[Federal Register Volume 59, Number 100 (Wednesday, May 25, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-12761]
[[Page Unknown]]
[Federal Register: May 25, 1994]
_______________________________________________________________________
Part VII
Office of Management and Budget
_______________________________________________________________________
Draft Principles for Providing and Using Personal Information; Notices
OFFICE OF MANAGEMENT AND BUDGET
Draft Principles for Providing and Using Personal Information
AGENCY: Office of Management and Budget
ACTION: Notice with request for comments.
-----------------------------------------------------------------------
SUMMARY: OMB is publishing these draft principles on behalf of the
Working Group on Privacy of the Information Policy Committee of the
Information Infrastructure Task Force. They were developed by the
Working Group to update the Code of Fair Information Practices
developed in the early 1970's.
DATES: Comments should be submitted no later than June 13, 1994.
ADDRESSES: Comments should be sent to the Working Group on Privacy, c/o
the NII Secretariat, National Telecommunications and Information
Administration, U.S. Department of Commerce, Room 4892, Washington,
D.C. 20230. The Principles and Commentary can be downloaded from the
IITF/Gopher/Bulletin Board System: 202 09501 091920. The IITF/Gopher
Bullletin Board can be accessed through the Internet by pointing your
Gopher Client to iitf.doc.gov or by telnet to iitf.doc.gov and login as
gopher. Electronic comments may be sent to [email protected].
FOR FURTHER INFORMATION CONTACT: Mr. Robert N. Veeder, Information
Policy Branch, Office of Information and Regulatory Affairs, Office of
Management and Budget, Room 3235 NEOB, Washington, D.C. 20503. Voice
telephone (202) 395 093785
SUPPLEMENTARY INFORMATION:
Request for Comments on the draft Principles for Providing and
Using Personal Information and their Commentary.
The draft Principles for Providing and Using Personal Information
and the associated Commentary are the first work product of the
Information Infrastructure Task Force's Working Group on Privacy. They
are intended to update the Code of Fair Information Practices that was
developed in the early 1970s. While many of the Code's principles are
still valid, the Code itself was developed in an era when paper records
were the norm.
The advent of the National Information Infrastructure has caused
two things to change dramatically. No longer is information usage bound
by the limitations of paper--the seamless web of networks linking us to
each other is creating an interactive environment in which all of the
participants must share certain responsibilities. Moreover, non-
governmental usage rivals the government's, and is largely unregulated.
The following Principles were developed with the goal of providing
guidance to all participants in this new interactive world. The Working
Group recognizes that the Principles cannot apply uniformly to all
sectors. They must be carefully adapted to specific circumstances.
Nevertheless, the developers believe that the responsibilities and
relationships the Principles describe are basic ones. As such, they are
intended to assist legislators, regulators, and companies as they
develop codes of practice.
The Working Group invites public comment on the Principles and
Commentary. We are especially interested in understanding how the
Principles would work in this new interactive electronic environment
and particularly in non-governmental settings. Are they workable? How,
if at all, should they be changed? We hope that those who obtain the
Principles for review and comment will also share them as widely as
possible with others who might be interested in them.
Principles for Providing and Using Personal Information
Preamble
The United States is committed to building a National Information
Infrastructure (NII) to meet the information needs of its citizens.
This infrastructure, essentially created by advances in technology, is
expanding the level of interactivity, enhancing communication, and
allowing easier access to services. As a result, many more users are
discovering new, previously unimagined uses for personal information.
In this environment, we are challenged to develop new principles to
guide participants in the NII in the fair use of personal information.
Traditional fair information practices, developed in the age of
paper records, must be adapted to this new environment where
information and communications are sent and received over networks on
which users have very different capabilities, objectives and
perspectives. Specifically, new principles must acknowledge that all
members of our society (government, industry, and individual citizens),
share responsibility for ensuring the fair treatment of individuals in
the use of personal information, whether in paper or electronic form.
Moreover, the principles should recognize that the interactive nature
of the NII will empower individuals to participate in protecting
information about themselves. The new principles should also make it
clear that this is an active responsibility requiring openness about
the process, a commitment to fairness and accountability, and continued
attention to security. Finally, principles must recognize the need to
educate all participants about the new information infrastructure and
how it will affect their lives.
