[Federal Register Volume 60, Number 13 (Friday, January 20, 1995)]
[Notices]
[Pages 4362-4370]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 95-1480]
[[Page 4361]]
_______________________________________________________________________
Part X
Office of Management and Budget
_______________________________________________________________________
National Information Infrastructure; Draft Principles for Providing and
Using Personal Information and Commentary; Notice
��Federal Register / Vol. 60, No. 13 / Friday, January 20, 1995 /
Notices ��
[[Page 4362]]
OFFICE OF MANAGEMENT AND BUDGET
National Information Infrastructure; Draft Principles for
Providing and Using Personal Information and Commentary
AGENCY: Office of Management and Budget.
ACTION: Notice and request for comments.
-----------------------------------------------------------------------
SUMMARY: OMB is publishing these draft principles on behalf of the
Privacy Working Group of the Information Policy Committee, Information
Infrastructure Task Force. They were developed by the Working Group to
update the Code of Fair Information Practices developed in the early
1970s.
DATES: Comments should be submitted no later than March 21, 1995.
ADDRESSES: Comments should be sent to the Working Group on Privacy c/o
the NII Secretariat, National Telecommunications and Information
Administration, U.S. Department of Commerce, Room 4892, Washington,
D.C. 20230. The Principles and Commentary can be downloaded from the
IITF gopher/bulletin Board System: 202-501-1920. The IITF gopher/
bulletin board can be accessed through the Internet by pointing your
gopher client to IITF.DOC.GOV or by telnet to IITF.DOC. GOV and logging
in as GOPHER. Electronic comments may be sent to [email protected]
FOR FURTHER INFORMATION CONTACT:
Mr. Jerry Gates, Chair, Privacy Working Group, Bureau of the Census,
Room 2430, Building 3, Washington, D.C. 20233. Voice telephone: 301-
457-2515. Facsimile: 301-457-2654. E-mail: [email protected]
SUPPLEMENTARY INFORMATION: The following Principles and Commentary were
developed by the Information Infrastructure Task Force's Working Group
on Privacy with the goal of providing guidance to all participants in
the National Information Infrastructure. (The Principles appear in
plain text, and the Commentary appears in italics.) The Principles are
intended to update and revise the Code of Fair Information Practices
that was developed in the early 1970s. While many of the Code's
principles are still valid, the Code was developed in an era when paper
records were the norm.
The Working Group distributed a draft of the Principles and
Commentary for comment in May 1994 via electronic mail and in a notice
published in the Federal Register. Major resulting changes are: (1) The
Commentary has been incorporated into the Principles and has been
modified to reflect changes to the principles, define terms, and to
clarify areas of confusion; (2) the principles for Information
Collectors have been incorporated into Principles for Users of Personal
Information since some users also have a responsibility to inform and
obtain consent for uses; (3) the Principles now require Information
Collectors to conduct a privacy assessment before deciding to collect
information; (4) the notice given to individuals becomes the
determining factor for limiting the use of personal information; (5)
the information an individual may access and correct is expanded; and
(6) the provision of notice and a means of redress that was linked to
``final actions'' that may harm individuals is now based on an improper
disclosure of information or the use of information that lacks
sufficient quality.
Before issuing the Principles as a final product, the Working Group
is proposing them for comment again. The Working Group recognizes that
the Principles cannot apply uniformly to all sectors. They must be
carefully adapted to specific circumstances, therefore, the Working
Group asks that final comments focus on major concerns about applying
the principles broadly. Sectorial concerns should be addressed as
organizations develop internal principles.
Further, the Working Group debated the privacy rights of deceased
persons and how they might be addressed in the Principles, but was not
able to come to a conclusion. The Working Group also welcomes comments
on whether and how the Principles should be revised to treat the rights
of the deceased or their survivors.
Sally Katzen,
Administrator, Office of Information and Regulatory Affairs.
Privacy and the National Information Infrastructure: Principles for
Providing and Using Personal Information
Preamble
The United States is committed to building a National Information
Infrastructure (NII) to meet the information needs of its citizens.
This infrastructure, created by advances in technology, is expanding
the level of interactivity, enhancing communication, and allowing
easier access to services. As a result, many more users are discovering
new, previously unimagined uses for personal information. In this
environment, we are challenged to develop new principles to guide
participants in the NII in the fair use of personal information.
Traditional fair information practices, developed in the age of
paper records, must be adapted to this new environment where
information and communications are sent and received over networks on
which users have very different capabilities, objectives and
perspectives. Specifically, new principles must acknowledge that all
members of our society (government, industry, and individual citizens),
share responsibility for ensuring the fair treatment of individuals in
the use of personal information, whether on paper or in electronic
form. Moreover, the principles should recognize that the interactive
nature of the NII will empower individuals to participate in protecting
information about themselves. The new principles should also make it
clear that this is an active responsibility requiring openness about
the process, a commitment to fairness and accountability, and continued
attention to security. Finally, principles must recognize the need to
educate all participants about the new information infrastructure and
how it will affect their lives.
These ``Principles for Providing and Using Personal Information''
recognize the changing roles of government and industry in information
collection and use. Thus, they are intended to be equally applicable to
public and private entities that collect and use personal information.
