This policy applies to all public Web sites of State agencies in the Executive branch of Government other than Independent State agencies that operate Internet Web sites as a public service.

A cookie is a special text file that a Web site adds to your hard disk so that it can recall something about you at a later time. Typically, a cookie records your preferences when using a particular site.

Independent State agencies are authorities, boards, commissions and other agencies of the State of New Jersey, which are not subject to the policy supervision and control of the Governor. An example of an independent State agency would be the New Jersey Transit Authority.

Online is the condition of being connected to a computer or a telecommunications system. For the purposes of this policy, the term is used to describe a connection to the Internet.

Personally Identifiable Information means information that identifies an individual, including an individual's Social Security number, name, address other than the five digit zip code, driver identification number, telephone number and e-mail address.

The Principles of Fair Information Practices are a set of widely accepted information practices that the Federal Trade Commission supports for consumer oriented Web sites that collect personal identifying information from or about consumers online. The principles include consumer notice, consumer choice, appropriate levels of security and consumer access to their personally identifiable data.

SSL (Secure Sockets Layer) is a commonly used protocol for managing the security of a message transmission on the Internet.

Transaction risk assessment is the process that determines the security requirements necessary to ensure the appropriate level of availability, integrity, access, confidentiality, authentication and non-repudiation of the information in question.

A Web site is a collection of HTML (Hypertext Markup Language) files on a particular subject that includes a beginning file called a home page. For example, most companies, organizations, or individuals that have Web sites publish a single address. This is their home page address. From the home page, you can get to all the other pages on their site.

All New Jersey Executive Branch Agencies that operate Internet Web or online services shall have privacy statements that are prominently displayed on their home pages and any other public entry page where personally identifiable information is collected or transmitted. The statements shall be developed in accordance with the Principles of Fair Information Practices as recommended by the Federal Trade Commission and in consultation with agency legal counsel. The privacy statement shall be easy to find, read and understand. The statement should inform Web site users when personally identifiable information is collected, in what way the information will be used, any third party distribution of the information and the choices available regarding collection, use, and distribution of the collected information.

Following promulgation of this policy, each State agency that maintains a Web site requiring the collection or transmission of personally identifiable information will conduct a transaction risk assessment, and implement appropriate security and privacy safeguards. At a minimum, state Web sites that require or permit a citizen to enter the following information will use an SSL session or equivalent technology to encrypt the data:

• Social Security Number or tax identification number
• Transaction payment information, i.e. credit card number
• Individual Name, address and other personal information
• Individual identification codes and passwords
• Individual medical and health information
• Individual financial information, i.e. income
  
  

State Web sites that permit the download of forms for completion and subsequent return via unencrypted e-mail should notify users of the risk in sending sensitive or personal information via e-mail over the Internet.

State agencies that elect to obtain information through the use of cookies shall notify the user of the cookie, the information to be collected, and the use of the information collected.

Agencies shall establish security procedures and practices for the storing, handling and disposing of electronic records that contain personally identifiable information so that the information is not intercepted or changed by unauthorized persons.

Personally identifiable information will not be sold or distributed to non-governmental third parties for solicitation purposes unless permitted by law. The collection of personal data should be limited to that which is needed for legitimate public purposes and retained only as long as necessary. Personally identifiable information should only be used for the purposes disclosed in the privacy policy statement.

Agencies that enter into contracts or agreements for sharing personally identifiable information with other entities must have contractual requirements that protect the information from inappropriate uses.

If an agency intends for its Web site to collect personally identifiable information, then the agency will notify the public that State and Federal laws, including statutes, rules, regulations and the common law, control the use of information held by the state. Citizens should be informed about how they can review their personal information and recommend corrections if it is inaccurate or incomplete.

Agency privacy statements shall include the name and contact information of a person who can address questions regarding the privacy statement and privacy practices of the Agency.

Agencies that provide Web pages directed at children shall comply with the Children's Online Privacy Protection Act of 1998 (COPPA) and any other applicable State or Federal law. The Federal Trade Commission rule applies to Web sites or online service directed at children and to Web sites or online services where there is actual knowledge that the person from whom they seek information is a child. The requirements include but are not limited to:

• To post prominent links on their Web sites to a notice of how they collect, use, and/or disclose personal information from children.
• With certain exceptions, to notify parents that they wish to collect information from their children and obtain parental consent before collecting, using, and/or disclosing such information.
• Not to condition a child's participation in online activities on the provision of more personal information than is reasonably necessary to participate in the activity.
• To allow parents the opportunity to review and/or have their children's information deleted from the operator's database and to prohibit further collection from the child.
• To establish procedures to protect the confidentiality, security, and integrity of personal information they collect from children.

Employee

• To adhere to Statewide and agency security and confidentiality rules and procedures.
• Maintain the confidentiality of individuals' personally identifiable information consistent with law.

Agency Senior Management

• Designate a person or persons to act as the point of contact for all questions relating to access to information and privacy.
• Ensure that employees who have access to the Internet are educated on the importance of maintaining the confidentiality of personal information.
• Ensure that Web development efforts include consideration of privacy related issues.
• Approve appropriate privacy statements, where required.

Agency Information Technology Unit and the Office of Information Technology

Ensure that appropriate security safeguards are in place relating to the electronic transmission, electronic storage and electronic access of personal information.