MEMO TO PRIVACY POLICY COORDINATING COMMITTEE FROM HENRY GELLER

Document Number (FOIA) /ESDN (CREST): CIA-RDP81-00142R000700030005-0
Release Decision: RIPPUB
Original Classification: K
Document Page Count: 216
Document Creation Date: December 14, 2016
Document Release Date: September 27, 2002
Sequence Number: 5
Publication Date: July 21, 1978
Content Type: MF
Approved For Release 2003/04/17 : CIA-RDP81-00142R000700030005-0

PRESIDENTIAL PRIVACY INITIATIVE
July 21, 1978
DRAFT

UNITED STATES DEPARTMENT OF COMMERCE
National Telecommunications and Information Administration
Washington, D.C. 20230

July 21, 1978

TO: PRIVACY POLICY COORDINATING COMMITTEE
FROM: HENRY GELLER (Assistant Secretary of Commerce for Communications and Information)
RICK NEUSTADT (Assistant Director, Domestic Policy Staff)

We are submitting the Response Memorandum for this study. This Memorandum is based on the report of the Privacy Protection Study Commission and on the agencies' reactions, as indicated in the reports of the six task forces. The Memorandum was prepared by the Privacy Initiative staff at the National Telecommunications and Information Administration, Department of Commerce, under the direction of Arthur Bushkin.

This Memorandum needs your review and discussion before a decision memo can go to the President. We would like your written comments on these questions:

(1) Does this paper inaccurately state your position on any issue?
(2) Do you have any serious objections to any of the items reported as "areas of agreement"? (Silence will be taken as indicating agreement.)
(3) For each issue of concern to you in the "areas of disagreement" or "issues for decision" sections, which option do you recommend (including an option that has not been listed, if appropriate)?
(4) Should any privacy issues be addressed which are not currently discussed?
(5) Which issues appear amenable to resolution through further interagency coordination, without need for Presidential decision?
(6) Which issues do you believe require Presidential decision?

The comments should be submitted by August 14.
(We have set this deadline because the agencies have already studied the issues in preparing the task force reports, so further extensive study should not be necessary.) Please send one copy to Rick Neustadt (Room 208, Old Executive Office Building, Washington, DC 20500) and five copies to Art Bushkin (Room 706, 1800 G Street, NW, Washington, DC 20504; tel. 395-3122).

This Memorandum presents preliminary, tentative views and is circulated only for discussion purposes. No part of it -- including the items labelled "areas of agreement" -- purports to state the Administration's position. Please do not circulate this Memorandum outside of your agency.

cc: other interested agencies.

Presidential Privacy Initiative
July 21, 1978
Draft

In July, 1977, the Privacy Protection Study Commission delivered its final report to the President and the Congress. The Administration's response to that report has been coordinated under the Domestic Policy Review System. A Cabinet-level Coordinating Committee was established, and the Commission's report divided into six areas and assigned to task groups for analysis and response. This document distills the task group reports.

While alternatives to the Commission's recommendations were considered, this effort was fundamentally a response to the Commission's report. It was not an independent analysis of the privacy problem.

The Presidential decision package is currently planned to have two parts:

1. a brief Presidential Review Memorandum highlighting the issues for Presidential decision; and
2. a supporting document containing a more complete discussion of the issues and options.

This document is the latter.

This particular draft is part of a deliberative policy-making process and is an internal government working paper. It is not intended for public release.
It has not been reviewed by the agencies to verify that their positions are accurately represented, and it does not represent the policy of the Administration.

A. Structure of this Document
B. Information Privacy
C. Statement of the Problem
D. Legislative History
E. The Privacy Protection Study Commission
F. Current Activity
G. The Elements of a Privacy Policy
   1. Notification of Information Collection Practices
   2. Propriety and Relevance of Information Collected
   4. Correction and Amendment of Records
   6. Accuracy, Timeliness, and Completeness of Records
   7. Confidentiality and Disclosure of Information
   8. Implementation

II. Non-Federal Records
   A. Introduction
   B. Consumer Credit Industry
   C. Commercial Credit Industry
   D. Depository Institutions
   E. Insurance Industry
   F. Employment Records
   G. Medical Records
   H. Education Records
   I. Public Assistance and Social Service Records
   J. Telephone Toll Records

III. Government Access to Personal Records Held by Third Parties

IV. Federal Record-Keeping
   A. The Privacy Act of 1974
   B. Federal Provision of Data-Processing and Telecommunications Services: Electronic Funds Transfer

V. Other Issues
   A. The Use of Truth Verification Devices in Employment
   B. Standard Personal Identifier
   C. Research and Statistical Studies
   D. Coverage of the Wiretap Statute

VI. Allocation of Federal Privacy Responsibilities

Appendix - Compilation of Decisions

This document is divided into six parts. The first is a detailed introduction and the last five present a number of basic privacy policy issues for decision. In most cases, the issues can be decided as if they were independent of one another in that a particular decision on one issue need not force a related decision on another issue. As Section I.G. suggests, however, a comprehensive privacy policy is usually understood to have certain essential elements.

Part I provides the historical background and analytical framework for the document, and sets out the basic elements of a privacy policy. These elements, such as an individual's right to see and copy the records maintained about him, and to have a means of challenging records he thinks are inaccurate, are offered as the basis for an Administration privacy policy.

The privacy policy under consideration is not meant to apply to all records or record-keeping relationships. Specific decisions concerning the way these elements might be applied to specific kinds of organizations are set out in Parts II through VI. The subsequent discussion includes specific limits on scope and coverage. No inferences should be drawn regarding extension of any policy beyond the areas presented below.

Part II contains a description of nine different industries or types of records for which the Privacy Protection Study Commission recommended privacy protections. Following the description of each industry are the decisions, including a discussion of the various options, concerning application of the basic privacy policy to that industry.

Part III deals with government access to records maintained by the private sector and by state and local governments. It primarily concerns access by law enforcement and regulatory agencies.
Part IV discusses two areas concerning Federal record-keeping activity. The first is revision of the Privacy Act of 1974, and the second deals with government operation of electronic funds transfer services for private sector organizations.

Part V contains three cross-cutting topics: the use of truth verification devices, such as lie detectors; the establishment of a standard personal identifier; and the protections necessary to allow use of Federally maintained or financed records about individuals for research and statistical purposes.

Part VI deals with the establishment of new or expanded privacy-related functions to be performed by the Federal government.

Finally, the Appendix lists seriatim all of the decisions that have been presented throughout the document.

B. Information Privacy

This memorandum presents the policy choices underlying a potential Administration position on privacy. The use of the term "privacy" in this context, however, is somewhat ambiguous. A more appropriate phrase would be record-keeping privacy or, as it is more commonly called, information privacy, for what is being discussed is the collection, maintenance, use, and dissemination of information about people.

The term "privacy," as it applies to recorded information, does not mean simply "confidentiality," "secrecy," or "limits to disclosure." In this context, "privacy" or "information privacy" also embodies notions of fairness, or more precisely, fair information practice. Indeed, privacy statutes of the type discussed herein are often called fair information practice statutes. (In other countries, they are called data protection statutes.)
While no precise definitions of "privacy," "fairness," or "fair information practice" exist, these concepts are generally understood in this context to mean providing individuals with procedural rights and mechanisms by which they may hold record-keeping organizations accountable for their record-keeping practices. One such procedural right, or fair information practice protection, for example, is that individuals be able to see and obtain a copy of the information about them which is maintained by a record-keeping organization.

The goal of these individual rights is often described as giving the individual some measure of control over information about himself, although the term "control" is obviously too strong a concept. In fact, information privacy also recognizes an organization's interest in the content of a record and tries to capitalize on that interest in establishing protections for the individual.

Basically, information privacy is an emerging body of procedural law, with only a few instances of substantive standards (e.g., the Privacy Act's prohibitions on the collection of information relating to an individual's exercise of his First Amendment rights).

The developing body of law in the area of information privacy is only loosely related to other, more conventional aspects of privacy law. The common law tort of privacy invasion is generally divided into four categories:

(1) intrusion upon an individual's physical solitude or seclusion;
(2) public disclosure of private facts about an individual;
(3) publicity which places an individual in a false light in the public eye; and
(4) appropriation of an individual's name or likeness.

By and large, the courts have refused to apply any of these four categories where organizational record-keeping practices have been at issue, and this is one major reason why new public policy is needed.
Generally speaking, the first and second categories relate most closely to information privacy. The remedies, however, of the tort theory center around the collection of damages after an injury. Information privacy, on the other hand, attempts to establish, through a system of checks and balances, an environment in which the chance of injury occurring is minimized. Moreover, information privacy establishes a broader set of individual rights and organizational responsibilities in that it focuses not just on the disclosure of information, but on an organization's collection, maintenance, and use of information as well.

For the remainder of this memorandum, unless otherwise noted, the term "privacy" will be used to mean only "information privacy." This excludes other, more conventional privacy issues, such as surveillance, wiretapping, sexual freedom, and intrusions into the home, except to the extent that they relate to a record keeper's information practices.

