LETTER TO MR. RICK NEUSTADT FROM MICHAEL J. MALANICK
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP81-00142R000700030001-4
Release Decision:
RIPPUB
Original Classification:
K
Document Page Count:
216
Document Creation Date:
December 9, 2016
Document Release Date:
February 23, 2001
Sequence Number:
1
Case Number:
Publication Date:
November 14, 1978
Content Type:
LETTER
File:
Attachment | Size |
---|---|
CIA-RDP81-00142R000700030001-4.pdf | 13.2 MB |
Body:
Approved For Release 2001/03/17 : CIA-RDP81-00142R000700030001-4
CENTRAL INTELLIGENCE AGENCY
WASHINGTON, D.C. 20505
Mr. Rick Neustadt
Assistant Director
Domestic Policy Staff
Old Executive Office Building
Room 208
Washington, D.C. 20500
Dear Mr. Neustadt:
14 NOV 1978
This Agency's views are adequately reflected
in the Revised Draft of November 1, 1978, on the
Presidential Privacy Initiative. One small correction
is needed, however. At the top of page 191,
CIA is referred to erroneously as a law enforcement
agency. Our concerns, especially in the area of
investigations, often parallel those of law enforcement
agencies, but we are not in that category. We
did support the "con" position on this issue, but it
is not a position with which we identify strongly.
The simplest way to amend the paragraph, therefore,
would be to delete the phrase "and the CIA."
Sincerely,
/s/ Michael J. Malanick
Michael J. Malanick
Acting Deputy Director for Administration
5 cc: Mr. Art Bushkin
1800 G Street, N.W.
Room 706
Washington, D.C. 20504
Distribution:
Original - Addressee
5 - Mr. Bushkin
OGC
DDA Subject
1 - DDA Chrono
1 - Al Chrono
OFFICIAL ROUTING SLIP
[Form fields blank; handwritten remarks illegible]
PRESIDENTIAL PRIVACY INITIATIVE
November 1, 1978
REVISED DRAFT
UNITED STATES DEPARTMENT OF COMMERCE
National Telecommunications and
Information Administration
Washington, D.C. 20230
November 1, 1978
Executive Registry
MEMORANDUM FOR: PRIVACY POLICY COORDINATING COMMITTEE
FROM: HENRY GELLER (Assistant Secretary of Commerce for Communications and Information)
RICK NEUSTADT (Assistant Director, Domestic Policy Staff)
We are submitting the Response Memorandum for this
study. This Memorandum is based on the report of the
Privacy Protection Study Commission and on the agencies'
reactions, as indicated in the reports of the six task
forces. The Memorandum was prepared by the Privacy
Initiative staff at the National Telecommunications
and Information Administration, Department of Commerce,
under the direction of Arthur Bushkin.
A draft of this Memorandum has already been circulated
for review and comment, and this version should now
reflect your agency's views. If you have any additional
comments will you please submit them by November 13th.
We have set this deadline because the agencies have
already studied the issues in preparing the original
task force reports and their earlier comments on the
draft Memorandum, so no further effort, other than
the possible correction of minor errors, should be
required. Furthermore, rapid completion of this effort
is necessary in order to present the final decision
package to the President in a timely manner and to
allow sufficient time to draft legislation for submission
in the next Congress.
Please send one copy of any comments you may have to
Rick Neustadt (Room 208, Old Executive Office Building,
Washington, D.C. 20500), and five copies to Arthur
Bushkin (Room 706, 1800 G Street, N.W., Washington,
D.C. 20504, telephone 395-3122).
Information regarding the next Coordinating Committee
meeting, as well as a copy of the shorter Presidential
Decision Memorandum, will be transmitted next week.
This Memorandum presents preliminary, tentative views
and is circulated only for discussion purposes. No
part of it -- including the items labelled "areas of
agreement" -- purports to state the Administration's
position.
Please do not circulate this Memorandum outside of
your agency.
Attachment
cc: Other interested agencies
Presidential Privacy Initiative
November 1, 1978
Draft
Preface
In July, 1977, the Privacy Protection Study Commission
delivered its final report to the President and the
Congress. The Administration's response to that report
has been coordinated under the Domestic Policy Review
System.
A Cabinet-level Coordinating Committee was established,
and the Commission's report divided into six areas
and assigned to task groups for analysis and response.
This document distills the task group reports. While
alternatives to the Commission's recommendations were
considered, this effort was fundamentally a response
to the Commission's report. It was not an independent
analysis of the privacy problem.
The Presidential decision package is currently planned
to have two parts:
1. a brief Presidential Review Memorandum highlighting
the issues for Presidential decision; and
2. a supporting document containing a more complete
discussion of the issues and options.
This document is the latter.
This particular draft is part of a deliberative policy-
making process and is an internal government working
paper. It is not intended for public release.
TABLE OF CONTENTS
I. Introduction
   A. Structure of This Document
   B. Information Privacy
   C. Statement of the Problem
   D. Legislative History
   E. The Privacy Protection Study Commission
   F. Current Activity
   G. The Elements of a Privacy Policy
      1. Notification of Information Collection Practices
      2. Propriety and Relevance of Information Collected
      3. Individual Access to Records
      4. Correction and Amendment of Records
      5. Reasons for Adverse Decisions
      6. Accuracy, Timeliness, and Completeness of Records
      7. Confidentiality and Disclosure of Information
      8. Implementation
II. Non-Federal Records
   A. Introduction
   B. Consumer Credit Industry
   C. Commercial Credit Industry
   D. Depository Institutions
   E. Insurance Industry
   F. Employment Records
   G. Medical Records
   H. Education Records
   I. Public Assistance and Social Service Records
   J. Telephone Toll Records
III. Government Access to Personal Records Held by Third Parties
IV. Federal Record-Keeping
   A. The Privacy Act of 1974
   B. Federal Provision of Data-Processing and Telecommunications Services: Electronic Funds Transfer
V. Other Issues
   A. The Use of Truth Verification Devices in Employment
   B. Standard Personal Identifier
   C. Statistical and Research Studies
   D. Coverage of the Wiretap Statute
VI. Allocation of Federal Privacy Responsibilities
I. Introduction
A. Structure of This Document
This document is divided into six parts. The first
is a detailed introduction and the last five present
a number of basic privacy policy issues for decision.
In most cases, the issues can be decided as if they
were independent of one another in that a particular
decision on one issue need not force a related decision
on another issue. As Section I.G. suggests, however,
a comprehensive privacy policy is usually understood
to have certain essential elements.
Part I provides the historical background and analytical
framework for the document, and sets out the basic
elements of a privacy policy. These elements, such
as an individual's right to see and copy the records
maintained about him, and to have a means of challenging
records he thinks are inaccurate, are offered as the
basis for an Administration privacy policy. The privacy
policy under consideration is not meant to apply to
all records or record-keeping relationships. Specific
decisions concerning the way these elements might be
applied to specific kinds of organizations are set
out in Parts II through VI. The subsequent discussion
includes specific limits on scope and coverage. No
inferences should be drawn regarding extension of any
policy beyond the areas presented below.
Part II contains a description of nine different industries
or types of records for which the Privacy Protection
Study Commission recommended privacy protections.
Following the description of each industry are the
decisions, including a discussion of the various options,
concerning application of the basic privacy policy
to that industry.
Part III deals with government access to records maintained
by the private sector and by state and local governments.
It primarily concerns access by law enforcement and
regulatory agencies.
Part IV discusses two areas concerning Federal record-
keeping activity. The first is revision of the Privacy
Act of 1974, and the second deals with government operation
of electronic funds transfer services for private sector
organizations.
Part V contains three cross-cutting topics: the use
of truth verification devices, such as lie detectors;
the establishment of a standard personal identifier;
and the protections necessary to allow use of Federally
maintained or financed records about individuals for
research and statistical purposes.
Part VI deals with the establishment of new or expanded
privacy-related functions to be performed by the Federal
government.
B. Information Privacy
This memorandum presents the policy choices underlying a
potential Administration position on privacy. The use of
the term "privacy" in this context, however, is somewhat
ambiguous. A more appropriate phrase would be record-keeping
privacy or, as it is more commonly called, information privacy,
for what is being discussed is the collection, maintenance,
use, and dissemination of information about people.
The term "privacy," as it applies to recorded information,
does not mean simply "confidentiality," "secrecy," or "limits
to disclosure." In this context, "privacy" or "information
privacy" also embodies notions of fairness, or more precisely,
fair information practice. Indeed, privacy statutes of
the type discussed herein are often called fair information
practice statutes. (In other countries, they are called
data protection statutes.)
While no precise definitions of "privacy," "fairness," or
"fair information practice" exist, these concepts are generally
understood in this context to mean providing individuals
with procedural rights and mechanisms by which they may
hold record-keeping organizations accountable for their
record-keeping practices. One such procedural right, or
fair information practice protection, for example, is that
individuals be able to see and obtain a copy of the information
about them which is maintained by a record-keeping organization.
The goal of these individual rights is often described as
giving the individual some measure of control over information
about himself, although the term "control" is obviously
too strong a concept. In fact, information privacy also
recognizes an organization's interest in the content of
a record and tries to capitalize on that interest in establishing
protections for the individual. Basically, information
privacy is an emerging body of procedural law, with only
a few instances of substantive standards (e.g., the Privacy
Act's prohibitions on the collection of information relating
to an individual's exercise of his First Amendment rights).
The developing body of law in the area of information privacy
is only loosely related to other, more conventional aspects
of privacy law. The common law tort of privacy invasion
is generally divided into four categories: (1) intrusion
upon an individual's physical solitude or seclusion; (2)
public disclosure of private facts about an individual;
(3) publicity which places an individual in a false light
in the public eye; and (4) appropriation of an individual's
name or likeness. By and large, the courts have refused
to apply any of these four categories where organizational
record-keeping practices have been at issue, and this is
one major reason why new public policy is needed.
Generally speaking, the first and second categories relate
most closely to information privacy. The remedies, however,
of the tort theory center around the collection of damages
after an injury. Information privacy, on the other hand,
attempts to establish, through a system of checks and balances,
an environment in which the chance of injury occurring is
minimized. Moreover, information privacy establishes a
broader set of individual rights and organizational responsibilities
in that it focuses not just on the disclosure of information,
but on an organization's collection, maintenance, and use
of information as well.
For the remainder of this memorandum, unless otherwise noted,
the term "privacy" will be used to mean only "information
privacy." This excludes other, more conventional privacy
issues, such as surveillance, wiretapping, sexual freedom,
and intrusions into the home, except to the extent that
they relate to a record keeper's information practices.
C. Statement of the Problem
The privacy legislation to date, most of which has been
fairly recent, represents a varied and sometimes
inconsistent attempt to address a problem the precise
nature of which is still emerging. Over the past
decade, there has been an increasing awareness that
the misuse of recorded information could be the source of
harm or unfairness to individuals. More recently has
come the realization that the well-intentioned use of
recorded information could also have undesirable consequences.
Furthermore, while recorded information increasingly
mediates relationships between people and organizations,
individuals have less and less control over these records.
And contributing to this trend has been the explosion of
information technology, particularly in computers and
telecommunications, which not only magnifies the problems
of manual systems, but also introduces some new problems
as well (e.g., the accumulation of personal information
in electronic funds transfer systems).
American life has changed dramatically in this century,
particularly in the last three decades. Most Americans
now do at least some of their buying on credit, and most
have some form of life, health, property, or liability insurance.
Institutionalized medical care is almost universally
available. Government social services programs now reach
deep into the population, as do government licensing
of occupations and professions, Federal taxation of individuals,
and government regulation of business and labor union
affairs. Today, the government regulates and supports
large areas of economic and social life through some
of the nation's largest bureaucratic organizations, many
of which deal directly with individuals.
A significant consequence of this marked change in the
variety and concentration of institutional relationships
with individuals is that record keeping about individuals
now affects almost everyone. People have their creditworthiness
evaluated on the basis of recorded information
in the files of one or more organizations. The same is
true for those seeking insurance, medical care, employment,
education, and social services. Each of these relationships
requires the individual to divulge information about himself,
and usually leads to some evaluation of him based on personal
information that some other record keeper has compiled.
In short, we live, inescapably, in an "information society,"
and few of us have the option of avoiding relationships
with record-keeping organizations. To do so is to forego
not only credit but also insurance, employment, medical
care, education, and all forms of government services to
individuals.
The increased use of computers in such record-keeping activities
tends to eliminate the pattern of informal protections for
the privacy of personal information which existed when it
took a great deal of time and cost a good bit of money to
process or retrieve recorded information. Furthermore,
the growing availability and decreasing cost of computer
and telecommunications technologies provide both the
impetus and means to perform new record-keeping functions.
And the pace of technological development will only
accelerate this trend in the future.
Coupled with this disappearance of the informal protections
which promoted the proper use and confidentiality of
recorded personal information, is the fact that formal,
legal protections for personal records are in many
cases nonexistent. When our existing legal structure was
developed, most information of an intimate or revealing
nature, such as financial records, was in the exclusive
control and possession of the individual. Thus, the
laws protecting personal information, like the Fourth
and Fifth Amendments to the Constitution, were designed
to protect information in the actual possession of the
citizen.
Today, a good deal of an individual's personal information
is relinquished to organizations, governments included,
which demand it in order to provide essential services;
however, little legal protection has been extended to these
records. As a result, the individual lacks protections
against others obtaining and using financial, medical, and
similar personal data about him. In addition, in this age
of giant organizations, the individual does not possess
the bargaining power in the marketplace to fashion protections
for how organizations will use and disclose his records.
At the same time, the citizen has lost the reality of his
constitutional protections against the biggest organization
of all--government. That intimate personal information
that the Fourth and Fifth Amendments were designed to
protect is open to largely unaccountable government
examination and is even demanded, as a matter of course,
by the government from record keepers on whole classes
of citizens.
The Privacy Protection Study Commission concluded that
since so much of an individual's life is now shaped
by his relationships with organizations, his interest
in the records organizations keep about him is obvious
and compelling. The Commission further concluded that,
if the individual's interest is to be protected, public
policy must focus on five systemic features of personal-data
record keeping in America today.
1. While an organization makes and keeps records
about individuals to facilitate relationships
with those individuals, it also makes and keeps
records about individuals for other purposes,
such as documenting the record-keeping organization's
own actions, thus making it possible for
other organizations--government agencies, for
example--to monitor the actions of individuals.
2. There is an accelerating trend, most obvious
in the credit and financial areas, toward the
accumulation in records of more and more personal
details about an individual.
3. More and more records about an individual
are collected, maintained, and disclosed by organizations
with which the individual has no direct relationship
but whose records help to shape his life.
4. Most record-keeping organizations consult
the records of other organizations to verify the
information they obtain from an individual and
thus pay as much or more attention to what other
organizations report about the individual than
they pay to what he reports about himself; and
5. Neither law nor technology now gives an
individual the tools he needs to protect his
legitimate interests in the records organizations
keep about him.
The significance of this view of the problem is that
it focuses on systemic characteristics of our society
rather than on specific record-keeping abuses. This
was a major policy decision of the Privacy Commission,
and it is a view shared by many who are familiar with
the trends in both record keeping and the law.
The view that societal trends rather than specific
abuses are the driving force for action draws attention
to the fact that the forces which are undermining personal
privacy often operate slowly and subtly. The
Commission concluded, for example, that
the problems perceived by the Congress at the
time of the Privacy Act's passage have turned
out to be more complex than anticipated, and by
and large they are independent of the problem
of premeditated abuse... The real danger is the
gradual erosion of individual liberties through
the automation, integration, and interconnection
of many small, separate record-keeping systems,
each of which alone may seem innocuous, even benevolent,
and wholly justifiable. (Commission emphasis)
Thus, the Privacy Commission and other experts warn
that we are faced with a slow but steady erosion of
privacy which, if left unreversed, will take us in
another generation to a position where the extent of
our human rights and the vitality of our democracy
will be jeopardized.
This view is not, of course, universally shared. Organizations
which might be covered by privacy protection
point to the "lack of documented abuse." One problem
is that abuses in this area are often difficult to
document, although numerous abuses have been documented
by the Commission and various legislative bodies.
The basic public policy choice, however, is whether
the measures described herein are, or should be, directed
at specific abuses or whether the trend of affairs
is such that the protections are required
as a result of a fundamental value choice about the
nature of our society.
Interestingly, many private sector organizations that
oppose privacy protection legislation do so on the
basis of cost or opposition to government regulation.
Yet, these same organizations are often quite willing
to implement privacy safeguards, usually along the
lines suggested by the Privacy Commission, on a voluntary
basis. There is, in short, a broader consensus on
the nature of the problem (i.e., that the role of the
individual needs to be strengthened vis-a-vis law,
technology, and record keeping) than there is on the
nature of the proposed solution, although even this
is slowly changing in the year since the Commission's
report was published.
Finally, any attempt to resolve the privacy problem
must balance the goals of privacy protection with other
significant competing public interests. If they are
to operate effectively, business, government, and other
institutions have legitimate needs to collect, use,
and disclose information about individuals. If the
concern for privacy were taken as an absolute, the
ability of government, for example, and particularly
law enforcement, to perform its required duties could
be severely constrained.
Other less tangible values may also conflict with the
objective of personal privacy -- or at least the way
one chooses to go about preserving it. Beginning with
the First Amendment protections of freedom of speech
and freedom of the press and continuing with the more
recent drives for open government, our society has
continuously affirmed its concern for the free flow
of information. To the extent that privacy protections
involve restraints on the free flow of information
about individuals, the values of privacy and the values
of free speech have to be carefully balanced. Equally
important are concerns about too great an intrusion
by government into private affairs in order to preserve
what many view essentially as private interests --
particularly when the greatest actual and potential
offender against rights of privacy has arguably been
the government itself. Thus, the choices in the area
of privacy are generally not between "good" and "evil,"
but between legitimate, though competing, public interests.
D. Legislative History
Privacy protections have a long history in this country,
emanating from the Fourth Amendment's prohibition of
unreasonable searches and seizures. In recent years, a
fairly consistent body of information privacy principles
has appeared in a number of Federal statutes and in the
reports of several Federal study commissions.
These principles had their beginning in the "Code of Fair
Information Practices" contained in the 1973 report of the
DHEW Secretary's Committee on Automated Personal Data
Systems, and had their fullest and most explicit legislative
expression as the eight principles of the Privacy Act of 1974:
(1) There shall be no personal-data record-keeping
system whose very existence is secret and
there shall be a policy of openness about
an organization's personal-data record-keeping
policies, practices, and systems. (The Openness
Principle)
(2) An individual about whom information is maintained
by a record-keeping organization in individually
identifiable form shall have a right to see
and copy that information. (The Individual
Access Principle)
(3) An individual about whom information is maintained
by a record-keeping organization shall have
a right to correct or amend the substance
of that information. (The Individual Participation
Principle)
(4) There shall be limits on the types of information
an organization may collect about an individual,
as well as certain requirements with respect
to the manner in which it collects such information.
(The Collection Limitation Principle)
(5) There shall be limits on the internal uses
of information about an individual within
a record-keeping organization. (The Use
Limitation Principle)
(6) There shall be limits on the external disclosures
of information about an individual a record-keeping
organization may make. (The Disclosure
Limitation Principle)
(7) A record-keeping organization shall bear
an affirmative responsibility for establishing
reasonable and proper information management
policies and practices which assure that
its collection, maintenance, use, and dissemination
of information about an individual is necessary
and lawful and that the information itself
is current and accurate. (The Information
Management Principle)
(8) A record-keeping organization shall be accountable
for its personal-data record-keeping policies,
practices, and systems. (The Accountability
Principle)
Some or all of these principles are applied, in different
forms, to specific kinds of records, record keepers,
and record-keeping practices by a number of Federal
statutes. Including the Privacy Act, the foremost
of these statutes are:
a. Freedom of Information Act--Enacted in 1966
and amended in 1974, this statute requires the disclosure,
subject to certain exceptions, of substantive and policy
information maintained by Federal agencies to any person.
As a result of this right of access, individuals are
also able to obtain access to records about themselves,
and thus, to a limited extent, this act and the more
recent Privacy Act of 1974 overlap.
b. Privacy Act of 1974--Enacted in 1974, this
statute is Congress' first attempt to incorporate comprehensive
privacy protections into the records management practices
of the Federal government. The act regulates the collection,
maintenance, use, and disclosure of personal information
in the Federal sector. Except for certain government
contractors, it does not apply to the private sector.
Basically, it requires public notice of agency record
systems, provides for individual access to personal
records, sets up procedures for an individual to correct
or amend records about himself, limits disclosures
of records, and establishes certain practices and policies
of fair information practice. Individual access to
the Federal district courts is available for enforcement
purposes, and provision is made for both civil remedies
and criminal penalties.
c. Fair Credit Reporting Act--Enacted in 1970,
this statute applies only to consumer-reporting agencies,
i.e., entities that supply credit history and individual
background information to credit grantors, insurers,
employers, and others. The intent of the act is to
enable a consumer to learn the "nature and substance"
of all information pertaining to him in the records
of a consumer-reporting agency, and to learn when a
consumer report adversely affects a decision about
him. The consumer may also demand a reinvestigation
of the material and deletion or amendment of inaccurate
or unverifiable information. The act places some loose
disclosure limitations on consumer-reporting agencies,
requires such agencies to follow reasonable procedures
to ensure accuracy, and generally prohibits the reporting
of adverse information over seven years old. Individuals
may recover civil damages in Federal or state courts
and criminal penalties are provided. The FTC has primary
enforcement authority under this act, along with other
regulators of financial institutions.
d. Family Educational Rights and Privacy Act--This
statute, better known as the "Buckley-Pell Amendments,"
was enacted and amended in 1974. It provides for access
by students over 18 or parents of minor students to
all "education records" maintained by any educational
institution receiving Federal funds. Also, the act
sets rather stringent limits on the disclosure of such
records to third parties which may be made without
parental or student consent. The requirements of the
act are enforceable by the Secretary of the DHEW, whose
only enforcement mechanism is the denial of Federal
funds to any offending institution. DHEW also has
the responsibility to issue regulations to be followed
by educational institutions.
e. Equal Credit Opportunity Act--Enacted in 1974,
and amended in 1976, this act proscribes discrimination
in the granting of credit on nine bases, including
race, religion, national origin, sex, marital status,
and age. Although the collection of such information
about credit applicants is required in certain instances
to demonstrate compliance with the law, the use of
such information about credit applicants is strictly
limited. The specific reasons for any denial of credit
must be provided in writing. An individual can bring
suit in Federal or state court to enforce the act,
and can receive both money damages and equitable relief.
The Federal Reserve Board was granted exclusive authority
to issue regulations implementing the Act. Administrative
enforcement of the Act and the FRB Regulations rests
with the Federal Trade Commission and with a number
of other Federal agencies, primarily financial institution
regulators.
f. Fair Credit Billing Act--Enacted in 1974 and
amended in 1976, this statute established a mandatory
dispute resolution procedure for billing errors occurring
on credit cards and other "open end" lines of credit.
It basically regulates the use of information about
a credit card holder by his creditor when a dispute
develops between those parties as to the amount owed.
It permits a debtor to challenge and correct erroneous
billing information and prohibits dissemination of
adverse credit reports until the dispute is resolved.
Enforcement is essentially the same as the Equal Credit
Opportunity Act.
g. Fair Debt Collection Practices Act--Enacted
in 1977, this statute regulates debt collectors, and
is designed to prevent abusive, deceptive, and unfair
debt collection practices. Of particular interest
to privacy, it prohibits various kinds of pretext inter-
views and other false representations of the debt collector's
identity or business affiliation. It also prohibits
communicating with the consumer's employer or other
third parties about his debts, or publishing lists
of alleged debtors, other than through a consumer reporting
agency.
h. Right to Financial Privacy Act of 1978--Enacted
late this session with strong administration support,
this Act is a response to the recent Supreme Court
case of United States v. Miller, 425 U.S. 435 (1976).
In that case, the Court held that a private individual
has no legitimate "expectation of privacy" in his bank
records and thus no legally enforceable interest for
courts to consider. The Court ruled that checks negotiated
by the individual are an independent record of that
person's participation in the flow of commerce and,
as such, are not to be considered confidential communica-
tions. Moreover, the court ruled that the bank records
do not belong to the individual, but to the banking
institution. The Act provides that a government agency
seeking access to an individual's bank records from
his bank must, in most cases, give him prior written
notice containing the reasons government seeks the
record. The individual thus has an opportunity to
contest the government access in court. The statute
does not require a financial institution to supply
the records to a government agency that successfully
overcomes any customer objections in court, but does
minimize the financial institution's liability against
a suit by the customer whose records are given to the
government.
There are also numerous Federal statutes which have
privacy implications because they require organizations
to collect, maintain, or disclose certain records.
One example is the Bank Secrecy Act, enacted in 1970,
which, despite its title, is not a "secrecy" act.
Rather, it requires banking institutions to report
to the Secretary of the Treasury information on certain
types of financial transactions. It also requires
banks to maintain certain records, including checks,
for five years. Civil and criminal penalties are available
against offending banking institutions. The Department
of the Treasury has the responsibility to issue regulations
under this act.
E. The Privacy Protection Study Commission
There have been a number of distinguished study efforts
addressing the privacy problem. Most notable among
those which preceded the Privacy Commission were:
The DHEW Secretary's Advisory Committee on
Automated Personal Data Systems. -- This
1973 report first presented the principles
of a "Code of Fair Information Practice,"
and is generally credited with providing
the intellectual framework for the Privacy
Act of 1974.
The Domestic Council Committee on the Right
to Privacy. -- During its life (1974-1976),
this group brought high level visibility
to the privacy issue and direct involvement
by the Executive Office of the President.
Motivated by the work of these two committees and the
work of various congressional committees, the Congress
and the Executive Branch worked together to enact the
Privacy Act of 1974. That act stands as the most concerted
effort to date to resolve information privacy issues
and to protect the interests of individuals in connection
with records about them maintained by others. The
Privacy Act, however, is aimed exclusively at Federal
records and Federal record keepers. The concern remained
that the problems of privacy protection were not limited
to Federal records. Consequently, Congress decided
that there should be further study to determine if
the principles and requirements of the Privacy Act
of 1974 should be applied to private sector record
keepers and to state and local governments.
Addressing these questions was the basic charge to
the Privacy Protection Study Commission, a two-year
independent Federal commission created by the Privacy
Act. The Privacy Commission was given a broad mandate
to: (1) investigate the personal information record-
keeping practices of governmental, regional, and private
organizations and to recommend to the President and
the Congress the extent, if any, to which the principles
and requirements of the Privacy Act should be extended
to such organizations; and (2) make any other recommendations
necessary to protect the privacy of individuals while
meeting the legitimate needs of government and society
for information. In July 1977, the Privacy Commission
responded to its mandate with a 654-page report containing
162 specific recommendations, and numerous less emphatic
suggestions, supporting broader extension of the principles
of the Privacy Act, but not the Act's specific requirements.
In recommending extension of the principles, but not
the requirements, of the Privacy Act to the non-Federal
sector, the Privacy Commission made some explicit and
implicit decisions regarding the applicability and
appropriateness of these principles beyond the Federal
sector. For example, the Commission determined that
the Privacy Act's principle that there should be no
secret record systems cannot be extended, not because
it is not a desirable objective, but rather because
there is no realistic mechanism for implementation.
(In the Federal sector, notices describing agency record
systems are published in the Federal Register.) Thus,
while the fundamental objectives remain the same, the
basic elements of a privacy policy in the non-Federal
sector would differ from the Privacy Act principles.
The Privacy Commission also rejected the omnibus approach
of the Privacy Act as being inappropriate for the non-
Federal Sector. The Commission recommended instead
that non-Federal privacy protection legislation be
enacted on an industry-by-industry basis (e.g., banking,
credit, insurance) or on a community-by-community basis
(e.g., medical, education, social service and public
assistance). In this way, the specific characteristics
and requirements of each industry or community could
be considered.
The Privacy Commission's recommendations have the same
general thrust as those of its predecessors. Driven
by findings of actual and potential misuse of personal
records, as well as by a concern for the gradual erosion
of personal privacy resulting from the well-intentioned
use of modern information technology, several Congressional
committees, the DHEW Advisory Committee, the Domestic
Council Committee on the Right to Privacy, and the
Privacy Commission have all concluded that the way
in which records about individuals are collected, maintained,
used, and disclosed has to be changed. In particular,
all the groups examining the problem have called for
some degree of control of personal records to be returned
to the individuals to whom those records pertain.
These groups have urged the creation or bolstering
of mechanisms to limit the collection of information
by organizations. They have suggested specific restrictions
on the gathering of information by government. They
have consistently recommended that an individual be
provided the right to see and obtain a copy of records
about himself, to correct errors in those records,
and to be informed of (and, in some cases, limit) the
uses to which those records will be put. And, they
have endorsed the creation of a right for the individual
to exercise some measure of control over the disclosure
of records about himself outside the organization maintaining
them.
The Privacy Commission's recommendations have three
basic objectives: minimizing intrusiveness, maximizing
fairness, and creating legitimate expectations of
confidentiality. The goal of minimizing intrusiveness is
to limit the collection of unnecessary or offensive
personal information by organizations. The objective
of maximizing fairness is to open up the process by
which organizations use records about individuals,
to permit the individual to know what is being done
with personal information, and to allow him to ensure
its accuracy and proper use. The creation of "legitimate
expectations of confidentiality" is an effort to give
legal recognition to the personal character of records
about an individual and to establish a legitimate interest
for the individual in what happens to those records.
Such a legal interest would have two parts: (1) placing
a duty on a private sector record keeper not to disclose
recorded information about an individual without his
authorization or consent; and (2) limiting the government's
access to records held by private sector record keepers
by requiring government to use legal process to obtain
such records.
In addition, the Commission concluded that giving rights
and responsibilities to individuals and the organizations
with whom they dealt was not enough. In order to monitor
industry-wide activities, to be able to respond to
the unforeseen consequences of the growth of information
technology, and, in particular, to structure and enforce
privacy policy effectively within the Federal government,
the Commission recommended both that existing regulatory
authority be augmented and that a new government entity
be created. This combination, the Commission believed,
was essential to ensure that personal privacy, and
the basic values of individuality which underlie it,
would continue to be protected in American society.
F. Current Activity
Congressional
Since the Privacy Commission issued its report there
has been a great deal of privacy interest in Congress.
Immediately upon submission of the report, Congressmen
Koch and Goldwater (both members of the Privacy Commission)
introduced about a dozen bills that substantially followed
the Commission's recommendations. Congressman Preyer
reintroduced all of these bills as one omnibus bill,
H.R. 10076. Congressman Preyer's Subcommittee on Government
Information and Individual Rights held hearings on
this bill during the last Congress.
Only a few issues, however, were the focus of legislative
activity this last term. First is the issue of government
access to financial records. The Congress enacted
the Right to Financial Privacy Act of 1978, incorporating
the Administration position on this issue.
Second, provisions protecting the privacy of financial
records generated by electronic fund transfer (EFT)
systems were included in legislation reported out of
the Senate Banking Committee. However, as finally
adopted by the Congress, the Electronic Fund Transfer
Act contained no privacy provisions. Third, medical
record privacy was raised during the first session
of this term in the context of amendment of the Social
Security Act. Action on the proposed medical record
privacy sections was tabled in committee until DHEW
had time to develop a position in response to the
Commission's report. In May 1978, DHEW presented its
own views to the Congress.
State
Activity in privacy matters resulting from the Privacy
Commission's report is not limited to the United States
Congress, nor is the Federal government in the lead
in developing updated privacy protection. A number
of states, led by California, have developed significantly
greater privacy protections than are afforded by Federal
law. Nine states now have constitutional provisions
protecting individual privacy; seven states have passed
omnibus privacy statutes similar to the Federal Privacy
Act; eleven states have passed statutes that go beyond
the Federal Fair Credit Reporting Act; sixteen states
have laws governing the disclosure of personal information
by financial institutions; some states regulate the
personal information practices of private sector employers;
and many states have laws governing medical records.
And this activity is expected to increase. This pro-
liferation of state legislation has engendered some
business support for Federal legislation that would
provide uniformity of treatment for enterprises that
operate nationwide.
International
There is also an international dimension to the privacy
issue. The locus of this emerging activity is Western
Europe. In 1973, Sweden became the first European
country to pass privacy protection legislation. Within
the last 12 months, West Germany, France, Norway, and
Denmark have adopted national legislation dealing with
privacy protection. Other European countries and Australia
are actively considering such legislation, and Canada,
with a statute similar in some respects to the U.S.
Privacy Act, is also studying the issue further. Japan
is creating a study commission but shows no inclination
to move rapidly.
Both the Council of Europe (a strictly European, human
rights-oriented organization) and the OECD (whose membership
includes most advanced Western European countries,
the U.S., Canada, Japan, and Australia) have been actively
studying the issues. The Council of Europe has drafted
a privacy protection convention, while OECD is both
studying the economic and social aspects of international
information flows, and is engaged in drafting guidelines
for harmonizing disparate national privacy legislation.
The European approach to privacy protection is generally
to enact broad, omnibus legislation which covers all
types of automated government and private sector records
and which is implemented and enforced by a governmental
bureaucracy. The Europeans stress that their intent
is not only to establish standards for protection of
personal information, but also to make important social
statements about the relationship of the citizen to
the state.
Parenthetically, the U.S. is by far the most important
partner in international information exchanges and in the
information processing industry, dominating world markets
in computer software, hardware, and data processing.
This dominance is well understood in other advanced
countries, and to some uncertain degree may lie behind
the sudden surge of concern for privacy protection.
That is, the impetus for foreign privacy protection
laws may lie not only in a genuine concern for the
civil rights of local citizens, but also in an effort
to blunt U.S. dominance of international information
processing. The latter arises out of feelings of nationalism,
concern for sovereignty, and economic control.
At the same time, Europeans are also concerned about
the export of personal information to the U.S. in the
absence of adequate privacy protection in the U.S.,
and some European legislation can be interpreted to
bar such export. Finally, Europeans are particularly
concerned about the lack of a central governmental
office to assist foreign nationals in the protection
of their privacy rights within the U.S.
In the international arena, the U.S. has several interests
at stake: protecting the privacy of U.S. citizens concerning
records maintained abroad, preventing the development
of non-tariff barriers under the guise of privacy protections,
and encouraging the free international flow of information.
While the European activity to date presents no immediate
threat to U.S. interests, the development of a comprehensive
domestic privacy policy will greatly strengthen our
ability to safeguard U.S. interests in the future.
G. The Elements of a Privacy Policy
The remainder of this Part presents an overview of
the basic elements of a general privacy policy as that
policy might be applied to the non-Federal sector.
It concludes with a proposed implementation strategy.
In Part II, each of the nine industries and record-
keeping relationships examined by the Commission is
described and the decisions for application of this
general policy to those industries and record-keeping
relationships are discussed.
1. Notification of Information Collection Practices
Objective
During the course of the business relationship between
an organization and an individual, the organization
may collect personal information about the individual
from many sources. The first objective of a privacy
policy is to give the individual some influence over
an organization's information collection practices
by requiring it to provide prior notice of the kinds
of information it may seek and the types of sources
that may be contacted, and to limit its information
collection practices to those stated in a notice.
This alerts an individual to the personal information
that will be compiled about him as a result of entering
into a record-keeping relationship.
Current Law and Practice
At present, individuals are given little or no information
about an organization's information collection practices.
Thus, individuals are unable to make informed choices
between competing organizations on the basis of their
collection practices. Nor are individuals able to
judge whether the good or service sought from an organization
is worth the potential invasion of their privacy.
Federal and state legislation in this area is limited.
It imposes requirements on only a few record keepers,
and those laws generally do not require a notice whenever
information is collected about an individual. The
Fair Credit Reporting Act, for example, requires only
that institutions such as credit grantors, employers,
and insurers notify an individual if they request an
outside agency to prepare an investigative consumer
report (a report prepared through personal interviews
with friends, neighbors, and other acquaintances concerning
the consumer's character, general reputation, and mode
of living). If the consumer makes a written request,
he must be provided with a notice describing the "nature
and scope" of the investigation. However, this requirement
applies only if the report is obtained from a consumer
reporting agency; it does not apply if the user of
the report performs the investigation itself.
