Our review of existing law leads to the conclusion that agreement must be reached about the meaning of personal privacy in relation to records and record-keeping practices. It is difficult, however, to define personal privacy in terms that provide a conceptually sound framework for public policy about records and record keeping and a workable basis for formulating rules about record-keeping practices. For any one individual, privacy, as a value, is not absolute or constant; its significance can vary with time, place, age, and other circumstances. There is even more variability among groups of individuals. As a social value, furthermore, privacy can easily collide with others, most notably free speech, freedom of the press, and the public's "right to know."
Dictionary definitions of privacy uniformly speak in terms of seclusion, secrecy, and withdrawal from public view. They all denote a quality that is not inherent in most record-keeping systems. Many records made about people are public, available to anyone to see and use. Other records, though not public in the sense that anyone may see or use them, are made for purposes that would be defeated if the data they contain were treated as absolutely secluded, secret, or private. Records about people are made to fulfill purposes that are shared by the institution maintaining them and the people to whom they pertain. Notable exceptions are intelligence records maintained for criminal investigation, national security, or other purposes. Use of a record about someone requires that its contents be accessible to at least one other person-and usually many other persons.
Once we recognize these characteristics of records, we must formulate a concept of privacy that is consistent with records. Many noteworthy attempts to address this need have been made.
Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. 8
this is the core of the "right of individual privacy" --the right of the individual to decide for himself, with only extraordinary exceptions in the interests of society, when and on what terms his acts should be revealed to the general public. 9
The right to privacy is the right of the individual to decide for himself how much he will share with others his thoughts, his feelings, and the facts of his personal life 10
As a first approximation, privacy seems to be related to secrecy, to limiting the knowledge of -others about oneself. This notion must be refined. It is not true, for instance, that the less that is known about us the more privacy we hive. Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.11
The significant elements common to these formulations are (1) that there will be some disclosure of data, and (2) that the data subject should decide the nature and extent of such disclosure. An important recognition is that privacy, at least as applied to record-keeping practices, is not inconsistent with disclosure, and thus with use. The further recognition of a role for the record subject in deciding what shall be the nature and use of the record is crucial in relating the concept of personal privacy to record-keeping practices.
Each of the above formulations, however, speaks of the data subject as having a unilateral role in deciding the nature and extent of his self-disclosure. None accommodates the observation that records of personal data usually reflect and mediate relationships in which both individuals and institutions have an interest, and are usually made for purposes that are shared by institutions and individuals. In fact, it would be inconsistent with this essential. characteristic. of mutuality to assign the individual record subject a unilateral role in making decisions about the nature and use of his record. To the extent that people want or need to have dealings with record-keeping organizations, they must expect to share rather than monopolize control over the content and use of the records made. about them.
Similarly, it is equally out of keeping with the mutuality of record-generating relationships to assign the institution a unilateral role in making decisions about the content and use of its records about individuals. Yet it is our observation that organizations maintaining records about people commonly behave as if they had been given such a unilateral role to play. This is not to suggest that decisions are always made to the disadvantage of the record subject; the contrary is often the case. The fact, however, is that the record subject usually has no claim to a role in the decisions organizations make about records that pertain to him. His opportunity to participate in those decisions depends on the willingness of the record-keeping organization to let him participate and, in a few .instances, on specific rights provided by law.
Here then is the nub of the matter. Personal privacy, as it relates to personal-data record keeping must be understood in terms of a concept of mutuality. Accordingly, we offer the following formulation:
An individual's personal privacy is directly affected by the kind of disclosure and use made of identifiable information about him in a record. A record containing information about an individual in identifiable form must, therefore, be governed by procedures that afford the individual a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it. Any recording, disclosure, and use of identifiable personal information not governed by such procedures must be proscribed as an unfair information practice unless such recording, disclosure or use is specifically authorized by law.
This formulation does not provide the basis for determining a priori which data should or may be recorded and used, or why, and when. It does,, however, provide a basis for establishing procedures that assure the individual a right to participate in a meaningful way in decisions about what goes into records about him and how that information shall be used.
Safeguards for personal privacy based on our concept of mutuality in record-keeping would require adherence by record-keeping organizations to certain fundamental principles of fair information practice.
- There must be no personal-data record-keeping systems whose very existence is secret.
- There must be a way for an individual, to find out what information about him is in a record and how it is used.
- There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
- There must be a way for an individual to correct or amend a record of identifiable information about him.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
These principles should govern the conduct of all personal-data record-keeping systems. Deviations from them should be permitted only if it is clear that some significant interest of the individual data subject, will be served or if some paramount societal interest can be clearly demonstrated; no deviation should be permitted except as specifically provided by law.