notify the source of the data promptly, upon receipt of the FOIA request.

Recommendation No. 2

The President's Directive, proposed in Recommendation No. 1, should require all Federal departments and agencies to undertake a comprehensive review of the confidential information they collect or maintain (except information classified pursuant to E.O. 11652 or the Atomic Energy Act, as amended), the statutory or other authority for confidential treatment, and their policies and practices of disclosure, and report to the President, within a specified period (e.g., 120 days), on the legal justification and need for withholding such information from public or limited disclosure. The President should further instruct agencies: (1) to discontinue issuing pledges of confidentiality for the information they collect unless statutory authority exists for withholding such information from public disclosure; and (2) to issue appropriate regulations providing a right of notification to persons who have previously submitted information pursuant to such pledges — or who have submitted information which may be exempt from public disclosure — whenever an agency contemplates public disclosure of or receives a FOIA request for such information, such notification to be made promptly upon the receipt of the FOIA request or at least ten days prior to contemplated disclosure.

The Presidential directive, if effectively carried out throughout the executive branch, should go a long way towards bringing about some sense of order and consistency in agency compliance with the FOIA. Equally important, it should impress upon all agencies and all levels of government the open disclosure policy which the new administration has already endorsed. It should also provide the President with the resources he will need to propose legislation to the Congress to correct the omissions, deficiencies, and inconsistencies in existing confidentiality and disclosure laws. It will, however, leave untouched another large body of information which is now being withheld from public disclosure and from interagency use, that is, information classified under E.O. 11652 and the Atomic Energy Act.

The Commission recognizes, of course, that much of the information currently so classified may need to be kept secret. On the other hand, the very system pursuant to which information is classified — the large number of agencies with classification authority and the very broad dissemination of that authority within these agencies — and the lack of any effective independent monitoring mechanism raise questions of accountability and feed suspicions that the system is being abused. Recent court cases, arising under the amended (b)(1) exemption of the FOIA, substantiate charges of overclassification and unnecessary classification of data. Even the recently issued report of the Interagency Classification Review Committee2 raises troublesome questions about the use of unauthorized classification markings, the proliferation of documents with derived classification markings, the large numbers of employees with classification authority, and the efficacy of the declassification program.

2 Interagency Classification Review Committee, 1976 Progress Report (Washington, D.C.: July 6, 1977).

The Congress has, on numerous occasions, considered legislation to replace E.O. 11652, to provide for the statutory classification of information affecting national defense and foreign policy and to establish an independent entity or multi-agency board to monitor the classification and declassification of data. Although such legislation may be necessary, a more immediate need, in this area as in the area of confidentiality laws, is the mandatory review of current agency policies and practices. Such a review is essential to focus agency attention on the way the classification system is actually working and, beyond that, to provide the President with sufficient information on which to base his appraisal of the system. Short of legislation to replace E.O. 11652, a new Executive order could go a long way toward making the system more accountable, by decreasing the number of agencies and persons with classification authority, by providing more precise standards for classification, by providing penalties for classification abuses as severe as those for unauthorized disclosures, and by establishing an independent entity to review and monitor classification decisions and procedures.3

Equally important is the need to make available on a restricted basis some of the information which is presently classified. Even within the perimeters of information justifiably classified in the interest of "national security", there is a considerable amount of data, collected and maintained at great cost to the Government, which is presently not being put to its optimum use. Some provision should be made to enable other Federal agencies to utilize this data to avoid additional collection costs and duplicative collection activities. Whether through legislation or a new Executive order, any new board or other entity established to review and monitor compliance should also be authorized to handle agency requests to use classified data.

A Call for Administrative Action

The Need for Expertise, Coordination, Direction and Oversight

At various points in this report, the Commission has referred to the need for improved mechanisms to stimulate agency compliance with the FOIA and the Privacy Act, particularly with respect to those provisions which call for agency-initiated measures. In retrospect, it may have been unrealistic to expect Federal agencies engaged in program activities to assign a high priority to the enforcement of either of these laws, legislation which, on its face, at least, interferes with the accomplishment of program goals. Nevertheless, agency compliance with each of these acts has presented separate and distinct problems.

3 After this report was written, there were reports in the press that the President had already requested a study in this area and that he had under consideration several proposals for a new Executive order to replace E.O. 11652.

As a result of the most recent amendments to the FOIA, including express time requirements for agency response, limitations on agency fees, and provisions for fuller judicial review, agency compliance with that Act has improved markedly. Moreover, the Department of Justice, with authority to encourage agency compliance with the FOIA, has done an excellent job in providing guidance to other Federal agencies and in attempting to bring about consistent Government-wide standards on disclosure. Although some commentators have been critical of the Attorney General's 1967 Memorandum on the Act and the more recent 1975 Memorandum, both of which reflect an attitude toward public disclosure which is a far cry from that recently announced by Attorney General Bell, the Department has devoted considerable time, effort, and resources toward carrying out its FOIA functions.

Yet it is the judicial branch rather than the executive which has undoubtedly been primarily responsible for recent changes in agency attitudes toward public disclosure. Easier access to the courts and provisions for expedited consideration and de novo and in camera review have provided meaningful judicial remedies for agency noncompliance. On the other hand, these very provisions have imposed considerable additional burdens on the Federal courts and have resulted in increased backlogs in court calendars. Accordingly, some commentators have suggested that the courts be relieved of this jurisdiction and that an administrative tribunal be established to handle the FOIA caseload.

