Note to reader: This is Chapter 1 of Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission transmitted to President Jimmy Carter on July 12, 1977. The full Table of Contents is listed below.

1.  Introduction
2.  The Consumer-Credit Relationship
3.  The Depository Relationship
4.  Mailing Lists
5.  The Insurance Relationship
6.  The Employment Relationship
7.  Record Keeping in the Medical-Care Relationship
8.  Investigative-Reporting Agencies
9.  Government Access to Personal Records and "Private Papers"
10.  Record Keeping in the Education Relationship
11.  The Citizen as Beneficiary of Government Assistance
12.  The State Role in Privacy Protection
13.  The Relationship Between Citizen and Government: The Privacy Act of 1974
14.  The Relationship Between Citizen and Government: The Citizen as Taxpayer
15.  The Relationship Between Citizen and Government: The Citizen as Participant in Research and Statistical Studies
16.  The Social Security Number

Chapter 1


This report is about records and people. It looks toward a national policy to guide the way public and private organizations treat the records they keep about individuals. Its findings reflect the fact that in American society today records mediate relationships between individuals and organizations and thus affect an individual more easily, more broadly, and often more unfairly than was possible in the past. This is true in spite of almost a decade of effort to frame the objectives of a national policy to protect personal privacy in an information-dependent society. It will remain true unless steps are taken soon to strike a proper balance between the individual's personal privacy interests and society's information needs. In this report, the Privacy Protection Study Commission identifies the steps necessary to strike that balance and presents the Commission's specific recommendations for achieving it. This introductory chapter briefly describes the problem and focuses and defines the objectives of a national policy. It also weighs major competing values and interests and explains how the Commission believes its policy recommendations should be implemented.


One need only glance at the dramatic changes in our country during the last hundred years to understand why the relationship between organizational record keeping and personal privacy has become an issue in almost all modern societies. The records of a hundred years ago tell little about the average American, except when he died, perhaps when and where he was born, and if he owned land, how he got his title to it. Three quarters of the adult population worked for themselves on farms or in small towns. Attendance at the village schoolhouse was not compulsory and only a tiny fraction pursued formal education beyond it. No national military service was required, and few programs brought individuals into contact with the Federal government. Local governments to be sure made decisions about individuals, but these mainly had to do with taxation, business promotion and regulation, prevention and prosecution of crime, and in some instances, public relief for the poor or the insane.

Record keeping about individuals was correspondingly limited and local in nature. The most complete record was probably kept by churches, who recorded births, baptisms, marriages, and deaths. Town officials and county courts kept records of similar activities. Merchants and bankers maintained financial accounts for their customers, and when they extended credit, it was on the basis of personal knowledge of the borrower's circumstances. Few individuals had insurance of any kind, and a patient's medical record very likely existed only in the doctor's memory. Records about individuals rarely circulated beyond the place they were made.

The past hundred years, and particularly the last three decades, have changed all that. Three out of four Americans now live in cities or their surrounding suburbs, only one in ten of the individuals in the workforce today is self-employed, and education is compulsory for every child. The yeoman farmer and small-town merchant have given way to the skilled workers and white-collar employees who manage and staff the organizations, both public and private, that keep society functioning.

In addition, most Americans now do at least some of their buying on credit, and most have some form of life, health, property, or liability insurance. Institutionalized medical care is almost universally available. Government social services programs now reach deep into the population along with government licensing of occupations and professions, Federal taxation of individuals, and government regulation of business and labor union affairs. Today, government regulates and supports large areas of economic and social life through some of the nation's largest bureaucratic organizations, many of which deal directly with individuals. In fact, many of the private-sector record-keeping relationships discussed in this report are to varying degrees replicated in programs administered or funded by Federal agencies.

A significant consequence of this marked change in the variety and concentration of institutional relationships with individuals is that record keeping about individuals now covers almost everyone and influences everyone's life, from the business executive applying for a personal loan to the school teacher applying for a national credit card, from the riveter seeking check-guarantee privileges from the local bank to the young married couple trying to finance furniture for its first home. All will have their creditworthiness evaluated on the basis of recorded information in the files of one or more organizations. So also with insurance, medical care, employment, education, and social services. Each of those relationships requires the individual to divulge information about himself, and usually leads to some evaluation of him based on information about him that some other record keeper has compiled.

The substitution of records for face-to-face contact in these relation-ships is what makes the situation today dramatically different from the way it was even as recently as 30 years ago. It is now commonplace for an individual to be asked to divulge information about himself for use by unseen strangers who make decisions about him that directly affect his everyday life. Furthermore, because so many of the services offered by organizations are, or have come to be considered, necessities, an individual has little choice but to submit to whatever demands for information about him an organization may make. Organizations must have some substitute for personal evaluation in order to distinguish between one individual and the next in the endless stream of otherwise anonymous individuals they deal with, and most organizations have come to rely on records as that substitute. It is important to note, moreover, that organizations increasingly desire information that will facilitate fine-grained decisions about individuals. A credit-card issuer wants to avoid people who do not pay their bills, but it also strives to identify slow payers and well intentioned people who could easily get into debt beyond their ability to repay. Insurance companies seek to avoid people whose reputation or life style suggest that they may have more than the average number of accidents or other types of losses. Employers look for job applicants who give promise of being healthy, productive members of a work force. Social services agencies must sort individuals according to legally established eligibility criteria, but also try to see that people in need take advantage of all the services available to them. Schools try to take "the whole child" into account in making decisions about his progress, and government authorities make increasingly detailed evaluations of an individual's tax liability.

Each individual plays a dual role in this connection-as an object of information gathering and as a consumer of the benefits and services that depend on it. Public opinion data suggest that most Americans treasure their personal privacy, both in the abstract and in their own daily lives, but individuals are clearly also willing to give information about themselves, or allow others to do so, when they can see a concrete benefit to be gained by it. Most of us are pleased to have the conveniences that fine-grained, record-based decisions about us make possible. It is the rare individual who will forego having a credit card because he knows that if he has one, details about his use of it will accumulate in the card issuer's files.

Often one also hears people assert that nobody minds organizational record-keeping practices "if you have nothing to hide," and many apparently like to think of themselves as having nothing to hide, not realizing that whether an individual does or not can be a matter of opinion. We live, inescapably, in an "information society," and few of us have the option of avoiding relationships with record-keeping organizations. To do so is to forego not only credit but also insurance, employment, medical care, education, and all forms of government services to individuals. This being so, each individual has, or should have, a concern that the records organizations make and keep about him do not lead to unfair decisions about him.

In a larger context, Americans must also be concerned about the long-term effect record-keeping practices can have not only on relationships between individuals and organizations, but also on the balance of power between government and the rest of society. Accumulations of information about individuals tend to enhance authority by making it easier for authority to reach individuals directly. Thus, growth in society's record-keeping capability poses the risk that existing power balances will be upset. Recent events illustrate how easily this can happen, and also how difficult it can be to preserve such balances once they are seriously threatened.

This report concentrates on the delicate balance between various types of organizations' need for information about individuals and each individual's desire to be secure and fairly treated. It also recognizes, however, that government's expanding role as regulator and distributor of largess gives it new ways to intrude, creating new privacy protection problems. By opening more avenues for collecting information and more decision-making forums in which it can employ that information, government has enormously broadened its opportunities both to help and to embarrass, harass, and injure the individual. These new avenues and needs for collecting information, particularly when coupled with modern information technology, multiply the dangers of official abuse against which the Constitution seeks to protect. Recent history reminds us that these are real, not mythical, dangers and that while our efforts to protect ourselves against them must ultimately be fashioned into law, the choices they require are not mere legal choices; they are social and political value choices of the most basic kind.


The imbalance in the relationship between individuals and record-keeping institutions today is pointedly illustrated by the experiences of Catherine Tarver, a "welfare mother" from the State of Washington, and Mitchell Miller, a businessman from Kathleen, Georgia.

In the late 1960's Mrs. Tarver became ill and was hospitalized. The Juvenile Court, after reviewing a report by her caseworker which contained "assertedly derogatory contents," including an allegation of child neglect, placed her children temporarily in the custody of the Department of Public Assistance. A few months later, the Juvenile Court, after another hearing, exonerated Mrs. Tarver and returned her children to her, but the caseworker's report remained in her file at the Department of Public Assistance.

Although Mrs. Tarver had her children back and was no longer on the welfare rolls, she still wanted to have the caseworker's report removed from her file on the grounds that it was false, misleading, and prejudicial and would be available to other State social services agencies with whom she might subsequently have contact. When she asked for a fair hearing1 to challenge the report, the Public Assistance Department rejected her request because the grievance was not directly related to eligibility for public assistance. She sued in a State court but lost, the court agreeing with the welfare agency that the fair hearing procedure was not meant to deal with collateral problems. The U.S. Supreme Court refused to review her case and the caseworker's report remained in her file.

Mitchell Miller's difficulties began on December 18, 1972, when a deputy sheriff from Houston County, Georgia, stopped a Pepsico truck purportedly owned by Miller and found it was transporting 150 five-gallon plastic jugs, two 100-pound bags of wheat shorts, cylinders of bottled gas, and a shotgun condenser. Less than a month later, while fighting a warehouse fire, the sheriff and fire department officials found a 7,500 gallon distillery and 175 gallons of untaxed whiskey. An agent from the U. S. Treasury Department's Bureau of Alcohol, Tobacco and Firearms suspected Miller of direct involvement in both events and two weeks later presented grand jury subpoenas to the two banks where Miller maintained accounts. Without notifying Miller, copies of his checks and bank statements were either shown or given to the Treasury agents as soon as they presented the subpoenas. The subpoenas did not require immediate disclosure, but the bank officers nonetheless responded at once.

After he had been indicted, Miller attempted to persuade the court that the grand jury subpoenas used by the Treasury Department were invalid and, thus, the evidence obtained with them could not be used against him. He pointed out that the subpoenas had not been issued by the grand jury itself, and further, that they were returnable on a day when the grand jury was not in session. Finally, Miller argued that the Bank Secrecy Act's requirement that banks maintain microfilm copies of checks for two years2 was an unconstitutional invasion of his Fourth Amendment rights. The trial court rejected Miller's arguments and he appealed.