These ``Principles for Providing and Using Personal Information''
recognize the changing roles of government and industry in information
collection and use. Thus they are intended to be equally applicable to
public and private entities that collect and use personal information.
However, these Principles are not intended to address all information
uses and protection concerns for each segment of the economy or
function of government. Rather, they should provide the framework from
which specialized principles can be developed.
I. General Principles for the National Information Infrastructure
A. Information Privacy Principle
1. Individuals are entitled to a reasonable expectation of
information privacy.
B. Information Integrity Principles
Participants in the NII rely upon the integrity of the information
it contains. It is therefore the responsibility of all participants to
ensure that integrity. In particular, participants in the NII should,
to the extent reasonable:
Ensure that information is secure, using whatever means are
appropriate;
Ensure that information is accurate, timely, complete, and relevant
for the purpose for which it is given.
II. Principle for Information Collectors (i.e. entities that
collect personal information directly from the individual)
A. Collection Principle
Before individuals make a decision to provide personal information,
they need to know how it is intended to be used, how it will be
protected, and what will happen if they provide or withhold the
information. Therefore, collectors of this information should:
1. Tell the individual why they are collecting the information,
what they expect it will be used for, what steps they will take to
protect its confidentiality and integrity, the consequences of
providing or withholding information, and any rights of redress.
III. Principles for Information Users (i.e. Information Collectors
and entities that obtain, process, send or store personal
information)
A. Acquisition and Use Principles
Users of personal information must recognize and respect the stake
individuals have in the use of personal information. Therefore, users
of personal information should:
Assess the impact on personal privacy of current or planned
activities before obtaining or using personal information;
Obtain and keep only information that could reasonably be expected
to support current or planned activities and use the information only
for those or compatible purposes;
Assure that personal information is as accurate, timely, complete
and relevant as necessary for the intended use;
B. Protection Principle
Users of personal information must take reasonable steps to prevent
the information they have from being disclosed or altered improperly.
Such users should:
1. Use appropriate managerial and technical controls to protect the
confidentiality and integrity of personal information.
C. Education Principle
The full effect of the NII on both data use and personal privacy is
not readily apparent, and individuals may not recognize how their lives
can be affected by networked information. Therefore, information users
should:
1. Educate themselves, their employees, and the public about how
personal information is obtained, sent, stored and protected, and how
these activities affect others.
D. Fairness Principles
Because information is used to make decisions that affect
individuals, those decisions should be fair. Information users should,
as appropriate:
Provide individuals a reasonable means to obtain, review, and
correct their own information;
Inform individuals about any final actions taken against them and
provide individuals with means to redress harm resulting from improper
use of personal information;
Allow individuals to limit the use of their personal information if
the intended use is incompatible with the original purpose for which it
was collected, unless that use is authorized by law.
IV. Principles for Individuals who Provide Personal Information
A. Awareness Principles
While information collectors have a responsibility to tell
individuals why they want information about them, individuals also have
a responsibility to understand the consequences of providing personal
information to others. Therefore, individuals should obtain adequate,
relevant information about:
Planned primary and secondary uses of the information;
Any efforts that will be made to protect the confidentiality and
integrity of the information;
Consequences for the individual of providing or withholding
information;
Any rights of redress the individual has if harmed by improper use
of the information.
B. Redress Principles
Individuals should be protected from harm resulting from inaccurate
or improperly used personal information. Therefore, individuals should,
as appropriate:
Be given means to obtain their information and be provided
opportunity to correct inaccurate information that could harm them;
Be informed of any final actions taken against them and what
information was used as a basis for the decision;
Have a means of redress if harmed by an improper use of their
personal information.
Principles for Providing and Using Personal Information
Commentary
1. With the initiation and expansion of the National Information
Infrastructure (NII), 1A1 the information age is clearly upon us.
The ability to access, collect, store, analyze, and disseminate data at
an acceptable cost has never been greater, and continuing advances in
computer and telecommunications technologies, especially interactive
applications, will serve to ensure that the amount of electronically
stored personal information and transactional data will continue to
grow at a healthy pace.
