The state's not telling.

Internal privacy audits released by the Department of Administration on Tuesday are so heavily blacked out that it's impossible to determine what information some state agencies collect, how they collect it and what they do with it once it's in their hands.

Even the names of officials who wrote and received memos on the subject were blacked out from the records.

Nevertheless, a preliminary review of the audits hints at some weaknesses in protecting the information.

Cari Anne Renlund, DOA's chief legal counsel, said she blacked out details about the collection and handling of private information to make sure it wouldn't fall into the wrong hands.

"The audits list the confidential information the state holds, describe how and where it is maintained, and identify vulnerabilities in how it is secured," Renlund wrote in a letter to the Wisconsin State Journal, which requested the audits under the state's open records law. "Releasing the audits without redactions would provide a 'key to the lockbox' to potential hackers and identity thieves."

But Peter Fox, executive director of the Wisconsin Newspaper Association, said while he understood the need for caution, some of the cuts "just seem curious."

"Essentially, by redacting the information, they have made it classified," Fox said after reviewing samples of the blacked-out audits. "I would be interested to know what were the overarching criteria for redacting specific elements of information (and) the qualifications of the individuals who made the decisions to redact."

The State Journal's request covered just the audits, which were intended to provide an accounting of the information agencies collect. The newspaper did not seek any confidential information.

Doyle acts

The audits, conducted by 15 Cabinet agencies, were made public the same day Gov. Jim Doyle ordered state agencies to stop using Social Security numbers when possible and called on them to conduct annual privacy assessments, improve training for workers and institute other safeguards.

Doyle on Tuesday also released a private company's review of state privacy practices. Metavante, the Milwaukee financial services company that conducted the review for free, said the state "has implemented many effective practices for the protection of sensitive information."

But it recommended the state create a standard privacy program across agencies that addresses who collects, handles and stores sensitive information.

Doyle ordered the Metavante review and internal audits in the wake of two security breaches in January involving the accidental release of Social Security numbers of state residents.

Inconsistencies

A preliminary review of the audits Tuesday show inconsistencies in what kinds of information DOA released about agency practices.

For example, it disclosed that the state Department of Revenue collects such information as names, Social Security numbers, bank account information, income, dates of birth and other sensitive information from taxpayers.

DOR collects the information for tax purposes, although it is also used in criminal investigations and for involuntary collection actions, among other things.

In contrast, DOA blacked out all references to what type of information is collected by the Department of Health and Family Services' Division of Children & Family Services. Also blacked out were details about how the information is collected and what happens to it once the agency receives it.

Renlund said DOA made the cuts after consulting the agencies' lawyers and Mike Lettman, director of information security for DOA's Division of Enterprise Technology.

Some of the audits did offer candid assessments of potential security problems, details Renlund said she cut out because she didn't want unscrupulous people trying to exploit them.

But it's hard to tell from what's left how serious the problems are, or if they have been corrected.

For example, one memo by a Department of Agriculture, Trade and Consumer Protection employee — whose name is blacked out — reads:

"... also raised concerns about how ... to existing ... are often kept in ... and ... and ... who should not have access know where to find them."

In another memo, the Department of Transportation reported, "The ... in ... identified and corrected a ... flaw that printed the FEIN/SSN of businesses on solicitation mailing labels."