The Privacy Working Group has recently issued the final version of its Principles for Providing and Using Personal Information. Comments and questions should be referred to Jerry Gates, Chair of the Working Group at ggates@info.census.gov.
The National Information Infrastructure ("NII"), with its promise of a seamless web of communications networks, computers, databases, and consumer electronics, heralds the arrival of the information age. The ability to acquire, process, send, and store information at an acceptable cost has never been greater, and continuing advances in computer and telecommunications technologies will result in ever-increasing creation, use, and storage of information.
The NII promises enormous benefits. To name just a few, the NII offers the possibilities of greater citizen participation in deliberative democracy, advances in medical treatment and research, and quick verification of critical information such as a gun purchaser's criminal record. These benefits, however, do not come without a cost: the loss of privacy. Privacy in this context means "information privacy," an individual's claim to control the terms under which personal information--information identifiable to an individual--is acquired, disclosed, and used.
Two converging trends--one social, the other technological--lead to an increased risk to privacy in the evolving NII. As a social trend, individuals will use the NII to communicate, order goods and services, and obtain information. But, unlike paying cash to buy a magazine, using the NII for such purposes will generate data documenting the transaction that can be easily stored, retrieved, analyzed, and reused. Indeed, NII transactional data may reveal who communicated with whom, when, and for how long, as well as who bought what, for what price. Significantly, this type of personal information is automatically generated, in electronic form, and is therefore especially inexpensive to store and process.
The technological trend is that the capabilities of hardware, software, and communications networks are continually increasing, while costs are continually decreasing, allowing information to be used in ways that were previously impossible or economically impractical. For example, before the NII, in order to build a profile of an individual who had lived in various states, one would have to travel from state to state and search public records for information about the individual. This process would have required filling out forms, paying fees, and waiting in line for record searches at local, state, and federal agencies, such as the departments of motor vehicles, deed record offices, electoral commissions, and county record offices. Although one could manually compile a personal profile in this manner, it would be a time-consuming and costly exercise, one that would not be undertaken unless the offsetting rewards were considerable. In sharp contrast, today, as more and more personal information appears on-line, such a profile can be built in a matter of minutes, at minimal cost.
These two converging trends guarantee that as the NII evolves, more personal information will be generated and more will be done with that information. Here lies the increased risk to privacy. This risk must be addressed both to secure the value of privacy for individuals and society and to ensure that the NII will achieve its full potential. Unless this is done, individuals may not participate in the NII for fear that the costs to their privacy will outweigh the benefits. The adoption of principles of fair information practice is a critical first step in addressing this concern.
While guidance can be found in existing laws and principles, these need to be adapted to accommodate the evolving information environment. This changing environment presents new concerns.
These "Principles for Providing and Using Personal Information" ("the Principles") are offered to respond to this new information environment. The Principles attempt to provide meaningful guidance, striking a balance between abstract concepts and a detailed code. They are intended to guide all NII participants and should be used by those who are drafting laws and regulations, creating industry codes of fair information practices, and designing private sector and government programs that use personal information.
The limitations inherent in any such principles must be recognized. The Principles do not have the force of law and do not create any substantive or procedural right enforceable at law. They are not designed to produce specific answers to all possible questions; nor to single-handedly govern the various sectors that use personal information. The Principles should be interpreted and applied as a whole, pragmatically and reasonably. For example, those applying these principles should consider:
Where an overly mechanical application of the Principles would be particularly unwarranted, phrases with the words "appropriate" or "reasonable" appear in the text. This flexibility, built into the Principles to address hard or unexpected cases, does not mean that the Principles need not be adhered to rigorously. Finally, the Principles are intended to be consistent with the spirit of current international guidelines, such as the OECD Guidelines,/1/ regarding the use of personal information. The Principles invite further international cooperation over the development and harmonization of global privacy policies, adherence to which will bolster the ongoing development of the Global Information Infrastructure.
The United States is committed to building a National Information Infrastructure ("NII") to meet the information needs of its people. This infrastructure, created by advances in technology, is expanding the level of interactivity, enhancing communication, and allowing easier access to services. As a result, many more users are discovering new, previously unimagined ways to acquire and use personal information. In this environment, we are challenged to develop new principles to guide all NII participants in the fair use of personal information.
