U.S. Department of Health and Human Services
Office of the Assistant Secretary for Planning and Evaluation (ASPE)
https://aspe.hhs.gov/reports/records-computers-rights-citizens

RECORDS, COMPUTERS AND THE RIGHTS OF CITIZENS


Publication Date
Jun 30, 1973


TRANSMITTAL LETTER TO SECRETARY



Honorable Caspar W. Weinberger
Secretary of Health, Education, and Welfare



Dear Mr. Secretary:

It is a privilege for me to submit this report to you on behalf of the
Secretary's Advisory Committee on Automated Personal Data Systems. The Committee
believes that the report makes a significant contribution toward understanding
many of the problems arising from the application of computer technology to
record keeping about people. Our recommendations provide the framework for
general solutions and also specify actions to be taken both within HEW and by
the Federal government as a whole.

We are grateful for the interest that you have expressed in our work. Both you
and former Secretary Richardson deserve praise for responding to public concern
about the issues posed by automation of personal-data record-keeping
operations. We have greatly appreciated the opportunity to be of service to you
and the Department, and, we hope, to all our fellow citizens.

Our undertaking has required the cooperation of many agencies and organizations
and the assistance of many individuals. We wish to thank everyone at HEW who
helped us. The contributions of individuals who served as our immediate staff
are acknowledged in the Preface to the report. We wish to note particularly the
remarkable diligence and devotion to our task of our Executive Director, David
B. H. Martin, and Associate Executive Director, Carole Watts Parsons.

Sincerely,

Willis H. Ware
Chairman


FOREWORD BY SECRETARY CASPAR W. WEINBERGER

Computers linked together through high-speed telecommunications networks are
destined to become the principal medium for making, storing, and using records
about people. Innovations now being discussed throughout government and private
industry recognize that the computer-based record-keeping system, if properly
used, can be a powerful management tool. Its capacity for timely retrieval and
analysis of complex bodies of data can be of invaluable assistance to
hard-pressed decision makers. Its ability to handle masses of individual
transactions in minutes and hours rather than in weeks or months, as was
formerly the case, makes possible programs of service to people that would have
been unthinkable in the manual record-keeping era. Medicare, for example, would
be impossible to administer without computers to take over many routine clerical
functions. Computer-based public assistance payments systems are also helping
States and counties to assure that welfare payments go to those who truly need
and deserve them. This Administration's strategy calls for strengthening direct
support of individuals, for putting cash directly in the hands of those who need
it, and keeping accurate, up-to-date, easily retrieved records on individual
beneficiaries helps achieve that goal.

Nonetheless, it is important to be aware, as we embrace this new technology,
that the computer, like the automobile, the skyscraper, and the jet airplane,
may have some consequences for American society that we would prefer not to have
thrust upon us without warning. Not the least of these is the danger that some
record keeping applications of computers will appear in retrospect to have been
oversimplified solutions to complex problems, and that their victims will be
some of our most disadvantaged citizens.

This report of the Secretary's Advisory Committee on Automated Personal Data
Systems calls attention to issues of record keeping practice in the computer age
that may have profound significance for us all.

One of the most crucial challenges facing government in the years immediately
ahead is to improve its capacity to administer tax dollars invested in human
services. To that end, we are attempting to eliminate ineligibility,
overpayment, and other errors from welfare caseloads. We are encouraging local
government and public and private service agencies to forge new cooperative
links with one another. We are attempting to move away from the fragmented
social service structures of the past, which have dealt with individuals and
with families as if their problems could be neatly compartmentalized; that is,
as if they were not people. Many of these measures could result in more
intensive and more centralized record keeping on individuals than has been
customary in our society. Potentially, at least, this is a double-edged sword,
as the Committee points out. On the one hand, it can help to assure that
decisions about individual citizens are made on the basis of accurate,
up-to-date information. On the other, it demands a hard look at the adequacy of
our mechanisms for guaranteeing citizens all the protections of due process in
relation to the records we maintain about them.

The report of the Secretary's Advisory Committee on Automated Personal Data
Systems deserves to be widely read and discussed. It represents the views of an
unusual mixture of experts and laymen. The Committee obviously considers its
recommendations to be a reasonable response to a difficult set of problems. The
Committee has taken a firm position with which some may disagree. However, we
should be grateful to the Committee for speaking with such a clear voice. In
doing so, it has no doubt set in motion the kind of constructive dialogue on
which a free society thrives.

Caspar W. Weinberger


PREFACE

This is a report about changes in American society which may result from using
computers to keep records about people. Its central concern is the relationship
between individuals and recordkeeping organizations. It identifies key issues
and makes specific recommendations for action.

The Secretary's Advisory Committee on Automated Personal Data Systems was
established by former Secretary of Health, Education, and Welfare Elliot L.
Richardson in response to growing concern about the harmful consequences that
may result from uncontrolled application of computer and telecommunications
technology to the collection, storage, and use of data about individual
citizens. The formation of the Committee rests upon a public interest
determination made by Secretary Richardson which provides in part as follows:

The use of automated data systems containing information about individuals is
growing in both the public and private sectors .... The Department itself uses
many such systems, and in addition, a substantial number .. are used by other
organizations, both public and private, with financial or other support ... from
the Department ... At the same time, there is a growing concern that automated
personal data systems present a serious potential for harmful consequences,
including infringement of basic liberties. This has led to the belief that
special safeguards should be developed to protect against potentially harmful
consequences for privacy and due process.

The Committee was asked to analyze and make recommendations about:

 * Harmful consequences that may result from using automated personal data
   systems;
 * Safeguards that might protect against potentially harmful consequences;
 * Measures that might afford redress for any harmful consequences;
 * Policy and practice relating to the issuance and use of Social Security
   numbers.

The Committee's membership encompassed a broad range of expertise and experience
and an equally diverse range of viewpoints. Some members came from the social
service professions where large-scale data banks are a fact of life, not a
probable future development. Others came from management backgrounds in both
government and private industry. Many have had practical experience in operating
or using automated personal data systems in settings ranging from a nationwide
credit-bureau network to the program management information system of a State
government. Others came from the academy, and from parts of the research
community concerned with applying knowledge developed by the information
sciences. Two members of the Committee were State legislators; one was a labor
union official; others were lawyers and private citizens.

Given this diversity, it should be no surprise that at our first meetings, in
the spring of 1972, the views of individual members on the significance of
applying computer technology to personal-data record keeping sometimes differed
sharply. Many, indeed probably most, did not initially feel a sense of urgency
about the potential ill effects of current practices in the design and operation
of automated personal data systems. Some agreed that computer-based record
keeping poses a latent danger to individual citizens, but looked optimistically
to technological innovations, particularly access-control devices, to prevent
problems from arising. Others painted dramatic portraits of the potential
benefits of large-scale data networks to citizens in a densely populated, highly
mobile society, benefits that would accrue to all social and economic classes,
enhancing knowledge, increasing the efficiency of social services, and expanding
personal freedom.

Slowly, however, the attitudes of the members changed. Shared concerns took root
as we heard testimony from over 100 witnesses representing more than 50
different organizations, and as we reviewed a substantial collection of written
materials, including reports by similar commissions in this country, Canada,
Great Britain, and Sweden. The Committee also gathered information on related
studies and fact-finding efforts through a special inquiry to approximately 250
trade and professional associations and public interest groups. (Appendix A
lists the individuals who appeared before the Committee and the groups and
organizations to which our letter of inquiry was sent.)

Out of this array of personal contacts, written communications, and published
documents, our report to the Secretary has emerged. We perceive ourselves as
sharing concerns and perspectives expressed in other recent reports on
computer-based record keeping; among them Privacy and Computers (1972), the
report of a task force established jointly by the Canadian Departments of
Communications and Justice; Data and Privacy (1972), the report of the Swedish
Committee on Automated Personal Systems; and Databanks in a Free Society (1972),
the report of the National Academy of Sciences Project on Computer Databanks.

Our undertaking has required the cooperation of many agencies and organizations
and the assistance of many individuals to all of whom we are grateful. We thank
all those in HEW who helped us, noting particularly the generous cooperation of
Al Guolo, James J. Trainor, Mrs. Lottie C. Owen, and James D. Smith. The
assistance of those who worked as our immediate staff and consultants deserves
special acknowledgement as follows:

For general research support and helping to make our meetings productive - Paul J.
Corkery, John P. Fanning, Courtney B. Justice, Nancy J. Kleeman, Terrence D.C.
Kuch, Carolyn Lewis, William L. Marcus, John J. Salasin, Leonard Sherp,
Frederick H. Sontag, Lindsay Spooner, Jeffrey L. Steele, and Lynn Zusman;

For legal research and drafting - John P. Fanning;

For helping to prepare and edit drafts of the report and for preparing
appendices - John P. Fanning, Terrence D.C. Kuch, Daniel H. Lufkin, Lindsay
Spooner, and Patricia Tucker;

For typewriting and proofreading draft after draft of the report - Claire I.
Hunkin, Rose Schiano, and Patricia Young;

For painstaking administrative support - Beverlyann Garfield, Ronald C. Lett,
James F. Sasser, Rose Schiano, and Helen C. Szpakowski.

Finally, we wish to note especially the dedication and complete personal
commitment to all aspects of the Committee's undertaking by David B.H. Martin,
Special Assistant to the Secretary, who served as Executive Director for the
Committee, and Carole Watts Parsons, Associate Executive Director. Without their
patient prodding and tireless efforts, this report could not have been
completed.

Willis H. Ware, Chairman, Secretary's Advisory Committee on Automated Personal
Data Systems


COMMITTEE MEMBERS

SECRETARY'S ADVISORY COMMITTEE ON AUTOMATED PERSONAL DATA SYSTEMS*

WILLIS H. WARE, Corporate Research Staff, The Rand Corporation,
Santa Monica, California, Chairman

LAYMAN E. ALLEN, Professor of Law, University of Michigan Law School,
Ann Arbor, Michigan

JUAN A. ANGLERO, Assistant Secretary for Planning & Development, Department of
Social Services,
Commonwealth of Puerto Rico

STANLEY J. ARONOFF, Ohio State Senator,
Cincinnati, Ohio

WILLIAM T. BAGLEY,  California State Assemblyman,
Sacramento, California

PHILIP M. BURGESS, Professor of Political Science, The Ohio State University,
Columbus, Ohio

GERTRUDE M. COX,  Statistical Consultant,
Raleigh, North Carolina

K. PATRICIA CROSS, Senior Research Psychologist, Educational Testing Service,
Berkeley, California

GERALD L. DAVEY, President and Chief Executive Officer, Medlab Computer
Services, Inc.,
Salt Lake City, Utah

J. TAYLOR DeWEESE,  Philadelphia, Pennsylvania

GUY H. DOBBS, Vice President, Xerox Computer Services,
Los Angeles, California

**ROBERT R.J. GALLATI, Director, New York State Identification and Intelligence
System (NYSIIS),
Albany, New York

FLORENCE R. GAYNOR, Executive Director, Martland Hospital,
Newark, New Jersey

***JOHN L. GENTILE, Deputy Director, State of Illinois Department of Finance,
Springfield, Illinois

*FRANCES GROMMERS, M.D., Visiting Lecturer, Harvard School of Public Health,
Boston, Massachusetts

JANE L. HARDAWAY, Commissioner, State of Tennessee Department of Personnel,
Nashville, Tennessee

JAMES C. MARA, Administrator of Educational Accountability, State of Florida
Department of Education,
Tallahassee, Florida

PATRICIA J. LANPHERE, Assistant Supervisor, Bureau of Services to Families and
Children, State of Oklahoma Department of Institutions, Social and
Rehabilitative Services,
Oklahoma City, Oklahoma

ARTHUR R. MILLER, Professor of Law, Harvard Law School,
Cambridge, Massachusetts

DON M. MUCHMORE, Senior Vice President, California Federal Savings and Loan
Association,
Los Angeles, California

JANE V. NOREEN, St. Paul, Minnesota

ROY SIEMILLER, Vice President, Labor Relations, National Alliance of
Businessmen, Washington, D.C.

MRS. HAROLD SILVER, Denver, Colorado

SHEILA M. SMYTHE, Vice President, Associated Hospital Service of New York,
New York, New York

JOSEPH WEIZENBAUM, Professor of Computer Science, Massachusetts Institute of
Technology,
Cambridge, Massachusetts

DAVID B.H. MARTIN, Special Assistant to the Secretary of Health, Education, and
Welfare, Executive Director

CAROLE W. PARSONS, Associate Executive Director

*Dr. Grommers served as Chairman of the Committee from May, 1972 to January,
1973; she was unable to continue as a member of the Committee thereafter.

**On April 1, 1973, Dr. Gallati assumed responsibility as Commanding Officer,
Inspection Division, Police Department, City of New York.

***On April 1, 1973, Mr. Gentile joined the U.S. Postal Service as Assistant
Postmaster General, Management Information Systems Department.


SUMMARY AND RECOMMENDATIONS

The Secretary's Advisory Committee on Automated Personal Data Systems comprised
a cross section of experienced and concerned citizens appointed by the Secretary
of Health, Education, and Welfare to analyze the consequences of using computers
to keep records about people. The Committee assessed the impact of
computer-based record keeping on private and public matters and recommended
safeguards against its potentially adverse effects. The Committee paid
particular attention to the dangers implicit in the drift of the Social Security
number toward becoming an all-purpose personal identifier and examined the need
to insulate statistical-reporting and research data from compulsory legal
process.

The Committee's report begins with a brief review of the historical development
of records and record keeping, noting the different origins of administrative,
statistical, and intelligence records, and the different traditions and
practices that have grown up around them. It observes that the application of
computers to record keeping has challenged traditional constraints on
recordkeeping practices. The computer enables organizations to enlarge their
data-processing capacity substantially, while greatly facilitating access to
recorded data, both within organizations and across boundaries that separate
them. In addition, computerization creates a new class of record keepers whose
functions are technical and whose contact with the suppliers and users of data
are often remote.

The report explores some of the consequences of these changes and assesses their
potential for adverse effect on individuals, organizations, and the society as a
whole. It concludes that the net effect of computerization is that it is
becoming much easier for record-keeping systems to affect people than for people
to affect record-keeping systems. Even in nongovernmental settings, an
individual's control over the use that is made of personal data he gives to an
organization, or that an organization obtains about him, is lessening.

Concern about computer-based record keeping usually centers on its implications
for personal privacy, and understandably so if privacy is considered to entail
control by an individual over the uses made of information about him. In many
circumstances in modern life, an individual must either surrender some of that
control or forego the services that an organization provides. Although there is
nothing inherently unfair in trading some measure of privacy for a benefit, both
parties to the exchange should participate in setting the terms.

Under current law, a person's privacy is poorly protected against arbitrary or
abusive record-keeping practices. For this reason, as well as because of the
need to establish standards of record-keeping practice appropriate to the
computer age, the report recommends the enactment of a Federal "Code of Fair
Information Practice" for all automated personal data systems. The Code rests on
five basic principles that would be given legal effect as "safeguard
requirements" for automated personal data systems.

 * There must be no personal data record keeping systems whose very existence is
   secret.
 * There must be a way for an individual to find out what information about him
   is in a record and how it is used.
 * There must be a way for an individual to prevent information about him that
   was obtained for one purpose from being used or made available for other
   purposes without his consent.
 * There must be a way for an individual to correct or amend a record of
   identifiable information about him.
 * Any organization creating, maintaining, using, or disseminating records of
   identifiable personal data must assure the reliability of the data for their
   intended use and must take precautions to prevent misuse of the data.

The proposed Code calls for two sets of safeguard requirements; one for
administrative automated personal data systems and the other for automated
personal data systems used exclusively for statistical reporting and research.
Special safeguards are recommended for administrative personal data systems
whose statistical reporting and research applications are used to influence
public policy.

The safeguard requirements define minimum standards of fair information
practice. Under the proposed Code, violation of any safeguard requirement would
constitute "unfair information practice" subject to criminal penalties and civil
remedies. The Code would also provide for injunctive relief. Pending legislative
enactment of such a code, the report recommends that the safeguard requirements
be applied through Federal administrative action.

The report discusses the relationship of existing law to the proposed safeguard
requirements. It recommends that laws that do not meet the standards set by the
safeguard requirements for administrative personal data systems be amended and
that legislation be enacted to protect personal data used for statistical
reporting and research from compulsory disclosure in identifiable form.

The report examines the characteristics and implications of a standard universal
identifier and opposes the establishment of such an identification scheme at
this time. After reviewing the drift toward using the Social Security number
(SSN) as a de facto standard universal identifier, the Committee recommends
steps to curtail that drift. A persistent source of public concern is that the
Social Security number will be used to assemble dossiers on individuals from
fragments of data in widely dispersed systems. Although this is a more difficult
technical feat than most laymen realize, the increasing use of the Social
Security number to distinguish among individuals with the same name, and to
match records for statistical-reporting and research purposes, deepens the
anxieties of a public already suffused with concern about surveillance. If
record-keeping systems and their data subjects were protected by strong
safeguards, the danger of inappropriate record linkage would be small; until
then there is a strong case to be made for discouraging linkage.
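The linkage the paragraph above describes, and one way to discourage it, as an added example that is not part of the report: two constructed record sets from unrelated systems are joined first on the SSN, then on the name, and finally on a per-system pseudonym. The pseudonym (HMAC-SHA256 over the SSN under a key held only by that system) is an assumed mitigation of the kind the Committee's call for "discouraging linkage" invites, not something the report proposes; all record values and keys are made up for illustration.

```python
"""Why a shared identifier makes record linkage easy, and one way to discourage it.

Added example, not code from the report. Sample records and keys are constructed.
"""
import hashlib
import hmac

# Constructed sample data: two unrelated systems that both record the SSN.
WELFARE_RECORDS = [
    {"ssn": "123-45-6789", "name": "John Smith", "benefit": 210},
    {"ssn": "987-65-4321", "name": "John Smith", "benefit": 95},   # same name, other person
    {"ssn": "222-33-4444", "name": "Ann Lee", "benefit": 140},
]
CREDIT_RECORDS = [
    {"ssn": "123-45-6789", "name": "John Smith", "balance": 1800},
    {"ssn": "555-00-1111", "name": "Mary Jones", "balance": 40},
]


def link_on(key, left, right):
    """Join two record sets on a common field; each match is one merged 'dossier'."""
    index = {}
    for rec in right:
        index.setdefault(rec[key], []).append(rec)
    return [{**lrec, **rrec} for lrec in left for rrec in index.get(lrec[key], [])]


def pseudonymize(records, system_key):
    """Replace the SSN by a pseudonym only this system can reproduce.

    A plain hash would not do: there are at most a billion SSN values, so anyone
    can tabulate SHA-256 over all of them and invert the hash. HMAC under a
    secret key per system keeps the mapping deterministic inside the system
    (the same person always gets the same pseudonym, so same-name cases still
    resolve) but unreproducible by a system that does not hold the key.
    """
    out = []
    for rec in records:
        tag = hmac.new(system_key, rec["ssn"].encode(), hashlib.sha256).hexdigest()
        out.append({**{k: v for k, v in rec.items() if k != "ssn"}, "pid": tag})
    return out


def demo():
    """Return match counts for each linkage key on the constructed data."""
    # On the SSN: exact and unambiguous, one dossier per shared subject.
    by_ssn = link_on("ssn", WELFARE_RECORDS, CREDIT_RECORDS)
    # On the name: both John Smiths match the one credit record; which is right is unknown.
    by_name = link_on("name", WELFARE_RECORDS, CREDIT_RECORDS)

    # Each system keys its pseudonyms with its own secret (constructed values here).
    welfare = pseudonymize(WELFARE_RECORDS, b"welfare-system-key-7f3a")
    credit = pseudonymize(CREDIT_RECORDS, b"credit-bureau-key-91cc")
    cross_system = link_on("pid", welfare, credit)   # different keys: nothing joins

    # Inside one system the pseudonym still separates the two John Smiths.
    distinct_within = len({r["pid"] for r in welfare})
    return {"linked_by_ssn": len(by_ssn), "linked_by_name": len(by_name),
            "linked_by_pseudonym": len(cross_system), "distinct_within": distinct_within}


if __name__ == "__main__":
    print(demo())
```

The mitigation only holds while each key stays inside its own system: a party that obtains both keys, or that still receives the raw SSN, can link as before. That is the "strong safeguards" condition the Committee attaches before linkage becomes a small danger.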

The report recommends that use of the Social Security number be limited to
Federal programs that have a specific Federal legislative mandate to use the
SSN, and that new legislation be enacted to give an individual the right to
refuse to disclose his SSN under all other circumstances. Furthermore, any
organization or person required by Federal law to obtain and record the SSN of
any individual for some Federal program purpose must be prohibited from making
any other use or disclosure of that number without the individual's informed
consent.

The report recognizes the need to improve the reliability of the Social Security
number as an instrument for strengthening the administration of certain
Federally supported programs of public assistance. It also recognizes that
issuing Social Security numbers to ninth-grade students in schools is likely to
be consistent with the needs and convenience of young people seeking part-time
employment and who need an SSN for Social Security and Federal income tax
purposes. Accordingly, the Committee endorses the recommendation of the Social
Security Task Force that a positive program of issuing SSNs to ninth-grade
students in schools be undertaken. It does so, however, on the condition that no
school system shall be induced to cooperate in such a program against its will,
and that any person shall have a right to refuse to be issued an SSN in
connection with such a program. The Committee recommends that there be no
positive program of issuing SSNs to children in schools below the ninth-grade
level; and that the 1972 legislation amending the Social Security Act to require
enumeration of all persons who benefit from any Federally supported program be
interpreted narrowly. Finally, the Committee recommends legislation to prohibit
use of the Social Security number for promotional or commercial purposes.

The last chapter of the report contains an agenda of actions to be taken for
implementing the Committee's recommendations, which are set forth in full below.

RECOMMENDATIONS

Code of Fair Information Practice

We recommend the enactment of legislation establishing a Code of Fair
Information practice for all automated personal data systems.

 * The Code should define "fair information practice" as adherence to specified
   safeguard requirements.
 * The Code should prohibit violation of any safeguard requirement as an "unfair
   information practice."
 * The Code should provide that an unfair information practice be subject to
   both civil and criminal penalties.
 * The Code should provide for injunctions to prevent violation of any safeguard
   requirement.
 * The Code should give individuals the right to bring suits for unfair
   information practices to recover actual, liquidated, and punitive damages, in
   individual or class actions. It should also provide for recovery of reasonable
   attorneys' fees and other costs of litigation incurred by individuals who
   bring successful suits.

Pending the enactment of a code of fair information practice, we recommend that
all Federal agencies (i) apply the safeguard requirements, by administrative
action, to all Federal systems, and (ii) assure, through formal rule making,
that the safeguard requirements are applied to all other systems within reach of
the Federal government's authority. Pending the enactment of a code of fair
information practice, we urge that State and local governments, the institutions
within reach of their authority, and all private organizations adopt the
safeguard requirements by whatever means are appropriate.

Safeguards Requirements for Administrative Personal Data Systems

I. GENERAL REQUIREMENTS

A. Any organization maintaining a record of individually identifiable personal
data, which it does not maintain as part of an administrative automated personal
data system, shall make no transfer of any such data to another organization,
without the prior informed consent of the individual to whom the data pertain,
if, as a consequence of the transfer, such data will become part of an
administrative automated personal data system that is not subject to these
safeguard requirements.

B. Any organization maintaining an administrative automated personal data system
shall:

(1) Identify one person immediately responsible for the system, and make any
other organizational arrangements that are necessary to assure continuing
attention to the fulfillment of the safeguard requirements;

(2) Take affirmative action to inform each of its employees having any
responsibility or function in the design, development, operation, or maintenance
of the system, or the use of any data contained therein, about all the safeguard
requirements and all the rules and procedures of the organization designed to
assure compliance with them;

(3) Specify penalties to be applied to any employee who initiates or otherwise
contributes to any disciplinary or other punitive action against any individual
who brings to the attention of appropriate authorities, the press, or any member
of the public, evidence of unfair information practice;

(4) Take reasonable precautions to protect data in the system from any
anticipated threats or hazards to the security of the system;

(5) Make no transfer of individually identifiable personal data to another
system without (i) specifying requirements for security of the data, including
limitations on access thereto, and (ii) determining that the conditions of the
transfer provide substantial assurance that those requirements and limitations
will be observed, except in instances when an individual specifically requests
that data about him be transferred to another system or organization;

(6) Maintain a complete and accurate record of every access to and use made of
any data in the system, including the identity of all persons and organizations
to which access has been given;

(7) Maintain data in the system with such accuracy, completeness, timeliness,
and pertinence as is necessary to assure accuracy and fairness in any
determination relating to an individual's qualifications, character, rights,
opportunities, or benefits, that may be made on the basis of such data; and

(8) Eliminate data from computer-accessible files when the data are no longer
timely.

II. PUBLIC NOTICE REQUIREMENT

Any organization maintaining an administrative automated personal data system
shall give public notice of the existence and character of its system once each
year. Any organization maintaining more than one system shall publish such
annual notices for all its systems simultaneously. Any organization proposing
to establish a new system, or to enlarge an existing system, shall give public
notice long enough in advance of the initiation or enlargement of the system to
assure individuals who may be affected by its operation a reasonable opportunity
to comment. The public notice shall specify:

(1) The name of the system;

(2) The nature and purpose(s) of the system;

(3) The categories and number of persons on whom data are (to be) maintained;

(4) The categories of data (to be) maintained, indicating which categories are
(to be) stored in computer-accessible files;

(5) The organization's policies and practices regarding data storage, duration
of retention of data, and disposal thereof;

(6) The categories of data sources;

(7) A description of all types of use (to be) made of data, indicating those
involving computer-accessible files, and including all classes of users and the
organizational relationships among them;

(8) The procedures whereby an individual can (i) be informed if he is the
subject of data in the system; (ii) gain access to such data; and (iii) contest
their accuracy, completeness, pertinence, and the necessity for retaining them;

(9) The title, name, and address of the person immediately responsible for the
system.

III. RIGHTS OF INDIVIDUAL DATA SUBJECTS

Any organization maintaining an administrative automated personal data system
shall:

(1) Inform an individual asked to supply personal data for the system whether he
is legally required, or may refuse, to supply the data requested, and also of
any specific consequences for him, which are known to the organization, of
providing or not providing such data;

(2) Inform an individual, upon his request, whether he is the subject of data in
the system, and, if so, make such data fully available to the individual, upon
his request, in a form comprehensible to him;

(3) Assure that no use of individually identifiable data is made that is not
within the stated purposes of the system as reasonably understood by the
individual, unless the informed consent of the individual has been explicitly
obtained;

(4) Inform an individual, upon his request, about the uses made of data about
him including the identity of all persons and organizations involved and their
relationships with the system;

(5) Assure that no data about an individual are made available from the system
in response to a demand for data made by means of compulsory legal process,
unless the individual to whom the data pertain has been notified of the demand;
and

(6) Maintain procedures that (i) allow an individual who is the subject of data
in the system to contest their accuracy, completeness, pertinence, and the
necessity for retaining them; (ii) permit data to be corrected or amended when
the individual to whom they pertain so requests; and (iii) assure, when there is
disagreement with the individual about whether a correction or amendment should
be made, that the individual's claim is noted and included in any subsequent
disclosure or dissemination of the disputed data.

Existing laws or regulations affording individuals greater protection than the
safeguard requirements should be retained, and those providing less protection
should be amended to meet the basic standards set by the safeguards. In
particular, we recommend

 * That the Freedom of Information Act be amended to require an agency to
   obtain the consent of an individual before disclosing in personally
   identifiable form exempted category data about him, unless the disclosure is
   within the purposes of the system as specifically required by statute.
 * That pending such amendment of the Act, all Federal agencies provide for
   obtaining the consent of individuals before disclosing individually
   identifiable exempted-category data about them under the Freedom of
   Information Act.
 * That the Fair Credit Reporting Act be amended to provide for actual, personal
   inspection by an individual of his record along with the opportunity to copy
   its contents, or to have copies made; and that the exceptions from disclosure
   to the individual now authorized by the Fair Credit Reporting Act for medical
   information and sources of investigative information be omitted.

Statistical-Reporting and Research

Uses of Administrative Personal Data Systems

In light of our inquiry into the statistical-reporting and research uses of
personal data in administrative record-keeping systems, we recommend that steps
be taken to assure that all such uses are carried out in accordance with five
principles:

First, when personal data are collected for administrative purposes, individuals
should under no circumstances be coerced into providing additional personal data
that are to be used exclusively for statistical reporting and research. When
application forms or other means of collecting personal data for an
administrative data system are designed, the mandatory or voluntary character of
an individual's responses should be made clear.

Second, personal data used for making determinations about an individual's
character, qualifications, rights, benefits, or opportunities, and personal data
collected and used for statistical reporting and research, should be processed
and stored separately.

Third, the amount of supplementary statistical-reporting and research data
collected and stored in personally identifiable form should be kept to a
minimum.

Fourth, proposals to use administrative records for statistical reporting and
research should be subjected to careful scrutiny by persons of strong
statistical and research competence.

Fifth, any published findings or reports that result from secondary
statistical-reporting and research uses of administrative personal data systems
should meet the highest standards of error measurement and documentation.

In addition, there are certain safeguards that can be feasibly applied to all
administrative personal data systems used for statistical reporting and
research. Specifically, we recommend that the following requirements be added to
the safeguard requirements for administrative personal data systems:

Under I. General Requirements, add

C. Any organization maintaining an administrative automated personal data system
that publicly disseminates statistical reports or research findings based on
personal data drawn from the system, or from systems of other organizations,
shall:

(1) Make such data publicly available for independent analysis, on reasonable
terms; and

(2) Take reasonable precautions to assure that no data made available for
independent analysis will be used in a way that might reasonably be expected to
prejudice judgments about any individual data subject's character,
qualifications, rights, opportunities, or benefits.

Under the Public Notice Requirement, add

(8a) The procedures whereby an individual, group, or organization can gain
access to data used for statistical reporting or research in order to subject
such data to independent analysis.

Systems Used Exclusively For Statistical Reporting and Research

All the features of the Code of Fair Information Practice that we recommend for
automated personal data systems would apply to systems used exclusively for
statistical reporting and research. The safeguard requirements to be included in
the Code for such systems are designed to help protect the individual citizen
against unintended or unforeseen uses of information that he provides
exclusively for statistical reporting and research, and to help assure that the
uses organizations make of such data are subject to independent expert review
and open public discussion. Pending the enactment of a code of fair information
practice, we recommend that all Federal agencies (i) apply these safeguard
requirements, by administrative action, to all Federal statistical-reporting and
research systems, and (ii) assure, through formal rule making, that the
safeguard requirements are applied to all systems within reach of the Federal
government's authority. Pending the enactment of a code of fair information
practice, we also urge that State and local governments, the institutions within
reach of their authority, and all private organizations adopt the safeguard
requirements by whatever means are appropriate.

Safeguard Requirements For Statistical-Reporting and Research Systems

I. GENERAL REQUIREMENTS

A. Any organization maintaining a record of personal data, which it does not
maintain as part of an automated personal data system used exclusively for
statistical reporting or research, shall make no transfer of any such data to
another organization without the prior informed consent of the individual to
whom the data pertain, if, as a consequence of the transfer, such data will
become part of an automated personal data system that is not subject to these
safeguard requirements or the safeguard requirements for administrative personal
data systems.

B. Any organization maintaining an automated personal data system used
exclusively for statistical reporting or research shall:

(1) Identify one person immediately responsible for the system, and make any
other organizational arrangements that are necessary to assure continuing
attention to the fulfillment of the safeguard requirements;

(2) Take affirmative action to inform each of its employees having any
responsibility or function in the design, development, operation, or maintenance
of the system, or the use of any data contained therein, about all the safeguard
requirements and all the rules and procedures of the organization designed to
assure compliance with them;

(3) Specify penalties to be applied to any employee who initiates or otherwise
contributes to any disciplinary or other punitive action against any individual
who brings to the attention of appropriate authorities, the press, or any member
of the public, evidence of unfair information practice;

(4) Take reasonable precautions to protect data in the system from any
anticipated threats or hazards to the security of the system;

(5) Make no transfer of individually identifiable personal data to another
system without (i) specifying requirements for security of the data, including
limitations on access thereto, and (ii) determining that the conditions of the
transfer provide substantial assurance that those requirements and limitations
will be observed, except in instances when each of the individuals about whom
data are to be transferred has given his prior informed consent to the transfer;
and

(6) Have the capacity to make fully documented data readily available for
independent analysis.

II. PUBLIC NOTICE REQUIREMENT

Any organization maintaining an automated personal data system used exclusively
for statistical reporting or research shall give public notice of the existence
and character of its system once each year. Any organization maintaining more
than one such system shall publish annual notices for all its systems
simultaneously. Any organization proposing to establish a new system, or to
enlarge an existing system, shall give public notice long enough in advance of
the initiation or enlargement of the system to assure individuals who may be
affected by its operation a reasonable opportunity to comment. The public notice
shall specify:

(1) The name of the system;

(2) The nature and purpose(s) of the system;

(3) The categories and number of persons on whom data are (to be) maintained;

(4) The categories of data (to be) maintained, indicating which categories are
(to be) stored in computer-accessible files;

(5) The organization's policies and practices regarding data storage, duration
of retention of data, and disposal thereof;

(6) The categories of data sources;

(7) A description of all types of use (to be) made of data, indicating those
involving computer-accessible files, and including all classes of users and the
organizational relationships among them;

(8) The procedures whereby an individual, group, or organization can gain access
to data for independent analysis;

(9) The title, name, and address of the person immediately responsible for the
system;

(10) A statement of the system's provisions for data confidentiality and the
legal basis for them.

III. RIGHTS OF INDIVIDUAL DATA SUBJECTS

Any organization maintaining an automated personal data system used exclusively
for statistical reporting or research shall:

(1) Inform an individual asked to supply personal data for the system whether he
is legally required, or may refuse, to supply the data requested, and also of
any specific consequences for him, which are known to the organization, of
providing or not providing such data;

(2) Assure that no use of individually identifiable data is made that is not
within the stated purposes of the system as reasonably understood by the
individual, unless the informed consent of the individual has been explicitly
obtained;

(3) Assure that no data about an individual are made available from the system
in response to a demand for data made by means of compulsory legal process,
unless the individual to whom the data pertain (i) has been notified of the
demand, and (ii) has been afforded full access to the data before they are made
available in response to the demand.

In addition to the foregoing safeguard requirements for all automated personal
data systems used exclusively for statistical reporting and research, we
recommend that all personal data in such systems be protected by statute from
compulsory disclosure in identifiable form. Federal legislation protecting
against compulsory disclosure should include the following features:

 * The data to be protected should be limited to those used exclusively for
   statistical reporting or research. Thus, the protection would apply to
   statistical-reporting and research data derived from administrative records,
   and kept apart from them, but not to the administrative records themselves.
 * The protection should be limited to data identifiable with, or traceable to,
   specific individuals. When data are released in statistical form, reasonable
   precautions to protect against "statistical disclosure" should be considered
   to fulfill the obligation not to disclose data that can be traced to specific
   individuals.
 * The protection should be specific enough to qualify for non-disclosure under
   the Freedom of Information Act exemption for matters "specifically exempted
   from disclosure by statute." 5 U.S.C. 552(b)(3).
 * The protection should be available for data in the custody of all
   statistical-reporting and research systems, whether supported by Federal
   funds or not.
 * Either the data custodian or the individual about whom data are sought by
   legal process should be able to invoke the protection, but only the
   individual should be able to waive it.
 * The Federal law should be controlling; no State statute should be taken to
   interfere with the protection it provides.

Use of the Social Security Number

We take the position that a standard universal identifier (SUI) should not be
established in the United States now or in the foreseeable future. By our
definition, the Social Security Number (SSN) cannot fully qualify as an SUI; it
only approximates one. However, there is an increasing tendency for the Social
Security number to be used as if it were an SUI. There are pressures on the
Social Security Administration to do things that make the SSN more nearly an
SUI.

We believe that any action that would tend to make the SSN more nearly an SUI
should be taken only if, after careful deliberation, it appears justifiable and
any attendant risks can be avoided. We recommend against the adoption of any
nationwide, standard, personal identification format, with or without the SSN,
that would enhance the likelihood of arbitrary or uncontrolled linkage of
records about people, particularly between government and government-supported
automated personal data systems.

We believe that until safeguards against abuse of automated personal data
systems have become effective, constraints should be imposed on use of the
Social Security number. After that the question of SSN use might properly be
reopened.

As a general framework for action on the Social Security number, we recommend
that Federal policy with respect to use of the SSN be governed by the following
principles:

First, uses of the SSN should be limited to those necessary for carrying out
requirements imposed by the Federal government.

Second, Federal agencies and departments should not require or promote use of
the SSN except to the extent that they have a specific legislative mandate from
the Congress to do so.

Third, the Congress should be sparing in mandating use of the SSN, and should do
so only after full and careful consideration preceded by well advertised
hearings that elicit substantial public participation. Such consideration should
weigh carefully the pros and cons of any proposed use, and should pay particular
attention to whether effective safeguards have been applied to automated
personal data systems that would be affected by the proposed use of the SSN.
(Ideally, Congress should review all present Federal requirements for use of the
SSN and determine whether these existing requirements should be continued,
repealed, or modified.)

Fourth, when the SSN is used in instances that do not conform to the three
foregoing principles, no individual should be coerced into providing his SSN,
nor should his SSN be used without his consent.

Fifth, an individual should be fully and fairly informed of his rights and
responsibilities relative to uses of the SSN, including the right to disclose
his SSN whenever he deems it in his interest to do so.

In accordance with these principles, we recommend specific, preemptive, Federal
legislation providing:

(1) That an individual has a legal right to refuse to disclose his SSN to any
person or organization that does not have specific authority provided by Federal
statute to request it;

(2) That an individual has the right to redress if his lawful refusal to
disclose his SSN results in the denial of a benefit, or the threat of denial of
a benefit; and that, should an individual under threat of loss of benefits
supply his SSN under protest to an unauthorized requestor, he shall not be
considered to have forfeited his right to redress; and

(3) That any oral or written request made to an individual for his SSN must be
accompanied by a clear statement indicating whether or not compliance with the
request is required by Federal statute, and, if so, citing the specific legal
requirement.

In addition, we recommend

(4) That the Social Security Administration undertake a positive program of
issuing SSNs to ninth-grade students in schools, provided (a) that no school
system be induced to cooperate in such a program contrary to its preference; and
(b) that any person shall have the right to refuse to be issued an SSN in
connection with such a program, and such right of refusal shall be available
both to the student and to his parents or guardians;


I. RECORDS AND RECORD KEEPERS

"The horror of that moment," the King went on, "I shall never, never forget!"
"You will, though," the Queen said, "if you don't make a memorandum of it."
Lewis Carroll, Through the Looking-Glass


HISTORICAL DEVELOPMENT

In Cabinet No. 1 of the Musee des Antiquites Nationales near Paris there lies a
wing-bone of an eagle, not much longer than a finger. On it, three rows of tiny
marks, each carefully engraved with a flint point, count off a calendar of days
from new moon to new moon. That eagle bone from the Magdalenian period, roughly
14,000 years ago, is the most ancient evidence we have of man's unique ability
to use abstract notation as an aid to memory.

Out of the Stone Age, through the dawn of agriculture, similar records in all
pre-literate cultures attest to the attempts of hunters, gatherers, and farmers
to keep track of the passing of the seasons and the meshing cycles of growth and
harvest on which survival depended. Even long after more complex societies had
fostered more elaborate forms of written record keeping, simple tally scratches,
half practical and half magical, continued to serve as records: on the tally
sticks of millers, for example, and on the six-guns of lawmen.

Record-keeping techniques grew and were perfected as once scattered tribes and
small communities were amalgamated into larger and more organized states. Among
the ancient cradles of civilization-Asia Minor, China, India, and Central and
South America-only the Inca civilization of the Andes did not develop a written
method of recording, using instead a system of knotted cords, called quipu.
Indeed, practically all the earliest writing deals with records-palace
inventories, lists of tribute to kings and sacrifices to temples, records of
royal births and deaths, traders' accounts-records of things too important to
trust to memory.

In most of the ancient world, the scribes and clerks who developed systematic
record keeping quickly expanded into generalized public administration. In Sumer
and other city-states of Mesopotamia, royal genealogies were embellished with
accounts of battles, land surveys included detailed descriptions of farms and
villages, and tax records included commentaries on the tax laws that governed
them. Gradually these commentaries were detached from records proper and took on
a separate existence. The law code of Hammurabi, for example, emerged from the
notes of scribes and marks an important milestone in the history of social
organization. Once the laws of the state achieved an existence independent of
records, the witness of the records could be used to bind the state and the
citizen equally. When both the tax laws and the size of a man's herd were
matters of public record, the pressure of public scrutiny would tend to keep
both the publican and the herdsman honest.

Systematic record keeping in the ancient world reached a high point during the
Roman Empire and then degenerated with the decline of strong central government.
During the Middle Ages the levying of taxes was left largely in the hands of
local strongmen who had little interest in record keeping. Although the laws of
inheritance and the interest of the Church in proper sacramental procedures
encouraged parishes to maintain registers of births, marriages, and deaths,
those records seldom covered the bulk of the population. In some cases, however,
rulers of newly conquered domains did order inventories and land surveys. One
such was William the Conqueror's survey, known as the Domesday Book, of the
extent and value of landholdings in England in 1086 A.D. It became the
foundation of Exchequer records that, in turn, grew to include audits of the
accounts of sheriffs and other local officials. The memory-aiding function of
these records is suggested by the title of the official responsible for keeping
them: King's Remembrancer.

As a landmark in the gradual evolution from personal sovereignty to bureaucratic
administration, the Magna Carta of A.D. 1215 laid the foundation in Anglo-Saxon
legal tradition for codifying mutual responsibilities of government and
governed. The Magna Carta, wrested from King John by his powerful barons,
reduced the independence of justices, sheriffs, and other local officials,
ensuring, in theory at least, that men who knew the common law and were willing
to observe it would hold positions of high authority. During the reign of King
John also, an administrative distinction between public and closed records began
to be observed; official records were divided into letters patent that were sent
and stored open, with the king's seal attached for authentication, and letters
close that were sent folded and sealed, and that were stored secure from public
inspection. The use and content of these two classes of records corresponds
well, as we shall see, with the modern practice of separating public from
confidential records.

As custom and statute more and more provided that government records should be
open to the public, the justification for closed or secret records came to be
their pertinence to the defense and security of the state. By the mid-1600's,
all royal courts maintained files[1] of information on the identity and activities
of citizens or aliens who were considered a threat to the state or the
sovereign. Such files covered a small number of individuals by today's
standards, but were treated with great secrecy and came to be the responsibility
of a special class of record keeper well outside the regular channels of
administration. The scope and intensity of this special field of record keeping
soon gave it a character so different from its bureaucratic origins that it
becomes convenient at this point to draw a distinction between general
administrative records and the very special intelligence records.

As the idea gradually spread that governing a state involved more than
determining and following the wishes of a small ruling class, government became
less desultory, more aligned to philosophical currents, and less reactive to the
press of random events. As government thus grew more self-conscious, the need
for planning became apparent. At first, legislators used their right of access
to public records mainly to look backwards, to reconstruct the flow of history
that had brought them to their present position. However, lawmakers bent on
reform soon found that they needed better guides than records of legal
decisions, royal correspondence, and official accounts and audits. They needed
benchmark information from which to measure progress toward the goals they wished
to achieve.

About 1750, the notion of a national census was revived for the first time since
the Roman era. Public opposition was strong at first, many people suspecting a
scheme to raise taxes. The clergy, for whom the Biblical injunction against the
taking of a census still held,[2] also were opposed. Resistance gradually
subsided, first in Scandinavia and the German states, then generally throughout
the Continent and North America. In the American democracy, where a State's
Congressional representation constitutionally depends in part on the size of its
population, a national census, at least to the extent of a simple head count,
was an obvious political necessity.

Government soon found that although there was little organized public objection
to the head count as such, probing by census takers for information about
income, family life, living habits, and other personal matters turned citizens
obstinate and made the census more difficult to take.

The problem of gathering information from an antagonistic public led to the
creation of yet another class of official records, the so-called statistical[3]
file. The essence of such a file is that the data it contains are not used to
affect specific individuals. In creating such a file, the government, in order
to gain information the public might otherwise be reluctant to give, foregoes
some of the power over individuals that administrative records containing the
same data would afford. The essential condition is that citizens believe that
their individual contributions to a statistical file will not be made public and
will not be used to punish or embarrass them.


TYPES OF RECORDS ABOUT PEOPLE

As we approach the computer age in this brief survey of record keeping, we need
to define the three main types of records that have been distinguished
historically.[4]

Administrative Records. The administrative record is often generated in the
process of a transaction: marriage, graduation, obtaining a license or permit,
buying on credit, or investing money. Usually a record that refers to an
individual includes an address or other data sufficient for identification.
Personal data in an administrative record tend to be self-reported or
gathered through open inspection of the subject's affairs. Private firms
usually treat administrative records pertaining to individuals as proprietary
information, while administrative records held by the government are normally
accessible to the public and may be shared for administrative purposes among
various agencies. Administrative records sometimes serve as credentials for an
individual; birth certificates, naturalization papers, bank records, and
diplomas all serve to define a person's status.

Intelligence Records. The intelligence record may take a variety of forms.
Familiar examples are the security clearance file, the police investigative
file, and the consumer credit report. Some of the information in an
intelligence record may be drawn from administrative records, but much of it
is the testimony of informants and the observations of investigators.
Intelligence records tend to circulate among intelligence-gathering
organizations and to be shared selectively with organizations that make
administrative determinations about individuals. Intelligence records are
seldom deliberately made public, except as evidence in legal proceedings.

Statistical Records. A statistical record is typically created in a population
census or sample survey. The data in it are usually gathered through a
questionnaire, or by some other method designed to assure the comparability of
individual responses. In nearly all cases, the identity of the record subject is
eventually separated from the data in the record. If a survey must follow a
given individual for a long time, his identity is often encoded, with the key to
the code entrusted to a separate record to guard anonymity. Data from
administrative records are sometimes used for statistical purposes, but
statistical records about identifiable individuals are generally not used for
administrative or intelligence purposes.

Not every record falls clearly into one of these three categories. The
contemporary personnel record combines features of both administrative and
intelligence records, and the records in the modern "management information
system" have both administrative and statistical uses. Many records share
characteristics of all three types to some degree. Yet whether one looks at the
relationships among records of different types historically, from the
perspective of present-day public policy, or from the point of view of the
individuals who are the subjects of records, it is apparent that, by and large,
administrative records are considered public; intelligence records, secret; and
statistical records, anonymous. Moreover, democratic traditions with respect to
the maintenance of government records about people have deep historical roots in
a number of countries,[5] and appear to be dominated by three major principles.

 * An organization should record only information that has a clear-cut relevance
   to its concerns. Religious data, for example, should not be recorded where
   there is no state supported church, and citizens should not be required to
   furnish extraneous data as the price of obtaining a benefit.
 * As much as possible, information that has been collected should be held in
   public files so that public scrutiny can act as a check on the arbitrary
   exercise of administrative authority. Closed files in government should be
   the exception, and their content and use should be regulated by specific
   laws, both to limit their extent and to assure their confidentiality.[6]
 * The three types of records described above should be held separately, and
   each should be used only for its nominal purpose. The transfer of data from
   one type of record to another should take place only under controlled
   conditions. Records that do not fall neatly into one category, and record
   systems whose structure or use blurs the boundaries between types of records,
   demand special safeguards to protect personal privacy.


FROM RECORD KEEPING TO DATA PROCESSING

In this country, the end of World War II unleashed the deferred wants and
pent-up purchasing power of the war years onto a labor-poor, capital-rich
market. To help deal with the social and economic dislocations created, first,
by demobilization, and later, by the Cold War, government kept in force many of
the controls it had established during the years of all-out mobilization. The
nation's pride in its wartime accomplishments lent a tone of confidence to even
the most ambitious planning. Industry, for its part, took advantage of new
technologies emerging from wartime research and development to make
revolutionary changes in its methods of producing and distributing goods and
services.

Acting together, these forces rapidly expanded commercial and governmental
activities in the late forties and early fifties, forcing a vast increase in the
volume of transactions requiring records about people. Compared with pre-war
years, the number of bank checks written, the number of college students, and
the number of pieces of mail all nearly doubled; the number of income-tax
returns quadrupled; and the number of Social Security payments increased by a
factor of more than 35.[7]

Technology developed during the war years was available to meet the challenge
posed by this rising tide of recorded transactions. Automated data processing,
transplanted from its military origin, quickly blossomed into a powerful
industry, feeding on the demands of commerce and government for fast and
efficient data handling, and in turn, fueling that demand by significantly
changing the philosophy and practice of management itself. Since most industries
based on a highly technical product must quickly develop a mass market to
recover the high development and tooling costs, the computer industry devoted
much attention and talent to marketing its products, without appreciating the
implications of the technological revolution it was unleashing.

By the 1960's, attractive prices, persuasive salesmen, and ingenious computer
software services had stimulated the introduction of automated data processing
equipment into a great many record-keeping organizations, sometimes with far too
little attention to the objectives and costs of automation. Although there were
many examples of diseconomies and a few outright failures, the successes were so
spectacular that the prestige of having a large-scale data processing capacity
often prompted managers to keep their computers running, even at a financial
loss.

The computer scored its earliest successes as a record keeper in fields where
the data were mainly numerical. The speed with which the computer can do complex
arithmetic, and the compactness of numerical data as compared to natural
language, were major factors in quickly amortizing the considerable expense of
installing a computer, and of converting an established record-keeping operation
to take full advantage of the computer's capabilities. Thus, the earliest
successes were heavily concentrated in science and engineering, banking,
insurance, and accounting, and, above all, in the space program, where the value
of computers in handling the intricate logistics of production, assembly, and
testing was soon discovered.


SYSTEMATIC MANAGEMENT

For computers to be used effectively as management tools, an organization must
first analyze its activities in a careful, systematic way. For example, if it is
known that the goals of an operation can be attained by more than one method,
the various alternatives can in principle be simulated on the computer, and
their relative costs and benefits thereby compared to find the most
cost-effective one. This mathematical simulation of a complex activity is called
systems analysis.

During the late sixties, planners began to extend the techniques of systems
analysis from their early engineering applications to more general problems of
society. In particular, systems analysis was brought to bear on such ambitious
tasks as improving the delivery of health care, managing the rapidly growing
welfare caseload in urban centers, and measuring the effectiveness of a
fragmented and increasingly expensive educational system.

The introduction of the disciplined methods of computer-assisted management gave
program managers new tools for "auditing" the performance of institutions in
programs of service to people. This auditing process includes:

 * Keeping track of transactions between an organization and its clients or
   beneficiaries;
 * Measuring the performance of the organization in relation to the goals set
   for it;
 * Providing information needed for planning.

Each of these functions involves information about individuals. Administrative
data are needed for everyday management of individual transactions. Statistical
data are needed for planning and for assessing the performance of a program.
Intelligence data are needed for making judgments about people's character and
qualifications; e.g., in making suitability determinations for employment,
commercial credit, welfare assistance, tuition-loan aid, or disaster relief.

The demand generated by all these uses for personal data, and for record-keeping
systems to store and process them, challenges conventional legal and social
controls on organizational record keeping. Records about people are becoming
both more ubiquitous and more important in everyday life. The number of
organizations performing service and control functions is growing. In many
cases, the scale of their operations virtually assures that the individuals they
affect will be known to them only through the contents of systematically
maintained records. A new technology is also demonstrating its potential to
accommodate radical growth in organizational record-keeping operations. Yet
society currently affords little protection for an individual who is the subject
of a record, unless some commercial or property interest is involved.

The following chapters represent our effort to demonstrate why this situation
deserves immediate attention and to recommend a course of action that, we
believe, constitutes an appropriate societal response to the problems at hand.

1 The use of the word "file" in this sense dates from the 1640's. See "File,"
Oxford English Dictionary, 1933, IV, 210.

2 II Samuel 24 and I Chronicles, 21, 23, 27.

3 The word statistics [state-istics] came into use in the late 18th century to
denote information on the condition of a state. See "Statistics," Oxford English
Dictionary, 1933, X, E64.

4 The classification follows that of Prof. Alan Westin in M. Greenberger (Ed.),
Computers, Communications, and the Public Interest (Baltimore, Md.: The Johns
Hopkins Press), 1971, p. 156.

5 The reader who is interested in comparing the American experience with that of
other nations will find a summary of available material in Appendix B, below.

6 The evolution of Federal policy with respect to the confidentiality of census
data is traced in Appendix C, below. See also Daniel J. Boorstin, The Americans:
The Democratic Experience (New York: Random House), 1973, Chapters 19-28.

7 Alan F. Westin and Michael A. Baker, Databanks in a Free Society (New York:
Quadrangle Books), 1972, pp. 224-225.


II. LATENT EFFECTS OF COMPUTER-BASED RECORD KEEPING

The dangers latent in the spread of computer-based personal-data record keeping
stem, in our view, from three effects of computers and computer-related
technology on an organization's recordkeeping practices.

 * Computerization enables an organization to enlarge its data-processing
   capacity substantially.
 * Computerization greatly facilitates access to personal data within a single
   organization, and across boundaries that separate organizational entities.
 * Computerization creates a new class of record keepers whose functions are
   technical and whose contact with original suppliers and ultimate users of
   personal data are often remote.

These three effects on personal-data record-keeping are seldom observed in
isolation from one another. Indeed, they are usually interdependent and may
acquire a self-reinforcing momentum. The discussion that follows is focused on
their potentially adverse consequences for individuals, for organizations, and
for the society as a whole. It concentrates on aspects of computer-based record
keeping that highlight the influence of the technology, but also recognizes
that organizational objectives, bureaucratic behavior, and public attitudes
account in part for many of the potentially undesirable effects we have
identified.


TOO MUCH DATA

The bare statement that computerization enables an organization to enlarge its
capacity to process information deserves amplification. Although the computer
enables a large organization to handle more data, the cost of changing from a
manual to an automated operation may practically compel a smaller organization
to exploit its data-processing capacity more fully. The cost of setting up an
automated system includes not only that of equipment and special facilities, but
also the cost of system analysis and design, of writing and testing computer
programs, and of converting manual records into computer-accessible form. Thus,
the manager of a newly automated system may have a strong economic incentive to
spread the initial cost over as large a data-processing volume as he can; and to
economize wherever possible in providing services that do not make a direct
contribution to the efficient operation of the system itself. A typical result
of this condition is that clients receive erroneous bills, unjustified dunning
letters, duplicate magazine subscriptions, and countless other symptoms of
inadequate system design and operation. Although these may be more a nuisance
than a threat, they contribute heavily to the popular image of computerization
as an offending and intrusive phenomenon.

The annoyance factor is worth more attention than many system managers give it.
Resentment engendered in customers at the mercy of a computerized billing
system, for example, spills over onto other computer operations, making
unemotional discussion of computerization in fundamentally more significant
contexts difficult.

An early incentive to concentrate on efficiency may also foster a tendency to
behave as though data management were the primary goal of a computer-based
record-keeping operation. When this occurs, unnecessary constraints may be
placed on the gathering, processing, and output of data, with the result that
the system becomes rigid and insensitive to the interests of data subjects. A
commonly observed tendency in these situations is to make the data subject do as
much of the data collection work as possible by forcing him to decide how to fit
himself into a highly structured, but limited set of data categories (e.g.,
"Please check one of the following boxes.").

This can be a way to cut down errors in transcribing data from one form of
record to another, but when done solely in the interest of economy the system
may well sacrifice flexibility and accuracy. It is true that data compression
and "shorthand" record entries did not originate with the computer; ill-adapted
categorization has been the bane of bureaucracy for generations. However, manual
record keeping can, at the stroke of a pen, take account of data that do not fit
comfortably into pre-conceived categories, while a computer record is not
usually amenable to any sort of annotation that was not expressly planned for in
the design of the system. The relative inflexibility of computer-based record
keeping, coupled with the constraints that some automated systems put on the
freedom of data subjects to provide explanatory details in responding to
questions, contributes to the so-called "dehumanizing" image of
computerization.

A recent occurrence in France illustrates how the inflexibility of an automated
personal data system can adversely affect large numbers of people.1 The computer
facility of the national family allotment system, which disburses some $600
million annually to 700,000 families in the Paris area, succumbed to the
confusion created by changes in the allotment rate for nonworking wives, young
people, and the handicapped. Efforts to unravel the difficulty were
unsuccessful, and the computer center had to be reorganized as a manual
operation in order to clear up an enormous backlog of emergency allotment
payments. The disruption of human lives resulting from the inability to use the
computer-based payments system was undoubtedly great and demonstrates why the
difficulty of making even minor changes in the computer programs of a complex
system gives cause for concern. Human bureaucracies exhibit similar rigidities,
but their procedures can usually be changed by management directive, often by a
simple promulgation of rules, and in a reasonably short time. In computer
systems, however, even a change that has the wholehearted support of all
concerned may be difficult and slow to effectuate.

This problem can become even more serious when economies of scale are sought by
consolidating the data-processing tasks of several organizations into one
automated system serving all. The effects of dysfunction then fall not only on
the customers of the system primarily at fault, but also on "bystander" data
subjects and other organizations.


EASY ACCESS

The second effect of computerization on personal-data record keeping-that it
facilitates access to data within a single organization and across boundaries
normally separating organizations-is another source of concern. Quick, cheap
access to the contents of a very large automated file often prompts an
organization or group of organizations to indulge in what might be called
"dragnet behavior."2

An example of how a very carefully planned data system of ostensible social
benefit operates as a dragnet is the National Driver Register of the Department
of Transportation (more fully described in Appendix D). It provides a central
data facility containing the names of individuals whose driver licenses are
denied or withdrawn by a State. The purpose of the Register is to give each
State access to the current revocation records of all other States, so that one
may, if it wishes, avoid issuing a license to an individual whose license has
been denied or withdrawn by another State.

Suppose that Missouri revokes John Doe's license for a serious offense. Doe
applies in Illinois for a license, neglecting to mention the Missouri
revocation. If Illinois issues Doe a license, it in effect nullifies Missouri's
action, without knowing it is doing so. Before the National Driver Register was
established, Illinois would have had to make specific inquiry to all other
States in order to discover the Missouri record of license withdrawal. Because
this was time-consuming, States tended to do it only for blatantly suspicious
cases with the presumable result that many fraudulent applications were never
detected. Now that Doe's record of license withdrawal goes into the master file
of the National Driver Register, however, one query to the Register from
Illinois will bring the Missouri action to light within 24 hours, thus
permitting Illinois to make a decision to grant or withhold a license based upon
the original Missouri record.

How can a system whose only purpose is to prevent fraud by drivers of
demonstrated unfitness have any adverse effect? The answer lies in the
efficiency of the Register; it has become easier for most States to put all
their license applications routinely onto magnetic tape to be searched against
the Register's file, rather than to separate out the suspicious cases for
special treatment. If one accepts the objectives of the system-to identify
irresponsible or incompetent drivers, and thus to reduce the number of traffic
fatalities-this is not in itself an objectionable practice. However, automated
matching of queries against NDR records generates identity matches so imprecise
that subsequent manual screening reduces the system's 5000 possible "hits" per
day to about 500 probable ones. Of the probable hits, the operators of the
Register estimate that about three quarters are true identifications; that is,
they definitely relate to an individual who has misrepresented himself in a
license application. Arithmetic does the rest; a quarter of the probable hits --
125 individuals per day -- may find that they are required to prove that their
licenses have not been withdrawn. In theory, a reply from the Register is
supposed to be treated merely as a "flag" to inform the inquiring State that
there may be a record on the individual about whom the query was made in the
revocation files of another State. At least one State, however, makes the
"flagged" applicant bear the full burden of proving that such a record does not
exist. Here, the "dragnet effect" of cheap and easy data access-the fact that
it is cheaper and more efficient to search the NDR on every license
application-has resulted in occasional nuisance and potential injustice to some
applicants.
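The dragnet arithmetic above, as an added example that is not part of the report: a constructed register of revocations and a constructed batch of routinely submitted applications are run through a loose automated match (surname and first initial) and a stricter screen (date of birth), and the applicants flagged despite not being the revoked driver are counted. All names, dates, agencies and `person_id` labels are constructed for the illustration.

```python
"""Constructed model of the National Driver Register "dragnet" effect: every
application is matched against a register of revocations; a loose name match
yields "possible hits", a stricter screen yields "probable hits", and some
probable hits still flag people who are not the revoked driver."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    surname: str
    given: str
    dob: str        # YYYY-MM-DD
    state: str
    person_id: str  # constructed ground-truth label, used only to score matches


def _norm(s: str) -> str:
    """Lower-case and drop non-letters so "O'Brien" and "OBrien" compare equal."""
    return "".join(ch for ch in s.lower() if ch.isalpha())


def possible_hit(app: Record, rec: Record) -> bool:
    """Loose automated match: same normalized surname and same first initial."""
    return (_norm(app.surname) == _norm(rec.surname)
            and _norm(app.given)[:1] == _norm(rec.given)[:1])


def probable_hit(app: Record, rec: Record) -> bool:
    """Stricter screen: the loose match must also agree on date of birth."""
    return possible_hit(app, rec) and app.dob == rec.dob


def match_applications(applications: List[Record],
                       register: List[Record]) -> Tuple[int, int, List[str]]:
    """Run every application against the register.

    Returns the number of applications with at least one possible hit, the
    number surviving the stricter screen, and the person_ids of applicants who
    were flagged as probable hits but are not the revoked driver (false flags)."""
    possible = probable = 0
    false_flags: List[str] = []
    for app in applications:
        candidates = [r for r in register if possible_hit(app, r)]
        if not candidates:
            continue
        possible += 1
        screened = [r for r in candidates if probable_hit(app, r)]
        if not screened:
            continue
        probable += 1
        if not any(r.person_id == app.person_id for r in screened):
            false_flags.append(app.person_id)
    return possible, probable, false_flags


def daily_false_flags(probable_hits_per_day: int, true_fraction: float) -> int:
    """The report's arithmetic: probable hits that are not true identifications."""
    return round(probable_hits_per_day * (1.0 - true_fraction))


# Constructed register of revocations reported by other States.
REGISTER = [
    Record("Doe", "John", "1940-03-12", "MO", "p1"),
    Record("Smith", "Ann", "1951-07-04", "TX", "p2"),
    Record("Johnson", "Robert", "1938-11-30", "OH", "p3"),
]

# Constructed batch of applications submitted routinely by one State.
APPLICATIONS = [
    Record("Doe", "John", "1940-03-12", "IL", "p1"),      # the revoked driver himself
    Record("Doe", "James", "1963-01-20", "IL", "p4"),     # same surname and initial only
    Record("Doe", "John", "1940-03-12", "IL", "p5"),      # namesake sharing the birthday
    Record("Smith", "Alice", "1951-07-04", "IL", "p6"),   # different given name, same DOB
    Record("Johnson", "Robert", "1965-05-05", "IL", "p7"),
    Record("Williams", "Mary", "1950-02-02", "IL", "p8"),
]


def run_example() -> Tuple[int, int, List[str]]:
    return match_applications(APPLICATIONS, REGISTER)


if __name__ == "__main__":
    possible, probable, false_flags = run_example()
    print(f"possible hits: {possible}, probable hits: {probable}, "
          f"false flags: {false_flags}")
    print("report's figures:", daily_false_flags(500, 0.75), "false flags per day")
```

Treating a probable hit as a flag that triggers a request to the originating State, rather than as proof against the applicant, is what keeps the two false flags in this batch from becoming a burden on the applicants.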

The problems that can arise from the operation of the NDR stem from its role as
a clearinghouse for information supplied and used by more than 50 independent
driver licensing jurisdictions whose operations it does not control. Each
jurisdiction using the Register risks being misled by incomplete or erroneous
data submitted by another participating jurisdiction. Although mistakes
propagated by the NDR can usually be corrected at small expense in time and
trouble, other multi-jurisdictional clearinghouses can have potentially more
serious effects on individuals. The criminal history file of the FBI's National
Crime Information Center (NCIC) is one example.

The NCIC is a computerized clearinghouse of information about wanted persons,
stolen property, and criminal history records3 that will eventually provide
criminal justice agencies throughout the United States with computer-to-computer
access to the data in its files. The ultimate objective of the NCIC criminal
history file is to enable law enforcement agencies, courts, and correctional
institutions to determine, in seconds, whether an individual has a criminal
record. The NCIC would appear to lack the potential to be used as a dragnet
because inquiries are made only about particular individuals with whom law
enforcement agencies have contact under conditions that constitute cause for
suspicion of wrongdoing. In this respect, it differs significantly from the
operation of the National Driver Register. Furthermore, the problem of mistaken
identification in using the criminal history files should not arise because of
NCIC's requirement that fingerprints be used to identify arrest and offender
records entered into the system. Errors of identification can and do occur in
using the records in the wanted persons files because these are not identified
by fingerprints. However, the ease with which inquiries can be made from remote
terminals located in law enforcement and criminal justice agencies all over the
country could lead to access to the NCIC criminal history files by more users
and for checking on more individuals than is socially desirable.

Leaving aside the question of the probative value of arrest records, about which
lively controversy exists, the consequences of excessive use of criminal history
files might be innocuous if the NCIC records could be completely reliable. In
practice, however, the NCIC, like the National Driver Register, does not have
effective control over the accuracy of all the information in its files. The
NCIC is essentially an automated receiver, searcher, and distributor of data
furnished by others. If a subscribing system enters a partially inaccurate
record, or fails to submit additions or corrections to the NCIC files (e.g., the
recovery of a stolen vehicle or the disposition of an arrest), there is not much
that the NCIC can do about it.

Furthermore, the risk of propagating information that may lead to unjust
treatment of an individual by law enforcement authorities in subscribing
jurisdictions cannot be fully prevented.4

The NCIC checks on records being entered into its files, and periodically audits
its files to try to assure that system standards for completeness and accuracy
of records are being met. When it detects errors or points of incompleteness, it
can seek corrective action and can flag its records to warn users of possible
deficiencies. In the cases of an arrest record, however, even if the source
agency does eventually submit information about the disposition of the arrest,
there is no way that the NCIC can assure that all those who have had access to
the record in the interim will receive the disposition information. Once a
subscribing police department contributes an arrest report to the NCIC, that
report is available to any qualified requestor in the system. In some States,
this means that employers and licensing agencies (for physicians, barbers,
plumbers, and the like) will have access to the record under State laws that
require an arrest-record check on candidates for certain types of occupational
certification. Thus, unless a criminal record information system is designed to
keep track of all the ultimate users of each record released, and of every
person who has seen it, any correction or emendation of the original record can
never be certain to reach each holder of a copy.
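The design gap just described, as an added example that is not the NCIC's actual design: a constructed clearinghouse forwards records from contributing agencies to requestors, once with and once without a log of who received each record, and a later disposition is then applied. The agencies, record identifiers and dates are constructed for the illustration.

```python
"""Constructed clearinghouse showing why a correction (e.g. the disposition of an
arrest) can only be delivered to every holder of a copy if the system recorded
who received each record when it was released."""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    record_id: str
    subject: str
    event: str
    disposition: Optional[str] = None   # None means the outcome is still pending


class Clearinghouse:
    """Receives records from contributors and releases copies to requestors."""

    def __init__(self, track_releases: bool) -> None:
        self.track_releases = track_releases
        self.records: Dict[str, Record] = {}
        # record_id -> requestors holding a copy; populated only when tracking
        self.releases: Dict[str, Set[str]] = defaultdict(set)

    def contribute(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def release(self, record_id: str, requestor: str) -> Record:
        """Hand out a copy; remember the recipient if release tracking is on."""
        if self.track_releases:
            self.releases[record_id].add(requestor)
        return replace(self.records[record_id])   # a snapshot, not a live reference

    def correct(self, record_id: str, disposition: str) -> List[str]:
        """Apply a correction and return the holders who can be notified.

        Without a release log the holder set is unknown, so nobody is notified."""
        self.records[record_id].disposition = disposition
        if not self.track_releases:
            return []
        return sorted(self.releases.get(record_id, set()))


def demo(track_releases: bool) -> Tuple[List[str], List[str]]:
    """Simulate a contribution, several releases and a later correction.

    Returns (notified, stale): holders who received the correction, and holders
    whose copy still shows no disposition afterwards."""
    ch = Clearinghouse(track_releases)
    ch.contribute(Record("R-0001", "J. Doe (constructed)", "arrest, 1971-05-02"))

    # Each requestor keeps its own copy of whatever it was sent.
    copies: Dict[str, Record] = {}
    for requestor in ("MO_police", "IL_licensing_board", "MO_police"):
        copies[requestor] = ch.release("R-0001", requestor)

    # The contributing agency reports the outcome months later.
    notified = ch.correct("R-0001", "charges dismissed 1971-09-14")
    for holder in notified:
        copies[holder].disposition = ch.records["R-0001"].disposition

    stale = sorted(h for h, c in copies.items() if c.disposition is None)
    return notified, stale


if __name__ == "__main__":
    print("with release log:   ", demo(track_releases=True))
    print("without release log:", demo(track_releases=False))
```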

Systems like the NCIC and the National Driver Register illustrate one of the
potentially most significant effects of computerization on personal-data record
keeping-the enhanced ability to gather, package, and deliver information from
one organization to another in circumstances where lines of authority and
responsibility are overlapping or ambiguous, and where the significance attached
to data disseminated by the system may vary among subscribing organizations.
Unless all organizations in a multi-jurisdictional system can be counted on to
interpret and use data in the same way, the likelihood of unfair or
inappropriate decisions about the individual to whom any given record pertains
will be a problem, and a particularly acute problem whenever records are
incomplete or compressed. The records of school children, for instance, while
highly comparable within a single school district, will be less so among the
districts of a single State, and even more disparate among different States.
Thus, data systems that are established deliberately to pass information across
jurisdictional lines must be very carefully designed so as to foster sensitive,
discriminating use of personal data.

The untoward effects of such systems (or of any system, for that matter) do not
stem in the main from poor technical security. Although public mistrust of the
computer often centers on the possibility of unauthorized access to a central
data bank for purposes of blackmail or commercial exploitation (such as the
clandestine copying of a list of names and addresses), the purely technical
difficulties that can be placed in the path of any but the most well-equipped
intruder can make almost every computer installation more secure than its manual
counterpart. Unless an intruder has detailed technical knowledge of the system,
and possibly also clandestine access to the facility itself, most systems can be
quite well defended against "unauthorized" access (although at the present time
many systems may not be well-defended). The problem is how to prevent
"authorized" access for "unauthorized" purposes, since most leakage of data from
personal data systems, both automated and manual, appears to result from
improper actions of employees either bribed to obtain information, or supplying
it to outsiders under a "buddy system" arrangement.

Concern about abuses of authorized access to "integrated" data systems
maintained by State and local governments can have a particularly debilitating
effect on people's confidence in their governmental institutions. Ambitiously
conceived integrated systems, no matter how secure technically, may have the
effect of blurring, either in fact or appearance, established lines of political
accountability and constitutionally prescribed boundaries between branches of
government. When different branches arrange to share an integrated
data-processing facility and its data, the executive usually will operate it.
This happens partly because operational functions are normal for the executive,
and partly because executive agencies usually have more experience with computer
systems. It leads people to fear, however, that the needs of executive claimants
may be met before the needs of legislative bodies and the judiciary. The
priority system for allocating computer support will, of course, look fair on
paper, but in practice the result may often be to shortchange the passengers on
the system in favor of the driver.5 The recent development of mini-computers,
much cheaper than the big systems of only five years ago but of comparable
power, is providing an attractive economic alternative to large integrated
systems. Large systems, however, are also becoming less expensive and there is
no assurance that they will not become even more so as the result of new
technological advance.

Finally, in terms of the historical classification of records in Chapter I, we
recognize that combining bits and pieces of personal data from various records
is one way of creating an intelligence record, or dossier. The possibility of
using a large computer to assemble a number of data banks into a "master file"
so that a dossier on nearly everybody could then be extracted is currently
remote, since the ability to merge unrelated files efficiently depends heavily
upon their having many features of technical structure in common, and also on
having adequate information to match individual records with certainty.6 These
technical obstacles are avoided if the capability to merge whole files is
designed into a group of systems at the outset, a practice now characteristic of
only a few multi-jurisdictional systems but perhaps becoming more prevalent. At
the present time, however, compiling dossiers from a number of unrelated systems
presents problems that few organizations, and probably no organizations outside
of government, have the resources to solve.7

Nonetheless, public concern about such combinations of data through linkings and
mergers of files is well founded since any compilation of records from other
records can involve crossing functional as well as geographic and organizational
boundaries. When data from an administrative record, for example, become part of
an intelligence dossier, neither the data subject nor the new holder knows what
purpose the data may some day serve. Moreover, the investigator may believe that
no detail is too small to put into dossier, while the subject, for his part, can
never know when some piece of trivia will close a noose of circumstantial
evidence around him. Public sensitivity to the possibility of such situations
argues strongly for preserving the functional distinctions between different
classes of personal data systems.


TECHNICIANS AS RECORD KEEPERS

The reputation of the computer for impersonality and inhuman efficiency is due,
in part, to the publicity given the computer as a poet, a chess-player, and a
translator of exotic languages. "Machine intelligence" is a subject with
fascinating technical and philosophical aspects. To date, however, there is no
evidence that a computer capable of "taking over" anything it was not
specifically programmed to take over is attainable. Indeed, as pointed out
earlier, programming a computer to handle anything complicated is usually a very
difficult and expensive job, requiring generous amounts of money, expertise, and
management capability.

It seems safe to predict that economic and organizational constraints on the
uses of computers will not change radically during the next few years.
Although computing power and data-storage capability are steadily becoming
cheaper, and problem-oriented programming is being improved, no dramatic
breakthroughs are in sight. This prediction, however, cuts two ways. If we can
comfortably assume that computers will not take control of anything on their own
volition, we may still feel some disappointment that the application of
computers will tend to remain in the hands of trained specialists whose
competence is primarily in data processing rather than in the fields that data
processing serves. Some would say that this circumstance results from an
abdication by managers of their proper role, but whatever the reason, the effect
can easily be to insulate the record-keeping functions of an organization from
the pressures of both consumers and suppliers of data.

The presence of a specialized group of data-processing professionals in an
organization can create a constituency within the organization whose interests
are served by any increase in data use, without much regard for the intrinsic
value of the increased use. The point is underlined by an experience common to
many organizations. Some unit is already operating a computer facility for
accounting, processing scientific or engineering data, or for some other
straightforward application to which the technology is well-adapted. Because the
facility has extra computer time available, it is soon discovered that
attractive software packages can be purchased to enable the computer to enlarge
its scope and become a "management information system."

Such systems are founded on the proposition that efficient decision making
requires that managers have available to them a greater or more timely supply of
relevant information than they have been getting. As commonly observed, however,
most managers do not need more of relevant information nearly as badly as they
need less of irrelevant raw data.8 Thus, until the theory of management itself
has progressed to a stage where the necessary data content of
management-oriented systems can be predicted, their users are likely to find
them disappointing.

Another, potentially more serious, consequence of putting record keeping in the
hands of a new class of data-processing specialists is that questions of
record-keeping practice which involve issues of social policy are sometimes
treated as if they were nothing more than questions of efficient technique. The
pressure for establishing a simple identification scheme for locating records
in computer-based systems is a case in point.

The technical argument for having a standard universal identifier for records
about individuals focuses on increasing the efficiency of record keeping and
record usage. Proponents argue that if every item of data entered into an
automated system could be associated with an identifier unique to the individual
to whom the data pertain, updating, merging, and linking operations would be
greatly simplified and far less error-prone than they are today. Moreover,
records could be used more intensively; administrative records indexed by Social
Security number, for example, could also be used for certain types of research
which require matching data on individuals from several different record
systems.

To reap the full technical advantages of a standard identification scheme, it
is necessary for each individual to supply the identifier assigned to him every
time he has contact with a record-keeping organization using it. This practice
is already familiar to the clients of banks, credit-card services, and many
other organizations that have developed their own standard schemes. What worries
people is that the inconvenience to record-keeping organizations of having to
devise their own numbering arrangements will encourage the adoption of a single
universal scheme for use in all computer-based personal data systems. If this
happens, organizations that share an interest in monitoring and controlling the
behavior of some portion of the population will acquire an enlarged capacity to
do so, since they will all be able to know when an individual has contact with
any one of them. Fingerprints, for example, are the standard method used by the
police to identify persons arrested for crimes. Fingerprinting assures accurate
identification and may seem a reasonable way of dealing with criminal offenders,
but it is a dubious model for other types of record-keeping organizations to
follow.

It is, of course, a long step from having each individual identified in the same
way in every data system to creating a giant national data bank of dossiers
constructed from fragments of records on citizens in widely dispersed data
systems. There would have to be some strong incentive for "putting it all
together," and as we noted earlier, it is doubtful that even the dollar cost of
doing so could be justified on any reasonable grounds. However, it is not
necessary to build a giant national data bank to experience some of the effects
of having one. There are already systems in operation which have some of the
control capabilities that such a centralized dossier system would create.

One computer-based personal data system that came to our attention was a
comprehensive health information system developed and maintained by an agency of
the Department of Health, Education, and Welfare on an Indian reservation in the
Southwest. Approximately 10,000 Indians living in the area have records in the
system and another 4,000 have records in it but, for one reason or another, are
not part of the active patient population. These 14,000 record subjects are, by
and large, an economically dependent population with very serious health
problems. Within the confines of the geographic area covered by the system-about
the size of Connecticut-they are also a highly mobile population, with each
individual going by any one of several different names depending on
circumstances.

The health facility consists of a combination of in-patient, out-patient, and
field-clinic services. The purpose of its computer-based record-keeping system
is to develop a complete, cradle-to-grave, medical dossier on each individual
eligible to use the facility, so that all can benefit from a comprehensive
diagnostic and treatment program that aims to control illness by preventing its
occurrence, or by taking preemptive steps at the first sign of a medical
problem.

The record-keeping system has three basic components: (1) an administrative one
that notes and describes every contact each patient has with any segment of the
health facility, including the "interdisciplinary" teams of doctors, nurses, and
social workers who travel about administering tests and providing ambulatory
health services; (2) a statistical-reporting one that attempts to observe
fluctuations in the incidence of certain types of ailments and to pinpoint "high
risk" groups needing special preventive attention; and (3) a "surveillance" one
that consists of the recorded results of medical tests administered according to
a schedule established by the health facility. The system is a little more than
three years old. By the summer of 1972 it contained about 50 million characters
of data, or approximately 3,500 characters per patient-record. It accommodates
data in narrative as well as standard computer-accessible form.

The system is an elegant tool for addressing a complex set of social problems.
It would be hard to argue that the patient population being cared for would be
better off without the services the system makes possible. It is also apparent
that knowing who an individual is, and the details of his medical history, can
be of vital importance in treating patients, but the system has certain social
control capabilities that should be noted nonetheless.

The surveillance component, for example, has the primary purpose of discovering
incipient medical problems in individual patients. To do this effectively, each
patient must be induced to comply with the health facility's testing schedule,
and the health data system can be used to encourage compliance. As long as a
patient has no need for medical treatment, he can avoid the testing program.
However, once he becomes a patient, for whatever reason, his record will be
there at the doctor's fingertips showing all tests he has not had but should be
persuaded to have before he leaves the field clinic or wherever it is that he
has come to the medical facility's attention. In discussing a system serving
such patently humane purposes, words like "control" and "coercion" may have an
objectionable ring, but the coercive potential of the surveillance component,
especially in some other area of application, is evident.9

In another environment, the statistical-reporting component of the system could
also have potentially unsavory consequences for individuals. It is
characteristic of modern organizations to single out "high risk" categories of
people to whom the normal standards and rules do not apply. Often these high
risk groups are identified from statistical studies of populations that use the
services an organization offers. The consequences for any given individual
exhibiting the characteristics of the high risk group may range from total
exclusion (uninsurability) to being made eligible for special treatment
(remedial education, free medical care). Although there is nothing intrinsically
harmful in such practices, in dealing with human populations it is essential not
to assume that any single member of a statistically defined group will
necessarily behave in the way predicted for the group as a whole. Theoretically,
the adverse consequences of "statistical stereotyping" can be avoided by
permitting an individual to know that he has been labelled a risk and to contest
the label as applied to him. However, depending on the circumstances, and
particularly on the stake that an organization may have in being able to predict
the behavior of each individual in its clientele, a lone individual could have
considerable difficulty making his case.

Even the administrative record-keeping component of a comprehensive data system
can have coercive effects. When the administrative part of the health data
system was described to the Committee, repeated reference was made to the
advantages of knowing that a patient has previously been treated for an
emotional disorder when he shows up at a clinic claiming that he has
accidentally scratched his wrist on a rusty nail. One hopes that his chances of
being discharged after some bandaging and a tetanus shot are about the same as
his chances of being committed for treatment as a potential suicide. But are
they? Should they be? In some other record-keeping environment, could an
individual depend on having someone equivalent to a trained medical practitioner
available to make such a judgment?

Finally, it is important to note that the health data system has grown very
rapidly, that elements like the "high risk" categorization were not present in
the beginning, and that the health facility is now trying to improve its method
of identifying patients for the purpose of updating and retrieving the
information it maintains about them. In this particular situation, the Social
Security number happens to be considered a poor identification device because
many patients are thought to have more than one; but the patients also tend to
have several different names, so the managers of the data system are trying to
develop their own unique numbering scheme cross-referenced with all known
"aliases" for each patient.

Scheduling, labelling, monitoring, improved methods of identifying records about
individuals: these are being discussed in some quarters today as if they were
mere tools for delivering services to people efficiently. In the health data
system just described, the surveillance component is regarded as a way of
providing preventive health care; of taking preemptive steps to halt the natural
development of illnesses and conditions conducive to illness. It is hard to
quarrel with those objectives, or for that matter with the objectives of a great
many data systems now in operation or being planned. Should a national credit
card service be prohibited from using a sophisticated personal data system to
prevent its card holders from going on irresponsible spending sprees? Should
school districts be forbidden to use personal data systems to help prevent
children from becoming delinquents?

These are difficult questions to answer. Often the immediate costs of not using
systems to take preemptive action against individuals can be estimated (in both
dollars and predictable social disruption), while the long-term costs of
increasing the capacity of organizations to anticipate, and thus to control,
the behavior of individuals can be discussed only speculatively. One fact seems
clear, however; systems with preemptive potential are typically developed by
organizations, and groups of organizations, who see them primarily as attractive
technological solutions to complex social problems. The individuals that the
systems ultimately affect, the people about whom notations are made, the people
who are being labelled and numbered, have, by comparison, a very weak role in
determining whether many of these systems should exist, what data they should
contain, and how they should be used.


THE NET EFFECT ON PEOPLE

Today it is much easier for computer-based record keeping to affect people than
for people to affect computer-based record keeping. This signal observation
applies to a very broad range of automated personal data systems. When a machine
tool produces shoddy products, the reaction of consumers (and of government
regulatory agencies in some cases) is likely to give the factory managers prompt
and strong incentives to improve their ways. This is much less likely to be the
case when computerized record-keeping operations fail to meet acceptable
standards.

There is some evidence that in commercial settings competition helps to prevent
harmful or insensitive record-keeping practices, especially when a
record-keeping organization (a bank, for instance) depends on continuous
interaction with individual data subjects in order to keep its own records
straight. It is also true that a number of schools and colleges have been forced
to abandon automated registration and scheduling by determined student campaigns
to fold, spindle, and mutilate. In governmental settings, however, the
dissatisfied data subject usually has nowhere else to take his business and can
even be penalized for refusing to cooperate. The result, of course, is that many
organizations tend to behave like effective monopolies, which they are.

It is no wonder that people have come to distrust computer-based record-keeping
operations. Even in non-governmental settings, an individual's control over the
personal information that he gives to an organization, or that an organization
obtains about him, is lessening as the relationship between the giver and
receiver of personal data grows more attenuated, impersonal, and diffused. There
was a time when information about an individual tended to be elicited in
face-to-face contacts involving personal trust and a certain symmetry, or
balance, between giver and receiver. Nowadays an individual must increasingly
give information about himself to large and relatively faceless institutions,
for handling and use by strangers: unknown, unseen and, all too frequently,
unresponsive. Sometimes the individual does not even know that an organization
maintains a record about him. Often he may not see it, much less contest its
accuracy, control its dissemination, or challenge its use by others.

In more than one opinion survey, worries and anxieties about computers and
personal privacy show up in the replies of about one third of those interviewed.
More specific concerns are usually voiced by an even larger proportion.11 The
public fear of a "Big Brother" system, in effect a pervasive network of
intelligence dossiers, focuses on the computer, but it includes other marvels of
twentieth-century engineering, such as the telephone tap, the wireless
microphone, the automatic surveillance camera, and the rest of the modern
investigator's technical equipage. Such worries seem naive and unrealistic to a
data-processing specialist, but as in the case of campus protests against
computerized registration systems, the apprehension and distrust of even a
minority of the public can grossly complicate even a safe, straightforward
data-gathering and record-keeping operation that may be of undoubted social
advantage.

It may be that loss of control and confidence are more significant issues in the
"computers and privacy" debate than the organizational appetite for information.
An agrarian, frontier society undoubtedly permitted much less personal privacy
than a modern urban society, and a small rural town today still permits less
than a big city. The poet, the novelist, and the social scientist tell us, each
in his own way, that the life of a small-town man, woman, or family is an open
book compared to the more anonymous existence of urban dwellers. Yet the
individual in a small town can retain his confidence because he can be more sure
of retaining control. He lives in a face-to-face world, in a social system where
irresponsible behavior can be identified and called to account. By contrast, the
impersonal data system, and faceless users of the information it contains, tend
to be accountable only in the formal sense of the word. In practice they are for
the most part immune to whatever sanctions the individual can invoke.

1 New York Times, January 26, 1973, p. 4.

2 Although the term "dragnet" commonly connotes a system for catching criminals
or others wanted by the authorities, the term, as used here, refers to any
systematic screening of all members of a population in order to discover a few
members with specified characteristics.

3 See Appendix E for a discussion of the development of computerized criminal
justice information systems in the United States.

4 The NCIC system has been imitated by many city police departments whose
systems respond to inquiries from law enforcement jurisdictions in adjacent
suburbs. A suburban law enforcement officer first queries the city system to
which his terminal is linked; if the file search there yields nothing, his query
is passed on automatically to the State system and from there to the NCIC. These
local systems have all the accuracy problems of the NCIC and some are currently
the objects of law suits brought by their hapless victims. See, for example,
"S.F.'s Forgetful Computer," San Francisco Examiner, May 9, 1973, p. 3, and
"Coast Police Sued as Computer Errs," New York Times, May 5, 1973, p. 23. Almost
all of these cases involve the failure of a local jurisdiction to report the
recovery of a stolen vehicle or the revocation of a warrant.

5 For a discussion of political issues raised by computer-based information
systems in urban government, see Anthony Downs, "The Political Payoffs in Urban
Information Systems," in Alan F. Westin (Ed.), Information Technology in a
Democracy (Cambridge, Mass.: Harvard University Press), 1971, pp. 311-321.

6 In addition to incompatibilities of file structure, the expectation that some
day "it will all be put together" also runs afoul of the tenacity with which
record-keeping organizations tend to protect their own turf. Certainly among
private organizations competitive pressures sometimes inhibit the free
circulation of information about clients and also induce resistance to sharing
large blocks of individually identifiable data with government agencies. The
California Bankers Association, for example, is currently involved in litigation
(Stark v. Connally, 347 F. Supp. 1242 (1972)) to prevent the Treasury Department
from enforcing the reporting provisions of the so-called Bank Secrecy Act of
1970 (12 U.S.C. 1829b; 31 U.S.C. 1051-1122) with respect to domestic financial
transactions.

7 It should be noted that the same characteristics of automated systems which
inhibit the compilation of dossiers can also inhibit efforts by the press and
public interest groups to penetrate the decision-making processes of
record-keeping organizations and expose them to public scrutiny. This is
particularly true when organizations destroy "hard-copy" records after putting
the information in them into computer-accessible form. In such cases, the
computer can become a formidable gatekeeper, enabling a record-keeping
organization to control access to public-record information that previously had
been available to anyone with the time and energy to sift through its paper
files. Putting public-record data in computer-accessible form can also increase
the cost of piecing information together from several different files. The same
programming costs that make it uneconomical for law enforcement investigators
and private detectives to "fish" in the automated files of a credit bureau could
also make it prohibitively expensive for private citizens to examine public
records.

8 See, for example, Russell Ackoff, "Management Misinformation Systems," in
Westin, op. cit., pp. 264-271.

9 A computer-based information system designed to control the population of a
prison is described in Appendix F.

10 For a cogent description of how this is done, see James B. Rule, Private
Lives and Public Surveillance (London: Allen Lane), 1973, especially Chapter 6.
See also Robert A. Hendrickson, The Cashless Society (New York: Dodd, Mead &
Company), 1972.

11 See, for example, A National Survey of the Public's Attitudes Toward
Computers (AFIPS-TIME, Inc.) 1971. This survey is discussed in Alan F. Westin
and Michael A. Baker,


III. SAFEGUARDS FOR PRIVACY

There is widespread belief that personal privacy is essential to our well-being:
physically, psychologically, socially, and morally. Concern about the effects of
computerized personal data systems centers on their threat to privacy. Safeguards
must therefore focus on the protection of personal privacy.

The rationale for the safeguards that we will recommend is set forth in this
chapter. In it we take account of existing legal constraints on the invasion of
personal privacy through record keeping and of the role that records play in the
relationship between individuals and record-keeping organizations.


PERSONAL PRIVACY, RECORD KEEPING, AND THE LAW

Some suggest that the risks presented by automated personal data systems call
for a Constitutional amendment, or a general statute, establishing a right of
personal privacy; others hold that existing law is adequate to deal with
computer-based record-keeping practices. In the latter view, the enactment of an
explicit, general right of personal privacy, whether Constitutionally or by
statute, would not only provide no greater protection than is already latent in
the common law of privacy, but also would create uncertainty and confusion that
the courts are ill-suited to resolve.

Although the Constitution of the United States does not mention a right to
privacy, and only three State Constitutions (Alaska, California, and South
Carolina) make explicit provision for a right of privacy, various aspects of
personal privacy have been protected against government action by judicial
interpretation of certain provisions of the Bill of Rights. The First Amendment
guarantees free speech, a free press, and freedom of assembly and religion; the
Third Amendment prohibits quartering soldiers in private homes; the Fourth
Amendment prohibits unreasonable searches and seizures; the Fifth Amendment
protects against compulsory self-incrimination; and the Ninth Amendment
guarantees that rights not enumerated in the Constitution are retained by the
people. Courts have construed these protections of the Bill of Rights to uphold
the individual's right not to be coerced into revealing political, social, or
philosophical beliefs, or private associations, unless national security or
public order are at stake. The issues in many cases are clearly rooted in
concerns for personal privacy, but the courts have articulated their decisions
in terms of Bill of Rights guarantees. The Supreme Court, however, has
recognized a right of privacy as the basis for protecting the freedom of
individuals to practice contraception, to read or look at pornography at home,
and to have an unwanted pregnancy terminated.

Courts have also developed principles in the common law to allow suits for
invasion of privacy in various situations involving financial or reputational
injury of one person by another. There is little evidence, however, that court
decisions will, either by invoking Constitutional rights or defining common law
principles, evolve general rules, framed in terms of a legal concept of personal
privacy, that will protect individuals against the potential adverse effects of
personal-data record-keeping practices. Indeed, there are many court decisions
in which seemingly meritorious claims that could have been sustained by
recognizing a right of privacy were denied because the courts would not permit
such a right to override other legal considerations.

Although there is a substantial number of statutes and regulations that
collectively might be called the "law of personal-data record keeping," they do
not add up to a comprehensive and consistent body of law. They reflect no
coherent or conceptually unified approach to balancing the interests of society
and the organizations that compile and use records against the interests of
individuals who are the subjects of records.1

The Federal Reports Act2 and the so-called "Freedom of Information Act,"3 taken
together, come as close as any enactments to providing a framework for Federal
policy in this area. However, they are limited in application to agencies of the
Federal government; they deal in a limited fashion with only two aspects of
record-keeping practice, data collection and data dissemination; and they contain
scant and potentially inconsistent protections for the interests of individual
record subjects.

The Federal Reports Act requires that Federal agencies, with several significant
exceptions, obtain concurrence from the Office of Management and Budget before
collecting "information upon identical items, from ten or more persons." The Act
was designed chiefly to help business enterprises. Its main purposes are to
minimize the "burden" upon those required to furnish information to the Federal
government; to minimize the government's data collection costs; to avoid
unnecessary duplication of Federal data-collection efforts; and to maximize the
usefulness to all Federal agencies of the information collected. Although
concern for the interests of individuals can be discerned in its administration,
the Act itself makes no mention of personal privacy. It neither creates nor
recognizes any rights for individuals with respect to the personal-data
record-keeping practices of the Federal government.

The Freedom of Information Act mandates disclosure to the public of information
held by the Federal government. It barely nods at the interest of the individual
record subject by giving Federal agencies the authority to withhold personal
data whose disclosure would constitute a clearly unwarranted invasion of
privacy. The Act, however, is an instrument for disclosing information rather
than for balancing the conflicting interests that surround the public disclosure
and use of personal records. The Act permits exemption from mandatory disclosure
for personal data whose disclosure would constitute a "clearly unwarranted
invasion of personal privacy," but the agency is given total discretion in
deciding which disclosures meet this criterion. The Act gives the data subject
no way at all to influence agency decisions as to whether and how disclosure
will affect his privacy.4

Many of the States have similarly broad "public records" or "freedom of
information" statutes whose objective is to assure public access to records of
State government agencies. Most of them, however, provide no exceptions from
their general disclosure requirements in recognition of personal privacy
interests. We discovered no State law counterparts to the Federal Reports Act.

By and large, one finds that record-keeping laws and regulations at all levels
of government are limited and specific in their application. The requirements
and prohibitions they impose apply to particular types of organizations,
records, or record-keeping practices. They seldom go further than to stipulate
that particular records shall be maintained and made accessible to the public,
to particular officials, or for particular purposes, or that particular records
shall be subject to confidentiality constraints. No body of statutory or
administrative law establishes rights for individual record subjects or other
rules of general application governing personal-data record-keeping practices,
whether manual or automated.

Nor should we look to court decisions to develop such general rules. Courts can
only decide particular cases; their opportunity to establish legal principle is
limited by the nature of litigation arising from controversies between parties.
Few cases that raise the broad issues posed by all personal-data record keeping
have been brought before the courts, and fewer that focus those issues on
computer-based systems. There are several possible explanations for this.

One possibility is that nobody has been hurt enough or has felt sufficiently
aggrieved by current record-keeping practices to bring suit. Another is that
record-keeping and data-processing practices are not an overt or well understood
function of institutions, whether governmental or private. Their adverse effects
may not have been recognized. The individual affected may never discover that
the root of his difficulties with an institution was some piece of information
about him in a record. This is one reason for the section in the Fair Credit
Reporting Act5 that requires that an individual be notified when an adverse
action, such as denial of credit, insurance, or employment, is taken on the
basis of a report from a consumer-reporting agency.

Still another possibility is that unless injury to the individual can be
translated into reasonably substantial claims for damages, the individual
ordinarily has little incentive to undertake a lawsuit. Few people can afford to
bring suit against a well-defended organization solely for moral satisfaction.

Record-keeping practices have ancient and predominantly honorable traditions, as
we have seen. Historically, their social utility has seldom been questioned.
Only when record-keeping systems can be shown to have caused actual injury, to
have created problems with serious Constitutional implications, or to be in
conflict with clear statutory requirements, are courts likely to interfere with
their operation. As a consequence, government data systems appear, under
existing law, to be virtually immune to constraint through suits by individual
data subjects; private-sector systems appear no less so. The personal-data
record-keeping operations of private organizations are unlikely to give rise to
Constitutional issues and are typically not subject to statutory requirements.6
The judicial process, in short, seems functionally ill-suited to initiating
development of general common law rules relating to record-keeping practices.

The foregoing analysis leads us to conclude that the natural evolution of
existing law will not protect personal privacy from the risks of computerized
personal data systems. In our view the analysis also disposes of any expectation
that enactment of a mere right of personal privacy would afford such protection.7
The creation of such a right without precise and elaborate definition of its
intended significance would not overcome the obstacles in the judicial process
that hinder recognition of personal privacy in relation to record keeping. The
development of legal principles comprehensive enough to accommodate a range of
issues arising out of pervasive social operations, applications of a complex
technology, and conflicting interests of individuals, record-keeping
organizations, and society, will have to be the work of legislative and
administrative rule-making bodies.


A REDEFINITION OF THE CONCEPT OF PRIVACY

Our review of existing law leads to the conclusion that agreement must be
reached about the meaning of personal privacy in relation to records and
record-keeping practices. It is difficult, however, to define personal privacy
in terms that provide a conceptually sound framework for public policy about
records and record keeping and a workable basis for formulating rules about
record-keeping practices. For any one individual, privacy, as a value, is not
absolute or constant; its significance can vary with time, place, age, and other
circumstances. There is even more variability among groups of individuals. As a
social value, furthermore, privacy can easily collide with others, most notably
free speech, freedom of the press, and the public's "right to know."

Dictionary definitions of privacy uniformly speak in terms of seclusion,
secrecy, and withdrawal from public view. They all denote a quality that is not
inherent in most record-keeping systems. Many records made about people are
public, available to anyone to see and use. Other records, though not public in
the sense that anyone may see or use them, are made for purposes that would be
defeated if the data they contain were treated as absolutely secluded, secret,
or private. Records about people are made to fulfill purposes that are shared by
the institution maintaining them and the people to whom they pertain. Notable
exceptions are intelligence records maintained for criminal investigation,
national security, or other purposes. Use of a record about someone requires
that its contents be accessible to at least one other person, and usually many
other persons.

Once we recognize these characteristics of records, we must formulate a concept
of privacy that is consistent with records. Many noteworthy attempts to address
this need have been made.

> Privacy is the claim of individuals, groups, or institutions to determine for
> themselves when, how, and to what extent information about them is
> communicated to others. 8

> this is the core of the "right of individual privacy" --the right of the
> individual to decide for himself, with only extraordinary exceptions in the
> interests of society, when and on what terms his acts should be revealed to
> the general public. 9

> The right to privacy is the right of the individual to decide for himself how
> much he will share with others his thoughts, his feelings, and the facts of
> his personal life 10

> As a first approximation, privacy seems to be related to secrecy, to limiting
> the knowledge of others about oneself. This notion must be refined. It is not
> true, for instance, that the less that is known about us the more privacy we
> have. Privacy is not simply an absence of information about us in the minds of
> others; rather it is the control we have over information about ourselves.11

The significant elements common to these formulations are (1) that there will be
some disclosure of data, and (2) that the data subject should decide the nature
and extent of such disclosure. An important recognition is that privacy, at
least as applied to record-keeping practices, is not inconsistent with
disclosure, and thus with use. The further recognition of a role for the record
subject in deciding what shall be the nature and use of the record is crucial in
relating the concept of personal privacy to record-keeping practices.

Each of the above formulations, however, speaks of the data subject as having a
unilateral role in deciding the nature and extent of his self-disclosure. None
accommodates the observation that records of personal data usually reflect and
mediate relationships in which both individuals and institutions have an
interest, and are usually made for purposes that are shared by institutions and
individuals. In fact, it would be inconsistent with this essential
characteristic of mutuality to assign the individual record subject a
unilateral role in making decisions about the nature and use of his record. To
the extent that people want or need to have dealings with record-keeping
organizations, they must expect to share rather than monopolize control over the
content and use of the records made about them.

Similarly, it is equally out of keeping with the mutuality of record-generating
relationships to assign the institution a unilateral role in making decisions
about the content and use of its records about individuals. Yet it is our
observation that organizations maintaining records about people commonly behave
as if they had been given such a unilateral role to play. This is not to suggest
that decisions are always made to the disadvantage of the record subject; the
contrary is often the case. The fact, however, is that the record subject
usually has no claim to a role in the decisions organizations make about records
that pertain to him. His opportunity to participate in those decisions depends
on the willingness of the record-keeping organization to let him participate
and, in a few instances, on specific rights provided by law.

Here then is the nub of the matter. Personal privacy, as it relates to
personal-data record keeping must be understood in terms of a concept of
mutuality. Accordingly, we offer the following formulation:

> An individual's personal privacy is directly affected by the kind of
> disclosure and use made of identifiable information about him in a record. A
> record containing information about an individual in identifiable form must,
> therefore, be governed by procedures that afford the individual a right to
> participate in deciding what the content of the record will be, and what
> disclosure and use will be made of the identifiable information in it. Any
> recording, disclosure, and use of identifiable personal information not
> governed by such procedures must be proscribed as an unfair information
> practice unless such recording, disclosure or use is specifically authorized
> by law.

This formulation does not provide the basis for determining a priori which data
should or may be recorded and used, or why, and when. It does, however, provide
a basis for establishing procedures that assure the individual a right to
participate in a meaningful way in decisions about what goes into records about
him and how that information shall be used.

Safeguards for personal privacy based on our concept of mutuality in
record-keeping would require adherence by record-keeping organizations to
certain fundamental principles of fair information practice.

 * There must be no personal-data record-keeping systems whose very existence is
   secret.

 * There must be a way for an individual to find out what information about him
   is in a record and how it is used.

 * There must be a way for an individual to prevent information about him
   obtained for one purpose from being used or made available for other purposes
   without his consent.

 * There must be a way for an individual to correct or amend a record of
   identifiable information about him.

 * Any organization creating, maintaining, using, or disseminating records of
   identifiable personal data must assure the reliability of the data for their
   intended use and must take reasonable precautions to prevent misuse of the
   data.

These principles should govern the conduct of all personal-data record-keeping
systems. Deviations from them should be permitted only if it is clear that some
significant interest of the individual data subject will be served or if some
paramount societal interest can be clearly demonstrated; no deviation should be
permitted except as specifically provided by law.


MECHANISMS FOR PROVIDING SAFEGUARDS

Many mechanisms have been suggested for providing safeguards against the
potential adverse effects of automated personal-data systems. Those who believe
a general right of personal privacy should be established, by Constitutional
amendment or by statute, propose, in effect, that the courts should be the
mechanism. Although we have concluded that a general right of privacy is not a
reliable approach to achieving effective protection, the safeguards we recommend
in the following chapters of this report would rely in part on the courts.

Some have proposed that there be a public ombudsman to monitor automated
personal data systems, to identify and publicize their potential for adverse
effects, and to investigate and act on complaints about their operation. We
note with approval the efforts of the Association for Computing Machinery, and
of many business firms and newspapers, to provide ombudsman service to the
victims of computer errors. We believe the benefits of this approach are many
and would like to see it extended to more systems. However, the ombudsman
concept is basically remedial and will, therefore, work best in the context of
established rights and procedures. Furthermore, the function is not well
understood or widely accepted in America, and some observers feel it has severe
limitations in the context of American legal, political, and administrative
traditions.

The "strongest" mechanism for safeguards which has been suggested is a
centralized, independent Federal agency to regulate the use of all automated
personal data systems. In particular, it has been proposed that such an agency,
if authorized to register or license the operation of such systems, could make
conformance to specific safeguard requirements a condition of registration or
licensure. The number and variety of institutions using automated personal data
systems is enormous. Systems themselves vary greatly in purpose, complexity,
scope of application, and administrative context. Their possible harmful effects
are as much a product of these features as of computerization alone. We doubt
that the need exists or that the necessary public support could be marshaled at
the present time for an agency of the scale and pervasiveness required to
regulate all automated personal data systems. Such regulation or licensing,
moreover, would be extremely complicated, costly, and might uselessly impede
desirable applications of computers to record keeping.12

The safeguards we recommend require the establishment of no new mechanisms and
seek to impose no constraints on the application of electronic data-processing
technology beyond those necessary to assure the maintenance of reasonable
standards of personal privacy in record keeping. They aim to create no obstacles
to further development, adaptation, and application of a technology that, we all
agree, has brought a variety of benefits to a wide range of people and
institutions in modern society.

The proposed safeguards are intended to assure that decisions about collecting,
recording, storing, disseminating, and using identifiable personal data will be
made with full consciousness and consideration of issues of personal
privacy: issues that arise from inherent conflicts and contradictions in values
and interests. Our recommended safeguards cannot assure resolution of those
conflicts to the satisfaction of all individuals and groups involved. However,
they can assure that those conflicts will be fully recognized and that the
decision-making processes in both the private and public sectors, which lead to
assigning higher priority to one interest than to another, will be open,
informed, and fair.

The safeguards we will recommend are intended to create incentives for
institutions that maintain automated personal data systems to adhere closely to
basic principles of fair information practice. Establishment of a legal
protection against unfair information practice to embody the safeguard
requirements described in Chapters IV, V, and VI, will invoke existing
mechanisms to assure that automated personal data systems are designed, managed,
and operated with due regard for protection of personal privacy. We intend and
recommend that institutions should be held legally responsible for unfair
information practice and should be liable for actual and punitive damages to
individuals representing themselves or classes of individuals. With such
sanctions institutional managers would have strong incentives to make sure their
automated personal data systems did not violate the privacy of individual data
subjects as defined.

Of greatest importance, from our point of view, the safeguards we will recommend
give the courts a reliable and generally applicable basis for protecting
personal privacy in relation to record keeping. The legal concept of fair
information practice we recommend will obviate the need to search for new
Constitutional doctrines or to invent ways of extending the existing common law
of privacy to cover situations for which it is conceptually ill-suited.


THE COSTS OF SAFEGUARDS

The safeguards we recommend will not be without costs, which will vary from
system to system. The personal-data record-keeping practices of some
organizations already meet many of the standards called for by the safeguards.
The Social Security Administration, for example, maintains a record of earnings
for each individual in the Social Security system, and each individual has the
legal right to learn the content of his record. Procedures have been set up to
allow an individual to find out easily what is in his record and to have the
record corrected if it is wrong. Disclosure of an individual's record outside
the system is forbidden, except under certain limited circumstances prescribed
by statute and regulation, and there are criminal penalties for unauthorized
disclosure. An individual is given notice and opportunity for a hearing when the
record is being changed at the initiative of the Social Security Administration.
These protections are a normal part of Social Security administration and, in
our view, demonstrate the feasibility of building such safeguards into any
system when the system's managers are strongly committed to do so.

We believe that the cost to most organizations of changing their customary
practices in order to assure adherence to our recommended safeguards will be
higher in management attention and psychic energy than in dollars. These costs
can be regarded in part as deferred costs that should already have been incurred
to protect personal privacy, and in part as insurance against future problems
that may result from adverse effects of automated personal data systems. From a
practical point of view, we can expect to reap the full advantages of these
systems only if active public antipathy to their use is not provoked.13

The past two decades have given America intensive lessons in the difficulty of
trying to check or compensate for undesirable side-effects stemming from
headlong application and exploitation of complex technologies. Water pollution,
air pollution, the annual highway death toll, suburban sprawl, and urban decay
are all unanticipated consequences of the too narrowly conceived and largely
unconstrained applications of technology. Hence, it is essential now for
organizational decision makers to understand why they should be sensitive to
issues of personal privacy and not permit their organizations unilaterally to
adopt computer-based record-keeping practices that may have adverse effects on
individuals. They must recognize where conflicts are likely to arise between an
individual's desire for personal privacy and an organization's record-keeping
goals and behavior. They must recognize that although individuals and
record-keeping organizations do have certain shared purposes, they also have
other purposes, some of which are mutual, though not perceived as such, and some
of which can be in direct conflict.

Record-keeping organizations must guard against insensitivity to the privacy
needs and desires of individuals; preoccupied with their own convenience or
efficiency, or their relationships with other organizations, they must not
overlook the effects on people of their record-keeping and record-sharing
practices. They have the power to eliminate misunderstanding, mistrust,
frustration, and seeming unfairness; they must learn to exercise it.

1 Appendix G contains a review of law that bears on the collection, storage,
use, and dissemination of information by the Department of Health, Education,
and Welfare.

2 44 U.S.C. 3501-3511.

3 5 U.S.C. 552.

4 The privacy implications of the Freedom of Information Act and its application
to computer-based record-keeping systems are discussed in Arthur R. Miller, The
Assault on Privacy (Ann Arbor: University of Michigan Press, 1971), pp. 152-161.

5 15 U.S.C. 1681-1681t (1970).

6 The Fair Credit Reporting Act is a notable exception.

7 From this conclusion we should not be understood to be unaware of the
potential significance of an unqualified right of personal privacy, either
Constitutionally or by statute. We know of at least one instance in which the
existence of such a right in a State constitution served as the basis for the
State's Attorney General to deny access to certain public records whose
disclosure was not explicitly provided for in the governing State statutes. We
would support enactment of a right of personal privacy for many reasons, but not
as the only or best way to protect personal privacy in computer-based
record-keeping systems.

8 Alan F. Westin, Privacy and Freedom (New York: Atheneum, 1967), p. 7.

9 Ibid., p. 373.

10 Office of Science and Technology of the Executive Office of the President,
Privacy and Behavioral Research (Washington, D.C., 1967), p. 8.

11 Charles Fried, "Privacy," The Yale Law Journal, Vol. 77 (1968), p. 482.

12 These comments point up what we regard to be the deficiencies of a regulatory
approach that would constitute a single Federal agency as the regulatory body.
They are not intended to discourage the development of regulation in specific,
limited areas of application of computer-based record-keeping systems. For
example, where particular institutions or societal functions are already subject
to regulation, e.g., public utilities, common carriers, insurance companies,
hospitals, it well may be that an effective way to introduce and enforce
safeguard requirements would be through the public agencies that regulate such
institutions. Such an approach has been adopted with respect to the
credit-reporting industry (see discussion, Chapter IV, p. 69).

Many municipal governments have been exploring regulatory or quasi-regulatory
mechanisms for applying safeguard requirements to so-called "integrated
municipal information systems." The efficacy of such mechanisms has not yet been
demonstrated; however, we know of several that appear promising in conception.
In addition, at both State and local government levels, efforts are being made
to regulate the use of criminal justice information systems.

13 In addition to maintaining and using records of personal information, computer
technology is a tremendous new force for development in many ways. Already, for
example, computers are controlling traffic on city streets and highway systems,
and in the air; supplementing human judgment in making medical diagnoses;
monitoring air pollution; predicting the weather; and even acting as surrogates
for human decision makers in controlling large electrical power systems,
industrial manufacturing processes, and high-speed rail transportation systems.
Such computer applications do not typically require identifiable information
about people. That which is required is limited and need be retained for only a
short time. Thus the social risks from computer systems such as these are beyond
the scope of this report.


IV. RECOMMENDED SAFEGUARDS FOR ADMINISTRATIVE PERSONAL DATA SYSTEMS

Our inquiry has led us to distinguish two categories of personal data systems
that deserve separate attention in developing safeguards. One consists of
administrative systems; the other of statistical-reporting and research systems.
The essential distinction between the two categories is functional. An
administrative personal data system maintains data on individuals for the
purpose of affecting them directly as individuals, for making determinations
relating to their qualifications, character, rights, opportunities, or benefits.
A statistical-reporting or research system maintains data about individuals
exclusively for statistical reporting or research, and is not intended to be
used to affect any individual directly.1

This chapter contains general recommendations for all personal data systems and
safeguard requirements for administrative personal data systems used as such.
Chapter V contains additional safeguard requirements for statistical-reporting
and research applications of administrative systems. Systems maintained
exclusively for statistical reporting or research and safeguard requirements for
them are addressed in Chapter VI.

Although our specific charge has been to analyze problems of automated systems,
our recommendations could wisely be applied to all personal data systems,
whether automated or manual. Computer-based systems magnify some record-keeping
problems and introduce others, but no matter how data are stored, any
maintenance of personal data presents some of the problems discussed in Chapters
II and III. Moreover, the distinction between an automated and a non-automated
system is not always easy to draw; requiring safeguards for all personal data
systems eliminates the need to rule on ambiguous cases. Uniform application of
safeguards to all systems will also facilitate conversion from manual to
automated data processing when it does occur.

We define an automated personal data system as a collection of records
containing personal data that can be associated with identifiable individuals,
and that are stored, in whole or in part, in computer-accessible files. Data can
be "associated with identifiable individuals" by means of some specific
identification, such as name or Social Security number, or because they include
personal characteristics that make it possible to identify an individual with
reasonable certainty. "Personal data" include all data that describe anything
about an individual, such as identifying characteristics, measurements, test
scores; that evidence things done by or to an individual, such as records of
financial transactions, medical treatment, or other services; or that afford a
clear basis for inferring personal characteristics or things done by or to an
individual, such as the mere record of his presence in a place, attendance at a
meeting, or admission to some type of service institution. "Computer-accessible"
means recorded on magnetic tape, magnetic disk, magnetic drum, punched card, or
optically scannable paper or film. A "data system" includes all processing
operations, from initial collection of data through all uses of the data. Data
recorded on questionnaires, or stored in microfilm archives, are considered part
of the data system, even when the computer-accessible files themselves do not
contain identifying information.

Consistent with the rationale set forth in Chapter III, we recommend the
enactment of legislation establishing a Code of Fair Information Practice for
all automated personal data systems.

 * The Code should define "fair information practice" as adherence to specified
   safeguard requirements. (Safeguard requirements for administrative personal
   data systems are set out below; those for statistical-reporting and research
   systems will be found in Chapter VI.)
 * The Code should prohibit violation of any safeguard requirement as an "unfair
   information practice."
 * The Code should provide that an unfair information practice be subject to
   both civil and criminal penalties.
 * The Code should provide for injunctions to prevent violation of any safeguard
   requirement.
 * The Code should give individuals the right to bring suits for unfair
   information practices to recover actual, liquidated, and punitive damages, in
   individual or class actions. It should also provide for recovery of
   reasonable attorneys' fees and other costs of litigation incurred by
   individuals who bring successful suits.

Pending the enactment of a code of fair information practice, we recommend that
all Federal agencies (i) apply the safeguard requirements, by administrative
action, to all Federal systems, and (ii) assure, through formal rule making,
that the safeguard requirements are applied to all other systems within reach of
the Federal government's authority. Pending the enactment of a code of fair
information practice, we urge that State and local governments, the institutions
within reach of their authority, and all private organizations adopt the
safeguard requirements by whatever means are appropriate. Labor unions, for
example, might find the application of the safeguards to employee records an
appropriate issue in collective bargaining.


ESTABLISHING AUTOMATED PERSONAL DATA SYSTEMS

We were not charged with developing criteria for determining when and for what
purposes to establish personal data systems. It is doubtful that any such
criteria are feasible or warranted. Our inquiry, however, has prompted us to
make cautionary observations to those who must decide whether, when, and how to
establish automated personal data systems.

The general proposition that records and record-keeping systems are desirable
and useful does not necessarily apply to every system. Some data systems appear
to serve no clearly defined purpose; some appear to be overly ambitious in
scale; others are poorly designed; and still others contain inaccurate data.

Each time a new personal data system is proposed (or expansion of an existing
system is contemplated) those responsible for the activity the system will
serve, as well as those specifically charged with designing and implementing the
system, should answer explicitly such questions as:

> What purposes will be served by the system and the data to be collected?
> 
> How might the same purposes be accomplished without collecting these data?
> 
> If the system is an administrative personal data system, are the proposed data
> items limited to those necessary for making required administrative decisions
> about individuals as individuals?
> 
> Is it necessary to store individually identifiable personal data in
> computer-accessible form, and, if so, how much?
> 
> Is the length of time proposed for retaining the data in identifiable form
> warranted by their anticipated uses?

A careful consideration of questions such as these might avert the establishment
of some systems. Even if a proposed system survives a searching examination of
the need for it, the very process should at least suggest limitations on the
collection and storage of data.

Formalized administrative procedures and requirements should be followed to
assure that questions about the purposes, scope, and utility of systems are
raised and confronted before systems are established or enlarged. Members of the
public should also have an opportunity to comment on systems before they are
created.

It is especially important that such procedures be followed whenever data
collection requirements, imposed by any Federal department or agency on States,
other grantees, or regulated organizations, are likely to result in the creation
or enlargement of personal data systems. In our view, any such data collection
requirement should be established by regulations adopted after the public has
been given an opportunity to comment, rather than by less formal means, such as
program guidelines or manuals. Adoption of a regulation also forces a Federal
agency to go through a formal process of internal justification and executive
review. In the case of Federal data-collection requirements, the notice of any
proposed regulation should contain a clear explanation of why each item of data
is to be collected and why it must be collected and stored in identifiable form,
if such is proposed.


THE SAFEGUARD REQUIREMENTS

An automated personal data system should operate in conformity with safeguard
requirements that, as stated above, should be enacted as part of a code of fair
information practice. It is difficult to formulate safeguard requirements that
will assure, in every system, an appropriate balance between the interest of the
individual in controlling information about himself and all other
interests, institutional and societal. However, because the safeguards we
recommend are so basic to assuring fairness in personal data record keeping, any
particular system, or class of systems, should be exempted from any one of them
only for strong and explicitly justified reason.

If organizations maintaining personal data systems are left free to decide for
themselves when and to what extent to adhere fully to the safeguard
requirements, the aim of establishing by law a basic code of fair information
practice will be frustrated. Thus, exemptions from, or modifications of, any of
the safeguard requirements should be made only as specifically provided by
statute, and there should be no exemption or modification unless a societal
interest in allowing it can be shown to be clearly paramount to the interest of
individuals in having the requirement imposed. "Societal interest," moreover,
should not be construed as equivalent to the convenience or efficiency of
organizations that maintain data systems, the preference of a professional
group, or the welfare of individual data subjects as defined by system users or
operators.

Existing policies that guide the handling of personal data should not be
uncritically accepted or reaffirmed. Nor should the basic "least common
denominator" quality of the safeguards discourage law-making bodies, or
organizations maintaining personal data systems, from providing individuals
greater protection than the safeguards offer. Existing laws or regulations that
provide protections greater than the safeguards should be retained; those that
provide less protection should be amended to meet the standards set by the
safeguards.

SAFEGUARD REQUIREMENTS FOR ADMINISTRATIVE PERSONAL DATA SYSTEMS

I. GENERAL REQUIREMENTS

A. Any organization maintaining a record of individually identifiable personal
data, which it does not maintain as part of an administrative automated personal
data system, shall make no transfer of any such data to another organization
without the prior informed consent of the individual to whom the data pertain,
if, as a consequence of the transfer, such data will become part of an
administrative automated personal data system that is not subject to these
safeguard requirements.

All other safeguard requirements for administrative personal data systems have
been formulated to apply only to automated systems. As suggested earlier, the
safeguards would wisely be applied to all personal data systems that affect
individuals directly, whether or not they are automated. If this is not done,
however, it is necessary to assure that individuals about whom an organization
maintains records of personal data, which are not part of an automated system,
will be protected in the event that personal data from those records are
transferred to automated systems. Requirement I.A. is intended to provide such
protection by requiring that transfers of personal data to automated systems not
subject to the safeguard requirements be made only with the informed consent of
the individuals to whom the data pertain.

The requirement is formulated so as not to apply to transfers of personal data
that are not in individually identifiable form, e.g., for statistical reporting.
(Transfers of individually identifiable data to automated systems used
exclusively for statistical reporting and research are covered in Chapter VI, p.
97.)

B. Any organization maintaining an administrative automated personal data system
shall:

> (1) Identify one person immediately responsible for the system, and make any
> other organizational arrangements that are necessary to assure continuing
> attention to the fulfillment of the safeguard requirements;

The obligation to identify a person responsible for the system is intended to
provide a focal point for assuring compliance with the safeguard requirements
and to guarantee that there will be someone with authority to whom a
dissatisfied data subject can go, if other methods of dealing with the system
are unsatisfactory. Systems that involve more than one organization may present
special problems in this respect, and must be carefully designed to assure that
a data subject is not shuffled from one organization to another when he seeks to
assert his rights under these requirements.

> (2) Take affirmative action to inform each of its employees having any
> responsibility or function in the design, development, operation, or
> maintenance of the system, or the use of any data contained therein, about all
> the safeguard requirements and all the rules and procedures of the
> organization designed to assure compliance with them;

This requirement takes account of the fact that the actions of many people, with
diverse responsibilities and functions located in different parts of an
organization, affect the operations of an automated personal data system. Often
these people lack a common understanding of the possible consequences for the
system of their separate actions. If an organization is to comply fully and
efficiently with the safeguard requirements, its employees will have to be made
thoroughly aware of all the rules and procedures the organization has
established to assure compliance.

> (3) Specify penalties to be applied to any employee who initiates or otherwise
> contributes to any disciplinary or other punitive action against any
> individual who brings to the attention of appropriate authorities, the press,
> or any member of the public, evidence of unfair information practice;

The employees of an organization must not be penalized for attempting to prevent
or expose violations of the safeguard requirements. Organizations maintaining
systems must assure their employees that no harm will come to them as a
consequence of bringing evidence of poor practice or willful abuse to the
attention of parties who are willing and prepared to act on it.

A personal-data record-keeping system is often one of the least visible aspects
of an organization's operations. Organization managers are sometimes ignorant of
important facets of system operations, and individual clients or beneficiaries
often do not perceive how their difficulties in dealing with an organization may
stem from its record-keeping practices. Furthermore, systems tend to be
designed, developed, and operated by sizable groups of specialists, no one of
whom has a detailed understanding of how each system works and of all the ways
in which it can be abused. This diffusion of responsibility, and of practical
knowledge of system characteristics, makes the integrity of computer-based
record-keeping systems especially dependent on the probity of system personnel.
Efforts by associations of data processing specialists to gain nationwide
adherence to a code of professional ethics attest to the importance of this
aspect of system operations.

> (4) Take reasonable precautions to protect data in the system from any
> anticipated threats or hazards to the security of the system;

The purpose of requirement (4) is to assure that an organization maintaining an
automated personal data system takes appropriate security precautions against
unauthorized access to data in the system, including theft or malicious
destruction of data files.

> (5) Make no transfer of individually identifiable personal data to another
> system without (i) specifying requirements for security of the data, including
> limitations on access thereto, and (ii) determining that the conditions of the
> transfer provide substantial assurance that those requirements and limitations
> will be observed, except in instances when an individual specifically requests
> that data about himself be transferred to another system or organization;

Requirement (5) is intended to provide protection against any additional risks
to data security resulting from transfer of data from one system to another, or
from the establishment of regular data linkages between systems. To comply with
this requirement, an organization would have to be able to demonstrate that it
had carefully followed procedures deliberately designed to assure that the
security conditions for a data transfer, including transmission facilities and
the data security features and access limitations of the system receiving the
data, conform to specified expectations of the transferring organization and its
data subjects. In combination with safeguard requirement III(3) (pp. 61-62,
below), which requires an organization to obtain the informed consent of
individual data subjects before permitting data about them to be put to uses
that exceed their reasonable expectations, this requirement would, for example,
prevent the sale of data files by one organization to another without the
consent of the data subjects if the security features and access limitations of
the purchasing organizations were such as to open the possibility of uses not
anticipated by the data subjects. The exception in requirement (5) is intended
to accommodate the possibility that an individual may need or want his record,
or data therefrom, to be made available to another organization even though such
transfer may entail risks of security or access that the transferring
organization would not undertake or permit, and could not, consistent with this
safeguard.

> (6) Maintain a complete and accurate record of every access to and use made of
> any data in the system, including the identity of all persons and
> organizations to which access has been given;

This requirement will contribute significantly to an organization's capacity to
detect improper dissemination of personal data. It is not intended to include
ordinary system housekeeping entries, such as updating of files, undertaken in
the course of normal maintenance by system personnel. To facilitate its
compliance with requirement III (4) (p. 62, below), an organization should
consider assuring that records of access to and use of data are part of, or are
easily associable with, the records of individuals that are accessed and used.

> (7) Maintain data in the system with such accuracy, completeness, timeliness,
> and pertinence as is necessary to assure accuracy and fairness in any
> determination relating to an individual's qualifications, character, rights,
> opportunities, or benefits that may be made on the basis of such data; and

> (8) Eliminate data from computer-accessible files when the data are no longer
> timely.

Requirements (7) and (8) are intended to reduce the number of instances in which
individuals are adversely affected by poorly conceived, poorly executed, or
excessively ambitious uses of automated personal data systems. Because specific
deficiencies in individual records will constitute evidence that requirement (7)
has been violated, the effect of the requirement will be to make an organization
as alert to isolated errors as it is to sources of recurring errors. To assure
alertness, giving high priority to periodic retraining of system personnel and
the suitability of their working conditions is essential. In addition, the
organization may find that regular evaluation is needed of its data collection
procedures and of the accuracy with which data are being converted into computer
accessible form. If particular data are being reproduced for use by another
system or organization, steps may also have to be taken to apprise the receiving
organization of subtle pitfalls in interpreting the data.

Requirement (7) will discourage organizations from attempting to handle more
data than they can adequately process and should also reduce the likelihood that
computer-based "dragnet" operations will injure, embarrass, or otherwise harass
substantial numbers of individuals. Requirement (8) will promote the development
of data-purging schedules that reflect the reasonable useful life of each
category of data. Although the requirement would not prohibit the retention of
data for archival purposes, it would assure that obsolete data are not available
for routine use.

II. Public Notice Requirement

Any organization maintaining an administrative automated personal data system
shall give public notice of the existence and character of its system once each
year. Any organization maintaining more than one system shall publish such
annual notices for all its systems simultaneously. Any organization proposing to
establish a new system, or to enlarge an existing system, shall give public
notice long enough in advance of the initiation or enlargement of the system to
assure individuals who may be affected by its operation a reasonable opportunity
to comment. The public notice shall specify:

> (1) The name of the system;
> 
> (2) The nature and purpose(s) of the system;
> 
> (3) The categories and number of persons on whom data are (to be) maintained;
> 
> (4) The categories of data (to be) maintained, indicating which categories are
> (to be) stored in computer-accessible files;
> 
> (5) The organization's policies and practices regarding data storage, duration
> of retention of data, and disposal thereof;
> 
> (6) The categories of data sources;
> 
> (7) A description of all types of use (to be) made of data, indicating those
> involving computer-accessible files, and including all classes of users and
> the organizational relationships among them;
> 
> (8) The procedures whereby an individual can (i) be informed if he is the
> subject of data in the system; (ii) gain access to such data; and (iii)
> contest their accuracy, completeness, pertinence, and the necessity for
> retaining them;
> 
> (9) The title, name, and address of the person immediately responsible for the
> system.

The requirement for announcing the intention to create or enlarge a system stems
from our conviction that public involvement is essential for fully effective
consideration of the pros and cons of establishing a personal data system.
Opportunity for public involvement must not be limited to actual or potential
data subjects; it should extend to all individuals and interests that may have
views on the desirability of a system.

We have not specified a uniform mechanism for giving notice, but rather expect
all reasonable means to be used. In the Federal government, we would expect at
least formal notice in the Federal Register as well as publicity through other
channels, including mailings and public hearings. We would expect State and
local governments to use whatever comparable mechanisms are available to them.
For other organizations maintaining or proposing systems arrangements such as
newspaper advertisements may be appropriate. Whatever methods are chosen, an
organization must have copies of its notices readily available to anyone
requesting them.

III. Rights of Individual Data Subjects

Any organization maintaining an administrative automated personal data system
shall:

> (1) Inform an individual asked to supply personal data for the system whether
> he is legally required, or may refuse, to supply the data requested, and also
> of any specific consequences for him, which are known to the organization, of
> providing or not providing such data;

This requirement is intended to discourage organizations from probing
unnecessarily for details of people's lives under circumstances in which people
may be reluctant to refuse to provide the requested data. It is also intended to
discourage coercive collection of personal data that are to be used exclusively
for statistical reporting and research. (Secondary statistical-reporting and
research applications of administrative personal data systems are the subject of
Chapter V.)

> (2) Inform an individual, upon his request, whether he is the subject of data
> in the system, and, if so, make such data fully available to the individual,
> upon his request, in a form comprehensible to him;

We considered having this requirement provide that an individual be informed
that he is a data subject, whether or not he inquires. It seems to us, however,
that such a requirement could be needlessly burdensome to some organizations,
particularly if the character of their operations makes it likely that an
individual will know that he is the subject of data in one or more systems, for
example, systems that mail their customers monthly statements. Furthermore,
since our objective is to specify a set of fundamental "least common
denominator" standards of fair information practice, we concluded that it would
be sufficient to guarantee each individual the right to ascertain whether he is
a data subject when and if he asks to know.

We would, however, urge that organizations take the initiative to inform
individuals voluntarily that data are being maintained about them, especially if
it seems likely that the individuals would not be made fully aware of the fact
as a consequence of normal system operations. For example, in systems where
individuals become data subjects as a consequence of providing data about
themselves in an application, the form could describe the records that will be
maintained about them.

This requirement affords an individual about whom data are maintained in a
system the right to be informed, and the right to obtain a copy of data, only if
he may be affected individually by any use made of the system. For example,
employees about whom earnings data are maintained in individually identifiable
form in records kept by their employers would have these rights, but individuals
appearing collaterally in records, such as an employee's dependents or character
references, would have the rights afforded by this requirement only if they
could be affected by the uses made of the records in which they appear.

We recognize that the right of an individual to have full access to data
pertaining to himself would be inconsistent with existing practice in some
situations. The medical profession, for example, often withholds from a patient
his own medical records if knowledge of their content is deemed harmful to him;
school records are sometimes not accessible to students; admission to schools,
professional licensure, and employment may involve records containing
third-party recommendations not commonly made available to the subject.

As indicated earlier (pp. 52-53, above), exemption from any one of the safeguard
requirements should be only for a strong and explicitly justified reason. Thus,
existing practices restricting an individual's right to obtain data pertaining
to himself should be continued only if an exemption from the requirement of full
access is specifically provided by law.

Reassessment of existing practices that deprive individuals of full access to
data recorded about themselves will be one of the most significant consequences
of establishing safeguard requirement III (2). Many organizations are likely to
argue that it is not in the interest of their data subjects to have full
access. Others may oppose full access on the grounds that it would disclose the
content of confidential third-party recommendations or reveal the identity of
their sources. Still others may argue that full access should not be provided
because the records are the property of the organization maintaining the data
system. Such objections, however, are inconsistent with the principle of
mutuality necessary for fair information practice. No exemption from or
qualification of the right of data subjects to have full access to their records
should be granted unless there is a clearly paramount and strongly justified
societal interest in such exemption or qualification.

If an organization concludes that disclosing to an individual the content of his
record might be harmful to him, it can point that out, but if the individual
persists in his request to have the data, he should, in our view, be given it.
The instances in which it can be convincingly demonstrated that there is
paramount societal interest in depriving an individual of access to data about
himself would seem to be rare.

Similarly, we cannot accede in general to the claim that the sources of recorded
comments of third parties should be kept from a data subject if he wants to know
them. Disclosure to the data subject of the sources of such comments may be
difficult for organizations that have promised confidentiality. Modifying the
data subject's right of access in order to honor past pledges may be necessary.
However, the practice of recording data provided by third parties, with the
understanding that the identities of the data providers will be kept
confidential, should be continued only where there is a strong, clearly
justified societal interest at stake. Elementary considerations of due process
alone cast grave doubt on the propriety of permitting an organization to make a
decision about an individual on the basis of data that may not be revealed to
him or that have been obtained from sources that must remain anonymous to him.

> (3) Assure that no use of individually identifiable data is made that is not
> within the stated purposes of the system as reasonably understood by the
> individual, unless the informed consent of the individual has been explicitly
> obtained;

This requirement is intended to deal with one of the central issues of fair
information practice: controlling the use of personal data. Assume that a system
maintains no more personal data than reasonably necessary to achieve its
purposes. Assume further that its purposes are well understood and accepted by
the individuals about whom data are being maintained, and that all data in the
system are accurate, complete, pertinent, and timely. The question of how data
in the system are actually used still remains.

Because an individual can be adversely affected even by accurate data in
well-kept records, the use of personal data in a system should be held to
standards of fairness that minimize the risk that an individual will be injured
as a consequence of an organization's permitting data about him to be used for
purposes that differ substantially from whatever uses he has been led to expect.
The public notice called for by safeguard requirement II (pp. 57-58, above) is
intended to assure that when an individual first becomes a data subject, he will
be able to understand the purposes of the system and the types of uses to which
data about him will be put. If, however, an organization expands the previously
announced purposes of the system, or enlarges the range of permissible uses of
data in identifiable form, it must not only revise its public notice for the
system, but also must obtain the prior consent of all existing data subjects.

The objective of requirement III(3), in short, is to make it possible for
individuals to avoid having data about themselves used or disseminated for
purposes to which they may seriously object. The requirement applies to all new
types of uses, whether they will be made by the system that initially collected
that data or by some other system or organization to which data are to be
transferred. Thus it applies (as noted on p. 56, above) to uses that may result
from the transfer of data to a system whose security features and access
limitations open the possibility of uses not anticipated by the data subjects.

> (4) Inform an individual, upon his request, about the uses made of data about
> him, including the identity of all persons and organizations involved and
> their relationships with the system;

This requirement will guarantee the individual an opportunity to find out
exactly how and why data about him have been used, and by whom. It provides this
right for an individual only when he makes a request; a general rule requiring
an organization to take the initiative in all cases to inform an individual how
data about him have been used would often not serve any useful purpose, and
might lead, for example, to periodic mass mailings to inform individuals of uses
of which they are already aware. Nonetheless, there may be instances when data
subjects will want to be informed on a regular basis about particular types of
data use. It is the intent of this safeguard that an organization provide such
service when an individual requests it.

Coupled with requirement I(6) (p. 56, above) this requirement would also afford
individuals the opportunity to advise those to whom records about them have been
disseminated of any corrections, clarifications, or deletions that should be
made.
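The access record called for by requirement I(6), kept so that it can be queried per data subject to answer a III(4) request and to find the recipients who should be advised of later corrections, as an added Python example that is not part of the report. The hash chain, the field names, the set of housekeeping actions and the sample entries are assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AccessRecord:
    """One access to, or use of, data about a subject (requirement I(6))."""
    when: str                 # ISO-8601 UTC timestamp
    subject_id: str           # identifies the individual's record accessed
    actor: str                # person who performed the access
    organization: str         # organization the actor acted for
    action: str               # e.g. "read", "disclose", "decision"
    purpose: str              # stated system purpose the use falls under
    recipient: Optional[str]  # outside organization given the data, if any
    prev_hash: str            # hash of the previous entry (chain, see below)
    entry_hash: str = ""


# Ordinary housekeeping by system personnel, which I(6) does not require
# to be logged. The set is an assumption of this example.
MAINTENANCE_ACTIONS = {"update", "backup", "reindex"}


class AccessAuditLog:
    """Append-only, hash-chained record of every access to and use of data.

    The chain is an assumption of this example (the report asks only that
    the record be complete and accurate); it lets a later review detect
    altered or removed entries.
    """

    def __init__(self) -> None:
        self._entries: list[AccessRecord] = []
        self._last_hash = hashlib.sha256(b"genesis").hexdigest()

    @staticmethod
    def _digest(fields: dict) -> str:
        return hashlib.sha256(
            json.dumps(fields, sort_keys=True).encode()).hexdigest()

    def record(self, *, subject_id: str, actor: str, organization: str,
               action: str, purpose: str, recipient: Optional[str] = None,
               by_system_personnel: bool = False,
               when: Optional[str] = None) -> bool:
        """Log an access. Returns False, logging nothing, for housekeeping
        entries made by system personnel in the course of maintenance."""
        if by_system_personnel and action in MAINTENANCE_ACTIONS:
            return False
        when = when or datetime.now(timezone.utc).isoformat()
        fields = dict(when=when, subject_id=subject_id, actor=actor,
                      organization=organization, action=action,
                      purpose=purpose, recipient=recipient,
                      prev_hash=self._last_hash)
        entry = AccessRecord(**fields, entry_hash=self._digest(fields))
        self._entries.append(entry)
        self._last_hash = entry.entry_hash
        return True

    def uses_of(self, subject_id: str) -> list[AccessRecord]:
        """What an individual may learn on request under III(4): how data
        about him were used, by whom, and for which organizations."""
        return [e for e in self._entries if e.subject_id == subject_id]

    def recipients_of(self, subject_id: str) -> set[str]:
        """Organizations to which data about the subject were disseminated,
        i.e. the parties to advise of corrections or deletions."""
        return {e.recipient for e in self.uses_of(subject_id) if e.recipient}

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = hashlib.sha256(b"genesis").hexdigest()
        for e in self._entries:
            fields = asdict(e)
            stored = fields.pop("entry_hash")
            if fields["prev_hash"] != prev or self._digest(fields) != stored:
                return False
            prev = stored
        return True


def demo() -> AccessAuditLog:
    """Constructed sample entries for one subject (not real data)."""
    log = AccessAuditLog()
    log.record(subject_id="S-1001", actor="j.doe", organization="Payroll Dept",
               action="read", purpose="wage computation",
               when="1973-07-01T09:00:00+00:00")
    log.record(subject_id="S-1001", actor="clerk-7", organization="Payroll Dept",
               action="disclose", purpose="credit reference",
               recipient="Example Credit Bureau",
               when="1973-07-02T14:30:00+00:00")
    # Nightly backup by operations staff: housekeeping, not recorded.
    log.record(subject_id="S-1001", actor="ops", organization="Payroll Dept",
               action="backup", purpose="nightly maintenance",
               by_system_personnel=True, when="1973-07-03T01:00:00+00:00")
    return log
```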

> (5) Assure that no data about an individual are made available from the system
> in response to a demand for data made by means of compulsory legal process,
> unless the individual to whom the data pertain has been notified of the
> demand;

"Compulsory legal process" includes demands made in the form of judicial or
administrative subpoena and any other demand for data that carries a legal
penalty for not responding. It should be the responsibility of the person or
organization that seeks to obtain data by compulsory legal process to notify the
data subject of the demand and to provide evidence of such notification to the
system. In instances when it may be more practicable for the system to give
notice of the demand to the data subject, the cost of doing so should be borne
by the originator of the demand.

The intent of requirement (5) is to assure that an individual will know that
data about himself are being sought by subpoena, summons, or other compulsory
legal process, so as to enable him to assert whatever rights he may have to
prevent disclosure of the data.

> (6) Maintain procedures that (i) allow an individual who is the subject of
> data in the system to contest their accuracy, completeness, pertinence, and
> the necessity for retaining them; (ii) permit data to be corrected or amended
> when the individual to whom they pertain so requests; and (iii) assure, when
> there is disagreement with the individual about whether a correction or
> amendment should be made, that the individual's claim is noted and included in
> any subsequent disclosure or dissemination of the disputed data.

It is not the intent of this requirement in any way to relieve an organization
of the obligation to maintain data in accordance with requirement I(8) (p. 57,
above). Rather, in combination with requirement I(8), it is expected to give an
organization maintaining a system strong incentives to investigate and act upon
any claim by an individual that data recorded about him are incorrect,
insufficient, irrelevant, or out-of-date. The provision for obtaining
injunctions included in the Code of Fair Information Practice (p. 50, above)
will enable individuals to seek court orders for corrective action in regard to
their records.


RELATIONSHIP OF EXISTING LAWS TO THE SAFEGUARD REQUIREMENTS

As we stated earlier in this chapter, existing laws or regulations affording
individuals greater protection than the safeguard requirements should be
retained, and those providing less protection should be amended to meet the
basic standards set by the safeguards. We have not attempted an exhaustive
inventory of existing Federal and State statutes that may need to be amended to
bring them into conformity with the safeguards, but in the course of our work we
have identified two Federal statutes in regard to which we have specific
recommendations.

FREEDOM OF INFORMATION ACT

The Federal Freedom of Information Act2 has a disturbing feature that could be
eliminated by means of an amendment quite in keeping with the primary purpose of
the Act. As noted in Chapter III, the main objective of the Freedom of
Information Act is to facilitate public access to information about how the
Federal government conducts its activities. The Act contains a broad requirement
that information held by Federal agencies be publicly disclosed. Nine categories
of information are specifically exempted from the Act's mandatory disclosure
requirement. For seven of the nine, moreover, disclosure is not prohibited or
otherwise constrained by the Act, and the decision not to disclose is left
entirely to the discretion of the agency holding the information. The agency is
completely free to decide whether it will comply with a request that it disclose
information falling within any of the seven exemptions.3

Of the seven discretionary exemptions, those that offer the most likely basis
for an agency to withhold personal data from the public are:

> trade secrets and commercial or financial information obtained from a person
> and privileged or confidential;
> 
> personnel and medical files and similar files the disclosure of which would
> constitute a clearly unwarranted invasion of personal privacy; and
> 
> investigatory files compiled for law enforcement purposes except to the extent
> available by law to a party other than an agency.

The Act's failure to provide for data-subject participation in a decision by an
agency to release personal data requested under the Act is inconsistent with
safeguard requirement III(3) (p. 61, above) which calls for an individual's
consent to any unanticipated use of data about himself in an administrative
automated personal data system. Enactment of this requirement would necessitate
modification of the Freedom of Information Act to give the data subject a voice
in agency decisions about public disclosure of information covered by the Act,
whenever such disclosure is not within the reasonable expectations of
individuals about whom a Federal agency maintains data in an automated system.

As we see it, an agency that is the custodian of personal data about an
individual should not have unilateral discretion to decide to grant a request
for public disclosure of such data, especially if the data fall within one of
the exempted categories under the Freedom of Information Act. The data custodian
should have to obtain consent from the data subject before releasing
identifiable personal data about him from an administrative automated personal
data system, except in cases where making the requested disclosure without the
individual's consent is within the stated purposes of the system as specifically
required by a statute. We expect such cases to be few.

Accordingly, we recommend that the Freedom of Information Act be amended to
require an agency to obtain the consent of an individual before disclosing in
personally identifiable form exempted-category data about him, unless the
disclosure is within the purposes of the system as specifically required by
statute. Pending such amendment of the Act, we further recommend that all
Federal agencies provide for obtaining the consent of individuals before
disclosing exempted-category personal data about them under the Freedom of
Information Act.

If the Act were so amended, its purpose of protecting the public's "right to
know" about the activities of the Federal government would be brought into a
better balance with the no less important public purpose of protecting the
personal privacy of individuals who are the subjects of data maintained in the
automated personal data systems of the Federal government. There may be other
areas of conflict between the safeguard requirements and the Freedom of
Information Act. The Act should be given a thorough reappraisal with a view to
formulating additional amendments needed to accommodate the safeguard
requirements. An amended Freedom of Information Act and the Code of Fair
Information Practice we have proposed would, in combination, provide an improved
statutory framework within which to resolve the unavoidable conflicts between
personal privacy and open government.

FAIR CREDIT REPORTING ACT4

The Fair Credit Reporting Act is the first Federal statute regulating the vast
consumer-reporting industry. Its basic purpose, as stated in the Act, is

> to insure that consumer reporting agencies exercise their grave
> responsibilities with fairness, impartiality, and a respect for the consumer's
> right to privacy.

The consumer-reporting industry is comprised of credit bureaus, investigative
reporting companies, and other organizations whose business is the gathering and
reporting of information about individuals for use by others in deciding whether
individuals who are the subject of such reports qualify for credit, insurance,
or employment. Consumer-reporting agencies typically operate what we have called
administrative personal data systems, many of which contain large quantities of
intelligence-type data. Increasingly, these systems are being computerized.

The Fair Credit Reporting Act requires consumer-reporting agencies to adopt
reasonable procedures for providing information about individuals to credit
grantors, insurers, employers and others in a manner that is fair and equitable
to the individual with regard to confidentiality, accuracy, and the proper use
of such information. It also places requirements on users of consumer reports
and consumer-investigative reports.

The chief requirements imposed by the Act include the following:

> Accuracy of Information
> 
> Consumer-reporting agencies must follow reasonable procedures in preparing
> reports to assure maximum possible accuracy of the information concerning the
> individual about whom the report is prepared. The effect of this requirement
> extends to all the data gathering, storing, and processing practices of an
> agency.
> 
> Obsolete Information
> 
> Certain items of adverse information may not be included in a consumer report
> after they have reached specified "ages" (except in connection with credit and
> life insurance transactions of $50,000 or more and employment at an annual
> salary of $20,000 or more) viz.: bankruptcies-14 years; suits and judgments-7
> years; paid tax liens-7 years; accounts placed for collection or written off-7
> years; criminal arrest, indictment, or conviction-7 years; any other adverse
> information-7 years.
> 
> Limited Uses of Information
> 
> A consumer-reporting agency may furnish a consumer report about an
> individual to be used for the following purposes and no other:
> 
>  * in response to a court order in accordance with written instructions of the
>    individual to whom it relates;
>  * to determine the individual's eligibility for (i) credit or insurance to be
>    used for personal, family, or household purposes, (ii) employment,
>    including promotion, reassignment or retention as an employee; or (iii) a
>    license or other benefit granted by a governmental instrumentality required
>    by law to consider an applicant's financial responsibility or status;
>  * to meet a legitimate business need for a business transaction involving the
>    individual.
> 
> A consumer-reporting agency must take all steps necessary to insure that its
> reports will be used only for the above purposes.
> 
> Notices to Individuals
> 
> Whenever credit, insurance, or employment is denied, or the charge for credit
> or insurance is increased, wholly or partly because of information in a report
> from a consumer-reporting agency, the user of the report must notify the
> individual affected and supply the name and address of the agency that made
> the report.
> 
> Whenever a consumer-reporting agency reports public record information about
> an individual which may adversely affect his ability to obtain employment, it
> must notify the individual that it is doing so, including the name and address
> of the person to whom the information is reported.
> 
> Whenever an investigative report (obtaining information through personal
> interviews with neighbors, friends, associates, or acquaintances) is to be
> prepared about an individual, he must be so notified in advance unless the
> report is for employment for which the individual has not applied.
> 
> Individual's Right of Access to Information
> 
> An individual about whom an investigative report is being prepared has the
> right, upon his request, to be informed of the nature and scope of the
> investigation.
> 
> An individual has the right, upon his request, and proper identification, to
> be clearly, accurately, and fully informed of: (i) the nature and substance of
> all information, except medical information, about him in the files of a
> consumer-reporting agency; (ii) the sources of such information, except
> sources of information obtained solely for an investigative report; and (iii)
> recipients of consumer reports furnished about the individual, within 2 prior
> years for employment purposes and within 6 prior months for any other purpose.
> (The individual has this right whether or not adverse action has been taken.)
> 
> Whenever credit is denied, or the charge for it increased, wholly or partly
> because of information obtained from a source other than a consumer-reporting
> agency, the individual affected has the right, upon his request, to learn the
> nature and substance of the information directly from its user.
> 
> Individual's Right to Contest Information
> 
> If an individual disputes the accuracy or completeness of information in a
> file maintained about him by a consumer-reporting agency, the agency must
> reinvestigate and record the current status of that information, or delete the
> information if it is found to be inaccurate or cannot be reverified. If the
> reinvestigation does not resolve the dispute, the individual has the right to
> file a brief statement explaining the dispute; and the agency must, in any
> subsequent report containing the disputed information, note the dispute and
> provide at least a clear summary of the individual's statement.

One reason for describing the Fair Credit Reporting Act in such detail is to
illustrate the care with which the Congress has responded to the need it found
to protect individuals from the adverse effects of unfair information practices
in the consumer reporting industry. Although the Congress adopted a regulatory
approach in this Act,5 it constitutes a strong precedent for our recommended
Code of Fair Information Practice. In regulating the practices of both
consumer-reporting agencies and the users of their reports, the Act, in effect,
imposes many of the safeguard requirements we recommend.

The chief reason for presenting the Fair Credit Reporting Act, however, is to
illustrate the point that existing laws that provide greater protection for
individuals than our safeguards offer should be retained, while laws that
provide less protection should be amended to meet the standards set by the
safeguards. Section 606(a) of the Fair Credit Reporting Act, 15 U.S.C. 1681d(a),
for example, requires that an individual be notified that an investigative
report is being prepared about him before work on it is begun, whereas safeguard
requirement III(2) (p. 59, above) gives an individual the right to be informed
that he is the subject of a record only if he asks to know. In this instance,
the Act's requirement, responsive to the particular circumstances of the
consumer reporting industry, provides the individual with greater protection
than our safeguard and should be retained.

Conversely, safeguard requirement III(2), which also guarantees an individual
the right to see and obtain copies of data about him, provides more protection
for individuals than Section 609(a) of the Fair Credit Reporting Act, 15 U.S.C.
1681g(a). Under the Act's requirement the individual is entitled to be fully
informed by a consumer-reporting agency of the content of his record (except
medical information and the sources of investigative information), but he is not
entitled to see, copy, or physically possess his record. When an individual goes
to a consumer-reporting agency to determine what information it has on him, the
contents of the record must be read to him, but he must take the agency's word
that it is telling him about all information in the record, and about all
sources and recipients thereof. We understand that individuals have found this
arrangement generally unsatisfactory, and further, that as the proportion of
"sensitive" or adverse personal data in a record increases, compliance with the
full disclosure requirement tends to diminish.

To bring Section 609(a) more in line with the protection afforded individuals by
safeguard requirement III(2), and thus to achieve the objective of the Fair
Credit Reporting Act more fully, we recommend that the Fair Credit Reporting Act
be amended to provide for actual, personal inspection by an individual of his
record along with the opportunity to copy its contents, or to have copies made.
The choice between inspecting and copying should be left to the individual, and
any charge for having copies made should be nominal.

We further recommend that the exceptions from disclosure to the individual now
authorized by the Fair Credit Reporting Act for medical information and sources
of investigative information should be omitted. It is a disturbing thought that
an investigative consumer-reporting agency may have a record of medical
information that the individual cannot know about or challenge. We realize that
in Section 603(f) of the Fair Credit Reporting Act, 15 U.S.C. 1681a(f),
"consumer reporting agencies" is defined broadly enough to apply to some
organizations that are customary and appropriate repositories of medical
information. However, nothing in the Act should warrant the inference that every
type of organization falling within the umbrella definition of "consumer
reporting agencies" may, with impunity, conceal from an individual the fact that
it is gathering, recording, and reporting medical information about him.

We have explained our skepticism about the propriety of utilizing anonymous data
sources when determinations about an individual's character, qualifications,
rights, opportunities, or benefits are being made. Moreover, we find no strong
societal interest in having an individual routinely denied credit, insurance, or
employment on the basis of information provided by any source that must be kept
secret from him.6


A NOTE ON MAILING LISTS

The use of automated personal data systems to generate mailing lists deserves
special comment. Ordinarily such use entails no perceptible threat to personal
privacy. Even among individuals who strongly object to receiving quantities of
so-called "junk mail," most would probably concede that their objections are not
founded on any substantial claim that personal privacy has been invaded. Indeed,
it is hard to see how the mere delivery of an item of mail to an individual,
even though it is addressed to him by name, in itself entails an offensive or
harmful disclosure or use of personal data.

More important than the end use of the mailing list itself is the question of
the original source of the personal data from which the list was originally
assembled. In most cases, commercial mailing lists are made up of names and
addresses gathered during the course of commercial transactions. In the most
typical case, buying an item through the mail assures that the buyer's name will
be added to the list of a commercial dealer in names, and that the list will in
turn be sold, rented, and traded through a chain of further commercial mailers.
This exploitation of names may occasionally be irritating, but there is little
potential for substantial disclosure of closely held personal information, since
nothing beyond name and address was probably revealed in the first place.

A more serious threat to personal privacy arises when mailing lists are compiled
from sources that have nothing to do with commercial interests-the membership
list of a professional society, the faculty roster of a college, or the donor
list of a charity. In these cases, data furnished for one purpose are being used
for another, and even though the original source may not have contained more
than the name and address, the mere fact of being on the list may reveal
something about one's private life.

More serious still are lists derived from actual administrative data systems.
There is the strong probability that the original source contained data that
might well be intensely personal and that names will be selected for mailing
lists on the basis of such data. The data files for driver licenses, for
instance, usually contain medical information on disabilities. The
administrative files of schools contain grades and other personal items. Any use
of files such as these for any but the original intention carries a clear danger
of exploitation of truly private personal information.

The Committee staff studied the structure and practices of the mailing-list
industry to gauge the threats to personal privacy that could arise from that
source, as well as to examine the applicability of the safeguard requirements to
the industry. The report of the study is presented in Appendix H; an abstract of
its conclusions, which we fully endorse, is given here:

An underlying function of the Advisory Committee's recommended safeguards is to
provide effective feedback mechanisms that will help to make automated personal
data systems more responsive to the interests of individuals. Systems maintained
by most government agencies, and by many private organizations, do not provide
for tight links between individuals and the system operators. The direct-mail
industry, however, is largely organized around the idea of public feedback; the
trade press concentrates almost obsessively on methods for maximizing response
and minimizing complaints.

Because most mailings draw a response from only 3 or 4 percent of the
addressees, a small change in the response rate can have relatively large
economic implications for the mailer. The same is true for the compilers and
brokers of mailing lists, because the price a list commands in the rental market
depends not so much on its demographic sophistication as on its accuracy and
freshness. Lists are cleaned by adding a special imprint to the mailing which
gives the Postal Service authority to correct and return (at first-class rates)
all undeliverable pieces. Since it costs about four times as much to discover
and correct a "nixie" as it does to make a clean mailing in the first place,
there is a powerful economic incentive to concentrate lists on known buyers at
addresses of known accuracy.

Another feedback mechanism operates on the industry as a whole. Direct-mail
advertising is strongly dependent for survival on the official good will of a
large number of agencies of the government; opposition from the Postal Service,
from motor vehicle registrars, or from the Census Bureau, to name a few
examples, would seriously hamper the industry on its present scale. It seems
likely that a scandal involving public records, or the development of a public
allergy to direct-mail advertising, would lead to government moves to put
constraints on the industry.

Constructive publicity toward emphasizing the rights of the individual relative
to direct-mail advertising, especially the methods the industry has adopted for
getting off and getting on the larger lists, would go far in strengthening these
feedback mechanisms that already operate. In particular, the Direct Mail
Advertising Association's Mail Preference Service deserves wider attention.

If feedback mechanisms stronger than those provided by the economics of the
industry should become desirable, there would be formidable practical
difficulties in applying the Committee's safeguards to the freewheeling small
operators of the direct-mail industry. The most directly applicable of the
Committee's safeguards is the requirement for the informed consent of the data
subject to be obtained before any collateral use may be made of data from an
administrative personal data system. To accomplish this, forms that are used by
the system in transactions with individuals (applications, for example) and that
are vulnerable to mailing-list uses, could be printed with a block in which the
individual-by his deliberate action-could indicate whether or not his name and
address could be sold or otherwise transferred to another data system for
mailing-list use. Of course, this could not prevent his name and address from
being copied by hand out of a public record system, but the cost of such
handcopying would sharply curtail much commercial use.

In view of the controls already at work in the direct-mail advertising industry,
this limited application of the Committee's safeguards seems sufficient. It
would provide protection to individuals from having their names unexpectedly
appear on mailing lists without their consent. We doubt the utility and
feasibility of trying to make the rest of the Committee's proposed safeguard
requirements apply to the mailing list as such, as a form of administrative
automated personal data system, or to organizations that deal only in mailing
lists. If the control of mailing lists is to be undertaken by law, it should be
done by legislation that is directed specifically to that purpose.

If the foregoing analysis of the situation underestimates the felt need for
greater mailbox privacy, it would be feasible to undertake specific legislative
action against the direct-mail advertising industry to provide greater
protections, as the regulation of information practices in the
consumer-reporting industry amply demonstrates.


A NOTE ON INTELLIGENCE RECORDS

In developing safeguard requirements, we have divided personal data
record-keeping systems into two broad categories, (i) administrative systems,
and (ii) systems maintained exclusively for statistical reporting and research.
The distinction between the two is in their purpose vis-a-vis individuals.
Administrative systems are intended to be used to affect individuals as
individuals; statistical reporting and research systems are not. According to
this classification, intelligence records are properly considered administrative
records.

A chief characteristic of intelligence records is that they are compiled for
purposes that presuppose the possibility of taking adverse action against an
individual. Their focus is on providing a basis for protecting the
data-gathering organization, or other organizations that it serves, against the
individual. There are many examples of intelligence-type personal-data
record-keeping systems. From a historical standpoint, the original and classical
intelligence records were those compiled and maintained about individuals who
were viewed as possible enemies of the state. The most obvious and perhaps most
common ones today are those compiled by the criminal intelligence systems of
Federal, State, and local law enforcement agencies about individuals suspected
of being engaged in criminal activities, of being threats to public safety or
national security, or of being suitable objects of surveillance and
investigation for less clearly definable reasons. There are, however, many other
examples of intelligence-type records, including investigative records of
credit-reporting agencies, private detective agencies, industrial security
organizations, and so on. It is hard to know how many types of intelligence data
systems exist because their function leads as a rule to careful concealment.

In framing our proposed safeguard requirements for administrative personal data
systems, we did not focus on intelligence records as such. We realize that if
all of the safeguard requirements were applied to all types of intelligence
records, the utility of many intelligence-type records for the purposes they are
designed to serve might be greatly weakened. In some instances this would
clearly not be a desirable outcome from the standpoint of important societal
interests, such as the apprehension and prosecution of individuals engaged in
organized crime. It does not follow, however, that there is no need for
safeguards for personal-data intelligence recordkeeping systems. The risk of
abuse of intelligence records is too great to permit their use without some
safeguards to protect the personal privacy and due process interests of
individuals.

The mere gathering of intelligence data can be a serious threat to personal
privacy and should be carried out with strict respect for the Constitutional
rights of individuals. Once criminal intelligence data have been compiled, their
use in connection with law enforcement prosecutions is safeguarded by all the
Constitutional requirements of due process and by laws that establish
limitations on the exercise of the police power, including civil and criminal
remedies and penalties that may be imposed to enforce such limitations. We have
not attempted to assess whether protections now afforded individuals from abuses
of intelligence records as used in criminal law enforcement should be
strengthened.

We are concerned, however, about the use of criminal intelligence data, and
intelligence records maintained by organizations other than law enforcement
agencies, for many purposes that involve determinations about the
qualifications, character, opportunities, or benefits of individuals to which
the protective requirements of due process may not apply or for which they may
not be fully effective. Such determinations include suitability for employment,
especially in public service or in positions of critical fiduciary
responsibility; clearance for access to classified national security information
held by the Federal government and its contractors; and eligibility for various
public benefits, permits, and licenses.

Enactment of the proposed Code of Fair Information Practice for administrative
personal data systems will afford an excellent opportunity to determine
precisely what protections for individuals should be applied to intelligence
record-keeping systems. Any exception from a safeguard requirement that is
proposed for any type of intelligence system must be specifically sanctioned by
statute and then only if granting the exception would serve a societal interest
that is clearly paramount to the interest served by having the requirement
imposed.

The process of considering exceptions for intelligence systems will entail a
careful review of existing policies, laws, and practices governing the creation,
maintenance, and use of intelligence records about individuals. The need for
such a review has seldom seemed more urgent in the history of our Nation.

NOTES

1 In our brief review of the history of record keeping in Chapter 1, we took note
of the origins and existence of intelligence records. These should be thought of
as a type of administrative personal data system, since intelligence records are
maintained about people for the purpose of affecting them directly as
individuals. We have not, however, examined intelligence record-keeping systems
as such, and it was not with such systems in mind that we developed the
safeguard recommendations set forth in this chapter. At the end of the chapter,
we have included a brief statement about the application of our safeguards to
intelligence records.

2 5 U.S.C. 552 (1970).

3 The remaining two exemptions refer to information that is: "specifically
required by Executive order to be kept secret in the interest of the national
defense or foreign policy;" and "specifically exempted from disclosure by
statute." Legal prohibitions against disclosure of information in these two
categories are not affected by the Act.

4 15 U.S.C. 1681-1684t.

5 The Federal Trade Commission has the basic responsibility for enforcing the
Act, but where specific types of institutions are already regulated (for other
purposes) by other agencies, those agencies are charged with enforcing the Act;
e.g., the Comptroller of the Currency (national banks), the Federal Reserve
Board (member banks of the Federal Reserve systems other than national banks),
the Interstate Commerce Commission (common carriers), and the Civil Aeronautics
Board (air carriers).


V. STATISTICAL REPORTING AND RESEARCH USES OF ADMINISTRATIVE DATA SYSTEMS

Many automated personal data systems established primarily for administrative
purposes are also used for statistical reporting and research. Since one
advantage of computerizing administrative records is the capability thereby
acquired for high-speed data retrieval and manipulation, a growing number of
administrative data systems will be put to such additional uses. The safeguard
recommendations in this chapter take account of that expectation.


DIMENSIONS OF THE PROBLEM

A modern organization, as a rule, maintains elaborate records about the money it
spends, the people it serves, the quantities of goods and services it dispenses,
and the number, qualifications, and salaries of the people who work for it. It
does so, in part, because it must account for its activities to investors or
taxpayers, and to other organizations that monitor and regulate its behavior.

An organization also needs to plan for the future. A firm selling to the public
is interested in knowing what the public wants, or can be persuaded to want. A
school needs to know about the financial and intellectual capabilities of
students coming to it for learning. A government agency tries to forecast demand
for the services it provides or supports.

These incentives to develop indicators of institutional performance make it
difficult to control the quantity and variety of personal data stored in
administrative record-keeping systems, and the statistical-reporting and
research uses that are made of such data. The personal data that organizations
collect for administrative purposes should be limited, ideally, to data that are
demonstrably relevant to decision making about individuals. A substantial amount
of personal data, however, appear to be collected because at some point someone
thought they might be "useful to have," and found they could be easily and
cheaply obtained on an application form, or some other record of an
administrative transaction.

For example, college students applying for government-guaranteed loans in one
State have been required to provide the State guarantee agency with data on
matters that had no direct relation to its individual entitlement decisions.
These data, "for our statistical interest" as their intended use was described
to the Committee, included race, marital status, sex, adjusted family income,
and student-reported "average grades received for last term of full-time
post-high school study." These data have been used to produce statistical
reports for internal agency use, for informal discussions with State
legislators, and to "run a profile once yearly on . . . schools and . . .
lenders to see if there is any odd pattern . . . occurring." On one occasion
data in the system also have been used in a study conducted by an outside
researcher. For making entitlement decisions, however, the data being collected
in excess of those required by law, were described to us as not very helpful to
the program, and at least two data elements-sex and student-reported grades-were
said to be absolutely valueless.1

The student loan case is but one illustration. The presentations of system
managers and users yielded others. We found that decisions to collect personal
data are being made without careful consideration of whether they will in fact
serve the purposes for which they are supposedly being collected. As a result,
substantial sums may be spent on comprehensive data collections for purposes
that could often be much better served by other approaches, such as collecting
statistical-reporting and research data only from a small sample of an
organization's clients or beneficiaries. Most disturbing of all, we found that
personal data in excess of those clearly needed for making decisions about
individuals are sometimes collected in a way that makes them seem prerequisite
to the granting of rights, benefits, or opportunities.


MANDATORY OR VOLUNTARY DATA COLLECTION?

Poorly conceived data collection can result in various kinds of injury to
individuals. As observed earlier, any file of personal data is a potential
source of harm to individuals when it is used outside its appropriate context,
and much of the personal data in administrative files either is a public record
or is vulnerable to legal process.

There is also reason to believe that failure to separate information collected
for statistical-reporting or research from data used in entitlement decisions
may cause such decisions to be made unfairly. "Race" and "sex" are no longer
asked on many application forms because of their acknowledged influence on some
types of decision making about individuals. There are circumstances in which
other kinds of data may have similarly unwarranted effects.2 Moreover,
collecting more information than is needed for day-to-day administrative
decisions may discourage people from taking advantage of the services an
organization offers. As one witness told the Committee:

> . . . . our experience indicates that . . . . rigid adherence to proper data
> collection often "turns off" many clients, even when the interviewer is
> ingenious at gathering it. Also counselors often openly resent [having to ask]
> questions which actually may jeopardize their relationship with a client.

Perhaps most important of all is the intrusive effect of unrestrained data
collection on self-esteem. Occasionally one hears that a wealthy citizen has
hired a chauffeur and limousine to avoid disclosing his Social Security number,
or some other item of information, to a State Department of Motor Vehicles. One
is tempted to dismiss such protests as the trivial antics of rich eccentrics;
yet they indicate the high cost of trying to escape personal inquiries of
organizations that monopolize the distribution of certain privileges and
benefits. The plight of the welfare beneficiary is especially extreme in this
respect, but with all the forms that every one of us is constantly filling out,
it would probably be hard to find a single individual who has not had one
occasion at least to wonder, "Why do they want to know that?" and "What will
happen if I refuse to tell them?"

Collecting statistical-reporting and research data in conjunction with the
administration of service and payment programs is not intrinsically undesirable.
However, such supplementary data gathering should be carefully designed and
managed, and should be performed only with the voluntary, informed cooperation
of individual respondents. Otherwise only personal data directly and
demonstrably germane to a decision about any given individual should be
collected.

Separate collection of data for statistical reporting and research could have
several practical advantages. First, by increasing the cost of supplementary
data gathering, it discourages the collection of useless items. Second, it might
reduce the amount of data that must be specially protected because it is
identifiable. Although personal data maintained exclusively for statistical
reporting and research often need broader and stronger protection than they are
afforded,3 differentiating sharply among the purposes and uses of data files
should encourage public confidence in organizational record-keeping practices
and ease the access control burden that now weighs heavily on some system
managers.

Third, separate collection of personal data for statistical reporting and
research could help to make the collection process more reliable. We learned of
instances in which an ambitious information system's appetite for data has
induced careless statistical reporting. This problem appears to be especially
prevalent where an information system has been established to help coordinate
the activities of a number of small, loosely knit organizations. Such
carelessness can frustrate the management objectives of a system by diluting the
quality of data furnished to it in ways that may not be recognized or, if
recognized, may be very difficult to control.4


ASSURING SOUND SECONDARY USES OF ADMINISTRATIVE DATA SYSTEMS

Administrative record-keeping operations can and do constitute rich sources of
statistical-reporting and research data useful for many purposes. For example,
the Federal government uses Internal Revenue Service records as a source of data
for the quinquennial Census of Business and Manufacturers; hospital records are
used to develop research data banks on particular diseases or disabilities;
school and college records are used to study the relationship between academic
performance and subsequent career achievement. Unfortunately, however, the mere
existence of an administrative data base can create a strong temptation to use
it for statistical reporting and research without sufficient attention to the
appropriateness of doing so.

Three conditions that encourage sound use of data systems for statistical
reporting and research are often absent from the environment in which
administrative systems are designed and operated. They are:

 * knowledge of the social processes by which data come to be collected;
 * management of data collection and analysis by individuals with strong
   statistical and research competence; and
 * independent expert scrutiny of analytic methods and results.

Knowledge of Data Collection Processes.  Detailed understanding of how and why
data come to be collected is often difficult, if not impossible, to achieve. For
example, not everyone who is eligible for public assistance applies for it, and
the amount and kind of information collected from each applicant may vary in
subtle ways.5 Hence, if data from administrative systems are used for
statistical reporting and research, the results must take account of systematic
bias resulting from incompleteness in the data base. Measuring such bias can be
expensive and time-consuming, and corrections for it can be even harder to make.
Highly trained people are needed to conduct careful studies of the processes by
which data in a system are being generated. Because of their expense and
difficulty, however, and also because they can bring to light inadequacies in
the overall performance of an organization, such studies tend not to be done.

Statistical and Research Competence.  Because most administrative systems are
committed to day-to-day record-keeping operations, they are seldom managed or
staffed by persons with strong statistical and research competence. It is true
that the statistical offices of a few large government agencies-notably the
Social Security Administration and the Internal Revenue Service-have
substantially influenced the statistical uses made of their principal data
sources, which are mainly administrative records. Similar examples can be found
at other levels of government and among private organizations, but there are
also numerous instances in which such statistical and research competence is
brought to bear only through informal or sporadic consulting arrangements, if at
all.

Independent Scrutiny.  Because administrative data systems are not created
expressly for statistical reporting and research, they also tend to lack the
strong ties to external groups of data users, and to the formal systems of
professional peer review that characterize general purpose statistical-reporting
and research operations. This isolation from independent expert scrutiny,
coupled with the management orientation of administrative data systems, weakens
the incentive to maintain high standards in the secondary statistical-reporting
and research uses that are made of them.

Neglect of these three conditions is particularly dangerous in a governmental
setting. In business, the quality of statistical reporting and research may be
measured by the usefulness of such work to the planning and marketing functions
that maintain a firm's competitive position. In government, however, feedback
from the marketplace is attenuated. Save for the occasional newsworthy
statistical report, the ancillary uses of administrative data systems may be
ignored by outside professionals and invisible to the general public and its
elected representatives.

In the Federal Government, formal arrangements for implementing the Federal
Reports Act are supposed to serve as a check on the uses made of administrative
record-keeping systems for statistical reporting and research. However, at other
levels of government, the low visibility of such uses, coupled with the uneven
impact of public information laws, can create an open invitation to misguided
use of statistical reports and research findings based on administrative data.

We learned, for example, that one agency of a State government recently
attempted to compare earnings declarations made by some public assistance
beneficiaries to county welfare offices, with earnings of those same
beneficiaries reported by their employers to a second State agency. This complex
comparison of data derived from two quite different administrative
record-keeping systems was undertaken mainly to verify the beneficiaries'
eligibility for public assistance payments on a case-by-case basis, but it also
resulted in a statistical report "showing" that a substantial percentage of the
State's public assistance beneficiaries were engaged in "apparent fraud." The
design of the comparison, and thus the resulting data, supported no such
conclusion. Few people are aware of its technical failings, however, and it
seems unlikely that many more will discover them, since appropriately documented
data from the study have not been made available outside the sponsoring State
agencies.


RECOMMENDATIONS

In light of our inquiry into the statistical-reporting and research uses of
personal data in administrative recordkeeping systems, we recommend that steps
be taken to assure that all such uses are carried out in accordance with five
principles.

> First, when personal data are collected for administrative purposes,
> individuals should under no circumstances be coerced into providing additional
> personal data that are to be used exclusively for statistical reporting and
> research. When application forms or other means of collecting personal data
> for an administrative data system are designed, the mandatory or voluntary
> character of an individual's responses should be made clear.6

> Second, personal data used for making determinations about an individual's
> character, qualifications, rights, benefits, or opportunities, and personal
> data collected and used for statistical reporting and research, should be
> processed and stored separately.7

> Third, the amount of supplementary statistical-reporting and research data
> collected and stored in personally identifiable form should be kept to a
> minimum.

> Fourth, proposals to use administrative records for statistical reporting and
> research should be subjected to careful scrutiny by persons of strong
> statistical and research competence.

> Fifth, any published findings or reports that result from secondary
> statistical-reporting and research uses of administrative personal data
> systems should meet the highest standards of error measurement and
> documentation.

It would be difficult to apply each of these principles uniformly to all
administrative automated personal data systems. For this reason, we have not
translated them into safeguard requirements to be enacted as part of a code of
fair information practice. Adherence to their spirit, however, is warranted by
the growing significance of statistical-reporting and research uses of
administrative personal data systems -- both for individual data subjects and
for the institutions maintaining such systems.
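The separation that the second and third principles call for, together with the consent block on application forms proposed in the note on mailing lists earlier in this chapter, can be made concrete in code. The following is an added example written for this edition; it is not code from the Committee or from any agency it studied. The field names, the two sample applications, the consent block and the link key are all constructed for illustration, and the list of which fields an entitlement decision depends on is a hypothetical one.

```python
"""Added example: keeping entitlement data, statistical data and mailing-list
use apart at intake. Field names, sample forms, the consent block and the
link key are all constructed for illustration (not taken from any real form).
"""
import hashlib
import hmac

# Data the (hypothetical) entitlement decision actually depends on. Leaving any
# of these blank is grounds for rejecting the application.
MANDATORY = ("applicant_id", "name", "address", "school", "loan_amount")

# Data asked "for statistical interest" only. A blank answer is always accepted.
VOLUNTARY = ("race", "sex", "marital_status", "family_income", "last_term_grades")

# Of the voluntary data, only what the statistical programme has a stated use
# for is retained; everything else is discarded at intake (minimization).
STAT_RETAINED = ("school", "loan_amount", "family_income")

# Consent block printed on the form; both boxes default to "no" when unticked.
CONSENT_BLOCK = {"statistical_use": False, "mailing_list_transfer": False}

# Constructed sample submissions.
SAMPLE_FORMS = [
    {"applicant_id": "A-001", "name": "Jane Q. Student", "address": "1 Example Street",
     "school": "Example College", "loan_amount": 2500,
     "race": "declined", "sex": "F", "marital_status": "single",
     "family_income": 18500, "last_term_grades": "B",
     "consent": {"statistical_use": True, "mailing_list_transfer": True}},
    {"applicant_id": "A-002", "name": "John Q. Student", "address": "2 Example Street",
     "school": "Example College", "loan_amount": 1200,
     # voluntary block left blank; neither consent box ticked
     "consent": {}},
]


def check_form(form):
    """Return the problems that block an application. Only missing mandatory
    fields count; a refused voluntary answer is never a problem."""
    problems = []
    for f in MANDATORY:
        if form.get(f) in (None, ""):
            problems.append(f"missing mandatory field: {f}")
    for f in form:
        if f not in MANDATORY and f not in VOLUNTARY and f != "consent":
            problems.append(f"field not on the approved form: {f}")
    return problems


def pseudonym(applicant_id, link_key):
    """Keyed hash used as the identifier in the statistical store. The key stays
    with the administrative system, so someone holding only the statistical
    file cannot re-link its records to named individuals."""
    return hmac.new(link_key, applicant_id.encode(), hashlib.sha256).hexdigest()[:16]


def intake(form, link_key):
    """Split one submitted form into an administrative record and, if the
    applicant consented, a separate statistical record. Raises ValueError when
    mandatory data is missing or an unapproved field was collected."""
    problems = check_form(form)
    if problems:
        raise ValueError("; ".join(problems))
    consent = dict(CONSENT_BLOCK, **form.get("consent", {}))

    # Administrative record: mandatory data plus the mailing-list box only.
    admin = {f: form[f] for f in MANDATORY}
    admin["mailing_list_transfer_ok"] = consent["mailing_list_transfer"]

    # Statistical record: pseudonymous, and only the retained fields.
    stat = None
    if consent["statistical_use"]:
        stat = {"pseudonym": pseudonym(form["applicant_id"], link_key)}
        for f in STAT_RETAINED:
            if form.get(f) not in (None, ""):
                stat[f] = form[f]
    return admin, stat


def mailing_list_export(admin_records):
    """Names and addresses that may be transferred for mailing-list use: only
    where the box was ticked, and nothing beyond name and address."""
    return [{"name": r["name"], "address": r["address"]}
            for r in admin_records if r["mailing_list_transfer_ok"]]


if __name__ == "__main__":
    key = b"constructed-link-key"
    for form in SAMPLE_FORMS:
        admin, stat = intake(form, key)
        print("administrative:", admin)
        print("statistical:   ", stat)
```

The two stores never share a field that identifies the applicant: the administrative record carries the name and address but no voluntary answers, while the statistical record carries a keyed pseudonym and only the retained fields, so `race`, `sex`, `marital_status` and `last_term_grades` are dropped at intake rather than stored "in case they are useful". Refusing a voluntary answer never causes `check_form` to reject the application, which is what the first principle requires.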

In addition, there are certain safeguards that can be feasibly applied to all
administrative automated personal data systems used for statistical reporting
and research. Specifically, we recommend that the following requirements be
added to the safeguard requirements for administrative personal data systems:

 * Under I. General Requirements (Chapter IV, pp. 53-57), add

C. Any organization maintaining an administrative automated personal data system
that publicly disseminates statistical reports or research findings based on
personal data drawn from the system, or from administrative systems of other
organizations, shall:

> (1) Make such data publicly available for independent analysis, on reasonable
> terms; and
> 
> (2) Take reasonable precautions to assure that no data made available for
> independent analysis will be used in a way that might reasonably be expected
> to prejudice judgments about any individual data subject's character,
> qualifications, rights, opportunities, or benefits.

 * Under the Public Notice Requirement (Chapter IV, p. 58), add

> (8a) The procedures whereby an individual, group, or organization can gain
> access to data used for statistical reporting or research in order to subject
> such data to independent analysis.

The purpose of general requirements C. (1) and (2) is to assure that when
statistical reports or research findings based on personal data from
administrative systems are used to affect social policy, the data will be
available, in an appropriate form, for independent analysis. To comply with this
requirement, an organization will have to plan carefully all publicly
disseminated statistical-reporting and research uses of personal data in the
administrative systems it maintains.

The public notice for an administrative personal data system will specify any
statistical-reporting and research uses to be made of data in the system
(requirement II. (7), p. 58). The additional information required by requirement
(8a) will make it easier to obtain access to data for independent analysis.

1 A representative of the State agency told the Committee that the agency would
not compel a student applicant to provide this information "because we have come
to find it is totally worthless . . . . [A]t one time we thought it would be
a viable way of sampling the type of student we would assist. We determined it
is not much use . . . [but w]e have not taken it out."

2 For a cogent analysis of the effects of "contextual" information on clinical
disability determinations, see Saad L. Nagi, Disability and Rehabilitation
(Columbus, Ohio: Ohio State University Press), 1969, especially Chapters 2 and
9. Discussion of this problem will also be found in Stanton Wheeler (Ed.), On
Record: Files and Dossiers in American Life (New York: Russell Sage Foundation),
1969.

3 The special problems of data maintained exclusively for statistical reporting
and research are discussed in Chapter VI.

4 As one representative of a small group of agencies observed in his testimony
before the Committee: Client- (rather than management-) oriented agencies are
philosophically committed to research only secondarily, as a tool for delivering
more effective services. Therefore, they often must be dragged kicking and
screaming into the data collection business. This is totally apart from their
finances or their training . . . . Where services are . . . interfered with,
data collection goes out the window. Measurement error can then be quite high.

5 These variations may result from practices rooted in a bureaucratic subculture
of which the record-keeping operation is but one -- albeit important -- part. See, for
example, the discussions of how juvenile court, welfare, credit, and elementary
school records are generated, in Wheeler, op. cit., Chapters 2, 5, 11, and 12.

6 Recall in this regard safeguard requirement III (1), recommended in Chapter IV
(p. 59, above) for all administrative automated personal data systems; viz.,
that an individual asked to supply data for a system be informed clearly whether
he is legally required or free to refuse to provide the data requested. That
safeguard, when applied, will effectively eliminate de facto coercion of data
subjects into providing more information than is needed for making
administrative decisions.

7 Separating the two types of data in this way would make it easier to apply the
protection against compulsory disclosure recommended in Chapter VI (pp. 102-103,
below).


VI. SPECIAL PROBLEMS OF STATISTICAL REPORTING AND RESEARCH SYSTEMS

When the United States was at war with Japan in 1942, the War Department asked
the Census Bureau for the names and addresses of all Japanese-Americans who were
living on the West Coast at the time of the 1940 Census. Persons of Japanese
descent were being rounded up and transported inland for fear that some of them
might prove disloyal in the event of a Japanese attack. Because of Title 13 of
the U. S. Code, however, which prohibits disclosure of census data furnished by
individuals, the Census Bureau could, and did, refuse to give out the names and
addresses.

In 1969, the Mercer County (N.J.) Prosecutor's Office subpoenaed the payment
histories of 14 families participating in an income-maintenance experiment being
conducted by a private contract research organization in Princeton. The
prosecutor suspected that the families were defrauding the county welfare
department by not reporting their monthly income from the experiment. The
contractor found that it had no legal basis for resisting the subpoenas, even
though its federally funded subcontract explicitly provided that "individual
personal and financial information pertaining to all individuals and families
who participate as respondents in this study shall remain strictly
confidential."1

The difference between these two cases is clear and fundamental: In the Census
case, the data were protected by a statute2 from disclosure in individually
identifiable form; in the New Jersey case they were not.3 This chapter examines
some of the problems posed by legally unprotected statistical-reporting and
research files that contain data about identifiable individuals. It focuses on
the need to protect individual data subjects from injury through disclosure of
data about them, on one hand, and, on the other, the need to make files of
personal data more accessible to persons who can make constructive use of the
data they contain.


BACKGROUND OBSERVATIONS

When we began our examination of automated record-keeping operations, we
expected that we could leave out entirely data systems maintained exclusively
for statistical reporting or research. We were mindful that in the mid-1960's a
series of proposals4 to establish a national statistical data center had alerted
the public to some of the dangers inherent in computer-based record-keeping
operations. We also knew that the Freedom of Information Act contains no clear
statement of Congressional intent with respect to the disclosure of individually
identifiable data maintained for statistical reporting and research. We had
assumed, however, that statistical-reporting and research data systems, by and
large, would not contain data in personally identifiable form, and that if they
did, the anonymity of individual data subjects would be protected by specific
statutory safeguards. We were not prepared for the discovery that in many
instances files used exclusively for statistical reporting and research do
contain personally identifiable data, and that the data are often totally
vulnerable to disclosure through legal process. This holds for data in Federal
agency files as well as for data in the possession of State agencies and private
research organizations.

Changes in social policy, which computer technology has to some extent
facilitated, are in large part responsible for the existence of unprotected
statistical-reporting and research files. Since the late 1950's, the Federal
Government has been distributing increasingly large sums of money to the States
on the basis of formulas that take account of special population
characteristics. The recipient State governments, in turn, have been
redistributing this money among their own political subdivisions, using
grant-in-aid formulas that tend to generate new requirements for statistical
data about people at nearly every level of government. Often coupled with these
grants, moreover, have been planning requirements demanding highly detailed
information about the populations of small geographic areas.

Program evaluation requirements, first levied on grant-in-aid recipients by
Federal agencies and later explicitly written into some of the agencies'
authorizing legislation, have been a further stimulus to the proliferation of
statistical-reporting and research files containing data about people. From
their initial emphasis on simple input accounting (how much was spent, by whom,
for what purpose, on how many people, with which characteristics), evaluation
studies have rapidly come to focus on measuring program effects.5 Because
effects measurement usually requires before-and-after data on program
participants, it has become necessary to preserve individual identities in
evaluation research files. Interest in the specific events and processes that
may account for changes in participant behavior over time has also grown along
with interest in output measurement. Many of the factors that account for a
participant's behavior are so subtle that they can only be isolated if records
of people's movements and experiences are kept over an extended period.

A third factor that has enlarged the number of data files containing information
about identifiable individuals is the broad support given to fundamental
research in the social and biomedical sciences. In fact, files for research in
these two areas may be the most numerous of all, and they exist in a variety of
settings. Many such files are coming into the possession of government agencies
as a consequence of contract arrangements that make agencies the proprietors of
data generated in government-supported research and demonstration projects. Not
all of these files contain information that identifies individual data subjects,
but of those that do, the ones dealing with controversial social and political
issues are particularly vulnerable to misuse in the absence of specific
statutory safeguards.


THE NEED TO PROTECT DATA SUBJECTS FROM INJURY

Even at the Federal level there are few statutes that protect personal data in
statistical-reporting and research files from unintended administrative or
investigative uses. The Census Act, the Public Health Service Act, and the
Social Security Act are notable exceptions. Otherwise there is little to prevent
anyone with enough time, money, and perseverance (to say nothing of someone who
can issue or obtain a subpoena) from gaining access to a wealth of information
about identifiable participants in surveys and experiments. This should not, and
need not, be the case. Social scientists and others whose research involves human
subjects are vocal about the importance of being able to assure individuals that
information they provide for statistical reporting and research will be held in
strictest confidence and used only in ways that will not result in harm to them
as individuals. Unless people get -- and believe -- such assurances, they will
inevitably become either less willing or less reliable participants in surveys
and experiments.6 Ideally, data subjects should also be told of the conditions
under which they are being asked to provide information, and should be given an
opportunity to refuse if they find those conditions unsatisfactory. It is often
asserted, for example, that the decennial census (in which response is
mandatory) is a feasible undertaking only because the public willingly
co-operates, and that the public's cooperation is best obtained by explaining to
respondents the uses to which the data will be put.

We believe the principle that no harm must come to an individual as a
consequence of participating in a general knowledge-producing activity should be
regarded as the essence of "use for statistical or research purposes only."
Individual data subjects asked to provide data for statistical reporting and
research should also be fully informed, in advance, of the known consequences
for them of providing or not providing data. Survey respondents and participants
in experiments and demonstration projects are largely dependent on what they are
told by interviewers or by explanatory notes on forms. Hence, it is incumbent on
the institution conducting or funding a statistical-reporting or research
project to find out how vulnerable the data in its files are, and so to inform
its data subjects.

Finally, we believe that the best way to assure that individual data subjects
will not be harmed is to extend to all personal data generated through
statistical-reporting and research activities the statutory protections that
have been given to census data and certain classes of health and economic data
collected and used in the public interest.


THE NEED FOR FREER ACCESS TO DATA IN GOVERNMENT FILES

The obverse of the problem of data confidentiality is the need to make basic
data more accessible for reuse or reanalysis by all qualified persons or
institutions. Personal data systems for statistical reporting and research are
largely in the hands of institutions that wield considerable power in our
society. Hence, it is essential that data which help organizations to influence
social policy and behavior be readily available for independent analysis.

The ubiquitous computer has increased both the quantity of data potentially
available to users and the number of potential users. Unfortunately, however,
the data dissemination capability of many funding and collecting institutions
has not grown commensurately. Among the general purpose statistical operations
of the Federal government, the Census Bureau has led the way in making data from
standard statistical series easily available to users in a form that protects
the anonymity of respondents. Other agencies, notably the National Center for
Health Statistics, have followed suit.7 The Department of Health, Education and
Welfare is currently preparing a guidebook of its "public use" data files.8

Laudable as these efforts are, it should be emphasized that they are being made,
for the most part, by agencies or offices within agencies whose primary mission
is statistical reporting and research. They do not address the problem of access
to the statistical-reporting and research files that operating agencies develop
in the course of evaluating programs or in adding to the general knowledge of
program administrators. It is true, as noted earlier, that anyone with enough
money, time, and perseverance can probably gain access to substantial amounts of
data not generally available for public use. Yet the individual researcher, or
the independent critical expert, however perseverant, may not even know that
important data exist, much less where to find them. If he does find them, and if
he can afford to have them put in usable form, the documentation may not be
sufficient to permit reconstruction of the conditions and suppositions under
which the data were collected. An agency holding data collected under a pledge
of confidentiality may not be willing to go to the trouble (or may itself not be
able to afford the cost) of expunging elements that would serve to identify
individual data subjects in order to make the data available.

In principle, there need be no conflict between informing the public about how
the government conducts its business and protecting individual data subjects
from harm. If data cannot be made available for reuse or reanalysis without
disclosing the identity of data subjects, special precautions may have to be
taken before making basic data accessible to qualified persons outside the
collecting organization, but such precautions can be taken. For example, each
data subject could be asked at the time of the initial data collection if he
would consent to participate in a follow-up study, on the understanding that
consent would be sought anew each time a further follow-up study is undertaken.
Although such arrangements may add to the expense and difficulty of some data
collections, a public institution that uses scientific approaches and methods
has a duty to make the work it sponsors or supports available for critical
appraisal.

Making fully documented data available for reuse and reanalysis by persons
competent to assess the interpretations that have been made of them can bring
two benefits. First, the knowledge that other investigators will have an early
opportunity to challenge its conclusions should tend to heighten the quality of
the original collection and analysis, and second, advances in the sciences may
produce more powerful techniques of analysis that could make it possible to
glean additional information from data in the course of re-examining them.


RECOMMENDATIONS FOR STATISTICAL REPORTING AND RESEARCH SYSTEMS

In Chapter IV, we have recommended enactment of legislation establishing a code
of fair information practice for all automated personal data systems. All the
features of that code would apply to systems used exclusively for statistical
reporting and research. The safeguard requirements to be included in the code for
such systems are set forth below. They are designed to help protect the
individual citizen against unintended or unforeseen uses of information he
provides exclusively for statistical reporting and research, and to help assure
that the uses organizations make of statistical-reporting and research data are
subjected to independent expert review and open public discussion. Pending the
enactment of a code of fair information practice as outlined in Chapter IV, we
recommend that all Federal agencies (i) apply the safeguard requirements, by
administrative action, to all Federal statistical-reporting and research
systems, and (ii) assure, through formal rule making, that the safeguard
requirements are applied to all systems within reach of the Federal government's
authority. Pending the enactment of a code of fair information practice, we also
urge that State and local governments, the institutions within reach of their
authority, and all private organizations adopt the safeguard requirements by
whatever means are appropriate.

In addition, we recommend that all personal data in systems used exclusively for
statistical reporting and research be protected by statute from compulsory
disclosure in identifiable form. The safeguard requirements recommended below
are premised on the enactment of legislation granting such protection. There is
no requirement, for example, guaranteeing data subjects access to the contents
of records maintained about them. Theoretically, no such requirement is needed,
since statistical-reporting and research data systems are not intended to be
used to affect individuals directly; granting individuals access to records that
can have no direct consequences for them as individuals would interfere with a
system's operations to no useful end. In practice, however, the vulnerability of
data in many statistical-reporting and research systems to compulsory disclosure
in identifiable form means that for individual data subjects to be adequately
protected from unforeseen disclosures, those data must be afforded immunity
from disclosure through compulsory legal process.

The safeguard requirements for statistical-reporting and research systems are
modeled closely on the safeguard requirements for administrative systems in
Chapter IV. Hence explanatory notes are provided only in those cases where a
requirement has been modified to fit the special characteristics of
statistical-reporting and research systems. Where no notes appear following a
requirement, the reader should refer to the notes on the corresponding safeguard
in Chapter IV.

SAFEGUARD REQUIREMENTS FOR STATISTICAL-REPORTING AND RESEARCH SYSTEMS

> I. GENERAL REQUIREMENTS
> 
> A. Any organization maintaining a record of personal
> data, which it does not maintain as part of an automated personal data system
> used exclusively for statistical reporting or research, shall make no transfer
> of any such data to another organization without the prior informed consent of
> the individual to whom the data pertain, if, as a consequence of the transfer,
> such data will become part of an automated personal data system that is not
> subject to these safeguard requirements or the safeguard requirements for
> administrative personal data systems (in Chapter IV).

> > All other safeguard requirements for statistical-reporting and research
> > systems have been formulated to apply only to automated systems, although
> > they would wisely be applied to all statistical-reporting and research
> > systems, whether automated or manual. If this is not done, however, it is
> > necessary to assure that individuals about whom an organization maintains
> > records of personal data, which are not part of an automated system, will be
> > protected in the event of transfers of such data to automated systems.
> > Requirement I.A. is intended to provide such protection for individuals by
> > requiring that transfers of data about them to automated systems not subject
> > to safeguard requirements be made only with their informed consent.

> B. Any organization maintaining an automated personal data system used
> exclusively for statistical reporting or research shall:
> 
> > (1) Identify one person immediately responsible for the system, and make any
> > other organizational arrangements that are necessary to assure continuing
> > attention to the fulfillment of the safeguard requirements;

> The obligation to identify a person responsible for the system is intended to
> provide a focal point for assuring compliance with the safeguard requirements
> and to guarantee that there will be someone with authority to whom
> individuals, groups, or organizations can go if other methods of dealing with
> the system are unsatisfactory. Systems that involve more than one organization
> may present special problems in this respect, and must be carefully designed
> to assure that a person is not shuffled from one organization to another when
> he seeks to assert any right under these requirements.

> > (2) Take affirmative action to inform each of its employees having any
> > responsibility or function in the design, development, operation, or
> > maintenance of the system, or the use of any data contained therein, about
> > all the safeguard requirements and all the rules and procedures of the
> > organization designed to assure compliance with them;

> > (3) Specify penalties to be applied to any employee who initiates or
> > otherwise contributes to any disciplinary or other punitive action against
> > any individual who brings to the attention of appropriate authorities, the
> > press, or any member of the public, evidence of unfair information practice;

> > (4) Take reasonable precautions to protect data in the system from any
> > anticipated threats or hazards to the security of the system;

> > (5) Make no transfer of individually identifiable personal data to another
> > system without (i) specifying requirements for security of the data,
> > including limitations on access thereto, and (ii) determining that the
> > conditions of the transfer provide substantial assurance that those
> > requirements and limitations will be observed, except in instances when each
> > of the individuals about whom data are to be transferred has given his prior
> > informed consent to the transfer;

> Requirement (5) has basically the same implications for statistical-reporting
> and research systems that it has for administrative systems (Chapter IV, p.
> 56). However, applied to statistical-reporting and research systems along with
> requirement III (2) (p. 101, below), requirement (5) will also prevent an
> organization or a researcher from transferring data in identifiable form to
> another organization or researcher who could not fully guarantee that the
> transfer would result in no uses of the data not reasonably anticipated by the
> data subjects.

> > (6) Have the capacity to make fully documented data readily available for
> > independent analysis.

> This requirement should be understood to mean that data whose use helps an
> organization to influence social policy and behavior must be readily
> available. In cases where independent analysis could not be performed without
> knowing the identity of each data subject, a system would be considered fully
> "capable" if, for example, it had obtained the consent of each data subject to
> participate in a follow-on study, or had a policy of seeking the consent of
> data subjects on behalf of persons wanting to perform such independent
> analysis.

> II. PUBLIC NOTICE REQUIREMENT

> > Any organization maintaining an automated personal data system used
> > exclusively for statistical reporting or research shall give public notice
> > of the existence and character of its system once each year. Any
> > organization maintaining more than one such system shall publish annual
> > notices for all its systems simultaneously. Any organization proposing to
> > establish a new system, or to enlarge an existing system, shall give public
> > notice long enough in advance of the initiation or enlargement of the system
> > to assure individuals who may be affected by its operation a reasonable
> > opportunity to comment. The public notice shall specify:

> > (1) The name of the system;
> > 
> > (2) The nature and purpose(s) of the system;
> > 
> > (3) The categories and number of persons on whom data are (to be) maintained;
> > 
> > (4) The categories of data (to be) maintained indicating which categories are
> > (to be) stored in computer-accessible files;
> > 
> > (5) The organization's policies and practices regarding data storage,
> > duration of retention of data, and disposal thereof;
> > 
> > (6) The categories of data sources;
> > 
> > (7) A description of all types of use (to be) made of data, indicating those
> > involving computer-accessible files, and including all classes of users and
> > the organizational relationships among them;
> > 
> > (8) The procedures whereby an individual, group, or organization can gain
> > access to data for independent analysis;
> > 
> > (9) The title, name, and address of the person immediately responsible for
> > the system;
> > 
> > (10) A statement of the system's provisions for data confidentiality and the
> > legal basis for them.

> This requirement has two primary objectives: (1) to assure that there will be
> no automated personal data system whose very existence is kept secret from the
> public; and (2) to assure that uses of systems by organizations to help them
> influence social policy or behavior are not immune from independent expert
> scrutiny. Instances will no doubt arise in which announcement of a research
> project prior to undertaking it could seriously hamper part of the study. In
> other instances, the scale of a project might be so small, and its influence
> on social policy so remote, that strict compliance with the public notice
> requirement will seem unduly burdensome. For such cases some mechanism will
> have to be devised for granting exemptions from the public notice requirement.
> Because of the diversity of statistical-reporting and research activities that
> organizations conduct, sponsor, or support, we have not tried to specify
> criteria for granting exemptions or to prescribe any particular mechanism for
> dealing with requests for exemptions on a case-by-case basis. We do feel,
> however, that the people who want to do research that might qualify for an
> exemption should not be asked to bear the full burden of deciding whether an
> exemption is appropriate. The matter of exemptions from the public notice
> requirement is one to which careful attention will have to be addressed when
> the safeguard requirements are being applied by administrative action, and
> eventually in connection with the enactment of legislation establishing the
> code of fair information practice for statistical-reporting and research
> systems.

> We have also refrained from specifying a uniform mechanism for giving notice.
> For Federal agencies, we would expect formal notice in the Federal Register,
> but a catalog of data files published annually would also suffice. We would
> expect State and local governments to use whatever comparable mechanisms are
> available to them. Other systems may find that notices given through
> professional journals or mailings would be appropriate. Whatever methods are
> chosen, an organization must have copies of its notices readily available to
> anyone requesting them.

> III. RIGHTS OF INDIVIDUAL DATA SUBJECTS

> Any organization maintaining an automated personal data system used
> exclusively for statistical reporting or research shall:

> > (1) Inform an individual asked to supply personal data for the system
> > whether he is legally required, or may refuse, to supply the data requested,
> > and also of any specific consequences for him, which are known to the
> > organization, of providing or not providing such data;

> As indicated in Chapter IV (p. 59, above), one purpose of this requirement is to
> discourage coercive collection of personal data that are to be used exclusively
> for statistical reporting and research. However, the requirement that an
> individual be informed of the consequences of providing, or not providing, data
> for a system is also intended to assure that no pledge to hold data in
> confidence will be given by a data-collecting organization without apprising
> each data subject of the legal limitations, if any, of such a pledge.

> > (2)9 Assure that no use of individually identifiable data is made that is
> > not within the stated purposes of the system as reasonably understood by the
> > individual, unless the informed consent of the individual has been
> > explicitly obtained;

> > (3) Assure that no data about an individual are made available from the
> > system in response to a demand for data made by means of compulsory legal
> > process, unless the individual to whom the data pertain (i) has been
> > notified of the demand, and (ii) has been afforded full access to the data
> > before they are made available in response to the demand.

> The intent of this requirement is similar to that of requirement III (5), as
> explained in Chapter IV (p. 63, above). Because there is no safeguard
> requirement for statistical-reporting and research systems giving an
> individual the right of access to data about himself (as provided in
> requirement III (2) for administrative systems), this requirement gives an
> individual that right in the event of a compulsory process demand. The need
> for this requirement would be obviated by enactment of legislation providing
> effective protection against compulsory disclosure of identifiable personal
> data maintained in statistical-reporting and research systems. However, until
> such legislation is enacted, or if, when enacted, the legislation leaves an
> organization maintaining such a system any discretion whatsoever to waive the
> protection against compulsory disclosure, this safeguard should be the minimum
> protection afforded individual data subjects.


STATUTORY PROTECTION AGAINST COMPULSORY DISCLOSURE

A primary goal of safeguard requirements for statistical-reporting and research
systems must be to protect individual data subjects from harm. That goal will be
frustrated if, after having been assured that the data he provides for a system
will be seen only by persons formally involved in the statistical-reporting or
research project, a data subject finds that the data have been disclosed in
identifiable form in response to a subpoena.

Statistical-reporting or research data that can be traced to identifiable
individuals should not be subject to compulsory disclosure through legal
process. In our view, there must be new Federal legislation protecting against
such disclosure, and it should include the following features:

 * The data to be protected should be limited to those used exclusively for
   statistical reporting or research. Thus, the protection would apply to
   statistical-reporting and research data derived from administrative records,
   and kept apart from them, but not to the administrative records themselves.10
 * The protection should be limited to data identifiable with, or traceable to,
   specific individuals. When data are released in statistical form, reasonable
   precautions to protect against "statistical disclosure"11 should be
   considered to fulfill the obligation not to disclose data that can be traced
   to specific individuals.
 * The protection should be specific enough to qualify for non-disclosure under
   the Freedom of Information Act exemption for matters "specifically exempted
   from disclosure by statute" 5 U.S.C. 552 (b) (3).
 * The protection should be available for data in the custody of all
   statistical-reporting and research systems, whether supported by Federal
   funds or not.
 * The Federal law should be controlling; no State statute should interfere with
   the protection it provides. (The need also exists for State legislation to
   protect statistical-reporting and research data that cannot be reached by
   Federal legislation.)
 * Either the data custodian or the individual about whom data are sought by
   legal process should be able to invoke the protection, but only the
   individual should be able to waive it.

These are essential conditions for protecting statistical-reporting and research
data from compulsory disclosure in identifiable form. Legislation incorporating
the features indicated would not prevent the disclosure of basic records from a
statistical-reporting or research system so long as data in the records could
not be traced to specific individuals.

We offer no specific guidance on the form of the statutory protection. However,
existing Federal confidentiality statutes contain some relevant examples. These
range from absolute prohibitions against disclosure to authority for an
administrative official to make disclosure regulations. Among the specific
methods are the following:

Absolute Prohibition of Disclosure. Two existing statutes provide stringent
protections for personal data held by Federal agencies.

> (a) Data collected by the Bureau of the Census may not be revealed to anyone
> outside of the Bureau in a form in which an individual respondent is
> identifiable. There is no discretion for any Bureau official with respect to
> disclosure. There are criminal penalties for disclosure. The prohibition
> against disclosure serves to defeat legal process. If a respondent retains a
> copy of a report made to the Bureau, the copy, like the original, is immune
> from process. 13 U.S.C. 9, 214.
> 
> (b) Data collected under the National Health Survey may not be used "for any
> purpose other than the statistical purpose for which it was supplied except
> pursuant to regulations of the Secretary [of Health, Education, and Welfare];
> nor may any such information be published if the particular establishment or
> person supplying it is identifiable except with the consent of such
> establishment or person." Sec. 305(a) of the Public Health Service Act, 42
> U.S.C. 242c. Here again, the holders of the records are given no discretion to
> reveal information or withhold it; only the establishment or the person who
> supplied the information has that discretion. Criminal penalties for
> disclosure derive from a general statute on disclosure of confidential
> information. 18 U.S.C. 1905.

Absolute Protection Against Compulsory Disclosure. A second pattern of data
protection is provided by statutes that authorize a Federal official to
authorize others to protect the privacy of individuals who are the subject of
research by withholding from all persons not connected with the research the
names and other identifying characteristics of such individuals. Such authority
is vested in the Secretary of Health, Education, and Welfare by Section 303(a)
of the Public Health Service Act, 42 U.S.C. 242a, with respect to drug research,
and also by Section 333 of the Comprehensive Alcohol Abuse and Alcoholism
Prevention, Treatment, and Rehabilitation Act of 1970, 42 U.S.C. 4582, with
respect to alcohol abuse and alcoholism research. Similar authority is given the
Attorney General by Section 502(c) of the Comprehensive Drug Abuse Prevention
and Control Act of 1970, 21 U.S.C. 872(c), with respect to "research." The
latter authority speaks only of "research," but appears in a section of the
statute dealing with research related to enforcement of laws concerning drugs.

The authority in each of these instances is explicit as to immunity from
process. Those who obtain the authorization "may not be compelled in any
Federal, State, or local civil, criminal, administrative, legislative, or other
proceeding" to identify the subjects of research. These sections are of wide
scope. The authorization may be given to anyone engaged in the specified type of
research. Thus, the Secretary or Attorney General can extend it to Federal
employees under his control, Federal employees in other agencies, grantees, and
even to researchers who are not grantees. However, there is no absolute
prohibition on disclosure. The Secretary or Attorney General may grant or
withhold the authorization. The researcher with the authorization "may not be
compelled. . .to identify such individuals," but may choose to identify them
pursuant to process or otherwise, subject to whatever other ethical or legal
constraints exist. Thus, it is not strictly a privilege, like the lawyer-client
privilege, in which the individual who has provided the information controls the
action of the professional in responding to process.

Discretion to Disclose Under Specified Conditions. The Drug Abuse Office and
Treatment Act of 1972 (P.L. 92-255) provides a third model. Section 408 of that
Act, 21 U.S.C. 1175, establishes as confidential, and forbids disclosure of,
patient records "which are maintained in connection with the performance of any
drug abuse prevention function authorized or assisted under any provision of
this Act or any Act amended by this Act." There is a criminal penalty for
disclosure. If the patient gives written consent, the record may be disclosed
for medical care purposes, or to governmental personnel in order to obtain
benefits for the patient. If the patient does not give consent, the record may
be disclosed for emergency medical treatment; for research, audit, or evaluation
purposes (as long as the patient's identity is not further disclosed); or if
authorized by a court order upon application showing good cause. Criminal
charges may not be initiated or substantiated on the basis of patient records,
and patients may not be investigated on the basis of patient records, except
pursuant to disclosure under a court order. The section continues to apply to a
patient's records after he ceases to be a patient.

This statute speaks of records "maintained in connection with any drug abuse
prevention function," and this seems to include records kept solely for
research, but the term "patient" is used repeatedly. The Act's legislative
history shows that confidentiality was provided so that drug abusers would more
readily seek treatment. [H. Rept. No. 92-920, 92nd Cong., 2d Sess., 33 (1972)].
Implementing regulations issued by the Special Action Office for Drug Abuse
Prevention, 21 C.F.R. Part 401, define "patient" as anyone who is or has been
interviewed, examined, diagnosed, treated, or rehabilitated in connection with
any drug abuse prevention function, and include "research" in the definition of
the drug abuse prevention function.

It should be noted that the function of the court order in this scheme is to
authorize a disclosure which would otherwise be forbidden, rather than to compel
disclosure. The implementing regulations make it clear that the holder of the
records may disclose the records if so authorized by a court order, but is not
obliged to do so.

Discretion to Specify the Conditions for Disclosure. Another pattern of
protection is found in Section 1106(a) of the Social Security Act, 42 U.S.C.
1306(a). The section does not deal explicitly with research, but covers any
information received by the Department of Health, Education, and Welfare in the
course of discharging duties under the Social Security Act. The section provides
that no disclosure shall be made "except as the Secretary may by regulations
prescribe." Thus, an administrative official is authorized to designate classes
of information that may be disclosed, and that may not be disclosed, and to
determine when and to whom data may be disclosed. In effect, an administrative
official has discretion (which must be exercised in advance in published
regulations) to respond to legal process or not.

1 David N. Kershaw and Joseph C. Small, "Data Confidentiality and Privacy:
Lessons from the New Jersey Negative Income Tax Experiment," Public Policy, Vol.
XX, No. 2 (Spring 1972), p. 261. The Mercer County dispute stemmed from a change
in the State public assistance law which made more participants in the
experiment eligible for welfare than had been the case when the experiment
began. The 1969 investigation was terminated when the contractor agreed to
reimburse the county welfare agency for any overpayments that came to light. Two
years later, however, the experiment was subjected to a four-month grand jury
investigation of charges that the contractor had "instructed low-income families
taking part in the experiment not to report income subsidies to city and county
welfare authorities . . . ." Ibid., p. 268. During this same period, access to
the contractor's files was also sought by the General Accounting Office and the
U. S. Senate Finance Committee.

2 The current version of this protection provides that:

> Neither the Secretary, nor any other officer or employee of the Department of
> Commerce or bureau or agency thereof, may . . . (1) use the information
> furnished under the provisions of this title for any purpose other than the
> statistical purposes for which it is supplied; or (2) make any publication
> whereby the data furnished by any particular establishment or individual under
> this title can be identified; or (3) permit anyone other than the sworn
> officers and employees of the Department or bureau or agency thereof to
> examine the individual reports . . . . 13 U.S.C. 9(a).

3 The New Jersey case is not unique. At least two other incidents of a similar
nature have been reported. See John Walsh, "Anti-poverty R&D: Chicago Debacle
Suggests Pitfalls Facing OEO," Science, 165, 19 September 1969, pp. 1243-1245;
and "Appeals Court Orders MD to Reveal Patients' Photos," Psychiatric News,
VII:2, November 15, 1972, p. 1. The latter describes a pending court case
involving the New York City Methadone Maintenance Treatment Program.

4 Report of the Committee on the Preservation and Use of Economic Data to the
Social Science Research Council, April 1965, reprinted as Appendix I in The
Computer and Invasion of Privacy, Hearings before a Subcommittee of the
Committee on Government Operations, U. S. House of Representatives, 89th
Congress, 2d Session, July 26, 27, 28, 1966; Statistical Evaluation Report No.
6-Review of Proposal for a National Data Center, prepared by Edgar S. Dunn, Jr.,
also reprinted in The Computer and Invasion of Privacy as Appendix 2; and Report
of the Task Force on the Storage of and Access to Government Statistics
(Washington, D.C.: Bureau of the Budget), October 1966.

5 There is today a substantial evaluation research literature to which the
interested reader can refer for a fuller account of how this new
government-supported activity has developed. See, for example, Edward A.
Suchman, Evaluative Research (New York: Russell Sage Foundation), 1967; Francis
G. Caro, Readings in Evaluation Research (New York: Russell Sage Foundation,
1971; and Peter H. Rossi and Walter Williams (Eds.), Evaluating Social Programs:
Theory, Practice, and Politics (New York and London: Seminar Press), 1972.

6 See Chapter 6, "Privacy and Confidentiality," in Federal Statistics, the Report
of the President's Commission on Federal Statistics (Washington, D.C.: U.S.
Government Printing Office), 1971.

7 National Center for Health Statistics, Standardized Micro-Data Transcripts
(Rockville, Md.: National Center for Health Statistics), December 1972.

8 Guidebook to the U.S. Department of Health, Education, and Welfare Computer
Data Files, 1973 (forthcoming).

9 This requirement corresponds to requirement III(3) in Chapter IV.

10 See Note 7, Chapter V, p. 85.

11 This is a risk that arises when a population is so narrowly defined that
tabulations are apt to produce cells small enough to permit the identification
of individual data subjects, or when a person using a statistical file has
access to information which, if added to data in the statistical file, makes it
possible to identify individual data subjects. See I. P. Fellegi, "On the
Question of Statistical Confidentiality," Journal of the American Statistical
Association, 67:337 (March 1972), pp. 7-18.
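The two forms of "statistical disclosure" that note 11 describes, and that the obligation in the second legislative feature above is meant to guard against, shown on a constructed tabulation. This is an added example and is not part of the report: the records, the field names and the minimum cell size of 3 are all assumptions made for illustration. It cross-tabulates eleven fictitious subjects by county, age band and diagnosis, flags cells small enough to single out one person, simulates a reader who combines outside knowledge of a person with the released table, and applies a minimum-cell-size suppression rule. It also goes one step beyond the note by showing a cell above the threshold that still discloses an attribute because everyone in the group shares it.

```python
"""Statistical-disclosure check on a small tabulation.

Added example, not from the report. All records are constructed and
fictitious; the minimum cell size of 3 is an assumed policy value.
"""
from collections import Counter

FIELDS = ("county", "age_band", "diagnosis")

# Constructed microdata: one row per data subject (fictitious).
RECORDS = [
    {"id": 1,  "county": "North", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 2,  "county": "North", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 3,  "county": "North", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 4,  "county": "North", "age_band": "20-29", "diagnosis": "D2"},
    {"id": 5,  "county": "North", "age_band": "20-29", "diagnosis": "D2"},
    {"id": 6,  "county": "North", "age_band": "20-29", "diagnosis": "D2"},
    {"id": 7,  "county": "North", "age_band": "60-69", "diagnosis": "D2"},
    {"id": 8,  "county": "South", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 9,  "county": "South", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 10, "county": "South", "age_band": "20-29", "diagnosis": "D1"},
    {"id": 11, "county": "South", "age_band": "20-29", "diagnosis": "D1"},
]


def tabulate(records, fields=FIELDS):
    """Cross-tabulate: count subjects in every combination of the fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def risky_cells(table, threshold=3):
    """Non-empty cells below the threshold. Anyone who can place a known
    person in such a cell learns that person's remaining attributes."""
    return sorted(cell for cell, n in table.items() if n and n < threshold)


def suppress(table, threshold=3):
    """Primary suppression: blank (None) every cell below the threshold."""
    return {cell: (n if n is not None and n >= threshold else None)
            for cell, n in table.items()}


def infer_attribute(table, known, target, fields=FIELDS):
    """Simulate a reader who knows some fields about one person ('known')
    and has the released table. If every released, non-empty cell that
    matches what is known carries the same target value, that value is
    disclosed for the person; return it, otherwise None."""
    values = set()
    for cell, n in table.items():
        if not n:                      # empty or suppressed (None) cell
            continue
        row = dict(zip(fields, cell))
        if all(row[k] == v for k, v in known.items()):
            values.add(row[target])
    return values.pop() if len(values) == 1 else None


if __name__ == "__main__":
    table = tabulate(RECORDS)
    print("cells:", dict(table))
    print("risky cells:", risky_cells(table))
    someone = {"county": "North", "age_band": "60-69"}   # outside knowledge
    print("diagnosis disclosed:", infer_attribute(table, someone, "diagnosis"))
    released = suppress(table)
    print("after suppression:", infer_attribute(released, someone, "diagnosis"))
    group = {"county": "South", "age_band": "20-29"}
    print("homogeneous group still discloses:",
          infer_attribute(released, group, "diagnosis"))
```

Suppression here is primary only: if marginal totals for each county and age band were published alongside the table, the blanked cell could be recovered by subtraction, so complementary suppression or rounding would also be needed. The South cell shows that a cell-size threshold by itself does not prevent attribute disclosure when every subject in a group shares the same value; a rule on the cell's composition, not just its size, is required for that.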


VII. THE SOCIAL SECURITY NUMBER AS A STANDARD UNIVERSAL IDENTIFIER

Our charter commissioned us to analyze policy and practice relative to the
issuance and use of the Social Security number, including prohibitions,
restrictions, conditions, or other qualifications on the issuance and use of the
number which now exist, or might be imposed to help implement whatever
safeguards for automated personal data systems we might recommend.

This particular aspect of our charge stems from growing public concern that the
Social Security number will become a standard universal identifier used by all
manner of organizations and data systems to establish the identity of
individuals, to link records about them, and generally to keep track of them
from cradle to grave. This concern also led to the establishment of the Social
Security Number Task Force in February 1970, and was reflected in former HEW
Secretary Elliot L. Richardson's testimony, in March 1971, before the U.S.
Senate Subcommittee on Constitutional Rights, chaired by Senator Sam J. Ervin,
Jr.1

Why do these concerns exist? Are they reasonable? What can be done about them?
To answer these questions we must first understand something about identifiers
in general and the nature and implications of a standard universal identifier in
particular.

There are many kinds of personal identifiers. A person's name is an identifier,
the most ancient of all, but is not a reliable one, since often it is neither
unique nor permanent. Even unusual names may be widely shared, and because of
family patterns identical ones are often concentrated in particular localities.
Some names change when people marry or divorce, and when children are adopted.
Some people are known by different names in different social settings; e.g.,
itinerants, persons with aliases, and married women who use a maiden name
professionally.

To compensate for the unreliability of names as personal identifiers, additional
schemes of identification have been devised. These commonly take the form of
numeric or alpha-numeric labels that provide the uniqueness and permanence names
customarily lack. The reliability thereby achieved is important to
record-keeping systems in order to assure accuracy in merging and updating data
to be stored about individuals. Usually such labels are established for a single
system, but in some instances, a single one may be used in more than one system;
for example, in all the record-keeping systems of an organization that maintains
different sets of records on a given group of people. If one label is used by
separate organizations, such as the Social Security number is for the taxpayer's
identification number, a driver's license number, and a school student number,
that label may be on its way to becoming a de facto universal identifier.


CRITERIA FOR A STANDARD UNIVERSAL IDENTIFIER

A standard universal identifier (SUI) is a systematically assigned label that,
theoretically at least, distinguishes a person from all others. If the labels
assigned by a universal identification scheme are to fulfill this function, each
SUI must meet all the following criteria:

UNIQUENESS. It must be unique for each person. No more than one person can be
assigned the same SUI, and each person must have no more than one SUI.

PERMANENCE. It must not change during the life of an individual and should not
be re-used after his death until all records concerning him have been retired.

UBIQUITY. Labels must be issued to the entire population for which unique
identification is required.

AVAILABILITY. It must be readily obtainable or verifiable by anyone who needs
it, and quickly and conveniently regainable in case it is lost or forgotten.

INDISPENSABILITY. It must be supported by incentives or penalties so that each
person will remember his SUI and report it correctly; otherwise systems will
become clogged with errors.

ARBITRARINESS. It must not contain any information. If it does, e.g., State of
issuance, it will be longer than necessary, thus violating the "brevity"
criterion (see below). It may also violate the "permanence" criterion if
changeable items, such as name or address, are incorporated. Most important, if
items of personal information are part of an SUI, they will be automatically
disseminated whenever the SUI is used; in our view, this would be undesirable.

BREVITY. It must be as short as possible for efficiency in recognition,
retrieval, and processing by man or machine.

RELIABILITY. It must be constructed with a feature that detects errors of
transcription or communication.2 If the communication of SUIs were done entirely
by machine, errors could be minimized through technology, but short of this,
there must be protection against the risk of human error in writing or reciting
an SUI. For the foreseeable future, the need will continue for people to fill
out forms and to report information themselves.


IMPLICATIONS OF A STANDARD UNIVERSAL IDENTIFIER

The advantages of a standard universal identifier, as seen by its proponents,
are easier and more accurate updating, merging, and linking of records about
individuals for administrative, statistical, and research purposes. According to
them, duplication and error in record keeping would be reduced. Individuals,
moreover, would be relieved of the need to use many different identifying
numbers; an SUI might supplant credit card numbers, personal checking account
numbers, driver license numbers, and many other identifiers.

In spite of these practical advantages, the idea of an SUI is objectionable to
many Americans. Even in some European countries where SUIs were introduced
without opposition a generation or more ago, their use has recently raised fears
and anxieties in the population. Many people both feel a sense of alienation
from their social institutions and resent the dehumanizing effects of a highly
mechanized civilization. Every characteristic of an SUI heightens such emotions.

 * The bureaucratic apparatus needed to assign and administer an SUI would
   represent another imposition of government control on an already heavily
   burdened citizenry.
 * To realize all the supposed benefits of an SUI, mandatory personal identity
   cards would have to be presented whenever called for. Loss or theft of an SUI
   card would cause serious inconvenience, and the mere threat of official
   confiscation would be a powerful weapon of intimidation.
 * The national population register that an SUI implies could serve as the
   skeleton for a national dossier system to maintain information on every
   citizen from cradle to grave.
 * An unchangeable SUI used everywhere would make it much easier for an
   individual to be traced, and his behavior monitored and controlled, through
   the records maintained about him by a wide range of different institutions.
 * A permanent SUI issued at birth could create an incentive for institutions to
   pool or link their records, thereby making it possible to bring a lifetime of
   information to bear on any decision about a given individual. American
   culture is rich in the belief that an individual can pull up stakes and make
   a fresh start, but a universally identified man might become a prisoner of
   his recorded past.

This Committee believes that fear of a standard universal identifier is
justified. Although we are not opposed to the concept of an SUI in the abstract,
we believe that, in practice, the dangers inherent in establishing an SUI, without
legal and social safeguards against the abuse of automated personal data
systems, far outweigh any of its practical benefits. Therefore, we take the
position that a standard universal identifier should not be established in the
United States now or in the foreseeable future.3 The question can surely be
re-examined after there has been sufficient experience with the safeguards
proposed in this report to evaluate their effectiveness.


THE SOCIAL SECURITY NUMBER (SSN) AS AN SUI

But is it not too late to oppose a standard universal identifier? Is not the SSN
already a de facto SUI? To answer these questions, we must first measure the SSN
against the criteria for an SUI given above.

UNIQUENESS. The SSN is not a unique label. More than 4.2 million people, by the
Social Security Administration's own estimates, have two or more SSNs. More
serious, although much less prevalent, are the instances in which more than one
person has been issued or uses the same SSN.4

PERMANENCE. The SSN is, in almost all cases, permanent for an individual
throughout his life.

UBIQUITY. The SSN is nearly universal for adult Americans, much less so for
those of high-school age and below.

AVAILABILITY. The SSN of an individual is readily verifiable by the Social
Security Administration for some users, and not at all for others. It is
regainable from the Social Security Administration by persons who have lost
their cards and forgotten their numbers, but not immediately. An individual's
SSN, however, is increasingly ascertainable from many sources other than the
Social Security Administration.

INDISPENSABILITY. The incentives and requirements to report one's SSN correctly
are growing, though in some contexts there are incentives to omit or falsify the
number.

ARBITRARINESS. The SSN is not entirely arbitrary; the State of issuance is coded
into the number.

BREVITY. The SSN with its nine digits is three places longer than an
alpha-numeric label capable of numbering 500 million people without duplication,
and two places longer than one that can accommodate 17 billion people. The SSN
could therefore be shorter if it were alpha-numeric.

RELIABILITY. The SSN has no check-feature, and most randomly chosen nine-digit
numbers cannot be distinguished from valid SSNs. It is thus particularly prone
to undetectable errors of transcription and oral reporting.

By our definition, the SSN cannot fully qualify as an SUI; it only approximates
one.
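The RELIABILITY criterion above, and the finding that the SSN has no check-feature, in code. This is an added example and is not part of the report or of any Social Security Administration procedure: it uses the Luhn check digit purely as a representative check feature (the report prescribes none), and the nine-digit body is a constructed sample value, not a real SSN. It shows what one extra digit buys against the two commonest human errors, a wrong digit and two adjacent digits swapped, and what fraction of random strings the check still accepts.

```python
"""Check-feature demonstration (added example; not from the report).

Luhn is used here only as a representative check digit; the report
prescribes no particular algorithm. The nine-digit body below is a
constructed sample value, not a real SSN.
"""
import random


def _luhn_sum(digits: str) -> int:
    """Luhn weighted sum, weighting from the right: the rightmost digit
    counts as-is, the next is doubled (minus 9 if that exceeds 9), and so
    on alternately. The doubling map is a bijection on 0-9, which is why
    every single-digit error shifts the sum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def check_digit(body: str) -> str:
    """Digit c such that body + c passes luhn_valid()."""
    # Appending c shifts every body digit one place left, so compute the
    # weighted sum as if a placeholder '0' were already appended.
    return str((10 - _luhn_sum(body + "0") % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the full number (body + check digit) satisfies the check."""
    return number.isdigit() and _luhn_sum(number) % 10 == 0


def undetected_single_digit_errors(number: str) -> int:
    """Count of single-digit substitutions that still pass the check."""
    misses = 0
    for pos, orig in enumerate(number):
        for d in "0123456789":
            if d != orig and luhn_valid(number[:pos] + d + number[pos + 1:]):
                misses += 1
    return misses


def undetected_adjacent_transpositions(number: str) -> list:
    """Positions i where swapping digits i and i+1 still passes the check."""
    misses = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a == b:
            continue                   # swapping identical digits changes nothing
        if luhn_valid(number[:i] + b + a + number[i + 2:]):
            misses.append(i)
    return misses


def random_acceptance_rate(length: int, trials: int, seed: int = 1) -> float:
    """Fraction of uniformly random digit strings of the given length that
    pass the check. Exactly one check digit works for each body, so the true
    value is 1/10; a raw number with no check feature accepts every string."""
    rng = random.Random(seed)
    hits = sum(luhn_valid("".join(rng.choice("0123456789") for _ in range(length)))
               for _ in range(trials))
    return hits / trials


SAMPLE_BODY = "123456709"                                # constructed, not a real SSN
SAMPLE_NUMBER = SAMPLE_BODY + check_digit(SAMPLE_BODY)   # body plus one check place

if __name__ == "__main__":
    print("protected identifier:", SAMPLE_NUMBER)
    print("single-digit errors missed:", undetected_single_digit_errors(SAMPLE_NUMBER))
    print("transpositions missed at positions:",
          undetected_adjacent_transpositions(SAMPLE_NUMBER))
    print("random 10-digit strings accepted:", random_acceptance_rate(10, 20000))
```

With the check digit, every single-digit error is caught, as is every adjacent transposition except a 0 next to a 9 (the one pair the Luhn weighting cannot separate, which is why the sample body was chosen to contain "09"), and only about one random ten-digit string in ten is accepted. A raw nine-digit number with no check feature accepts every string, which is the report's point that most random nine-digit numbers cannot be told from valid SSNs. The price is the one extra place that the BREVITY criterion counts against.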

The SSN had its genesis in accounting practice and was first known as the
Social Security Account Number (SSAN). It was established to number accounts for
the 26 million people with earnings from jobs covered by the Social Security Act
of 1935. Income-maintenance benefits under the Act, though not payable until the
retirement or death of a worker, were to be determined on the basis of his
record of earnings. Each worker needed a uniquely identifiable account to which
records of his earnings would be posted periodically. Since obviously many would
have the same or similar names, it was decided to assign each a unique number to
identify his account and assure an accurate record of earnings, which his
employer would report both by name and account number.

Name and number were used because standard accounting practice had accustomed
people to numbered accounts, and because the technology of the day, notably the
punched card machine with its 80-column card, required a short numeric
identifier for efficiently adding the records of new transactions to existing
master-file records.

Nine digits were chosen to provide for future expansion. A check-feature was not
provided because the technology of the day could not cope with it, and manual
checking, though possible, was judged too time-consuming to be feasible. The
Social Security Administration has developed ingenious error-detection methods,
and has improved them over the years to the point where it now neither needs nor
desires a check-feature.5

Despite the deficiencies of the SSN for purposes other than those for which it
was designed, its use is widespread and growing, even where its limitations are
recognized. How did this come about? Why is the SSN now so widely used for
purposes and in areas unrelated to the Social Security program?


HISTORY OF THE SOCIAL SECURITY NUMBER AND ITS USES

The original Social Security Act (P.L. 74-271, August 14, 1935) imposed two
taxes to finance the program of retirement and survivor benefits to be
administered by the Social Security Board. One was a tax as a percentage of
wages imposed on employees; the second was a matching tax on employers. To
finance the Federal contribution to State programs of unemployment compensation
required by the same Act, a tax as a percentage of wages was imposed on
employers.

Section 807 of that Act charged the Bureau of Internal Revenue in the Treasury
Department with collecting all three taxes. Section 807(b) provided:

> Such taxes shall be collected and paid in such manner . . . (either by making
> and filing returns, or by stamps, coupons, tickets, books, or other reasonable
> devices or methods necessary or helpful in securing a complete and proper
> collection and payment of the tax or in securing proper identification of the
> taxpayer), as may be prescribed by the Commissioner of Internal Revenue . . . .

The first mention of the SSN in a law or regulation is in a Bureau of Internal
Revenue regulation of November 5, 1936 under which an identifying number, called
an "account number," was to be applied for by each employee, and assigned by the
Postmaster General or the Social Security Board. Each employee was directed to
report his number to his employer. Employers were directed to keep records
showing the name and number of each employee and to enter employee account
numbers on all required tax returns. The regulation provided that "Any employee
may have his account number changed at any time by applying to the Social
Security Board and showing good reasons for a change. With that exception, only
one account number will be assigned to an employee. "6

It is ironic to discover (though logical and understandable in retrospect) that
the first step in the process of extending the use of the Social Security number
beyond the purposes of the Social Security program was taken by the Social
Security Board itself on January 15, 1937. After the Social Security Act was
passed, a question arose about an account numbering system to be used by State
agencies established to administer the State unemployment insurance programs.
The Board decided that the Social Security number should be used for all workers
insured under these programs, rather than have each State agency develop its own
identification system. As a result of this decision, many workers not covered by
the Social Security program received SSNs for use in State unemployment
insurance programs.

For some years after its inception in 1936, there was no substantial use of the
SSN other than that required for the Social Security and unemployment
compensation programs. Most Americans had not been issued a number, and few
organizations felt the need of a numeric identifier for purposes of data
processing.

Although many people are under the impression that use of the SSN for other than
Social Security program purposes is forbidden by law, this is not the case and
never has been. The impression may in part have arisen from the fact that, for
many years, the card bearing one's Social Security Account Number has carried
the legend, "NOT FOR IDENTIFICATION." The purpose of this legend is to notify
anyone to whom a card might be presented that it cannot be relied upon, by
itself, as evidence of the identity of the person presenting it.

In 1943, the Civil Service Commission decided that there should be a numerical
identification system for all Federal employees and proposed to the Bureau of
the Budget that use of the SSN be authorized for this purpose. This led to the
issuance of Executive Order 9397. That order, which is still in effect, provides
in part as follows:

> WHEREAS certain Federal agencies from time to time require in the
> administration of their activities a system of numerical identification of
> accounts of individual persons; and...

> WHEREAS it is desirable in the interest of economy and orderly administration
> that the Federal Government move towards the use of a single, unduplicated
> numerical identification system of accounts and avoid the unnecessary
> establishment of additional systems;

> NOW, THEREFORE, . . . it is hereby ordered as follows:

> 1. Hereafter any Federal department, establishment, or agency shall, whenever
> the head thereof finds it advisable to establish a new system of permanent
> account numbers pertaining to individual persons, utilize exclusively the
> Social Security account numbers . . . .

The order directs the Social Security Board, the predecessor agency of the
Social Security Administration, to provide for the assignment of an account
number to any person required by any Federal agency to have one, and to furnish
the number, or the name and identifying data, pertaining to any person or
account number upon request of any Federal agency using the SSAN for a numerical
identification system of accounts under the order. The order also directs that

> The Social Security Board and each Federal agency shall maintain the
> confidential character of information relating to individuals obtained
> pursuant to the provisions of this Order.

Finally, the order provides for the costs of services rendered thereunder by the
Social Security Board to be reimbursed by the agency receiving such services.

Most civil servants had never applied for SSNs because their employment was not
covered by the Social Security Act. Since they were not being assigned numbers
for Social Security program purposes, the costs had to be paid from funds
appropriated for the Civil Service Commission. The Commission, however, was
unable to obtain the necessary funds, and so it was not until November, 1961
that the assignment of numbers to Civil Service employees was initiated as an
adjunct of the Internal Revenue Service's taxpayer identification program (see
below).

The issuance of Executive Order 9397 in 1943 theoretically may have provided the
basis for a change in conception of the role of the SSN. However, there is no
evidence that it had any practical significance until after the 1961 decision to
use the SSN as an individual identifier for Federal tax purposes. It has been
suggested that Executive Order 9397 was intended to apply only to instances when
Federal agencies seek to number records of financial transactions, and not to
numbering other kinds of records, such as employment, attendance, performance,
or medical records. The fiscal interpretation follows from the wording of the
order which speaks of the efficiency to be gained from "a single . . . system of
accounts . . . ." To interpret the order as applying to all kinds of Federal
agency record systems is arguably beyond the meaning of its language. In any
case, it appears that Federal agencies are free to use the SSN in any way they
wish, and no instance has come to our attention in which the order has been
invoked to compel or limit an agency's use of the SSN.

What many regard as the single most substantial impetus to use the SSN for
purposes other than the Social Security program occurred in 1961, when the
Internal Revenue Service, after discussions with the Social Security
Administration, decided to use the SSN for taxpayer identification. This
decision was implemented by an amendment to the Internal Revenue Code that
authorized the Secretary of the Treasury to require each person making "a
return, statement, or other document" under the Internal Revenue Code to
"include such identifying number as may be prescribed for securing proper
identification of such person." The Secretary was also authorized "to require
such information as may be necessary to assign an identifying number to any
person."7 The Secretary delegated his authority to the Commissioner of Internal
Revenue, who has issued a number of regulations, the combined effect of which
may be summarized as follows.

 * The taxpayer's identification number for use by individuals (except as
   employers in a trade or business) is the SSN.
 * The SSN for each individual taxpayer and each beneficiary of an estate or
   trust must be furnished on all tax returns and related statements and
   documents filed in connection with every tax imposed by the Internal Revenue
   Code. (A failure to include the number as required on a return gives rise to
   a civil penalty of $5, unless the failure to provide the number is due to
   "reasonable cause." Int. Rev. Code of 1954, Sec. 6676.)
 * An individual is obliged to obtain an SSN from the Social Security
   Administration and furnish it when requested, for purposes of complying with
   Internal Revenue Service regulations, by any of the following: employers;
   estates and trusts; corporations and other entities paying dividends; banks,
   mutual savings and savings and loan institutions; insurance companies;
   stockbrokers and securities dealers; other entities paying interest; and
   nominees receiving dividends or interest.

Many other actions of the Federal government have expanded the areas of use of
the SSN beyond its original purposes.

 * The Treasury Department further expanded use of the SSN in 1963 by requiring
   its use in registration of all United States transferable and
   non-transferable securities other than U.S. savings bonds. The following year
   the requirement for such use of the SSN was applied to Series H savings
   bonds. The Treasury Department has announced that as of October 1, 1973, the
   inscriptions on Series E bonds must also include the SSN. (Meanwhile the
   Treasury has modified its earlier rule that the names of women on savings
   bond inscriptions be preceded by "Miss," "Mrs.," or other title, by permitting
   omission of the title if the woman's SSN is included.)
 * In a decision dated April 16, 1964, the Commissioner of Social Security
   approved the issuance of SSNs to pupils in the ninth grade and above, if a
   school requests such issuance and indicates willingness to cooperate in the
   effort. The Social Security Administration Claims Manual explains that this
   decision was made (1) to accommodate requests from school systems "desiring
   to use the SSN for both automatic data processing and control purposes, so
   that the progress of pupils could be traced throughout their school lives
   across district, county, and State lines", and (2) because issuance of SSNs
   to school children in groups is more orderly, efficient, less costly to the
   Social Security Administration, and gives better assurance of identification
   of the children than if students eventually apply for numbers one at a time.
 * In June 1965 the Commissioner of Social Security authorized the issuance of
   an SSN to every recipient of State old-age assistance benefits who did not
   already have one, in order to establish a more efficient process for exchange
   of information between these agencies and the Social Security Administration.
   When the Social Security Act was amended in 1965, to provide hospital and
   medical insurance (Medicare) administered by the Social Security
   Administration, it became necessary for most individuals aged 65 and over who
   did not already have an SSN to obtain one.
 * In June 1965 the Civil Service Commission began to add SSNs to the retirement
   records of their annuitants. This represented an extension of the SSN
   issuance system started in 1961 for civil service employees.
 * Effective January 1, 1966, after consultation with the Social Security
   Administration, the Veterans Administration began using the SSN as a hospital
   admission number, and for other record-keeping purposes.
 * On April 7, 1966, the Commissioner of Social Security approved the test usage
   of the SSN by the Division of Indian Health of the Public Health Service to
   facilitate development and maintenance of comprehensive health histories of
   Indians from birth to death.
 * By memorandum dated January 30, 1967, the Secretary of Defense advised the
   Social Security Administration of his decision to use the SSN as the service
   number of all military personnel.
 * Pursuant to the Currency and Foreign Transactions Reporting Act (the
   so-called Bank Secrecy Act), P.L. 91-508, October 26, 1970; 31 U.S.C.
   1051-1122, the Treasury Department issued regulations in 1972 requiring
   banks, savings and loan associations, credit unions, and brokers and dealers
   in securities to obtain the SSNs of all their customers. The Act requires
   these financial organizations to maintain records of certain large
   transactions to facilitate criminal, tax, and regulatory investigations with
   respect to currency and foreign transactions. The SSNs of individuals
   required for account records under the regulations will already have been
   obtained in almost all cases by these financial organizations under
   regulations of the Internal Revenue Service governing tax reporting. A
   notable impact has been the requirement to furnish one's SSN to open a
   checking account.
 * Use of the SSN is being promoted by the National Driver Register of the
   U.S. Department of Transportation. Although the Department of Transportation
   lacks authority to require it, use of the SSN is encouraged by the Register
   to facilitate matching the records of reports and inquiries it receives. This
   has led most State motor vehicle departments to collect SSNs from all
   drivers, and some to shift to the SSN for their driver license identification
   number.
 * The Social and Rehabilitation Service of the Department of Health,
   Education, and Welfare has for some time been promoting the use of the SSN by
   States for the identification of individual applicants and beneficiaries
   under all welfare and social services programs.
 * The Congress, in Section 137 of the Social Security Amendments of 1972,8 has
   required the Secretary of HEW to take affirmative measures to issue SSNs to
   the maximum extent practicable to aliens entitled to work in the United
   States and "to any individual who is an applicant for or recipient of
   benefits under any program financed in whole or in part from Federal funds
   including any child on whose behalf such benefits are claimed by another
   person." The quoted language of this requirement appears to call for the
   issuance of an SSN to virtually everyone in America who does not already have
   one, but the legislative history clearly indicates that such universal
   enumeration was not intended. The Senate Finance Committee had proposed a
   requirement of affirmative measures for the assignment of SSNs to all
   children at the time they first enter school, as well as to aliens and all
   applicants for and recipients of benefits under Federally supported programs.
   However, the bill was amended in conference. Instead of requiring the
   Secretary to take affirmative measures to enumerate children at their
   entrance into school, the Act makes such measures optional, but the Act
   retains the requirement that numbers be assigned to aliens, and to applicants
   and recipients of benefits. Although the legislation does not specify any
   uses to be made of SSNs issued pursuant to its mandate, the legislative
   history indicates that Congress intended them to be available for use in
   preventing aliens from working illegally and public assistance beneficiaries
   from receiving duplicate or excessive payments.

Review of the Federal actions described above (which do not by any means
constitute an exhaustive list) makes it clear that the Federal government itself
has been in the forefront of expanding the use of the SSN. All these actions
have actively promoted the tendency to depend more and more on the SSN as an
identifier of workers, taxpayers, automobile drivers, students, welfare
beneficiaries, civil servants, servicemen, veterans, pensioners, and so on.

If use of the SSN as an identifier continues to expand, the incentives to link
records and to broaden access to them are likely to increase. Until safeguards
such as we have recommended in Chapters IV, V and VI have been implemented, and
demonstrated to be effective, there can be no assurance that the consequences
for individuals of such linking and accessibility will be benign. At best,
individuals may be frustrated and annoyed by unwarranted exchanges of
information about them. At worst, they may be threatened with denial of status
and benefits without due process, since at the present time record linking and
access are, in the main, accomplished without any provision for the data subject
to protest, interfere, correct, comment, and, in most instances, even to know
what linking of which records is taking place for what purposes.

Although few people have flatly proposed that an SUI be mandated for all
Americans, there is a strong tendency for authorities in government and industry
to make decisions that, taken collectively, are likely to lead to the
establishment of an SUI. There is an increasing tendency for the Social Security
number to be used as if it were an SUI. Even organizations selecting a
single-system personal identifier are likely to choose the SSN "because it is
available," or for efficiency and convenience. There are pressures on the Social
Security Administration to do things that make the SSN more nearly an SUI, such
as issue more SSNs than the Social Security program requires, for purposes
wholly unrelated.

We believe that any action that would tend to make the SSN more nearly an SUI
should be taken only if, after careful deliberation, it appears justifiable and
any attendant risks can be avoided. We recommend against the adoption of any
nationwide, standard, personal identification format, with or without the SSN,
that would enhance the likelihood of arbitrary or uncontrolled linkage of
records about people, particularly between government or government-supported
automated personal data systems.9 What is needed is a halt to the drift toward
an SUI and prompt action to establish safeguards providing legal sanctions
against abuses of automated personal data systems. The recommendations in the
following chapter are directed toward that end.



1Federal Data Banks, Computers and the Bill of Rights, Hearings before the
Subcommittee on Constitutional Rights of the Committee on the Judiciary, United
States Senate, 92nd Congress, 1st Session, February and March 1971, Part 1, pp.
775-881.

2 A possible error detecting feature is a number (called a check-digit) that can
be derived in some way from the identification number and appended to it. For
example, a check-digit may be derived by multiplying the first digit of the
identification number by 1, the second by 2, the third by 3 (and so on), summing
the products of the multiplications, and extracting the digital root of their
sum. The identification number 1463, handled this way, produces a check-digit of
3 (1 X 1 = 1, 2 X 4 = 8, 3 X 6 = 18, 4 X 3 = 12; 1 + 8 + 18 + 12 = 39; 3 + 9 =
12; 1 + 2 = 3) which is written at the end of the number to produce 14633. A
computer and a human being can each readily verify the accuracy of the number.
Transpositions are detectable. "14363," for instance, would be caught as
illegitimate, because the correct check-digit for the number 1436 is not 3, but
6 (1 X 1 = 1, 2 X 4 = 8, 3 X 3 = 9, 4 X 6 = 24; 1 + 8 + 9 + 24 = 42; 4 + 2 = 6).
Most single-digit errors are also detectable, though errors of more than one
digit may coincidentally generate valid check-digits and hence not be detectable.
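The check-digit scheme footnote 2 describes, as an added Python illustration that is not code from the report; the function names are my own, and the last function goes beyond the footnote by enumerating which single-digit errors this particular scheme fails to catch.

```python
"""Weighted-sum / digital-root check digit, as described in footnote 2.

Added illustration, not code from the report. Function names are assumed.
"""


def digital_root(n: int) -> int:
    """Repeatedly sum the decimal digits until a single digit remains."""
    while n >= 10:
        n = sum(int(d) for d in str(n))
    return n


def check_digit(number: str) -> int:
    """Multiply the 1st digit by 1, the 2nd by 2, ..., sum, then take the digital root."""
    if not number.isdigit():
        raise ValueError("identification number must consist of decimal digits")
    weighted_sum = sum((i + 1) * int(d) for i, d in enumerate(number))
    return digital_root(weighted_sum)


def append_check_digit(number: str) -> str:
    """Write the check digit at the end of the number, e.g. 1463 -> 14633."""
    return number + str(check_digit(number))


def is_valid(full: str) -> bool:
    """Validate a number whose last position carries the check digit."""
    if len(full) < 2 or not full.isdigit():
        return False
    return check_digit(full[:-1]) == int(full[-1])


def undetected_single_digit_errors(number: str) -> list:
    """Return (position, wrong_digit) pairs for single-digit corruptions that
    still validate against the original check digit.

    Because the digital root of a positive integer equals its residue mod 9
    (with 0 shown as 9), a change at position w by delta slips through exactly
    when w * delta is a multiple of 9; positions 3, 6, 9, ... are the weak ones.
    """
    full = append_check_digit(number)
    misses = []
    for pos, orig in enumerate(number):
        for wrong in "0123456789":
            if wrong == orig:
                continue
            candidate = number[:pos] + wrong + number[pos + 1:] + full[-1]
            if is_valid(candidate):
                misses.append((pos + 1, int(wrong)))
    return misses


if __name__ == "__main__":
    print(append_check_digit("1463"))            # 14633
    print(is_valid("14633"), is_valid("14363"))  # True False (transposition caught)
    print(undetected_single_digit_errors("1463"))
```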

3 The National Academy of Sciences Computer Databanks Project reached a similar
conclusion on the basis of its independent, empirical assessment of the issues
involved. See Alan F. Westin and Michael A. Baker, Databanks in a Free Society
(New York: Quadrangle Books), 1972. pp. 396-400.

4 "Account number 078-05-1120 was the first of many numbers now referred to as
'pocketbook' numbers. It first appeared on a sample account number card
contained in wallets sold . . . nationwide in 1938. Many people who purchased
the wallets assumed the number to be their own personal account number. It was
reported thousands of times on employers' quarterly reports; 1943 was the high
year, with 5,755 wage earners listed as owning the famous number. More recently,
the IRS requirement that the Social Security AN [Account Number] be shown on all
tax returns resulted in 39 taxpayers showing 078-05-1120 as their number. The
number continues to be reported at least 10 times each quarter. There are now
over 20 different 'pocketbook' numbers . . . ." Account Number and Employer
Contact Manual (Baltimore, Md.: Social Security Administration), Sec. 121.

5Ibid., Sec. 554 ff.

6 T.D. 4704, 1 Fed. Reg. 1741 (Nov. 7, 1936); 26 C.F.R. Part 401 (1st ed.,
1939).

7P.L. 87-397 (Oct. 5, 1961); Internal Revenue Code of 1954, Sec. 6109.

8 P.L. 92-603, October 30, 1972; 42 U.S.C. 405.

9One notable attempt to establish a standard for the identification of
individual Americans for purposes of information exchange was that offered by a
committee of the American National Standards Institute (ANSI) in 1969. The
standard, as proposed, consisted in part of an individual's SSN; opposition to
that feature in particular led in 1972 to official withdrawal of the standard
from further consideration pending resolution of the issues that are covered by
this report.


VIII. RECOMMENDATIONS REGARDING USE OF THE SOCIAL SECURITY NUMBER

Until safeguards against abuse of automated personal data systems have become
effective, constraints should be imposed on the use of the SSN. After that, the
question of SSN use might properly be reopened.

We recommend that Federal policy with respect to use of the SSN be governed by
the following general principles.

First, uses of the SSN should be limited to those necessary for carrying out
requirements imposed by the Federal government.

Second, Federal agencies and departments should not require or promote use of
the SSN except to the extent that they have a specific legislative mandate from
the Congress to do so.

Third, the Congress should be sparing in mandating use of the SSN, and should do
so only after full and careful consideration preceded by well advertised
hearings that elicit substantial public participation. Such consideration should
weigh carefully the pros and cons of any proposed use, and should pay particular
attention to whether effective safeguards have been applied to the automated
personal data systems that would be affected by the proposed use of the SSN.

Fourth, when the SSN is used in instances that do not conform to the three
foregoing principles, no individual should be coerced into providing his SSN,
nor should his SSN be used without his consent.

Fifth, an individual should be fully and fairly informed of his rights and
responsibilities relative to uses of the SSN, including the right to disclose
his SSN whenever he deems it in his interest to do so.

In light of these principles, we make specific recommendations with respect to
the individual's right to refuse to disclose his SSN, issuance of SSNs,
constraints on use or dissemination of SSNs, and prohibition of
non-data-processing uses of the SSN. Ideally, Congress should review all present
Federal requirements for use of the SSN to determine whether the existing
requirements should be continued, repealed, or modified. In this chapter, we
recommend several modifications that would apply to all SSN requirements now in
force.


RIGHT OF AN INDIVIDUAL TO REFUSE TO DISCLOSE THE SOCIAL SECURITY NUMBER

As indicated in Chapter VII, increasing demands are being placed on individuals
to furnish an SSN in circumstances when use of the SSN is not required by the
Federal government for Federal program purposes. For example, the SSN is
demanded of individuals by State motor vehicle departments, by public utility
companies, landlords, credit grantors, schools, colleges, and innumerable other
organizations.

Existing Federal law and Social Security regulations are silent on such uses of
the SSN. They provide no clear basis for keeping State and local government
agencies and private organizations from demanding and using the number. As a
practical matter, disclosure of one's SSN has been made a condition for
obtaining many benefits and services, and legal challenges to this condition
under State law have been almost uniformly unsuccessful.

If the SSN is to be stopped from becoming a de facto SUI, the individual must
have the option not to disclose his number unless required to do so by the
Federal government for legitimate Federal program purposes, and there must be
legal authority for his refusal. Since existing law offers no such clear
authority, we recommend specific, preemptive, Federal legislation providing:

(1) That an individual has the right to refuse to disclose his SSN to any person
or organization that does not have specific authority provided by Federal
statute to request it;

(2) That an individual has the right to redress if his lawful refusal to
disclose his SSN results in the denial of a benefit, or the threat of denial of
a benefit; and that, should an individual under threat of loss of benefits
supply his SSN under protest to an unauthorized requestor, he shall not be
considered to have forfeited his right to redress.

(3) That any oral or written request made to an individual for his SSN must be
accompanied by a clear statement indicating whether or not compliance with the
request is required by Federal statute, and, if so, citing the specific legal
requirement.


ISSUANCE OF SOCIAL SECURITY NUMBERS

The report of the Social Security Number Task Force1 identified the need to
improve the integrity of the SSN for some uses now required by Federal law.
Steps have been initiated during the last two years to decrease the likelihood
that any individual will be assigned more than one SSN without the knowledge of
the Social Security Administration. They include: improved procedures for
verifying the identity of each applicant for an SSN; issuance of SSNs only from
the central office of the Social Security Administration rather than from its
1,000 field offices; implementation of a process that will provide
comprehensive, automated screening of applications for SSNs; and the
establishment by Section 208 of the Social Security Act2 of a penalty for
fraudulently furnishing false information regarding one's identity in order to
obtain an SSN. There is good reason to expect that the combined effect of all
these actions will be to improve significantly the integrity of the SSN.

Enumeration of School Children. The Social Security Number Task Force
recommended that the Social Security Administration "should embark on a positive
program of enumerating [issuing SSNs to] school children at the ninth-grade
level, with concurrent establishment of proof of age and identity." We have
given long and careful thought to this recommendation. Our first inclination was
flatly to oppose it as an action that would promote the use of the SSN as a de
facto SUI. After further deliberation, and exploration of relevant issues with
the Commissioner of Social Security, we decided to endorse the Task Force
recommendation with two important qualifications. Specifically, we recommend

(4) That the Social Security Administration undertake a positive program of
issuing SSNs to ninth-grade students in schools, provided (a) that no school
system be induced to cooperate in such a program contrary to its preference; and
(b) that any person shall have the right to refuse to be issued an SSN in
connection with such a program, and such right of refusal shall be available
both to the student and to his parents or guardians.

Children in the ninth grade have reached the age when they are likely to seek
part-time or summer employment and need an SSN for Social Security program and
Federal income tax purposes. Indeed, many young people obtain SSNs for such
purposes before they reach ninth grade. Under Section 137 of the Social Security
Amendments of 1972, many children who receive certain Federal cash benefits will
also be assigned SSNs before they reach ninth grade. Since a program of
ninth-grade enumeration is likely to be consistent with the needs and
convenience of most young people, it is not likely to seem coercive. Moreover,
our recommendation is designed to prevent any coercion.

Both the Task Force Report and the Commissioner of Social Security have
indicated that a program of ninth-grade enumeration would offer the Social
Security Administration an opportunity to inform students about the Social
Security program and their rights and responsibilities in relation to it. We
urge that any such student briefings include information about their rights and
responsibilities with respect to uses of the SSN. We also note the observations
made in the Task Force Report, and reiterated by the Commissioner of Social
Security, that ninth-grade enumeration is advantageous to the Social Security
Administration on a cost-benefit basis.

Finally, our inquiries and discussions with Social Security Administration
representatives convinced us that a positive program of ninth-grade enumeration
would contribute significantly to enhancing the integrity of the SSN. The
contribution to this end might appear somewhat greater if the program enumerated
children at the time of their first enrollment in school, as authorized by the
Congress in Section 137 of the Social Security Amendments of 1972. However, we
strongly recommend

(5) That there be no positive program of issuing SSNs to children below the
ninth-grade level, either at the initiative of the Social Security
Administration or in response to requests from schools or other institutions.

A positive program of issuing SSNs to all children at school entry has little to
recommend it. It would almost surely seem coercive, since the proportion of
children in kindergarten or first grade who need an SSN is small. These children
are too young for a significant educational contact with the Social Security
program. Most important, such a mass enumeration program would be a very
significant further step toward making the SSN a de facto standard universal
identifier, a step there are no compelling reasons to take.

Enumeration of Beneficiaries of Federally Funded Programs. As we noted in
Chapter VII (pp. 120-121), Section 137 of the Social Security Amendments of 1972
requires the Secretary of HEW to take affirmative measures to issue the SSN as
widely as practicable.

to any individual who is an applicant for or recipient of benefits under any
program financed in whole or in part from Federal funds including any child on
whose behalf such benefits are claimed by another person.

This provision, read literally, could well provide the authority for
establishing a standard universal identifier. Yet as we understand it, this
provision was included in the legislation in the narrow context of improving the
administration of public assistance programs. It is a technical provision in a
large and complicated piece of legislation (the printed Public Law runs to 165
pages) in which other very controversial issues occupied the attention of the
Congress and the public. This particular provision was not the subject of public
hearings.

The conditions under which Section 137 became law did not allow for adequate
consideration of an action that has the potential of driving America toward an
SUI. We therefore believe that the Secretary has an obligation to use the
authority granted in Section 137 only in the most limited way consistent with
the mandate, as a tool for improving the administration of public assistance
programs. The potential consequences are too dangerous to allow an SUI to be
established without wide and careful public consideration and full assessment of
the potential consequences.

Specifically, we recommend

(6) That the Secretary limit affirmative measures taken to issue SSNs pursuant
to Section 205(c)(2)(B)(i)(II) of the Social Security Act, as amended by
Section 137 of Public Law 92-603, to applicants for or recipients of public
assistance benefits supported from Federal funds under the Social Security Act.

We further recommend

(7) That the Secretary do his utmost to assure that any future legislation
dealing with the SSN be preceded by full and careful consideration and well
advertised hearings that elicit substantial public participation.

We would stress once again that the SSN in its present form is not a
satisfactory standard universal identifier. Even with the steps that have been
taken to improve the integrity of the SSN, the SSN cannot provide a guarantee of
identity unless it is coupled with some stable feature of physical
identification, such as fingerprints. In its present form, therefore, adoption
of the SSN as an SUI would not lead to all the advantages of improved program
administration that proponents of its widened use anticipate, e.g., to
"identify" welfare beneficiaries. If the Committee had to choose today between a
true SUI, complete with fingerprinted identification cards on the one hand, and
something less than ultimate efficiency in the administration of public
assistance programs on the other, we would rather risk the latter; we think the
American public would too. The steps being taken to strengthen the integrity of
the SSN can lead to significant improvement in the administration of public
assistance, while our recommendations will check the drift of the SSN toward
becoming a de facto SUI. Until effective safeguards against the abuse of
computer-based personal data systems have been established, and until there has
been full public debate of the desirability of an SUI, this is the point at
which the situation must be held in check.


CONSTRAINTS ON USE AND DISSEMINATION OF SOCIAL SECURITY NUMBERS

Recommendations (8)-(10) below are designed to limit uses of the SSN to those
necessary to carry out Federal government purposes for which there is a legal
requirement that the SSN be obtained and recorded, and to discourage all
practices that substantially increase the circulation of individual SSNs
together with the names of their holders.

Recommendation (8) is intended to constrain the behavior of organizations and
persons that are legally required to obtain and record the SSN for Federal
purposes, but which use the SSN in other ways that constitute virtual public
dissemination of SSNs along with names of the individuals to whom they belong.
Among the many uses of the SSN that this recommendation is designed to abate are
its use as an employee identification number, a patient identification number, a
student identification number, a customer identification number, a driver
identification number, and as the primary organizing element in the
record-keeping system of any non-Federal organization. Although such uses may be
convenient, they are not necessary. Under present circumstances, moreover, they
increase the circulation of SSNs, thereby inviting unconstrained linking of
record-keeping systems. Accordingly, we recommend

(8) That any organization or person required by Federal law to obtain or record
the SSN of any individual be prohibited from making any use or disclosure of the
SSN without the informed consent of the individual, except as may be necessary
to the Federal government purposes for which it was required to be obtained and
recorded. This prohibition should be established by a specific and preemptive act
of Congress.

This recommendation stems in part from observing that the Social Security
Administration treats the SSN with the same confidentiality as the data in its
records of Social Security accounts. Access to Social Security data is governed
by Section 1106 of the Social Security Act and Regulation No. 1 of the Social
Security Administration. The result is that the Social Security Administration
will disclose an individual's SSN only to those third persons and organizations
permitted by law to obtain SSA record data. The Social Security Administration
and the Internal Revenue Service each require organizations to obtain and use
the SSNs of individuals for various Federal program purposes. In principle these
agencies should require such organizations to treat the SSN with the same
confidentiality as the Social Security Administration does. Regrettably,
however, there appears to be no legal authority to support the imposition of
such a requirement. Recommendation (8) would establish such authority.

Recommendation (8), coupled with recommendations (1) and (3) (pp. 125-126,
above), would also diminish the risk of nuisance, frustration, and possible
serious disadvantage resulting from the use of an individual's SSN to
impersonate him. One use of the SSN that appears to be proliferating is as a
password, or authenticator of identity, when an individual's name alone is
thought insufficient; e.g., in credit-card purchasing and check-cashing. Such
use is not necessary, just convenient, and can be risky, since the widespread
circulation of SSNs makes them increasingly ascertainable by anyone wishing to
impersonate another.

An example from our own experience will illustrate the problem. We met on a
Saturday in a conference room in a government facility. Security procedures
required us to give names and SSNs from a telephone located outside the locked
main entrance to a guard who was out of sight inside the building. The guard had
earlier been furnished with a list of our names and SSNs. Given the wide
dissemination of SSNs, we were impressed by how easily someone could have
impersonated any one of us to gain admittance to the building.

One may treat this example lightly, but the principle is important. As long as
the SSN of an individual can be easily obtained (some organizations list the
SSNs of their employees or members in published rosters), both individuals and
the organizations that use it as a password are vulnerable to whatever harm may
result from impersonation.

Recommendations (9) and (10) are intended to constrain the provision of "SSN
services" by the Social Security Administration. The phrase, "SSN services," is
defined in the Social Security Number Task Force Report as including

enumeration, or issuing numbers to individuals who do not have them; validation,
or confirming that the number an organization has on file for an individual is
the same as the number that appears for him in SSA records; correction, or
supplying the proper number from SSA files when an individual has alleged an
incorrect number; and identification, or supplying a number from SSA's files to
match a particular name, a name to match a number, or vice-versa [sic].3

The Task Force report recommends that SSN services be provided by the Social
Security Administration (i) "to public and private organizations using the SSN
for health, welfare, or educational purposes" and (ii) to facilitate research
activities.

Although we recognize the spirit of cooperation that prompted the Task Force
position, we believe that the effect of the recommendations would unnecessarily
spread use of the SSN. Our recommendations limit SSN services even more narrowly
than the Task Force recommendations.

We recommend

(9) That the Social Security Administration provide "SSN services" to aid record
keeping only to organizations or persons that are required by Federal law to
obtain or record the SSN, and then only as necessary to fulfill the purposes for
which the SSN is required to be obtained or recorded; and

(10) That the Social Security Administration provide "SSN services" to aid
research activities only when it can assure that the provision of such services
will not result in the use of the SSN for record-keeping and reporting
activities beyond those permitted under recommendation (9), and then only
provided that rigid safeguards to protect the confidentiality of personal data,
including the SSN, are incorporated into the research design.

These recommendations distinguish between use of the SSN for record-keeping
purposes and its use for research activities. SSN services must not be provided
to aid an organization's record keeping, except to the extent necessary to
enable the organization to fulfill requirements associated with its Federally
imposed obligations to collect and record the number. Our recommendation (8)
would prohibit organizations from using the SSN beyond this limit, and the
Social Security Administration would be obliged to refrain from providing SSN
services in cooperation with a violation of the prohibition. As an interim
measure, the Social Security Administration should limit SSN services as though
recommendation (8) were in force. The limitation must apply to all cases,
including requests from organizations that provide health, education, and
welfare services.

The effect of our recommendations may be illustrated by a case discussed in the
Social Security Number Task Force Report.4 A State mental health service
requested SSN services from the Social Security Administration to enable it to
use the SSN as the patient identification number in a new computerized
record-keeping system. It evidently wanted to use the number for general
administrative record keeping; such a use is not legally required for any
Federal program purpose. The mental health service is obligated to use the SSN
to report the earnings and income taxes of its own employees; it might also need
to obtain and use the SSNs of some of its patients to comply with record-keeping
requirements of Federal benefit programs mandated by the Social Security Act,
e.g., Medicare. However, its Federally required SSN uses do not extend to using
the SSN for all patient record keeping, and the mental health service can
clearly create its own identification code to track patients.

If the SSN Task Force recommendations were to be followed in this case, the
Social Security Administration would provide SSN services to the mental health
service for all its patient record keeping (to simplify the service's reporting
of unduplicated patient counts to HEW's National Institute of Mental Health).
Under our recommendation, by contrast, the Social Security Administration would
not provide SSN services, and the SSN would, therefore, not be spread by various
uses of mental health service records and thus become available for still other
uses.

Recommendation (10) recognizes the interest in providing SSN services in support
of various kinds of evaluation and research activities. There is no reason why
this cannot be done without adding to the unnecessary spread of the SSN for
record-keeping and data processing activities or to SSN dissemination of the
sort we wish to curtail.

In the case discussed above, suppose that the State mental health service
proposes to conduct studies of the effectiveness of its services, and that
knowing the SSNs of its patients, and having SSN services, might help in some
way. Lacking any Federal requirement to use the SSN for evaluation research, the
mental health service could not compel disclosure of patients' SSNs for that
purpose. However, for all patients' SSNs voluntarily disclosed with informed
consent, our recommendation (10) would permit the Social Security Administration
to provide SSN services.


PROHIBITION OF NON-DATA-PROCESSING USES OF THE SOCIAL SECURITY NUMBER

The SSN is sometimes used for a purpose having nothing to do with
identification, record keeping, or data processing. While these uses do not
directly contribute to unfair information practices, they have other undesirable
effects. Consider these examples.

> "Lucky number" contests in which an SSN is drawn, and its holder is awarded
> some prize. This is objectionable because it may induce people to try to
> obtain extra SSNs to increase their chances of winning, and because it
> trivializes the SSN.

> Various items of merchandise, such as wallets, sold with a number-bearing
> facsimile Social Security card enclosed. This is how one such sample number
> noted in Chapter VII5 came to be used by more than five thousand people. There
> are undoubtedly other difficulties that have not yet come to light. We
> understand that such practices are abating as a result of years of intensive
> (and expensive) fieldwork by the Social Security Administration which,
> however, has no legal authority to prevent them.

> "Skip-tracing" efforts in which, to quote a Social Security Administration
> manual,
>
> > [d]ebt or tracing organizations occasionally use special correspondence
> > techniques to obtain information from an individual owing money. Some mail
> > out postcards showing a false [SSN] and asking "Is this your Social Security
> > number? If not, call the number listed below to correct this matter."
>
> This is blatantly deceptive and violates reputable business practice. It may
> also lead people to think that the Social Security Administration is somehow
> cooperating with skip-tracers.

Such spurious uses of Social Security cards and SSNs tend to interfere with
appropriate uses of the SSN and to confuse the public about its proper purposes.
They also complicate the work of the Social Security Administration.
Accordingly, we recommend

(11) That specific and preemptive Federal legislation be enacted prohibiting use
of an SSN, or any number represented as an SSN, for promotional or commercial
purposes.

1Social Security Number Task Force: Report to the Commissioner (Baltimore, Md.:
U.S. Social Security Administration), 1971.

2As provided by Section 130 of the Social Security Amendments of 1972, P.L.
92-603, October 30, 1972; 42 U.S.C. 408.

3Op. cit., pp. 26-27.

4Ibid., pp. 24-25.

5Note 4, p. 112, above.


IX. ACTION AGENDA FOR THE SECRETARY OF HEALTH, EDUCATION, AND WELFARE

The charter directs us to specify the steps that must be taken to put our
recommendations into effect. We have done so in this chapter. For each action
outlined below, the chapter and pages of the report where the corresponding
recommendation is discussed are indicated.


LEGISLATION

We have made a number of recommendations that require the submission of
legislative proposals to the Congress as follows.

 * To establish a code of fair information practice for all automated personal
   data systems maintained by agencies of the Federal government or by
   organizations within reach of the authority of the Federal government. The
   code should embody safeguard requirements for both administrative systems and
   systems used exclusively for statistical reporting and research, and should
   provide injunctive relief as well as civil and penal sanctions for violation
   of the code [Ch. IV, pp. 50, 53-64; Ch. V, pp. 86-87; Ch. VI, pp. 97-102].
 * To establish protection against compulsory disclosure through legal process
   for identifiable personal data used exclusively for statistical reporting and
   research [Ch. VI, pp. 102-106];
 * To amend the Freedom of Information Act to require that an agency obtain the
   consent of an individual before disclosing data about him in identifiable
   form [Ch. IV, pp. 64-66].
 * To protect individuals against unauthorized use of the Social Security number
   by providing that: (i) an individual shall have the right not to disclose his
   Social Security number unless specifically required to do so by Federal
   statute [Ch. VIII, pp. 125-126] ; (ii) any oral or written request made to an
   individual for his Social Security number shall be accompanied by a clear
   statement of the legal basis for the request [Ch. VIII, pp. 125-126];
   (iii) an individual shall have a right to redress if his lawful refusal to
   disclose his Social Security number results in the denial of a benefit, or
   the threat of such denial [Ch. VIII, pp. 125-126] ; (iv) any organization or
   person required by Federal law to obtain and record the Social Security
   number of an individual shall be prohibited from using or disclosing it
   without the individual's informed consent, except as may be necessary to the
   Federal purposes for which the number was obtained and recorded [Ch. VIII,
   pp. 130-132].
 * To prohibit any person or organization from using any Social Security number,
   or any number represented as a Social Security number, for promotional or
   commercial purposes [Ch. VIII, pp. 134-135].
 * To amend Section 609 (a) of the Fair Credit Reporting Act (i) to give an
   individual the right to inspect personally the records that any
   consumer-reporting agency maintains about him, and to copy their contents or
   have copies made [Ch. IV, pp. 66-70]; (ii) to delete the exceptions from
   disclosure to an individual now permitted for medical information and sources
   of information used in investigative consumer reports [Ch. IV, pp. 70-71].

Action by the Secretary to initiate these legislative proposals should be taken
in concert with the Attorney General, the Secretary of the Treasury, and the
Chairman of the Federal Trade Commission, as appropriate.


ADMINISTRATIVE ACTION

Many of our recommendations can be implemented by the issuance of regulations or
administrative guidelines.

Regulations should be issued:

 * To make applicable all the safeguard requirements for automated personal data
   systems to all systems within the Department [Ch. IV, pp. 50-64; Ch. V,
   pp. 85-87; Ch. VI, pp. 95-102].
 * To make applicable all the safeguard requirements for automated personal data
   systems to all systems that can be reached through grant, contract, or other
   relations with the Department [Ch. IV, p. 50; Ch. V, p. 86; Ch. VI, p. 96].
 * To amend the Department's regulation under the Freedom of Information Act to
   provide that the consent of an individual shall be obtained before disclosing
   any data about him in identifiable form [Ch. IV, pp. 65-66].

Administrative guidelines should be issued:

 * Establishing procedures for rigorous and thorough evaluation of (i) any
   proposal to create or expand any automated personal data system within the
   Department [Ch. IV, pp. 51-52]; (ii) any proposal to use administrative
   personal data for statistical reporting or research [Ch. V, pp. 82-86]; and
   (iii) any proposal that would tend to require the creation or expansion of an
   automated personal data system outside the Department in response to
   requirements or needs of programs and activities of the Department [Ch. IV,
   p. 52].
 * Requiring that a regulation, with notice of proposed rule making, be issued
   by the Department before taking any action that would tend to require a
   State, locality, or other grantee to create or expand an automated personal
   data system [Ch. IV, p. 52].
 * Providing for the publication annually of a compilation of the public notices
   of all automated personal data systems maintained within the Department [Ch.
   IV, pp. 57-58; Ch. VI, pp. 99-101].
 * Directing the Social Security Administration: (i) to undertake a positive
   program to issue Social Security numbers to ninth-grade students in schools,
   provided (a) that no school system be induced to cooperate in such a program
   contrary to its preference; and (b) that any person shall have the right to
   refuse to be issued a Social Security number in connection with such a
   program [Ch. VIII, pp. 127-128]; (ii) to undertake no positive program of
   issuing Social Security numbers to children below the ninth-grade level [Ch.
   VIII, p. 128]; (iii) to limit affirmative measures taken to issue Social
   Security numbers pursuant to subparagraph (B)(i)(II) of Section 205(c)(2) of
   the Social Security Act, as amended by Section 137 of Public Law 92-603, to
   applicants for or recipients of public assistance benefits supported from
   Federal funds under the Social Security Act [Ch. VIII, pp. 128-130]; (iv) to
   provide SSN services only to organizations or persons required by Federal law
   to obtain or record the Social Security number, and then only as necessary to
   fulfill the purposes for which the number is required to be obtained or
   recorded; and (v) to monitor all future legislative proposals dealing with
   the Social Security number and to recommend actions to be taken by the
   Secretary to assure that such proposals will be enacted only after full and
   careful consideration in well advertised hearings that elicit substantial
   public participation [Ch. VIII, pp. 129-130].


ADDITIONAL ACTION

In addition to the steps necessary to put our recommendations into effect, there
are some further steps the Department can take to assure that the goals of the
recommendations are fully achieved. These include:

 * Communicating opposition to any proposal for the adoption of any nationwide,
   standard, personal identification format, with or without the SSN, that would
   enhance the likelihood of arbitrary or uncontrolled linkage of records about
   people, particularly between government or government-supported automated
   personal data systems;
 * Making comments on proposed Federal legislation having implications for
   personal privacy in record keeping which will seek to assure incorporation in
   such legislation of safeguard requirements of the kind recommended in this
   report for all automated personal data systems;
 * Encouraging attention in all forms of educational activity to the individual
   citizen's stake in his personal privacy, to the practical exercise of his
   rights with respect to the records maintained about him, and to the social
   impact of computer-based record-keeping systems;
 * Supporting research on the use and impact of computer-based record-keeping
   systems in such areas as education, health services delivery, public
   assistance, juvenile delinquency prevention, and community mental health;
 * Encouraging the development of standards of ethical behavior and
   professional competence for data-processing personnel;
 * Enhancing the capacity of the Federal government to design and develop
   computer-based record-keeping systems without reliance on outside
   specialists;
 * Monitoring the application of the safeguard requirements to determine whether
   they are having their intended effect and, most important, whether they are
   themselves a source of any adverse social consequences;
 * Cooperating with the States in developing uniform State legislation to
   establish the recommended code of fair information practice for all automated
   personal data systems that would not be reached by Federal legislation. Among
   the organizations through which such cooperation might be undertaken are the
   National Conference of Commissioners on Uniform State Laws, the Advisory
   Commission on Intergovernmental Relations, the Council of State Governments,
   the National Governors Conference, the National Legislative Conference, and
   the National Conference of State Legislative Leaders;
 * Urging the Office of Management and Budget to direct all Federal agencies to
   require their grantees and contractors to operate automated personal data
   systems with all the safeguards we recommend for systems supported by the
   Department. In the interest of convenience and simplicity for grantees and
   contractors, the Office of Management and Budget might prescribe
   government-wide grant and contract conditions incorporating the safeguard
   requirements we recommend, just as it now prescribes conditions in such areas
   as intergovernmental planning and financial management. While such action may
   not be feasible until there has been some experience in applying the
   safeguard requirements, we would expect to see the Department take a lead
   role in promoting uniform, government-wide safeguard requirements for
   automated personal data systems of Federal grantees and contractors.


ORGANIZATIONAL RESPONSIBILITY

Responsibility for taking the actions necessary to implement our recommendations
will have to be assigned to many officials of the Department who are already
burdened with other duties. They will need guidance and assistance. The
Secretary will need to designate someone who can devote substantial time and
effort to assuring that these actions are taken in a timely and effective
fashion. Therefore, an official in the Office of the Secretary should be given
responsibility to serve as a combination advisor, monitor, and catalyst to
assure that the concerns addressed in this report receive continuing attention,
and specifically, to assure that automated personal data systems within the
Department, and within grantee and contractor agencies, are operated in
accordance with the safeguards we recommend. This official should have adequate
authority, staff, and support to conduct these activities effectively.

This official should be directed to embark on a positive program of heightening
concern within the Department for the issues raised in this report. This program
should reach to all who now do, or are apt in the future, to use, direct, or
contribute to the use or development of automated personal data systems, at all
Civil Service grade levels and in all operating agencies.


IMMEDIATE ACTION

We expect that the Secretary may wish to have the report reviewed by many key
officials of the Department, including the heads of each of the Department's
operating agencies. Following such a review, a detailed plan to carry out the
foregoing action agenda will have to be formulated.

Once such a plan has been adopted, responsibility will have to be assigned to
someone to oversee its execution. To start this process we recommend that the
Secretary:

 * Assign responsibility for distributing the report for review to the Executive
   Secretary of the Department; and
 * Assign responsibility for preparing a detailed plan to carry out the action
   agenda to an official in the Office of the Secretary.


APPENDICES


"COMPUTERS AND PRIVACY": THE REACTION IN OTHER COUNTRIES

Common Concerns

Most of the advanced industrial nations of Western Europe and North America
share concerns about the social impact of computer-based personal data systems.
Although there are minor differences in the focus and intensity of their
concerns, it is clear that there is nothing peculiarly American about the
feeling that the struggle of individual versus computer is a fixed feature of
modern life. The discussions that have taken place in most of the industrial
nations revolve around themes that are familiar to American students of the
problem: loss of individuality, loss of control over information, the
possibility of linking data banks to create dossiers, rigid decision making by
powerful, centralized bureaucracies. Even though there is little evidence that
any of these adverse social effects of computer-based record keeping have
occurred on a noticeable scale, they have been discussed seriously since the
late sixties, and the discussions have prompted official action by many
governments as well as by international organizations.

Concern about the effects of computer-based record keeping on personal privacy
appears to be related to some common characteristics of life in industrialized
societies. In the first place, industrial societies are urban societies. The
social milieu of the village that allowed for the exchange of personal
information through face-to-face relationships has been replaced by the
comparative impersonality of urban living. Industrial society also demands a
much more pervasive administration of governmental activities (the collection of
taxes, health insurance, social security, employment services, education), many
of which collect and use personal data in an impersonal way. Nor should we overlook
the increasing uniformity of industrial societies fostered by mass
communications media so efficient that few issues of genuine interest and
importance fail to achieve near-global extent.

Concern about the effects of computer-based record keeping appears to have deep
roots in the public opinion of each country, deeper roots than could exist if
the issues were manufactured and merchandised by a coterie of specialists, or
reflected only the views of a self-sustaining group of professional Cassandras.
The fragility of computer-based systems may account for some of the concern. It
is not necessary for public opinion to be unanimously opposed to the
computerization of personal-data record keeping, or even actively mistrustful of
it, to destroy the effectiveness of a record-keeping operation. The active
opposition of even a few percent of those whom a system means to serve can
cripple the powerful, but fragile, mechanism of a highly automated system.

Nor is it necessary for this opposition to be manifested in physical sabotage of
the computer itself (although that has happened); it is enough merely to
withhold cooperation. There are few computer systems designed to deal with the
disruption that deliberately lost or mutilated punched cards in a billing
system, to give a simple example, would cause. Thus, the very vulnerability of
automated personal data systems, systems without which no modern society could
function, may make careful attention to the human element transcend national
boundaries.

The Response in Individual Nations

WEST GERMANY

On October 7, 1970, the West German State of Hesse adopted the world's first
legislative act directed specifically toward regulating automated data
processing. This "Data Protection Act" applies to the official files of the
government of Hesse; wholly private files are specifically exempted from
control. The Act established a Data Protection Commissioner under the authority
of the State parliament whose duty it is to assure that the State's files are
obtained, transmitted, and stored in such a way that they cannot be altered,
examined, or destroyed by unauthorized persons. The Commissioner is also
explicitly responsible for observing the effects of automated data processing on
the operations of the State government, and on its decision-making powers. He
must take particular note of whether computerization leads to any displacement
in the distribution of powers among the governmental bodies of the State.

Thus, the Data Protection Act of Hesse seems designed more to protect the
integrity of State data and State government than to protect the interests of
the people of the State. As a pioneer statute in the field of computer law,
however, its exact practical effects could scarcely have been predicted, and in
no way diminish its usefulness as a guide for other jurisdictions that can learn
from the Hesse experience.

To judge from the second annual report of the Data Protection Commissioner, that
experience has been one of mild philosophical frustration, punctuated by
occasional practical victories.1 In one instance, the Commissioner learned of
the existence of a computer in a university clinic only through a newspaper
account of a fire; in another the Commissioner successfully blocked the release
of criminal records to a private research center.

Based on the experience of Hesse, the States of Rheinland-Pfalz and Hamburg have
passed similar acts, and the States of Baden-Württemberg, Schleswig-Holstein,
Bavaria, and Lower Saxony have adopted slightly more circumscribed laws or
regulations. At the Federal level, the Bundestag has considered a number of
proposals for national laws of wider scope than any of the present State laws,
but the estimated costs to data holders of complying with the proposed
requirements for mandatory disclosure of data have thus far raised enough
objections to cause the Bundestag to reconsider those requirements. It seems
likely, however, that some version of a relatively strong law will be passed
during 1973.

SWEDEN

When strong opposition to the 1969 census erupted in Sweden, public mistrust
centered not so much on the familiar features of the census itself as on the
fact that, for the first time, much of the data gathering would be done in a
form specifically designed to facilitate automated data processing. Impressed by
the possibility that opposition might be so severe as to invalidate the entire
census, the government added the task of studying the problems of computerized
record keeping to the work of an official commission already studying policies
with respect to the confidentiality of official records.

After a notably thorough survey of personal data holdings in both public and
private systems, the commission issued a report containing draft legislation for
a comprehensive statute for the regulation of computer-based personal data
systems in Sweden.2 The aim of the act is specifically the protection of
personal privacy. Its key provisions are these:

 * Establishment of an independent "Data Inspectorate," charged with the
   responsibility for executing and enforcing the provisions of the Data Law.
 * No automated data system containing personal data may be set up without a
   license from the Data Inspectorate.
 * Data subjects have the right to be informed about all uses made of the data
   about them, and no new use of the data may be made without the consent of the
   subject.
 * Data subjects have the right of access without charge to all data about them,
   and if the data are found to be incorrect, incomplete, or otherwise faulty,
   they must either be corrected to the subject's satisfaction, or a statement
   of rebuttal from the subject must be filed along with the data.
 * The Data Inspectorate will act as ombudsman in all matters regarding
   automated personal data systems.

The Data Law has been passed by the Swedish Parliament and will become effective
on July 1, 1973. A transition period of one year will be allowed to implement
all the provisions of the law.

FRANCE

Article 9 of the French Civil Code states plainly, "Everyone has the right to
have his private life respected."3 As legal scholars in all countries have
noted, however, it is very difficult to define the precise limits of privacy in
every case that comes before a court, and in spite of such explicit protection,
the privacy of the French, both inside and outside of automated personal data
systems, seems in practice no better defended than that of most other people.

Although concern about the issue of "computers and privacy" has frequently
surfaced in the French press4 and in data-processing periodicals,5 public
interest in the subject is not deeply engaged. One bill has been introduced in
Parliament, but was withdrawn pending completion of a study jointly sponsored by
the Department of Justice and the Délégué à l'Informatique. An earlier study by
the staff of the Conseil d'Etat seems to have influenced the proposed bill, but
the legal and administrative implications of many of the features of the
proposal appear never to have been carefully developed.6

One other development on the French scene deserves mention. The 1972 annual
report of the Supreme Court of Appeals went considerably out of its way, after
reviewing a case of literary invasion of privacy, to comment on the subject of
computers and privacy:

> … The progress of automation burdens society in each country with the menace
> of a computer which would centralize the information that each individual is
> obliged to furnish in the course of his life to the civil authorities, to his
> employer, his banker, his insurance company, to Internal Revenue, to Social
> Security, to the census, to university administrations, and, in addition, the
> data, correct or not, which is received about him by the various services of
> the police. When one thinks about the uses that might be made of that mass of
> data by the public powers, of the indiscretions of which that data might be
> the origin, and of the errors of which the subjects might be the victims, one
> becomes aware that there lies a very important problem, not only for the
> private life of everyone, but even for his very liberty.

> It appears to us that this eventuality, an extremely probable one, ought to be
> made the object of consideration of the public power, ... and that this
> consideration should take its place among the measures of precaution and of
> safeguard which should not lack for attention.7

To sum up, the situation in France is complex. The subject of computers and
privacy has been given serious attention by a relatively small group of experts,
but that group has an influence in government far out of proportion to its
numbers. The attitude of the present government is strongly colored by another
aspect of the privacy problem: It has been caught in a wiretap scandal, and its
defensiveness in that regard appears to be influencing its actions on the
computer front. The official report of the present working group is due before
the end of 1973, but it does not seem realistic to expect that there will be any
definitive action in France before, perhaps, mid-1974.

GREAT BRITAIN

Britain is unique among the countries reviewed in having recently completed a
thorough study of the entire subject of privacy.8 Although the committee in
charge of the study, the Younger Committee, was restricted in its terms of
reference to private, rather than public, organizations that might threaten
privacy, the committee's report is a model of clarity and concern. In brief, the
Committee found that both the customs of society and the Common law had evolved
defenses against the traditional intrusions of nosey neighbors, unwelcome
visitors, door-to-door salesmen, and the like. Against the new threats of
technological intrusion (wiretaps, surveillance cameras, and, of course,
computerized data banks) the Committee recognized that the traditional defenses
are inadequate. To help deal with the threat of the computer, the Committee
recommended specific safeguards to be applied to automated personal data
systems, although it left the method of application up to the government to
decide. The main features of the safeguards are:

 1.  Information should be regarded as held for a specific purpose and not to be
     used, without appropriate authorization, for other purposes.
 2.  Access to information should be confined to those authorized to have it for
     the purpose for which it was supplied.
 3.  The amount of information collected and held should be the minimum
     necessary for the achievement of the specified purpose.
 4.  In computerized systems handling information for statistical purposes,
     adequate provision should be made in their design and programs for
     separating identities from the rest of the data.
 5.  There should be arrangements whereby the subject could be told about the
     information held concerning him.
 6.  The level of security to be achieved by a system should be specified in
     advance by the user and should include precautions against the deliberate
     abuse or misuse of information.
 7.  A monitoring system should be provided to facilitate the detection of any
     violation of the security system.
 8.  In the design of information systems, periods should be specified beyond
     which the information should not be retained.
 9.  Data held should be accurate. There should be machinery for the correction
     of inaccuracy and the updating of information.
 10. Care should be taken in coding value judgments.9
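Three of the practices described on this page can be enforced in the design of a record-keeping system rather than left to policy alone: the Younger Committee's fourth safeguard (keeping identities apart from the data used for statistical work), its seventh (a monitoring system that detects violations), and the Chapter VIII example of a mental health service that issues its own patient identification code and uses the SSN only where Federal law requires it. The following Python sketch is an added example and is not part of the 1973 report or any of the systems it describes. It assumes, for illustration only, that the one Federally required SSN use is billing a Federal benefit program (`medicare_billing`); the patient names, diagnosis codes and SSN-like strings are constructed.

```python
"""Added example: a patient registry that enforces three safeguards from the text.
Not from the 1973 report; all names, codes and SSN-like strings are constructed.

 * the organization issues its own patient identifier instead of the SSN,
 * identity (name, SSN) is kept apart from the clinical data that statistical
   work runs on, linked only through a keyed pseudonym,
 * the SSN is released only for an enumerated purpose that requires it, and
   every request, granted or refused, is written to a monitoring log.
"""
import hashlib
import hmac
import secrets

# Assumption for the example: the only Federally required SSN use is billing a
# Federal benefit program (the report names Medicare). Anything else is refused.
PERMITTED_SSN_PURPOSES = frozenset({"medicare_billing"})


class PurposeNotPermitted(Exception):
    """Raised when the SSN is requested for a purpose outside the allow-list."""


class PatientRegistry:
    def __init__(self):
        self._identity = {}      # patient_id -> {"name", "ssn"}; access-controlled table
        self._clinical = {}      # pseudonym  -> list of visits; holds no names or SSNs
        self._pseudonym_key = secrets.token_bytes(32)  # never leaves the registry
        self._counter = 0
        self.audit_log = []      # (patient_id, purpose, requester, granted)

    def enroll(self, name, ssn=None):
        """Issue the organization's own identifier; disclosing an SSN is optional."""
        self._counter += 1
        patient_id = f"P{self._counter:06d}"
        self._identity[patient_id] = {"name": name, "ssn": ssn}
        return patient_id

    def _pseudonym(self, patient_id):
        # Keyed hash: rows in the statistical table cannot be re-linked to an
        # identity without the key, and the key is held only by the registry.
        mac = hmac.new(self._pseudonym_key, patient_id.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]

    def record_visit(self, patient_id, diagnosis_code, year):
        if patient_id not in self._identity:
            raise KeyError(f"unknown patient {patient_id}")
        visits = self._clinical.setdefault(self._pseudonym(patient_id), [])
        visits.append({"dx": diagnosis_code, "year": year})

    def statistical_view(self):
        """What a researcher or a reporting job receives: pseudonym plus clinical fields only."""
        return {pseud: [dict(v) for v in visits] for pseud, visits in self._clinical.items()}

    def unduplicated_patient_count(self):
        """Unduplicated patient count produced without exposing any identifier."""
        return len(self._clinical)

    def ssn_for(self, patient_id, purpose, requester):
        """Release the SSN only for a permitted purpose; log every attempt."""
        granted = purpose in PERMITTED_SSN_PURPOSES
        self.audit_log.append((patient_id, purpose, requester, granted))
        if not granted:
            raise PurposeNotPermitted(purpose)
        ssn = self._identity[patient_id]["ssn"]
        if ssn is None:
            raise LookupError("no SSN on file; the patient was not required to disclose one")
        return ssn

    def violations(self):
        """Monitoring hook (Younger safeguard 7): SSN requests that were refused."""
        return [entry for entry in self.audit_log if not entry[3]]


if __name__ == "__main__":
    reg = PatientRegistry()
    a = reg.enroll("Patient A", ssn="000-00-0001")   # constructed, not a real SSN
    b = reg.enroll("Patient B")                       # declined to disclose an SSN
    reg.record_visit(a, "dx-1", 1972)
    reg.record_visit(a, "dx-2", 1973)
    reg.record_visit(b, "dx-3", 1973)
    print(reg.unduplicated_patient_count(), reg.statistical_view())
    print(reg.ssn_for(a, "medicare_billing", "billing clerk"))
    try:
        reg.ssn_for(a, "patient_index", "records unit")
    except PurposeNotPermitted as exc:
        print("refused:", exc)
    print(reg.violations())
```

The pseudonym is a keyed HMAC over the registry's own identifier rather than a plain hash of the SSN: a nine-digit number space is small enough that an unkeyed hash can be reversed by enumeration, which would defeat the separation the fourth safeguard calls for. The audit log records refusals as well as grants, so the monitoring function has something to detect when a component tries to use the SSN as a general patient index.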

The Younger Committee also considered proposing specific legislation for
automated personal data systems, based upon draft bills that had been submitted
to Parliament before the Committee was formed. After concluding that the
proposed laws were too constraining to be justified by the level of threat as
the Committee saw it, the Committee reserved the option to recommend legislation
at a later date, and confined its present recommendation to urging that the
data-processing industry voluntarily adopt the safeguards as a code of good
practice. This has now been accomplished in the form of a professional code
adopted by the British Computer Society.10 Although only about one third of the
computer professionals in Britain belong to the Society, those who do belong
are, by and large, in a position to enforce the provisions of the code. Further
regulation appears to be in the early stages of Parliamentary debate, and it is
likely only a question of time until safeguards with the full effect of law will
be in force in Britain.

CANADA

In April 1971 the Departments of Communications and Justice jointly established
a Task Force on Privacy and Computers, growing out of earlier work in the
Department of Communications on issues concerning the use of computers in
communications. The Task Force was given broad terms of reference to consider
the rights and values of the individual that cluster about the notion of
privacy, and to examine present and foreseeable effects on those rights and
values of computerized information systems containing personal data about
identifiable individuals.

The Task Force began by carrying out a thorough survey of the status of personal
data files in Canada and of the attitudes of Canadians about those files and
their uses. It found that there was much more interchange of data among systems
than the public realizes, that there are more inaccuracies in the files than
generally realized, but that few individuals had actually experienced any
intrusion on their personal privacy through either use or misuse of computers.

In its report, published in late 1972,11 the Canadian Task Force concluded that
computer invasion of privacy is still far short of posing a social crisis.
However, the rapidly rising volume of computerized personal data and the equally
rapidly rising public expectation of a right to deeper and more secure privacy
threaten to converge at the crisis level. To forestall that crisis, the Task
Force recommends that a commissioner or ombudsman be established in a suitable
administrative setting, that carefully prepared test cases on cogent issues be
brought before the courts, and that the operation of government data systems be
made to serve as a national model.

REFERENCES

British Computer Society. Privacy and the Computer-Steps to Practicality.
London: British Computer Society, 1972.

Canada. Department of Communications/Department of Justice. Task Force on Privacy
and Computers. Privacy and Computers. Ottawa: Information Canada, 1972.

Ditchley Foundation. Private Rights and Freedom of the Individual. Ditchley
Paper No. 41. Ditchley Park, Enstone, Oxfordshire, England: The Ditchley
Foundation, 1972.

Federal Republic of Germany. Hesse State Parliament. Data Protection
Commissioner. First Activity Report. (Document 7/1495) 1972. Second Activity
Report. (Document 7/3137) 1973.

France. Conseil d'Etat. Rapport annuel 1969-1970. Troisième partie: Réformes
d'ordre législatif, réglementaire ou administratif. Deuxième étude: Les
conséquences du développement de l'informatique sur les libertés publiques et
privées et sur les décisions administratives.

Great Britain. Home Office. Report of the Committee on Privacy. Rt. Hon. Kenneth
Younger, Chairman. London: H. M. Stationery Office, 1972.

International Commission of Jurists. "The Protection of Privacy." International
Social Science Journal, 24:3 (1972).

Justice. (British Section of the International Commission of Jurists.) Privacy
and the Law. Mark Littman and Peter Carter-Ruck, Chairmen. London: Stevens &
Sons Limited, 1970.

Lenk, Klaus. Automated Information in Public Administration-Present Developments
and Impact. Document DAS/SPR/72.18. Paris: Organisation for Economic Cooperation
and Development, 1972.

Niblett, G. B. F. Digital Information and the Privacy Problem. OECD Informatics
Studies, No. 2. Paris: Organisation for Economic Cooperation and Development,
1971.

Pipe, Russell. Data Base Developments and International Dimensions. Document
DAS/SPR/72.20. Paris: Organisation for Economic Cooperation and Development,
1972.

Rowe, B. C., ed. Privacy, Computers and You. Manchester, England: The National
Computing Centre Limited, 1972.

Rule, James B. Private Lives and Public Surveillance. London: Allen Lane, 1973.

Samuelsen, Erik. Statlige databanker og personlighetsvern (Public Data-Banks
and the Defense of Privacy). Oslo: Universitetsforlaget, 1972.

Stromholm, Stig. Right of Privacy and Rights of The Personality: A Comparative
Survey. Working paper prepared for the Nordic Conference on Privacy organized
by the International Commission of Jurists, Stockholm, May 1967. Stockholm: P.
A. Norstedt & Söners Förlag, 1967.

Sweden. Justitiedepartementet. Data och integritet (Data and Privacy). Stockholm:
Allmänna Förlaget, 1972.

Thomas, Uwe. Computerized Data Banks in Public Administration. OECD Informatics
Studies, No. 1. Paris: Organisation for Economic Cooperation and Development,
1971.

United Nations. Economic and Social Council. Commission on Human Rights. Human
Rights and Scientific and Technological Developments. Report of the
Secretary-General. Addendum. 29 December 1970.

Warner, Malcolm, and Michael Stone. The Data Bank Society: Organizations,
Computers, and Social Freedom. Old Woking, Surrey, England: Unwin Brothers
Limited, 1970.

--------------------------------------------------------------------------------

1Federal Republic of Germany, State of Hesse, Hessischer Landtag, Vorlage des
Datenschutzbeauftragten (Report of the Data Protection Commissioner), Document
7/3137, 29 March 1973. Reviewed in Frankfurter Allgemeine Zeitung für
Deutschland, 18 April 1973; English version of review in The German Tribune, No.
578, 10 May 1973, p. 3.

2Sweden, Justice Department, Data och integritet (Data and Privacy), Document
SOU 1972:47 (Stockholm: Allmänna Förlaget), 1972.

3"The Protection of Privacy," International Social Science Journal, XXIV, No. 3,
1972, p. 448.

4Le Monde, November 29, 1972, pp. 20-21, for example.

5l'Informatique, April 1971 (entire issue).

6France, Conseil d'Etat, Rapport Annuel 1969-1970, 3ième Partie, 2ième étude,
Fascicule 3, "Les conséquences du développement de l'Informatique sur les
libertés publiques et privées et sur les décisions administratives," Paris,
1970.

7France, Cour de Cassation, Rapport de Cassation. Année Judiciaire 1971-1972
(Paris: La Documentation Française), 1972, p. 16.

8Great Britain, Home Office, Report of the Committee on Privacy, Rt. Hon.
Kenneth Younger, Chairman (London: H. M. Stationery Office), 1972.

9Ibid., pp. 163-184.

10The British Computer Society, Privacy and the Computer–Steps to Practicality
(London: The Society), 1972.

11Privacy and Computers. A report of a Task Force established jointly by
Department of Communications/Department of Justice (Ottawa: Information Canada),
1972.


CONFIDENTIALITY AND THE CENSUS, 1790-1929

ROBERT C. DAVIS*

The census of population envisaged by Article I, Sec. 2 of the Constitution
involved only a decennial enumeration of the inhabitants of each state,
distinguishing free from slave, and excluding untaxed Indians. Yet from the
beginning the census encompassed more than this minimal enumeration, and as the
scope of census inquiries expanded, the confidentiality of personal data
supplied for statistical purposes became an increasingly urgent issue. Gradually
administrative and legal safeguards were instituted to insure confidentiality
until, in 1919, it became a felony to misuse data supplied to the census by
individuals. A complete study of the evolution of government policy with respect
to the confidentiality of census data would necessarily involve a full-scale
history of the census itself. This brief overview can at best sketch the
development of that policy and indicate the major factors that appear to have
shaped it.

The history of census policy on confidentiality may be conveniently divided into
four broad periods. During the first six censuses (1790-1840), the
confidentiality issue arose with respect to economic data. From 1850 to 1870
administrative directives extended the principle of confidentiality to all
census data; with the Census of 1880 it became a misdemeanor to disclose
information collected in the census. Thereafter, the creation of a permanent
Bureau of the Census (in 1902) set in motion events that led to the Census Act
of March 3, 1919, which made the unauthorized disclosure of personal data
collected in the census a felony.1

Beyond Bare Enumeration, 1790-1840

James Madison played the major role in expounding the philosophy of the first
census and in establishing its procedures. Madison spoke for many of the leaders
of his time when he expressed his desire to gather this "most useful
information" for Congress. The census, he argued, should be "extended so as to
embrace some other objects besides the bare enumeration of the inhabitants; it
would enable them to adapt the public measures to the particular circumstances
of the community." Echoing The Federalist Papers, he wished to know accurately
the "several classes" of the nation so that Congress could "make proper
provision for the agricultural, commercial, and manufacturing interests . . . in
due proportion."2

Madison embodied his vision of the census as the vehicle for socioeconomic
research in a bill that divided the population into four categories: free white
males, free white females, free blacks, and slaves. The free whites were to be
differentiated by age (younger than 16, 16 or older), and Madison also wished to
classify the population, where appropriate, under thirty occupational and
industrial headings.3

The Senate deleted the proposal on occupations, much to Madison's disgust, but
the crucial point is that the first act pushed beyond the simple constitutional
provision, thereby establishing a precedent for the enormous expansion of the
census in the following century.4 Madison's argument for converting the census
into a vehicle for statistical inquiry became the standard rationale echoed in
future Congresses. In spite of occasional objections to the implied powers
interpretation of Article I, Sec. 2, a Federal court was not asked to rule on
the constitutionality of the expanded census until 1901. Its decision reaffirmed
the necessity and right of government to gather statistics to guide public
policy.5

Madison's statistical ideology may have looked toward the needs of an expanding
nation, but his administrative conceptions with regard to the census were bound
to his own time. The census bill of 1790 was based on the assumption that each
enumeration was to be an ad hoc operation, carried out at minimal cost, and
utilizing existing functionaries of government as far as possible. The bill
divided the labor between the Congress, which determined the content of the
census schedules, and the federal marshals, who appointed assistant marshals to
do the enumeration. The thoroughness of the enumeration was to be checked by the
marshals, the district courts, and the public before aggregate figures were
transmitted to the national capital for compilation and publication. This
system, with minor modifications, was used in the first six censuses.

Concern for accuracy is evident in the rules for enumerators. Bound by oath and
threatened with fines, the assistant marshal had to file copies of his census
schedules with the clerk of the district court who would make them available for
inspection by the grand jury. Furthermore, the enumerator was bound to

> cause a correct copy, signed by himself, of the schedule, containing the
> number of inhabitants, within his division, to be set up at two of the most
> public places within the same, there to remain for the inspection of all
> concerned . . . .6

Both these requirements involved disclosure, but apparently the confidentiality
issue was not raised. Given the few facts contained in the schedule, all of
which were common knowledge locally, it is probable that most citizens did not
perceive the public posting of census results as an invasion of privacy.

The practices established in the first census may have seemed sensible and
frugal, but built into the procedures were a number of problems. Because data
collection was decentralized, the Secretary of State had little control over the
quality of the aggregate figures submitted by the marshals. The public posting
of census schedules sacrificed confidentiality in the hope of attaining
accuracy, a dubious proposition in the long run. And, in the absence of a
permanent census bureau, expertise in the collation, analysis, and presentation
of census data could not accumulate at the federal level.

The Census of 1790, published by Thomas Jefferson in the autumn of 1791,
revealed a population of 3,929,214. At about the same time, Jefferson wrote to a
friend that, "Making a very small allowance for omissions, which we know to have
been very great, we are certainly above four millions, probably about four
million one hundred thousand."7 Assuming that his estimate of the undercount was
reasonable, one can only speculate about the causes of the difficulty.

Clearly the problems of communication and travel, especially in the frontier
areas, must have been a contributing factor. Then, too, the lack of detailed
instructions to the marshals must be considered. When asked to initiate the
field work phase of the first enumeration, Tobias Lear, Washington's private
secretary, apparently sent out copies of the census law, nothing more.8 The
suspicion that census data would be used in levying future taxes may also have
played a role in the reluctance of some citizens to cooperate.

To the statistics-minded generation of the Founding Fathers,9 the skimpy data of
the first census must have been disappointing. Jefferson's dissatisfaction is
evident in the memorial regarding plans for the Census of 1800, which he sent to
Congress as President of the American Philosophical Society. It called for "a
more detailed view of the inhabitants," and suggested the inclusion of refined
age groupings

> from whence may be calculated the ordinary duration of life in these States,
> the chances of life for each epoch thereof, and the ratio of the increase of
> their population; firmly believing that the result will be sensibly different
> from what is presented in the tables of other countries . . . .10

The memorial suggested the age intervals that might be used, and urged that data
be collected on nativity and occupation. The American Philosophical Society and
the Connecticut Academy of Arts and Sciences joined forces in the advocacy of
census reform, but the legislation for the approaching census showed scant
evidence of their influence.

The only significant change in the schedule for 1800 was the refinement of age
categories for the free white population, including females (for whom no age
data were collected in 1790). The census was placed formally under the authority
of the Secretary of State, but otherwise no major procedural alterations were
made. Fortunately, the incumbent Secretary of State, Timothy Pickering, was
concerned about the quality of the census and drafted a set of detailed
instructions to guide the marshals. He clarified the wording of the Census Act
by defining terms, and he restated the categories of the census in the form of
questions to be asked the head of each household. He also outlined procedures
for recording, copying, posting, and aggregating the returns. On the requirement
that the schedules be posted, Pickering wrote:

> These copies will distinguish . . . the several families, by the names of
> their master, mistress, steward, overseer, or other principal person therein.
> The design of the copies thus set up, appears to be that if any of the
> inhabitants discover errors in the enumerations, they may be made known to the
> assistant; and the naming of the heads of families will render the detection
> of errors practicable.11

Whether the instructions helped produce a better census is not clear, but it
seems likely that they did not. The compilation of the census was placed in the
hands of a State Department clerk, Jacob Wagner, and when the report appeared in
1801 its scanty data allowed little more than Jefferson's observation that "the
increase of numbers during the last ten years, proceeding in a geometrical
ratio, promises a duplication in a little more than twenty-two years."12

The third census of population merely repeated the procedures of 1800. John B.
Colvin, a clerk in the State Department, issued copies of the Pickering
instructions and compiled the aggregate statistics as they came in. However, the
desire for economic data, voiced earlier by Madison and Jefferson, found an able
advocate in the Secretary of the Treasury, Albert Gallatin. Called upon to
report on the state of American manufactures, Gallatin reported to Congress the
insufficient nature of such statistics and added, "Permit me to observe that the
approaching census might afford the opportunity to obtain detailed and correct
information on that subject . . . . "13 Congress immediately authorized the
collection of data on manufacturing establishments and their products. Gallatin
drafted instructions for the enumerators in terms of broad objectives, noting
that

> No particular form can be prescribed, and to the request that each assistant
> should give in his own way the best account which, as he proceeds to take the
> census, he may be able to collect, I can add but very general instructions.14

The first attempt to collect economic data ended in frustration, due to the
vagueness of the instructions, the carelessness of the enumerators, and the
resistance of respondents. Samuel Latham Mitchill, a prominent scientist in
Congress, and Tench Coxe, who had helped gather Hamilton's manufacturing data,
successively worked over the material. Coxe pointed out the "numerous and very
considerable imperfections and omissions" and Mitchill urged that "an exact
schedule of all the subjects of inquiry ought to be formed" before the next
census attempted to gather such statistics.15

In this first attempt to graft a complicated survey on a relatively simple
population schedule the weakness of the early census system was bared, and the
issue of confidentiality was raised for the first time. Clearly, information
about business was considered a private matter by some, and it was, therefore,
an issue that had to be dealt with when the fourth enumeration was planned.16

When Secretary of State John Quincy Adams confronted the problem of the Census
of 1820, he set about drafting new and careful instructions. Congress had
modified the census law to gather details of sex and age in the free black and
slave population, but stipulated different age categories than those for free
whites. As a corollary to gathering immigration data at ports of entry, the
number of foreigners not naturalized was to be ascertained, and Congress called
for another attempt at gathering economic statistics. The population (including
slaves) was to be classified as engaged in agriculture, commerce, or
manufacturing. A supplementary act called for an enumeration of manufacturing
establishments, giving details of products, their market value, and the raw
materials utilized; the kind of machinery; the amount of capital invested;
contingent expenses; wages and composition of the labor force. Altogether the
enumeration of manufacturing establishments comprised fourteen inquiries.17

Resistance to such detailed investigations was acknowledged by treating the
economic inquiry as voluntary and separate from the population schedule. Adams
wrote:

> as the act lays no positive injunction upon any individual to furnish
> information upon the situation of his property, or his private concerns, the
> answers to all inquiries of that character must be altogether voluntary . . .
> . It is to be expected that some individuals will feel reluctant to give all
> the information desired in relation to manufacture ....18

Recognition of the difficulty of obtaining "private" information of an economic
nature was a beginning step toward recognition of the principle of
confidentiality, but no such concept was applied to the population schedules.
They were still posted "for the detection of errors which may have happened in
the names of the heads of families and the numbers of persons to be returned . .
. . ."19

The economic data obtained by the voluntary procedure were disappointing, and
objections to the economic investigation probably influenced the decision of
Congress to omit such a schedule in 1830. The Census of 1830, however, did
produce a significant precedent in another sector. For the first time data were
collected on the blind and the deaf, a reflection of the humanitarian concern
for the handicapped which was rising in America. Hesitantly, the census moved
toward attention to social problems that were considered outside the legislative
scope of the Congress, but about which public policy was being shaped at the
State level.20

Insofar as centralization of records touches on the issue of confidentiality,
the legislation for the 1830 census provides still another landmark. Congress
provided for transmission to the Secretary of State of a copy of the schedules
as well as an aggregate summary. Furthermore, the schedules of the first four
censuses, preserved in the records of the district courts, were also to be sent
to Washington. It appears that the impetus for this legislation was the desire
to preserve the history of the nation, but it also indicated an urge for better
statistical work by the Federal government, for Congress made provision for the
returns of the earlier censuses to be organized and published with the results
of the fifth enumeration. That products of this effort were "absolutely
valueless," as a later census director put it, should not distract attention
from the spirit of the legislation.21

A methodological advance was also recorded in the 1830 Census. Uniform printed
forms were used for the first time in the enumeration, although this innovation,
unfortunately, was not coupled with improvements in other fieldwork procedures.
Poor fieldwork and clerical ineptitude were accompanied by the reluctance of the
citizenry to answer the census inquiries. Even though economic questions were
omitted, some citizens believed "that the enumeration is made with a view to the
assessment of taxes, enrollment in the militia, or the collection of militia
fines . . . ."22

The appetite of Congress for more and better statistics grew during the decade
between the fifth and sixth censuses. A Congressional resolution calling for
data on population growth and militia strength led the Department of State into
an early demographic analysis to which was added a study of taxation. The debate
on the tariff drew the Treasury Department into a survey of manufacturers that
was more elaborate than any prior census effort. Interest also flared briefly in
a suggestion that an official statistician be appointed to make regular
compilations of statistical materials useful to government, but in the end
Congress fell back on the old pattern of depending on the census to carry the
full burden.23

President Martin Van Buren, responding in part to the widespread surge of
statistical interest during his administration, became an advocate of a
substantially enlarged Census of 1840; and Congress agreed. It acted not only to
classify individuals by their economic pursuits, but to obtain

> all such information in relation to mines, agriculture, commerce,
> manufactures, and schools, as will exhibit a full view of the pursuits,
> industry, education and resources of the country . . . .24

Drafting the schedules was left to the Secretary of State. Accordingly, a
detailed economic schedule was drawn up that probed into capital investments,
forms of ownership, and output of products. The question of confidentiality was
raised by these new inquiries and the instructions to the enumerators took
account of it:

> Objections, it has been suggested, may possibly arise on the part of some
> persons to give the statistical information required by the act, upon the
> ground of disinclination to expose their private affairs. Such, however, is
> not the intent nor can be the effect, of answering ingenuously the
> interrogatories. On statistical tables no name is inserted; the figures stand
> opposite no man's name; and therefore the objection can not apply. It is,
> moreover, inculcated upon the assistant that he consider all communications
> made to him in the performance of this duty, relative to the business of the
> people, as strictly confidential.25

Although the economic questions were thought to merit protection, the population
schedule was not. The act for the Census of 1840 retained the requirement that
the results of the population count be posted in order to ascertain errors.26

The detailed economic inquiries were not received with equanimity by the
populace, especially in rural regions. Several counties in Virginia, Georgia,
Alabama, and Louisiana refused to answer them as there was no penalty attached
to noncompliance. Andrew Jackson was convinced that "the foolish questions" lost
the Democrats Tennessee in the presidential election. The question in many
minds, not confined to one region by any means, was voiced by a leading southern
journal: "Is this federal prying into the domestic economy of the people a
precursor to direct taxes?"27

The defective statistics supplied by careless enumerators and evasive citizens
could not be adequately detected, much less fully corrected, by the census
system. William A. Weaver, who supervised the State Department clerks checking
the census returns, stated that upwards of 20,000 errors were discovered in the
returns from Massachusetts alone. The discovery of further errors in the printed
reports led to a national discussion of census shortcomings.28 Among the many
voices raised, the most significant was that of the American Statistical
Association. Founded in 1839, the new organization was an active critic of the
official statistics on Negro insanity, data already being cited in the national
controversy over slavery. As the result of its futile struggle to get
corrections made in the Census of 1840, the Association became committed to the
fight for a better census in 1850.29

The American Statistical Association was not the only source of statistical
enthusiasm. In varying degrees, reform groups, business associations, medical
societies and agricultural organizations expressed the need for statistics
related to their specific interests. At the State and local level, statistical
activities ranged from sanitary surveys to registration of vital statistics to
statewide censuses of agriculture and manufacturing. A small cadre of
statisticians began to grow out of this experience, but there was no central
statistical bureau created in Washington to attract them to the Federal service.
Unlike the situation in most European countries, statistics in the United States
remained decentralized and uncoordinated.30

Census Development, 1840-1880

Among all the interest groups concerning themselves with statistics there was
general agreement that the Census of 1840 had been, as John Gorham Palfrey
called it, "a mortifying failure,"31 and there was widespread agreement in
Congress that the approaching Census of 1850 should be conducted in a better
manner.

The statisticians of New York and Boston led the fight for census reform. In
1848 memorials from the New York Historical Society and the American Statistical
Association, drafted by Archibald Russell and Lemuel Shattuck respectively,
launched the effort. The burden of their advice was to start planning early and
to utilize statistical experts. After much maneuvering in Congress, a bill was
passed creating a Census Board to plan the schedules for the seventh
enumeration. The Secretary of State, the Attorney General, and the Postmaster
General constituted the Board. Rather than appoint a statistician to commence
the work, they chose instead Joseph C. G. Kennedy of Pennsylvania, whose
political credentials as a fervent Whig were impeccable. Kennedy, a lawyer and
journalist, soon needed expert advice, so Russell and Shattuck were called to
Washington to be his statistical consultants. In spite of a complicated wrangle
involving Kennedy, the Board, and the Senate census committee, a census bill
emerged in May 1850. It was primarily the product of the advice of Russell and
Shattuck, but Kennedy won a victory too. He was appointed to superintend the
seventh census.32

The new census schedules opened avenues of inquiry that thrust the issue of
confidentiality to the fore. The schedule for the free population would list
every inhabitant by name, giving, in addition, sex, age, color, nativity, place
of birth, marital status, literacy, real estate ownership, and information as to
whether the individual was deaf, dumb, blind, insane, idiotic, or a pauper or
convict. The slave schedule was less inclusive, but more detailed than ever
before. A mortality schedule listed by name all who had died in the preceding
year, with personal and medical details included. The agricultural schedule
covered a wide range of data on the operations of each farmer and planter; the
manufacturing schedule asked for economic details on every establishment
producing over $500 annually; and the schedule on social statistics asked the
enumerator to gather data on various local institutions.33

Given the increased scope of the inquiry, the issue of confidentiality had to be
faced. For the first time, the census bill did not require public posting of the
population schedules, but it also made no provision for penalties for misuse of
personal data. Kennedy's instructions on the point, however, were very clear.

> Information has been received at this office that in some cases unnecessary
> exposure has been made by the assistant marshals with reference to the business
> and pursuits, and other facts relating to individuals, merely to gratify
> curiosity, or the facts applied to the private use or pecuniary advantage of the
> assistant, to the injury of others. Such a use of the returns was neither
> contemplated by the act itself nor justified by the intentions and designs of
> those who enacted the law. No individual employed under sanction of the
> Government to obtain these facts has a right to promulgate or expose them
> without authority.34

The precise nature of the abuse of confidentiality referred to does not survive
in the existing records. Although Kennedy's correspondence contains many
requests for information, replies were limited to aggregate data. There is only
one recorded case that might be counted as a partial exception to the rule of
absolute confidentiality. A man seeking his lost brother was informed that a man
of a similar name was living in Texas.35 In another reply to a request for
access to census schedules Kennedy wrote, "I have no objection to your taking
from the office such returns as may be necessary to the purpose you name . . .
."36 However, it is not possible to ascertain the nature of "the purpose" or the
specific returns referred to.

When the census duties were taken over by James D. B. De Bow in 1853, the same
rules of confidentiality were applied. The chief clerk of the census, in denying
a request for names and personal details from the 1850 enumeration, observed
that "the question is, whether it is well, in order to oblige or benefit an
individual, to risk any increase of obstacles under which the Government labors
in procuring such information . . . ."37 De Bow felt, however, that the
resistance encountered in 1840 to the economic questions had diminished. "Such
objections were rarely raised in 1850," he wrote, "and in but two or three cases
was it necessary to call in the services of the district attorney to enforce the
requisitions of the law."38

The census act of 1850 governed the Census of 1860 and Kennedy once again was
appointed superintendent. The eighth enumeration had all the strengths and
weaknesses of the seventh, as the schedules and procedures were fixed by law.
The Civil War also put unique demands on the census: the President needed data
on the probable cost of compensated emancipation; the War Department wanted
quotas of draftees calculated; General Sherman needed maps showing food and
forage for his March to the Sea.39

It is possible that confidentiality was breached under the stress of war, but in
general the work of the Census Office proceeded very much as before. The volumes
on population and agriculture appeared in 1864, and the reports on manufacturing
and mortality were in hand by 1865. In that year, however, Kennedy was abruptly
removed from office, demonstrating once again the vulnerability of a temporary
census office to the shifting fortunes of politics.40

As the 1870 enumeration approached, it seemed evident to many statisticians that
the census law of 1850 needed to be replaced with more satisfactory legislation.
In Congress, the reform movement was led by James A. Garfield. After much
consultation, Garfield drafted a new census act in which he sought to improve
the occupational and industrial classification, to create a board to supervise
the census, to shorten the census period, to improve methods of selecting census
personnel, and generally to expand the number of inquiries. One suggestion had
political implications. Garfield wanted to take the appointment of census
enumerators out of the hands of the Federal marshals. In suggesting replacing
the marshals' districts with Congressional districts as the basis for
appointment of enumerators, Garfield was, in effect, handing the Senate's
patronage to the House, a move that defeated the bill when it arrived in the
Senate.41

If Garfield failed to reform the census, he succeeded in nominating its new
superintendent, Francis Amasa Walker. Walker was confirmed, but he had to work
within the confines of the census act of 1850 which had been modified only
slightly to reflect the abolition of slavery and to eliminate some of the
ambiguities in the 1850 and 1860 enumerations.42 Nonetheless, in his
instructions to enumerators, Walker made clear his position on confidentiality:

> No graver offense can be committed by assistant marshals than to divulge
> information acquired in the discharge of their duty. All disclosures should be
> treated as strictly confidential, with the exception hereafter to be noted in
> the case of the mortality schedule. Information will be solicited of any
> breach of confidence on the part of the assistant marshals. The department is
> determined to protect the citizen in all his rights in the present census.43

The exception noted permitted the assistant marshals to submit mortality
schedules to "some physician who will be willing, out of public spirit and
professional interest, to glance over the entire list of diseases and correct a
defective classification" of the cause of death of individuals so listed.44

In spite of Walker's preparations, the Census of 1870 suffered from an
undercount of unprecedented proportions in the South. Given the limits imposed
by the act of 1850, very little could be done from Washington to prevent the
fiasco. The politics of Reconstruction dictated that marshals in the South,
often non-residents of their districts, had to appoint loyal Republicans. The
liberal use of census patronage to attract freedmen to the Party led to the
appointment of illiterates as enumerators. Even when the enumerators were
capable people, they had to contend with white hostility and black fear.
Sometimes the work was illegally subcontracted, and sometimes, as Henry Gannett
reported, census data were gathered at "court sessions, musters, public
meetings, etc." Walker initially estimated the undercount of Southern blacks to
be about 350 to 400 thousand but he later conceded that it probably ran as high
as 510,000.45

In spite of the serious flaws in the enumeration of the South, the Census of
1870 was a marked improvement over all previous censuses. The reports were more
detailed, better annotated, and the data were more clearly presented in tables
and graphs. Due attention was called to limitations of the data, and Walker
included a thorough historical and methodological discussion of census
procedures. In a sense, the 1870 report was a brief for census reform, and that
issue was joined soon again in Congress.

Census Reform, 1880-1900

Although James A. Garfield was active in promoting reform of the census,
Representative Samuel S. Cox and Senator Justin Morrill led the fight in the
Congress. Senator Morrill pointed out that the country had outgrown the census
as conceived in 1850.

> The statistical facts now required are not merely for the gratification of the
> curiosity of students, but are for daily, practical use in wide directions,
> and are to serve as the constant resource of legislators, both state and
> national.46

Representative Cox presented to the House not only an able history and critique
of census practices, but also a detailed exposition of the needed reforms.47

The 1880 census act embodied many of the reforms suggested in 1870 and added a
few new provisions. Federal marshals were replaced by district supervisors as
the chief local functionaries. Appointed by the President, with the advice and
consent of the Senate, the district supervisors were empowered to appoint
enumerators, with the consent of the Superintendent of the census. The
enumerators, moreover, were to be "selected solely with reference to their
fitness."48 The topics to be enumerated were named in the act, but the
Superintendent was given authority to set up the schedules and make reasonable
modifications within the broad range of areas to be covered. The Superintendent
was further empowered to hire "experts and special agents" to handle specific
areas requiring special knowledge.49

These reforms clearly broke with past census practices. On the issue of
confidentiality, the census-taker's oath was a decisive change as well. Each
enumerator now had to swear not to disclose "any information contained in the
schedules, lists or statements obtained by me to any person or persons, except
to my superior officers."50 It was further stipulated that

> an enumerator who shall disclose any statistics of property or business
> included in his return, shall be deemed guilty of a misdemeanor, and upon
> conviction shall forfeit a sum not exceeding five hundred dollars . . . .51

It is noteworthy that the penalty clause specifically mentions economic data,
again reflecting the sensitivity felt about collecting that type of information.
Notable also are the instructions to enumerators to check with attending
physicians the cause of death of individuals listed in the mortality schedule,52
and the provision in a supplementary piece of legislation for correcting census
returns by a method akin to the public posting procedure of earlier times. The
enumerator was instructed to file with the county clerk a list of "names, with
age, sex, and color, of all persons enumerated by him."53 He was further
instructed to advertise his availability for 15 days at the courthouse for the
purpose of making corrections in the enumeration of population, including taking
evidence under oath of needed changes, and to make known to the bystanders, if
any, the outcome "of such inquiry for correction and the whole number of persons
by him enumerated . . . ."54 This availability of the facts of age, sex, and
color in a semi-public setting, of course, ran counter to the growing emphasis
on safeguarding the confidentiality of personal data collected by the census.

Charles W. Seaton, who, like Walker, combined political and statistical
credentials, took over as Superintendent of the census in 1881. He guided the
census through budget crises, fended off politically motivated charges of
fraudulent counts in the South,55 and promoted the use of mechanical aids in
census work, particularly a simple tallying device that had been in limited use
since 1870.

The sheer volume of data collected in 1880, especially in the area of economic
statistics and special studies, was impressive. Twenty-two quarto volumes
totalling 19,305 pages (plus a compendium of 1,898 pages) appeared between 1883
and 1888. Clearly, the outer limits of data management were reached in the 1880
enumeration and any further extension of the census would require a new system
for data processing.56

Herman Hollerith, a young engineer who had worked as a special agent in the 1880
Census, became interested in the problem and, after some experimentation,
invented the punched card system for recording and tabulating the census
returns. Hollerith's solution was as ingenious as it was simple. Hand-tallying
of raw data was replaced by punching holes in cards whose columns corresponded
to census data classifications. The cards, representing individuals or other
units, were then counted electrically. Even in its earliest stage of
development, the Hollerith system speeded tabulations to such an extent that its
merits were demonstrable before the 1890 enumeration began.57

The advent of the new system had dual implications for the question of
confidentiality. On the one hand, it removed the actual census return one step
farther from the final statistical process. On the other hand, it made possible
the collection of even more information on individuals. On balance, however, it
is probable that the Hollerith system enhanced the anonymity, and thus the
confidentiality, of census data, although technologically it was the forerunner
of modern computer-based record keeping.

The census act of 1890 followed closely the precedents set in 1880. The
provisions for ensuring confidentiality were similar with respect to the
enumerator's oath and the penalties for unauthorized disclosure of personal
data. However, the provision for depositing lists of individuals with the county
courts was dropped. Instead, the Superintendent was authorized to disclose to
"any municipal government," upon request, a list of names of its inhabitants,
indicating "sex, age, birthplace, and color, or race." The enumerators were also
instructed to check with the attending physician for the cause of death of
persons reported in the mortality schedule.58

The census reform of 1880 did not include the establishment of a continuing
census bureau and the arrangements for 1890 were equally impermanent. When
Robert P. Porter was appointed Superintendent, in 1889, he had to seek out
former census employees, and rescue schedules and instructions from bureaucratic
oblivion. The lack of continuity, the haste in organizing for the enumeration,
and the problems of patronage all made Porter's position difficult. Porter's own
appointment was determined more by politics than by statistical experience. A
journalist-editor, he was a vigorous protectionist and served on the Tariff
Commission of 1882, and had worked on the 1880 Census; thus, his free-trade
enemies kept up a barrage of criticism until his resignation in 1893.59
Congressional critics complained of slowness in completing the tabulations, a
charge that had arisen after each previous enumeration, and threatened to close
the Census Office in 1893. However, a series of enactments extended its life and
placed it under the direction of Carroll D. Wright, an able statistician, who
was Commissioner of Labor. The status of the census as a bureaucratic orphan
brought home to many the need for a permanent Census Bureau.60

The Census Bureau, 1902-29

The need for a continuing statistical organization was well-stated by De Bow in
1854:

> Each census has taken care of itself. Every ten years some one at Washington
> will enter the hall of a department, appoint fifty or a hundred persons under
> him, who, perhaps, have never compiled a table before . . . . If any are
> qualified it is no merit of the system . . . . In Washington, as soon as an
> office acquires familiarity with statistics . . . it is disbanded, and even the
> best qualified employee is suffered to depart.61

In the following decades, other voices raised the same complaint, but Congress
did not really begin to act seriously in the matter until the census crisis of
the nineties. Then the approaching enumeration of 1900 made it necessary to
organize a census office before a permanent bureau could be created. Moreover,
the organization of the new office preserved an old duality in census
operations, the political and the statistical. The position of Director embodied
the former, while the Assistant Director was to be "a practical, experienced
statistician." Political influence in census jobs was not eliminated.62

The act of March 6, 1902 transformed the census unit into a permanent Office,
headed by a Director under whom were four chief statisticians. Provision was
made for fitting census personnel into the classified civil service. The
statistical duties of the office were specified and the work was spread out
across the intercensal period. This is not to say that the new office settled
into an uneventful period of tranquility. On the contrary, the census was to be
involved in years of struggles to define its role, fend off political influence,
build its professional staff, and increase the scope of its activities.63

Just before the Census Office was established, a decision of the Circuit Court
of the Southern District of New York gave belated sanction to the extensive work
of the census. The reasoning of District Judge Edward B. Thomas was clearly
Madisonian:

> The functions vested in the national government authorize the obtainment of
> the information . . .[in order to enact] laws adapted to the needs of the vast
> and varied interests of the people, after acquiring detailed knowledge thereof
> ....[The government has the right to] make the researches. . .[in order to
> meet] its ever-widening obligations. . .to the welfare of its citizens and to
> the world . . . .For the national government to know something, if not
> everything, beyond the fact that the population of each state reaches a
> certain limit, is apparent, when it is considered what is the dependence of
> this population upon the intelligent actions of the general government.

The court then cited the wide range of social and economic problems on which
Congress must legislate, and concluded that

> for these or similar purposes the government needs each item of information
> demanded by the census act, and such information, when obtained, requires the
> most careful study, to the end that the fulfillment of the governmental
> function may be wise.64

The case did not touch on the confidentiality of personal data; but
confidentiality was the subject of Congressional action in the decades that
followed. The act for the 1900 Census declared unauthorized disclosure of census
data to be a misdemeanor punishable by a fine of up to $500.65 A decade later
the punishment was increased: upon conviction a fine not to exceed $1,000, or
imprisonment of up to 2 years, or both, could be imposed at the discretion of
the court.66 The Act of March 3, 1919, providing for the fourteenth census,
declared such disclosure to be a felony and a fine not to exceed $1,000, or
imprisonment of up to 2 years, or both, was again authorized.67

When Congress enacted a comprehensive census law for the 1930 and subsequent
censuses, it retained the penalty provision of the 1919 statute. The permanent
act of June 18, 1929 also included a section that succinctly stated the
safeguards for confidentiality instituted in the Bureau of the Census. Section
11 provided

> That the information furnished under the provisions of this Act shall be used
> only for the statistical purposes for which it is supplied. No publication
> shall be made by the Census Office whereby the data furnished by any
> particular establishment or individual can be identified, nor shall the
> Director of the Census permit anyone other than the sworn employees of the
> Census Office to examine the individual reports.68

During the same period (1900-1929), regulations about access to census records
were established. Governors, municipal officers, and courts of record could
obtain information from the schedules under the provisions of the various census
acts. Private individuals, for "genealogical or other proper purposes," were
allowed certain specific information, provided the information could not be used
to the detriment of the person to whom it pertained. Free access to census data
was limited to the records of the first nine enumerations.69

SUMMARY

During the first century of census activity the expansion of statistical inquiry
raised the issue of confidentiality. The protection of personal data provided
for statistical purposes was instituted administratively, then by statute.
Before 1850, population schedules were posted publicly in an effort to detect
errors, but as early as 1820 assurances of confidentiality were given for
economic information. From 1850 to 1870, administrative rules extended
confidentiality to all census data, but it was not until 1880 that unauthorized
disclosure of information about individuals was declared to be a misdemeanor.
The penalties for violating confidentiality were gradually strengthened until,
in 1919, unauthorized disclosure was declared a felony.

Although it is not possible to weigh the importance of the protection of
confidentiality in precise terms, it clearly seems to have been one factor that
made it possible for the census to grow. Even given extensive support for the
Madisonian viewpoint on the value of social statistics, the corollary guarantee
of confidentiality has been needed.

As late as 1929, Herbert Hoover, in his proclamation announcing the Census of
1930, felt called upon to reassure the populace:

> The sole purpose of the Census is to secure general statistical information
> regarding the population and resources of the country, and replies are
> required from individuals only to permit the compilation of such general
> statistics. No person can be harmed in any way by furnishing the information
> required. The Census has nothing to do with taxation, with military or jury
> service, with the compulsion of school attendance, with the regulation of
> immigration, or with the enforcement of any national, state, or local law or
> ordinance. There need be no fear that any disclosure will be made regarding
> any individual person or his affairs. For the due protection of the rights and
> interests of the persons furnishing information every employee of the Census
> Bureau is prohibited under heavy penalty from disclosing any information which
> may thus come to his knowledge.70

--------------------------------------------------------------------------------

*This paper was prepared for the Secretary's Advisory Committee on Automated
Personal Data Systems. It is based in part on research supported by a grant from
the American Philosophical Society whose aid is gratefully acknowledged.
Professor Davis is with the Department of Sociology, Case Western Reserve
University.

1 On the growth of the census, see: Carroll D. Wright and William C. Hunt, The
History and Growth of the United States Census, Senate Document No. 194, 56th
Congress, 1st Session, 1900, Serial 3856, and W. Stull Holt, The Bureau of the
Census: Its History, Activities and Organization (Washington, D. C.: The
Brookings Institution), 1929. See also Hyman Alterman, Counting People: The
Census in History (New York: Harcourt, Brace & World), 1969, and Ann Herbert
Scott, Census, U.S.A.: Fact Finding for the American People, 1790-1970 (New
York: Seabury Press), 1968.

2 Annals of Congress, 1, p. 1077.

3 The schedule is reproduced in Dorothy Whitson, "1970, Year of the Nineteenth
Decennial Census," Daughters of the American Revolution Magazine, Vol. CIV
(1970), p. 245.

4 Wright and Hunt, op. cit., p. 87.

5 U.S. v. Moriarity, 106 Fed. 886 (C.C.S.D.N.Y. 1901).

6 Wright and Hunt, op. cit., pp. 926-927.

7 Andrew A. Lipscomb (Ed.), The Writings of Thomas Jefferson, Vol. VIII
(Washington, D. C.: The Thomas Jefferson Memorial Association), 1905, p. 236.

8 Tobias Lear, Circular to Marshals, March 5, 1790, in Papers of George
Washington, Microfilm Edition, Series 2.

9 Washington requested personal copies of the census returns, a move quite in
keeping with his interest in the statistical study of Scotland by Sir John
Sinclair. [Washington to Sinclair, March 15, 1793, in The Correspondence of the
Right Honorable Sir John Sinclair, Bart., Vol. II (London: H. Colburn and R.
Bentley), 1831, pp. 16-17. See also Franklin Knight (Ed.), Letters on
Agriculture from His Excellency George Washington . . . (Washington, D. C.:
Franklin Knight), 1847.] Alexander Hamilton's interest in sound statistical data
is shown in his research for his report on manufacturing. [Arthur H. Cole (Ed.),
Industrial and Commercial Correspondence of Alexander Hamilton Anticipating His
Report on Manufacturing (Chicago: A. W. Shaw Company), 1926.] Madison's own
feelings come through in his lament to Jefferson about the truncated census
bill: "It contained a schedule ascertaining the component classes of the
Society, a kind of information extremely requisite to the Legislator, and much
wanted for the science of Political Economy." [Letters and Other Writings of
James Madison, Vol. I (Philadelphia, Pa.: J. B. Lippincott & Co.), 1865, p.
507.]

10 Wright and Hunt, op. cit., p. 19.

11 Timothy Pickering, Circular to Marshals, April 30, 1800, in Pickering Papers,
Massachusetts Historical Society.

12 Lipscomb, op. cit., III, p. 330.

13 National Intelligencer, April 20, 1810.

14 National Intelligencer, July 2, 1810.

15 Samuel L. Mitchill, "Views of the Manufactures in the United States,"
American Medical and Philosophical Register, Vol. II (1811-1812), p. 408; and
Wright and Hunt, op. cit., p. 23.

16 On the problems of economic statistics, see Meyer H. Fishbein, "Early Business
Statistical Operations of the Federal Government," National Archives Accessions,
No. 54, June 1958, pp. 1-29, and "The Censuses of Manufactures, 1810-1890,"
National Archives Accessions, No. 57, June 1963, pp. 1-20.

17 Wright and Hunt, op. cit., pp. 26-27.

18 Ibid., p. 136.

19 Ibid.

20 Harry Best, Deafness and the Deaf in the United States (New York: The
Macmillan Company), 1943.

21 Wright and Hunt, op. cit., pp. 28-32. Francis A. Walker's evaluation is on
page 30.

22 Hazard's Pennsylvania Register, Vol. V (1830), p. 352.

23 "Statistical View of the Population of the United States from 1790 to 1830,
Inclusive," Senate Executive Document No. 505, 23d Congress, 2d Session, 1835,
Serial 252; "Documents Relating to the Manufactures in the United States," House
Document No. 308, 22d Congress, 1st Session, 1833, Serials 222 and 223; and
Frank Freidel, Francis Lieber: Nineteenth-Century Liberal (Baton Rouge:
Louisiana State University Press), 1947, pp. 172-174.

24 Wright and Hunt, op. cit., p. 36.

25 Ibid., p. 145.

26 Ibid., p. 929.

27 Andrew Jackson to Martin Van Buren, November 24, 1840, Papers of Martin Van
Buren, Microfilm Edition; and James D. B. De Bow, Statistical View of the United
States . . . Being a Compendium of the Seventh Census (Washington, D. C.: Beverley
Tucker), 1854, p. 12.

28 Proceedings of the New York Historical Society for the Year 1848 (New York:
The Society), 1848, p. 45.

29 Albert Deutsch, "The First U.S. Census of the Insane (1840) and Its Use as
Pro-Slavery Propaganda," Bulletin of the History of Medicine, Vol. XV (1944), pp.
469-482; Leon F. Litwack, North of Slavery: The Negro in the Free States,
1790-1860 (Chicago: University of Chicago Press), 1961, pp. 40-46; and William
Stanton, The Leopard's Spots: Scientific Attitudes Toward Race in America,
1815-59 (Chicago, Ill.: University of Chicago Press), 1960, pp. 58-66.

30 See Robert C. Davis, "The Beginnings of American Social Research," in George
H. Daniels (Ed.), Nineteenth-Century American Science: A Reappraisal (Evanston,
Ill.: Northwestern University Press), 1972, pp. 152-178; Paul J. FitzPatrick,
"Statistical Societies in the United States in the Nineteenth Century," American
Statistician, Vol. XI (December, 1957), pp. 13-21; John Koren (Ed.), The History
of Statistics (New York: The Macmillan Company), 1918; Franklin H. Top (Ed.),
The History of American Epidemiology (St. Louis: C. V. Mosby), 1952; and Luther
L. Bernard and Jesse Bernard, Origins of American Sociology: The Social Science
Movement in the United States (New York: Thomas Y. Crowell Company), 1943.

31 Congressional Globe, 30th Congress, 2d Session, Vol. 18, p. 638.

32 Davis, op. cit., pp. 163-166, and Wright and Hunt, op. cit., pp. 39-50.

33 Wright and Hunt, op. cit., pp. 150-153, 227-229, 234-236, 312-314, and
646-649.

34 Ibid., p. 150.

35 J. C. G. Kennedy to S. C. Miller, November 29, 1851, National Archives, Record
Group 29, Census, Item 11 (Letterbook).

36 J. C. G. Kennedy to William D. Cooke, September 26, 1851, loc. cit.

37 T. H. Baird to George C. Whiting, May 22, 1855, National Archives, Record
Group 48, Department of the Interior, Office of the Secretary, Patents and
Miscellaneous Division, File 183. See also Baird to Whiting, March 23, 1855,
loc. cit.

38 De Bow, op. cit., p. 12.

39 Typed copy of clipping, New York Tribune, undated, enclosed in Annie E. K.
Bidwell to Walter F. Willcox, June 30, 1917, in Walter F. Willcox Papers,
Library of Congress. See also General William T. Sherman, Memoirs, Vol. II (New
York: D. Appleton and Company), 1875, p. 31; David C. Mearns (Ed.), The Lincoln
Papers, Vol. II (Garden City, L. I.: Doubleday), 1948, pp. 587-589; and Roy P.
Basler (Ed.), The Collected Works of Abraham Lincoln, Vol. V (New Brunswick:
Rutgers University Press), 1953, pp. 160-161.

40 James Harlan to J. C. G. Kennedy, June 2, 1865; Kennedy to Harlan, June 3 and
8, 1865; Kennedy to Andrew Johnson, June 17 and 19, 1865, in Andrew Johnson
Papers, Microfilm Edition.

41 Mary L. Hinsdale (Ed.), Garfield-Hinsdale Letters (Ann Arbor: University of
Michigan Press), 1949, pp. 146-147; Congressional Globe, 41st Congress, 2d
Session, Vol. 42, Part 2, p. 1147; James P. Munroe, A Life of Francis Amasa
Walker (New York: Henry Holt and Company), 1923, p. 109; Theodore Clarke Smith,
The Life and Letters of James Abram Garfield, Vol. II (New Haven: Yale
University Press), 1925, pp. 794-795; Francis Amasa Walker, "American
Industry and the Census," Atlantic Monthly, Vol. XXIV (1869), pp. 689-701; and
"The Census Imbroglio," The Nation, February 24, 1870, p. 116.

42 Wright and Hunt, op. cit., pp. 54-56.

43 Ibid., p. 156.

44 Ibid., p. 161.

45 New York Times, March 8, 1891; Francis A. Walker, Discussions in Economics and
Statistics, Vol. II (New York: Henry Holt and Company), 1899, pp. 49-58; and
Henry Gannett, "The Alleged Census Frauds in the South," International Review,
Vol. X (1881), pp. 459-467. The total undercount is estimated at about 1,260,000
in U. S. Bureau of the Census, Historical Statistics of the United States,
Colonial Times to 1957 (Washington, D. C.: U. S. Government Printing Office),
1960, p. 12. For the problem of underenumeration, see Advisory Committee on
Problems of Census Enumeration, Carole W. Parsons (Ed.), America's Uncounted
People (Washington, D. C.: National Academy of Sciences-National Research
Council), 1972.

46 Congressional Record, 45th Congress, 3d Session, Vol. 8, Part 2, p. 1049.

47 Ibid., pp. 1534-1544, and David Lindsey, "Sunset" Cox: Irrepressible Democrat
(Detroit, Mich.: Wayne State University Press), 1959, p. 190.

48 Wright and Hunt, op. cit., pp. 155-166, 936-943.

49 Ibid., p. 65.

50 Ibid., p. 937.

51 Ibid., p. 938.

52 Ibid., p. 231.

53 Ibid., p. 942.

54 Ibid., pp. 942-943.

55 Gannett, op. cit.; Francis A. Walker, "The Eleventh Census of the United
States," Quarterly Journal of Economics, Vol. II (1887-1888), pp. 135-161.

56 Wright and Hunt, op. cit., pp. 58-69.

57 Leon E. Truesdell, The Development of Punch Card Tabulation in the Bureau of
the Census, 1890-1940 (Washington, D. C.: U.S. Government Printing Office),
1965, pp. 26-56.

58 Wright and Hunt, op. cit., pp. 233 and 948.

59 Holt, op. cit., pp. 27-31.

60 Wright and Hunt, op. cit., pp. 69-76.

61 De Bow, op. cit., p. 18.

62 Holt, op. cit., pp. 31-34.

63 Ibid., pp. 34-36 (for the period 1902-1930).

64 U.S. v. Moriarity, 106 Fed. 886, 891, 892 (C.C.S.D.N.Y. 1901). See 14 Am. Jur.
2d, Census, for an excellent summary of the legal status of the census by Henry
C. Land.

65 Act of March 3, 1899, ch. 419, sec. 21, 30 Stat. 1020.

66 Act of March 3, 1909, ch. 2, sec. 22, 36 Stat. 8.

67 Act of March 3, 1919, ch. 97, sec. 22, 40 Stat. 1299.

68 Act of June 18, 1929, ch. 28, sec. 11, 46 Stat. 25.

69 Holt, op. cit., pp. 85-86.

70 46 Stat. 3012. Proclamation by Herbert Hoover, November 22, 1929.


CORRECTIONETICS: A BLUEPRINT FOR 1984

DANIEL H. LUFKIN*

*Staff Consultant to the Committee

The American Justice Institute of Sacramento, California, working under a grant
from the National Institute of Mental Health, completed in 1972 a six-volume
report1 of a three-year study of "the utilization of advanced information system
technology as a means of improving the correctional decision-making process."
The aim of the study was to design a system to enable managers of correctional
institutions to make completely objective decisions about the treatment and
disposition of criminal offenders. The study was the work of the Institute's
Correctional Decisions Information Project (CDIP), whose epigraph is inscribed
on the second cover of Volume I of the report:

> "TODAY AN INFORMATION SYSTEM HOLDS FOR CORRECTIONS THE SAME BREAKTHROUGH
> POTENTIAL AS DID THE MICROSCOPE FOR BIOLOGICAL SCIENCES YESTERYEAR."

It must in no way demean the dedicated and intelligent effort of the CDIP staff
to point out that any project that aims to create an automated personal data
system to monitor and control the population of a prison efficiently
necessarily creates a system with all the earmarks of the worst surveillance
data bank any civil libertarian could imagine. CDIP has completed much of the
work needed to reduce 1984 to practice. Simple substitution of the words
"governmental" for "correctional"2 and "citizen" for "offender"3 in the
following excerpts from the CDIP report transforms serious and humane objectives
for prisoners into a nightmare for citizens.

> (C)orrectional administrators . . . must be able to . . . determine the ability
> of each operational program to assist various types of offenders toward
> correctional goal attainment. Such an ability is totally dependent upon
> information. Thus, information is power to withstand irrational, unjustified
> onslaughts. Information is power to confirm constructive policy decisions.
> Information is power to provide leadership for a rational approach to an
> improved correctional process. (Vol. 1, pp. 1-2)

> The Correctional Information System portrayed in these documents is for that
> breed of managers which strives for an increasingly effective, efficient, and
> responsive approach to rational, humane control and reintegration of offenders.
> (Vol. 1, p. 6)

> The recycling approach, or Correctionetic concept of successive approximations
> to desired goal attainment, is not limited to the management of corrections. It
> applies equally well to individual offenders as they strive to achieve their
> objectives on any of a number of dimensions of personal adjustments, e.g.,
> vocational, marital, leisure time/social, or academic. (Vol. 1, p. 7)

> This type of decision-making assistance is possible for correctional managers
> as they perform the following basic functions which constitute the management
> process:
>
> 1. Goal Definition
> 2. Planning
> 3. Operations Control
> 4. Achievement Assessment
> 5. Effectiveness Evaluation (Vol. 1, p. 8)

The last paragraph betrays the weakness of the transformation: if we assume that
the CDIP system could apply as well to a nation as to a prison, we are also
assuming that "management" and "government" are interchangeable. In fact,
however, the idea of the social contract, of authority derived from the consent
of the governed (rather than from the managed), is precisely what differentiates
a nation from a prison.

Valuable as a more thorough exploration of that differentiation might be, we
shall forego it here in order to concentrate on the practicalities of the CDIP
approach in the context of a special micro-society into which the problems of
citizens' rights and privacy do not immediately intrude. Nevertheless, the
conditions of prisoners and of free citizens are not diametrically opposed:
prison and 20th-century America are not the end points on any scale of social
values. Prisoners do have rights and privacy just as ordinary citizens have
restrictions and intrusions. Correctionetics includes data on an offender's
religion and sexual practices, but none on the contents of his letters or his
conversations with his lawyer. Correctionetics is thoroughly benevolent, and
efficient benevolence is precisely the characteristic that seems to lie at the
root of our suspicions of the computerized state.

At the heart of Correctionetics is the capability for what CDIP calls demand
reporting: the capability of producing from a generalized data base a report
whose content and structure fit the needs of one particular decision. In such a
system, the capability of generating routine reports with fixed content is
implicit. In the correctional context, for example, the manager may request a
report listing the total number and names of offenders in a particular
institution who have been convicted of a certain crime, who have served their
minimum sentence, are in a given range of age, and who have a particular
occupation or skill. Such a report would simplify matching offenders eligible
for release with known job possibilities outside. In the civil context, a demand
request might be for a list of the blond males in their late thirties who drive
blue Pontiacs with the last license digit of seven. The motive of the request is
not the offer of a job, but rather the search for a bank robber.

The capability of a data system to perform such a search clearly rests on two
features: a comprehensive file of personal characteristics, and the logical
ability to compare the file contents with the terms of the request. Both these
capabilities are easy to build into a computer system; in theory there is no
difficulty at all in setting up a system of considerable range and depth.
Experience tells us, though, that real life consistently falls short of
expectations. It is instructive to see how this universal principle operates on
Correctionetics and to extrapolate that knowledge to the real world.

Offender Data File

The underlying operating unit of Correctionetics is the offender data file
(ODF), a record of 369 different facts and opinions about the offender. When the
CDIP study first began, in July 1969, the ODF included only 200 data elements.
Let us note for later reference that the number of data elements found to be
needed nearly doubled in about two years of planning and experimental operation
of the system. The ODF begins with the name (and aliases) of the offender, three
identification numbers, his date and place of birth, his first year of State
residence, his ethnic origin, and his religious preference. This much
information, the offender identification block, requires 139 characters of file
space as a minimum for each offender. (The average offender was found to have
2.6 aliases at 33 characters per alias, and some had as many as 12.)

The ODF goes on to record the legal status, the offense history, the medical,
dental, psychological, psychiatric, academic, vocational, and adjustment
histories of the offender, details of his childhood, his family and its economic
status, his work history in the institution, and his prospects for release and
parole. The data are grouped into 17 blocks and occupy a minimum file space of
1134 characters, but the complete ODF would easily fit on a single page of
typescript, since most of the information is entered in coded form.

Coding data in order to conserve storage space and to make possible a logical
search for a known data entity is characteristic of computer data processing.
The extent to which the coding conventions match the underlying structure of
the data determines to a very great extent the ultimate power of the computer
program to handle any but the simplest sorting tasks. The coding manual for
building the ODF provides explicit codes for every coded data element. Since the
computer's perception of the real world takes place only through the medium of
the codes (outside of literal data such as names and the like), the structure of
the codes and selection of the code elements must be made with the greatest care
and foresight.

In the experience of practically every organization that has developed a sizable
computer data base, one of the greatest expenses in the operation comes in
converting the data from conventional manual to encoded machine-accessible form.
Conscientious, accurate coding demands well-trained, highly motivated clerks who
can keep an extensive body of coding rules in mind and apply them quickly to an
amorphous mass of real-world facts.

In the CDIP work, the coding manual is a 200-page volume explaining every
possible entry in the ODF. The scope and structure of the codes themselves have
apparently never been tested by processing a large number of actual correctional
records, although we shall later discuss a greatly restricted pilot program and
its results. The coding manual shows the extent to which standardized codes for
occupations, school subjects, diseases, and similar common data entities have
already been adopted among independent but parallel data-processing
organizations. Academic course codes are those of the California Department of
Education, and include not only introduction to data processing (MXA) and
computer techniques (MXB), but also a very full range of elementary and
secondary school subjects. The vocational training codes are those used in
Federal government job classifications. The Federal code is considerably edited
to provide a fuller breakdown of skills important to prison operation: laundry
workers (36x.xxx), farm workers (2xx.xxx), food workers (52x.xxx), mattress
inspectors (780.687), and the like. (There is no code provision for locksmith.)
Medical diagnosis and treatment is coded according to the American Medical
Association's Standard Nomenclature of Diseases and Operations. The codes for
voluntary and leisure time activities presumably reflect the choices available
to actual inmates of the California correctional system. They include all the
familiar sports plus some surprises, such as bicycle racing (103) and golf
(111). Special interest groups include aviation (706) and transactional analysis
(726). That an activity code for the classification of prisoners can hold
surprises is a good indication that a similar code for the public at large would
run to many times 200 pages.

Data for Decision Making

During the course of the CDIP study, two pilot programs were carried out to test
the preliminary design of the system and to demonstrate the operation of the
system before experienced correctional managers. The results of those programs
are interesting as an indicator of the potentials and pitfalls we could expect
to meet in a large-scale general system.

In testing some of the preliminary design concepts of the system, CDIP planners
identified the following factors in decision-making processes that use data in
the way they can be provided by a large-scale computerized system:

 * Decision makers say they need data concerning large numbers of variables.

 * Empirical studies indicate that the decision-making process actually
   involves a small number of variables, six or eight at the most.

 * The structure of the decision-making process itself and the order of
   presentation of the data both affect the outcome.

These and other more peripheral problems were tested in an experimental setting
with data records of actual prisoners presented to experienced correctional
officers in a simulation of computer operation. The officers decided on the
disposition of three hypothetical cases: granting a minimum-security custody
rating; granting a parole after a minimum sentence had been served; and revoking
a parole after a borderline violation. The type of data, its order of selection,
and its weight in the ultimate decision were all recorded.

The detailed analysis of the experiment appears in Appendix D of the CDIP
report; it is enough here to summarize the findings which would have broader
applicability to a similar task in a citizen data bank.

 * The decision makers did in fact use an average of only eight pieces of data.
   There were a number of data items which were never looked at, even though
   they had been specifically requested in the data bank.
 * For the decision on custody rating and granting parole, the record of the
   offense itself was the first thing considered. For revoking parole, the
   offense was second. In general, purely factual data on the offender's history
   were used more than subjective data derived from evaluation of the offender
   by the correctional staff.
 * Deeper statistical analysis of the decision-making process revealed none of
   the underlying regularities in the way decisions were made that many
   data-processing specialists assume to exist.

Data for Reports

In the second pilot test, the capabilities of a computer program package much
more restricted than the full, planned Correctionetics system were demonstrated
to meetings of senior correctional officers at their national conventions. A
special 74-item ODF was prepared from the conventional records of 5756 offenders
in a cross section of the institutions of the California Department of
Corrections. It is worth noting that the project found it necessary to
"embellish" (CDIP's word) the original data to make them conform to the
requirements of the demonstration.

In the first demonstration, at Palm Springs, a computer at Santa Monica was
loaded with the data base and the demonstration programs. The terminal at Palm
Springs was connected to the computer by telephone. The demonstration programs
were relatively simple sorting routines which showed how to generate a list of
offenders to be released in the next month, and then how to search the ODF for
a qualified inmate to take over a clerk's job vacated by a releasee. After the
prepared program application was demonstrated, the spectators were allowed to
make up their own queries for the data, although it is not clear from the
report what these queries were or how well that part of the demonstration
worked.

The second demonstration of the same program package was held in Cincinnati. It
is a keen comment on the computer specialist's faith in his charges that the
CDIP staff took the precaution of punching all the query input on paper tape
beforehand, so that a keyboard mistake (alas! all too common) would not upset the
demonstration. The staff also took the precaution of punching the computer's
output on paper tape beforehand and taking that tape with them to Cincinnati.
There, the output could be fed into the teletype printer under the control of a
foot-switch, thus simulating the action of a computer at the other end of the
line without exposing the demonstration to the dangers of real-life computer
operation. (It is also a tribute to the candor of the CDIP staff that they fully
describe this ploy in their report.) The demonstration ended with a period of
genuine computer operation over the link, during which the audience had an
opportunity to try the system. Typical queries from the experienced correctional
officers dealt with average time served by offenders in various classifications
of confinement; profiles of offenders involved in escape attempts; juvenile
commitment history of selected sets of adult offenders, and other similar
sorting and listing tasks.

Correctionetics as a Data Bank

What does this report about Correctionetics, an automated personal data system
designed for a prison society with few of the traditional concerns for privacy,
have to tell us about computers and privacy in our own wider society? Are we
looking at a worst-case microcosm, one from which we can no more extrapolate to
our present civil society than we can from an anthill? Even as an anthill can
teach us something about living beings in general, so can Correctionetics teach
us something about the intrinsic limitations computerized personal data systems
have, even in the absence of manifest safeguards for privacy.

Let us look at some of the features of Correctionetics and compare them with
roughly corresponding features of other personal data systems.

Scope. First, and of fundamental importance, Correctionetics stores no more data
on an individual prisoner than the manual system did. In point of fact, it
stores less. When the records of the sample population were being prepared for
the demonstrations, it was necessary to omit all but a tiny fraction of the
material in the prisoners' record jackets, many of which were half a foot thick.
The material omitted was that least suited to computer treatment; that is,
anecdotal and narrative records, interview reports by psychologists, extracts
from correspondence, and the like. It is this sort of intelligence record that
is fundamentally unsuited for computer treatment, and which would have the
greatest potential for harm to privacy if it were to enter the lightly protected
files of a computer data bank.

Costs. Second, Correctionetics seems to be so grossly uneconomical that there
would be little incentive to adopt it in a full-scale way. As every business
comptroller knows, it is almost impossible to price out a computer system before
it goes into operation, and difficult enough even to measure the running
operating costs. The CDIP report is reticent on costs, but we would estimate the
storage and processor requirement for an offender population of 50,000 to be
over 250,000,000 bytes (CDIP Table 5.4.2). Roughly corresponding commercial
credit experience suggests a cost of about $80,000 per month to which staff and
overhead costs would add about 50 percent to bring the total cost to about
$120,000 per month. It is hard to see that the advantages of automated prison
management on the scale suggested by CDIP would be defensible unless it could be
carried as a partial load on some larger general-purpose system.

Impact on Decision Making. Third, the impact of Correctionetics on the actual
process of prison management decision making does not seem to be all that
striking. It is obvious that the computer has no difficulty in finding, for
example, the average age of narcotics offenders in a particular institution, but
one suspects that the warden could guess the figure closely enough for practical
purposes with no aid at all. For particular tasks, such as matching parolees
with job openings, the services of a computer are well defensible, but more
economically carried out in a special-purpose system that only handles employment
data and need not process the excess baggage of the rest of the offender data
file merely to arrive at a job match. This illustrates a point that deserves
emphasis again and again in designing data-processing systems: a system should
be no larger than needed to do a particular task. Money spent to provide
capacity for the possibility of data processing in the abstract, or merely to
provide "management information" is like wagering at unknown odds. A management
information program run once or twice a month on a computer system that
otherwise earns its keep on accounting, payroll, and inventory yields impressive
decorations for the board room and likely does no harm. But neither does it do
enough good to deserve a dedicated computer system all to itself.

Safeguards for Correctionetics

Finally, we may look at Correctionetics as a test case for the application of
safeguards. What effects would there be if Correctionetics gave offenders more
control over information about themselves?

In the Correctionetics system there is no provision for feedback from the data
subjects. The prison management's goals are defined in terms of data
measurements made through the system, and the system is then used as the means
of bringing operations of the prison into conformity with those goals. If a data
error creeps in from any source, the system can produce a false measurement or a
false operation or both; without suitable feedback, the false measurement may
well reinforce the false operation instead of correcting it.

Let us look at an example as it might actually run through the Correctionetics
system. Through a coding error, a prisoner's file is changed to show that he is
an active homosexual. A status change report is automatically generated which
removes him from a television repair course (forbidden to sexual offenders) and
transfers him to a cell in a more secure block (because a profile of such
offenders shows them to be, on the average, more aggressive than others). These
two actions confirm the prisoner's suspicions about the prison administration
and he fulfills their expectations by actually becoming sullen and aggressive,
which behavior, in turn, generates another automatic transfer order to an
"adjustment center." In this scenario, and in a hundred others we could imagine,
an originally minor error in a record has snowballed into serious injustice.

Giving the prisoner a right to know what information his file contains would
have had the immediate effect of discovering the error, provided he realized
that some change in that information had taken place. In this case, the change
in training status would have been an obvious clue to him. A right to secure
correction of the data would have stopped its propagating in the program and
would have prevented or undone the subsequent actions the system made on the
basis of the error.

Thus, the possibility of feedback from the data subject to the data bank can act
as a powerful brake on the freedom of an authority to take arbitrary action. It
is obvious that this would have clear benefit for a person at the bottom of the
heap, but we wish to point out that it also protects the authority taking
action. If we make the assumption that administrative injustice will eventually
come to light and be dealt with through the law, it is very much to the benefit
of the warden, in our example, to insure that his decisions are based on the
best data he can command. Rules to ensure that errors in personal data banks are
discovered and corrected promptly will go far toward preventing abuse of even so
stern a system as Correctionetics.
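The demand reporting described earlier (a generalized file plus the logic to match it against the terms of a request) and the error-propagation scenario just given can be modeled together. The following is an added example written for this edition, not CDIP code: the file layout, the code tables, the two automatic rules, the names and the sample population are all constructed for illustration. What it adds to the prose is the mechanism the report asks for but does not specify: each automatic action is logged with the data element it depended on, so that a subject-initiated correction of that element can unwind every action taken on it rather than leaving the snowball in place.

```python
"""Toy model of a Correctionetics-style offender data file (ODF).

Added example, not CDIP code. Models coded data elements, demand reporting
over the whole file, automatic status-change actions driven by one coded
field, and the safeguard the report argues for: a log of which element each
automatic action depended on, so a correction can unwind all of them.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed code tables (illustrative, not the CDIP coding manual).
OFFENSE_CODES = {"R1": "robbery", "B1": "burglary", "N1": "narcotics", "S1": "sex offense"}
TRAINING_CODES = {"MXA": "intro to data processing", "TVR": "television repair", "": "none"}


@dataclass
class ODF:
    ident: str
    name: str
    age: int
    offense: str            # key of OFFENSE_CODES
    occupation: str         # constructed vocational code, e.g. "36x.xxx" laundry
    training: str           # key of TRAINING_CODES
    block: str              # custody block
    sex_offender_flag: bool = False


@dataclass
class Action:               # one automatic change and the element it relied on
    ident: str
    trigger_field: str
    field_changed: str
    old: object
    new: object


@dataclass
class System:
    files: Dict[str, ODF]
    log: List[Action] = field(default_factory=list)

    def demand_report(self, *predicates: Callable[[ODF], bool]) -> List[str]:
        """Demand reporting: idents of every file satisfying all predicates."""
        return sorted(f.ident for f in self.files.values()
                      if all(p(f) for p in predicates))

    def update(self, ident: str, field_name: str, value) -> None:
        """A clerk posts a coded value; status-change rules run at once."""
        setattr(self.files[ident], field_name, value)
        self._run_rules(ident)

    def _run_rules(self, ident: str) -> None:
        f = self.files[ident]
        if f.sex_offender_flag:
            if f.training == "TVR":       # Rule 1: course closed to sex offenders
                self._apply(ident, "sex_offender_flag", "training", "")
            # Rule 2: profile says more aggressive on average -> secure block
            self._apply(ident, "sex_offender_flag", "block", "C-secure")

    def _apply(self, ident, trigger_field, field_changed, new) -> None:
        f = self.files[ident]
        old = getattr(f, field_changed)
        if old != new:                    # log only real changes
            setattr(f, field_changed, new)
            self.log.append(Action(ident, trigger_field, field_changed, old, new))

    def subject_view(self, ident: str) -> dict:
        """Right to know: the subject sees exactly what the file holds."""
        return dict(vars(self.files[ident]))

    def correct(self, ident: str, field_name: str, value) -> int:
        """Right of correction: fix the element and unwind, newest first,
        every logged action that depended on it. Returns the count unwound."""
        f = self.files[ident]
        setattr(f, field_name, value)
        dependent = [a for a in self.log
                     if a.ident == ident and a.trigger_field == field_name]
        for a in reversed(dependent):
            setattr(f, a.field_changed, a.old)
            self.log.remove(a)
        return len(dependent)


def sample_system() -> System:
    """Constructed sample population; every value is invented."""
    pop = [
        ODF("00117", "DOE, JOHN", 38, "R1", "780.687", "TVR", "A"),
        ODF("00242", "ROE, RICHARD", 29, "B1", "36x.xxx", "MXA", "A"),
        ODF("00305", "POE, PAUL", 41, "N1", "52x.xxx", "", "B"),
        ODF("00418", "LOE, LARRY", 36, "R1", "36x.xxx", "", "A"),
    ]
    return System({f.ident: f for f in pop})


def demo():
    s = sample_system()
    # Demand report: robbery conviction, age 35-39, laundry skill (36x.xxx).
    hits = s.demand_report(lambda f: f.offense == "R1",
                           lambda f: 35 <= f.age <= 39,
                           lambda f: f.occupation.startswith("36"))
    s.update("00117", "sex_offender_flag", True)   # the coding error
    after_error = s.subject_view("00117")          # two actions have fired
    unwound = s.correct("00117", "sex_offender_flag", False)
    after_fix = s.subject_view("00117")
    return hits, after_error, after_fix, unwound


if __name__ == "__main__":
    print(demo())
```

The point of the `trigger_field` column in the log is that correction must be more than overwriting the bad code: without a record of what each downstream action was taken on, the transfer and the course removal would survive the fix, which is exactly the snowball the report describes.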

Computerized Decision Making

The deeper question of the actions that an automated system such as
Correctionetics can take on the basis of even perfect data also deserves careful
consideration. In our example from the actual program, a record as a sexual
offender was automatically treated as sufficient cause to disqualify an inmate
from training as a television repairman. This is a simple decision to program,
and one presumably based on an actual rule of the California Department of
Corrections. In pre-automation practice, the application of such a rule would
usually take place in a context such that knowledge of other factors in the
offender's record would come to the attention of the training officer. He might
give the rule only as much weight as he thought appropriate in the light of all
the factors in an individual case, and could certainly at least take initiative
to seek occasional exceptions from the rule.

It is precisely that sort of personal initiative which seems to be the most
strongly appreciated advantage of human over computerized administration.
Although we have all experienced occasions in which a bureaucrat acted like a
computer, we also recognize those occasions as the exceptions to our usual
experience with human decision making.

To be fair, it is possible in theory to program a computer to simulate human
decision making. In practice, though, it is obvious from the Correctionetics
experiment that we are far from attaining that end.

1 Correctional Decisions Information Project, Correctionetics: Modular Approach
to an Advanced Correctional Information System (Sacramento, Calif.: American
Justice Institute), 1972.

2 Not italicized in original text.

3 Not italicized in original text.


THE LAW RELATING TO HEW PERSONAL-DATA RECORD KEEPING

Introduction

The Federal law bearing on collection, storage, handling, dissemination, and
other use of information about individuals (hereinafter often referred to as
"personal information activities") is a large and varied assortment of statutes,
regulations, Executive orders, and other directives. Little of this law applies
generally to all agencies of the Federal government, and still less has general
application to personal information activities of organizations outside the
Federal government.

This paper discusses the law that governs the behavior of the Department of
Health, Education, and Welfare1 (hereinafter referred to as "the Department" or
"HEW") and its grantees and contractors in the conduct of personal information
activities.

Three statutes of general application throughout the Federal government are
discussed with special reference to their HEW effects: the Federal Reports Act,
44 U.S.C. 3501 et seq.; the so-called "Freedom of Information Act", 5 U.S.C.
552; and a criminal statute forbidding government officers and employees from
making unauthorized disclosures of information. 18 U.S.C. 1905. This paper
focuses on personal information and does not cover the law relating to trade
secrets or commercial information.

The statutory sources of authority relating to HEW's conduct of personal
information activities may be categorized as follows: (1) broad authority to
administer and manage HEW; (2) authority for HEW to carry out particular program
activities, including research, whether conducted by HEW or by others with
support from HEW; (3) authority for HEW information (or personal information)
activities; (4) authority (sometimes by Executive order rather than by statute)
which, though not directly conferring authority on HEW, gives rise indirectly to
obligations imposed on HEW, commonly along with other government departments,
to obtain, provide, and/or report personal information for its own purposes or
to other government departments or agencies (e.g., Civil Service Commission,
Internal Revenue Service), to the Congress, or to the public. Except in category
(3), these sources of authority generally make no explicit reference to
information (or personal information) activities, but it is a reasonable and
necessary interpretation of the authority to include such activities.

Sources of authority for HEW's personal information activities are legion,
resulting particularly from the necessity of interpreting such authority to
exist in all statutes concerning program activities and research covered by
category (2). This paper seeks to present a complete compilation of the sources
of authority for HEW's personal information activities in categories (1), (3),
and (4). With respect to category (2) it discusses only statutes that have
special significance in relation to personal information activities or contain a
provision relating specifically to personal information activity. It should be
noted that in order to perform statutory program duties, it is often necessary
to conduct personal information activities, particularly in programs that
provide direct services to individuals, for example, the repatriation assistance
programs of the Social and Rehabilitation Service, 24 U.S.C. 321-29, and section
1113 of the Social Security Act, 42 U.S.C. 1313. In addition, authorized
research activities, for example in the health fields, frequently require
extensive information about individuals. Examples of authority for the "conduct
and support" of research activities include the statutes authorizing the
research institutes of the National Institutes of Health. Public Health Service
Act sections 402 (Cancer, 42 U.S.C. 282), 412 (Heart Diseases, 42 U.S.C. 287a),
422 (Dental Diseases, 42 U.S.C. 288a), 431 (Arthritis, Rheumatism, and Metabolic
Diseases, Neurological Diseases and Stroke, and other particular diseases and
groups of diseases, 42 U.S.C. 289a), 441 (Child Health and Human Development, 42
U.S.C. 289d), 442 (General Medical Sciences, 42 U.S.C. 289e), 451 (Eye Diseases
and Visual Disorders, 42 U.S.C. 289i).

Because the statutes deal sparingly with personal information activities, one
must also turn to regulations that have been issued to implement statutes to get
a fuller understanding of the authority that governs such activities. We have
sought to identify and discuss the principal regulations that have operational
significance for the conduct of personal information activities, including all
that are Departmental in scope (i.e., apply to all operating agencies of the
Department) and those that apply throughout a particular operating agency. Of
regulations limited in application to a particular program or activity, we have
attempted to include only those that contain specific provisions about personal
information activities. Guidance as to HEW personal information activities
appears also in program materials issued at the operating level which are more
detailed than statutes or regulations but which may lack the force of law. The
discussion of such materials in this paper is limited to a few examples.

The law relating to personal information activities carried out in connection
with HEW personnel administration is treated separately, because the legal
requirements and operational considerations involved are distinctive.

Authority to Collect Information

GENERAL

The Department was created by Reorganization Plan No. 1 of 1953 which became
effective on April 11, 1953 (67 Stat. 18) and is recognized as an executive
department in 5 U.S.C. 101. The Plan provides that the Department shall be
administered under the supervision and direction of the Secretary. A general
grant of power enables the Secretary to act as he finds necessary in order to
carry out his responsibilities in the areas of health, welfare, social security,
and education. An opinion of the Attorney General, discussing general
Secretarial powers, emphasized that express statutory authority is not required
for every administrative act. 28 Op. Atty. Gen. 549 (January 5, 1911). The
Secretary's responsibilities are further defined in part in 5 U.S.C. 301 which
states:

> The head of an Executive department . . . may prescribe regulations for the
> government of his department, the conduct of its employees, the distribution
> and performance of its business, and the custody, use, and preservation of its
> records, papers, and property.

See also section 215(b) of the Public Health Service Act, 42 U.S.C. 216(b),
setting forth similar authority to promulgate regulations for administration of
the Public Health Service, including regulations relating to custody, use and
preservation of records.

In addition to the Secretary's general authority to manage the Department, there
are numerous specific statutory provisions authorizing collection of information
by HEW. The authority for the conduct of programs characteristically requires
that HEW make periodic reports on the conduct and status of those programs. In
addition, where HEW is authorized to contract with or grant money to States,
localities, and private institutions for the conduct of programs, the
legislation generally requires them to make periodic reports to the Department
or its agencies. See, e.g., Elementary and Secondary Education Act, section
142(a) (3), 20 U.S.C. 241f(a) (3), (periodic reports to the Commissioner of
Education evaluating effectiveness of Title I payments).

EDUCATION

Perhaps the broadest grant of authority for collection of information is the
Organic Act of 1867, 14 Stat. 434, which established a "Department of Education"

> . . . .for the purpose of collecting such statistics and facts as shall show
> the condition and progress of education in the several States and Territories,
> and of diffusing such information respecting the organization and management
> of schools and school systems, and methods of teaching, as shall aid the
> people of the United States in the establishment and maintenance of efficient
> school systems, and otherwise promote the cause of education throughout the
> country. See 20 U.S.C. 1.

Under more recent education laws the Commissioner of Education is charged
specifically with collecting and disseminating information. Section 422(a) of
the General Education Provisions Act provides:

> The Commissioner shall
> 
> (1) prepare and disseminate to State and local educational agencies and
> institutions information concerning applicable programs and cooperate with
> other Federal officials who administer programs affecting education in
> disseminating information concerning such programs;
> 
> (2) inform the public on federally supported education programs;
> 
> (3) collect data and information on applicable programs for the purpose of
> obtaining objective measurements of the effectiveness of such programs in
> achieving their purposes; and
> 
> (4) prepare and publish an annual report (to be referred to as "the
> Commissioner's annual report") on (A) the condition of education in the
> nation, (B) developments in the administration, utilization, and impact of
> applicable programs, (C) results of investigations and activities by the
> Office of Education, and (D) such facts and recommendations as will serve the
> purpose for which the Office of Education is established (as set forth in
> section 403 of this Act). 20 U.S.C. 1231a(a).

Other provisions relating to collection of information are found in section 417
of the General Education Provisions Act, 20 U.S.C. 1231f, and in section 501 of
the Education Professions Development Act, 20 U.S.C. 1091. The former gives the
Commissioner authority to furnish various information to, and to make special
statistical compilations and surveys for, State or local officials, private
organizations, or individuals. The latter provides for the development of
"information on the actual needs for educational personnel, both present and
long range."

Although it seems clear that the foregoing provisions regarding information
activities in the field of education do not contemplate the dissemination of
identifiable personal information, such information may need to be collected in
order to prepare the statistical compilations and analyses to be used or
disseminated.

HEALTH

In defining the general powers and duties of the Secretary in the health area,
section 301 of the Public Health Service Act states:

> The Secretary shall conduct in the Service, and encourage, cooperate with, and
> render assistance to other appropriate public authorities, scientific
> institutions, and scientists in the conduct of, and promote the coordination
> of, research, investigations, experiments, demonstrations, and studies
> relating to the causes, diagnosis, treatment, control, and prevention of
> physical and mental diseases and impairments of man, including water
> purification, sewage treatment, and pollution of lakes and streams. In
> carrying out the foregoing the Secretary is authorized to-

> > (a) Collect and make available through publications and other appropriate
> > means, information as to, and the practical application of, such research
> > and other activities; 42 U.S.C. 241.

Further authority to collect information in the health field is provided in
section 305 of the Public Health Service Act which authorizes the National
Health Surveys and Studies as follows:

> (a) The Secretary is authorized, (1) to make, by sampling or other appropriate
> means, surveys and special studies of the population of the United States to
> determine the extent of illness and disability and related information such
> as: (A) the number, age, sex, ability to work or engage in other activities,
> and occupation or activities of persons afflicted with chronic or other
> disease or injury or handicapping condition; (B) the type of disease or injury
> or handicapping condition of each person so afflicted; (C) the length of time
> that each such person has been prevented from carrying on his occupation or
> activities; (D) the amounts and types of services received for or because of
> such conditions; (E) the economic and other impacts of such conditions; (F)
> health care resources; (G) environmental and social health hazards; and (H)
> family formation, growth, and dissolution; and (2) in connection therewith, to
> develop and test new or improved methods for obtaining current data on illness
> and disability and related information . . . . 42 U.S.C. 242c.

It should be noted that a provision was added to this paragraph by P.L. 91-515 to
protect the privacy of persons supplying such information. (See discussion at p.
279, below.)

Section 317 of the Public Health Service Act, 42 U.S.C. 247b, authorizes support
of communicable disease control programs, and calls for reports to the Secretary
on communicable disease problems by grantees under the program.

Section 315 of the Public Health Service Act, 42 U.S.C. 247, authorizes the
issuance of information related to public health.

Section 313 of the Public Health Service Act, 42 U.S.C. 245, directs the
Secretary to " . . . . prepare and distribute suitable and necessary forms for
the collection and compilation of [mortality, morbidity, and vital statistics]
which shall be published as a part of the health reports published by the
Secretary." This section is authority for the operations of the National Center
for Health Statistics of the Health Services and Mental Health Administration.

In addition there are programs involving health services which involve the
collection of personal information (e.g., operation of Public Health Service
hospitals, Public Health Service Act § 321, 42 U.S.C. 248; narcotics addict care
and treatment, Public Health Service Act § 341, 42 U.S.C. 257).

The Secretary is authorized to "conduct examinations and investigations for the
purposes of . . . [the Federal Food, Drug, and Cosmetic] Act . . . . " 21 U.S.C.
372.

Under the Federal Coal Mine Health and Safety Act of 1969, 30 U.S.C. 801-960, the
Secretary has certain obligations with respect to the medical examination of
coal miners. Under the Act, coal mine operators are obliged to provide miners
with chest X-rays in accordance with instructions of the Secretary, and to
provide the Secretary with the results of the readings of such X-rays. Under the
Act, the Secretary is obliged to provide the results of such readings to the
miners involved. Sec. 203(a), 30 U.S.C. 843. There is no statutory obligation of
confidentiality, but the Secretary's regulations for the program require mine
operators to give assurance that they will not "solicit a physician's
roentgenographic findings" and that they have instructed the physicians that
duplicate X-rays will not be made. 42 C.F.R. 37.4.

WELFARE

The authority of the Social Security Administration (SSA) to collect information
is derived primarily from its duty to carry out its program responsibilities. In
this regard, Title II of the Social Security Act, Federal Old-Age, Survivors, and
Disability Insurance Benefits (OASDI), provides in part as follows:

> (a) The Secretary shall have full power and authority to make rules and
> regulations and to establish procedures, not inconsistent with the provisions
> of this title, which are necessary or appropriate to carry out such
> provisions, and shall adopt reasonable and proper rules and regulations to
> regulate and provide for the nature and extent of the proofs and evidence and
> the method of taking and furnishing the same in order to establish the right
> to benefits hereunder. Sec. 205(a); 42 U.S.C. 405(a).

* * * * * * * * * * * * * * * *

> On the basis of information obtained by or submitted to the Secretary, and after
> such verification thereof as he deems necessary, the Secretary shall establish
> and maintain records of the amounts of wages paid to, and the amounts of
> self-employment income derived by, each individual and of the periods in which
> such wages were paid and such income was derived and, upon request, shall inform
> any individual or his survivor, or the legal representative of such individual
> or his estate, of the amounts of wages and self-employment income of such
> individual and the periods during which such wages were paid and such income was
> derived, as shown by such records at the time of such request. Sec.
> 205(c)(2)(A); 42 U.S.C. 405(c)(2)(A).

The Secretary is also authorized to obtain information for the purpose of any
hearing, investigation or other proceeding authorized or directed under Title II
of the Social Security Act or relative to any other matter within his
jurisdiction thereunder, by use of the subpoena power if necessary. Sec. 205(d);
42 U.S.C. 405(d).

Section 218(e)(1)(B) of the Social Security Act, 42 U.S.C. 418(e)(1)(B),
authorizes the Secretary to issue regulations prescribing reports by States
under agreements extending OASDI coverage to State and local government
employees.

Title XVIII of the Social Security Act, Health Insurance for the Aged
(Medicare), authorizes the use of intermediaries and carriers for the
administration of benefits and specifies that each contract shall provide that
the intermediary or carrier shall furnish to the Secretary information it
obtains in performing its functions and shall maintain records supporting such
information. § 1816(b)(2), 42 U.S.C. 1395h(b)(2), and § 1842(b)(3)(D) and (E),
42 U.S.C. 1395u(b)(3)(D) and (E). In addition, the Secretary is authorized to
secure information "as may be necessary in the carrying out of his functions
. . ." and directed to carry on studies relating to health care of the aged and
to the operation and administration of the hospital and supplementary medical
insurance programs for the aged. §§ 1874 and 1875, 42 U.S.C. 1395kk and 1395ll.

The collection of information by SSA is closely related to some Internal Revenue
Service activities and there is interchange of information between the agencies.
See 20 C.F.R. 401.3 (d). Internal Revenue Act provisions and the regulations
thereunder provide that:

> Every person liable for any tax imposed by this title, or for the collection
> thereof, shall keep such records, render such statements, make such returns,
> and comply with such rules and regulations as the Secretary [of the Treasury]
> or his delegate may from time to time prescribe. Whenever in the judgment of
> the Secretary or his delegate it is necessary, he may require any person, by
> notice served upon such person or by regulations, to make such returns, render
> such statements, or keep such records, as the Secretary or his delegate deems
> sufficient to show whether or not such person is liable for tax under this
> title. 26 U.S.C. 6001; see 26 C.F.R. 1.6001-1.

> When required by regulations prescribed by the Secretary [of the Treasury] or
> his delegate any person made liable for any tax imposed by this title, or for
> the collection thereof, shall make a return or statement according to the
> forms and regulations prescribed by the Secretary or his delegate. Every
> person required to make a return or statement shall include therein the
> information required by such forms or regulations. 26 U.S.C. 6011(a); See 26
> C.F.R. 1.6011-1.

The Administration on Aging has the "duty and function" to

> (1) serve as a clearinghouse for information related to problems of the aged
> and aging;
> 
> (4) develop plans, conduct, and arrange for research in the field of aging . .
> . .
> 
> (6) prepare, publish, and disseminate educational materials dealing with the
> welfare of older persons;
> 
> (7) gather statistics in the field of aging which other Federal agencies are
> not collecting; .... Older Americans Act of 1965, § 202.

There is also the requirement, similar to that under Titles I, IV, X, XIV, XVI
and XIX of the Social Security Act (see p. 268, below), that a State agency
administering a State plan program under the Older Americans Act will make
reports to the Commissioner on Aging, ". . . in such form and containing such
information, as the Commissioner may from time to time require." Older Americans
Act of 1965, § 305(a)(3).

Information and reports authority also exists in the area of juvenile
delinquency prevention and control. The Secretary is directed to "collect,
evaluate, publish, and disseminate information and materials relating to
research and programs and projects. . . " in the juvenile delinquency field.
Juvenile Delinquency Prevention Act, § 303, 42 U.S.C. 3873. Provision is made
for continuing evaluation of programs and activities under the Act, which
evaluations "shall include comparisons with proper control groups composed of
persons who have not participated in programs" under the Act. Title IV, §405, 42
U.S.C. 3885. The Act also requires an annual report to Congress on juvenile
delinquency activities including, among other things,

> the number and types of training projects, number of persons trained and in
> training, and job placement and other follow-up information on trainees and
> former trainees . . . . Title IV, §409, 42 U.S.C. 3889.

Each title of the Social Security Act authorizing a public assistance program
contains a clause that the State plan for the program must

> provide that the State agency will make such reports, in such form and
> containing such information, as the Secretary may from time to time require,
> and comply with such provisions as the Secretary may from time to time find
> necessary to assure the correctness and verification of such reports; Title I,
> Old Age Assistance and Medical Assistance for the Aged, § 2(a)(6), 42 U.S.C.
> 302(a)(6); Title IV, Aid to Families with Dependent Children, § 402(a)(6), 42
> U.S.C. 602(a)(6); Title X, Aid to the Blind, § 1002(a)(6), 42 U.S.C.
> 1202(a)(6); Title XIV, Aid to the Permanently and Totally Disabled,
> § 1402(a)(6), 42 U.S.C. 1352(a)(6); Title XVI, Aid to the Aged, Blind, or
> Disabled, and Medical Assistance for the Aged, § 1602(a)(6), 42 U.S.C.
> 1382(a)(6); Title XIX, Medical Assistance (Medicaid), § 1902(a)(6), 42 U.S.C.
> 1396a(a)(6).

There is a specific reporting requirement in section 402(a)(21) of the Social
Security Act, 42 U.S.C. 602(a)(21), that the States send to the Secretary the
names and social security numbers of parents who have a court-ordered obligation
to support AFDC recipients, but who cannot be found. Under § 410 of the Act, 42
U.S.C. 610, the Secretary is to consult the Secretary of the Treasury to see if
such parents can be located through Internal Revenue Service files. Another
authorization to collect information is found in the legislation establishing
the Children's Bureau (a unit now placed in the Office of Child Development),
which is charged with "investigat[ing] and report[ing] to the Secretary . . .
upon all matters pertaining to the welfare of children . . . ." Act of April 9,
1912, ch. 73, sec. 2, 37 Stat. 79, 42 U.S.C. 192.

OFFICE FOR CIVIL RIGHTS

Executive Order 11246 (3 C.F.R. 342 (1964-65 Comp.), Sept. 24, 1965), which
prohibited discrimination in employment practices by Federal contractors and
subcontractors, provides that in every Government contract, in addition to the
nondiscrimination clauses, the following clause shall be included:

> (5) The contractor will furnish all information and reports required by
> Executive Order No. 11246 of September 24, 1965, and by the rules,
> regulations, and orders of the Secretary of Labor, or pursuant thereto, and
> will permit access to his books, records, and accounts by the contracting
> agency and the Secretary of Labor for purposes of investigation to ascertain
> compliance with such rules, regulations, and orders. § 202.

In HEW, compliance with the Executive order is handled by the Office for Civil
Rights (OCR). The Executive order provides that

> Each contracting agency shall be primarily responsible for obtaining
> compliance with the rules, regulations, and orders of the Secretary of Labor
> with respect to contracts entered into by such agency or its contractors. §
> 205.

In addition, a section of the regulations issued by the Secretary of Labor
pursuant to the Executive order provides that

> The head of each agency shall, subject to the prior approval of the Director
> [of the Office of Federal Contract Compliance], establish a program and
> promulgate procedures to carry out the agency's responsibilities for obtaining
> compliance with the order and regulations and orders issued pursuant thereto.
> 41 C.F.R. 60-1.6(b).

The Director of the Office of Federal Contract Compliance is further authorized
to redelegate authority given to him. Such redelegated authority "shall be
exercised under [the Director's] general direction and control." 41 C.F.R.
60-1.46. One further provision upon which OCR jurisdiction is based contains the
definition of "compliance agency":

> . . . .the agency designated by the Director on a geographical, industry or
> other basis to conduct compliance reviews and to undertake such other
> responsibilities in connection with the administration of the order as the
> Director may determine to be appropriate. 41 C.F.R. 60-1.3(d).

This section continues with guidelines for when no such designation is made.

The Department of Labor regulations define the responsibilities of OCR for
conducting compliance reviews, 41 C.F.R. 60-1.20, and complaint
investigations, 41 C.F.R. 60-1.24(b). The regulations also require such
disclosure to OCR as is necessary to determine whether a contractor is complying
with the Executive order. 41 C.F.R. 60-1.7 and 60-1.43.

OCR activities also include monitoring compliance with Title VI of the Civil
Rights Act of 1964 which prohibits discrimination in programs and activities
receiving Federal financial assistance. Under Title VI, Department regulations
provide for the submission of compliance information to the Department by
recipients of financial assistance and for access by Department officials to
such information as is necessary to ascertain compliance with the Act. 45 C.F.R.
80.6. The regulations also require periodic compliance reviews and
investigations of specific complaints. 45 C.F.R. 80.7.

Constraints on the Process of Collecting Information

Superimposed upon the authority of HEW to collect information is the Federal
Reports Act, 44 U.S.C. 3501-3511, passed originally in 1942 (56 Stat. 1078).
Section 3509 states that "A Federal agency may not conduct or sponsor the
collection of information upon identical items, from ten or more persons, other
than Federal employees, unless, in advance of adoption or revision of any plans
or forms to be used in the collection-" the Office of Management and Budget
(OMB) approves the proposed collection of information.

The stated purpose of this Act is to minimize both the burden upon those
required to furnish information and the cost to the Government of collection. In
addition, the Act provides for cooperation among agencies in sharing
information. Provisions are included relating to unlawful disclosure and
confidentiality of information. See pp. 272-273, below. See generally OMB
Circular No. A-40 Revised, May 3, 1973.

The Act defines "information" as

> facts obtained or solicited by the use of written report forms, application
> forms, schedules, questionnaires, or other similar methods calling either for
> answers to identical questions from ten or more persons other than agencies,
> instrumentalities, or employees of the United States or for answers to
> questions from agencies, instrumentalities, or employees of the United States
> which are to be used for statistical compilations of general public interest.
> 44 U.S.C. 3502.

Under OMB instructions accompanying the report clearance request form (OMB
Standard Form 83), one paragraph is specifically directed to whether sensitive
questions may be included and, if so, in what form:

> Additional justification must be provided for surveys which include questions
> of a sensitive nature, such as sex behavior and attitudes, religious beliefs
> and other matters which are commonly considered private. This should include
> the reasons why the agency considers the questions necessary and the specific
> uses to be made of the data obtained. The explanation to be given respondents
> and any steps to be taken to secure their consent (except where response is
> mandatory) should be stated. Describe extent of confidentiality and protection
> provided against disclosure of information from individual returns, including
> arrangements for disposition of completed report forms. Instructions, III,
> A-7.

Limitations on Storage, and Dissemination of Information

Limitations on the storage, handling and dissemination of information collected
by HEW are found in statutes, Departmental regulations, Civil Service
Commission regulations, manuals, policy statements, contract guidelines and
miscellaneous memoranda.

The overall Federal government records management policy is set out in 44 U.S.C.
3101 which requires the head of each Federal agency to

> ....make and preserve records containing adequate and proper documentation of
> the organization, functions, policies, decisions, procedures, and essential
> transactions of the agency and designed to furnish the information necessary
> to protect the legal and financial rights of the Government and of persons
> directly affected by the agency's activities.

As mentioned in the previous discussion of the Federal Reports Act (pp.
270-271, above), there is a section in that Act discussing when information
collected under reports approved under the Act may be released.

> (a) If information obtained in confidence by a Federal agency is released by
> that agency to another Federal agency, all the provisions of law including
> penalties which relate to the unlawful disclosure of information apply to the
> officers and employees of the agency to which information is released to the
> same extent and in the same manner as the provisions apply to the officers and
> employees of the agency which originally obtained the information. The
> officers and employees of the agency to which the information is released, in
> addition, shall be subject to the same provisions of law, including penalties,
> relating to the unlawful disclosure of information as if the information had
> been collected directly by that agency.

> (b) Information obtained by a Federal agency from a person under this chapter
> may be released to another Federal agency only-

 * (1) in the form of statistical totals or summaries; or
 * (2) if the information as supplied by persons to a Federal agency had not, at
   the time of collection, been declared by that agency or by a superior
   authority to be confidential; or
 * (3) when the persons supplying the information consent to the release of it
   to a second agency by the agency to which the information was originally
   supplied; or
 * (4) when the Federal agency to which another Federal agency releases the
   information has authority to collect the information itself and the authority
   is supported by legal provision for criminal penalties against persons
   failing to supply the information. 44 U.S.C. 3508.

Superimposed upon all HEW information disclosure is the Public Information Act,
5 U.S.C. 552. This Act (usually known as the "Freedom of Information Act")
establishes a formalized declaration of availability of records and information
of all Government agencies. The policy of the Act as implemented in the HEW
Public Information Regulation, 45 C.F.R. Part 5, is ". . .one of the fullest
responsible disclosure limited only by the obligations of confidentiality and
the administrative necessities recognized by the Act." 45 C.F.R. 5.12. The
exemptions from this policy of disclosure which are stated in the Act are:

> . . .matters that are

> (1) specifically required by Executive order to be kept secret in the interest
> of the national defense or foreign policy;
> 
> (2) related solely to the internal personnel rules and practices of an agency;
> 
> (3) specifically exempted from disclosure by statute;
> 
> (4) trade secrets and commercial or financial information obtained from a
> person and privileged or confidential;
> 
> (5) inter-agency or intra-agency memorandums or letters which would not be
> available by law to a party other than an agency in litigation with the
> agency;
> 
> (6) personnel and medical files and similar files the disclosure of which
> would constitute a clearly unwarranted invasion of personal privacy;
> 
> (7) investigatory files compiled for law enforcement purposes except to the
> extent available by law to a party other than an agency;
> 
> (8) contained in or related to examination, operating, or condition reports
> prepared by, on behalf of, or for the use of an agency responsible for the
> regulation or supervision of financial institutions; or
> 
> (9) geological and geophysical information and data, including maps,
> concerning wells. 5 U.S.C. 552 (b).

The HEW Public Information Regulation provides the operating requirements for
the Public Information Act. Whenever certain materials, such as final opinions
in the adjudication of cases, which are required to be made available under the
Act, relate to an individual, the name or other identifying details shall be
removed and the materials shall so indicate, if release of such information
would constitute a "clearly unwarranted invasion of privacy." 45 C.F.R. 5.16.
The exemptions to required disclosure as set out in the Act are reiterated in
the Regulation with amplification of their scope. 45 C.F.R. 5.70 et seq. In
addition, Appendix A of the Regulation provides examples of exempt materials.
Proposed amendments to these regulations take account of experience with the
regulations and court decisions. 38 Fed. Reg. 8273, May 30, 1973.

An explicit statutory constraint on disclosure of information which is preserved
by exemption (3) is found in section 1106(a) of the Social Security Act, 42
U.S.C. 1306(a), which prohibits disclosure of any personal information obtained
by the Department in the course of administration of the Act except as
specifically prescribed in regulations issued by the Secretary. (Criminal
penalties are provided for violation of this provision.) There are two carefully
delimited statutory exceptions from this general prohibition on disclosure of
information obtained by HEW under the Social Security Act. The first is Section
1106(c) of the Act which requires the Secretary to furnish an individual's most
recent address, or the address of the individual's most recent employer, to a
court or a state or local public assistance agency where the individual is
sought for purposes of a child support order. 42 U.S.C. 1306(c); see 20 C.F.R.
401.3(g)(3) and (4). The second, found in Section 290(c) of the Immigration and
Nationality Act, provides for release of information regarding the identity and
location of aliens to any official of the Department of Justice charged with the
administration of Title II of that Act. 8 U.S.C. 1360(c). See 20 C.F.R.
401.3(p).

Social Security Administration Regulation No. 1, 20 C.F.R. Part 401, issued
under Section 1106 of the Social Security Act, specifies with respect to any
information "which in any way relates to, or is necessary to, or is used in or
in connection with, the administration of the old-age, survivors, disability, or
health insurance programs conducted pursuant to Titles II and XVIII of the
Social Security Act," what information may be disclosed, under what
circumstances and to whom. (No regulation has been issued to prescribe
permissible disclosure of any information obtained by HEW in the course of its
administration of the public assistance programs of the Social Security Act,
viz., under Titles I, IV, V, X, XI, XIV, XVI, and XIX. Hence, disclosure of such
information is barred by Section 1106(a) of the Act.) The disclosures permitted
by SSA Regulation No. 1 relate primarily to situations in which: the claimant or
his representative gives authorization; disclosure is necessary for a social
security program purpose; any official of the Treasury Department or the
Department of Justice charged with administration of Titles II, VIII or IX of
the Social Security Act, or certain contribution and revenue laws, needs
information for the purpose of such administration; any Federal official charged
with administration of public assistance, retirement or other benefit payment
programs needs information for the purpose of such administration; any State or
local agency official charged with administration of various Federally-aided
public assistance programs needs information for the purpose of such
administration; any authorized Federal official is engaged in investigation or
prosecution of a criminal violation of the Act or certain contributions and
revenue laws; and the Federal Bureau of Investigation or the U.S. Secret Service
is engaged in investigation or prosecution of threat or act of espionage,
sabotage or other similar act inimical to national security and certifies in
writing that the information requested is required in an investigation of major
importance to protect national security. The foregoing and certain other
situations when information may be disclosed are specified in careful detail in
the Regulation. 20 C.F.R. 401.3.

A criminal statute of government-wide applicability provides criminal penalties
for unauthorized disclosure of specified classes of information by government
officers and employees. This statute states:

> Whoever, being an officer or employee of the United States or of any
> department or agency thereof, publishes, divulges, discloses, or makes known
> in any manner or to any extent not authorized by law any information coming to
> him in the course of his employment or official duties or by reason of any
> examination or investigation made by, or return, report or record made to or
> filed with, such department or agency or officer or employee thereof, which
> information concerns or relates to the trade secrets, processes, operations,
> style of work, or apparatus, or to the identity, confidential statistical
> data, amount or source of any income, profits, losses, or expenditures of any
> person, firm, partnership, corporation, or association; or permits any income
> return or copy thereof or any book containing any abstract or particulars
> thereof to be seen or examined by any person except as provided by law; shall
> be fined not more than $1,000, or imprisoned not more than one year, or both;
> and shall be removed from office or employment. 18 U.S.C. 1905.

Its principal focus appears to be the protection of commercial secrets, but the
reference to "identity. . .of any person" and "confidential statistical data"
might provide some possibility of employing this statute in cases of
unauthorized disclosure of personal data. In any case, however, it merely
provides a criminal penalty for disclosing information "in any manner or to any
extent not authorized by law." It does not of itself impose an obligation of
nondisclosure and does not qualify as a statutory exemption from disclosure
under exemption (3) of the Freedom of Information Act (p. 273 above).

Constraints on Grantee Behavior

In some instances HEW's program authority makes explicit statutory provision for
the handling of personal information obtained by HEW grantees. For example, the
Social Security Act requires that State plans for the programs of Old Age
Assistance, Aid to the Blind, Aid to the Permanently and Totally Disabled, Aid to
the Aged, Blind or Disabled, and Medical Assistance for the Aged, provide
safeguards which permit the use or disclosure of information concerning
applicants or recipients only to public officials who require the information in
connection with their official duties, or to other persons for purposes directly
connected with the administration of the plan. Social Security Act, § 2(a)(7),
42 U.S.C. 302(a)(7); § 1002(a)(9), 42 U.S.C. 1202(a)(9); § 1402(a)(9), 42 U.S.C.
1352(a)(9); § 1602(a)(7), 42 U.S.C. 1382(a)(7). State plans for Aid to Families
with Dependent Children and for
Medical Assistance must provide safeguards limiting use or disclosure of
information to purposes directly connected with the administration of the plan.
Social Security Act, § 402(a)(9), 42 U.S.C. 602(a)(9) and § 1902(a)(7), 42
U.S.C. 1396a(a)(7). All the Public Assistance programs of the Social Security
Act had, until the Social Security Amendments of 1972 (P.L. 92-603, October 30,
1972) the same limitation on disclosure found in sections 402 and 1902. Those
Amendments broadened the access for all the programs except AFDC and Medical
Assistance, to permit public officials access to information about applicants
and recipients. P.L. 92-603, § 413. The Amendments also provided the broader
access in the new program of Grants to States for Services to the Aged, Blind,
or Disabled, under a new Title VI which will go into effect on January 1, 1974.
§ 602(a)(6). The States' obligations with respect to information about
recipients in the public assistance programs (other than Medical Assistance) are
modified by § 618 of the Revenue Act of 1951, 42 U.S.C. 302 note, which allows
States to have legislation allowing access to records of disbursement of public
assistance funds as long as the legislation "prohibits the use of any list or
names obtained through such access to such records for commercial or political
purposes."

HEW implementation of the requirements for safeguarding information is found in
45 C.F.R. 205.50. This regulation is in the process of revision to take account
of the 1972 amendments.

The behavior of States in handling information in Public Assistance programs is
further constrained by Department instructions on how the States may determine
eligibility. Under 45 C.F.R. 206.10(a)(12), a State agency must get the
applicant's consent before consulting records about the applicant. Under a
recent proposal (37 Fed. Reg. 28189, Dec. 21, 1972), States would have been
permitted to consult public records (i.e., records of any public agency, whether
or not available for public inspection), without seeking consent.

A more recent proposal (38 Fed. Reg. 9819, April 20, 1973) would remove Federal
restrictions on State behavior in this area by eliminating from 45 C.F.R. 206.10
any reference to consultation of records. If this proposal is adopted, the
resulting flexibility would permit States to consult any records without seeking
consent.

Three grant programs in the health field carry their own specific restrictions
on grantee handling of patient data. The Venereal Disease Prevention and Control
Program under § 318 of the Public Health Service Act, 42 U.S.C. 247c, (added by
P.L. 92-449) has a requirement that information about the examination, care, or
treatment of any individual carried out under the grant program "shall not,
without such individual's consent, be disclosed except as may be necessary to
provide service to him . . . ." There is specific provision for disclosure of
statistics, or for "clinical or research purposes" as long as the individual's
identity is not disclosed.

Two programs under Title XI of the Public Health Service Act provide grants for
screening, counseling, and some treatment for sickle cell anemia and Cooley's
anemia, two genetic blood disorders. The applicants for the grants
"shall . . . (2) provide for strict confidentiality of all test results, medical
records, and other information regarding screening, counseling, or treatment of
any person treated, except for (A) such information as the patient (or his
guardian) consents to be released, or (B) statistical data compiled without
reference to the identity of any such patient . . . ." § 1104(a)(2) and
§ 1113(a)(2) of the Public Health Service Act; 42 U.S.C. 300b-3(a)(2) and
300c-2(a)(2).

The Social Security Amendments of 1972 added a new Part B to Title XI of the
Social Security Act. This authorizes the Secretary to enter into agreements with
organizations to review, from a technical and professional standpoint, the
necessity and quality of medical services for which payment may be made under
the Social Security Act. (This includes Medicare, Medicaid, and certain child
health programs.) These organizations will be nonprofit associations of
physicians, or other organizations found able to perform the task, and are
designated Professional Standards Review Organizations.

Certain obligations with respect to confidentiality are imposed by the statute.
Under § 1155(a)(4), 42 U.S.C. 1320c-4(a)(4), these organizations must arrange for
the maintenance and review of

> profiles of care and services received and provided with respect to patients,
> utilizing to the greatest extent practicable in such patient profiles, methods
> of coding which will provide maximum confidentiality as to patient identity
> and assure objective evaluation consistent with the purposes of this part.

There is a prohibition on disclosure of information in § 1166, 42 U.S.C.
1320c-15, which is somewhat similar to the one in § 1106. Under § 1166, data or
information acquired by any Professional Standards Review Organization shall be
held in confidence and not disclosed except as necessary to carry out the
purposes of the program, or under "such circumstances as the Secretary shall by
regulations provide to assure adequate protection of the rights and interests of
patients, health care practitioners, or providers of health care." Fine,
imprisonment, and the costs of prosecution are provided as penalties.

Section 305(a) of the Public Health Service Act authorizing the Secretary to
conduct the National Health Surveys and Studies, 42 U.S.C. 242c (pp. 263-264,
above) includes the following constraint added by P.L. 91-515:

> No information obtained in accordance with this paragraph may be used for any
> purpose other than the statistical purposes for which it was supplied except
> pursuant to regulations of the Secretary; nor may any such information be
> published if the particular establishment or person supplying it is
> identifiable except with the consent of such establishment or person.

Explicit provision to authorize constraints on disclosure of personal
information in research relating to drugs is found in § 303(a) of the Public
Health Service Act, 42 U.S.C. 242a, as follows:

> The Secretary may authorize persons engaged in research on the use and effect
> of drugs to protect the privacy of individuals who are the subject of such
> research by withholding from all persons not connected with the conduct of
> such research the names or other identifying characteristics of such
> individuals. Persons so authorized to protect the privacy of such individuals
> may not be compelled in any Federal, State, or local civil, criminal,
> administrative, legislative, or other proceedings to identify such
> individuals. 42 U.S.C. 242a.

Similar authority with respect to alcohol research is found in § 333 of the
Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and
Rehabilitation Act of 1970. 42 U.S.C. 4582. The Attorney General has similar
authority with respect to drug research under § 502(c) of the Comprehensive Drug
Abuse Prevention and Control Act of 1970, 21 U.S.C. 872(c). In these
authorities, the authorization to hold data confidential may be given to anyone
conducting the specified research; there is no requirement of Federal
connection. The authorization with respect to drug research has been given to
Federal employees not in HEW and to employees of an OEO-funded project with no
HEW connection, 37 Fed. Reg. 21547, Oct. 12, 1972, and to employees of HEW
contractors doing alcoholism research. 37 Fed. Reg. 28310, Dec. 22, 1972.

Availability of Public Health Service records and information is governed by 42
C.F.R., Part 1. Clinical information as defined is confidential and is available
"...only as necessary for the performance of the functions of the Service" or in
certain limited instances, such as to a patient or his designee upon a
reasonable showing of need; to a government agency which requested or arranged
for examination, care or treatment service facilities; or to State or public
health agencies "engaged in collecting data regarding disease." 42 C.F.R. 1.102.
In addition, upon a court order, clinical information shall be disclosed in
accordance with applicable local law regarding confidentiality of
physician-patient communications.

When non-clinical information has been obtained under an assurance of
confidentiality, it may be disclosed only with the consent of the person or
agency to whom the assurance was given or when the Secretary determines that
disclosure is necessary to prevent "an epidemic or other grave danger to the
public health" or in a legal action brought against the Government. 42 C.F.R.
1.103.

The regulations contain additional limitations on release of records and
information concerning actions of advisory councils; regulatory programs such as
licensing of biological products; conduct of research projects; and applications
for employment or Federal support.

Six other regulations provide limitations on dissemination of information.

42 C.F.R. 200.12 provides that State Plans for maternal and child health and
crippled children's programs shall provide for designation of all personal
information as confidential, with suitable regulations and safeguards to be
provided. However, information which does not identify particular individuals
may be disclosed in summary or statistical form.

42 C.F.R., Part 3 provides, among other conditions, that the Special Statistical
Services of the National Center for Health Statistics may be furnished provided
that "the data or statistics requested are not confidential."

42 C.F.R., Part 300 provides that the records of Saint Elizabeth's Hospital are
confidential and may be disclosed only upon a court order or if the
Superintendent determines that it would "not be inimical to the public interest
or to the welfare of the patient." 42 C.F.R. 300.2.

21 C.F.R., Part 4 provides for procedures to be followed by persons desiring to
obtain records and information of the Food and Drug Administration not
specifically available under the Freedom of Information Act and the Department's
implementing regulations.

The Food and Drug Administration (FDA) regulation governing investigational new
drugs and approved new drugs specifically provides that the identity of
individual patients need not be divulged by a clinical investigator physician
unless the records of particular subjects require a more detailed study by FDA
personnel of the case history or unless there is reason to believe that the
records do not represent actual cases studied or do not represent actual results
obtained. 21 C.F.R. 130.3(a)(12), 130.3(a)(13), and 130.13(c).

Disclosure of individual information obtained in the administration of the
Social and Rehabilitation Service repatriation assistance program, authorized by
Section 1113 of the Social Security Act, 42 U.S.C. 1313, is carefully
constrained by regulation for the benefit of assisted individuals. 45 C.F.R.
212.9.

Other Limitations

In addition to the statutes and regulations discussed above, guidelines relating
to disclosure of information exist in many other forms including manuals,
circulars and instructions, policy statements, contract clauses, and assurances
on data collection forms. Many of these develop and enlarge upon the policies
and procedures which are prescribed in statutes and regulations. In other
instances, these guidelines have been promulgated in the absence of any specific
statutory or regulatory provisions. Examples of such guidelines are as follows.

The National Center for Health Statistics (NCHS) has issued a comprehensive
policy statement on release of data. Simply stated, this policy is one of
"absolute and uncompromising protection of confidentiality. . .with respect to
data supplied by respondents as privileged communications." Data are never to be
released in a manner in which a respondent's identity is revealed, but rather
only as aggregate statistics. Detailed procedures for handling particular
classes of data or programs are provided. Furthermore, there are restrictions
placed on the use of the statistics themselves so that there will be no misuse
or misrepresentation. The NCHS requires a pledge in each contract that
confidentiality of records will be maintained and that access to data will be
strictly limited. A document signed by Surgeon General L.E. Burney on February
26, 1957 and published in the Federal Register, 22 Fed. Reg. 1687 (March 15,
1957), underscores the guarantees. This is supplemented by another similar
assurance published in May, 1959. 24 Fed. Reg. 4061 (May 20, 1959). Furthermore,
most data collecting questionnaires carry a confidentiality assurance. All
persons engaged in data-collecting activities with NCHS must also sign an
affidavit guaranteeing nondisclosure.

Health Services and Mental Health Administration Circular No. 71.1 entitled,
"Assurances of Confidentiality Given in Obtaining Information" sets out the
Public Health Service policy for the Health Services and Mental Health
Administration (HSMHA) governing when such assurances shall be given, what form
the assurance shall take and what the responsibilities are with respect to
information collected subject to the assurance.

In situations where information is collected and stored by third parties under
contracts with HEW, generally either the contracts themselves or contract
guidelines include confidentiality provisions. The Community Care Contract
Agency Series, guidelines prepared by the Narcotic Addict Rehabilitation Branch
of the National Institute of Mental Health, provide that the records maintained
for each patient will be kept confidential and that release of information,
other than to government program personnel and the Federal courts, will be
permitted only with the patient's signed consent.

Social Security Administration (SSA) contracts with intermediaries and carriers,
e.g., Blue Cross, include clauses directing them to adopt policies and
procedures to insure that information obtained in carrying out their functions
under the Social Security Act shall be used and disclosed solely as provided in
SSA Regulation No. 1 (p. 275, above). Furthermore, the contractors must agree to
include in all subcontracts disclosure clauses identical to those in their own
contracts.

The Social Security Claims Manual, SSA's operating instructions for its
employees, contains an entire chapter devoted to disclosure of information. See
Ch. 7300. This chapter is keyed to the regulations, 20 C.F.R., Part 401, and
covers in rigorous detail the circumstances under which disclosure is allowed.

The Social Security Handbook, which does not have the force of law, contains
nine pages bearing directly upon the subject of what information SSA may or may
not disclose under specified conditions and circumstances. Handbook, §§ 141-153
and 1701. The Handbook was published to provide a detailed explanation of the
social security program to the public and it does not reflect changes in the
regulations since early 1968.

A guide to policies governing the provision of special statistical information,
records, and related materials created pursuant to Section 417 of the General
Education Provisions Act, 20 U.S.C. 1231f (p. 262, above), was adopted by the
Office of Education in March, 1972. 37 Fed. Reg. 6218 (March 25, 1972). The
basic policy is "to make. . .collected statistical information available. . .as
widely and promptly as possible" subject to certain constraints including
nonviolation of confidentiality of data.

Permanent Storage and Disposal of Information

A comprehensive statutory scheme vests authority for management of Federal
government records in the General Services Administration (GSA) including
generally supervising each agency's record keeping, setting standards for
selective retention of records, establishing centers for storage, processing and
servicing of records, and finally, regulating and handling the ultimate disposal
or permanent storage of all government records. 44 U.S.C. 2901-2910 and 44
U.S.C. 3301-3314.

Records that contain information that is subject to confidentiality restrictions
remain subject to such protection when transferred to GSA, as provided by a
regulation that states:

> Whenever any records that are transferred are subject to restrictions upon
> their use, imposed pursuant to statute, Executive order, or agency
> determination, such restrictions shall continue in effect after the transfer.
> Restrictions imposed by agency determination may be removed by agreement
> between the agencies concerned. 41 C.F.R. 101-11.409-8.

Personnel Information Activities

In addition to the authority to collect personnel information to fulfill general
Departmental administrative responsibilities (pp. 260-261, above), there is a
duty imposed upon the Department to collect personnel information to fulfill
Civil Service Commission (CSC) requirements. Under the provisions of 5 U.S.C.
2951 and Executive Order 10577, HEW is required periodically to provide various
personnel-related reports to the Civil Service Commission. Section 7.2 of Civil
Service Rule VII provides that:

> Each agency shall report to the Commission, in such manner and at such times
> as the Commission may prescribe, such personnel information as it may request
> relating to positions and officers and employees in the competitive service
> and in the excepted service, whether permanent or career, career-conditional,
> indefinite, temporary, emergency, or subject to contract. 5 C.F.R. 7.2.

The data required for these reports are essentially those supplied on the CSC
Standard Form 50, Notification of Personnel Action. That information consists of
basic personal data (name, sex, birth date); basic employment data (grade, dates
of entrance into service and of potential promotion, pay plan and occupation
code, insurance codes, type of personnel actions taken); veteran preference code
and handicap code. See Federal Personnel Manual, Chapter 291.

Civil Service Commission regulations deal extensively with the maintenance of
personnel records. The regulations require establishment of an Official
Personnel Folder for each employee, 5 C.F.R. 293.202, which Folder is under the
jurisdiction and control of and part of the records of the Civil Service
Commission. 5 C.F.R. 293.203. In these Folders each agency is obliged to
maintain reports of selection and other personnel actions as listed in 5 U.S.C.
2951 and also other records as required by Commission instructions. 5 C.F.R.
293.204. There is a provision relative to removal of records of only temporary
value from the Folder. 5 C.F.R. 293.209.

Another requirement for collection of information about Federal employees is
found in 5 C.F.R. 713.302 which calls for periodic reporting of employment
statistics by race and national origin. CSC regulations provide that data as to
race or national origin may be collected only by visual identification. 5 C.F.R.
713.302(b). In addition, anyone having the authority to take or recommend
personnel action in the competitive service is prohibited from making any
inquiry concerning race, religion, or political affiliation of any employee in,
or any eligible or applicant for, the competitive service. 5 C.F.R. 4.2.

The disclosure of information collected for personnel purposes is limited by
statutes and regulations as follows. The Freedom of Information Act specifically
exempts from public disclosure matters

> related solely to the internal personal rules and practices of an agency . . .
> .[and] personnel and medical files and similar files the disclosure of which
> would constitute a clearly unwarranted invasion of personal privacy. 5 U.S.C.
> 552(b)(2) and (6).

These sections are amplified in regulations of both the Civil Service
Commission, 5 C.F.R. 294.103, and the Department, 45 C.F.R. 5.72 and 5.76 (p.
274, above).

The general policy of the Civil Service Commission is to make information
available unless disclosure would constitute a clearly unwarranted invasion of
personal privacy or is otherwise prohibited by law. Medical information may not
be made available without the individual's written consent, 5 C.F.R. 294.401,
nor may information from annual and sick leave records, 5 C.F.R. 294.1101.
Names, present and past positions, titles, grades, salaries and duty stations of
government employees are publicly available, except when release of such
information is prohibited by law or Executive order or when the information is
sought for commercial or other solicitation or for political purposes.
Employee's name, address, Social Security number, and amount of Federal
compensation are furnished to State or local taxing authorities pursuant to
Office of Management and Budget Circular No. A-38, Revised. In addition, limited
information may be made available to prospective employers and home address
shall be made available to a police or court official for the purpose of service
of a summons, warrant, subpoena or other legal process. Approved educational and
historical researchers may be granted limited access to information about
separated employees which is stored with the General Services Administration;
however, information that is derogatory to the former employee shall not be made
available under this provision. 5 C.F.R. 294.702. With the exception of certain
medical information, test material, and investigative reports, employees, former
employees, and their representatives or other persons having their consent may
have access to their Official Personnel Folders. Finally, Official Personnel
Folders are, with limitations on material relating to loyalty and security,
officially accessible to members of Congress, representatives of Congressional
committees and subcommittees, government officials of the District of Columbia
and Federal executive branch officials. 5 C.F.R. 294.703. Provision exists for
limited disclosure to the parties concerned and to the public of information
from administrative appeal and complaint files established for purposes of
employee grievances and administrative appeals. 5 C.F.R. 294.801.

Instructions, letters and bulletins are issued by the Civil Service Commission
periodically to amplify, update, and reinforce the requirements provided in
statutes and regulations. The instructions of the Civil Service Commission,
found in the Federal Personnel Manual (FPM), are issued under the authority of
Executive Order 10561 and under the regulations discussed above. They apply to
all executive departments and agencies. Chapter 290 of the FPM, added in 1969,
is designed to guide agencies in the use of automated data processing in
personnel administration. It discusses modifications of standard forms necessary
or desirable when automated processing is used and also lists data elements
necessary to meet reporting requirements, FPM, Ch. 290, Appendix A,
and mandatory and optional data elements when an automated system is used. FPM,
Ch. 290, Appendix B.

--------------------------------------------------------------------------------

1 The Department comprises a number of organizational components through which
its operational programs and activities are carried out, viz.: the Public Health
Service (PHS), consisting of the Food and Drug Administration (FDA), the Health
Services and Mental Health Administration (HSMHA) and the National Institutes of
Health (NIH); the Education Division, consisting of the National Institute of
Education (NIE) and the Office of Education (OE); the Social and Rehabilitation
Service (SRS); the Social Security Administration (SSA); and the Office of the
Secretary (OS), consisting in part of the Office for Civil Rights (OCR), and the
Office of Human Development, which includes the Administration on Aging (AOA),
the Office of Child Development (OCD), and the Office of Youth Development
(OYD). (Effective July 1, 1973, the operating agency constituents of the Public
Health Service will be reorganized to consist of the Food and Drug Administration,
the Center for Disease Control, the Health Resources Administration, the Health
Services Administration, and the National Institutes of Health.)
