all such information be subject to the same statutory requirements, as the Privacy Act does, is obviously not workable. This, in fact, has been one of the root causes of the confusion resulting from the Act - the fact that "personal" information is nowhere defined and that agencies, as a result, have not been sure what information was, in fact, covered by that legislation. The Commission believes, however, that the Privacy Act can be adapted to apply to all personal individual information collected and maintained by the Federal Government and by certain Federal contractors and grantees as well. What is needed is not an assortment of confidentiality laws, or disclosure provisions in other laws, each designed for particular programs, but some well-considered statutory distinctions which must be made among the kinds of personal information which the Act covers. Once these distinctions have been made, the requirements of the Act can be geared to the degree of sensitivity of the data and the degree of protection required. As a matter of fact, many provisions will be applicable to all personal information; it is primarily the disclosure provisions which will require refinement. The Commission recognizes that these statutory distinctions and definitions will not be easy to draft. But this should not be an insurmountable task, particularly if the expertise envisioned in the composition of the new administrative agency (proposed in Recommendation No. 3) is brought to the challenge. Other agencies courts and social welfare agencies, for example have had experience in classifying personal data in the records they maintain and some guiding principles can be garnered from their experience. A comprehensive review of existing confidentiality laws should further enable the Congress to establish the necessary distinctions which should be embodied in any amended Privacy Act. The Commission believes that this basic change in the Act would fashion a vehicle that could be made applicable to all Federal and many federally financed programs. Equally important, it would eliminate a considerable amount of the confusion which exists as to the implementation of the law. Previous sections of this report have referred to the need to amend the need for a more precise definition of “record” and a the need to amend the disclosure provisions to provide more the need to amend the exemption provisions so that For example, most social welfare agencies maintain separate "intake" and "case worker" files and juvenile courts generally maintain separate "social" and "legal" files. In addition, the now defunct Domestic Council Committee on the Right of Privacy, in conjunction with the National Bureau of Standards, devised a quantifiable formula for measuring the sensitivity of personal data. See Section III, n. 70 and accompanying text, supra. 165 166 the information rather than on the agency maintaining it or the system of records in which data are maintained; the need to extend the Act to Federal contractors and grantees and to other units of government or organizations administering federally funded programs; the need to amend the civil damages provisions to permit recovery of general damages against an agency that has willfully or intentionally violated the recordkeeping provisions of the Act and of actual damages against an agency whose gross negligence has resulted in such a violation; the need to provide an alternate, or additional, medium for the publication of agency notices of record systems and agency rules, as publication in the Federal Register has not been effective in reaching members of the public; and the need to retain the accounting of disclosures requirement but to provide some less onerous and less costly manner of maintaining the accounting. The balance of this section will deal only with the most significant of these, the exemption, disclosure, and civil remedies provisions and the need for the Act's extension. Changes in Exemption Provisions. As we have stated several times during the course of this report, the Commission believes that disclosure or confidentiality standards and exemptions from such standards should be based on the characteristics of the information rather than on the agency maintaining the information or the system of records in which it is contained. Yet the manner in which exemptions are provided in the Privacy Act, by allowing agencies, in advance of specific requests for access to particular records, to claim exemptions for entire systems of records, is completely contrary to this concept. The PPSC and this Commission agree that this procedure should be changed: (1) exemptions should be related to the particular record or information concerned, not to the system in which it is maintained, and (2) exemptions should be invoked only when applicable and not "in advance". The PPSC has suggested that the "pre-claimed" and "systems of records" exemptions provided in the Privacy Act be substantially revised and that "the Privacy Act's approach to exemptions from the individual access requirement. . . be modified to parallel that of the Freedom of Information Act."10 We agree. The Commission does not agree, however, with any suggestion that the exemptions in the Privacy Act duplicate, in content, those in the FOIA. The Privacy Act exemptions listed in subsection (k), Specific Exemptions, permit agencies to exempt themselves from certain provisions of the Act, primarily those allowing access to information. Yet the disclosure provided in the FOIA and the access provided in the Privacy Act are quite different both as to extent of publication and scope of material. The former results in public disclosure of all 10 Privacy Protection Study Commision, Personal Privacy in an Information Society (Washington, D.C.: U.S. Government Printing Office, 1977), p. 511. information relating to a particular matter; the latter results in exclusive disclosure of information relating solely to the individual requestor. Accordingly, as we have already stated in Section III, we believe that, apart from exemptions to protect national security and law enforcement interests, the rationale underlying exemptions must be quite different. Unlike the PPSC, this Commission would not retain any special provisions to be applied solely on the basis of the agency maintaining the records, such as now provided in subsection (j), General Exemptions. This report has already pointed out the inequities and incongruities resulting from these provisions which, in effect, allow the CIA and criminal law enforcement agencies or components to exempt themselves from substantially all provisions of the Act (including the requirement to maintain accurate, relevant, timely, and complete records and the provision for judicial review). Beyond that, we have already made clear our position that standards concerning disclosure or confidentiality of information should always be based on the characteristics of the information and not on any other factors. Accordingly, the Commission proposes