Conversely, safeguard requirement III(2), which also guarantees an individual the right to see and obtain copies of data about him, provides more protection for individuals than Section 609(a) of the Fair Credit Reporting Act, 15 U.S.C. 1681g(a). Under the Act's requirement the individual is entitled to be fully informed by a consumer-reporting agency of the content of his record (except medical information and the sources of investigative information), but he is not entitled to see, copy, or physically possess his record. When an individual goes to a consumer-reporting agency to determine what information it has on him, the contents of the record must be read to him, but he must take the agency's word that it is telling him about all information in the record, and about all sources and recipients thereof. We understand that individuals have found this arrangement generally unsatisfactory, and further, that as the proportion of "sensitive" or adverse personal data in a record increases, compliance with the full disclosure requirement tends to diminish.

To bring Section 609(a) more in line with the protection afforded individuals by safeguard requirement III(2), and thus to achieve the objective of the Fair Credit Reporting Act more fully, we recommend that the Fair Credit Reporting Act be amended to provide for actual, personal inspection by an individual of his record along with the opportunity to copy its contents, or to have copies made. The choice between inspecting and copying should be left to the individual, and any charge for having copies made should be nominal.

We further recommend that the exceptions from disclosure to the individual now authorized by the Fair Credit Reporting Act for medical information and sources of investigative information should be omitted. It is a disturbing thought that an investigative consumer-reporting agency may have a record of medical information that the individual cannot know about or challenge. We realize that in Section 603(f) of the Fair Credit Reporting Act, 15 U.S.C. 1681a(f), "consumer reporting agencies" is defined broadly enough to apply to some organizations that are customary and appropriate repositories of medical information. However, nothing in the Act should warrant the inference that every type of organization falling within the umbrella definition of "consumer reporting agencies" may, with impunity, conceal from an individual the fact that it is gathering, recording, and reporting medical information about him.

We have explained our skepticism about the propriety of utilizing anonymous data sources when determinations about an individual's character, qualifications, rights, opportunities, or benefits are being made. Moreover, we find no strong societal interest in having an individual routinely denied credit, insurance, or employment on the basis of information provided by any source that must be kept secret from him.

A Note on Mailing Lists

The use of automated personal data systems to generate mailing lists deserves special comment. Ordinarily such use entails no perceptible threat to personal privacy. Even among individuals who strongly object to receiving quantities of so-called “junk mail,” most would probably concede that their objections are not founded on any substantial claim that personal privacy has been invaded. Indeed, it is hard to see how the mere delivery of an item of mail to an individual, even though it is addressed to him by name, in itself entails an offensive or harmful disclosure or use of personal data.

More important than the end use of the mailing list itself is the question of the original source of the personal data from which the list was originally assembled. In most cases, commercial mailing lists are made up of names and addresses gathered during the course of commercial transactions. In the most typical case, buying an item through the mail assures that the buyer's name will be added to the list of a commercial dealer in names, and that the list will in turn be sold, rented, and traded through a chain of further commercial mailers. This exploitation of names may occasionally be irritating, but there is little potential for substantial disclosure of closely held personal information, since nothing beyond name and address was probably revealed in the first place.

A more serious threat to personal privacy arises when mailing lists are compiled from sources that have nothing to do with commercial interests-the membership list of a professional society,

"Experience under the Fair Credit Reporting Act should be carefully assessed to identify other amendments necessary to assure the effectiveness of its intended protections for individuals. For an analysis of deficiencies of the Act, see "Protecting the Subjects of Credit Reports," The Yale Law Journal, Vol. 80, No. 5 (April, 1971), pp. 1035-1069.

the faculty roster of a college, or the donor list of a charity. In these cases, data furnished for one purpose are being used for another, and even though the original source may not have contained more than the name and address, the mere fact of being on the list may reveal something about one's private life.

More serious still are lists derived from actual administrative data systems. There is the strong probability that the original source contained data that might well be intensely personal and that names will be selected for mailing lists on the basis of such data. The data files for driver licenses, for instance, usually contain medical information on disabilities. The administrative files of schools contain grades and other personal items. Any use of files such as these for any but the original intention carries a clear danger of exploitation of truly private personal information.

The Committee staff studied the structure and practices of the mailing-list industry to gauge the threats to personal privacy that could arise from that source, as well as to examine the applicability of the safeguard requirements to the industry. The report of the study is presented in Appendix H; an abstract of its conclusions, which we fully endorse, is given here:

An underlying function of the Advisory Committee's recommended safeguards is to provide effective feedback mechanisms that will help to make automated personal data systems more responsive to the interests of individuals. Systems maintained by most government agencies, and by many private organizations, do not provide for tight links between individuals and the system operators. The direct-mail industry, however, is largely organized around the idea of public feedback; the trade press concentrates almost obsessively on methods for maximizing response and minimizing complaints.