Existing codes of fair information practice must be adapted to a new environment in which information and communications are sent and received over networks by users who have very different capabilities, objectives, and perspectives. In this interactive, networked environment, many new relationships are being formed among individuals, communication providers, and other NII participants. New principles must acknowledge that each party has a different relationship with the individual and has different uses for personal information.
New principles should not diminish existing constitutional and statutory limitations on access to information, communications, and transactions, such as requirements for warrants and subpoenas. Such principles should ensure that access limitations keep pace with technological developments. These principles should acknowledge that all elements of our society share responsibility for ensuring the fair treatment of individuals in the use of personal information, whether on paper or in electronic form. Moreover, the principles should recognize that the interactive nature of the NII can empower individuals to participate in protecting information about themselves. The new principles should also make clear that this responsibility can be exercised only with openness about the process, a commitment to fairness and accountability, and continued attention to security. Finally, the principles should recognize the need to educate all participants about the new information infrastructure and how it will affect their lives.
These "Principles for Providing and Using Personal Information" ("the Principles") recognize the changing roles of government and industry in information acquisition and use. Thus, they are intended to apply to both public and private entities. The Principles are designed to guide all NII participants as well as those who are drafting legislation and crafting policy regarding the use of personal information. They provide the basic framework from which specialized principles can be developed as needed.
Trade-offs will be inevitable in implementing the Principles because privacy interests are not absolute and must be balanced against the need for accountability, the value of an unabridged flow of information, and other societal benefits recognized in law, such as lawful law enforcement activities. For example, certain decisions about the flow of personal information have already been made for us by the First Amendment, and nothing in the Principles should be read to require policies derogating the constitutionally protected freedom of speech and the press. Given these sometimes conflicting interests and public policies, the Principles must be implemented pragmatically yet conscientiously, giving due consideration to issues such as the extent to which providing personal information is voluntary, the adequacy of the notice regarding how the personal information may be used, the scope of the individual's consent, and the cost of protecting information in light of the information's sensitivity.
1. Three fundamental principles should guide all NII participants. These three principles--information privacy, information integrity, and information quality--identify the fundamental requirements necessary for the proper use of personal information, and in turn the successful implementation of the NII. All NII participants should use appropriate means to ensure that these principles are satisfied.
Personal information should be acquired, disclosed, and used only in ways that respect an individual's privacy.
2. The NII can flourish only if all participants respect information privacy. Information privacy is an individual's claim to control the terms under which personal information--information identifiable to an individual--is acquired, disclosed, and used. The level of privacy that must be respected is an individual's reasonable expectation, an expectation subjectively held by the individual and deemed objectively reasonable by society. Not all subjectively held expectations will be honored as reasonable. For example, an individual who posts an unencrypted personal message on a bulletin board for public postings cannot reasonably expect that personal message to be read only by the addressee.
3. What counts as a reasonable expectation of privacy under the Principles is not limited by what counts as a reasonable expectation of privacy under the Fourth Amendment of the United States Constitution. In many instances, society has deemed it reasonable to protect privacy at a level higher than that required by the Fourth Amendment. See, e.g., Electronic Communications Privacy Act, 18 U.S.C. § 2701 (1988); Right to Financial Privacy Act, 12 U.S.C. § 3401 (1988); Privacy Act, 5 U.S.C. § 552a (1988). The Information Privacy Principle fully supports such possibilities.
4. As explained in later principles and commentary, an individual's privacy can often be best respected when individuals and information users come to some mutually agreeable understanding of how personal information will be acquired, disclosed, and used. However, in certain cases--for example, if the individual lacks sufficient bargaining power--purely contractual arrangements between individuals and information users may fail to respect privacy adequately. In such instances, society should ensure privacy at some basic level in order to satisfy the Information Privacy Principle.
Personal information should not be improperly altered or destroyed.
5. NII participants should be able to rely on the integrity of the personal information the NII contains. Thus, personal information should be protected against improper alteration or destruction.
Personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used.
6. Personal information should have sufficient quality to be relied upon. This means that personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used.
Information users should:
7. The benefit of information lies in its use, but therein lies an often unconsidered cost: the threat to information privacy. A critical characteristic of privacy is that once it is lost, it can rarely be restored. Consider, for example, the extent to which the inappropriate release of sensitive medical information could ever be rectified by public apology.
