The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government.  Specifically it establishes rules, similar to the Fair Information Practice Principles that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.

Data Collection and Management

The Privacy Act of 1974 applies to Federal Government Agencies and governs their use of a system of records. By definition, a system of records is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”

The following rules govern the use of a system of records:

• No Federal Government record keeping system may be kept secret
• No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)
• No agency may maintain files on how a citizen exercises their First Amendment rights
• Federal personal information files are limited only to data that is relevant and necessary
• Personal information may able be used for the purposes it was originally collected unless consent is received from the individual.
• Citizens must receive notice of any third party disclosures including with whom the information is shared, the type of information disclosed and the reasons for its disclosure.
• Citizens must have access to the files maintained about them by the Federal Government
• Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files

Data Sharing

The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches would link together the information from both systems.

In order for any agency to run a matching program with a system of records from an another agency, their must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate, and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.

A Data Sharing Agreement:

• Must state the purposes and legal justifications for the matching program
• Must provide rational for the program by estimating the results and savings that will be achieved
• Must describe the records to be matched including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program
• Must describe how the privacy principles of the Privacy Act will be implemented in the program (ie: notice to the individual, ensure accuracy and completeness, limited used of results)
• Must provide an accuracy assessment of the unmatched records
• Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary.

Federal Register

To ensure that no system of records is kept secret, the Privacy Act requires all government agencies to provide a System of Records Notice (SORN) to biennially to be published in the Federal Register. Each SORN must also be published on the agencies website under the Electronic Privacy Act Amendment.

Each SORN must contain:

• The name location of the records system
• The title and business address of the individual overseeing the system of records at the agency
• The types of individuals about whom records are kept
• The categories of records kept in the system
• The general sources from which data is collected
• The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction.
• How an individual may determine if an agency maintains a record about them in their system of records
• How an individual may gain access to the records an agency maintains about them

Exceptions to the Privacy Act

While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.

The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Further more a system of records is defined as a group of records which uses personally identifiably information or signifiers to retrieve a file. There may be records systems which contain personal information but does not use that information to search for and gain access to a record. Such system of records would also be exempt under the Act.

The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.

Summary

Like the Freedom of Information Act, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does make significant steps in the protecting the right of privacy, it is also limited enough in its scope and implementation to only provide adequate protection. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to effectively understand their rights and work to create more comprehensive privacy legislation in the future.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• The Privacy Act of 1974 (I.C.b.i.-iv.)

The Fair Information Practice Principles

Notice/Awareness

Individuals should receive notice of an entity’s privacy practices prior to the collection of personally identifiable information. Notice allows individuals to make informed choices regarding the use of the personal information. A privacy notice must include:

• A legitimate name and physical address of the entity collecting the data
• The type of data collected
• How collected data will be used
• Any potential third party disclosure of personal information
• Any potential secondary use of personal information

Choice/Consent

Individuals must be able to consent or reject to certain uses of their personal information, particularly with regard to secondary uses and marketing purposes. Two main mechanisms are used to provide consumer with consent options:

• Opt in: Require affirmative consent from the individual. In other words, action must be taken by the individual to START the processing of personal information for secondary uses or disclosures. This may include signing up to receive marketing newsletters, special offers and similar types of communications.
• Opt Out: Requires the implicit consent of the individual. Here consent is assumed because the individual has not stated a desire otherwise. In other words, action must be taken by the individual to STOP the processing of personal information for secondary uses or disclosures. This may include opting out of third party advertising

An individual must be able to view their consent options and change them at any time. Changes should be honored within a reasonable length of time.

Access/Participation

An individual must be able to view the data an entity has on record. They must also be allowed to correct an incomplete or false information contained in their file. Access to data must be granted within a reasonable time frame and at a minimal cost.

Integrity/Security

Data must be accurate, up-to-date, complete and not stored longer than necessary. Security of data must be maintained using physical, technical and administrative safeguards to protect against unauthorized access, use, disclosure and destruction. Safeguards should be implemented in proportion to the security risk or threat, with greater risks or threats using greater resources and stronger protections.

Enforcement/Redress

An individual must be able to file complaints with the entity have their issues addressed.   Furthermore there should be a mechanism in place to ensure compliance with the above standards, either through self or government regulation.

Enforcement of Privacy Practices

The Fair Information Practice Principles are suggestions to guide the use of personal information in connection with business activities and transactions. They are not in themselves a law that must be followed, and as such are not enforceable. However, there are many privacy laws(see below) which make use of the Fair Information Practices to protect personal information.

The United States supports the use of self-regulation to enforce Fair Information Practices. Theoretically, informed consumers will choose to use businesses that implement the Fair Information practices and ensure the protection of their information, forcing those business that do not guarantee such protections out of business. Services such as the Better Business Bureau and online assurance programs build trust between businesses and consumers by providing consumers with a directory of businesses whose privacy practices have been assessed and found to provide adequate protection.

