Why A Deliberative Approach Is Warranted In This
Area
Information is like a natural resource to a
modern economy and democracy. Information is the raw material for the knowledge
revolution of the Information Age. Without complete and reliable information,
much of the benefit of information technology cannot be realized. Data
warehousing and relational databases, geographic information and visualization
systems, and extraordinary technological developments help us better understand
our world and the behavior of chaotic and complex systems that otherwise defy
comprehensive human understanding. In such a technological environment,
information is the fuel of our future. The benefits of the Information Age can
only be realized if we have the raw materials on which its essential systems
depend: complete and accurate information used within the reasonable
expectations of privacy.
As we have learned from such experiences as Y2K
and various oil and gas disruptions, our technology systems are complexly
inter-related. Technologies even depend on each other as we depend on them.
Changes in one part of them tend to send cascading effects that carry the echo
of that change throughout our systems. We continue to be surprised by this at
our peril.
We also know that our government and the consumer
economy are very info-dependent. 60% of our economy is consumer spending and
marketing drives this. Our market economy itself depends on basic information
equity and access or markets are not efficient. Government oversight and
efficiency depend on enterprise-wide data systems that cut across the
traditional stovepipes of government agencies. The flow of information has
become as vital as the flow of energy to our world. Neither the benefits of this
information flow nor the costs of its restriction are fully apparent or even
known, making necessary a deliberative approach to policymaking and some
watchful waiting prior to action advisable.
How do we balance privacy and access in making
public records policy in the era of electronic government?
The following principles are a suggested starting
place. The full text can be found in the attachment The Public Record:
Information Privacy and Access, A New Framework for Finding the Balance by
Cate and Varn.
1. Policymakers Should Identify and Evaluate
Conflicting Interests
Decisions regarding privacy and access inevitably
affect and are affected by other important interests. These interests are often
socially valuable and deeply held. It is therefore essential that any
policymaking process identify and examine those interests carefully to determine
how they are implicated by a proposed law or regulation and to what extent they
can and should be accommodated. In addition to the broad concepts of
"privacy" and "access," those interests often include, but
are not limited to, concerns about:
Equality: Equal and open access to public records
helps level the playing field in such endeavors as issue advocacy, lobbying, and
elections. It also gives small and start-up businesses access to some of the
same databases as large and established players.
Freedom: Public records about the functioning of
government, private individuals, and companies can be used to keep them in check
so they do not impinge on the rights of others.
Participation: The more people know about their
world and about government in particular, the greater the likelihood that they
will increase the quantity and quality of their contributions to participatory
and representative democracy.
Security: Public record security and integrity
systems must be adequate to the task or their failure will defeat the goals of
both privacy and access, cause explosive public reactions, and create
governmental liability.
Economic Opportunity: A substantial portion of
the current economy is in part dependent on the free flow of public records and
limiting their use or availability will have economic consequences. Moreover,
public and private records are the raw materials for the emerging economy and
for the knowledge revolution of the Information Age.
Quality of Life: The use of information systems
can free people from rote tasks and greatly speed transactions. Getting the
amount of privacy one needs, however, also may affect quality of life.
Intangible Values and Uncertain Fears: A catchall
value for things people like and dislike. Often we dress up our likes and
dislikes in more eloquent terms, but often decisions and opinions are really
based on this simple amalgamation of our feelings.
Efficiency: Efficient access to public records
saves time, resources, and money. Without complete and reliable information,
much of the benefit of information technology cannot be realized. However, we
can also be so efficient as to impinge on individual freedoms.
Fairness: Is the process by which a law or rule
is enacted, or by which a decision is reached, fair, and is the outcome fair to
all of the parties involved?
2. Privacy solutions must respond reasonably to
defined problems
Those privacy problems or harms used to justify
restricting access to public records should be stated explicitly and should
reflect reasonable expectations of privacy. The Supreme Court has long asked in
the context of various constitutional issues, such as Fourth Amendment
challenges to government searches and/or seizures: What expectation of privacy
is implicated by access and how reasonable is that expectation? When evaluating
wiretaps and other seizures of private information, the Court has inquired into
whether the data subject in fact expected that the information was private and
whether that expectation was reasonable in the light of past experience and
widely shared community values.14 The inquiry regarding the reasonableness of
the privacy concern should take into account three specific issues: (1) the
sensitivity of the information disclosed; (2) the use to which the information
is to be put; and (3) privacy protection afforded similar information in the
past. These inquiries help prospectively arrive at a common-sense value on the
privacy side of the access-privacy balance. Furthermore, the solution should go
no further than is necessary to solve the problem: Access should be limited no
longer and to no more data than necessary to protect privacy. Laws that purport
to stop a harm to privacy but are ineffective harm both privacy and access. Such
laws at once constitute an empty promise and a restraint on openness and freedom
of information.
