Personal Privacy in an Information Society. The Objectives of a National Policy

07/12/1997

Every member of a modern society acts out the major events and transitions of his life with organizations as attentive partners. Each of his countless transactions with them leaves its mark in the records they maintain about him. The uniqueness of this record-generating pressure cannot be overemphasized. Never before the Twentieth Century have organizations tried or been expected to deal with individuals in such an exacting fashion on such a scale. Never before have so many organizations had the facilities for keeping available the information that makes it possible for them to complete daily a multitude of transactions with a multitude of individuals, and to have the relevant facts on each individual available as a basis for making subsequent decisions about him. Obviously the advent of computing technology has greatly contributed to these changes, but automated record-keeping has grown in concert with many other changes in administrative techniques, and in public attitudes and expectations.

The Commission finds that as records continue to supplant face-to-face encounters in our society, there has been no compensating tendency to give the individual the kind of control over the collection, use, and disclosure of information about him that his face-to-face encounters normally entail.

What two people divulge about themselves when they meet for the first time depends on how much personal revelation they believe the situation warrants and how much confidence each has that the other will not misinterpret or misuse what is said. If they meet again, and particularly if they develop a relationship, their self-revelation may expand both in scope and detail. All the while, however, each is in a position to correct any misperception that may develop, and to judge whether the other is likely to misuse the personal revelations, or pass them on to others without asking permission. Should either suspect that the other has violated the trust on which the candor of their communication depends, he can sever the relationship altogether, or alter its terms, perhaps by refusing thereafter to discuss certain topics or to reveal certain details about himself. Face-to-face encounters of this type, and the human relationships that result from them, are the threads from which the fabric of society is woven. The situations in which they arise are inherently social, not private, in that the disclosure of information about oneself is expected.

An individual's relationship with a record-keeping organization has some of the features of his face-to-face relationships with other individuals. It, too, arises in an inherently social context, depends on the individual's willingness to divulge information about himself or to allow others to do so, and often carries some expectation as to its practical consequences. Beyond that, however, the resemblance quickly fades.

By and large it is the organization's sole prerogative to decide what information the individual shall divulge for its records or allow others to divulge about him, and the pace at which he must divulge it. If the record-keeping organization is a private-sector one, the individual theoretically can take his business elsewhere if he objects to the divulgences required of him. Yet in a society in which time is often at a premium, in which organizations performing similar functions tend to ask similar questions, and in which organizational record-keeping practices and the differences among them are poorly perceived or understood, the individual often has little real opportunity to pick and choose. Moreover, if the record-keeping organization is a public-sector one, the individual may have no alternative but to yield whatever information is demanded of him.

Once an individual establishes a relationship with a record-keeping organization, he has even less practical control over what actually gets into a record about him, and almost none over how the record is subsequently used. In contrast to his face-to-face relationships with other individuals, he can seldom check on the accuracy of the information the organization develops about him, or discover and correct errors and misperceptions, or even find out how the information is used, much less participate in deciding to whom it may be disclosed. Nor, as a practical matter, can he sever or alter the terms of the relationship if he finds its informational demands unacceptable.

A society that increasingly relies on records to mediate relationships between individuals and organizations, and in which an individual's survival increasingly depends on his ability to maintain a variety of such relationships, must concern itself with such a situation. Ours has begun to do so, and the Commission's inquiry showed that the individual's ability to protect himself from obvious record-keeping abuses has improved somewhat in recent years. Nevertheless, most record-keeping relationships are still dangerously one-sided and likely to become even more so unless public policy makers create incentives for organizations to modify their record-keeping practices for the individual's protection, and give individuals rights to participate in record-keeping relationships commensurate with their interest in the records organizations create and keep about them.

Accordingly, the Commission has concluded that an effective privacy protection policy must have three concurrent objectives:

  • to create a proper balance between what an individual is expected to divulge to a record-keeping organization and what he seeks in return (to minimize intrusiveness);
  • to open up record-keeping operations in ways that will minimize the extent to which recorded information about an individual is itself a source of unfairness in any decision about him made on the basis of it (to maximize fairness); and
  • to create and define obligations with respect to the uses and disclosures that will be made of recorded information about an individual (to create legitimate, enforceable expectations of confidentiality).

