Edited Version May 12, 1999 Transcript
EIIP Virtual Library Online Presentation

"Limitations to Data Access for Emergency Management"

Paul Hoff
Law Partner
Garvey, Schubert & Barer

Bruce McDowell
Project Director
National Academy of Public Administration

Martha Ditmeyer
Project Assistant
National Academy of Public Administration

EIIP Moderator: Avagene Moore

The original unedited transcript of the May 12, 1999 online Virtual Library presentation is available in EIIP Virtual Forum Archives (http://www.emforum.org). The following version of the transcript has been edited for easier reading and comprehension. Typos were corrected, date/time/names attributed by the software to each input were deleted but the content of questions and responses are as stated by each participant. Answers from the participants to questions by the audience are grouped beneath the appropriate question to facilitate meaning.


[Opening]

Avagene Moore: Welcome to the EIIP Virtual Library!

Before we start today's session, would like to remind you of a couple of things. Please note that any URLs used are live links -- click on them and the referenced Web page should appear in the browser window. For example, today's background page is http://www.emforum.org/vlibrary/990512.htm.

Please note the link to the Executive Summary of the report under consideration today, "Legal Limits on Access to and Disclosure of Disaster Information." Suggest you read the summary if you have not done so.

After the first one, the browser window may not automatically come to the top; you may have to click on a button at the status bar at the bottom of your screen.

Please do not send Direct Messages to our speakers during the formal part of the session; this is very distracting. You will have opportunity to ask questions during the Q&A segment of our program. I will review how to submit questions and comments prior to the Q&A time.

[Introduction]

And now to introduce today's topic and speakers. In January 1999, the National Academy of Public Administration (NAPA) undertook a study on limitations to data access, to explore legal constraints on the free exchange of information in support of all phases of disaster/emergency management.

Today we will hear about the findings of that study. This report draws on a number of previous NAPA studies with implications for emergency/disaster management and information.

Paul Hoff is a partner in Garvey, Schubert & Barer, a law firm active in the area of intellectual property and Internet practice with offices in Seattle, Portland and Washington, D.C. Paul is a nationally recognized expert in this area, and will present an overview of the report, as well as take your particular questions and concerns.

Bruce McDowell, NAPA Project Director, is also with us today. Glad to have you here, Bruce.

Martha (Marty) Ditmeyer is also on hand in the background to assist. Marty is a Project Assistant/Consultant, providing support and technical assistance for NAPA studies.

Paul, I turn the floor to you. Thanks to all for being here today.

[Presentation]

Paul Hoff: I look forward to discussing with you some of the results of the recent study by a Panel of the National Academy of Public Administration (NAPA) entitled the "Legal Limits on Access to and Disclosure of Disaster Information."

I will summarize some of the study's conclusions and then look forward to your questions. This is a complex area and it requires a great deal more study. It requires especially a great deal of input from people who are familiar with the precise kinds of information disaster managers need and the practical, legal, and procedural problems that arise when using information in any phase of disaster management.

First, what did the study assume about the nature of an NDIN?

The first slide is a general statement of what a national disaster information network would be. As you will see it does not assume any specific architecture to the system because of the uncertainty about exactly how active or passive a role the federal government would play in collecting the data …

[SLIDE 1]

Paul Hoff: ensuring its accuracy, and facilitating the exchange of information over the system. As we can discuss later, however, the exact nature of NDIN as it evolves will have a significant effect on the access and disclosure issues the study examined.

The data may come from a variety of different sources such as federal state and local governments, the private sector, universities and non-profits. Each piece of information may raise a different set of access and disclosure issues depending on the type of information involved and what is its source. Avagene, could we please have SLIDE 2?

[SLIDE 2]

Paul Hoff: Another way to illustrate the complexity of the problem is to look at it in terms of the kinds of legal concerns that use of the data may raise. The NAPA panel was asked to look particularly at four categories of these issues:

1) Privacy;

2) Intellectual property and associated proprietary rights to information;

3) Liability of data providers and the NDIN;

4) Laws on unauthorized access to the NDIN and tampering with data.

