[Federal Register Volume 59, Number 100 (Wednesday, May 25, 1994)]
[Unknown Section]
[Page 0]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 94-12761]


[[Page Unknown]]

[Federal Register: May 25, 1994]


_______________________________________________________________________

Part VII





Office of Management and Budget





_______________________________________________________________________




Draft Principles for Providing and Using Personal Information; Notices
OFFICE OF MANAGEMENT AND BUDGET

 
Draft Principles for Providing and Using Personal Information

AGENCY: Office of Management and Budget

ACTION: Notice with request for comments.

-----------------------------------------------------------------------

SUMMARY: OMB is publishing these draft principles on behalf of the 
Working Group on Privacy of the Information Policy Committee of the 
Information Infrastructure Task Force. They were developed by the 
Working Group to update the Code of Fair Information Practices 
developed in the early 1970's.

DATES: Comments should be submitted no later than June 13, 1994.

ADDRESSES: Comments should be sent to the Working Group on Privacy, c/o 
the NII Secretariat, National Telecommunications and Information 
Administration, U.S. Department of Commerce, Room 4892, Washington, 
D.C. 20230. The Principles and Commentary can be downloaded from the 
IITF/Gopher/Bulletin Board System: 202 09501 091920. The IITF/Gopher 
Bullletin Board can be accessed through the Internet by pointing your 
Gopher Client to iitf.doc.gov or by telnet to iitf.doc.gov and login as 
gopher. Electronic comments may be sent to [email protected].

FOR FURTHER INFORMATION CONTACT: Mr. Robert N. Veeder, Information 
Policy Branch, Office of Information and Regulatory Affairs, Office of 
Management and Budget, Room 3235 NEOB, Washington, D.C. 20503. Voice 
telephone (202) 395 093785

SUPPLEMENTARY INFORMATION:
    Request for Comments on the draft Principles for Providing and 
Using Personal Information and their Commentary.
    The draft Principles for Providing and Using Personal Information 
and the associated Commentary are the first work product of the 
Information Infrastructure Task Force's Working Group on Privacy. They 
are intended to update the Code of Fair Information Practices that was 
developed in the early 1970s. While many of the Code's principles are 
still valid, the Code itself was developed in an era when paper records 
were the norm.
    The advent of the National Information Infrastructure has caused 
two things to change dramatically. No longer is information usage bound 
by the limitations of paper--the seamless web of networks linking us to 
each other is creating an interactive environment in which all of the 
participants must share certain responsibilities. Moreover, non-
governmental usage rivals the government's, and is largely unregulated.
    The following Principles were developed with the goal of providing 
guidance to all participants in this new interactive world. The Working 
Group recognizes that the Principles cannot apply uniformly to all 
sectors. They must be carefully adapted to specific circumstances. 
Nevertheless, the developers believe that the responsibilities and 
relationships the Principles describe are basic ones. As such, they are 
intended to assist legislators, regulators, and companies as they 
develop codes of practice.
    The Working Group invites public comment on the Principles and 
Commentary. We are especially interested in understanding how the 
Principles would work in this new interactive electronic environment 
and particularly in non-governmental settings. Are they workable? How, 
if at all, should they be changed? We hope that those who obtain the 
Principles for review and comment will also share them as widely as 
possible with others who might be interested in them.

Principles for Providing and Using Personal Information

Preamble
    The United States is committed to building a National Information 
Infrastructure (NII) to meet the information needs of its citizens. 
This infrastructure, essentially created by advances in technology, is 
expanding the level of interactivity, enhancing communication, and 
allowing easier access to services. As a result, many more users are 
discovering new, previously unimagined uses for personal information. 
In this environment, we are challenged to develop new principles to 
guide participants in the NII in the fair use of personal information.
    Traditional fair information practices, developed in the age of 
paper records, must be adapted to this new environment where 
information and communications are sent and received over networks on 
which users have very different capabilities, objectives and 
perspectives. Specifically, new principles must acknowledge that all 
members of our society (government, industry, and individual citizens), 
share responsibility for ensuring the fair treatment of individuals in 
the use of personal information, whether in paper or electronic form. 
Moreover, the principles should recognize that the interactive nature 
of the NII will empower individuals to participate in protecting 
information about themselves. The new principles should also make it 
clear that this is an active responsibility requiring openness about 
the process, a commitment to fairness and accountability, and continued 
attention to security. Finally, principles must recognize the need to 
educate all participants about the new information infrastructure and 
how it will affect their lives.
    These ``Principles for Providing and Using Personal Information'' 
recognize the changing roles of government and industry in information 
collection and use. Thus they are intended to be equally applicable to 
public and private entities that collect and use personal information. 
However, these Principles are not intended to address all information 
uses and protection concerns for each segment of the economy or 
function of government. Rather, they should provide the framework from 
which specialized principles can be developed.