The Fifth Circuit Court of Appeals also rejected Miller's claim that the Bank Secrecy Act was unconstitutional, an issue that had already been resolved by the U.S. Supreme Court in 1974.3 The Court of Appeals agreed, however, that Miller's rights, as well as the bank's, were threatened and that he should be accorded the right to legal process to challenge the validity of the grand jury subpoenas. The Court of Appeals saw Miller's interest in the bank's records as deriving from the Fourth Amendment protection against unreasonable searches and seizures which protected him against "compulsory production of a man's private papers to establish a criminal charge against him."

On April 21, 1976, a fateful day for personal privacy, the U.S. Supreme Court decided that Mitchell Miller had no legitimate "expectation of privacy" in his bank records and thus no protectible interest for the Court to consider. The Court reasoned that because checks are an independent record of an individual's participation in the flow of commerce, they cannot be considered confidential communications. The account record, moreover, is the property of the bank, not of the individual account holder. Thus, according to the Court, Miller's expectation of privacy was neither legitimate, warranted, nor enforceable.

The Tarver and Miller decisions4 are the law of the land, and the Commission takes no issue with their legal correctness. Viewed from one perspective, these cases are very narrow and affect only a minute percentage of the population. Tarver might be seen as simply refusing an additional request from a welfare mother who had received the benefits she was entitled to under a program; Miller as a decision affecting only the technical procedural rights of a criminal defendant. Perhaps these two cases are not very compelling, but the Commission singles them out because each starkly underscores an individual's present defenselessness with respect to records maintained about him. Who is there to raise such issues if not people in trouble? They are the ones who reach for and test the limits of existing legal protections, and if the protections are not there for them, they will not be there for anyone.

In both cases, institutional policies and the legal system failed individuals in their efforts to limit the impact of records on their lives. The Tarver case warns that one may be able to do nothing about a damaging record, not even if it is false, until some adverse action is taken on the basis of it; that one has no way to prevent the damage such an action can do. The Miller decision goes even further, making records the property solely of the record keeper, so that the individual cannot assert any interest in them, although his interest would be assertable if he himself held the same records. Even worse, it warns that not only a "revenuer" but anyone, public or private, can gain access to an individual's bank records if the bank agrees to disclose them.

Each case illustrates systemic flaws in the existing means available to any individual who tries to protect himself against the untoward consequences of organizational record keeping. Together they strongly suggest that if Americans still value personal privacy, they must make certain changes in the way records about individuals are made, used, and disclosed. Since so much of an individual's life is now shaped by his relationships with organizations, his interest in the records organizations keep about him is obvious and compelling. The above cases and the rest of this report show how poorly that interest is protected. If it is to be protected, public policy must focus on five systemic features of personal data record keeping in America today.

First, while an organization makes and keeps records about individuals to facilitate relationships with them, it also makes and keeps records about individuals for other purposes, such as documenting the record-keeping organization's own actions and making it possible for other organizations-government agencies, for example-to monitor the actions of individuals.

Second, there is an accelerating trend, most obvious in the credit and financial areas, toward the accumulation in records of more and more personal details about an individual.

Third more and more records about an individual are collected, maintained, and disclosed by organizations with which the individual has no direct relationship but whose records help to shape his life.

Fourth, most record-keeping organizations consult the records of other organizations to verify the information they obtain from an individual and thus pay as much or more attention to what other organizations report about him than they pay to what he reports about himself; and

Fifth, neither law nor technology now gives an individual the tools he needs to protect his legitimate interests in the records organizations keep about him.

The topical chapters that follow document the importance of these five systemic characteristics of personal-data record keeping in America today and present the Commission's recommended approach to solving the problems they create. The Commission believes that by focusing on these five characteristics constructive solutions to most of the record-related privacy protection problems that confront American society today and in the foreseeable future can be found.

The first characteristic-the fact that an organization may use its records about individuals in accounting for its operations to other centers of power and authority in society-has important implications for any policy of record-keeping regulation. It prompts caution in considering prohibitions on the collection of items of information from or about individuals, but at the same time draws attention to the need for special safeguards when requiring an organization to record any information about an individual that it does not need to facilitate its own relationship with him.

The second systemic characteristic-the accumulation in records of more and more personal details-is clearly visible in some of an individual's credit and financial relationships. It will become even more apparent as electronic funds transfer systems mature. This accumulation, moreover, is not the result of more and more people being asked more and more questions, but rather reflects the need and capacity of a particular type of record-keeping organization to monitor and control transactions with its individual customers. As the Commission points out in Chapter 3, it is new perilously easy for such a build-up, however innocently practical the purpose, to crystallize into a personal profile of an individual. The possession of such profiles invites the use of them for marketing, research, and law enforcement, and, in an electronic funds transfer environment, could provide a way of tracking an individual's current movements. The dramatic shift in the balance of power between government and the rest of society that such a development could portend has persuaded the Commission of the compelling need to single it out for special public-policy attention and action.

The third systemic characteristic-the attenuation of an individual's relationships with record- keeping organizations when information generated in a direct relationship is recorded in the files of other organizations that have no direct relationship with him-lies at the core of the recommendations in this report. The Commission finds that most organizations that keep records about individuals fall into one of three categories: (1) the primary record keeper (such as a credit grantor, insurer, or social services agency) that has a direct relationship with the individual; (2) support organizations whose sole sources of information are the primary record keepers they serve; and (3) support organizations (usually of an investigative character) that have independent sources of information. While this typology does not fit all cases-credit bureaus, for example, supplement the information they receive from credit grantors with information they search out from public records-it can serve as a guide in apportioning responsibilities among record-keeping institutions.

The fourth characteristic-that a primary record keeper normally verifies the information about himself an individual provides it, and tends to lean as much or more on the verification information it gets from other organizations than on what the individual divulges about himself-gives rise to some of the most difficult privacy protection issues. As records progressively displace face-to-face acquaintance, individuals are more and more driven to permit information in records about them to be disclosed as a condition of receiving services and benefits. For example, an individual who wants a credit card usually cannot have one unless he is willing to permit information about his credit usage to be disclosed regularly to credit bureaus, and through them to other credit grantors. An individual who applies for life insurance must agree to allow medical information about him to be disclosed to the Medical Information Bureau, and through the Bureau to later inquiring life and health insurers. An individual must now allow information to be disclosed from his medical records for a growing number of purposes even though the medical-care relationship requires him to divulge the most intimate details of his life and undergo the most intimate observation.

The sharing of information among record-keeping organizations also transmits the stigma that goes with some kinds of information. One's own physician, for example, may heartily approve of taking a minor or temporary problem to a psychiatrist, but the potential consequences 'of disclosing the mere fact that one has had psychiatric treatment are too well known to need description. Equally serious for some individuals are the consequences of disclosing arrest records, military discharge codes, and previous adverse insurance decisions, and the simple fact that a number of credit grantors asked for credit reports on a particular individual during a short span of time can adversely affect an evaluation of his credit worthiness. Such problems stem in part from the tendency of organizations to accept at face value information they get about individuals from other organizations. Questions are seldom asked about the social or bureaucratic processes by which the information came to be in the other organization's records, so that unwarranted assumptions can easily be made about its value. For the individual, of course, such an unwarranted assumption can start a progression of fortuitous events that may permanently deprive him of opportunities he deserves, or make it impossible for him to escape a particular line of inquiry whenever he seeks to establish a relationship with another organization.

The fifth and last characteristic-that neither law nor technology gives an individual the tools he needs to protect himself from the undeserved difficulties a record can create for him-may also leave him helpless to stop damage once it has started. Current law is neither strong enough nor specific enough to solve the problems that now exist. In some cases, changes in record-keeping practice have already made even recent legal protections obsolete. As record-keeping systems come to be used to preclude action by the individual, a recent trend in the credit and financial areas, it is important that the individual also be given preventive protections to supplement the after-the-fact protections he sometimes has today. The fact that Fair Credit Reporting Act procedures will enable him to get errors in the record corrected can be small and bitter comfort to a traveler stranded in a strange city late at night because information about his credit-card account status was inaccurately reported to an independent authorization service. He would undoubtedly prefer a procedure that would enable him to get an error corrected before it entered into an adverse decision about him, and so would most everyone if he stopped and thought about it.

The Commission also found numerous examples of situations in which decisions or judgments made on the basis of a record about an individual can matter to the individual very much but in which he has no substantive or procedural protection at all. The law as it now stands simply ignores the strong interest many people have in records about them-applicants to graduate and professional schools, people being considered for jobs or promotions for which they have not formally applied, patients whose records are subpoenaed as evidence in court cases that do not involve them directly, proprietors of small businesses who are the subjects of commercial-credit investigations, and individuals who are the subjects of Federal agency records the agency retrieves and uses by reference to some characteristic of the individual other than his name or an assigned identifying particular.

Paralleling the categories of individuals without protection under current law, there are categories of records that are subject to existing legal requirements if they are created by one particular type of organization, but not if they are created by any other type of organization, although the record and its purpose may be the same in all cases. For example, an investigative report is subject to restrictions if it was prepared by an investigative agency, but not if it was prepared by an insurance company or employer.

The Commission also found that whether a record is subject to existing law can depend on the technique by which it is generated or retrieved. For example, how does the Equal Credit Opportunity Act, a law drawn on the assumption that credit decisions turn on one or two particular items of information about the applicant, apply when a credit grantor uses "point scoring," a new method of evaluating credit applicants which submerges all the particular items of information about the applicant into one overall score?

The prescreening of mailing lists5 is another record-keeping technique that muddies the assumptions underlying existing legal protections. If a mailing list is to be used by a credit grantor to solicit new customers but is first run through an automated credit bureau where an individual's name is deleted from the list because his credit bureau records are in error as to the promptness with which he pays his bills, has he been subjected to an adverse credit decision? The law is currently unclear.

