About That Confidential Information
At our meeting last week (WidenI77 TownHall meeting in Cornelius on July 24. Click HERE for video.) we raised two issues regarding personal data. First was the breath of information that could be collected, including SSN’s and medical data. Second was that the private company- Cintra- could be collecting it.
Last Friday the NCDOT disputed both issues. In a strongly worded (and widely reported) statement, they said:
NO SOCIAL SECURITY NUMBERS, MEDICAL INFORMATION, BIRTH DATES OR ANY OTHER PERSONAL INFORMATION WILL BE COLLECTED BY THE NORTH CAROLINA TURNPIKE AUTHORITY, NCDOT, OR CINTRA
Further, they said:
Any customer information will be collected, stored and kept secure by the North Carolina Turnpike Authority (Under NCDOT), NOT Cintra.
But let’s look at the actual language in the signed contract.
Item 1: Cintra (the “Developer”) will design and operate an Electronic Toll Collection System:
24.1 Developer shall design, develop, fabricate, test, integrate, deploy and/or construct, operate, maintain, and upgrade from time to time an Electronic Toll Collection System (ETCS) supporting Open Road Tolling (ORT) on the HOT Lanes in accordance with the requirements of this Section 24….
Item 2: This system could collect confidential information:
8.7.2 Developer acknowledges that the data generated by, or accumulated or collected in connection with, operation of Developer’s Electronic Toll Collection System… may consist ofor include information that identifies an individual who is a patron of the Project and that is exempt from disclosure to the public or other unauthorized persons under applicable Law (“Patron Confidential Information”).
Item 3: The confidential information includes what we enumerated at our meeting:
8.7.2 (Continued) Patron Confidential Information includes names, addresses, social security numbers, e-mail addresses, telephone numbers, financial profiles, credit card information, driver’s license numbers, vehicle registration information, medical data, law enforcement records….
Item 4: Cintra has to hold the confidential information in strict confidence:
8.7.4 Developer agrees to hold Patron Confidential Information in strictest confidence and not to make use of Patron Confidential Information for any purpose other than the performance of this Agreement, including toll violation processing and collection.
Item 5: Cintra can share the confidential information with the entities we enumerated at our meeting:
8.7.5 Developer shall release Patron Confidential Information only to (a) NCDOT if requested, (b) authorized employees or Contractors requiring such information for the purpose of carrying out obligations under this Agreement, (c) authorized collection agencies as necessary to assist their collection of toll violations, (d) the North Carolina Department of Public Safety and any other public law enforcement agency with jurisdiction to provide traffic patrol, traffic law enforcement and the other police and public safety services as necessary to assist its enforcement of toll violation traffic infractions, (e) any Lender or Substituted Entity that succeeds to Developer’s Interest, and(f) any Governmental Entity if requested and required pursuant to applicable Law.
So according to the language of the contract, Cintra will design and operate a toll collection information system and store and use confidential information.
This raises troubling questions:
- If Cintra will never handle confidential information then why does the contract specify how they are to store and use it?
- If SSN and other personal information will never be collected, why are these data enumerated in the contract? Why not just say this information cannot be collected?
- If the NCTA operates the toll collection system then why does the contract specify Cintra build and operate this system?
It may be that in practice the NCTA will operate the toll collection system and safeguard the data, but the contractual language is clear: Cintra collects the data. Cintra can use the data. If this is not what will actually happen, then the contract must be revised.
NCDOT responded to our rebuttal saying “the complete language of the Comprehensive Agreement, not edited excerpts, will govern the protection of user data with regard to the managed lanes.”
Short URL: http://pundithouse.com/?p=16339