These three objectives both subsume and conceptually augment the principles of the Privacy Act of 1974 and the five fair information practice principles set forth in the 1973 report of the Department of Health, Education, and Welfare's Secretary's Advisory Committee on Automated Personal Data Systems. The second objective, to maximize fairness, in a sense subsumes all of them, and many of the Commission's specific recommendations articulate them in detail. The Commission has gone about protecting personal privacy largely by giving an individual access to records that pertain to him. Taken together, however, the three proposed objectives go beyond the openness and fairness concerns by specifically recognizing the occasional need for a priori determinations prohibiting the use, or collection and use, of certain types of information, and by calling for legal definitions of the individual's interest in controlling the disclosure of certain types of records about him.

Minimizing Intrusiveness

The Commission believes that society may have to cope more adequately in the future with objections to the collection of information about an individual on the grounds that it is "nobody's business but his own." There are only a few instances where the collection, or collection and use, of a particular type of information has been proscribed on grounds of impropriety, i.e., unwarranted intrusiveness. There are a number of examples of the proscription of certain uses of particular types of information, such as race, sex and marital status, but the character of these fairness-based proscriptions is not the same as when unwarranted intrusiveness is the rationale. When fairness is the overriding concern, organizations must often continue to collect the information in question in order to demonstrate compliance. For example, how can an employer or credit grantor show that it is not systematically using sex and race to discriminate among applicants unless it records the sex and race of all applicants? When impropriety is the main concern, however, the mere asking of the question must be proscribed. The proscription may also apply to use, but only to make sure that if the proscribed information is already on record, it will not enter into the decision-making process.

The intrusiveness issue is perhaps the most difficult one the Commission addresses. Whether or not the questions an organization asks individuals constitute intrusions on personal privacy is a problem that begins with the lines of inquiry society accepts as proper for an organization to pursue in making decisions about individuals. Thus, so long as society countenances a particular line of inquiry, questions as to how far it may properly go seem largely aesthetic. Indeed, if an individual's only concern is to be fairly treated, he should logically prefer to have recorded as much information as possible about himself as protection against inaccurate evaluation. For the individual there is clearly a trade-off. Does he always want to be evaluated on the basis of information that is, from an objective standpoint, strictly relevant, or does he prefer to be evaluated on the basis of a thoroughgoing inquiry that may give context to his particular situation and allow extenuating but not patently relevant circumstances to be taken into account? Such questions are extremely difficult if not impossible to answer. The Commission, in the chapters that follow, recommends four ways of addressing them.

First, the Commission recommends that individuals be informed more fully than they now are of the information needs and collection practices of a record-keeping organization in advance of committing themselves to a relationship with it. If the individual is to serve as a check on unreasonable demands for information or objectionable methods of acquiring it, he must know what to expect so that he will have a proper basis for deciding whether the trade-off is worthwhile for him.

Second, the Commission also recommends that a few specific types of information not be collected at all. For example, in the employment and personnel area, the Commission will recommend that arrest information not be collected by employers for use in hiring and promotion decisions unless its use for such purposes is required by law.

Third, the Commission proposes certain limitations on the information collection methods used by record-keeping organizations. In general, the Commission believes that if an organization, public or private, has declared at the start its intent to make certain inquiries of third parties, and to use certain sources and techniques in doing so, it should be constrained only from exceeding the scope of its declaration. The Commission also recommends that private-sector record keepers be required to exercise reasonable care in selecting and retaining other organizations to collect information about individuals on their behalf. These "reasonable care" recommendations and the ones that would bar pretext interviews and make acquiring confidential information under false pretenses punishable as a criminal offense, are the Commission's response to testimony showing that some organizations make a business of acquiring confidential records about individuals without their authorization for use by lawyers and insurance claim adjusters.

Finally, in some areas, the Commission supports the idea of having governmental mechanisms both to receive complaints about the propriety of inquiries made of individuals and to bring them to the attention of bodies responsible for establishing public policy. The Commission believes, however, that such complaints require the most delicate public-policy response. Our society is wary of government interference in information flows, and rightly so, even when personal privacy is at stake. It may be warranted in some cases, but only as a last resort. Thus, the Commission prefers to see such concerns addressed to the greatest possible extent by enabling the individual to balance what are essentially competing interests within his own scheme of values.

Maximizing Fairness

A principal objective of the Privacy Act of 1974 is to assure that the records a Federal agency maintains about an individual are as accurate, timely, complete, and relevant as is necessary to assure that they are not the cause of unfairness in any decision about the individual made on the basis of them. Proper management of records about individuals is the key to this objective, and the Privacy Act seeks to enlist the individual's help in achieving it by giving him a right to see, copy, and correct or amend records about himself. The Fair Credit Reporting Act (FCRA) and the Fair Credit Billing Act (FCBA) also focus on fairness in record keeping, though their scope of application and their specific requirements differ from those of the Privacy Act. FCRA requirements apply primarily to the support organizations which verify and supplement the information a credit, insurance, or employment applicant divulges to the primary record keepers in those three areas, but which do not themselves participate in decisions about applicants. The FCBA, however, applies to primary record keepers but only to a particular type (grantors of credit that involves regular billing) and only to a particular aspect of their operations (the settlement of billing disputes).