However, these Principles are not intended to address all information
uses and protection concerns for each segment of the economy or
function of government. Rather, they should provide the framework from
which specialized principles can be developed as needed.
I. General Principles for All NII Participants
Participants in the NII rely upon the privacy, integrity, and
quality of the personal information it contains. Therefore, all
participants in the NII should use whatever means are appropriate to
ensure that personal information in the NII meets these standards.
A. Information Privacy Principle:
An individual's reasonable expectation of privacy regarding access
to and use of his or her personal information should be assured.
B. Information Integrity Principle:
Personal information should not be improperly altered or destroyed.
C. Information Quality Principle:
Personal information should be accurate, timely, complete, and
relevant [[Page 4363]] for the purpose for which it is provided and
used.
II. Principles for Users of Personal Information
A. Acquisition and Use Principles:
Users of personal information should recognize and respect the
privacy interests that individuals have in the use of personal
information. They should:
1. Assess the impact on privacy of current or planned activities in
deciding whether to obtain or use personal information.
2. Obtain and keep only information that could be reasonably
expected to support current or planned activities and use the
information only for those or compatible uses.
B. Notice Principle:
Individuals need to be able to make an informed decision about
providing personal information. Therefore, those who collect
information directly from the individual should provide adequate,
relevant information about:
1. Why they are collecting the information;
2. What the information is expected to be used for;
3. What steps will be taken to protect its confidentiality,
integrity, and quality;
4. The consequences of providing or withholding information; and
5. Any rights of redress.
C. Protection Principle:
Users of personal information should take reasonable steps to
prevent the information they have from being disclosed or altered
improperly. Such users should use appropriate managerial and technical
controls to protect the confidentiality and integrity of personal
information.
D. Fairness Principle:
Individuals provide personal information on the assumption that it
will be used in accordance with the notice provided by collectors.
Therefore, users of personal information should enable individuals to
limit the use of their personal information if the intended use is
incompatible with the notice provided by collectors.
E. Education Principle:
The full effect of the NII on the use of personal information is
not readily apparent, and individuals may not recognize how their lives
may be affected by networked information. Therefore, information users
should educate themselves, their employees, and the public about how
personal information is obtained, sent, stored, processed, and
protected, and how these activities affect individuals and society.
III. Principles for Individuals Who Provide Personal Information
A. Awareness Principle:
While information collectors have a responsibility to inform
individuals why they want personal information, individuals also have a
responsibility to understand the consequences of providing personal
information to others. Therefore, individuals should obtain adequate,
relevant information about:
1. Why the information is being collected;
2. What the information is expected to be used for;
3. What steps will be taken to protect its confidentiality,
integrity, and quality;
4. The consequences of providing or withholding information; and
5. Any rights of redress.
B. Redress Principles:
Individuals should be protected from harm caused by the improper
disclosure or use of personal information. They should also be
protected from harm caused by decisions based on personal information
that is not accurate, timely, complete, or relevant for the purpose for
which it is used. Therefore, individuals should, as appropriate:
1. Have the means to obtain their personal information and the
opportunity to correct information that could harm them;
2. Have notice and a means of redress if harmed by an improper
disclosure or use of personal information, or if harmed by a decision
based on personal information that is not accurate, timely, complete,
or relevant for the purpose for which it is used.
Commentary on the Principles
Preamble
1. The National Information Infrastructure (``NII''), with its
promise of a seamless web of communications networks, computers, data
bases, and consumer electronics, heralds the arrival of the information
age. The ability to obtain, process, send, and store information at an
acceptable cost has never been greater, and continuing advances in
computer and telecommunications technologies will result in ever-
increasing creation and use of information.
2. The NII promises enormous benefits. To name just a few, the NII
holds forth the possibility of greater citizen participation in
deliberative democracy, advances in medical treatment and research, and
quick verification of critical information such as a gun purchaser's
criminal record. These benefits, however, do not come without a cost:
the loss of privacy. Privacy in this context means ``information
privacy,'' an individual's claim to control the terms under which
personal information--information identifiable to a individual--is
obtained, disclosed and used.
3. Two converging trends--one social, the other technological--lead
to an increased risk to privacy in the evolving NII. As a social trend,
individuals will use the NII to communicate, order goods and services,
and obtain information. But, unlike paying cash to buy a magazine,
using the NII for such purposes will generate data documenting the
transaction that can be easily stored, retrieved, analyzed, and reused.
Indeed, NII transactional data may reveal who communicated with whom,
when, and for how long; and who bought what, for what price.
Significantly, this type of personal information--transactional data--
is automatically generated, in electronic form, and is therefore
especially cheap to store and process.
4. The technological trend is that the capabilities of hardware,
software, and communications networks are continually increasing,
allowing information to be used in ways that were previously impossible
or economically impractical. For example, before the NII, in order to
build a profile of an individual who had lived in various states, one
would have to travel from state to state and search public records for
information on the individual. This process would have required filling
out forms, paying fees, and waiting in line for record searches at
local, state, and federal agencies such as the departments of motor
vehicles, deed record offices, electoral commissions, and county record
offices. Although one could manually compile a personal profile in this
manner, it would be a time-consuming and costly exercise, one that
would not be undertaken unless the offsetting rewards were
considerable. In sharp contrast, today, as more and more personal
information appears on-line, such a profile can be built in a matter of
minutes, at minimal cost.