8. Given this characteristic, privacy should not be addressed as a mere afterthought, once personal information has been acquired. Rather, information users should explicitly consider the impact on privacy in the very process of designing information systems and in deciding whether to acquire or use personal information in the first place. In assessing this impact, information users should gauge not just the effect their activities may have on the individuals about whom personal information is acquired, disclosed, and used; they should also consider other factors, such as public opinion and market forces, that may provide guidance on the appropriateness of any given activity.
9. After assessing the impact on information privacy, an information user may conclude that it is appropriate to acquire personal information in pursuit of a current or planned activity. A planned activity is one that is contemplated by the information user, with the intent to pursue such activity in the future. In all cases, the information user should acquire only that information reasonably expected to support those activities. Although information storage costs decrease continually, it is inappropriate to collect volumes of personal information simply because some of the information may, in the future, prove to be of some unanticipated value. Also, personal information that has served its purpose and is no longer reasonably expected to support any current or planned activities should not be kept.
10. The ability to acquire certain kinds of personal information does not mean that it is proper to do so. In certain cases, individuals have no choice whether to disclose personal information. For example, if the individual executes a transaction on the NII, personal information in the form of transactional data will typically be generated. In other cases, the choice may exist in theory only. Exercising certain choices may result in the denial of a benefit that individuals need to participate fully in society--for example, obtaining a license to drive an automobile. In such cases, society should establish some basic level of privacy protection in accordance with the Information Privacy Principle (I.A.).
Information users who collect personal information directly from the individual should provide adequate, relevant information about:
11. Personal information can be acquired in one of two ways: it can be collected directly from the individual or obtained from some secondary source. By necessity, the principles governing these two methods of acquiring personal information differ. While notice obligations can be placed on all those who collect information directly from the individual, they cannot be imposed uniformly on entities that have no such direct relationship. If all recipients of personal information were required to notify every individual about whom they receive data, the exchange of personal information would become prohibitively burdensome, and many of the benefits of the NII would be lost.
12. For those who collect personal information directly from the individual, the Notice Principle requires the individual to be given sufficient information to make an informed decision about his or her privacy. The importance of providing this notice cannot be overstated because the terms of the notice substantially determine the individual's understanding of how personal information will be used, an understanding that must be respected by all subsequent users of that information.
13. The Notice Principle specifically applies to personal information designated by law as a public record and to transactional data generated as a byproduct of a transaction. With respect to transactional data, this principle applies to all parties, including not only the party principally transacting with the individual in order to provide some product or service, but also to those transaction facilitators such as communication providers and electronic payment providers who help to consummate these transactions. For example, if an individual purchases flowers with a credit card through an on-line shopping mall accessed via modem, the Notice Principle applies to all parties who collect transactional data related to the purchase, not only to the florist, but also to the telephone and credit card companies. Transaction facilitators would ordinarily provide notice at the time they establish an account, or when billing the customer.
14. What counts as adequate, relevant information to satisfy the Notice Principle depends on the circumstances surrounding the collection of information. In some cases--especially where there is a continuing relationship between the individual and the information collector-- notice need not be given before each instance that personal information is collected. For example, an information or communication service provider should ordinarily give notice when the individual subscribes to a particular service and perhaps periodically thereafter, not each time the individual uses the service. In other cases, the ordinary and acknowledged use of personal information is so clearly contemplated by the individual that providing formal notice is not necessary. For example, if an individual's name and address is collected by a pharmaceutical company that takes the order over interactive television simply to deliver the right medicine to the right person at the right address, no elaborate notice need precede taking the individual's order. However, should the pharmaceutical company use the information in a manner not clearly contemplated by the individual--for example, to create and sell a list of people afflicted with high blood pressure to health insurance companies--then some form of notice should be provided.
15. While the Notice Principle indicates what might constitute the elements of adequate notice, it does not prescribe a particular form for that notice. Rather, the goal of the Principle is to ensure that the individual has sufficient information in an understandable form to make an informed decision. Thus the drafters of notices should be creative about informing in ways that will help all individuals, regardless of age, literacy, and education to achieve this goal.
