Date: Thu, 26 Jan 95 09:52:50 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@uwm.edu Subject: Computer Privacy Digest V6#010 Computer Privacy Digest Thu, 26 Jan 95 Volume 6 : Issue: 010 Today's Topics: Moderator: Leonard P. Levine IITF Privacy Principles Draft Privacy Principles 01/20/95 [long] Info on CPD [unchanged since 12/29/94] ---------------------------------------------------------------------- From: JKANG@ntia.doc.gov Date: 25 Jan 1995 11:31:44 -0500 Subject: IITF Privacy Principles The Privacy Working Group of the Information Infrastructure Task Force ("IITF") has recently released its second draft of privacy principles, "Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information." It appears at 60 Fed. Reg. 4362 (January 20, 1995), and can also be found on-line via gopher or telnet (login=gopher) at IITF.DOC.GOV. The IITF was created to implement the Clinton Administration's vision of the National Information Infrastructure. The Task Force consists of high-level representatives of various federal agencies that develop information and telecommunications policy. One of the IITF working groups is the Privacy Working Group ("PWG"), which released a first draft of its principles in May 1994, after holding public hearings. On the basis of extensive comments received from industry, state and local governments, consumer groups, and individuals, the PWG has substantially revised the principles and released its second draft. Public comments, which may be submitted electronically, are welcome. They are due by March 21, 1995. ---------- Jerry Kang Acting Professor, UCLA School of Law Office of Policy Analysis and Development, NTIA jkang@ntia.doc.gov [MODERATOR: the gopher address is "ntiaunix1.ntia.doc.gov". For Mosaic or lynx users the URL is "gopher://ntiaunix1.ntia.doc.gov". The draft privacy principal is currently in the "Hot off the press!" entry. I have copied it into the next posting.] ------------------------------ From: "Prof. L. P. Levine" Date: 25 Jan 1995 10:49:59 -0600 Subject: Draft Privacy Principles 01/20/95 [long] OFFICE OF MANAGEMENT AND BUDGET National Information Infrastructure: Draft Principles for Providing and Using Personal Information and Commentary AGENCY: Office of Management and Budget ACTION: Notice and request for comments SUMMARY: OMB is publishing these draft principles on behalf of the Privacy Working Group of the Information Policy Committee, Information Infrastructure Task Force. They were developed by the Working Group to update the Code of Fair Information Practices developed in the early 1970s. DATES: Comments should be submitted no later than [insert date 60 days from date of publication]. ADDRESSES: Comments should be sent to the Working Group on Privacy c/o the NII Secretariat, National Telecommunications and Information Administration, U.S. Department of Commerce, Room 4892, Washington, D.C. 20230. The Principles and Commentary can be downloaded from the IITF gopher/bulletin Board System: 202-501-1920. The IITF gopher/bulletin board can be accessed through the Internet by pointing your gopher client to iitf.doc.gov or by telnet to iitf.doc.gov and logging in as gopher. Electronic comments may be sent to nii@ntia.doc.gov. FOR FURTHER INFORMATION CONTACT: Mr. Jerry Gates, Chair, Privacy Working Group, Bureau of the Census, Room 2430, Building 3, Washington, D.C. 20233. Voice telephone: 301- 457-2515. Facsimile: 301-457-2654. E-mail: ggates@info.census.gov. SUPPLEMENTARY INFORMATION: The following Principles and Commentary were developed by the Information Infrastructure Task Force's Working Group on Privacy with the goal of providing guidance to all participants in the National Information Infrastructure. (The Principles appear in plain text, and the Commentary appears in italics.) The Principles are intended to update and revise the Code of Fair Information Practices that was developed in the early 1970s. While many of the Code's principles are still valid, the Code was developed in an era when paper records were the norm. The Working Group distributed a draft of the Principles and Commentary for comment in May 1994 via electronic mail and in a notice published in the Federal Register. Major resulting changes are: 1) the Commentary has been incorporated into the Principles and has been modified to reflect changes to the principles, define terms, and to clarify areas of confusion; 2)the principles for Information Collectors have been incorporated into Principles for Users of Personal Information since some users also have a responsibility to inform and obtain consent for uses; 3) the Principles now require Information Collectors to conduct a privacy assessment before deciding to collect information; 4) the notice given to individuals becomes the determining factor for limiting the use of personal information; 5) the information an individual may access and correct is expanded; and 6) the provision of notice and a means of redress that was linked to "final actions" that may harm individuals is now based on an improper disclosure of information or the use of information that lacks sufficient quality. Before issuing the Principles as a final product, the Working Group is proposing them for comment again. The Working Group recognizes that the Principles cannot apply uniformly to all sectors. They must be carefully adapted to specific circumstances, therefore, the Working Group asks that final comments focus on major concerns about applying the principles broadly. Sectorial concerns should be addressed as organizations develop internal principles. Further, the Working Group debated the privacy rights of deceased persons and how they might be addressed in the Principles, but was not able to come to a conclusion. The Working Group also welcomes comments on whether and how the Principles should be revised to treat the rights of the deceased or their survivors. Sally Katzen