Michael Morgan.
Last January, Doyle asked Metavante to look into how the
state can improve its handling of sensitive information following a mailing
that went out by a Texas vendor hired by the Department of Health and Family
Services. The mailing had Social Security numbers of the recipients on the
address labels.
DOA Media Relations spokesperson Linda Barth thinks the
governor has put forth a good plan for state agencies to follow.
“The governor has made it clear that he wants citizens to be
sure their data is protected and that it is a priority with all state
agencies,” Barth said.
Barth said Metavante did well coming in and reviewing a
complex situation.
“We think they did an excellent job, and we really
appreciate their insight,” Barth said.
The creation of privacy officers will help the agencies
establish which ones use sensitive data like Social Security numbers for
identification and develop policies for how to deal with the handling of such
data.
“A lot of agencies are required by federal or state law
to use them, but wherever possible we will try to use randomly selected ID
numbers,” Barth said.
The privacy officers will meet to advise Morgan on
implementation of the Metavante recommendations. They will also establish
standards for all the agencies to operate consistently.
The contracts for vendors hired by agencies will also be
changed to avoid leaking of private data like in January.
“There is going to be very strong language in all
contracts with all vendors to make sure that Social Security numbers are
protected,” Barth said.
Metavante commended some of the actions already being
implemented by the state such as the consolidation of the IT server to a
central server. This allows for greater control over the storage of sensitive
information.
Also on the report is the recommendation to create a
training program for all state employees about their responsibilities to
protect the information of residents.
A statement from the DOA said Metavante worked on a pro bono
basis to come up with their recommendations.
There is no set timeline yet for when the recommendations
will be implemented.
“We’re going to be working with other agencies to
establish a timeline and determine how many resources this will take to
implement,” Barth said.
Metavante conducted the research by comparing the state’s
practices with other practices in the financial industry. They reviewed state
policy, conducted interviews with personnel from seven state agencies and
conducted site visits to observe the practices in place at the agencies.