---------------------------------------------------------------------------
\1\ 1A The term ``NII'' refers to a seamless web of
communications networks, computers, databases, and consumer
electronics that will put vast amounts of information at users'
fingertips.
---------------------------------------------------------------------------
2. Cost is, of course, the overriding factor. Continually
decreasing hardware, software and networking costs allow individuals
and organizations to use data in ways that were previously, in a non-
electronic world, cost-prohibitive. For example, if someone were
interested in building a dossier on a citizen who had lived in four
different states, that dossier could have been built ``manually'' by
travelling from state to state (or hiring individuals in each state) to
compile public records pertaining to that individual's birth, motor
vehicle registration, driver's license, real property holdings, voting,
etc. This would have required, however, filling out forms, paying fees,
and perhaps waiting in long lines for record searches at various state
and local office buildings. In short, it could be done, but it would
have been a time-consuming and costly exercise; thus, it would not be
done unless the reward for building this dossier were considerable. If
the ultimate goal were to collate data on thousands of
individuals,analytical processing costs would also be added to the mix.
3. Today, such a dossier can be built in a matter of minutes, at
minimal cost, assuming all the needed information is on-line. 1A2
Indeed, with the NII, the assumption is that large amounts of sensitive
information will be on line, and can be accessed, perhaps without
authority, by a large number of network users. With advanced
networking, each link in the chain--access, collection, storage, and
analysis--becomes a cost-effective method of using information, as does
the ability to disseminate the final collated product to others.
---------------------------------------------------------------------------
\2\ 1A This ease of access has led some to question whether even
traditionally public information, e.g., automobile registration and
drivers' licensing information, should be available on-line.
---------------------------------------------------------------------------
4. Such networking offers considerable benefits. The NII holds
forth the promise of greater public participation in society, advances
in medical treatment and research, and quick verification of critical
personal information (e.g., a gun purchaser's criminal record), just to
name a few. There is, however, another issue: information privacy. To
the extent that the ability to access, collect, store, analyze, and
disseminate data has never been greater, the threat to personal
information privacy has never been greater either. 1A3
---------------------------------------------------------------------------
\3\ 1A According to the First Annual Report of the Privacy
Rights Clearinghouse in California (January 1994), the Clearinghouse
hotline received over eleven thousand calls during its first year of
operation. Sixty-three percent of them related to direct marketing
(unsolicited mail and telephone calls), credit reporting, and Social
Security Numbers. Other topics of concern included medical records,
workplace monitoring, wiretapping, harassing telephone calls,
merchant information-gathering practices, government records, called
ID, and wireless telephones.
---------------------------------------------------------------------------
5. The truth is, the NII will only achieve its full potential if
individual privacy is properly protected. Absent such protections,
individuals may be reluctant to participate in the NII, fearful that
the risks to personal privacy outweigh the benefits. Citizens should
not have to make that choice; rather, they should be assured that the
use of personal information will be appropriately limited. The adoption
of fair information principles is a critical first step in that
direction.
6. Although Fair Information Principles currently exist, [see
Advisory Committee on Automated Personal Data Systems, Records,
Computers and the Rights of Citizens, (Washington, D.C., Department of
Health, Education and Welfare, 1973)], it is clearly time that they be
rewritten to address the issues raised by our new electronic
environment, as well as cover paper records. The most major concerns:
(1) It is no longer governments alone that collect and use large
quantities of personal data; the private sector clearly rivals the
government sector in information usage. As such, these new principles
should apply to both the government and private sectors.
(2) The NII will, if it fulfills its promise, be interactive; i.e.,
individuals about whom data relates (so-called ``data subjects'') will
become increasingly active participants, creating volumes of
communicative and transactional data. To the extent that individuals
are providing information about themselves, they too should have
obligations when using the NII.
(3) The transport vehicles for this information (the networks) are
vulnerable to abuse; thus, the reliability of the network itself
becomes critical to the future success of the NII.
