Connecticut-they are also a highly mobile population, with each individual going by any one of several different names depending on circumstances.

The health facility consists of a combination of in-patient, out-patient, and field-clinic services. The purpose of its computerbased record-keeping system is to develop a complete, cradle-tograve, medical dossier on each individual eligible to use the facility, so that all can benefit from a comprehensive diagnostic and treatment program that aims to control illness by preventing its occurrence, or by taking preemptive steps at the first sign of a medical problem.

The record-keeping system has three basic components: (1) an administrative one that notes and describes every contact each patient has with any segment of the health facility, including the "interdisciplinary" teams of doctors, nurses, and social workers who travel about administering tests and providing ambulatory health services; (2) a statistical-reporting one that attempts to observe fluctuations in the incidence of certain types of ailments and to pinpoint "high risk" groups needing special preventive attention; and (3) a "surveillance" one that consists of the recorded results of medical tests administered according to a schedule established by the health facility. The system is a little more than three years old. By the summer of 1972 it contained about 50 million characters of data, or approximately 3,500 characters per patient-record. It accommodates data in narrative as well as standard computer-accessible form.

The system is an elegant tool for addressing a complex set of social problems. It would be hard to argue that the patient population being cared for would be better off without the services the system makes possible. It is also apparent that knowing who an individual is, and the details of his medical history, can be of vital importance in treating patients, but the system has certain social control capabilities that should be noted nonetheless.

The surveillance component, for example, has the primary purpose of discovering incipient medical problems in individual patients. To do this effectively, each patient must be induced to comply with the health facility's testing schedule, and the health

data system can be used to encourage compliance. As long as a patient has no need for medical treatment, he can avoid the testing program. However, once he becomes a patient, for whatever reason, his record will be there at the doctor's fingertips showing all tests he has not had but should be persuaded to have before he leaves the field clinic or wherever it is that he has come to the medical facility's attention. In discussing a system serving such patently humane purposes, words like "control" and "coercion" may have an objectionable ring, but the coercive potential of the surveillance component, especially in some other area of application, is evident.9

In another environment, the statistical-reporting component of the system could also have potentially unsavory consequences for individuals. It is characteristic of modern organizations to single out "high risk" categories of people to whom the normal standards and rules do not apply. Often these high risk groups are identified from statistical studies of populations that use the services an organization offers. The consequences for any given individual exhibiting the characteristics of the high risk group may range from total exclusion (uninsurability) to being made eligible for special treatment (remedial education, free medical care). Although there is nothing intrinsically harmful in such practices, in dealing with human populations it is essential not to assume that any single member of a statistically defined group will necessarily behave in the way predicted for the group as a whole. Theoretically, the adverse consequences of "statistical stereotyping" can be avoided by permitting an individual to know that he has been labelled a risk and to contest the label as applied to him. However, depending on the circumstances-and particularly on the stake that an organization may have in being able to predict the behavior of each individual in its clientele-a lone individual could have considerable difficulty making his case.

Even the administrative record-keeping component of a comprehensive data system can have coercive effects. When the administrative part of the health data system was described to the Committee, repeated reference was made to the advantages of knowing that a patient has previously been treated for an emotional

9

'A computer-based information system designed to control the population of a prison is described in Appendix F.

disorder when he shows up at a clinic claiming that he has accidentally scratched his wrist on a rusty nail. One hopes that his chances of being discharged after some bandaging and a tetanus shot are about the same as his chances of being committed for treatment as a potential suicide. But are they? Should they be? In some other record-keeping environment, could an individual depend on having someone equivalent to a trained medical practitioner available to make such a judgment?

Finally, it is important to note that the health data system has grown very rapidly, that elements like the "high risk" categorization were not present in the beginning, and that the health facility is now trying to improve its method of identifying patients for the purpose of updating and retrieving the information it maintains about them. In this particular situation, the Social Security number happens to be considered a poor identification device because many patients are thought to have more than one; but the patients also tend to have several different names, so the managers of the data system are trying to develop their own unique numbering scheme cross-referenced with all known "aliases" for each patient.