I. General Principles for the National Information Infrastructure

A. Information Privacy Principle
    1. Individuals are entitled to a reasonable expectation of 
information privacy.
B. Information Integrity Principles
    Participants in the NII rely upon the integrity of the information 
it contains. It is therefore the responsibility of all participants to 
ensure that integrity. In particular, participants in the NII should, 
to the extent reasonable:
    Ensure that information is secure, using whatever means are 
appropriate;
    Ensure that information is accurate, timely, complete, and relevant 
for the purpose for which it is given.

II. Principle for Information Collectors (i.e. entities that 
collect personal information directly from the individual)

A. Collection Principle
    Before individuals make a decision to provide personal information, 
they need to know how it is intended to be used, how it will be 
protected, and what will happen if they provide or withhold the 
information. Therefore, collectors of this information should:
    1. Tell the individual why they are collecting the information, 
what they expect it will be used for, what steps they will take to 
protect its confidentiality and integrity, the consequences of 
providing or withholding information, and any rights of redress.

III. Principles for Information Users (i.e. Information Collectors 
and entities that obtain, process, send or store personal 
information)

A. Acquisition and Use Principles
    Users of personal information must recognize and respect the stake 
individuals have in the use of personal information. Therefore, users 
of personal information should:
    Assess the impact on personal privacy of current or planned 
activities before obtaining or using personal information;
    Obtain and keep only information that could reasonably be expected 
to support current or planned activities and use the information only 
for those or compatible purposes;
    Assure that personal information is as accurate, timely, complete 
and relevant as necessary for the intended use;
B. Protection Principle
    Users of personal information must take reasonable steps to prevent 
the information they have from being disclosed or altered improperly. 
Such users should:
    1. Use appropriate managerial and technical controls to protect the 
confidentiality and integrity of personal information.
C. Education Principle
    The full effect of the NII on both data use and personal privacy is 
not readily apparent, and individuals may not recognize how their lives 
can be affected by networked information. Therefore, information users 
should:
    1. Educate themselves, their employees, and the public about how 
personal information is obtained, sent, stored and protected, and how 
these activities affect others.
D. Fairness Principles
    Because information is used to make decisions that affect 
individuals, those decisions should be fair. Information users should, 
as appropriate:
    Provide individuals a reasonable means to obtain, review, and 
correct their own information;
    Inform individuals about any final actions taken against them and 
provide individuals with means to redress harm resulting from improper 
use of personal information;
    Allow individuals to limit the use of their personal information if 
the intended use is incompatible with the original purpose for which it 
was collected, unless that use is authorized by law.

IV. Principles for Individuals who Provide Personal Information

A. Awareness Principles
    While information collectors have a responsibility to tell 
individuals why they want information about them, individuals also have 
a responsibility to understand the consequences of providing personal 
information to others. Therefore, individuals should obtain adequate, 
relevant information about:
    Planned primary and secondary uses of the information;
    Any efforts that will be made to protect the confidentiality and 
integrity of the information;
    Consequences for the individual of providing or withholding 
information;
    Any rights of redress the individual has if harmed by improper use 
of the information.
B. Redress Principles
    Individuals should be protected from harm resulting from inaccurate 
or improperly used personal information. Therefore, individuals should, 
as appropriate:
    Be given means to obtain their information and be provided 
opportunity to correct inaccurate information that could harm them;
    Be informed of any final actions taken against them and what 
information was used as a basis for the decision;
    Have a means of redress if harmed by an improper use of their 
personal information.