The role that technique can play in determining whether a particular type of record or record- keeping operation is or is not within the scope of existing legal protections is comparatively new. It arises in the main from automation, which multiplies the uses that can be made of a record about an individual, and will grow in importance as new record-keeping applications of computer and telecommunications technology are developed. Computers and telecommunications serve the interests of institutions and can be best appreciated as extensions of those interests, as subsequent chapters suggest. The failure to recognize that relationship has deflected attention from the essential policy choices the new technologies offer. Nonetheless, without the new technologies, certain record-keeping practices and the organizational activities they support would not be possible.

The broad availability and low cost of computer and telecommunications technologies provides both the impetus and the means to perform new record-keeping functions. These functions can bring the individual substantial benefits, but there are also disadvantages for the individual. On one hand, they can give him easier access to services that make his life more comfortable or convenient. On the other, they also tempt others to demand, and make it easier for them to get access to, information about him for purposes he does not expect and would not agree to if he were asked.

It is also quite evident that record-keeping organizations exploiting these new technologies to facilitate their own operations now pay little heed to the ways they could use the same technologies to facilitate exercise of the individual's rights and prerogatives in records used to make important decisions about him. It is ironic but true that in a society as dependent as ours on computer and telecommunications technology, an individual may still have to make a personal visit to a credit bureau if he wants access to the information the bureau maintains about him, or to get an erroneous record corrected. Although an error in a record can now be propagated all over the country at the speed of light, many organizations have made no provision to propagate corrections through the same channels, and existing law seldom requires them to do so. As a general proposition, system designers by and large have not fully used their knowledge and capabilities to make record-keeping systems serve individual as well as organizational needs and interests.

This is not to lay the blame on system designers, who are people doing what they are asked to do by the record-keeping organizations that support or pay for their services. The fault lies in the lack of strong incentives for the organization to ask them to do what they know how to do in the individual's interest. One reason for the way systems are designed and have been operated in the past has been their high cost. Instead of costing more, however, increased technological capability is now costing less and less, making it easier than ever for record-keeping organizations to take account of the individual's interests as well as their own, if they have incentives to do so.

One of the most striking of the Commission's several findings with respect to the current state of record-keeping law and practice is how difficult it can be for an individual even to find out how records about him are developed and used. What makes the difficulty the more serious is that the limited rights he now has depend in the main on his taking the initiative to exercise them. The list of records kept about an individual of which he is not likely to be aware seems endless. Even when he knows a record is being compiled, he often does not know what his rights with respect to it are, much less how to exercise them effectively, nor is he likely to be aware at the time he enters a record- keeping relationship of the importance of finding out.

In most cases, the individual can only guess at what types of information or records will be marshaled by those making any particular decision about him; furthermore, the specific sources are likely to be concealed from him. The situation makes it all but impossible for him to identify errors, or if he does, to trace them to their source. It also makes it impossible for him to know whether organizations with which he believes he has a confidential relationship have disclosed records about him to others without his knowledge or consent.


Every member of a modern society acts out the major events and transitions of his life with organizations as attentive partners. Each of his countless transactions with them leaves its mark in the records they maintain about him. The uniqueness of this record-generating pressure cannot be overemphasized. Never before the Twentieth Century have organizations tried or been expected to deal with individuals in such an exacting fashion on such a scale. Never before have so many organizations had the facilities for keeping available the information that makes it possible for them to complete daily a multitude of transactions with a multitude of individuals, and to have the relevant facts on each individual available as a basis for making subsequent decisions about him. Obviously the advent of computing technology has greatly contributed to these changes, but automated record-keeping has grown in concert with many other changes in administrative techniques, and in public attitudes and expectations.

The Commission finds that as records continue to supplant face-to-face encounters in our society, there has been no compensating tendency to give the individual the kind of control over the collection, use, anddisclosure of information about him that his face-to-face encounters normally entail.

What two people divulge about themselves when they meet for the first time depends on how much personal revelation they believe the situation warrants and how much confidence each has that the other will not misinterpret or misuse what is said. If they meet again, and particularly if they develop a relationship, their self-revelation may expand both in scope and detail. All the while, however, each is in a position to correct any misperception that may develop, and to judge whether the other is likely to misuse the personal revelations, or pass them on to others without asking permission. Should either suspect that the other has violated the trust on which the candor of their communication depends, he can sever the relationship altogether, or alter its terms, perhaps by refusing thereafter to discuss certain topics or to reveal certain details about himself. Face-to-face encounters of this type, and the human relationships that result from them, are the threads from which the fabric of society is woven. The situations in which they arise are inherently social, not private, in that the disclosure of information about oneself is expected.

An individual's relationship with a record-keeping organization has some of the features of his face-to-face relationships with other individuals. It, too, arises in an inherently social context, depends on the individual's willingness to divulge information about himself or to allow others to do so, and often carries some expectation as to its practical consequences. Beyond that, however, the resemblance quickly fades.

By and large it is the organization's sole prerogative to decide what information the individual shall divulge for its records or allow others to divulge about him, and the pace at which he must divulge it. If the record keeping organization is a private-sector one, the individual theoretically can take his business elsewhere if he objects to the divulgences required of him. Yet in a society in which time is often at a premium, in which organizations performing similar functions tend to ask similar questions, and in which organizational record-keeping practices and the differences among them are poorly perceived or understood, the individual often has little real opportunity to pick and choose. Moreover, if the record-keeping organization is a public-sector one, the individual may have no alternative but to yield whatever information is demanded of him.

Once an individual establishes a relationship with a record-keeping organization, he has even less practical control over what actually gets into a record about him, and almost none over how the record is subsequently used. In contrast to his face-to-face relationships with other individuals, he can seldom check on the accuracy of the information the organization develops about him, or discover and correct errors and misperceptions, or even find out how the information is used, much less participate in deciding to whom it may be disclosed. Nor, as a practical matter, can he sever or alter the terms of the relationship if he finds its informational demands unacceptable.

A society that increasingly relies on records to mediate relationships between individuals and organizations, and in which an individual's survival increasingly depends on his ability to maintain a variety of such relation- ships, must concern itself with such a situation. Ours has begun to do so, and the Commission's inquiry showed that the individual's ability to protect himself from obvious record-keeping abuses has improved somewhat in recent years. Nevertheless, most record-keeping relationships are still dangerously one-sided and likely to become even more so unless public policy makers create incentives for organizations to modify their record-keeping practices for the individual's protection, and give individuals rights to participate in record-keeping relationships commensurate with their interest in the records organizations create and keep about them.

Accordingly, the Commission has concluded that an effective privacy protection policy must have three concurrent objectives:

These three objectives both subsume and conceptually augment the principles of the Privacy Act of 19746 and the five fair information practice principles set forth in the 1973 report of the Department of Health, Education, and Welfare's Secretary's Advisory Committee on Automated Personal Data Systems.7 The second objective, to maximize fairness, in a sense subsumes all of them, and many of the Commission's specific recommendations articulate them in detail. The Commission has gone about protecting personal privacy largely by giving an individual access to records that pertain to him. Taken together, however, the three proposed objectives go beyond the openness and fairness concerns by specifically recognizing the occasional need for a priori determinations prohibiting the use, or collection and use, of certain types of information, and by calling for legal definitions of the individual's interest in controlling the disclosure of certain types of records about him.

Minimizing Intrusiveness

The Commission believes that society may have to cope more adequately in the future with objections to the collection of information about an individual on the grounds that it is "nobody's business but his own." There are only a few instances where the collection, or collection and use, of a particular type of information has been proscribed on grounds of impropriety, i.e., unwarranted intrusiveness. There are a number of examples of the proscription of certain uses of particular types of information, such as race, sex and marital status, but the character of these fairness-based proscriptions is not the same as when unwarranted intrusive-ness is the rationale. When fairness is the overriding concern, organizations must often continue to collect the information in question in order to demonstrate compliance. For example, how can an employer or credit grantor show that it is not systematically using sex and race to discriminate among applicants unless it records the sex and race of all applicants? When impropriety is the main concern, however, the mere asking of the question must be proscribed. The proscription may also apply to use, but only to make sure that if the proscribed information is already on record, it will not enter into the decision-making process.

The intrusiveness issue is perhaps the most difficult one the Commission addresses. Whether or not the questions an organization asks individuals constitute intrusions on personal privacy is a problem that begins with the lines of inquiry society accepts as proper for an organization to pursue in making decisions about individuals. Thus, so long as society countenances a particular line of inquiry, questions as to how far it may properly go seem largely aesthetic. Indeed, if an individual's only concern is to be fairly treated, he should logically prefer to have recorded as much information as possible about himself as protection against inaccurate evaluation. For the individual there is clearly a trade-off. Does he always want to be evaluated on the basis of information that is, from an objective standpoint, strictly relevant, or does he prefer to be evaluated on the basis of a thoroughgoing inquiry that may give context to his particular situation and allow extenuating but not patently relevant circumstances to be taken into account? Such questions are extremely difficult if not impossible to answer. The Commission, in the chapters that follow, recommends four ways of addressing them..

First, the Commission recommends that individuals be informed more fully than they now are of the information needs and collection practices of a record-keeping organization in advance of committing themselves to a relationship with it. If the individual is to serve as a check on unreasonable demands for information or objectionable methods of acquiring it, he must know what to expect so that he will have a proper basis for deciding whether the trade-off is worthwhile for him.

Second, the Commission also recommends that a few specific types of information not be collected at all. For example, in the employment and personnel area, the Commission will recommend that arrest information not be collected by employers for use in hiring and promotion decisions unless its use for such purposes is required by law.

Third, the Commission proposes certain limitations on the information collection methods used by record-keeping organizations. In general, the Commission believes that if an organization, public or private, has declared at the start its intent to make certain inquiries of third parties, and to use certain sources and techniques in doing so, it should be constrained only from exceeding the scope of its declaration. The Commission also recommends that private-sector record keepers be required to exercise reasonable care in selecting and retaining other organizations to collect information about individuals on their behalf. These "reasonable care" recommendations and the ones that would bar pretext interviews and make acquiring confidential information under false pretenses punishable as a criminal offense, are the Commission's response to testimony showing that some organizations make a business of acquiring confidential records about individuals without their authorization for use by lawyers and insurance claim adjusters.

