As we reported in Chapter II, there are extensive federal regulations designed to protect the confidentiality of the individuals and organizations whose private information is reported in federal databases. The laws regulating the sharing of federal data place much more responsibility upon the data producer than the user. Many of these laws specify severe penalties for agency employees in the event that disclosures occur, but these penalties rarely extend to the individuals outside the agency who are actually responsible for the disclosures. A 2005 National Academy of Sciences (NAS) panel report on expanding access to research data notes that “at present, the obligation to protect individual respondents falls primarily on those who collect the data, thereby creating a disincentive for providing access to other researchers” (National Research Council 2005). The NAS panel addressed two recommendations to this problem:
Recommendation 7. All releases of public-use data should include a warning that the data are provided for statistical purposes only and that any attempt to identify an individual respondent is a violation of the ethical understandings under which the data are provided. Users should be required to attest to having read this warning and instructed to include it with any data they redistribute.
Recommendation 8. Access to public-use data should be restricted to those who agree to abide by the confidentiality protections governing such data, and meaningful penalties should be enforced for willful misuse of public-use data.
Achieving these objectives—particularly the second—would require new legislation authorizing agencies to impose penalties.