SAFEGUARD REQUIREMENTS FOR STATISTICAL-REPORTING AND RESEARCH SYSTEMS
I. GENERAL REQUIREMENTS
A. Any organization maintaining a record of personal data, which it does not maintain as part of an automated personal data system used exclusively for statistical reporting or research, shall make no transfer of any such data to another organization without the prior informed consent of the individual to whom the data pertain, if, as a consequence of the transfer, such data will become part of an automated personal data system that is not subject to these safeguard requirements or the safeguard requirements for administrative personal data systems (in Chapter IV).
All other safeguard requirements for statistical-reporting and research systems have been formulated to apply only to automated systems, although they would wisely be applied to all statistical-reporting and research systems, whether automated or manual. If this is not done, however, it is necessary to assure that individuals about whom an organization maintains records of personal data, which are not part of an automated system, will be protected in the event of transfers of such data to automated systems. Requirement I.A. is intended to provide such protection for individuals by requiring that transfers of data about them to automated systems not subject to safeguard requirements be made only with their informed consent.
B. Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall:
(1) Identify one person immediately responsible for the system, and make any other organizational arrangements that are necessary to assure continuing attention to the fulfillment of the safeguard requirements;
The obligation to identify a person responsible for the system is intended to provide a focal point for assuring compliance with the safeguard requirements and to guarantee that there will be someone with authority to whom individuals, groups, or organizations can go if other methods of dealing with the system are unsatisfactory. Systems that involve more than one organization may present special problems in this respect, and must be carefully designed to assure that a person is not shuffled from one organization to another when he seeks to assert any right under these requirements.
(2) Take affirmative action to inform each of its employees having any responsibility or function in the design, development, operation, or maintenance of the system, or the use of any data contained therein, about all the safeguard requirements and all the rules and procedures of the organization designed to assure compliance with them;
(3) Specify penalties to be applied to any employee who initiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public, evidence of unfair information practice;
(4) Take reasonable precautions to protect data in the system from any anticipated threats or hazards to the security of the system;
(5) Make no transfer of individually identifiable personal data to another system without (i) specifying requirements for security of the data, including limitations on access thereto, and (ii) determining that the conditions of the transfer provide substantial assurance that those requirements and limitations will be observed, except in instances when each of the individuals about whom data are to be transferred has given his prior informed consent to the transfer;
Requirement (5) has basically the same implications for statistical-reporting and research systems that it has for administrative systems (Chapter IV, p. 56). However, applied to statistical-reporting and research systems along with requirement III (2) (p. 101, below), requirement (5) will also prevent an organization or a researcher from transferring data in identifiable form to another organization or researcher who could not fully guarantee that the transfer would result in no uses of the data not reasonably anticipated by the data subjects.
(6) Have the capacity to make fully documented data readily available for independent analysis.
This requirement should be understood to mean that data whose use helps an organization to influence social policy and behavior must be readily available. In cases where independent analysis could not be performed without knowing the identity of each data subject, a system would be considered fully "capable" if, for example, it had obtained the consent of each data subject to participate in a follow-on study, or had a policy of seeking the consent of data subjects on behalf of persons wanting to perform such independent analysis.
II. PUBLIC NOTICE REQUIREMENT
Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall give public notice of the existence and character of its system once each year. Any organization maintaining more than one such system shall publish annual notices for all its systems simultaneously. Any organization proposing to establish a new system, or to enlarge an existing system, shall give public notice long enough in advance of the initiation or enlargement of the system to assure individuals who may be affected by its operation a reasonable opportunity to comment. The public notice shall specify:
(1) The name of the system;
(2) The nature and purpose(s) of the system;
(3) The categories and number of persons on whom data are (to be) maintained;
(4) The categories of data (to be) maintained, indicating which categories are (to be) stored in computer-accessible files;
(5) The organization's policies and practices regarding data storage, duration of retention of data, and disposal thereof;
(6) The categories of data sources;
(7) A description of all types of use (to be) made of data, indicating those involving computer-accessible files, and including all classes of users and the organizational relationships among them;
(8) The procedures whereby an individual, group, or organization can gain access to data for independent analysis;
(9) The title, name, and address of the person immediately responsible for the system;
(10) A statement of the system's provisions for data confidentiality and the legal basis for them.
This requirement has two primary objectives: (1) to assure that there will be no automated personal data system whose very existence is kept secret from the public; and (2) to assure that uses of systems by organizations to help them influence social policy or behavior are not immune from independent expert scrutiny. Instances will no doubt arise in which announcement of a research project prior to undertaking it could seriously hamper part of the study. In other instances, the scale of a project might be so small, and its influence on social policy so remote, that strict compliance with the public notice requirement will seem unduly burdensome. For such cases some mechanism will have to be devised for granting exemptions from the public notice requirement. Because of the diversity of statistical-reporting and research activities that organizations conduct, sponsor, or support, we have not tried to specify criteria for granting exemptions or to prescribe any particular mechanism for dealing with requests for exemptions on a case-by-case basis. We do feel, however, that the people who want to do research that might qualify for an exemption should not be asked to bear the full burden of deciding whether an exemption is appropriate. The matter of exemptions from the public notice requirement is one to which careful attention will have to be addressed when the safeguard requirements are being applied by administrative action, and eventually in connection with the enactment of legislation establishing the code of fair information practice for statistical-reporting and research systems.
We have also refrained from specifying a uniform mechanism for giving notice. For Federal agencies, we would expect formal notice in the Federal Register, but a catalog of data files published annually would also suffice. We would expect State and local governments to use whatever comparable mechanisms are available to them. Other systems may find that notices given through professional journals or mailings would be appropriate. Whatever methods are chosen, an organization must have copies of its notices readily available to anyone requesting them.
III. RIGHTS OF INDIVIDUAL DATA SUBJECTS
Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall:
(1) Inform an individual asked to supply personal data for the system whether he is legally required, or may refuse, to supply the data requested, and also of any specific consequences for him, which are known to the organization, of providing or not providing such data;
As indicated in Chapter IV (p. 59, above), one purpose of this requirement is to discourage coercive collection of personal data that are to be used exclusively for statistical reporting and research. However, the requirement that an individual be informed of the consequences of providing, or not providing, data for a system is also intended to assure that no pledge to hold data in confidence will be given by a data-collecting organization without apprising each data subject of the legal limitations, if any, of such a pledge.
(2) Assure that no use of individually identifiable data is made that is not within the stated purposes of the system as reasonably understood by the individual, unless the informed consent of the individual has been explicitly obtained;
(3) Assure that no data about an individual are made available from the system in response to a demand for data made by means of compulsory legal process, unless the individual to whom the data pertain (i) has been notified of the demand, and (ii) has been afforded full access to the data before they are made available in response to the demand.
The intent of this requirement is similar to that of requirement III (5), as explained in Chapter IV (p. 63, above). Because there is no safeguard requirement for statistical-reporting and research systems giving an individual the right of access to data about himself (as provided in requirement III (2) for administrative systems), this requirement gives an individual that right in the event of a compulsory process demand. The need for this requirement would be obviated by enactment of legislation providing effective protection against compulsory disclosure of identifiable personal data maintained in statistical-reporting and research systems. However, until such legislation is enacted, or if, when enacted, the legislation leaves an organization maintaining such a system any discretion whatsoever to waive the protection against compulsory disclosure, this safeguard should be the minimum protection afforded individual data subjects.