Personal Privacy in an Information Society. Implementation Principles

07/12/1997

The Commission's findings clearly reveal an overwhelming imbalance in the record keeping relationship between an individual and an organization, and its policy recommendations aim at strengthening the ability of the individual to participate in that relationship. This can be accomplished in three ways: by prohibiting or curtailing unjustifiably intrusive information collection practices; by granting the individual basic rights, such as the right to see, copy and correct records about himself, coupled with obligations on organizations to incorporate protections for personal privacy in their routine record keeping operations; and by giving the individual control over the disclosure of records about him. In exploring ways to implement its policy recommendations, the Commission was guided by three principles: (1) that incentives for systemic reform should be created; (2) that existing regulatory and enforcement mechanisms should be used insofar as possible; and (3) that unnecessary cost should be avoided.

In accordance with the first of these guiding principles, the recommended measures enable the individual to compel compliance with certain specific requirements even if he has suffered little or no injury. The Commission believes that an individual should be able to go to court to compel the production of records and to require the correction of erroneous information in them, and to hold a record keeping organization responsible for its disclosure practices. Because enforcement of such rights has in the past depended on a showing of direct financial loss, which is often difficult to demonstrate, most individuals have not been able to assert their interests effectively. The Commission's recommendations should make it easy for an individual to assert his interest, thus making it attractive to organizations to comply voluntarily rather than incur the cost of enforcement through judicial or administrative action.

The Commission believes that because giving an individual a right of access to records about him could lead to a defamation or invasion of privacy action, the liability of a record keeping organization for such claims resulting from its disclosure to an individual of a record about himself should be limited. An institution, however, should be liable for false information where there has been willful intent to injure the individual.

In accordance with the second guiding principle, that the policy recommendations should be implemented through existing regulatory and enforcement mechanisms insofar as possible, the Commission recognizes that while existing regulation seldom aims explicitly at protecting personal privacy in record keeping, it does, in fact, provide some protection, which the Commission has no wish to negate or duplicate. In the consumer credit area, for example, Regulation Z of the Federal Reserve Board,[15] issued pursuant to the Truth in Lending Act, explicitly specifies how an individual is to be informed of the terms and conditions of a particular loan. The Commission's recommendations would add a further requirement that the individual also be informed of the types and sources of information that will be collected about him and the uses to which the information will be put.

Similarly, the Commission relies on the Fair Credit Reporting Act[16] as the vehicle for implementing many of its private sector recommendations because it is the statute at the Federal level that deals most explicitly and comprehensively with privacy issues in the private sector. For example, the Commission recommends that the individual's right of access to underwriting and certain claim information about himself maintained by an insurance company be provided by amendment of the FCRA in order to assure nationwide compliance. However, the Commission has used a different approach in implementing notice to applicants and insureds regarding the types of information that will be collected about them and the sources and techniques that will be used. In this instance, the Commission directs its implementation to the State level, where, as a result of the McCarran-Ferguson Act,[17] insurance is regulated by the States unless there is explicit Federal legislation to the contrary. States use this authority to regulate the form of insurance policies and, in some cases, applications for insurance, and thus can implement the recommended notification requirements as well.

Existing structures also provide a framework for implementing the Commission's recommendations for medical records. There the Commission considered two types of medical record keepers: the institutional medical services provider and the individual practitioner. Since most institutional providers qualify under Medicare and Medicaid, the qualification process affords an effective means of assuring the compliance of institutional providers with the recommended medical records requirements. Individual practitioners, however, do not currently have to qualify under Medicare and Medicaid, although they are subject to State licensing authorities. The Commission therefore recommends that States adopt model legislation applying the medical records safeguard requirements to all individual practitioners and to any institutional medical care providers that are not subject to Medicare or Medicaid qualification requirements.

In accordance with its third guiding principle, the Commission tried to make sure that the privacy protection safeguards it recommended would not involve unnecessary cost, either to individuals or to record keeping organizations. The Commission believes that granting an individual rights within existing legal frameworks is far more efficient and significantly less costly than embarking on an ambitious new regulatory approach. As noted above, its recommended policy measures put the main ongoing costs of implementation on organizations that do not comply with the requirements, since it is they who will be subject to judicial or administrative sanctions and related costs. The organization that takes affirmative steps to comply with the recommendations should have little expense beyond the cost of educating its employees, initially revising some of its procedures and forms, and creating appropriate policy guidance. Even these costs can be controlled by allowing a reasonable time for transition. The Commission deliberately does not recommend that organizations be required to report regularly to anyone or to obtain anyone's approval before revising or establishing their record keeping systems. Thus, the cost to government and to those who comply will be kept to a minimum.

