As every man goes through life he fills in a number of forms for the record, each containing a number of questions . .. There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider's web, and if they materialized as rubber bands, buses; trams and even people would all lose the ability to move, and the wind would be unable to carry torn-up newspapers or autumn leaves along the streets of the city. They are not visible, they are not material, but every man is constantly aware of their existence.... Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads.

Alexander Solzhenitsyn, Cancer Ward
Reprinted with the permission of Farrar, Straus & Giroux, Inc. from Cancer Ward by Alexander Solzhenitsyn, English translation of Part I © The Bodley Head Ltd. 1968; Part 11 © The Bodley Head Ltd. 1969.

III. Safeguards for Privacy

There is widespread belief that personal privacy is essential to our well-being– physically, psychologically, socially, and morally. Concern about the effects of computerized personal data systems on their threat to privacy. Safeguards must therefore focus protection of personal privacy.

The rationale for the safeguards that we will recommend is set forth in this chapter. In it we take account of existing legal constraints on the. invasion of personal privacy through record keeping and of the role that records play in the relationship between individuals and record-keeping organizations.

Personal Privacy, Record Keeping, and the Law

Some suggest that the risks presented by automated personal data systems call for a Constitutional amendment, or a general computer-based record-keeping practices. In the latter view, the enactment of an explicit, general right of personal privacy, whether Constitutionally or by statute, would not only provide no greater protection than is already latent in the common law of privacy, but also would create uncertainty and confusion that the courts are ill-suited to resolve.

Although the Constitution of the United States does not mention a right to privacy, and only three State Constitutions (Alaska, California, and South Carolina) make explicit provision for a right of privacy, various aspects of personal privacy have been protected against government action by judicial interpretation of certain provisions of the Bill of Rights. The First Amendment guarantees free speech, a free press, and freedom of assembly and religion; the Third Amendment prohibits quartering soldiers in private homes; the Fourth Amendment prohibits unreasonable searches and seizures; the Fifth Amendment protects against compulsory self-incrimination; and the Ninth Amendment guarantees that rights not enumerated in the Constitution are retained by the people. Courts have construed these protections of the Bill of Rights to uphold the individual's right not to be coerced into revealing political, social, or philosophical beliefs, or private associations, unless national security or public order are at stake. The issues in many cases are clearly rooted in concerns for personal privacy, but the courts have articulated their decisions in terms of Bill of Rights guarantees. The Supreme Court, however, has recognized a right of privacy as the basis for protecting the freedom of individuals to practice contraception, to read or look at pornography at home, and to have an unwanted pregnancy terminated.

Courts have also developed principles in the common law to allow suits for invasion of privacy in various situations involving financial or reputational. injury of one person by another. There is little evidence, however, that court decisions will, either by invoking Constitutional rights or defining common law principles, evolve general rules, framed in terms of a legal concept of personal privacy, that will protect individuals against the potential adverse effects of personal-data record-keeping practices. Indeed, there are many court decisions in which seemingly meritorious claims that could have been sustained by recognizing a right of privacy were denied because the courts would not permit such a right to override other legal considerations.

Although there is a substantial number of statutes and regulations that collectively might be called the "law of personal-data record keeping," they do not add up to a comprehensive and consistent body of law. They reflect no coherent or conceptually unified approach to balancing the interests of society and the organizations that compile and use records against the interests of individuals who are the subjects of records.1

The Federal Reports Act2 and the so-called "Freedom of Information Act,"3 taken together, come as close as any enactments to providing a framework for Federal policy in this area. However, they are limited in application to agencies of the Federal government; they deal in a limited fashion with only two aspects of record-keeping practice-data collection and data dissemination; and they contain scant and potentially inconsistent protections for the interests of individual record subjects.

The Federal Reports Act requires that Federal agencies, with several significant exceptions, obtain concurrence from the Office of Management and Budget before collecting "information upon identical items, from ten or more persons." The Act was designed chiefly to help business enterprises. Its main purposes are to minimize the "burden" upon those required to furnish information to the Federal government; to minimize the government's data collection costs; to avoid unnecessary duplication of Federal data-collection efforts; and to maximize the usefulness to all Federal agencies of the information collected. Although concern for the interests of individuals can be discerned in its administration, the Act itself makes no mention of personal privacy. It neither creates nor recognizes any rights for individuals with respect to the personal-data record-keeping practices of the Federal government.

