The actual draft IITF privacy principles document and request for comments is available from:

  ftp.eff.org, /pub/EFF/Policy/Privacy/iitf_principles.draft
  gopher.eff.org, 1/EFF/Policy/Privacy, iitf_principles.draft
  gopher://gopher.eff.org/11/EFF/Policy/Privacy, iitf_principles.draft
  http://www.eff.org/pub/EFF/Policy/Privacy/iitf_principles.draft

IITF Document
*****************************************************************
Draft - April 21, 1994

PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION

Commentary

1. With the initiation and expansion of the National Information Infrastructure (NII), the information age is clearly upon us. The ability to access, collect, store, analyze, and disseminate data at an acceptable cost has never been greater, and continuing advances in computer and telecommunications technologies, especially interactive applications, will serve to ensure that the amount of electronically stored personal information and transactional data will continue to grow at a healthy pace.

2. Cost is, of course, the overriding factor. Continually decreasing hardware, software and networking costs allow individuals and organizations to use data in ways that were previously, in a non-electronic world, cost-prohibitive. For example, if someone were interested in building a dossier on a citizen who had lived in four different states, that dossier could have been built "manually" by travelling from state to state (or hiring individuals in each state) to compile public records pertaining to that individual's birth, motor vehicle registration, driver's license, real property holdings, voting, etc. This would have required, however, filling out forms, paying fees, and perhaps waiting in long lines for record searches at various state and local office buildings. In short, it could be done, but it would have been a time-consuming and costly exercise; thus, it would not be done unless the reward for building this dossier were considerable. If the ultimate goal were to collate data on thousands of individuals, analytical processing costs would also be added to the mix.

3. Today, such a dossier can be built in a matter of minutes, at minimal cost, assuming all the needed information is on-line. Indeed, with the NII, the assumption is that large amounts of sensitive information will be on-line, and can be accessed, perhaps without authority, by a large number of network users. With advanced networking, each link in the chain--access, collection, storage, and analysis--becomes a cost-effective method of using information, as does the ability to disseminate the final collated product to others.

4. Such networking offers considerable benefits. The NII holds forth the promise of greater public participation in society, advances in medical treatment and research, and quick verification of critical personal information (e.g., a gun purchaser's criminal record), just to name a few. There is, however, another issue: information privacy. To the extent that the ability to access, collect, store, analyze, and disseminate data has never been greater, the threat to personal information privacy has never been greater either.

5. The truth is, the NII will only achieve its full potential if individual privacy is properly protected. Absent such protections, individuals may be reluctant to participate in the NII, fearful that the risks to personal privacy outweigh the benefits. Citizens should not have to make that choice; rather, they should be assured that the use of personal information will be appropriately limited. The adoption of fair information principles is a critical first step in that direction.

6. Although Fair Information Principles currently exist [see Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens (Washington, D.C., Department of Health, Education and Welfare, 1973)], it is clearly time that they be rewritten to address the issues raised by our new electronic environment, as well as to cover paper records. The major concerns are:

(1) It is no longer governments alone that collect and use large quantities of personal data; the private sector clearly rivals the government sector in information usage. As such, these new principles should apply to both the government and private sectors.

(2) The NII will, if it fulfills its promise, be interactive; i.e., individuals to whom data relates (so-called "data subjects") will become increasingly active participants, creating volumes of communicative and transactional data. To the extent that individuals are providing information about themselves, they too should have obligations when using the NII.

(3) The transport vehicles for this information (the networks) are vulnerable to abuse; thus, the reliability of the network itself becomes critical to the future success of the NII.

(4) Traditional ethical rules, long accepted when dealing with tangible objects, are not easily applied in the new electronic environment, and all NII participants must be educated in the proper use of the NII. Consider, for example, how an individual who would never trespass in the home of another might attempt to justify computer hacking as an intellectual exercise. Indeed, what constitutes a proper use of the NII or NII information might not be intuitively obvious. Whether a particular use is acceptable may depend on a host of factors including, but by no means limited to, the purpose for which the data was collected, whether the use is compatible with that purpose, and whether the use is specifically authorized by law. In such an environment, individuals need to be educated about the proper use of both the NII and the information it contains.

7. As ambitious as the task is, these Principles attempt to address these issues. That said, one must recognize the limitations inherent in any such principles. First, the Principles are not intended to have the force of law. Broad, sweeping principles provide a framework for addressing fair information practices, but any specific regulatory implementation must be sector by sector. This is because each information sector (e.g., medical, financial, law enforcement, national security, research and statistics) has specific and unique needs that cannot be addressed by general principles.

8. Second, the Principles are only intended to apply domestically, although, to the best of our knowledge, these Principles are in accord with current international guidelines regarding personal privacy and data protection, and should not hinder the ongoing development of an international information infrastructure.

