
administratively imposed should first be presented to the Congress and should become effective only if not vetoed by either body within 60 days.

With these functions and with adequate personnel, funds, and authority to carry out its assigned tasks, the organization which the Commission is proposing could serve a vital role in developing fair information policies, providing executive branch coordination and direction, and monitoring agency compliance. These are all pressing needs in the area of confidentiality and disclosure. Although an agency with quasi-judicial authority could be more effective in enforcing executive branch compliance with existing legislation, such an agency might not be equipped to perform the functions of policy development, coordination, and direction which are now so urgently needed. For the present, it is the Commission's view that these latter functions are of top priority. Accordingly, we believe that the compliance authority of the new agency should be confined to persuasion, advice, and guidance, with authority to refer to the courts any violations which are not corrected by these methods. In the future, when the policy development phase has been completed or if the compliance authority of the new entity proves to be inadequate, the Congress may wish to consider granting the organization additional enforcement powers.

Recommendation No. 3

The President should propose and Congress should enact legislation to establish a new organization to centralize and coordinate existing information management functions within the executive branch and with particular focus on developing and recommending policies and standards on information disclosure, confidentiality, and safeguarding the security of information collected or maintained by Federal agencies (or in connection with federally funded programs). Such legislation should authorize and direct the agency to provide advice and guidance to other executive branch agencies, monitor compliance with information management laws, receive and mediate citizen complaints, and issue such standards and regulations as are required. Standards and regulations should lie before the Congress for 60 days before taking effect.

Security Safeguards for Information

This Commission believes that Federal regulation of the entire range of agency information practices is urgently needed, including the collection, management, and use of data as well as their dissemination. Section V noted that statutory or administrative guarantees of confidentiality can be worthless in the absence of adequate security safeguards. Yet no law except the Privacy Act (applicable only to individual data) currently requires all Federal agencies to adopt such safeguards. With the Federal Government's substantial financial investment in the information it holds, it seems almost incomprehensible that so few funds or efforts are being spent to protect that investment.

There has, in fact, been relatively slight attention paid to the development of methods to safeguard the physical security of government-held information. Although some guidelines have been developed for automated record systems, such as the NBS guidelines (FIPS #31), they cannot be considered comprehensive as they do not include the full range of physical, administrative, and technical safeguards. Further, the guidelines that have been developed have never been adequately tested in a working environment. The security of manual record systems has been virtually ignored. Before any government-wide security standards can be adopted, current guidelines must be tested and evaluated. Agencies should then be required to implement the standards developed. Monitoring and oversight responsibilities for these standards belong ideally in the new unit proposed in Recommendation No. 3. Pending the establishment of that unit, however, immediate administrative action is necessary to undertake the testing and evaluation of the security guidelines mentioned above and in Section V. Uniformly applied Federal security standards are essential to the implementation of interagency exchanges of confidential data, and several steps must precede the adoption of any such standards. Accordingly, OMB should promptly plan and direct the National Bureau of Standards to undertake demonstration projects and risk management analyses, covering both automated and manual systems, so that testing and evaluation may be completed by the effective date of any legislation mandating the implementation of Federal security standards. In addition, the Comptroller General should develop criteria to be used by the General Accounting Office and agency auditors to isolate and identify agency security safeguard deficiencies.

Recommendation No. 4

Pending the establishment of the agency proposed in Recommendation No. 3, the Office of Management and Budget should plan and direct a series of demonstration projects and comprehensive risk management analyses in selected Federal agencies to test and evaluate the automated data processing guidelines developed by the National Bureau of Standards (FIPS #31) and to develop and test other appropriate guidelines before promulgating Federal security standards. In addition, the Comptroller General should develop criteria to be used by the General Accounting Office and agency auditors to isolate and identify agency security safeguard deficiencies.

A Call for Legislative Action

One basic finding of this Commission is that Federal laws establishing information policy and practices are inconsistent at best and chaotic at worst. Of the two general laws governing disclosure and/or confidentiality, each has major defects and omissions:

The Freedom of Information Act covers all kinds of information, with some specific exceptions and exemptions, but applies to only one facet of information management practice, that of disclosure.

The Privacy Act regulates all aspects of the information "life-cycle" from collection onward, but does so for only one kind or class of information, that dealing with individuals.

Superimposed on these statutes is a patchwork of other laws, agency regulations, policies, and practices that precludes a clear and consistent national policy on confidentiality and disclosure of information. This disarray results in uneven and out-dated treatment under the law, confusion over rights and obligations, and poor practices harmful to all parties. Reforms of a fundamental and far-reaching nature are needed.

Accordingly, the Commission proposes that, in addition to the legislation called for in Recommendation No. 3, which would establish a new agency, other more comprehensive legislation be enacted to establish clear and consistent confidentiality and disclosure standards and to regulate as well the collection, maintenance, and use of all government-held information.

Recommendation No. 5

The President should propose and the Congress should enact a body of consistent law, or a new Fair Information Practices Act, consistent with the recommendations contained in this report. Such legislation should not only revise and codify existing confidentiality laws, regulations, and policies but should also regulate the collection, management, and utilization of all information maintained by Federal agencies.