3. Limits on access to protect privacy should be
effective and no more restrictive than necessary
The accommodation between access and privacy
needs to be carefully crafted, so that we continue to permit as much access as
possible without unnecessarily invading privacy. For example, both access and
privacy interests might be served by delaying access to certain law enforcement
records until a pending investigation is completed. In other cases, removing
(known as "redacting") particularly sensitive information from
documents otherwise made public might protect the individual’s privacy
interests and be preferable to denying access altogether. In no event should
limits be imposed on access to, or use of, public record information to protect
privacy if those limits will not in fact be effective in solving identified
problems. Government should not impose broad limits on access to protect
information privacy where effective, extra-legal mechanisms exist that permit a
more sensitive and individualized balancing of access and privacy interests. The
development of privacy seals and certification programs, anonymizing software,
user-determined browser privacy settings, prominent privacy policies, industry
codes of conduct, and technologies that allow persons to opt out of specified
uses of some types of government records are examples of market responses to
privacy concerns generally that diminish the need for government action by
allowing individuals to protect effectively the privacy of data about them.
Clearly, these and similar developments will not eliminate the need for
government attention to information privacy, but the number and variety of these
initiatives, and the speed with which they are emerging, suggest that they may
supplant the need for at least some government actions to protect information
privacy.
4. Privacy interests are limited to personally
identifiable records
Access to government records that do not identify
individuals should not be restricted on the basis of protecting privacy.
Anonymous and pseudonymous records pose no meaningful privacy threat. Aggregate
data can be used in ways offensive to the privacy concerns of some, but by far
these concerns have been best addressed by market-based solutions and private
sector codes of conduct. If government action is considered, it should be aimed
at the behavior of the offenders and not the records themselves.
5. Enhancing state revenue is not a privacy
problem
The government should not use privacy claims as a
pretense for raising revenue or enhancing the competitive position of
state-published information products. This principle does not suggest that the
government cannot seek to recoup the marginal or even the operational cost of
providing records. But levying excessive charges on citizens to use a public
infrastructure that is already paid for with tax dollars is wrong. Moreover, the
government should not use claims of protecting privacy as a justification for
restricting access to information for other purposes. This principle would seem
to many so obvious as to not warrant stating, but many calls for privacy
protection today are in fact seeking protection from other harms or are
unrelated schemes for generating revenue.
6. Public information policy should promote
robust access
Information policy should facilitate as much
access as possible without harming privacy interests. The more robust the flow
of data, the more robust the information infrastructure that supports both
democratic processes as well as growth of our economy. This reflects the
constitutional importance of open public records and the law in most U.S.
jurisdictions today: access is presumed unless a specific privacy exemption
applies. It also reflects the importance of the public record infrastructure to
our polity and our economy. As noted above, it is often possible to target
specific privacy harms and leave the public record infrastructure largely
intact.
7. There should be no secret public records
An informed citizenry is essential to all checks
and balances systems and that includes public record systems. The public should
be able to easily discover the existence and the nature of public records and
the extent to which data are accessible to persons outside of the government.
In many cases, it may be desirable and appropriate for the government to inform
citizens about who is using their public records and for what purposes.
Obviously, access to records is not appropriate in all cases (one notable
exception in many jurisdictions is investigative files before a criminal case is
brought), nor will it always be feasible or advisable to provide information to
citizens about the uses made of their records. But this principle recognizes
that access not only serves broad social purposes, but also helps build citizen
confidence in the public record system, improve the accuracy of public records,
helps sharpen citizen understanding of privacy and access implications of the
uses of their records so that they may respond appropriately, and contributes to
educating all of us about the actual costs and benefits of public record access.
