Sweet Analytics, 'tis thou has ravished me!
Marlowe, Faustus, I, 34

VI. Special Problems of Statistical-Reporting and Research Systems.

When the United States was at war with Japan in 1942, the War Department asked the Census Bureau for the names and addresses of all Japanese-Americans who were living on the West Coast at the time of the 1940 Census. Persons of Japanese descent were being rounded up and transported inland for fear that some of them might prove disloyal in the event of a Japanese attack. Because of Title 13 of the U. S. Code, however, which prohibits disclosure of census data furnished by individuals, the Census Bureau could, and did, refuse to give out the names and addresses.

In 1969, the Mercer County (ICJ.) Prosecutor's Office subpoenaed the payment histories of 14 families participating in an income-maintenance experiment being conducted by a private contract research organization in Princeton. The prosecutor suspected that the families were defrauding the county welfare department by not reporting their monthly income from the experiment. The contractor found that it had no legal basis for resisting the subpoenas, even though its federally funded subcontract explicitly provided that "individual personal and financial information pertaining to all individuals and families who participate as respondents in this study shall remain strictly confidential."1

The difference between these two cases is clear and fundamental: In the Census case, the data were protected by a statute2 from disclosure in individually identifiable form; in the New Jersey case they were not.3 This chapter examines some of the problems posed by legally unprotected statistical-reporting and research files that contain data about identifiable individuals. It focuses on the need to protect individual data subjects from injury through disclosure of data about them, on one hand, and, on the other, the need to make files of personal data more accessible to persons who can make constructive use of the data they contain.

Background Observations

When we began our examination of automated record-keeping operations, we expected that we could leave out entirely data systems maintained exclusively for statistical reporting or research. We were mindful that in the mid-1960's a series of proposals4 to establish a national statistical data center had alerted the public to some of the dangers inherent in computer-based record-keeping operations. We also knew that the Freedom of Information Act contains no clear statement of Congressional intent with respect to the disclosure of individually identifiable data maintained for statistical reporting and research. We had assumed, however, that statisticalreporting and research data systems, by and large, would not contain data in personally identifiable form, and that if they did, the anonymity of individual data subjects would be protected by specific statutory safeguards. We were not prepared for the discovery that in many instances files used exclusively for statistical reporting and research do contain personally identifiable data, and that the data are often totally vulnerable to disclosure through legal process. This holds for data in Federal agency files as well as for data in the possession of State agencies and private research organizations.

Changes in social policy, which computer technology has to some extent facilitated, are in large part responsible for the existence of unprotected statistical-reporting and research files. Since the late 1950's, the Federal Government has been distributing increasingly large sums of money to the States on the basis of formulas that take account of special population characteristics. The recipient State governments, in turn, have been redistributing this money among their own political subdivisions, using grant-in-aid formulas that tend to generate new requirements for statistical data about people at nearly every level of government. Often coupled with these grants, moreover, have been planning requirements demanding highly detailed information about the populations of small geographic areas.

Program evaluation requirements, first levied on grant-in-aid recipients by Federal agencies and later explicitly written into some of the agencies' authorizing legislation, have been a further stimulus to the proliferation of statistical-reporting and research files containing data about people. From their initial emphasis on simple input accounting (how much was spent, by whom, for what purpose, on how many people, with which characteristics), evaluation studies have rapidly come to focus on measuring program effects.5 Because effects measurement usually requires before-andafter data on program participants, it has become necessary to preserve individual identities in evaluation research files. Interest in the specific events and processes that may account for changes in participant behavior over time has also grown along with interest in output measurement. Many of the factors that account for a participant's behavior are so subtle that they can only be isolated if records of people's movements and experiences are kept over an extended period.

A third factor that has enlarged the number of data files containing information about identifiable individuals is the broad support given to fundamental research in the social and biomedical sciences. In fact, files for research in these two areas may be the most numerous of all, and they exist in a variety of settings. Many such files are coming into the possession of government agencies as a consequence of contract arrangements that make agencies the proprietors of data generated in government-supported research and demonstration projects. Not all of these files contain information that identifies individual data subjects, but of those that do, the ones dealing with controversial social and political issues are particularly vulnerable to misuse in the absence of specific statutory safeguards.