The Commission's single deviation from these three principles is the approach it recommends to the problem of systematic or repeated violations. The Commission advocates rights for individuals and relies primarily on the individual to exercise and protect those rights with the help of the courts; but, as many of the chapters point out, giving an individual better ways to protect himself can be an inadequate tool. Thus, when there is evidence of repeated or systematic violations, the measures recommended for particular record keeping areas assign to appropriate government agencies, such as the Federal Trade Commission or State insurance departments, specific responsibility for enforcing compliance on behalf of the public.

The Commission's implementation strategy also considers the question of Federal preemption and the desirability of uniform requirements. National bankers, insurers, retailers, and other industries subject to Federal regulations have strongly urged the Commission to recommend that any mandatory requirements be exclusively Federal so that they and, indeed, their customers, do not have to struggle with 50 separate sets of rules. The Fair Credit Reporting Act addresses this desire for uniformity by permitting a State to supplement but not narrow the Act's requirements. For example, the FCRA specifies that an individual shall be informed on request of the nature and substance of a credit report; California law, without contradicting the FCRA, takes the extra step of requiring that an individual be allowed on request to see such a report. When the Commission recommends Federal legislation, it intends such legislation to establish the reasonable basis upon which organizations may deal with all individuals on whom they maintain information or records, regardless of political jurisdiction. While the Commission believes its recommended measures provide proper protections for personal privacy, particular States may deem it desirable to establish further requirements for their own citizens. They should not be prohibited from doing so as long as their requirements do not conflict with or narrow Federal law. The same is true in the public sector where the Commission has recommended Federal requirements applicable to federally funded State programs; there is no barrier to the States going further if they want to do so.

Experience with the term "agency" as used in the Privacy Act of 1974 illustrates a potential problem, which the Commission hopes to avoid with the term "organization" used in its recommendations. The way an agency defines itself for the purpose of complying with the Privacy Act's requirements makes a significant difference in the disclosures of records it can make and in the degree of its responsibility for establishing operating rules and procedures.[18] It is convenient for an agency to define itself as a unit at the highest possible organizational level. Thus, the Office of the Secretary of Health, Education and Welfare, the Office of Education, the Social Security Administration, the Public Health Service, and a number of other units are all deemed to be one agency: the Department of Health, Education and Welfare (DHEW). As a consequence, any disclosure of information about an individual by one office, administration, or service to another can be considered an internal agency disclosure not subject to the Privacy Act's limitations on third party disclosures without the written consent of the individual. Another result is that the rules for Privacy Act compliance are DHEW rules rather than rules of its components.

The term "organization" presents similar problems in the private sector. The Commission believes that there should be flexibility allowing organizations to define themselves in various ways. For example, a conglomerate corporation or corporate group may or may not want to define itself as a single organization for the purpose of complying with the measures recommended for a particular record keeping relationship. Considering the many forms of corporate and administrative control, the Commission believes the choice can be left to the organizations on two conditions.

The first is that at whatever level an organization is defined as a single unit, that must be the level responsible for promulgating and enforcing standard operating procedures at all subordinate levels. For example, if the American Telephone and Telegraph Company considers itself and all of its subsidiaries and affiliated local phone companies to be one organization, AT&T must promulgate, enforce, and be accountable for compliance with the procedures to be followed by all of those entities.

The second condition is that regardless of the level at which an organization is defined as a unit, an individual must be assured that information about him collected and maintained in connection with one record keeping relationship will not be made available for use in connection with another. For example, information collected by an employer from an employee to process a claim under a group health insurance policy is not to be used for personnel purposes. If two affiliated companies define themselves as a unit but perform two different functions, one extending credit and the other selling insurance, for example, information about customers must not flow between them without adherence to the notice, authorization, and other requirements called for in the Commission's recommendations. Likewise, a corporate affiliate in, say, the retailing business should not rent or lend the names and addresses of its customers to another affiliate to market insurance unless the retailer informs its customers that it intends to do so and gives them an opportunity to indicate that they do not want their names used for that purpose.