5. In sum, these two converging trends guarantee that as the NII
evolves, more personal information will be generated and more will be
done with that information. Here lies the increased risk to privacy.
This risk must be addressed not only to secure the value of privacy for
individuals, but also to ensure that the NII will achieve its full
potential. Unless this is done, individuals may choose not to
participate in the NII for fear that the costs to their privacy will
outweigh the benefits. The adoption of fair [[Page 4364]] information
principles is a critical first step in addressing this concern.
6. While guidance to government agencies can be found in existing
laws and regulations, and guidance to private organizations exists in
principles and practices, these need to be adapted to accommodate the
evolving information environment.* This changing environment presents
new concerns:
*For example, the Privacy Act of 1974, 5 U.S.C. 552a; or New
York State Public Service Commission, Statement of Policy on Privacy
and Telecommunication. March 22, 1991, as revised on September 20,
1991.
---------------------------------------------------------------------------
(a) No longer do governments alone obtain and use large amounts of
personal information; the private sector now rivals the government in
obtaining and using personal information. New principles would thus be
incomplete unless they applied to both the governmental and private
sectors.
(b) The NII promises true interactivity. Individuals will become
active participants who, by using the NII, will create volumes of data
containing the content of communications as well as transactional data.
(c) The transport vehicles for personal information--the networks--
are vulnerable to abuse; thus, the security of the network itself is
critical to the NII's future success.
(d) The rapidly evolving information environment makes it difficult
to apply traditional ethical rules, even ones that are well understood
and accepted when dealing with tangible records and documents.
Consider, for example, how an individual who would never trespass onto
someone's home might rationalize cracking into someone's computer as an
intellectual exercise. In addition, today's information environment may
present questions about the use of personal information that
traditional rules do not even address.
7. These ``Principles for Providing and Using Personal
Information'' (the ``Principles'') attempt to create a new set of
principles responsive to this new information environment. The
Principles attempt to provide meaningful guidance on this new
information environment and attempt to strike a balance between
abstract concepts and a detailed code. They are intended to guide all
NII participants and should also be used by those who are drafting laws
and regulations, creating industry codes of fair information practices,
and designing private sector and government programs that use personal
information.
8. The limitations inherent in any such principles must be
recognized. As made clear in the Preamble, the Principles do not have
the force of law; they are not designed to produce specific answers to
all possible questions; and they are not designed to single-handedly
govern the various sectors that use personal information. The
Principles should be interpreted and applied as a whole, and
pragmatically and reasonably. Where an overly mechanical application of
the Principles would be particularly unwarranted, phrases with the
words ``appropriate'' or ``reasonable'' appear in the text. This
flexibility built into the Principles to address hard or unexpected
cases does not mean that the Principles need not be adhered to
rigorously.
9. Moreover, the Principles are intended to be in accord with
current international guidelines regarding the use of personal
information and thus should support the ongoing development of the
Global Information Infrastructure.
10. Finally, adherence to the Principles will cultivate the trust
between individuals and information users so crucial to the successful
evolution of the NII.
I. General Principles for All NII Participants
Participants in the NII rely upon the privacy, integrity, and
quality of the personal information it contains. Therefore, all
participants in the NII should use whatever means are appropriate to
ensure that personal information in the NII meets these standards.
11. Three fundamental principles should guide all NII participants.
These three principles--information privacy, information integrity, and
information quality--identify the fundamental requirements necessary
for the proper use of personal information, and in turn the successful
implementation of the NII
I.A. Information Privacy Principle:
An individual's reasonable expectation of privacy regarding access
to and use of his or her personal information should be assured.
12. If the NII is to flourish, an individual's reasonable
expectation of information privacy should be ensured. A reasonable
expectation of information privacy is an expectation subjectively held
by the individual and deemed objectively reasonable by society. Of
course, not all subjectively held expectations will be honored as
reasonable. For example, an individual who posts an unencrypted
personal message on a bulletin board for public postings cannot
reasonably expect that personal message to be read only by the
addressee.
13. What counts as a reasonable expectation of privacy under the
Principles is not intended to be limited to what counts as a reasonable
expectation of privacy under the Fourth Amendment of the United States
Constitution. Accordingly, judicial interpretations of what counts as a
reasonable privacy expectation under the Fourth Amendment should not
inhibit NII participants from applying the Principles in a manner more
protective of privacy.
I.B. Information Integrity Principle:
Personal information should not be improperly altered or destroyed.
14. NII participants should be able to rely on the integrity of the
personal information it contains. Thus, personal information should be
protected against unauthorized alteration or destruction.
I.C. Information Quality Principle
Personal information should be accurate, timely, complete, and
relevant for the purpose for which it is provided and used.
15. Finally, personal information should have sufficient quality to
be relied upon. This means that personal information should be
accurate, timely, complete, and relevant for the purpose for which it
is provided and used.
