Alaska - Sectoral Privacy Overview
- The Constitution of the State of Alaska expressly safeguards privacy rights. Article I, Section 22 states that the 'right of the people to privacy is recognized and shall not be infringed'.
- The Supreme Court of Alaska ('the Supreme Court') furthered the concepts of liberty and privacy in its ruling in Breese v. Smith, 501 P.2d 159, 168 (Alaska 1972) when it stated that "at the core of this concept [of liberty] is the notion of total personal immunity from governmental control: the right 'to be let alone'".
- In Ravin v. State of Alaska, 537 P.2d 494, 514-15 (Alaska 1975), the Supreme Court stated: "Since the citizens of Alaska, with their strong emphasis on individual liberty, enacted an amendment to the Alaska Constitution expressly providing for a right to privacy not found in the United States Constitution, it can only be concluded that that right is broader in scope than that of the Federal Constitution".
§45.48.010 et seq. of Chapter 48 of Article 1 of Title 45 of the Alaska Statutes ('AS') ('the Personal Information Protection Act') provides several protections for personal information, including:
- a notice requirement when a breach of security concerning personal information has occurred; and
- the ability to place a security freeze on a consumer credit report.
For a breach of security involving personal information, the Personal Information Protection Act provides that:
- 'Personal Information' means information in any form on an individual that is not encrypted or redacted, or is encrypted and the encryption key has been accessed or acquired, and consists of a combination of an individual's name and one or more of the following:
  - the individual's social security number;
  - the individual's driver's licence number or state identification card number;
  - the individual's bank account number, credit card number, or debit card number; and
  - passwords, personal identification numbers, or other access codes for financial accounts.
- 'Breach of security' means the unauthorised acquisition, or reasonable belief of unauthorised acquisition, of personal information that compromises the security, confidentiality, or integrity of the personal information maintained by the information collector.
- 'Acquisition' includes acquisition by:
  - photocopying, facsimile, or other paper-based methods;
  - a device, including a computer, that can read, write, or store information that is represented in numerical form; or
  - any other method.
- Consumers must be notified when there is a breach of security of an information system containing personal information.
- Notice of the breach must be given expeditiously but can be delayed if it will interfere with a criminal investigation, or if the breach is unlikely to cause harm to the individual.
- Notice must be in writing but can also be given by electronic means under certain circumstances.
- Violations subject the violator (including a state agency) to a civil penalty of up to $500 for each consumer who was not provided notice, up to a maximum penalty of $50,000. In addition, the injured person can seek injunctive relief, and can recover actual economic harm. The Department of Administration may enforce this Section against a governmental body.
Regarding security freezes, the Personal Information Protection Act provides that a consumer may place a security freeze on the consumer's credit report. A freeze prevents a third person from accessing the individual's credit report. A freeze can be placed by mail, or by other means if the credit reporting agency allows it. Once a freeze is in place, the consumer can remove it by submitting a request in an analogous manner.
The following exemptions allow access by certain entities even when a freeze is in place:
- use of the credit report to review or collect a financial obligation;
- persons acting under a court order;
- a municipal or state agency that administers child support enforcement obligations;
- the Department of Health and Social Services ('DHSS') when investigating fraud;
- the Department of Revenue when investigating or collecting taxes or implementing other statutory responsibilities;
- pre-screening allowed by the Fair Credit Reporting Act of 1970 ('FCRA'); and
- for insurance purposes.
The state of Alaska restricts access to medical records to the patient (AS §18.23.005), the patient's parents or guardians (if a minor) (AS §25.20.130), the DHSS (for financial records) (AS §47.07.074), and the Medical Review Organization (AS §18.23.010 et seq.).
If an individual can establish that a contract exists between the individual and a health care provider such as a hospital, the individual can sue the hospital for breach of contract for the improper disclosure of private medical information if they can establish that the contract imposed a contractual duty to not disclose the information. Guy v. Providence Health & Services, 502 P.3d 13 (Alaska 2022).
In Guy, a hospital employee intentionally disclosed protected health information ('PHI') in violation of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'). The Court described the employee as a 'rogue employee' who was acting outside the course and scope of their employment when they disclosed the PHI.
The patient alleged that the disclosure of the PHI breached the hospital's contractual duty to them not to improperly disclose their PHI. It is believed that the patient brought their action as a contract claim because HIPAA does not provide for a private cause of action and because their claim was brought after the statute of limitations for bringing a tort claim had already passed.
The lower court dismissed the contract claim, ruling that the employee was not acting in the course and scope of their employment when they improperly disclosed the PHI and that the hospital could not be vicariously liable for an employee acting outside the scope of their employment. The Court reversed, holding that the rules of vicarious liability did not apply to breach of contract claims. The Court remanded the case to the lower court to determine whether a contract existed between the patient and the hospital and whether the hospital violated any contractual duty that it owed to the patient.
For banks and financial institutions, the records relating to depositors and customers, and the information in those records, are confidential (AS §06.01.028). A financial institution may not disclose the records and information to another person except when, and only to the extent that, the disclosure is:
- authorised in writing by the depositor or customer;
- required by federal or state statute or regulation or by an order directed to the financial institution and issued by a court or administrative agency of competent jurisdiction;
- made to the holder of a negotiable instrument drawn on the financial institution as to whether the drawer has sufficient funds in the financial institution to cover the instrument;
- made to a consumer reporting agency regulated under the FCRA; or
- made in connection with the maintenance or servicing of the depositor's or customer's account with the financial institution, or with another entity as part of a private label credit card or other extension of credit on behalf of the entity.