Principles for Providing and Using Personal Information

Commentary
    1. With the initiation and expansion of the National Information 
Infrastructure (NII), 1A1 the information age is clearly upon us. 
The ability to access, collect, store, analyze, and disseminate data at 
an acceptable cost has never been greater, and continuing advances in 
computer and telecommunications technologies, especially interactive 
applications, will serve to ensure that the amount of electronically 
stored personal information and transactional data will continue to 
grow at a healthy pace.
---------------------------------------------------------------------------

    \1\ 1A The term ``NII'' refers to a seamless web of 
communications networks, computers, databases, and consumer 
electronics that will put vast amounts of information at users' 
fingertips.
---------------------------------------------------------------------------

    2. Cost is, of course, the overriding factor. Continually 
decreasing hardware, software and networking costs allow individuals 
and organizations to use data in ways that were previously, in a non-
electronic world, cost-prohibitive. For example, if someone were 
interested in building a dossier on a citizen who had lived in four 
different states, that dossier could have been built ``manually'' by 
travelling from state to state (or hiring individuals in each state) to 
compile public records pertaining to that individual's birth, motor 
vehicle registration, driver's license, real property holdings, voting, 
etc. This would have required, however, filling out forms, paying fees, 
and perhaps waiting in long lines for record searches at various state 
and local office buildings. In short, it could be done, but it would 
have been a time-consuming and costly exercise; thus, it would not be 
done unless the reward for building this dossier were considerable. If 
the ultimate goal were to collate data on thousands of 
individuals,analytical processing costs would also be added to the mix.
    3. Today, such a dossier can be built in a matter of minutes, at 
minimal cost, assuming all the needed information is on-line. 1A2 
Indeed, with the NII, the assumption is that large amounts of sensitive 
information will be on line, and can be accessed, perhaps without 
authority, by a large number of network users. With advanced 
networking, each link in the chain--access, collection, storage, and 
analysis--becomes a cost-effective method of using information, as does 
the ability to disseminate the final collated product to others.
---------------------------------------------------------------------------

    \2\ 1A This ease of access has led some to question whether even 
traditionally public information, e.g., automobile registration and 
drivers' licensing information, should be available on-line.
---------------------------------------------------------------------------

    4. Such networking offers considerable benefits. The NII holds 
forth the promise of greater public participation in society, advances 
in medical treatment and research, and quick verification of critical 
personal information (e.g., a gun purchaser's criminal record), just to 
name a few. There is, however, another issue: information privacy. To 
the extent that the ability to access, collect, store, analyze, and 
disseminate data has never been greater, the threat to personal 
information privacy has never been greater either. 1A3
---------------------------------------------------------------------------

    \3\ 1A According to the First Annual Report of the Privacy 
Rights Clearinghouse in California (January 1994), the Clearinghouse 
hotline received over eleven thousand calls during its first year of 
operation. Sixty-three percent of them related to direct marketing 
(unsolicited mail and telephone calls), credit reporting, and Social 
Security Numbers. Other topics of concern included medical records, 
workplace monitoring, wiretapping, harassing telephone calls, 
merchant information-gathering practices, government records, called 
ID, and wireless telephones.
---------------------------------------------------------------------------