The Need to Protect Data Subjects From Injury

Even at the Federal level there are few statutes that protect personal data in statistical-reporting and research files from unintended administrative or investigative uses. The Census Act, the Public Health Service Act, and the Social Security Act are notable exceptions. Otherwise there is little to prevent anyone with enough time, money, and perseverance (to say nothing of someone who can issue or obtain a subpoena) from gaining access to a wealth of information about identifiable participants in surveys and experiments. This should not, and need not, be the case.Social scientists and others whose research involves human subjects are vocal about the importance of being able to assure individuals that information they provide for statistical reporting and research will be held in strictest confidence and used only in ways that will not result in harm to them as individuals. Unless people get-and believe-such assurances, they will inevitably become either less willing or less reliable participants in surveys and experiments.6 Ideally, data subjects should also be told of the conditions under which they are being asked to provide information, and should be given an opportunity to refuse if they find those conditions unsatisfactory. It is often asserted, for example, that the decennial census (in which response is mandatory) is a feasible undertaking only because the public willingly co-operates, and that the public's cooperation is best obtained by explaining to respondents the uses to which the data will be put.

We believe the principle that no harm must come to an individual as a consequence of participating in a general knowledge-producing activity should be regarded as the essence of "use for statistical or research purposes only." Individual data subjects asked to provide data for statistical reporting and research should also be fully informed, in advance, of the known consequences for them of providing or not providing data. Survey respondents and participants in experiments and demonstration projects are largely dependent on what they are told by interviewers or by explanatory notes on forms. Hence, it is incumbent on the institution conducting or funding a statistical-reporting or research project to find out how vulnerable the data in its files are, and so to inform its data subjects.

Finally, we believe that the best way to assure that individual data subjects will not be harmed is to extend to all personal data generated through statistical-reporting and research activities the statutory protections that have been given to census data and certain classes of health and economic data collected and used in the public interest.

The Need for Freer Access to Data in Government Files

The obverse of the problem of data confidentiality is the need to make basic data more accessible for reuse or reanalysis by all qualified persons or institutions. Personal data systems for statistical reporting and research are largely in the hands of institutions that wield considerable power in our society. Hence, it is essential that data which help organizations to influence social policy and behavior be readily available for independent analysis.

The ubiquitous computer has increased both the quantity of data potentially available to users and the number of potential users. Unfortunately, however, the data dissemination capability of many funding and collecting institutions has not grown commensurately. Among the general purpose statistical operations of the Federal government, the Census Bureau has led the way in making data from standard statistical series easily available to users in a form that protects the anonymity of respondents. Other agencies, notably the National Center for Health Statistics, have followed suit.7 The Department of Health, Education and Welfare is currently preparing a guidebook of its "public use" data files.8

Laudable as these efforts are, it should be emphasized that they are being made, for the most part, by agencies or offices within agencies whose primary mission is statistical reporting and research. They do not address the problem of access to the statisticalreporting and research files that operating agencies develop in the course of evaluating programs or in adding to the general knowledge of program administrators. It is true, as noted earlier, that anyone with enough money, time, and perseverance can probably gain access to substantial amounts of data not generally available for public use. Yet the individual researcher, or the independent critical expert, however perseverant, may not even know that important data exist, much less where to find them. If he does find them, and if he can afford to have them put in usable form, the documentation may not be sufficient to permit reconstruction of the conditions and suppositions under which the data were collected. An agency holding data collected under a pledge of confidentiality may not be willing to go to the trouble (or may itself not be able to afford the cost) of expunging elements that would serve to identify individual data subjects in order to make the data available.