The Freedom of Information Act mandates disclosure to the public of information held by the Federal government. It barely nods at the interest of the individual record subject by giving Federal agencies the authority to withhold personal data whose disclosure would constitute a clearly unwarranted invasion of privacy. The Act, however, is an instrument for disclosing information rather than for balancing the conflicting interests that surround the public disclosure and use of personal records. The Act permits exemption from mandatory disclosure for personal data whose disclosure would constitute a "clearly unwarranted invasion of personal privacy," but the agency is given total discretion in deciding which disclosures meet this criterion. The Act gives the data subject no way at all to influence agency decisions as to whether and how disclosure will affect his privacy.4

Many of the States, have similarly broad "public records" or "freedom of information" statutes whose objective is to assure public access to records of State government agencies,. Most of them, however, provide no exceptions from their general disclosure requirements in recognition of personal privacy interests. We discovered no State law counterparts to the Federal Reports Act.

By and large, one finds that record-keeping laws and regulations at all levels of government are limited and specific in their application. The requirements and prohibitions they impose apply to particular types of organizations, records, or record-keeping practices. They seldom go further than to stipulate that particular records shall be maintained and made accessible to the public, to particular officials, or for particular purposes, or that particular records shall be subject to confidentiality constraints. No body of statutory or administrative law establishes rights for individual record subjects or other rules of general application governing personal-data record-keeping practices, whether manual or automated.

Nor should we look to court decisions to develop such general rules. Courts can only decide particular cases; their opportunity to establish legal principle is: limited by the nature of litigation arising from controversies between parties. Few cases that raise the broad issues posed by all personal-data record keeping g have been brought before the courts, and fewer that focus those issues on computer based systems. There are several possible explanations for this.

One possibility is that nobody has been hurt enough or has felt sufficiently aggrieved by current record- keeping practices to bring suit. Another is that record-keeping and data-processing practices are not an overt or well understood function of institutions, whether governmental or private. Their adverse effects may not have been recognized. The individual affected may never discover that the root of his difficulties with an institution was some piece of information about him in a record. This is one reason for the section in the Fair Credit Reporting Act5 that requires than an individual be notified when an adverse action, such as denial of credit, insurance, or employment, is taken on the basis of a report from a consumer-reporting agency.

Still another possibility is that unless injury to the individual can be translated into reasonably substantial claims for damages, the individual ordinarily has little incentive to undertake a lawsuit. Few people can afford to bring suit against a well-defended organization solely for moral, satisfaction.

Record-keeping practices have ancient and predominantly honorable traditions, as we have seen. Historically, their social utility has seldom been questioned. Only when record-keeping systems can be shown to have caused actual injury, to have created problems with serious Constitutional implications, or to be in conflict with clear statutory requirements, are courts likely to interfere with their operation. As a consequence, government data systems appear, under existing law, to be virtually immune to constraint through suits by individual data subjects; private-sector systems appear no less so. The personal-data record-keeping, operations of private organizations are unlikely to give rise to Constitutional issues and are typically not subject to statutory requirements.6 The judicial process, in short, seems functionally ill-suited to initiating development of general common law rules relating to record-keeping practices.

The foregoing analysis leads us to conclude that the natural evolution of existing law will not protect personal privacy from the risks of computerized personal data systems. In our view the analysis also disposes of any expectation that enactment of a mere right of personal privacy would afford such protection .7 The creation of such a right without precise and elaborate definition of its intended significance: would not overcome the obstacles in the judicial process that hinder recognition of personal privacy in relation to record keeping. The development of legal principles comprehensive enough to accommodate a range of issues arising out of pervasive social operations, applications of a complex technology, and conflicting interests of individuals, record-keeping organizations, and society, will have to be the work of legislative and administrative rule-making bodies.

A Redefinition of the Concept of Personal Privacy

Our review of existing law leads to the conclusion that agreement must be reached about the meaning of personal privacy in relation to records and record-keeping practices. It is difficult, however, to define personal privacy in terms that provide a conceptually sound framework for public policy about records and record keeping and a workable basis for formulating rules about record-keeping practices. For any one individual, privacy, as a value, is not absolute or constant; its significance can vary with time, place, age, and other circumstances. There is even more variability among groups of individuals. As a social value, furthermore, privacy can easily collide with others, most notably free speech, freedom of the press, and the public's "right to know."

