In light of our inquiry into the statistical-reporting and research uses of personal data in administrative recordkeeping systems, we recommend that steps be taken to assure that all such uses are carried out in accordance with five principles.
First, when personal data are collected for administrative purposes, individuals should under no circumstances be coerced into providing additional personal data that are to be used exclusively for statistical reporting and research. When application forms or other means of collecting personal data for an administrative data system are designed, the mandatory or voluntary character of an individual's responses should be made clear.6
Second, personal data used for making determinations about an individual's character, qualifications, rights, benefits, or opportunities, and personal data collected and used for statistical reporting and research, should be processed and stored separately.7
Third, the amount of supplementary statistical-reporting and research data collected and stored in personally identifiable form should be kept to a minimum.
Fourth, proposals to use administrative records for statistical reporting and research should be subjected to careful scrutiny by persons of strong statistical and research competence.
Fifth, any published findings or reports that result from secondary statistical-reporting and research uses of administrative personal data systems should meet the highest standards of error measurement and documentation.
It would be difficult to apply each of these principles uniformly to all administrative automated personal data systems. For this reason, we have not translated them into safeguard requirements to be enacted as part of a code of fair information practice. Adherence to their spirit, however, is warranted by the growing significance of statistical-reporting and research uses of administrative personal data systems -- both for individual data subjects and for the institutions maintaining such systems.
In addition, there are certain safeguards that can be feasibly applied to all administrative automated personal data systems used for statistical reporting and research. Specifically, we recommend that the following requirements be added to the safeguard requirements for administrative personal data systems:
- Under I. General Requirements (Chapter IV, pp. 53-57), add
C. Any organization maintaining an administrative automated personal data system that publicly disseminates statistical reports or research findings based on personal data drawn from the system, or from administrative systems of other organizations, shall:
(1) Make such data publicly available for independent analysis, on reasonable terms; and
(2) Take reasonable precautions to assure that no data made available for independent analysis will be used in a way that might reasonably be expected to prejudice judgments about any individual data subject's character, qualifications, rights, opportunities, or benefits.
- Under the Public Notice Requirement (Chapter IV, p. 58), add
(8a) The procedures whereby an individual, group, or organization can gain access to data used for statistical reporting or research in order to subject such data to independent analysis.
The purpose of general requirements C. (1) and (2) is to assure that when statistical reports or research findings based on personal data from administrative systems are used to affect social policy, the data will be available, in an appropriate form, for independent analysis. To comply with this requirement, an organization will have to plan carefully all publicly disseminated statistical-reporting and research uses of personal data in the administrative systems it maintains.
The public notice for an administrative personal data system will specify any statistical-reporting and research uses to be made of data in the system (requirement II. (7), p. 58) The additional information required by requirement (8a) will make it easier to obtain access to data for independent analysis.
1 A representative of the State agency told the Committee that the agency would not compel a student applicant to provide this information "because we have come to find it is totally worthless . . . . . [A] t one time we thought it would be a viable way of sampling the type of student we would assist. We determined it is not much use . . . [but w]e have not taken it out."
2For a cogent analysis of the effects of "contextual" information on clinical disability determinations, see Saad L. Nagi, Disability and Rehabilitation (Columbus, Ohio: Ohio State University Press), 1969, especially Chapters 2 and 9. Discussion of this problem will also be found in Stanton Wheeler (Ed.), On Record: Files and Dossiers in American Life (New York: Russell Sage Foundation), 1969.
3The special problems of data maintained exclusively for statistical reporting and research are discussed in Chapter VI.
4 As one representative of a small group of agencies observed in his testimony before the Committee: Client- (rather than management-) oriented agencies are philosophically committed to research only secondarily, as a tool for delivering more effective services. Therefore, they often must be dragged kicking and screaming into the data collection business. This is totally apart from their finances or their training . . . . Where services are . . . interfered with, data collection goes out the window. Measurement error can then be quite high.
5These variations may result from practices rooted in a bureaucratic subculture of which the record-keeping operation is but one-albeit important-part. See, for example, the discussions of how juvenile court, welfare, credit, and elementary school records are generated, in Wheeler, op. cit., Chapters 2, 5, 11, and 12.
6 Recall in this regard safeguard requirement III (1), recommended in Chapter IV (p. 59, above) for all administrative automated personal data systems; viz., that an individual asked to supply data for a system be informed clearly whether he is legally required or free to refuse to provide the data requested. That safeguard, when applied, will effectively eliminate de facto coercion of data subjects into providing more information than is needed for making administrative decisions.
7Separating the two types of data in this way would make it easier to apply the protection against compulsory disclosure recommended in Chapter VI (pp. 102-103, below).