Other PPSC recommendations set forth the specific minimum requirements of the proposed Federal information standards. Many are substantially identical to those contained in the Privacy Act. 22 Others are geared to the two unique issues discussed earlier: (1) the confidential nature of social services information, and (2) the need to allow disclosure of certain individually identifiable data "for purposes related to the administration and enforcement of other public assistance and social services programs for which the individual has applied, is required to apply, or may be eligible".23 Still other minimum requirements embody changes, such as the permissible disclosure of individually identifiable information for "a research or statistical purpose" and the elimination or refinement of several existing nondisclosure exceptions, which this Commission believes should also be embodied in the Privacy Act. The CFP supports these recommendations as well as the PPSC recommendations relating to the disclosure and use of information under Title IV-D of the Social Security Act (the Child Support Enforcement Program). By repealing all existing Federal disclosure restrictions, except those relating to drug and alcohol abuse programs, 24 and by replacing the present patchwork system with a uniform standard of fair information practices applicable to all social service programs, the problems inherent in the present system could be met. If adequately enforced, the new Federal standards would ensure that "adequate standards of confidentiality" were observed. Equally important, such standards would not only facilitate the administrative reforms suggested in other reports of this Commission but would contribute substantially toward coordinating and improving the delivery of services. The Commission takes issue with only two aspects of the PPSC recommendations. Instead of the two-step process suggested, this Commission suggests amending the Privacy Act to extend its provisions to Federal grantees and contractors and to enact, at the same time, those special provisions on access and disclosure necessitated by the unique nature of social service and medical records. States would still be free to enact legislation tailored to their specific needs as long as the mimimum Federal standards were observed. In addition, instead of dispersing compliance responsibilities among several State and Federal agencies, the Commission would recommend centralizing these responsibilities in a new administrative agency. Any compliance efforts will, of course, 22 Ibid. E.g., Recommendation (3) similar to 5 U.S.C. §552a(e)(2); Recommendation (6) similar to 5 U.S.C. §552a(d)(1); Recommendation (8) similar to 5 U.S.C. §552a(d)(2), (3), and (4), and (f)(4); Recommendation (9) same as 5 U.S.C. §552a(e)(5) and (6). 23 lbid. E.g., Recommendation (10)(a). 24 Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 (42 U.S.C. §4582); Drug Abuse Office and Treatment Act of 1972 (21 U.S.C. §1175) We do not necessarily support the PPSC recommendation that these existing disclosure restrictions be retained. If the Privacy Act were amended in accordance with Commission recommendations set forth in Section VI, infra, retention of these specific restrictions would be unnecessary. 95 96 generate additional paperwork, but centralizing these acitivities in one agency will avoid the creation of new duplicative systems similar to those which this Commission is attempting to eliminate. Moreover, the history of other compliance programs, such as those under Title VI of the Civil Rights Act of 1964,25 demonstrates that coordination of efforts and centralized responsibilities are essential to their success. PPSC and the Use of the SSN: The PPSC Report (Chapter 16) recognizes that the main objection to the use of the SSN's — as a tool for facilitating records linkages, exchanges, and consolidation - is misplaced and should be directed, instead, at the linkages, exchanges, and consolidation which must be controlled. The PPSC has recommended a continuation of the status quo, retaining Section 7 of the Privacy Act and authorizing a new, independent entity to monitor the use of the SSN and other labels by private organizations. The Privacy Commission has recommended that Executive Order 9397 be amended to preclude its use, after January 1, 1977, as legal authority for any new demands for the disclosure of SSN's and that the Federal Government not take any action at present to foster the development of a standard, universal label for individuals or of a central population register. This Commission recognizes that clear, explicit safeguards and 25 42 U.S.C. §§1971, 1975a - 1975d, 2000a-2000h-6. See CFP Report on Equal Employment Opportunity. 26 As in its reports on welfare and education records, several of the confidentiality requirements are somewhat different from those contained in the Privacy Act and would correct deficiencies which this Commission has found in that Act. Thus, Recommendation (10)(c) would permit the disclosure of individually identifiable information for statistical or research purposes; Recommendation (10)(h) would distinguish between sensitive and "directory" information; Recommendations (10)(g) and (i), (11), and (12) would tighten disclosure restrictions; and Recommendation (13) would require specific written authorizations for prohibited disclosures rather than the now loosely applied concept of "informed consent". penalties for anyone seeking or obtaining medical records under false pretenses (as already provided in the Privacy Act), encouraging States to enact similar requirements and noncovered medical care providers to establish similar procedures as those to be embodied in the proposed HEW regulations. Those PPSC recommendations relating to health statistics, insofar as they raise issues similar to those raised by its recommendations on Research and Statistical Activities, are discussed below in the section on Statistical Information. The CFP endorses the objectives of the PPSC recommendations and that Commission's efforts to provide greater protection to the information contained in medical records. We also strongly support the proposed requirements which would strengthen corresponding requirements in the Privacy Act.27 At the same time, we must question the PPSC approach, which it, itself, recognizes has not been effective in the area of education records and which, for no persuasive reason, is different from that which it has recommended for welfare records. Further, if, as the CFP believes, changes are needed in the confidentiality provisions of the Privacy Act, such changes should be embodied in that Act and made applicable to all Federal records rather than only to those in these selected areas. That Act should then be extended to Federal grantees and contractors or, at the least, to these affected grantees, with responsibility for compliance centralized in a