Another study for the GDIN Transition team is looking at the issues raised by the possible use of classified or formerly classified information on the NDIN, so the study did not include national security issues.

The following examples may give you an idea of the range of problems that may arise in these four areas; intellectual, privacy,liability, and security.

Intellectual Property: Increasingly information from geographic information systems (GIS) is of use to disaster managers, but this information may be collected by federal, state, or local governments pursuant to contracts with commercial companies. The use and reuse of the information may be strictly regulated in order to protect the private company's commercial property rights. The practices of state and local governments vary widely with respect to whether they charge others to use the GIS data it obtains.

U.S. copyright laws, and contractual agreements between the data supplier and the initial user of the information will govern much of this. In other cases, companies may consider some information proprietary and simply not want to disclose it even if it does not qualify for copyright protection. One example is a utility company that declines to disclose information about its infrastructure for competitive reasons.

Privacy: Information about the number of occupants of a building, their medical history, and whether they have disabilities may be useful to disaster managers, but it may also invade an individual's privacy. Depending on the source of the information, its use could be a violation of federal and/or state privacy laws. Thus, the goals of an NDIN will have to be balanced in some cases by concerns for other values.

Liability: Members of the public may sue if they are hurt or suffer property losses because they relied on inaccurate information they got either directly from the NDIN, or from local officials who in turn relied on the NDIN. The willingness of both private companies and governments to contribute key information to the NDIN may be substantially reduced if they think they could be sued under strict theories of liability.

Security: To ensure the accuracy and reliability of the NDIN, the system must be protected from tampering. It must be protected from unauthorized use when access is restricted to satisfy other legal or operational concerns. Federal and state laws have an important role to play in ensuring the security of the system.

The next slide lists under each of these four legal issues some of the types of information that may raise particular problems. It illustrates that the access and disclosure problems could arise in any number of circumstances. Avagene, may we please have SLIDE 3?

[SLIDE 3]

Paul Hoff: At the federal level, the study identified some 18 different laws and rules that may affect these access and disclosure issues. Of course, there are many more laws and regulations at the state and local level.

For example, the study found that most states have their own open record laws. Some 80% of the large cities and counties with GIS data have rules or laws limiting access in some way. Avagene, could we please have SLIDE 4 listing these?

[SLIDE 4]

Paul Hoff: The study concluded that the legal concerns could be more or less severe depending on the particular phase of the emergency and the information used. When disaster information is used for general planning purposes it is particularly suitable for general distribution, since the timeliness of the information and the level of detail may be less important than in crisis management situations.

In that case privacy issues may not arise. In other circumstances, the most detailed personal information may be needed to compensate people following a disaster, and at that time privacy concerns may be at their height. The exact nature of the legal problem in any case will be defined by a matrix of the use to which the information is to be put, its source, the nature of the information itself, and the person who is seeking access to it.

Slide 5 illustrates the different characteristic of the data that may be most important at three stages of emergency management -- vulnerability management, crisis management and loss compensation management. As a result, the access and limitation concerns will be different at each stage. Avagene, could we have SLIDE 5, please?

[SLIDE 5]

Paul Hoff: The last two slides summarize the study's findings and recommendations. The study's findings emphasize not only the importance of the access and disclosure issues to creating an effective NDIN, but also the complexity of the issue and the need for further information and further study. Avagene, could we have SLIDE 6, please?

[SLIDE 6]

Paul Hoff: The study makes a number of recommendations. These recommendations included some general principles -- specific steps that the panel felt would help reduce the access and disclosure problems.

This includes restricting to those who most need it certain of the information on the NDIN. It also anticipated the need for legislative changes at both the federal and state level. It saw an important role for the federal government as a catalyst for state, local, and non-governmental action.