Administrator Office of Information and Regulatory Affairs Privacy and the National Information Infrastructure: Principles for Providing and Using Personal Information Preamble The United States is committed to building a National Information Infrastructure (NII) to meet the information needs of its citizens. This infrastructure, created by advances in technology, is expanding the level of interactivity, enhancing communication, and allowing easier access to services. As a result, many more users are discovering new, previously unimagined uses for personal information. In this environment, we are challenged to develop new principles to guide participants in the NII in the fair use of personal information. Traditional fair information practices, developed in the age of paper records, must be adapted to this new environment where information and communications are sent and received over networks on which users have very different capabilities, objectives and perspectives. Specifically, new principles must acknowledge that all members of our society (government, industry, and individual citizens), share responsibility for ensuring the fair treatment of individuals in the use of personal information, whether on paper or in electronic form. Moreover, the principles should recognize that the interactive nature of the NII will empower individuals to participate in protecting information about themselves. The new principles should also make it clear that this is an active responsibility requiring openness about the process, a commitment to fairness and accountability, and continued attention to security. Finally, principles must recognize the need to educate all participants about the new information infrastructure and how it will affect their lives. These "Principles for Providing and Using Personal Information" recognize the changing roles of government and industry in information collection and use. Thus, they are intended to be equally applicable to public and private entities that collect and use personal information. However, these Principles are not intended to address all information uses and protection concerns for each segment of the economy or function of government. Rather, they should provide the framework from which specialized principles can be developed as needed. I. General Principles for All NII Participants Participants in the NII rely upon the privacy, integrity, and quality of the personal information it contains. Therefore, all participants in the NII should use whatever means are appropriate to ensure that personal information in the NII meets these standards. A. Information Privacy Principle: An individual*s reasonable expectation of privacy regarding access to and use of his or her personal information should be assured. B. Information Integrity Principle: Personal information should not be improperly altered or destroyed. C. Information Quality Principle Personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used. II. Principles for Users of Personal Information A. Acquisition and Use Principles: Users of personal information should recognize and respect the privacy interests that individuals have in the use of personal information. They should: 1. Assess the impact on privacy of current or planned activities in deciding whether to obtain or use personal information. 2. Obtain and keep only information that could be reasonably expected to support current or planned activities and use the information only for those or compatible uses. B. Notice Principle: Individuals need to be able to make an informed decision about providing personal information. Therefore, those who collect information directly from the individual should provide adequate, relevant information about: 1. Why they are collecting the information; 2. What the information is expected to be used for; 3. What steps will be taken to protect its confidentiality, integrity, and quality; 4. The consequences of providing or withholding information; and 5. Any rights of redress. C. Protection Principle: Users of personal information should take reasonable steps to prevent the information they have from being disclosed or altered improperly. Such users should use appropriate managerial and technical controls to protect the confidentiality and integrity of personal information. D. Fairness Principle: Individuals provide personal information on the assumption that it will be used in accordance with the notice provided by collectors. Therefore, users of personal information should enable individuals to limit the use of their personal information if the intended use is incompatible with the notice provided by collectors. E. Education Principle: The full effect of the NII on the use of personal information is not readily apparent, and individuals may not recognize how their lives may be affected by networked information. Therefore, information users should educate themselves, their employees, and the public about how personal information is obtained, sent, stored, processed, and protected, and how these activities affect individuals and society. III. Principles for Individuals who Provide Personal Information A. Awareness Principle: While information collectors have a responsibility to inform individuals why they want personal information, individuals also have a responsibility to understand the consequences of providing personal information to others. Therefore, individuals should obtain adequate, relevant information about: 1. Why the information is being collected; 2. What the information is expected to be used for; 3. What steps will be taken to protect its confidentiality, integrity, and quality; 4. The consequences of providing or withholding information; and 5. Any rights of redress. B. Redress Principles: Individuals should be protected from harm caused by the improper disclosure or use of personal information. They should also be