Discussion
The Privacy Commission proposed that an organization
be required to give the individual notice at the start
of the business relationship of the kinds of information
it may seek from third parties and the types of sources
that may be contacted in the course of evaluating the
application and maintaining the relationship. With
this information, the individual can know what to expect
before entering into a business relationship with the
organization. In turn, the organization is limited
to the information collection practices stated in the
notice, unless it subsequently obtains the individual's
consent to conduct an investigation or collect information
not stated in the notice. Past experience with laws
requiring a notice of collection practices such as
this, including the Privacy Act of 1974 and the Fair
Credit Reporting Act, suggests that just the fact of
notification will help eliminate unnecessarily intrusive
or otherwise objectionable collection practices.
The requirement for notification of and limitations
on collection practices is, however, no cure-all.
First, it establishes only a procedural requirement
that information collection practices be limited to
those stated in a prior notice; it does not limit what
that notice may contain. Moreover, in most industries,
a model notice probably will be developed and adopted
by the major companies, thereby limiting the competition
among companies on the basis of collection practices.
Second, because of extensive notices already required
by other laws, there is a danger of information overload.
One possible approach is to adopt a two-step process
whereby the individual is automatically given only
the most general notification, but is advised of his
right to request and receive a more detailed notice.
2. Propriety and Relevance of Information Collected
Objective
Another basic privacy objective is to limit the
collection and use of information which may be improper
or irrelevant to the decision-making process which
gave rise to its collection. For example, a person's
race and sex may be statistically relevant to a credit
decision, but society has decided in the Equal Credit
Opportunity Act that it is improper to base credit
decisions on such criteria. And, some information
collected or reported may bear no logical relationship
to the decision to be made. One example might be the
inclusion of a non-credit related arrest that did not
result in conviction. An allied concern involves the
collection of proper and relevant information through
means which society may consider improper, e.g., through
pretext interviews in which the source is misled into
supplying information, or through the use of truth
verification devices (i.e., "lie detectors"). The
Commission proposed that governmental mechanisms should
exist to consider individual citizen complaints about
propriety and relevance on a problem-by-problem basis.
It made specific proposals to prohibit the use of
pretext interviews and truth verification devices in
certain contexts.
Current Law and Practice
There are few prohibitions on the private sector's
collection of information. Most relevant laws prohibit
only the use, but not the collection, of specific types
of information. The Equal Credit Opportunity Act,
for example, prohibits the use of sex, marital status,
race, religion, and certain other characteristics as
the basis for a credit decision. However, it permits
collection of some of this information, e.g., marital
status, which may affect the creditor's collection
rights. It also requires collection of other information,
e.g., race, to monitor discriminatory mortgage lending
practices.
The Fair Credit Reporting Act's original draft contained
general relevancy requirements, but they were removed
in the face of heavy industry opposition. The Act
does impose, with some significant exceptions, a prohibition
on reporting adverse information more than seven years
old (which is a form of relevancy requirement).
The only existing model of a general standard of propriety
and relevance is the Privacy Act, which requires Federal
agencies to maintain, use, and disseminate only records
which are relevant and necessary to accomplish a lawful
agency purpose. The Act also prohibits collection
of information concerning an individual's exercise
of his First Amendment rights, except when collected
for law enforcement purposes. According to the Commission,
however, these requirements have had little impact
on Federal record-keeping practices.
Laws proscribing the use of what may be excessively
intrusive collection techniques by private sector organizations
are similarly limited. The use of truth verification
devices is regulated at the state level on an irregular
basis, and only a few states now prohibit their use.
Truth verification devices are barred from use in Federal
employment by Civil Service Commission regulations.
The FTC has found that deceptive information gathering
techniques violate the provisions of the Federal Trade
Commission Act, and the recently enacted Fair Debt
Collection Practices Act specifically prohibits deceptive
information gathering practices. It also places an
affirmative obligation on the debt collector to identify
himself and his purposes when communicating with a
debtor in attempting to collect a debt.
Discussion
The Commission proposed that there be formal governmental
mechanisms to consider citizen complaints and raise
questions of relevance and propriety on a case-by-case
basis. This proposal was based upon the belief that
certain information simply should not figure in business
decisions--that it is of no concern to anyone but the
individual himself. The Commission specifically rejected
two alternative approaches to this issue: (1) to create
general statutory requirements on the relevance and
propriety of information for subsequent definition
by a regulatory agency or the courts; and (2) absolute
prohibitions on the collection and use of certain information
(e.g., sexual preference, political affiliation, etc.)
by all record-keeping organizations.
Industry opponents of any propriety and relevance requirements
raise First Amendment objections to prohibitions on
the free flow of information. Industry argues that
market forces already influence businesses not to collect
irrelevant information. Industry fears that any relevancy
requirements will lead to limitations on the right
to obtain information needed to make business decisions.
With these concerns in mind, as well as the difficulty
of determining what information is irrelevant to any
possibly legitimate business use, the Commission for
the most part refrained from specific prohibitions
(although it did make several specific recommendations
restricting the reporting and use of information on
fairness and intrusiveness grounds) and opted for future
case-by-case consideration.
Two specific questions concerning the propriety and
relevance of information collected will be raised for
decision:
1) Should the use of lie detectors be prohibited
in employment decisions (considered in Part
V).
2) Should a mechanism exist for challenging
the relevance and propriety of information
collected and used by credit grantors and
insurance companies. (Part II)
3. Individual Access to Records
Objective
The third privacy objective is to entitle an individual
to see and obtain a copy of any reasonably retrievable
personal information concerning him which is held by
a non-Federal record keeper.
Current Law and Practice
At present, the Privacy Act allows an individual access
to records maintained about him by the Federal government.
However, no such general right of access exists in
the private sector. The Fair Credit Reporting Act
(FCRA) gives an individual the limited right to learn
the "nature and substance" of records held by a consumer-
reporting agency, but this does not mean that the individual
can see the actual information in the records. The
FCRA also does not apply to the records of credit grantors,
depositories, insurers, and employers who may use these
reports to make decisions about individuals. In the
credit area, as a rough substitute for actual access
to records when a billing dispute occurs, the Fair
Credit Billing Act requires a credit-card issuer to
provide a consumer with a written explanation of any
disputed billings and copies of documentary evidence
of indebtedness.
In practice, many record keepers in the non-Federal
sector do allow individuals to see and obtain copies
of their records. Banks and credit-card issuers generally
send the individual a monthly account statement which
reflects a summary of the billing records which they
maintain; many employers now permit employees access
as a matter of good personnel practices. Partially
in response to repeated criticism, the major consumer
reporting agencies now allow an individual to see and
copy a consumer report about him. However, the procedures
developed for access are sometimes difficult for an
individual to use and these are not rights provided
in law.
Discussion
Individual access to records is a precondition to several
of the other basic elements of a privacy policy. For
example, a right of access enables the individual to
determine whether the records contain information beyond
the scope of the prior collection notice (if such notice
is required) and to challenge the accuracy of the information
contained in the records. Merely extending the right
to learn the "nature and substance" of what is in the
record has proven in practice with the Fair Credit
Reporting Act to be insufficient. "Nature and substance"
is determined by the record keeper, and in the past
record keepers have failed to adequately inform the
individual of the records' contents, either intentionally
or out of lack of knowledge about what the individual
considered important.
Assuming that only reasonably retrievable records
need be disclosed and that the organization's copying
costs may be recovered, there is little problem in
the affected industries with allowing individuals to
see and copy their records. However, the situations
in which such access occurs and, with some record
keepers, the records to which access is allowed are
questioned.
4. Correction and Amendment of Records
Objective
The fourth privacy objective is to provide an individual
with the ability to challenge the accuracy of information
about him maintained by non-Federal record keepers.
If the individual believed the information were inaccurate,
he would be entitled to bring the supposed inaccuracy
to the record keeper's attention. The record keeper
then would be obliged either to make the correction
or to reinvestigate the disputed matter. If, after
reinvestigation, the record keeper determined that
the disputed information is accurate, the record keeper
would have to indicate that the matter is in dispute
and include the individual's version of the dispute
in the record. The amended record would then have
to be sent to prior and future recipients of the record,
and, in some instances, to the source of the disputed
information. Similarly, if a record keeper itself
discovers a significant inaccuracy which it corrects
in its own record, then it should also take reasonable
steps to propagate that correction.
Current Law and Practice
At present, there are no uniform requirements that
non-Federal record keepers allow an individual to correct
and amend records about him. The Fair Credit Reporting
Act (FCRA) provides consumers with a right similar
to that outlined above to dispute the accuracy of consumer
reports. With regard to Federal government records,
the Privacy Act provides a general right to challenge
the accuracy of recorded information similar to that
provided by the FCRA. The Fair Credit Billing Act
sets forth a specific procedure for resolving billing
disputes, and requires reinvestigation by the record
keeper. Under common law, a business which reports
erroneous information could be sued for defamation
or libel, but the individual would usually be required
to prove that the information was furnished with malice
or willful intent to injure.
Discussion
Some record keepers contend that market forces provide
a significant incentive to correct clearly inaccurate
information brought to a record keeper's attention
by an individual. First, a change in the information
may permit the record keeper to do business otherwise
foregone. Second, the record keeper has a general
interest in good customer relations. However, if the
inaccuracy is not obvious or is the result of an underlying
error in the organization's records, there may not be
sufficient economic incentive for the organization to
adequately reinvestigate the matter. If the cost of rein-
vestigation would outweigh the benefit of retaining the
individual as a customer, then the customer may simply be
written off. Nor is there a great incentive to send
corrections of the record to other record keepers. Also,
not many record keepers permit an individual to file a
statement of his version of the facts.
Finally, requiring an organization only to propagate
corrections made by the individual ignores the possibility
that the organization itself may discover and correct an
error which, if left uncorrected in the files of other record
keepers, could cause equal harm to the individual. Entitling
an individual to challenge the accuracy of information is
an important device for promoting the accuracy, timeliness,
and completeness of information maintained by the record
keeper, but, from the individual's point of view, it is
a partial safeguard if the record keeper is not obliged
to send corrections to other record keepers.
5. Reasons for Adverse Decisions
Objective
The fifth privacy objective deals with an individual's
rights after a private sector organization decides
not to provide a benefit or service, or decides to
offer it on terms less favorable than usual. The objective
is to allow an individual to know the specific reasons
for the decision and the specific items of information
which are alleged to support the decision.
Current Law and Practice
The Equal Credit Opportunity Act (ECOA) requires dis-
closure of the specific reasons for an adverse credit
decision. Credit grantors typically provide this
information by a form checklist. The disclosure may
be made either automatically or upon the request of
the individual. The Fair Credit Reporting Act (FCRA)
requires that an individual be notified when infor-
mation from a consumer reporting agency is used in
making an adverse credit, insurance, or employment
decision. Unlike credit grantors (which are covered
by the ECOA), insurers and employers are not required
by statute to inform the individual of the reasons
for an adverse decision. Some state insurance statutes
entitle an individual to know why a policy was denied
or cancelled, and at least one state (Virginia) has
passed a statute providing consumers with the right
to know the specific reasons for any adverse action
by an insurance company. The Privacy Commission found
present procedures through which the individual could
learn the basis for an adverse decision inadequate.
The FTC's experience with the ECOA leads it to the
same conclusion.
Discussion
A right to learn the reasons for the denial or termination
of credit, insurance, or other benefits is the beginning
step in consumer due process. The adverse decision
may have been made on the basis of incorrect information
or for reasons which are illegal, irrational, or against
public policy. Although a right to learn the specific
reasons for an adverse action, as well as any supporting
information, would not allow the individual to require
the institution to reconsider its decision to deny
a benefit or service, it would enable the individual
to provide supplemental information that the institution
could use if it wished to reconsider its denial. It
would also have the beneficial educational effect of
informing the individual of the areas in which he must
improve in order to be granted the credit, insurance,
or other benefits he seeks. Moreover, in addition
to allowing the individual to have an adverse decision
reversed in many cases, this right would enable the
individual to challenge any decision criteria or infor-
mation collection practice he thought improper or illegal.
Experience with the ECOA demonstrates the usefulness
of this right. The Federal Reserve Board recently
studied the effects on nine large creditors of the
ECOA's requirement that creditors inform rejected credit
applicants of the reasons for the denial, either automatically
or on request. The Federal Reserve Board discovered
that a substantial portion (12-23%) of the rejected
applicants requested the reasons for the denial when
those reasons were not given automatically. From 30-
70% of those who requested the reasons then supplied
more information; and from 25-72% of those supplying
more information were then granted credit. Comparable
results occurred when consumers were automatically
provided the reasons for adverse decisions.
Significant portions of private industry can be expected
to oppose the requirement that an individual be informed
of the reasons for an adverse decision. Even those
supporting it fear that it might be implemented in
such a way as to prove costly and otherwise burdensome.
6. Accuracy, Timeliness, and Completeness of Records
Objective
An important consequence of viewing privacy as a matter
of fairness is the stress placed upon the objective
of the accuracy, timeliness, and completeness of the
information used in making a business decision and
disclosed by a record keeper to another decision maker.
Of course, the expectation is not that records will
ever be entirely error free. Rather, the aim is to
assure that accuracy, timeliness, and completeness
of records will be maximized.
Current Law and Practice
In the Federal sector, the Privacy Act requires that
an agency "maintain all records which are used by the
agency in making any determination about any individual
with such accuracy, relevance, timeliness, and completeness
as is reasonably necessary to assure fairness to the
individual in the determination."
The Fair Credit Reporting Act requires consumer reporting
agencies to adopt "reasonable procedures" to ensure
the accuracy of the information they obtain and report.
The nation's largest investigative reporting agency
was recently found in violation of this standard by
an FTC administrative law judge. The decision in this
case, in which the company has been ordered to significantly
alter its operating procedures and record-keeping practices,
is being appealed.
Apart from these provisions, record keepers are under
no general legal obligation to cause reasonable steps
to be taken to assure the accuracy, timeliness, and
completeness of recorded information.
Discussion
The Privacy Commission identified two basic approaches
to ensuring the accuracy, timeliness, and completeness
of information collected, maintained, and disclosed
by private sector record keepers. First, a law could
establish a general standard of record-keeping performance
and require organizations to take "reasonable procedures"
to satisfy that standard. To enforce compliance, govern-
ment agencies and individuals could be given a right
of action against institutions whose record-keeping
practices did not satisfy this standard. In addition,
government agencies could, if appropriate, be authorized
to issue implementing regulations to define practices
and procedures necessary to comply with the general
standard.
A second approach would be to create in law specific
procedural rights and requirements addressing the problems
identified in an industry or record-keeping community.
In this approach, the objective of ensuring the accuracy,
timeliness, and completeness of records would be sought
by granting the individual the other rights discussed
in this section (i.e., to see, copy, correct, and amend
his records), and by requiring the record keeper to
propagate corrections, rather than by holding the organization
to a general standard. This approach, too, would be
enforced by giving individuals and government agencies
a right of action against the record keeper. However,
the government enforcement role here would be more
limited, since there would be no need for regulations
to define the practices which comply with the specific
statutory requirements.
In the private sector, the Privacy Commission generally
favored the second approach, rather than a general
record keeping standard. There were, however, a few
areas in which the Privacy Commission recommended a
"reasonable procedures" standard in the private sector.
It recommended a "reasonable procedures to ensure accuracy"
standard for credit authorization and reporting services;
made recommendations for correction of specific unreasonable
procedures in other areas; and recommended a general
reasonable procedures standard for insurance, but felt
that this goal could be attained without legislation.
In the public sector, however, the Commission generally
favored placing a general standard on the record keeper.
The Commission believed that there is a substantial
difference between applying a general "reasonable procedures"
standard to the government and to private sector record
keepers. The primary concern is that such a general
standard applied to private sector record keepers would
necessarily entail extensive government involvement
in the record-keeping practices of private businesses.
However, this concern obviously does not apply in the
context of governmental entities, which are by definition
subject to such scrutiny. Even those in private industry
who support some sort of privacy protection legislation
generally agree with the Commission's position of no
general standard for accuracy, timeliness, and completeness.
The Commission believed that creating specific rights
and procedures would allow the individual more effective
control over the accuracy, timeliness, and completeness
of his records, and that adoption of a general standard
would lead to high compliance costs, arising primarily
from protracted litigation to determine what record-
keeping practices would satisfy the standard. Finally,
the Commission argued that its approach would place
the economic burden of compliance mainly on those organizations
with poor record-keeping practices and which fail to
treat their customers in a responsible manner.
The staff of the Federal Trade Commission, on the other
hand, believes that establishing a standard of accuracy
for personal information that certain record keepers
disclose to third parties is a necessary component
of any comprehensive privacy policy. While the untimeliness
or incompleteness of an item of information may be
so severe as to make the reported information inaccurate,
the FTC's recommendation is confined to reasonable
procedures to ensure accuracy and not to distinct require-
ments for timeliness and completeness of information.
It can be argued that here, as under the Privacy Act,
the general reasonable procedures requirement should
extend to information that is used by the record keeper
for making any determination about the consumer. The
FTC does not take that position because it believes
that, absent other factors, market forces surrounding
a business decision should be presumed to be sufficient
to ensure the optimum accuracy of information used.
The staff of the FTC believes that allowing an individual
rights of access and correction should not be the only
means by which the quality of records is maintained,
and that the record keeper should bear an affirmative
responsibility to monitor its own record-keeping practices
to prevent errors from occurring originally.
The FTC staff counters the argument that a general
requirement will be burdensome and costly by suggesting
that it would impose the general incentive to ensure
that accuracy is given sufficient consideration in
making information handling and system design decisions,
without encumbering systems with specific, and perhaps
inflexible, rules. Moreover, it points out that government
regulation under such a standard, if drawn at all,
need do no more than specify minimum requirements for
such activities.
These two approaches are not mutually exclusive, although
they do represent different philosophies of government
regulation. Both could be in place at the same time.
The industry-by-industry decision section which follows
(Part II) will consider application of both the specific
procedural rights and requirements dictated by the
Privacy Commission approach, and, where potentially
appropriate, a general record-keeping standard for
accuracy, timeliness, and completeness.
7. Confidentiality and Disclosure of Information
Objective
The final objective of a privacy policy is to protect
the confidentiality of personal information held by
credit institutions, banks, insurance institutions,
and medical care providers, and of telephone toll records.
Much of this information is highly personal, e.g.,
financial and medical information, and therefore arguably
should be held in confidence.
Current Law and Practice
In 1976, the Supreme Court held that the individual
has no legally enforceable expectation of confidentiality
under the Fourth Amendment for financial records maintained
by banks. (United States v. Miller, 425 U.S. 435 (1976)).
The recently enacted Right of Financial Privacy Act
of 1978, which sought to address this problem, grants
the individual the right to receive notice of, and
to contest, Federal agency access to his bank records.
However, similar legal protections do not exist for
the records maintained by insurers, medical-care providers,
and providers of telephone services. This means that
when the government asks a private sector record keeper,
other than a bank, to disclose personal information
about an individual, the individual has no legal right
to be notified of, or to contest, the government's
acquisition of those records. Nor does the individual
ordinarily have a right to be notified of or to control
the record keeper's voluntary disclosures of information
to the government or others. In short, the individual
has no legally enforceable expectation of confidentiality
for the personal information which private sector record
keepers hold about him.
Discussion
The balance of this section develops one aspect of
what the Privacy Commission labeled "an expectation
of confidentiality": namely, the record keeper's obligation
to maintain the confidentiality of certain records.
Questions of government access to private sector records
are discussed in Part III.
The Commission proposed, and the responding agencies
generally thought it desirable, that, for credit grantors,
depositories, insurers, medical-care providers, and
telephone toll records, a legally enforceable expectation
of confidentiality should be created and disclosures
to others within the private sector should be constrained.
This proposal contains both procedural and substantive
controls on disclosures. Procedurally, at the beginning
of his relationship with an organization, an individual
would be given a notice describing the disclosures
which may be made of information obtained in the course
of that relationship. A record keeper could then disclose
information only if the disclosure is:
1) consistent with the terms of the notice;
2) required or authorized by law (including
the various forms of legal process which
will be discussed in Part III); or
3) specifically authorized by the individual
to whom the record pertains.
If the record keeper fails to fulfill this obligation
and improperly discloses personal information, the
individual would have a legal right of action and could
receive compensation from the record keeper for any
actual damages he suffered, as well as general damages
of up to $10,000 if a court determined that the record
keeper acted willfully or intentionally.
As a substantive control, the notice given by the record
keeper must include a "reasonably specific" description
of all the allowable disclosures the record keeper
intends to make. Other than (2) and (3) above, the
only allowable disclosures are those which are:
1) necessary to service the relationship (e.g.,
from a credit grantor to a credit bureau);
2) necessary to protect the record keeper against
the individual (e.g., in the event there
is reason to suspect fraud); or
3) necessary to protect the individual (e.g.,
in the event of a medical emergency).
If a disclosure is not within one of these allowable
categories, it cannot be included in the notice and
thereby made automatically by the record keeper. The
requirement that the notice's description of disclosures
be "reasonably specific" is, of course, a critical
factor whose actual meaning, like all statutorily imposed
"reasonableness" tests, will have to evolve. If the
description is too vague, there will be no effective
control. If the description is too specific, the requirement
will prove burdensome to implement. Of course, there
that it is necessary to seek the consent of its customers
for the new disclosure pattern.
This proposal would allow the individual to participate
in the process of disclosure and would give him some
control, or at least influence, over the confidentiality
with which his records are kept. While this may be
important to a person's feelings of privacy, its actual
constraint on private sector record keepers' disclosure
practices will depend in part upon what disclosures
are determined to be necessary to "service the relationship."
However, establishing a legal duty on the record keeper
and giving the individual a right of action to enforce
the obligation represents a significant shift in the
current legal structure governing the confidentiality
of records.
8. Implementation
The Privacy Commission, in suggesting an implementation
strategy for its recommendations, attempted to minimize
government regulation and to bring about adequate enforcement
of its recommendations with a minimum of cost to both
the individual and the record keeper. Most of the
Commission's recommendations do, however, specify mandatory
measures. In part, the Commission chose a statutory
approach because it believed that voluntary compliance
would be too uneven to be dependable; but more importantly,
many of the issues are legal ones and require legal
remedies. In the Miller case described above, for
example, if the bank had wholeheartedly tried to protect
Miller's interest, it would have done him little or
no good since, under existing law, Miller would have
no legal interest in the records to assert.
The primary mode of enforcement adopted by the Commission
was to provide an individual a right to sue to force
an institution to comply with one or several of the
objectives. For example, an individual could sue in
court to obtain a copy of a record about him or to
require the correction of a particular item of information
if a record keeper failed to do so. In addition to
being able to enforce compliance with the specific
requirements, an individual who was successful in court
would be given attorney's fees and damages of up to
$1,000. This provision was intended to encourage individuals
to exercise their rights.
In general, the Commission did not propose that an
individual be able to obtain general damages for most
violations of his rights. However, the Commission
did recommend that, where the institution has violated
an individual's expectation of confidentiality, the
individual would be able to recover actual damages
and, if the institution acted willfully or intentionally
in violating an individual's expectation of confidentiality,
the individual could be awarded general damages in
the amount of at least $1,000, but not more than $10,000.
The Commission believed that the greatest possible
harm to the individual occurs when information is disseminated
outside of the institution, and so recommended that
an individual be able to recover damages for such a
loss.
As a second aspect of its implementation strategy,
the Commission recommended that Federal agencies with
existing enforcement authority be able to force institutions
to comply where there have been repeated violations, because
individuals are not always in a position to assert their
own rights. The Commission also recommended that existing
agencies with expertise in particular fields should
enforce the recommendations in each of their own areas of
responsibility. In doing so, the Commission explicitly
rejected the concept of a centralized privacy enforcement
function in relation to the private sector.
The Commission believed that this implementation approach
would substantially burden only those institutions who
refuse to follow the objectives in good faith. There would
be no general compliance costs, such as annual filings or
registrations. Only those institutions which are brought
into court by individuals or the government for failing
to comply would have to bear the costs of justifying their
practices and procedures.
Finally, the Commission followed the approach of the Equal
Credit Opportunity Act in establishing minimum Federal
standards, but not restricting the states in going further
than the Federal statute. The Commission adopted this
approach in response to the great concern of private sector
institutions over the danger of duplicative or conflicting
requirements in both the Federal and state levels, and
believed that it was appropriate throughout the private
sector.
Area of Agreement
Except as otherwise indicated in the remainder of this
memorandum, the basic implementation strategy proposed by
the Commission has been assumed for the purposes of drafting
this memorandum. While the agencies have not spoken directly
to the issue of implementation strategy, except as indicated
below, their responses to the specific recommendations of
the Commission suggest agreement with the Commission's
implementation strategy.
II. Non-Federal Records
A. Introduction
This part presents for decision the issues involved
in applying the basic privacy package discussed in
the previous section to non-Federal record keepers.
This includes the major record-keeping industries in
the private sector (credit, depository, and insurance),
as well as the other record-based "relationships" which
individuals maintain with organizations (employment,
medical care, education, and public assistance and
social services). These are the record relationships
that were studied by the Privacy Commission, and to
which the bulk of the Commission's 162 specific recom-
mendations were directed.
Each industry or record-keeping relationship is considered
separately. First, the industry and its characteristic
record-keeping problems are discussed, including an
examination of current law and practice. Next, in
summary form, those areas of agreement among the Privacy
Commission, the agencies, and the affected industries
and groups are presented. Since the indicated areas
of agreement parallel the elements of a basic privacy
policy presented in the immediately preceding section,
there is no specific discussion of the "pros" and "cons."
Finally, the issues which require decision are presented.
Generally, these are questions which raised significant
disagreement between the Commission, the agencies,
and the affected private sector record keepers.
Unless otherwise indicated, a single, general term
is used to encompass the full range of institutions
within an industry or record-keeping community. For
example, the term "insurance institutions" is used
to refer not only to insurers, but also to the information
support organizations within the insurance industry,
such as indexers of information, like the Medical Information
Bureau (MIB), and consumer reporting agencies.
Finally, any characterization of the position of industry
with respect to a particular proposal is inevitably
a condensation of varying, and sometimes conflicting,
points of view. In particular, an indication of industry
support for a particular position does not necessarily
mean that industry would affirmatively seek passage
of legislation incorporating that position; rather,
in some cases, it indicates only that industry accepts
the position, either for substantive or political reasons.
B. Consumer Credit Industry
Description of the Record Relationship
It is the rare American household that does not have
some sort of consumer-credit relationship. Banks,
savings and loan associations, finance companies, credit
unions, and retailers are the principal providers of
this service. As the amount of consumer credit has
increased in our society, so has the reliance of these
institutions upon recorded information about individuals
in establishing and maintaining credit relationships.
This, in turn, has led the credit industry to vastly
expand its facilities for sharing information on individuals,
especially through credit bureaus, the traditional
vehicle for such interchange.
Typically, local and national credit bureaus collect
and maintain information on an individual's previous
and existing lines of credit, payment history, financial
status (income and employment), and public-record information,
such as bankruptcies. They collect this information
from credit grantors, many of whom, such as the large
retailers, provide the credit bureaus with periodic
updated reports on each of their credit customers.
The credit bureaus distribute this information to other
credit grantors for use in evaluating an applicant's
credit worthiness and to other credit bureaus, collection
agencies, inspection bureaus, insurers, and employers
who use it for a variety of purposes.
Credit card issuers rely heavily upon recorded information
not only in establishing a line of credit, but also
in documenting its use. They continually collect and
maintain information to enable their card holders to
identify the various transactions made--e.g., name
of merchant and goods or services provided.
The popularity of credit cards has led to a dependence
on an elaborate authorization system to control customer
fraud and overextension. Credit-card authorization
services keep records showing which cards are cancelled,
overextended, or stolen. Merchants check with these
authorization services before accepting cards. To
maintain the information base, card issuers routinely
disclose their negative information to the service,
which reports to subscribers, such as airlines, hotels,
and restaurants.
Check authorization and guarantee services serve a
similar function regarding individuals who have written
bad checks. Check authorization services determine
for their subscribers whether an individual has a recent
history of writing bad checks; check guarantee services
guarantee payment.
Automation has greatly increased the speed and efficiency
with which information is collected and exchanged within
the credit industry. In addition, it has changed the
manner in which credit decisions are made. Credit
decisions are now frequently made through a technique
called "point-scoring," by which a credit grantor statisti-
cally rates an applicant's key characteristics and
produces an overall rating of credit worthiness. While
this system has its economic advantages, it diminishes
the individual's opportunity to challenge the basis
of a credit decision, since he has greater difficulty
in isolating the factors which caused a negative decision.
Current Law
The information practices of the credit industry are
already regulated by the Fair Credit Reporting Act
(FCRA), the Equal Credit Opportunity Act (ECOA), the
Fair Credit Billing Act, and the Fair Debt Collection
Practices Act. The ECOA proscribes the use of race,
sex, marital status, and some other kinds of information
in credit decisions, and requires that the reasons
for an adverse decision be disclosed if the individual
so requests. When an individual asks for these reasons,
creditors usually respond with a form checklist. Credit
grantors are currently not required to disclose the
specific item(s) of information supporting those reasons,
as the Privacy Commission recommendations discussed
below would provide. Credit grantors are, however,
required by the FCRA to notify the individual whenever
information supplied by a credit bureau is used in
making the adverse decision, and to give him the name
and address of the credit bureau. A credit grantor
is not required to disclose to an individual the contents
of a credit report that served as a basis for an adverse
decision; in fact, a credit bureau's contract with
the credit grantor usually precludes this. If the
consumer wishes to learn the contents of the credit
bureau's report, he must go directly to the credit
bureau.
The information practices of credit bureaus are the
most regulated of all private sector record keepers.
The Fair Credit Reporting Act gives the individual
the right to know the "nature and substance" of his
credit bureau record and to file an explanatory notice
when he disputes its accuracy. The FCRA also requires
credit bureaus to have "reasonable procedures" to
assure the accuracy of the information they report
to subscribers.
Areas of Agreement
There is agreement among the Commission and most agencies 1/
responding that, in the area of consumer credit, Federal
law should require:
a) that credit grantors notify individuals at
the time of application for credit of their
collection and disclosure practices, and
follow that notice;
b) that individuals have the right to be given
the reasons for an adverse credit decision;
and, upon request, to see and copy the specific
item(s) of information used in making that
decision;
c) that credit grantors promptly send any corrections
of inaccurate, untimely, or incomplete information
to credit bureaus, debt collection agencies,
or authorization services to whom the inaccurate
information has previously been disclosed;
d) that credit authorization services be covered
by the requirements placed upon credit grantors
and credit bureaus (including the requirements
placed on consumer reporting agencies by
the Fair Credit Reporting Act), except for
the requirement to propagate corrections
(in (c) above) and the obligation to record
previous inquiries and to disclose them to
consumers (Section 609 of the FCRA);
e) a legally enforceable expectation of confidentiality
(as defined in Section I.G.7); and
f) enforcement by:
(i) an individual right of action, and
1/ The CSC opposes (e), below, in the belief that
establishing an expectation of confidentiality
for these, or any other records, would significantly
impair the Government's personnel investigations
programs.
(ii) the FTC or bank regulatory agencies
for repeated or systematic violations.
Areas of Disagreement
1. Should an individual have a right to see and copy at
any time all reasonably retrievable records about
him held by a credit grantor, not just the items of
information that have been used to make an adverse
decision (as set forth in 1(b) above)?
Pro:
To provide for access to consumer credit records
only after an adverse decision is inconsistent
with the approach the Commission took in other areas.
Arguably, an individual should be able to avoid
an adverse decision by correcting erroneous
information before the decision is made. In addition,
if an individual is denied credit based on information
reported by a credit grantor other than the one to
which he is applying, he will need access to the
reporting creditor's records. While the Fair Credit
Billing Act provides some help in this situation, it
does not apply to all creditors (e.g., closed-
end credit relationships are excluded) and must
be used within 60 days of when the error occurs.
A general right of access to all credit information
will allow the individual to correct such information.
The Department of Commerce, the Federal Trade
Commission, the Office of Science and Technology
Policy (OSTP), the National Credit Union Administration,
and the Special Assistant to the President for
Consumer Affairs support this provision.
Con:
The Privacy Commission recommended that an individual
have access to his credit records only when an
adverse decision has been made about him and only
to those records that a creditor has used to make
that decision. This differs from other areas,
such as insurance, where the Commission recommended
a right of access to all information at all times.
The Commission made this distinction because
an individual usually receives a monthly
statement of his credit account, (although the
FTC points out that many consumers, who receive
traditional installment credit loans, do not receive
periodic statements). The Commission believed
that it would unnecessarily burden credit grantors
to require them to assemble and disclose at any
time the information they regularly make available
as part of a monthly billing cycle. The credit
industry would prefer no right to see and copy,
but if such a right were granted, would prefer
that it be provided only in the instance of an
adverse decision and include only the records
used in the decision, thereby reducing retrieval
costs. The Department of the Treasury and the
staff of the Federal Reserve Board support the
Privacy Commission recommendation.
Decision:
Yes, the individual should have a right
of access to all credit records upon
request.
No, an individual right of access to
credit records should be limited to
those records that have been used to
make an adverse decision about him.
2. Should an individual have access to credit records
about him maintained but not prepared by the institution
from which he seeks the records, e.g., credit
reports in the hands of a credit grantor?
Pro:
The Commission recommended that an individual
have direct access to all records maintained by
a credit grantor. This is intended to close a
current gap in consumer credit law. The Equal
Credit Opportunity Act requires a credit grantor
to disclose the reasons for an adverse decision,
and the Fair Credit Reporting Act requires that
the consumer be told if the decision was based
"in whole or in part" on information obtained
from a consumer reporting agency. However, by
contract the credit grantor cannot disclose the
report which was used. The consumer must now
go directly to the credit bureau to get his file,
yet the credit bureau does not know why the adverse
decision was made. The Commission's recommendations
would allow the individual to be informed of the
reasons for an adverse decision and see the information
used in that decision in the same place.
In addition, it is possible that the credit bureau
may not know what information it gave to the credit
grantor. Because credit bureaus regularly update
their files, the information that the individual
eventually gets from a credit bureau may not be
the information that the credit grantor received
and used to make an adverse decision.
The Department of Commerce, the FTC, OSTP and
the Special Assistant to the President for Consumer
Affairs support this option.
Con:
The credit industry, particularly the credit bureau
industry, opposes this requirement. Credit bureau
reports are coded and must be interpreted to the
consumer. Although it is feasible for the credit
grantor to interpret the report for the consumer
(they already interpret it for their own use),
credit bureaus would prefer to do so themselves,
particularly since they may ultimately be liable
if the consumer sues for negligent or willful
non-compliance with the FCRA. Also, credit bureaus
already have employees trained to interpret the
reports for consumers, and credit grantors would
prefer not to train their own employees for this
purpose.
This option is supported with some modification
by the Department of the Treasury and the staff
of the Federal Reserve Board.
Decision:
Yes, an individual should have a right
of access to credit records about him
maintained but not generated by the
institution from which he seeks the
records.
No, an individual's right of access
to credit records should be limited
to those records generated by the institution
from which he seeks the records.
3. Should there be a mechanism for the individual
to challenge the relevance and propriety of information
collected or used by credit grantors?
The Commission did not recommend that a single Federal
agency be assigned this responsibility, but suggested
that appropriate authority be vested in the Federal
Home Loan Bank Board, the Federal Reserve Board, and
other regulatory agencies responsible for enforcing
the Fair Credit Reporting Act. The Commission was
specific, however, in recommending that the mechanism
not involve direct regulatory control by a Federal
agency on questions of relevance and propriety. As
envisioned by the Commission, the mechanism would collect
consumer complaints about the information practices
of the industries they regulate and report to Congress
as to the need for legislation to control the collection
or use of any particular items of information. An
example might be that the Federal Reserve Board would
suggest legislation prohibiting the collection of information
about arrests which did not result in convictions
for use in credit decisions.
Pro:
The Commission, the FTC, OSTP, the Special Assistant
to the President for Consumer Affairs and the
National Credit Union Administration support this
proposal. Individuals may be frustrated by what
they believe to be overbroad and irrelevant or
improper requests for information. Often they
do not have the market power to prevent its collection.