Principles of a Fair Information Practices Act

The Commission recognizes that any such far-reaching legislation must be preceded by a comprehensive review of existing legislation to determine which laws demand repeal and which contain principles which warrant preservation and embodiment in the new Act. This would entail studying and evaluating not only those laws regulating Federal information activities, such as the Federal Reports Act, the Federal Records Act, the Privacy Act, and the FOIA, but also all other laws (including Executive Order 11652) which presently restrict the disclosure of government-held information.

Any new law should preserve and combine the valuable and enduring features of existing legislation. Thus, the principles enunciated in the FOIA, emphasizing the greatest feasible public disclosure of government-held information, should be the underlying policy of a new Fair Information Practices Act (FIPA). Similarly, many of the worthwhile principles embodied in the Privacy Act, which now apply only to records containing identifiable data about individuals, should be extended to the collection, maintenance, and use of other information as well.

As this report has already indicated, however, no uniform principles or standards can be developed that would apply to all such information. Distinctions must be made based on the source of the information, its content, the purpose for which it is collected or maintained, and the form in which it is maintained or used. Nevertheless, clear and consistent standards can and should be developed for broad categories of information, with classification based on one or another of these four factors. As a Fair Information Practices Act would cover all information collected or maintained by Federal agencies as well as some information maintained in connection with federally funded programs, these categories would require separate treatment in the Act. Recognizing, of course, that there will be some overlap among these classifications and that, in some instances (as in the case of personal individual information), further sub-classifications will be needed, the Commission proposes that distinct policies and standards be developed for such categories of information, including the following:

Personal information about individuals;
Proprietary business or commercial data;
Statistical/research data;
Criminal law enforcement data; and
National security data.

Disclosure or confidentiality policies will vary considerably for each of these categories. Each class of information must be treated separately so that, in each instance, the objectives of disclosure and information sharing can be achieved consistent with the protection of private rights and national interests. Within each category, as well, existing confidentiality legislation must be thoroughly reviewed if consistency is to be achieved and the worthwhile principles of these laws are to be preserved. Security standards will also vary as they must be based, to a large extent, on the risk of confidentiality violations and the value of the protected information. There will also be some necessary variations in collection standards. Obviously, law enforcement data and national security data cannot be collected with the same degree of openness and candor that applies to other types of data.

Yet, in most instances, except for its disclosure and confidentiality provisions, the principles enunciated in the Privacy Act should be extended to all information maintained by Federal agencies. This and other Commission reports indicate that such an approach would overcome several of the recurring complaints brought to this Commission's attention. Reporting respondents, whether they be business entities, organizations, or individuals, have complained as much about the intrusiveness and questionable relevance of government information demands as they have about the quantity of information sought. Two common complaints have been: "We (the respondents) don't know what the Government wants, much less why it requests what it does or how it is useful." "The agency's form said the information we supplied would not be released in a way that would identify our company. Now, as a result of a lawsuit, our company's information is publicly available. Why can't we trust what an agency tells us?"

Although this Commission is not equipped to spell out all the provisions that must be embodied in any fair information practices legislation, our study in this area indicates that the following general principles, if adopted, would help to restore some of that trust and would ensure that information exchanges were governed by "appropriate standards of confidentiality."


Thus, Federal agencies should generally be required, as they now are when collecting individual data, to inform respondents of their authority for collecting information, whether response is voluntary or mandatory, the purpose of collecting the information, and the uses to be made of the data. In addition, if agencies do grant pledges of confidentiality, they should be required to inform respondents of (1) their authority for guaranteeing confidentiality, (2) the specific information that will be safeguarded, and (3) the extent, if any, to which disclosures will be made. Taken together, these principles would not only discipline agencies seeking to collect information but would also inform respondents of the purpose, uses, and disclosure policies that would apply to such data. Where public policy or compliance with a FOIA request required agency disclosure in contravention of a previous assurance of confidentiality, the agency would be required to make reasonable attempts to notify the respondent before disclosure was made.

Agencies should also be required to promulgate rules and procedures (including those for training personnel, defining rules of conduct for staff, and imposing penalties for noncompliance) to ensure that agency policies on public disclosure as well as those on safeguarding the confidentiality and security of information are effectively carried out. The adoption of appropriate security safeguards should be required for all confidential data maintained by agencies. Sound information management practices further demand that agencies maintain and use only that information which is accurate, relevant, timely, and complete, and that some provision be made (except, of course, where national security or law enforcement interests would preclude it) to enable respondents to correct or amend erroneous or incomplete data about themselves.

Similarly, although this Commission favors increased agency data sharing wherever practicable, one caveat is essential. As a general rule, confidential information collected for one purpose should not be disclosed to another program or agency for another purpose. To protect both the user of the data from reliance on irrelevant, incomplete, or untimely information and the data source from a breach of trust, such interagency disclosures should be permitted only in exceptional circumstances, clearly specified in the law. By the same token, data disclosed from one agency to another should be limited to information that is necessary and relevant to, and will be used for, performing a lawfully authorized function or activity of the recipient agency.

Within these limitations, however, there exists a substantial amount of information which should be available for use within the Federal Government. Even where national or societal interests preclude the public disclosure of data, these same interests may encourage the exchange or flow of this information from one agency to another. The Commission's Energy Report contains examples of such data and recommends that all energy information be classified as "secret", "confidential", or "public", with that classified as "confidential" being available only for intragovernmental use. Other recommendations in this report, such as those concerning statistical data and personal information about individuals, adopt a similar