As we stated earlier in this chapter, existing laws or regulations affording individuals greater protection than the safeguard requirements should be retained, and those providing less protection should be amended to meet the basic standards set by the safeguards. We have not attempted an exhaustive inventory of existing Federal and State statutes that may need to be amended to bring them into conformity with the safeguards, but in the course of our work we have identified two Federal statutes in regard to which we have specific recommendations.
FREEDOM OF INFORMATION ACT
The Federal Freedom of Information Act2 has a disturbing feature that could be eliminated by means of an amendment quite in keeping with the primary purpose of the Act. As noted in Chapter 111, the main objective of the Freedom of Information Act is to facilitate public access to information about how the Federal government conducts its activities. The Act contains a broad requirement that information held by Federal agencies be publicly disclosed. Nine categories of information are specifically exempted from the Act's mandatory disclosure requirement. For seven of the nine, moreover, disclosure is not prohibited or otherwise constrained by the Act, and the decision not to disclose is left entirely to the discretion of the agency holding the information. The agency is completely free to decide whether it will comply with a request that it disclose information falling within any of the seven exemptions.3
Of the seven discretionary exemptions, those that offer the most likely basis for an agency to withhold personal data from the public are:
trade secrets and commercial or financial information obtained from a person and privileged or confidential;
personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy; and
investigatory files compiled for law enforcement purposes except to the extent available by law to a party other than an agency.
The Act's failure to provide for data-subject participation in a decision by an agency to release personal data requested under the Act is inconsistent with safeguard requirement III(3) (p. 61, above) which calls for an individual's consent to any unanticipated use of data about himself in an administrative automated personal data system. Enactment of this requirement would necessitate modification of the Freedom of Information Act to give the data subject a voice in agency decisions about public disclosure of information covered by the Act, whenever such disclosure is not within the reasonable expectations of individuals about whom a Federal agency maintains data in an automated system.
As we see it, an agency that is the custodian of personal data about an individual should not have unilateral discretion to decide to grant a request for public disclosure of such data, especially if the data fall within one of the exempted categories under the Freedom of Information Act. The data custodian should have to obtain consent from the data subject before releasing identifiable personal data about him from an administrative automated personal data system, except in cases where making the requested disclosure without the individual's consent is within the stated purposes of the system as specifically required by a statute. We expect such cases to be few.
Accordingly, we recommend that the Freedom of Information Act be amended to require an agency to obtain the consent of an individual before disclosing in personally identifiable form exempted-category data about him, unless the disclosure is within the purposes of the system as specifically required by statute. Pending such amendment of the Act, we further recommend that all Federal agencies provide for obtaining the consent of individuals before disclosing exempted-category personal data about them under the Freedom of Information Act.
If the Act were so amended, its purpose of protecting the public's "right to know" about the activities of the Federal government would be brought into a better balance with the no less important public purpose of protecting the personal privacy of individuals who are the subjects of data maintained in the automated personal data systems of the Federal government. There may be other areas of conflict between the safeguard requirements and the Freedom of Information Act. The Act should be given a thorough reappraisal with a view to formulating additional amendments needed to accommodate the safeguard requirements. An amended Freedom of Information Act and the Code of Fair Information Practice we have proposed would, in combination, provide an improved statutory framework within which to resolve the unavoidable conflicts between personal privacy and open government.
FAIR CREDIT REPORTING ACT4
The Fair Credit Reporting Act is the first Federal statute regulating the vast consumer-reporting industry. Its basic purpose, as stated in the Act, is
to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer's right to privacy.
The consumer-reporting industry is comprised of credit bureaus, investigative reporting companies, and other organizations whose business is the gathering and reporting of information about individuals for use by others in deciding whether individuals who are the subject of such reports qualify for credit, insurance, or employment. Consumer-reporting agencies typically operate what we have called administrative personal data systems, many of which contain large quantities of intelligence-type data. Increasingly, these systems are being computerized.
The Fair Credit Reporting Act requires consumer-reporting agencies to adopt reasonable procedures for providing information about individuals to credit grantors, insurers, employers and others in a manner that is fair and equitable to the individual with regard to confidentiality, accuracy, and the proper use of such information. It also places requirements on users of consumer reports and consumer-investigative reports.
The chief requirements imposed by the Act include the following:
Accuracy of Information
Consumer-reporting agencies must follow reasonable procedures in preparing reports to assure maximum possible accuracy of the information concerning the individual about whom the report is prepared. The effect of this requirement extends to all the data gathering, storing, and processing practices of an agency.
Certain items of adverse information may not be included in a consumer report after they have reached specified "ages" (except in connection with credit and life insurance transactions of $50,000 or more and employment at an annual salary of $20,000 or more) via.: bankruptcies-14 years; suits and judgments-7 years; paid tax liens-7 years; accounts placed for collection or written off-7 years; criminal arrest, indictment, or conviction-7 years; any other adverse information-7 years.
Limited Uses of Information
- A consumer-reporting agency may furnish a consumer report about an individual to be used for the following purposes and no other:
- in response to a court order in accordance with written instructions of the individual to whom it relates;
- to determine the individual's eligibility for (i) credit or insurance to be used for personal, family, or household purposes, (ii) employment, including promotion, reassignment or retention as an employee; or (iii) a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status;
- to meet a legitimate business need for a business transaction involving the individual.
