OSI Privacy - Effective 8/5/2015
The California Health and Human Services Agency, Office of Systems Integration (OSI), is committed to promoting and protecting the privacy rights of individuals, as enumerated in Article 1 of the California Constitution, the Information Practices Act of 1977, and other state and federal laws.
- "Personal Information" is information about a natural person that identifies or describes an individual, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, and medical or employment history, readily identifiable to that specific individual. A domain name or Internet protocol (“IP”) address is not considered personal information; however, it is considered "electronically collected personal information.”
- “Electronically collected personal information,” as defined in California Government Code section 11015.5, means “any information that is maintained by an agency that identifies or describes an individual user, including, but not limited to, his or her name, social security number, physical description, home address, home telephone number, education, financial matters, medical or employment history, password, electronic mail address, and information that reveals any network location or identity, but excludes any information manually submitted to a state agency by a user, whether electronically or in written form, and information on or relating to individuals who are users, serving in a business capacity, including, but not limited to, business owners, officers, or principals of that business.”
1. The OSI collects personal information on individuals only as allowed by law. The OSI limits the collection of personal information to what is relevant and necessary to accomplish the lawful purposes of the OSI. For example, the OSI may need to know an individual's home address, e-mail address, or telephone number, in order to answer the individual's questions or in order to provide requested assistance.
2. The OSI endeavors to tell people who provide personal information to the OSI the purpose for which the information is collected. The OSI strives to tell persons, who are asked to provide personal information, about the general uses the OSI will make of that information. This is done at the time of collection. With each request for personal information, the OSI provides information on the authority under which the request is made, the principal uses the OSI intends to make of the information, and the possible disclosures the OSI is obligated to make to other government agencies and to the public.
3. The OSI uses personal information only as specified and consistent with those purposes; unless the OSI obtains the consent of the subject of the information, or as required or allowed by law. The OSI collects personal information directly from individuals who volunteer to use some of our services, including our internet/online services. Collection of this information is required to deliver the specific services, but use of these services is voluntary. If any type of personal information is requested on the website or volunteered by the user, state and federal law, including the California Information Practices Act of 1977, California Government Code Section 11015.5., and the federal Privacy Act of 1974, may protect it. However, this information may be a public record once it is provided to the OSI, and may be subject to public inspection and copying if not otherwise protected by federal or state law.
The Public Records Act exists to ensure that California government is open and that the public has a right to have access to appropriate records and information possessed by state and local government agencies. At the same time, there are exceptions to the public's right to access records. These exceptions serve various needs, including maintaining the privacy of individuals. In the event of a conflict between this Policy and any law governing the disclosure of records (such as the Public Records Act or the Information Practices Act), the applicable law will control.
A special note regarding electronically collected personal information:
- The OSI automatically collects certain electronic information from users who browse the OSI’s internet website. The information that the OSI automatically collects when a user visits its website includes, but may not be limited to, the client IP address, the date and time when the website is visited, web pages displayed, and any forms that are uploaded. The OSI uses encrypted and unencrypted session cookies, text files stored temporarily on a visitor's computer by a web browser, to enable easy movement through the site. The information collected in this manner is not subject to requests made pursuant to the Public Records Act, and site visitors may request to have their information deleted without reuse or distribution by contacting us.
More specifically, if nothing is done during a visit to the website but browsing or downloading information, the OSI automatically collects and stores the following information about the visit:
- The IP address and domain name used, but not the e-mail address. The IP address is a numerical identifier assigned either to the visitor’s Internet service provider or directly to the visitor’s computer. The OSI uses the IP address to direct Internet traffic to the visitor and generate statistics used in the management of the OSI’s website;
- The type of browser and operating system used;
- The date and time the OSI’s site is visited;
- The web pages or services accessed at the OSI’s website;
- The website visited prior to coming to the OSI’s website;
- The website visited as the visitor is leaving the OSI’s website; and
- If a form is downloaded, the form that was downloaded.