protected from harm caused by decisions based on personal information that is not accurate, timely, complete, or relevant for the purpose for which it is used. Therefore, individuals should, as appropriate: 1. Have the means to obtain their personal information and the opportunity to correct information that could harm them; 2. Have notice and a means of redress if harmed by an improper disclosure or use of personal information, or if harmed by a decision based on personal information that is not accurate, timely, complete, or relevant for the purpose for which it is used. Commentary on the Principles Preamble 1. The National Information Infrastructure ("NII"), with its promise of a seamless web of communications networks, computers, databases, and consumer electronics, heralds the arrival of the information age. The ability to obtain, process, send, and store information at an acceptable cost has never been greater, and continuing advances in computer and telecommunications technologies will result in ever- increasing creation and use of information. 2. The NII promises enormous benefits. To name just a few, the NII holds forth the possibility of greater citizen participation in deliberative democracy, advances in medical treatment and research, and quick verification of critical information such as a gun purchaser's criminal record. These benefits, however, do not come without a cost: the loss of privacy. Privacy in this context means "information privacy," an individual's claim to control the terms under which personal information -- information identifiable to a individual -- is obtained, disclosed and used. 3. Two converging trends -- one social, the other technological -- lead to an increased risk to privacy in the evolving NII. As a social trend, individuals will use the NII to communicate, order goods and services, and obtain information. But, unlike paying cash to buy a magazine, using the NII for such purposes will generate data documenting the transaction that can be easily stored, retrieved, analyzed, and reused. Indeed, NII transactional data may reveal who communicated with whom, when, and for how long; and who bought what, for what price. Significantly, this type of personal information -- transactional data -- is automatically generated, in electronic form, and is therefore especially cheap to store and process. 4. The technological trend is that the capabilities of hardware, software, and communications networks are continually increasing, allowing information to be used in ways that were previously impossible or economically impractical. For example, before the NII, in order to build a profile of an individual who had lived in various states, one would have to travel from state to state and search public records for information on the individual. This process would have required filling out forms, paying fees, and waiting in line for record searches at local, state, and federal agencies such as the departments of motor vehicles, deed record offices, electoral commissions, and county record offices. Although one could manually compile a personal profile in this manner, it would be a time- consuming and costly exercise, one that would not be undertaken unless the offsetting reward were considerable. In sharp contrast, today, as more and more personal information appears on-line, such a profile can be built in a matter of minutes, at minimal cost. 5. In sum, these two converging trends guarantee that as the NII evolves, more personal information will be generated and more will be done with that information. Here lies the increased risk to privacy. This risk must be addressed not only to secure the value of privacy for individuals, but also to ensure that the NII will achieve its full potential. Unless this is done, individuals may choose not to participate in the NII for fear that the costs to their privacy will outweigh the benefits. The adoption of fair information principles is a critical first step in addressing this concern. 6. While guidance to government agencies can be found in existing laws and regulations, and guidance to private organizations exists in principles and practices, these need to be adapted to accommodate the evolving information environment.* This changing environment presents new concerns: [* footnote: For example, the Privacy Act of 1974, 5 U.S.C. 552a; or New York State Public Service Commission, Statement of Policy on Privacy and Telecommunication. March 22, 1991, as revised on September 20, 1991.] (a) No longer do governments alone obtain and use large amounts of personal information; the private sector now rivals the government in obtaining and using personal information. New principles would thus be incomplete unless they applied to both the governmental and private sectors. (b) The NII promises true interactivity. Individuals will become active participants who, by using the NII, will create volumes of data containing the content of communications as well as transactional data. (c) The transport vehicles for personal information --the networks -- are vulnerable to abuse; thus, the security of the network itself is critical to the NII's future success. (d) The rapidly evolving information environment makes it difficult to apply traditional ethical rules, even ones that are well understood and accepted when dealing with tangible records and documents. Consider, for example, how an individual who would never trespass onto someone's home might rationalize cracking into someone's computer as an intellectual exercise. In addition, today's information environment may present questions about the use of personal information that traditional rules do not even address. 