A government agency, such as the Federal Reserve
Board or the Federal Trade Commission, could consider
consumer complaints and suggest remedial legislation
as needed on a case-by-case basis.
Con:
The credit granting and credit reporting industries
uniformly and vehemently oppose this recommendation,
which is also opposed by the Department of Commerce
and the staff of the Federal Reserve Board. Industry
believes that the marketplace discourages the
collection of irrelevant or improper information
and that there is a trend to collect less information.
Industry argues that most information is relevant
to some business purpose, and does not want government
interference in business decisions about what
information to collect.
To the extent problems once existed, industry
also believes that they have been resolved by
the Equal Credit Opportunity Act, which prohibits
the use of marital status, sex, age, religion,
national origin, race, receipt of public assistance,
or good faith exercise of any right under the
Consumer Credit Protection Act, in making credit
decisions.
The Department of the Treasury also opposes the
creation of such mechanisms absent more specific
information about the proposed mechanism and its
costs.
Decision:
Yes, there should be governmental mechanisms
for the individual to challenge the
relevance and propriety of information
collected or used by credit grantors.
No, such mechanisms should not be created
at this time.
4. Should Federal law require that a credit grantor
have reasonable procedures to ensure the accuracy
of the personal information it collects, maintains
and discloses?
For a general discussion of this issue, see Section
I.G.6, "Accuracy, Timeliness and Completeness."
Option 1: All credit grantors:
It is the position of the FTC staff that a "reasonable
procedures" standard for accuracy similar to that
contained in the Fair Credit Reporting Act (15
U.S.C. 1681e(b)) for credit bureaus is a necessary
component of a comprehensive privacy policy applied
to credit institutions. Current law is unbalanced
in its coverage of the information practices of
the credit industry. The industry depends heavily
upon the exchange of information, with credit
bureaus serving as the information brokers, or
go-betweens, for the industry. In addition to
using credit bureau reports for evaluating consumer
applications for credit, credit grantors regularly
report to the credit bureaus on the state of their
consumer accounts. Credit grantors, particularly
consumer finance companies, also directly exchange
or verify information amongst themselves. Thus,
credit grantors are both providers and receivers
of information as it flows within the industry.
While credit bureaus are required to have reasonable
procedures to assure the accuracy of the information
they report, credit grantors are under no such
requirement regarding the information they report
to one another, either directly or through the
intermediary of a credit bureau. The imposition
of such a requirement would erase the often artificial
distinction currently drawn between credit bureaus
and their sources of information (credit grantors).
The FTC staff, which has primary enforcement responsi-
bility for the FCRA, has found that placing the
"reasonable procedures" requirement on credit
bureaus has, among other effects, caused them
to maintain routine procedures for correction
of gross errors in the information they process
and disclose. However, the impact of these procedures
has been limited by the absence of a legal requirement
on the credit grantor to ensure the overall accuracy
of the information it supplies to the credit bureau,
and the fact that the credit bureau is not in
a market position to influence the credit grantor
to report only accurate information.
The FTC staff has also identified specific problems
related to the absence of standard codes for information
reported by credit grantors, the filing of adverse
credit reports by credit grantors even after signing
a general release for partial payment of a disputed
debt, and in the identifying information used
in credit grantor reports to credit bureaus.
The FTC staff believes that a requirement that
a credit grantor adopt "reasonable procedures"
to ensure the accuracy of records which they disclose
would help solve some of these problems.
Finally, while the FTC staff would endorse the
Commission's proposal concerning the accuracy
of information reported by credit-card issuers
to credit authorization services (see Option 2,
below), it would argue that the proposal addresses
only a small portion of the identifiable problems
in the credit industry.
Option 2: Only credit-card issuers' reports to independent
authorization services:
In contrast to Option 1, which addresses all reports
made by all consumer credit grantors, this option
addresses only one class of credit grantors (credit-
card issuers), and then only the reports they
make to independent authorization services. It
does not cover reports made by credit grantors
to credit bureaus and other credit grantors.
The Commission recommended that Federal law require
a credit-card issuer to have reasonable procedures
to assure that the information it discloses to
an independent authorization service is accurate
at the time of disclosure. However, it explicitly
rejected recommending that a Federal statute require
all credit grantors to adopt reasonable procedures
to ensure the accuracy of all external disclosures
of their records. The Privacy Commission position
is supported by the National Credit Union Administration
and the Federal Reserve Board.
The Privacy Commission made its specific recommendation
concerning authorization services because they
act preemptively at the time of transaction.
An individual thus has no way of rectifying an
error in an independent authorization service
record in time to affect that transaction when
his use of his credit card to pay for goods or
services is refused because of negative and incorrect
information from an authorization service. Pro-
cedures to correct inaccuracies after the fact,
therefore, do little good in this instance.
The Privacy Commission's rejection of a general
"reasonable procedures" standard was based on
the belief that the identifiable problems in consumer
credit will be adequately remedied by the combination
of current law and the specific individual rights
and institutional obligations proposed in its
other recommendations. For example, the Commission
believed that the specific problems concerning
erroneous information reported by credit grantors
to credit bureaus would be addressed by allowing
an individual to be informed of the reasons for
an adverse consumer credit decision, and to see,
copy, correct, and amend the information used
in that decision. While this mechanism would
not necessarily prevent an error from occurring,
it would adequately protect the individual when
an error did occur. The Commission did not believe
that preventative protections for accuracy were
necessary in the consumer credit area for disclosures
other than those made to the authorization services.
Option 3: No action:
The Departments of Commerce and Treasury oppose
both the Commission's specific recommendation
(Option 2) and the proposal presented in Option
1 above. The Treasury position is based upon
the belief of the Comptroller of the Currency
that the Fair Credit Reporting Act and standard
banking practices under the Federal Reserve System
already require National banks to have reasonable
procedures insuring that the information they
collect, maintain, and disclose is accurate, timely
and complete. Similar requirements may also exist
for independent authorization services and check
guarantee services, since they also are considered
by the Federal Trade Commission to be consumer
reporting agencies under the Fair Credit Reporting
Act. The latter issue is now being litigated.
Pending its resolution, the Comptroller of the
Currency believes that no new "reasonable procedures"
requirements should be adopted. Industry also
opposes both Option 1 and 2. Card issuers believe
that market pressures already force them to have
reasonable procedures to ensure accuracy. They
believe this is true for all credit records, including
those disclosed to the independent authorization
systems. The card issuers fear that a legislatively
imposed requirement will eventually result in
government's dictating the specific procedures
that business must follow to ensure accuracy.
Finally, the imposition of a general legal requirement
may place a greater burden on small credit grantors
and retailers, exacerbating an existing trend
toward the disappearance of credit granting by
smaller businesses. The Commission recommendation
would be less likely to have such an effect because
it is directed only to credit-card issuers, which
are already predominantly automated and therefore
have already included provisions in their systems
for maintaining the integrity (i.e., at least
the accuracy and timeliness) of their data bases.
Decision:
Federal law should require all credit
grantors to have reasonable procedures
to ensure the accuracy of the information they
disclose.
Federal law should require that a credit-
card issuer adopt reasonable procedures
to ensure that the information it discloses
to an independent authorization service
is accurate at the time of disclosure.
Adopt no new "reasonable procedures"
requirement in consumer credit.
C. Commercial Credit Industry
Description of the Record Relationship
Commercial credit is most frequently extended to one
business by another, e.g., when a manufacturer sells
goods to a buyer with some or all of the payment due
sometime after delivery. Commercial credit is also
extended to commercial establishments by banking institutions
and government agencies, such as the Small Business
Administration.
Commercial reporting services, such as Dun & Bradstreet,
collect information about businesses and their principals
on a regular basis. When a business seeks commercial
credit, the credit grantor often requests a report
on the business from one of these reporting services.
For medium and large companies, commercial credit decisions
are generally made on the basis of information about
the business entity, rather than about the individual
owners and officials. However, for small businesses,
such as partnerships and sole proprietorships, personal
information may figure extensively in the credit granting
decision, and the livelihoods of the owners and principals
may be directly affected.
Current Law
Neither the information practices of commercial reporting
services nor the use made of their reports is regulated
by the Fair Credit Reporting Act, which regulates consumer
reporting agencies. However, Federal Reserve Board
Regulation B, implementing the Equal Credit Opportunity
Act, requires commercial credit grantors, upon request,
to notify a credit applicant whose request for credit
has been denied of the reasons for the adverse commercial
credit decision. But, even if a commercial credit report is
given as the reason for an adverse action, there is
no legal right to see or dispute it.
Issues for Decision
With regard to the records about individuals created
and maintained by commercial credit grantors and commercial
reporting services, the Privacy Commission recommended
that Federal law provide:
1) An individual right, upon request, to see,
copy, correct, and amend information about
him maintained by a commercial credit reporting
service;
2) An individual right to be notified, upon
request, by a commercial credit grantor who
has used a commercial credit report containing
personal information on the individual to
make an adverse credit decision, of the identity
of the commercial credit reporting service
that made the report; and
3) enforcement by:
a) an individual right of action, and
b) the Federal Trade Commission for repeated
or systematic violations.
The Privacy Commission did not study the commercial
credit industry in detail, and, in particular, did
not establish a detailed record on the practices of
commercial credit grantors. It recommended further study
of these practices. While there is little disagreement
with the substance of the above Commission recommendations,
the limited record and the strong industry opposition
suggest that the primary issue in the commercial credit
area is:
1. Should the recommendations of the Privacy Commission
(listed above) for the personal records created
and maintained by commercial credit grantors and
reporting services be adopted in Federal law?
Pro:
Commercial credit reports contain varying kinds
of personal information on the owners and managers
of businesses which seek commercial credit. This
information on a company's principals can be critical
to the decision of whether or not to grant credit,
particularly for smaller businesses. Under present
law, an individual whose business is denied credit
because of personal information about him in a
commercial report has no legal right to compel
the credit grantor or commercial reporting service
to disclose the information on which the decision
was made, nor can he compel the credit grantor
to disclose the name of the commercial reporting
service (or even whether one was used). Although
the commercial reporting industry will generally
voluntarily show reports on a business to the
business' owners and officers, the absence of
an explicit legal right to this disclosure can
be crucial when there is a dispute and access
is denied.
The commercial credit industry argues in opposition
to this recommendation that businessmen have the
sophistication and market power to protect their
own interests without the need and attendant costs
of providing these rights by law. However, it
is primarily the smaller businesses whose credit
worthiness is decided on the basis of personal
information about individual managers and owners,
and it is exactly these businesses which lack
the market power to protect themselves when credit
is denied on the basis of inaccurate information.
Moreover, the cost of implementing the proposal
would be minimal, since the only change required
from present practice is that a credit grantor
would have to disclose the identity of a commercial
reporting service whose report was used to make
an adverse credit decision.
Finally, Dun and Bradstreet, the nation's largest
commercial reporting service, agrees to the appropriate-
ness of these procedures. However, it believes
that only the second requirement is a candidate
for Federal action--the marketplace, in its judgment,
being a sufficient incentive for the first requirement.
Further, it believes that the second requirement
should be imposed only through regulations implementing
the Equal Credit Opportunity Act, not through
new legislation. (The authority of the Federal
Reserve Board to expand the ECOA regulations in
this manner is unclear.) The OSTP endorses this
option, with some modification.
Con:
The commercial credit granting and reporting industries
oppose privacy measures regarding the personal
information they collect and maintain for three
primary reasons. First, industry argues that
these procedures are consonant with present practice
and therefore unnecessary. Second, the commercial
reports at issue contain only limited personal
information, and most of that information is supplied
directly by the subject or taken from public records.
The personal information contained in the reports
is thus relatively accurate and generally known
to the individuals to whom it pertains. Third,
they argue that businessmen are knowledgeable
about credit granting and credit reports, and
have the sophistication and market power to protect
themselves.
The Department of Commerce and the Special Assistant
to the President for Consumer Affairs recommend
that no action be taken regarding commercial credit
records until further study. The Treasury Department
also opposes the Commission recommendation.
The Treasury Department's opposition to adoption
of the Commission's recommendations is based upon
the belief of the Comptroller of the Currency
that the protections envisioned are covered adequately
already by the Equal Credit Opportunity Act, the
Small Business Act and other laws, and thus may
be unnecessary.
As an alternative to legislation at this time,
industry suggests that government develop and
monitor a code of voluntary standards along the
lines of the Commission's recommendations. This
would further encourage voluntary action by the
industry, and in the event of non-compliance could
form the basis for legislation at a later date.
Decision:
Yes, the Privacy Commission recommendations
(as listed above) should be adopted
in Federal law (using, to the extent
possible, the regulations implementing
the Equal Credit Opportunity Act and
otherwise through a new Federal statute).
No, the Privacy Commission recommendations
should not be implemented through legislation,
but should be suggested as voluntary
standards with legislation to follow
in the event of non-compliance.
2. Should Federal law require that commercial reporting
services have reasonable procedures to assure
the accuracy of information pertaining to individuals
included in reports produced by them?
For a general discussion of this issue, see "Accuracy,
Timeliness and Completeness" in Section I.G.6. above.
(Note: Commercial credit grantors rarely, if ever,
collect or use personal information about the individuals
involved in businesses which seek commercial credit,
other than that contained in the reports of a commercial
reporting service. Nor do they disclose personal information
to these services; they report only ledger information
on the credit accounts of the businesses with which
they have a credit relationship. For these reasons
the Commission did not recommend placing a "reasonable
procedures" requirement on commercial credit grantors
regarding the personal information which they maintain
or disclose.)
Pro:
Consumer reporting agencies are required by the
Fair Credit Reporting Act to have "reasonable
procedures" to assure the accuracy of information in
their reports, but commercial reporting services
are not. The Commission recommended that the
FCRA should be amended to impose a "reasonable
procedures" standard on that part of a commercial
reporting service's activities that involve information
about individuals.
A requirement that commercial reporting services
have an affirmative responsibility to be accurate
when initially making a report is important because
an inaccurate report about a businessman may cause
him to lose a business opportunity that cannot
be recaptured when the report is later corrected.
For example, a retailer who is unable to replenish
his inventory because of an inaccurate credit
report will be unable to make up those sales once
the report is corrected. It is critical to him
that the report be accurate the first time around.
Moreover, the reasonable procedures standard appears
to have worked effectively in the consumer reporting
field, where it caused significant changes in
industry practice. Equifax, which prepares both
consumer reports and commercial reports, states
that the requirement would pose no additional
burden because it follows the same procedures
in preparing both kinds of reports. In addition,
if the model of the FCRA is used to fashion this
requirement, there would be no need for detailed
government regulation.
The Special Assistant to the President for Consumer
Affairs and the FTC support this option.
Con:
The Treasury Department, the Commerce Department,
the staff of the Federal Reserve Board, OSTP,
and the commercial reporting industry oppose this
recommendation at this time. Treasury believes
that this protection is adequately provided by
the Equal Credit Opportunity Act, the Small Business
Act, and other Federal laws. (The ECOA provides
that applicants for commercial credit be given
the reasons for adverse decisions, and the Small
Business Act, which governs certain Small Business
Administration loan programs, prohibits discrimination
in making these loans. Neither act imposes a
reasonable procedures standard).
Industry opposes this recommendation out of fear
that it would lead to pervasive government regulation
of business practices. Second, they assert that
the forces of the market place already discourage
the reporting of inaccurate information. Finally,
industry argues that there has been no showing
of harm flowing from present industry procedures.
Decision:
Yes, Federal law should require that
commercial reporting services have reasonable
procedures to assure the accuracy of
information pertaining to individuals
included in reports produced by them.
No, such requirements should not be
imposed.
D. Depository Institutions
Description of the Record Relationship
Depository institutions -- banks, savings and loan
associations, and credit unions -- offer both credit
and depository services. To the extent that they make
consumer, commercial, and mortgage loans, they are
treated as credit grantors in this memorandum. To
the extent that they provide checking and savings accounts
and, as part of that service, offer check guarantee,
or electronic funds transfer privileges, they are treated
here as depositories.
Traditionally, the primary deposit services that a
depository provides for its non-business customers
are checking and savings accounts. To open such an
account for an individual, the depository usually requires
only a signature and deposit. It rarely conducts an
investigation or collects extensive personal information.
Once the account is established, however, the records
of checks and deposits which the depository compiles
can become a virtual economic and social diary for
an individual. For this reason, depositories are acutely
aware of the concern to keep their clients' financial
affairs confidential.
This more traditional view of depository institutions
and their record systems is being altered, however,
by the extension of new services such as "overdraft
protection" and the emergence of Electronic Funds Transfer
(EFT) systems which combine traditional depository
functions (checking and savings) with credit card-type
payment mechanisms. These services carry an attendant
risk which depositories are willing to accept only
after conducting a review of an applicant's credit
background. Some depositories and other independent
companies are also beginning to offer services which
guarantee check payment, thus combining in one institution
the more common functions of depositories, credit bureaus,
credit authorization systems and insurers. The Privacy
Commission recommended a privacy policy designed to
address these new functions and the new record systems
which will evolve.
Current Law
When a bank grants overdraft privileges, credit cards,
or other credit services, it is subject to the Equal
Credit Opportunity Act and must disclose the reasons
for an adverse decision if the individual requests.
When a depository offers checking and savings services,
it is covered by no similar Federal law, or by any
other Federal law giving the individual rights to see,
copy, correct or amend his records.
In addition to state regulations, depositories are
required by Federal law to accumulate certain records
and make them available to the government. The Bank
Secrecy Act of 1970 and its implementing regulations
require depositories to retain copies of checks drawn
over $100 (in practice, most depositories copy all
checks); the Act also requires banks to report to the
government financial transactions over a certain amount.
Although a number of states (notably California) have
legally enforceable confidentiality standards for financial
records, the 1976 Supreme Court decision in United
States v. Miller makes it clear that under then current
Federal law, account records are business records of
the bank, and the account holder has no "expectation
of privacy" in them. However, the Financial Privacy
Act of 1978 now provides that a government agency seeking
access to an individual's bank records from his bank
must, in most cases, give him prior written notice
containing the reasons government seeks the record.
The individual thus has an opportunity to contest the
government access in court, and a legal interest in
those records.
Areas of Agreement
There is agreement among the Privacy Commission, most
of the responding agencies and significant segments
of the banking industry that, with regard to depository
institutions, Federal law should require:
a) that depository institutions notify applicants
of their collection and disclosure practices,
and follow that notice;
b) that depository institutions promptly notify
independent check-guarantee and check authorization
services of corrections of erroneous information
previously reported to them;
c) that check-guarantee and check-authorization
services be subject to the provisions of the
Fair Credit Reporting Act;
d) a legally enforceable expectation of confidentiality
(as defined in Section I.G.7.); and 1/
e) enforcement by:
(i) an individual right of action, and
(ii) the FTC or other depository institution
regulatory agencies for repeated or
systematic violations.
Areas of Disagreement
1. Should an individual have the right to be given
the specific reasons for an adverse depository
decision and to be informed of the specific item(s)
of information used in making that decision?
Pro:
The Commission recommended this provision, and
the Departments of Commerce and Treasury, the
Special Assistant to the President for Consumer
Affairs, the Federal Trade Commission, and OSTP
support it. They believe that depository and
credit institutions should be treated alike.
Although it is rare, individuals sometimes are
turned down for a depository or checking account,
for example, on the basis of negative information
received from a check authorization service.
In this instance, the Commission asserted that
the individual should be able to know this and
to see the item(s) of information used by the
bank in making that decision.
The Comptroller of the Currency believes that
a blanket requirement for depository institutions
to furnish individuals with the specific reasons
for adverse decisions and the specific items used
to make those decisions, may be extremely burdensome
in some situations. The Treasury Department believes,
therefore, that the language which may be used
to implement this recommendation should be broad
enough to permit depository institutions some
reasonable latitude.
1/ The Civil Service opposes an expectation of
confidentiality for these, or any other records,
in the belief that this would significantly impair
the Government's personnel investigations program.
Con:
If there is a decision to deny a loan, overdraft
privileges, or a credit card, the Equal Credit
Opportunity Act currently requires a depository
to inform the individual of the reasons. Depositories
claim that there is no need to apply this requirement
to opening a deposit account since they almost
never deny an application. They assert that it
would be costly and unnecessary to set out the
item(s) of information that support the adverse
decision.
The Federal Deposit Insurance Corporation (FDIC)
opposes applying this or any other privacy requirement
to depositories absent a showing of abuse. The
staff of the Federal Reserve Board also opposes
the recommendation in the belief that the Equal
Credit Opportunity Act and the FCRA now adequately
protect the interests of individuals.
Decision:
Yes, require disclosure of the reasons
for an adverse depository decision and,
upon request, the items of information
used in making the decision.
No.
2. Should an individual have a right to see and copy
at any time all reasonably retrievable records
about him held by a depository, not just the items
of information used to make an adverse decision?
Pro:
To provide for access only to depository records
used in making an adverse decision is inconsistent
with the approach the Commission took in other
areas (such as insurance). Credit grantors, landlords,
and others often seek information about an individual
from his bank, and the individual should arguably
be able to avoid an adverse decision in these
areas by correcting erroneous information before
a disclosure or decision is made. He can do so
only if he has a general right to see and copy
these records at any time. Moreover, the burden
on the depository institutions to provide these
records at any time would not be very great given
the centralized character of their record-keeping
systems. The Department of Commerce and the FTC
support this option.
Con:
The Privacy Commission opposed giving the individual
a right to see and copy these records at any time
because it believed that it would place an unnecessary
burden on depositories. The individual presently
receives copies of records with respect to his
depository account on a periodic basis, usually
in the form of monthly statements, cancelled checks,
and receipts for deposits and withdrawals. The
Commission believed that the individual's right
of access is important only in the adverse decision
situation, where the individual may be affected
by information that does not stem from transactions
for which he already has records. OSTP and the
Special Assistant to the President for Consumer
Affairs support this option.
Decision:
Yes, the individual should have a right
of access to all depository records
upon request.
No, an individual right of access to
depository records should be limited
to those records that have been used
to make an adverse decision about him.
E. Insurance Industry
Description of the Record Relationship
Two of every three Americans have some form of life
insurance; 90% of the civilian population under age
65 have some form of individual or group health insurance;
and 15% of all Americans are covered by one of the
pension plans offered by life insurance companies.
Unlike the credit area, in which eligibility decisions
increasingly are based on objective criteria, insurance
decisions continue to reflect the insurance underwriter's
subjective evaluation of the individual applicant.
The insurance industry uses highly personal records
extensively in its decision making. For health and
life insurance, the primary risk factors are current
health, employment, and hobbies, e.g., sky diving,
auto racing, etc. For property and casualty insurance,
more subjective criteria, such as prior claims history,
driving habits, and "moral life-style information,"
are added to these factors.
Insurance companies also collect a great deal of information
about individuals in the course of settling claims.
Some of this information may be used in evaluating
an individual's subsequent insurance application.
This is especially true of property and casualty insurance,
where the paramount concerns are preventing fraud and
the accurate prediction of risk.
Within the insurance industry, a variety of support
organizations have arisen which facilitate the collection
and sharing of personal information for use within
the industry. In addition to consumer reporting agencies,
which conduct investigations on individuals for underwriting
purposes, organizations such as the Medical
Information Bureau (MIB) index personal information
on policy holders and applicants for use by subscriber
companies in order to facilitate the direct exchange
of information between member life insurance companies.
Current Law
Traditionally, the insurance industry has been regulated
at the state level. With regard to information practices,
some states, notably California, have tried to regulate
companies' use of certain information, e.g., moral
life style, on the basis of propriety and relevance.
Other states have proscribed the use of age, race,
and sex. The consumer reporting industry, which investigates
individuals for insurers as well as other clients,
has been regulated at the national level by the Fair
Credit Reporting Act since 1970. There is, however,
some doubt whether organizations like the Medical Information
Bureau (MIB) are covered by this law. As for the insurance
companies themselves, no Federal legal controls exist
with regard to the accuracy, timeliness, and completeness
of the information they collect and maintain.
Partially in response to the Commission's report, some
state insurance commissioners have begun to develop
fair information practice codes for the insurance companies
operating within their states, and the National Association
of (State) Insurance Commissioners has drafted model
state legislation incorporating the bulk of the Commission's
recommendations. One state (Virginia) has a recently
enacted law requiring the consumer to be notified of
the reason for an adverse insurance decision.
Areas of Agreement
Although there is disagreement about how privacy protection
in the insurance industry should be implemented, the
Commission, the responding agencies, and some insurance
companies, particularly in the life and health areas,
agree that substantive protections should include:
a) a requirement that insurance institutions
notify applicants of their collection and
disclosure practices, and follow that notice;
b) the right for an individual to challenge
the accuracy of those insurance records to
which he has access (as defined below);
c) a requirement that the record keeper send
any corrections it makes of inaccurate information
to:
i) anyone designated by the individual
who has received the inaccurate information
within the preceding two years;
ii) any support organization which regularly
receives such information; and
iii) any support organization which furnished
the inaccurate information;
d) a prohibition on pretext interviews (an interview
in which an investigator: (1) pretends to
be someone he is not; (2) pretends to represent
someone he does not; or (3) misrepresents
the purpose of the interview);
e) the right for an individual to be given the
reason(s) and item(s) of information used
in an adverse insurance decision;
f) the right for an individual not to be denied
insurance based solely on the fact that he
previously has been denied insurance; and
g) a legally enforceable expectation of confidentiality
(as defined in Section I.G.7). 1/
Areas of Disagreement
1. Should the privacy protections applicable to the
insurance industry be required by Federal law?
Pro:
The Commission, the FTC, OSTP, the Special Assistant
to the President for Consumer Affairs, and some
insurance companies, particularly in the life
and health areas, agree that some uniform Federal
privacy standards are desirable in the insurance
area so that a person's minimum rights would not
vary depending upon the state in which the individual
lives, nor depend upon the ability of state officials
to control the activities of a multistate insurer.
There is currently no widespread state regulation
of insurance information practices and it is not
clear that states are interested in such comprehensive
regulation at this time. In the case of insurance
application forms, which states traditionally
have regulated, the Commission did, however, deem
it appropriate to leave regulation to the states.
The extent and effectiveness of voluntary action
by the insurance industry are uncertain at this
point.
The FTC, which supports this option, suggests
that the Fair Credit Reporting Act may serve as
a model for regulating the insurance industry,
inasmuch as it grants individuals certain minimum
rights, which have been expanded upon by several
states. In this instance both the states and
the Federal government share enforcement responsibilities
for whatever Federal laws are enacted.
The FTC suggests that concurrent enforcement responsibility
will ensure that state insurance commissioners
are able to include privacy issues in their regular
examinations of state insurance institutions,
while also ensuring that the Federal government
will be able to stop practices which affect consumers
in more than one state.
1/ The Civil Service Commission opposes an expectation
of confidentiality for these, or any other records,
in the belief that this would significantly impair
the Government's personnel investigations program.
Con:
Some life and health insurance companies and most
casualty insurers, with two major exceptions,
believe that implementation of the Commission's
recommendations should be left to the states.
The general policy of the Federal government,
embodied in the McCarran-Ferguson Act of 1945,
has been to leave regulation of insurance to the
states (although aspects of the general Federal-
state regulation of insurance question are currently
being examined by OMB). The companies' position
is based more on their desire to maintain the
existing regulatory framework than on any particular
privacy issue. As they currently operate under
50 different state regulatory schemes, many companies
see no objection to differing privacy regulations.
The Department of Commerce also supports this
option at this time. Commerce asserts that states
should be given an opportunity to enact a model
privacy law for insurers before Federal legislation
is considered.
Decision:
Yes, privacy protections applicable
to the insurance industry should be
required by Federal law.
No, regulation of the insurance industry's
privacy practices should be left to
the states.
With regard to individual access to records, there
is agreement that third party claimants, i.e. those
who are neither policy holders nor beneficiaries, should
not have a right of access to insurance claims records
and that the identity of non-institutional sources
of information (for instance, a neighbor or associate)
need not be revealed where information was provided
on the condition of confidentiality and where the
information which they provide is not the sole or major
reason for an adverse decision. In addition, there
is agreement that a statutory provision governing
individual access to insurance records should include
a qualified privilege such that an individual would
have no right of action for defamation against a company
based on information obtained under this procedure,
except for false information furnished with malice
or willful intent to injure. Moreover, it is agreed
that the Fair Credit Reporting Act, which provides
the individual the right to know the "nature and substance"
of a consumer investigative report, be amended to allow
him to see and copy that record.
There is, however, opposition within the insurance
industry to the Commission's general recommendation
that individuals should have a statutory right to see
and copy their records. Although major elements of
the industry publicly support the policy of individual
access to insurance records, there are two areas of
contention. First, some base their support for the
Commission's recommendation on an assumption that the
recommendation would allow the information used in
making underwriting decisions to be excluded from the
records to which the individual is allowed access.
The Commission provided--although arguably not in explicit
language--that a right to see and copy insurance records
must include underwriting records, since they contain
most of the personal information of critical importance
to the decision of whether or not to insure an individual
and at what rate. For this reason, the question of
individual access to underwriting records is not raised
for separate decision, but rather subsumed explicitly
into the larger issue of individual access to records.
The second area of contention concerns individual access
to first-party claims records (records of claims made
by an individual to his own insurer). These questions
are raised for decision below.
2. Should an individual have a right to see and copy
the records about him maintained by an insurance
institution, including information used by an
insurer in making an underwriting decision?
Pro:
Individual access to records is a precondition
to several of the other basic elements of privacy
and central to ensuring compliance with many of
the Privacy Commission's recommendations in this
area. It enables the individual to check whether
the records contain information beyond the scope
of the prior collection notice and to challenge
the accuracy of information contained in the records.
Moreover, the information used by an insurance
company in making its underwriting decisions is
exactly the information of concern to the individual.
Without such access, the general right would be
rendered meaningless. Also, with a Federal statute
limiting the insurer's liability as a result of
disclosure, allowing the individual access to
records about him will not be costly in terms
of administrative procedures or litigation. This
is the Privacy Commission recommendation, and
is supported by the Commerce Department, the FTC,
OSTP, and the Special Assistant to the President
for Consumer Affairs.
Con:
Insurance industry opposition to the individual's
right to see and copy insurance records comes
primarily from property and casualty insurers
and focuses on the records used in their underwriting
decisions. They believe that these records represent
the subjective views and opinions of their professional
underwriters concerning the business judgement
of accepting a particular risk. In addition,
they regard these records as a work product, since
they are not disclosed outside the company. To
allow the individual direct access to these records
would, they assert, restrict the ability of the
underwriter to take all available information
into account in his decision.
Decision:
Yes, an individual should be able to
see and copy the records about him maintained
by an insurance institution, including
the records used in making underwriting
decisions.
No, an individual should have no such
right of access.
3. Should an individual's right to see and copy the
records maintained by an insurance institution
include first-party claims records?
Pro:
The Privacy Commission considered specifically
whether an individual should have a right to see
and copy first-party claims records, and recommended
that he should have access except for information
compiled in reasonable anticipation of a criminal
or civil action or for use in settling a claim
while the claim remains unsettled. The Department
of Commerce, the FTC, OSTP, and the Special Assistant
to the President for Consumer Affairs concur.
These records are not only important to the individual
with regard to a particular claim, but once the
claim is settled they can affect whether or not
he will be able to get insurance in the future
and at what rate. This is particularly true with
property and casualty insurance where a record
of prior claims is the most important factor in
making these decisions. Although these records
are generally available to the individual as a
result of civil procedure in the context of litigation,
the Commission believed that the individual should
be able to see and copy them, upon request, since
most cases do not go to litigation and claims
records may subsequently be used in underwriting.
However, to ensure that the settlement procedures
not be compromised, the Commission recommended
that access not be allowed until the claim is
settled.
Con:
Important elements of the insurance industry oppose
allowing an individual to see and copy first-party
claims records, even after the claim is settled,
because they believe that these records represent
an adversary relationship between the individual
and the company. They fear that forcing this
information to be disclosed will make insurers
reluctant in the future to settle a claim if the
records show that settlements are made with claimants
who may not be legally entitled to a settlement.
They argue that allowing the individual access
to a claims record after the claim is settled
will not prevent him from reopening the claim
based upon the information in the record. The
insurance industry believes that the individual
is already well protected in court regarding access
to these records.
Decision:
Yes, an individual should be able to
see and copy first-party claims records
maintained by an insurance institution.
No, an individual should not have a
statutory right to see and copy first-
party claims records, independent of
court action.
4. Should an individual's right of access to his
insurance records in the hands of an insurance
company or support organization include access
to information prepared by another institutional
source, e.g., a consumer investigative report
maintained by an insurance company?
Pro:
The Commission, the Department of Commerce, the
FTC, OSTP, and the Special Assistant to the President
for Consumer Affairs support this proposal. The
insurance company makes the decision to grant
insurance, and at what rate. Therefore, it is
the insurance company's records which are important
to the individual. As noted earlier, the Fair
Credit Reporting Act now allows the individual
to know the "nature and substance" of a consumer
investigative report, but does not require that
the insurance company itself make that disclosure.
In fact, most contracts between insurance companies
and consumer reporting agencies prohibit the insurance
company from disclosing the report to the consumer.
The individual has a market relationship only
with the insurance company. To require the individual
to seek out the institutional source will discourage
many people from exercising the right of access.
Finally, while the institutional source can explain
the information in the report, it cannot explain
the information's meaning to the insurer.
A number of major insurance companies support
this proposal. Others do not. The cost to the
industry would be slight, and the industry has
an interest in having accurate information available
to it.
Con:
Some insurance companies and the major consumer
reporting agencies oppose this proposal. They
argue that the consumer reporting agencies alone
are competent to discuss their reports' contents
with the individual. They claim that allowing
an insurance company to discuss a report with
the individual could lead to misunderstandings
and might inhibit the correction process (if the
report contains inaccurate information). Some
insurance companies claim that this proposal would
impose additional costs on them to train their
staff to discuss such reports with people.
Decision:
Yes, an individual's right of access
to his insurance records should include
access to information originating with
another institutional source.
No, information originating with another
institutional source should be excluded
from an individual's right of access
to his records in the hands of a recipient
record keeper.
5. Should there be a mechanism for the individual
challenge of information
collected or used by an insurer or insurance support
organization?
The Commission recommended that each State Insurance
Commissioner collect complaints concerning the relevance
and propriety of the information collected and used
by insurance institutions, and either promulgate rules
or recommend state legislation to proscribe the collection
of irrelevant or improper information. As an alternate
and not mutually exclusive approach, the Commission
suggested that the Federal Insurance Administrator
or other appropriate Federal entity could be given
the authority to compile reports from individual consumers
and from the states, and report to the Congress concerning
the need for legislation. It did not recommend, however,
that the Federal Insurance Administrator have the rule-
making authority urged for State Insurance Commissioners.
The decision as to the role of these government agencies
will be made below.
Pro:
The Commission, OSTP, the Special Assistant to
the President for Consumer Affairs, and the FTC
support this proposal. When they apply for insurance,
individuals may be frustrated by what they believe
to be overbroad and irrelevant or improper requests
for information. Generally, they do not have
the market power to prevent its collection; the
alternative is to forgo entirely the benefit of
insurance. A government agency, such as the office
of a State Insurance Commissioner, could consider
consumer complaints and take action or suggest
remedial legislation on a case-by-case basis.
Such a mechanism already exists in California,
where action has been taken to proscribe the collection
of "moral life-style" information for use in insurance
decisions.
Con:
The insurance and consumer reporting industries
uniformly and vehemently oppose this recommendation.
They believe that the marketplace discourages
the collection of irrelevant or improper information,
and that there is currently a trend in sections
of the insurance industry to collect less information.
Industry argues that most information is relevant
to some business purpose, and does not want government
interference in business decisions about what
information to collect. These same arguments
were used by these industries to remove general
relevancy requirements which had been included
in the original draft of the Fair Credit Reporting
Act.
The Department of Commerce also believes that
no such mechanisms should be created.
Decision:
Create a Federal governmental mechanism
(using the Federal Insurance Administrator
or other Federal entity), and urge the
states to create state governmental
mechanisms, for the individual to challenge
the relevance and propriety of information
collected and used by insurance institutions.
Urge the states to create governmental
mechanisms for the individual to challenge
the relevance and propriety of information
collected and used by insurance institutions.