II. Principles for Users of Personal Information
II.A. Acquisition and Use Principles:
Users of personal information should recognize and respect the
privacy interests that individuals have in the use of personal
information. They should:
1. Assess the impact on privacy of current or planned activities in
deciding whether to obtain or use personal information.
2. Obtain and keep only information that could be reasonably
expected to support current or planned activities and use the
information only for those or compatible uses.
16. The benefit of information lies in its use, but therein lies an
often unconsidered cost: the threat to information privacy. A critical
characteristic of privacy is that once it is lost, it can rarely be
restored. Consider, for example, the extent to which the inappropriate
release of sensitive medical information could ever be rectified by
public apology.
17. Given this characteristic, privacy should not be addressed as a
mere afterthought, after personal information has been obtained.
Rather, information users should explicitly consider the impact on
privacy in the very process of deciding whether to obtain or use
personal information in the first place. In assessing this impact,
information [[Page 4365]] users should gauge not just the effect their
activities may have on the individuals about whom personal information
is obtained. They should also consider other factors, such as public
opinion and market forces, that may provide guidance on the
appropriateness of any given activity.
18. After assessing the impact on information privacy, an
information user may conclude that it is appropriate to obtain and use
personal information in pursuit of a current activity or a planned
activity. A planned activity is one that is clearly contemplated by the
information user, with the present intent to pursue such activity in
the future. In such cases, the information user should obtain only that
information reasonably expected to support those activities. Although
information storage costs decrease continually, it is inappropriate to
collect volumes of personal information simply because some of the
information may, in the future, prove to be of some unanticipated
value. Also, personal information that has served its purpose and can
no longer be reasonably expected to support any current or planned
activities should not be kept.
19. Finally, information users should use the personal information
they have obtained only for current or planned activities or for
compatible uses. A compatible use is a use of personal information that
was within the individual's reasonable contemplation or sphere of
consent when the information was collected. The scope of this consent
depends principally on the notice provided by the information collector
pursuant to the Notice Principle (II.B) and obtained by the individual
pursuant to the Awareness Principle (III.A). Without this compatible
use limitation, personal information may be used in ways that violate
the understanding and consent under which the information was provided
by the individual. This may subject the individual to unintended and
undesired consequences, which will discourage further use of the NII.
II.B. Notice Principle:
Individuals need to be able to make an informed decision about
providing personal information. Therefore, those who collect
information directly from the individual should provide adequate,
relevant information about:
1. Whey they are collecting the information;
2. What the information is expected to be used for;
3. What steps will be taken to protect its confidentiality,
integrity, and quality;
4. The consequences of providing or withholding information; and
5. Any rights of redress.
20. Personal information can be obtained in one of two ways: it can
be either collected directly from the individual or acquired from some
secondary source. By necessity, the principles governing these two
different methods of obtaining personal information must differ. While
notice obligations can be placed on all those who collect information
directly from the individual, they cannot be imposed uniformly on
entities that have no such direct relationship. If all recipients of
personal information were required to notify every individual about
whom they receive data, the exchange of personal information would
become prohibitively burdensome, and many of the benefits of the NII
would be lost. However, if such users intend to use the information for
uses not compatible with the understanding and consent of the
individual, individuals must be given the ability to limit such use
(see II.D, the Fairness Principle). Accordingly, notice obligations
apply only to those who collect personal information directly from the
individual and any users who want to use the data for incompatible
uses.
21. This requirement specifically applies to all parties who
collect transactional data generated as a byproduct of an individual's
participation in the NII. Such parties include not only the party
principally transacting with the individual in order to provide some
product or service but also to those transaction facilitators such as
communication providers and electronic payment providers who help
consummate these transactions. for example, if an individual purchases
flowers with a credit card through an on-line shopping mall accessed
via modem, the Notice Principle applies to all parties who collect
transactional data related to the purchase; not only to the florist,
but also to the telephone and credit card companies.
22. In sum, all parties who collect personal information directly
from the individual--whether they are the party principally transacting
with the individual or are merely a transaction facilitator--should
provide a notice that will adequately inform the individual about what
the information is expected to be used for, including current and
planned activities, and expected disclosures to third parties.
23. By providing notice, information collectors afford the
individual a meaningful opportunity to exercise judgment in accordance
with the Awareness Principle (III.A). Together, the Notice Principle
and the Awareness Principle highlight the interactive nature of the NII
and how responsibility must be shared between those who collect
personal information and those who provide it. The importance of
providing this notice cannot be overstated, however, since the terms of
the notice determine the scope of the individual's consent, which must
be respected by all subsequent users of that information.
24. Having said this, it is important to realize that what counts
as adequate, relevant information to satisfy the Notice Principle
depends on the circumstances surrounding the collection of information.
In some cases, a particular use of personal information will be so
clearly contemplated by the individual that providing formal notice is
not necessary. For example, if an individual's name and address is
collected by a pizza operator over the telephone simply to deliver the
right pizza to the right person at the right address, no elaborate
notice or disclaimer need precede taking the individual's order.