Finally, in some areas, the Commission supports the idea of having governmental mechanisms both to receive complaints about the propriety of inquiries made of individuals and to bring them to the attention of bodies responsible for establishing public policy. The Commission believes, however, that such complaints require the most delicate public-policy response. Our society is wary of government interference in information flows, and rightly so, even when personal privacy is at stake. It may be warranted in some cases, but only as a last resort. Thus, the Commission prefers to see such concerns addressed to the greatest possible extent by enabling the individual to balance what are essentially competing interests within his own scheme of values.

Maximizing Fairness

A principal objective of the Privacy Act of 1974 is to assure that the records a Federal agency maintains about an individual are as accurate, timely, complete, and relevant as is necessary to assure that they are not the cause of unfairness in any decision about the individual made on the basis of them. Proper management of records about individuals is the key to this objective, and the Privacy Act seeks to enlist the individual's help in achieving it by giving him a right to see, copy, and correct or amend records about himself. The Fair Credit Reporting Act (FCRA) and the Fair Credit Billing Act (FCBA) also focus on fairness in record keeping, though their scope of application and their specific requirements differ from those of the Privacy Act. FCRA requirements apply primarily to the support organizations which verify and supplement the information a credit, insurance, or employment applicant divulges to the primary record keepers in those three areas, but which do not themselves participate in decisions about applicants. The FCBA, however, applies to primary record keepers but only to a particular type-grantors of credit that involves regular billing-and only to a particular aspect of their operations-the settlement of billing disputes.

Other recent legislation centering on fairness in record keeping includes the Family Educational Rights and Privacy Act of 1974 and the several State fair-information-practice statutes. Their scope and specific requirements approximate those of the Privacy Act more closely than do those of any of the fairness-centered statutes that currently apply to the private sector.

All of these efforts to establish fairness protections for records about individuals have been resisted. The arguments against them have ranged from the alleged need to keep secret the identity of third-party sources, even institutional sources, to fear that organizations would be inundated with requests to see, copy, and correct records. These arguments are still heard, despite the fact that wherever such protections have been established, most of the anticipated difficulties have failed to materialize.

The vast majority of the Commission's recommendations relate directly or indirectly to fairness in record keeping. For the individual, necessary fairness protections include a right of access to records about himself for the purpose of reviewing, copying, and correcting or amending them as necessary plus some control over the collection and disclosure of information about him. For organizations, fairness protection includes the responsibility to apprise individuals that records have or will be created about them, and to have reasonable procedures for assuring the necessary accuracy, timeliness, completeness, and relevance of the information in the records they maintain about individuals, including a responsibility to forward corrections to other organizations under specified circumstances. The Commission believes, however, that achieving the fairness objective will depend on varying the combination of rights for individuals and responsibilities for organizations according to the particular circumstances of each type of record-keeping relationship.

For example, the Commission will recommend that applicants in several areas of record keeping be apprised of the scope, sources, and methods of inquiry the organization intends to use in verifying application information, but the recommended requirement is not precisely the same in each case. Similarly, the Commission will also recommend a general right of access for individuals to the records about them maintained by insurance institutions and medical-care providers. But because credit and depository institutions typically have procedures for keeping an individual apprised of the content of the records they maintain about him, the Commission there will recommend a more limited right of access for individuals to be triggered by an adverse decision. So also the Commission concluded that the individual's right of access to records about him maintained for research and statistical purposes can safely be limited to situations in which such a record may be used in making a decision about him.

The right to correct or amend a record is essential to fairness in many areas. To be effective, it must usually be coupled with an obligation of the record-keeping organization to forward the correction or amendment to past recipients of inaccurate or incomplete information. The Commission has recommended modifying this blanket obligation somewhat to require that record keepers need forward corrections and amendments only to past recipients designated by the individual and those to which the record-keeping organization regularly discloses the kind of information in question. The Commission believes that this modification has the desirable effect of relieving record-keeping organizations of the obligation to keep an accounting of every disclosure of every record about an individual without materially weakening the individual's protection. Amendments would, of course, still have to be forwarded to future recipients and the insurance and employment recommendations call, in addition, for automatic propagation of corrections and amendments to investigative support organizations that were sources of corrected or amended information. All of the correction and amendment recommendations also make provision for disagreements between the individual and a record-keeping organization about the accuracy, timeliness, or completeness of a record.

In regard to fairness in disclosure, the Commission recommends requiring the individual's authorization where it finds that a necessary protection, and specifies what it believes the authorization statement should contain if it is to serve both the information needs of, for example, insurers and employers and the individual's interest in controlling the divulgence of information about himself by record keepers with which he has a confidential relationship. The Commission's recommendations in this regard recognize the gatekeeping role that certain types of records play-that is, the role they play in decisions as to whether an individual will be allowed to enter into particular social, economic, or political relationships, and if so, under what circumstances. Where records play such a role, the individual usually has no choice but to allow them to be used in making decisions about him. Since informed consent is valid only if wholly voluntary, it means little in this context. Hence, the Commission finds authorization the appropriate pre-condition of disclosure, rather than informed consent, and couples it with a principle of limited disclosure. This principle is a key concept because it asserts that a disclosure should include no more of the recorded information than the authorized request for disclosure specifies. The Commission recognizes, and indeed emphasizes, that the holder of a record cannot and should not bear the burden of deciding what information to disclose when presented with a valid authorization statement of the type the Commission recommends. The main problem is that some keepers of records that contain intimate personal details routinely disclose much more information about individuals than they are asked for, simply as a matter of convenience and economy. The Commission, therefore, has established the principle of limited disclosure as a general tenet of fair record-keeping practice.

The Commission's fairness recommendations generally call for reason-able procedures to assure accuracy, timeliness, and completeness in records of information about individuals. For example, in the public sector, the Commission recommends that reasonable procedures be an affirmative management obligation, while in the private sector, it relies on the rights it recommends for individuals to assure that organizations adopt reasonable procedures.

The Commission believes that by opening up record-keeping practices and by giving an individual opportunities to interact easily with a record keeper, particularly at crucial points in a record-keeping relationship, both individuals and organizations will benefit. The quality of the information in records will be improved while at the same time the individual and the organization will both be protected from errors or other deficiencies that can have untoward consequences for both.

Legitimizing Expectations of Confidentiality

The third public-policy objective, protecting confidentiality, pertains to the disclosure of information about an individual without his consent. Confidential treatment of recorded information is necessary for the maintenance of many kinds of relationships between individuals and organizations. The medical-care relationship, for example, often demands uninhibited candor from the individual about the most intimate details of his private life. There are also relationships between individuals and organizations that depend on the accumulation of extremely detailed records about the individual's activities, such as those compiled by a bank or by an independent credit-card issuer. The records of these relationships provide a revealing, if often incomplete, portrait of the individual, often touching on his beliefs and interests as well as his actions. While in theory these relationships are voluntary, in reality an individual today has little choice but to establish them as he would be severely, and perhaps insurmountably, disadvantaged if he did not.

There is also the fact that many of the records about individuals which these record keepers now maintain are the kinds of records the individual formerly would have kept in his exclusive possession. The transactional record a checking account creates, for example, would have existed a century ago in the form of receipts or, at most, ledger entries kept by the individual himself at home.

As long as records remained in his possession, both law and societal values recognized his right to control their use and disclosure. Government in particular was restricted in its ability to gain access to them, even to facilitate a criminal prosecution. When organizations began to maintain such records, however, the individual began to lose control over who might see and use them. The balance society had deemed crucial was disrupted.

Although individuals have tended to retain the old value system, expecting certain records to be held in confidence by the organizations that now maintain them, the law has not taken account of that fact. The protections that exist still apply in almost all instances only to records in the individual's exclusive possession. The lack of a legal interest for the individual in the records organizations maintain about him has put him in an extremely vulnerable position. The scale and impersonality of organizational record keeping today allows him little opportunity to influence an organization's own use and disclosure practices, and as the Miller case showed, he has no interest whatsoever to assert when government demands access to the records an organization maintains about him. The Miller case said, in effect, that government no longer has to operate within the strictures of the Fourth and Fifth Amendments when it wants to acquire financial records pertaining to an individual; that what were once his private papers are now open to government scrutiny. What amounts to mere curiosity will suffice as justification if government agents want to see them.

To help redress the imbalances between individuals and organizations on one hand, and individuals, organizations and government on the other, the Commission recommends in this report that a legally enforceable "expectation of confidentiality" be created in several areas. The concept of a legally enforceable expectation of confidentiality has two distinct, though complementary, elements. The first is an enforceable duty of the record keeper which preserves the record keeper's ability to protect itself from improper actions by the individual, but otherwise restricts its discretion to disclose a record about him voluntarily. The second is a legal interest in the record for the individual which he can assert to protect himself against improper or unreasonable demands for disclosure by government or anyone else. The Commission has concluded that without this combination of duty and assertable interest, the law as it stands now will continue to deprive the individual of any opportunity to participate in decisions of organizations to disclose records kept about him, whether the disclosure is voluntary or in response to an authoritative demand.

The Commission specifies what it considers to be the proper terms of the individual's enforceable expectation in relationships with credit grantors, depository institutions, insurers, medical-care providers, the Internal Revenue Service, and providers of long-distance telephone service. Once again the recommendations are tailored to the particulars of each kind of record-keeping relationship. In each case, the Commission recommends that a protectible legal interest for the individual be created by statute; specifies the voluntary disclosures it believes should be permissible without the individual's consent and the procedures for establishing them; and sets forth the rules for initiating and complying with government demands for access to records. In no instance, however, does the Commission advocate complete, unilateral control by the individual. In every case it has respected the record-keeping organization's legitimate interests when threatened by actions of the individual. In essence, the Commission has said that the individual's interest must be recognized; that there must be procedures to force conflicting claims into the open; and that within this framework established by public policy, value conflicts should be resolved on a case-by-case basis.


A major theme of this report is that privacy, both as a societal value and as an individual interest, does not and cannot exist in a vacuum. Indeed, "privacy" is a poor label for many of the issues the Commission addresses because to many people the concept connotes isolation and secrecy, whereas the relationships the Commission is concerned with are inherently social. Because they are, moreover, the privacy protections afforded them must be balanced against other significant societal values and interests. The Commission has identified five such competing societal values that must be taken into account in formulating public policy to protect personal privacy: (1) First Amendment interests; (2) freedom of information interests; (3) the societal interest in law enforcement; (4) cost; and (5) Federal-State relations.


