A primary goal of safeguard requirements for statistical-reporting and research systems must be to protect individual data subjects from harm. That goal will be frustrated if, after having been assured that the data he provides for a system will be seen only by persons formally involved in the statistical-reporting or research project, a data subject finds that the data have been disclosed in identifiable form in response to a subpoena.
Statistical-reporting or research data that can be traced to identifiable individuals should not be subject to compulsory disclosure through legal process. In our view, there must be new Federal legislation protecting against such disclosure, and it should include the following features:
- The data to be protected should be limited to those used exclusively for statistical reporting or research. Thus, the protection would apply to statistical-reporting and research data derived from administrative records, and kept apart from them. but not to the administrative records themselves.10
- The protection should be limited to data identifiable with, or traceable to, specific individuals. When data are released in statistical form, reasonable precautions to protect against "statistical disclosure"11 should be considered to fulfill the obligation not to disclose data that can be traced to specific individuals.
- The protection should be specific enough to qualify for non-disclosure under the Freedom of Information Act exemption for matters "specifically exempted from disclosure by statute" 5 U.S.C. 552 (b) (3).
- The protection should be available for data in the custody of all statistical-reporting and research systems, whether supported by Federal funds or not.
- The Federal law should be controlling; no State statute should interfere with the protection it provides. (The need also. exists for State legislation to protect statistical-reporting and research data that cannot be reached by Federal legislation.)
- Either the data custodian or the individual about whom data are sought by legal process should be able to invoke the protection, but only the individual should be able to waive it.
These are essential conditions for protecting statistical-reporting and research data from compulsory disclosure in identifiable form. Legislation incorporating the features indicated would not prevent the disclosure of basic records from a statistical-reporting or research system so long as data in the records could not be traced to specific individuals.
We offer no specific guidance on the form of the statutory protection. However, existing Federal confidentiality statutes contain some relevant examples. These range from absolute prohibitions against disclosure to authority for an administrative official to make disclosure regulations. Among the specific methods are the following:
Absolute Prohibition of Disclosure. Two existing statutes provide stringent protections for personal data held by Federal agencies.
(a) Data collected by the Bureau of the Census may not be revealed to anyone outside of the Bureau in a form in which an individual respondent is identifiable. There is no discretion for any Bureau official with respect to disclosure. There are criminal penalties for disclosure. The prohibition against disclosure serves to defeat legal process. If a respondent retains a copy of a report made to the Bureau, the copy, like the original, is immune from process. 13 U.S.C. 9,214.
(b) Data collected under the National Health Survey may not be used "for any purpose other than the statistical purpose for which it was supplied except pursuant to regulations of the Secretary [of Health, Education, and Welfare]; nor may any such information be published if the particular establishment or person supplying it is identifiable except with the consent of such establishment or person." Sec. 305(a) of the Public Health Service Act, 42 U.S.C. 242c. Here again, the holders of the records are given no discretion to reveal information or withhold it; only the establishment or the person who supplied the information has that discretion. Criminal penalties for disclosure derive from a general statute on disclosure of confidential information. 18 U.S.C. 1905.
Absolute Protection Against Compulsory Disclosure. A second pattern of data protection is provided by statutes that authorize a Federal official to authorize others to protect the privacy of individuals who are the subject of research by withholding from all persons not connected with the research the names and other identifying characteristics of such individuals. Such authority is vested in the Secretary of Health, Education, and Welfare by Section 303(a) of the Public Health Service Act, 42 U.S.C. 242a, with respect to drug research, and also by Section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, 42 U.S.C. 4582, with respect to alcohol abuse and alcoholism research. Similar authority is given the Attorney General by Section 502(c) of the Comprehensive Drug Abuse Prevention and Control Act of 1970, 21 U.S.C. 872(c), with respect to "research." The latter authority speaks only of "research," but appears in a section of the statute dealing with research related to enforcement of laws concerning drugs.
The authority in each of these instances is explicit as to immunity from process. Those who obtain the authorization "may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding" to identify the subjects of research. These sections are of wide scope. The authorization may be given to anyone engaged in the specified type of research. Thus, the Secretary or Attorney General can extend it to Federal employees under his control, Federal employees in other agencies, grantees, and even to resea chers who are not grantees. However, there is no absolute prohibition on disclosure. The Secretary or Attorney General may grant or withhold the authorization. The researcher with the authorization "may not be compelled. . .to identify such individuals," but may choose to identify them pursuant to process or otherwise, subject to whatever other ethical or legal constraints exist. Thus, it is not strictly a privilege, like the lawyer-client privilege, in which the individual who has provided the information controls the action of the professional in responding to process.
Discretion to Disclose Under Specified Conditions. The Drug Abuse Office and Treatment Act of 1972 (P.L.. 92255) provides a third model. Section 408 of that Act, 21 U.S.C. 1175, establishes as confidential, and forbids disclosure of, patient records "which are maintained in connection with the performance of any drug abuse prevention function authorized or assisted under any provision of this Act or any Act amended by this Act." There is a criminal penalty for disclosure. If the patient gives written consent, the record may be disclosed for medical care purposes, or to govern mental personnel in order to obtain benefits for the patient. If the patient does not give consent, the record may be disclosed for emergency medical treatment; for research, audit, or evaluation purposes (as long as the patient's identity is not further disclosed); or if authorized by a court order upon application showing good cause. Criminal charges may not be initiated or substantiated on the basis of patient records, and patients may not be investigated on the basis of patient records, except pursuant to disclosure under a court order. The section continues to apply to a patient's records after he ceases to be a patient.