On the other hand, it also made a number of other recommendations emphasizing the evolving nature of the NDIN, and the importance of taking access and disclosure limitation issues into account as the NDIN develops. Avagene, could we please have SLIDE 7?

[SLIDE 7]

Paul Hoff: As you can see from the slide, the study concluded that to assist in the design of an NDIN, all the potential stakeholders in such a network should work closely together.

There is a need to define more precisely the specific data elements that must be acquired and disclosed to identified parties for identified disaster management purposes. Conferences should be held to identify and reach agreement on acceptable features of "best practice" models to assist in resolving the access and disclosure issues.

The panel also recognized the importance of active educational programs in order to make those designing the NDIN aware of how these access and disclosure issues could significantly undermine the effectiveness of the NDIN if not recognized and addressed directly. Only then can specific legislative recommendations be drafted, and specific practices recommended.

So I hope that all of you can participate in this evolving process. A 24-page summary of the entire report is available on the NAPA web site. I believe Avagene has posted a link to it. In the near future, the entire study will also be available on the NAPA website.

[CLOSING]

That concludes the presentation, Avagene. I look forward to questions and comments.

Avagene Moore: Thank you, Paul and Marty. Might add that Bruce McDowell, NAPA, was involved in putting this session together; we appreciate his help also. As a reminder for Q&A, if you have a question or comment, please input a question mark (?) to indicate you wish to speak. Compose your question, and hold it until you are recognized before sending it to the screen. This way, we can keep order. You will be recognized in order of the question marks that are seen on the screen. First question, please.

[Audience Questions]

Question:

Tricia Wachtendorf: Can you discuss in a little more detail the major barriers or issues involved in data sharing across separate political jurisdictions, particularly across international borders?

Paul Hoff: The problem comes when you merge in one data base, information from different jurisdictions with different laws on such matters as privacy, or cost sharing for GIS data. Which rules apply overall, or do you try to apply different laws to different aspects of the data. Something that would obviously be very difficult.

Bruce McDowell: Internationally, the Europeans favor copyrighting databases but that is very difficult in the U.S.

Question:

David Graham: Can you give us some examples of the type of information/data that will be included in NAPA?

Bruce McDowell: There will be different types of data for different EM tasks. We showed some on earlier slides. We also set them up by task. We have three "data cubes" that illustrate what they might look like. Amy, can we show the data cubes?

Amy Sebring: Sorry, they will have to wait for the report, Bruce.

Bruce McDowell: OK. For planning/mitigation they might be land use, natural hazards, man-made hazards, buildings, people, response resources. For crisis management, they might be Warning systems, critical infrastructure, etc. For loss compensation, they might be financial eligibility, regulatory compliance.

Question:

Avagene Moore: Paul, do you have anything to add?

Paul Hoff: No, not to that answer.

Question:

Amy Sebring: Paul, do disclaimers as to accuracy, such as "Use at your own risk" afford reasonable protection from liability? Do they need to include specific language such as "hold harmless"?

Paul Hoff: You are correct that disclaimers may help in some cases. But they are not always effective. For example, disclaimers are not usually effective against suits under theories of strict liability. And of course you have policy concerns with using disclaimers too widely. You want people to have confidence in the data.

Question:

Rick Tobin: You hinted at possible lawsuits by the public, based on their expectations, but all the studies I have read show there is no clear evidence that emergency management organizations are sued based on their emergency activities during a disaster. Did you find any evidence to support a different opinion?

Paul Hoff: That is an excellent point and the kind of consideration that requires more study and input from actual disaster managers. The concern I believe is that as you combine in an NDIN a great deal more information in one place and it is much more available to the general public; there will be substantially increased problems with lawsuits.

Even now, the use of disclaimers by some federal agencies indicates a real concern with the problem.

Bruce McDowell: Mistakes like with the Chinese Embassy in Belgrade could happen in our business.