In principle, there need be no conflict between informing the public about how the government conducts its business and protecting individual data subjects from harm. If data cannot be made available for reuse or reanalysis without disclosing the identity of data subjects, special precautions may have to be taken before making basic data accessible to qualified persons outside the collecting organization, but such precautions can be taken. For example, each data subject could be asked at the time of the initial data collection if he would consent to participate in a follow-up study, on the understanding that consent would be sought anew each time a further follow-up study is undertaken. Although such arrangements may add to the expense and difficulty of some data collections, a public institution that uses scientific approaches and methods has a duty to make the work it sponsors or supports available for critical appraisal.

Making fully documented data available for reuse and reanalysis by persons competent to assess the interpretations that have been made of them can bring two benefits. First, the knowledge that other investigators will have an early opportunity to challenge its conclusions should tend to heighten the quality of the original collection and analysis, and second, advances in the sciences may produce more powerful techniques of analysis that could make it possible to glean additional information from data in the course of re-examining them.

Recommendations for Statistical-Reporting and Research Systems

In Chapter IV, we have recommended enactment of legislation establishing a code of fair information practice for all automated personal data systems. All the features of that code would apply to systems used exclusively for statistical reporting and research. Thesafeguard requirements to be included in the code for such systems are set forth below. They are designed to help protect the individual citizen against unintended or unforeseen uses of information he provides exclusively for statistical reporting and research, and to help assure that the uses organizations make of statistical-reporting and research data are subjected to independent expert review and open public discussion. Pending the enactment of a code of fair information practice as outlined in Chapter IV, we recommend that all Federal agencies (i) apply the safeguard requirements, by administrative action, to all Federal statistical-reporting and research systems, and (ii) assure, through formal rule making, that the safeguard requirements are applied to all systems within reach of the Federal government's authority. Pending the enactment of a code of fair information practice, we also urge that State and local governments, the institutions within reach of their authority, and all private organizations adopt the safeguard requirements by whatever means are appropriate.

In addition, we recommend that all personal data in systems used exclusively for statistical reporting and research be protected by statute from compulsory disclosure in identifiable form. The safeguard requirements recommended below are premised on the enactment of legislation granting such protection. There is no requirement, for example, guaranteeing data subjects access to the contents of records maintained about them. Theoretically, no such requirement is needed, since statistical-reporting and research data systems are not intended to be used to affect individuals directly; granting individuals access to records that can have no direct consequences for them as individuals would interfere with a system's operations to no useful end. In practice, however, the vulnerability of data in many statistical-reporting and research systems to compulsory disclosure in identifiable form means that for individual data subjects to be adequately protected from unforeseen disclosurers, those data must be afforded immunity from disclosure through compulsory legal process.

The safeguard requirements for statistical-reporting and research systems are modeled closely on the safeguard requirements for administrative systems in Chapter N. Hence explanatory notes are provided only in those cases where a requirement has been modified to fit the special characteristics of statistical-reporting and researchsystems. Where no notes appear following a requirement, the reader should refer to the notes on the corresponding safeguard in Chapter IV.


I. GENERAL REQUIREMENTSA. Any organization maintaining a record of personal data, which it does not maintain as part of an automated personal data system used exclusively for statistical reporting or research, shall make no transfer of any such data to another organization without the prior informed consent of the individual to whom the data pertain, if, as a consequence of the transfer, such data will become part of an automated personal data system that is not subject to these safeguard requirements or the safeguard requirements for administrative personal data systems (in Chapter IV).

All other safeguard requirements for statistical-reporting and research systems have been formulated to apply only to automated systems, although they would wisely be applied to all statistical-reporting and research systems, whether automated or manual. If this is not done, however, it is necessary to assure that individuals about whom an organization maintains records of personal data, which are not part of an automated system, will be protected in the event of transfers of such data to automated systems. Requirement LA. is intended to, rovide such protection for individuals by requiring that transfers of data about them to automated systems not subject to safeguard requirements be made only with their informed consent.

B. Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall:(I) Identify one person immediately responsible for the system, and make any other organizational arrangements that are necessary to assure continuing attention to the fulfillment of the safeguard requirements;

The obligation to identify a person responsible for the system is intended to provide a focal point for assuring compliance with the safeguard requirements and to guarantee that there will be someone with authority to whom individuals, groups, or organizations can go if other methods of dealing with the system are unsatisfactory. Systems that involve more than one organization may present special problems in this respect, and must be carefully designed to assure that a person is not shuffled from one organization to another when he seeks to assert any right under these requirements.

(2) Take affirmative action to inform each of its employees having any responsibility or function in the design, development, operation, or maintenance of the system, or the use of any data contained therein, about all the safeguard requirements and all the rules and procedures of the organization designed to assure compliance with them;

(3) Specify penalties to be applied to any employee who intiates or otherwise contributes to any disciplinary or other punitive action against any individual who brings to the attention of appropriate authorities, the press, or any member of the public, evidence of unfair information practice;

(4) Take reasonable precautions to protect data in the system from any anticipated threats or hazards to the security of the system;

(5) Make no transfer of individually identifiable personal data to another system without (i) specifying requirements for security of the data, including limitations on access thereto, and (ii) determining that the conditions of the transfer provide substantial assurance that those requirements and limitations will be observedexcept in instances when each of the individuals about whom data are to be transferred has given his prior informed consent to the transfer;

Requirement (5) has basically the same implications for statistical-reporting and research systems that it has for administrative systems (Chapter IV, p. 56). However, applied to statistical-reporting and research systems along with requirement 111 (2) (p. 101, below), requirement (5) will also preventan organization or a researcher from transferring data in identifiable form to another organization or researcher who could not fully guarantee that the transfer would result in no uses of the data not reasonably anticipated by the data subjects.

(6) Have the capacity to make fully documented data readily available for independent analysis.

This requirement should be understood to mean that data whose use helps an organization to influence social policy and behavior must be readily available. In cases where independent analysis could not be performed without knowing the identity of each data subject, a system would be considered fully "capable" if, for example, it had obtained the consent of each data subject to participate in a follow-on study, or had a policy of seeking the consent of data subjects on behalf of persons wanting to perform such independent analysis.


Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall give public notice of the existence and character of its system once each year. Any organization maintaining more than one such system shall publish annual notices for all its systems simultaneously. Any organization proposing to establish a new system, or to enlarge an existing system, shall give public notice long enough in advance of the initiation or enlargement of the system to assure individuals who may be affected by its operation a reasonable opportunity to comment. The public notice shall specify:

(1) The name of the system;(2) The nature and purpose(s) of the system;(3) The categories and number of persons on whom data are (to be) maintained;(4) The categories of data (to be) maintained indicating which categories are (to be) stored in computer-accessible files;(5) The organization's policies and practices regarding data storage, duration of retention of data, and disposal thereof;(6) The categories of data sources;(7) A description of all types of use (to be) made of data, indicating those involving computer-accessible files, and including all classes of users and the organizational relationships among them;(8) The procedures whereby an individual, group, or organization can gain access to data for independent analysis;(9) The title, name, and address of the person immediately responsible for the system;(10) A statement of the system's provisions for data confidentiality and the legal basis for them.

This requirement has two primary objectives: (1) to assure that there will be no automated personal data system whose very existence is kept secret from the public; and (2) to assure that uses of systems by organizations to help them influence social policy or behavior are not immune from independent expert scrutiny. Instances will no doubt arise in which announcement of a research project prior to undertaking it could seriously hamper part of the study. In other instances, the scale of a project might be so small, and its influence on social policy so remote, that strict compliance with the public notice requirement will seem unduly burdensome. For such cases some mechanism will have to be devised for granting exemptions from the public notice requirement. Because of the diversity of statistical-reporting and research activities that organizations conduct, sponsor, or support, we have not tried to specify criteria for granting exemptions or to prescribe any particular mechanism for dealing with requests for exemptions on a case-by-case basis. We do feel, however, that the people who want to do research that might qualify for an exemption should not be asked to bear the full burden of deciding whether an exemption is appropriate.The matter of exemptions from the public notice requirement is one to which careful attention will have to be addressed when the safeguard requirements are being applied by administrative action, andeventually in connection with the enactment of legislation establishing the code of fair information practice for statisticalreporting and research systems.

