Records, Computers and the Rights of Citizens. Safeguard Requirements for Administrative Personal Data Systems

07/01/1973

SAFEGUARD REQUIREMENTS FOR ADMINISTRATIVE PERSONAL DATA SYSTEMS

I. GENERAL REQUIREMENTS

A. Any organization maintaining a record of individually identifiable personal data, which it does not maintain as part of an administrative automated personal data system, shall make no transfer of any such data to another organization without the prior informed consent of the individual to whom the data pertain, if, as a consequence of the transfer, such data will become part of an administrative automated personal data system that is not subject to these safeguard requirements.

All other safeguard requirements for administrative personal data systems have been formulated to apply only to automated systems. As suggested earlier, the safeguards would wisely be applied to all personal data systems that affect individuals directly, whether or not they are automated. If this is not done, however, it is necessary to assure that individuals about whom an organization maintains records of personal data, which are not part of an automated system, will be protected in the event that personal data from those records are transferred to automated systems. Requirement I.A. is intended to provide such protection by requiring that transfers of personal data to automated systems not subject to the safeguard requirements be made only with the informed consent of the individuals to whom the data pertain.

The requirement is formulated so as not to apply to transfers of personal data that are not in individually identifiable form, e.g., for statistical reporting. (Transfers of individually identifiable data to automated systems used exclusively for statistical reporting and research are covered in Chapter VI, p. 97.)

B. Any organization maintaining an administrative automated personal data system shall:

(1) Identify one person immediately responsible for the system, and make any other organizational arrangements that are necessary to assure continuing attention to the fulfillment of the safeguard requirements;

The obligation to identify a person responsible for the system is intended to provide a focal point for assuring compliance with the safeguard requirements and to guarantee that there will be someone with authority to whom a dissatisfied data subject can go, if other methods of dealing with the system are unsatisfactory. Systems that involve more than one organization may present special problems in this respect, and must be carefully designed to assure that a data subject is not shuffled from one organization to another when he seeks to assert his rights under these requirements.

(2) Take affirmative action to inform each of its employees having any responsibility or function in the design, development, operation, or maintenance of the system, or the use of any data contained therein, about all the safeguard requirements and all the rules and procedures of the organization designed to assure compliance with them;

This requirement takes account of the fact that the actions of many people, with diverse responsibilities and functions located in different parts of an organization, affect the operations of an automated personal data system. Often these people lack a common understanding of the possible consequences for the system of their separate actions. If an organization is to comply fully and efficiently with the safeguard requirements, its employees will have to be made thoroughly aware of all the rules and procedures the organization has established to assure compliance.

(3) Specify penalties to be applied to any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public, evidence of unfair information practice;

The employees of an organization must not be penalized for attempting to prevent or expose violations of the safeguard requirements. Organizations maintaining systems must assure their employees that no harm will come to them as a consequence of bringing evidence of poor practice or willful abuse to the attention of parties who are willing and prepared to act on it.

A personal-data record-keeping system is often one of the least visible aspects of an organization's operations. Organization managers are sometimes ignorant of important facets of system operations, and individual clients or beneficiaries often do not perceive how their difficulties in dealing with an organization may stem from its record-keeping practices. Furthermore, systems tend to be designed, developed, and operated by sizable groups of specialists, no one of whom has a detailed understanding of how each system works and of all the ways in which it can be abused. This diffusion of responsibility, and of practical knowledge of system characteristics, makes the integrity of computer-based record-keeping systems especially dependent on the probity of system personnel. Efforts by associations of data processing specialists to gain nationwide adherence to a code of professional ethics attest to the importance of this aspect of system operations.

(4) Take reasonable precautions to protect data in the system from any anticipated threats or hazards to the security of the system;

The purpose of requirement (4) is to assure that an organization maintaining an automated personal data system takes appropriate security precautions against unauthorized access to data in the system, including theft or malicious destruction of data files.