No such mechanisms should be created.
6. Should Federal law require insurance institutions
to adopt reasonable procedures to ensure the accuracy
of the information they disclose about an individual?
For a general discussion of this issue see "Accuracy
of Records" in Section I.G.6 above.
Pro:
It is the position of the Special Assistant to
the President for Consumer Affairs, OSTP, and
the staff of the Federal Trade Commission that
a general "reasonable procedures" standard similar
to that contained in the Fair Credit Reporting
Act is a necessary component of any comprehensive
privacy policy in the insurance area.
The FTC staff believes, based on its enforcement
experience under the Fair Credit Reporting Act,
that there may be instances in which the specific
privacy rights and requirements proposed by the
Commission would not effectively prevent erroneous
information from circulating within the insurance
industry and from being used to make adverse decisions
about the individuals to whom it pertains. On
the other hand, a legal requirement that an insurer
take reasonable steps to ensure the accuracy of
its information might, for example, encourage
a reinvestigation of information, or perhaps prompt
the insurer to ask the applicant to explain or
document information before using it to make a
decision. While it is possible that the specific
procedural rights and requirements proposed by
the Commission could create an environment through
which this occurs automatically, the FTC staff
supports a separate Federal requirement of meeting
a general standard.
The FTC also believes that a general requirement
for accuracy would be preferable to the Commission's
approach of establishing procedural rights for
the individual and placing specific requirements
on flows of information within the insurance industry.
They argue that these requirements are inflexible,
and would not allow an insurance company, for
example, to institute alternative procedures which
might better achieve the objectives of accuracy,
or address problems developing in the future.
Placing a requirement on the record keeper concerning
the accuracy of the information it discloses would
also help to ensure greater accuracy for the infor-
mation an insurer collects, maintains and uses
to make decisions.
Finally, the FTC asserts that placing this requirement
on insurers would erase an often artificial distinction
which the Fair Credit Reporting Act currently
draws between consumer reporting agencies and
insurance institutions. The FCRA currently places
a "reasonable procedures" requirement on consumer
reporting agencies, while an insurer, which uses
the reports they produce or which may conduct
similar investigations itself, is not covered.
Con:
The Commission explicitly recommended that insurance
institutions not be required by statute to adopt
reasonable procedures to ensure the accuracy,
timeliness, and completeness of its records, but
rather adopt such practices voluntarily. The
Commission believed that the mix of specific in-
dividual rights and institutional obligations
it recommended will assure the kind of management
attention to record-keeping policy and practice
that achieves accuracy, timeliness, and completeness
and, moreover, that such rights and obligations
were sufficient to address this problem.
The proposal of a general standard is also strongly
opposed by the insurance industry, which fears
extensive government regulation of the information
used to make business decisions. Industry believes
that the marketplace is the best vehicle for establishing
the balance between the cost and the degree of
accuracy of recorded information. It is convinced
that the vagueness of a general standard would
lead to needless compliance costs, and the industry
would prefer the other specific procedural requirements
whose costs could be more easily anticipated.
The Department of Commerce also opposes such a
requirement.
Decision:
Yes, insurance institutions should be
required to adopt reasonable procedures
to ensure the accuracy of the information
they disclose about an individual.
No, there should be no such statutory
requirement.
F. Employment Records
Description of the Record Relationship
Employment records may be the most extensive category
of personal records maintained about individuals in
our society. Private employers require applicants
and employees to supply detailed information about
their lives, to submit to tests and examinations, and
to authorize the employer to acquire whatever records
it wants about them from other organizations. In addition,
as a result of providing various job benefits and services,
employers frequently maintain extensive medical and
insurance records on their employees. There is, moreover,
a growing trend among larger employers toward the computer-
ization of personnel files. Thus, these records may
be immediately available to different levels of management
and at various job sites around the world.
This trend toward more sophisticated and detailed record-
keeping is balanced, in part, by increasing tendencies
for private employers to allow employees access to
at least a portion of their records, and to extend
employees the opportunity to correct inaccuracies.
Employers are also more reluctant to disclose information
about their employees than before, although it is unclear
whether employers with these policies effectively limit
access by law enforcement and other government officials.
Current Law and Practice
The maintenance and enforcement of privacy protection
with respect to employment records presents special
problems. Except as covered by collective bargaining,
there is no general legal framework in the private
sector employment environment which could accommodate
the resolution of privacy questions, such as what records
are covered or whether the use of particular information
in an employment decision is improper or irrelevant.
It would, for example, be relatively simple for an
employer to terminate or fail to promote an employee
who complains that his privacy is being invaded, and
because of the multitude of factors involved in any
employment decision -- both business-related and personal
-- it would be difficult for the employee to prove
that such an action was retaliatory. In addition,
consistent regulation is difficult because of the vast
differences among employers with regard to size, type
of employees, benefits provided, centralization of
work place and record-keeping functions, nature of
promotion and other personnel programs, and degree
of unionization.
There are two large groups of employees to whom some
elements of a basic privacy policy now apply in law:
Federal government employees and private employees
covered by collective bargaining agreements. Both
have evolved from, and are enforced through, a system
of established due process, which stipulates that the
employee may be discharged only for just cause. Privacy
protections for Federal employees are also provided
by the Privacy Act of 1974, which gives the employee
access to his records even without his filing a griev-
ance or complaint with the Civil Service Commission.
The privacy rights gained by non-Federal employees
as a result of collective bargaining contracts are
more limited than those accorded Federal employees
and differ from contract to contract. When an employee
files a grievance, the union and the employee are
generally allowed access to the relevant employer records
for use in the proceeding. Knowing this, many employers
carefully limit the potentially sensitive information
in the personnel files of union employees. In addition,
three states have recently passed laws allowing employees
to see and copy their records. Over two-thirds of
all private sector employees, however, do not have
any of the above protections.
In addition, the Fair Credit Reporting Act allows employees
access to investigative reports and other types of
consumer reports prepared for employment decisions.
However, just as with consumer reports prepared for
insurers and credit grantors, this is a limited right
which does not apply where the employer conducts his
own investigation.
Areas of Agreement
There is agreement among the Privacy Commission, the
Department of Labor, and many private employers that
privacy protection in private sector employment should
include:
a) an employer's notice to his employees of
the collection and disclosure practices;
b) an opportunity for the individual to see
and copy the records maintained by his employer;
c) an opportunity for the individual to correct
and amend his records;
d) a limitation on disclosure to that contained
in the notice;
e) a prohibition on pretext interviews (an inter-
view in which an investigator: (1) pretends
to be someone he is not; (2) pretends to
represent someone he does not; or (3) mis-
represents the purpose of the interview);
and
f) that for the job-related records which an
employer maintains, the above principles
should be endorsed by the government but
made voluntary, not mandatory, on the part
of the employer.
Areas of Disagreement
There is a need for decision in the employment area
on the following two questions, which go beyond the
above noted areas of consensus and would implement
by statute some of these measures.
1. Should there be a Federal law granting employees
the right to see and copy the personal records
which their employer maintains about them?
Note: It is generally agreed that any law which grants
employees a right to see and copy the personal records
maintained about them by their employer must exclude
certain records from those to which the employee is
given a right of access. This memorandum does not
attempt to precisely distinguish those records which
the employee would not be allowed to see and copy;
however, such records might include: (1) industry
security and claims records; (2) records of supervisory
estimates of promotion potential, company promotion
planning, or plans for future assignments or salary
adjustments; and (3) records obtained from third parties
under a pledge of confidentiality.
Pro:
There is increasing interest in employee rights
issues, including privacy. The enactment of a
law granting employees the right to see and copy
records would be an important first step in this
direction, even though such a law, absent a right
to challenge the accuracy of records and a strong
enforcement mechanism, may not create an enforceable
right for all employees in every situation. Where
the employees are union members, this right would
enable them to see records outside of the griev-
ance process. If the records were incorrect or
improper, then this itself might become the subject
of a grievance proceeding.
A few states have enacted laws granting employees
these rights, although they do not provide for
consistent procedures and penalties. For large
corporations, operating in many states, prolifera-
tion of such laws could create substantial admin-
istrative problems. A Federal law with uniform
procedures and penalties would be more efficient
and effective.
OSTP and the staff of the FTC support this option.
Con:
Many employers are already moving voluntarily
to provide employees with an opportunity to see
and even correct their records. In addition,
the Commission recommended voluntary implementa-
tion in employment because it believed that,
absent a strong enforcement mechanism, employees
would be unable to assert their rights without
fear of retaliation, subtle or direct, by employers.
The right to see and copy records, by itself,
without a right to challenge their accuracy and
a strong enforcement mechanism, is a mere shadow
of a right; and, to give employees the power to
effectively enforce such a right would fundamentally
change the nature of the employment relationship
in this country (as discussed more fully in the
Con to the next question for decision).
The Commission found that the two existing state
statutes are not frequently used by employees,
and their enforcement has been virtually non-existent.
Furthermore, the activity to date at the state
level (three states now have some variety of "see
and copy" laws) does not indicate a sufficient
trend to justify a Federal statute. The Departments
of Labor and Commerce support this position.
Decision:
Yes, there should be a Federal law granting
employees the right to see and copy
the personnel records their employer
maintains about them.
No, employee access to employment records
should be sought through voluntary action
on the part of employers.
2. Should there be a legally enforceable expectation
of confidentiality (as defined in Section I.G.7)
for employment records?
Pro:
Employment records are frequently the first place
to which investigators and other outside parties
go when seeking information about an individual.
Under current law, employers can disclose as they
please. This problem of privacy protection in
the employment context is more amenable than any
other to individual enforcement through court
action. Requests for information and disclosures
by employers can be documented. It would therefore
be relatively easy for an employee to substantiate
improper disclosure. Moreover, under ordinary
circumstances many employers already release information
from employee files only at the request of the
employee or pursuant to a legal requirement.
It would therefore not impede their existing business
arrangements in any significant way.
Classifying a record as one in which an
individual has an expectation of confidentiality
generally restricts government access to that
record to instances where process is used, notice
is given and an opportunity to challenge is had.
In the Department of Justice's view, only those
records which reveal details of an individual's
life to the degree warranting such restrictions
(e.g., financial records, medical records) should
be included. The Department of Justice believes
that employment records, if carefully defined,
may be included in this group. OSTP and the staff
of the Federal Reserve Board also support this
option.
Con:
Most disclosures of personal information made
by employers are at the direct request of, and
in the interests of, their employees, usually
for such purposes as obtaining credit, a lease,
or subsequent employment with another organization.
If an enforceable expectation of confidentiality
is created for these records, employers will have
to develop systems of accountability so that dis-
closures are made only with the specific authorization
of the employee, and they will be liable for improper
disclosures. Given the cost of both of these
factors, employers might not be inclined to disclose
information about their employees to others, even
at the specific request of the employee.
In addition, even if an employee were to win a
law suit against an employer for improper disclosure,
it would be difficult to protect him from the
more subtle forms of employer retaliation, such
as failing to promote him or giving him undesirable
work assignments. Indeed, it might even be impos-
sible to protect such an employee from termination.
Furthermore, if a provision were added prohibiting
employer retaliation, there is still the question
of how long the employer would be required to
retain an employee who has sued him before he
would not have to show that a dismissal was non-
retaliatory. A heavy burden would be placed
on a private employer to establish the legitimacy
of its decision to fire an employee, in effect
giving employees who sue a presumptive right to
a particular job. There is also a question of
who would evaluate such a showing by the employer
and what standards they would use.
Finally, the tremendous diversity in the sorts
of business carried on by private employers is
reflected in an equal diversity of information
disclosure needs and practices. Currently, a
great deal of information about employees flows
informally to ensure the propriety of employee
conduct or to verify background information in
hiring or promoting to sensitive positions. It
can be argued that no sweeping prohibitions on
employer disclosures should be established unless
and until the pattern of flows in different busi-
nesses is understood and provisions are made to
accommodate those which are proper.
The Department of Commerce and the Civil Service
Commission support this option.
Decision:
Yes, there should be a legally enforceable
expectation of confidentiality for employment
records.
No, employers should limit their disclosures
of information on employees through
voluntary action.
3. Should the Department of Labor develop a voluntary
code of conduct for those privacy measures recommended
for voluntary adoption in employment, and monitor
compliance with that code?
Pro:
The Privacy Commission found that most employers
were almost totally unaware of privacy issues
until quite recently. It can be argued, therefore,
that they are ill-equipped to design new record-
keeping policies and practices without outside,
expert guidance. Centralization of this effort
in the Department of Labor will ensure consistency
and will enable the government department most
concerned with the problems of the work force
to exert its influence on employers. This channel
has been used before, and, according to the Department
of Labor, employers have responded affirmatively.
A government monitoring effort would further encourage
employers to follow through on voluntary compliance.
The Department of Commerce, OSTP, the Special
Assistant to the President for Consumer Affairs,
and the staff of the Federal Reserve Board support
the development of a voluntary code.
Con:
Although employers have only recently become active
on privacy issues, large private sector corporations
have been responding affirmatively since the Commission
issued its report. A voluntary code developed
by the Department of Labor is not needed at this
time.
Decision:
Yes, the Department of Labor should
develop a voluntary privacy code for
employers and monitor their compliance.
Yes, the Department of Labor should
develop a voluntary privacy code for
employers, but should not monitor their
compliance.
No, the Department of Labor should not
develop such a code.
G. Medical Records
Description of the Record Relationship
Patients expect doctors to question them closely about
all aspects of life in order to make a correct diagnosis
and to prescribe the proper course of treatment. Thus,
in the medical-care context, questions about the relevance
and propriety of the information gathered are rarely
raised. Rather, privacy concerns focus upon the patient's
access to his own medical record, his ability to challenge
its accuracy, and the confidentiality with which it
is held.
Today medical-record information is frequently disclosed
to institutions other than medical-care providers for
use in many non-medical decisions. Often an individual's
job or ability to collect on an insurance policy depends
on medical-record information being available to the
decision-maker. Yet, it is rare for the individual
himself to have access to his medical records or to
information gleaned from them. One reason is the general
reluctance of medical-care professionals to share these
records, and another reason is that, legally, medical
records belong to the medical-care provider.
Current Law
Historically, a patient's expectation that information
given a doctor will be kept in confidence has been
founded on the doctor's adherence to the Hippocratic
Oath. In practice, society frequently requires doctors
to depart from their oath.
Although 19 states have laws which in some way recognize
the confidentiality of medical records, and a doctor
can lose his license to practice in 21 states for revealing
patient information, few courts allow a patient to
sue his doctor for disclosing information about him
without his permission. Case law permits doctors almost
unlimited discretion in deciding what disclosures to
make of patient information.
Areas of Agreement
The Commission, the responding agencies, and the medical
community agree that a Federal law to establish privacy
protections for medical records is needed. Such protections
would include:
a) the right for an individual to have
direct access to the medical records
about him (i.e., to see and copy those
records), except when the medical pro-
fessional responsible for the record
believes direct access to it might harm
the patient, in which case access should
be permitted through a designated inter-
mediary;1/
b) the right for an individual to challenge
the accuracy of his medical records;
c) a legally enforceable expectation of
confidentiality (as defined in Section
I.G.7); and
d) authorizing the Secretary of HEW to
issue implementing regulations, and
encouraging the states to adopt similar
legislation governing medical record
keepers not subject to Federal law.
Issue for Decision
The Department of Health, Education, and Welfare has
drafted legislation implementing the above principles
of privacy protection for medical records, and this
proposed legislation has been circulated for agency
comment through OMB's legislative clearance process.
Agencies that have not received copies should contact
OMB. Any agency concerns may be resolved through the
OMB process, or, if necessary, should be raised for
inclusion in this Presidential Review Process.
1/ The Department of the Treasury does not believe
that individuals should have a right of access
to psychiatric records held by Federal agencies
such as the Secret Service.
H. Education Records
Description of the Record Relationship
Student life produces many records. There are teacher
evaluations of academic ability, academic accomplishment,
and social adjustment. Applying to private schools
and universities largely is a paper process. With
regard to the records of educational institutions,
most of the protections discussed earlier as basic
elements of a privacy policy now are provided by law.
Current Law
The Family Education Rights and Privacy Act of 1974
(FERPA) gives students over 18 and parents of minor
students the rights to have access to their records
and to challenge the accuracy of their records. FERPA
also contains stringent protections for the confiden-
tiality of student records.
Areas of Agreement
The Commission and most responding agencies agree
that, beyond the current provisions of FERPA, there
is a need for:
a) greater student involvement in developing
privacy policies to comply with FERPA, and
greater community involvement in the case
of public school systems;
b) an explicit statutory right of action for
the individual against any educational insti-
tution which fails to comply with FERPA to
the detriment of a student or parent; and
c) the educational agency or institution to
be able to disclose information to law enforce-
ment officials without the consent of the
student or parent where the disclosure of
that information is necessary to an authorized
investigation of ongoing violations of law
which threaten the welfare of the educational
institution or agency or its students or
faculty.
The Department of Commerce thinks that amendment
of FERPA should be deferred.
Areas of Disagreement
1. Should FERPA be extended to cover applicants for
admission to schools and colleges and to educa-
tional testing and data-assembly services?
Pro:
The Family Education Rights and Privacy Act now
applies only after an applicant is admitted to
an educational institution, and at this time he
becomes entitled to see his admissions file.
However, unsuccessful applicants for admission
are not entitled under FERPA to see the records
used in the admission process. In addition, the
records of organizations like the Educational
Testing Service which administer standardized
tests (e.g., the Scholastic Aptitude Tests used
for admissions to most American colleges and
universities) to thousands of students and assemble
academic data about applicants for admission to
colleges and universities are not covered by FERPA.
The Commission recommended that these exceptions
be eliminated. OSTP supports this position.
The Commission did not intend to lay bare the
admissions process, and did not believe its recommen-
dations would do so. Rather, the recommendations
aim at ensuring that applicants may see and copy
these records to ensure that they are judged on
the basis of information that is accurate, complete,
relevant, and timely.
Con:
DHEW and the university community oppose this
recommendation on the basis that it would be costly
and administratively burdensome. They do not
feel that there has been a sufficient demonstration
of need for this extension of FERPA. Since applicants
may come from across the country, institutions
fear the administrative cost of verifying the
identity of the requester and copying and mailing
the records. In addition, in most cases, the
number of applicants greatly exceeds the number
of places available, and decisions are often comparative
and most subjective. Therefore, allowing access
will be of little use to the applicant who had
not been admitted, particularly since it is un-
likely that the institution can reconsider its
decision if it proves to have been based on in-
accurate information. The Department of Commerce
believes that any amendment of FERPA should be
deferred at this time.
Decision:
Yes, extend FERPA to cover applicants
for admission, and educational testing
and data-assembly services.
No, do not extend FERPA to applicants
for admission, and educational testing
and data-assembly services.
2. Should FERPA be amended to provide that the student
or his parent may not waive his right to see and
copy letters of recommendation?
Pro:
FERPA currently permits students and parents to
waive any of the rights it grants. The Commission
was concerned that students have been coerced
into waiving their right of access to letters
of recommendation in response to institutional
"requests" for waivers. The Commission also
developed evidence that educational institutions
tend to discount letters of recommendation about
students who have not waived their right to see
these letters, even though the institution may
not know whether the student has actually seen
the letters. Finally, without access, a student
cannot ensure that information about him supplied
by others is correct.
As to the teacher's concerns, the Commission be-
lieved that making candid professional evaluations
is part of his professional responsibility. A
teacher who makes student evaluations without
malice and as part of his official duties is not
susceptible to a defamation suit nor, in the Commission's
opinion, to any significant threat of physical
reprisal from irate students.
Con:
According to DHEW and many students who have dealt
with DHEW's FERPA staff, teachers have refused
to provide letters of recommendation without
assurances of confidentiality. Many educators
regard letters of recommendation as private communi-
cation and thus view keeping them confidential
as a professional prerogative. Many educational
institutions fear that openness would make letters
less candid, and therefore of significantly less
value in the admissions process. Moreover, since
the student asks the teacher for a recommendation,
they argue that the student should be able to
waive his right to see it. DHEW and OSTP support
this position, and the Department of Commerce
believes that any amendment of FERPA should be
deferred at this time.
Decision:
Yes, FERPA should be amended to provide
that the student or his parent may not
waive his right to see and copy letters
of recommendation.
No, FERPA should not be so amended.
3. Should Federal law (FERPA) be amended to require
educational institutions to adopt reasonable procedures
to ensure the accuracy of the records they collect
and maintain?
For a general discussion of this issue see "Accuracy
of Records" in Section I.G.6 above.
Pro:
The Commission recommended this requirement because
it believed that levying responsibility for the
content and quality of records on educational
institutions would reduce the collection and main-
tenance of erroneous, incomplete, or misleading
information. The Commission found evidence that
the accuracy and completeness of records is a
significant problem for educational institutions,
especially elementary and secondary schools.
While it recognized a lack of consensus about
the need for these standards and what the standards
should be, the Commission believed that they are
necessary for "effective educational service delivery
and protection of the individual." The Commission
believed that the law should establish minimum
requirements in this area. The Special Assistant
to the President for Consumer Affairs supports
this option.
Con:
DHEW opposes the Commission recommendation. It
believes that establishment of such procedures
should be left to states and localities, many
of which already have standards for the content
and accuracy of education records. HEW argues
that it would be difficult to enforce compliance
with a Federal requirement without allocation
of substantial additional resources. However,
if abuses occur in the future indicating the need
for additional safeguards, DHEW believes that
new requirements can be established through regu-
lation under the FERPA as currently enacted.
The Department of Commerce believes that amendment
of FERPA should be deferred.
Decision:
Yes, FERPA should be amended to require
educational institutions to adopt reason-
able procedures to ensure the accuracy,
timeliness, and completeness of the
records they collect and maintain.
No.
I. Public Assistance and Social Service Records
Description of the Record Relationship
Public assistance and social services involve relation-
ships between individuals and state and local governments.
Included are programs which provide cash and in-kind
benefits to people on the basis of financial need.
While most of these programs receive substantial Federal
financial support, state and local government agencies
are responsible for their administration.
The Commission found that administration of the "welfare
system" depends heavily upon the collection and use
of personal information. Those seeking assistance
generally must disclose sensitive personal information
in applying for aid, and they must submit to what can
be an extensive verification process. The relationship
between the applicant and program administrator is
invariably documented in record form. In view of the
sensitive nature of the information contained in public
assistance and social service records and the need
to use that information in making decisions about particular
people and about general program funding and priorities,
concern for the confidentiality accorded such records
presents special problems.
Current Law and Practice
No overall policy exists with regard to the information
practices of public assistance and social service agencies.
The Federal government has not required programs receiving
Federal funds to adopt the principles of privacy protection
in their record-keeping systems. Nor have state and
local governments acted independently. In most cases,
there are neither guidelines for the accuracy, complete-
ness, relevance, and timeliness of records, nor procedures
whereby an individual can challenge the accuracy of
records. In some cases, there are no record-keeping
requirements at all.
Areas of Agreement
The Commission and most responding agencies agree 1/
that privacy protection for public assistance and social
service records should include:
a) a requirement that applicants be notified
of public assistance and social service programs'
collection and disclosure practices, and
that the notice be followed;
b) the right for an individual to have access
to his records, except for:
i) records being used in an ongoing investiga-
tion of suspected violations of law
by the individual;
ii) medical information, in certain situations
as defined in Section II.G, above; and
iii) the identity of sources of information
who request confidentiality, and then
only when the source's information is
not the sole basis for an adverse decision;
c) the right of an individual to challenge the
accuracy of his records; and
d) a legally enforceable expectation of confidentiality
(as defined in Section I.G.7).
1/ The Department of Commerce believes that action
affecting public assistance and social service
records should be deferred.
Areas of Disagreement
1. Should an applicant for public assistance and
social service programs be able to prevent an
agency from obtaining and using information from
sources other than himself (i.e., a collateral
source) without his consent by requiring the agency
to notify him any time it desires to contact a
collateral source and allowing him to withdraw
his application if he does not want the source
to be contacted?
Pro:
Except in a very few states, applicants for, and
recipients of, public assistance and social services
now have no control over the sources contacted
by agencies to verify information. The Commission
firmly believed that it was desirable and necessary
that agencies be permitted to contact collateral
sources only with an individual's consent. Individuals
have reason to fear the loss of employment and
residence if certain people (e.g., employers and
landlords) learn that they have applied for,
or are receiving, public assistance or social
services. Even people who do not fear adverse
consequences may simply not wish certain people
to know of their involvement with public assistance
and social service programs.
The Commission recommended that individuals be
able to prevent an agency from contacting a col-
lateral source to which they objected by withdrawing
their application, except when the individual
was suspected of violating a law in connection
with a public assistance or social service program.
The Commission believed that Oregon and Tennessee's
experience with such provisions indicates they
can be implemented without significant cost or
difficulty. This position has the support of
DHEW and the Department of Labor.
Con:
Opposition to the proposal centers on three arguments.
First, that "everybody knows who's on welfare,"
so that the protection would be meaningless in
that respect. Second, since the client who needs
the assistance can ill afford to forego the benefits,
his choice is hollow. Finally, the Commission's
recommendation is said to be cumbersome, time-
consuming, and expensive. Since the individual
is to be given veto rights as to each collateral
source, he must be notified whenever the agency
wants to make such a contact. Moreover, there
is some fear that he might contact the collateral
source first in order to try to influence that
source to provide information favorable to him.
OSTP and the Department of Housing and Urban
Development endorse this view, as does the Department
of Commerce which believes that any such action
affecting these records should be deferred.
Decision:
Yes, an applicant should be able to
prevent an agency from contacting collateral
sources without his consent by withdrawing
his application.
No, an applicant should not be able
to prevent an agency from contacting
collateral sources.
2. Should privacy protections in the area of public
assistance and social service programs be implemented
by a Federal law setting forth general standards
and requiring states to enact specific legislation
within two legislative sessions? (The alternative
is for those protections to be embodied in Federal
law and required of states as a condition of receiving
Federal funds.)
Option 1: General Federal standards; specific state
action
There is general agreement that privacy protections
should be basically uniform. However, considerable
disagreement exists as to how such uniformity
should be achieved.
The Commission argued that each state should be
able to decide its specific requirements within
the context of general Federal standards. In
the past, Federal agencies have not exercised
strong oversight of state record-keeping practices,
even where the requirements were clear. Some
Federal agencies lack the resources to monitor
state practices adequately. It is also believed
that state laws would be more effective because
the states could shape the requirements to fit
local conditions and would have a greater stake
in enforcing their own laws. Also, only state
laws could cover programs not receiving Federal
funds.
Option 2: Specific Federal standards as condition
of funding
DHEW, HUD, and OSTP oppose the Commission's proposal,
and support making Federal standards a condition
of funding. First, the Commission proposal marks
a departure from the Federal government's traditional
approach of ensuring the protection of individuals
by the states, as with the civil rights laws.
Second, the Commission's approach is thought to
be cumbersome and possibly productive of divergent
practices from state to state. Third, the Commission's
proposal ignores the Federal government's responsibility
to itself ensure the proper expenditures of Federal
funds. The Department of Commerce, in contrast
to these views, believes that no requirements should
be imposed at this time.
Decision:
Adopt the Commission proposal of general
Federal standards and required specific
state legislation.
Adopt the DHEW proposal of specific
Federal requirements being a condition
of receiving Federal funds.
Take no action.
3. Should Federal law require states to provide by
statute that public assistance and social service
agencies must have reasonable procedures to ensure
the accuracy, timeliness, completeness, and relevance
of the records they maintain and disclose?
For a general discussion of this issue see "Propriety
and Relevance of Information Collected" in Section
I.G.2 and "Accuracy, Timeliness, and Completeness"
in Section I.G.6. above.
Pro:
This is the Commission recommendation, and is
supported by the Department of Labor, OSTP, and
the Special Assistant to the President for Consumer
Affairs. The Commission believed that public
assistance and social service agencies, unlike
private sector record keepers, do not have an
obvious interest in assuring the accuracy, timeliness,
completeness, and relevance of their records,
and currently are not required to do so by Federal
law. Such a requirement would encourage these
record keepers, for example, to reinvestigate
third-party source information before relying
on it to make a judgment, and might prompt agencies
to ask the client to explain document information
that may be inaccurate before incorporating it
in the file. The Commission believed that such
an incentive is appropriate given the subjective
nature of the information collected and maintained
by these agencies, and the fact that not all personnel
employed by these agencies have adequate professional
training to properly evaluate its usefulness.
Finally, because these are public agencies, such
a requirement would not involve costly regulation
and litigation, as it might in the private sector.
Finally, the Commission recommended that social
service and public assistance agencies adopt reasonable
procedures to ensure relevance, as well as accuracy,
timeliness, and completeness. It did so here
and not in the private sector areas because it
believed that, as government agencies, these record
keepers should be subject to the same requirements
as the Federal government which, under the Privacy
Act, may maintain only information which is "relevant
and necessary" to accomplish a purpose of the
agency. The Commission did not believe that this
would entail unnecessary regulation by the Federal
government.
Con:
The Department of Health, Education, and Welfare
strongly supports the objective of the Commission's
recommendation, but believes it inappropriate
for the Federal government to legislate on the
subject. Several agencies also suggest that there
is no demonstrated need to mandate these procedures
by statute, and that it might be intrusive for
the Federal government to require such procedures
of State institutions. There is also a concern
that such a statute would be impossible for the
Federal government to enforce. The Department
of Commerce and the Veterans Administration think
that no such Federal law should be imposed at
this time.
Decision:
Yes, Federal law should require states
to provide by statute that public assistance
and social service agencies must have
reasonable procedures to ensure the
accuracy, timeliness, completeness,
and relevance of the records they maintain
and disclose.
No.
J. Telephone Toll Records
Description of Records
Telephone conversations between private persons are
confidential, absent the consent of one party for a
third party to overhear or monitor the conversation.
Under present law, severe restrictions control the
monitoring of such communications. If improperly gathered,
the records of unauthorized telephone monitoring will
be excluded as evidence in a court of law and could
become the basis for a criminal action against the
collector.
There is, however, a by-product of telephone communications
which may reveal significant information about an individual
and for which no such restrictions apply. This by-product
is the telephone toll record--the record indexed
by the name or number of the individual listing all
toll calls (local or long distance) made by him and
the telephone number to which he spoke. The Commission
recommended that there be an expectation of confidentiality
for these records.
Current Law and Practice
The American Telephone and Telegraph Company, which
maintains most of the telephone toll records created
in the United States, now refuses to disclose toll
records unless presented with a subpoena or other legal
order. However, when presented with a subpoena or
legal order compelling disclosure, a telephone company
is currently under no legal requirement to notify the
individual prior to releasing the records, or even
to indicate afterwards that this has occurred. Moreover,
subpoenas will often be issued in ex parte proceedings,
and the individual has no legal interest to assert
against the government's claimed need for access to
this information about him.
Issue for Decision
1. Should the individual have an expectation of con-
fidentiality (as defined in Section I.G.7) for
telephone toll records?
Pro:
The Commission recommended that there be an expectation
of confidentiality for these records because it
believed that the mere fact of communication between
two parties may be as revealing as the content
of the communication. While, in practice, these
records are not made available to outside parties
without a subpoena or legal order, the Commission's
position was that the individual currently is
not afforded adequate protection when such a legal
request is made. Without the full provisions
of the expectation of confidentiality, the individual
is not given prior notice of the request and standing
and legal interest to challenge the disclosure
in a court of law. Finally, government is already
required to obtain a search warrant in order to
monitor telephone conversations and obtain the
content of such communications, and the Commission
saw no compelling reasons not to extend this requirement
to the record of whom the conversation was between.
The Department of Commerce and OSTP support this
position.
Con:
The Civil Service Commission, the Departments
of Justice and Treasury, and other law enforcement
agencies oppose this recommendation. They argue
that the scope of the privacy interest in telephone
toll records is considerably less than in other
records covered by an expectation of confidentiality.
While a rather detailed picture of an individual's
life can be obtained, for example, from bank records
showing where, and often, for what purpose money
was spent, toll records contain far less intimate
information. By definition, toll records generally
indicate only a relatively limited quantity of
long-distance numbers dialed from a telephone;
they do not indicate local calls, which are far
more numerous and revealing of a person's life.
Even where a number is recorded, moreover, there
is no indication of who actually received the
call, and of course no information is recorded
as to the substance of the conversation. Warrants
are required for actual monitoring of telephone
conversations precisely because wiretapping does
invade the privacy of conversations themselves,
but that is a far greater intrusion than learning
after the fact what number was called. Thus the wiretapping
analogy is inappropriate.
Imposition of an expectation of confidentiality
will create procedural requirements for obtaining
toll records that will delay investigations, particularly
of white-collar and organized crime offenses.
In view of the limited privacy interest in such
records, this burden on law enforcement is not
justified.
Decision:
Yes, an expectation of confidentiality
should be created for telephone toll
records.
No, an expectation of confidentiality
should not be created for telephone
toll records.
III. Government Access to Personal Records Held by
Third Parties
Issues
Part II of this memorandum presented decisions concerning
the expectation of confidentiality that an individual
may have in connection with records maintained by certain
private sector record keepers (e.g., credit grantors,
banks, medical care providers, insurance institutions,
and employers), and in telephone toll records. The
primary issues presented in this section are: (1)
what should be the scope and nature of the process
used by government to obtain records where it has been
decided that an individual should have a legally enforce-
able expectation of confidentiality; and, (2) where
an individual does not have such an expectation, to
what extent should there be procedural requirements
on government collection of records from other govern-
mental record keepers and from private sector institutions.
Government has unique powers to collect and use infor-
mation, powers which are ordinarily used quite legitimate-
ly, but which can also be employed to coerce individuals.
As a result, our legal system has traditionally incor-
porated safeguards to balance the powers of the state
with necessary protections for the individual. As
discussed in the introduction, however, concern over
the effectiveness of the traditional safeguards has
emerged because of an important, though gradual, change
in record-keeping patterns. Today, sensitive personal
information that historically would have been held
in the individual's exclusive custody is maintained
by third-party record keepers, such as credit-card
issuers or banks, who require this information in order
to provide vital services. This change in record-keeping
patterns has outflanked traditional legal protections,
such as the Fourth Amendment to the Constitution, and
permits government agencies to collect personal information
through informal, unrecorded requests that leave the
individual without knowledge of, or control over, the
access process.
Current Law and Practice
At present, a private sector record keeper, such as
a bank or credit-card issuer, may comply with a govern-
ment request for access to personal information as
it pleases, without regard for the wishes or expectations
of confidentiality of the individual to whom the record
pertains. Most third-party record keepers generally
comply voluntarily with government requests. In addition,
this process of informal access is the usual means
by which government investigators collect the information
they need. This is not the case, though, in California
where private sector record keepers operate under a
state constitutional requirement that creates what
amounts to an expectation of confidentiality in personal
information held by certain third parties.
For the rest of the nation, however, prevailing law
is most clearly expressed in the Supreme Court's decision
in United States v. Miller, 425 U.S. 435 (1976). In
that decision, the Court explicitly stated that customer
account records in a bank are not the private papers
of the customer and that the individual has no legal
interest in protecting the confidentiality of those
records, including no ability to raise Fourth and Fifth
Amendment objections when the government seeks access
to the records. The Court reasoned that an individual
has neither ownership nor possession of such records;
the records are simply the "business records of the bank."
While the Financial Privacy Act of 1978 essentially
addresses this problem by establishing a legal interest
for the individual in his bank records, no similar
protections exist for other categories of records maintained
by third-party record keepers, including credit grantors,
insurers, medical-care providers and telephone service
companies.
The crucial element in this legal formulation is that
an individual lacking a "proprietary interest" in records
maintained by a third-party is without a legal basis
upon which to challenge government access to those
records. In other words, current law does not establish
a duty of confidentiality on the third-party record
keeper. Without creation of such a duty, even if the
record keeper notified the individual and the individual
had standing in court to challenge the government's
action, the only interest that he could raise would
concern at most technical and procedural challenge
rights, and thus would provide little effective protection.