The Privacy Act has presented a somewhat different, and more complex, problem. Agency noncompliance with that legislation has been due at least as much to confusion and lack of understanding as it has been to agency reluctance or resistance to its mandate. Much of this confusion stems from the Act itself, which suffered from considerable redrafting immediately prior to its passage and which has little reliable legislative history to aid in its interpretation. Accordingly, this Commission believes that basic revision of that Act is called for, and we will so recommend. Beyond that, however, as the first legislation affecting such a broad range of agency information practices, that Act was bound to require guidance, advice, and expertise in carrying out its provisions. Even agencies willing and eager to comply with the Privacy Act have found that they lacked the resources or the "know-how" to do so. The overall guidance and advice which OMB has attempted to furnish have plainly been inadequate. Moreover, judicial review has, so far at least, not been a meaningful remedy and it is unlikely that it will be unless and until the Act is amended. Even with the necessary legislative amendments which the Commission is recommending (Recommendation No. 11), the courts may not be adequately equipped to handle this burden in addition to their already substantial FOIA caseload.

With these factors in mind, the Commission gave serious consideration to proposals to establish an independent agency with quasijudicial functions to enforce compliance with the FOIA and the Privacy Act. Despite our general reluctance to recommend the establishment of additional regulatory agencies, the Commission found rather persuasive the need to relieve the courts of increasingly heavy FOIA and perhaps Privacy Act caseloads. On balance, however, we were persuaded by compelling evidence of other more immediate needs that another kind of administrative entity with somewhat different functions and powers would be more effective, at least for the present.

The Commission is convinced that one of the most pressing needs, along with strong executive leadership and direction, is the development of sound, consistent, and comprehensive legislation in the area of fair information practices, whether such legislation is embodied in a Fair Information Practices Act or in separate statutes specifically designed to apply to different categories of information (e.g., statistical data, criminal law enforcement data, or national security data). Unlike the PPSC, this Commission finds that the past method of developing fair information policies, through a patchwork of provisions enacted in diverse pieces of program legislation, has not been an effective or appropriate means of establishing clear or consistent or comprehensible standards. In fact, it has been this process which has been largely responsible for the present state of confusion in our confidentiality laws.

Several of this Commission's recommendations suggest steps to be taken to establish clear and consistent fair information policies. Recommendation Nos. 6 and 10, together with Recommendation No. 2, already discussed, point to the need for a comprehensive review and revision of existing legislation in this area. Recommendation No. 7 deals specifically with statistical data while Recommendation Nos. 8, 9, 10, 11, and 12 suggest specific amendments to the Privacy Act. The Commission recognizes that legislation in this area cannot and should not be hastily drafted. Complex issues are involved requiring a delicate balancing of private and societal needs. Much time, study, and expertise will be required if we are to avoid the interpretative and administrative problems created by other legislation in this field, such as the Privacy Act and the "Buckley Amendment", which were, in fact, all too hastily drafted. A new administrative entity composed of persons with knowledge and expertise in such fields as law, civil rights and liberties, records management, and computer technology could serve an invaluable function by helping to develop legislation in this area and by developing confidentiality and security standards appropriate for different categories of information. The PPSC has already laid some of the groundwork for legislation in the area of privacy protection for data about individuals. A new organization could continue this work as well as expand it into other categories of information.

The Commission contemplates that any such entity, if promptly established, would assist the President in carrying out the directive proposed in the two previous recommendations. Thus, the new organization should offer guidance to executive branch agencies in their review of current confidentiality laws, policies, and practices, and should assist the President in studying and evaluating the agency reports called for in Recommendation No. 2.

4 The Family Educational Rights and Privacy Act of 1974, P.L. 93-568, 20 U.S.C. §1232g, a hastily drafted revision of Sen. Buckley's floor amendment to the General Education Provisions Act, P.L. 93-380, passed only four months earlier.

In addition to developing policies and standards to be embodied in new legislation, a new administrative organization would serve to coordinate responsibility for compliance with such laws. The need for more consistent and coherent information policies is matched only by the need for greater coordination, if not centralization, in overseeing these policies. The oversight responsibility currently authorized, as by the Federal Reports Act, the Federal Records Act, the Privacy Act, and the FOIA, is scattered among OMB, GAO, GSA, and the Department of Justice. Basically, however, compliance with the FOIA, the Privacy Act, and other confidentiality laws has been left solely to the administering agencies. Certainly, there is enough evidence in this report to have established that self-policing alone is not an effective method of achieving compliance. Accordingly, the Commission believes that a new organization is needed to monitor and oversee compliance with Federal confidentiality and disclosure laws. If the Privacy Act or other similar legislation is extended to federally funded programs, the new organization should also monitor the compliance efforts of others operating these programs. Such monitoring activities would consist, among others, of conducting periodic assessments and evaluations of agency policies and practices, mediating disputes between citizens and government agencies, and resolving issues of interagency sharing of information.

Another primary responsibility of the new entity, closely related to those already discussed, would be to establish confidentiality standards. Some standards would be embodied in legislation; others, such as those confidentiality and security safeguards proposed for identifiable information exchanged solely for statistical purposes (see Recommendation No. 7), would be administratively imposed. Other areas ripe for standard setting include: (1) distinctions which must be made among the kinds of personal information about individuals and the different disclosure limitations which should apply, for example, to directory-type information as contrasted with more sensitive information revealing intimate details of a person's life; (2) definitions and guidelines for agencies seeking to specify the "purpose" or "use" of information being collected; (3) development of disclosure provisions that are more workable and practical than those currently provided in the Privacy Act; (4) development of procedures for notifying persons (primarily business entities) who have submitted information "in confidence" that disclosure of such information has been requested under the FOIA or is contemplated by the agency holding the data; (5) development of information systems security standards; and (6) development of personnel training programs or guidelines to encourage staff compliance with agency policies on confidentiality, disclosure, and security. Given the crucial role that such standards would play in Federal information policy and practices, those that are to be
