Under the law you have a right to keep personal information private. The Massachusetts Fair Information Practices Act (FIPA, pronounced FEE'-PAH) tells government officials how they must handle personal information about people.14 FIPA defines:
- What "personal data" the government may collect;
- How and by whom this information can be used;
- What rights you have to see and copy information about yourself;
- What you can do if someone violates this law.
What Information Is Private
The information which FIPA covers is called "personal data." Personal data is any information about you which can easily be associated with you. For example, housing authorities collect personal data on applications for public and subsidized housing when they ask you your income and the names, relationships, and ages of people in your family.
Who Holds Personal Information
All agencies, boards, departments, divisions, commissions, and committees of the executive branch of state government may be holding personal data which is protected by FIPA. Housing authorities and other organizations or people that receive government funds to perform a government function are also required to follow FIPA regarding personal data in their possession.15 Such organizations or people include subsidized landlords, drug and alcohol programs, day care programs, and hundreds of other private agencies that receive government money to do a government-sponsored job.
What Obligations Do Holders Have
Any agency or entity covered by FIPA that collects personal data is called a "holder."16 There are specific do's and don'ts that every holder must follow. The most significant are briefly described below.
Restrictions on Release of Information
There are four ways a holder of personal data about you can legally give information out to others:17
- When the transfer of information is allowed or required by some other statute
- When the transfer is allowed or required by a regulation that is consistent with the purposes of FIPA (which is to protect privacy
- When there is a medical emergency and the information will aid in your treatment; or
- When you have given written permission for the transfer of information.
The last way—your giving permission—is the most common. It is generally done by use of a "consent-to-release" form. Sometimes such forms are referred to simply as "consent" forms or "release" forms, or even waiver forms. The term doesn't matter. Whatever it is called, it is a form where you give permission to have personal information about you given out to others. Before signing such a form—especially a housing authority's standard form18—you should keep the following points in mind:
- Know exactly what information is being released, for what purpose, to whom, and when.
- Know what the consequences are, both good and bad, of agreeing to give or refusing to give out certain information about yourself.
- Do not give a "blanket consent" for the agency to release all of your personal information to anyone.
- Give permission for the use of information until the occurrence of some specific event, such as your acceptance into public housing, or only for a limited period of time (no more than one year).
- Keep the right to revoke, or take back, your consent at any time. Make sure you put this in writing.
- Try not to sign the release form until very shortly before it is expected that the information will actually be released.
- Get a copy of your written consent, showing its date and your signature. Do not sign any form unless you know you are going to get a copy of it.19
Cannot Collect Unnecessary Information
A holder is allowed to collect only the amount of personal information that is "reasonably necessary" to perform its job.20 For example, if you are applying for government-funded housing, a housing authority can ask you only for personal information that is necessary to determine whether you meet the requirements of a particular housing program. It cannot ask you for information such as personal medical information. If you live in public or subsidized housing and the housing authority or landlord is collecting information about who comes to visit you, this is an unnecessary intrusion into your privacy.
If you suspect that a holder is collecting more information than is "reasonably necessary," you can review your personal file and ask that unnecessary information be removed. The section in this chapter called How to Correct Errors tells you how to do this.
Must Properly Maintain
A holder must make sure that any personal data it has is accurate.21A holder must also make sure that personal data is kept in a secure place.22For example, it could be kept in a locked file cabinet with access limited only to those who need to know the information.
A holder must, to the extent feasible, keep a complete record (sometimes called an "audit trail") of every time it gives any outside person or organization access to your personal information. This record must include the name of the person or organization and a description of the purpose for which the person or organization is going to use your personal information.23A holder must also let you see the audit trail.24
Getting Access to Your Own File
You have a right to see all personal information an agency holds about you.25To do this, write a letter to the individual in charge of records at the agency holding the information. Ask for all documents held by the holder that relate to you.
You should receive a reply from the holder within 30 days.26The agency must also give you the information you have requested in a form that you can understand. If you cannot understand it, take the document back and ask someone to sit down and explain it to you. It is a violation of FIPA for the holder to refuse to explain it to you.