Finally, in addition to using informal modes of access
and the constitutionally delimited process of the search
warrant, the Federal government obtains records and
written information through the use of three basic
forms of compulsory legal process: administrative
summons, grand jury subpoena, and judicial subpoena
in the course of litigation. A subpoena or summons
is simply a form which a government agency or attorney
fills in to show who is commanded to appear, with what
document or testimony, and when and where he should
appear. An agency must have explicit legislative authority
to issue an administrative summons and the form is
prepared by an official of the agency involved. For
a judicial or grand jury subpoena, the blank form is
obtained from the clerk of a district court and is
subject to court supervision, if challenged by the
record holder.
Agency Participation
One of the task groups created, as part of this review
process, specifically addressed the Commission's govern-
ment access recommendations. The agencies represented
were: Department of Justice, Department of the Treasury,
Department of Defense, Department of Health, Education
and Welfare, Department of Labor, Central Intelligence
Agency, Federal Reserve System, Civil Service Commission,
Veterans Administration, General Services Administration,
Federal Communications Commission, and Federal Home
Loan Bank Board.
The scope of responses received from these agencies
ranged from complete rejection of the Privacy Commission's
recommendations to limited acceptance of them. No
agency fully accepted all of the recommendations.
The Justice Department, as the result of the work of
an internal task group, developed a detailed alternative
proposal which adopted the fundamental principles presented
by the Privacy Commission, while attempting to reduce
some of the difficulties which it believed the Commission's
specific recommendations would create for law enforcement
and other government functions. The Department of
the Treasury joined in the Justice position, and this
alternative was presented by the two Departments to
the House Banking Committee in preparation for its
mark-up of H.R. 13088 on July 11, 1978. The Committee
reported out a bill, H.R. 13471, incorporating the
Justice proposal with some modifications. There developed,
however, extensive Congressional opposition to the
bill, both from those concerned that the bill did not
sufficiently protect individual privacy, and from those
fearing that certain of the bill's provisions would
adversely affect law enforcement. There were also
serious executive branch reservations: the Department
of Commerce favored stronger privacy protections, and
a variety of lending and loan guarantee agencies were
concerned that the bill's policies did not take account
of their concerns.
As a result of extensive discussions, both within the
executive branch and between Federal agencies and the
members and staff of the appropriate Congressional
committees, a new policy position was developed and
adopted in the form of floor amendments to H.R. 13471,
and which was endorsed by the Departments of Justice,
Treasury, and Commerce and by the loan agencies. This
policy is referred to in the remainder of this Chapter
as the "Combined Agencies" proposal. References to
agency positions (other than the Combined Agencies
position) are to positions expressed in the Report
of the "Privacy Study Task Groups #2," March 21, 1978.
This memorandum, and the agency task group review that
led to it, focuses on records maintained by several
types of private sector record keepers and by state
and local governments. The Departments of Justice
and Treasury have presented a detailed position on
government access policy which, however, is limited
to bank records. For the purpose of this discussion
the positions of Justice and the Treasury, to the extent
applicable, are treated as if they applied to all records
discussed. Treasury would prefer to gain experience
with the procedures it advocates for bank records,
before extending these procedures to other records.
In addition, some independent regulatory agencies,
such as the Securities and Exchange Commission, object
to the application of any of these requirements to
them and are seeking total legislative exemptions.
This process has identified areas of agreement as well
as disagreement among agency positions. This section
first sketches the areas of agreement and then presents
those areas of important disagreement where decisions
are necessary.
Areas of Agreement
There is general agreement throughout government that
new legal protections for personal privacy need to
be established when government seeks records about
individuals held by certain private sector record keepers.
Specific agreement exists as follows about what some
of the elements of such protection should be.
1. Notice to an Individual of Government Access to
His Records
The Privacy Commission and, with the exception of the
Civil Service Commission (which objects because it
would like personnel investigations excepted from the
notice requirements), the executive agencies, including
the Departments of Justice and the Treasury, agree
that certain private sector record keepers should not
be permitted to disclose personal information to the
government except through some form of legal process,
though the executive agencies feel that the process
need not be compulsory (see issue 1 below). All parties
agree that the interests of the individual citizen
should be balanced against government's need for the
information before disclosure; ordinarily, records
could be disclosed only if the subject were given notice
of a government access request and an opportunity to
challenge the potential disclosure in court.
Presumably, the records to be covered by this requirement
would be all those in which an expectation of confidentiality
has been adopted in Part II, but there has been no
specific agreement so far on records other than bank
records.
There is also agreement among the agencies that some
exceptions to the notice requirement should be made
(though disagreement exists over what the specific
exceptions should be). All parties are agreed that
implementation of these recommendations, to whatever
degree, would require reform of the existing notice
and challenge procedures relating to the use of compulsory
process.
2. Protections Would Only Apply When the Individual
to Whom the Records Pertain is the Subject of
an Investigation
The Commission and the agencies agree that the proposed
governmental access recommendations should apply only
if the personal information being sought pertains to
an individual who is the subject of, or likely to become
publicly implicated in, the investigation for which
the access request was being made. The recommendations
would not apply if the record keeper is the subject
of an investigation in which individual records are
needed to prove the case against the record keeper.
Consequently, many requests for access to personal
information made to private sector record keepers by
supervisory and regulatory agencies, and some requests
by law enforcement agencies, would not be covered by
the proposed access limitations. Thus, the provisions
would not apply if an agency sought all of the records
of a company to determine if the company, and not individual
customers, had violated the law.
The Combined Agencies proposal offers two further safeguards
to protect the interests of individuals whose records
are sought for such a purpose. First, the agency would
be required to give the record keeper a sworn statement
attesting to compliance with the provisions of the
government access statute. Second, when personal records
were obtained pursuant to such a sworn statement, the
records could not be transferred to other government
agencies for prosecution or used against an individual;
the second agency could be notified that a violation
might exist but could only obtain the records by giving
the individual notice and an opportunity to contest
the second agency's access.
3. Protections Only for Natural Persons
Because of the terms of its mandate, the Privacy Commission's
recommendations apply only to natural persons. Partnerships,
corporations, and other business entities, even if
composed of only one or two individuals, are not covered.
The limitations of the Commission's mandate notwithstanding,
the executive agencies agree that the recommendations
should apply only to natural persons. (Some disagreement
with this position has been expressed in Congress,
some Members believing that an individual should not
be deemed to have given up his rights simply because
of his participation in a business entity.)
4. Exclusion of Search Warrants
The Privacy Commission excluded search warrants from
its proposed access limitations. The Commission observed
that search warrants can be obtained only after an
ex parte hearing at which evidence is presented to
a neutral magistrate sufficient to meet the Fourth
Amendment's "probable cause" requirements. In addition,
search warrants are most frequently used to collect
information directly from an individual and do not
ordinarily involve the record-keeping relationship
issues which this memorandum addresses. However, the
Commission urged that further study be given to the
question of what papers may be seized with a search
warrant.
This call for action was recently echoed by the press
and some Members of the Congress in the wake of the
Supreme Court's decision in Zurcher v. Stanford Daily
(46 U.S.L.W. 4546, May 31, 1978), which upheld the
use of a search warrant to seize evidence held by a
newspaper which was not itself accused of any crime.
In light of Zurcher, the Administration is evaluating
the desirability of strengthening the protections on
the use of search warrants. This issue is not being
treated as part of this review process.
Areas of Disagreement
The disagreements between the Privacy Commission and
the agencies primarily center around: (1) the nature
of the proposed protections where an individual is
deemed to have an expectation of confidentiality; and
(2) the application of certain of the recommendations
to all types of records and to state and local government
record keepers. This set of issues for decision involves
situations in which government seeks records in the
course of a particular investigation or administrative
proceeding. The section will also present an issue
for decision that relates to statutes requiring private
sector record keepers to report personal information
automatically and routinely to government authorities.
A. Nature and Substance of Protections Where an Individual
is Deemed to Have an Expectation of Confidentiality
This group of issues defines the process that will
be used for access to the records in which individuals
are to be given an expectation of confidentiality.
This expectation of confidentiality has been defined
in Section I.G.7, and the kinds of records to which
it applies have been identified in Part II.
1. Should government access to confidential records
always be through compulsory process?
The Commission recommended that government access to
personal information in which there is an expectation
of confidentiality be permitted only through use of
compulsory process. The Combined Agencies proposal
recommends that, at least for bank records, the agencies
or their components that do not have legal authority
to use compulsory process be authorized by law to obtain
records by using a "formal written request" procedure
which they have developed.
The Combined Agencies formal written request proposal
would create a new form of process, though not a compulsory
one. This process would provide notice to the individual
and standing to contest the government's request in
court. If the individual failed to make a challenge
within the required time period, or if a court rejected
his challenge, the record keeper would be free to exercise
its own judgment concerning compliance and would have
immunity from civil liability to the customer if it
released the requested records to the government.
However, unlike the compulsory process proposed by
the Commission, the record keeper would not be required
to make disclosure in response to a "formal written
request."
The precise form of a "formal written request" could
be established by regulation by each agency involved,
and need not be specifically authorized by the Congress,
which would set forth only the general framework of
the request procedures.
Option 1: Compulsory process
Three arguments support the Commission's proposal
for exclusive reliance upon compulsory process
to obtain confidential personal records. First,
many banks currently require the government to
use compulsory process and the Commission was
not persuaded that this unduly restricts law enforcement
investigations. Second, although the Combined
Agencies proposal gives record keepers discretion
to refuse disclosure, even when the individual
does not exercise his privacy rights, the cooperation
of record keepers with informal government requests
suggests that most would routinely comply with
the formal request.
Finally, although the proposed formal written
request procedure includes protections for the
individual that are now missing when agencies
make requests for records, the proposal involves
a Congressional endorsement of a formal access
procedure available to all agencies. This runs
counter to the traditional notion of careful and
limited grants of police power and may have the
effect of increasing government collection activities.
Assuming that most record keepers would comply
with these formal written requests, the effect--
especially when exceptions to the notice requirement
are made--may be to give every Federal agency
the equivalent of compulsory process powers. This
option is supported by the Office of the Special
Assistant to the President for Consumer Affairs.
Option 2: Formal Written Request:
Three arguments support adoption of the Combined
Agencies request scheme. First, most investigative
agencies currently rely on informal modes of access
to obtain the records needed to carry out their
investigative functions. It is unclear whether
other agencies with criminal and civil investigative
jurisdiction will be able to effectively carry
out their functions, because they do not have
adequate access to compulsory process. Legislating
administrative summons powers for all these agencies
will be a slow and uncertain process. The use
of formal written requests will allow them to
continue obtaining information, while at the same
time protecting individual privacy. Second, the
formal written request proposal accommodates privacy
considerations by incorporating rights of notice
and challenge. This is a far greater protection
than is currently required by law. Third, the
Department of Justice has asserted that reliance
on existing forms of compulsory process will unduly
restrict law enforcement investigations. If the
formal written request scheme is not accepted
some segments of the department will be forced
to rely exclusively on, and thus burden, the grand
jury process to obtain records. This option is
supported by the Departments of Justice, Treasury,
Commerce, HEW, the CIA, Federal Reserve Board,
Veterans Administration, and the Office of Science
and Technology Policy.
Decision:
Require the use of compulsory process
for all government access requests for
those types of records in which the
individual has an expectation of confiden-
tiality.
Permit agencies or their components
that do not have authority to issue
subpoenas or administrative summons
to use a formal written request procedure
for those types of records in which
the individual has an expectation of
confidentiality.
Collateral Decision
Staff note: Regardless of the option selected above,
the collateral question is raised of seeking legislative
authority for administrative summons powers for agencies
or components thereof that do not now have access to
compulsory process but need to acquire personal records
for which there is an expectation of confidentiality.
While some agencies have informally expressed an interest
in this regard, (the Justice Department favors granting
summons power to the FBI, the Drug Enforcement Administra-
tion, and the Civil Rights Division, and the Department
of Defense seeks summons powers for its own activities),
there is presently insufficient data to enumerate the
strengths and weaknesses of this option.
Seek legislative authority for administra-
tive summons powers for
2. What should be the nature of the judicial standard
which can be employed by an individual in order
to make the government justify its access request?
As discussed earlier, the Commission and the Executive
Branch Agencies agree that a Federal law should be
enacted to give an individual the two elements of a
protectible legal interest in records held by private
sector record keepers in which he has an expectation
of confidentiality. First, the individual would have
the right to be notified of a government access request
and the opportunity to go to court to challenge the
request and protect his interests. Second, the substance
of the legal interest which the individual was seeking
to protect in any challenge would be defined in a legislative
standard. Such a standard is the heart of the protectible
legal interest, vital in giving effect to any protection
for a citizen's records. Notice of a government request
to obtain an individual's records and a right to challenge
that request are of little value without a defined
legal interest which can be used to test the legitimacy
of a government inquiry, requiring government to justify
its request. Basic disagreement exists, however, between
the Privacy Commission recommendation and the Combined
Agencies proposal over the specific nature of the challenge
rights and the definition of the legal standard.
The Commission recommended that an individual challenging
a government request for records in which he had an
expectation of confidentiality be provided with a legal
interest which includes both the right: (1) to require
from the government evidence of the "reasonable relationship
of the record sought to the investigation underway";
and (2) to assert the protections which he would have
under the Fourth and Fifth Amendments if the records
were in his possession. The Commission believed that
this second part of the interest did not rise to the
level of forcing government to meet the "probable cause"
standard required to obtain a search warrant; rather,
as a result of recent Supreme Court opinions, the Commission
concluded it could best be characterized as a "reasonable
cause" standard which government would have to meet
in order to justify access to an individual's records.
The Combined Agencies proposal would require an individual
whose records are sought to file a motion and affidavit
in an appropriate Federal district court: (1) stating
that records pertaining to him have been sought; and
(2) "showing that there is reason to believe that the
financial records sought are not relevant to a legitimate
law enforcement inquiry..." The agency would then
have to establish to the satisfaction of the court
that the documents requested were relevant to a "legitimate
law enforcement inquiry," defined as "a lawful investigation or
official proceeding inquiring into a violation of, or
failure to comply with, any civil or criminal statute or any
rule, regulation, or order issued pursuant thereto."
The two proposals differ on the following two points:
(1) the Combined Agencies proposal would place on
an individual challenging an access request the burden
of coming forward with an argument to suggest why government's
request is unjustified, rather than requiring, as does
the Commission's proposal, that the government present
evidence justifying a request in the first instance;
and (2) the Combined Agencies formulation offers a
less burdensome substantive standard for government
agencies to meet in order to justify access than does
the Commission proposal.
Option 1: Commission Position:
The Commission concluded that only by requiring
government to take the initial burden of justifying
its request before any 1E37277.4 by the individual,
and by adopting a relatively high standard against
which to test the adequacy of government's justification,
could government agencies be prevented from seeking
more information than they need, or from seeking
information without sufficient grounds. By forcing
attention in each case to questions of relevance,
propriety, and a specific and justifiable government
interest, an individual's legitimate interests
in his bank and similar records can be most effectively
recognized, and the potential for improper actions
by government checked.
The Commission's proposal would require the government
to carry the burden of showing that the records
sought are relevant to a legitimate and specific
investigation. The Combined Agencies proposal
places the final burden of making this justification
on the government, but requires the individual
to first produce an argument demonstrating that
there is reason to believe that his records are
not relevant to a legitimate law enforcement inquiry.
The individual, as a result, may be put in the
position of demonstrating what is, or is not,
a legitimate law enforcement inquiry, rather than
merely being required to make a non-specific objection
which triggers a government duty to file. This
could make it very difficult for an individual
to effectively initiate and sustain a challenge.
Finally, the relatively high substantive standard
recommended by the Commission as part of an individual's
protectible legal interest assures that a good
deal more than mere suspicion will be needed to
justify government access to a citizen's private
records.
Option 2: Combined Agencies Position:
The Commission's proposal may cause undesirable
adjudicatory delay by allowing procedural objections
to be raised. The requirement that an individual
have the burden of coming forward to show why
there is no relevant law enforcement purpose for
the records to be disclosed is necessary to discourage
frivolous challenges and dilatory tactics. If
an individual did not have such a burden he might
force the government to waste considerable time,
expense, and effort even though there was no legitimate
basis for his challenge. Experience under the
Tax Reform Act of 1976 indicates that frivolous
challenges can be a problem.
The Commission's substantive standard is so high
that government agencies may not be able to meet
their burden, particularly at the early stages
of an investigation. In particular, the imposition
of such standards may jeopardize the prosecution
of white collar crimes, where financial record
information is crucial at the early stages of
investigation. There is some experience in California,
where the applicable standard is similar to the
standard proposed by the Commission (though somewhat
higher), which indicates that delays and premature
termination of investigations may result.
Finally, the procedures and substantive standard
in the Combined Agencies proposal are a significant
step forward from the present legal situation
where an individual has no rights. Moreover,
the substantive standard will cause the process
to be subject to individual and public scrutiny,
as well as court supervision, which will act as
a significant check on any abuses.
Option 3: Compromise Position:
A compromise option would be to establish a substantive
standard for disclosure equivalent to that contained
in the Combined Agencies proposal. This option
would, however, adopt the Commission's approach
of placing the initial burden on the government
by dispensing with the Combined Agencies requirement
that the individual first come forward with a
showing that the government's request is unjustified.
This formulation has the effect of placing the
principal burden on government to make an initial
showing of legitimacy by establishing the connection
between the records sought and an investigation
of a violation of law. In so doing, the approach
offers protection against use of process for "fishing
expeditions." At the same time, elimination of
the Commission's requirement that the government
overcome the equivalent of an individual's "Fourth
and Fifth Amendment" interests will ease the danger
of excessive impairment of government investigations.
On the other hand, it offers more limited protection
than the Combined Agencies against challenges
made only to delay or impair legitimate investigations.
Decision:
Adopt Commission proposal: burden on
the government to establish specific
relevance of its request first; "reasonable
cause" standard.
Adopt Combined Agencies proposal: burden
on individual to come forward and present
basis for questioning propriety of govern-
ment request; "legitimate law enforcement
inquiry" standard.
Adopt compromise: burden on government
of initially coming forward; "legitimate
law enforcement inquiry" as standard.
3. What should be the exceptions to the notice and
challenge rights?
The agencies and the Commission agree in general that
when a government access request for personal information
for which there is an expectation of confidentiality
is directed at a third-party record keeper: (1) the
individual to whom the record pertains should receive
a copy of the request from the requesting agency at
the same time that the request is served upon the record
keeper; and (2) that the individual should have an
opportunity to go to court to challenge the request.
To the extent that there is disagreement, it centers
around whether there should be exceptions to these
notice and challenge rights.
The Commission's proposal would never permit an agency
to dispense with notice prior to obtaining records,
if the personal information being sought were one of
the categories of personal information considered confidential
(i.e., for which the record-keeper was under a duty
of confidentiality). The government, of course, always
has the option of obtaining a search warrant, which
avoids the prior notice to the individual.
The Combined Agencies proposal recognizes an individual's
expectation of confidentiality but also enumerates
certain conditions in which privacy interests would
yield to other important societal interests. Agencies
could obtain a court order for a delay of a notice
if there were reason to believe that prior notice would
result in endangering the life or safety of any person,
flight from prosecution, destruction of or tampering
with the evidence, intimidation of potential witnesses,
or would otherwise "seriously jeopardize" or "unduly
delay" the investigation. In addition, an agency could
have access to records without giving the individual
prior notice and without first obtaining a court order
delaying or dispensing with notice in the following
circumstances:
(1) if a grand jury subpoena were used. (This
topic will be treated below as issue 6.)
(2) if the investigation involved either foreign
counter or positive intelligence activities;
or protection of the President. (However,
the agency must give the record-keeping institution
a sworn statement that the access complies
with the provisions of the government access
statute).
(3) if an emergency situation existed in which
there were an imminent danger of flight,
destruction of records, or a threat to life
or safety. (However, the emergency exceptions
would be subject to a requirement that the
agency provide: (a) a written representation
of an emergency to the record keeper; (b)
an affidavit to a court within five days
after access justifying the use of the emergency
procedures; and (c) the individual with notice
of the access at the expiration of a court
ordered period of delay or, in the absence
of such an order, as soon as practicable.)
(4) If access to the records is for servicing
or foreclosing a Federal loan or loan guarantee.
Option 1: No exceptions:
The Commission's approach is more likely to safeguard
an individual's privacy because it far more strictly
restricts access to confidential personal information.
If the government could actually make a showing
in court which would sustain an exception to the
prior notice and challenge requirements, then
the government is likely to have the requisite
probable cause to obtain a search warrant.
In addition, the Combined Agencies formulation
contains a relatively broad definition of the
circumstances that would permit a court to issue
an order delaying notice to the subject. Since
the conditions for waiver are broadly drawn, courts
may tend to routinely grant applications for waiver
of notice. This is particularly likely where
exception can be made if prior notice "otherwise
jeopardizes an investigation."
Finally, the Combined Agencies formulation, in
some circumstances, permits agencies to dispense
with notice without the check of prior court supervision.
The argument that court supervision is impractical
and inappropriate for foreign intelligence, Presidential
protection, and emergency investigations is compelling
if the scope of what is considered foreign intelligence
or Presidential protection services is tightly
interpreted. This is uncertain without the protection
of court supervision.
Option 2: Some exceptions:
The principal deficiency in the Commission's approach
is that it is unyielding in the requirement that
notice be provided prior to access to the categories
of information for which there is an expectation
of confidentiality. Under the Commission's approach,
it would not be possible in many instances for
a government agency to obtain credit, banking,
medical, or insurance records (assuming the duty
of confidentiality has been elected in Part II)
without first giving the individual notice and
an opportunity to go to court.
The only exception to the notice requirement,
of course, would be where the government uses
a search warrant, with its relatively high standard
of probable cause -- a standard far higher than
that which would be needed to sustain the proposed
exceptions.
The Combined Agencies proposal, except in a few
circumstances, assures either prior court review
or individual notice before agencies can obtain
access to personal information for which there
is an expectation of confidentiality. It is argued
that the position of no court supervision is justified
for foreign intelligence activity because the
current definitions of foreign intelligence activity
are accepted by Congress and to require disclosure
of such activities to a court may seriously jeopardize
those activities. The same is true of investigations
in connection with protecting the President.
As an additional protection, where such access
occurs without court supervision the agencies
will be subject to review by the appropriate Congressional
oversight committees. The only other area where
there is no prior court review is in certain life-
threatening emergency situations in which it is
reasonable to dispense with prior notice in order
to prevent harm from occurring. Even there, however,
the agency must file a justification for the access
in court within five days. This proposal is supported
by the Departments of Justice, Treasury, Commerce,
and Defense, CIA, and the Veterans Administration.
Option 3: Compromise:
There is a possible compromise between these two
positions which adopts the Combined Agencies formu-
lation, except that it would tighten the grounds
upon which a court could delay notice to the record
subject. (No notice would be provided, within
the standards suggested by the Combined Agencies,
in foreign intelligence and Presidential protection
situations, as well as under the Combined Agencies
emergency access proposals.) A judge could waive
notice only where the government presents facts
to establish: (a) that the substantive standards
for using a subpoena as described in issue 2 above
are satisfied; and (b) that notice would be likely
to result in: (i) endangering the life or safety
of any person; (ii) flight from prosecution;
(iii) destruction of, or tampering with, evidence;
or (iv) intimidation of potential witnesses.
Permitting waiver of notice because it would "otherwise
seriously jeopardize the investigation," a standard
included in the Combined Agencies proposal, would
not be included because it allows too much flexibility.
The limitations listed above encompass the specific
circumstances which might jeopardize an investigation,
and waivers should be limited to such circumstances.
This compromise would provide the basis for meaningful
court supervision and balances the interests presented
by the Combined Agencies and the Privacy Commission,
without running the danger of overly broad formulations
which might be misused. It is supported by HEW,
the Office of Science and Technology, and the
Office of the Special Assistant to the President
for Consumer Affairs. The Department of Justice
objects, on the grounds that the compromise does
not provide for emergency situations (e.g., kidnapping)
where delay associated with giving notice might
cause harm.
Decision:
Adopt the Commission notice and challenge
proposal.
Adopt the Combined Agencies notice and
challenge proposal.
Adopt the compromise set forth above.
4. Should judicial subpoena in the course of litigation
be covered?
The Commission recommended that government use compulsory
process for access to personal information in which
an individual has an expectation of confidentiality,
when that individual is already involved in a judicial
proceeding with the government (both civil and criminal).
The individual would have rights of prior notice and
challenge and recognition of the substantive legal
interest decided above.
Pro:
Under the procedures that today govern civil and
criminal litigation, a litigant has a right of
notice when the government seeks access, and a
right to challenge that access on the grounds
that the documents sought are not relevant to
the case being tried. The Commission proposal
would increase the grounds on which the individual
could challenge access by bringing into play a
new substantive legal interest--the "expectation
of confidentiality" decided in Part II of this
memorandum. Absent this provision, the result
would be looser controls over government access
to documents in the course of litigation than
at other times, which is just the opposite of
the situation today. This position is supported
by the Department of Justice, provided that an
exception is carved out for those cases in which
the customer whose records are sought by government
during the course of litigation is himself a party
to the litigation. The position is also supported
by the Office of Science and Technology Policy.
Con:
The Federal Rules of Civil Procedure and Criminal
Procedure contain detailed, well worked-out, and
sufficient protections for documents sought by
the government in connection with litigation to
which the government authority and the individual
to whom the documents pertain are parties. The
individual receives notice and an opportunity
to litigate issues of relevance. It will be confusing
and burdensome to courts and litigants to create
special procedures applicable only to those records
in which the litigant has an "expectation of con-
fidentiality." This position is supported by the
Departments of Commerce, Treasury, HEW, Defense,
the CIA, Federal Reserve Board, Veterans Administration,
and the Office of the Special Assistant to the
President for Consumer Affairs.
Decision:
Apply the access proposals to judicial
subpoena in the course of litigation.
Exempt judicial subpoena from access
proposals in the course of litigation.
5. Should the standards for the issuance of, and
use of information obtained by, administrative
summons be reformed?
The Commission recommended tightening the procedures
for the issuance of administrative summons and imposing
limitations on the use of personal information obtained
by administrative summons. Specifically, the Commission
recommended that Federal law provide that:
a) an administrative summons may be used only
to inspect records required by law to be
maintained by the record keeper;
b) the information acquired with the administrative
summons may be used only for purposes of
the investigation or enforcement action which
justified acquisition of the information;
and
c) an administrative summons must be issued
by a supervisory official and not a field
agent.
Pro:
The Commission argued that use of administrative
summons by a wide variety of Federal agencies
is expanding without adequate control and restrictions.
Specifically, there is little supervisory control
of when and for what purposes a summons is issued.
The Commission developed evidence that administrative
summons are frequently issued by field agents
rather than supervisors. In addition, the Watergate
and Intelligence Committee investigations identified
questionable or improper uses of administrative
summons power.
Limitations on issuance procedures and on the
permissible uses of information obtained from
administrative summons are necessary to limit
intra- and interagency sharing of personal information,
and the use of the information for a purpose unrelated
to the purpose of the original investigation.
The Commission concluded that the strictures found
in current law, including the Privacy Act, are
ineffectual in controlling the exchange of personal
information within the government, particularly
for law enforcement purposes.
Con:
Counterarguments are directed primarily to that
portion of the Commission's proposal that places
limitations on government use and retention of
this information, not on the limitations on access.
It is argued that the Privacy Act should control
information use without being subjected to piecemeal
exception.
If administrative summons procedures are to be
reformed, this should be done on a comprehensive
basis, not just in the context of access to records.
This sort of sweeping reform requires a broader
study than the Commission undertook. The Departments
of Justice and the Treasury have not spoken in
detail to this proposal.
Decision:
Adopt Commission issuance and use recommendations
(more than one may be adopted):
a) an administrative summons may be
used only to inspect records required
by law to be maintained by the record
keeper. This recommendation is supported
by the Department of HEW.
b) the information acquired with the
administrative summons may be used only
for purposes of the investigation or
enforcement action which justified acquisition
of the information. This recommendation
is supported by the Department of HEW.
c) an administrative summons must be
issued by a supervisory official and
not a field agent. This recommendation
is supported by the Departments of HEW,
Justice, and Commerce.
Or
Retain present law without change.
This position is supported by the Department
of Defense, the Veterans Administration,
the CIA, and the Office of Science and
Technology Policy.
6. Should the standards protecting the secrecy of
information obtained by a grand jury which assure
protections for individuals under investigation
be reformed?
The Commission's proposed grand jury reforms would
require that personal information obtained through
use of a grand jury subpoena:
a) be returned and actually presented to the
grand jury;
b) be employed only for a criminal prosecution
where the grand jury issuing the subpoena
issued a presentment or indictment;
c) be destroyed or returned to the record keeper
where no indictment or presentment is issued
(except to the extent that the information
has become part of the official minutes of
the grand jury);
d) not be copied or kept apart from the sealed
records of the grand jury; and
e) be protected by stringent penalties for improper
use or disclosure outside the grand jury.
Pro:
In support of its grand jury reforms, the Commission
observed that use of the grand jury subpoena suffers
from a significant discontinuity between theory
and practice. The use of a grand jury in criminal
prosecutions is constitutionally mandated and
shrouded, in theory, with certain protections.
The grand jury subpoena permits the grand jury
to collect virtually any evidence it desires.
To balance this power, the deliberations of a
grand jury, and the testimony and other information
it obtains, are theoretically protected by a strict
standard of secrecy. But, the Privacy Commission
found that, in practice, the grand jury subpoena
has to a significant extent become an administrative
tool in assisting prosecutors to collect information.
Its current use is characterized as a device employed
by investigators to circumvent the more stringent
requirements which must be met to obtain a search
warrant. According to the Commission, documents
are often subpoenaed by government investigative
agents without the knowledge or the approval of
the grand jury. The Commission found that information
obtained by investigators using grand jury subpoenas
may never reach an attorney for the government,
let alone the grand jury; it may simply be retained
in the files of the investigative agency for unspecified
future use.
The Commission also argued that Rule 6(e) of the
Federal Rules of Criminal Procedure, which currently governs
the information collection practices of Federal
grand juries, is insufficient protection because
it contains many ambiguities. Rule 6(e) requires
the prosecutor to obtain a court order as a precondition
to disclosing "matters occurring before the grand
jury," and limits that disclosure to one "preliminary
to or in connection with a judicial proceeding."
There is no definition of "matters occurring before
the grand jury" and it is not clear that this
formulation covers records subpoenaed but not
returned and presented to the grand jury. The
rule does not provide for notice or standing to
the individual if the prosecutor applies for a
disclosure order. Rule 6(e) permits disclosures
to investigators assigned to the investigation,
but does not restrict subsequent disclosures of
summaries or abstracts of subpoenaed documents
(one of the problems identified by the Privacy
Commission), since the summaries and abstracts
are not "matters occurring before the grand jury."
What case law exists suggests that the traditional
safeguards for information obtained for the grand
jury, as reflected in Rule 6(e), have been rendered
ineffectual and that the problems identified by
the Commission remain unremedied. The Commission's
position is supported by the Office of the Special
Assistant to the President for Consumer Affairs.
Con:
The Departments of Justice and the Treasury urge
that the grand jury subpoena process be exempt
from the access limitation proposals. They take
the position that the Federal Rules of Criminal
Procedure should control grand jury information
use without being subjected to new and piecemeal
limitations. They point out that Rule 6(e), which
was amended by the judicial conference and consented
to by Congress effective October 1, 1977, currently
imposes strict limits on the prosecutor's right
to disclose information obtained in a grand jury's
investigation. Under the Rule, disclosure and
use of such information, without a court order,
is restricted to Department of Justice attorneys
and other government personnel deemed necessary
by the prosecutor to assist him in the enforcement
of Federal criminal law. A court order is required,
based upon a showing of particularized need, for
a disclosure or use for any other purpose. Knowing
violation of the Rule is expressly made punishable
by contempt of court. Furthermore, it is illogical
to subject only one type of records obtained from
a limited number of sources (records in which
an individual has an expectation of confidentiality)
to special restrictions on use. This position
is supported by all responding agencies except the
Special Assistant to the President for Consumer
Affairs -- the Departments of Justice, Treasury, Commerce,
HEW, Defense, CIA, and the Office of Science and
Technology Policy.
Decision:
Adopt Commission grand jury recommendations.
Adopt Justice/Treasury approach and
retain present law without change.
B. Extension of parts of government access recommendations
to records where an individual does not have an
expectation of confidentiality and to the collection
practices of state and local governments.
The Commission and the Departments of Justice and the
Treasury agree that for private sector records the
provisions for full individual notice and challenge
rights ([illegible] decided), should apply only where it
has been determined that an individual has an expectation
of confidentiality in connection with certain record-
keeping relationships as discussed in Part II of this
memorandum. The areas of disagreement concern whether
the scope of these provisions should be extended in
whole or in part to other record-keeping situations.
7.A Should government requests for private sector
records other than those covered by an expectation
of confidentiality (as decided in Part II) be
documented by a "paper trail" to create greater
accountability?
The Commission recommended that government access to
personal information from private sector record keepers
in which the individual does not have an expectation
of confidentiality require the use of legal process.
In many instances (grand jury subpoenas constitute
the major exception), the Commission's proposal would
mean that the individual receive notice of the access
request and an opportunity to raise at least procedural
objections in court. This approach has been rejected
by everyone within government.
Many executive agencies do, however, urge that where
Federal agency access is obtained without individual
consent to non-confidential records, the agencies should
be required to make the request on an agency letterhead
to the record keeper. "Letterhead" requests would
not require notice to the subject or an opportunity
for a court challenge and, as a legal matter, would
not compel compliance by the record keeper. (This
issue was not addressed by the Departments of Justice
and the Treasury in their testimony on access to financial
records because that testimony concerned only bank
records for which there would be an expectation of
confidentiality.)
Option 1: Letterhead Request
The Commission and most agencies believe that
because much of the information collection by
the government is done in an informal manner,
neither the individual nor anyone else may ever
know that a request to, and consequent disclosure
by, a private sector record keeper has been made.
The government should therefore be required to
leave a paper trail of its investigation. This
can be accomplished by requiring an agency to
make all requests for information in writing,
on an agency letterhead.
To require the additional step of legal process,
as the Commission suggested, adds considerably
to an agency's administrative burden, and adds
nothing to the interests of creating a paper trail
that will not be satisfied by a letterhead request.
Legal process is only necessary if notice and
challenge rights are important, which is not the
case for these non-confidential records. Requiring
a letterhead request would cause a "paper trail"
to exist in two places: (1) the government agency
making the request; and (2) the organization
releasing the information. Consequently there
is an opportunity for government and individual
oversight. Documentation of government information
collection activities will be valuable for investigating
and assessing the legitimacy of government investigative
conduct and the disclosure practices of private
sector organizations. This option is supported
by the Departments of Commerce and HEW, the Veterans
Administration, the Office of Science and Technology
Policy, and the Office of the Special Assistant
to the President for Consumer Affairs. Department
of Defense favors creating a paper trail, but
believes a letterhead request approach would be
grossly inefficient, and suggests that other and
more efficient methods of establishing the necessary
paper trail should be explored.
Option 2: Compulsory Process
The Commission supported the need for a paper
trail for the reasons set forth above, but did
not examine letterhead requests. It can be argued
that, because a letterhead request does not provide
notice to the individual, it is less likely to
result in questionable government collection activities
coming under public scrutiny. Since an agency's
compulsory process powers have received specific
congressional approval or review through a judicially
controlled and supervised process, compulsory
process provides greater protections than a letterhead
request.
Option 3: No Paper Trail (status quo)
It is inappropriate to require the government
to use a letterhead request to obtain information
which, by definition, the individual does not
expect will be treated in a confidential manner.
This position is supported by the Departments of
Treasury and State, the Civil Service Commission,
the CIA, and the Department of Justice, which believes
that the costs of keeping a paper trail would
be enormous, and that the privacy interests are
negligible.
Decision:
Letterhead request
Compulsory process
No paper trail
7.B Should requests by Federal agencies for personal
records held by state and local governments be
subject to some restrictions?
The Commission recommended that some form of compulsory
legal process be used whenever the government seeks
personal information for purposes of making a decision
about an individual from any private sector record
keeper and any agency of another governmental jurisdiction.
Option 1: Letterhead Request
The letterhead approach rests on the desirability
of creating a uniform system of government collection.