The privacy legislation to date, most of which has been fairly recent, represents a varied and sometimes inconsistent attempt to address a problem the precise nature of which is still emerging. Over the past decade, there has been an increasing awareness that the misuse of recorded information could be the source of harm or unfairness to individuals. More recently has come the realization that the well-intentioned use of recorded information could also have undesirable consequences. Furthermore, while recorded information increasingly mediates relationships between people and organizations, individuals have less and less control over these records.
And contributing to this trend has been the explosion of information technology, particularly in computers and telecommunications, which not only magnifies the problems of manual systems, but also introduces some new problems as well (e.g., the accumulation of personal information in electronic funds transfer systems).

American life has changed dramatically in this century, particularly in the last three decades. Most Americans now do at least some of their buying on credit, and most have some form of life, health, property, or liability insurance. Institutionalized medical care is almost universally available. Government social services programs now reach deep into the population, as do government licensing of occupations and professions, Federal taxation of individuals, and government regulation of business and labor union affairs. Today, the government regulates and supports large areas of economic and social life through some of the nation's largest bureaucratic organizations, many of which deal directly with individuals.

A significant consequence of this marked change in the variety and concentration of institutional relationships with individuals is that record keeping about individuals now affects almost everyone. People have their credit-worthiness evaluated on the basis of recorded information in the files of one or more organizations. The same is true for those seeking insurance, medical care, employment, education, and social services. Each of these relationships requires the individual to divulge information about himself, and usually leads to some evaluation of him based on personal information that some other record keeper has compiled.

In short, we live, inescapably, in an "information society," and few of us have the option of avoiding relationships with record-keeping organizations.
To do so is to forego not only credit but also insurance, employment, medical care, education, and all forms of government services to individuals.

The increased use of computers in such record-keeping activities tends to eliminate the pattern of informal protections for the privacy of personal information which existed when it took a great deal of time and cost a good bit of money to process or retrieve recorded information. Furthermore, the growing availability and decreasing cost of computer and telecommunications technologies provide both the impetus and means to perform new record-keeping functions. And the pace of technological development will only accelerate this trend in the future.

Coupled with this disappearance of the informal protections which promoted the proper use and confidentiality of recorded personal information, is the fact that formal, legal protections for personal records are in many cases nonexistent. When our existing legal structure was developed, most information of an intimate or revealing nature, such as financial records, was in the exclusive control and possession of the individual. Thus, the laws protecting personal information, like the Fourth and Fifth Amendments to the Constitution, were designed to protect information in the actual possession of the citizen.

Today, a good deal of an individual's personal information is relinquished to organizations, governments included, which demand it in order to provide essential services; however, little legal protection has been extended to these records. As a result, the individual lacks protections against others obtaining and using financial, medical, and similar personal data about him.
In addition, in this age of giant organizations, the individual does not possess the bargaining power in the marketplace to fashion protections for how organizations will use and disclose his records.

At the same time, the citizen has lost the reality of his constitutional protections against the biggest organization of all--government. That intimate personal information that the Fourth and Fifth Amendments were designed to protect is open to largely unaccountable government examination and is even demanded, as a matter of course, by the government from record keepers on whole classes of citizens.

The Privacy Protection Study Commission concluded that since so much of an individual's life is now shaped by his relationships with organizations, his interest in the records organizations keep about him is obvious and compelling. The Commission further concluded that, if the individual's interest is to be protected, public policy must focus on five systemic features of personal-data record keeping in America today.

1. While an organization makes and keeps records about individuals to facilitate relationships with those individuals, it also makes and keeps records about individuals for other purposes, such as documenting the record-keeping organization's own actions, thus making it possible for other organizations--government agencies, for example--to monitor the actions of individuals.
2. There is an accelerating trend, most obvious in the credit and financial areas, toward the accumulation in records of more and more personal details about an individual.
3. More and more records about an individual are collected, maintained, and disclosed by organizations with which the individual has no direct relationship but whose records help to shape his life.
4. Most record-keeping organizations consult the records of other organizations to verify the information they obtain from an individual and thus pay as much or more attention to what other organizations report about the individual than they pay to what he reports about himself; and
5. Neither law nor technology now gives an individual the tools he needs to protect his legitimate interests in the records organizations keep about him.

The significance of this view of the problem is that it focuses on systemic characteristics of our society rather than on specific record-keeping abuses. This was a major policy decision of the Privacy Commission, and it is a view shared by many who are familiar with the trends in both record keeping and the law.

The view that societal trends rather than specific abuses are the driving force for action draws attention to the fact that the forces which are undermining personal privacy often operate slowly and subtly. The Commission concluded, for example, that the problems perceived by the Congress at the time of the Privacy Act's passage have turned out to be more complex than anticipated, and by and large they are independent of the problem of premeditated abuse... The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable. (Commission emphasis)

Thus, the Privacy Commission and other experts warn that we are faced with a slow but steady erosion of privacy which, if left unreversed, will take us in another generation to a position where the extent of our human rights and the vitality of our democracy will be jeopardized.

This view is not, of course, universally shared.
Organizations which might be covered by privacy protection point to the "lack of documented abuse." One problem is that abuses in this area are often difficult to document, although numerous abuses have been documented by the Commission and various legislative bodies. The basic public policy choice, however, is whether the measures described herein are, or should be, directed at specific abuses or whether the trend of affairs is such that the proposed protections are required as a result of a fundamental value choice about the nature of our society.

Interestingly, many private sector organizations that oppose privacy protection legislation do so on the basis of cost or opposition to government regulation. Yet, these same organizations are often quite willing to implement privacy safeguards, usually along the lines suggested by the Privacy Commission, on a voluntary basis. There is, in short, a broader consensus on the nature of the problem (i.e., that the role of the individual needs to be strengthened vis-a-vis law, technology, and record keeping) than there is on the nature of the proposed solution, although even this is slowly changing in the year since the Commission's report was published.

Finally, any attempt to resolve the privacy problem must balance the goals of privacy protection with other significant competing public interests. If they are to operate effectively, business, government, and other institutions have legitimate needs to collect, use, and disclose information about individuals. If the concern for privacy were taken as an absolute, the ability of government, for example, and particularly law enforcement, to perform its required duties could be severely constrained.

Other less tangible values may also conflict with the objective of personal privacy -- or at least the way one chooses to go about preserving it.
Beginning with the First Amendment protections of freedom of speech and freedom of the press and continuing with the more recent drives for open government, our society has continuously affirmed its concern for the free flow of information. To the extent that privacy protections involve restraints on the free flow of information about individuals, the values of privacy and the values of free speech have to be carefully balanced. Equally important are concerns about too great an intrusion by government into private affairs in order to preserve what many view essentially as private interests -- particularly when the greatest actual and potential offender against rights of privacy has been the government itself.

Thus, the choices in the area of privacy are generally not between "good" and "evil," but between legitimate, though competing, public interests.

D. Legislative History

Privacy protections have a long history in this country, emanating from the Fourth Amendment's prohibition of unreasonable searches and seizures. In recent years, a fairly consistent body of information privacy principles has appeared in a number of Federal statutes and in the reports of several Federal study commissions. These principles had their beginning in the "Code of Fair Information Practices" contained in the 1973 report of the DHEW Secretary's Committee on Automated Personal Data Systems, and had their fullest and most explicit legislative expression as the eight principles of the Privacy Act of 1974:

(1) There shall be no personal-data record-keeping system whose very existence is secret and there shall be a policy of openness about an organization's personal-data record-keeping policies, practices, and systems. (The Openness Principle)

(2) An individual about whom information is maintained by a record-keeping organization in individually identifiable form shall have a right to see and copy that information. (The Individual Access Principle)

(3) An individual about whom information is maintained by a record-keeping organization shall have a right to correct or amend the substance of that information. (The Individual Participation Principle)

(4) There shall be limits on the types of information an organization may collect about an individual, as well as certain requirements with respect to the manner in which it collects such information. (The Collection Limitation Principle)

(5) There shall be limits on the internal uses of information about an individual within a record-keeping organization. (The Use Limitation Principle)

(6) There shall be limits on the external disclosures of information about an individual a record-keeping organization may make. (The Disclosure Limitation Principle)

(7) A record-keeping organization shall bear an affirmative responsibility for establishing reasonable and proper information management policies and practices which assure that its collection, maintenance, use, and dissemination of information about an individual is necessary and lawful and that the information itself is current and accurate. (The Information Management Principle)

(8) A record-keeping organization shall be accountable for its personal-data record-keeping policies, practices, and systems. (The Accountability Principle)

Some or all of these principles are applied, in different forms, to specific kinds of records, record keepers, and record-keeping practices by a number of Federal statutes. Including the Privacy Act, the foremost of these statutes are:

a. Freedom of Information Act--Enacted in 1966 and amended in 1974, this statute requires the disclosure, subject to certain exceptions, of substantive and policy information maintained by Federal agencies to any person. As a result of this right of access, individuals are also able to obtain access to records about themselves, and thus, to a limited extent, this act and the more recent Privacy Act of 1974 overlap.