The legitimate expectation of confidentiality is a concept the Commission endorses for several of the record-keeping relationships examined in this report. The policy objective is that when the relationship is one involving confidentiality of records, the record keeper shall be constrained from disclosing information about an individual without his authorization, either voluntarily or in response to a demand for it. The Commission recognizes that recommending any restriction on the free flow of truthful information raises serious questions in a democratic society, and sought ways to avoid conflict with both the goals of the First Amendment to the Constitution, and with the policy of broad access to public information articulated in statutes like the Freedom of Information Act.

When the Commission recommends rules to govern a record keeper's voluntary disclosure of a record about an individual, it does not attempt to specify, nor does it assign to either government or the individual the responsibility of determining which information in the record may or may not be disclosed. Neither does the Commission recommend any liability for third parties who merely receive information or records generated by a confidential relationship. The Commission's recommendations simply specify to whom information may be disclosed without the individual's consent. The role of government in the enforcement of a recommended expectation of confidentiality would be simply to act, through the courts, as referee in disputes between a record keeper and an individual about whether an expectation is legitimate and whether it has been violated. Government would have no independent interest to enforce, and would take no enforcement initiative, except where deception or misrepresentation is used to acquire medical records without the patient's consent. Only the individual would have an enforceable interest.

The Commission takes great care to avoid recommendations that would amount to regulating the content of records collected, maintained, or disclosed by private-sector organizations because of two related considerations, one abstract, the other concrete. The first consideration is that a democratic society must keep governmental intrusion into the flow of information to a minimum; the second is that the First Amendment sharply limits such government intrusion. Of importance here are the recent decisions of the U.S. Supreme Court that have found private commercial information flows as deserving of First Amendment protections as the personal exercise of the right of free speech.

In simplified terms, the First Amendment prohibits the Federal government (and through the Fourteenth Amendment, the States) from enacting any law which would abridge the right to communicate information to others or to receive information from others.8 Broad as it is, this interpretation of the right to free speech does not mean the right is unlimited. It allows for such familiar strictures on the content of information exchanges as prohibiting slanderous or libelous communications, and, more pertinent to the question here, it allows for certain regulation of the process of communication when it occurs in a public forum. In other words, government may properly regulate the flow of information to the extent its regulations apply only to the process of communication in public places.

In addition, the Supreme Court has been willing to accept some government actions which require private organizations to comply with the decision an individual has made regarding the communications he does not want to receive. In Lamont v. Postmaster General,9 for example, the issue was the constitutionality of a Federal statute requiring the Postal Service to prevent firms from mailing material to individuals who have indicated that they do not want it because they consider it obscene. Because the statute leaves all determinations about content to the individual and requires the Postal Service only to see that the individual's wishes are respected, the Supreme Court held the statute constitutional. In other words, it is not unconstitutional to give an individual standing to assert his own interest in the flow of communication between private parties.

Individuals and organizations that do not engage in commercial activities have traditionally enjoyed the full range of constitutional free speech protections. For commercial entities, however, First Amendment protections have been virtually nonexistent10 until a few years ago when the U.S. Supreme Court, in Virginia State Board of Pharmacy v. Virginia Citizens Consumer Council,11 declared that the doctrine denying First Amendment protection to commercial speech had been swept away. In sweeping it away, the Court did, however, indicate that some restrictions on commercial communications are legitimate, though it left the standards for such restriction unclear.

The Court in the Virginia case stressed that the decision did not mean that a regulation prohibiting the advertising of an illegal activity would be unconstitutional. In 1974, in Pittsburgh Press v. Human Relations Commission,12 there was a challenge to a municipal ordinance prohibiting the publication of lists of job openings by sex unless the designations were based on bona fide occupational considerations. The Court rejected the First Amendment challenge and sustained the ordinance. The majority opinion described the advertisements as "classic examples of commercial speech" and went on to note that commercial advertising ordinarily enjoys some First Amendment protection. What made this particular advertising susceptible to regulation was the illegitimacy of the activity advertised. In effect, the Court argued that if a commercial activity is illegal, then speech which promotes or assists in effecting such activity may be prohibited.

Such a rationale is not entirely satisfactory. Is the decision of the legislature that a certain commercial activity is illegal enough to deny communication concerning that activity free speech and free press protections? If the illegal activity is in part a result of the mere communication of information or ideas, should First Amendment analyses apply? Or should some other standard be employed to test the propriety of the legislative determination restricting communication? In any case, since the illegal-activity standard of Pittsburgh Press applies only to commercial communication, this test appears to establish that commercial speech remains doctrinally outside the mainstream of the First Amendment in some ways.

The Commission believes that the extension of First Amendment protections to commercial communication as defined in these recent Supreme Court cases, which almost exclusively concern advertising, does not pose any obstacle to the establishment of legitimate expectations of confidentiality for individuals in the private sector. The Commission is in no instance recommending an absolute restriction on the communication of information; rather, it recommends that an individual be informed at the beginning of a relationship what information may be disclosed from records about him and for what purposes. Following Lamont, it also recommends that an individual be given an opportunity to participate in any change that would materially affect his legitimate expectation.

Protection of privacy against government intrusions is a complementary limitation to protection of communications from government interference. Therefore, the Commission further recommends that if the requestor of records is a government agency, such agency bear the burden of notifying the individual, and that laws be enacted to allow the individual standing to assert his interest as defined in the recommended measures. This clearly raises no First Amendment issues.


The second competing societal value the Commission identified is freedom of information. In enacting the Freedom of Information Act (FOIA) in 1966,13 and strengthening it eight years later, the Congress gave expression to society's strong interest in opening the records of Federal government agencies to public inspection. The FOIA, to be sure, allows for exceptions from the general openness rule which an agency may invoke for certain information pertaining to national defense and foreign policy, law enforcement, individuals, internal agency deliberations, trade secrets, and information specifically declared confidential by other statutes. The withholding of exempt records, however, is subject to administrative and judicial review. Most of the States have enacted their own FOIA statutes in one form or another. Other statutes, both Federal and State, open meetings of certain governmental bodies to the public. The legal actions brought to test these statutes have shown the courts to be generally sympathetic to broadening public access to government records and deliberations, and, of course, journalists are natural advocates of full access and disclosure. Altogether, the presumption against secrecy in decision making and record keeping by government agencies is now firmly established.

The Commission has recommended the continuation of restrictions on the disclosure of specific records about individuals maintained by government agencies. While this recommendation may seem to conflict with the principle of freedom of information and openness, the Commission firmly believes that it is compatible with those principles and, indeed, that they are complementary aspects of a coherent public policy concerning public records.

In the Federal government, adjustments between freedom of information policy and confidentiality policy are made at two levels. At the first of these levels, the Federal FOIA makes adjustments by incorporating several statutes which, with particularity, direct that specific records be withheld from the public. The Federal FOIA does not require the disclosure of matters that are:

specifically exempted from disclosure by statute (other than section 552b of this title), provided that such statute (A) requires that the matter be withheld from the public in such a manner as to leave no discretion on the issue, or (B) establishes particular criteria for withholding or refers to particular types of matters to be withheld. [5 U.S. C 552(b)(3) (1976)]

Tax returns and the responses of individual households to Census Bureau inquiries fall into this category. The Commission believes that it is preferable for the Congress to create this sort of explicit confidentiality policy than for government administrators to decide when such records should or should not be disclosed.

The second level at which freedom of information and privacy interests relate becomes apparent when a Federal agency receives a legitimate Freedom of Information Act request for access to a record about an individual and finds that the record is subject to the Privacy Act of 1974. When the two Acts are read together any disclosure of a record about an individual in a system of records as defined by the Privacy Act to any member of the public other than the individual to whom the record pertains is forbidden if the disclosure would constitute a "clearly unwarranted invasion of personal privacy." The reverse obligation also holds: even though a record is about an individual, it cannot be withheld from any member of the public who requests it if the disclosure would not constitute a clearly unwarranted invasion of personal privacy. The courts are the final arbiters of which disclosures do or do not meet the unwarranted-invasion test and over the years they have established certain types of recorded information which must be disclosed without question. Two examples are Civil Service grades of Federal employees, and the names of persons who have participated in elections supervised by the National Labor Relations Board.

For government, the Commission believes that the policy of combining explicit legislation for particular types of records with a general standard to be applied in all other cases is an appropriate way to balance the freedom of information interests and confidentiality interests. As Chapter 13 explains, the combination does not lead to resolution of difficult cases overnight, but it does create a framework within which the conflicts between the two competing though compatible interests can be resolved.

The general concept of freedom of information has no currency in the private sector. Issuers of regulated securities must publicly disclose particular items of information about the individuals who control or manage companies, but organizations in the private sector by and large have no affirmative obligation to disclose their records about individuals to the public. They may be required to disclose such records to government agencies for a variety of reasons, as described in Chapter 9, but in many cases government is prohibited from subsequently disclosing that information to the public. Thus, in the private sector there is no freedom of information policy to conflict with a confidentiality of records policy.

Indeed, the Commission believes that in most instances the persuasive power of an active press can be relied on to work out a proper adjustment between the right to privacy and the freedom of information principle as it applies to public disclosure of information in records about individuals maintained by private-sector organizations. However, the Commission also believes that the individual needs some limited control over the public disclosure of particular types of information about him. An individual should be able to limit the public disclosure of credit, insurance, medical, employment, and education record information about himself. In these areas, the Commission has recommended for the individual an assertable interest so that he can have a role in determining whether information about him should be publicly released. In fact, as to certain identifying information referred to as directory information, the Commission's recommendations recognize the general practice of public disclosure in such areas as employment, medical care, and education. Thus, reporters should be able to continue to find out who is in what hospital, who is employed by what firm, and who is enrolled in what school.