    5. The truth is, the NII will only achieve its full potential if 
individual privacy is properly protected. Absent such protections, 
individuals may be reluctant to participate in the NII, fearful that 
the risks to personal privacy outweigh the benefits. Citizens should 
not have to make that choice; rather, they should be assured that the 
use of personal information will be appropriately limited. The adoption 
of fair information principles is a critical first step in that 
direction.
    6. Although Fair Information Principles currently exist, [see 
Advisory Committee on Automated Personal Data Systems, Records, 
Computers and the Rights of Citizens, (Washington, D.C., Department of 
Health, Education and Welfare, 1973)], it is clearly time that they be 
rewritten to address the issues raised by our new electronic 
environment, as well as cover paper records. The most major concerns:
    (1) It is no longer governments alone that collect and use large 
quantities of personal data; the private sector clearly rivals the 
government sector in information usage. As such, these new principles 
should apply to both the government and private sectors.
    (2) The NII will, if it fulfills its promise, be interactive; i.e., 
individuals about whom data relates (so-called ``data subjects'') will 
become increasingly active participants, creating volumes of 
communicative and transactional data. To the extent that individuals 
are providing information about themselves, they too should have 
obligations when using the NII.
    (3) The transport vehicles for this information (the networks) are 
vulnerable to abuse; thus, the reliability of the network itself 
becomes critical to the future success of the NII.
    (4) Traditional ethical rules, long-accepted when dealing with 
tangible objects, are not easily applied in the new electronic 
environment, and all NII participants must be educated in the proper 
use of the NII. Consider, for example, how an individual who would 
never trespass in the home of another might attempt to justify computer 
hacking as an intellectual exercise. Indeed, what constitutes a proper 
use of the NII or NII information might not be intuitively obvious. 
Whether a particular use is acceptable may depend on a host of factors 
including, but by no means limited to, the purpose for which the data 
was collected, whether the use is compatible with that purpose, and 
whether the use is specifically authorized by law. In such an 
environment, individuals need to be educated about the proper use of 
both the NII and the information it contains.
    7. As ambitious as the task is, these Principles attempt to address 
these issues. That said, one must recognize the limitations inherent in 
any such principles. First, the Principles are not intended to have the 
force of law. Broad sweeping principles provide a framework for 
addressing fair information practices, but any specific regulatory 
implementation must be sector by sector. This is because each 
information sector (e.g., medical, financial, law enforcement, national 
security, research and statistics) has specific and unique needs that 
cannot be addressed by general principles.
    8. Second, the Principles are only intended to apply domestically; 
although, to the best of our knowledge, these Principles are in accord 
with current international guidelines regarding personal privacy and 
data protection, and should not hinder the ongoing development of an 
international information infrastructure.
    9. Third, the Principles only address information identifiable to a 
living individual. It makes little sense to restrict the use of 
information that does not relate to an identifiable living person, and 
to do so would unduly hamper researchers and others who use large 
quantities of data for generic statistical purposes.
    10. Finally, although the Principles are written broadly, there 
will no doubt be times when their strict application would be 
inappropriate. For example, public safety could be undermined if law 
enforcement had to seek a data subject's approval before obtaining 
transactional records relevant to an ongoing criminal investigation on 
the theory that this use was incompatible with the purpose for which 
the records were originally created. To account for such cases, the 
words ``as appropriate'' or ``to the extent reasonable'' appear in the 
Principles. This is not to suggest, however, that the Principles need 
not be rigorously adhered to. To the contrary, the need to diverge from 
a given principle should be the exception, not the rule, and should 
only occur when there is an compelling reason. For in the end, it is 
adherence to these Principles that is critical to developing trust 
between data users and data subjects in the electronic information age.

General Principles for the National Information Infrastructure

    11. We begin with the three principles that apply to all NII 
participants: information collectors, information users, and 
individuals (``data subjects''). These three principles, relating to 
privacy and information integrity, provide the underpinnings for the 
successful implementation of the NII. They state clearly that 
individuals are entitled to a reasonable expectation of information 
privacy, and that efforts should be made to ensure that information is 
adequately protected and used appropriately.
    12. If the NII is to be trusted, participants must have a 
reasonable expectation of privacy in personal information. Although 
individuals harbor subjective expectations of privacy, these must be 
honored only to the extent that society is prepared to recognize those 
subjective expectations as objectively reasonable. For example, an 
individual who posts an unencrypted personal message in an area of a 
bulletin board service that is provided for open, public messages 
cannot reasonably expect that his/her message will only be read by the 
individual listed in the salutation. Where a subjective expectation of 
privacy is made clear and is objectively reasonable, however, 
individuals should have their privacy respected.
    13. NII participants must also be able to rely upon the integrity 
of the information contained in and transmitted through the NII. This 
will be the case only if the information is secure from improper 
disclosure and alteration, and if the information is accurate, timely, 
complete, and relevant for the purpose for which it is used. The 
responsibility of providing adequate security and reliable information 
falls properly on all participants in the NII.
    14. We recognize, of course, that individuals and organizations do 
not always provide accurate and complete data when requested. Large 
data brokers, as well as privacy advocates, may intentionally provide 
false data as a method of monitoring data flow. For example, an 
individual who misspells his name slightly when dealing with one 
company and then receives mail, with the name similarly misspelled, 
from a second company, may now be aware that the first company has 
disseminated his name to others. We do not intend to suggest that any 
falsehood violates this principle. It would violate this principle, 
however, to provide false information to create some improper result 
(such as receiving illegitimate benefits or injuring another).

