Personal Privacy in an Information Society. The Framework for a National Policy


The imbalance in the relationship between individuals and record-keeping institutions today is pointedly illustrated by the experiences of Catherine Tarver, a "welfare mother" from the State of Washington, and Mitchell Miller, a businessman from Kathleen, Georgia.

In the late 1960's Mrs. Tarver became ill and was hospitalized. The Juvenile Court, after reviewing a report by her caseworker which contained "assertedly derogatory contents," including an allegation of child neglect, placed her children temporarily in the custody of the Department of Public Assistance. A few months later, the Juvenile Court, after another hearing, exonerated Mrs. Tarver and returned her children to her, but the caseworker's report remained in her file at the Department of Public Assistance.

Although Mrs. Tarver had her children back and was no longer on the welfare rolls, she still wanted to have the caseworker's report removed from her file on the grounds that it was false, misleading, and prejudicial and would be available to other State social services agencies with whom she might subsequently have contact. When she asked for a fair hearing1 to challenge the report, the Public Assistance Department rejected her request because the grievance was not directly related to eligibility for public assistance. She sued in a State court but lost, the court agreeing with the welfare agency that the fair hearing procedure was not meant to deal with collateral problems. The U.S. Supreme Court refused to review her case and the caseworker's report remained in her file.

Mitchell Miller's difficulties began on December 18, 1972, when a deputy sheriff from Houston County, Georgia, stopped a Pepsico truck purportedly owned by Miller and found it was transporting 150 five-gallon plastic jugs, two 100-pound bags of wheat shorts, cylinders of bottled gas, and a shotgun condenser. Less than a month later, while fighting a warehouse fire, the sheriff and fire department officials found a 7,500 gallon distillery and 175 gallons of untaxed whiskey. An agent from the U. S. Treasury Department's Bureau of Alcohol, Tobacco and Firearms suspected Miller of direct involvement in both events and two weeks later presented grand jury subpoenas to the two banks where Miller maintained accounts. Without notifying Miller, copies of his checks and bank statements were either shown or given to the Treasury agents as soon as they presented the subpoenas. The subpoenas did not require immediate disclosure, but the bank officers nonetheless responded at once.

After he had been indicted, Miller attempted to persuade the court that the grand jury subpoenas used by the Treasury Department were invalid and, thus, the evidence obtained with them could not be used against him. He pointed out that the subpoenas had not been issued by the grand jury itself, and further, that they were returnable on a day when the grand jury was not in session. Finally, Miller argued that the Bank Secrecy Act's requirement that banks maintain microfilm copies of checks for two years2 was an unconstitutional invasion of his Fourth Amendment rights. The trial court rejected Miller's arguments and he appealed.

The Fifth Circuit Court of Appeals also rejected Miller's claim that the Bank Secrecy Act was unconstitutional, an issue that had already been resolved by the U.S. Supreme Court in 1974.3 The Court of Appeals agreed, however, that Miller's rights, as well as the bank's, were threatened and that he should be accorded the right to legal process to challenge the validity of the grand jury subpoenas. The Court of Appeals saw Miller's interest in the bank's records as deriving from the Fourth Amendment protection against unreasonable searches and seizures which protected him against "compulsory production of a man's private papers to establish a criminal charge against him."

On April 21, 1976, a fateful day for personal privacy, the U.S. Supreme Court decided that Mitchell Miller had no legitimate "expectation of privacy" in his bank records and thus no protectible interest for the Court to consider. The Court reasoned that because checks are an independent record of an individual's participation in the flow of commerce, they cannot be considered confidential communications. The account record, moreover, is the property of the bank, not of the individual account holder. Thus, according to the Court, Miller's expectation of privacy was neither legitimate, warranted, nor enforceable.