(4) Traditional ethical rules, long-accepted when dealing with
tangible objects, are not easily applied in the new electronic
environment, and all NII participants must be educated in the proper
use of the NII. Consider, for example, how an individual who would
never trespass in the home of another might attempt to justify computer
hacking as an intellectual exercise. Indeed, what constitutes a proper
use of the NII or NII information might not be intuitively obvious.
Whether a particular use is acceptable may depend on a host of factors
including, but by no means limited to, the purpose for which the data
was collected, whether the use is compatible with that purpose, and
whether the use is specifically authorized by law. In such an
environment, individuals need to be educated about the proper use of
both the NII and the information it contains.
7. As ambitious as the task is, these Principles attempt to address
these issues. That said, one must recognize the limitations inherent in
any such principles. First, the Principles are not intended to have the
force of law. Broad sweeping principles provide a framework for
addressing fair information practices, but any specific regulatory
implementation must be sector by sector. This is because each
information sector (e.g., medical, financial, law enforcement, national
security, research and statistics) has specific and unique needs that
cannot be addressed by general principles.
8. Second, the Principles are only intended to apply domestically;
although, to the best of our knowledge, these Principles are in accord
with current international guidelines regarding personal privacy and
data protection, and should not hinder the ongoing development of an
international information infrastructure.
9. Third, the Principles only address information identifiable to a
living individual. It makes little sense to restrict the use of
information that does not relate to an identifiable living person, and
to do so would unduly hamper researchers and others who use large
quantities of data for generic statistical purposes.
10. Finally, although the Principles are written broadly, there
will no doubt be times when their strict application would be
inappropriate. For example, public safety could be undermined if law
enforcement had to seek a data subject's approval before obtaining
transactional records relevant to an ongoing criminal investigation on
the theory that this use was incompatible with the purpose for which
the records were originally created. To account for such cases, the
words ``as appropriate'' or ``to the extent reasonable'' appear in the
Principles. This is not to suggest, however, that the Principles need
not be rigorously adhered to. To the contrary, the need to diverge from
a given principle should be the exception, not the rule, and should
only occur when there is an compelling reason. For in the end, it is
adherence to these Principles that is critical to developing trust
between data users and data subjects in the electronic information age.
General Principles for the National Information Infrastructure
11. We begin with the three principles that apply to all NII
participants: information collectors, information users, and
individuals (``data subjects''). These three principles, relating to
privacy and information integrity, provide the underpinnings for the
successful implementation of the NII. They state clearly that
individuals are entitled to a reasonable expectation of information
privacy, and that efforts should be made to ensure that information is
adequately protected and used appropriately.
12. If the NII is to be trusted, participants must have a
reasonable expectation of privacy in personal information. Although
individuals harbor subjective expectations of privacy, these must be
honored only to the extent that society is prepared to recognize those
subjective expectations as objectively reasonable. For example, an
individual who posts an unencrypted personal message in an area of a
bulletin board service that is provided for open, public messages
cannot reasonably expect that his/her message will only be read by the
individual listed in the salutation. Where a subjective expectation of
privacy is made clear and is objectively reasonable, however,
individuals should have their privacy respected.
13. NII participants must also be able to rely upon the integrity
of the information contained in and transmitted through the NII. This
will be the case only if the information is secure from improper
disclosure and alteration, and if the information is accurate, timely,
complete, and relevant for the purpose for which it is used. The
responsibility of providing adequate security and reliable information
falls properly on all participants in the NII.
14. We recognize, of course, that individuals and organizations do
not always provide accurate and complete data when requested. Large
data brokers, as well as privacy advocates, may intentionally provide
false data as a method of monitoring data flow. For example, an
individual who misspells his name slightly when dealing with one
company and then receives mail, with the name similarly misspelled,
from a second company, may now be aware that the first company has
disseminated his name to others. We do not intend to suggest that any
falsehood violates this principle. It would violate this principle,
however, to provide false information to create some improper result
(such as receiving illegitimate benefits or injuring another).