Scheduling, labelling, monitoring, improved methods of identifying records about individuals-these are being discussed in some quarters today as if they were mere tools for delivering services to people efficiently. In the health data system just described, the surveillance component is regarded as a way of providing preventive health care; of taking preemptive steps to halt the natural development of illnesses and conditions conducive to illness. It is hard to quarrel with those objectives, or for that matter with the objectives of a great many data systems now in operation or being planned. Should a national credit-card service be prohibited from using a sophisticated personal data system to prevent its card holders from going on irresponsible spending sprees?1o Should school districts be forbidden to use personal data systems to help prevent children from becoming delinquents?

These are difficult questions to answer. Often the immediate costs of not using systems to take preemptive action against

10

For a cogent description of how this is done, see James B. Rule, Private Lives and Public Surveillance (London: Allen Lane), 1973, especially Chapter 6. See also Robert A. Hendrickson, The Cashless Society (New York: Dodd, Mead & Company), 1972.

508-625 O-73-5

individuals can be estimated (in both dollars and predictable social disruption), while the long-term costs of increasing the capacity of organizations to anticipate, and thus to control, the behavior of individuals can be discussed only speculatively. One fact seems clear, however; systems with preemptive potential are typically developed by organizations, and groups of organizations, who see them primarily as attractive technological solutions to complex social problems. The individuals that the systems ultimately affect, the people about whom notations are made, the people who are being labelled and numbered, have, by comparison, a very weak role in determining whether many of these systems should exist, what data they should contain, and how they should be used.

The Net Effect on People

Today it is much easier for computer-based record keeping to affect people than for people to affect computer-based record keeping. This signal observation applies to a very broad range of automated personal data systems. When a machine tool produces shoddy products, the reaction of consumers (and of government regulatory agencies in some cases) is likely to give the factory managers prompt and strong incentives to improve their ways. This is much less likely to be the case when computerized record-keeping operations fail to meet acceptable standards.

There is some evidence that in commercial settings competition helps to prevent harmful or insensitive record-keeping practices, especially when a record-keeping organization (a bank, for instance) depends on continuous interaction with individual data subjects in order to keep its own records straight. It is also true that a number of schools and colleges have been forced to abandon automated registration and scheduling by determined student campaigns to fold, spindle, and mutilate. In governmental settings, however, the dissatisfied data subject usually has nowhere else to take his business and can even be penalized for refusing to cooperate. The result, of course, is that many organizations tend to behave like effective monopolies, which they are.

It is no wonder that people have come to distrust computerbased record-keeping operations. Even in non-governmental settings, an individual's control over the personal information that he

gives to an organization, or that an organization obtains about him, is lessening as the relationship between the giver and receiver of personal data grows more attenuated, impersonal, and diffused. There was a time when information about an individual tended to be elicited in face-to-face contacts involving personal trust and a certain symmetry, or balance, between giver and receiver. Nowadays an individual must increasingly give information about himself to large and relatively faceless institutions, for handling and use by strangers-unknown, unseen and, all too frequently, unresponsive. Sometimes the individual does not even know that an organization maintains a record about him. Often he may not see it, much less contest its accuracy, control its dissemination, or challenge its use by others.

In more than one opinion survey, worries and anxieties about computers and personal privacy show up in the replies of about one third of those interviewed. More specific concerns are usually voiced by an even larger proportion.11 The public fear of a “Big Brother" system, in effect a pervasive network of intelligence dossiers, focuses on the computer, but it includes other marvels of twentieth-century engineering, such as the telephone tap, the wireless microphone, the automatic surveillance camera, and the rest of the modern investigator's technical equipage. Such worries seem naive and unrealistic to a data-processing specialist, but as in the case of campus protests against computerized registration systems, the apprehension and distrust of even a minority of the public can grossly complicate even a safe, straightforward datagathering and record-keeping operation that may be of undoubted social advantage.

It may be that loss of control and confidence are more significant issues in the "computers and privacy" debate than the organizational appetite for information. An agrarian, frontier society undoubtedly permitted much less personal privacy than a modern urban society, and a small rural town today still permits less than a big city. The poet, the novelist, and the social scientist tell us, each in his own way, that the life of a small-town man, woman, or family is an open book compared to the more anonymous existence of

11 See, for example, A National Survey of the Public's Attitudes Toward Computers (AFIPS-TIME, Inc.) 1971. This survey is discussed in Alan F. Westin and Michael A. Baker, Databanks in a Free Society (New York: Quadrangle Books), 1972, pp. 465-485.