However, should the pizza operator use the information in a manner not
clearly contemplated by the individual--for example, to create and sell
a list of consumers of pizzas containing fatty ingredients to health
insurance companies--then some form of notice should be provided. In
other cases, not every one of the components of the Notice Principle
will need to be conveyed. For example, a long distance carrier that
uses transactional data generated as part of a telecommunications
transaction only to route calls and create accurate billings might need
only provide notice of its data security practices.
25. While the Notice Principle indicates what might constitute the
elements of adequate notice, it does not prescribe a particular form
for that notice. Rather, the goal of the Principle is to ensure that
the individual has sufficient information to make an informed decision.
Thus the drafters of notices should be creative about informing in ways
that will help the individual achieve this goal.
26. Finally, although the Notice Principle requires information
collectors to inform individuals what steps will be taken to protect
personal information, they are not required to provide overly technical
descriptions of such security measures. Indeed, such descriptions might
be unwelcome or unhelpful to the individual. Furthermore, they may be
counterproductive since widespread disclosure of the technical security
measures might expose system vulnerabilities, in conflict with the
Protection Principle (II.C).
II.C. Protection Principle:
[[Page 4366]]
Users of personal information should take reasonable steps to
prevent the information they have from being disclosed or altered
improperly. Such users should use appropriate managerial and technical
controls to protect the confidentiality and integrity of personal
information.
27. On the NII, personal information is maintainted in a networked
environment, an environment that poses tremendous risk of unauthorized
access, disclosure, alteration, and destruction. Both insiders and
outsiders may gain access to information they have no right to see, or
make hard-to-detect changes in data that will then be relied upon in
making decisions that may have profound effects.
28. For example, our national health care system expects to become
an intensive participant in the NII. Through the NII, a hospital in a
remote locale will be able to send x-rays for review by a renowned
radiologist at a teaching hospital in another part of the country. The
benefits to the patient are obvious. Yet, such benefits will not be
reaped if individuals refuse to send such sensitive data because they
fear that the NII lacks safeguards needed to ensure that sensitive
medical data will remain confidential and unaltered.
29. In deciding what controls are appropriate, information users
should recognize that personal information should be protected in a
manner commensurate with the harm that might occur if it were
improperly disclosed or altered. Also, personal information collected
directly from the individual should be protected in accordance with the
information provided to the individual pursuant to the Notice Principle
(II.B).
30. Finally, technical controls alone cannot provide adequate
protection of personal information. Although technical safeguards are
well-suited to protect against unauthorized outsiders, they are less
well suited to protect against insiders who may be able to alter or
delete data improperly without breaching any technical access controls.
Therefore, to protect personal information, information users should
adopt a multi-faceted approach that includes both managerial and
technical solutions. One management technique, for example, could
strive to create an organizational culture in which individuals learn
about fair information practices and adopt these practices as the norm.
II.D. Fairness Principle:
Individuals provide personal information on the assumption that it
will be used in accordance with the notice provided by collectors.
Therefore, users of personal information should enable individuals to
limit the use of their personal information if the intended use is
incompatible with the notice provided by collectors.
31. Two principles work together to ensure the fair use of
information in the NII. The Acquisition and Use Principle (III.A.2)
requires information users to use personal information only for current
or planned activities or for compatible uses. In conjunction with this
principle, the Fairness Principle requires users to enable individuals
to limit incompatible uses of personal information. Juxtaposed, these
two principles highlight again the interactive and interrelated
relationships on the NII, which require participants to share the power
and responsibility for the proper use of personal information.
32. An incompatible use occurs when personal information is used in
a way neither reasonably contemplated nor consented to by the
individual when the information was collected. As explained earlier,
the scope of this consent depends principally on the notice provided by
the information collector pursuant to the Notice Principle (II.B) and
obtained by the individual pursuant to the Awareness Principle (III.A).
33. An incompatible use is not necessarily a harmful use; in fact,
it may be extremely beneficial to the individual and society. For
example, society may benefit when researchers and statisticians use
previously collected personal information to determine the cause of a
potentially fatal disease such as cancer.
34. On the other hand, without some limitation, information use may
know no boundaries. Without a Fairness Principle, personal information
provided under the terms disclosed and obtained pursuant to the Notice
(II.B) and Awareness (III.A) Principles may be used in ways that
violate those terms and thus go beyond the individual's understanding
and consent. To guard against this result, before information is used
in an incompatible manner, such use should be communicated to the
individual and his or her explicit or implicit consent obtained. The
nature of the incompatible use will determine whether such consent
should be explicit or implicit. In some cases, the consequences to an
individual may be so significant that the prospective data user should
proceed only after the individual has specifically opted into the use
by explicitly agreeing. In other cases, a notice offering the
individual the ability to opt out of the use within a certain specified
time may be adequate. It is the responsibility of the data user to
ensure that the individual is able to prevent such incompatible use.
Implicit in this principle is the idea that the original data collector
will convey to every new user information about the original notice.