(5) Make no transfer of individually identifiable personal data to another system without (i) specifying requirements for security of the data, including limitations on access thereto, and (ii) determining that the conditions of the transfer provide substantial assurance that those requirements and limitations will be observed, except in instances when an individual specifically requests that data about himself be transferred to another system or organization;

Requirement (5) is intended to provide protection against any additional risks to data security resulting from transfer of data from one system to another, or from the establishment of regular data linkages between systems. To comply with this requirement, an organization would have to be able to demonstrate that it had carefully followed procedures deliberately designed to assure that the security conditions for a data transfer, including transmission facilities and the data security features and access limitations of the system receiving the data, conform to specified expectations of the transferring organization and its data subjects. In combination with safeguard requirement III(3) (pp. 61-62, below), which requires an organization to obtain the informed consent of individual data subjects before permitting data about them to be put to uses that exceed their reasonable expectations, this requirement would, for example, prevent the sale of data files by one organization to another without the consent of the data subjects if the security features and access limitations of the purchasing organizations were such as to open the possibility of uses not anticipated by the data subjects. The exception in requirement (5) is intended to accommodate the possibility that an individual may need or want his record, or data therefrom, to be made available to another organization even though such transfer may entail risks of security or access that the transferring organization would not undertake or permit, and could not, consistent with this safeguard.

(6) Maintain a complete and accurate record of every access to and use made of any data in the system, including the identity of all persons and organizations to which access has been given;

This requirement will contribute significantly to an organization's capacity to detect improper dissemination of personal data. It is not intended to include ordinary system housekeeping entries, such as updating of files, undertaken in the course of normal maintenance by system personnel. To facilitate its compliance with requirement III (4) (p. 62, below), an organization should consider assuring that records of access to and use of data are part of, or are easily associable with, the records of individuals that are accessed and used.

(7) Maintain data in the system with such accuracy, completeness, timeliness, and pertinence as is necessary to assure accuracy and fairness in any determination relating to an individual's qualifications, character, rights, opportunities, or benefits that may be made on the basis of such data; and

(8) Eliminate data from computer-accessible files when the data are no longer timely.

Requirements (7) and (8) are intended to reduce the number of instances in which individuals are adversely affected by poorly conceived, poorly executed, or excessively ambitious uses of automated personal data systems. Because specific deficiencies in individual records will constitute evidence that requirement (7) has been violated, the effect of the requirement will be to make an organization as alert to isolated errors as it is to sources of recurring errors. To assure alertness, giving high priority to periodic retraining of system personnel and the suitability of their working conditions is essential. In addition, the organization may find that regular evaluation is needed of its data collection procedures and of the accuracy with which data are being converted into computer-accessible form. If particular data are being reproduced for use by another system or organization, steps may also have to be taken to apprise the receiving organization of subtle pitfalls in interpreting the data.

Requirement (7) will discourage organizations from attempting to handle more data than they can adequately process and should also reduce the likelihood that computer-based "dragnet" operations will injure, embarrass, or otherwise harass substantial numbers of individuals. Requirement (8) will promote the development of data-purging schedules that reflect the reasonable useful life of each category of data. Although the requirement would not prohibit the retention of data for archival purposes, it would assure that obsolete data are not available for routine use.

II. Public Notice Requirement

Any organization maintaining an administrative automated personal data system shall give public notice of the existence and character of its system once each year. Any organization maintaining more than one system shall publish such annual notices for all its systems simultaneously. Any organization proposing to establish a new system, or to enlarge an existing system, shall give public notice long enough in advance of the initiation or enlargement of the system to assure individuals who may be affected by its operation a reasonable opportunity to comment. The public notice shall specify:

(1) The name of the system;

(2) The nature and purpose(s) of the system;

(3) The categories and number of persons on whom data are (to be) maintained;

(4) The categories of data (to be) maintained, indicating which categories are (to be) stored in computer-accessible files;

(5) The organization's policies and practices regarding data storage, duration of retention of data, and disposal thereof;

(6) The categories of data sources;

(7) A description of all types of use (to be) made of data, indicating those involving computer-accessible files, and including all classes of users and the organizational relationships among them;

(8) The procedures whereby an individual can (i) be informed if he is the subject of data in the system; (ii) gain access to such data; and (iii) contest their accuracy, completeness, pertinence, and the necessity for retaining them;

(9) The title, name, and address of the person immediately responsible for the system.

The requirement for announcing the intention to create or enlarge a system stems from our conviction that public involvement is essential for fully effective consideration of the pros and cons of establishing a personal data system. Opportunity for public involvement must not be limited to actual or potential data subjects; it should extend to all individuals and interests that may have views on the desirability of a system.

