 |
Public Mistrust of Government
|
Dec. 4, 1996: Wall Street Journal. -- Many states are installing high-tech roadside sensors that promise to speed traffic, eliminate tollbooths, and cut costs. But government access to the lode of data compiled on drivers is alarming privacy advocates.
Dec. 6, 1996: New York Times. -- Indian activist accuses South Dakota Governor Janklow of violating free speech law by attempting to block unwanted email messages sent to him from her web site in Michigan.
Feb. 6, 1997: Washington Times. -- The practice of selling personal information by the Maryland Motor Vehicles Administration raises money as well as privacy concerns.
March 26, 1997: Boston Herald. -- ACLU questions whether small consulting company has necessary security to protect medical records of 2 million New Englanders it received from the State of Massachusetts in connection with a research study.
May 9, 1997: Deseret News. -- A number of GOP delegates want the convention to pass a resolution that would warn Utah lawmakers about formally requiring ``smart-card'' technology for a state driver's license. A bill, sponsored by Rep. Gerry Adair, R-Roy, that would have required the state Division of Motor Vehicles to begin such technology, failed in the 1997 Legislature, in part through the uncommon alliance of the conservative Eagle Forum and the state chapter of the American Civil Liberties Union.
As the above news items show, Governors, legislators, and state agencies have run into public concern, and in some cases outright opposition, on issues surrounding government collection, use, and protection of personal information on private citizens. It doesn't matter that many of these government technology initiatives are designed to increase efficiency, reduce cost, eliminate fraud, and improve citizen access -- things the electorate is always imploring government to do. The deep seated American concern for privacy, coupled with many people's fear of information technology, is producing contradictory pressures on policy makers.
To help frame the information technology privacy issue, this briefing paper will highlight: 1) how government and private business currently collect and use data about citizens/customers, 2) public attitudes about privacy, 3) current laws regulating government collection and use of personal data, and 4) issues and options for states. In addition, in Appendix A there is a separate discussion about confidentiality of medical records and Appendix B presents principles to protect privacy suggested by a federal task force.
Current Data Collection and Use
Recent advances in computer and telecommunications technology have allowed both the public and private sectors to collect, analyze, and disseminate a staggering amount of information on citizens and customers. The collection and use of this information is often done without the knowledge of the person about whom it is being collected. Examples include credit card purchases, pay-per-view movies, automated toll booth traffic, energy use, tax payments, etc.
Several facts illustrate the magnitude of the data being collected [1]:
* One data management and marketing company alone is estimated to maintain 350 terabytes of information about consumers (one terabyte equals 500 million pages of single-spaced text).
* Estimates indicate that computerized lists track more than two billion names (roughly 36 percent of the world's population)
* The average American is on at least twenty-five (and as many as one hundred) lists at any one time.
*Credit bureaus keep files on nearly 90% of American adults.
This information is routinely bought and sold, integrated and analyzed. It is used to target mailings, help make credit decisions, accept or deny health coverage, determine who will be audited, and more. To illuminate the easy availability of data consider this from CDB Infotek's brochure:
A personal computer, an ordinary phone line, and simple modem puts you in command of our vast array of public record information. Access to literally hundreds of millions of regional and national records can be yours in minutes. Social Security number $11, Registered voter profile $25, Neighborhood search $18, Superior court records $5-20 per court search. [2]
While the numbers above focus more on private sector data collection, the public sector is also compiling larger and larger data sets. For example, last year a man in Oregon purchased the entire state motor vehicle name and address list for $222 and posted it on the Internet. In addition, many states are now starting to combine databases from different agencies for the first time and use those combined data sets to streamline service delivery and help guide policy.
Public Attitudes
A recent Equifax/Louis Harris survey [3] shows that Americans are increasingly concerned about data being collected about them and how it will affect their privacy.
* Sixty-five per cent of the respondents in 1996 consider consumer privacy protection "very important," up from 61% in 1995.
* Threats to personal privacy was of concern to 64% of the respondents in 1978, 79% in 1990 and 1993, 82% in 1995 and 87% in 1996.