7. These "Principles for Providing and Using Personal Information" (the "Principles") attempt to create a new set of principles responsive to this new information environment. The Principles attempt to provide meaningful guidance on this new information environment and attempt to strike a balance between abstract concepts and a detailed code. They are intended to guide all NII participants and should also be used by those who are drafting laws and regulations, creating industry codes of fair information practices, and designing private sector and government programs that use personal information. 8. The limitations inherent in any such principles must be recognized. As made clear in the Preamble, the Principles do not have the force of law; they are not designed to produce specific answers to all possible questions; and they are not designed to single-handedly govern the various sectors that use personal information. The Principles should be interpreted and applied as a whole, and pragmatically and reasonably. Where an overly mechanical application of the Principles would be particularly unwarranted, phrases with the words "appropriate" or "reasonable" appear in the text. This flexibility built into the Principles to address hard or unexpected cases does not mean that the Principles need not be adhered to rigorously. 9. Moreover, the Principles are intended to be in accord with current international guidelines regarding the use of personal information and thus should support the ongoing development of the Global Information Infrastructure. 10. Finally, adherence to the Principles will cultivate the trust between individuals and information users so crucial to the successful evolution of the NII. I. General Principles for All NII Participants Participants in the NII rely upon the privacy, integrity, and quality of the personal information it contains. Therefore, all participants in the NII should use whatever means are appropriate to ensure that personal information in the NII meets these standards. 11. Three fundamental principles should guide all NII participants. These three principles -- information privacy, information integrity, and information quality -- identify the fundamental requirements necessary for the proper use of personal information, and in turn the successful implementation of the NII. I.A. Information Privacy Principle: An individual*s reasonable expectation of privacy regarding access to and use of his or her personal information should be assured. 12. If the NII is to flourish, an individual's reasonable expectation of information privacy should be ensured. A reasonable expectation of information privacy is an expectation subjectively held by the individual and deemed objectively reasonable by society. Of course, not all subjectively held expectations will be honored as reasonable. For example, an individual who posts an unencrypted personal message on a bulletin board for public postings cannot reasonably expect that personal message to be read only by the addressee. 13. What counts as a reasonable expectation of privacy under the Principles is not intended to be limited to what counts as a reasonable expectation of privacy under the Fourth Amendment of the United States Constitution. Accordingly, judicial interpretations of what counts as a reasonable privacy expectation under the Fourth Amendment should not inhibit NII participants from applying the Principles in a manner more protective of privacy. I.B. Information Integrity Principle: Personal information should not be improperly altered or destroyed. 14. NII participants should be able to rely on the integrity of the personal information it contains. Thus, personal information should be protected against unauthorized alteration or destruction. I.C. Information Quality Principle Personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used. 15. Finally, personal information should have sufficient quality to be relied upon. This means that personal information should be accurate, timely, complete, and relevant for the purpose for which it is provided and used. II. Principles for Users of Personal Information II.A. Acquisition and Use Principles: Users of personal information should recognize and respect the privacy interests that individuals have in the use of personal information. They should: 1. Assess the impact on privacy of current or planned activities in deciding whether to obtain or use personal information. 2. Obtain and keep only information that could be reasonably expected to support current or planned activities and use the information only for those or compatible uses. 16. The benefit of information lies in its use, but therein lies an often unconsidered cost: the threat to information privacy. A critical characteristic of privacy is that once it is lost, it can rarely be restored. Consider, for example, the extent to which the inappropriate release of sensitive medical information could ever be rectified by public apology. 17. Given this characteristic, privacy should not be addressed as a mere afterthought, after personal information has been obtained. Rather, information users should explicitly consider the impact on privacy in the very process of deciding whether to obtain or use personal information in the first place. In assessing this impact, information users should gauge not just the effect their activities may have on the individuals about whom personal information is obtained. They should also consider other factors, such as public opinion and market forces, that may provide guidance on the appropriateness of any given activity. 