governmental institutions. Ambitiously conceived integrated systems, no matter how secure technically, may have the effect of blurring, either in fact or appearance, established lines of political accountability and constitutionally prescribed boundaries between branches of government. When different branches arrange to share an integrated data-processing facility and its data, the executive usually will operate it. This happens partly because operational functions are normal for the executive, and partly because executive agencies usually have more experience with computer systems. It leads people to fear, however, that the needs of executive claimants may be met before the needs of legislative bodies and the judiciary. The priority system for allocating computer support will, of course, look fair on paper, but in practice the result may often be to shortchange the passengers on the system in favor of the driver." The recent development of mini-computers, much cheaper than the big systems of only five years ago but of comparable power, is providing an attractive economic alternative to large integrated systems. Large systems, however, are also becoming less expensive and there is no assurance that they will not become even more so as the result of new technological advance.

Finally, in terms of the historical classification of records in Chapter I, we recognize that combining bits and pieces of personal data from various records is one way of creating an intelligence record, or dossier. The possibility of using a large computer to assemble a number of data banks into a "master file" so that a dossier on nearly everybody could then be extracted is currently remote, since the ability to merge unrelated files efficiently depends heavily upon their having many features of technical structure in common, and also on having adequate information to match individual records with certainty." These technical obstacles are

5 For a discussion of political issues raised by computer-based information systems in urban government, see Anthony Downs, "The Political Payoffs in Urban Information Systems," in Alan F. Westin (Ed.), Information Technology in a Democracy (Cambridge, Mass.: Harvard University Press), 1971, pp. 311-321.

"In addition to incompatibilities of file structure, the expectation that some day "it will all be put together" also runs afoul of the tenacity with which record-keeping

avoided if the capability to merge whole files is designed into a group of systems at the outset, a practice now characteristic of only a few multi-jurisdictional systems but perhaps becoming more prevalent. At the present time, however, compiling dossiers from a number of unrelated systems presents problems that few organizations, and probably no organizations outside of government, have the resources to solve."

Nonetheless, public concern about such combinations of data through linkings and mergers of files is well founded since any compilation of records from other records can involve crossing functional as well as geographic and organizational boundaries. When data from an administrative record, for example, become part of an intelligence dossier, neither the data subject nor the new holder knows what purpose the data may some day serve. Moreover, the investigator may believe that no detail is too small to put into dossier, while the subject, for his part, can never know when some piece of trivia will close a noose of circumstantial evidence around him. Public sensitivity to the possibility of such

(Continued)

organizations tend to protect their own turf. Certainly among private organizations competitive pressures sometimes inhibit the free circulation of information about clients and also induce resistance to sharing large blocks of individually identifiable data with government agencies. The California Bankers Association, for example, is currently involved in litigation (Stark v. Connally, 347 Fed. Supp. 1242, 1972) to prevent the Treasury Department from enforcing the reporting provisions of the so-called Bank Secrecy Act of 1970 (12 U.S.C. 1829b; 31 U.S.C. 1051-1122) with respect to domestic financial transactions.

"It should be noted that the same characteristics of automated systems which inhibit the compilation of dossiers can also inhibit efforts by the press and public interest groups to penetrate the decision-making processes of record-keeping organizations and expose them to public scrutiny. This is particularly true when organizations destroy “hard-copy” records after putting the information in them into computer-accessible form. In such cases, the computer can become a formidable gatekeeper, enabling a record-keeping organization to control access to public-record information that previously had been available to anyone with the time and energy to sift through its paper files. Putting public-record data in computer-accessible form can also increase the cost of piecing information together from several different files. The same programming costs that make it uneconomical for law enforcement investigators and private detectives to "fish" in the automated files of a credit bureau could also make it prohibitively expensive for private citizens to examine public records.

situations argues strongly for preserving the functional distinctions between different classes of personal data systems.

Technicians as Record Keepers

The reputation of the computer for impersonality and inhuman efficiency is due, in part, to the publicity given the computer as a poet, a chess-player, and a translator of exotic languages. "Machine intelligence" is a subject with fascinating technical and philosophical aspects. To date, however, there is no evidence that a computer capable of "taking over" anything it was not specifically programmed to take over is attainable. Indeed, as pointed out earlier, programming a computer to handle anything complicated is usually a very difficult and expensive job, requiring generous amounts of money, expertise, and management capability.