9. Third, the Principles only address information identifiable to a living individual. It makes little sense to restrict the use of information that does not relate to an identifiable living person, and to do so would unduly hamper researchers and others who use large quantities of data for generic statistical purposes.

10. Finally, although the Principles are written broadly, there will no doubt be times when their strict application would be inappropriate. For example, public safety could be undermined if law enforcement had to seek a data subject's approval before obtaining transactional records relevant to an ongoing criminal investigation on the theory that this use was incompatible with the purpose for which the records were originally created. To account for such cases, the words "as appropriate" or "to the extent reasonable" appear in the Principles. This is not to suggest, however, that the Principles need not be rigorously adhered to. To the contrary, the need to diverge from a given principle should be the exception, not the rule, and should only occur when there is a compelling reason. For in the end, it is adherence to these Principles that is critical to developing trust between data users and data subjects in the electronic information age.

General Principles for the National Information Infrastructure

11. We begin with the three principles that apply to all NII participants: information collectors, information users, and individuals ("data subjects"). These three principles, relating to privacy and information integrity, provide the underpinnings for the successful implementation of the NII. They state clearly that individuals are entitled to a reasonable expectation of information privacy, and that efforts should be made to ensure that information is adequately protected and used appropriately.

12. If the NII is to be trusted, participants must have a reasonable expectation of privacy in personal information. Although individuals harbor subjective expectations of privacy, these must be honored only to the extent that society is prepared to recognize those subjective expectations as objectively reasonable. For example, an individual who posts an unencrypted personal message in an area of a bulletin board service that is provided for open, public messages cannot reasonably expect that his/her message will only be read by the individual listed in the salutation. Where a subjective expectation of privacy is made clear and is objectively reasonable, however, individuals should have their privacy respected.

13. NII participants must also be able to rely upon the integrity of the information contained in and transmitted through the NII. This will be the case only if the information is secure from improper disclosure and alteration, and if the information is accurate, timely, complete, and relevant for the purpose for which it is used. The responsibility of providing adequate security and reliable information falls properly on all participants in the NII.

14. We recognize, of course, that individuals and organizations do not always provide accurate and complete data when requested. Large data brokers, as well as privacy advocates, may intentionally provide false data as a method of monitoring data flow. For example, an individual who misspells his name slightly when dealing with one company and then receives mail, with the name similarly misspelled, from a second company, may now be aware that the first company has disseminated his name to others. We do not intend to suggest that any falsehood violates this principle. It would violate this principle, however, to provide false information to create some improper result (such as receiving illegitimate benefits or injuring another).

Responsibilities of Original Collectors (i.e., Entities that Collect Information Directly from the Individual) of Personal Information

15. One of the most alluring features of the NII--easy access to and dissemination of information--also provides one of its most vexing problems: it is impossible for an individual to identify all the other individuals and organizations that may possess some personal information about himself or herself. At the risk of over-simplification, there are essentially two types of data users: those who collect information directly from the data subject, and those who do not. By necessity, the rules for these two groups must differ.

16. Those who collect information directly from the individual should inform the data subject (1) how the information collected will be used, (2) whether the information will remain confidential and be protected against improper access or alteration, and (3) the consequences of providing or withholding the requested information. Fulfilling these obligations will ensure that individuals have a meaningful opportunity to exercise sound judgment in accordance with the Principles for Individuals Who Provide Personal Information. Juxtaposed, the Principles for Information Collectors and the Principles for Individuals Who Provide Personal Information highlight the true interactive nature of the NII and the ideal symbiotic relationship between data collectors and data subjects.

17. It is simply impossible, of course, to impose these Information Collector obligations on entities that have no direct relationship with the individual. If every recipient of data were required to contact every individual on whom they receive data to provide some form of notice, the exchange of information would become unduly burdensome, and the benefits of the NII would be lost. On the other hand, information dispersion will be common on the NII, and the following principles, designed to promote fair information use, should apply to all data users (including data collectors).

Responsibilities of Information Users (i.e., Information Collectors and Entities that Obtain, Process, Send or Store Personal Information)

18. In an environment where individuals cannot realistically know where all personal information about them resides, and cannot account for each use of that information, it is simply impossible for individuals to ensure that personal information is used fairly. In some cases, even arguably adverse actions may go unnoticed, and therefore redress will not be available. For example, a company may decide not to include an individual in a mass mailing offer regarding a financial opportunity because an analysis of that individual's credit history suggests the individual is a bad credit risk. In such an environment, it is particularly important to ensure that data users use personal information in acceptable ways. The following principles, which apply to all users (including Collectors), fall into four categories: Acquisition and Use, Protection, Education, and Fairness.