16. Finally, although the Notice Principle requires information collectors to inform individuals what steps will be taken to protect personal information, they are not required to provide overly technical descriptions of such security measures. Indeed, such descriptions might be unwelcome or unhelpful to the individual. Furthermore, they may be counterproductive since widespread disclosure of the technical security measures might expose system vulnerabilities, in conflict with the Protection Principle (II.C.).
Information users should use appropriate technical and managerial controls to protect the confidentiality and integrity of personal information.
17. On the NII, personal information is maintained in a networked environment, an environment that poses tremendous risk of unauthorized access, disclosure, alteration, and destruction. Both insiders and outsiders may gain access to information they have no right to see or may make hard-to-detect changes in data that will then be relied upon in making critical decisions.
18. For example, our health care providers expect to become intensive participants in the NII. Through the NII, a hospital in a remote locale will be able to send x-rays for review by a radiologist at a teaching hospital in another part of the country. The potential benefits are obvious. Yet, such benefits will not be realized if individuals refuse to send such sensitive data because they fear that the NII cannot ensure that sensitive medical data will remain confidential and unaltered.
19. In deciding what controls are appropriate, information users should recognize that personal information should be protected in accordance with the individual's understanding and in a manner commensurate with the harm that might occur if it were improperly disclosed or altered.
20. In protecting personal information, information users should adopt a multi-faceted approach that includes both technical and managerial controls. As for technical controls, information users should, for example, consider encrypting personal information, including the contents of communications and information generated from transactions. In addition, they should consider computerized audit trails, which help detect improper access by both insiders and outsiders. As for management controls, one could strive, for example, to create an organizational culture in which individuals learn about fair information practices and adopt these practices as the norm. Also, organizations could establish policies to forbid information acquired for one activity from being used for another unrelated activity.
Information users should not use personal information in ways that are incompatible with the individual's understanding of how it will be used, unless there is a compelling public interest for such use.
21. An individual's understanding encompasses the individual's objectively reasonable contemplation and scope of consent when the information was collected. As explained earlier, an individual's understanding depends principally on the notice provided by the information collector pursuant to the Notice Principle (II.B.) and obtained by the individual pursuant to the Awareness Principle (III.A.). Without a Fairness Principle, information use may know no boundaries and thus go beyond the individual's understanding.
22. If an information user seeks to use personal information in an incompatible manner, the user must first notify the individual and obtain his or her explicit or implicit consent. The nature of the incompatible use will determine whether such consent should be explicit or implicit. In some cases, the consequences to an individual may be so significant that the prospective data user should proceed only after the individual has specifically opted into the use by explicitly agreeing. In other cases, a notice offering the individual the ability to opt out of the use within a certain specified time may be adequate. Inherent in this principle is the requirement that whenever personal information is transferred from information user to user, the individual's understanding of how that personal information will be used must also be conveyed. Because all information users must abide by the Fairness principle, both information transferor and transferee bear a responsibility to ensure that the individual's understanding is transferred along with the information.
23. In deciding whether a particular use of information is "incompatible" with an individual's understanding, information users should evaluate whether the uses are permitted explicitly in the notice or are otherwise consistent with the notice. Any use of information beyond these conditions is incompatible with the individual's understanding. What is incompatible under this Principle is not limited to what has been interpreted as incompatible under the Privacy Act. See 5 U.S.C. § 552a.
24. The Fairness Principle cannot be applied uniformly in every setting. An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. There are some incompatible uses that will produce enormous benefits and have at most a trivial effect on the individual's information privacy interest. Research and statistical studies, in which information will not be used to affect the individual, are examples. Obtaining the consent of the individual to permit new statistical uses of existing data adds cost and administrative complexity to the process and risks impairing the research project. In other cases, personal information may be used for a significant public need recognized by society in a highly formal, open way (typically in legislation) that would be thwarted by giving the individual a chance to limit its use. One example would be the use of personal information in a law enforcement investigation for which the suspect's consent would be unlikely and even asking for such consent would be counterproductive to the investigation. Another example would be an incompatible use of personal information, made by the investigatory press, that is specifically protected and sanctioned by the First Amendment.
Information users should educate themselves and the public about how information privacy can be maintained.
25. The Education Principle represents a significant addition to the traditional principles of fair information practice. There are many uses of the NII for which individuals cannot rely completely on governmental or other organizational controls to protect their privacy. Although individuals often rely on such legal and institutional controls to protect their privacy, many people will engage in activities outside of these controls, especially as they engage in the informal exchange of information on the NII. Thus, individuals must be aware of the hazards of providing personal information, and must make judgments about whether providing personal information is to their benefit.