The Commission's recommendations, with one exception, do not limit or affect the ability of the press to request or obtain information. The area of medical records is the one area where the Commission not only recommends a duty on the record keeper to respect an individual's expectation of confidentiality but also suggests that it be made a crime to seek such information through misrepresentation or deception. Specific abuses by persons seeking medical-record information for use in adversary situations have led the Commission to conclude that such a recommendation is necessary. In all other cases, the Commission's recommendations do- not limit or affect the ability of the press to request or obtain information. These balances are difficult to strike and the Commission has attempted to establish mechanisms for doing so rather than recommend specific disclosure prohibitions.


The third competing interest the Commission identified is the interest in preventing and prosecuting crime. Organizations do and should have the means of protecting themselves from suspected fraud in insurance claims, fraudulent use of credit cards, multiple welfare applications, and the like. Organizations, both private and public, exchange information among themselves and with law enforcement authorities to protect against such losses and to assist in the prosecution of crime. The Commission has not suggested that this organizational interest be curtailed. Rather, it recommends that individuals be apprised, at the time they establish a relationship involving confidential records that information about them may be disclosed for investigative or enforcement purposes if the record keeper develops evidence that points to criminal behavior on their part. Government requests or demands for recorded information about individuals for law enforcement purposes pose a special problem. As a result of the Miller decision discussed earlier, an individual has no constitutional protections against government demands for access to records third parties maintain about him. There are some statutory protections, such as those for census records, Federal . income-tax returns, and records developed in connection with federally funded drug abuse research and treatment programs. The Commission believes, however, that the individual should have an assertable interest in other types of records about him, such as those maintained by financial institutions, insurance companies, medical-care providers, and providers of long-distance telephone service, as a matter of general policy.

Government agencies have testified that to enforce the law, they need full and complete access to records kept about individuals by third parties. They argue that to restrict their access, or more specifically to subject it to the assertion of an individual's interest, would unduly handicap their legitimate law enforcement activities. The Commission seriously considered these arguments and has developed a set of recommendations that allow for continued law enforcement access, but under stricter rules. These rules are in two parts. First, they require law enforcement agencies to use legal process of some form whenever they seek information about an individual from a third- party record keeper. Second, when they seek access to records in which the individual has a legitimate expectation of confidentiality, the Commission recommends that the individual involved be given notice and the legal capacity to contest the action. The Commission has not recommended prohibiting government access, but rather giving the individual an assertable interest in the process of government information gathering about him. The requirement for legal process in all instances has the further advantage that it creates the basis for meaningful accountability mechanisms.


The fourth competing interest the Commission identified is cost. In maximizing fairness, this is the most compelling competing interest. Whether an organization is public or private, to make changes in record keeping practices can increase its cost of operation and thus make the product or service it provides either more expensive or less accessible, or both. When this happens, both the record-keeping organization and some if not all of its customers or clients suffer. Adoption of the Commission's recommendations means that a great many organizations will have to make some changes in their record keeping. The costs of compliance will be higher or lower depending on how well an organization's current practices reflect the recommended balance between organizational interests and the individual's interest. The Commission has tried to keep compliance costs to a minimum by not recommending that organizations be required to report periodically to Federal or State government agencies, and also by not recommending inflexible procedural requirements.

The Commission's recommendations are, aimed at getting results. Thus, they try to take advantage of the shared` interest of individuals and organizations in keeping records accurate, timely, and complete. As previously noted, one reason for giving an individual a right of access to records about him is that doing so affords an organization the free help of an expert the individual himself on the accuracy of the information the organization uses to make decisions about him. Organizations, however, need some assurance before they are will mg to enlist such help that it will not turn out to be unduly or undeservedly expensive.

To open an insurance company's underwriting files to inspection by applicants and policyholders, for example, gives the company a powerful motive to record oily accurate, pertinent information about them and to keep its records as timely and complete as necessary. To encourage applicants and policyholders to look for information in underwriting files that could serve as the basis for defamation actions and windfall recoveries, however, would be contrary to the Commission's cost minimizing objective and also an impediment to systemic reform. The Commission wants organizations to invest in improving their record keeping practices, not to spend their money in costly litigation over past practices and honest mistakes. Hence the Commission's recommendation is to limit the liability of a record keeper that responds to an individual's request for access to a record it maintains about him.

Organizations in the private sector have a strong interest in keeping their decisions about customers, clients, applicants, or employees free of unreasonable government interference. The Commission's recommendations recognize this interest by concentrating on the quality of the information an organization uses as the basis for making a decision about an individual, rather than on the decision itself. For private sector organizations the adverse decision requirements the Commission recommends will expose the records used in arriving at a decision to reject an applicant, but the Commission relies on the incentives of the marketplace to prompt reconsideration of a rejection if it turns out to have been made on the basis of inaccurate or otherwise defective information.

For public sector organizations, the Commission recommends no affirmative requirement that they reverse an adverse decision made on the basis of faulty information. For educational institutions, where the procedures for correcting or amending records are likely to be divorced from decision making procedures, and where the individual has no easily envocable due process protections, the Commission proposes an affirmative requirement to reconsider but not a requirement to reverse. The Commission strongly believes that to mix concern about the outcome of individual decisions with concern about the quality of the information used in arriving at them not only risks undesirable interference with organizational prerogatives but also invites confusion as to the nature and extent of the individual's privacy interest, possibly to its detriment in the long run.


A major interest that must be weighed in the balance of organizations' needs for information against the individual's interest in having his personal privacy protected is society's interest in maintaining the integrity of the Federal system. The division of responsibility and authority between the Federal government and States is a cornerstone of the American political system and the Commission has been particularly attentive to it in both the methods it recommends for establishing legal requirements and the regulatory mechanisms and sanctions for enforcing such requirements.

In areas of record keeping where the States are prominent record keepers, or where records are generated in carrying out State programs, the Commission pays particular attention to the reserved powers principle enunciated in the Tenth Amendment to the Constitution, emulating the Supreme Court's care14 not to interfere with the conduct of essential State government functions. Thus, where Federal regulation seems necessary, the Commission recommends making the requirements a condition of Federal benefits, which leaves the States some degree of choice. The Commission recommends tempering such exercise of Federal spending power by leaving considerable latitude in how the States implement the policies, and by urging them to make the minimum Federal requirements part of their own State legislation and to assume most of the responsibility for enforcing them.

In the areas of private sector record keeping where the States share regulatory power with the Federal government, the Commission recommends maintaining the current balance. For example, in financial areas where the Federal government now does most of the regulating, the Commission relies heavily on current Federal mechanisms in the implementation of the measures it recommends, with the State playing a supplemental role. In the insurance area, where the States now do most of the regulating, the Commission recognizes a need for some limited Federal intervention in order to provide the necessary uniformity, but relies on the State enforcement mechanisms that now have primary responsibility.

Each of the implementation measures the Commission recommends is designed to avoid disturbance of the current Federal-State political balance of power. Indeed, the structure of the Commission's recommendations as a whole should strengthen the FederalState partnership and increase the State's role in protecting the interests of the individual.


Each policy recommendation in this report is supplemented by an implementation recommendation. Collectively, the Commission's implementation recommendations add up to a consistent strategy for the practical application of the policies and practices the Commission believes should be adopted. The Commission has not tried to draft any of its recommendations in final statutory language. The Commission does, however, suggest how and in what manner its recommendations should be adopted, since the impact and significance of policies can be adequately assessed only in light of how they are to be applied.


The Commission's findings clearly reveal an overwhelming imbalance in the record keeping relationship between an individual and an organization, and its policy recommendations aim at strengthening the ability of the individual to participate in that relationship. This can be accomplished in three ways: by prohibiting or curtailing unjustifiably intrusive information collection practices; by granting the individual basic rights, such as the right to see, copy and correct records about himself, coupled with obligations or organizations to incorporate protections for personal privacy in their routine record keeping operations; and by giving the individual control over the disclosure of records about him. In exploring ways to implement its policy recommendations, the Commission was guided by three principles: (1) that incentives for systemic reform should be created; (2) that existing regulatory and enforcement mechanisms should be used insofar as possible; and (3) that unnecessary cost should be avoided.

In accordance with the first of these guiding principles, the recommended measures enable the individual to compel compliance with certain specific requirements even if he has suffered little or no injury. The Commission believes that an individual should be able to go to court to compel the production of records and to require the correction of erroneous information in them, and to hold a record keeping organization responsible for its disclosure practices. Because enforcement of such rights has in the past depended on a showing of direct financial loss, which is often difficult to demonstrate, most individuals have not been able to assert their interests effectively. The Commission's recommendations should make it easy for an individual to assert his interest, thus making it attractive to organizations to comply voluntarily rather than incur the cost of enforcement through judicial or administrative action.

The Commission believes that because giving an individual a right of access to records about him could lead to a defamation or invasion of privacy action, the liability of a record keeping organization for such claims resulting from its disclosure to an individual of a record about himself should be limited. An institution, however, should be liable for false information where there has been willful intent to injure the individual.

In accordance with the second guiding principle, that the policy recommendations should be implemented through existing regulatory and enforcement mechanisms insofar as possible, the Commission recognizes that while existing regulation seldom aims explicitly at protecting personal privacy in record keeping, it does, in fact, provide some protection, which the Commission has no wish to negate or duplicate. In the consumer credit area, for example, Regulation Z of the Federal Reserve Board15, issued pursuant to the Truth in Lending Act, explicitly specifies how an individual is to be informed of the terms and conditions of a particular loan. The Commission's recommendations would add a further requirement that the individual also be informed of the types and sources of information that will be collected about him and the uses to which the information will be put.

Similarly, the Commission relies on the Fair Credit Reporting Act16 as the vehicle for implementing many of its private sector recommendations because it is the statute at the Federal level that deals most explicitly and comprehensively with privacy issues in the private sector. For example, the Commission recommends that the individual's right of access to underwriting and certain claim information about himself maintained by an insurance company be provided by amendment of the FCRA in order to assure nationwide compliance. However, the Commission has used a different approach in implementing notice to applicants and insureds in regard to the types of information that will be collected about them and the sources and techniques that will be used. In this instance, the Commission directs its implementation to the State level, where, as a result of the McCarren Ferguson Act17, insurance is otherwise regulated unless there is explicit Federal legislation to the contrary. States use this authority to regulate the form of insurance policies, and, in some cases, applications for insurance, and thus can implement the recommended notification requirements as well.