When Can Access Be Denied
There are some circumstances when an agency can refuse to give you access to information about yourself. A holder may refuse you access if allowing you access to your own file is prohibited by another law. However, there are very few laws that prohibit such access rather than merely regulate it.27
Another exception to the right to see your file is when disclosure to you "would probably so prejudice the possibility of effective law enforcement that such disclosure would not be in the public interest." This provision applies when you are the subject of an investigation and your knowledge about the details of the investigation would unreasonably hinder it. But there is a limit to how long the file may be withheld from you. It must be released either when the investigating agency starts an administrative proceeding or a court case or one year from the start of the investigation, whichever is first.28
If you think your file or your personal information contains an error or is incomplete, you have a right to have the holder correct the error. To do this, you should write a letter describing the problem to the person in charge of the record. If she does not make the correction, you should then ask for a meeting with that person so that together you can go over what information needs to be removed or corrected. If the record holder still refuses to change the record, the holder must put a note in your file that you claim that the record is not accurate. You have a right to submit your version of the truth.29 You may also challenge the accuracy of information by filing a complaint or grievance, as described in the next section.
What to Do If Your Rights Are Violated
Under FIPA, you may challenge the accuracy, completeness, relevance, or release of personal information by filing a complaint or grievance with the holder or by bringing a lawsuit in court.
Agency Complaint or Grievance
Every agency or holder of personal information must have written procedures that allow an individual to challenge the accuracy or improper handling of personal information.30 Because each agency has its own procedures, you should start by asking for and contacting the person responsible for the agency's "personal data system."31 For example, if a housing authority has violated your rights under FIPA, you can file a complaint with the housing authority's "personal data officer." If you are not satisfied with her resolution of your complaint, you may appeal the decision through the housing authority's grievance procedures,32 or you may even take legal action in court.
You have a right to sue a holder (an organization, not an individual within an organization) in order to correct your record and to collect money damages for violations of the law.33You must file a lawsuit in state superior court within three years of the date of the last FIPA violation. You will probably need a lawyer to help you.
When you go to court, you may ask the judge for a court order forcing the holder to stop doing something or to do something. For example, you may ask a judge to order the landlord to correct certain information in your tenant file. If you win your case and a court awards you money damages, you are entitled to at least $100 for each violation of FIPA. You may also be awarded court costs and attorney's fees.
Attorney's fees awards have been made in FIPA cases both when the plaintiff is represented by a private lawyer and even when representation is by a free legal services attorney.34This is an important part of FIPA because, if you have a good case, it may be easier to find a private lawyer to take your case, even if you can't pay any money "up front." For more information about filing a lawsuit, see Chapter 14: Taking Your Landlord to Court.
14. G.L. c. 66A, §§1, 2 and 3.
15. G.L. c. 66A, §3, provides that "the department of housing and community development (shall promulgate rules and regulations to carry out the purposes of this chapter which shall be applicable to local housing and redevelopment authorities of the cities and towns." See also 760 C.M.R. §8.
16. G.L. c. 66A, §1 (definition of "Holder").
17. G.L. c. 66A, §2(c). There is also an unacknowledged exception where courts will order a disclosure of personal data under a protective order that generally protects privacy, but which also allows parties to have access to information that is crucial to a case.
18. If a tenant applies for or lives in housing funded by the federal government, the housing authority must use a consent-to-release form that meets the requirements of 42 U.S.C. §3544.
19. The DHCD regulations contain some specific requirements for an informed consent procedure, 760 C.M.R. §8.02.
20. G.L. c. 66A, §2(l).
21. G.L. c. 66A, §2(h).
22. G.L. c. 66A, §2(d).
23. G.L. c. 66A, §2(f).
24. G.L. c. 66A, §2(g).
25. G.L. c. 66A, §2(i), 1st sentence.
26. The length of time within which each agency must reply to a request is set forth in its own regulations. Most regulations allow between 20 and 30 days for a response.
27. Advocates may wish to challenge an agency refusing a client access to her own file if the agency is relying on another statute which does not expressly prohibit access but merely regulates it.
28. G.L. c. 66A, §2(i), 2nd and 3rd sentences.
29. G.L. c. 66A, §2(j)(2).
30. G.L. c. 66A, §2(j)(1).
31. G.L. c. 66A, §2(a 950 C.M.R. §32.05.
32. 760 C.M.R. §6.08, starting with subsection (4)(a) and especially the 2nd (unnumbered) paragraph thereafter, starting with the words: "A grievance regarding some other matter … "; and G.L. c. 214, §3B.
33. G.L. c. 214, §3B.
34. See Torres v. Attorney General, 391 Mass. 1, 14-16 (1984).