Since there is a great deal of sensitive personal
information that flows from state governments
to the Federal government, there is need to have
a record that will establish what information
was exchanged, when, under what authority, and
for what purposes. As discussed in Option 1 of
issue 7A, this approach would create a paper trail
but would not have the burdens attendant with
formal process. This position is supported by
the Departments of Commerce and HEW, the Veterans
Administration, and the Office of the Special
Assistant to the President for Consumer Affairs.
The Department of Defense favors creating a paper
trail but, as in Issue III.B.7.A above, feels
that there are probably cheaper ways of achieving
a paper trail than the letterhead request process.
Option 2: Compulsory Process
For the reasons discussed in Option 2 of issue
7A, the Commission believed that compulsory process
should be used for Federal access to state and
local government records.
Option 3: No Paper Trail (Status Quo)
The arguments on this issue go primarily to the
problems of compulsory process, rather than of
letterhead requests. Many government agencies,
or components, do not have the legal authority
to use compulsory process. Instead, they rely
upon voluntary production of personal information
by state and local agencies for the operation
of programs, such as the security clearance and
employment eligibility investigations. Although
it is reasonable to expect that agencies would
obtain individual consent for a state to release
data, it is possible that an extension of the
access limitation to state record keepers would
endanger the present mode of operation of important
Federal programs. This position is supported
by the Treasury Department, which opposes any
restrictions on Federal agency access to personal
records held by state and local governments where
the requesting Federal agency is authorized to
collect the information and has a need for it,
and by the Department of Justice, the CIA, the
Civil Service Commission, and the staff of the
Federal Reserve Board.
Decision:
Letterhead request
Compulsory process
No paper trail
8. Should state and local government agencies be restricted
in their information collection practices?
The Commission's access recommendations are aimed specifically
at Federal agency activities, although the Commission's
report states that, as a matter of policy and logic,
its recommendations are equally applicable to state
and local government agencies. However, out of concern
for the difference in forms of state legal process
and possible questions of constitutionality, the Commission
did not include the information collection processes
of state and local government agencies in its recommendations.
Instead, the Commission stated that its proposals for
reform of Federal government access should serve as
a model for state action.
The recently passed Right to Financial Privacy Act of 1978
applies the new access procedures only to Federal agencies.
The Department of Justice, however, has urged that
the government access provisions be applied by Federal
law to agencies at all levels of government seeking
access to (bank) records.
There is a particular problem to be considered in deciding
whether or not to extend the particular access provisions
adopted for Federal agencies directly to the states
by Federal law. The expectation of confidentiality,
with its duty of non-disclosure for private sector
record keepers, selected in Part II will prohibit informal
access to records for all government agencies, state
and local as well as Federal. Absent a Federal law
reforming state as well as Federal processes, the loss
of informal access would require state agencies to
employ whatever forms of compulsory process they currently
have available in order to obtain records. In many
states this would impose little, if any, new burdens;
in others, however, the end of informal access would
leave state agencies needing access to personal records
with few, and often very difficult, routes by which
to obtain them. Furthermore, (1) establishing the
expectation of confidentiality, (2) extending the particular
government access provisions adopted earlier in this
part only to Federal agencies, and (3) selecting the
formal written request option in issue 1, could lead
to the undesired side effect of placing a greater burden
on state and local government agencies' access to records
than on Federal agencies' access to those same records.
Three options exist with regard to the question of
possibly extending the access provisions to state and
local governments while at the same time avoiding the
above-mentioned problem. The first two would retain
the expectation of confidentiality and its concomitant
duty on the record keeper not to disclose, unless required
by law or permitted through legal process, as a barrier
to informal access by agencies at all levels of government.
In one case, the Administration could seek to directly
extend the access provisions it decides to adopt for
the Federal government to the states; in the other
case, it could seek to expressly permit in statute
the adoption by the states of new processes for access
which incorporate at least the minimum protections
adopted for Federal agencies (e.g., incorporating at
least the requirements for formal written requests,
if that position was accepted in issue 1). The third
option would be not to apply the access provisions
for Federal agencies to the states and to eliminate
an individual's expectation of confidentiality when
a state agency was seeking his records, thereby exempting
the states from the restrictions on informal access
to confidential personal information which were set
forth in Part II.
Option 1: Apply access provisions to all levels of
government
The philosophical and practical reasons that justify
limiting Federal government access to records
apply with equal force to state and local governments.
Accordingly, a comprehensive approach assures
the greatest protection of individual rights.
In addition, a comprehensive approach avoids the
dangers of: (a) inconsistent or conflicting state
and Federal laws; (b) Federal-state preemption
questions; and (c) "silver platter" investigations
(i.e., investigations performed by a state agency
that a Federal agency would not be able to perform
legally, with a subsequent transfer of the fruits
of the investigation to a Federal prosecutor.)
By establishing one set of procedures and standards
on a nation-wide basis, large national organizations
and citizens of different states will be assured
of equal and consistent treatment with regard
to their legal obligations and rights.
There is considerable debate regarding whether
this direct extension by Federal law of detailed
access requirements to the states would be constitutional.
Recent Supreme Court decisions indicate that the
Federal government cannot directly legislate to
alter or regulate the internal processes of state
governments. There are, however, no constitutional
obstacles to the creation by Congress of the expectation
of confidentiality, and its concomitant duty on
the record keeper not to disclose, under its authority
to regulate interstate commerce. As noted above,
once such a duty was in place, it could be expected
to affect the circumstances under which state
agencies obtain personal information, including
the use of compulsory process. It would not,
however, affect the internal procedures of state
agencies or judicial systems. This is the position
of the Department of Justice (which would, however,
exempt those states and localities that already
have similar laws governing access to personal
records, e.g., California) and is supported by
the Office of the Special Assistant to the President
for Consumer Affairs. State agencies can be expected
to oppose this position vigorously.
Option 2: Apply access provisions directly only to
Federal agencies; permit, by statute, state adoption
of processes with at least the minimum Federal requirements
The Commission did not look at state government
access practices in as much detail as it looked
at Federal government access practices and, hence,
the factual record available to support extension
of all the government access provisions to the
states is not as complete. This option would,
however, still establish a baseline national policy
which would assure large record-keeping organizations
and individual citizens of relatively consistent
and equal treatment from state to state. In all
likelihood, state laws adopted under this option
would be similar, most likely following the Federal
model.
Finally, this option avoids most of the problems
of Federal-state relations inherent in the previous
option and it limits the role of the Federal government
in determining the investigative procedures of
state agencies. For example, several states currently
have more stringent requirements for access than
are likely to be adopted by the Federal government.
Application of a Federal law in those states could
effectively lower existing state protections.
By permitting, rather than directing, the adoption
of lower Federal standards, this option leaves
the final choice to the states. This is the Commission
position and is supported by the Departments of
Commerce and HEW, the CIA, Federal Reserve Board,
and the Office of Science and Technology Policy.
Option 3: Apply access provisions only to Federal
agencies; exempt state requests for records from the
prohibition on informal access
This final option would create an exemption for
state and local governments to the legally enforceable
expectation of confidentiality defined in Section
I.G.7. Its advantage is that it would avoid any
potential problems by leaving the Federal government
completely silent on state and local government
access to records, but the cost would be the elimination
of most of the protections for the individual
provided by the expectation of confidentiality.
In essence, there would no longer be a consistent
national policy protecting confidential personal
records. On the Federal level, the elimination
of restrictions on state agencies could result
in records being made available to Federal investigators
through state access capabilities which circumvent
the intended protections of the Federal access
requirements. (This concern is one of the arguments
outlined above for direct application of the access
provisions to all levels of government.)
Finally, this option would be viewed as creating
a major loophole in any Administration privacy
policy. There could be many different legally
enforceable expectations of confidentiality, and,
in some states, the individual could have no protection
against state and local government access to records
for which he had a legally enforceable expectation
of confidentiality vis-a-vis Federal government
access requests.
Decision:
Apply all access provisions directly
by Federal law to all Federal, state,
and local government agencies.
Apply access provisions directly only
to Federal agencies; but expressly permit,
by statute, states to adopt new access
processes which incorporate at least
the minimum protections for Federal
agencies.
Apply access provisions only to Federal
agencies; exempt the states from both
the particular access provisions for
Federal agencies and the provisions
of the legally enforceable expectation
of confidentiality (as defined in Section
I.G.7 and decided in Part II) which
prohibit informal access by government
agencies.
C. Compulsory Reporting Requirements
9. Should there be reform of compulsory record
keeping and reporting statutes?
All of the other issues addressed in Part III of this
memorandum discuss access in the course of a specific
investigation or administrative proceeding. This issue
discusses statutes which require the automatic and
routine reporting of particular items of information
by private sector record keepers (e.g., the Bank Secrecy
Act) to the government. Because of the growing trend
toward enactment of statutes that require private sector
organizations to collect and maintain information about
individuals for subsequent inspection by, or reporting
to, government agencies, one of the Commission's Federal
access proposals addressed the nature of these compulsory
reporting statutes.
In particular, the Commission recommended that statutes
that create requirements for private sector record
keepers to collect personal information for inspection
or reporting to government include the following provisions:
a) each requirement be expressly authorized
in statute;
b) each requirement clearly identify the purposes
that it serves and establish standards by
which to measure the relevance of the information
required to these purposes;
c) no information be collected or reported in
individually identifiable form, except where
necessary to accomplish a designated purpose;
d) information private sector record keepers
are required to maintain for inspection by
authorized agents of the government is available
only upon presentation of a valid summons
or subpoena (NOTE: This provision would not
apply to records reported to government agencies);
e) each record keeper must notify an individual
at the beginning of a record-keeping relationship
of the information that government may see;
f) the information collected by the government
is unavailable for unrelated civil or criminal
prosecutions; and
g) the information is destroyed by the government,
and may be destroyed by the record keeper,
when and if a specific statute of limitations
governing the use of such information expires.
The agencies are in basic agreement with the thrust
of the Commission's recommendation, and with the specific
provisions concerning: 1) the need for information
collection or reporting requirements to be relevant
to the policies and purposes that they serve (provisions
(b) and (c) above); 2) the need for record keepers
to notify an individual at the beginning of a record-
keeping relationship of the information that government
may see (provision (f) above); and 3) the destruction
of records reported or maintained by compulsory require-
ment. There is, however, a need for specific decision
on the following questions relating to reform of compulsory
record-keeping and reporting requirements.
Issues for decision:
A. Should requirements for private sector record
keepers to collect personal information for inspection
or reporting to government be authorized only
by statute?
Option 1: Commission Position: (Each requirement be
expressly authorized in statute)
The Commission believed that the crux of the problem
with compulsory record-keeping and reporting requirements
lay in the exercise of "unreviewed executive discretion
in these information collection activities. The
Commission found that statutory grants of authority
to agencies enabling them to require reporting
or record keeping were ordinary, vague and overly
broad, permitting agencies to establish requirements
which result in the collection of information
without appropriate attention to the agency's
need for the information or to the utility of
the information. It decided that outside accountability
must be recreated and that statutory standards
are needed to establish clear limits to executive
agency action and against which agency actions
can be measured.
Option 2: Agencies Position: (reporting or collection
requirements may be authorized by statute,
regulation or court order.)
The Federal agencies, primarily the program agencies,
such as HEW, strongly object to the Commission's
recommendation that all compulsory reporting requirements
must be established by statute. The compromise
proposed by the agencies is that compulsory reporting
requirements be established either by statute,
agency rulemaking, or court order. They believe
that this broadening of the Commission's recommendation
is necessary to provide agencies with sufficient
flexibility to carry out their responsibilities
in program areas, but yet provide for accountability
through rulemaking and judicial safeguards. In
order to give Congress and the agencies time to
conform existing practices to this requirement,
a review of existing statutes and regulations
would be conducted; and the recommendation would
not take effect until that review is completed.
Decision:
Option 1: Commission Recommendation:
Compulsory reporting and record keeping
requirements be authorized only by statute.
Option 2: Agencies Position: Compulsory
record keeping and reporting requirements
be authorized by statute, regulation
or court order.
B. Should authorized agents of the government be
required to present a valid summons or subpoena
in order to inspect information which private
sector record keepers are required to maintain?
Option 1: Commission Position:
The Commission recommended that government agents
be required to present a valid summons or subpoena
in order to inspect information which private
sector record keepers are required to maintain.
The Commission found that the minimal agency restric-
tions currently in effect permit Federal agents
access to vast numbers of records without any
need to justify their inquiry. The Commission
concluded that reforms are necessary because the
current system "is fraught with greater potential
for abuse, and threatens individual liberties
and privacy more, than any other legitimate way
government goes about gathering information."
Option 2: Agencies Position:
The Federal agencies disagree with the Commission
recommendation. They propose instead that any
restrictions on government access to records collected
under compulsory requirements be established in
statute, regulation, or court order specifically
relating to those records, including statutes
enacting an expectation of confidentiality, as
discussed in this memorandum. The agencies recognize
the need for standards of confidentiality to apply
to certain records, but regard the Commission's
recommendation that such standards apply in all
instances where the record sought is collected
in accordance with a compulsory requirement, as
being unnecessarily burdensome. As an example,
under the agencies' proposal, when a Federal govern-
ment official seeks access to financial records
which a bank is required by the Bank Secrecy Act
of 1970 to maintain and where access is for a
purpose covered by the Financial Privacy Act of
1978, such as for a criminal or civil investigation
that may adversely affect the individual, then
the agency would be required to present a valid
summons, subpoena or other form of legal process,
in accordance with the Act. However, if a govern-
ment official seeks access to those same records
in order to ensure that the bank is complying
with statutory record-keeping requirements, an
instance not covered by the Financial Privacy
Act of 1978, then the requirement to employ valid
summons, subpoena or other legal process would
not apply.
The Department of Treasury in particular disagrees
with the Commission's treatment of these records
as being a special case, and believes that these
records should be available for access by government
agencies for legal purposes related to law enforce-
ment, tax, or other regulatory matters.
Decision:
Option 1: Commission position: Require
summons or subpoena
Option 2: Agencies' position: Existing
restrictions on access apply
C. Should information collected under a compulsory
reporting requirement be available to other government
agencies for unrelated civil or criminal prosecutions?
Option 1: Commission Position: Information collected
under compulsory requirement should not be
available for unrelated civil or criminal
prosecutions
The Commission found that, once collected, information
flows relatively freely within government, with
little attention to the propriety of such flow.
Since the government currently need not justify
the original compulsory collection, individuals
are effectively barred from objecting to whatever
use and redisclosure of that information occurs.
Although the Privacy Act of 1974 does provide
some restrictions on the flow of information within
the government, the Commission believed that records
collected from private sector record keepers under
compulsory requirements should be subject to a
stricter standard than information otherwise obtained.
Option 2: Agencies Position: Restrictions on use and
redisclosure of the Privacy Act of 1974 should
apply
The enforcement agencies, such as the Departments
of Justice and the Treasury, object to the Commission's
recommendation that new restrictions be placed
on the use of information collected under a compulsory
reporting requirement. The agencies have found
that information obtained from these sources has
been extremely valuable in various major investigations
(such as drug smuggling and bribery), and believe
the public interest is not served by placing strict
restrictions on the flow of this information between
agencies for legitimate law enforcement purposes.
They propose that such information may be referred
to a proper investigating authority (1) if the
information discloses evidence of a civil or criminal
violation or potential violation and (2) if the
investigating authority would be allowed to receive
the information under existing statute or regulation
issued pursuant to such statute (including the
Privacy Act of 1974), or under other recognized
form of legal process. The Federal agencies do
not believe that these records should be treated
for purposes of use and redisclosure any differently
than other records collected and maintained by
the Federal government.
Decision:
Option 1: New restrictions limiting
the use of information collected under
compulsory requirement for unrelated
civil or criminal prosecution.
Option 2: Existing restrictions should
apply.
IV. Federal Record-Keeping
This section addresses two general areas relating to
privacy and the Federal government:
1) The record-keeping practices of the Federal
agencies, particularly as they are covered
by the Privacy Act of 1974, are candidates
for re-examination in light of the Commission's
findings; and
2) There are certain services provided by the
government, particularly the provision of
telecommunications and data-processing services
for electronic funds transfer systems, which
raise important privacy questions.
A. The Privacy Act of 1974
Issue
The issue is whether the record-keeping and information
management practices of the Federal government as they
are covered by the Privacy Act of 1974 should be reformed.
The Privacy Act has been criticized as a cumbersome
and ineffective tool to solve real problems. While
the principles of the Privacy Act are generally accepted,
its specific requirements are believed by many to need
improvement. The Privacy Commission concluded that:
1) The Privacy Act represents a large step forward,
but it has not resulted in the general benefits
to the public that either its legislative
history or the prevailing opinion as to its
accomplishments would lead one to expect;
2) Agency compliance with the Act is difficult
to assess because of the ambiguity of some
of the Act's requirements, but on balance,
it appears to be neither deplorable nor exemplary
(in view of the ambiguity of the statute
itself, the Commission was not prepared to
judge agency compliance as either adequate
or inadequate); and
3) The Act ignores or only marginally addresses
some personal information record-keeping
policy issues of major importance now and
for the future.
Also, criticism of the Act is often aimed at the lack
of any significant, centralized rulemaking and policy
making structure at the Federal level. It is believed
that such a structure should, on an ongoing basis,
consider how agencies would best administer the Act,
as well as establish privacy policy for Federal programs
which may face significant privacy problems not adequately
treated by the Privacy Act. (This issue will be discussed
separately in Part VI below.)
To the extent that these issues raise problems which
demand immediate resolution, solutions may be possible
through either legislative reform or unilateral executive
action. Since the Privacy Act has been in effect for
less than three years, there is a great deal of reluctance
among congressional staff and Executive Branch employees
to revise the Privacy Act legislatively at this time.
Therefore, the discussion below presents alternatives
for administrative, rather than legislative, action
where they are practicable.
Current Law
The Act, in effect since September 27, 1975, requires
agencies to:
1. publish a list of record systems they maintain
on individuals, together with a statement
of what the records are used for, to whom
they are disclosed, and whether they are
exempt from the access and correction provisions
of the Act;
2. permit individuals to see and copy records
about them, as well as to correct inaccuracies
in those records;
3. limit the collection and use of personal
information to that which is proper and necessary
for an agency function;
4. limit the disclosure of personal information;
and
5. ensure the reliability and security of personal
information in their possession.
In addition to establishing these rights and obligations,
the Act has certain definitional limitations to allow
for exemptions. Also, the Privacy Act was drafted
to allow for flexibility in the application of its
provisions.
First, the Privacy Act does not cover all Federal records.
Rather, it applies only to records which are retrieved
by the reference to "name" or "other identifying particular."
The intent was to impose the Act's requirements on
records about particular individuals which were maintained
or used on an easily retrievable basis.
Second, the Act, drafted to satisfy the concerns of
many government officials, particularly those representing
law enforcement, provides a very broad exemption structure
in which entire record systems may be excluded from
many of the Act's provisions. Congress recognized
that ongoing law enforcement investigations, certain
personnel evaluations, and legitimate national security
interests could be jeopardized by disclosure of certain
records. It sought, by exempting complete systems
containing such records from the individual access
and certain other provisions, to protect the government
from premature exposure of such operations.
Third, in applying through specific statutory provisions
the general principle of limited disclosure of personal
information, Congress recognized that it still could
not identify in the statute every disclosure which
was appropriate for each Federal agency. To ensure
the continued flow of needed information among agencies,
while providing some protections against indiscriminate
disclosure, the Congress established a "routine use"
provision which permits an agency to freely disclose
information outside of the agency when the disclosure
is for a use "compatible with the purpose for which
(the record) was collected." Also, none of the Privacy
Act's limitations on disclosure apply to personal information
that is required to be publicly disclosed pursuant
to the Freedom of Information Act.
Fourth, in the interests of flexibility and decentralized
administration, Congress elected to allow agencies
to tailor implementation of the Act to their particular
needs and responsibilities. While the Office of Management
and Budget (OMB) was given some authority to issue
guidelines and provide direction, such guidance is
not binding on the agencies; nor is government-wide
regulatory or enforcement authority given to any other
organization.
Finally, to enforce compliance with certain provisions
of the Act or to recover actual damages occasioned
by an "intentional or willful" violation, an individual
may sue an agency directly. An individual may compel
the agency to allow him access to a record about him,
or to correct that record, as well as recover his out-
of-pocket expenses.
Discussion
The Commission concluded "that the Privacy Act needs
significant modification and change if it is to accomplish
its objectives within the Federal Government." The
specific findings which led to the call for general
overhaul of the Act are too numerous to list, but a
sample should indicate the breadth and complexity of
what the Commission believed were the principal problems
with the Act. The Commission found that:
1. The current use of the Act's "system of
records" definition allows agencies to avoid
the requirements of the Act by changing the
way their records are retrieved. Some agencies
have, in fact, changed certain retrieval
schemes in order to avoid the Act's requirements;
2. The Privacy Act's approach to exemptions
from the individual access requirement permits
a situation where access could be denied
under the Privacy Act, because the record
belonged in an exempt system, but allowed
under the Freedom of Information Act, because
its release would not jeopardize any legitimate
law enforcement or national security interests
(with one consequence being that the individual
could see the record but not correct it,
since the Privacy Act's correction rights
did not apply); and
3. The "routine use" provision of the Act is
being interpreted so broadly by most agencies
that it encompasses almost any disclosure
of information to parties outside the agency.
Also, it provides no standards for internal
agency disclosures, even where the disclosure
would be between two otherwise unrelated
components of a massive agency, such as DHEW
(e.g., between the Social Security Administration
and the Public Health Service).
The Privacy Commission made a number of suggestions
which, when taken together, constitute a wholesale
revision of the existing Act. The Commission also
prepared a model statute embodying its strategy for
revision of the Act; that model statute has been introduced
in the House as H.R. 8279 and as one portion of H.R.
10076. The Commission proposals include several steps
it believed essential to any revision of the Act:
1. The ambiguous language in the law should
be clarified to minimize variations in interpretation.
2. Clarification of the Act should explicitly
incorporate "reasonableness tests" to avoid
a strict interpretation of the Act and to
allow for flexibility in implementation.
This would give the agencies incentives to
attend to implementation issues and to take
account of the differences between manual
and automated record keeping, diverse agency
record-keeping requirements, and future
technological developments.
3. The Act's reliance on its "system of records"
definition as the sole basis for activating
all of its requirements should be abandoned
in favor of an approach that activates specific
requirements as warranted. (This is a fundamental
change in the basic structure of the Act,
and it reflects the generally accepted view
that real reform of the Act will require
changes in the Act's definitions.)
4. Provisions should be incorporated into the
Act which would increase agency accountability
and ensure more effective application of
the requirements of the Act--through better
implementation, more vigorous oversight,
and more thorough and effective enforcement
of the Act.
Issues for Decision
1. Should the Administration endorse revision of the
Privacy Act?
Option 1: (Privacy Commission Proposal):
The Privacy Commission concluded that the Act,
while a large and worthwhile step forward, was
not meeting its objectives, and many observers
both in and out of government agree. It is certainly
possible to improve the Act while reducing the
current burden on the agencies. In addition,
there is some doubt as to the legitimacy and credibility
of agency objections to revision of the Act based
on claims of burden. The concerns expressed by
the various agencies at the time of the Act's
passage regarding cost of implementation and burden
of administration have generally proved unfounded.
Indeed, original agency estimates of cost were
too high by a factor of almost 10.
The Presidential policy regarding privacy protections
for the private sector may be difficult to justify
and may suffer in credibility unless there is
a concurrent effort to further reform Federal
record keeping. Further, to the extent that the
Privacy Act serves as a model for state legislative
action, any fundamental weaknesses may be carried
over and duplicated.
In the international arena, there is pressure
to revise the Privacy Act to cover all individuals
instead of just American citizens. While this
is thought to be a simple modification, it can
be expected that such a move would, at a minimum,
call into question the entire exemption structure
of the Act.
Option 2:
The arguments against revision of the Privacy
Act are generally not based upon support for the
structure or effectiveness of the current law
as much as they are based upon the inadvisability
of taking any action at this time because: (1)
there is not enough data available to justify
and guide a revision effort; and (2) there is
little political support for revision of the Act.
The Privacy Commission's specific suggestions
for revision of the Act were presented in a different
format from the other, more general, recommendations
in the Commission's report. The agencies were
not tasked to respond to these specific legislative
suggestions as part of this review process, and
most did not do so. Based upon the limited information
available, however, it can be expected that agency
reaction will be strong and widely varied in relation
to the specific language of any proposed revision
of the Act. Those agencies which did respond
expressed concern over increased costs of implementation
and expanded administrative burdens, as well as
over the possibility that certain of the proposals,
if adopted, would prove unmanageable, notwithstanding
any concern over burden and expense.
In addition, there is little discernible support,
either in the Congress or in the agencies, for
massive revision of the Privacy Act at this time.
Even those who would strengthen the Act are fearful
that opening it up to amendment now may do more
harm than good. The general inclination is to
first consider other areas of privacy, principally
as regards government access to private sector
records and general private sector record-keeping,
before attempting a legislative restructuring
of Federal sector record-keeping, tentatively
in 1981.
This option is supported by most of the Federal
agencies, including the Departments of Defense,
Commerce, Justice, and the Treasury, and by the
CIA, the Veterans Administration, OSTP, and GSA.
Option 3:
There exists a middle position between endorsement
of the Privacy Commission proposals for complete
revision and rejection of basic reform of the
Act. The Administration can endorse broad reform
but not commit itself to the specifics or
methodology adopted by the Privacy Commission.
Since the Commission's investigation occurred
in the earliest days of the Act's life, it may
be wise to examine the subsequent experience before
endorsing specific revisions. As part of this
reform, it might also be appropriate to take
certain steps administratively (as discussed
below). This option is favored by the Department
of Health, Education and Welfare.
Decision:
Option 1: Endorse Privacy Commission
recommendations to fundamentally revise
and strengthen the Act.
Option 2: Defer fundamental changes
in Act until there is more experience
under it; plan tentatively to seek
legislation in 1981.
Option 3: Endorse concept of fundamental
revision of Act in 1979-80 Congress
with goal of strengthening Act while
minimizing agency burden; assign staff
to review issues and develop positions.
2. Should the applicable requirements of the Privacy
Act be extended to apply to certain personal data
systems operated by certain recipients of discretionary
Federal grants?
The Privacy Act currently provides (in subsection 3(m))
that systems of records operated by government contractors
to accomplish an agency function are subject to the
requirements of the Act. The intent of this provision
was to prevent agencies from evading the requirements
of the Act by "contracting out" the performance of
government functions.
There are two separate questions here. The first question
is whether or not the current contractor provision
of the Privacy Act is working effectively. The available
evidence indicates that it is not. The second question,
which is raised as an issue, is whether or not the
applicable requirements of the Privacy Act should be
extended to discretionary Federal grantees.
Current OMB guidance to agencies on the contractor
provision of the Act indicates that:
o The Act applies to "systems operated under a contract
which are designed to accomplish an agency function."
o The provisions apply to contracts either which
provide explicitly for the operation of a system
of personal records or which could not be performed
without the establishment of such a system.
o The Act does not apply to personal records maintained
by the contractor incidental to the performance
of the contract. For example, it does not apply
to contractor personnel records of employees engaged
on the contract.
o The mere presence of Federal funds does not automati-
cally mean that the Act applies. For example,
the Federally funded State and local unemployment
compensation records are not considered to be
subject to the Act; nor are Federally funded,
State-run public assistance programs.
The General Accounting Office (GAO) has just completed
an extensive study of the effectiveness of the contractor
provisions of the Privacy Act. Final publication of
the report is expected shortly, but the highlights
of the report have already been described by GAO in
Congressional testimony. It reads in part:
In summary, the applicability of the Privacy Act
of 1974 to Federal contractors is not clearly
understood. Implementation of the subsection
of the act addressing contractors has been given
low priority by contracting agencies and by con-
tractors. This is evident from
--the sparse and sometimes unclear guidelines
issued to implement subsection 3(m);
--the low level of training given to agency
and contractor personnel to acquaint them
with the subsection;
--the acknowledgement by agency officials that
they had not included the Privacy Act clause
in many contracts where it should have been;
--The almost complete lack of monitoring by
contracting agencies to determine whether
those contractors considered subject to the
Act do, in fact, comply with its requirements;
and
--the general absence of new initiatives by
contractors obligated to meet the act's re-
quirements.
Many agency and contractor officials believe this
is not a cause for concern because:
--prior practices by contractors often already
assured the protection of personal information,
and
--in few, if any, cases have Federal contractors
violated the privacy rights of individuals.
Even so, there is a potential for harm of varying
consequences to persons involved, because some
Federal contractors handle highly sensitive and/or
commercially valuable personal information and
security practices vary extensively among con-
tractors. Moreover, while the existing legislation
perhaps could be further clarified, there is no
doubt that the Congress intended that Federal
contractors whose contracts provide for the operation
of a "systems of records" containing personal
data that, in effect replace agency systems, comply
with the Privacy Act's requirements.
Therefore, we believe the Office of Management
and Budget should direct and encourage Federal
agencies and departments to improve their effort
to comply with the subsection 3(m) of the Privacy
Act of 1974. More specifically, we believe that
OMB should:
--improve and expand its own guidelines to
assist agencies in making decisions as to
which contracts should be subject to the
Act. A clear explanation of the rationale
for coverage, and more examples, would be
useful;
--encourage the Civil Service Commission and
agencies to include better coverage of sub-
section 3(m) in Privacy Act training programs;
--review and clarify procurement regulations
to assure that contractors are aware of what
information is subject to the Act's require-
ments;
--reemphasize its existing guidance to agencies
that all contracts be reviewed for possible
applicability of the Privacy Act;
--direct agencies to acquaint contractors--
through training programs or, if appropriate,
less costly measures, such as periodic written
reminders--of the Privacy Act's requirements;
and
--require that agencies establish an appropriate
method of monitoring contractors' compliance
with the act.
The GAO findings are consistent with, although a signifi-
cant expansion of, the Privacy Commission findings
in this area.
OMB has already indicated its intention to review the
forthcoming GAO report and to provide additional guidance
to the agencies by modifying OMB Circular A-108 ("Privacy
Act Implementation") as appropriate. Action by OMB
in this regard is supported by staff of Defense, HEW,
Treasury, Justice, CIA, VA, GSA, and the Special Assistant
to the President for Consumer Affairs. The issue for
decision is whether this action is sufficient or, more
specifically, whether certain records maintained by
certain discretionary Federal grantees should also
be covered by the applicable requirements of the Privacy
Act.
The Privacy Commission found that the explicit distinction
in the Act between contractors (who are covered) and
grantees (who are not covered) is, in many cases, artifi-
cial. The Commission therefore recommended that Privacy
Act coverage be extended to all personal data systems
which met certain criteria, whether established by
the recipients of discretionary Federal grants or by
Federal government contractors. As applied to discretionary
Federal grantees, the provisions of the Act would be
subject to OMB guidelines similar to those listed above
for contractors, and also would not apply to individually
identifiable records to which the following three condi-
tions all apply: (1) records that are neither required
nor implied by the terms of the contract; (2) records
for which no representation of Federal sponsorship
or association is made; and (3) records which will
not be available to the contracting/granting agency
except for authorized audits or investigations.
The Commission included these limitations on the scope
of the recommendation so as not to place Privacy Act
requirements on all agencies of state and local governments,
universities, and private and corporate grantees which
now receive Federal funds. Instead, the Commission
advocated the general principle that "the Federal govern-
ment must assure that the basic protection of the Privacy
Act apply to records generated with Federal funds for
use by the Federal government" (i.e., regardless of
whether the vehicle was a contract or a grant). Generally
speaking, this provision would expand present coverage
to cover research grants, and would be applied in conjunc-
tion with the appropriate policy for research and statistical
records (see V.c.). Since this extension would apply
only to discretionary Federal grants, it could be implemented
without amending the Privacy Act by requiring agencies
to incorporate the appropriate parts of the Privacy
Act into their grant instruments.
Formal agency views on this issue varied considerably.
Commerce, HEW, and Defense supported administrative
extension of the Act to grantees. Justice and Treasury
opposed extension pending further study. GSA opposed
extension by Executive Order, saying instead that Congress
should consider the issue if and when it undertakes
to amend the statute. VA and CIA opposed extension.
Pro:
The Privacy Commission strongly expressed the
belief that "the Federal government must assure
that the basic protections of the Privacy Act
apply to records generated with Federal funds
for use by the Federal government." The Commission
was unable to draw a clear distinction as to why
the records created by Federal contractors should
be covered by the Act, while those created by
grantees are not. Moreover, the Commission found
that there is currently confusion over what is
a grant and what is a contract. Extension of
the Privacy Act to cover discretionary Federal
grantees would establish a consistent uniform
standard, and thus eliminate much uncertainty
of the applicability of the Act.
Con:
Extension of the Act's requirements to the recipients
of discretionary Federal grants could lead to
increased costs and administrative burdens for
grantees, burdens which will ultimately diminish
the resources available under any particular grant
which generates or uses personally identifiable
records.
Decision:
Adopt policy that applicable provisions
of the Privacy Act should apply to recipients
of certain discretionary Federal grants;
direct OMB to prepare appropriate guidance
for agencies in conjunction with its
revised guidance on the contractor pro-
visions.
Do not extend Privacy Act to grantees.
3. Should administration of the "routine use" provision
of the Act be substantially strengthened?
Under the Privacy Act, "the term 'routine use' means,
with respect to the disclosure of a record, the use
of such record for a purpose which is compatible with
the purpose for which it was collected." The Privacy
Act requires agencies to inform individuals from whom
information is collected of the purposes for which
the information will be used and their rights, benefits,
or obligations with respect to supplying that information.
The Act permits agencies to subsequently establish
new "routine uses" of the information for compatible
purposes which may not have been foreseen at the time
the system was established. All "routine uses" (those
established prior to collecting personal information
as well as those subsequently established) are subject
to public review and comment.
The Privacy Commission considered the "routine use"
provision a major weakness of the Act, and many observers
in the Congress, the agencies, and the privacy community
agree with that view. It is argued that the "routine
use" provision permits agencies far greater latitude
to disclose information than Congress actually intended,
while still allowing the agencies to uphold the letter
of the law. In the recent House debate on H.R. 13471,
the Financial Privacy Act, there was a specific colloquy
between the Democratic and Republican supporters of
the bill: (1) discussing the Privacy Act's "routine
use loophole" (emphasis added); and (2) declaring that
a particular section of the bill "closes that loophole
as it applies to financial records."
The Privacy Commission advocated a substantial tightening
of the "routine use" provision of the Act for two reasons:
(1) it believed that agencies have interpreted nearly
all external disclosures of information as "compatible
with the purpose" for which the information was originally
collected; and (2) the clause provides no standards
for internal agency disclosures. In order to correct
these problems, the Commission proposed that any "routine
uses" established also be consistent with the individual's
"reasonable expectations of use and disclosure under
which the information was provided, collected, or obtained."
This standard would enable an individual to measure
the subsequent use of his personal information against
the expectation he had when he supplied it, as opposed
to simply any technically legitimate purpose for which
the information might be employed, whatever the original
expectations of the individual. This would afford
individuals an increased measure of control over their
records.
In response, it is argued that, while such a test,
and its imposition on both external and internal agency
disclosures of information, would go a long way toward
solving the problems identified by the Commission,
it would also impose a significant burden. Further,
it could pose the risk that agency judgments might
come under legal scrutiny on the basis of the subjective
expectations of an individual at the time information
was collected, although clearly drafted notices to
the individual at the time of information collection
(already a Privacy Act requirement) would presumably
address this concern. The proposal would also eliminate
the broad, and it is argued, Congressionally intended
agency discretion over how information will be used
and disclosed internally.
Agency views vary widely on this issue. The Special
Assistant to the President for Consumer Affairs urged
revising the "routine use" provision along the lines
recommended by the Commission, stating:
Federal government privacy protections cannot
be a sham if we expect the non-Federal sector
to accept Federal legislation regarding the main-
tenance of records systems which uphold individual
privacy. Therefore, it is especially important
that the Federal government accord individuals
at least the same expectation of confidentiality
which they would be given in the non-Federal sector
(i.e., a higher standard of privacy protection
for bank records, medical records, credit records,
etc.).