Dictionary definitions of privacy uniformly speak in terms of seclusion, secrecy, and withdrawal from public view. They all denote a quality that is not inherent in most record-keeping systems. Many records made about people are public, available to anyone to see and use. Other records, though not public in the sense that anyone may see or use them, are made for purposes that would be defeated if the data they contain were treated as absolutely secluded, secret, or private. Records about people are made to fulfill purposes that are shared by the institution maintaining them and the people to whom they pertain. Notable exceptions are intelligence records maintained for criminal investigation, national security, or other purposes. Use of a record about someone requires that its contents be accessible to at least one other person-and usually many other persons.

Once we recognize these characteristics of records, we must formulate a concept of privacy that is consistent with records. Many noteworthy attempts to address this need have been made.

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. 8
this is the core of the "right of individual privacy" --the right of the individual to decide for himself, with only extraordinary exceptions in the interests of society, when and on what terms his acts should be revealed to the general public. 9
The right to privacy is the right of the individual to decide for himself how much he will share with others his thoughts, his feelings, and the facts of his personal life 10
As a first approximation, privacy seems to be related to secrecy, to limiting the knowledge of -others about oneself. This notion must be refined. It is not true, for instance, that the less that is known about us the more privacy we hive. Privacy is not simply an absence of information about us in the minds of others; rather it is the control we have over information about ourselves.11

The significant elements common to these formulations are (1) that there will be some disclosure of data, and (2) that the data subject should decide the nature and extent of such disclosure. An important recognition is that privacy, at least as applied to record-keeping practices, is not inconsistent with disclosure, and thus with use. The further recognition of a role for the record subject in deciding what shall be the nature and use of the record is crucial in relating the concept of personal privacy to record-keeping practices.

Each of the above formulations, however, speaks of the data subject as having a unilateral role in deciding the nature and extent of his self-disclosure. None accommodates the observation that records of personal data usually reflect and mediate relationships in which both individuals and institutions have an interest, and are usually made for purposes that are shared by institutions and individuals. In fact, it would be inconsistent with this essential. characteristic. of mutuality to assign the individual record subject a unilateral role in making decisions about the nature and use of his record. To the extent that people want or need to have dealings with record-keeping organizations, they must expect to share rather than monopolize control over the content and use of the records made. about them.

Similarly, it is equally out of keeping with the mutuality of record-generating relationships to assign the institution a unilateral role in making decisions about the content and use of its records about individuals. Yet it is our observation that organizations maintaining records about people commonly behave as if they had been given such a unilateral role to play. This is not to suggest that decisions are always made to the disadvantage of the record subject; the contrary is often the case. The fact, however, is that the record subject usually has no claim to a role in the decisions organizations make about records that pertain to him. His opportunity to participate in those decisions depends on the willingness of the record-keeping organization to let him participate and, in a few .instances, on specific rights provided by law.

Here then is the nub of the matter. Personal privacy, as it relates to personal-data record keeping must be understood in terms of a concept of mutuality. Accordingly, we offer the following formulation:

An individual's personal privacy is directly affected by the kind of disclosure and use made of identifiable information about him in a record. A record containing information about an individual in identifiable form must, therefore, be governed by procedures that afford the individual a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it. Any recording, disclosure, and use of identifiable personal information not governed by such procedures must be proscribed as an unfair information practice unless such recording, disclosure or use is specifically authorized by law.

This formulation does not provide the basis for determining a priori which data should or may be recorded and used, or why, and when. It does,, however, provide a basis for establishing procedures that assure the individual a right to participate in a meaningful way in decisions about what goes into records about him and how that information shall be used.

Safeguards for personal privacy based on our concept of mutuality in record-keeping would require adherence by record-keeping organizations to certain fundamental principles of fair information practice.

These principles should govern the conduct of all personal-data record-keeping systems. Deviations from them should be permitted only if it is clear that some significant interest of the individual data subject, will be served or if some paramount societal interest can be clearly demonstrated; no deviation should be permitted except as specifically provided by law.