A. Acquisition and Use Principles

19. The benefit of information lies in its use, but such use may also have a negative effect on personal privacy. Additionally, that privacy, once lost, cannot always be entirely restored (consider, for example, the extent to which the inappropriate release of extremely embarrassing personal information is rectified by a public apology). To protect the information privacy of individuals adequately requires that the effect of data use be considered before personal information is obtained or used. In assessing this effect, data users will need to consider not just the effect of their action on the individual, but other factors (such as public opinion and market forces) which may be relevant in determining whether a particular data use is appropriate.

20. It may well be that the effect on personal privacy has been considered and it has been decided, appropriately, to obtain and use personal information for some purpose. In such cases, the data user should obtain only that information which could reasonably be expected to support current or planned activities. Although the cost of storing information continues to decrease, it is simply inappropriate to collect volumes of personal information because it may, in the future, prove to be of some unanticipated value. Moreover, once collected, personal information should only be used for those current or planned activities, or other compatible purposes. Incompatible uses not authorized by law should not be undertaken without consultation with the data subject. See Fairness Principles, below. Finally, information should only be kept as long as necessary. It should be destroyed when appropriate.

21. Reasonable efforts should be made to ensure that information that will be relied upon is accurate, timely, complete, and relevant. It must be recognized that information which is accurate when collected may not be used for years, and the use of stale information may have unfair or inaccurate results.

B. Protection Principle

22. In a networked environment, the risk of unauthorized access (i.e., loss of confidentiality) and unauthorized alteration (i.e., loss of data integrity) increases exponentially. Both insiders and outsiders may browse through information they have no right to see, or make hard-to-detect changes in data which will then be relied upon in making decisions that affect the individual. For example, our national health system expects to become an intensive user of the NII. A hospital in a remote part of the country may pass x-rays through the NII for review by a renowned radiologist at a teaching hospital in another part of the country. For improving the quality of patient care, the benefits of such transfers are enormous. Yet it is unlikely that such sensitive data will be passed through a system where it could be subject to unauthorized alteration and potential misuse. It is therefore incumbent on data users to protect the data commensurate with the harm that might occur if the data were improperly disclosed or altered. Additionally, the level of protection should be consistent with whatever the data subject was told if the data was collected directly from the individual.

23. It is not enough, however, to rely upon technical controls. Although technological safeguards can serve to protect data confidentiality and integrity, there is a human component that defies a solely technical solution. For example, insiders--those who are authorized to access and alter data--may not violate access controls when they improperly alter or delete data they are authorized to change. Therefore, the protections employed must be multi-faceted and include technical solutions, management solutions (e.g., creating an environment where fair information practices are the accepted norm), and educational solutions (e.g., providing data handlers with proper training).

C. Education Principle

24. The Education Principle represents a significant addition to the traditional Fair Information Principles. The effect of the NII on both data use and personal privacy is by no means readily apparent. Most individuals are ignorant as to the amount of personal information already networked, and may not recognize how their lives can be affected by networked information.

25. It is important that information users appreciate how the NII affects information privacy, and that individuals understand the ways in which personal information can be used in this new environment. Thus, data users need to educate themselves, their own employees, and the public in general about how personal information is obtained, transmitted, used and stored, including what types of security measures are being used to protect data confidentiality and data integrity.

D. Fairness Principles

26. If information can be used to adversely affect an individual, it is only fair that the individual have a reasonable means to obtain, review, and correct personal information about himself or herself. Moreover, to the extent adverse actions are taken against the individual, the individual should be notified and have a means of redress. Equally important, the data collector should explain to the individual exactly what that means of redress is. Redress may take many forms (mediation, arbitration, civil suit, criminal prosecution) and be offered in different forums (federal, state, local), but cannot be imposed by these principles.

27. One of the most difficult issues is dealing with incompatible uses of previously collected information. An incompatible use is not necessarily a bad use; in fact, it may be of considerable benefit to either a data subject or society as a whole. A data subject may benefit, for example, when a customer mailing list is used to warn those customers that a product that they purchased is defective and may cause serious physical injury. Society as a whole may benefit when criminal conviction information is used for some purpose not originally contemplated, such as screening candidates for child care positions or weapons purchases. Similarly, researchers and statisticians using previously collected information may determine the cause of a potentially fatal disease such as cancer.

28. On the other hand, without some limitation, information use may know no boundaries. Individuals who disclose information for one purpose may then be subjected to unintended and undesired consequences, and this will discourage them from disclosing personal information in the future. To ensure that this does not occur, information should only be used in ways compatible with the purposes for which it was collected and, before incompatible uses occur, they must either be authorized by law or the individual data subject should be notified so that he or she can opt out of such use.