8. Not every privacy/access issue can be balanced
Despite the importance of balancing, it is not
appropriate in every case. The courts have established that there are some
instances where the societal interest in access is so great that it trumps all
privacy concerns. For example, Congress recognized the overriding importance of
access, irrespective of the significant privacy interests at stake, when it
passed Megan’s Law, requiring states to make publicly available the records of
convicted child sex offenders for at least ten years after their release from
prison. Congress believed that the societal interest in access to the record
overwhelmingly outweighed the privacy interests, however great, of the convicted
sex offenders. In other cases, information must be public to effectuate the
public policy reasons for collecting it in the first place. One example of such
a record is bankruptcy filings so that creditors have the opportunity to protect
their interests and future creditors can accurately assess risk. Similarly, the
privacy of some types of records is of such importance to our society that it
outweighs access interests. Use of certain types of records, such as medical or
individual tax records, causes such significant demonstrable harms that our
society rejects that use even when there is a substantial desirable benefit.
Productive use of other types of records causes such a visceral reaction that we
restrict that use, as demonstrated by the recent outcry over digital driver’s
license photos. However, one must exercise caution in the application of this
principle, as there are many false positives of this kind of reaction caused by
sensationalistic journalism and unscientific or biased polling. It is also true
that in most cases where a visceral reaction, rather than evidence of specific
harms, prompts legislative action, that reaction precedes any understanding of
the benefit of the use of the record so no true balancing process was used.
Ultimately, policymakers must decide whether the harms are sufficiently clear
and severe or the reaction sufficiently genuine and widespread to conclude that
it is in the best interests of state or nation to close access to the public
record.
9. Systems for accessing public records and,
where appropriate, controlling their use should not be burdensome
The mechanisms for accessing the public records
and for allowing individuals to protect the privacy of records concerning them
should be easily accessible and no more burdensome than necessary. Information
technology systems are emerging that may allow persons to opt out of specified
uses of some of their government records. These important systems should not be
exempt from the process of balancing the range of interests in the record
against the privacy interests of the individual. Moreover, these systems can be
costly to run and government must account for this as a spending priority and a
societal concern. It must balance the cost of such privacy and who benefits
against the other priorities of the government, the public, and of those parties
directly affected by the loss of access. In using this test it is rarely, if
ever, feasible or justifiable to require a person to affirmatively determine the
uses of their non-confidential records (known as opting in). This would involve
permissions from each person in the 100 million households in America for
each record and/or for each use. The process of responding to countless requests
for permission would make the solution worse than the problem.
10. Information policy must ensure the security
of the public record infrastructure
The government must ensure that public records
are protected from unauthorized access, corruption, and destruction. Public
record security and integrity systems must be adequate to the task or their
failure will defeat the goals of both information privacy and access.
11. Education is key
An informed citizenry is essential to the
balancing process for both the individual choices they may make and in
understanding the costs, risks, and benefits of privacy and access solutions.
Government—assisted by industry, not-for-profit organizations, and the
academic community—has a duty to educate the public about privacy and access
issues. The more policymakers and the citizenry know about this issue, the more
accurate and satisfying the balancing process will become.
12. The process for balancing access and
information privacy should be sound
Government should have a process for balancing
access and information privacy issues that is informed, consistent, and trusted
by all parties. This process should be in place before one evaluates any new
access or privacy issues.
What Are the Information Policy Options and How
Can We Categorize the Choices?
First, there are four distinct issues that are
often discussed as one and confusion is the result. Keeping the following
separated will aid policymaking. The four different issues are:
Privacy—the who, what, when, where, why, and
how policies on data and records where our values are expressed and codified
Security—the enforcement of privacy policies
Integrity—maintenance and protection of records
from accidental or purposeful alteration or loss
Accuracy—quality assurance and a
customer-friendly process to detect and correct errors
Of these four, security is the ripest for action.
Government and private entities are beefing up security and hiring chief
security officers, but our investments are lagging behind what a good
risk/benefit analysis calls for. Better security programs, awareness, training,
staffing, research, and so on are easy win-win areas for Congress and state and
local government.
The following are categories of other possible
responses to any perceived gaps in our privacy or access policies.