Mechanisms for Providing Safeguards

Many mechanisms have been suggested for providing safeguards against the potential adverse effects of automated personal-data systems. Those who believe a general right of personal privacy should be established, by Constitutional amendment or by statute, propose, in - effect, that the courts should be the mechanism. Although we have concluded that a general right of privacy is not a reliable approach to achieving effective protection, the safeguards we recommend in the following chapters of this report would rely in part on the courts.

Some have proposed that there be a public ombudsman to monitor automated personal data systems, to identify and publicize their potential for adverse effects, and to investigate and act on complaints -about their operation. We note with approval the efforts of the Association for Computing Machinery, and of many business firms and newspapers, to provide ombudsman service to the victims of computer errors. We believe the benefits of this approach are many and would like to see it extended to more systems. However, the ombudsman concept is basically remedial and will, therefore, work best in the context of established rights and procedures. Furthermore, the function is not well understood or widely accepted in America, and some observers feel it has severe limitations in the context of American legal, political, and administrative traditions.

The "strongest", mechanism for safeguards which has been suggested is a centralized, independent Federal agency to regulate the use of all automated personal data systems. In particular, it has been proposed that such an agency, if authorized to register or license the operation of such systems, could make conformance to specific safeguard requirements a condition of registration or licensure. The number and variety of institutions using automated personal data systems is enormous. Systems themselves vary greatly in purpose, complexity, scope of application, and administrative context. Their possible harmful effects are as much a product of these- features as of computerization alone. We doubt that the need exists or that the necessary public support could be marshaled at the. present time for an agency of the scale and pervasiveness required to regulate all automated personal data systems. Such regulation or licensing, moreover, would be extremely complicated, costly, and might uselessly impede desirable applications of computers to record keeping.12

The safeguards we recommend require the establishment of no new mechanisms and seek to impose no constraints on the application of electronic data-processing technology beyond those necessary to assure the maintenance of reasonable standards of personal privacy in record keeping. They aim to create no obstacles to further development, adaptation, and application of a technology that, we all agree, has brought a variety of benefits to a wide range of people and institutions in modem society.

The proposed safeguards are intended to assure that decisions about collecting, recording, storing; disseminating,. and using identifiable personal data will be made with full consciousness and consideration of issues of personal privacy-issues that arise from inherent conflicts and contradictions in values and interests. Our recommended safeguards cannot assure resolution of those conflicts to the satisfaction of all individuals and groups involved. However, they can assure that those conflicts will be fully recognized and that the decision-making processes in both the private and public sectors, which lead to assigning higher priority to one interest than to another, will be open, informed, and fair.

The safeguards we will recommend are intended to create incentives for institutions that maintain automated personal data systems to adhere closely to basic principles of fair information practice. Establishment of a legal protection against unfair information practice to embody the safeguard requirements described in Chapters IV, V, and VI, will invoke existing mechanisms to assure that automated personal data systems are designed, managed, and operated with due regard for protection of personal privacy. We intend and recommend that. institutions should be held legally responsible for unfair information practice and should be liable for ,actual and punitive damages to individuals representing themselves or classes of individuals. With such sanctions institutional managers would have strong incentives to make sure their automated personal data systems did not violate the privacy of individual data subjects as defined.

Of greatest importance, from our point of view, the safeguards we will recommend give the courts a reliable and generally applicable basis for protecting personal privacy in relation to record keeping. The legal concept of fair information practice we recommend will obviate the need to search for new Constitutional doctrines or to invent ways of extending the existing common law of privacy to cover situations for which it is conceptually ill-suited.

The Costs of Safeguards

The safeguards we recommend will not be without costs, which will vary from system to system. The personal- data record-keeping practices of some organizations already meet many of the standards called for by the safeguards. The Social Security Administration, for example, maintains a record of earnings for each individual in the Social Security system, and each individual has the legal right to learn the content of his record. Procedures have been set up to allow an individual to find out easily what is in his record and to have the record corrected if it is wrong. Disclosure of an individual's record outside the system is forbidden, except under certain limited circumstances prescribed by statute and regulation, and there are criminal penalties for unauthorized disclosure. An individual is given notice and opportunity for a hearing when the record is being changed at the initiative of the Social Security Administration. These protections are a normal part of Social Security administration and,. in our view, demonstrate the feasibility of building such safeguards into any system. when the system's managers are strongly committed to do so.

