The Privacy Act Needs an Overhaul

freeder@govexec.com

Lost in the flurry of the Y2K problem late last year was an important date: the 25th anniversary of the Privacy Act, signed by President Ford in December 1974. Before the law took effect in September 1975, agencies scurried to comply with the first comprehensive statute controlling federal use of personal information. But even as one who takes pride in the law we created 25 years ago, I believe it is time to reopen the issue.

The law came on the heels of the seminal report "Records, Computers and the Rights of Citizens," issued in July 1973 by a task force appointed by then-Health, Education and Welfare chief Caspar Weinberger.

The Ware report, nicknamed for task force chair Willis Ware of the Rand Corp., proposed a federal "Code of Fair Information Practice" for automated personal data systems based on five principles:

  • Eliminate secret personal data systems.
  • Enable individuals to find out what information about them is being maintained and how it is used.
  • Prevent information collected for one purpose from being used for other purposes without the individual's consent.
  • Devise a way for individuals to correct information about themselves.
  • Take reasonable steps in maintaining personal information to assure the reliability of that data for its intended use and prevent its misuse.

At the height of the Cold War, when tyranny of the state was seen as a real and growing threat, consensus emerged that action on the privacy issue was needed. Much work had already been done on Capitol Hill. Sponsors ranging from Ed Koch of New York to Barry Goldwater Jr. of California introduced several bills. Despite the broad base of congressional support, executive branch opposition kept legislation from moving: the classic "support in principle but find lots of flaws in the details" ploy. Then, after allegations of dirty tricks and misuse of tax information, President Nixon made protecting personal privacy a priority in his 1974 State of the Union address.

So the administration came to the table and hammered out the Privacy Act. Civil libertarians talked to spies, law enforcement types, the military and computer jocks, and what emerged closely resembled the blueprint in the Ware report. Federal agencies were required to notify the public of the existence of personal data systems called "systems of records." They also were directed to set up published procedures for granting access to and challenging the accuracy of information in those systems, and to establish restrictions on disclosure. In many ways, the Privacy Act was as much a "sunshine" law requiring public disclosure of agency practices, as it was a secrecy law. In fact, it shares the public information section of the U.S. Code with the Freedom of Information Act and the Government in the Sunshine Act.

However, lots of compromises were made, including exemptions for certain types of records, especially in the areas of criminal law enforcement, national security and intelligence-gathering. The Privacy Act also reflects the technology of its era. The notion of records was paper-based, and automated data systems were largely still electronic emulations of paper-based systems. A blanket "routine use" authorization for information was devised to deal with the problem of inundating record subjects with consent requests.

Twenty-five years later, privacy is still a hot issue, in many ways hotter than it was in 1974. The Health and Human Services Department is working on regulations that would protect individual privacy regarding medical records, and concern is growing over the power and potential for abuse of personal information being collected on the Internet. We read about Internet vendors profiling potential customers and drug stores selling records. For the most part, the stories and concerns are about private, not governmental, use of personal data.

One might therefore conclude that the 1974 law addressed the federal privacy problem once and for all, but that's not true. Thanks to the Privacy Act, federal use of information is not as pressing a problem, but it is there. The definitions of "record" and "system" do not work in an Internet world. The forms of notice and consent are antiquated at best and ineffective at worst.

OMB's new Privacy Office has provided some needed leadership in requiring privacy policy for agency Web sites, but it cannot provide the kind of creativity that a serious re-examination of the Privacy Act requires. Peter Swire, OMB's chief counselor for privacy, and his colleagues can run political interference for good ideas, but it is unreasonable to expect them to start the debate. As in the 1970s, the intellectual leadership must come from information professionals, academics and consumers to create a new privacy agenda and push the policy debate. The prospect of a new administration taking office in 2001 may present some interesting opportunities.

Franklin S. Reeder teaches, writes and consults on public management and information technology issues. As an OMB staff member, he helped draft and implement the 1974 Privacy Act, and he now serves on the National Institute of Standards and Technology's Computer Systems Security and Privacy Advisory Board.