Senate Committee on State Affairs – September 16, 2014 Hearing

Below is the HillCo client report from the September 16 Senate State Affairs Committee hearing.

The Committee took up the following Interim Charges:
Examine possible measures to protect the personal privacy of Texas residents from governmental and commercial surveillance, including:
(1)   any necessary limits on warrantless search and seizure of data from electronic devices and wireless providers, including digital content and geolocational data;
(2)   any necessary protections against non-consented video and audio recordings collected by private handheld and wearable mobile devices and other private surveillance; and
(3)   any necessary limits on warrantless monitoring of the physical location of individuals through the use of biometrics, RFID chips, facial recognition, or other technologies.
 
Examine related measures proposed or passed in other states. Review the types and scope of personal data collected by governmental and commercial entities and consider methods to minimize the government's collection of data on its citizens. The study should include:
(1)   whether sufficient protections exist for DNA samples and information, including whether there should be a prohibition on the creation of DNA databases, except for felons and sex offenders;
(2)   methods to protect the privacy of gun owners from aggregated purchasing pattern tracking;
(3)   mechanisms to ensure that private health care information is properly protected; and
(4)   ways to ensure that previously anonymous data is not improperly re-identified and marketed.
 
Examine related measures proposed or passed in other states. Examine possible reforms designed to increase citizens' ability to know what data is being collected about them by governmental and commercial entities and with whom that data is being shared, including an analysis of consumer informed consent. Examine related measures proposed or passed in other states.
 
Study the online legislative resources available to the public from Texas Senate Committee websites and compare resources to those provided by other state legislative committees in Texas and other states. Determine how Texas Senate websites can be improved to provide a more interactive and transparent government.
 
Online Legislative Resources
 
Jeff Archer, Texas Legislative Council

• Resource witness
• The charge is specific to Senate websites
• Estes – how many are there?
  • 1 portal with links and sub-sites
• Operated separately from Texas Legislature Online
• New video streaming from Granicus
  • Faster than the previous online streaming from Real Player
• Estes – are we slowly moving away from using paper witness cards?
  • Moving to the EWAF system that the House already uses
  • Nichols believes that this session it will still be optional in the Senate
  • Huffman – how far back in the archive can you go under this new system?
    • Transferred all that were already in existence from the old system to the new
  • Huffman – can the public take snippets for their own use?
    • The Senate could claim copyright
  • Huffman – are committee votes posted in real time online?
    • Yes, since last session
• The Sunlight Foundation does a score card on transparency and Texas is a very high scorer

 
Data Collection
 
Sarah Paul, Texas Criminal Justice Coalition

• There are 12M individuals with state criminal records
• 1 in 5 do not have a final disposition
• Various websites purchase records from the state and then anyone can go buy anyone’s criminal record
• There are a handful of state agencies handling criminal records but they sell them and there is no tracking of what 3^rd parties they go to
• Some records aren’t updated sufficiently and individuals suffer in the community even if they haven’t been found guilty of anything
• Want the sale of criminal records limited to after final disposition
• Want the bulk sale of records prohibited entirely
• Would like DPS to be the sole entity maintaining criminal records
• Need to expand eligibility for non-disclosure and expunction
  • Need to streamline the process
• Lucio asked for data on criminal records without final decisions, how Texas ranks compared to other states and how life without parole has affected the data

 
Helen Gabler, University of Texas

• Discussed a report she did on the Texas Criminal Justice System and criminal records
• There are 1M new arrests every year
• Creates barrier to lodging and employment
• Reforms to expunction and non-disclosure laws are critical
• There has been enormous financial growth in 3^rd party criminal background companies with little regulation
• The lack of frequent updating and faulty search mechanisms make many records not accurate
• Need a method to track record dissemination to ensure factual information is in all of them
• Estes – we need to quantify how much money these companies are getting for the sale of these records
• Recommends:
  • Making DPS the sole clearinghouse for the records;
  • Periodic audits; and
  • Prohibit future 3^rd party sales
• Lucio – have other states limited the sale of criminal records?
  • Tarrant County has, and Travis County delays sale until disposition
  • Most states do not have uniform control over the records
  • Alaska is probably the furthest along in doing this
• Lucio asked for data on white collar vs. non white collar criminal records,  records on elected officials and how many of these were arrested, found not guilty or arrested but turned over to make them not guilty
• Out of the 65M criminal records in the US 2/3 are misdemeanors and 1/3 are felonies
• Huffman – this is difficult because these things can remove a certain amount of transparency, for example not making mug shots public – the media would go crazy
• Lucio asked for the drug conviction record numbers
  • He will bring up drug testing again this legislative session

