While many of us are familiar with the Privacy Act of 1974, we don’t know much about what came before that. In the early 1970s, the Department of Health, Education and Welfare carried out an important study regarding record-keeping practices in the computer age. The committee responsible for this study was known as the “Secretary’s Advisory Committee on Automated Personal Data Systems.” The resulting report was referred to as the “HEW Report,” and ended up being the foundation for the Privacy Act of 1974 as well as the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).
Records, Computers and the Rights of Citizens
The HEW Report, formally known as Records, Computers and the Rights of Citizens, was published in August 1973. Its purpose was:
“… to analyze harmful consequences that might result from automated personal data systems, and to make recommendations about safeguards that might protect individuals against potentially harmful consequences and afford them redress for any harm.”
At the time of the study, the Social Security Number (SSN) was being widely used for personal identification. As such, the report focused on SSN-related issues.
The HEW Report summarized personal privacy as:
“An individual’s personal privacy is directly affected by the kind of disclosure and use made of identifiable information about him in a record. A record containing information about an individual in identifiable form must, therefore, be governed by procedures that afford the individual a right to participate in deciding what the content of the record will be, and what disclosure and use will be made of the identifiable information in it. Any recording, disclosure, and use of identifiable personal information not governed by such procedures must be proscribed as an unfair information practice unless such recording, disclosure or use is specifically authorized by law.”
Fair Information Practices
An important element in the HEW Report was the development of fair information practices, which have since been built upon in other pieces of legislation. The Committee defined the principle of “fair information practice” as:
“adherence to specified safeguard requirements [which] would prohibit violation of any requirement as an unfair information practice, would provide both civil and criminal penalties for unfair information practice, would provide for injunctions to prevent violation of any safeguard requirements and, finally, would permit both individual and class actionable suits for actual liquidated and punitive damages.”
The so-called “fair information practices” recommended by the HEW Report are as follows:
- There must be no personal-data record-keeping systems whose very existence is secret.
- There must be a way for an individual to find out what information about him is in a record and how it is used.
- There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
- There must be a way for an individual to correct or amend a record of identifiable information about him.
- Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.
The Committee believed that these fair information practices represented the minimum set of rights that should be available to the individual. It was recommended that there be a centralized federal agency, which would be responsible for regulation of all automated personal data systems. This agency would register or license the operation of such systems, establishing specific safeguards as a condition of registration or licensure. In general, the proposed agency would be the watchdog over public and private databanks.
Protecting Citizens from Harm
Notably, the HEW Report reviewed some suggestions regarding protecting data subjects from harm. It discussed a proposal to license and certify computer programmers and systems designers, with the objective of improving the care with which record-keeping systems are designed and operated.
However, a major concern was that a certification approach would put the responsibility for a properly designed and controlled record system in the wrong place. The report writers argued that the responsibility should rest with the organization in charge of system assembly, design initiation and operation, rather than the technical professionals who implement it.
Another suggestion was the ombudsman approach to regulation and protection, similar to what was being used at that time in Scandinavian countries, and what is currently used in Canada. The ombudsman would act as a spokesperson for an individual whose privacy rights have been violated, and would function as a communication channel between the person and a bureaucracy in dispute matters. One of the issues pointed out was that a third-party facilitator was not part of the culture in the US, nor would the scope and authority of the ombudsman be sufficient to bring about changes in record-keeping and privacy protection.
This article takes a look at the “HEW Report,” written by the Secretary’s Advisory Committee on Automated Personal Data Systems within the Department of Health, Education and Welfare. It was one of the earliest public sector reports to analyze the potential risks caused by automated record-keeping systems, and it developed a set of five “fair information practices.” These fair information practices went on to become the basis for the Privacy Act of 1974 as well as the OECD Guidelines on Privacy (1980).
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/US Government (CIPP/G), a privacy professional should be comfortable with topics related to this post, including:
- Fair information practices – HEW Report of 1973 (I.A.c.i.)