Personal Privacy in an Information Society. Findings and Conclusions


In assessing the Privacy Act of 1974, the Commission sought answers to the following two questions:

  • Does the Act effectively address the issues and problems it was intended to address?
  • Are there important information policy issues and problems the Act might address but does not address, or does not address adequately?

On the whole, the Commission has concluded that:

(1) The Privacy Act represents a large step forward, but it has not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect;

(2) Agency compliance with the Act is difficult to assess because of the ambiguity of some of the Act's requirements, but, on balance, it appears to be neither deplorable nor exemplary;

(3) The Act ignores or only marginally addresses some personal-data record-keeping policy issues of major importance now and for the future.

The more specific conclusions that follow stem from these three basic conclusions. The Commission believes that if the Congress seeks to remedy these deficiencies by amending the Act, three steps are essential:

First, the ambiguous language in the law should be clarified to minimize variations in interpretation, but not implementation, of the law.

Second, any clarification should incorporate "reasonableness tests" to allow flexibility and thus give the agencies incentives to attend to implementation issues and to take account of the differences between manual and automated record keeping, diverse agency record-keeping requirements, and future technological developments.

Third, the Act's reliance on its system-of-records definition as the sole basis for activating all of its requirements should be abandoned in favor of an approach that activates specific requirements as warranted.

The impact of the first two of these suggestions will become clear when the specifics of the Commission's other, more detailed, conclusions are explained. The third, however, is central to the operation of the Act. From an examination of both the language of the Act and its legislative history, it seems clear that the intent of Congress was to include in the definition of the term "record"6 every one that contains any kind of individually identifiable information about an individual. However, because the Congress was mindful of the burden such a definition could impose on an agency, it limited the Act's coverage to records retrieved from a "system of records" by "name . . . or identifying number, symbol, or other identifying particular . . . ." [5 U.S.C. 552a(a)(5)] Thus, unless an agency, in fact, retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular . . .," the system in which the information is maintained is not covered by the Act. Whereas the current record definition refers to information about an individual which contains his name or identifier, the system-of-records definition refers to information about an individual which is retrieved by name, identifier, or identifying particular. The crucial difference is obvious, and the effect has been wholesale exclusion from the Act's scope of records that are not accessed by name, identifier, or assigned particular. None of the Act's protections accrue to an individual whose record is so treated.

There are many examples of readily accessible individually identifiable agency records that are not retrieved by personal identifier,7 and current and emerging computer and telecommunications technology will create more. While the language of the Act speaks in terms of retrieval by discrete individual identifiers, most automated record systems facilitate identification of an individual's record based on some combination of the individual's attributes or characteristics, natural or assigned, as well as by reference to individual identifiers in the more conventional sense. Thus, it would be easy to program a computer to locate particular individuals through attribute searches (e.g., "list all blonde, female Executive Directors of Federal Commissions").8 Retrieval of individually identifiable information by scanning (or searching) large volumes of computer records is not only possible but an ever-increasing agency practice. The Federal Trade Commission, for example, is transcribing all written material in its litigation files for computer retrieval, thereby making it possible to search for all occurrences of a particular name, or any other character pattern for that matter.

In summary, the system-of-records definition has two limitations. First, it undermines the Act's objective of allowing an individual to have access to the records an agency maintains about him, and second, by serving as the activating, or "on/off switch" for the Act's other provisions, it unnecessarily limits the Act's scope. To solve this problem without placing an unreasonable burden on the agencies, the Commission believes the Act's definition of a system of records should be abandoned and its definition of a record amended.

The term record should include attributes and other personal characteristics assigned to an individual, and a new term, accessible record, should be defined to delineate those individually identifiable records that ought to be available to an individual in response to an access request. Accessible records would include those which, while not retrieved by an individual identifier, could be retrieved by an agency without unreasonably burdening it, either through its regular retrieval procedures or because the subject is able to help the agency find the record. If an individual knew he was mentioned in a particular record, for example, he would be entitled to access to it whether or not agency practice is to access the record by reference to him.

The Commission believes that when an individual asks to see and copy information an agency maintains on him, the agency should be required to provide that information if it can do so without an unreasonable expenditure of time, money, or other resources or if the individual can provide specific enough locating information to render the record accessible without an unreasonable expenditure. In implementing this provision, however, an agency should not have to establish any new cross-referencing schemes for the purpose of granting access, such as would be required if the agency had to be aware of all references to one individual in other individuals' files or in files indexed in any other manner (e.g., references to agency officers in files indexed by agency name). In this connection, the Commission would also urge deletion of the clause (in Subsection d(1)) of the Act which requires an agency to allow an individual access "to any information pertaining to him which is contained in the system . . . ." This requirement is impossible to satisfy since an agency often does not know how to find "all" such information.

The Commission also believes that the terms record, individually identifiable record, and accessible record should operate as separate activators, or "on/off switches," for the appropriate provisions of the Act. For example, the Act's civil remedies could apply in all cases in which the misuse of an individually identifiable record through failure to comply with one of the Act's requirements resulted in injury to an individual, while the access to records provision could be subject to the reasonable burden test of the accessible record definition. This would allow more flexibility and broaden the scope of the current Act.

Another provision of the Act that limits its scope is the one dealing with contractors. Recipients of discretionary Federal grants who perform functions similar or identical to functions performed by contractors are not covered. Agency personnel interviewed by Commission staff frequently expressed the view that the implicit distinction in the Act between contractors and grantees is, in many cases, artificial. The Commission agrees. In Chapter 15, moreover, it recommends that a uniform set of requirements and safeguards be applied to records collected or maintained in individually identifiable form for a research or statistical purpose under Federal authority or with Federal funds, and the Privacy Act is suggested as a basic vehicle for implementing these recommendations.

While care must be taken to avoid creating undue burdens on the contractor or grantee, the Commission believes that the Federal government must assure that the basic protections of the Privacy Act apply to records generated with Federal funds for use by the Federal government. Specifically, the Commission believes that any contractor or recipient of a discretionary Federal grant, or any subcontractor thereof, who performs any function on behalf of a Federal agency which requires the contractor or grantee to maintain individually identifiable records, should be subject to the provisions of the Act. The Act, however, should not apply to employment, personnel, or administrative records the contractor or grantee maintains as a necessary aspect of supporting the contract or grant, but which bear no other relation to its performance. The Act also should not apply to individually identifiable records to which the following three conditions all apply: (1) records that are neither required nor implied by terms of the contract or grant; (2) records for which no representation of Federal sponsorship or association is made; and (3) records that will not be provided to the Federal agency with which the contract or grant is established, except for authorized audits or investigations. The added specificity in delineating which records fall within the Act's purview represents an attempt to preserve the intent of the Act while removing some of the confusion that could result in undue burden on contractors and grantees.

The remaining analysis of agency implementation of the Privacy Act will be based on the eight Privacy Act principles identified earlier. The extent of their fulfillment will be examined and the Commission's suggestions for change in their implementation will be presented and explained.