b. Privacy Act of 1974--Enacted in 1974, this statute is Congress' first attempt to incorporate comprehensive privacy protections into the records management practices of the Federal government. The act regulates the collection, maintenance, use, and disclosure of personal information in the Federal sector. Except for certain government contractors, it does not apply to the private sector. Basically, it requires public notice of agency record systems, provides for individual access to personal records, sets up procedures for an individual to correct or amend records about himself, limits disclosures of records, and establishes certain practices and policies of fair information practice. Individual access to the Federal district courts is available for enforcement purposes, and provision is made for both civil remedies and criminal penalties.

c. Fair Credit Reporting Act--Enacted in 1970, this statute applies only to consumer-reporting agencies, i.e., entities that supply credit history and individual background information to credit grantors, insurers, employers, and others. The intent of the act is to enable a consumer to learn the "nature and substance" of all information pertaining to him in the records of a consumer-reporting agency, and to learn when a consumer report adversely affects a decision about him.
The consumer may also demand a reinvestigation of the material and deletion or amendment of inaccurate or unverifiable information. The act places some loose disclosure limitations on a consumer-reporting agency. Individuals may recover civil damages iii Federal or state courts and criminal penalties are provided. The FTC has primary enforcement authority under this act., along with other regulators of financial institutions. d. Family Educational Rights and Qrivacy Act-- This statute, better known as the "Buckle_y-Pell Amendments, was enacted and amended in 1974. It provides for access by students over 18 or parents of minor'students to all. "education records" maintained by any educational institution receiving Federal funds. Also, the act sets rather stringent limits on the disclosure of such records to third parties which may be made without parental or student consent. The requirements of the act. are enforceable by the Secretary of the DHEW, whose only enforcement mechanism is the denial of Federal funds to any offending institution. DHEW also has the responsibility to issue regulations to be followed by educational institutions. e. Equal Credit Opportunity Act;--Enacted in 1974, and amended in 1976, this act proscribes discrimination in the granting of credit on nine bases, including race, religion, national origin, sex, marital status, and age. Although the collection of such information about credit applicants is often necessary to demonstrate compliance with the law, the use of such information about credit applicants is strictly limited. The basis for any denial of credit must be provided in writing. An individual can bring suit in Federal or state court to enforce the act, and can receive both money damages and equitable relief. Administrative enforcement rests with the Federal Trade Commission and with a number of other Federal agencies, primarily financial institution regulators. f. 
Fair Credit Billing Act--Enacted in 1974, this statute was amended in 1976. It basically regulates the use of information about a credit card holder by his creditor when a dispute develops between those Approved For Release 2003/04/17 : CIA-RDP81-00142R000700030005-0 Approved For Release 2003/04/17 : CIA-RDP81-00142R000700030005-0 13 parties as to the amount owed. It permits a debtor to challenge and correct erroneous billing information and prohibits dissemination of adverse credit reports until the dispute is resolved. Enforcement is essentially the same as the Equal Credit Opportunity Act. g. Fair Debt Collection Practices Act--Enacted in 1977, this statute regulates debt collectors, and is designed to prevent abusive, deceptive, and unfair debt collection practices. Of particular interest to privacy, it prohibits various kinds of pretext interviews and other false representations of the dept collector's identity or business affiliation. It also prohibits communicating with the consumer's employer or other third parties about his debts, or publishing lists of alleged debtors, other than through a consumer reporting agency. There are also numerous Federal statutes which have privacy implications because they require organizations to collect, maintain, or disclose certain records. One example is the Bank Secrecy Act, enacted in 1970, which, despite its title, is not a "secrecy" act. Rather, it requires banking institutions to report to the Secretary of the Treasury information on certain types of financial transactions. It also requires banks to maintain certain records, including checks, for five years. Civil and criminal penalties are available against offending banking institutions. The Department of the Treasury has the responsibility to issue regulations under this act. The whole issue of privacy as that concept pertains to personal banking records has also been seriously affected by the recent Supreme Court case of United States v. Miller, 425 U.S. 
435 (1976). In that case, the Court held that a private individual has no legitimate "expectation of privacy" in his bank records and thus no legally enforceable interest for courts to consider. The Court ruled that checks negotiated by the individual are an independent record of that person's participation in the flow of commerce and, as such, are not to be considered confidential communications. Moreover, the Court ruled that the bank records do not belong to the individual, but to the banking institution.

E. The Privacy Protection Study Commission

There have been a number of distinguished study efforts addressing the privacy problem. Most notable among those which preceded the Privacy Commission were:

- The DHEW Secretary's Advisory Committee on Automated Personal Data Systems.--This 1973 report first presented the principles of a "Code of Fair Information Practice," and is generally credited with providing the intellectual framework for the Privacy Act of 1974.

- The Domestic Council Committee on the Right to Privacy.--During its life (1974-1976), this group brought high level visibility to the privacy issue and direct involvement by the Executive Office of the President.

Motivated by the work of these two committees and the work of various congressional committees, the Congress and the Executive Branch worked together to enact the Privacy Act of 1974. That act stands as the most concerted effort to date to resolve information privacy issues and to protect the interests of individuals in connection with records about them maintained by others. The Privacy Act, however, is aimed exclusively at Federal records and Federal record keepers. The concern remained that the problems of privacy protection were not limited to Federal records.
Consequently, Congress decided that there should be further study to determine if the principles and requirements of the Privacy Act of 1974 should be applied to private sector record keepers and to state and local governments. Addressing these questions was the basic charge to the Privacy Protection Study Commission, a two-year independent Federal commission created by the Privacy Act.

The Privacy Commission was given a broad mandate to: (1) investigate the personal information record-keeping practices of governmental, regional, and private organizations and to recommend to the President and the Congress the extent, if any, to which the principles and requirements of the Privacy Act should be extended to such organizations; and (2) make any other recommendations necessary to protect the privacy of individuals while meeting the legitimate needs of government and society for information.

In July 1977, the Privacy Commission responded to its mandate with a 654-page report containing 162 specific recommendations, and numerous less emphatic suggestions, supporting broader extension of the principles of the Privacy Act, but not the Act's specific requirements.

In recommending extension of the principles, but not the requirements, of the Privacy Act to the non-Federal sector, the Privacy Commission made some explicit and implicit decisions regarding the applicability and appropriateness of these principles beyond the Federal sector. For example, the Commission determined that the Privacy Act's principle that there should be no secret record systems cannot be extended, not because it is not a desirable objective, but rather because there is no realistic mechanism for implementation. (In the Federal sector, notices describing agency record systems are published in the Federal Register.)
Thus, while the fundamental objectives remain the same, the basic elements of a privacy policy in the non-Federal sector would differ from the Privacy Act principles.

The Privacy Commission also rejected the omnibus approach of the Privacy Act as being inappropriate for the non-Federal sector. The Commission recommended instead that non-Federal privacy protection legislation be enacted on an industry-by-industry basis (e.g., banking, credit, insurance) or on a community-by-community basis (e.g., medical, education, social service and public assistance). In this way, the specific characteristics and requirements of each industry or community could be considered.

The Privacy Commission's recommendations have the same general thrust as those of its predecessors. Driven by findings of actual and potential misuse of personal records, as well as by a concern for the gradual erosion of personal privacy resulting from the well-intentioned use of modern information technology, several Congressional committees, the DHEW Advisory Committee, the Domestic Council Committee on the Right to Privacy, and the Privacy Commission have all concluded that the way in which records about individuals are collected, maintained, used, and disclosed has to be changed.

In particular, all the groups examining the problem have called for some degree of control of personal records to be returned to the individuals to whom those records pertain. These groups have urged the creation or bolstering of mechanisms to limit the collection of information by organizations. They have suggested specific restrictions on the gathering of information by government.
They have consistently recommended that an individual be provided the right to see and obtain a copy of records about himself, to correct errors in those records, and to be informed of (and, in some cases, limit) the uses to which those records will be put. And, they have endorsed the creation of a right for the individual to exercise some measure of control over the disclosure of records about himself outside the organization maintaining them.

The Privacy Commission's recommendations have three basic objectives: minimizing intrusiveness, maximizing fairness, and creating legitimate expectations of confidentiality. The goal of minimizing intrusiveness is to limit the collection of unnecessary or offensive personal information by organizations. The objective of maximizing fairness is to open up the process by which organizations use records about individuals, to permit the individual to know what is being done with personal information, and to allow him to ensure its accuracy and proper use. The creation of "legitimate expectations of confidentiality" is an effort to give legal recognition to the personal character of records about an individual and to establish a legitimate interest for the individual in what happens to those records. Such a legal interest would have two parts: (1) placing a duty on a private sector record keeper not to disclose recorded information about an individual without his authorization or consent; and (2) limiting the government's access to records held by private sector record keepers by requiring government to use legal process to obtain such records.