The information the OSI automatically collects or stores is used to improve the content of OSI’s web services and to help the OSI understand how people are using the OSI’s services. This information does not identify a visitor personally and is used for gathering website statistics. The information the OSI automatically collects and stores in logs about visits to the OSI’s website helps staff to analyze the OSI website to continually improve the value of the materials available. The OSI’s website logs do not identify a visitor by personal information, and the OSI makes no attempt to link other websites with the individuals that browse the OSI’s web site.
California Government Code section 11015.5 prohibits all state agencies from distributing or selling any electronically collected personal information, as defined above, about users to any third party without the permission of the user. The OSI does not sell any "electronically collected personal information." Any distribution of "electronically collected personal information" will be solely for the purposes for which it was provided to us.
The OSI may provide or distribute certain lists and statistical reports of regulatory information as provided by law, but no personal information is sold or distributed, and all relevant legal protections still apply to the state's websites.
- The OSI does not collect home, business or e-mail addresses, or account information from persons who simply browse the OSI’s website. The OSI collects personal information about individuals through the OSI’s website only if an individual provides such information to the OSI voluntarily through e-mail, registration forms, or surveys, for example. If an OSI website visitor voluntarily participates in an activity that asks for specific information (i.e., completing a request for assistance, personalizing the content of the website, sending an e-mail, or participating in a survey), more detailed data will be collected. If a visitor chooses not to participate in these activities, that choice will in no way affect the visitor’s ability to use any other feature of the website.
- The OSI’s use of e-mail addresses. An OSI website visitor may choose to provide the OSI with personal information, as in an e-mail with a comment or question. The OSI uses the information to improve service to website visitors or to respond to their requests. Sometimes the OSI will forward an e-mail to other state employees who may be better able to help, and those staff may be employed by a different agency within the state. Except for authorized law enforcement investigations or, as required by law, the OSI does not share e-mails with any other organizations. We use visitor e-mails to respond appropriately. This may be to respond to the sender, to address issues identified in the e-mail, to further improve the OSI’s website, or to forward the e-mail to another agency for appropriate action.
Submission of an e-mail to OSI, OSI staff and/or communication through the website does not create any attorney-client or other privileged or confidential relationship. Accordingly, website visitors should not disclose any information to the OSI that they wish to remain private or confidential.
Cookies created on a visitor’s computer by using the OSI’s website do not contain "personal information" and do not compromise the visitor’s privacy or security. The OSI uses the cookie feature only to store a randomly generated identifying temporary tag on a visitor’s computer. Visitors have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but web browser settings may be modified to decline cookies. If a visitor chooses to decline cookies, he or she may not be able to access some of the features in the OSI’s interactive applications. If the visitor chooses to accept cookies, he or she also has the ability to later delete cookies that have been accepted. For example, in Internet Explorer 10 you can delete cookies by selecting “Tools,” “Safety,” “Delete browsing history,” “Cookies” and “Delete.” Each browser may provide a different way to delete cookies. If a visitor chooses to delete cookies, any settings and preferences controlled by those cookies will be deleted and may need to be recreated during the next access of the OSI’s website.
4. The OSI uses information security safeguards. Reasonable precautions are taken to protect the personal information of individuals collected or maintained against loss, unauthorized access, and illegal use or disclosure. Secure Socket Layer (SSL) encryption software for the OSI Security Tool protects the security of each individual’s personal information during transmission through the OSI’s website. Such personal information is stored by the OSI in secure locations. The OSI’s staff is trained on procedures for the management of personal information, including limitations on the release of information. Access to personal information is limited to those members of the OSI’s staff whose work requires such access. Confidential information is destroyed according to the OSI’s records retention schedule. The OSI conducts periodic reviews to ensure that proper information management policies and procedures are understood and followed.
5. The OSI provides people who provide personal information with an opportunity to review that information. Individuals, who provide personal information, are allowed to review the information and contest its accuracy or completeness.