18. After assessing the impact on information privacy, an information user may conclude that it is appropriate to obtain and use personal information in pursuit of a current activity or a planned activity. A planned activity is one that is clearly contemplated by the information user, with the present intent to pursue such activity in the future. In such cases, the information user should obtain only that information reasonably expected to support those activities. Although information storage costs decrease continually, it is inappropriate to collect volumes of personal information simply because some of the information may, in the future, prove to be of some unanticipated value. Also, personal information that has served its purpose and can no longer be reasonably expected to support any current or planned activities should not be kept. 19. Finally, information users should use the personal information they have obtained only for current or planned activities or for compatible uses. A compatible use is a use of personal information that was within the individual*s reasonable contemplation or sphere of consent when the information was collected. The scope of this consent depends principally on the notice provided by the information collector pursuant to the Notice Principle (II.B) and obtained by the individual pursuant to the Awareness Principle (III.A). Without this compatible use limitation, personal information may be used in ways that violate the understanding and consent under which the information was provided by the individual. This may subject the individual to unintended and undesired consequences, which will discourage further use of the NII. II.B. Notice Principle: Individuals need to be able to make an informed decision about providing personal information. Therefore, those who collect information directly from the individual should provide adequate, relevant information about: 1. Why they are collecting the information; 2. What the information is expected to be used for; 3. What steps will be taken to protect its confidentiality, integrity, and quality; 4. The consequences of providing or withholding information; and 5. Any rights of redress. 20. Personal information can be obtained in one of two ways: it can be either collected directly from the individual or acquired from some secondary source. By necessity, the principles governing these two different methods of obtaining personal information must differ. While notice obligations can be placed on all those who collect information directly from the individual, they cannot be imposed uniformly on entities that have no such direct relationship. If all recipients of personal information were required to notify every individual about whom they receive data, the exchange of personal information would become prohibitively burdensome, and many of the benefits of the NII would be lost. However, if such users intend to use the information for uses not compatible with the understanding and consent of the individual, individuals must be given the ability to limit such use (see II.D, the Fairness Principle). Accordingly, notice obligations apply only to those who collect personal information directly from the individual and any users who want to use the data for incompatible uses. 21. This requirement specifically applies to all parties who collect transactional data generated as a byproduct of an individual*s participation in the NII. Such parties include not only the party principally transacting with the individual in order to provide some product or service but also to those transaction facilitators such as communication providers and electronic payment providers who help consummate these transactions. For example, if an individual purchases flowers with a credit card through an on-line shopping mall accessed via modem, the Notice Principle applies to all parties who collect transactional data related to the purchase; not only to the florist, but also to the telephone and credit card companies. 22. In sum, all parties who collect personal information directly from the individual--whether they are the party principally transacting with the individual or are merely a transaction facilitator--should provide a notice that will adequately inform the individual about what the information is expected to be used for, including current and planned activities, and expected disclosures to third parties. 23. By providing notice, information collectors afford the individual a meaningful opportunity to exercise judgment in accordance with the Awareness Principle (III.A). Together, the Notice Principle and the Awareness Principle highlight the interactive nature of the NII and how responsibility must be shared between those who collect personal information and those who provide it. The importance of providing this notice cannot be overstated, however, since the terms of the notice determine the scope of the individual's consent, which must be respected by all subsequent users of that information. 24. Having said this, it is important to realize that what counts as adequate, relevant information to satisfy the Notice Principle depends on the circumstances surrounding the collection of information. In some cases, a particular use of personal information will be so clearly contemplated by the individual that providing formal notice is not necessary. For example, if an individual*s name and address is collected by a pizza operator over the telephone simply to deliver the right pizza to the right person at the right address, no elaborate notice or disclaimer need precede taking the individual*s order. However, should the pizza operator use the information in a manner not clearly contemplated by the individual--for example, to create and sell a list of consumers of pizzas containing fatty ingredients to health insurance companies--then some form of notice should be provided. In other cases, not every one of the components of the Notice Principle will need to be conveyed. For example, a long distance carrier that uses transactional data generated as part of a telecommunications transaction only to route calls and create accurate billings might need only provide notice of its data security practices. 