To assess the Privacy Act's requirements and the effectiveness of its implementation, the Commission sought to identify the principles and underlying philosophy that formed the basis for the Act. To do so, a study of the Act's legislative history, the language of the law, and its actual implementation was necessary. The findings and conclusions presented below are based on communications with agency heads and their designated Privacy Act points-of-contact, testimony from various Commission hear-ings, agency annual reports, some informal workshops, and literally hundreds of personal and telephone interviews by staff. Although the Commission's inquiry was conducted in the early days of the Act's implementation, it believes that this close and continuous staff' contact with agency operating personnel has allowed a fair assessment of agency implementation experience.2
In conducting its inquiry, however, the Commission encountered both conceptual and drafting problems with the current law. As the subsequent discussion will indicate, drafting details can have important consequences in an area which is both new to regulation and dependent upon changing technology. Thus, the Commission's conclusions concentrate on policy objectives rather than on the specifics of implementation. Its objective in setting out its conclusions and offering suggestions for change in the Act is to allow the policy objectives of the current law to be achieved more successfully without destroying necessary opportunities for flexibility in implementation. The Commission adopted this approach to allow for changing information technology and diversity of agency information needs and uses, as well as to foster the constructive creativity that can arise in the absence of overly restrictive requirements.
In many instances, the difficulty with the current law is not in its objectives nor in the flexibility it allows, but rather that agencies have taken advantage of its flexibility to contravene its spirit. Yet, making the law less flexible is not a desirable solution. Implementation costs would rise dramatically, and new developments in information technology could invite uncontrollable circumvention of rigidities in the statute. Thus, the Commission's approach is to strengthen flexibility and provide incentives for agency compliance while preserving the essential autonomy of each agency to decide how best to comply with each requirement.
If one accepts the view that it is best to tell an agency what to do, rather than how to do it, there are still issues that each agency cannot, and in some cases should not, resolve singly. The most obvious one is the question of whether a particular type of record-keeping system should exist at all; another is whether particular transfers of records among agencies are desirable. Such questions require independent policy judgments and thus must be addressed by an entity other than the one directly involved. In Chapter 1, the Commission enumerates the functions it believes such an entity should fulfill.
Finally, it is worth noting at the outset that the concerns expressed by the various agencies at the time of the Act's passage regarding anticipated costs of implementation, numbers of access requests, and burden of administration have generally proved to be unwarranted. For example, the expected controversy over patient access to medical records has not developed. Cost figures recently released by the Office of Management and Budget (OMB) show expenditures to be much lower than originally estimated. In 1974, OMB had estimated that implementing the Act would cost $200-$300 million per year over the first four to five years and require an additional one time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect were $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.3