It seems safe to predict that economic and organizational constraints on the uses of computers will not change radically during the next few years. Although computing power and data-storage capability are steadily becoming cheaper, and problemoriented programming is being improved, no dramatic breakthroughs are in sight. This prediction, however, cuts two ways. If we can comfortably assume that computers will not take control of anything on their own volition, we may still feel some disappointment that the application of computers will tend to remain in the hands of trained specialists whose competence is primarily in data processing rather than in the fields that data processing serves. Some would say that this circumstance results from an abdication by managers of their proper role, but whatever the reason, the effect can easily be to insulate the record-keeping functions of an organization from the pressures of both consumers and suppliers of data.

The presence of a specialized group of data-processing professionals in an organization can create a constituency within the organization whose interests are served by any increase in data use, without much regard for the intrinsic value of the increased use. The point is underlined by an experience common to many organizations. Some unit is already operating a computer facility for accounting, processing scientific or engineering data, or for some

other straightforward application to which the technology is well-adapted. Because the facility has extra computer time available, it is soon discovered that attractive software packages can be purchased to enable the computer to enlarge its scope and become a "management information system."

Such systems are founded on the proposition that efficient decision making requires that managers have available to them a greater or more timely supply of relevant information than they have been getting. As commonly observed, however, most managers do not need more of relevant information nearly as badly as they need less of irrelevant raw data. Thus, until the theory of management itself has progressed to a stage where the necessary data content of management-oriented systems can be predicted, their users are likely to find them disappointing.

8

Another, potentially more serious, consequence of putting record keeping in the hands of a new class of data-processing specialists is that questions of record-keeping practice which involve issues of social policy are sometimes treated as if they were nothing. more than questions of efficient technique. The pressure for establishing a simple, identification scheme for locating records in computer-based systems is a case in point.

The technical argument for having a standard universal identifier for records about individuals focuses on increasing the efficiency of record keeping and record usage. Proponents argue that if every item of data entered into an automated system could be associated with an identifier unique to the individual to whom the data pertain, updating, merging, and linking operations would be greatly simplified and far less error-prone than they are today. Moreover, records could be used more intensively; administrative records indexed by Social Security number, for example, could also be used for certain types of research which require matching data on individuals from several different record systems.

To reap the full technical advantages of a standard identification scheme, it is necessary for each individual to supply the identifier

8

* See, for example, Russell Ackoff, "Management Misinformation Systems," in Westin, op. cit., pp. 264-271.

assigned to him every time he has contact with a record-keeping organization using it. This practice is already familiar to the clients of banks, credit-card services, and many other organizations that have developed their own standard schemes. What worries people is that the inconvenience to record-keeping organizations of having to devise their own numbering arrangements will encourage the adoption of a single universal scheme for use in all computer-based personal data systems. If this happens, organizations that share an interest in monitoring and controlling the behavior of some portion of the population will acquire an enlarged capacity to do so, since they will all be able to know when an individual has contact with any one of them. Fingerprints, for example, are the standard method used by the police to identify persons arrested for crimes. Fingerprinting assures accurate identification and may seem a reasonable way of dealing with criminal offenders, but it is a dubious model for other types of record-keeping organizations to follow.

It is, of course, a long step from having each individual identified in the same way in every data system to creating a giant national data bank of dossiers constructed from fragments of records on citizens in widely dispersed data systems. There would have to be some strong incentive for "putting it all together," and as we noted earlier, it is doubtful that even the dollar cost of doing so could be justified on any reasonable grounds. However, it is not necessary to build a giant national data bank to experience some of the effects of having one. There are already systems in operation which have some of the control capabilities that such a centralized dossier system would create.

One computer-based personal data system that came to our attention was a comprehensive health information system developed and maintained by an agency of the Department of Health, Education, and Welfare on an Indian reservation in the Southwest. Approximately 10,000 Indians living in the area have records in the system and another 4,000 have records in it but, for one reason or another, are not part of the active patient population. These 14,000 record subjects are, by and large, an economically dependent population with very serious health problems. Within the confines of the geographic area covered by the system-about the size of