Question:

Terry Birkenstock: This is clearly a very complex issue - Thanks for laying out some of the major issues for us. Paul, you've sort of just hinted at this, but can you give a quick breakdown of how, or if, the Internet creates new problems in data sharing versus the data sharing that goes on separate from the Internet - beyond simply easier access?

Paul Hoff: Part of the problem is certainly simply the easier access. But compared to data sharing through use of paper it is more difficult to segregate the sources and limitations attached to any particular piece of data. And the Internet of course assumes a great deal of software behind the information collection and use. And that raises key copyright issues.

Bruce McDowell: There is a tendency in databases to suffer from garbage-in, garbage-out. We really need to guard against that.

Question:

Terry Birkenstock: Metadata is one way to let a data user know what the limitations and restrictions on use of the data are. Does that solve some of the problems?

Bruce McDowell: Yes. It does not improve the data but it warns people how bad they are.

Question:

Doug Burreson: In the GIS data realm, what protections (if any) does the existence of FGDC compliant metadata afford an agency? (If that metadata includes accuracy statements and appropriate uses clauses.)

Bruce McDowell: Appropriate use statements are useful but the next step would be for NDIN to try to get what people need.

Question:

David Graham: So much environmental information is available on the Internet under the USEPA's Toxics Release Inventory and environmental interest groups. Is information on other topics noted in the study beyond environmental widely available?

Bruce McDowell: State and local governments have lots of land use, etc. available through their GIS that could be especially useful in mitigation planning.

Question:

Amy Sebring: When working as a local manager, I wanted to compile a Special Needs database, with info on the elderly, but was not assured that access to this information could be protected from open records requests. Did you have an opportunity in this study to look at some of the state laws protecting individual privacy?

Paul Hoff: Yes, the study did an overview look at state privacy laws.

What we found was that about 18 states have specific privacy laws that like the federal Privacy Act could limit expressly using and disclosing personal information. But this illustrates how varied the laws are even between these 18 states and the remaining states are even more varied.

Bruce McDowell: We need a lot more work on state laws, lots of variation among them..

Final Question:

Amy Sebring: Are policies between federal agencies generally consistent? That is, do different federal agencies generally follow the same rules?

Paul Hoff: The quick answer to that is there are a few attempts to coordinate policies in areas such as privacy but so much depends on the actual implementation to a particular situation, that it is hard to do.

Avagene Moore: Thank you, Bruce, Paul and Marty. That's all the time we have today. If Paul and Marty can hang around for a couple of minutes after the Virtual Library is officially closed for the day, we will return to the Virtual Forum where we can all express our thanks and ask other questions or make further comments.

Before officially closing, would like to remind you of next week's events:

The Round Table on Tuesday May 18, 1:00 PM EDT is based on a project now underway through FEMA and the Community Family Preparedness program that is looking at various preparedness programs and measures in our school systems. We had an excellent session yesterday about a new emergency planning manual developed for Pennsylvania schools. This effort is also interested in getting disaster awareness into the curriculum of our nation's schools. I encourage everyone to be here for more discussion about various programs and ideas for ensuring better prepared schools and creating a culture of disaster preparedness through educating our young people.

On Wednesday, May 19, 12:00 Noon EDT, we have a panel scheduled to talk about Domestic Sustainable Development. At the moment, we are working with the planners for last weeks' National Town Meeting on a Sustainable America that took place in Detroit, Michigan (May 2-5). FEMA, EPA, DOE, city/county governments, and private sector corporations were involved. We will have a panel made up of some of the representatives of these organizations. Make plans to participate.

One more time, want to remind everyone that starting first of June, the EIIP Round Table sessions will begin at 12:00 Noon EDT, same time as the formal Wednesday discussions. We hope this will make it easier for everyone to remember the official time for both sessions.

Again, thank you, Bruce, Paul and Marty. Thanks to you, audience. Great program today! Let's all adjourn now to the Virtual Forum to say thanks to our speakers.