Responsibilities of Original Collectors (i.e., Entities that
Collect Information Directly from the Individual) of Personal
Information
15. One of the most alluring features of the NII--easy access to
and dissemination of information--also provides one of its most vexing
problems: it is impossible for an individual to identify all the other
individuals and organizations that may possess some personal
information about himself or herself. At the risk of over-
simplification, there are essentially two types of data users: those
who collect information directly from the data subject, and those who
do not. By necessity, the rules for these two groups must differ.
16. Those who collect information directly from the individual
should inform the data subject
(1) how the information collected will be used,
(2) whether the information will remain confidential and be
protected against improper access or alteration, and
(3) the consequences of providing or withholding the requested
information.
The fulfilling of these obligations will ensure that individuals
have a meaningful opportunity to exercise sound judgment in accordance
with the Principles for Individuals Who Provide Personal Information.
Juxtaposed, the Principles for Information Collectors and Principles
for Individuals Who Provide Personal Information highlight the true
interactive nature of the NII and the ideal symbiotic relationship
between data collectors and data subjects.
17. It is simply impossible, of course, to impose these Information
Collector obligations on entities that have no direct relationship with
the individual. If every recipient of data were required to contact
every individual on whom they receive data to provide some form of
notice, the exchange of information would become unduly burdensome, and
the benefits of the NII would be lost. On the other hand, information
dispersion will be common on the NII and the following principles,
designed to promote fair information use, should apply to all data
users (including data collectors).
Responsibilities of Information Users (i.e., Information Collectors
and Entities that Obtain, Process, Send or Store Personal
Information).
18. In an environment where individuals cannot realistically know
where all personal information about them resides, and cannot account
for each use of that information, it is simply impossible for
individuals to ensure that personal information is used fairly. In some
cases, even arguably adverse actions may go unnoticed, and therefore
redress will not be available. For example, a company may decide not to
include an individual in a mass mailing offer regarding a financial
opportunity because an analysis of that individual's credit history
suggests the individual is a bad credit risk. In such an environment,
it is particularly important to ensure that data users use personal
information in acceptable ways. The following principles, which apply
to all users (including Collectors), fall into four categories:
Acquisition and Use, Protection, Education, and Fairness.
A. Acquisition and Use Principles
19. The benefit of information lies in its use, but such use may
also have a negative effect on personal privacy. Additionally, that
privacy, once lost, cannot always be entirely restored (consider, for
example, the extent to which the inappropriate release of extremely
embarrassing personal information is rectified by a public apology). To
protect the information privacy of individuals adequately requires that
the effect of data use be considered before personal information is
obtained or used. In assessing this effect, data users will need to
consider not just the effect of their action on the individual, but
other factors (such as public opinion and market forces) which may be
relevant in determining whether a particular data use is appropriate.
20. It may well be that the effect on personal privacy has been
considered and it has been decided, appropriately, to obtain and use
personal information for some purpose. In such cases, the data user
should obtain only that information which could reasonably be expected
to support current or planned activities. Although the cost of storing
information continues to decrease, it is simply inappropriate to
collect volumes of personal information because it may, in the future,
prove to be of some unanticipated value. Moreover, once collected,
personal information should only be used for those current or planned
activities, or other compatible purposes. Incompatible uses not
authorized by law should not be undertaken without consultation with
the data subject. See, Fairness Principles, below. Finally, information
should only be kept as long as necessary. It should be destroyed when
appropriate.
21. Reasonable efforts should be made to ensure that information
that will be relied upon is accurate, timely, complete, and relevant.
It must be recognized that information which is accurate when collected
may not be used for years, and the use of stale information may have
unfair or inaccurate results.
B. Protection Principle
22. In a networked environment, the risk of unauthorized access
(i.e., loss of confidentiality) and unauthorized alteration (i.e., loss
of data integrity) increases exponentially. Both insiders and outsiders
may browse through information they have no right to see, or make hard-
to-detect changes in data which will then be relied upon in making
decisions that affect the individual. For example, our national health
system expects to become an intentive user of the NII. A hospital in
remote part of the country may pass x-rays through the NII for review
by a renowned radiologist at a teaching hospital in another part of the
country. For improving the quality of patient care, the benefits of
such transfers are enormous. Yet, it is unlikely that such sensitive
data will be passed through a system where it could be subject to
unauthorized alteration and potential misuse? It is therefore incumbent
on data users to protect the data commensurate with the harm that might
occur if the data were improperly disclosed or altered. Additionally,
the level of protection should be consistent with whatever the data
subject was told if the data was collected directly from the
individual.
