Not long ago, the Social Security Administration (SSA) asked me to testify as part of a series of national forums concerning access to Social Security account information on the agency's Web site. While the matter was painted in the media as one fraught with privacy concerns, there is, as with most problems, more than one side to this issue. Because I follow issues pertaining to access to government information, I often become involved in issues where access and privacy intersect and, often, clash. The publicity concerning access to personally identifiable Social Security account information on the SSA's Web site is just one in a continuing line of access/privacy issues that need to be addressed as we work out the ground rules for electronic dissemination of sensitive personal or economic information.
The privacy perspective of the issue was laid out in the very balanced testimony of Marc Rotenberg, director of the Electronic Privacy Information Center in Washington, D.C., when he testified before the House Social Security Subcommittee on this issue. As Rotenberg noted, the privacy issues presented here cut in both directions. As a general rule, personal information should not be disclosed to third parties without prior consent. On the other hand, fair information practices include the individual's ability to have access to his or her own personal information for purposes of verifying its accuracy and completeness. Through this access mechanism, government agencies may be assured that information is accurate and up-to-date by receiving input from the person most likely to know.
Because the privacy dimensions of this debate have been so ably presented and discussed by Rotenberg and others, I want to look somewhat more carefully at the access implications. A bedrock principle of statutes covering access to government information is that a requester should be given access to records unless they fall within one or more specific exemptions.
Under access policies pursued by the Clinton administration, even in those instances where information may be withheld because it meets the definition for protection under a specific exemption, such information should still be disclosed as a matter of discretion unless the agency can articulate a foreseeable harm from disclosure. Of course, it is worth pointing out in the context of this specific incident that agencies have no discretion to disclose personal information that falls within the confines of Exemption 6 or 7(C) of the Freedom of Information Act (FOIA). Exemption 6 protects information whose disclosure would constitute "a clearly unwarranted invasion of personal privacy," while Exemption 7(C) protects law enforcement information where disclosure would constitute "an unwarranted invasion of personal privacy."
In Dept. of Defense vs. FLRA, the Supreme Court made it clear that records falling under either of these categories would be exempt under the Privacy Act. That is because one of the Privacy Act's exceptions to the rule of prior consent is that disclosure is required under the FOIA. The disclosure of a record that falls within the confines of either privacy exemption of the FOIA would not be a required disclosure and, thus, would not be permitted under the law as it currently is interpreted.
While the Social Security Administration's program to allow access to an individual's personal account information is certainly not set up to be administered as if the agency is receiving individual FOIA or Privacy Act requests for the information, some of the same analytical exercises may be useful.
To access advocates like myself, the disclosure of individual account information should not be restricted solely because of its electronic availability.
At the outset, it is important to be aware of the fear held by access advocates that somehow the technology of electronic access and dissemination will throw up obstacles to access that would not be present if the records were disseminated on paper. To access advocates like myself, the disclosure of individual