25. While the Notice Principle indicates what might constitute the elements of adequate notice, it does not prescribe a particular form for that notice. Rather, the goal of the Principle is to ensure that the individual has sufficient information to make an informed decision. Thus the drafters of notices should be creative about informing in ways that will help the individual achieve this goal. 26. Finally, although the Notice Principle requires information collectors to inform individuals what steps will be taken to protect personal information, they are not required to provide overly technical descriptions of such security measures. Indeed, such descriptions might be unwelcome or unhelpful to the individual. Furthermore, they may be counterproductive since widespread disclosure of the technical security measures might expose system vulnerabilities, in conflict with the Protection Principle (II.C). II.C. Protection Principle: Users of personal information should take reasonable steps to prevent the information they have from being disclosed or altered improperly. Such users should use appropriate managerial and technical controls to protect the confidentiality and integrity of personal information. 27. On the NII, personal information is maintained in a networked environment, an environment that poses tremendous risk of unauthorized access, disclosure, alteration, and destruction. Both insiders and outsiders may gain access to information they have no right to see, or make hard-to-detect changes in data that will then be relied upon in making decisions that may have profound effects. 28. For example, our national health care system expects to become an intensive participant in the NII. Through the NII, a hospital in a remote locale will be able to send x-rays for review by a renowned radiologist at a teaching hospital in another part of the country. The benefits to the patient are obvious. Yet, such benefits will not be reaped if individuals refuse to send such sensitive data because they fear that the NII lacks safeguards needed to ensure that sensitive medical data will remain confidential and unaltered. 29. In deciding what controls are appropriate, information users should recognize that personal information should be protected in a manner commensurate with the harm that might occur if it were improperly disclosed or altered. Also, personal information collected directly from the individual should be protected in accordance with the information provided to the individual pursuant to the Notice Principle (II.B). 30. Finally, technical controls alone cannot provide adequate protection of personal information. Although technical safeguards are well-suited to protect against unauthorized outsiders, they are less well suited to protect against insiders who may be able to alter or delete data improperly without breaching any technical access controls. Therefore, to protect personal information, information users should adopt a multi-faceted approach that includes both managerial and technical solutions. One management technique, for example, could strive to create an organizational culture in which individuals learn about fair information practices and adopt these practices as the norm. II.D. Fairness Principle: Individuals provide personal information on the assumption that it will be used in accordance with the notice provided by collectors. Therefore, users of personal information should enable individuals to limit the use of their personal information if the intended use is incompatible with the notice provided by collectors. 31. Two principles work together to ensure the fair use of information in the NII. The Acquisition and Use Principle (III.A.2) requires information users to use personal information only for current or planned activities or for compatible uses. In conjunction with this principle, the Fairness Principle requires users to enable individuals to limit incompatible uses of personal information. Juxtaposed, these two principles highlight again the interactive and interrelated relationships on the NII, which require participants to share the power and responsibility for the proper use of personal information. 32. An incompatible use occurs when personal information is used in a way neither reasonably contemplated nor consented to by the individual when the information was collected. As explained earlier, the scope of this consent depends principally on the notice provided by the information collector pursuant to the Notice Principle (II.B) and obtained by the individual pursuant to the Awareness Principle (III.A). 33. An incompatible use is not necessarily a harmful use; in fact, it may be extremely beneficial to the individual and society. For example, society may benefit when researchers and statisticians use previously collected personal information to determine the cause of a potentially fatal disease such as cancer. 34. On the other hand, without some limitation, information use may know no boundaries. Without a Fairness Principle, personal information provided under the terms disclosed and obtained pursuant to the Notice (II.B) and Awareness (III.A) Principles may be used in ways that violate those terms and thus go beyond the individual's understanding and consent. To guard against this result, before information is used in an incompatible manner, such use should be communicated to the individual and his or her explicit or implicit consent obtained. The nature of the incompatible use will determine whether such consent should be explicit or implicit. In some cases, the consequences to an individual may be so significant that the prospective data user should proceed only after the individual has specifically opted into the use by explicitly agreeing. In other cases, a notice offering the individual the ability to opt out of the use within a certain specified time may be adequate. It is the responsibility of the data user to ensure that the individual is able to prevent such incompatible use. Implicit in this principle is the idea that the original data collector will convey to every new user information about the original notice. 