Existing structures also provide a framework for implementing the Commission's recommendations for medical records. There the Commission considered two types of medical record keepers the institutional medical services provider and the individual practitioner. Since most institutional providers qualify under Medicare and Medicaid, the qualification process affords an effective means of assuring the compliance of institutional providers with the recommended medical records requirements. Individual practitioners, however, do not currently have to qualify under Medicare and Medicaid, although they are subject to State licensing authorities, and the Commission, therefore, recommends that States adopt model legislation applying the medical records safeguard requirements to all individual practitioners and to any institutional medical care providers that are not subject to Medicare or Medicaid qualification requirements.

In accordance with the Commission's third guiding principle, it tried to make sure that the privacy protection safeguards it recommended would not involve unnecessary cost, either to individuals or to record keeping organizations. The Commission believes that granting an individual rights within existing legal frameworks is far more efficient and significantly less costly than embarking on an ambitious new regulatory approach. As noted above, its recommended policy measures put the main ongoing costs of implementation on organizations that do not comply with the requirements, since it is they who will be subject to judicial or administrative sanctions and related costs. The organization that takes affirmative steps to comply with the recommendations should have little expense beyond the cost of educating its employees, initially revising some of its procedures and forms, and creating appropriate policy guidance. Even these costs can be controlled by allowing a reasonable time for transition. With intent the Commission does not recommend that organizations be required to report regularly to anyone or to obtain anyone's approval prior to revising or establishing its record keeping systems. Thus, the cost to government and to those who comply will be kept to a minimum.

The Commission's single deviation from these three principles is the approach it recommends to the problem of systematic or repeated violations. The Commission advocates rights for individuals and relies primarily on the individual to exercise and protect those rights with the help of the courts, but as many of the chapters point out, however, giving an individual better ways to protect himself can be an inadequate tool. Thus, when there is evidence of repeated or systematic violations, the measures recommended for particular record keeping areas assign specific responsibility on behalf of the public for enforcing compliance to appropriate government agencies, such as the Federal Trade Commission or State insurance departments.

The Commission's implementation strategy also considers the question of Federal preemption and the desirability of uniform requirements. National bankers, insurers, retailers, and other industries subject to Federal regulations have strongly urged the Commission to recommend that any mandatory requirements be exclusively Federal so that they and, indeed, their customers, do not have to struggle with 50 separate sets of rules. The Fair Credit Reporting Act addresses this desire for uniformity by permitting a State to supplement but not narrow the Act's requirements. For example, the FCRA specifies that an individual shall be informed on request of the nature and substance of a credit report; California law, without contradicting the FCRA, takes the extra step of requiring that an individual be allowed on request to see such a report. When the Commission recommends Federal legislation, it intends such legislation to establish the reasonable basis upon which organizations may deal with all individuals on whom they maintain information or records, regardless of political jurisdiction. While the Commission believes its recommended measures provide proper protections for personal privacy, particular States may deem it desirable to establish further requirements for their own citizens. They should not be prohibited from doing so as long as their requirements do not conflict with or narrow Federal law. The same is true in the public sector where the Commission has recommended Federal requirements applicable to federally funded State programs; there is no barrier to the States going further if they want to do so.

Experience with the term agency as used in the Privacy Act of 1974 illustrates a potential problem, which the Commission hopes to avoid with the term organization used in its recommendations. The way an agency defines itself for the purpose of complying with the Privacy Act's requirements makes a significant difference in the disclosures of records it can make and in the degree of its responsibility for establishing operating rules and procedures.18 It is convenient for an agency to define itself as a unit at the highest possible organizational level. Thus, the Office of the Secretary of Health, Education and Welfare, the Office of Education, the Social Security Administration, the Public Health Service, and a number of other units are all deemed to be one agency the Department of Health, Education and Welfare (DHEW). As a consequence, any disclosure of information about an individual by one office, administration, or service to another can be considered an internal agency disclosure not subject to the Privacy Act's limitations on third party disclosures without written consent of the individual. Another result is that the rules for Privacy Act compliance are DHEW rules rather than rules of its components.

The term organization presents similar problems in the private sector. The Commission believes that there should be flexibility allowing organizations to define themselves in various ways. For example, a conglomerate corporation or corporate group may or may not want to define itself as a single organization for the purpose of complying with the measures recommended for a particular record keeping relationship. Considering the many forms of corporate and administrative control, the Commission believes the choice can be left to the organizations on two conditions.

The first is that at whatever level an organization is defined as a single unit, that must be the level responsible for promulgating and enforcing standard operating procedures at all subordinate levels. For example, if the American Telephone and Telegraph Company considers itself and all of its subsidiaries and affiliated local phone companies to be one organization, AT&T must promulgate, enforce, and be accountable for compliance with the procedures to be followed by all of those entities.

The second condition is that regardless of the level at which an organization is defined as a unit, an individual must be assured that information about him collected and maintained in connection with one record keeping relationship will not be made available for use in connection with another. For example, information collected by an employer from an employee to process a claim under a group health insurance policy is not to be used for personnel purposes. If two affiliated companies define themselves as a unit but perform two different function some extending credit and the other selling insurance, for example, information about customers must not flow between them without adherence to the notice, authorization, and other requirements called for in the Commission's recommendations. Likewise, a corporate affiliate in, say, the retailing business should not rent or lend the names and addresses of its customers to another affiliate to market insurance unless the retailer informs its customers that it intends to do so and gives them an opportunity to indicate that they do not want their names used for that purpose.


The Commission had three basic alternatives for giving effect to its policy recommendations: (1) voluntary compliance; (2) statutory creation of rights, interests, or responsibilities enforceable through either individual or governmental action; and (3) establishment of ongoing governmental mechanisms to investigate, study, and report on privacy protection issues. Each of the Commission's policy recommendations specifies the alternative it believes is most appropriate for that particular measure.

In the areas of research and statistical activities, and education, for example, the Commission specifies legislation in the form of amendments to existing Federal statutes to define further the responsibilities and duties of those types of record keepers. In the public assistance and social services area, the Commission specifies Federal action that would make State enactment of the recommended statutory rights and responsibilities a condition of Federal funding.

In the private sector, the Commission specifies voluntary compliance when the present need for the recommended change is not acute enough to justify mandatory legislation, or if the organizations in an industry have shown themselves willing to cooperate voluntarily. In its mailing list recommendations for example, the Commission specifies that when an organization has a practice of renting, lending, or exchanging the names of its customers, members, or donors for use by others in a direct mail marketing or solicitation, it should inform each of them that it does so and give each an opportunity to veto the practice with respect to his own name. The Commission does not call for legislation to enforce compliance with this recommendation because it has reason to believe the industry is willing to accept these restrictions voluntarily, and there are no legal impediments to stop it from doing so.

The Commission also relies mainly on voluntary compliance in the area of employment and personnel; though there are a few exceptions, the most notable being the recommendation dealing with the creation and use of investigative reports, where implementation by amendment of the Fair Credit Reporting Act is the Commission's choice. In this area, the Commission prefers to rely mainly on voluntary compliance because of the complexity of the relationship between employer and employee, and the difficulty of classifying all the various records different employers maintain about their employees and the way they use these records in employment decision making. For the Commission to recommend otherwise would be to recommend uniformity where variation is not only widespread but inherent in the employee-employer relationship as our society now knows it.

Most of the Commission's recommendations, however, do specify mandatory measures. This is partly because the Commission believes that in most cases voluntary compliance would be too uneven to be dependable; but more importantly, many of the issues the Commission's recommendations address are legal ones and require legal remedies. In the Miller case described above, for example, if the bank had wholeheartedly tried to protect Miller's interest, it would have done him little or no good since under existing law, Miller would have no interest in the records to assert. If a Federal agency insists on having an individual's account record today, a bank cannot successfully refuse to make it available.

In some cases, existing law and practice also work against the individual when he seeks access to records about himself. For example, the contracts that consumer reporting agencies have with their insurer, employ er, and credit grantor subscribers specify that the client may not disclose the information they report on an individual. Thus, an organization reaching an adverse decision about an individual on the basis of an investigative report cannot disclose the negative information in the report to him, even if it would otherwise be willing to do so. The Commission's recommendations would void such prohibitions.

In choosing mandatory implementation alternatives for the private sector, the Commission also aimed for consistency in the matter of damages and in the method of enforcement. Where the Commission recognizes an individual's right of access to records that have not entered into a decision adverse to him, as in the insurance recommendations for example, it has recommended that when an individual denied this right substantially prevails in court, he be able to recover the costs of compelling compliance, including attorney fees, but that he not be awarded damages. When the individual's right of access is triggered by an adverse decision and a record keeper fails to perform a duty required of it, or fails to correct or amend a record about him or to propagate a correction or amendment, a court which determines that the denial or failure was willful or intentional would not only allow the individual to recover his cost of compelling compliance, including attorney's fees, but also could award him up to $1,000.

For credit, insurance, and depository records, the Commission adopts the concept of a "legitimate expectation of confidentiality." Since the damage an individual can suffer from an organization's breach of confidentiality often cannot be undone, the Commission recommends that an individual so aggrieved have the right to compensation for any special (i.e., actual) damages resulting from a private sector organization's violation of his legitimate expectation of confidentiality, and, if a court determines that the organization acted willfully or intentionally, to additional compensation for general damages in the amount of at least $1,000 but no more than $10,000.

The third implementation choice obviously requires a Federal body to oversee, regulate, and enforce compliance with certain of the Commission's recommendations. This alternative is not incompatible with the other two. In fact there are powerful arguments for using it in conjunction with the other two, rather than depending on the first two alone.

The strongest argument for using a combination of alternatives is the dynamic character of personal data record keeping practices that will continue to create new privacy concerns, and redirect existing ones. Without a focal point to keep privacy concerns in proper perspective for the public as well as for record keeping organizations, other issues competing for attention may obscure them.

