« PreviousContinue »
sible for the data they manage. The effectiveness of this control appears to vary widely between different agencies. The various aspects of the problem are outlined in the summary of the AFIPS meeting.
The Bureau of the Budget is probably the prime mover toward the establishment of a National Data Center. This stems, of course, from its primary mission and its involvement in statistical systems development. Social scientists and economists have been very active furthering the project on the basis that improved data management is needed to provide better and more current information for government decision making.
The Gallagher Committee is closely following the legislative aspects of current developments being made toward a National Data Center. Requirements for legislative action will certainly be thoroughly investigated by the able members of this committee.
National Data Center requirements for coordination among federal, state, and municipal governments have as yet been given little consideration. The protection of corporate information in a National Data Center has also received very little consideration and should perhaps be brought to the attention of the Gallagher Committee.
The subject of privacy in the business environment is being investigated by the Federal Communications Commission under Docket 16979. Perhaps this also should be brought under the purview of the Gallagher Committee.
SUMMARY OF DISCUSSIONS AT AIRLIE The subjects covered in the discussions of the AFIPS Committee meeting at the Airlie Foundation will be presented at the Spring Eastern Joint Computer Conference at Atlantic City. The following summary is an attempt to highlight the discussions in terms of the interests of the NAM Computer Subcommittee.
The projected National Data Center proposes the centralization of data collection, storage, manipulation and retrieval now done by many federal departments and bureaus. Anticipated benefits include speeding up of information flow, increased availability in more usable forms, and decreased governmental costs. It is generally conceded that these benefits could be realized and that the technology exists to implement such a system. However, no substantial systems study has been made to evaluate such benefits nor, in fact, has there been a comprehensive study to determine how a National Data Center could or should be implemented. There are some indications that steps toward such a system may be taken prior to any comprehensive studies.
The possible invasion of individual privacy posed by the establishment of a National Data Center was not even considered in the Ruggles and Dunn Reports. Realization of the dangers involved has now made this the overriding issue of the whole controversy. The threat arises from the centralization of information that could increase the possibly of the establishment of dossiers on each citizen. Privacy is a fundamental freedom and an unquestioned constitutional right that must not be abrogated.
The emphasis, therefore, has shifted almost entirely to consideration of means to protect individual privacy if a National Data Center were to be established. It should be noted that the problem exists to an unknown degree in the present government data systems. Some protection is presently afforded by the fact that information concerning an individual is scattered in so many different places. However, with a National Data Center such information could be easily assembled unless access to data is adequately protected.
It is generally conceded that complete protection is impossible of attainment and that system costs will increase as the degree of protection is increase. A figure of 10 to 40 percent additional system cost was mentioned. Protection may be considered in two broad types, (a) those that stem from the design and tcehnical characteristics of the system, and (b) those established by statutory means or administrative order.
It has been said that information systems can be made fool-proof but not smart-proof. Possible safeguards in technical system design include
a. Measures to prevent bugging in both the computer and communications b. Encrypting of data sufficient to discourage unauthorized retrieval.
c. Equipping of memories and data files with key codes to prevent unauthorized insertions and retrievals.
d. Random external audits of protective computer programs.
f. Means for verification of the right to access the system. A system design consideration has been advanced which would, if feasible, provide a degree of protection.
Information systems may be classified into "Statistical Systems" where in. formation is not associated with individuals and "Intelligence Systems” which are directly associated with individuals. It has been proposed that only statistical information be included in the National Data Bank. This would limit the value of a data bank especially for sociological studies but would greatly reduce the privacy problem. There is a great deal of disagreement on this subject.
Many aspects have been probed of the protection of data systems by statutory means and by administrative order.
The control problem was summarized as having four elements :
a. Rules and Regulations.—Statutory rules provided by Congress would set the limits within which the system must operate.
Administrative agencies would set operational procedures within the predefined limits.
b. Safeguards.-Electronic safeguards would be part of the system design. Procedural safeguards would in de proof the need to know and identification of requests. The individual should have the right to confrontation with regard to his record in the system.
c. Penalties.—Strong penalties should be provided for anyone who obtains, uses, or circulates confidential information without appropriate authority. This would be covered by statute and by administrative rules.
d. Remedies.-If a person is injured by illegal or improper use of information concerning him he should have the right to seek a remedy by legal means.
As was so competently brought out at the Airlie Conference, the problems of the protection of privacy in the National Data Center are many and complex and should be largely resolved before instituting the system. Further, a systems study in depth should be made to determine the benefits and costs involved in the proposed system. Concurrently an implementation study should be made to de fine the technical design characteristics of the system. A close watch should be kept to deter the establishment of such a system without the above actions and authorizations.