35. Having said this, it must be recognized that the Fairness
Principle cannot be applied uniformly in every setting. There are some
incompatible uses that will have no effect on the individual's
information privacy interest. Research and Statistical studies may be
an example. Obtaining the consent of the individual to participate in
such studies will add cost and administrative complexity to the process
without affecting the individual's information privacy interests. In
other cases, the information is for a significant public need that
would be thwarted by giving the individual a chance to limit its use,
and society recognizes the need and authorizes the use in a highly
formal, open way (typically in legislation). An example would be the
collection of data to support a law enforcement investigation where
obtaining a suspect's consent to a new use of what has become
investigatory data would be unlikely and even asking for such consent
could be potentially counterproductive to the investigation.
Nevertheless, given the interactive possibilities that the NII offers,
data users should be creative about finding ways to satisfy the
Fairness Principle.
II.E. Education Principle:
The full effect of the NII on the use of personal information is
not readily apparent, and individuals may not recognize how their lives
may be affected by networked information. Therefore, information users
should educate themselves, their employees, and the public about how
personal information is obtained, sent, stored, processed, and
protected, and how these activities affect individuals and society.
36. The Education Principle represents a significant addition to
the traditional Code of Fair Information Practices. There are many uses
of the NII for which individuals cannot rely completely on governmental
or other organizational controls to protect their privacy. Although
individuals often rely on such legal and institutional controls to
protect their privacy, many people will engage in activity outside of
these controls, especially as they engage in the informal exchange of
information on the NII. Thus, individuals must be aware of the hazards
of providing personal information, and must make judgments about
whether providing personal information is to their
benefit. [[Page 4367]]
37. Because it is important that information users appreciate how
the NII affects information privacy, and that individuals understand
the ways in which personal information can be used in this new
environment, information users should participate in educating
themselves and others about the handling and use of personal
information in the evolving NII.
III. Principles for Individuals Who Provide Personal Information
38. As previously noted, the NII will be interactive. Individuals
will not be mere objects that are acted upon by the NII; rather, they
will actively participate in using and shaping the new information
technologies and environments. In such as essentially interactive
realm, individuals should assume some responsibility for their
participation in instances where they can affect that participation.
For example, where individuals will have choices about whether and to
what degree personal information should be disclosed, they should take
an active role in deciding whether to disclose personal information in
the first place, and under what terms. Of course, in certain cases,
individuals have no choice whether to disclose personal information.
For example, if the individual wants to execute a transaction on the
NII, personal information in the form of transactional data will
necessarily be generated. Or, the choice may exist in theory only. For
example, an individual may be permitted not to disclose certain
personal information, although exercising such choice will result in
the denial of a benefit that they cannot give up to participate fully
in society--e.g., obtaining a license to drive an automobile. If
individuals are to be held responsible for making these choices, they
must be given enough information by information collectors and users to
make intelligent choices.
III.A. Awareness Principle:
While information collectors have a responsibility to inform
individuals why they want personal information, individuals also have a
responsibility to understand the consequences of providing personal
information to others. Therefore, individuals should obtain adequate,
relevant information about:
1. Why the information is being collected;
2. What the information is expected to be used for;
3. What steps will be taken to protect its confidentiality,
integrity, and quality;
4. The consequences of providing or withholding information; and
5. Any rights of redress.
39. The Awareness Principle, in conjunction specifically with the
Notice Principle (II.B) and more broadly with the Education Principle
(II.E), strives to cultivate an environment where individuals have been
given the tools necessary to take responsibility over how personal
information is disclosed and used.
40. Increasingly, individuals are being asked to surrender personal
information about themselves. Sometimes the inquiry is straight-
forward; for example, a bank may ask for personal information prior to
processing a loan request. In such situations the purpose for which the
information is sought is clear--to process the loan application. There
may, however, be other uses that are not so obvious, such as using that
information for a credit car solicitation.
41. Indeed, individuals regularly disclose personal information
without being fully aware of the many ways in which that information
may ultimately be used. For example, an individual who pays or medical
services with a credit card may not recognize that he or she is
creating transactional data that could reveal the individual's state of
health. The Awareness Principle encourages individuals to learn about
and take into consideration such consequences before participating in
these kinds of transactions.
III.B. Redress Principles:
Individuals should be protected from harm caused by the improper
disclosure or use of personal information. They should also be
protected from harm caused by decisions based on personal information
that is not accurate, timely, complete, or relevant for the purpose for
which it is used. Therefore, individuals, should, as appropriate:
1. Have the means to obtain their personal information and the
opportunity to correct information that could harm them;
2. Have notice and a means of redress if harmed by an improper
disclosure or use of personal information, or if harmed by a decision
based on personal information that is not accurate, timely, complete,
or relevant for the purpose for which it is used.
42. There will be times when individuals are harmed by the improper
disclosure or use of personal information. Individuals will also be
harmed by the use of personal information that lacks sufficient quality
to ensure fairness in that use. It is therefore important to implement
measurers to avoid or limit that harm, as well as measures to provide
relief should harm occur.
43. Therefore, individuals should be able to obtain from
information users, as appropriate, a copy of their personal information
and have the opportunity to correct information about them that lacks
sufficient quality to assure fairness in use and thus prevent potential
harm. Whether this opportunity should be granted depends on the
seriousness of the consequences to the individual of the use of the
information. Finally, appropriate forms of redress should be available
for individuals who have been harmed by the improper disclosure or use
of personal information, or by the use of personal information that
lacks sufficient quality to be used fairly. The Principles envision
various forms of redress including, but not limited to, mediation,
arbitration, civil litigation, regulatory enforcement, and criminal
prosecution, in various private, local, state, and federal forums with
a goal of providing relief in the most cost-effective, efficient manner
possible.