In addition, the Commission concluded that giving rights and responsibilities to individuals and the organizations with whom they dealt was not enough.
In order to monitor industry-wide activities, to be able to respond to the unforeseen consequences of the growth of information technology, and, in particular, to structure and enforce privacy policy effectively within the Federal government, the Commission recommended both that existing regulatory authority be augmented and that a new government entity be created. This combination, the Commission believed, was essential to ensure that personal privacy, and the basic values of individuality which underlie it, would continue to be protected in American society.

F. Current Activity

Congressional

Since the Privacy Commission issued its report there has been a great deal of privacy interest in Congress. Immediately upon submission of the report, Congressmen Koch and Goldwater (both members of the Privacy Commission) introduced about a dozen bills that substantially followed the Commission's recommendations. Congressman Preyer reintroduced all of these bills as one omnibus bill, H.R. 10076. Congressman Preyer's Subcommittee on Government Information and Individual Rights recently has held hearings on this bill.

Only a few issues, however, are the focus of legislative activity this term. First is the issue of government access to financial records. The House Banking Committee (H.R. 13088) and Judiciary Committee (H.R. 214) are considering similar bills that generally follow the Commission's approach. The Senate is also considering similar legislation. The Departments of Justice and the Treasury have already presented their own views on this legislation to both Senate and House committees.

Second, provisions protecting the privacy of financial records generated by electronic fund transfer (EFT) systems are included in legislation recently reported out of the Senate Banking Committee.
Third, medical record privacy was raised during the first session of this term in the context of amendment of the Social Security Act. Action on the proposed medical record privacy sections was tabled in committee until DHEW had time to develop a position in response to the Commission's report. In May 1978, DHEW presented its own views to the Congress.

State

Activity in privacy matters resulting from the Privacy Commission's report is not limited to the United States Congress, nor is the Federal government in the lead in developing updated privacy protection. A number of states, led by California, have developed significantly greater privacy protections than are afforded by Federal law. Nine states now have constitutional provisions protecting individual privacy; seven states have passed omnibus privacy statutes similar to the Federal Privacy Act; eleven states have passed statutes that go beyond the Federal Fair Credit Reporting Act; sixteen states have laws governing the disclosure of personal information by financial institutions; some states regulate the personal information practices of private sector employers; and many states have laws governing medical records. And this activity is expected to increase. This proliferation of state legislation has engendered some business support for Federal legislation that would provide uniformity of treatment for enterprises that operate nationwide.

International

There is also an international dimension to the privacy issue. The locus of this emerging activity is Western Europe. In 1973, Sweden became the first European country to pass privacy protection legislation. Within the last 12 months, West Germany, France, Norway, and Denmark have adopted national legislation dealing with privacy protection.
Other European countries and Australia are actively considering such legislation, and Canada, with a statute similar in some respects to the U.S. Privacy Act, is also studying the issue further. Japan is creating a study commission but shows no inclination to move rapidly.

Both the Council of Europe (a strictly European, human rights-oriented organization) and the OECD (whose membership includes most advanced Western European countries, the U.S., Canada, Japan, and Australia) have been actively studying the issues. The Council of Europe has drafted a privacy protection convention, while OECD is both studying the economic and social aspects of international information flows, and is engaged in drafting guidelines for harmonizing disparate national privacy legislation.

The European approach to privacy protection is generally to enact broad, omnibus legislation which covers all types of automated government and private sector records and which is implemented and enforced by a governmental bureaucracy. The Europeans stress that their intent is not only to establish standards for protection of personal information, but also to make important social statements about the relationship of the citizen to the state.

Parenthetically, the U.S. is by far the most important partner in international information exchanges and in the information processing industry, dominating world markets in computer software, hardware, and data processing. This dominance is well understood in other advanced countries, and to some uncertain degree may lie behind the sudden surge of concern for privacy protection. That is, the impetus for foreign privacy protection laws may lie not only in a genuine concern for the civil rights of local citizens, but also in an effort to blunt U.S. dominance of international information processing.
The latter arises out of feelings of nationalism, concern for sovereignty, and economic control. At the same time, Europeans are also concerned about the export of personal information to the U.S. in the absence of adequate privacy protection in the U.S., and some European legislation can be interpreted to bar such export. Finally, Europeans are particularly concerned about the lack of a central governmental office to assist foreign nationals in the protection of their privacy rights within the U.S.

In the international arena, the U.S. has several interests at stake: protecting the privacy of U.S. citizens concerning records maintained abroad, preventing the development of non-tariff barriers under the guise of privacy protections, and encouraging the free international flow of information. While the European activity to date presents no immediate threat to U.S. interests, the development of a comprehensive domestic privacy policy will greatly strengthen our ability to safeguard U.S. interests in the future.

G. The Elements of a Privacy Policy

The remainder of this Part presents an overview of the basic elements of a general privacy policy as that policy might be applied to the non-Federal sector. It concludes with a proposed implementation strategy. In Part II, each of the nine industries and record-keeping relationships examined by the Commission is described and the decisions for application of this general policy to those industries and record-keeping relationships are discussed.

1. Notification of Information Collection Practices

Objective

During the course of the business relationship between an organization and an individual, the organization may collect personal information about the individual from many sources.
The first objective of a privacy policy is to give the individual some influence over an organization's information collection practices by requiring it to provide prior notice of the kinds of information it may seek and the types of sources that may be contacted, and to limit its information collection practices to those stated in a notice. This alerts an individual to the personal information that will be compiled about him as a result of entering into a record-keeping relationship.

Current Law and Practice

At present, individuals are given little or no information about an organization's information collection practices. Thus, individuals are unable to make informed choices between competing organizations on the basis of their collection practices. Nor are individuals able to judge whether the good or service sought from an organization is worth the potential invasion of their privacy.

Federal and state legislation in this area is limited. It imposes requirements on only a few record keepers, and those laws generally do not require a notice whenever information is collected about an individual. The Fair Credit Reporting Act, for example, requires only that institutions such as credit grantors, employers, and insurers notify an individual if they request an outside agency to prepare an investigative consumer report (a report prepared through personal interviews with friends, neighbors, and other acquaintances concerning the consumer's character, general reputation, and mode of living). If the consumer makes a written request, he must be provided with a notice describing the "nature and scope" of the investigation. However, this requirement applies only if the report is obtained from a consumer reporting agency; it does not apply if the user of the report performs the investigation itself.
Discussion

The Privacy Commission proposed that an organization be required to give the individual notice at the start of the business relationship of the kinds of information it may seek from third parties and the types of sources that may be contacted in the course of evaluating the application and maintaining the relationship. With this information, the individual can know what to expect before entering into a business relationship with the organization. In turn, the organization is limited to the information collection practices stated in the notice, unless it subsequently obtains the individual's consent to conduct an investigation or collect information not stated in the notice.

Past experience with laws requiring a notice of collection practices such as this, including the Privacy Act of 1974 and the Fair Credit Reporting Act, suggests that just the fact of notification will help eliminate unnecessarily intrusive or otherwise objectionable collection practices.

The requirement for notification of and limitations on collection practices is, however, no cure-all. First, it establishes only a procedural requirement that information collection practices be limited to those stated in a prior notice; it does not limit what that notice may contain. Moreover, in most industries, a model notice probably will be developed and adopted by the major companies, thereby limiting the competition among companies on the basis of collection practices. Second, because of extensive notices already required by other laws, there is a danger of information overload. One possible approach is to adopt a two-step process whereby the individual is automatically given only the most general notification, but is advised of his right to request and receive a more detailed notice.

2.
Propriety and Relevance of Information Collected

Objective

Another basic privacy objective is to limit the collection and use of information which may be improper or irrelevant to the decision-making process which gave rise to its collection. For example, a person's race and sex may be statistically relevant to a credit decision, but society has decided in the Equal Credit Opportunity Act that it is improper to base credit decisions on such criteria. An allied concern involves the collection of proper and relevant information through means which society may consider improper, e.g., through pretext interviews in which the source is misled into supplying information, or through the use of truth verification devices (i.e., "lie detectors").

The Commission proposed that governmental mechanisms should exist to consider individual citizen complaints about propriety and relevance on a problem-by-problem basis. It made specific proposals to prohibit the use of pretext interviews and truth verification devices in certain contexts.

Current Law and Practice

There are few prohibitions on the private sector's collection of information. Most relevant laws prohibit only the use, but not the collection, of specific types of information. The Equal Credit Opportunity Act, for example, prohibits the use of sex, marital status, race, religion, and certain other characteristics as the basis for a credit decision. However, it permits collection of some of this information, e.g., marital status, which may affect the creditor's collection rights. It also requires collection of other information, e.g., race, to monitor discriminatory mortgage lending practices.

The Fair Credit Reporting Act's original draft contained general relevancy requirements, but they were removed in the face of heavy industry opposition. The Act does impose, with some significant exceptions, a prohibition on reporting adverse information more than seven years old (which is a form of relevancy requirement).
The only existing model of a general standard of propriety and relevance is the Privacy Act, which requires Federal agencies to maintain, use, and disseminate only records which are relevant and necessary to accomplish a lawful agency purpose. The Act also prohibits collection of information concerning an individual's exercise of his First Amendment rights, except when collected for law enforcement purposes. According to the Commission, however, these requirements have had little impact on Federal record-keeping practices.

