10

national interests or privacy rights require it and, further, that any exceptions to full disclosure should be based on the characteristics of the information and not on the agency collecting the data or its applicable legislation. Accordingly, the Commission recommends that Congress review the laws now encompased in the (b)(3) exemption of the FOIA with a view toward repealing this exemption. Information maintained and used solely for statistical or research purposes is not treated uniformly under existing law. The Commission believes that such information should not be used, where the respondent's identity is stated or inferable, for enforcement, regulatory, or administrative purposes, nor should it be publicly disclosed in identifiable form. On the other hand, information collected for regulatory, compliance, or other administrative purposes is a valuable source of statistical data and its utilization in identifiable form solely for statistical purposes should be encouraged as long as adequate confidentiality and security safeguards are provided. Accordingly, the Commission recommends (Recommendation No. 7), as part of the proposed FIPA or as separate legislation, the enactment of statutory provisions to restrict the use and disclosure of information collected or maintained solely for statistical purposes but to require the prompt public disclosure of the results of such research in nonidentifiable form. This legislation would also make available solely for statistical use and only with adequate confidentiality and security safeguards most information (including the Census Bureau's "Industrial Directory") maintained by the Federal Government.

Another cluster of recommendations (Nos. 8-12) calls for changes in the Privacy Act:

Recommendation Nos. 8 and 9 suggest alternative methods of revising the exemption provisions of the Privacy Act. We propose that exemptions be based on the characteristics of the information to be exempted rather than on the agency maintaining the information or the system of records in which the information is contained. Pending a basic revision of the Act's exemption provisions, the Commission urges Congress to repeal or amend subsections (j) and (d)(5). Recommendation No. 10 suggests a comprehensive revision of the nondisclosure provisions of the Act to replace and consolidate existing confidentiality provisions in specific program legislation. The new provisions would be based on distinctions in the sensitivity of the data to be disclosed. This would serve two major purposes. It would replace existing inconsistent laws with one comprehensive statute. Equally important, it would permit freer disclosure of certain types of information while imposing further restrictions on the disclosure of sensitive data. In all instances, nonconsensual disclosures to other agencies would be limited to that information necessary and relevant to the purpose of the disclosure. Furthermore, no agency could deny an individual a right, privilege, or benefit provided by Federal law because of that individual's failure or refusal to consent to an agency's disclosure of personal information about him.

These proposed amendments would permit the more effi-
cient use of certain nonsensitive information about individu-
als but would also give individuals more control over the use
of information collected about themselves.

Recommendation No. 11 proposes that Congress amend
subsection (g), Civil Remedies, to facilitate the recovery of
damages and other relief when agencies fail or refuse to
comply with any of the provisions of the Act. The present
provisions provide no remedy for most agency violations
unless an individual can prove actual injury as the result of
an agency's "intentional or willful" violation. As these
criteria are difficult to meet, subsection (g) does little to
encourage agency compliance with the Act.

Recommendation No. 12 urges the Congress, when it
amends the Privacy Act in accordance with Recommenda-
tion No. 10, to amend it further to extend the Act to certain
programs and activities receiving Federal financial assis-
tance. This would go far to increase and enhance data
sharing at different levels of government by replacing
existing confusion with one set of "rules" governing the
information activities of federally funded programs.

The preceding recommendations, whether administrative or statuto-
ry in nature, will not achieve their goals in the absence of strong and
vigorous compliance machinery. Therefore, Recommendation No. 3
proposes the creation of a new organization with broad responsibili-
ties for standard-setting, monitoring agency compliance with confi-
dentiality and disclosure laws, mediating disputes between citizens
and Government, and leading the executive branch effort to develop
fair information practices legislation.

Closely related to overall compliance issues are those dealing with information security and safeguards. We therefore recommend the prompt initiation of demonstration projects to test and evaluate safeguard/security guidelines. These "risk management" tests should be conducted before final Federal security standards are promulgated. (See Recommendation No. 4.)

Organization of the Report

The balance of this report consists of five sections. Section II examines the current state of the law on confidentiality and information sharing. The Freedom of Information Act is introduced as a comprehensive public disclosure statute and its exemptions noted. Statutory prohibitions against disclosure or release of information are also noted. Separate and detailed treatment is given to (1) individual information, (2) proprietary business data, (3) information kept secret in the interests of national security, and (4) confidentiality of data shared by more than one agency.

Section III examines administrative implementation and operation of Federal information laws in this field. The analysis focuses on (1) administrative and bureaucratic constraints on data sharing and (2) agency administration of the Freedom of Information Act and the Privacy Act. This analysis pinpoints inadequacies in existing compli- 11

ance machinery and argues for organizational and administrative reforms along with revised sanctions for agency noncompliance. Section IV discusses the confidentiality constraints on information sharing. Relying extensively on other studies of this Commission, this Section describes the common and distinctive barriers to sharing depending on the kind of data involved. The data categories examined here are individual information, proprietary business data, statistical data used for research purposes (as opposed to rulemaking and/or enforcement), and information exchanged among Federal, State and local agencies. This section concludes with an assessment of the positive and negative influences of technology on information sharing.

Section V examines Federal confidentiality standards and security safeguards. "Adequate" security is defined in terms of a system's ability to prevent unauthorized or accidental disclosure, destruction, diversion, or alteration of records and files. Existing security standards are then reviewed. Approaches and guidelines are suggested to strengthen these safeguards where specific deficiencies have been found.

Section VI summarizes the findings of the report and presents the Commission's recommendations.