Commerce, Justice, GSA, HEW, and the Office of Federal
Statistical Policy and Standards support acceptance
of the concept of revising the "routine use" standard,
but instructing staff to develop an alternative to
the Commission's approach. Justice stated that:
Since the "routine use" standard does not provide
adequate guidance, it should be revised, but the
standard for transferring information should be
no higher than requiring that transfers be made
to further legitimate law enforcement activities.
HEW suggests that:
Alternatives should include the development of
legislative proposals, so that the Congress could
provide political approval for classes of inter-
agency transfers.
Defense, Treasury, VA, and CIA support the option of
taking no action. Defense argues that the "routine
use" provision is not a major weakness of the Act,
but rather "is a positive feature of the Act which
allows agencies the flexibility necessary to implement
(the Act's) otherwise stringent requirements." Even
though Defense is opposed to any change in the "routine
use" provision of the Act, however, the Defense Privacy
Board
is advocating a policy of requiring all DOD com-
ponents to list "internal" as well as "external
routine uses" of information contained in a system
of records. This position is based on the belief
that an individual should have a right to know
where the material is being sent, both within
and outside the Department.
Finally, the President's August 31, 1978 memorandum
to the heads of executive departments and agencies
requests agency heads to initiate additional efforts
to avoid unwarranted disclosures of personal information
and strengthen internal management of personal informa-
tion. In addition, OMB is currently circulating draft
guidelines on the sharing of information between agencies
for use in "matching" programs, which will address
one segment of the "routine use" problem. OMB has
also recently taken steps to increase the circulation
of agency proposals for new and altered systems --
which include proposed "routine uses" of such information
-- thereby enhancing the opportunities for public oversight.
Given the latitude provided by the Act, the Administration
could adopt the position that the "routine use" standard
needs to be revised and that agency administration
of inter-agency and intra-agency transfers of information
should be tightened up, but not necessarily in accordance
with the standard proposed by the Commission. This
would provide affirmative Administration action on
a major concern expressed by the Commission. Options
2 and 3 below are not mutually exclusive and provide
this middle ground position. In addition to the support
already indicated for Option 2, staff of DOD, Treasury,
HEW, Justice, CIA, VA, GSA, and the Special Assistant
to the President for Consumer Affairs have indicated
support for Option 3.
Decision:
Option 1: Revise the "routine use"
standard along the lines recommended
by the Privacy Commission.
Option 2: Accept concept of revising
"routine use" standard, but direct
staff to develop alternatives to the
Commission's approach. (This option
may be selected in conjunction with
Option 3.)
Option 3: Enhance opportunities for
increased public scrutiny of agency
administration of the routine use pro-
visions and take further steps to require
agencies to tighten up on their internal
management practices -- by such actions
as: (a) follow-up by OMB on the President's
August 31, 1978 memorandum; and (b)
asking agency heads to task the individual
responsible for overseeing the agency's
administration of the Act to develop
specific plans and timetables for enhancing
the agency's administration of these
provisions of the Act (including the
conduct of appropriate training) and
assuring that the agency conducts a
responsive public involvement program
consistent with applicable law. (This
option may be selected in conjunction
with Option 2.)
Option 4: Take no action at this time.
4. Should the head of each agency be required to
designate a person responsible for overseeing
the agency's administration of the Privacy Act?
The Privacy Commission found that agencies which experi-
enced the greatest success in implementing the Privacy
Act had established formal mechanisms to deal with
its requirements. The Commission believed that a crit-
ical element in this approach was the designation of
one responsible official with authority to oversee
the Act's implementation, and the Commission therefore
recommended designation of such an official in every
agency. This official's responsibilities would include:
(1) issuing any instructions, guidelines, or standards
necessary to implement the Privacy Act; (2) assuring
the consistent application of regulations and policies
within the agency; and (3) providing for the effective
education of system managers and decision makers who
are responsible for the collection, maintenance, or
disclosure of personal information.
Current OMB policies assign agency heads responsibility
for establishing internal agency procedures and responsi-
bilities for administering the Privacy Act consistent
with guidelines issued by OMB. There are significant
variations in the procedures and responsibilities estab-
lished by various agencies; some are very structured
and centralized, whereas others are more decentralized.
Pro:
The agencies uniformly agreed with the Commission
that it would be desirable to require agencies
to designate a single person responsible for over-
seeing the administration of the Privacy Act.
The advantages to such a proposal are that it
would: (1) increase the importance, visibility,
and awareness of privacy responsibilities; (2)
facilitate communications on privacy matters;
(3) enhance implementation of central policy direc-
tion, such as OMB's proposed matching guidelines;
and (4) establish a center of expertise to assist
in training and effective implementation of the
Act. In addition, such an approach would strengthen
the basic noncentralized enforcement strategy
of the Act. This could be implemented by directing
OMB to revise OMB Circular No. A-108 accordingly.
Con:
The disadvantages of designating a single person
within each agency for overseeing the agency's
administration of the Privacy Act are that it
diminishes agency head discretion and that it
could result in agency requests for additional
staff. In addition, because of the cross-cutting
nature of privacy concerns, the establishment
of such a position could diminish responsibility
and accountability of any program and functional
managers for assuring compliance with the Act.
Decision:
Direct OMB to revise OMB Circular No.
A-108 to require the head of each agency
to designate a person responsible for
overseeing the agency's administration
of the Privacy Act.
Take no action.
5. Should agency oversight procedures for developing
new systems involving personal data be reformed?
Federal agency decision-making processes for the design
of personal data systems and the procurement of computers
and telecommunications capacity for such systems have
been severely criticized. It is argued that these
decisions too often are made at the operations level
with inadequate policy oversight and consideration
of privacy and other social values. Considerable time,
money, and effort have been spent in recent years designing
automated record-keeping systems which have subsequently
been halted in the final stages of development when
OMB, GSA, Congress, or the public have discovered a
lack of privacy considerations. In addition to the
costs incurred, this eleventh-hour delay or cancellation
of systems frequently leads to the loss of needed informa-
tion by agencies and causes frustration and lowered
morale among those who plan and develop these new systems.
The Privacy Commission considered this an extremely
important issue. In the Commission's words:
Perhaps the most significant finding in the Commission's
assessment of the Privacy Act arises from its
examination of the vehicles available for evaluating
and assessing existing record systems, new systems,
and agency practices and procedures. Quite simply,
there is no vehicle for answering the question:
"Should a particular record-keeping policy, practice,
or system exist at all?" While the Act takes
an important step in establishing a framework
by which an individual may obtain and question
the contents of his record, it does not purport
to establish ethical standards or set limits to
the collection or use of certain types of information.
Without such standards, however, the principal
threat of proliferating records systems is not
addressed. Nowhere, other than in the ineffec-
tive section requiring the preparation and review
of new system notices, does the Act address the
question of who is to decide what and how information
should be collected, and how it may be used.
To deal with this situation, the Congress and
the Executive Branch will have to take action.
A number of steps have recently been taken to address
these problems:
o As a part of the Administration's multi-year budget
initiative, OMB is requiring agencies to identify
major computer and telecommunications systems
acquisitions in the current year, the budget year,
and four years beyond the budget year. OMB will
provide this information to Congress in order
to assure earlier opportunities for Congressional
review of agency plans. This list of acquisitions
will also be provided to GSA to assist in the
performance of its procurement control functions.
o Internal OMB procedures for reviewing agencies'
FY 80 budget proposals require a review of agency
proposals for information processing activities
to assure that they are needed and meet the re-
quirements of the Privacy Act.
o A recent OMB policy issuance requires agencies
to establish (by November 24, 1978) a comprehensive
computer security program for all sensitive com-
puter applications, including those which process
personal information.
o Agencies are required to report proposals for
new or altered personal data systems to OMB and
the Congress 60 days prior to issuing data collec-
tion forms or a Request for Proposal for computer
or telecommunications systems or services.
o In order to give Members of Congress and the public
a greater opportunity to comment on these Federal agency
proposals, a summary of them is being
published by OMB in the Federal Register and mailed
directly to staff of Members of Congress who have
indicated an interest in privacy, privacy press,
and a list of private citizens and groups which
have indicated an interest in privacy.
The issue is whether or not to further reform the existing
processes for oversight of system development to assure
that even earlier consideration is given to privacy
protection and similar concerns. The options listed
below are not mutually exclusive; all or any combination
of them could be adopted.
Option 1: Assign oversight and review responsibilities
to a designated agency official.
Responsibility for reviewing proposed new systems,
or changes to existing systems, early in the planning
stages could be assigned to the designated agency
official (discussed in issue 4 above). He could
assist in new systems design by examining proposals
with regard to their impact on personal privacy.
Because this official would be responsible for
all privacy-related matters within the agency,
he would be more sensitive to these interests
than those with purely program or system develop-
ment responsibilities. The Federal agencies uni-
formly support this option. It could be accomplished
by directing OMB to revise OMB Circular No. A-
108 accordingly.
Option 2: Establish guidelines on the responsibility,
training, and appointment of system managers.
The Privacy Act requires that a "system manager"
be named for each proposed new system. Agencies
have varied widely in their interpretation of
this requirement; system managers range from senior
agency officials to computer technicians. OMB
could be directed to revise OMB Circular No.
A-108 to require, for example, that the system
manager be named at the beginning of the process
of planning the system, that he be someone with
knowledge of the system, and that he report directly
to the person running the agency program which
the system serves. In addition, agencies could
be required to develop, or augment existing, programs
for educating system managers in the broad policy
objectives of designing and operating systems
which incorporate concerns such as privacy. HEW,
GSA, and the Special Assistant to the President
for Consumer Affairs also endorse this option.
Option 3: Adopt earlier trigger mechanisms for external
oversight of agency record systems.
As now required by the Privacy Act, the "trigger"
for external oversight of a new record-keeping
system is preparation of a new system notice which
is sent to OMB and the Congress 60 days prior
to implementation of the system. By this time,
however, an agency often has spent substantial
sums designing the system and is committed to
it. This lessens the likelihood that the privacy
issues which will be raised by outside reviewers
can be readily resolved. Agencies could be required
to prepare these notices earlier in the design
stages of the system or, alternatively, to prepare
an annual agenda of the major systems under considera-
tion and forward the agenda to whatever agency
has central Executive Branch oversight authority
for review. HEW, GSA, and the Special Assistant
to the President for Consumer Affairs also endorse
this option.
Decision: (Any number of those options may be selected)
Assign oversight and review responsibilities
to the designated agency official.
Establish guidelines on the responsibility,
training, and appointment of system
managers.
Adopt earlier trigger mechanism for
external oversight of agency record
systems.
B. Federal Provision of Data-Processing and Tele-
communications Services: Electronic Funds Transfer
Issue
The Federal government, less by deliberate design than
by circumstance, has become increasingly involved in
the provision of data-processing and telecommunications
services to state and local governments and even to
private organizations. The provision of these services
by the Federal government raises a broad range of policy
questions, among them privacy issues. Moreover, these
issues are fundamentally different from the others
considered in this memorandum. They go to the structure
of government in an information society. The concern
is twofold: (1) if government itself provides tele-
communications and data-processing services for personal
information, then government will have direct and unaccountable
access to it, thereby making it significantly more
difficult to enforce whatever privacy protections the
society decides to adopt; and (2) if the private sector
is capable of providing such services, then the government
should not displace, or compete with, this private
sector activity.
This memorandum seeks decisions only in relation to
the Federal government's provision of Electronic Funds
Transfer (EFT) services. (An earlier memorandum from
the President's Reorganization Project dealt with a
similar problem concerning the FBI's operation of cer-
tain telecommunications services through NCIC.) The
specific question to be addressed here is what the
role of the Federal government should be in the operation
of EFT systems. In particular, what restrictions,
if any, should be imposed on government operation of
EFT systems, and what privacy protections should be
established in those circumstances in which government
does provide EFT services?
Discussion
The term Electronic Funds Transfer (EFT) encompasses
a number of financial services which generally involve
moving funds from one depository account to another,
without also moving pieces of paper. In order to under-
stand the privacy issues engendered by EFT, a brief
description of the paper check system and of several
EFT systems is appropriate.
When a check drawn on one bank is deposited in another
bank, the bank receiving the deposit must arrange to
have that check physically transported to the bank
on which it was drawn. In some cases, two banks will
directly exchange checks drawn on each other. Where
a number of local institutions are involved, they will
all meet at a designated time and place each day and
exchange checks. The place where they meet is called
a clearinghouse.
When the check is drawn on an out-of-town bank which
is not a member of the local clearinghouse, the bank
will frequently present the check to the Federal Reserve
System for collection. The Federal Reserve will transport
the check directly to the out-of-town bank (or to a
processing center designated by that bank). The Federal
Reserve System currently clears approximately 40% of
all checks. Although computers may be used to process
the checks, the payment instructions are still written
on paper (i.e., the check) and, hence, this form of
financial transaction can be called Paper Funds Transfer.
In Electronic Funds Transfer, by contrast, the payment
instructions that in the check system are contained
on the paper check are instead represented electronically.
The electronic message may move instantaneously from
a terminal at a merchant's checkout counter to the
customer's bank and result in the instantaneous transfer
of funds, or it may be written on a magnetic computer
tape for later posting to the appropriate account.
The critical element from a privacy standpoint is that
the payment data is contained in a machine-readable
form, and in some systems, is transmitted electronically
to a central location.
There are several forms of Electronic Funds Transfer
systems, the most important for the purposes of this
memorandum being the automated clearinghouse (ACH)
and the point-of-sale (POS) system.
Automated Clearinghouse (ACH)
An automated clearinghouse is an outgrowth historically
of the paper check clearinghouse discussed above.
Just as banks bring paper checks to a traditional clearing-
house, banks (or other depository institutions, such
as savings and loan associations, mutual savings banks,
and credit unions) that participate in an ACH bring
to it a magnetic computer tape containing payment instructions
concerning their customers' accounts. The ACH processes
these tapes, sorts the payments by receiving bank (the
bank in which the person or company receiving payment
has its account), and sends each bank a new computer
tape containing payment instructions for its accounts.
In most cases today, the tapes are transported physically,
although for transfers between ACHs and between ACHs
and participating financial institutions, systems have
been developed to transmit the data electronically
via a telecommunications link instead of manually through
the exchange of computer tapes.
An ACH payment begins when an individual signs the
paper authorizing the transaction--for example, authorizing
his employer to deposit his wages automatically, or
authorizing his insurance company to deduct insurance
premiums automatically. Following this initial written
authorization, the transfers continue to occur on a
regularly scheduled basis until the individual revokes
the authorization (or loses his job or his insurance
coverage). Because of this initial authorization process,
ACHs are currently used primarily for large, regularly
recurring payments, such as salary, social security,
annuity, insurance, or mortgage payments.
Point-of-Sale (POS)
A second example of EFT is the point-of-sale system
in which the purchaser, using a terminal that is located
at a merchant's establishment and is electronically
connected to the customer's depository institution,
transfers funds instantaneously from his depository
account to that of the merchant at the time of purchase.
Unlike ACH transactions, POS transactions are not pre-
authorized and regularly recurring. Each transaction
is individually initiated by the customer for an amount
of money that varies with the purchase, much like a
credit-card transaction. There are very few POS systems
in operation, although this is the system most people
have in mind when they think of EFT.
There are two kinds of hybrid POS/ACH systems that
are technically feasible and may be economically attrac-
tive. In the first, paper transactions which contain
qualitative information are batch processed at the ACH.
These are essentially ACH transactions which are not
preauthorized and recurring. An example would be pro-
cessing of paper originated credit card transactions.
In the second, the POS terminal at the merchant location
(or the bank computer to which the merchant terminal
was electronically linked) would record the transaction
on magnetic tape. The magnetic tape would then be
processed at the end of the day through an ACH.
Depository institutions are developing EFT systems
for a number of reasons. First, EFT transactions are
accomplished without a visit to the depository institu-
tion or the execution of a check, thus saving time
and the cost of processing slips of paper. Second,
payment is assured, thereby avoiding problems occasioned
by the reluctance of merchants to accept personal checks.
Finally, because EFT allows all depository accounts
to be subject to withdrawal on demand, like present-
day checking accounts, funds in all types of depositories--
commercial banks, savings and loan associations, mutual
savings banks, and credit unions--may be utilized.
The Privacy Commission believed that the EFT systems
that create these benefits also raise problems for
individual privacy. The sheer efficiency of electronic
recording media, as opposed to paper, dictates that
the records will become more centralized and the details
more easily retrievable for outside use than they are
today. It is far simpler to retrieve transaction informa-
tion through the use of computers than by a physical
search of paper or microfilm/microfiche records. Also,
point-of-sale services increase the potential for monitoring
an individual's movements and activities, since they
create a real-time record of his financial transactions.
Moreover, the Privacy Commission concluded from its
study of EFT that continued development will result
in the recording of more detailed information about
individuals by financial institutions than is otherwise
required, including, perhaps, items of information
not ordinarily considered payment data. For example,
accounting and administrative data, such as benefit
and tax withholding information, may eventually accompany
the strictly financial data now maintained by depositories.
The Privacy Commission felt that these threats to privacy
are greatly intensified if government operates the
systems. It observed that, as EFT systems "become
more sophisticated and documentation and surveillance
capability increases, government's operation of EFT
systems will become...an unparalleled threat to personal
privacy."
Current Law and Practice
Congress recently passed the Electronic Fund Transfer
Act that deals with a number of consumer issues in
EFT but that does not address privacy or the question
of government operation.
The Federal government is currently engaged in widespread,
and growing, use of electronic funds transfer to make
government payments for salaries, pensions, revenue
sharing, and the like. One of the nation's major currently
operating EFT systems, the ACHs discussed above, is
operated by a Federal agency, the Federal Reserve Board,
which provides this service both for the Department
of the Treasury and for private sector institutions.
If, for example, a private employer wishes to use EFT
to pay its employees, or to receive payments from its
customers, the payment information flows through the
Federal Reserve. Government payments are still the
great majority of all ACH transactions, but the share
initiated by the private sector is growing.
There are now 32 ACHs in operation: one run primarily
by the private sector, 31 by the Federal Reserve.
The Federal Reserve recently decided to link these
ACHs through a Federal Reserve-run telecommunications
system, so that information flowing between ACHs will
move electronically through a government telecommunications
system.
At present, the Federal government does not process
point-of-sale (POS) transactions. However, as POS
systems (and other EFT systems, such as telephone bill
paying) increase and penetrate new markets, the natural
progression may be for ACHs to clear these transactions
as well. It is this information which the Privacy
Commission believed could form the raw material for
piecing together personal profiles of individuals.
Because ACHs are today operated by the Federal government,
whereas POS systems are not, and because the two systems
arguably raise different privacy concerns, they are
discussed separately below. In addition, because the
Coordinating Committee believes that it is important
to consider economic and antitrust considerations,
as well as privacy concerns, in deciding the issue
of government operation, these latter concerns are
also addressed here.
Privacy Considerations in Continued Federal Reserve ACH
Operation
Automated clearinghouses do not today collect or transmit
enough data on individuals to permit a significant
infringement on personal privacy. The payments now being
transmitted by ACHs are primarily recurring payments such
as salary, insurance, and mortgage payments, plus payments
such as revenue sharing that do not involve an individual's
account. Furthermore, the Federal Reserve is currently
taking affirmative action to increase protection for the
privacy of transaction data processed by the automated
clearinghouses that it operates.
In addition, it is argued that the Federal Reserve's sixty-
year history of handling paper checks and electronic transfers
of Federal funds, as well as its more recent operation of
ACHs, has shown no abuse of the information as a result
of Federal Reserve operation.
It is also the case that the Federal government can, without
legislation, restrict private sector access to ACH informa-
tion maintained by the Federal Reserve. If the private
sector ran ACHs, legislation creating privacy protections
would be needed.
Finally, it has been suggested that the requirements of
the Bank Secrecy Act (which requires that banks collect
and report to the government information on certain financial
transactions) may make private sector operation of ACHs
a greater threat to privacy.
In opposition to government operation of ACHs, it is argued
that a government operated and subsidized system makes it
less likely that private sector alternatives will develop,
leading to a greater concentration of financial information
than would otherwise occur. Further, "government as operator"
is in a conflict of interest with "government as regulator,"
making it less likely in the future that necessary but
possibly inconvenient privacy protections will be imposed
on the developing EFT systems. Finally, the Privacy Commission
concluded that the organizational structure for EFT is
developing so rapidly that unless a decision to limit govern-
ment operation is taken now, "the inertia of economic cir-
cumstance may destroy the policy choice, leaving the Federal
Reserve as the basic provider of service."
The critical privacy question concerning ACHs is whether
the ACHs will, in time, become the hub of other types
of EFT systems. If ACHs become the switch through which
POS transactions are routed, then government operation
of ACHs presents much more serious privacy concerns than
do present government ACH activities. Two matters suggest
that this might occur. First, the Federal Reserve has
discussed with interested parties the possibility of
clearing or settling payments originated at off-line
POS terminals through the Federal Reserve's automated
clearing facilities. (POS systems are described below.)
And, one ACH has recently undertaken to commission a
feasibility study on having that ACH operate as a switch
for automated teller machines (devices located either
in the walls of a bank or in places such as shopping
centers, and at which a customer can make deposits, withdraw
cash, transfer funds from his savings account to his
checking account or vice-versa, and in some systems pay
certain kinds of bills).
In addition, a number of financial institutions are investi-
gating using ACHs to clear payments for telephone bill
payment systems. And, one bank is now clearing Master
Charge and Visa bankcard payments through a Federal Reserve
operated ACH. Thus, the distinction between ACH payments
as regularly recurring, and POS payments as episodic
and individually initiated, is rapidly breaking down. This
is an example of the first hybrid POS/ACH system discussed
above. The privacy concern raised is that the Federal
Reserve will now have access to POS-type information
without the cost or complexity of existing electronic
communication to the actual point-of-sale.
Second, the Federal Reserve is now connecting the ACHs
through its telecommunications network. This provides
a national telecommunications link for effecting interregional
ACH payments and enhances, to some observers, the attrac-
tiveness of using ACHs to provide on-line EFT services.
The difficulty with predicting the role of ACHs in anything
other than the very short term is that the organizational,
technological, and legal structures of EFT are still
fluid.
Economic Considerations in Continued Federal Reserve
ACH Operations
To date, private sector depositories have not provided
ACH services without the Federal Reserve's operational
assistance. The Federal Reserve System has operated
a funds transfer network since 1918, over which trans-
actions in Federal Funds, U.S. government securities,
and settlements between commercial banks are effected.
More recently, as commercial banks have experimented
with the exchange of payments on magnetic tape, rather
than by paper check, the Federal Reserve has performed
clearing and settlement services for these payments similar
to those it does for payments made by paper check. (The
Federal Reserve today clears about 40% of all checks.)
The Federal Reserve has shared ACH research and development
costs with the private sector, and operates 31 of the
32 ACHs. It can be argued that only Federal Reserve
operation permits nationwide availability of ACH services
at this time. Thus, significant dislocation in the
operation of this payments mechanism may result should
government participation be constrained.
A second concern is that the U.S. Treasury has determined
that the cost of disbursement could be lowered by con-
verting government payments from check to magnetic tape.
The Federal Reserve, as the Treasury's fiscal agent,
distributes these payments along with the paper check
payments that it has traditionally distributed for the
Treasury. Thus, regardless of whether or not alternative
private systems develop, the Federal government will
continue to provide these services for its own payments.
It is argued by some that since the marginal additional
cost to the Federal government of also providing these
services to commercial banks is minimal, government should
continue to do so at this time.
It is also argued that government provision of ACH services
makes it more likely that all types of depositing institutions
will have equitable access to ACHs (commercial
banks have on occasion attempted to restrict the ability
of savings and loans and credit unions to join ACH
associations).
Those opposing Federal Reserve involvement are concerned
that competitive and potentially more innovative private
systems are prevented from developing so long as the
Federal Reserve provides this service at no additional
cost to member banks. The Federal Reserve has announced
its intention to begin separately pricing and charging
for its ACH services, but has not yet been able to develop
a satisfactory pricing scheme. Critics assert that,
without the need to seek a profit, the Federal Reserve
will not be as responsive to the needs of consumers,
merchants, and institutions that are involved with ACHs
as a private firm would be. They point to the recent
innovations in the newly competitive telecommunications
common carrier industry to support that thesis.
Privacy Considerations in Government Operated POS or
POS/ACH Systems
The Federal government has no plans to operate a pure
POS system.
However, if government were to provide these services,
there are several respects in which government might
provide greater privacy safeguards than private operation.
First, the Department of the Treasury, which issues regula-
tions under the Bank Secrecy Act, suggests that government
may not be subject to the Bank Secrecy Act and may therefore
be able to destroy information which privately-operated
EFT systems would be required by the Act to maintain.
Second, government has no marketing incentive to distribute
POS developed information.
It is argued against government operation that point-
of-sale systems may collect, transmit, and store suffi-
ciently detailed information on an individual's behavior
to allow the creation of a detailed portrait of his
activities and beliefs. (This is also true for the hybrid
POS/ACH systems discussed above.) Allowing government
to operate POS switching or clearing facilities could,
in a mature EFT system, put a government agency at the
heart of a data-communications system containing detailed
personal information on the citizens using the POS systems.
In addition, POS systems that operate on-line and in
real-time can be used as a means of learning instantaneously
the location and activity of someone the moment he uses
his EFT card. The Privacy Commission argued that a govern-
ment agency is more likely than a private sector organization
to cooperate with another agency's request for surveillance.
The Commission noted that, in the past, the government
has used the data contained in IRS files (which the Commission
believed are not as rich in personal information as would
be the files of a mature EFT system) for harassment
and political advantage.
Finally, it is suggested that government operation of
a nationwide system may encourage centralization, thus
making the information more easily retrievable.
Economic Considerations in Government Operated POS
or POS/ACH Systems
With ACHs already in place, a technical and organizational
infrastructure has been established that could allow
the development of ACH clearing of batched POS transactions
at minimal extra cost. In addition, if the Federal Reserve
were to handle the same percentage of EFT transactions
that it now handles of checks (40%), there might be
significant economies of scale resulting in cheaper
service.
However, by contrast to ACHs, there are numerous private
sector POS systems operating. There is no private sector
drive to have the Federal Reserve operate POS systems,
and Federal involvement does not seem needed to spur
the growth of this new payment system. Instead, government
operation might drive existing POS systems from the market
and discourage the pursuit of experimentation with different
types of systems.
Areas of Agreement Regarding EFT Systems
There is agreement that privacy protections for EFT should
include, in addition to the provisions generally applicable
to depository institutions, the following:
Non-government and Government Operated Systems:
1. Individually identifiable account information
generated in the provision of EFT services
should be retained only in the account records
of the financial institution and other parties
to a transaction, except that it may be retained
by the EFT service provider to the extent,
and for the limited period of time, that such
information is essential to fulfill the operational
requirements of the service provider;
2. Procedures should be established so that an
individual can promptly correct inaccuracies
in transactions or account records generated
by an EFT system, so as to provide protections
for EFT systems comparable to those provided
by the Fair Credit Billing Act for credit-
card systems.
Government Operated Systems:
(Note: these are recommendations of the National Commission
on Electronic Fund Transfers.)
1. Any government agency providing EFT services
should follow privacy rules and procedures
that are at least as restrictive as those of
private sector EFT system operators; and
2. Access by other government agencies to records
of EFT transactions in the temporary possession
of a government EFT service provider should
be governed by rules and procedures that are
at least as restrictive as those for access
to EFT records maintained by private sector
financial institutions.
The Federal Reserve Board is drafting guidelines for
all member banks that will allow disclosure of EFT infor-
mation only pursuant to court order. In addition, the
Federal Reserve, effective November 6, will destroy all
personally identifiable ACH information after 60 days.
Dollar amount and bank identifier information will be
destroyed after one year. Thus, it will be possible
to reconstruct an individual's payment history, but only
by going to his bank, as at present.
Issue for Decision
1. Should the Federal government withdraw from, or
restrict its operations of EFT services for the
private sector?
Option 1: Do not limit government operation of EFT for
the private sector at this time.
Support: Federal Reserve -- There is no evidence indicating
that continued Federal Reserve participation
in an electronic payments mechanism is a threat
to privacy.
U.S. Postal Service
Central Intelligence Agency -- Supports without
restriction of "at this time" because it believes
that government operation is the most economically
efficient way to operate and because it feels
that government operation poses no threat to
privacy.
Department of the Treasury -- Privacy problems
will not be solved by restricting government
operation of EFT services. In fact, govern-
ment operation may pose fewer threats to privacy
because government is not subject to the Bank
Secrecy Act. In addition, there is no reason
to restrict Federal provision of POS services
until there is an actual proposal to evaluate.
In any case, a decision on restriction of
Federally provided EFT services cannot be made
on privacy grounds alone.
Option 2: Provide that no government entity be allowed
to own, operate, or otherwise manage any part
of an electronic payments mechanism that involves
transactions among private parties.
Support: Privacy Commission
Department of Justice -- Believes that Federal
agencies should not provide services that preempt
competitive private sector EFT development.
Option 3: Allow government operation of automated clearinghouses
(ACHs), but not, at present or in the
foreseeable future, of point-of-sale (POS)
switching and clearing facilities (including
hybrid POS/ACH), except for the provision of
net settlement among depository institutions.
Support: National Commission on Electronic Fund
Transfers--Based its recommendation primarily
on economic considerations.*
National Credit Union Administration *
Department of Commerce
Special Assistant to the President for
Consumer Affairs
Decision:
Do not limit government operation of EFT
for the private sector at this time.
* These groups have not spoken to the issue of hybrid POS/ACH.
Provide that no government entity be allowed
to own, operate, or otherwise manage any
part of an electronic payments mechanism
that involves transactions among private
parties.
Allow government operation of automated
clearinghouses (ACHs), but not, at present
or in the foreseeable future, of point-
of-sale switching and clearing facilities,
(including hybrid POS/ACH), except for
the provision of net settlement among
depository institutions.
V. Other Issues
A. The Use of Truth Verification Devices in Employment
Issue
Truth verification devices are used to try to determine
whether or not someone is telling the truth by examining
changes in a person's physical characteristics thought
to be beyond his voluntary control. The question
is whether there should be a Federal law to forbid
a private sector employer from using the polygraph
or other truth verification devices (e.g., the Psychological
Stress Evaluator) to gather information from an applicant
or employee. This issue does not address the use of
these devices in Federal government employment (where
use is prohibited by Civil Service Commission regulations)
or in the law enforcement context, since the courts
now deal with these questions by determining the admissibility
of polygraph tests as evidence in criminal trials.
Current Law and Practice
Civil Service Commission regulations prohibit the use
of polygraph and other truth verification devices in
Federal employment. Where their use in private employment
has been regulated, regulation has been by the states.
A few states ban their use entirely; most either only
license their operators or do not regulate them at
all. Senator Bayh has introduced S. 1843 to prohibit
the use of these devices for private employment purposes.
Hearings have been held.
Employers currently use truth verification devices
in two contexts. First, some employers administer
tests when an individual applies for employment, and
on a regular schedule to current employees. Second,
the devices are sometimes used to gather evidence about
employees suspected of illegal activity on the job.
In 1974, about 300,000 private-sector employees were
tested.
Issue for Decision
1. Should Federal law prohibit the use of polygraph
and other truth verification devices in employment?
Option 1: Prohibit the use of polygraph and other truth
verification devices in private sector employment.
This is the Privacy Commission proposal, and is
supported by the Departments of Labor and Justice,
and the Special Assistant to the President for
Consumer Affairs. Objections to the use of truth
verification devices go to their inherent intrusiveness,
and to their effect of depriving an individual
of control over divulging information about himself
since he generally must submit to the test or
lose his job. Unions have alleged that these
devices are used more to frighten employees than
to get information. Moreover, there is some question
as to the reliability of these devices. In the
main, truth verification devices are not considered
sufficiently reliable for the results obtained
by their use to be admissible in court. In response
to these concerns, many major employers have ceased
to use them.
Option 2: Prohibit routine use of polygraph tests for
job applicants and employees, but not for
use to gather evidence about employees suspected
of illegal activity on the job.
The Department of Commerce and the Treasury Department
support this option. This would preclude the use
of polygraph tests during the hiring process and
as a routine requirement for all employees, but
would still allow use of these devices in the
investigation of specific incidents of suspected
fraud, theft or other illegal activities.
Option 3: Oppose Federal legislation.
Opposition to a prohibition on the use of polygraph
and other truth verification devices comes from
private business, particularly the retail industry.
They argue that a prohibition on polygraph and
other truth verification devices will increase
the cost of employee theft and fraud, and that
this cost will be passed directly to the consumer
and society. In addition, it is argued that the
impact will fall most heavily on smaller businesses
which are at a competitive disadvantage in absorbing
these costs.
The Department of Defense also opposes Federal
legislation prohibiting the use of polygraph in
private sector employment. While recognizing
that the current proposal does not address the
use of these devices in Federal employment, DOD
is concerned that, if adopted, the proposal may
later be so extended in law. The polygraph is
currently used for pre-employment screening within
components of the Department of Defense, such
as the National Security Agency (NSA), dealing
with highly sensitive intelligence matters. The
Department asserts that a prohibition on the use
of polygraph might cause significant damage to
the highly sensitive national intelligence mission
of NSA.
Decision:
Prohibit the use of polygraph and other
truth verification devices in employment.
Prohibit routine use of polygraph tests
for job applicants and employees, but
not for use to gather evidence about
employees suspected of illegal activity
on the job.
Oppose Federal legislation.
B. Standard Personal Identifier
Issue
It is a common perception that when a government assigns
a number to each of its citizens it can then track
an individual through every aspect of his life. It
is an equally common belief that the absence of a unique
and standard personal identifier would make such a
task more difficult. The continuing advancements in
computer technology have served to magnify such concerns.
Finally, many individuals see the general use of the
Social Security Account Number (SSAN) as a real threat
to their personal privacy; indeed, such usage has become
a symbol for many privacy problems.
Discussion
The Privacy Commission, following a detailed study
of the use of SSAN, concluded, as have most other groups
studying the problem, that a Standard Personal Identifier
system is less a problem than it appears to be. The
Commission further concluded that the real problem
is the exchange of information among record systems.
A Standard Personal Identifier would facilitate such
exchanges. However, the absence of a Standard Personal
Identifier does not significantly hamper this
flow of information.
Modern technology has already sidestepped the need
for a single, unique number which identifies individuals.
With nothing more than name, birthdate, birthplace,
and address, it is possible to accurately identify
an individual or his record. As a result, most observers
agree that the more appropriate method for dealing
with this problem is to develop safeguards and protections
against the unrestricted flow of personal information,
generally along the lines suggested by the Commission
and the agencies.
Any statement of Administration privacy policy must,
however, remain sensitive to the public concern over
the Standard Personal Identifier issue. It must also
be adopted with the understanding that the privacy
problems encountered with the Standard Personal Identifier
are inherently without solution. This is because,
in the privacy context, the strength of a Standard
Personal Identifier is also its weakness.
The use of a Standard Personal Identifier certainly
facilitates the exchange and consolidation of records
or information about an individual. By the same token,
however, it also ensures accurate personal and record
identification in all instances and serves to minimize
errors in the transfer of information and documents
both inside and outside an organization. Without the
accuracy a Standard Personal Identifier supplies, an
individual might be denied a right, benefit, or opportunity
to which he would otherwise be entitled. The time
required to gain access to information is significantly
reduced, which increases organizational efficiency
and decreases costs to the taxpayer or consumer. The
Commission concluded that accurate personal and record
identification are an essential component of fairness
in record keeping.
The aspects of a Standard Personal Identifier system
which allow these benefits to flow give rise to serious
concern among members of the public, however. The
same records management systems which are aided by
the Standard Personal Identifier in the exchange and
consolidation of all personal information about an
individual can be manipulated to produce the identical
result for illegal or improper purposes. Certainly,
information held by one record holder should not in
all instances be made available or accessible to another
decision-making record holder. And yet, the Standard
Personal Identifier would facilitate and, some would
argue, encourage just this type of information "swapping"
between record holders.
Finally, there is opposition to use of the SSAN, or
any Standard Personal Identifier, on the grounds that
it tends to dehumanize people, reducing them to their
SSAN, or whatever other number is assigned. While
the depth of this feeling is undeniable, it is not
clear that there are any real policy choices to deal
with it. Removal of all the account numbers that people
possess in today's society is simply not a realistic
option.