We have also refrained from specifying a uniform mechanism for giving notice. For Federal agencies, we would expect formal notice in the Federal Register, but a catalog of data files published annually would also suffice. We would expect State and local governments to use whatever comparable mechanisms are available to them. Other systems may find that notices given through professional journals or mailings would be appropriate. Whatever methods are chosen, an organization must have copies of its notices readily available to anyone requesting them.


Any organization maintaining an automated personal data system used exclusively for statistical reporting or research shall:

(1) Inform an individual asked to supply personal data for the system whether he is legally required, or may refuse, to supply the data requested, and also of any specific consequences for him, which are known to the organization, of providing or not providing such data;

As indicated in Chapter IV (p. 59, above), one purpose of this requirement is to discourage coercive collection of personal data that are to be used exclusively for statistical reporting and research. However, the requirement that an individual be informed of the consequences of providing, or not providing, data for a system is also intended to assure that no pledge to hold data in confidence will be given by a data-collecting organization without apprising each data subject of the legal limitations, if any, of such a pledge.

(2)9 Assure that no use of individually identifiable data is made that is not within the stated purposes of the system as reasonably understood by the individual, unless the informed consent of the individual has been explicitly obtained;

(3) Assure that no data about an individual are made available from the system in response to a demand for data made by means of compulsory legit process, unless the individual to whom the data pertain (i) has been notified of the demand, and (ii) has been afforded full access to the data before they are made available in response to the demand.

The intent of this requirement is similar to that of requirement Ill (S), as explained in Chapter IV (p. 63, above). Because there is no safeguard requirement for statistical-reporting and research systems giving an individual the right of access to data about himself (as provided in requirement 111 (2) for administrative systems), this requirement gives an individual that right in the event of a compulsory process demand. The need for this requirement would be obviated by enactment of legislation providing effective protection against compulsory disclosure of identifiable personal data maintained in statistical-reporting and research systems. However, until such legislation is enacted, or if, when enacted, the legislation leaves an organization maintaining such a system any discretion whatsoever to waive the protection against compulsory disclosure, this safeguard should be the minimum protection afforded individual data subjects.

Statutory Protection Against Compulsory Disclosure

A primary goal of safeguard requirements for statistical-reporting and research systems must be to protect individual data subjects from harm. That goal will be frustrated if, after having been assured that the data he provides for a system will be seen only by persons formally involved in the statistical-reporting or research project, a data subject finds that the data have been disclosed in identifiable form in response to a subpoena.

Statistical-reporting or research data that can be traced to identifiable individuals should not be subject to compulsory disclosure through legal process. In our view, there must be new Federal legislation protecting against such disclosure, and it should include the following features:

These are essential conditions for protecting statistical-reporting and research data from compulsory disclosure in identifiable form. Legislation incorporating the features indicated would not prevent the disclosure of basic records from a statistical-reporting or research system so long as data in the records could not be traced to specific individuals.

We offer no specific guidance on the form of the statutory protection. However, existing Federal confidentiality statutes contain some relevant examples. These range from absolute prohibitions against disclosure to authority for an administrative official to make disclosure regulations. Among the specific methods are the following:

Absolute Prohibition of Disclosure. Two existing statutes provide stringent protections for personal data held by Federal agencies.

(a) Data collected by the Bureau of the Census may not be revealed to anyone outside of the Bureau in a form in which an individual respondent is identifiable. There is no discretion for any Bureau official with respect to disclosure. There are criminal penalties for disclosure. The prohibition against disclosure serves to defeat legal process. If a respondent retains a copy of a report made to the Bureau, the copy, like the original, is immune from process. 13 U.S.C. 9,214.