The Tarver and Miller decisions4 are the law of the land, and the Commission takes no issue with their legal correctness. Viewed from one perspective, these cases are very narrow and affect only a minute percentage of the population. Tarver might be seen as simply refusing an additional request from a welfare mother who had received the benefits she was entitled to under a program; Miller as a decision affecting only the technical procedural rights of a criminal defendant. Perhaps these two cases are not very compelling, but the Commission singles them out because each starkly underscores an individual's present defenselessness with respect to records maintained about him. Who is there to raise such issues if not people in trouble? They are the ones who reach for and test the limits of existing legal protections, and if the protections are not there for them, they will not be there for anyone.

In both cases, institutional policies and the legal system failed individuals in their efforts to limit the impact of records on their lives. The Tarver case warns that one may be able to do nothing about a damaging record, not even if it is false, until some adverse action is taken on the basis of it; that one has no way to prevent the damage such an action can do. The Miller decision goes even further, making records the property solely of the record keeper, so that the individual cannot assert any interest in them, although his interest would be assertable if he himself held the same records. Even worse, it warns that not only a "revenuer" but anyone, public or private, can gain access to an individual's bank records if the bank agrees to disclose them.

Each case illustrates systemic flaws in the existing means available to any individual who tries to protect himself against the untoward consequences of organizational record keeping. Together they strongly suggest that if Americans still value personal privacy, they must make certain changes in the way records about individuals are made, used, and disclosed. Since so much of an individual's life is now shaped by his relationships with organizations, his interest in the records organizations keep about him is obvious and compelling. The above cases and the rest of this report show how poorly that interest is protected. If it is to be protected, public policy must focus on five systemic features of personal data record keeping in America today.

First, while an organization makes and keeps records about individuals to facilitate relationships with them, it also makes and keeps records about individuals for other purposes, such as documenting the record-keeping organization's own actions and making it possible for other organizations-government agencies, for example-to monitor the actions of individuals.

Second, there is an accelerating trend, most obvious in the credit and financial areas, toward the accumulation in records of more and more personal details about an individual.

Third more and more records about an individual are collected, maintained, and disclosed by organizations with which the individual has no direct relationship but whose records help to shape his life.

Fourth, most record-keeping organizations consult the records of other organizations to verify the information they obtain from an individual and thus pay as much or more attention to what other organizations report about him than they pay to what he reports about himself; and

Fifth, neither law nor technology now gives an individual the tools he needs to protect his legitimate interests in the records organizations keep about him.

The topical chapters that follow document the importance of these five systemic characteristics of personal-data record keeping in America today and present the Commission's recommended approach to solving the problems they create. The Commission believes that by focusing on these five characteristics constructive solutions to most of the record-related privacy protection problems that confront American society today and in the foreseeable future can be found.

The first characteristic-the fact that an organization may use its records about individuals in accounting for its operations to other centers of power and authority in society-has important implications for any policy of record-keeping regulation. It prompts caution in considering prohibitions on the collection of items of information from or about individuals, but at the same time draws attention to the need for special safeguards when requiring an organization to record any information about an individual that it does not need to facilitate its own relationship with him.

The second systemic characteristic-the accumulation in records of more and more personal details-is clearly visible in some of an individual's credit and financial relationships. It will become even more apparent as electronic funds transfer systems mature. This accumulation, moreover, is not the result of more and more people being asked more and more questions, but rather reflects the need and capacity of a particular type of record-keeping organization to monitor and control transactions with its individual customers. As the Commission points out in Chapter 3, it is new perilously easy for such a build-up, however innocently practical the purpose, to crystallize into a personal profile of an individual. The possession of such profiles invites the use of them for marketing, research, and law enforcement, and, in an electronic funds transfer environment, could provide a way of tracking an individual's current movements. The dramatic shift in the balance of power between government and the rest of society that such a development could portend has persuaded the Commission of the compelling need to single it out for special public-policy attention and action.