Appendix I. Principles for Providing and Using Information in the NII--
Comparison of May 25, 1994, and Revised Version
I. General Principles for the National Information Infrastructure
Participants in the NII rely upon the privacy, integrity, and
quality of the personal information it contains. Therefore, all
participants in the NII should use whatever means are appropriate to
ensure that personal information in the NII meets these standards.
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
A. Information Privacy
Principle
Individuals are An individual's Moves principal from
entitled to a reasonable expectation abstract
reasonable expectation of privacy regarding ``expectation,'' to
of information privacy. access to and use of an assurance that is
his or her personal the responsibility of
information should be all participants.
assured.
[[Page 4368]]
B. Information
Integrity Principles
Participants in the NII Personal information Principle has been
rely upon the should not be revised to focus on
integrity of the improperly altered or traditional security
information it destroyed. definition of data
contains. It is integrity--guarding
therefore the against improper
responsibility of all alteration or
participants to ensure destruction. Data
that integrity. In quality attributes
particular, provisions have been
participants in the moved to new
NII should, to the principle:
extent reasonable: Information Quality
Principle, below.
1. Ensure that
information is secure,
using whatever means
are appropriate;
2. Ensure that
information is
accurate, timely,
complete, and relevant
for the purpose for
which it is given.
C. Information Quality
Principle (NEW)
(Partly contained in Personal information New principle, but
Information Integrity should be accurate, broken out of old
Principle.). timely, complete, and Integrity.
relevant for the
purpose for which it
is provided and used.
------------------------------------------------------------------------
OLD II. Principle for Information Collectors (i.e. entities that
collect personal information directly from the individual)--This
principle has been deleted and its provisions moved to the Information
Users Principles as the new ``Notice Principle.''
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
A. Collection Principle
Before individuals make NA..................... Principle moved to and
a decision to provide combined with the
personal information, Principles for
they need to know how Information Users.
it is intended to be
used, how it will be
protected, and what
will happen if they
provide or withhold
the information.
Therefore, collectors
of this information
should tell the
individual why they
are collecting the
information, what they
expect it will be used
for, what steps they
will take to protect
its confidentiality
and integrity, the
consequences of
providing or
withholding
information, and any
rights of redress.
------------------------------------------------------------------------
New II. Principles for Information Users (i.e. Information
Collectors and entities that obtain, process, send or store personal
information).
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
A. Acquisition and Use
Principles
Users of personal Users of personal The assessment in
information must information should paragraph 1, now
recognize and respect recognize and respect precedes a decision
the stake individuals the privacy interests to collect data, not
have in the use of that individuals have merely the data
personal information. in the use of personal collection itself.
Therefore, users of information. They
personal information should:
should:
1. Assess the 1. Assess the impact on The original paragraph
impact on personal privacy of current or 3, placing
privacy of current planned activities in responsibilities on
or planned deciding whether to users to assure data
activities before obtain or use personal quality has been
obtaining or using information. moved to the
personal Information Quality
information. Principle in Section
I to emphasize that
this is a
responsibility of all
parties.
2. Obtain and keep 2. Obtain and keep only
only information information that could
that could be reasonably expected
reasonably be to support current or
expected to planned activities and
support current or use the information
planned activities only for those or
and use the compatible uses.
information only
for those or
compatible
purposes.
3. Assure that
personal
information is as
accurate, timely,
complete and
relevant as
necessary for the
intended use..
------------------------------------------------------------------------
B. Notice Principle (This is a new principle for this section. It
recognizes that notice is a critical element in the successful
establishment of the Principles as a working set of guidelines.
Adequate notice will ensure that information acquisition and usage
occurs within the knowledge and consent of the individual who provides
it. Because users may wish to use information for purposes that are
incompatible with that knowledge and consent, the principle states that
before such use can occur, the individual must be renotified and his or
her consent obtained.)
[[Page 4369]]
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
(Originally contained Individuals need to be Moved from ``Collector
in the ``Collector able to make an Principle'' to
Principle.''). informed decision emphasize
about providing responsibility of
personal information. both collectors and
Therefore, those who certain users to
collect information inform individuals of
directly from the the uses of their
individual should data and to obtain
provide adequate, their knowledge and
relevant information consent to such uses.
about:.
1. Why they are
collecting the
information;
2. What the information
is expected to be used
for;
3. What steps will be
taken to protect its
confidentiality,
integrity, and
quality;
4. The consequences of
providing or
withholding
information; and
5. Any rights to
redress.
------------------------------------------------------------------------
C. Protection Principle (renumbered as C.)
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
Users of personal Users of personal Changes verb ``must''
information must take information should to ``should'' for
reasonable steps to take reasonable steps consistency with
prevent the to prevent the other wording
information they have information they have throughout the
from being disclosed from being disclosed Principles.
or altered improperly. or altered improperly.