(b) Data collected under the National Health Survey may not be used "for any purpose other than the statistical purpose for which it was supplied except pursuant to regulations of the Secretary [of Health, Education, and Welfare]; nor may any such information be published if the particular establishment or person supplying it is identifiable except with the consent of such establishment or person." Sec. 305(a) of the Public Health Service Act, 42 U.S.C. 242c. Here again, the holders of the records are given no discretion to reveal information or withhold it; only the establishment or the person who supplied the information has that discretion. Criminal penalties for disclosure derive from a general statute on disclosure of confidential information. 18 U.S.C. 1905.

Absolute Protection Against Compulsory Disclosure. A second pattern of data protection is provided by statutes that authorize a Federal official to authorize others to protect the privacy of individuals who are the subject of research by withholding from all persons not connected with the research the names and other identifying characteristics of such individuals. Such authority is vested in the Secretary of Health, Education, and Welfare by Section 303(a) of the Public Health Service Act, 42 U.S.C. 242a, with respect to drug research, and also by Section 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, 42 U.S.C. 4582, with respect to alcohol abuse and alcoholism research. Similar authority is given the Attorney General by Section 502(c) of the Comprehensive Drug Abuse Prevention and Control Act of 1970, 21 U.S.C. 872(c), with respect to "research." The latter authority speaks only of "research," but appears in a section of the statute dealing with research related to enforcement of laws concerning drugs.

The authority in each of these instances is explicit as to immunity from process. Those who obtain the authorization "may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceeding" to identify the subjects of research. These sections are of wide scope. The authorization may be given to anyone engaged in the specified type of research. Thus, the Secretary or Attorney General can extend it to Federal employees under his control, Federal employees in other agencies, grantees, and even to resea chers who are not grantees. However, there is no absolute prohibition on disclosure. The Secretary or Attorney General may grant or withhold the authorization. The researcher with the authorization "may not be compelled. . .to identify such individuals," but may choose to identify them pursuant to process or otherwise, subject to whatever other ethical or legal constraints exist. Thus, it is not strictly a privilege, like the lawyer-client privilege, in which the individual who has provided the information controls the action of the professional in responding to process.

Discretion to Disclose Under Specified Conditions. The Drug Abuse Office and Treatment Act of 1972 (P.L.. 92255) provides a third model. Section 408 of that Act, 21 U.S.C. 1175, establishes as confidential, and forbids disclosure of, patient records "which are maintained in connection with the performance of any drug abuse prevention function authorized or assisted under any provision of this Act or any Act amended by this Act." There is a criminal penalty for disclosure. If the patient gives written consent, the record may be disclosed for medical care purposes, or to govern mental personnel in order to obtain benefits for the patient. If the patient does not give consent, the record may be disclosed for emergency medical treatment; for research, audit, or evaluation purposes (as long as the patient's identity is not further disclosed); or if authorized by a court order upon application showing good cause. Criminal charges may not be initiated or substantiated on the basis of patient records, and patients may not be investigated on the basis of patient records, except pursuant to disclosure under a court order. The section continues to apply to a patient's records after he ceases to be a patient.

This statute speaks of records "maintained in connection with any drug abuse prevention function," and this seems to include records kept solely for research, but the term "patient" is used repeatedly. The Act's legislative history shows that confidentiality was provided so that drug abusers would more readily seek treatment. [H. Rept. No. 92-920, -92nd Cong., 2d Sess., 33(1972)]. Implementing regulations issued by the Special Action Office for Drug Abuse Prevention, 21 C.F.R. Part 401, define "patient" as anyone who is or has been interviewed, examined, diagnosed, treated, or rehabilitated in connection with any drug abuse prevention function, and include "research" in the definition of the drug abuse prevention function.

It should be noted that the function of the court order in this scheme is to authorize a disclosure which would otherwise be forbidden, rather than to compel disclosure. The implementing regulations make it clear that the holder of the records may disclose the records if so authorized by a court order, but is not obliged to do so.