35. Having said this, it must be recognized that the Fairness Principle cannot be applied uniformly in every setting. There are some incompatible uses that will have no effect on the individual*s information privacy interest. Research and Statistical studies may be an example. Obtaining the consent of the individual to participate in such studies will add cost and administrative complexity to the process without affecting the individual*s information privacy interests. In other cases, the information is for a significant public need that would be thwarted by giving the individual a chance to limit its use, and society recognizes the need and authorizes the use in a highly formal, open way (typically in legislation). An example would be the collection of data to support a law enforcement investigation where obtaining a suspect*s consent to a new use of what has become investigatory data would be unlikely and even asking for such consent could be potentially counterproductive to the investigation. Nevertheless, given the interactive possibilities that the NII offers, data users should be creative about finding ways to satisfy the Fairness Principle. II.E. Education Principle: The full effect of the NII on the use of personal information is not readily apparent, and individuals may not recognize how their lives may be affected by networked information. Therefore, information users should educate themselves, their employees, and the public about how personal information is obtained, sent, stored, processed, and protected, and how these activities affect individuals and society. 36. The Education Principle represents a significant addition to the traditional Code of Fair Information Practices. There are many uses of the NII for which individuals cannot rely completely on governmental or other organizational controls to protect their privacy. Although individuals often rely on such legal and institutional controls to protect their privacy, many people will engage in activity outside of these controls, especially as they engage in the informal exchange of information on the NII. Thus, individuals must be aware of the hazards of providing personal information, and must make judgments about whether providing personal information is to their benefit. 37. Because it is important that information users appreciate how the NII affects information privacy, and that individuals understand the ways in which personal information can be used in this new environment, information users should participate in educating themselves and others about the handling and use of personal information in the evolving NII. III. Principles for Individuals who Provide Personal Information 38. As previously noted, the NII will be interactive. Individuals will not be mere objects that are acted upon by the NII; rather, they will actively participate in using and shaping the new information technologies and environments. In such an essentially interactive realm, individuals should assume some responsibility for their participation in instances where they can affect that participation. For example, where individuals will have choices about whether and to what degree personal information should be disclosed, they should take an active role in deciding whether to disclose personal information in the first place, and under what terms. Of course, in certain cases, individuals have no choice whether to disclose personal information. For example, if the individual wants to execute a transaction on the NII, personal information in the form of transactional data will necessarily be generated. Or, the choice may exist in theory only. For example, an individual may be permitted not to disclose certain personal information, although exercising such choice will result in the denial of a benefit that they cannot give up to participate fully in society - e.g., obtaining a license to drive an automobile. If individuals are to be held responsible for making these choices, they must be given enough information by information collectors and users to make intelligent choices. III.A. Awareness Principle: While information collectors have a responsibility to inform individuals why they want personal information, individuals also have a responsibility to understand the consequences of providing personal information to others. Therefore, individuals should obtain adequate, relevant information about: 1. Why the information is being collected; 2. What the information is expected to be used for; 3. What steps will be taken to protect its confidentiality, integrity, and quality; 4. The consequences of providing or withholding information; and 5. Any rights of redress. 39. The Awareness Principle, in conjunction specifically with the Notice Principle (II.B) and more broadly with the Education Principle (II.E), strives to cultivate an environment where individuals have been given the tools necessary to take responsibility over how personal information is disclosed and used. 40. Increasingly, individuals are being asked to surrender personal information about themselves. Sometimes the inquiry is straight-forward; for example, a bank may ask for personal information prior to processing a loan request. In such situations, the purpose for which the information is sought is clear -- to process the loan application. There may, however, be other uses that are not so obvious, such as using that information for a credit card solicitation. 