Federal Information Policy:
The State of The Law

This legislation springs from one of our most essential
principles: a democracy works best when the people have
the information that the security of the Nation permits. No
one should be able to pull curtains of secrecy around
decisions which can be revealed without injury to the public
interest.

So stated President Johnson, on July 4, 1966, upon signing P.L.
89-487, the first Federal "public information" law,' designed, as he
said, "to make information available to the full extent consistent with
individual privacy and with the national interest." It is axiomatic that
self-government is meaningless without an informed electorate. Our
nation was founded on the principle of free and open government,
as expressed in the oft-quoted statement of James Madison:2

A popular government, without popular information, or the
means of acquiring it, is but a Prologue to a Farce or a
Tragedy; or perhaps both. Knowledge will forever govern
ignorance: And a people who mean to be their own
Governors must arm themselves with the power which
knowledge gives.

Yet it was not until roughly ten years ago that legislation was
enacted to ensure public access to Government information.
Starting in 1946, with section 3 of the Administrative Procedure Act,
which prescribed disclosure of "matters of official record" only to
persons "properly and directly concerned" with the subject matter
of the inquiry, through the Freedom of Information Act of 19663 and
the 1974 amended Act, providing for disclosure to "any person" of
all but specifically exempted information, legislation in this area has
progressed dramatically in an attempt to keep pace with the ever-
increasing body of Government information. At the same time, at the
other end of the spectrum, the past thirty years have witnessed the
growth of an elaborate executive branch secrecy system, devel-
oped, allegedly, to protect "the security of the Nation." More

'As stated when the Act was passed, “[a]lthough the theory of an informed electorate is vital to the proper operation of a democracy there is nowhere in our present law a statute which affirmatively provides for that information". S. Rep. 813, 89th Cong., 1st Sess., p.3 (1965). P.L. 89-487, 5 U.S.C. §552, amended Section 3 of the Administrative Procedure Act (P.L. 85-169, 5 U.S.C. §1002). Although Section 3 was referred to as the "public information" section, it was not a general public information law and did not provide for public access to official records generally. It permitted withholding information if secrecy was required by "the public interest" or "good cause" and restricted access to persons "properly and directly concerned" with the information.

2 Letter to W.T. Barry, August 4, 1822, 9 Writings of James Madison, p. 103
(Hunt Ed. 1910).

3 P.L. 89-487, as amended by P.L.90-23 (1967), 5 U.S.C. §552.
* P.L. 93-502, as amended by P.L. 94-409 (1976), 5 U.S.C. §552.

13

recently, concerns for the protection of individual privacy have further limited public access to Government information. Obviously, the development of technology, the growth of the information industry, and the ever-increasing role of government in the lives of ordinary citizens have all contributed both to public demand for and executive branch attempts to withhold information. The Congress has attempted to strike a balance between these competing interests by establishing, through the Freedom of Information Act (FOIA), a public policy of the fullest public disclosure "consistent with individual privacy and with the national interest" and by prescribing the specific types of information which may be withheld from public disclosure.

Whether, apart from the public access rights provided by the Freedom of Information Act, there is a Constitutional foundation for a public right of access to government information is a matter still open to discussion. No Federal court has yet been confronted with this issue. In any event, the balancing test employed by the courts in First Amendment freedom of speech cases is the same test generally used by the courts in FOIA cases to determine whether specific exemptions to the Act should be applied. The question has been consistently presented as one requiring a balancing between the public's right to know and the Government's need to keep information secret, with the presumption in favor of public disclosure. Thus, the courts have consistently held that the disclosure provisions of the FOIA must be broadly interpreted and the exemptions narrowly construed. As far as disclosure to the public is concerned, the amended Act even provides a triggering mechanism for declassifying national security information by providing for in camera review and de novo consideration of the classification of information "kept secret in the interest of national defense or foreign policy."8

5 Extract from statement of President Johnson upon signing P.L. 89487 on July 4, 1966:

I am instructing every official in this administration...to make information available to the full extent consistent with individual privacy and with the national interest."

• Cf. cases cited in n. 7, infra, with Pickering v. Board of Education, 391 U.S. 563 (1968); Gibson v. Florida Legislative Investigative Committee, 372 U.S. 539 (1963); New York Times Co. v. Sullivan, 376 U.S. 254 (1964); Sheppard v. Maxwell, 384 U.S. 333 (1966); Baldwin v. Redwood City, 540 F.2d 1360 (9th Cir., 1976); Vietnam Veterans Against the War v. Morton, 379 F.Supp. 9 (D.D.C., 1974), rev'd on other grounds, 506 F.2d 53 (D.C. Cir., 1974); A Quaker Action Group v. Morton, 516 F.2d 717 (D.C. Cir., 1975); Cox Broadcasting Corp. v. Cohn, 420 U.S. 469 (1975). See also Halperin v. Department of State, et al., Civ. No. 76-1528 (D.C. Cir., Aug. 16, 1977), n. 13 and 14 and accompanying text.

7 Department of Air Force v. Rose, 425 U.S.352 (1976); Environmental Protection Agency v. Mink, 410 U.S. 73, 80 (1973); Vaughn v. Rosen, 484 F.2d 820, 823 (D.C. Cir., 1973), cert. den. 415 U.S. 977 (1974), 523 F.2d 1136 (D.C. Cir., 1975); Soucie v. David, 448 F.2d 1067, 1080 (D.C. Cir., 1971).

14 85U.S.C. §552(b)(1).