* In 1990, 71% said they believed consumers had lost "all control" over how personal information about them is circulated and used by companies. By 1995 that number rose to 80%.
* Twenty-four percent indicated they had personally experienced a privacy invasion.
* Both the 1995 and 1994 polls indicated that Americans remain more concerned about privacy intrusions by government than by businesses.
All personal information is not equal in the eyes of survey respondents. The privacy of criminal records and credit and motor vehicle information is less sensitive than workers compensation, health claims, health history, and pharmaceutical data.
Public concerns about the collection and use of personal data are based upon four interrelated fears. The first is a general fear of the dehumanizing nature of having their lives captured in an "electronic profile" or "clone". The second is that the data compiled about them might be used inappropriately. The third is that unauthorized people will gain access to that data. The final fear is that the information may be incomplete or inaccurate yet they have no way of knowing about the errors or correcting them
Policy makers are heightening concerns by increasingly looking to information technology to solve many long standing societal issues. For example, the approach adopted for collecting child support payments from deadbeat parents is a nationwide data base of Social Security numbers kept on all new hires. Solve illegal immigration problems by creating a national ID system. Keep guns out of the hands of criminals by developing a nationwide database on violent criminals.
Laws to Protect Privacy
Privacy fears might be allayed by a common legal and regulatory framework governing the collection and use of personal information but no such framework currently exists. Rather, laws to protect privacy have been called "reactive, ad-hoc, and confused." Generally they have followed a sectoral approach at both the state and federal levels. That is, separate statutes often exist for privacy related to bank records, cable TV, credit, medical, state data banks, etc.
A somewhat dated report shows that western states have enacted a patchwork of privacy laws (see table below). More recent figures show that approximately 5,000 bills were introduced in state legislatures in 1996. One hundred twenty-three consumer privacy bills were enacted in 1996, up from 66 in 1995. In addition, a great deal of attention has focused recently on restricting access to motor vehicle records and Social Security numbers. One problem some states are starting to find is that this ad hoc, sector-by-sector approach has led to inconsistencies in approaches. For example, New Mexico has over forty different statutory provisions dealing with privacy and confidentiality of both personal and corporate data.
In addition, to state law, federal law places preconditions regarding the protection of data on the award of federal funding for some state programs which are partially or completely federally funded. Examples include data from student records, child abuse cases, and driver's license and vehicle registrations.
There are numerous federal laws regarding federal use and disclosure of federally collected personal data. Most of these laws were enacted after a high profile public revelation of some misuse or invasion of privacy. While considered en toto to be fairly comprehensive, there is however some disagreement as to how effective these laws have been. The laws include:
The Privacy Act of 1974 - Applies to federal records that are retrieved by name or other personal identifier. Under the Act, individuals have the right to access agency records containing information about themselves and the right to request amendment of inaccurate or incomplete information.
The Paperwork Reduction Act of 1980 - Seeks to minimize the federal paperwork burden, to coordinate federal information policies and to ensure that the "collection, maintenance, use and dissemination of information by the federal government is consistent with applicable laws relating to confidentiality."
Computer Matching and Privacy Protection Act of 1988 - The Matching Act, which amends the Privacy Act, regulates federal agency use and exchange of information contained in existing agency databases.
In addition to these more government focused Acts are numerous sector-specific Acts such as the Fair Credit Reporting Act of 1992, the Electronic Communications Privacy Act of 1986, the Family and Educational Privacy Act of 1974, the Video Privacy Protection Act, and the Driver's Privacy Protection Act of 1994. Trying to head off legislation and improve their public standing, many industry groups are trying to develop industry-wide privacy codes and guidelines. In addition, entrepreneurs are developing products to give consumers more control over their privacy (e.g., caller ID for telephones).
The whole arena of electronic privacy is rapidly changing. It is not just a state and federal issue but an international one as well. The Organization for Economic Cooperation and Development issued privacy guidelines back in 1981. The Council of Ministers of the European Commission adopted a Directive on protection of personal data in 1995. The Directive requires member nations to conform their privacy laws by 1998. Several countries (Canada, Australia, New Zealand, Japan, and Hong Kong) have created an office of Privacy Commissioner to guide government policy.