We have not specified a uniform mechanism for giving notice, but rather expect all reasonable means to be used. In the Federal government, we would expect at least formal notice in the Federal Register as well as publicity through other channels, including mailings and public hearings. We would expect State and local governments to use whatever comparable mechanisms are available to them. For other organizations maintaining or proposing systems arrangements such as newspaper advertisements may be appropriate. Whatever methods are chosen, an organization must have copies of its notices readily available to anyone requesting them.

III. Rights of Individual Data Subjects

Any organization maintaining an administrative automated personal data system shall:

(1) Inform an individual asked to supply personal data for the system whether he is legally required, or may refuse, to supply the data requested, and also of any specific consequences for him, which are known to the organization, of providing or not providing such data;

This requirement is intended to discourage organizations from probing unnecessarily for details of people's lives under circumstances in which people may be reluctant to refuse to provide the requested data. It is also intended to discourage coercive collection of personal data that are to be used exclusively for statistical reporting and research. (Secondary statistical-reporting and research applications of administrative personal data systems are the subject of Chapter V.)

(2) Inform an individual, upon his request, whether he is the subject of data in the system, and, if so, make such data fully available to the individual, upon his request, in a form comprehensible to him;

We considered having this requirement provide that an individual be informed that he is a data subject, whether or not he inquires. It seems to us, however, that such a requirement could be needlessly burdensome to some organizations, particularly if the character of their operations makes it likely that an individual will know that he is the subject of data in one or more systems, for example, systems that mail their customers monthly statements. Furthermore, since our objective is to specify a set of fundamental "least common denominator" standards of fair information practice, we concluded that it would be sufficient to guarantee each individual the right to ascertain whether he is a data subject when and if he asks to know.

We would, however, urge that organizations take the initiative to inform individuals voluntarily that data are being maintained about them, especially if it seems likely that the individuals would not be made fully aware of the fact as a consequence of normal system operations. For example, in systems where individuals become data subjects as a consequence of providing data about themselves in an application, the form could describe the records that will be maintained about them.

This requirement affords an individual about whom data are maintained in a system the right to be informed, and the right to obtain a copy of data, only if he may be affected individually by any use made of the system. For example, employees about whom earnings data are maintained in individually identifiable form in records kept by their employers would have these rights, but individuals appearing collaterally in records, such as an employee's dependents or character references, would have the rights afforded by this requirement only if they could be affected by the uses made of the records in which they appear.

We recognize that the right of an individual to have full access to data pertaining to himself would be inconsistent with existing practice in some situations. The medical profession, for example, often withholds from a patient his own medical records if knowledge of their content is deemed harmful to him; school records are sometimes not accessible to students; admission to schools, professional licensure, and employment may involve records containing third-party recommendations not commonly made available to the subject.

As indicated earlier (pp. 52-53, above), exemption from any one of the safeguard requirements should be only for a strong and explicitly justified reason. Thus, existing practices restricting an individual's right to obtain data pertaining to himself should be continued only if an exemption from the requirement of full access is specifically provided by law.

Reassessment of existing practices that deprive individuals of full access to data recorded about themselves will be one of the most significant consequences of establishing safeguard requirement III (2). Many organizations are likely to argue that it is not in the interest of their data subjects to have full access. Others may oppose full access on the grounds that it would disclose the content of confidential third-party recommendations or reveal the identity of their sources. Still others may argue that full access should not be provided because the records are the property of the organization maintaining the data system. Such objections, however, are inconsistent with the principle of mutuality necessary for fair information practice. No exemption from or qualification of the right of data subjects to have full access to their records should be granted unless there is a clearly paramount and strongly justified societal interest in such exemption or qualification.

If an organization concludes that disclosing to an individual the content of his record might be harmful to him, it can point that out, but if the individual persists in his request to have the data, he should, in our view, be given it. The instances in which it can be convincingly demonstrated that there is paramount societal interest in depriving an individual of access to data about himself would seem to be rare.

Similarly, we cannot accede in general to the claim that the sources of recorded comments of third parties should be kept from a data subject if he wants to know them. Disclosure to the data subject of the sources of such comments may be difficult for organizations that have promised confidentiality. Modifying the data subject's right of access in order to honor past pledges may be necessary. However, the practice of recording data provided by third parties, with the understanding that the identities of the data providers will be kept confidential, should be continued only where there is a strong, clearly justified societal interest at stake. Elementary considerations of due process alone cast grave doubt on the propriety of permitting an organization to make a decision about an individual on the basis of data that may not be revealed to him or that have been obtained from sources that must remain anonymous to him.