The third systemic characteristic-the attenuation of an individual's relationships with record- keeping organizations when information generated in a direct relationship is recorded in the files of other organizations that have no direct relationship with him-lies at the core of the recommendations in this report. The Commission finds that most organizations that keep records about individuals fall into one of three categories: (1) the primary record keeper (such as a credit grantor, insurer, or social services agency) that has a direct relationship with the individual; (2) support organizations whose sole sources of information are the primary record keepers they serve; and (3) support organizations (usually of an investigative character) that have independent sources of information. While this typology does not fit all cases-credit bureaus, for example, supplement the information they receive from credit grantors with information they search out from public records-it can serve as a guide in apportioning responsibilities among record-keeping institutions.

The fourth characteristic-that a primary record keeper normally verifies the information about himself an individual provides it, and tends to lean as much or more on the verification information it gets from other organizations than on what the individual divulges about himself-gives rise to some of the most difficult privacy protection issues. As records progressively displace face-to-face acquaintance, individuals are more and more driven to permit information in records about them to be disclosed as a condition of receiving services and benefits. For example, an individual who wants a credit card usually cannot have one unless he is willing to permit information about his credit usage to be disclosed regularly to credit bureaus, and through them to other credit grantors. An individual who applies for life insurance must agree to allow medical information about him to be disclosed to the Medical Information Bureau, and through the Bureau to later inquiring life and health insurers. An individual must now allow information to be disclosed from his medical records for a growing number of purposes even though the medical-care relationship requires him to divulge the most intimate details of his life and undergo the most intimate observation.

The sharing of information among record-keeping organizations also transmits the stigma that goes with some kinds of information. One's own physician, for example, may heartily approve of taking a minor or temporary problem to a psychiatrist, but the potential consequences 'of disclosing the mere fact that one has had psychiatric treatment are too well known to need description. Equally serious for some individuals are the consequences of disclosing arrest records, military discharge codes, and previous adverse insurance decisions, and the simple fact that a number of credit grantors asked for credit reports on a particular individual during a short span of time can adversely affect an evaluation of his credit worthiness. Such problems stem in part from the tendency of organizations to accept at face value information they get about individuals from other organizations. Questions are seldom asked about the social or bureaucratic processes by which the information came to be in the other organization's records, so that unwarranted assumptions can easily be made about its value. For the individual, of course, such an unwarranted assumption can start a progression of fortuitous events that may permanently deprive him of opportunities he deserves, or make it impossible for him to escape a particular line of inquiry whenever he seeks to establish a relationship with another organization.

The fifth and last characteristic-that neither law nor technology gives an individual the tools he needs to protect himself from the undeserved difficulties a record can create for him-may also leave him helpless to stop damage once it has started. Current law is neither strong enough nor specific enough to solve the problems that now exist. In some cases, changes in record-keeping practice have already made even recent legal protections obsolete. As record-keeping systems come to be used to preclude action by the individual, a recent trend in the credit and financial areas, it is important that the individual also be given preventive protections to supplement the after-the-fact protections he sometimes has today. The fact that Fair Credit Reporting Act procedures will enable him to get errors in the record corrected can be small and bitter comfort to a traveler stranded in a strange city late at night because information about his credit-card account status was inaccurately reported to an independent authorization service. He would undoubtedly prefer a procedure that would enable him to get an error corrected before it entered into an adverse decision about him, and so would most everyone if he stopped and thought about it.

The Commission also found numerous examples of situations in which decisions or judgments made on the basis of a record about an individual can matter to the individual very much but in which he has no substantive or procedural protection at all. The law as it now stands simply ignores the strong interest many people have in records about them-applicants to graduate and professional schools, people being considered for jobs or promotions for which they have not formally applied, patients whose records are subpoenaed as evidence in court cases that do not involve them directly, proprietors of small businesses who are the subjects of commercial-credit investigations, and individuals who are the subjects of Federal agency records the agency retrieves and uses by reference to some characteristic of the individual other than his name or an assigned identifying particular.