Discretion to Specify the Condtions for Disclosure. Another pattern of protection is found in Section 1106(a) of the Social Security Act, 42 U.S.C. 1306(a). The section does not deal explicitly with research, but covers any information received by the Department of Health, Education, and Welfare in the course of discharging duties under the Social Security Act. The section provides that no disclosure shall be made "except as the Secretary may by regulations prescribe." Thus, an administrative official is authorized to designate classes of information that may be disclosed, and that may not be disclosed, and to determine when and to whom data may be disclosed. In effect, an administrative official has discretion (which must be exercised in advance in published regulations) to respond to legal process or not.

1 David N. Kershaw and Joseph C. Small, "Data Confidentiality and Privacy: Lessons from the New Jersey Negative Income Tax Experiment," Public Policy, Vol. XX, No. 2 (Spring 1972), p. 261. The Mercer County dispute stemmed from a change in the State public assistance law which made more participants in the experiment eligible for welfare than had been the case when the experiment began. The 1969 investigation was terminated when the contractor agreed to reimburse the county welfare agency for any overpayments that came to light. Two years later, however, the experiment was subjected to a four-month grand jury investigation of charges that the contractor had "instructed lowincome families taking part in the experiment not to report income subsidies to city and county welfare authorities . . . ." Ibid., p. 268. During this same period, access to the contractor's files was also sought by the General Accounting Office and the U. S. Senate Finance Committee. '

2 The current version of this protection provides that:Neither the Secretary, .nor any other officer or employee of the Department of Commerce or bureau or agency thereof, may ...(1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or (2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or (3) permit anyone other then the mom officers and employees of the Department or bureau or agency thereof to examine the individual reports . . . .13 U.S.C. 9(a).

3The New Jersey case is not unique. At least two other incidents of a similar nature have been reported. See John Walsh, "Anti-poverty R&D: Chicago Debacle Suggests Pitfalls Facing OEO, "Science, 165, 19 September 1969, pp. 1243-1245; and "Appeals Court Orders MD to Reveal Patients' Photos," Psychiatric News, VII:2, November 15, 1972, p. 1. The latter describes a pending court case involving the New York City Methadone Maintenance Treatment Program.

4Report of the Committee on the Preservation and Use of Economic Data to the Social Science Research Council, April 1965, reprinted as Appendix I in The Computer and Invasion of Privacy, Hearings before a Subcommittee of the Committee on Government Operations, U. S. House of Representatives, 89th Congress, 2d Session, July 26, 27, 28, 1966; Statistical Evaluation Report No. 6-Review of Proposal for a National Data Center, prepared by Edgar S. Dunn, Jr., also reprinted in The Computer and Invasion of Privacy as Appendix 2; and Report of the Task Force on the Storage of and Access to Government Statistics (Washington, D.C.: Bureau of the Budget), October 1966.

5There is today a substantial evaluation research literature to which the interested reader can refer for a fuller account of how this new government-supported activity has developed. See, for example, Edward A. Suchman, Evaluative Research (New York: Russell Sage Foundation), 1967; Francis G. Caro, Readings in Evaluation Research (New York: Russell Sage Foundation, 1971; and Peter H. Rossi and Walter Williams (Eds.), Evaluating Social Programs: Theory, Practice, and Politics (New York and London: Seminar Press), 1972.

6See Chapter 6, "Privacy and Confidentiality," in Federal Statistics, the Report of the President's Commission on Federal Statistics (Washington, D.C.: U.S. Government Printing Office), 1971.

7National Center for Health Statistics, Standardized Micro-Data Transcripts (Rockville, Md.: National Center for Health Statistics), December 1972.

8Guidebook to the U.S. Department of Health, Education, and Welfare Computer Data Flies, 1973 (forthcoming).Statistical-Reporting and Research Systems 95

9This requirement corresponds to requirement 111(3) in Chapter IV.

10 See Note 7, Chapter V, p. 85.

11This is a risk that arises when a population is so narrowly defined that tabulations are apt to produce cells small enough to permit the identification of individual data subjects, or when a person using a statistical file has access to information which, if added to data in the statistical file, makes it possible to identify individual data subjects. See 1. P. Felice, "On the Question of Statistical Confidentiality," Jowml of the American Statistical Association, 67:337 (Much 1972), pp. 7-18.

Table of Contents