One such commission, The Privacy Protection Study Commission (PPSC), has recently issued its final report, Personal Privacy in an Information Society." To the extent that that report contains findings and recommendations in the same areas that this Commission has explored, specific references are made in this report to PPSC recommendations. Agreements and disagreements between the two reports are carefully noted. It cannot be overemphasized, however, that the focus and scope of the two reports are considerably different. The PPSC was concerned with the broad area of personal privacy and, in this context, explored all information systems containing identifiable data about individuals—whether collected or maintained by the Federal Government, by State and local governments, or by the private sector. The scope of this report is in one respect broader, in another narrower; we are concerned with all information maintained by the Federal Government. Thus, in addition to information about individuals, this report deals with information about business entities, State and local governments, and other organizations and institutions. On the other hand, it is limited to that information contained in Federal information systems. One significant area of Federal information activities was not explored, however. Time and staff limitations precluded the Commission from conducting a comprehensive investigation of information collected and used for criminal law enforcement purposes. Nevertheless, many of the points that relate to other kinds of information policy and practices-such as protecting the confidentiality of individual information, the sharing of data among Federal agencies and State and local entities, and exchanges of statistical data are pertinent to criminal law enforcement data as well. The Commission recognizes the need for more detailed examination in this area and notes that its own investigation did not provide an adequate basis for recommendations. Terms and Definitions Certain terms used in this report need defining. The term information, for example, has been given its broadest meaning. Unlike other CFP reports, this report makes no distinction among the terms "data", "information", and "knowledge"; all are included as "information". Encompassed within this latter term is any matter which may be the subject of communication, whether expressed graphically, pictorially, numerically, or in words, and whether recorded on paper or on tape or on any other physical substance. Disclosure or dissemination means communication to another by any means, whether written or oral. Access is the opportunity to receive information, to be the recipient of a "disclosure". Confidentiality, as used in this report, is the imposition of any limitation on free and open disclosure, whether such limitations are imposed on those who are granted access or on the purposes for which access may be granted and whether disclosure is limited by executive order, statute, or administrative fiat. Confidential information, then, encompasses secret information (such as that classified, pursuant to 7 Privacy Protection Study Commission, Personal Privacy in an Information Society (Washington, D.C.: U.S. Government Printing Office, July 1977). 5 6 Executive Order 11652, "in the interest of national defense or foreign policy"), personal information about individuals, which, pursuant to the Privacy Act of 1974, is subject to strict disclosure limitations, and any other information subject to disclosure restrictions. In the course of this report, the term information will be subclassified according to various characteristics the reporting unit or data subject (e.g., "individual" or "business entity"), the purposes for which it is collected (e.g., determining eligibility for benefits, law enforcement, regulatory, compliance, research), its content (e.g., "national security" or "trade secrets"), the form in which it is maintained (identifiable or "statistical"), and whether its collection is voluntary or mandatory. Rules and policies on confidentiality vary in accordance with these and other subclassifications. In short, there are not and probably cannot be any uniform rules of confidentiality applicable to all information collected, maintained, and used by the Federal Government. It is only within these categories that uniform rules can be enunciated, adopted, and enforced. Nevertheless, such rules and standards must be founded upon general principles and public policy already established in the Constitution and in those Federal laws regulating overall governmental information activities. Principle Themes and Findings The themes and topics in this report are inherently complex. They range from core values of a democratic society - the individual's right of privacy, the citizen's right to know, and the Government's need to collect and exchange information and, in some instances, to restrict its disclosure to definitional disputes argued in conferences, corridors, and courtrooms; from diverse administrative practices and procedures to technological innovations in data collection, processing, storage, retrieval, and display. The material covered is also broad in scope and resistant to dramatic simplification. Nevertheless, the evidence supports several findings, each relevant to this Commission's obligation to investigate and recommend needed changes in Federal information laws, policies, and practices, and to develop "appropriate standards of confidentiality." This Commission finds that: Federal laws treating confidentiality and disclosure of information are inconsistent at best and chaotic at worst. Each of the two statutes of general applicability has grave defects and omissions: The Freedom of Information Act (FOIA) covers all kinds of information with some specific exceptions and exemptions - but applies to only one facet of information management practice, that of disclosure. The Privacy Act regulates all aspects of the information "life-cycle" from collection onward but does so for only one kind or class of data, identifiable information about individuals. Superimposed on these statutes is a patchwork of other Existing Federal standards on the confidentiality and disclo- Compliance machinery for enforcing Federal information laws is inadequate. Available sanctions are infrequently used, remedies are not always appropriate given the nature of the offense or the injury sustained, and organizational responsibility is fragmented. These deficiencies apply not only to Federal confidentiality and public disclosure laws, but also to statutes such as the Federal Reports Act, the Federal Records Act, and others. A new and independent organization is needed to coordinate Federal information management activities and to give particular focus to developing standards on information disclosure, confidentiality, and security safeguards and to monitoring compliance with existing laws and regulations. Barriers to