allow an individual to find out easily what is in his record and to have the record corrected if it is wrong. Disclosure of an individual's record outside the system is forbidden, except under certain limited circumstances prescribed by statute and regulation, and there are criminal penalties for unauthorized disclosure. An individual is given notice and opportunity for a hearing when the record is being changed at the initiative of the Social Security Administration. These protections are a normal part of Social Security administration and, in our view, demonstrate the feasibility of building such safeguards into any system when the system's managers are strongly committed to do so. We believe that the cost to most organizations of changing their customary practices in order to assure adherence to our recommended safeguards will be higher in management attention and psychic energy than in dollars. These costs can be regarded in part as deferred costs that should already have been incurred to protect personal privacy, and in part as insurance against future problems that may result from adverse effects of automated personal data systems. From a practical point of view, we can expect to reap the full advantages of these systems only if active public antipathy to their use is not provoked.13 The past two decades have given America intensive lessons in the difficulty of trying to check or compensate for undesirable side-effects stemming from headlong application and exploitation of complex technologies. Water pollution, air pollution, the annual highway death toll, suburban sprawl, and urban decay are all unanticipated consequences of the too narrowly conceived and largely unconstrained applications of technology. Hence, it is 13 In addition to maintaining and using records of personal information, computer technology is a tremendous new force for development in many ways. Already, for example, computers are controlling traffic on city streets and highway systems, and in the air; supplementing human judgment in making medical diagnoses; monitoring air pollution; predicting the weather; and even acting as surrogates for human decision makers in controlling large electrical power systems, industrial manufacturing processes, and highspeed rail transportation systems. Such computer applications do not typically require identifiable information about people. That which is required is limited and need be retained for only a short time. Thus the social risks from computer systems such as these are beyond the scope of this report. essential now for organizational decision makers to understand why they should be sensitive to issues of personal privacy and not permit their organizations unilaterally to adopt computer-based record-keeping practices that may have adverse effects on individuals. They must recognize where conflicts are likely to arise between an individual's desire for personal privacy and an organization's record-keeping goals and behavior. They must recognize that although individuals and record-keeping organizations do have certain shared purposes, they also have other purposes-some of which are mutual, though not perceived as such, and some of which can be in direct conflict. Record-keeping organizations must guard against insensitivity to the privacy needs and desires of individuals; preoccupied with their own convenience or efficiency, or their relationships with other organizations, they must not overlook the effects on people of their record-keeping and record-sharing practices. They have the power to eliminate misunderstanding, mistrust, frustration, and seeming unfairness; they must learn to exercise it. I know everybody's income and what everybody earns; And I carefully compare it with the income-tax returns; To everybody's prejudice I know a thing or two; Yet everybody says I am a disagreeable man! King Gama in Gilbert and Sullivan's IV Recommended Safeguards for Our inquiry has led us to distinguish two categories of personal data systems that deserve separate attention in developing safeguards. One consists of administrative systems; the other of statistical-reporting and research systems. The essential distinction between the two categories is functional. An administrative personal data system maintains data on individuals for the purpose of affecting them directly as individuals—for making determinations relating to their qualifications, character, rights, opportunities, or benefits. A statistical-reporting or research system maintains data about individuals exclusively for statistical reporting or research, and is not intended to be used to affect any individual directly.1 1In our brief review of the history of record keeping in Chapter I, we took note of the origins and existence of intelligence records. These should be thought of as a type of administrative personal data system, since intelligence records are maintained about people for the purpose of affecting them directly as individuals. We have not, however, examined intelligence record-keeping systems as such, and it was not with such systems in mind that we developed the safeguard recommendations set forth in this chapter. At the end of the chapter, we have included a brief statement about the application of our safeguards to intelligence records. This chapter contains general recommendations for all personal data systems and safeguard requirements for administrative personal data systems used as such. Chapter V contains additional safeguard requirements for statistical-reporting and research applications of administrative systems. Systems maintained exclusively for statistical reporting or research and safeguard requirements for them are addressed in Chapter VI. Although our specific charge has been to analyze problems of automated systems, our recommendations could wisely be applied to all personal data systems, whether automated or manual. Computer-based systems magnify some record-keeping problems and introduce others, but no matter how data are stored, any maintenance of personal data presents some of the problems discussed in Chapters II and III. Moreover, the distinction between an automated and a non-automated system is not always easy to draw; requiring safeguards for all personal data systems eliminates the need to rule on ambiguous cases. Uniform application of safeguards to all systems will also facilitate conversion from manual to automated data processing when it does occur. We define an automated personal data system as a collection of records containing personal data that can be associated with identifiable individuals, and that are stored, in whole or in part, in computer-accessible files. Data can be "associated with identifiable individuals" by means of some specific identification, such as name or Social Security number, or because they include personal characteristics that make it possible to identify an individual with reasonable certainty. "Personal data” include all data that describe anything about an individual, such as identifying characteristics, measurements, test scores; that evidence things done by or to an individual, such as records of financial transactions, medical treatment, or other services; or that afford a clear basis for inferring personal characteristics or things done by or to an individual, such as the mere record of his presence in a place, attendance at a meeting, or admission to some type of service institution. "Computer-accessible" means recorded on magnetic tape, magnetic disk, magnetic drum, punched card, or optically scannable paper or film. A "data system" includes all processing operations, from initial collection of data through all uses of the data. Data recorded on |