The Privacy Protection Study Commission was given the broad mandate to investigate the personal-data record-keeping practices of governmental, regional, and private organizations and to recommend to the President and the Congress the extent, if any, to which the principles and requirements of the Privacy Act of 1974 should be applied to them.1 Early in its inquiry, the Commission decided that to fulfill this mandate an assessment of the Privacy Act itself, its underlying philosophy, and the experience of Federal agencies to date in complying with it would be necessary. This appendix volume reports the detailed results of that assessment.
Those who have read Chapter 13 of Personal Privacy in an Information Society, the Commission's final report to the President and the Congress, will recognize the material in Chapter 3 of this volume. In Chapters 1 and 2, however, the reader will find much that we would have included in our final report had we not wanted to keep each of its 16 chapters to a reasonable length. In addition, in Chapter 4 of this volume, we discuss how the suggestions in Chapter 13 of our final report might be implemented as legislative requirements.
Our findings and conclusions are based on communications with agency heads and their designated Privacy Act points-of-contact, testimony from various Commission hearings, agency annual reports, some informal workshops, and hundreds of personal and telephone interviews by staff. Although our inquiry was conducted in the early days of the Act's implementation, we believe that this close and continuous staff contact with agency operating personnel has allowed a fair assessment of agency implementation experience.
In conducting our inquiry, we encountered drafting problems in the current law, and, as the subsequent discussion will indicate, drafting details can have important consequences in an area which is both new to regulation and dependent upon changing technology. Thus, our conclusions concentrate on policy objectives rather than on the specifics of implementation. Our objective in setting forth our conclusions and offering suggestions for changes in the Act is to allow the policy objectives of the current law to be achieved more successfully without destroying necessary opportunities for flexibility in implementation. We have adopted this approach to allow for changing information technology and diversity of agency information needs and uses, as well as to foster the constructive creativity that can arise in the absence of overly restrictive requirements.
In many instances, the difficulty with the current law does not appear to arise from the flexibility of implementation it allows, but rather from the fact that agencies have taken advantage of that flexibility to contravene its spirit. Yet, making the law less flexible is not a desirable solution. Implementation costs would rise dramatically, and new developments in information technology could invite uncontrollable circumvention of rigidities in the statute. Hence, our approach has been to strengthen implementation flexibility while striving for clarity of interpretation and providing incentives for agencies to comply. This preserves the autonomy of each agency to decide how best to comply with each requirement.
If one accepts the view that it is best to tell an agency what to do, rather than how to do it, there are, nonetheless, issues that each agency cannot, and in some cases should not, resolve singly. The most obvious one is the question of whether a particular type of record-keeping system should exist at all; another is whether particular transfers of records among agencies are desirable. Such questions require independent policy judgments and therefore must be addressed by an entity other than the one directly involved. In Chapter 1 of Personal Privacy in an Information Society we enumerated the functions we believe such an independent entity should fulfill.
Finally, it is worth noting that the concerns expressed by the various agencies at the time of the Act's passage regarding anticipated costs of implementation, numbers of access requests, and burden of administration have generally proved to be unwarranted. Cost figures recently released by the Office of Management and Budget (OMB) show expenditures to be much lower than originally estimated. In 1974, OMB estimated that implementing the Act would cost $200-$300 million per year over the first four to five years and would require an additional one-time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect had been $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.2
The Commission hopefully expects that by making the details of its assessment of the Privacy Act available, it will contribute to making the law more effective. Although we describe some agency practices that seem less than exemplary, we also report many that show a constructive effort to comply with the spirit as well as the letter of the law. On balance, we believe that the Privacy Act of 1974 is an important step forward.
In conducting our assessment, we benefitted from the knowledge and counsel of hundreds of dedicated individuals throughout the Federal government. We were also fortunate to have associated with us an unusually industrious project staff. Arthur A. Bushkin served as Project Manager. Working with him as professional staff and consultants were Donald Bartlett, Justine V. R. Milliken, Timothy B. Braithwaite, Major William R. Elliott, Jr., Claudia R. Higgins, and J. Michael Taylor. Research assistance was provided by Zemphria R. Baskin. To each of them we extend our sincere appreciation.
David F. Linowes
1 88 Stat. 1905(b)(1); P.L. 93-579.
2 Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, p. 23.