Note: The Director of the Budget in a report dated January 23, 1967, stated: “To assist all agencies in their management and uses of automatic data processing equipment, the initial phases of a Government-wide information system have been designed and will become operational early in calendar year 1967.”
I have no further information on this and do not know if it is related to a National Data Center.
COMMITTEE ON THE JUDICIARY,
March 30, 1967.
DEAR MR. BODINE: Thank you for your recent letter commenting on the Federal Communication Commission's inquiry regarding computers. Certainly appreciate your views. Per your suggestion, am sending a letter to the FCC informing them of our interest in the subject of invasion of privacy as it relates to the computer. A copy is enclosed.
As you may know, the Subcommittee recently held hearings on this subject and just as soon as hearing material has been printed, we will be glad to send you a copy. Would also appreciate receiving any report which your Computer Subcommittee will issue.
Am taking the liberty of including your letter and the accompanying report into our hearing record. Kind regards, Sincerely,
EDWARD V. LONG, Chairman.
COMMITTEE ON THE JUDICIARY,
March 30, 1967.
DEAR MR. CHAIRMAN : On March 14th and 15th, the Senate Subcommittee on Administrative Practice and Procedure began hearings on the subject of the computer and the potential invasion of privacy that it may create.
It is our understanding that the FCC is currently reviewing the role of the computer and communication services and facilities. Since this is of great concern to our Subcommittee, would hope that the FCC would also give consideration to the potential problems of invasion of privacy as it conducts its inquiry. We would, of course, like to be informed of all facets of your current investigation. Kind regards, Sincerely,
EDWARD V. LONG, Chairman,
U.S. DEPARTMENT OF COMMERCE,
BUREAU OF THE CENSUS,
Washington, D.C., January 26, 1967. Mr. BENNY L. KASS, Assistant Counsel, Subcommittee on Administrative Practice and Procedure,
Senate Judiciary Committee, U.S. Senate, Washington, D.C. DEAR MR. Kass: In response to your request, I enclose a selection of documents illustrating principles and practices of the Bureau of the Census with regard to protection of privacy and confidential treatment of information.
Privacy of individuals received consideration early in the history of censustaking. By 1840, the director of the census was instructing the census-takers to keep the information they collected confidential. By 1880, the Congress had passed a law providing penalties for census-takers who revealed information to unauthorized persons. The provisions of this law have been strengthened and brought up to date; they now appear in sections 8, 9, an 214 of Title 13, U.S. Code, which is Enclosure 1.
Two 19th century census practices resulting in invasion of privacy have long since been discontinued. The first was to post the census schedules in a public place so that anyone who was not included could add his name. The other was to file copies of the census schedules with the clerks of court. Before the 1870 census, the Superintendent pointed out, “The set of returns deposited in the county clerk's office was not only useless but mischievous, being subject, on account of proximity to the individuals or families enumerated, to curious or malicious examination.” At present, the only ones who may see the census schedules are Census Bureau employees who have taken an oath not to disclose the contents.
Instructions to Census Bureau employees on how to carry out the law on confidentiality are contained in Chapter C-2 of the Bureau's Administrative Manual, “Confidential Nature of Data Collected by the Bureau of the Census.” See Enclosure 2 and note the policy statement at the bottom of the first page: “It is the policy of the Bureau of the Census to place strict interpretation on Federal laws which require absolute confidentiality concerning details relating to individuals and establishments included in data it receives or prepares."
In publishing statistical totals, the Bureau suppresses figures that may disclose information about individual companies or persons, inserting a “D” in place of the figure. This is explained in the text of the reports. For example, the following statement appears in a report on water use from the 1963 Census of Manufactures :
Confidentiality of data for individual companies.—The Bureau of the Census is prohibited by law from publishing any statistics that disclose information reported by individual companies. In suppressing figures to avoid disclosing information of individual companies, geographic region and division totals are given precedence over individual States. In tables showing industry detail, major industry group (2-digit) totals take precedence over industry group (3-digit) totals which, in turn, take precedence over individual (4-digit) industries. In tables where industry and industry group data are shown within water-use regions or States, the water-use
region and State totals take precedence over the industry data. Before each decennial census of population and housing, the President issues a Proclamation to inform the people. The Proclamation for the 1960 census is Enclosure 3. Note the President's statement that, “No person can be harmed in any way by furnishing the information required. There need be no fear that disclosure will be made regarding any individual person or his affairs."
The public and the courts also recognize the confidentiality of census information. Enclosure 4 is a newspaper story of a court that refused to compel a litigant to ask the Census Bureau for certification of his age.