Proactive Measures To Get Ahead Of Or More
Directly React To The Problems
For example, we could be investing more in
law enforcement teams to directly combat identity theft and go after the bad
actors instead of focusing on restricting the information flows. Another area ripe
for action is to fix our broken identity system by improving the birth,
marriage, and death certificate issuance system and better coordinating them
with our social security number issuance, driver’s license, passport, and
voter registration systems. The reason identity theft is rampant and many
privacy problems occur is because we rely on an antiquated system of identity. A
paper birth certificate, a social security number, your mother’s maiden name,
your city of birth, your name, and an address are the crumbling pillars of
identity. All of these are easily stolen or forged and it is unlikely this genie
will ever be put back in the bottle. These components of identity come from a
time when people worked with and did business with their friends and neighbors,
often on a handshake or a bare signature. There was no need to be able to prove
you were who you said you were: these people knew you. Today, we do business with
people we will never see or know. Many states, including mine, are moving forward
with such systems as Public Key Infrastructure and digital signatures with
optional biometrics to prove and repudiate identity. Iowa is also just beginning
a project to strengthen our identity system to give our citizens greater
security and more choices to prove and protect their identity. Congress should
do the same. While this is not politically easy, we have made such moves
successfully in the recent past. Remember when driver’s licenses did not have
photos? Our citizens often renewed early to get the new photo licenses to make
it easier to cash or write checks. We are ready for the next steps.
Organizational Infrastructure
There should be information policymaking
entities in all three branches of government. These could be the CIO or another
entity. The structures need to include both privacy advocacy and access advocacy
in their makeup to provide a balanced approach. Privacy and policy enforcement
entities are needed as well. Care needs to be given to avoid creating policies that
offer a hollow promise of protection because no effective enforcement policy,
mechanism, and/or entity is created with the policy. Consideration must be
given to the likelihood of enforcement success and its cost to see if the
information policy is cost effective or enforceable at all. A good question is:
how far are you willing to go to detect violations? Will we use citizen trackers
to help detect violations? Will we salt lists? Will we use stings, surveillance,
and even undercover agents to detect violations? The allusion to the drug war is
purposeful here as information is even more difficult to control. Be prepared
for the cost of investment in money and in its invasiveness when you adopt
information policy.
Services and Support
Government could go a long way to solving
some of these problems with some public services. An example would be an
identity theft advocate for the victims of this crime. This advocate would help
the victim restore their good name and credit and could determine the
authenticity of the victim's claims and place a stamp of authority on their
requests for record corrections to speed that process. They can also act as
a guide to help use existing law to repair the damage. Another service is that of
gatekeeper to shield those for whom ordinary open records laws pose a special
threat. Keeping one’s name and address secret cannot be the pillar of security
on which to build a safety system for most people in a democratic society with a
market economy. However, some people need special protection such as a battered
spouse and a service that mediates contact with them to facilitate the normal
business of living in our society would help address that problem directly. A
final service would be to support P3P and other software-based solutions to make
privacy choices practical and not unduly burdensome for transacting business
with government.
Law and Policy
When considering any law or policy, it is helpful to consider each step in
the public records process and narrowly tailor your solution to that step or
steps that best effectuates your policy. The key steps are as follows:
Collect
Weigh the burdens and benefits of collecting, using, managing, protecting,
disseminating or keeping secret, storing, archiving, and preserving or purging
the information. If you do not want the information in the public record, do not
collect it in the first place.
Use
What use will be made of the information, keeping in mind that not all uses nor
their value can be judged in advance, and what is the value of that use?
Notice
What kind of notice should be required to properly inform the customer? Consider
more multimedia notices using, for example, distance learning tools instead of
just print notices.
Choice
If a choice is possible and if one is offered, how should it be exercised? Keep
in mind that the transactional costs of opting in or out can be high and that
for many government records (bankruptcy filings for example), opting is not an
option.
Knowledge and Education
Can you help people make more knowledgeable choices? North Carolina builds such
education into their K-12 curriculum.
Access
To whom will access be granted and for what purposes?
Secondary use
Many government programs such as the enforcement of child support orders require
the secondary use of government records to work. For example, tax refunds and in
some states, professional licenses are withheld for delinquency. Some
unauthorized information reuse by government is inevitable. Still, consider
whether government or others will be allowed such use.
Downstream use
Most public records are not restricted any more than any free speech is in our
society. Consider both the value of this and the cost before restricting such
use and how it would be enforced.
Dispose
You can deal with sensitive information such as credit card numbers by collecting it
for the transaction only and not keeping it after that step. Like the
credit card number, get rid of information that government does not need to do
business or administer the laws.
Redact
Eliminate sensitive information from records instead of restricting the entire
record. This often solves the privacy problem and preserves the benefits of
robust access and openness.
Expunge
This tool has been used in the criminal history area for both adults and
juveniles. Consider whether other records should be handled in the same way.