Other recent legislation centering on fairness in record keeping includes the Family Educational Rights and Privacy Act of 1974 and the several State fair-information-practice statutes. Their scope and specific requirements approximate those of the Privacy Act more closely than do those of any of the fairness-centered statutes that currently apply to the private sector.

All of these efforts to establish fairness protections for records about individuals have been resisted. The arguments against them have ranged from the alleged need to keep secret the identity of third-party sources, even institutional sources, to fear that organizations would be inundated with requests to see, copy, and correct records. These arguments are still heard, despite the fact that wherever such protections have been established, most of the anticipated difficulties have failed to materialize.

The vast majority of the Commission's recommendations relate directly or indirectly to fairness in record keeping. For the individual, necessary fairness protections include a right of access to records about himself for the purpose of reviewing, copying, and correcting or amending them as necessary plus some control over the collection and disclosure of information about him. For organizations, fairness protection includes the responsibility to apprise individuals that records have or will be created about them, and to have reasonable procedures for assuring the necessary accuracy, timeliness, completeness, and relevance of the information in the records they maintain about individuals, including a responsibility to forward corrections to other organizations under specified circumstances. The Commission believes, however, that achieving the fairness objective will depend on varying the combination of rights for individuals and responsibilities for organizations according to the particular circumstances of each type of record-keeping relationship.

For example, the Commission will recommend that applicants in several areas of record keeping be apprised of the scope, sources, and methods of inquiry the organization intends to use in verifying application information, but the recommended requirement is not precisely the same in each case. Similarly, the Commission will also recommend a general right of access for individuals to the records about them maintained by insurance institutions and medical-care providers. But because credit and depository institutions typically have procedures for keeping an individual apprised of the content of the records they maintain about him, the Commission there will recommend a more limited right of access for individuals to be triggered by an adverse decision. So also the Commission concluded that the individual's right of access to records about him maintained for research and statistical purposes can safely be limited to situations in which such a record may be used in making a decision about him.

The right to correct or amend a record is essential to fairness in many areas. To be effective, it must usually be coupled with an obligation of the record-keeping organization to forward the correction or amendment to past recipients of inaccurate or incomplete information. The Commission has recommended modifying this blanket obligation somewhat to require that record keepers need forward corrections and amendments only to past recipients designated by the individual and those to which the record-keeping organization regularly discloses the kind of information in question. The Commission believes that this modification has the desirable effect of relieving record-keeping organizations of the obligation to keep an accounting of every disclosure of every record about an individual without materially weakening the individual's protection. Amendments would, of course, still have to be forwarded to future recipients and the insurance and employment recommendations call, in addition, for automatic propagation of corrections and amendments to investigative support organizations that were sources of corrected or amended information. All of the correction and amendment recommendations also make provision for disagreements between the individual and a record-keeping organization about the accuracy, timeliness, or completeness of a record.

In regard to fairness in disclosure, the Commission recommends requiring the individual's authorization where it finds that a necessary protection, and specifies what it believes the authorization statement should contain if it is to serve both the information needs of, for example, insurers and employers and the individual's interest in controlling the divulgence of information about himself by record keepers with which he has a confidential relationship. The Commission's recommendations in this regard recognize the gatekeeping role that certain types of records play, that is, the role they play in decisions as to whether an individual will be allowed to enter into particular social, economic, or political relationships, and if so, under what circumstances. Where records play such a role, the individual usually has no choice but to allow them to be used in making decisions about him. Since informed consent is valid only if wholly voluntary, it means little in this context. Hence, the Commission finds authorization the appropriate pre-condition of disclosure, rather than informed consent, and couples it with a principle of limited disclosure. This principle is a key concept because it asserts that a disclosure should include no more of the recorded information than the authorized request for disclosure specifies. The Commission recognizes, and indeed emphasizes, that the holder of a record cannot and should not bear the burden of deciding what information to disclose when presented with a valid authorization statement of the type the Commission recommends. The main problem is that some keepers of records that contain intimate personal details routinely disclose much more information about individuals than they are asked for, simply as a matter of convenience and economy. The Commission, therefore, has established the principle of limited disclosure as a general tenet of fair record-keeping practice.