We believe that the cost to most organizations of changing their customary practices in order to assure adherence to our recommended safeguards will be higher in management attention and psychic energy than in dollars. These costs can be regarded in part as deferred costs that should already have been incurred to protect personal privacy, and in part as insurance against future problems that may result from adverse effects of automated personal data systems. From a practical point of view, we can expect to reap the full advantages of these systems only if active public antipathy to their use is not provoked.13

The past two decades have given America intensive lessons in the difficulty of trying to check or compensate for undesirable side-effects stemming from headlong application and exploitation of complex technologies. Water pollution, air pollution, the annual highway death toll, suburban sprawl, and urban decay are all unanticipated consequences of the too narrowly conceived and largely unconstrained applications of technology. Hence, it is essential now for organizational decision makers to understand why they should be sensitive to issues of personal privacy and not permit their organizations unilaterally to adopt computer-based record-keeping practices that may have adverse effects on individuals. They must recognize where conflicts are likely to arise between an individual's desire for personal privacy and an organization's record-keeping goals and behavior. They must recognize that although individuals and record-keeping organizations do have certain shared purposes, they also have other purposes-some of which are mutual, though not perceived as such, and some of which can be in direct conflict.

Record-keeping organizations must guard against insensitivity to the privacy needs and desires of individuals; preoccupied with their own convenience or efficiency, or their relationships with other organizations, they must not overlook the effects on people of their record-keeping and record-sharing practices. They have the power to eliminate misunderstanding, mistrust, frustration, and seeming unfairness; they must learn to exercise it.

1 Appendix G contains a review of law that bears on the collection, storage, use, and dissemination of information by the Department of Health, Education, and Welfare.

2 44 U.S.C 3501-3511.

3 5 U.S.C 552.

4 The privacy implications of the Freedom of Information Act and its application to computer-based record- keeping systems are discussed in Arthur R. Miller, The Assault on Privacy (Ann Arbor: University of Michigan Press), 1971, pp. 152-161.

515 U.S.C. 1681-1681t (1970).

6The Fair Credit Reporting Act is a notable exception.

7 From this conclusion we should not be understood to be unaware of the potential significance of an unqualified right of personal privacy-either Constitutionally or by statute. We know of at least one instance in which the existence of such a right in a State constitution served as the basis for the State's Attorney General to deny access to certain public records whose disclosure was not explicitly provided for in the governing State statutes. We would support enactment of a right of personal privacy for many reasons, but not as the only or best way to protect personal privacy in computer-based record-keeping systems.

8 Alan F. Westin, Privacy and Freedom (New York: Atheneum), 1967, p. 7.

9 Ibid p. 373

10 Office of Science and Technology of the Executive Office of the President, Privacy and Behavioral Research (Washington, D.C., 1967), p. 8.

11 Charles Fried, "Privacy," The Yale Law Journal, Vol. 77 (1968), p. 482.

12 These comments point up what we regard to be the deficiencies of a regulatory approach that would constitute a single Federal agency as the regulatory body. They are not intended to discourage the development of regulation in specific, limited areas of application of computer-based record-keeping systems. For example, where particular institutions or societal functions are already subject to regulation, e.g., public utilities, common carriers, insurance companies, hospitals, it well may be that an effective way to introduce and enforce safeguard requirements would be through the public agencies that regulate such institutions. Such an approach has been adopted with respect to the credit-reporting industry (see discussion, Chapter IV, p. 69).

Many municipal governments have been exploring regulatory or quasi-regulatory mechanisms for applying safeguard requirements to so-called "integrated municipal information systems." The efficacy of such mechanisms has not yet been demonstrated; however, we know of several that appear promising in conception. In addition, at both State and local government levels, efforts are being made to regulate the use of criminal justice information systems.

13In addition to maintaining and using records of personal information, computer technology is a tremendous new force for development in many ways. Already, for example, computers are controlling traffic on city streets and highway systems, and in the air; supplementing human judgment in making medical diagnoses; monitoring air pollution; predicting the weather; and even acting as surrogates for human decision makers in controlling large electrical power systems, industrial manufacturing processes, and highspeed rail transportation systems. Such computer applications do not typically require identifiable information about people. That which is required is limited and need be retained for only a short time. Thus the social risks from computer systems such as these are beyond the scope of this report.

Table of Contents