Personal Privacy in an Information Society. Policy Guidelines

07/12/1997

The 13 recommendations in this chapter collectively provide a means of protecting personal privacy in research and statistical activities conducted or sponsored by the Federal government. The Commission's findings lead it to present, for consideration by other research communities, the following nine policy guidelines, which it hopes will be voluntarily adopted by all those who conduct research and statistical activities. The Commission also believes that they could help to shape any State legislation in the field. The fundamental principle for the guidelines, as for the recommendations in the previous sections of this chapter, is that of functional separation: insulating the use of individually identifiable information for research and statistical purposes from all other uses. These guidelines follow the precepts in the Commission's recommendations.

Guideline (1):

Any record or information contained therein collected or maintained for a research or statistical purpose should not be used in individually identifiable form to make any decision or take any action directly affecting the individual to whom the record pertains, except within the context of the research plan or protocol, or with the specific authorization of such individual; and

That based on the foregoing principle, a special set of information practice requirements should be established for records and information contained therein collected or maintained in individually identifiable form for a research or statistical purpose.

Great care is needed to protect individually identifiable information from unauthorized or inadvertent disclosure. The Commission is persuaded not only that full technical, administrative, and physical safeguards must be established to protect confidentiality, but also that information should be rendered anonymous by being stripped of identifiers as soon after collection as possible.

Guideline (2):

Any entity that, for a research or statistical purpose, collects or maintains in individually identifiable form any record or information contained therein should be required:

  1. to establish and maintain adequate safeguards to protect such record or information from unauthorized disclosure; and
  2. to maintain such record or information in individually identifiable form only so long as is necessary to fulfill the research or statistical purpose for which it was collected, unless the entity can demonstrate that there are reasons for retaining the ability to identify the individual to whom the record or information pertains which outweigh the increase in the risks to the individual of exposure of the record.

Once the principle of functional separation is accepted, and adequate mechanisms for implementing it are in place, individually identifiable information can safely be disclosed for research and statistical purposes provided certain minimal conditions are met.

Guideline (3):

Except where specifically prohibited by law, an entity that collects or maintains a record or information may use or disclose in individually identifiable form either the record or the information contained therein for a research or statistical purpose without the consent of the individual to whom the record pertains, provided that the entity:

  1. determines that such use or disclosure does not violate any limitations under which the record or information was collected;
  2. ascertains that use or disclosure in individually identifiable form is necessary to accomplish the research or statistical purpose for which use or disclosure is to be made;
  3. determines that the research or statistical purpose for which any disclosure is to be made is of sufficient social benefit to warrant the increase in the risk to the individual of exposure of the record or information;
  4. requires that adequate safeguards to protect the record or information from unauthorized disclosure be established and maintained by the user or recipient, including a program for removal or destruction of identifiers; and
  5. prohibits any further use or redisclosure of the record or information in individually identifiable form without its express authorization.

The remaining six guidelines are for the further protection of individual data subjects from unfair collection practices, and to assure individual access whenever the principle of functional separation cannot be upheld.

The Commission believes it advisable that the fair information practice principles established by the Privacy Act of 1974, and supplemented by Recommendation (10) above, be extended to include individuals who supply information for research and statistical activities that are independent of the Federal government.

Guideline (4):

Absent an explicit statutory requirement to the contrary, no individual should be required to divulge information about himself for a research or statistical purpose. To assure that there is no coercion or deception, the individual should be informed:

  1. that his participation is at all times voluntary;
  2. of the purposes and nature of the data collection;
  3. of the possibility, if any, that the information may be used or disclosed in individually identifiable form for additional research or statistical purposes;
  4. of any requirements for disclosure in individually identifiable form required for purposes other than research and statistical use; and
  5. that if any such required disclosure is made for other than a research or statistical purpose, he will be promptly notified.

Individuals whose consent to participate in a research or statistical project cannot be given because of youth or disability, or because the research design precludes it, and individuals whose circumstances coerce their participation, need extra protection.

Guideline (5):

When information about an individual is to be collected in individually identifiable form for a research or statistical purpose, an institutional review process or responsible representative should be required to apply the principles enunciated in Guideline (4) in order to protect the individual:

  1. who is not competent to give informed consent to provide information about himself (e.g., a minor or mentally incompetent individual);
  2. whose consent may be seriously compromised by fear of some loss of benefit or imposition of sanction (e.g., "captive populations" such as students, welfare recipients, employees, prison inmates, or hospital patients); or
  3. when the ability to conduct statistical or research activity is predicated on the individual being unaware of its existence, purpose, or specific nature.

When individually identifiable information collected in the first instance for some other purpose is used for research and statistical purposes, it needs special attention.

Guideline (6):

When individually identifiable information is collected for a purpose other than a research or statistical purpose the individual should be informed:

  1. that such information may be used or disclosed in individually identifiable form for a research or statistical purpose, with appropriate safeguards; and
  2. that he may be recontacted as a result of such use or disclosure.

So long as all individually identifiable information used for research and statistical purposes is kept separate from use for any other purpose, the individual data subject does not need access to the record. When the information cannot be protected from use for other purposes, the individual should have a right of access.

Guideline (7):

When research or statistical records or information are collected and maintained in conformity with all the foregoing policy recommendations, an individual should have a right of access to a record or information which pertains to him if such record or information is used or disclosed in individually identifiable form for any purpose other than a research or statistical one (e.g., an inadvertent unauthorized disclosure).

Fairness demands that individuals have a way of finding out, if they wish, what disclosures of individually identifiable information about them have been made.

Guideline (8):

Any entity that collects or maintains a record or information for a research or statistical purpose should be required to keep an accurate accounting of all disclosures in individually identifiable form of such record or information contained therein, such that an individual who is the subject of such record or information can find out that the disclosure has been made and to whom.

The importance to an individual of access to information used for research and statistical purposes depends on the extent to which the information can be kept separate from use for other purposes.

Guideline (9):

If any record or information contained therein collected or maintained for a research or statistical purpose is disclosed in individually identifiable form without an assurance that such record or information will not be used to make any decision or take an action directly affecting the individual to whom it pertains, or without a prohibition on further use or disclosure (e.g., to a court or an audit agency), the individual should be notified of the disclosure, and of his right of access to the record and to the accounting for its disclosure, as provided by Guidelines (7) and (8) above.