Responsibilities of Original Collectors (i.e., Entities that 
Collect Information Directly from the Individual) of Personal 
Information

    15. One of the most alluring features of the NII--easy access to 
and dissemination of information--also provides one of its most vexing 
problems: it is impossible for an individual to identify all the other 
individuals and organizations that may possess some personal 
information about himself or herself. At the risk of over-
simplification, there are essentially two types of data users: those 
who collect information directly from the data subject, and those who 
do not. By necessity, the rules for these two groups must differ.
    16. Those who collect information directly from the individual 
should inform the data subject
    (1) how the information collected will be used,
    (2) whether the information will remain confidential and be 
protected against improper access or alteration, and
    (3) the consequences of providing or withholding the requested 
information.
    The fulfilling of these obligations will ensure that individuals 
have a meaningful opportunity to exercise sound judgment in accordance 
with the Principles for Individuals Who Provide Personal Information. 
Juxtaposed, the Principles for Information Collectors and Principles 
for Individuals Who Provide Personal Information highlight the true 
interactive nature of the NII and the ideal symbiotic relationship 
between data collectors and data subjects.
    17. It is simply impossible, of course, to impose these Information 
Collector obligations on entities that have no direct relationship with 
the individual. If every recipient of data were required to contact 
every individual on whom they receive data to provide some form of 
notice, the exchange of information would become unduly burdensome, and 
the benefits of the NII would be lost. On the other hand, information 
dispersion will be common on the NII and the following principles, 
designed to promote fair information use, should apply to all data 
users (including data collectors).

Responsibilities of Information Users (i.e., Information Collectors 
and Entities that Obtain, Process, Send or Store Personal 
Information).