Store
This is both a decision and a security issue: should you store it, for how long,
and how will it be protected?
Archive
Finally, our archival policies should be considered in light of both the
interest of preserving history and in protecting privacy. The change from paper
to electronics may lead one to make different archival decisions.
Market Solutions
Consider whether government action is necessary or whether the market has or can
develop a solution. Companies will react when their customers react and looking
for market failures may be a more productive use of precious policymaking
efforts. Remember also that good customer service often requires the use of personal
information and many people want that kind of service. Those of us who grew up
in small towns expect our merchants to know their customer and what we need.
Technology makes that possible in mass markets and it is very popular. Those who
do not want to be treated this way usually have an alternative if the company is
smart. If they are not, there is a burgeoning privacy industry that can help you
stay anonymous and even broker your personal information for your gain.
Rights
A final tool is all of the existing and
newly created statutory and constitutional rights. Consider whether people can
protect their own rights with civil suits and whether it would be better to let
the courts sort out some of the hard questions case by case and later codify
case law as we have in many other areas.
Driver’s License Protection, Voter
Registration, Local Records, Identity and State and Local Actions on Privacy
Finally, I have been asked to address some of the
federal and state laws that relate to privacy. First, the DPPA has been
implemented by the states as mandated. However, it is questionable whether the
benefits were worth the cost. We must consider one of the main premises of the
law and the impetus for its consideration: that a person’s address can and
should be a secret to ensure one's safety. As already noted, protecting one bit
of commonly available information is not a good foundation for personal security
for most persons. If you rely on such remedies alone you will not achieve the
desired result and you will have cut off valuable uses of the information. DPPA
has been educational for the citizens, but it is questionable whether informed
choices are being made on the opt-in provisions. Furthermore, given the
exceptions in the law and the commonness of some of the "protected"
data, it is also questionable whether citizen expectations of privacy are
realistic or accurate.
Second, voter registration systems are being
studied and updated nationwide. The Motor Voter provision has encouraged more
citizens to register, but antiquated data systems have hindered the smooth or
accurate addition of these voters in many states. Investment in the basic
infrastructure of democracy continues to be a crying need, but the window of
opportunity to act may be partially closed with the financial troubles many
states are currently experiencing. Whether excuse or honest attention to other
priorities (such as HIPAA compliance), voter registration modernization may slip
through the cracks. Federal investment in matching grants would be a wise
choice.
As far as voter registration systems and privacy
are concerned, consider that voter registration privacy may be an oxymoron.
Without robust open access, our democracy does not work. Without adequate
identity controls, it cannot be trusted. If the addresses of your constituents
are secret, how can you serve them, persuade them, or reach them?
Third, local records are the bedrock of government’s
information infrastructure. The basic building blocks of our data are made and
kept there. Yet, the level of investment in these systems, their security, and
their modernization is extremely varied. Much is made of countering threats to
our national infrastructures but little attention is paid to this vital link in our
government system and our economy. Those local governments who are not keeping
up are a drag on privacy, security, access, and e-government. Consider ways to
encourage them, help them, and establish basic voluntary minimum requirements to
give local records advocates and administrators a spur to action.
Fourth, to reinforce the importance of
non-federal records, it should be noted that the very fact of civic and economic
citizenship for most Americans is established and extinguished by the birth,
marriage, and death records created by state and local government. These
foundational elements of our society are badly in need of modernization,
coordination, and sound policy making around their creation and use.
Finally, most states are now fully engaged in
privacy, security, access, and e-government efforts. Substantial work remains,
but much is being accomplished. Federal pre-emption while attractive for reasons
of uniformity would cut Congress off from these laboratories of democracy in a
case where they are needed most. Let them work. Offer financial encouragement
and assist them to share best practices. Let them achieve and make mistakes and
learn from both. The issue of information integrity (which includes disaster
recovery and business continuity) constantly suffers from a classic risk
management dilemma: how much do you spend to avoid a catastrophe and how do you
convince people to spend the money today when there are so many pressing needs?
We all worry about our other infrastructure—sewers, water, highways, and
buildings—a lot more than we worry about our information infrastructure. We
need to continue to grow our investment and partnerships in this area. Finally,
a federal-state-local-private-sector partnership is warranted in the area of
accuracy. We do not have as many good models nor are the investments being made
in either quality assurance or systems for finding and fixing inaccurate
information held in public and private records.