There is a modest amount of legislative history on subsection 3(e)(10), the Privacy Act's so-called "safeguarding of information" provision, but it is enough to understand the legislative intent. According to the Senate Committee on Government Operations, it was intended that
the term "appropriate safeguards" should incorporate a standard of reasonableness and refer to those safeguards which represent current state-of-the-art procedures at any given time . . . .70
In taking this approach, moreover, the Committee believed it could "look forward to increasingly higher standards of reasonableness"; that is, it was purposely allowing for a "certain amount of risk management" wherein administrators would weigh the need for security measures against their cost and probable effectiveness.71
OMB assigned to the National Bureau of Standards (NBS) the task of developing and publishing guidelines to implement the computer security requirements implicit in subsection 3(e)(10). NBS took the approach of describing a wide variety of safeguards from which agencies could select those that met their needs. In its Federal Information Processing Standards (FIPS) Publication No. 31, published prior to passage of the Privacy Act, NBS had already developed a menu of fairly detailed physical security safeguards. In Computer Security Guidelines for Implementing the Privacy Act, FIPS Publication No. 41, published in August 1975, NBS described the need for risk assessment and examined the threats to data integrity which can arise from employee error and misuse, and from failing to control access to computer-based systems. NBS stressed the importance of standards for the maintenance of data, of rules of conduct for employees, of accounting and auditing mechanisms, and of physical security safeguards. Encryption, however, was only recommended for high-risk systems containing "sensitive" information.72
The implementation of subsection 3(e)(10) has varied. Some agencies have engaged in technological overkill and avoided more important administrative safeguards. Others have simply tightened their rules on locking file cabinets. The Commerce Department reports that since the passage of the Act, files are returned more quickly and kept locked more regularly.73 The Civil Service Commission provided additional locks for its files and revamped its access policies and procedures.74 The Department of Defense has likewise provided additional physical protection for its data-processing areas and strengthened its administrative safeguards against unauthorized access to its records on individuals.75 The Federal Aviation Administration claims that for the first time it has succeeded in getting personnel in the field to lock up investigative and medical files.76 The Overseas Private Investment Corporation has reduced the number of locations used for information storage,77 and the Drug Enforcement Administration has centralized and automated its system for monitoring disclosures.78 The Department of Health, Education, and Welfare has set an example for other agencies by establishing baseline security requirements to be met by all its components and, even more importantly, by establishing a vehicle for auditing compliance with them.79
OMB reports that in the nine months between the day the Privacy Act was passed and the day it took effect, Federal agencies spent $2.2 million on security safeguards they considered necessary to comply with the Act, and another $1.3 million in calendar year 1976.80 Despite these expenditures, however, many agency employees still wish for specific guidelines or standards that would keep them from having to worry about whether they are complying. Clearly, the Act has had a positive effect on security practices, and on employee awareness of them, but more effort must be devoted to establishing and, most important of all, to auditing compliance with administrative, physical, and technical security procedures.