that, pending a comprehensive revision of the exemption provisions of the Privacy Act, Congress should repeal subsection (j), General Exemptions, and subsection (d)(5). At a minimum, subsection (j) should be amended to require that agencies included within that subsection be subject to subsection (g), Civil Remedies; subsection (d)(5) should also be amended to clarify its meaning. Subsection (d)(5) provides that nothing in the Act's access provisions "shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding." Unlike the other exemptions in the Act, this one is phrased in terms of the information to which access may be denied. But, as mentioned earlier in this report, its meaning is far from clear. Because of the confusion surrounding this exemption and the fact that it is not subject to the Act's rulemaking procedures or to judicial review, OMB has suggested that subsection (d) (5) be invoked only as a last resort. The Commission seriously questions the rationale for this exemption, particularly since this kind of information is generally available to a litigant through civil discovery. If it is to be retained in the Act, however, its meaning and scope should be clarified. " Even with respect to the exemption for investigatory material "compiled for law enforcement purposes," there is justification for a more narrowly defined exemption in the Privacy Act as the requestor would have access only to information about himself. Although the Privacy Act exemption, in subsection (k)(2), is rather broadly worded, its legislative history supports the view that its purpose was to avoid alerting "subjects of investigations that their activities [were] being scrutinized, and thus allow them time to take measures to prevent detection of illegal action or escape prosecution." H. Rep. 1416, 93d. Cong., 2d. Sess., p. 19 (1974). See discussion in Section III, n. 31, supra. 167 168 Recommendation No. 8 That Congress should substantially revise the exemption provisions of the Privacy Act to provide for exemptions based on the characteristics of the information to be exempted rather than on the agency maintaining the information or the system of records in which the information is maintained. Recommendation No. 9 Pending a comprehensive revision of the exemption provisions of the Privacy Act, Congress should repeal subsection (1), General Exemptions, and subsection (d)(5) of the Act. At a minimum, Congress should amend subsection (1) to require that agencies included therein be subject to subsection (g), Civil Remedies, and should amend subsection (d)(5) to clarify its meaning. Changes in Disclosure Provisions. Like its exemption provisions, the provisions in subsection (b) of the Privacy Act, relating to disclosure of individual data, are in need of comprehensive revision. One of the main purposes of the Act, as stated in section 2(b)(2), was to "permit an individual to prevent records pertaining to him obtained by . . . agencies for a particular purpose from being used or made available for another purpose without his consent." In theory, the concept of enabling an individual to control the collection and disclosure of information about himself and, to some extent, how it will be used cannot be questioned. In practice, however, it cannot be unqualifiedly applied to Federal information practices. The Federal Government could not function let alone function efficiently-without, for example, collecting some information from secondary sources or utilizing nonconsensual interagency data exchanges. On the other hand, as this report has demonstrated, the many statutory exceptions to the principle set forth above, listed in subsection (b) of the Act, and the overly broad, and generally unmonitored, agency interpretations of its "routine use" and "need to know" provisions have resulted in numerous disclosures of information for purposes and uses totally unrelated to the purpose for which the information was collected. Moreover, agency reliance on the so-called "informed consent" principle, whereby individuals applying for government benefits or privileges are asked to consent in advance to specified interagency transfers, has made a mockery of the concept of individual control over the disclosure and use of personal information. Unless specifically prescribed by law, no individual should be required to authorize or consent to a future disclosure of information by a Federal agency as a condition of applying for or securing any right, benefit, or privilege provided by Federal law. Clearly, a balance must be struck between individual rights and government needs. Yet the Privacy Act, as presently drafted, does not provide the proper vehicle for achieving this balance. Even if subsection (b)(1) -the "need to know" provision were amended in accordance with the PPSC's suggestion 2 and the “routine use” provision carefully monitored, and even if some of the many other exceptions to nondisclosure were repealed, subsection (b) would still suffer from one basic deficiency—that it attempts to treat all personal information about individuals in the same way. As mentioned earlier in this section, the Federal Government collects and maintains a broad range of "personal" information about individuals—some of an extremely sensitive nature and some of the type that could be disclosed without constituting a "clearly unwarranted invasion of personal privacy." Although the Commission recognizes that it is diffficult to define distinctions between or among these types of data on the basis of objective standards, the comprehensive review of other laws regulating the disclosure of personal information about individuals, proposed in Recommendation No. 6, should provide the Congress with an excellent perspective on the broad range of information collected and the diverse ways in which this information is handled. The Commission trusts that from this review and assessment will come the development of a broad definition of "sensitive data" and of consistent standards applicable to such information, to be embodied in new Privacy Act disclosure provisions to coordinate and replace the numerous other confidentiality laws or provisions in this area. For a definition of another type of personal information, the Congress may be guided by distinctions drawn by the courts in deciding exemption (b)(6) cases under the FOIA. Applying the test adopted by some courts in exemption (b)(6) cases13-balancing the need for and interest to be served by disclosure for a particular purpose or to a particular requestor against the potential invasion of personal privacy - Congress could, and should, determine that sound government administration and efficiency justify the intragovernmental disclosure of certain kinds of personal information about individuals. These disclosures would, of course, be subject to the following Information collected for one purpose another purpose. Only that information which is necessary and relevant to 12 Thus, the PPSC has proposed that the "compatible purpose" test be 169 |