Such users should use Such users should use
appropriate managerial appropriate managerial
and technical controls and technical controls
to protect the to protect the
confidentiality and confidentiality and
integrity of personal integrity of personal
information. information.
------------------------------------------------------------------------
D. Fairness Principles (This Principle has been moved up to
emphasize the importance of users treating information providers
fairly.)
------------------------------------------------------------------------
Original Version--May
25, 1994 Revised Version Change
------------------------------------------------------------------------
Because information is
used to make decisions
that affect
individuals, those
decisions should be
fair. Information
users should, as
appropriate:
1. Provide Individuals provide The Principle has been
individuals a personal information simplified. It looks
reasonable means on the assumption that to the notice given
to obtain, review, it will be used in under the Notice
and correct their accordance with the Principle as the
own information. notice provided by determinant of when
collectors. Therefore, individuals should be
users of personal given the ability to
information should limit use of their
enable individuals to personal information.
limit the use of their The redress
personal information provisions of the
if the intended use is original formulation
incompatible with the have been
notice provided by incorporated into the
collectors. Notice Principle
above and to the
Redress Principles in
Section III. The
Commentary provides
guidance on what
constitutes a
``compatible'' and
``incompatible'' use.
2. Inform
individuals about
any final actions
taken against them
and provide
individuals with
means to redress
harm resulting
from improper use
of personal
information;
3. Allow
individuals to
limit the use of
their personal
information if the
intended use is
incompatible with
the original
purposes for which
it was collected,
unless that use is
authorized by law.
E. Education Principle
The full effect of the The full effect of the Expands education
NII on both data use NII on the use of principles to include
and personal privacy personal information societal effects
is not readily is not readily given the potential
apparent, and apparent, and effect of the NII on
individuals may not individuals may not social structures and
recognize how their recognize how their relationships.
lives can be affected lives may be affected
by networked by networked
information. information.
Therefore, information Therefore, information
users should educate users should educate
themselves, their themselves, their
employees, and the employees, and the
public about how public about how
personal information personal information
is obtained, sent, is obtained, sent,
stored and protected, stored, processed, and
and how these protected, and how
activities affect these activities
others. affect individuals and
society.
[[Page 4370]]
III. Principles for
Individuals who Provide
Personal Information
A. Awareness Principles
While information While information Description of what
collectors have a collectors have a information
responsibility to tell responsibility to individual should
individuals why they inform individuals why obtain to make
want information about they want personal informed decision to
them, individuals also information, provide data has been
have a responsibility individuals also have simplified.
to understand the a responsibility to
consequences of understand the
providing personal consequences of
information to others. providing personal
Therefore, individuals information to others.
should obtain Therefore, individuals
adequate, relevant should obtain
information about. adequate, relevant
information about:
.....................
1. Planned primary and 1. Why the information
secondary uses of the is being collected;.
information.
2. Any efforts that 2. What the information
will be made to is expected to be used
protect the for;.
confidentiality and
integrity of the
information.
3. Consequences for the 3. What steps will be
individual of taken to protect its
providing or confidentiality,
withholding integrity, and
information. quality;.
4. Any rights of 4. The consequences of
redress the individual providing or
has if harmed by withholding
improper use of the information; and.
information.
5. Any rights of
redress.
B. Redress Principles
Individuals should be Individuals should be Redress section has
protected from harm protected from harm been rewritten to
resulting from caused by the improper expand the scope of
inaccurate or disclosure or use of its provisions.
improperly used personal information. Whereas original
personal information. They should also be formulation
Therefore, individuals protected from harm restricted
should, as appropriate. caused by decisions individuals ability
based on personal to correct
information that is information that
not accurate, timely, could harm them to
complete, or relevant only ``inaccurate''
for the purpose for information, revised
which it is used. draft includes any of
Therefore, individuals the information
should, as quality attributes
appropriate: from the Information
Quality Principle as
a basis: e.g.,
incomplete
information.
1. Be given means to 1. Have the means to Original paragraphs 2
obtain their obtain their personal and 3, stating that
information and be information and the individuals should be
provided opportunity opportunity to correct informed of ``final
to correct inaccurate information that could actions'' taken
information that could harm them. against them and have
harm them. a means of redress if
harmed by improper
uses of their
personal information
has been consolidated
into one new
paragraph. The
``informed of any
final actions''
thought has been
discarded because of
the difficulty of
arriving at an
adequate definition
of what constitutes a
``final action.''
Instead, it has been
replaced with a
provision for
``notice and means of
redress'' for
improper disclosures
of information, or
for use of data that
lacks sufficient
quality as explained
by the Information
Quality Principles.
2. Be informed of any 2. Have notice and a
final actions taken means of redress if
against them and what harmed by an improper
information was used disclosure or use of
as a basis for the personal information,
decision. or if harmed by a
decision based on
personal information
that is not accurate,
timely, complete, or
relevant for the
purpose for which it
is used.
3. Have a means of
redress if harmed by
an improper use of
their personal
information.
------------------------------------------------------------------------
[FR Doc. 95-1480 Filed 1-19-95; 8:45 am]
BILLING CODE 3110-01-P-M