new administrative agency with expertise in the area of information management practices. Proprietary Business Information: Confidentiality vs. the FOIA Among the segments of the population affected by Federal reporting requirements, none has been as vocal in expressing its concerns as the business community. Commission studies and reports substantiate complaints of onerous, and sometimes unnecessary, Federal demands on business entities, particularly on small businesses, which can ill afford these burdens. These complaints are exacerbated by the fear that information given "in confidence" to a Federal agency may be released within the Government and used for another purpose or may be disclosed to a business competitor under the public disclosure requirements of the Freedom of Information Act. In view of the current state of the law and the growing tendency of the business community to use the FOIA to obtain commercial information, such apprehension appears justified. The State of the Law on Disclosing Business Data The laws on confidentiality of proprietary business information are as varied, numerous, and inconsistent as those relating to individual data. Although the FOIA is a comprehensive public disclosure statute, applicable to all kinds of information maintained by executive agencies, it is not a confidentiality statute in any sense as its 27 Ibid. 97 98 exemptions do not bar disclosure but merely permit agencies to withhold information. Moreover in view of the many and varied confidentially provisions in other laws and the fact that the (b)(3) exemption of the FOIA removes from its scope information specifically declared confidential by these laws, there is no uniform standard or even consistent standards governing the public disclosure of business data. The Commission's reports reveal that many of the same confidentiality issues arise with respect to commercial or industrial information as with respect to personal/individual data. The Segments of Business study, discussed below in connection with statistical information, poses the problem of the extent to which information collected for research purposes — with a pledge of confidentiality - can or should be disclosed for other purposes. The Energy study raises similar issues and, in addition, illustrates the constraints on data sharing and on the effective administration of programs posed by the lack of uniform standards relating to disclosure. Business entities, like individuals, claim a need and a right to protect from disclosure the "confidential" information which they submit to the Federal Government. There is, however, one significant difference between the confidentiality of individual and business information and that lies in its statutory protection. Whatever its limitations, the Privacy Act does restrict disclosures of individual information by Federal agencies whether within the executive branch or to other governmental units. Moreover, some commentators and the PPSC believe that that Act restricts public disclosures by precluding Federal agencies from making discretionary releases of individual data under exemption (b)(6) of the FOIA, where such disclosures would constitute "a clearly unwarranted invasion of personal privacy".28 There is, however, no comparable legislation applicable to all business entities to assure them that "private" information will not be released and used to affect their interests adversely. Morover, exemption (b)(6), it is generally agreed, is not applicable to business entities.29 Exemption (b)(4), relating to "trade secrets and commercial or financial information obtained from a person and privileged or confidential", is the corresponding exemption for "private" business information. Judicial interpretation of this exemption is still far from settled, but recent cases have interpreted "confidential" in such a way that much of the data submitted to the government "in 28 See PPSC Report, note 16, supra, p. 520. But cf. Disabled Officer's confidence" could not be protected from public disclosure, particu- The Use of the FOIA by the Business Community: "Reverse The requirement in the 1966 Freedom of Information Act that information be available to "any person" - not only to those persons "properly and directly concerned" was viewed by most commentators as essential to any public disclosure statute. In conformance with this language, the courts have consistently held that a requestor's rights under the FOIA will not be affected by his particular interest in the information;31 information of "public interest" must be available to any and all members of the public. There is little doubt, however, that the Act is increasingly being used to serve private interests of one sort or another. The most publicized "abuse" of the Act's processes has been its use by business entities to obtain the release of commercial information relating to their competitors. The number of "reverse FOIA" cases, initiated by business entities to bar the release of such data, is rapidly increasing. According to Justice Department sources, there are currently about 300 cases in litigation involving proprietary business information. Business entities also use the FOIA to obtain the results of Government research which can then be utilized for proprietary purposes. Requests are also submitted by persons who are or may be engaged in litigation with an agency to obtain premature discovery of agency documents. Students seeking an easy way to complete academic assignments and occasional "cranks" and troublemakers who may be seeking only to harass Government agencies add further to the FOIA case load. Although all these requests may be somewhat removed from the primary purpose of the Act-to ensure an informed electorate and have imposed an increased burden on agency personnel32 and on the courts, this seems a fair price to pay for effective public disclosure legislation. This Commission does not suggest that the Act be amended to impose restrictions on requestors or to require, as a general policy, that their interests be questioned in determining whether information should be disclosed. Nor does it recommend that limitations on search and duplication fees, imposed by the 1974 amendments, be removed even though the taxpayers may now be "subsidizing the information-gathering activities of corporations". 33 30 Charles River Park "A" Inc. v. Department of H.U.D., 519 F.2d 935 (D.C. 31 Environmental Protection Agency v. Mink, 410 U.S. 73, 79, 86 (1973), and 32 See, for example, Annual Report of the Department of Justice to Congress covering FOIA and Privacy Act operations during calendar year 1976, submitted March 25, 1977; Burt Schorr, "Telling Tales: How a Law Is Being Used to Pry Business Secrets from Uncle Sam's Files," The Wall Street Journal, May 9, 1977; Mark Arnold, "Who's Going Fishing In Government Files?," Juris Doctor, April 1976. 33 Mark Arnold, Ibid. 99 |