Personal Privacy in an Information Society. Implementation Strategy

07/12/1997

No single vehicle is adequate to carry out all of the Commission's recommendations in this chapter. Thus, the Commission has chosen a strategy which encompasses amendments to the Privacy Act of 1974, other legislative action, and voluntary compliance on the part of national study organizations.

The Commission feels that the principle of functional separation (Recommendation (1)) can be established by amending the Privacy Act. (16) The first set of steps necessary to apply that principle to Federal and federally assisted research, namely, establishing appropriate uses and disclosures for research and statistical records (Recommendations (2) and (3)) can best be implemented through a new Federal statute to provide a common line of minimum protection for the confidentiality of Federal or federally assisted research and statistical records.

The second set of steps necessary to apply the principle of functional separation-namely, establishing procedures for protecting the confidentiality of individually identifiable data-seeks to establish a consistent set of safeguards among Federal agencies and their contractors and grantees. Recommendations (4) and (5), which would achieve this objective, can be implemented through amendment of the Privacy Act. In addition, the Commission believes that new techniques for collecting, maintaining, and using records about individuals in ways that avoid personal identification ought to be developed and promulgated, and, therefore, recommends that the National Academy of Sciences voluntarily take the lead in doing so.

The third set of recommended steps, establishing the conditions of disclosure for individually identifiable information to be used for a research or statistical purpose, seeks to assure that a common set of conditions are met in a consistent and accountable way by Federal agencies and their contractors and grantees (Recommendations (7), (8), and (9)). These recommendations can be implemented through amendments to the Privacy Act of 1974 which currently sets minimum conditions for the use and disclosure of Federal records.

Recommendations (10) through (13) address the role of the individual in protecting himself and focus on notice and access. Recommendations (10), (11), and (12) which deal with notice, and Recommendation (13), which deals with access, can best be implemented through amendment to the Privacy Act. As pointed out in the earlier discussion of Recommendation (11), however, the Commission did not specify how the institutional review the recommendation would require should be established or what the required steps in the review process should be. The Commission urges that the National Commission for the Protection of Human Subjects in Biomedical and Behavioral Research incorporate Recommendation (11) into the mandate of the institutional review process it will recommend for all Federal agencies and also that Federal agency regulations implementing the Privacy Act incorporate the National Commission's recommendations.