Laws proscribing the use of what may be excessively intrusive collection techniques by private sector organizations are similarly limited. The use of truth verification devices is regulated at the state level on an irregular basis, and only a few states now prohibit their use. Truth verification devices are barred from use in Federal employment by Civil Service Commission regulations. The Federal Trade Commission has found pretext interviews to be unfair or deceptive for businesses under its jurisdiction, and the recently enacted Fair Debt Collection Practices Act prohibits the use of these practices by debt collectors.

Discussion

The Commission proposed that there be formal governmental mechanisms to consider citizen complaints and raise questions of relevance and propriety on a case-by-case basis. This proposal was based upon the belief that certain information simply should not figure in business decisions--that it is of no concern to anyone but the individual himself.

The Commission specifically rejected two alternative approaches to this issue: (1) to create general statutory requirements on the relevance and propriety of information for subsequent definition by a regulatory agency or the courts; and (2) absolute prohibitions on the collection and use of certain information (e.g.,
sexual preference, political affiliation, etc.) by all record-keeping organizations.

Industry opponents of any propriety and relevance requirements raise First Amendment objections to prohibitions on the free flow of information. Industry argues that market forces already influence businesses not to collect irrelevant information. Industry fears that any relevancy requirements will lead to limitations on the right to obtain information needed to make business decisions. With these concerns in mind, as well as the difficulty of determining what information is irrelevant to any possibly legitimate business use, the Commission for the most part refrained from specific prohibitions and opted for future case-by-case consideration.

Two specific questions concerning the propriety and relevance of information collected will be raised for decision:

1) Should the use of lie detectors be prohibited in employment decisions (considered in Part V)?

2) Should a mechanism exist for challenging the relevance and propriety of information collected and used by credit grantors and insurance companies? (Part I.I.)

3. Individual Access to Records

Objective

The third privacy objective is to entitle an individual to see and obtain a copy of any reasonably retrievable personal information concerning him which is held by a non-Federal record keeper.

Current Law and Practice

At present, the Privacy Act allows an individual access to records maintained about him by the Federal government. However, no such general right of access exists in the private sector.
The Fair Credit Reporting Act (FCRA) gives an individual the limited right to learn the "nature and substance" of records held by a consumer reporting agency, but this does not mean that the individual can see the actual information in the records. The FCRA also does not apply to the records of credit grantors, depositories, insurers, and employers who may use these reports to make decisions about individuals. In the credit area, as a rough substitute for actual access to records when a billing dispute occurs, the Fair Credit Billing Act requires a credit-card issuer to provide a consumer with a written explanation of any disputed billings and copies of documentary evidence of indebtedness.

In practice, many record keepers in the non-Federal sector do allow individuals to see and obtain copies of their records. Banks and credit-card issuers generally send the individual a monthly account statement which reflects a summary of the billing records which they maintain; many employers now permit employees access as a matter of good personnel practices. Partially in response to repeated criticism, the major consumer reporting agencies now allow an individual to see and copy a consumer report about him. However, the procedures developed for access are sometimes difficult for an individual to use and these are not rights provided in law.

Discussion

Individual access to records is a precondition to several of the other basic elements of a privacy policy. For example, a right of access enables the individual to determine whether the records contain information beyond the scope of the prior collection notice (if such notice is required) and to challenge the accuracy of the information contained in the records.
Merely extending the right to learn the "nature and substance" of what is in the record has proven in practice with the Fair Credit Reporting Act to be insufficient. "Nature and substance" is determined by the record keeper, and in the past record keepers have failed to adequately inform the individual of the records' contents, either intentionally or out of lack of knowledge about what the individual considered important.

Assuming that only reasonably retrievable records need be disclosed and that the organization's copying costs may be recovered, there is little problem in the affected industries with allowing individuals to see and copy their records. However, the situations in which such access occurs and, with some record keepers, the records to which access is allowed are questioned.

4. Correction and Amendment of Records

The fourth privacy objective is to provide an individual with the ability to challenge the accuracy of information about him maintained by non-Federal record keepers. If the individual believed the information were inaccurate, he would be entitled to bring the supposed inaccuracy to the record keeper's attention. The record keeper then would be obliged either to make the correction or to reinvestigate the disputed matter. If, after reinvestigation, the record keeper determined that the disputed information is accurate, the record keeper would have to indicate that the matter is in dispute and include the individual's version of the dispute in the record. The amended record would then have to be sent to prior and future recipients of the record, and, in some instances, to the source of the disputed information. Similarly, if a record keeper itself discovers a significant inaccuracy which it corrects in its own record, then it should also take reasonable steps to propagate that correction.
Current Law and Practice

At present, there are no uniform requirements that non-Federal record keepers allow an individual to correct and amend records about him. The Fair Credit Reporting Act (FCRA) provides consumers with a right similar to that outlined above to dispute the accuracy of consumer reports. With regard to Federal government records, the Privacy Act provides a general right to challenge the accuracy of recorded information similar to that provided by the FCRA. The Fair Credit Billing Act sets forth a specific procedure for resolving billing disputes, and requires reinvestigation by the record keeper. Under common law, a business which reports erroneous information could be sued for defamation or libel, but the individual would usually be required to prove that the information was furnished with malice or willful intent to injure.

Discussion

Some record keepers contend that market forces provide a significant incentive to correct clearly inaccurate information brought to a record keeper's attention by an individual. First, a change in the information may permit the record keeper to do business otherwise foregone. Second, the record keeper has a general interest in good customer relations. However, if the inaccuracy is not obvious or is the result of an underlying error in the organization's records, there is generally little incentive for the organization to reinvestigate the matter. Nor is there a great incentive to send corrections of the record to other record keepers. Also, not many record keepers permit an individual to file a statement of his version of the facts.
Finally, requiring an organization only to propagate corrections made by the individual ignores the possibility that the organization itself may discover and correct an error which, if left uncorrected in the files of other record keepers, could cause equal harm to the individual.

Entitling an individual to challenge the accuracy of information is an important device for promoting the accuracy, timeliness, and completeness of information maintained by the record keeper, but, from the individual's point of view, it is a partial safeguard if the record keeper is not obliged to send corrections to other record keepers.

5. Reasons for Adverse Decisions

The fifth privacy objective deals with an individual's rights after a private sector organization decides not to provide a benefit or service, or decides to offer it on terms less favorable than usual. The objective is to allow an individual to know the specific reasons for the decision and the specific items of information which are alleged to support the decision.

Current Law and Practice

The Equal Credit Opportunity Act (ECOA) requires disclosure of the specific reasons for an adverse credit decision. Credit grantors typically provide this information by a form checklist. The disclosure may be made either automatically or upon the request of the individual. The Fair Credit Reporting Act (FCRA) requires that an individual be notified when information from a consumer reporting agency is used in making an adverse credit, insurance, or employment decision.

Unlike credit grantors (which are covered by the ECOA), insurers and employers are not required by statute to inform the individual of the reasons for an adverse decision.
Some state insurance statutes entitle an individual to know why a policy was denied or cancelled, and at least one state (Virginia) has passed a statute providing consumers with the right to know the specific reasons for an adverse action on an application for insurance.

Discussion

A right to learn the reasons for the denial or termination of credit, insurance, or other benefits is the beginning step in consumer due process. The adverse decision may have been made on the basis of incorrect information or for reasons which are illegal, irrational, or against public policy. Although a right to learn the specific reasons for an adverse action, as well as any supporting information, would not allow the individual to require the institution to reconsider its decision to deny a benefit or service, it would enable the individual to provide supplemental information that the institution could use if it wished to reconsider its denial. Also, in addition to allowing the individual to have an adverse decision reversed in many cases, this right would enable the individual to challenge any decision criteria or information collection practice he thought improper or illegal. Experience with the ECOA demonstrates the usefulness of this right. The Federal Reserve Board recently studied the effects on nine large creditors of the ECOA's requirement that creditors inform rejected credit applicants of the reasons for the denial, either automatically or on request. The Federal Reserve Board discovered that a substantial portion (12-23%) of the rejected applicants requested the reasons for the denial when those reasons were not given automatically. From 30-70% of those who requested the reasons then supplied more information; and from 25-72% of those supplying more information were then granted credit.
Comparable results occurred when consumers were automatically provided the reasons for adverse decisions. Significant portions of private industry can be expected to oppose the requirement that an individual be informed of the reasons for an adverse decision. Even those supporting it fear that it might be implemented in such a way as to prove costly and otherwise burdensome.

6. Accuracy, Timeliness, and Completeness of Records

Objective

An important consequence of viewing privacy as a matter of fairness is the stress placed upon the objective of the accuracy, timeliness, and completeness of the information used in making a business decision and disclosed by a record keeper to another decision maker. Of course, the expectation is not that records will ever be entirely error free. Rather, the aim is to assure that accuracy, timeliness, and completeness of records will be maximized.