A primary objective of the Commission's implementation strategy is to make sure that the privacy issues stay in proper focus. This requires continuing attention from a broad public policy perspective– a need that is not fulfilled today even within the scope of the Privacy Act. A means must be found to provide for continued public awareness of what is clearly a continuing and pivotal concern, and to assure ongoing attention to develop and refine understanding of specific and emerging problems. Notwithstanding the broad scope of this report, a number of tasks remain. Significant record keeping areas, such as licensing at the State and local level, remain unexplored and several chapters of this report highlight other problem areas that need further analysis, including the issue of unreasonable intrusiveness as evidenced by the amount and type of information an individual is required to reveal about himself in return for a desired or needed service or benefit. As indicated earlier, the propriety question is an extremely delicate one and there is as yet no generally accepted method of arriving at answers to it in different contexts. The Commission's recommendations offer mechanisms to identify those kinds of questions so they can be debated in the context most likely to be constructive in determining public policy.

A further argument for combining all three alternatives is that experience with other publicpolicy issues of this sort suggests a continuing need to coordinate the policies that have been and will be adopted, and to assist in identifying and resolving real or apparent conflicts between existing, modified, and new statutes and regulations.

There is also the consideration that decentralized enforcement spreads responsibility for enforcement among agencies, organizations and individuals, each of which has numerous other responsibilities, thus increasing the risk that privacy objectives and protections will be obscured. The Commission advocates rights for individuals and reliance primarily on the courts to assure exercise of those rights. As indicated in many chapters of this report, however, improving the capability of the individual to protect himself can be an inadequate tool for resolving major systemic problems. The Commission sees a need for some influential "prodding" structure, some sustained oversight over the actual implementation of the protections it recommends. The Federal agency experience under the Privacy Act described in Chapter 13 attests to the need as it has arisen within the Federal government. The experience of the various Federal regulatory bodies that will have additional responsibilities if the Commission's recommendations are adopted for example, the Federal Trade Commission, the Federal Reserve Board, and the compliance monitoring units of the Department of Health, Education and Welfare further underscores it.

Finally, in all areas of the public sector the Commission has studied, the need for a mechanism to interpret both law and policy is clear. The difficulty of deciding which disclosures of records about individuals are routine within the meaning of the Privacy Act often raises conflicts of interest or interpretation between two or more Federal agencies. Similarly, as indicated in Chapter 13, Federal agencies often need an efficient means of arriving at common solutions to their common privacy protection problems, such as establishing procedures for the disposal of records, the propagation of corrections, and the maintenance of accountings of disclosures. State agencies frequently complain about being subjected to multiple, and sometimes incompatible, record keeping rules as a consequence of participating in programs funded by different Federal agencies or by different components within a single agency. There must also be a way of bringing private sector recommendations for voluntary action to the attention of all the relevant organizations. Many of these varied needs can best be met by the third implementation alternative.

Therefore the Commission recommends:

That the President and the Congress establish an independent entity within the Federal government charged with the responsibility of performing the following functions:

(a) To monitor and evaluate the implementation of any statutes and regulations enacted pursuant to the recommendations of the Privacy Protection Study Commission, and hae the authority to formally participate in any Federal administrative proceeding or process where the action being considered by another agency would have a material effect on the protection of personal privacy, either as the result of direct government action or as a result of government regulation of others.

(b) To continue to research, study, and investigate areas of privacy concern, and in particular, pursuant to the Commission's recommendations, if directed by Congress, to supplement other governmental mechanisms through which citizens could question the propriety of information collected and used by various segments of the public and private sector.

(c) To issue interpretative rules that must be followed by Federal agencies in implementing the Privacy Act of 1974 or revisions of this Act as suggested by this Commission. These rules may deal with procedural matters as well as the determination of what information must be available to individuals or the public at large, but in no instance shall it direct or suggest that information about an individual be withheld from individuals. (d) To advise the President and the Congress, government agencies, and, upon request, States, regarding the privacy implications of proposed Federal or State statutes or regulations.

The entity the Commission recommends may be a Federal Privacy Board or some other independent unit. However, if a new entity is established, the only enforcement authority the Commission would recom mend it be given would be in connection with the implementation by Federal agencies of the Privacy Act itself. Its oversight responsibility in all of the other areas covered by the Commission's recommendations would require it only to participate in the proceedings of other agencies when substantive privacy issues are involved. For example, if the Federal Reserve Board were to issue proposals to amend its Regulation Z pursuant to the Truth in Lending Act after the Commission's recommendations are adopted, the new entity could participate in the proceedings only to the extent of presenting testimony and other comments from a privacy protection point of view.


The strongest argument for the need to keep attention focused on the issue of personal privacy in record keeping is in the facts of record keeping themselves. The facts and the specific recommendations the Commission makes on the basis of its analysis of them are presented in the chapters that follow.

Chapter 2 examines the record keeping policies and practices of credit grantors and the organizations whose records they use to establish and control their consumer credit relationships. Consumer credit is an area in which new services and new record keeping methods have dramatically changed the primary record keeping relationship. As the chapter points out, personal interaction in consumer credit transactions has declined markedly in the last several decades, making recorded information the paramount factor in establishing and maintaining the consumer credit relationship. Chapter 2 ends with a note on the practices of commercial reporting firms and the Commission's recommendations with respect to the records they maintain about individuals.

Chapter 3 explains why the record keeping policies and practices of depository institutions (mainly commercial banks and savings and loan associations) are beginning to pattern themselves on those of credit grantors. Chapter 3 includes the Commission's analysis of the impact of electronic funds transfer systems on personal privacy, an impact with potentially profound significance.

Chapter 4 explores the creation and use of mailing lists. It shows that, contrary to popular belief, names and addresses do not get transferred from one mailing list to another in ways that disclose confidential information about individuals, but that impending changes in the way mailing lists are developed will make it easier for that to happen.

Chapter 5 examines record keeping in the insurance relationship, an area that has been little explored from a privacy protection standpoint. In contrast to the credit and depository relationships, the insurance relation ship may depend in part on information about individuals developed from interviews with neighbors and associates. This difference introduces a special set of privacy protection issues which are also present to some extent in the private sector employee- employer relationship examined in Chapter 6.

Chapter 7 assesses the growing demand on medical care providers for information in the records they maintain on individual patients. The use of medical record information to make nonmedical decisions about individuals is explored in the chapters on insurance and employment, but Chapter 7 is where it is brought into focus. The crux of the problem is that individuals are asked to authorize the disclosure of medical record information about themselves for a variety of purposes, but usually have no way of finding out what is in their medical records and thus must decide to authorize without a proper basis for estimating the consequences such disclosures may have for them.

Chapter 8 examines investigative reporting services in the private sector, weaving threads from earlier chapters into an analysis of why the Commission believes sweeping changes are needed in the record keeping practices of these firms.

Chapter 9 begins the transition from the private to the public sector. It concentrates on threats to personal privacy that stem from two main sources: changes in the way individuals go about their day t oday business, and the tendency of government in recent years to rewrite the rules of the game without letting the other players know. It argues that to wait on the courts to create adequate protections for the individual is to adopt a policy of uncertain outcome and recommends legislation to right the balance between individual liberty and social order that the increase in government's demands for access to records about individuals has upset.

Chapters 10 and 11 address two areas education, and public assistance and social services in which both the Federal government and the States have a policy interest. The past decade has seen important initiatives to safeguard personal privacy from obvious record keeping abuses in both areas. These two chapters evaluate those initiatives in terms of current conditions and emerging trends. Chapter 12 summarizes the State's role in protecting personal privacy as it emerges from the Commission's recommendations in all of the preceding chapters.

With Chapter 13, the report turns to the record keeping practices of Federal government agencies. The Commission decided early in its inquiry that it could not recommend whether the principles and requirements of the Privacy Act should be extended to organizations outside the Federal government without first assessing the Privacy Act's effectiveness in the one area where its principles and requirements have been applied. Chapter 13 reports the results of the assessment and suggests a strategy for amending the Privacy Act as it applies to Federal agencies.

Chapter 14 on the Federal taxpayer relationship responds to a directive from the Congress that the Commission examine and make recommendations with respect to Internal Revenue Service disclosures of information about taxpayers. The Commission issued an interim report on the topic in June of 1976, just prior to passage of the 1976 Tax Reform Act. Chapter 14 compares the pertinent provisions of the 1976 legislation with the recommendations the Commission made at that time, and covers several related issues that were not addressed in the interim report.

Chapter 15 contributes to the continuing debate over the level of protection that should be afforded records about individuals that are intended to be used for research and statistics.

Chapter 16 on the Social Security Number and other assigned identifiers punctuates the Commission's findings and recommendations. While its principal conclusion is that the core problem is the lack of policy on the disclosures record keeping organizations may make of a record about an individual, it recommends that government take no action that would encourage the drift toward using the SSN or anything else as a standard, universal identifier until such policy has been developed and made effective.


1 For a discussion of the fair hearing procedures, see Chapter 11.

2Bank Secrecy Act, 12 U.S.C. 1829b, 1953; 12 C.F.R. §103.36.

3 California Bankers Association v. Schultz, 416 U.S. 21 (1975).

4State ex rel. Tarver v. Smith 78 Wash. 2d 152, 470 P.2d 172, cert. denied, 402 U.S. 1001 (1971); United States v. Miller, 425 U.S. 435 (1976).

5See Chapter 4.

6 For an analysis of the Privacy Act principles, see Chapter 13.

7 U.S. Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers, and the Rights of Citizens (Washington, D.C.:1973), p.41. The five fair information principles were: (1) there must be no personal-data record-keeping systems whose very existence is secret; (2) there must be a way for an individual to find out what information about him is in a record and how it is used; (3) there must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent; (4) there must be a way for an individual to correct or amend a record of identifiable information about him; and (5) any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.

8 See, e.g., Stanley v. Georgia, 394 U.S. 557 (1969); Kliendieast v. Mandel, 408 U.S. 753 (1972); Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975).

9 391 U.S. 301 (1965).

10 Thomas I. Emerson, The System of Freedom of Expression (New York: Vintage, 1970), p. 414.

11425 U.S. 748 (1976).

12413 U.S. 376 (1973).

13 5 U.S.C. 552.

14 National League of Cities v. Usery, 426 U.S. 833 (1976).

15 12 C.F.R. §226.

1615 U.S.C. 1681 et seq.

1715 U.S.C. 1012.

18 See Chapter 13.