The Commission's fairness recommendations generally call for reasonable procedures to assure accuracy, timeliness, and completeness in records of information about individuals. For example, in the public sector, the Commission recommends that reasonable procedures be an affirmative management obligation, while in the private sector, it relies on the rights it recommends for individuals to assure that organizations adopt reasonable procedures.

The Commission believes that by opening up record-keeping practices and by giving an individual opportunities to interact easily with a record keeper, particularly at crucial points in a record-keeping relationship, both individuals and organizations will benefit. The quality of the information in records will be improved while at the same time the individual and the organization will both be protected from errors or other deficiencies that can have untoward consequences for both.

Legitimizing Expectations of Confidentiality

The third public-policy objective, protecting confidentiality, pertains to the disclosure of information about an individual without his consent. Confidential treatment of recorded information is necessary for the maintenance of many kinds of relationships between individuals and organizations. The medical-care relationship, for example, often demands uninhibited candor from the individual about the most intimate details of his private life. There are also relationships between individuals and organizations that depend on the accumulation of extremely detailed records about the individual's activities, such as those compiled by a bank or by an independent credit-card issuer. The records of these relationships provide a revealing, if often incomplete, portrait of the individual, often touching on his beliefs and interests as well as his actions. While in theory these relationships are voluntary, in reality an individual today has little choice but to establish them as he would be severely, and perhaps insurmountably, disadvantaged if he did not.

There is also the fact that many of the records about individuals which these record keepers now maintain are the kinds of records the individual formerly would have kept in his exclusive possession. The transactional record a checking account creates, for example, would have existed a century ago in the form of receipts or, at most, ledger entries kept by the individual himself at home.

As long as records remained in his possession, both law and societal values recognized his right to control their use and disclosure. Government in particular was restricted in its ability to gain access to them, even to facilitate a criminal prosecution. When organizations began to maintain such records, however, the individual began to lose control over who might see and use them. The balance society had deemed crucial was disrupted.

Although individuals have tended to retain the old value system, expecting certain records to be held in confidence by the organizations that now maintain them, the law has not taken account of that fact. The protections that exist still apply in almost all instances only to records in the individual's exclusive possession. The lack of a legal interest for the individual in the records organizations maintain about him has put him in an extremely vulnerable position. The scale and impersonality of organizational record keeping today allows him little opportunity to influence an organization's own use and disclosure practices, and as the Miller case showed, he has no interest whatsoever to assert when government demands access to the records an organization maintains about him. The Miller case said, in effect, that government no longer has to operate within the strictures of the Fourth and Fifth Amendments when it wants to acquire financial records pertaining to an individual; that what were once his private papers are now open to government scrutiny. What amounts to mere curiosity will suffice as justification if government agents want to see them.

To help redress the imbalances between individuals and organizations on one hand, and individuals, organizations and government on the other, the Commission recommends in this report that a legally enforceable "expectation of confidentiality" be created in several areas. The concept of a legally enforceable expectation of confidentiality has two distinct, though complementary, elements. The first is an enforceable duty of the record keeper which preserves the record keeper's ability to protect itself from improper actions by the individual, but otherwise restricts its discretion to disclose a record about him voluntarily. The second is a legal interest in the record for the individual which he can assert to protect himself against improper or unreasonable demands for disclosure by government or anyone else. The Commission has concluded that without this combination of duty and assertable interest, the law as it stands now will continue to deprive the individual of any opportunity to participate in decisions of organizations to disclose records kept about him, whether the disclosure is voluntary or in response to an authoritative demand.

The Commission specifies what it considers to be the proper terms of the individual's enforceable expectation in relationships with credit grantors, depository institutions, insurers, medical-care providers, the Internal Revenue Service, and providers of long-distance telephone service. Once again the recommendations are tailored to the particulars of each kind of record-keeping relationship. In each case, the Commission recommends that a protectible legal interest for the individual be created by statute; specifies the voluntary disclosures it believes should be permissible without the individual's consent and the procedures for establishing them; and sets forth the rules for initiating and complying with government demands for access to records. In no instance, however, does the Commission advocate complete, unilateral control by the individual. In every case it has respected the record-keeping organization's legitimate interests when threatened by actions of the individual. In essence, the Commission has said that the individual's interest must be recognized; that there must be procedures to force conflicting claims into the open; and that within this framework established by public policy, value conflicts should be resolved on a case-by-case basis.