Current Law and Practice

In the Federal sector, the Privacy Act requires that an agency "maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination." The Fair Credit Reporting Act requires consumer reporting agencies to adopt "reasonable procedures" to ensure the accuracy of the information they obtain and report. The nation's largest investigative reporting agency was recently found in violation of this standard by an FTC administrative law judge. The decision in this case, in which the company has been ordered to significantly alter its operating procedures and record-keeping practices, is being appealed.
Apart from these provisions, record keepers are under no general legal obligation to cause reasonable steps to be taken to assure the accuracy, timeliness, and completeness of recorded information.

Discussion

The Privacy Commission identified two basic approaches to ensuring the accuracy, timeliness, and completeness of information collected, maintained, and disclosed by private sector record keepers. First, a law could establish a general standard of record-keeping performance and require organizations to take "reasonable procedures" to satisfy that standard. To enforce compliance, government agencies and individuals could be given a right of action against institutions whose record-keeping practices did not satisfy this standard. In addition, government agencies could, if appropriate, be authorized to issue implementing regulations to define practices and procedures necessary to comply with the general standard. A second approach would be to create in law specific procedural rights and requirements addressing the problems identified in an industry or record-keeping community. In this approach, the objective of ensuring the accuracy, timeliness, and completeness of records would be sought by granting the individual the other rights discussed in this section (i.e., to see, copy, correct, and amend his records), and by requiring the record keeper to propagate corrections, rather than by holding the organization to a general standard. This approach, too, would be enforced by giving individuals and government agencies a right of action against the record keeper. However, the government enforcement role here would be more limited, since there would be no need for regulations to define the practices which comply with the specific statutory requirements.
In general, the Privacy Commission favored the second approach, and opposed placing a general record keeping standard on private sector record keepers. In the public sector, however, the Commission generally favored placing a general standard on the record keeper. The Commission believed that there is a substantial difference between applying a general "reasonable procedures" standard to the government and to private sector record keepers. The primary concern is that such a general standard applied to private sector record keepers would necessarily entail extensive government involvement in the record-keeping practices of private businesses. However, this concern obviously does not apply in the context of governmental entities, which are by definition subject to such scrutiny. Even those in private industry who support some sort of privacy protection legislation generally agree with the Commission's position of no general standard for accuracy, timeliness, and completeness. The Commission believed that creating specific rights and procedures would allow the individual more effective control over the accuracy, timeliness, and completeness of his records, and that adoption of a general standard would lead to high compliance costs, arising primarily from protracted litigation to determine what record-keeping practices would satisfy the standard. Finally, the Commission argued that its approach would place the economic burden of compliance mainly on those organizations with poor record-keeping practices and which fail to treat their customers in a responsible manner. The staff of the Federal Trade Commission, on the other hand, favors a general record-keeping standard for accuracy, timeliness, and completeness in the belief that such a standard is a necessary component of any comprehensive privacy policy.
They believe that allowing an individual rights of access and correction should not be the only means by which the quality of records is maintained, and that the record keeper should bear an affirmative responsibility to monitor its own record-keeping practices to prevent errors from occurring originally. They counter the argument that a general requirement will be burdensome and costly by suggesting that it would impose the general incentive to ensure that accuracy is given sufficient consideration in making information handling and system design decisions, without encumbering systems with specific, and perhaps inflexible, rules. Moreover, they point out that government regulation under such a standard, if drawn at all, need do no more than specify minimum requirements for such activities. These two approaches are not mutually exclusive, although they do represent different philosophies of government regulation. Both could be in place at the same time. The industry-by-industry decision section which follows (Part II) will consider application of both the specific procedural rights and requirements dictated by the Privacy Commission approach, and, where potentially appropriate, a general record-keeping standard for accuracy, timeliness, and completeness.

7. Confidentiality and Disclosure of Information

Objective

The final objective of a privacy policy is to protect the confidentiality of personal information held by credit institutions, banks, insurance institutions, and medical care providers, and of telephone toll records. Much of this information is highly personal, e.g., financial and medical information, and therefore arguably should be held in confidence.
Current Law and Practice

The Supreme Court has held that the individual has no legally enforceable expectation of confidentiality under the Fourth Amendment for financial records maintained by banks. (United States v. Miller, 425 U.S. 435 (1976)). A similar lack of legal protection exists for insurers, medical-care providers, and providers of telephone services. This means that, when the government asks a private sector record keeper to disclose personal information about an individual, the individual has no legal right to be notified of, or contest, the government's acquisition of those records. Nor does the individual ordinarily have a right to be notified of or to control the record keeper's voluntary disclosures of information to the government or others. In short, the individual has no legally enforceable expectation of confidentiality for the personal information which a private sector record keeper holds about him.

Discussion

The balance of this section develops one aspect of what the Privacy Commission labeled "an expectation of confidentiality": namely, the record keeper's obligation to maintain the confidentiality of certain records. Questions of government access to private sector records are discussed in Part III. The Commission proposed, and the responding agencies generally thought it desirable, that, for credit grantors, depositories, insurers, medical-care providers, and telephone toll records, a legally enforceable expectation of confidentiality should be created and disclosures to others within the private sector should be constrained. This proposal contains both procedural and substantive controls on disclosures.
Procedurally, at the beginning of his relationship with an organization, an individual would be given a notice describing the disclosures which may be made of information obtained in the course of that relationship. A record keeper could then disclose information only if the disclosure is: 1) consistent with the terms of the notice; 2) required or authorized by law (including the various forms of legal process which will be discussed in Part III); or 3) specifically authorized by the individual to whom the record pertains. If the record keeper fails to fulfill this obligation and improperly discloses personal information, the individual would have a legal right of action and could receive damages of up to $10,000 from the record keeper. As a substantive control, the notice given by the record keeper must include a "reasonably specific" description of all the allowable disclosures the record keeper intends to make. Other than (2) and (3) above, the only allowable disclosures are those which are: 1) necessary to service the relationship (e.g., from a credit grantor to a credit bureau); 2) necessary to protect the record keeper against the individual (e.g., in the event there is reason to suspect fraud); or 3) necessary to protect the individual (e.g., in the event of a medical emergency). If a disclosure is not within one of these allowable categories, it cannot be included in the notice and thereby made automatically by the record keeper. The requirement that the notice's description of disclosures be "reasonably specific" is, of course, a critical factor whose actual meaning, like all statutorily imposed "reasonableness" tests, will have to evolve. If the description is too vague, there will be no effective control. If the description is too specific, the requirement will prove burdensome to implement. 
Of course, there may still be instances in which an organization wishes to change its record-keeping practices so dramatically that it is necessary to seek the consent of its customers for the new disclosure pattern. This proposal would allow the individual to participate in the process of disclosure and would give him some control, or at least influence, over the confidentiality with which his records are kept. While this may be important to a person's feelings of privacy, its actual constraint on private sector record keepers' disclosure practices will depend in part upon what disclosures are determined to be necessary to "service the relationship." However, establishing a legal duty on the record keeper and giving the individual a right of action to enforce the obligation represents a significant shift in the current legal structure governing the confidentiality of records.

8. Implementation

The Privacy Commission, in suggesting an implementation strategy for its recommendations, attempted to minimize government regulation and to bring about adequate enforcement of its recommendations with a minimum of cost to both the individual and the record keeper. Most of the Commission's recommendations do, however, specify mandatory measures. In part, the Commission chose a statutory approach because it believed that voluntary compliance would be too uneven to be dependable; but more importantly, many of the issues are legal ones and require legal remedies. In the Miller case described above, for example, if the bank had wholeheartedly tried to protect Miller's interest, it would have done him little or no good since, under existing law, Miller would have no legal interest in the records to assert.
The primary mode of enforcement adopted by the Commission was to provide an individual a right to sue to force an institution to comply with one or several of the objectives. For example, an individual could sue in court to obtain a copy of a record about him or to require the correction of a particular item of information if a record keeper failed to do so. In addition to being able to enforce compliance with the specific requirements, an individual who was successful in court would be given attorney's fees and damages of up to $1,000. This provision was intended to encourage individuals to exercise their rights. In general, the Commission did not propose that an individual be able to obtain general damages for most violations of his rights. However, the Commission did recommend that, where the institution has violated an individual's expectation of confidentiality, the individual would be able to recover actual damages and, if the institution acted willfully or intentionally in violating an individual's expectation of confidentiality, the individual could be awarded general damages in the amount of at least $1,000, but not more than $10,000. The Commission believed that the greatest possible harm to the individual occurs when information is disseminated outside of the institution, and so recommended that an individual be able to recover damages for such a loss. As a second aspect of its implementation strategy, the Commission recommended that Federal agencies with existing enforcement authority be able to force institutions to comply where there have been repeated violations, because individuals are not always in a position to assert their own rights. The Commission also recommended that existing agencies with expertise in particular fields should enforce the recommendations in each of their own areas of responsibility.
In doing so, the Commission explicitly rejected the concept of a centralized privacy enforcement function in relation to the private sector. The Commission believed that this implementation approach would substantially burden only those institutions who refuse to follow the objectives in good faith. There would be no general compliance costs, such as annual filings or registrations. Only those institutions which are brought into court by individuals or the government for failing to comply would have to bear the costs of justifying their practices and procedures. Finally, the Commission followed the approach of the Fair Credit Reporting Act in establishing minimum Federal standards, but not restricting the states from going further than the Federal statute. For example, under the FCRA, Federal law requires a credit bureau to inform an individual of the "nature and substance" of information it possesses about him. Various states (including California and Maryland) go one step further and require the credit bureau to give the individual an actual copy of his report. The Commission adopted this approach in response to the great concern of private sector institutions over the danger of duplicative or conflicting requirements in both the Federal and state levels, and believed that it was appropriate throughout the private sector.