In framing its interrogations, the Census Bureau considers the willingness of the people to reply to them. See, for example, the paragraphs on color or race, religion, and social security number in the paper on “Some Questions Relating to the 1970 Census of Population and Housing" (Enclosure 5). See also the policy directive for the 970 Census (Enclosure 6), in which the Director points out that a new question “must be one which is generally accepted by the public as relevant to the census” and that “the questionnaire as a whole must not involve an undue burden on the respondents.” In discussing "The Development of Criteria for Surveys for Other Government Agencies” (Enclosure 7), the Bureau raised the question (page 3) of including interrogations that are personally sensitive to a significant proportion of the respondents.
Finally, I am sending you two statements that I made recently before other congressional committees. The first one (Enclosure 8) was made before the House Special Subcommittee of the Government Operations Committee, and I am including the opening statement of the Chairman of the Subcommittee and my memorandum to the Bureau staff after the hearing. The second one (Enclosure 9) was made before the House Subcommittee on Census and Statistics.
I hope that I have given you enough information to acquaint you with our policy on privacy of individuals and the need to protect the information we collect. If I can be of any further assistance to the Subcommittee, please let me know. Sincerely yours,
A. Ross ECKLER,
Director, Bureau of the Census. Enclosures: (Enclosures 1, 3, 4, 5, 6, 7, 8, and 9 are in Subcommittee files.)
[Bureau of the Census Administrative Manual, ch. C 2, effective date Feb. 29, 1956]
CONFIDENTIAL NATURE OF DATA COLLECTED BY THE BUREAU OF THE CENSUS
1. SUPERSEDED MATERIAL
This Chapter supersedes Chapter C 2, “Confidential Nature of Census Returns," dated March 25, 1949, and any other instructions which may be in conflict or inconsistent with its provisions.
The purpose of this Chapter is to
a. Inform employees of their obligations for maintaining the confidentiality of information the Bureau of the Census receives from respondents,
b. Provide information to assist employees in maintaining this confidentiality,
c. State the penalties provided by law for unauthorized disclosure of census information.
It is the policy of the Bureau of the Census to place strict interpretation on Federal laws which require absolute confidentiality concerning details relating to individuals and establishments included in data it receives or prepares. The Bureau of the Census requires each employee to adhere to the following sworn affidavit of nondisclosure which he is required to sign upon entering on duty: "I will not disclose any information contained in the schedules, lists, or statements obtained for or prepared by the Bureau of the Census, to any person or persons, except those designated by the Director.”
4. BASIS FOR CONFIDENTIALITY OF DATA COLLECTED 401. General
Protection against unauthorized disclosures is provided by law for all data the Bureau of the Census obtains in its periodic and interim censuses, surveys, and related data collection activities. Penalties, including fines or imprisonment or both (cf. Subsection 4.03) shall be imposed upon any Bureau employee who discloses census data except as authorized. 13 U.S.C. 9 provides that
“(a) Neither the Secretary, nor any other officer or employee of the Department of Commerce, or bureau or agency thereof, may, except as provided in section 8 of this title
(1) use the information furnished under the provisions of this title for any purpose other than the statistical purposes for which it is supplied; or
(2) make any publication whereby the data furnished by any particular establishment or individual under this title can be identified; or
(3) permit anyone other than the sworn officers and employees of the Department or bureau or agency to examine the individual reports. “(b) The provisions of subsection (a) of this section relating to the confidential treatment of data for particular individuals and establishments, shall not apply to the censuses of governments provided for by subchapter III of chapter 5 of this title, nor to interim current data provided for by subchapter IV of chapter 5 of this title, as to the subjects covered by censuses of governments, with respect to any information obtained therefor that is compiled from, or customarily provided in, public
records." 4.02 Exceptions to Nondisclosure
13 U.S.C. 8 provides for exceptions to nondisclosure of data as required by 13 U.S.C. 9 above. Under certain conditions data may be furnished to governors of states and territories, courts of record, and to individuals. The information under these exceptions may be furnished only, however, by those employees so authorized by the Director. The following data are authorized to be released under the exceptions provided by 13 U.S.C. 8:
a. Material already a matter of public record, as in the case of:
(1) State and local government statistics,
(2) The census of 1880 and prior censuses,
(1) Person enumerated,
(3) Blood relative or spouse of a deceased person when the request is accompanied with a certified copy of the death certificate and a statement that the information will not be used to the detriment of the person or persons concerned,
(4) Administrator of an estate upon presentation of a court order naming the administrator,
(5) Guardian upon receipt of proof of guardianship. 4.03 Penalties for Unauthorized Disclosure 13 U.S.C. 214 provides that,
"Whoever, being an employee referred to in subchapter II of chapter I of this title, having taken and subscribed the oath of office, publishes or communicates, without the written authority of the Secretary or other authorized officer or employee of the Department of Commerce or bureau or agency thereof, any information coming into his possession by reason of his employment under the provisions of this title, shall be fined not more than $1,000 or imprisoned not more than two years, or both.”