41. Indeed, individuals regularly disclose personal information without being fully aware of the many ways in which that information may ultimately be used. For example, an individual who pays for medical services with a credit card may not recognize that he or she is creating transactional data that could reveal the individual's state of health. The Awareness Principle encourages individuals to learn about and take into consideration such consequences before participating in these kinds of transactions. III.B. Redress Principles: Individuals should be protected from harm caused by the improper disclosure or use of personal information. They should also be protected from harm caused by decisions based on personal information that is not accurate, timely, complete, or relevant for the purpose for which it is used. Therefore, individuals should, as appropriate: 1. Have the means to obtain their personal information and the opportunity to correct information that could harm them; 2. Have notice and a means of redress if harmed by an improper disclosure or use of personal information, or if harmed by a decision based on personal information that is not accurate, timely, complete, or relevant for the purpose for which it is used. 42. There will be times when individuals are harmed by the improper disclosure or use of personal information. Individuals will also be harmed by the use of personal information that lacks sufficient quality to ensure fairness in that use. It is therefore important to implement measures to avoid or limit that harm, as well as measures to provide relief should harm occur 43. Therefore, individuals should be able to obtain from information users, as appropriate, a copy of their personal information and have the opportunity to correct information about them that lacks sufficient quality to assure fairness in use and thus prevent potential harm. Whether this opportunity should be granted depends on the seriousness of the consequences to the individual of the use of the information. Finally, appropriate forms of redress should be available for individuals who have been harmed by the improper disclosure or use of personal information, or by the use of personal information that lacks sufficient quality to be used fairly. The Principles envision various forms of redress including, but not limited to, mediation, arbitration, civil litigation, regulatory enforcement, and criminal prosecution, in various private, local, state, and federal forums with a goal of providing relief in the most cost-effective, efficient manner possible. Appendix I. Principles for Providing and Using Information in the NII - Comparison of May 25, 1994, and Revised Version [The Appendix, which compares the May 25, 1994 and the current version in a table format, is not available on-line. It can be found in the print copy of the Federal Register.] ------------------------------ From: "Prof. L. P. Levine" Date: 29 Dec 1994 10:50:22 -0600 (CST) Subject: Info on CPD [unchanged since 12/29/94] Organization: University of Wisconsin-Milwaukee The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy or vice versa. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@uwm.edu and administrative requests to comp-privacy-request@uwm.edu. This digest is a forum with information contributed via Internet eMail. Those who understand the technology also understand the ease of forgery in this very free medium. Statements, therefore, should be taken with a grain of salt and it should be clear that the actual contributor might not be the person whose email address is posted at the top. Any user who openly wishes to post anonymously should inform the moderator at the beginning of the posting. He will comply. If you read this from the comp.society.privacy newsgroup and wish to contribute a message, you should simply post your contribution. As a moderated newsgroup, attempts to post to the group are normally turned into eMail to the submission address below. On the other hand, if you read the digest eMailed to you, you generally need only use the Reply feature of your mailer to contribute. If you do so, it is best to modify the "Subject:" line of your mailing. Contributions to CPD should be submitted, with appropriate, substantive SUBJECT: line, otherwise they may be ignored. They must be relevant, sound, in good taste, objective, cogent, coherent, concise, and nonrepetitious. Diversity is welcome, but not personal attacks. Do not include entire previous messages in responses to them. Include your name & legitimate Internet FROM: address, especially from .UUCP and .BITNET folks. Anonymized mail is not accepted. All contributions considered as personal comments; usual disclaimers apply. All reuses of CPD material should respect stated copyright notices, and should cite the sources explicitly; as a courtesy; publications using CPD material should obtain permission from the contributors. Contributions generally are acknowledged within 24 hours of submission. If selected, they are printed within two or three days. The moderator reserves the right to delete extraneous quoted material. He may change the SUBJECT: line of an article in order to make it easier for the reader to follow a discussion. He will not, however, alter or edit or append to the text except for purely technical reasons. A library of back issues is available on ftp.cs.uwm.edu [129.89.9.18]. Login as "ftp" with password identifying yourid@yoursite. The archives are in the directory "pub/comp-privacy". People with gopher capability can most easily access the library at gopher.cs.uwm.edu. Mosaic users will find it at gopher://gopher.cs.uwm.edu. Older archives are also held at ftp.pica.army.mil [129.139.160.133]. ---------------------------------+----------------------------------------- Leonard P. Levine | Moderator of: Computer Privacy Digest Professor of Computer Science | and comp.society.privacy University of Wisconsin-Milwaukee | Post: comp-privacy@uwm.edu Box 784, Milwaukee WI 53201 | Information: comp-privacy-request@uwm.edu | Gopher: gopher.cs.uwm.edu levine@cs.uwm.edu | Mosaic: gopher://gopher.cs.uwm.edu ---------------------------------+----------------------------------------- ------------------------------ End of Computer Privacy Digest V6 #010 ****************************** .