23. It is not enough, however, to rely upon technical controls.
Although technological safeguards can serve to protect data
confidentiality and integrity, there is a human component that defies a
solely technical solution. For example, insiders--those who are
authorized to access and alter data--may not violate access controls
when they improperly alter or delete data they are authorized to
change. Therefore, the protections employed must be multi-faceted and
include technical solutions, management solutions (e.g., creating an
environment where fair information practices are the accepted norm),
and educational solutions (e.g., providing data handlers with proper
training).
C. Education Principle
24. The Education Principle represents a significant addition to
the traditional Fair Information Principles. The effect of the NII on
both data use and personal privacy is by no means readily apparent.
Most individuals are ignorant as to the amount of personal information
already networked, and may not recognize how their lives can be
affected by networked information.
25. It is important that information users appreciate how the NII
affects information privacy, and that individuals understand the ways
in which personal information can be used in this new environment.
Thus, data users need to educate themselves, their own employees, and
the public in general about how personal information is obtained,
transmitted, used and stored, including what types of security measures
are being used to protect data confidentiality and data integrity.
D. Fairness Principles
26. If information can be used to adversely affect an individual,
it is only fair that individual have a reasonable means to obtain,
review, and correct personal information about himself or herself.
Moreover, to the extent adverse actions are taken against the
individual, the individual should be notified and have a means of
redress. Equally important, the data collector should explain to the
individual exactly what that means of redress is. Redress may take many
forms (mediation, arbitration, civil suit, criminal prosecution) and be
offered in different forums (federal, state, local) but cannot be
imposed by these principles.
27. One of the most difficult issues is dealing with incompatible
uses of previously collected information. An incompatible use is not
necessarily a bad use; in fact, it may be of considerable benefit to
either a data subject or society as a whole. A data subject may
benefit, for example, when a customer mailing list is used to warn
those customers that a product that they purchased is defective and may
cause serious physical injury. Society as a whole may benefit when
criminal conviction information is used for some purpose not originally
contemplated such as screening candidates for child care positions or
weapons purchases. Similarly, researchers and statisticians using
previously collected information may determine the cause of a
potentially fatal disease such as cancer.
28. On the other hand, without some limitation, information use may
know no boundaries. Individuals who disclose information for one
purpose may then be subjected to unintended and undesired consequences,
and this will discourage them from disclosing personal information in
the future. To ensure that this does not occur, information should only
be used in ways compatible with the purposes for which it was collected
and, before incompatible uses occur, they must either be authorized by
law or the individual data subject should be notified so that he or she
can opt out of such use.
Rights and Responsibilities of Individuals who Provide Personal
Information
29. As noted, the NII has significant implications for information
use and personal privacy. In such an interactive environment, it is not
sufficient for individuals to disclose personal information and then
abdicate responsibility for the consequences; rather, individuals must
take an active role in deciding whether to disclose personal
information in the first instance. But if individuals are to be held
responsible for making these choices, they must be empowered to make
intelligent choices. This requires that they receive meaningful
information on the intended uses of the information they provide, and
the consequences for providing or withholding personal information. For
these purposes, the ``Principles for Individuals who Provide Personal
Information'' create two discrete categories that apply to individuals:
Awareness and Redress.
A. Awareness Principles
30. Awareness encompasses the notion that individuals should
understand the ways in which personal information may be used, and the
results that flow from such use. This will allow them to make
intelligent choices regarding the disclosure of personal information.
31. Increasingly, individuals are being asked to surrender personal
information about themselves. Sometimes the inquiry is straight-
forward; for example, a bank may ask for personal information prior to
processing a loan request. In this type of situation, it may be clear
to the individual the purpose, or at least the primary purpose, for
which the information is sought (e.g., processing the loan
application). There may, however, be secondary uses which are not so
immediately obvious, such as being put on a mailing list for a credit
card solicitation. Indeed, there are no doubt many times when
individuals decide to disclose information without being fully
cognizant of the many ways in which that information may ultimately be
used.