26. The full effect of the NII on the use of personal information is not readily apparent, and individuals may not recognize how their lives may be affected by networked information. Because it is important that individuals and information users appreciate how the NII affects information privacy, all information users should participate in education about the handling and use of personal information. Traditionally, governments and schools have educated the public on matters of social rights and responsibilities, and they must continue to play a lead role. However, as major builders of the NII, the private sector has as crucial a role to play. Such education, which would help individuals minimize the risks to their privacy, could involve privacy telephone hotlines, Internet privacy "help" sites, and comprehensive marketing and publicity campaigns.
Individuals should obtain adequate, relevant information about:
27. Increasingly, individuals are being asked to surrender personal information about themselves. Sometimes the inquiry is straight-forward; for example, a bank will ask for personal information prior to processing a loan request. In this case, one use for the information is clear--to process the loan application. There may, however, be other uses that are not so obvious, such as using some of that information for a credit card solicitation. Indeed, individuals regularly disclose personal information without being fully aware of the many ways in which that information may ultimately be used. For example, an individual may not realize that paying for medical services with a credit card creates transactional data that could reveal the individual's state of health.
28. The Awareness Principle recognizes that although information collectors have a responsibility to inform individuals why they want personal information, individuals also have a responsibility to understand the consequences of providing personal information to others. This is especially true in an interactive realm such as the NII, in which individuals can actively shape the terms of their participation. For example, when individuals have real choices about whether and to what degree personal information should be disclosed, they should take an active role in deciding whether to disclose personal information in the first place, and under what terms.
29. Of course, if individuals are to be held responsible for making these choices, they must be given enough information to make intelligent choices. This is how the Awareness Principle works in conjunction with the Notice Principle (II.B.) and more broadly with the Education Principle (II.E) to enable individuals to take responsibility over how personal information is disclosed and used.
Individuals should be able to safeguard their own privacy by having:
30. Individuals should have a means to obtain from information users a copy of their personal information and to correct information about them that lacks sufficient quality to ensure fairness in its use. The extent to which such means are provided depends on various factors, including the seriousness of the consequences to the individual of using the personal information and any First Amendment rights held by the information user.
31. Further, if the terms of the information collection are unsatisfactory, the individual should consider various self-initiated measures to safeguard privacy. For example, to safeguard the confidentiality or integrity of a communication, the individual should have the opportunity to use appropriate tools such as encryption. Also, to avoid leaving a data trail of transactional records, individuals should have the opportunity to remain anonymous, when appropriate. For example, anonymity would be appropriate when an individual browses a public electronic library or when an individual engages in anonymous political speech protected by the Constitution. See McIntyre v. Ohio Elections Commission, 131 L. Ed. 2d 426 (1995). In an ideal world, offering undecipherable encryption or absolute anonymity would serve to protect privacy with no negative effect. Unfortunately, in the real world, some will abuse these technologies and, in the process, harm others. It is beyond the scope of the Principles how encryption or anonymity can be offered to individuals for legitimate uses while minimizing their misuse. These issues must, however, be addressed if the NII is to achieve its full potential.
Individuals should, as appropriate, have a means of redress if harmed by an improper disclosure or use of personal information.
32. Redress is required only when an individual is harmed. Designed for general applicability, the Redress Principle does not answer in any particular case whether harm has occurred at all or whether enough harm has occurred to warrant a specific form of redress. Those questions must be answered in the sectoral implementation of the Principles.
33. An improper use specifically includes a decision based on personal information of inadequate quality--information that is not accurate, timely, complete, or relevant for the purpose for which it is provided and used. The Redress Principle does not, however, set the level of culpability on the part of the information user necessary to warrant a specific form of redress.
34. When redress is appropriate, the Principles envision various forms including, but not limited to, informal complaint resolution, mediation, arbitration, civil litigation, regulatory enforcement, and criminal prosecution, in various private, local, state, and federal forums with the goal of providing relief in the most cost-effective manner possible.
/1/ See Organization for Economic Cooperation and Development, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Annex to Recommendations of the Council of 23rd September 1980. .