A consumer-reporting agency must take all steps necessary to insure that its reports will be used only for the above purposes.
Notices to Individuals
Whenever credit, insurance, or employment is denied, or the charge for credit or insurance is increased, wholly or partly because of information in a report from a consumer-reporting agency, the user of the report must notify the individual affected and supply the name and address of the agency that made the report.
Whenever a consumer-reporting agency reports public record information about an individual which may adversely affect his ability to obtain employment, it must notify the individual that it is doing so, including the name and address of the person to whom the information is reported.
Whenever an investigative report (obtaining information through personal interviews with neighbors, friends, associates, or acquaintances) is to be prepared about an individual, he must be so notified in advance unless the report is for employment for which the individual has not applied.
Individual's Right of Access to Information
An individual about whom an investigative report is being prepared has the right, upon his request, to be informed of the nature and scope of the investigation.
An individual has the right, upon his request, and proper identification, to be clearly, accurately, and fully informed of: (i) the nature and substance of all information, except medical information, about him in the files of a consumer-reporting agency; (ii) the sources of such information, except sources of information obtained solely for an investigative report; and (iii) recipients of consumer reports fumished about the individual, within 2 prior years for employment purposes and within 6 prior months for any other purpose. (The individual has this right whether or not adverse action has been taken.)
Whenever credit is denied, or the charge for it increased, wholly or partly because of information obtained from a source other than a consumer-reporting agency, the individual affected has the right, upon his request, to learn the nature and substance of the information directly from its user.
Individual's Right to Contest Information
If an individual disputes the accuracy or completeness of information in a file maintained about him by a consumer-reporting agency, the agency must reinvestigate and record the current status of that information, or delete the information if it is found to be inaccurate or cannot be reverified. If the reinvestigation does not resolve the dispute, the individual has the right to file a brief statement explaining the dispute; and the agency must, in any subsequent report containing the disputed information, note the dispute and provide at least a clear summary of the individual's statement.
One reason for describing the Fair Credit Reporting Act in such detail is to illustrate the care with which the Congress has responded to the need it found to protect individuals from the adverse effects of unfair information practices in the consumer reporting industry. Although the Congress adopted a regulatory approach in this Act,5 it constitutes a strong precedent for our recommended Code of Fair Information Practice. In regulating the practices of both consumer-reporting agencies and the users of their reports, the Act, in effect, imposes many of the safeguard requirements we recommend.
The chief reason for presenting the Fair Credit Reporting Act, however, is to illustrate the point that existing laws that provide greater protection for individuals than our safeguards offer should be retained, while laws that provide less protection should be amended to meet the standards set by the safeguards. Section 606(a) of the Fair Credit Reporting Act, 15 U.S.C. 1681d(a), for example, requires that an individual be notified that an investigative report is being prepared about him before work on it is begun, whereas safeguard requirement III(2) (p. 59, above) gives an individual the right to be informed that he is the subject of a record only if he asks to know. In this instance, the Act's requirement, responsive to the particular circumstances of the consumer reporting industry, provides the individual with greater protection than our safeguard and should be retained.
Conversely, safeguard requirement III(2), which also guarantees an individual the right to see and obtain copies of data about him, provides more protection for individuals than Section 609(a) of the Fair Credit Reporting Act, 15 U.S.C. 1681g(a). Under the Act's requirement the individual is entitled to be fully informed by a consumer-reporting agency of the content of his record (except medical information and the sources of investigative information), but he is not entitled to see, copy, or physically possess his record. When an individual goes to a consumer-reporting agency to determine what information it has on him, the contents of the record must be read to him, but he must take the agency's word that it is telling him about all information in the record, and about all sources and recipients thereof. We understand that individuals have found this arrangement generally unsatisfactory, and further, that as the proportion of "sensitive" or adverse personal data in a record increases, compliance with the full disclosure requirement tends to diminish.
To bring Section 609(a) more in line with the protection afforded individuals by safeguard requirement III(2), and thus to achieve the objective of the Fair Credit Reporting Act more fully, we recommend that the Fair Credit Reporting Act be amended to provide for actual, personal inspection by an individual of his record along with the opportunity to copy its contents, or to have copies made. The choice between inspecting and copying should be left to the individual, and any charge for having copies made should be nominal.
We further recommend that the exceptions from disclosure to the individual now authorized by the Fair Credit Reporting Act for medical information and sources of investigative information should be omitted. It is a disturbing thought that an investigative consumer-reporting agency may have a record of medical information that the individual cannot know about or challenge. We realize that in Section 603(f) of the Fair Credit Reporting Act, 15 U.S.C. 1681a(f), "consumer reporting agencies" is defined broadly enough to apply to some organizations that are customary and appropriate repositories of medical. information. However, nothing in the Act should warrant the inference that every type of organization falling within the umbrella definition of "consumer reporting agencies" may, with impunity, conceal from an individual the fact that it is gathering, recording, and reporting medical information about him.
We have explained our skepticism about the propriety of utilizing anonymous data sources when determinations about an individual's character, qualifications, rights, opportunities, or benefits are being made. Moreover, we find no strong societal interest in having an individual routinely denied credit, insurance, or employment on the basis of information provided by any source that must be kept secret from him.6