information sharing are too often imbedded in law due to the influence of particular interest groups. One consequence is that several agencies, each with a legitimate need for information, are prevented from designing and installing a cooperative data collection program which could minimize paperwork for both respondents and the Government. Where statutory barriers to information sharing do not exist, administrators tend to erect such barriers. Some agencies and bureaucrats develop a proprietary interest in information received, are reluctant to disclose or transfer this information to other Federal agencies, and strongly resist dissemination of data to the general public. Other agencies have deservedly earned a reputation for forthright and timely public disclosure of information despite the fact that release may be embarrassing. Technology in and of itself is not a key to expanded information sharing between and among Federal agencies. Technology must be subordinate to and supportive of sound public policy. Federal security guidelines must be tested before security standards can be established to safeguard confidential information. Criteria should also be developed for auditing or identifying agency security safeguard deficiencies. The nature of the Federal system, whereby State and local agencies administer not only Federal programs but also 7 8 those without Federal support, leads to multiple and diverse policies affecting the same data collected from the same person or respondent. Significant opportunities for increased data sharing are Substantive reform requires concerted action from the Overview of Commission Recommendations The 12 recommendations in this report suggest measures which would encourage the maximum utilization of information collected by the Federal Government within a framework guaranteeing appropriate standards of confidentiality. Although several are geared toward strengthening existing confidentiality laws, such as the Privacy Act, the basic thrust of the recommendations is to facilitate data sharing by enlarging the scope of information available for free and open disclosure and, equally important, by adopting uniform standards of confidentiality for various kinds of information collected by the Federal Government. Some of the recommendations are directed solely to the executive branch and some solely to the Congress but most would require concerted efforts by both. The report's first recommendation calls for strong Presidential action emphasizing disclosure of government-held information as national policy, subject only to statutory exemptions. A Presidential directive should reinforce the Attorney General's recent memorandum "...impress[ing] upon all levels of government the requirements, and the spirit, of the Freedom of Information Act. The government should not withhold documents unless it is important to the public interest to do so, even if there is some arguable basis for the withholding." 8 Such a directive has both symbolic and substantive purposes. By emphasizing disclosure and increased sharing of information, the President's commitment to open government would be given new expression and an environment conducive to full dissemination would be created. By directing executive departments and agencies to adopt rules and procedures to ensure that this policy was communicated to all employees and that effective measures were installed to discipline personnel ignoring or violating the policy, all levels of government personnel would be made aware of the requirements and spirit of the Freedom of Information Act. In carrying out the directive, each agency would be required to undertake a comprehensive review of its confidentiality laws, regulations, policies, and practices. Where no statutory authority exists for withholding information from public disclosure, agencies 8 Attorney General Bell, Letter to Heads of All Federal Departments and Agencies re Freedom of Information Act, May 5, 1977, p.1. would be directed to discontinue issuing pledges of confidentiality for the information they collect. Further, each agency would be required to report to the President, within a specified time, on the justification and need for continued disclosure restrictions (Recommendation No. 2). This would not only provide agencies with a current reassessment of their confidentiality laws, policies, and practices, but would lay the foundation for Presidential initiative in recommending legislation to correct omissions, deficiencies, and inconsistencies in existing laws. Recommendation No. 6 would go hand-in-hand with Recommendation No. 2, urging the appropriate committees of the Congress to undertake a similar review of confidentiality laws as a first step toward enactment of comprehensive legislation to replace and consolidate the profusion of existing confidentiality laws and to remedy the deficiencies in current legislation and administrative practices. Recommendation No. 5 urges the enactment of a body of consistent laws or a Fair Information Practices Act (FIPA) to regulate the collection, management, use, and dissemination of all information maintained by the Federal Government. Comprehensive fair information practices legislation would articulate the basic principles for regulating different classifications of information according to its content, its use, its source, and the form in which it would be disclosed. The following classes of data, for example, would be treated distinctly so that the objectives of public disclosure and information sharing could be balanced against other interests, such as national security and rights to privacy: Personal information about individuals; Proprietary business and commercial data; • Statistical information; Criminal law enforcement data; and National security data Many of the remaining recommendations call for specific changes in existing legislation or enactment of new legislation which could, ideally, be embodied in a new Fair Information Practices Act. Thus, Recommendation No. 6 proposes that Congress consider the repeal of exemption (b)(3) of the FOIA. That Act spells out, in eight of its nine exemptions, the specific kinds of information which may be withheld from public disclosure. The so-called (b)(3) exemption, however, is a catch-all for matters ". . .specifically exempted from disclosure by statute." The effect of this exemption, even though narrowed recently by Congress, is to withhold from public disclosure and often from interagency sharing an unknown quantity of information simply because a large body of inconsistent and occasionally conflicting laws makes this information confidential. To encourage wide-spread use of data collected by Federal agencies and to implement the policies enunciated in the FOIA, the Commission believes that information should be withheld only when 95 U.S.C. §552 (b)(3) was amended by Section 5(b) of the Government in the Sunshine Act, P.L. 94-409, 5 U.S.C. §552b. |