This statute speaks of records "maintained in connection with any drug abuse prevention function," and this seems to include records kept solely for research, but the term "patient" is used repeatedly. The Act's legislative history shows that confidentiality was provided so that drug abusers would more readily seek treatment. [H. Rept. No. 92-920, -92nd Cong., 2d Sess., 33(1972)]. Implementing regulations issued by the Special Action Office for Drug Abuse Prevention, 21 C.F.R. Part 401, define "patient" as anyone who is or has been interviewed, examined, diagnosed, treated, or rehabilitated in connection with any drug abuse prevention function, and include "research" in the definition of the drug abuse prevention function.
It should be noted that the function of the court order in this scheme is to authorize a disclosure which would otherwise be forbidden, rather than to compel disclosure. The implementing regulations make it clear that the holder of the records may disclose the records if so authorized by a court order, but is not obliged to do so.
Discretion to Specify the Condtions for Disclosure. Another pattern of protection is found in Section 1106(a) of the Social Security Act, 42 U.S.C. 1306(a). The section does not deal explicitly with research, but covers any information received by the Department of Health, Education, and Welfare in the course of discharging duties under the Social Security Act. The section provides that no disclosure shall be made "except as the Secretary may by regulations prescribe." Thus, an administrative official is authorized to designate classes of information that may be disclosed, and that may not be disclosed, and to determine when and to whom data may be disclosed. In effect, an administrative official has discretion (which must be exercised in advance in published regulations) to respond to legal process or not.
1 David N. Kershaw and Joseph C. Small, "Data Confidentiality and Privacy: Lessons from the New Jersey Negative Income Tax Experiment," Public Policy, Vol. XX, No. 2 (Spring 1972), p. 261. The Mercer County dispute stemmed from a change in the State public assistance law which made more participants in the experiment eligible for welfare than had been the case when the experiment began. The 1969 investigation was terminated when the contractor agreed to reimburse the county welfare agency for any overpayments that came to light. Two years later, however, the experiment was subjected to a four-month grand jury investigation of charges that the contractor had "instructed lowincome families taking part in the experiment not to report income subsidies to city and county welfare authorities . . . ." Ibid., p. 268. During this same period, access to the contractor's files was also sought by the General Accounting Office and the U. S. Senate Finance Committee. '
2 The current version of this protection provides that:Neither the Secretary, .nor any other officer or employee of the Department of Commerce or bureau or agency thereof, may ...(1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or (2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or (3) permit anyone other then the mom officers and employees of the Department or bureau or agency thereof to examine the individual reports . . . .13 U.S.C. 9(a).
3The New Jersey case is not unique. At least two other incidents of a similar nature have been reported. See John Walsh, "Anti-poverty R&D: Chicago Debacle Suggests Pitfalls Facing OEO, "Science, 165, 19 September 1969, pp. 1243-1245; and "Appeals Court Orders MD to Reveal Patients' Photos," Psychiatric News, VII:2, November 15, 1972, p. 1. The latter describes a pending court case involving the New York City Methadone Maintenance Treatment Program.
4Report of the Committee on the Preservation and Use of Economic Data to the Social Science Research Council, April 1965, reprinted as Appendix I in The Computer and Invasion of Privacy, Hearings before a Subcommittee of the Committee on Government Operations, U. S. House of Representatives, 89th Congress, 2d Session, July 26, 27, 28, 1966; Statistical Evaluation Report No. 6-Review of Proposal for a National Data Center, prepared by Edgar S. Dunn, Jr., also reprinted in The Computer and Invasion of Privacy as Appendix 2; and Report of the Task Force on the Storage of and Access to Government Statistics (Washington, D.C.: Bureau of the Budget), October 1966.
5There is today a substantial evaluation research literature to which the interested reader can refer for a fuller account of how this new government-supported activity has developed. See, for example, Edward A. Suchman, Evaluative Research (New York: Russell Sage Foundation), 1967; Francis G. Caro, Readings in Evaluation Research (New York: Russell Sage Foundation, 1971; and Peter H. Rossi and Walter Williams (Eds.), Evaluating Social Programs: Theory, Practice, and Politics (New York and London: Seminar Press), 1972.
6See Chapter 6, "Privacy and Confidentiality," in Federal Statistics, the Report of the President's Commission on Federal Statistics (Washington, D.C.: U.S. Government Printing Office), 1971.
7National Center for Health Statistics, Standardized Micro-Data Transcripts (Rockville, Md.: National Center for Health Statistics), December 1972.
8Guidebook to the U.S. Department of Health, Education, and Welfare Computer Data Flies, 1973 (forthcoming).Statistical-Reporting and Research Systems 95
9This requirement corresponds to requirement 111(3) in Chapter IV.
10 See Note 7, Chapter V, p. 85.
11This is a risk that arises when a population is so narrowly defined that tabulations are apt to produce cells small enough to permit the identification of individual data subjects, or when a person using a statistical file has access to information which, if added to data in the statistical file, makes it possible to identify individual data subjects. See 1. P. Felice, "On the Question of Statistical Confidentiality," Jowml of the American Statistical Association, 67:337 (Much 1972), pp. 7-18.