Area of Agreement

Except as otherwise indicated in the remainder of this memorandum, the basic implementation strategy proposed by the Commission has been assumed for the purposes of drafting this memorandum. While the agencies have not spoken directly to the issue of implementation strategy, except as indicated below, their responses to the specific recommendations of the Commission suggest agreement with the Commission's implementation strategy.
This part presents for decision the issues involved in applying the basic privacy package discussed in the previous section to non-Federal record keepers. This includes the major record-keeping industries in the private sector (credit, depository, and insurance), as well as the other record-based "relationships" which individuals maintain with organizations (employment, medical care, education, and public assistance and social services). These are the record relationships that were studied by the Privacy Commission, and to which the bulk of the Commission's 162 specific recommendations were directed. Each industry or record-keeping relationship is considered separately. First, the industry and its characteristic record-keeping problems are discussed, including an examination of current law and practice. Next, in summary form, those areas of agreement among the Privacy Commission, the agencies, and the affected industries and groups are presented. Since the indicated areas of agreement parallel the elements of a basic privacy policy presented in the immediately preceding section, there is no specific discussion of the "pros" and "cons." Finally, the issues which require decision are presented. Generally, these are questions which raised significant disagreement between the Commission, the agencies, and the affected private sector record keepers. Unless otherwise indicated, a single, general term is used to encompass the full range of institutions within an industry or record-keeping community. For example, the term "insurance institutions" is used to refer not only to insurers, but also to the information support organizations within the insurance industry, such as indexers of information, like the Medical Information Bureau (MIB), and consumer reporting agencies.
Finally, any characterization of the position of industry with respect to a particular proposal is inevitably a condensation of varying, and sometimes conflicting, points of view. In particular, an indication of industry support for a particular position does not necessarily mean that industry would affirmatively seek passage of legislation incorporating that position; rather, in some cases, it indicates only that industry accepts the position, either for substantive or political reasons.

B. Consumer Credit Industry Description of the Record Relationship

It is the rare American household that does not have some sort of consumer-credit relationship. Banks, savings and loan associations, finance companies, credit unions, and retailers are the principal providers of this service. As the amount of consumer credit has increased in our society, so has the reliance of these institutions upon recorded information about individuals in establishing and maintaining credit relationships. This, in turn, has led the credit industry to vastly expand its facilities for sharing information on individuals, especially through credit bureaus, the traditional vehicle for such interchange. Typically, local and national credit bureaus collect and maintain information on an individual's previous and existing lines of credit, payment history, financial status (income and employment), and public-record information, such as bankruptcies. They collect this information from credit grantors, many of whom, such as the large retailers, provide the credit bureaus with periodic updated reports on each of their credit customers.
The credit bureaus distribute this information to other credit grantors for use in evaluating an applicant's credit worthiness and to other credit bureaus, collection agencies, inspection bureaus, insurers, and employers who use it for a variety of purposes. Credit card issuers rely heavily upon recorded information not only in establishing a line of credit, but also in documenting its use. They continually collect and maintain information to enable their card holders to identify the various transactions made--e.g., name of merchant and goods or services provided. The popularity of credit cards has led to a dependence on an elaborate authorization system to control customer fraud and overextension. Credit-card authorization services keep records showing which cards are cancelled, overextended, or stolen. Merchants check with these authorization services before accepting cards. To maintain the information base, card issuers routinely disclose their negative information to the service, which reports to subscribers, such as airlines, hotels, and restaurants. Check authorization and guarantee services serve a similar function regarding individuals who have written bad checks. Check authorization services determine for their subscribers whether an individual has a recent history of writing bad checks; check guarantee services guarantee payment. Automation has greatly increased the speed and efficiency with which information is collected and exchanged within the credit industry. In addition, it has changed the manner in which credit decisions are made. Credit decisions are now frequently made through a technique called "point-scoring," by which a credit grantor statistically rates an applicant's key personal characteristics and produces an overall rating of credit worthiness.
While this system has its economic advantages, it diminishes the individual's opportunity to challenge the basis of a credit decision, since he has greater difficulty in isolating the factors which caused a negative decision.

Current Law

The information practices of the credit industry are already regulated by the Fair Credit Reporting Act (FCRA), the Equal Credit Opportunity Act (ECOA), and the Fair Credit Billing Act. The ECOA proscribes the use of race, sex, marital status, and some other kinds of information in credit decisions, and requires that the reasons for an adverse decision be disclosed if the individual so requests. When an individual asks for these reasons, creditors usually respond with a form checklist. Credit grantors are currently not required to disclose the specific item(s) of information supporting those reasons, as the Privacy Commission recommendations discussed below would provide. Credit grantors are, however, required by the FCRA to notify the individual whenever information supplied by a credit bureau is used in making the adverse decision, and to give him the name and address of the credit bureau. A credit grantor is not required to disclose to an individual the contents of a credit report that served as a basis for an adverse decision; in fact, a credit bureau's contract with the credit grantor usually precludes this. If the consumer wishes to learn the contents of the credit bureau's report, he must go directly to the credit bureau. The information practices of credit bureaus are the most regulated of all private sector record keepers. The Fair Credit Reporting Act gives the individual the right to know the "nature and substance" of his credit bureau record and to file an explanatory notice when he disputes its accuracy.
The FCRA also requires credit bureaus to adopt "reasonable procedures" to assure the accuracy of the information they report to subscribers.

Areas of Agreement

There is agreement among the Commission and most agencies responding that, in the area of consumer credit, Federal law should require:

a) that credit grantors notify individuals at the time of application for credit of their collection and disclosure practices, and follow that notice;
b) that individuals have the right to automatically be given the reasons for an adverse credit decision; and, upon request, to see and copy the specific item(s) of information used in making that decision;
c) that credit grantors promptly send any corrections of inaccurate, untimely, or incomplete information to credit bureaus, debt collection agencies, or authorization services to whom the inaccurate information has previously been disclosed;
d) that credit authorization services be covered by the requirements placed upon credit grantors and credit bureaus (including the requirements placed on consumer reporting agencies by the Fair Credit Reporting Act), except for the requirement to propagate corrections (in (c) above);
e) a legally enforceable expectation of confidentiality (as defined in Section I.G.7); and
f) enforcement by: (i) an individual right of action, and (ii) the FTC or bank regulatory agencies for repeated or systematic violations.

Areas of Disagreement

1. Should an individual have a right to see and copy at any time all reasonably retrievable records about him held by a credit grantor, not just the items of information that have been used to make an adverse decision (as set forth in 1(b) above)?
To provide for access to consumer credit records only after an adverse decision is inconsistent with the approach the Commission took in other areas. Arguably, an individual should be able to avoid an adverse decision by correcting erroneous information before the decision is made. In addition, if an individual is denied credit based on information reported by a credit grantor other than the one to which he is applying, he will need access to the reporting creditor's records. While the Fair Credit Billing Act provides some help in this situation, it does not apply to all creditors (e.g., closed-end credit relationships are excluded) and must be used within 60 days of when the error occurs. A general right of access to all credit information will allow the individual to correct such information. The Department of Commerce and the National Credit Union Administration suggested this provision. The Privacy Commission recommended that an individual have access to his credit records only when an adverse decision has been made about him and only to those records that a credit grantor has used to make that decision. This differs from other areas, such as insurance, where the Commission recommended a right of access to all information at all times. The Commission made this distinction because an individual usually receives a monthly statement of his credit account, which in combination with the records that might be used to make an adverse decision, comprises all the records that a credit grantor commonly maintains on the individual. The Commission believed that it would unnecessarily burden credit grantors to require them to assemble and disclose at any time the information they regularly make available as part of a monthly billing cycle.
The credit industry would prefer no right to see and copy, but if such a right were granted, would prefer that it be provided only in the instance of an adverse decision and include only the records used in the decision, thereby reducing retrieval costs. The Department of the Treasury supports the Privacy Commission recommendation.

Decision:

Yes, the individual should have a right of access to all credit records upon request.

No, an individual right of access to credit records should be limited to those records that have been used to make an adverse decision about him.

2. Should an individual have access to credit records about him maintained but not prepared by the institution from which he seeks the records, e.g., credit reports in the hands of a credit grantor?