The Fair Information Practice Principles have been criticized because they do not require the creation of a general privacy authority and rely largely on self-regulation, which at times falls short of adequately regulating consumer protection. At the same time, many businesses believe implementing stronger guidelines or regulations would be too costly and detrimental to the growth of business. For now, the United States continues to use a sectoral approach, developing privacy laws as needed.

Laws Using the Fair Information Practice Principles to regulate Privacy

• Fair Credit Reporting Act– Regulated by the Federal Trade Commission, the Fair Credit Reporting Act regulates the use of consumer reports. Requires Notice of disclosure and adverse action, as well as the ability for a consumer to access and rectify inaccuracies in their consumer reports.
• Right to Financial Privacy Act– Protects the privacy of customers using financial institutions from government searches (with exceptions.) RFPA restricts government access to financial records without the individual’s consent or meeting one of the specified exemptions from the rule.
• Children’s Online Privacy and Protection Act–Protects against the collection, use and disclosure of the personal information of children under 13 without parental notice and consent.

Summary:

The Fair Information Practice Principles form the backbone of privacy laws in the United States. Though the principles put forth by the FTC are only considered guidelines, there are some laws that have turned the guidelines into law and even more businesses which choose build trust with consumers by ensuring their privacy through self regulation of the Fair Information Practice Principles. Understanding the principles and their implementation is one of the core concepts all privacy professionals need to know.

CIPP/G Candidate Preparation

In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:

• Privacy Principles and Definitions including Fair Information Principles(I.B.a.i.)

There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let’s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There’s a decent sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn’t affect anyone outside the credit reporting industry.  What happens when the collected data aren’t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?

Historical Perspective

This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics – “Individual Participation” and “Data Quality”.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission (FTC) released an advisory on online access and security in 2000. The CIPP defines these scenarios as customer access and redress.

Problems in credit reporting

Let’s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant’s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible – between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A 1998 survey by the Public Interest Research Group underscored the customer redress situation:

• Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;
• And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.
• Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.

This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  Plus, mistakes were reportedly found on 79% of consumer credit reports.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.

Congress steps in

In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus… and the slew of funny commercials about guys in pirate hats. Congress decided the credit bureaus’ reporting was simply too important to the US financial systems stating their rationale for the legislation:

(a)Accuracy and fairness of credit reporting. The Congress makes the following findings:

1. The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.
2. An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.
3. Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
4. There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.

(b)Reasonable procedures. It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.

Unintended Consequences

It is interesting to note, that in response to the FACTA, “imposter” domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  The World Privacy Forum study, “Call Don’t Click: Why It’s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,” found:

• 28 of the imposter domains belong to Experian, a credit bureau.
• 68 of the imposter domains belong to or are hosted at “pay per click” companies.
• 50 of the “pay per click” domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of    the “pay per click” sites lead consumers to Experian and other credit companies’ commercial sites in order to cash in on the credit bureaus’ affiliate marketing programs.

Electronic Health Records & HIPAA

Consumer access is probably not as obvious of a problem with the health care community.  Most of the work currently happens on the back end, where insurance companies and health care provider’s offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor’s office blunders, but in those cases, you’re likely handling them at the time of service and wont pay until they get it right.  Most people simply don’t see the man behind the curtain.

The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day – the proverbial Garbage In, Garbage Out.  A recent adopter of Google Health recounts his experience utilizing his hospital’s auto-migrate feature.  Some of his revelations:

• [T]he docs in the back room… quickly figured out what was going on… the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses. [I]nsurance billing codes bear no resemblance to reality… if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.
• EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.
• [M]y 12/6/2003 x-ray identified me as a 53 year old woman… it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors…

This was a contemporary hospital.  Their CIO touted the EHR revolution and already took steps embracing customer advocacy.  There will undoubtedly be push back with older hospitals or stodgier doctors.  The documented excavations are inevitable, especially with so many people involved in providing healthcare.  An article in Fast Company chronicled the clinical staff access associated with the writer’s medical care:

… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team,every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”

To top it all off, there are already questions as to how older, paper records might be brought into the digital realm.  Who’s to handle the scanning?  What’s to be had of the old records?  Will the security provisions be in place to prevent EHR compromise?  It’s already time consuming to update a digitized hospital’s records – how about those of a newly computer literate doctor’s office?

International Example

The US doesn’t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner’s Office (ICO) responsible for privacy, the United Kingdom has had it’s share of reporting and correction problems, most recently with their national health database.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  With the socialized health care in the UK, there were instances where the opt out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergy information, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized users to view any patient’s information, not just those currently being treated.

The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed medical record deletion would now be possible after discussions with the ICO privacy watchdogs and CfH managers.

People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.

Summary

When drawing corporate or group policies, general best practices dictate data subjects should have the ability to review all information an organization holds on them and have the right to change any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lock step with multi-national laws with regard to data subject access and redress.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B)
• Data Subject Access & Redress (Foundations: III.B.d)