Rights and Responsibilities of Individuals who Provide Personal Information

29. As noted, the NII has significant implications for information use and personal privacy. In such an interactive environment, it is not sufficient for individuals to disclose personal information and then abdicate responsibility for the consequences; rather, individuals must take an active role in deciding whether to disclose personal information in the first instance. But if individuals are to be held responsible for making these choices, they must be empowered to make intelligent choices. This requires that they receive meaningful information on the intended uses of the information they provide, and the consequences of providing or withholding personal information. For these purposes, the "Principles for Individuals who Provide Personal Information" create two discrete categories that apply to individuals: Awareness and Redress.

A. Awareness Principles

30. Awareness encompasses the notion that individuals should understand the ways in which personal information may be used, and the results that flow from such use. This will allow them to make intelligent choices regarding the disclosure of personal information.

31. Increasingly, individuals are being asked to surrender personal information about themselves. Sometimes the inquiry is straightforward; for example, a bank may ask for personal information prior to processing a loan request. In this type of situation, the purpose, or at least the primary purpose, for which the information is sought (e.g., processing the loan application) may be clear to the individual. There may, however, be secondary uses which are not so immediately obvious, such as being put on a mailing list for a credit card solicitation. Indeed, there are no doubt many times when individuals decide to disclose information without being fully cognizant of the many ways in which that information may ultimately be used.

32. It is difficult, if not impossible, to anticipate all such uses. Individuals who pay for medical services with a charge card may not recognize that they are creating transactional records from which others may attempt to ascertain the current state of the individual's health. Equally problematic is that the assumptions drawn from such data may be false, and the individual may never know that the data has been used to reach some conclusion, or take some action, regarding his or her future.

33. It is impossible to formulate any set of principles that can cover comprehensively all possible uses of information. Nor would such an attempt be wise, for, in fact, different people desire and expect different levels of privacy, and hold different concerns regarding the ultimate use of personal data. Ultimately, whether an individual chooses to disclose personal information, or create a transactional record, should depend upon the individual's own wishes unless, of course, the information is required by law.

34. The Awareness Principles recognize the importance of personal choice and cultivate an environment where these critical personal decisions can be made intelligently. For whatever the degree of personal interest in information privacy, it is critical that individuals receive enough facts to make rational choices regarding the disclosure of personal information.

35. First and foremost, an individual should know the intended primary and secondary uses of the information. Second, individuals should determine whether efforts will be made to assure data confidentiality and data integrity. In some cases, confidentiality may be required by law (e.g., tax records), but of equal concern may be the technical and managerial controls in place to protect the data. This principle does not mean that the individual should obtain a technical explanation regarding the security measures used to protect such data. Indeed, such technical explanations might be unwelcome, unwarranted and counterproductive (widespread disclosure of the technical measures used might actually expose vulnerabilities in a given system). But individuals should be told whether the information is intended to remain confidential and whether efforts will be made to preserve data integrity. Some individuals might choose not to disclose personal data if they knew that the data provided was freely obtainable by others, or might easily be altered.

36. Individuals should also be informed of the consequences of providing or withholding information. Data subjects should be told whether disclosing the requested information is mandatory (i.e., required by law) or voluntary, and the consequences that can flow from their decision. We recognize fully that even when disclosure is legally "voluntary," it may in fact be coerced (e.g., the refusal to "voluntarily" provide information may result in the denial of critical life-sustaining benefits). General principles cannot resolve such difficult issues, but whatever the consequences, they should be clearly articulated.

37. Lastly, there will be times when individuals feel aggrieved by the improper use of personal information. If redress is available, individuals should be aware of that fact, and be informed as to how such redress can be obtained.

B. Principle of Redress

38. Invariably, people will be harmed by the improper disclosure or improper use of personal information. It is therefore important to implement proactive measures to limit that harm, and reactive measures to provide relief when harm occurs.

39. To the extent inaccurate information can be used to harm individuals, it follows that individuals may wish to ensure that collected and stored personal information is in fact accurate and complete. For this reason, individuals should be able to obtain from data users, as appropriate, a copy of this personal information and have the opportunity to correct inaccurate information. This may allow them, proactively, to prevent anticipated harms. This principle is, however, limited in scope. Although, ideally, all stored personal information should be accurate, the fact remains that inaccurate personal information does and will exist, and correcting inaccurate data cannot be done without cost. Pragmatically, it makes little or no sense to devote resources to correcting data that cannot be used to harm the individual, and therefore the opportunity to review personal information in order to correct data inaccuracies is limited to those cases where harm may occur.

40. When final actions are taken against individuals, they are entitled to notice. Absent notice, it may be impossible to seek available redress. Moreover, redress should be available for individuals who have been harmed by the improper use of information (including the use of inaccurate information). To ensure that individuals can take advantage of these redress mechanisms, the awareness principle, as noted above, requires that individuals be informed of the remedies available.