Issues and Options for States
1. The principal issue for governors is how to balance the electorate's desire for a more efficient and streamlined state government with citizen concern about privacy. Options for governors to consider to help improve privacy protection, lower public apprehension, and advance state information technology solutions include:
* Push for passage of state legislation to plug any gaps in privacy laws.
* Adopt a set of principles by executive order to guide the state's collection, use, and dissemination of personal data. (The NIITF published a recommended set of principles in 1995. See attached.)
* Direct agencies to audit of their data collection and data security practices.
* Appoint a Citizen's Privacy Ombudsman to act as an advocate for privacy and confidentiality issues within state government.
* Add privacy protection to the list of duties of the state's chief information officer, IT commission and/or to the state's annual information technology report.
* Include language pertaining to data security requirements in state contracts.
* Hold public forum to elicit concerns and to educate citizens about what protections are already available to them.
* Use the bully pulpit to advocate for privacy issues within the state and private sectors.
2. Another issue is what role governors want to play in national privacy debates. Examples include debates on a wide variety of topics including protecting children from pornography on the Internet, strengthening airline security, and protecting medical records. A key policy issue for governors in many of these debates is whether to support uniform federal privacy laws or to oppose them in favor of individual or coordinated state approaches (see Appendix A for discussion of how this relates to telemedicine).
A related issue to preemption, as it relates to privacy legislation at the federal level, is unfunded mandates. For example, the Driver's Privacy Protection Act of 1994 requires states to implement privacy protection legislation for motor vehicle records. States will have to make expensive changes to their computer systems and revise or add new forms to be filled out by applicants in order to comply.
3. Finally, governors may want to weigh in on the NIITF report option regarding creation of a federal privacy entity. The draft NIITF report solicits public comment on the issues it raises. One of those issues is whether to create a Federal privacy entity (and whether to empower that entity with or without regulatory authority) or create a non-governmental or advisory entity to help guide federal privacy efforts. In the recent Louis Harris poll cited above, while respondents were concerned about government's collection and use of personal data, two-thirds of those polled prefer the current system to creation of a federal privacy commission.
Compilation of State and Federal Privacy Laws 1992
| AK | A Z |
CA | CO | H I |
I D |
K S |
MT | N E |
NV | NM | ND | OR | S D |
T X |
U T |
WA | WY | U S |
|
| Arrest records | X | X | X | X | X | X | X | X | X | ||||||||||
| Bank records | X | X | X | X | X | X | |||||||||||||
| Cable TV | X | X | |||||||||||||||||
| Computer crime | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
| Credit | X | X | X | X | X | X | X | X | X | X | X | ||||||||
| Criminal justice | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||
| Gov't data banks | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||
| Employment | X | X | X | X | X | X | X | X | X | X | |||||||||
| Insurance | X | X | X | X | X | X | |||||||||||||
| Mailing lists | X | X | X | X | X | X | X | X | |||||||||||
| Medical | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |
| Miscellaneous | X | X | X | X | X | X | |||||||||||||
| Polygraphing | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||||
| Privacy statutes | X | X | X | X | X | X | X | X | X | X | |||||||||
| Privileges | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||
| School records | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||||
| Social security # | X | X | X | X | |||||||||||||||
| Tax records | X | X | X | X | X | X | X | X | X | X | X | X | X | ||||||
| Tele. Solicitation | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | |||
| Testing | X | X | X | X | X | X | X | X | |||||||||||
| Wiretaps | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X | X |
(1) Options for Promoting Privacy on the Information Infrastructure, National Information Infrastructure Task Force, Draft April 1997. This briefing paper borrows heavily from that document.
(2) Speech given by Beth Givens of Privacy Rights Clearinghouse. 1995
(3) 1996 Equifax/Harris Consumer Privacy Survey
(4) The Fundamental Role of Privacy and Confidence in the Network". Wake Forest Law Review, 1995
(5) Compilation of State and Federal Privacy Laws. 1992