Records, Computers and the Rights of Citizens. IV. Recommended Safeguards for Administrative Personal Data Systems


Our inquiry has led us to distinguish two categories of personal data systems that deserve separate attention in developing safeguards. One consists of administrative systems; the other of statistical-reporting and research systems. The essential distinction between the two categories is functional. An administrative personal data system maintains data on individuals for the purpose of affecting them directly as individuals: for making determinations relating to their qualifications, character, rights, opportunities, or benefits. A statistical-reporting or research system maintains data about individuals exclusively for statistical reporting or research, and is not intended to be used to affect any individual directly.[1]

This chapter contains general recommendations for all personal data systems and safeguard requirements for administrative personal data systems used as such. Chapter V contains additional safeguard requirements for statistical-reporting and research applications of administrative systems. Systems maintained exclusively for statistical reporting or research and safeguard requirements for them are addressed in Chapter VI.

Although our specific charge has been to analyze problems of automated systems, our recommendations could wisely be applied to all personal data systems, whether automated or manual. Computer-based systems magnify some record-keeping problems and introduce others, but no matter how data are stored, any maintenance of personal data presents some of the problems discussed in Chapters II and III. Moreover, the distinction between an automated and a non-automated system is not always easy to draw; requiring safeguards for all personal data systems eliminates the need to rule on ambiguous cases. Uniform application of safeguards to all systems will also facilitate conversion from manual to automated data processing when it does occur.

We define an automated personal data system as a collection of records containing personal data that can be associated with identifiable individuals, and that are stored, in whole or in part, in computer-accessible files. Data can be "associated with identifiable individuals" by means of some specific identification, such as name or Social Security number, or because they include personal characteristics that make it possible to identify an individual with reasonable certainty. "Personal data" include all data that describe anything about an individual, such as identifying characteristics, measurements, test scores; that evidence things done by or to an individual, such as records of financial transactions, medical treatment, or other services; or that afford a clear basis for inferring personal characteristics or things done by or to an individual, such as the mere record of his presence in a place, attendance at a meeting, or admission to some type of service institution. "Computer-accessible" means recorded on magnetic tape, magnetic disk, magnetic drum, punched card, or optically scannable paper or film. A "data system" includes all processing operations, from initial collection of data through all uses of the data. Data recorded on questionnaires, or stored in microfilm archives, are considered part of the data system, even when the computer-accessible files themselves do not contain identifying information.

Consistent with the rationale set forth in Chapter III, we recommend the enactment of legislation establishing a Code of Fair Information Practice for all automated personal data systems.

  • The Code should define "fair information practice" as adherence to specified safeguard requirements. (Safeguard requirements for administrative personal data systems are set out below; those for statistical-reporting and research systems will be found in Chapter VI.)
  • The Code should prohibit violation of any safeguard requirement as an "unfair information practice."
  • The Code should provide that an unfair information practice be subject to both civil and criminal penalties.
  • The Code should provide for injunctions to prevent violation of any safeguard requirement.
  • The Code should give individuals the right to bring suits for unfair information practices to recover actual, liquidated, and punitive damages, in individual or class actions. It should also provide for recovery of reasonable attorneys' fees and other costs of litigation incurred by individuals who bring successful suits.

Pending the enactment of a code of fair information practice, we recommend that all Federal agencies (i) apply the safeguard requirements, by administrative action, to all Federal systems, and (ii) assure, through formal rule making, that the safeguard requirements are applied to all other systems within reach of the Federal government's authority. Pending the enactment of a code of fair information practice, we urge that State and local governments, the institutions within reach of their authority, and all private organizations adopt the safeguard requirements by whatever means are appropriate. Labor unions, for example, might find the application of the safeguards to employee records an appropriate issue in collective bargaining.