Paralleling the categories of individuals without protection under current law, there are categories of records that are subject to existing legal requirements if they are created by one particular type of organization, but not if they are created by any other type of organization, although the record and its purpose may be the same in all cases. For example, an investigative report is subject to restrictions if it was prepared by an investigative agency, but not if it was prepared by an insurance company or employer.

The Commission also found that whether a record is subject to existing law can depend on the technique by which it is generated or retrieved. For example, how does the Equal Credit Opportunity Act, a law drawn on the assumption that credit decisions turn on one or two particular items of information about the applicant, apply when a credit grantor uses "point scoring," a new method of evaluating credit applicants which submerges all the particular items of information about the applicant into one overall score?

The prescreening of mailing lists5 is another record-keeping technique that muddies the assumptions underlying existing legal protections. If a mailing list is to be used by a credit grantor to solicit new customers but is first run through an automated credit bureau where an individual's name is deleted from the list because his credit bureau records are in error as to the promptness with which he pays his bills, has he been subjected to an adverse credit decision? The law is currently unclear.

The role that technique can play in determining whether a particular type of record or record- keeping operation is or is not within the scope of existing legal protections is comparatively new. It arises in the main from automation, which multiplies the uses that can be made of a record about an individual, and will grow in importance as new record-keeping applications of computer and telecommunications technology are developed. Computers and telecommunications serve the interests of institutions and can be best appreciated as extensions of those interests, as subsequent chapters suggest. The failure to recognize that relationship has deflected attention from the essential policy choices the new technologies offer. Nonetheless, without the new technologies, certain record-keeping practices and the organizational activities they support would not be possible.

The broad availability and low cost of computer and telecommunications technologies provides both the impetus and the means to perform new record-keeping functions. These functions can bring the individual substantial benefits, but there are also disadvantages for the individual. On one hand, they can give him easier access to services that make his life more comfortable or convenient. On the other, they also tempt others to demand, and make it easier for them to get access to, information about him for purposes he does not expect and would not agree to if he were asked.

It is also quite evident that record-keeping organizations exploiting these new technologies to facilitate their own operations now pay little heed to the ways they could use the same technologies to facilitate exercise of the individual's rights and prerogatives in records used to make important decisions about him. It is ironic but true that in a society as dependent as ours on computer and telecommunications technology, an individual may still have to make a personal visit to a credit bureau if he wants access to the information the bureau maintains about him, or to get an erroneous record corrected. Although an error in a record can now be propagated all over the country at the speed of light, many organizations have made no provision to propagate corrections through the same channels, and existing law seldom requires them to do so. As a general proposition, system designers by and large have not fully used their knowledge and capabilities to make record-keeping systems serve individual as well as organizational needs and interests.

This is not to lay the blame on system designers, who are people doing what they are asked to do by the record-keeping organizations that support or pay for their services. The fault lies in the lack of strong incentives for the organization to ask them to do what they know how to do in the individual's interest. One reason for the way systems are designed and have been operated in the past has been their high cost. Instead of costing more, however, increased technological capability is now costing less and less, making it easier than ever for record-keeping organizations to take account of the individual's interests as well as their own, if they have incentives to do so.

One of the most striking of the Commission's several findings with respect to the current state of record-keeping law and practice is how difficult it can be for an individual even to find out how records about him are developed and used. What makes the difficulty the more serious is that the limited rights he now has depend in the main on his taking the initiative to exercise them. The list of records kept about an individual of which he is not likely to be aware seems endless. Even when he knows a record is being compiled, he often does not know what his rights with respect to it are, much less how to exercise them effectively, nor is he likely to be aware at the time he enters a record- keeping relationship of the importance of finding out.

In most cases, the individual can only guess at what types of information or records will be marshaled by those making any particular decision about him; furthermore, the specific sources are likely to be concealed from him. The situation makes it all but impossible for him to identify errors, or if he does, to trace them to their source. It also makes it impossible for him to know whether organizations with which he believes he has a confidential relationship have disclosed records about him to others without his knowledge or consent.