The Commission recommended that an individual have direct access to all records maintained by a credit grantor, and the responding agencies, while endorsing the general recommendation, did not speak directly to this specific issue. This is intended to close a current gap in consumer credit law. The Equal Credit Opportunity Act requires a credit grantor to disclose the reasons for an adverse decision, and the Fair Credit Reporting Act requires that the consumer be told if the decision was based "in whole or in part" on information obtained from a consumer reporting agency. However, by contract the credit grantor cannot disclose the report which was used. The consumer must now go directly to the credit bureau to get his file, yet the credit bureau does not know why the adverse decision was made. The Commission's recommendations would allow the individual to be informed of the reasons for an adverse decision and see the information used in that decision in the same place.
In addition, it is possible that the credit bureau may not know what information it gave to the credit grantor. Because credit bureaus regularly update their files, the information that the individual eventually gets from a credit bureau may not be the information that the credit grantor received and used to make an adverse decision. The credit industry, particularly the credit bureau industry, opposes this requirement. Credit bureau reports are coded and must be interpreted to the consumer. Although it is feasible for the credit grantor to interpret the report for the consumer (they already interpret it for their own use), credit bureaus would prefer to do so themselves, particularly since they may ultimately be liable if the consumer sues for negligent or willful defamation. Also, credit bureaus already have employees trained to interpret the reports for consumers, and credit grantors would prefer not to train their own employees for this purpose.

Decision:

Yes, an individual should have a right of access to credit records about him maintained but not generated by the institution from which he seeks the records.

No, an individual's right of access to credit records should be limited to those records generated by the institution from which he seeks the records.

3. Should there be a mechanism for the individual to challenge the relevance and propriety of information collected or used by credit grantors?

The Commission did not recommend that a single Federal agency be assigned this responsibility, but suggested that appropriate authority be vested in the Federal Home Loan Bank Board, the Federal Reserve Board, and other regulatory agencies responsible for enforcing the Fair Credit Reporting Act.
The Commission was specific, however, in recommending that the mechanism not involve direct regulatory control by a Federal agency on questions of relevance and propriety. As envisioned by the Commission, the mechanism would collect consumer complaints about the information practices of the industries they regulate and report to Congress as to the need for legislation to control the collection or use of any particular items of information. An example might be that the Federal Reserve Board would suggest legislation prohibiting the collection of information indicating sexual preference for use in credit decisions.

The Commission, the Department of Commerce, and the National Credit Union Administration support this proposal. Individuals may be frustrated by what they believe to be overbroad and irrelevant or improper requests for information. Often they do not have the market power to prevent its collection. A government agency, such as the Federal Reserve Board or the Federal Trade Commission, could consider consumer complaints and suggest remedial legislation as needed on a case-by-case basis.

The credit granting and credit reporting industries uniformly and vehemently oppose this recommendation, which is also opposed by the Federal Reserve. Industry believes that the marketplace discourages the collection of irrelevant or improper information and that there is a trend to collect less information. Industry argues that most information is relevant to some business purpose, and does not want government interference in business decisions about what information to collect. To the extent problems once existed, industry also believes that they have been resolved by the Equal Credit Opportunity Act, which prohibits the use of marital status, sex, age, religion, national origin, or race in making credit decisions.
Decision:

Yes, there should be governmental mechanisms for the individual to challenge the relevance and propriety of information collected or used by credit grantors.

No, such mechanisms should not be created.

4. Should Federal law require that a credit grantor have reasonable procedures to ensure the accuracy, timeliness, and completeness of the personal information it collects, maintains and discloses?

For a general discussion of this issue, see Section I.G.6, "Accuracy, Timeliness and Completeness."

Option 1: All credit grantors: It is the position of the FTC staff that a "reasonable procedures" standard for accuracy, timeliness, and completeness similar to that contained in the Fair Credit Reporting Act (15 U.S.C. 1681e(b)) for credit bureaus is a necessary component of a comprehensive privacy policy applied to credit institutions. Current law is unbalanced in its coverage of the information practices of the credit industry. The industry depends heavily upon the exchange of information, with credit bureaus serving as the information brokers, or go-betweens, for the industry. In addition to using credit bureau reports for evaluating consumer applications for credit, credit grantors regularly report to the credit bureaus on the state of their consumer accounts; thus, they are both providers and receivers of information as it flows within the industry. While credit bureaus are required to have reasonable procedures to assure the accuracy of the information they report, credit grantors are under no such requirement regarding the information they report to one another, either directly or through the intermediary of a credit bureau. The imposition of such a requirement would erase the often artificial distinction currently drawn between credit bureaus and their sources of information (credit grantors).
The FTC staff, which has primary enforcement responsibility for the FCRA, has found that placing the "reasonable procedures" requirement on credit bureaus has, among other effects, caused them to maintain routine procedures for correction of gross errors in the information they process and disclose. However, the impact of these procedures has been limited by the absence of a legal requirement on the credit grantor to ensure the overall accuracy of the information it supplies to the credit bureau, and the fact that the credit bureau is not in a market position to influence the credit grantor to report only accurate information. The FTC staff has also identified specific problems related to the absence of standard codes for information reported by credit grantors, the filing of adverse credit reports by credit grantors even after signing a general release for partial payment of a disputed debt, and in the identifying information used in credit grantor reports to credit bureaus.

The FTC staff believes that a requirement that a credit grantor adopt "reasonable procedures" to ensure the accuracy, timeliness, and completeness of records would help solve some of these problems. Finally, while the FTC staff would endorse the Commission's proposal concerning the accuracy of information reported by credit-card issuers to credit authorization service (see option 2, below), it would argue that the proposal addresses only a small portion of the identifiable problems in the credit industry. The FTC staff believes that a general requirement is preferable to the more specific and limited remedies recommended by the Commission. Note that this option was not considered by the agencies in the review process.
Option 2: Only credit-card issuers' reports to independent authorization services: In contrast to option 1, which addresses all reports made by all consumer credit grantors, this recommendation addresses only one class of credit grantors (credit-card issuers), and then only the reports they make to independent authorization services. It does not cover reports made by credit grantors to credit bureaus and other credit grantors.

The Commission recommended that Federal law require a credit-card issuer to have reasonable procedures to assure that the information it discloses to an independent authorization service is accurate at the time of disclosure. However, it explicitly rejected recommending that a Federal statute require all credit grantors to adopt reasonable procedures to ensure the accuracy, timeliness, and completeness of their records as a separate, general rule. The Privacy Commission position is supported by the Commerce Department, the National Credit Union Administration, and the Federal Reserve Board.

The Privacy Commission made its specific recommendation concerning authorization services because they act preemptively. An individual thus has no way of rectifying an error in an independent authorization service record in time to affect that transaction when his use of his credit card to pay for goods or services is refused because of negative and incorrect information from an authorization service. Procedures to correct inaccuracies after the fact, therefore, do little good in this instance.

The Privacy Commission's rejection of a general "reasonable procedures" standard was based on the belief that the identifiable problems in consumer credit will be adequately remedied by the combination of current law and the specific individual rights and institutional obligations proposed in its other recommendations.
For example, the Commission believed that the specific problems concerning erroneous information reported by credit grantors to credit bureaus would be addressed by allowing an individual to be informed of the reasons for an adverse consumer credit decision, and to see, copy, correct, and amend the information used in that decision. While this mechanism would not necessarily prevent an error from occurring, it would adequately protect the individual when an error did occur. The Commission did not believe that preventative protections for accuracy, timeliness, and completeness were necessary in the consumer credit area for records other than those which are disclosed to the authorization services. This option is supported by the Department of Commerce and the National Credit Union Administration. Note that only options 2 and 3 were presented in the review process.

Option 3: No action: The Treasury Department and industry oppose both the Commission's specific recommendation (Option 2) and the proposal presented in Option 1 above. Card issuers believe that market pressures already force them to have reasonable procedures to ensure accuracy. They believe this is true for all credit records, including those disclosed to the independent authorization systems. The card issuers fear that a legislatively imposed requirement will eventually result in government's dictating the specific procedures that business must follow to ensure accuracy. They point to the FTC suit against Equifax (a major consumer reporting agency) for not having "reasonable procedures to assure maximum possible accuracy" in which the FTC administrative law judge made very specific decisions regarding the procedures that he believed were "reasonable."
Finally, the imposition of a general legal requirement may place a greater burden on smaller credit grantors and retailers, exacerbating an existing trend toward the disappearance of credit granting by smaller businesses. The Commission recommendation would be less likely to have such an effect because it is directed only to credit-card issuers, which are already predominantly automated and therefore have already included provisions in their systems for maintaining the integrity (i.e., at least the accuracy and timeliness) of their data bases. This option is supported by the Department of the Treasury, which believes that current law provides sufficient protections.

Decision:

Federal law should require a credit grantor to have reasonable procedures to ensure the accuracy, timeliness, and completeness of the information it collects, maintains, and discloses.

Federal law should require that a credit-card issuer adopt reasonable procedures to ensure that the information it discloses to an independent authorization service is accurate at the time of disclosure.

Adopt no new "reasonable procedures" requirement in consum