32. It is difficult, if not impossible, to anticipate all such
uses. Individuals who pay for medical services with a charge card may
not recognize that they are creating transactional records from which
others may attempt to ascertain the current state of the individual's
health. Equally problematic is that the assumptions drawn from such
data may be false, and the individual may never know that the data has
been used to reach some conclusion, or take some action, regarding his
or her future.
33. It is impossible to formulate any set of principles that can
cover comprehensively all possible uses of information. Nor would such
an attempt be wise for, in fact, different people desire and expect
different levels of privacy, and hold different concerns regarding the
ultimate use of personal data. Ultimately, whether an individual
chooses to disclose personal information, or create a transactional
record, should depend upon the individual's own wishes unless, of
course, the information is required by law.
34. The Awareness Principles recognize the importance of personal
choice and cultivate an environment where these critical personal
decisions can be made intelligently. For whatever the degree of
personal interest in information privacy, it is critical that
individuals receive enough facts to make rational choices regarding the
disclosure of personal information.
35. First and foremost, an individual should know the intended
primary and secondary uses of the information. Second, individuals
should determine whether efforts will be made to assure data
confidentiality and data integrity. In some cases, confidentiality may
be required by law (e.g., tax records), but of equal concern may be the
technical and managerial controls in place to protect the data. This
principle does not mean that the individual should obtain a technical
explanation regarding the security measures used to protect such data.
Indeed, such technical explanations might be unwelcome, unwarranted and
counterproductive (widespread disclosure of the technical measures used
might actually expose vulnerabilities in a given system). But
individuals should be told whether the information is intended to
remain confidential and whether efforts will be made to preserve data
integrity. Some individuals might choose not to disclose personal data
if they knew that the data provided was freely obtainable by others, or
might easily be altered.
36. Individuals should also be informed of the consequences of
providing or withholding information. Data subjects should be told
whether disclosing the requested information is mandatory (i.e.,
required by law) or voluntary, and the consequences that can flow from
their decision. We recognize fully that even when disclosure is legally
``voluntary,'' it may in fact be coerced (e.g., the refusal to
``voluntarily'' provide information may result in the denial of
critical life-sustaining benefits). General principles cannot resolve
such difficult issues but clearly, whatever the consequences, they
should be clearly articulated.
37. Lastly, there will be times when individuals feel aggrieved by
the improper use of personal information. If redress is available,
individuals should be aware of that fact, and be informed as to how
such redress can be obtained.
B. Principle of Redress
38. Invariably, people will be harmed by the improper disclosure or
improper use of personal information. It is therefore important to
implement proactive measures to limit that harm, and reactive measures
to provide relief when harm occurs.
39. To the extent inaccurate information can be used to harm
individuals, it follows that individuals may wish to ensure that
collected and stored personal information is in fact accurate and
complete. For this reason, individuals should be able to obtain from
data users, as appropriate, a copy of this personal information and
have the opportunity to correct inaccurate information. This may allow
them, proactively, to prevent anticipated harms. This principle is,
however, limited in scope. Although, idealistically, all stored
personal information should be accurate, the fact remains that
inaccurate personal information does and will exist, and correcting
inaccurate data cannot be done without cost. Pragmatically, it makes
little or no sense to devote resources to correcting data that cannot
be used to harm the individual, and therefore the opportunity to review
personal information in order to correct data inaccuracies is limited
to those cases where harm may occur.
40. When final actions are taken against individuals, they are
entitled to notice. Absent notice, it may be impossible to seek
available redress. Moreover, redress should be available for
individuals who have been harmed by the improper use of information
(including the use of inaccurate information). To ensure that
individuals can take advantage of these redress mechanisms, the
awareness principle, as noted above, requires that individuals be
informed of the remedies available.
[FR Doc. 94-12761 Filed 5-24-94; 8:45 am]
BILLING CODE 3110-01-F