AS §06.01.028 and regulations concerning banks and financial institutions are enforced by the Alaska Department of Commerce, Community, and Economic Development ('DCCED'). The DCCED may impose civil monetary penalties. If the violation is caused by a person other than a financial institution, the civil monetary penalty is not more than $2,500 a day for a single violation, and not more than $25,000 for multiple violations that constitute a single proceeding or a series of related proceedings. If the violation is caused by a financial institution, the civil monetary penalty is not more than $5,000 a day for a single violation, and not more than $50,000 for multiple violations that constitute a single proceeding or a series of related proceedings. Violations of this statute can also carry criminal penalties.
AS §23.05.080 requires an employer to keep an accurate record of the name, address, and occupation of each person employed, of the daily and weekly hours worked by each person, and of the wages paid each pay period to each person. The record must be kept on file for at least three years.
AS §23.10.100 requires an employer to keep for at least three years at the place where the employee is employed a record of the name, address, and occupation of each employee, the rate of pay and the amount paid each pay period to each employee, the hours worked each day and each workweek by each employee, and other payroll information that the Commissioner of the Department of Labor ('the Commissioner') may require.
The Commissioner or an authorised representative of the Commissioner may copy the employer's records at any reasonable time.
AS §23.10.430 outlines that an employer must permit an employee or former employee to inspect and make copies of the employee's personnel file and other personnel information maintained by the employer concerning the employee under reasonable rules during regular business hours. The employer may require the employee or former employee to pay the reasonable cost of duplication. This Section further provides that:
- 'Employee' means a person employed by an employer.
- 'Employer' means a person who employs one or more other persons.
- 'Personnel file and other personnel information' means all papers, documents, and reports pertaining to a particular employee that are used or have been used by an employer to determine that employee's eligibility for employment, promotion, additional compensation, transfer, disciplinary or other adverse personnel action (§15.910(d)(1) of Article 6 of Chapter 15 of Title 8 of the Alaska Administrative Code ('AAC')).
- 'Personnel file and other personnel information' does not include (1) information of a personal nature about a person other than the employee if disclosure of the information would constitute an unwarranted invasion of the other person's privacy; (2) information relating to an ongoing investigation of a violation of a criminal or civil statute by the employee; or (3) an employer's ongoing investigation of employee misconduct (8 AAC §15.910(d)(2)).
AS §45.50.475 outlines that it is an unfair method of competition and an unfair or deceptive act or practice in the conduct of trade or commerce for a person to:
- engage in a telephone solicitation of a customer whose telephone number has been registered with the national do not call registry for the minimum amount of time required by the national do not call registry before the date the call is made;
- engage in the telephone solicitation of a customer who has previously communicated to the telephone solicitor, or to the business enterprise or charitable organisation for which the person is calling, the customer's desire not to receive telephone solicitations to that number; or
- originate a telephone call using an automated or recorded message as a telephonic advertisement or telephone solicitation.
AS §45.50.479 outlines that a person may not send unsolicited commercial electronic mail to another person from a computer located in this state or to an electronic mail address that the sender knows is held by a resident of this state if the commercial electronic mail contains information that consists of explicit sexual material that another law provides may only be viewed, purchased, rented, leased, or held by an individual who is 18 years of age or older, unless the subject line of the advertisement contains 'ADV:ADLT' as the first eight characters. Furthermore, it provides that:
- 'Commercial electronic mail' means electronic mail consisting of advertising material for the lease, sale, rental, gift, offer, or other disposition of real property, goods, or services, including an extension of credit;
- 'Explicit sexual material' means material that visually or aurally depicts conduct described in AS §11.41.455(a), but is not limited to conduct engaged in by a child under 18 years of age; and
- 'Unsolicited commercial electronic mail' means commercial electronic mail sent to a person who does not have an existing personal or business relationship with the sender and has not given permission for or requested the sending of the commercial electronic mail.
AS §§45.48.500 to 590 provide that businesses and government agencies are required to take reasonable measures to protect against unauthorised access to, or use of, records when disposing of records containing personal information. To comply with this requirement, a business or government agency can implement compliance and monitoring policies that require the destruction of personal information or enter a contract with a third party for the disposal and destruction of the records. A business or government agency is not liable for the disposal after relinquishing control of the records to a third party that is in the business of record destruction.
Knowing violations of this section are subject to a $3,000 penalty plus actual economic damages, court costs, and full reasonable attorneys' fees. In addition, this Section provides that:
- 'Business' means a person who conducts business in the state of Alaska or a person who conducts business in the state of Alaska and maintains or otherwise possesses personal information on Alaska State residents.
- 'Conducts business' includes engaging in activities as a financial institution organised, chartered, or holding a licence or authorisation certificate under the laws of the state of Alaska, another state, the US, or another country.
- 'Possesses' includes possession for the purpose of destruction.
- 'Dispose' means:
  - the discarding or abandonment of records containing personal information; or
  - the sale, donation, discarding, or transfer of (1) any medium, including computer equipment or computer media, that contains records of personal information; (2) non-paper media, other than that identified in point (1) above, on which records of personal information are stored; and (3) equipment for non-paper storage of information.
- 'Governmental agency' means a state or local governmental agency, except for an agency of the judicial branch.
- 'Personal information' means:
  - an individual's passport number, driver's licence number, state identification number, bank account number, credit card number, debit card number, other payment card number, financial account information, or information from a financial application; or
  - a combination of an individual's name and medical information, insurance policy number, employment information, or employment history.
- 'Records' means material on which information that is written, drawn, spoken, visual, or electromagnetic is recorded or preserved, regardless of physical form or characteristics, but does not include publicly available information containing names, addresses, telephone numbers, or other information an individual has voluntarily consented to have publicly disseminated or listed.
A biometric privacy law was first proposed in the Alaska Legislature in 2017. To date, it has not moved forward beyond being a proposal.