(a) A state agency shall publish a privacy and security policy
for its Web site, and post a link to the policy from its home page. The privacy
and security policy shall address the following:
(1) Notice: Disclose the agency's information practices before
collecting personal information from the public. The use of logging software,
cookies, and/or Web bugs. Information collected by other technologies and
processes. Information collected via e-mail and Web-based forms.
(2) Choice: Options with respect to how personal information
collected from them may be used for purposes beyond those for which the information
was provided and whether they wish to have that information shared.
(3) Access: The procedure under which an individual may obtain
and/or have the agency correct information about the individual.
(4) Security: The procedures to ensure that information collected
from individuals is accurate and secure from unauthorized use.
(b) Web pages designed for children must comply with all applicable
federal and state laws intended to protect minors.
(c) Prior to providing access to information or services on
a state Web site that require user identification, each state agency shall
conduct a transaction risk assessment, and implement appropriate privacy and
security safeguards. At a minimum, state Web sites that require an individual
to enter the following information in a Web based electronic form shall use
an SSL session or equivalent technology to encrypt the data:
(1) Both the individual's name and other personal information,
such as an SSN;
(2) Transaction payment information;
(3) An individual's access identification code and password;
(4) An individual's e-mail address.
(d) Any Web based form that requests information from the public
shall have a link to the associated privacy and security policy.