    18. In an environment where individuals cannot realistically know 
where all personal information about them resides, and cannot account 
for each use of that information, it is simply impossible for 
individuals to ensure that personal information is used fairly. In some 
cases, even arguably adverse actions may go unnoticed, and therefore 
redress will not be available. For example, a company may decide not to 
include an individual in a mass mailing offer regarding a financial 
opportunity because an analysis of that individual's credit history 
suggests the individual is a bad credit risk. In such an environment, 
it is particularly important to ensure that data users use personal 
information in acceptable ways. The following principles, which apply 
to all users (including Collectors), fall into four categories: 
Acquisition and Use, Protection, Education, and Fairness.
A. Acquisition and Use Principles
    19. The benefit of information lies in its use, but such use may 
also have a negative effect on personal privacy. Additionally, that 
privacy, once lost, cannot always be entirely restored (consider, for 
example, the extent to which the inappropriate release of extremely 
embarrassing personal information is rectified by a public apology). To 
protect the information privacy of individuals adequately requires that 
the effect of data use be considered before personal information is 
obtained or used. In assessing this effect, data users will need to 
consider not just the effect of their action on the individual, but 
other factors (such as public opinion and market forces) which may be 
relevant in determining whether a particular data use is appropriate.
    20. It may well be that the effect on personal privacy has been 
considered and it has been decided, appropriately, to obtain and use 
personal information for some purpose. In such cases, the data user 
should obtain only that information which could reasonably be expected 
to support current or planned activities. Although the cost of storing 
information continues to decrease, it is simply inappropriate to 
collect volumes of personal information because it may, in the future, 
prove to be of some unanticipated value. Moreover, once collected, 
personal information should only be used for those current or planned 
activities, or other compatible purposes. Incompatible uses not 
authorized by law should not be undertaken without consultation with 
the data subject. See, Fairness Principles, below. Finally, information 
should only be kept as long as necessary. It should be destroyed when 
appropriate.
    21. Reasonable efforts should be made to ensure that information 
that will be relied upon is accurate, timely, complete, and relevant. 
It must be recognized that information which is accurate when collected 
may not be used for years, and the use of stale information may have 
unfair or inaccurate results.
B. Protection Principle
    22. In a networked environment, the risk of unauthorized access 
(i.e., loss of confidentiality) and unauthorized alteration (i.e., loss 
of data integrity) increases exponentially. Both insiders and outsiders 
may browse through information they have no right to see, or make hard-
to-detect changes in data which will then be relied upon in making 
decisions that affect the individual. For example, our national health 
system expects to become an intentive user of the NII. A hospital in 
remote part of the country may pass x-rays through the NII for review 
by a renowned radiologist at a teaching hospital in another part of the 
country. For improving the quality of patient care, the benefits of 
such transfers are enormous. Yet, it is unlikely that such sensitive 
data will be passed through a system where it could be subject to 
unauthorized alteration and potential misuse? It is therefore incumbent 
on data users to protect the data commensurate with the harm that might 
occur if the data were improperly disclosed or altered. Additionally, 
the level of protection should be consistent with whatever the data 
subject was told if the data was collected directly from the 
individual.
    23. It is not enough, however, to rely upon technical controls. 
Although technological safeguards can serve to protect data 
confidentiality and integrity, there is a human component that defies a 
solely technical solution. For example, insiders--those who are 
authorized to access and alter data--may not violate access controls 
when they improperly alter or delete data they are authorized to 
change. Therefore, the protections employed must be multi-faceted and 
include technical solutions, management solutions (e.g., creating an 
environment where fair information practices are the accepted norm), 
and educational solutions (e.g., providing data handlers with proper 
training).
C. Education Principle
    24. The Education Principle represents a significant addition to 
the traditional Fair Information Principles. The effect of the NII on 
both data use and personal privacy is by no means readily apparent. 
Most individuals are ignorant as to the amount of personal information 
already networked, and may not recognize how their lives can be 
affected by networked information.
    25. It is important that information users appreciate how the NII 
affects information privacy, and that individuals understand the ways 
in which personal information can be used in this new environment. 
Thus, data users need to educate themselves, their own employees, and 
the public in general about how personal information is obtained, 
transmitted, used and stored, including what types of security measures 
are being used to protect data confidentiality and data integrity.
D. Fairness Principles
    26. If information can be used to adversely affect an individual, 
it is only fair that individual have a reasonable means to obtain, 
review, and correct personal information about himself or herself. 
Moreover, to the extent adverse actions are taken against the 
individual, the individual should be notified and have a means of 
redress. Equally important, the data collector should explain to the 
individual exactly what that means of redress is. Redress may take many 
forms (mediation, arbitration, civil suit, criminal prosecution) and be 
offered in different forums (federal, state, local) but cannot be 
imposed by these principles.
    27. One of the most difficult issues is dealing with incompatible 
uses of previously collected information. An incompatible use is not 
necessarily a bad use; in fact, it may be of considerable benefit to 
either a data subject or society as a whole. A data subject may 
benefit, for example, when a customer mailing list is used to warn 
those customers that a product that they purchased is defective and may 
cause serious physical injury. Society as a whole may benefit when 
criminal conviction information is used for some purpose not originally 
contemplated such as screening candidates for child care positions or 
weapons purchases. Similarly, researchers and statisticians using 
previously collected information may determine the cause of a 
potentially fatal disease such as cancer.
    28. On the other hand, without some limitation, information use may 
know no boundaries. Individuals who disclose information for one 
purpose may then be subjected to unintended and undesired consequences, 
and this will discourage them from disclosing personal information in 
the future. To ensure that this does not occur, information should only 
be used in ways compatible with the purposes for which it was collected 
and, before incompatible uses occur, they must either be authorized by 
law or the individual data subject should be notified so that he or she 
can opt out of such use.