(3) Assure that no use of individually identifiable data is made that is not within the stated purposes of the system as reasonably understood by the individual, unless the informed consent of the individual has been explicitly obtained;

This requirement is intended to deal with one of the central issues of fair information practice: controlling the use of personal data. Assume that a system maintains no more personal data than reasonably necessary to achieve its purposes. Assume further that its purposes are well understood and accepted by the individuals about whom data are being maintained, and that all data in the system are accurate, complete, pertinent, and timely. The question of how data in the system are actually used still remains.

Because an individual can be adversely affected even by accurate data in well-kept records, the use of personal data in a system should be held to standards of fairness that minimize the risk that an individual will be injured as a consequence of an organization's permitting data about him to be used for purposes that differ substantially from whatever uses he has been led to expect. The public notice called for by safeguard requirement II (pp. 57-58, above) is intended to assure that when an individual first becomes a data subject, he will be able to understand the purposes of the system and the types of uses to which data about him will be put. If, however, an organization expands the previously announced purposes of the system, or enlarges the range of permissible uses of data in identifiable form, it must not only revise its public notice for the system, but must also obtain the prior consent of all existing data subjects.

The objective of requirement III(3), in short, is to make it possible for individuals to avoid having data about themselves used or disseminated for purposes to which they may seriously object. The requirement applies to all new types of uses, whether they will be made by the system that initially collected the data or by some other system or organization to which data are to be transferred. Thus it applies (as noted on p. 56, above) to uses that may result from the transfer of data to a system whose security features and access limitations open the possibility of uses not anticipated by the data subjects.

(4) Inform an individual, upon his request, about the uses made of data about him, including the identity of all persons and organizations involved and their relationships with the system;

This requirement will guarantee the individual an opportunity to find out exactly how and why data about him have been used, and by whom. It provides this right for an individual only when he makes a request; a general rule requiring an organization to take the initiative in all cases to inform an individual how data about him have been used would often not serve any useful purpose, and might lead, for example, to periodic mass mailings to inform individuals of uses of which they are already aware. Nonetheless, there may be instances when data subjects will want to be informed on a regular basis about particular types of data use. It is the intent of this safeguard that an organization provide such service when an individual requests it.

Coupled with requirement I(6) (p. 56, above) this requirement would also afford individuals the opportunity to advise those to whom records about them have been disseminated of any corrections, clarifications, or deletions that should be made.

(5) Assure that no data about an individual are made available from the system in response to a demand for data made by means of compulsory legal process, unless the individual to whom the data pertain has been notified of the demand;

"Compulsory legal process" includes demands made in the form of judicial or administrative subpoena and any other demand for data that carries a legal penalty for not responding. It should be the responsibility of the person or organization that seeks to obtain data by compulsory legal process to notify the data subject of the demand and to provide evidence of such notification to the system. In instances when it may be more practicable for the system to give notice of the demand to the data subject, the cost of doing so should be borne by the originator of the demand.

The intent of requirement (5) is to assure that an individual will know that data about himself are being sought by subpoena, summons, or other compulsory legal process, so as to enable him to assert whatever rights he may have to prevent disclosure of the data.

(6) Maintain procedures that (i) allow an individual who is the subject of data in the system to contest their accuracy, completeness, pertinence, and the necessity for retaining them; (ii) permit data to be corrected or amended when the individual to whom they pertain so requests; and (iii) assure, when there is disagreement with the individual about whether a correction or amendment should be made, that the individual's claim is noted and included in any subsequent disclosure or dissemination of the disputed data.

It is not the intent of this requirement in any way to relieve an organization of the obligation to maintain data in accordance with requirement I(8) (p. 57, above). Rather, in combination with requirement I(8), it is expected to give an organization maintaining a system strong incentives to investigate and act upon any claim by an individual that data recorded about him are incorrect, insufficient, irrelevant, or out-of-date. The provision for obtaining injunctions included in the Code of Fair Information Practice (p. 50, above) will enable individuals to seek court orders for corrective action in regard to their records.