 
Paul Quincy, Criminal Defense Attorney

• Expunction can only happen after all charges are dismissed
• In the case of a dismissal or plea deal for a lesser offense expunction cannot happen
• Also, cannot be eligible for expunction until the statute of limitations is over
• There are compliance problems with DPS certifying and expunction

 
Shane Menking, Data Foundry

• Used to be Texas.net
• 1^st independently owned internet company in the US
• 3 data centers in Texas with a 4^th opening in Houston in ‘15
• Operate globally
• “Real estate” for servers
• Attract global enterprises
• Placing mission critical infrastructure
• Estes – is Texas attractive to potential customers?
  • HB 2268 proved that Texas is taking a leadership role
• Encourage further strengthening privacy and transparency laws
• The data they house is the property of their customers and they do not share anything with 3^rd parties
• There is no transparency in the government data collection of its citizens
  • Toll tag information should not be shared
  • Once the record is taken care of, i.e. the toll is paid – the record should be destroyed
• State agencies should not be able to gather geolocation information without a warrant
• Estes asked him to put the toll tag issue together for him and he will get answers from TXDOT
• Estes – we need to find a balance of legitimate use and overreaching

 
Scott McCullough, Attorney

• Specializes in electronic communication law
• Millions of citizens in Texas without any infractions and their data is still dumped into a government repository against their knowledge
  • Cell phone GPS, toll tags, red light cameras
• Individuals don’t even know what data points are created about them
  • Data brokers can create a starkly accurate picture of daily life
• There is a private license plate fleet uploading data to repositories
• Need overarching policies about the collection of small amounts of data that eventually form a dossier
  • Government should only gather info for specific purposes and destroy it after the need expires – should never be shared with a 3^rd party
• Texas should limit, regulate or ban a central repository
• We cannot control federal surveillance but we can establish Texas as a secure state

 
James Taylor, Houston PD

• State and local law enforcement do not snoop, they answer 911
• They are not the NSA
• Geolocation of a handset requires approval of a judge due to necessity of probable cause
• Historically calls were made home to home and were identifiable – this is new technology we have to catch up to
• Wants more access to cell data, etc.
• HB 2268 is hampering their ability to investigate and people are dying
• Huffman – you are referring to cases under current investigation without significant probable cause?
  • Geolocation is constitutionally protected – should have the higher burden of proof
  • Cell phone info is not protected this way
• Cell data is filtered for common links to isolate a suspect – it finds the common denominator
  • Brings police closer to probable cause in an investigation
  • HB  2268 confused the definitions

 
Bill Exley, Houston DA

• Hi unit helps police in “blood and guts” investigations
• Writes court orders and warrants
• He is a citizen too – he doesn’t want invasion of his privacy
• Need access to call detail logs to locate a suspect
• Legislation realigned what an officer will have to articulate to get cell data
  • The now have to articulate probable cause that data that they are trying to obtain will lead to a person that did a crime
  • Having location data can also help to show if a suspect is lying – meaningful to a jury
• Need to tweak statute to keep law enforcement from accessing data at will, but gives them access in the event of a crime

 
Bexar County DA, Criminal Division

• Investigates white collar crimes
• This data is important to her investigations because it helps connect the suspect to a location
• The new legislation makes them unsure of which process is needed – currently they are reading the law to say that they need a warrant with probable cause to access data
• Estes – understands that legislation they passed last session is keeping them from doing their job and they will need to tweak it this session

 
Scott Hensen, Texas Electronic Privacy Coalition

• The statutes on electronic surveillance in Texas are a complete jumble
  • Outdated with loopholes
• Police have to have warrants to look into cell data
  • Texas Appeals court ruled that a warrant is not necessary to access cell phone data, he would go with the court’s decision
• Texas statute on GPS trackers needs to be updated to require a warrant for access due to court decisions
• Wants regulation for Stingrays (MC Catchers)
  • Fake phone towers that collect cell data
  • 4 in Texas that he knows of, completely unregulated and invasive
• Need regulation for automatic license plate readers
• Concerned that DPS now collects fingerprints from all 10 fingers and fingerprints are used as passwords on new technology
• Huffman – what about a requirement that all police officers wear a body cam? Is that invasive?
  • These are brand new and problems versus benefits need to be weighed after awhile
  • Doesn’t want to legislate something that is so brand new
  • DPS is currently piloting

