National Academies Press: OpenBook

Privacy Issues with the Use of Smart Cards (2008)

Chapter: VI. CONCLUSION

Suggested Citation:"VI. CONCLUSION." National Academies of Sciences, Engineering, and Medicine. 2008. Privacy Issues with the Use of Smart Cards. Washington, DC: The National Academies Press. doi: 10.17226/23104.

• Designating which position within the department or agency is responsible for the implementation of and adherence to this privacy policy;
• Prominently posting the policy physically in its offices and on its Internet website, if any;
• Distributing the policy to each of its employees and contractors who have access to personal data;
• Complying with the Information Practices Act (Civil Code Section 1798 et seq.), the Public Records Act (Government Code Section 6250 et seq.), Government Code Section 11015.5, and all other laws pertaining to information privacy, and
• Using appropriate means to successfully implement and adhere to this privacy policy.188

The Smart Card Alliance recommends the following policy objectives:

• Smart card-related databases of personal information should be encrypted and should transmit only encrypted information.
• Transactions between smart card and reader should be offline only, and any information captured by a reader or other intermediate system should be deleted as soon as a transaction is complete.
• Organizations should set up checklists to show who is authorized to see or change information in each data field.
• Cardholders should be required to authorize, via password, personal identification number or biometric permission, the extraction of any data from their smart cards.
• Applications should be structured so that transaction records can’t be used as surveillance tools.189

Further, the Smart Card Alliance recommends:

• The organization must have a privacy and security policy that clearly defines what personal information is to be collected, how the information will be used, who can access the information, how the information will be protected, and how the individual will control its use and provide updates to the information over time.
• The enrollment and identity proofing process must verify that the information presented is accurate and protect the confidentiality and integrity of that information.
• The system must protect each individual’s information at all times, including while the information is being stored and while it is being used.
• The ID an individual carries must protect its contents from being copied, altered, or hacked, to prevent unauthorized use, misuse, or disclosure of the personal information it carries.
• The exchange of data between the ID and whatever device reads the ID must be protected to prevent unauthorized capture and use of data to impersonate an individual.
• Access to the personal information should be granted only after an issuer-defined authentication process. Only necessary information should be released and only to authorized systems or individuals.
• All personnel involved in using the system must be carefully trained and monitored to ensure strict conformance to the system’s policies and practices. Compromising these policies and practices means compromising the identity management system itself.190

Each transit provider would be well advised to closely examine these fair information standards and policies if it has not already done so. Further, each transit provider can determine which principles and guidelines suit its particular objective, protect the transit users’ privacy, and are legally defensible.

VI. CONCLUSION

Smart Cards have many potentially valuable uses. They may facilitate more expeditious, efficient, and economical fare collection, easing passenger access to and through the system. They may allow the collection of more useful data that can be employed to make better marketing and planning decisions, including types of fare stimulation packages or when and where new or different services should be offered. They also have the potential to add a layer of security to the transit system so as to ban dangerous patrons or terrorists from the system or apprehend them if they commit a criminal act, particularly if biometric identifiers and more powerful RFID card readers are incorporated into them. The more the information collected and correlated with other databases moves across the spectrum from mere fare collection to market data collection to security and surveillance, the greater the privacy concerns.

The fundamental challenge of transportation security is to be highly effective in protecting the public against terrorism, while not intruding unnecessarily upon personal privacy, convenience, and civil liberty, nor burdening unduly the efficiency of public transportation. The public would be well served if careful thought and analysis was given to where to draw the line between these conflicting policy objectives.

As we have seen, transit providers enjoy a wide Constitutional latitude in which to collect observable information in public areas such as transit stations and vehicles. They have a legitimate governmental interest in the collection of information concerning fares, and probably such additional data as the identity and address of the card holder. They probably also have wide discretion to acquire information necessary to serve the compelling governmental interest in protecting public safety and security, such as biometric identifiers, and correlate that data with law enforcement information, particularly in a post-9/11 world—a world in which London and Madrid subways have been bombed, and Tokyo subways have been gassed, by terrorists. In such an environment, there may be a compelling governmental interest in the protection of public safety that may allow a wide berth of information acquisition and user monitoring. Moreover, the courts have already given governmental institutions wide latitude in monitoring individual conduct in public places, as transit facilities clearly are. However, the acquisition of information not legitimately related to security (such as a patron’s race, religion, political affiliation, or sexual preference), or the imposition of intrusive security measures or procedures (such as strip searching suspect patrons) would not likely survive Constitutional scrutiny.

Absent Constitutional restraint, the issue becomes one of what sorts of local legal, regulatory, or institutional restraints may be imposed. As we have seen, some state statutes and transit agency regulations do attempt to protect privacy. Sometimes, the statutes work at cross purposes, as when on the one hand a state attempts to enhance governmental transparency by promulgating a Freedom of Information Act, while on the other it attempts to protect individual privacy by limiting its dissemination. A transit provider also can further protect privacy through its internal regulations or procedures. Though the Constitutional latitude may be wide, local governmental institutions and transit providers may voluntarily seek to provide privacy protection beyond that mandated by federal law.

Transit agencies’ regulations or procedures can protect privacy in various ways. They may limit the type of information that is gathered. They may circumscribe the universe of persons who may have access to it. They may protect information against external dissemination. Information collected can be encrypted, and firewalls built against external access. The information collected can be prohibited from distribution except by court order. Transit providers, however, must determine the extent of that privacy protection and how it will be legally implemented.

188 http://www.dot.ca.gov/privacy.html.
189 http://www.gcn.com/online/vol1_no1/21158-1.html (Last visited Jan. 24, 2008).
190 http://www.smartcardalliance.org/alliance_activities/identity.cfm (Last visited Jan. 24, 2008).


TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 25: Privacy Issues with the Use of Smart Cards examines basic privacy issues associated with the acquisition and storage of financial and trip data associated with the use of a transit smart card. The report explores who can access the data collected, what data may be accessed and under what conditions, and how the information can be used.
