Is Responsible Use of Personal

The question is not about stopping the flow of data, but controlling it.

by / March 31, 1999
Privacy advocates have long complained that we have lost control of our personal information. They say our information is being collected, used and disseminated without our permission and that government and business use it in ways inconsistent with the purposes for which the information was originally collected.

Access advocates see strong evidence that the balance between privacy and access has tilted decisively toward privacy, that records that should be public are considered exempt because they contain personal information. Until the Supreme Court's 1989 decision in Dept. of Justice vs. Reporters Committee, balancing informational privacy against statutory demands of access under the Freedom of Information Act was done on an ad hoc basis that weighed the privacy interest of nondisclosure against the social utility of the requester's intended use of the information.

The court decided that the only public interest in disclosure intended by Congress was when the information shed light on government activities or operations, the burden of proof for which is an almost impossible standard to meet. Further, the court recognized a vested privacy interest in individuals whose public-record misdeeds or embarrassments had been long forgotten in some dusty public archive. They found, with good reason, that electronic databases containing such information were vastly more accessible and, thus, potentially more invasive of privacy.

After the Reporters Committee case, federal courts that previously found no protected privacy interest in basic information like names and addresses now found the exact same information protected because requesters could no longer show a valid reason for disclosure. Its long-term result was to set in motion a debate over whether various categories of public-record information should be closed because of privacy concerns. The debate's first significant victim was the state-controlled database of motor vehicle registration information, records that in most states were widely available for most purposes. The stated rationale for the Drivers' Privacy Protection Act was the misuse of records to track down and harass individual drivers.

The act was followed by moves in various localities to shut down voter records, land records and other categories of traditionally public documents.

Commercial Concerns

On the business side, the debate is similar, though any value of access is largely economic. Revelations about the ease with which Conde Nast was able to get its magazine subscribers to part with intimate personal information in answer to a readers' survey are underscored by stories about how quickly shoppers part with information about their buying habits in exchange for
discounts. Businesses want to know more about their potential customers, and use public-record information and data traded and sold between businesses to better target their customers.

All this requires mountains of personal information, and the real fear is that neither government nor business can or should be trusted with all that data. One option is to cut off the flow of data, but that seems unlikely in a world that revolves around information. Further, denying public access to such records does little to prevent government from misusing the information. Successfully turning off the tap of personal information flow would require prohibiting government from initially collecting the information. Politicians and policy-makers should move toward winnowing the amount of personal information currently collected and closely monitor any newly proposed collection programs.

Minimizing the collection of personal information is an excellent idea for government, but many businesses may thrive by collecting information. Except for public discontent, businesses have little incentive to slow the collection of personal data.

Fear of Abuse

What worries individuals most is that their personal information will be misused. This could mean abuse for illegal purposes such as stalking or credit card fraud, or for more benign purposes such as selling personal information to another company from whom the individual may not want solicitations. Perhaps some of these problems can be solved by cutting off access to personal information, but to say all personal information flows should be shut down is akin to closing the highways because some drivers behave recklessly. The goal should be to promote responsible behavior, not to prohibit it altogether.

Responsible use of personal information requires an enforceable fair-information-practices policy, probably statutory. Governments and businesses need to inform people about the purposes for which their information is collected and the information's possible secondary uses. For business, such a requirement may go a step further -- informing individuals that their information is being collected. Shopper discount programs do not typically make it clear that collection of personal information is the quid pro quo for the discount. Individuals must have rights of access and correction of their own personal information. The federal privacy act makes clear that there are circumstances under which access and correction should not be permitted, but those are the exception, not the rule.

Further, a request for correction does not have to lead to correction or amendment, but should require the information holder to clearly annotate the information to include a statement of disagreement on the part of the individual. Information holders need to maintain a system to account for secondary disclosures, and secondary disclosures should be allowed only where compatible with the original collection of information or have been consented to by the individual. Most importantly, individuals must have a legitimate remedy, through the courts if necessary, for violations of these policies. The mediation models being touted by industry, such as BBBOnline, an online service of the Better Business Bureau, are a first step but are unlikely to provide satisfactory remedies in many cases because their authority is so tenuous.

Need Some Faith

If people had faith that their personal information was used responsibly and that there were checks and balances built into the system, the worries about dissemination of such information might die down. It is worth wondering whether punishing misuse and irresponsible behavior while promoting responsible behavior might allow both privacy and access advocates to resolve this issue peacefully.

Harry Hammitt is editor/publisher of Access Reports, a newsletter published in Lynchburg, Va., covering open-government laws and information-policy issues. Email
Harry Hammitt Contributing Writer