 
Matthew Henry, Data Foundry

• Supports additional protections
• Supports warrants for cell phone data, but there should be exceptions for exigent circumstances like kidnapping, etc.
• Police should not be able to access location history – infringes on privacy
• Geolocation should be protected
  • No Stingrays, chip scanners etc.
• Estes – Are bad guys using the Stingrays?
  • Haven’t heard of any outside government use
• Passwords should be protected as “content” as defined in statute
• Need protection for encrypted information
• If a license plate scan hasn’t demonstrated a crime within one week, it should be destroyed

 
Chris Soghoian, ACLU

• Expert on electronic policy
• Fraser – federal law allows for law enforcement to track cell phone GPS data even if the phone is off – can a private citizen access this equipment?
  • No, but the GPS chip can be turned on by the cell company without consent
  • Cell phone companies retain GPS data for years
• Utah is probably the most privacy protected state

 
Public Health Information
 
John Villanacci, DSHS

• DSHS manages all of the state health data registries
  • Measure burden of disease and identifies patterns
  • Measures treatment and causes of disease
• Texas Cancer Registry
  • Both passive and active surveillance – active and required reporting
  • Largest in the US
  • Last year there were 295 requests for data, mainly for research
• Birth Defects Registry
  • One of the largest globally
  • Active registry
  • Many Texas institutions producing publications using the data
  • Do blood lead level surveillance
    • Looked at 500,000 kids last year and identified about 400 children with elevated levels
    • Have investigators actively go out to identify the cause, whether it be paint, etc.
• EMS and Trauma Registry
  • 2.5M records a year to try and improve trauma care
  • Estes – we need preparations to ensure Ebola doesn’t come into this state

 
Nagla Alarian, Department of Health Statistics – DSHS

• Texas health care data collection division
• Collect hospital inpatient data through claims information
• Collect outpatient data on invasive surgical and radiological procedures
• Per statute, they maintain a public use data file
  • Includes information from claims, but is de-identified by both provider and patient, as well as specific date of service
  • Used for research, publications
  • Used to identify trends
• Maintain a research data file
  • Information can be requested by any agency, de-identified
  • Used for research or programmatic needs
  • Can generate quality measures in aggregate form
• Funding
  • Sale of records allow for 30%-50% of the cost of collection and processing to be recouped
• Data Security
  • Contractors have strict requirements
  • DSHS conducts audits for adherence

 
Patricia Vojack, HHSC

• Both the Texas Medical Privacy Act and HIPAA set privacy standards for private health information (PHI)
• HHSC uses PHI for:
  • Claims data
  • Managed care encounter data
  • Data analytics
  • The Medicaid Eligibility Health Information System
• Contracts between HHSC and its vendors are for claims administration, eligibility determination
• HHSC has a very well developed privacy program
  • Hired a new privacy program director in August 2014
• HB 300 from the 82^nd Legislative session strengthened privacy for PHI
  • Requires employee training
  • Requires agencies that receive consumer complaints regarding PHI to report to the AG
  • THSA developed privacy and security standards, and HHSC took those standards to promulgate rules
  • Required several reports to the Legislature from January 2013 to January 2014

 
Nora Belcher, Texas E-Health Alliance

• Texas is the national leader in medical record privacy
• HB 300 made the “covered entities” definition in HIPAA broader, with very few exclusions
  • Ex: crime victims compensation fund
  • Prohibits re-identification without patient consent if the information already is de-identified
  • Cannot sell PHI without consent, including provisions on sharing data
  • THSA has created a certification program
    • Dallas Children’s Hospital is the first to come forward
    • Texas is the 1^st state to develop a certification process – hoping to encourage really strong compliance
• Rhode Island has established some safe harbors for providers to take digital data at face value from another provider

 
Sunday Yokubaitis, Golden Frog and Data Foundry

• Operate globally
• Have a Viper program that encrypts data
• Incorporated in Switzerland because they have strong privacy framework and the right to privacy is in their constitution
• Estes – why the Swiss?
  • The have a better set up than the US
  • HB 2268 and the inclusion of warrants for emails sent waves across the US with an outpouring of positivity
• Texas is like the Switzerland of the US with jobs, servers and talent
• Texas is a haven for the tech industry, and strong privacy laws draw people here

 
***The Senate State Affairs Committee will hold one more Interim Meeting in early December