Rights and Responsibilities of Individuals who Provide Personal 
Information

    29. As noted, the NII has significant implications for information 
use and personal privacy. In such an interactive environment, it is not 
sufficient for individuals to disclose personal information and then 
abdicate responsibility for the consequences; rather, individuals must 
take an active role in deciding whether to disclose personal 
information in the first instance. But if individuals are to be held 
responsible for making these choices, they must be empowered to make 
intelligent choices. This requires that they receive meaningful 
information on the intended uses of the information they provide, and 
the consequences for providing or withholding personal information. For 
these purposes, the ``Principles for Individuals who Provide Personal 
Information'' create two discrete categories that apply to individuals: 
Awareness and Redress.
A. Awareness Principles
    30. Awareness encompasses the notion that individuals should 
understand the ways in which personal information may be used, and the 
results that flow from such use. This will allow them to make 
intelligent choices regarding the disclosure of personal information.
    31. Increasingly, individuals are being asked to surrender personal 
information about themselves. Sometimes the inquiry is straight-
forward; for example, a bank may ask for personal information prior to 
processing a loan request. In this type of situation, it may be clear 
to the individual the purpose, or at least the primary purpose, for 
which the information is sought (e.g., processing the loan 
application). There may, however, be secondary uses which are not so 
immediately obvious, such as being put on a mailing list for a credit 
card solicitation. Indeed, there are no doubt many times when 
individuals decide to disclose information without being fully 
cognizant of the many ways in which that information may ultimately be 
used.
    32. It is difficult, if not impossible, to anticipate all such 
uses. Individuals who pay for medical services with a charge card may 
not recognize that they are creating transactional records from which 
others may attempt to ascertain the current state of the individual's 
health. Equally problematic is that the assumptions drawn from such 
data may be false, and the individual may never know that the data has 
been used to reach some conclusion, or take some action, regarding his 
or her future.
    33. It is impossible to formulate any set of principles that can 
cover comprehensively all possible uses of information. Nor would such 
an attempt be wise for, in fact, different people desire and expect 
different levels of privacy, and hold different concerns regarding the 
ultimate use of personal data. Ultimately, whether an individual 
chooses to disclose personal information, or create a transactional 
record, should depend upon the individual's own wishes unless, of 
course, the information is required by law.
    34. The Awareness Principles recognize the importance of personal 
choice and cultivate an environment where these critical personal 
decisions can be made intelligently. For whatever the degree of 
personal interest in information privacy, it is critical that 
individuals receive enough facts to make rational choices regarding the 
disclosure of personal information.
    35. First and foremost, an individual should know the intended 
primary and secondary uses of the information. Second, individuals 
should determine whether efforts will be made to assure data 
confidentiality and data integrity. In some cases, confidentiality may 
be required by law (e.g., tax records), but of equal concern may be the 
technical and managerial controls in place to protect the data. This 
principle does not mean that the individual should obtain a technical 
explanation regarding the security measures used to protect such data. 
Indeed, such technical explanations might be unwelcome, unwarranted and 
counterproductive (widespread disclosure of the technical measures used 
might actually expose vulnerabilities in a given system). But 
individuals should be told whether the information is intended to 
remain confidential and whether efforts will be made to preserve data 
integrity. Some individuals might choose not to disclose personal data 
if they knew that the data provided was freely obtainable by others, or 
might easily be altered.
    36. Individuals should also be informed of the consequences of 
providing or withholding information. Data subjects should be told 
whether disclosing the requested information is mandatory (i.e., 
required by law) or voluntary, and the consequences that can flow from 
their decision. We recognize fully that even when disclosure is legally 
``voluntary,'' it may in fact be coerced (e.g., the refusal to 
``voluntarily'' provide information may result in the denial of 
critical life-sustaining benefits). General principles cannot resolve 
such difficult issues but clearly, whatever the consequences, they 
should be clearly articulated.
    37. Lastly, there will be times when individuals feel aggrieved by 
the improper use of personal information. If redress is available, 
individuals should be aware of that fact, and be informed as to how 
such redress can be obtained.
B. Principle of Redress
    38. Invariably, people will be harmed by the improper disclosure or 
improper use of personal information. It is therefore important to 
implement proactive measures to limit that harm, and reactive measures 
to provide relief when harm occurs.
    39. To the extent inaccurate information can be used to harm 
individuals, it follows that individuals may wish to ensure that 
collected and stored personal information is in fact accurate and 
complete. For this reason, individuals should be able to obtain from 
data users, as appropriate, a copy of this personal information and 
have the opportunity to correct inaccurate information. This may allow 
them, proactively, to prevent anticipated harms. This principle is, 
however, limited in scope. Although, idealistically, all stored 
personal information should be accurate, the fact remains that 
inaccurate personal information does and will exist, and correcting 
inaccurate data cannot be done without cost. Pragmatically, it makes 
little or no sense to devote resources to correcting data that cannot 
be used to harm the individual, and therefore the opportunity to review 
personal information in order to correct data inaccuracies is limited 
to those cases where harm may occur.
    40. When final actions are taken against individuals, they are 
entitled to notice. Absent notice, it may be impossible to seek 
available redress. Moreover, redress should be available for 
individuals who have been harmed by the improper use of information 
(including the use of inaccurate information). To ensure that 
individuals can take advantage of these redress mechanisms, the 
awareness principle, as noted above, requires that individuals be 
informed of the remedies available.
[FR Doc. 94-12761 Filed 5-24-94; 8:45 am]
BILLING CODE 3110-01-F