Because most mailings draw a response from only 3 or 4 percent of the addressees, a small change in the response rate can have relatively large economic implications for the mailer. The same is true for the compilers and brokers of mailing lists, because the price a list commands in the rental market depends not so much on its demographic sophistication as on its accuracy and freshness. Lists are cleaned by adding a special imprint to the mailing which gives the Postal Service authority to correct and return (at first-class rates) all undeliverable pieces. Since it costs about four times as much to discover and correct a "nixie" as it does to make a clean mailing in the first place, there is a powerful economic incentive to concentrate lists on known buyers at addresses of known accuracy.

Another feedback mechanism operates on the industry as a whole. Direct-mail advertising is strongly dependent for survival on the official good

will of a large number of agencies of the government; opposition from the Postal Service, from motor vehicle registrars, or from the Census Bureau, to name a few examples, would seriously hamper the industry on its present scale. It seems likely that a scandal involving public records, or the development of a public allergy to direct-mail advertising, would lead to government moves to put constraints on the industry.

Constructive publicity toward emphasizing the rights of the individual relative to direct-mail advertising, especially the methods the industry has adopted for getting off and getting on the larger lists, would go far in strengthening these feedback mechanisms that already operate. In particular, the Direct Mail Advertising Association's Mail Preference Service deserves wider attention.

If feedback mechanisms stronger than those provided by the economics of the industry should become desirable, there would be formidable practical difficulties in applying the Committee's safeguards to the freewheeling small operators of the direct-mail industry. The most directly applicable of the Committee's safeguards is the requirement for the informed consent of the data subject to be obtained before any collateral use may be made of data from an administrative personal data system. To accomplish this, forms that are used by the system in transactions with individuals (applications, for example) and that are vulnerable to mailing-list uses, could be printed with a block in which the individual-by his deliberate action-could indicate whether or not his name and address could be sold or otherwise transferred to another data system for mailing-list use. Of course, this could not prevent his name and address from being copied by hand out of a public record system, but the cost of such handcopying would sharply curtail much commercial use.

In view of the controls already at work in the direct-mail advertising industry, this limited application of the Committee's safeguards seems sufficient. It would provide protection to individuals from having their names unexpectedly appear on mailing lists without their consent. We doubt the utility and feasibility of trying to make the rest of the Committee's proposed safeguard requirements apply to the mailing list as such, as a form of administrative automated personal data system, or to organizations that deal only in mailing lists. If the control of mailing lists is to be undertaken by law, it should be done by legislation that is directed specifically to that purpose.

If the foregoing analysis of the situation underestimates the felt need for greater mailbox privacy, it would be feasible to undertake specific legislative action against the direct-mail advertising industry to provide greater protections, as the regulation of information practices in the consumer-reporting industry amply demonstrates.

A Note on Intelligence Records

In developing safeguard requirements, we have divided personaldata record-keeping systems into two broad categories, (i) administrative systems, and (ii) systems maintained exclusively for statistical reporting and research. The distinction between the two is in their purpose vis-a-vis individuals. Administrative systems are intended to be used to affect individuals as individuals; statistical reporting and research systems are not. According to this classification, intelligence records are properly considered administrative records.

A chief characteristic of intelligence records is that they are compiled for purposes that presuppose the possibility of taking adverse action against an individual. Their focus is on providing a basis for protecting the data-gathering organization, or other organizations that it serves, against the individual. There are many examples of intelligence-type personal-data record-keeping systems. From a historical standpoint, the original and classical intelligence records were those compiled and maintained about individuals who were viewed as possible enemies of the state. The most obvious and perhaps most common ones today are those compiled by the criminal intelligence systems of Federal, State, and local law enforcement agencies about individuals suspected of being engaged in criminal activities, of being threats to public safety or national. security, or of being suitable objects of surveillance and investigation for less clearly definable reasons. There are, however, many other examples of intelligence-type records, including investigative records of credit-reporting agencies, private detective agencies, industrial security organizations, and so on. It is hard to know how many types of intelligence data systems exist because their function leads as a rule to careful concealment.

In framing our proposed safeguard requirements for administrative personal data systems, we did not focus on intelligence records as such. We realize that if all of the safeguard requirements were applied to all types of intelligence records, the utility of many intelligence-type records for the purposes they are designed to serve might be greatly weakened. In some instances this would clearly not be a desirable outcome from the standpoint of important societal interests, such as the apprehension and prosecution of individuals