Current Law and Practice
Section 7 of the Privacy Act of 1974, P.L. 93-579,
was intended to control the use of the SSAN as a form
of Standard Personal Identifier. That section makes
it unlawful for any Federal, state, or local governmental
agency to deny an individual any right, benefit, or
privilege based upon his refusal to disclose his SSAN.
Such prohibition, however, does not apply in those
instances where disclosure is required by Federal statute
or where the requirement existed prior to January 1,
1975. Further, any agency requesting such disclosure
must inform the individual whether his disclosure is
mandatory or voluntary, the authority under which
solicitation is made, and the uses that will be made
of the SSAN.
In the Federal sector, the impact of this section has
been limited by Executive Order 9397, which was promul-
gated in 1943 and which instructs agencies to use the
SSAN when establishing new systems of account numbers.
This order has been interpreted as constituting a
requirement in existence prior to January 1, 1975,
and, consequently, as continuing authority for the
use of the SSAN in new record systems. A further limita-
tion on the proscriptions outlined in Section 7 of
the Privacy Act is to be found in the Tax Reform Act
of 1976. In that statute, any state or political
subdivision thereof is authorized to require disclosure
of the SSAN and to rely on it as a personal identifier
in the administration of any tax, general public assistance,
driver's license, or motor vehicle registration law.
As a consequence of Executive Order 9397 and the Tax
Reform Act, the already widespread use of the SSAN
as a standard identifier in the government sector is not
significantly limited.
Use of the SSAN in the private sector is somewhat more
limited. This is partially due to the fact that most
large commercial organizations assign their own particular
number to each individual's account or record. It
is also due to the ability of modern computer systems,
as discussed above, to accurately identify an individual
or his record without placing reliance on a particular
number. As an example, one large credit information
organization with over 50 million records in its system
routinely identifies individual records based on nothing
more than name, address, and date and place of birth.
Areas of Agreement
The Commission and the agencies, with the exception
of the Treasury Department, agree on the following
points concerning privacy protections for a Standard
Personal Identifier:
a) the Federal Government should do nothing
to foster the development of a Standard
Personal Identifier until it has addressed
the underlying issue, which is controlling
the disclosure and exchange of recorded
information; and
b) the limits currently placed by Section 7
of the Privacy Act on the use by Federal,
state, and local government agencies of the
Social Security Account Number as an identifier
should not be increased.
Areas of Disagreement
1. Should Executive Order 9397 (a 1943 order directing
Federal agencies to use the Social Security Account
Number when establishing a new system of permanent
account numbers) be amended so that Federal agencies
may not, as of January 1, 1977, rely on it as
legal authority by which to create new demands
for the disclosure of an individual's Social Security
Account Number (SSAN)?
Pro: The Commission believed that use by some agencies
of E.O. 9397 as legal authority for requiring
disclosure of the SSAN undercuts the intent of
the Privacy Act's Section 7. The Commission
believed that Section 7's exemptions were intended
to apply only where an agency has specific legal
authority to require disclosure of the SSAN, and
not when it has an authority of general applicability
such as E.O. 9397.
In order to minimize disruption, the Commission
recommended that agencies that had relied on E.O.
9397 as authority to require disclosure of the
SSAN before January 1, 1977, should be allowed
to continue to do so.
Con: The agencies uniformly oppose this recommendation
as being disruptive and of little benefit at this
stage. In the Department of Defense, for example,
virtually all computerized records are indexed
on the basis of SSAN.
A prohibition on the future use of the SSAN would
require the maintenance of separate, and different,
indexing programs, with questionable beneficial
results.
The agencies opposing the recommendation include
the Departments of Commerce, Defense, State,
Treasury, Justice, HEW, the CIA, and the Veterans
Administration, the Civil Service Commission,
and the Office of Science and Technology Policy.
Decision:
Yes, amend E.O. 9397 so that Federal
agencies may not, as of January 1, 1977,
rely on it as legal authority by which
to create new demands for the disclosure
of an individual's Social Security Account
Number.
No, do not amend E.O. 9397.
C. Statistical and Research Studies
Issue
In the Privacy Commission's view, the use of personal
records for statistical and research studies required
a careful balancing of the individual's interest in
personal privacy with society's need for knowledge.
First, unlike the other uses of records addressed in
this memorandum, research and statistical activities
generally do not lead to an immediate or direct benefit
for, or an adverse effect on, the individual subject.
While the researcher may ask for the individual's
participation or for information about him, society
as a whole, rather than the individual, is the ultimate
beneficiary.
Second, research and statistical studies rely heavily
on the voluntary cooperation of research subjects in
providing accurate information. As an inducement to
candor, research subjects are generally given a promise
of confidentiality or anonymity before being asked
to provide information. However, as discussed below,
with few exceptions present laws do not explicitly
protect these records when they are sought by a govern-
ment agency or others. A related problem is the ethical
and legal question as to the appropriate action by
a researcher who learns from a respondent of a possible
intention to commit a crime, or a confession of a serious
past one.
Finally, statistical and research studies increasingly
rely upon the availability of records and data bases
maintained by third-party record keepers, both govern-
ment and non-government. With few exceptions, statutory
protections are not established for the individual
whose records are disclosed for such a purpose.
The issues discussed in this memorandum deal only with
personal information. There are important statistical
programs, such as those administered by the Bureau
of Labor Statistics, Bureau of Census, and others,
which ask for information from business respondents,
typically on a voluntary basis. The question of protecting
the confidentiality of statistical and research reports
obtained from businesses which do not contain individually
identifiable information on individuals is a separate
issue which has to be examined on its own merit and
is not considered further in the present memorandum.
Current Law and Practice
Certain Federal laws protect from compelled disclosure
a limited number of statistical and research records
collected for specific purposes. For example, all
records collected by the Bureau of the Census under
the authority of Title 13, U.S.C., are protected from
disclosure in individually identifiable form. Also,
HEW may authorize researchers engaged in mental health
or alcohol or drug abuse research to withhold names
or identifying characteristics of data subjects, and
this immunity covers them in any Federal, state, or
local civil, criminal, administrative, legislative
or other proceeding (42 U.S.C. 4582). However, such
specific protections do not cover most statistical
collections, nor most cases where research is conducted
using records with confidential information about the
record subject. Moreover, some Federal statutes are
drawn to facilitate the exchange of data so that it
may be used for both administrative and research purposes,
thereby eliminating redundant collection (Federal Reports
Act).
In interviews or direct requests to gain access to
personal records, statistical collection agencies and
researchers generally give assurances that the information
will be held in confidence, and ordinarily strive to
preserve that confidentiality. Yet, at present, apart
from a few existing legal safeguards illustrated above,
even the most well-meaning researcher or statistical
agency may be forced to disclose information under
court order or subpoena, lest he pay the personal conse-
quences of violating that order. And, increasingly
both private and public organizations are seeking access
to "confidential" research data. Should researchers
and statisticians not be in a legally defensible position
to protect the confidentiality of individually identifiable
records, they could not promise confidentiality or
anonymity and this could have major adverse implications
for the accuracy of the data obtained. On the other
hand, an absolute prohibition against all disclosures
may create situations where important information is
withheld from law enforcement, which may also act to
society's detriment.
Discussion
A policy addressing the use of personal records for
research and statistical studies should set out two
fundamental standards: first, the rules governing
when a statistical agency or researcher may have access
to personal records that were not collected for such
purposes; and second, the rules governing when records
collected for statistical or research purposes may
be used for other purposes.
Area of agreement
Access by statistical agencies and researchers to personal
records collected for purposes other than statistical
or research studies.
The Commission's judgment, strongly supported by the
agencies, is that for socially desirable research and
statistical studies to continue, laws should be passed,
or amended, to permit and regulate access by researchers
to medical, educational and social service records
(the records most often used in these studies) and
access by statistical agencies and designated units
to these and other administrative or regulatory records
as necessary to carry out their respective statistical
mandates. It is agreed that statistical agencies and
researchers must at times be allowed access to these
records in individually identifiable form even without
the direct consent or knowledge of the subject individual.
It is also agreed that, to protect the record subject,
the institution maintaining the records should conduct
a responsible review of each research protocol and
enter into a written agreement with the researchers
assuring that the privacy of the individual will be
protected. These laws would apply to Federally maintained
records generated with Federal funds for use by the
Federal government. Recommendations 7, 8, 9 and 12
of Chapter 15 of the Final Report of the Privacy Commission
apply.
Area of disagreement
Access to research and statistical records for non-
research purposes.
The Privacy Commission recommended that there be a
clearly defined boundary between the use of personal
information for research and statistical purposes and
its use for administrative or other purposes. The
principle of functional separation, it is argued,
follows from the principle of informed consent, i.e.,
that information is provided to statistical and research
studies by or about individuals with a promise of
confidentiality. Therefore, the principle of "functional
separation" would mean that research and statistical
records, collected under a promise of confidentiality,
could never be used in any way to make a decision about
or take an action against the subject individual.
Analogous considerations apply to files created explicitly
for statistical or research purposes but derived from
administrative files. However, departments or agencies
should decide prior to the establishment of new record
systems whether they are to be used solely for research
and statistical purposes--in which case, but only in
that case, they could promise the confidentiality of
identifiable individual records on the basis of "functional
separation" established by statute. When records are
collected for mixed statistical and administrative
purposes, they should not qualify as statistical or
research records under the principle of "functional
separation."
For example, in applying the principle of functional
separation, personal records collected for research
on drug abuse with the promise of confidentiality could
not be disclosed to a narcotics officer for criminal
prosecution or used administratively to determine support
payments while the individual was undergoing withdrawal
therapy. Yet, at the same time, records collected
for the purpose of administering a drug abuse program,
but also used for research purposes, would not be covered
by the principle of "functional separation."
The Commission did not, however, recommend that research
and statistical records be totally immune from disclosure
subject to court order. The principle of "functional
separation" would allow for disclosures needed: 1)
to prevent imminent physical injury to the data subject;
2) where there is an alleged violation of law by the
researcher or institution; or 3) for auditing the particular
statistical or research program. The principle would
apply to research and statistical records generated
with Federal funds for use by the Federal government.
The question for decision, therefore, is:
1. Should there be a Federal statute establishing
a policy of "functional separation," such that no personal
information collected or maintained for a research
or statistical purpose may be used or disclosed in
individually identifiable form so as to allow any decision,
or to facilitate the taking of any action, directly
affecting the individual to whom the record pertains?
Pro:
This, the Commission's proposal, is supported with
some modifications by the Department of Commerce, DHEW,
Defense, the Department of Labor, the National Archives
and Records Service, Office of Science and Technology
Policy, Special Assistant to the President for Consumer
Affairs. Justice, while concerned about the administrative
burden of separate systems, "supports the principle
that whenever information was obtained pursuant to
a promise of confidentiality then these conditions
must be followed." Veterans Administration supports
the principle so long as the agency can designate the
files to which it applies--which it could do prior
to the collection. The Commission's proposal is also
strongly supported by the statistical and research
community. All believe that a standard of confidentiality,
such as is established with "functional separation,"
is essential to ensure the continuing integrity of
research and statistical studies. They fear that research
subjects will not voluntarily participate in these
studies in the future or, even worse, not provide accurate
information if researchers or statisticians cannot
promise confidentiality of identifiable individual
records, particularly since it is society as a whole,
not the individual research subjects, that benefits
from their participation. However, researchers and
statisticians cannot make that promise if no strict
legal standard of confidentiality exists protecting
the data subjects from use of the information to affect
them adversely. To allow an exception for access to
these records for law enforcement purposes, however
legitimate, would, they argue, effectively undermine
the entire approach. They also argue that access to
statistical or research records for administrative
or law enforcement purposes, would, at best, be of
temporary benefit to the latter activities since, if
the integrity of statistical records is seen by the
responding public to be compromised, the ability to
collect these records would be jeopardized.
Con:
Some law enforcement agencies, including the Department
of Treasury and the CIA, oppose the Commission's proposal
in the belief that data collected by a government agency
for use in research and statistical studies should
be available to that agency for other purposes needed
to accomplish its mission, and to any second agency
which has the legal authority and the need to collect
the information. They believe that this access for
non-research purposes should not be contingent on the
consent of the individuals concerned, even if the data
were originally collected under a promise of confidentiality
or anonymity. The particular concern is for successful
law enforcement.
Furthermore, the Treasury Department is particularly
concerned over the creation of a statutory rule prohibiting
a researcher from voluntarily disclosing the unintended
acquisition of an indication that someone planned to
commit a violent act. Treasury believes that even
if it is necessary to provide protection against the
power of someone (law enforcement agency or private
litigant) to compel the production of information from
a statistical agency or researcher, it should be possible
to accommodate a principle which allows statistical
agencies or researchers to voluntarily release information
in order to prevent the commission of a crime of violence.
Some agencies believe that it will be very difficult
and perhaps costly to classify records for either "research
and statistical purposes" or for "administrative use"
when they are frequently used for both purposes. In
this connection it is to be noted, however, that the
Privacy Commission recommends the identification of
records as being for "research and statistical purposes"
only where the objective is the developing and reporting
of aggregate or anonymous information not intended
to be used, in whole or in part, for making a decision
about an individual that is not an integral part of
the particular research project." Thus a file intended
to be used for making decisions about particular individuals,
even though it might also be used for statistical and
research purposes, would not qualify as a set of statistical
or research records under the principle of "functional
separation." In such circumstances of intended mixed
use of records no promise of confidentiality would
be made to the individual or third party supplying
the information.
Decision
Yes, there should be such a policy of
"functional separation" for research
and statistical records.
No, there should not be such a policy.
Related Issues
The following issues will eventually need to be resolved
if a policy of functional separation for research and
statistical records is adopted:
o Whether additional mechanisms for the authorization
and/or monitoring of inter-agency transfers
of research and statistical information will
have to be developed to insure the confidentiality
of information when maintained by the receiving
agency; and
o Whether legislation establishing a policy
of functional separation should allow researchers
and statistical agencies to voluntarily disclose
research or statistical information indicating
the possibility of a future crime of violence,
provided that the subject of the record has
been notified of this possibility prior to
the collection. Thus, the legislation could
allow two different types of promises of
confidentiality and corresponding legal safeguards:
absolute confidentiality, qualified only
by court ordered investigations directed
at the collecting agency or researcher; and
confidentiality qualified also to exclude
cases involving imminent physical danger
to another person. This is proposed by the
Department of the Treasury.
D. Coverage of the Wiretap Statute
The statute that prohibits most wiretapping defines
wiretapping as the "aural" acquisition of communications.
This definition arguably does not cover the digital
transmission of conversations or data.
Some argue that this definition should be revised so
that digital transmissions are clearly covered. However,
as noted in Section I.B above, this memorandum deals
only with information privacy, excluding matters such
as wiretapping and other forms of electronic surveillance
to the extent they do not involve the information
practices of a record keeper. The Privacy Commission
did not address the issue of wiretapping and most agencies
have not yet taken positions.
However, the Congress had before it in the last session,
H.R. 214, the "Bill of Rights Procedures Act", that
contained in Title III provisions strengthening the
current legal prohibitions on wiretaps.
Title III would amend the current prohibition on the
"aural acquisition" of "wire or oral" communications
by deleting the word "aural", so as to prohibit the
interception of data communications.
The Department of Justice supports this expansion of
the coverage of the wiretap statutes, but believes
that the proposed modification may sweep so broadly
as to prohibit use of any kind of device to examine
toll records, and proscribe use of a mechanical filing
system to retrieve information previously sent by wire.
The Department of Justice is now preparing draft language
to the wiretapping statute that would ensure the coverage
of non-aural communications, without suffering the
problem of overbreadth.
Finally, Title III would require communication common
carriers to notify their employees prior to listening
in to employee conversations with customers as part
of "supervisory monitoring". The Department of Justice
has suggested permitting "supervisory observing" interceptions
only to the extent that interceptions are permitted
by an agreement between a communication common carrier
and its employees.
VI. Allocation of Federal Privacy Responsibilities
Issue
A variety of personal privacy protections have been
created by Federal law, and this memorandum has discussed
possible areas of new privacy protections. In addition,
there are questions of whether the Federal government
should undertake certain administrative functions relating
to the protection of privacy in the Federal and non-
Federal sectors, as well as what organization should
be responsible for carrying out each of the functions
deemed necessary.
Discussion
The Privacy Commission concluded that the existing
Federal administrative structure for overseeing Federal
agencies' collection and disclosure of information
and for implementing the Privacy Act is inadequate.
As discussed earlier, each agency is responsible for
its own implementation of Privacy Act responsibilities.
OMB is tasked in the Act with providing oversight and
guidance regarding the Act's implementation, although
it has no authority to enforce any guidance or interpre-
tation it may provide. In practice, the agencies
generally follow OMB's guidance, absent some compelling
agency interest to the contrary. Critics of OMB's
performance contend that it has been less active and
less effective in the privacy area than it might have
been, although OMB believes that "criticism of (its)
oversight role may stem from a lack of visibility and
understanding of how OMB is carrying out its responsibili-
ties." OMB has also been limited in its role by personnel
constraints--OMB allocates 0.8 person year to continuing
oversight of the Privacy Act--and by Congress' rejection
of a centralized enforcement approach in the Privacy
Act.
The Commission found that some agencies regard privacy
concerns either as an afterthought or as an impediment
to their substantive program missions. Within an agency,
the unit with privacy responsibility is often under
pressure to decide favorably to, and in accordance
with, the program needs of the agency. There have
been cases of differing interpretations of the Act's
requirements within agencies which have no central
privacy coordinator. Moreover, there is no office
which monitors, reviews, and coordinates Privacy Act
compliance at the Federal level for all of the agencies.
The Commission also observed that there are some issues
that individual agencies cannot, and in certain cases
should not, resolve on their own. The most obvious
of these is the question of whether a particular type
of record-keeping system should exist at all; another
is whether particular transfers of records among agencies
are desirable; and still another is whether certain
types of information should be considered public informa-
tion. The Commission believed that such questions
require independent policy judgments, often on a govern-
mentwide rather than an agency-by-agency basis, and
thus should be addressed by a unit with government-
wide privacy oversight authority.
Of equal importance, the pressures to fulfill primary
program functions tend to lead agencies to design informa-
tion systems with regard only to program objectives
and not privacy or similar social concerns. Such a
narrow focus for system design and development often
short-changes the rights and interests of individual
citizens. In addition, failure to consider questions
such as privacy, and incorporate appropriate protections,
at the design stage of a system can lead to substantial
waste; development of systems has been stopped after
considerable investment when Congress and others have
discovered a lack of consideration for individual rights
in the system design. Internal agency processes which
could help alleviate part of this problem were identified
in Part IV. In addition, a credible, politically account-
able central oversight unit would enable the Federal
government to take effective and fiscally prudent advantage
of new information technologies.
Additionally, there are a number of Federal laws covering
portions of the non-Federal sector which affect personal
privacy. The Family Educational Rights and Privacy
Act gives a single agency (HEW) enforcement responsibility.
Other statutes, like the Fair Credit Reporting Act,
the Fair Credit Billing Act, and the Equal Credit Opportunity
Act, place primary enforcement responsibility with
one agency, the FTC, but give authority to other agencies
on a selective basis (e.g., the Comptroller of the
Currency has enforcement authority for national banks
and the Federal Reserve Board for member non-national
banks). Finally, the Equal Credit Opportunity Act
gives rulemaking authority to one agency (FRB) and
enforcement authority to another (FTC). While most
of the laws allow an individual to take legal action
to protect himself, no agency has overall responsibility
to develop privacy policy or monitor and evaluate activity
outside the Federal sector. If a privacy policy is
adopted for the private sector, the variety and number
of Federal regulatory and enforcement agencies which
would be involved suggested to the Commission the need
for a central Federal entity which could assist and
direct the development of a uniform approach.
Three additional considerations common to both Federal
and non-Federal privacy policy, combined with those
previously discussed, led the Privacy Commission to
urge creation of a new and independent Federal organization.
First, the Commission, itself limited to a two-year
life by statute, saw a need for some body which would
be able to respond on a continuing basis to the unforeseen
consequences of the growth of information technology
and to suggest any needed executive and legislative
action. Second, the absence of a forum for continued
study and evolution of new policy responses--whether
or not technology pushed the issue to the fore--was
viewed as a serious weakness of the current system.
Finally, the Commission strongly believed that there
was a need for a central organization to which an individual
could turn for non-regulatory and non-enforcement assist-
ance, whether his problem was caused by a Federal agency
or by a private organization. The entity could advise
the individual, but enforcement authority would remain
in existing agencies.
In the legislative discussions that preceded the passage
of the Privacy Act, a great deal of discussion was
devoted to the establishment of a central authority.
The Congress rejected such a notion on the grounds
that it would tend to diminish the accountability of
agency heads. There was also a fear that a centralized
rulemaking or "licensing" authority could unduly interfere
with the operation of program activities by unilaterally
imposing heavy procedural requirements. The Congress,
with the concurrence of the previous Administration,
concluded that each agency head should be made responsible
for overseeing the implementation of privacy policy
within his agency and that a regulatory function was
not justified, appropriate, or desirable. These concerns
are still alive in the Congress, which has given a
mixed reception to the Commission proposal for the
creation of an independent entity with privacy responsi-
bilities. In some quarters, the concept is endorsed,
either as a separate organization or as part of a larger
agency dedicated to individual rights concerns. The
response of a few critical committees (particularly
in the House) has been, at best, unenthusiastic.
A majority of the executive agencies oppose the idea
of an independent agency. Most agencies, however,
agree that there are additional functions dealing with
privacy which should be undertaken by the Executive
Branch. Although there was not unanimity, most agencies
agreed on the specific functions to be performed, as
discussed below. There was, however, no agreement
on the agency or agencies which should discharge these
functions.
Issues for Decision
Two basic questions require decision. First, what
additional privacy-related functions should be undertaken
by the Executive Branch? Second, what organization(s)
should be responsible for carrying out those functions?
Proposed Functions
1. Should oversight of Federal agencies' records
management practices for personal information
(including implementation of the Privacy Act;
collection of information; and design, development,
and operation of record systems) be substantially
strengthened by designating a high-level unit
with authority to issue binding decisions, regulations,
or interpretations implementing the Privacy
Act?
Pro:
These decisions, regulations, and interpretations
would deal not only with procedural matters but
also with the determination of what information
must be made available to individuals or the public
at large in the context of the privacy exemption
to the Freedom of Information Act, although in
no instance would it be directed or suggested
that information about an individual be withheld
from individuals.
This proposal is supported by the Privacy Commission's
findings on the ineffectiveness of current oversight
of the Privacy Act and the need to increase agency
accountability to solve problems which cannot
or should not be resolved by a single agency and
to ensure more effective application of the Act.
Such a central oversight function would address
the need for early and adequate review of proposals
for the development of new systems to assure that
privacy and other social implications have been
fully accommodated in the system design. (Additional
supporting arguments for this proposal, which
is endorsed by GSA and the Office of the Special
Assistant to the President for Consumer Affairs,
have been made earlier in this section and in
Section IV. A).
Con:
The Departments of Commerce, Justice, the Treasury,
HEW, and Defense, the Veterans Administration,
the CIA, and the staff of the Federal Reserve
Board, oppose establishing a centralized Privacy
Act oversight function with authority to issue
binding decisions. Arguments against establishing
such a function begin with the observation that
it is a major departure from the concept of agency
autonomy in the original Privacy Act. Concern
is also expressed that sufficient experience has
not been acquired to validate the need for this
new function.
A danger of overlap of responsibility between
an organization exercising this new authority
and existing agencies is also foreseen. It is
pointed out that creation of such general oversight
responsibility would weaken the responsibility
and consequent diligence of Federal agencies.
It is recommended instead that the status quo
be retained, with OMB giving policy guidance to
the agencies and resolving interagency disputes.
Decision:
Create such authority.
No.
2. (a) Should the Federal government monitor and
evaluate information privacy practices in
the non-Federal sector?
(b) Should a government function be designated
to provide expert advice and assistance to
the President and the agencies on privacy
matters, including the privacy implications
of proposed statutes and regulations; new
or revised record systems; and agencies'
information collection practices?
(c) Should authority and resources be designated
for conducting ongoing studies of privacy
questions, particularly in regard to the
consequences of the growth of information
technologies in both the public and private
sectors?
The Congress and most observers have concluded that
privacy is a "permanent" public policy issue which
will not be resolved by this or any other single initia-
tive. Continuing advances in computer and telecommunica-
tions technology alone will continue to precipitate
changes in the concentrations and flows of personal
information in American society which will result in
privacy protection problems. The Federal government
will be under increasing pressure to attend to the
privacy issue, and to do so will require consistent
and continuing policy responses. Thus far, a principal
difficulty in developing a coherent Federal privacy
policy has been the lack of a stable body with expertise
and authority to advise the President and the Congress.
In the past five years, three organizations with respon-
sibility for considering privacy problems have been
created and then disbanded: The HEW Advisory Committee,
the Domestic Council Committee on the Right of Privacy,
and the Privacy Commission. In addition, there have
been numerous other, more narrowly focused, Federal
activities. Expense and duplication of effort have
been great. Policy development would be more cost-
effective, and arguably better, if permanent and adequately
staffed responsibility in this area were given to one
organization.
Furthermore, as the Privacy Commission and other observers
have noted, oversight of agency activity to ensure
that it conforms with existing policies is not enough.
Most oversight, for example, is necessarily triggered
by agency requests for funding to develop or procure
new systems. The pace of technological change, particularly
the rapid decrease in the cost of hardware and of systems
development, will soon make such an oversight process
obsolete. Sophisticated computer and telecommunications
systems will no longer cost millions or even hundreds
of thousands of dollars, and agencies will be able
to meet their computer and telecommunications needs
for a price which will make budget-triggered review
impracticable. Additionally, the proliferation of
low-cost home and office computer systems, and their
consequent interconnection to large systems and data
bases, raises a host of privacy-related questions,
even the outlines of which are still unclear. In order
to effectively develop and apply privacy policy, respon-
sibility needs to be established for the consideration
of new technological developments and the policy responses
which will be needed.
There is clear agency consensus on subsections (b)
and (c). All of the nine agencies responding, except
HEW, support (b) and (c) above. Treasury takes no
position on (c), but supports (b).
Subsection (a) is also supported by most of the agencies
responding (Department of Commerce, Office of Science
and Technology Policy, Office of the Special Assistant
to the President for Consumer Affairs, CIA, Veterans
Administration, and the staff of the Federal Reserve
Board) which note that such responsibility can logically
be shared by agencies with existing mandates in the
appropriate private sector area. For example, the
Department of Labor believes that it can perform an
important function in connection with employment records.
Additionally, some private sector organizations favor
some form of monitoring of their voluntary compliance
so that they can be assured that their efforts will
be considered and evaluated before any legislative
efforts are undertaken. Subsection (a) is opposed
by HEW and by the Department of Justice, which fears
that this monitoring function would be too great an
intrusion on the autonomy of state and local governments.
(Note: the term "non-Federal" includes private sector
organizations, and quasi-public organizations, such
as medical or educational institutions; it does not
include state and local government agencies.)
International considerations also support establishment
of these three functions. The United States is unlikely,
in the near future, to establish a privacy-related
regulatory authority for the public and private sectors,
as is the trend in other countries. Representatives
of the international community recognize this, but
they still would prefer one focal point to which they
could take their concerns on privacy-related issues.
In view of these international concerns, the State
Department supports "the establishment within the
Executive Branch of an office to provide guidance and
oversight functions with regard to U.S. privacy policy
and legislation." State does not, however, support
the establishment of a new bureaucracy to handle privacy
issues.
HEW, which opposes these three functions, supports
a fourth--a research and development program to investigate
the potential for privacy protection offered by
advanced technology. HEW believes that, for example,
computer-communications technology has potential applica-
tion in such areas as recording of disclosures, improving
security and integrity, and facilitating an individual's
access to his records.
Decision:
Establish these three functions.
No.
3. Should authority be established for a government
entity to participate in Federal administrative
proceedings of other agencies materially affecting
personal privacy, including the presentation of
testimony and other evidence but not including
any right to seek, or participate in, judicial
review of agency actions?
Such a function would help ensure continued and systematic
attention to privacy concerns throughout the regulatory
and decision-making structure of government. In addition,
it would give a legitimate and presumably effective
voice to concerns which are currently usually ignored.
The Federal Trade Commission, which supports this option,
would go further and give the entity the right to intervene
in and seek judicial review of agency actions affecting
privacy. It believes that the need for this entity,
which might be modeled in part on the oft-proposed
consumer protection agency, is demonstrated by the
FTC's experience under the Fair Credit Reporting Act.
For example, the FTC is: (1) currently attempting
to persuade the Department of Justice to restrict prosecutors
from seeking consumer reports through use of grand
jury subpoenas which are issued in blank by the clerk
of the court and signed by a Federal or state prosecutor;
(2) attempting to persuade the Civil Aeronautics Board
to impose Fair Credit Reporting Act protections on
a proposed joint agreement between member airlines
for the exchange of information concerning consumers
who are alleged to have dishonored checks; and (3)
investigating a large Federal credit grantor's apparent
failure to comply with the Fair Credit Reporting Act
and the Equal Credit Opportunity Act's requirements
with respect to providing reasons for denial. The
FTC believes that these examples are indicative of
the need for creation of an advocate-oversight respon-
sibility somewhere within the Federal government. Moreover,
the FTC believes that responsibility would best be
placed in an entity which itself has no substantial
interest in obtaining information about individuals
(other than in connection with an investigation of
the record keeper). The Special Assistant to the
President for Consumer Affairs also endorses this proposal.
Most executive agencies, including the Departments
of Justice, the Treasury, HEW, Commerce, and Defense,
the Veterans Administration, the CIA, and the staff
of the Federal Reserve Board, as well as corporate
interests, oppose the grant of this authority. They
believe it would only burden an already overburdened
process. In addition, they feel that the responsibility
for ensuring proper attention to privacy concerns should
remain with each agency. They also note that, with
increased access to administrative proceedings by a
wide variety of public interest groups, such authority
may not be necessary. Finally, a number of agencies
argue that consideration of this issue should be deferred
until agencies have more experience dealing with the
Privacy Act.
Decision:
Yes, there should be an agency with
authority to fulfill this responsibility.
No.
4. Should individuals be able to obtain government
assistance with regard to privacy-related problems
of concern to them, particularly regarding the
information collection practices of specific agencies
or organizations?
Such a "complaint" function would not provide any authority
to correct problems. It would simply establish a single
place to which individuals could bring their concerns
or to which they could go in order to discover the
appropriate channels for redress of grievances. In
addition, this function would permit the organization
exercising it to bring systematic patterns of complaint
to the proper forum for attention, be it an agency,
the President, or Congress.
A priority for this unit would be to consider the
propriety of information which Federal agencies collect.
The Privacy Act of 1974, while admonishing agencies
to maintain only such information "as is relevant and
necessary," provided no opportunity for challenging
the general collection practices of an agency. The
Act permits only limited challenge, through its access
and correction provisions. In addition, this challenge
mechanism operates after the fact; there is no way
for an individual to dispute collection before it occurs.
Finally, even if an individual successfully challenges
the existence of a specific item of information in
his record, the removal of that item from his record
would have no effect on either the continued collection
of such items by an agency or their continued existence
in other persons' records.
Most of the executive departments endorse the idea
of providing a mechanism for challenge, but only the
Office of the Special Assistant to the President for
Consumer Affairs wishes to see any new authority at
this time. The Departments of Commerce, Justice, the
Treasury, HEW, Defense, the CIA, and the Veterans
Administration would prefer, in general, to rely on
their own judgments, and believe that an individual
should bring his grievance directly to the concerned
agency. In addition, OMB already has some authority
to review the propriety of agency collection practices
under Section 3506 of Title 44, although admittedly,
Section 3506 incorporates no standards of review, nor
does it facilitate individual challenges to agency
collection.
Private sector organizations also oppose this proposal
because they believe that it would encourage unnecessary
complaints and dissatisfaction to be expressed. In
addition, this proposal would probably demand considerable
resources of staff and money without a tangible benefit
to the government in return. Finally, it might frustrate
individuals who would find the unit unable to actually
solve their problems.
Decision:
Establish such a mechanism.
No.
Assignment of Privacy Functions
5. To what organization(s) should the above new functions
be delegated?
If any new or augmented functions are created, the
question of where they should be lodged remains. The
functions established could be allotted among existing
agencies, or to a new organization. The Privacy Commission
recommended a new entity within the Executive Branch.
The Commission argued that no existing agency has a
mandate to carry out privacy functions. It concluded
that a new organization is needed because existing
agencies have competing interests and responsibilities
which would make it very difficult for them to carry
out the proposed functions even-handedly. Furthermore,
some of the functions to be performed call for a consideration
of competing interests between agencies.
All agencies recommend against creating such a new
organization. They contend that existing agencies
could perform both private and public sector functions.
OMB currently exercises responsibility for the Privacy
Act and its role could be continued and extended.
The Commerce Department's National Telecommunications
and Information Administration (NTIA) is a focal point
for privacy policy work. (It provided the staff support
for this Presidential Review Memorandum.) Other agencies,
such as Justice, Labor, and HEW, are also working in
the privacy area.
To the extent that the agencies recommend designations
of authorities, many agencies suggest that more than
one agency have responsibility in these areas, depending
on which of the functions described in Issues VI. 1,
2, 3, and 4 is involved. The most common themes seem
to be that NTIA is seen as the appropriate place for
dealing with non-Federal privacy issues, the Department
of Justice is suggested as appropriate for making certain
legal judgments concerning the Privacy Act, and OMB
is favored for dealing with many Federal agency privacy
problems, particularly those involving implementing
the Privacy Act. But there is no unanimity on any
of these points.
Decision:
Create a new privacy organization with
appropriate resources.
Divide functions between existing agencies,
with appropriate resources, as set out
below:
A. Strengthened Oversight of Federal
Agencies as described in Issue
1 (if the decision is made to create
the function).
With the exception of GSA and Special
Assistant to the President for
Consumer Affairs, responding agencies
opposed strengthening oversight
of Federal record management practices.
However, if oversight authority
is augmented, the agencies are
divided in their recommendations
as to the existing agencies that
should be assigned these new functions.
As to oversight of Federal
agencies (Issue VI. 1), a strengthened
OMB is seen by the Departments
of Defense and HEW, the Veterans
Administration, and Special Assistant
to the President for Consumer Affairs,
as a logical locus, particularly
to provide oversight and coordination
for the Privacy Act. The Department
of Justice is favored by the staff
of the Federal Reserve Board and
is regarded by the Treasury Department
as the place to which interagency
problems of a technical nature
could be referred. The Veterans
Administration views Justice as
the appropriate source for legal
opinions regarding the Privacy
Act. The CIA recommends the Department
of Commerce's National Telecommunications
and Information Administration
(NTIA) as the logical focal point
for oversight of Federal agency
practices. The General Services
Administration recommends its National
Archives and Records Service (NARS)
as the logical agency to oversee
Federal agencies' records management
practices for personal information,
because NARS already has
oversight responsibility for records
management programs under the Federal
Records Act of 1950. The Justice
Department supports a division
of responsibility among OMB, GSA,
and Justice.
Commerce (NTIA)
GSA
Justice
OMB
(other)
B. Development of Privacy Policy,
including advice to the President,
agencies, and Congress (no regulatory
authority) as described in Issues
2, 3, and 4 (depending upon which
options are selected).
The agencies are divided regarding
which agency should have responsibility
for development of privacy policy,
including advice to the President,
agencies, and Congress, monitoring
and evaluating information privacy
practices in the non-Federal sector,
and the other responsibilities
set out in Issues VI. 2, 3, and
4.
The Department of Commerce's NTIA
is supported by the Departments
of Defense and Commerce, the Veterans
Administration (for non-Federal
agency privacy matters), the CIA,
and the Office of the Special
Assistant to the President for
Consumer Affairs. OMB is suggested
by the Departments of Justice,
the Treasury, HEW, and the Veterans
Administration. The Department
of Justice also supports GSA and
itself. The VA also supports the
Justice Department.
Commerce (NTIA)
Justice
OMB
(other)