How Government Gets it Right on Privacy
We need to take additional steps to protect privacy and data security, while also allowing data to be used as a strategic asset.
The American public rightfully expects government and businesses alike to be responsible stewards of information. Emerging trends to use more data for enhancing decisions face reasonable tensions with what is ethical, practical, and necessary in modern society. This is why data privacy now affects every household, family, business, and person in the country.
While the National Academy of Public Administration identified the need to ensure data security and individual privacy as a “Grand Challenge” facing public administrators, this is not a new issue. In fact, the dialogue about data protections and rights has been ongoing for half a century.
In the 1970s, the United States passed a major legal reform—the Privacy Act of 1974—to establish new expectations for how the federal government responsibly collected and managed information on behalf of the American public. But the reforms didn’t stop there. The Privacy Act was strengthened over time and other broad laws with privacy benefits were added with restrictions on what data can be collected, what data can be used and for what purpose, to require privacy impact assessments and to establish Chief Privacy Officers in agencies.
Then, in 2018, Congress quietly reauthorized and expanded the monumental Confidential Information Protection and Statistical Efficiency Act, one of the strongest privacy laws in the world. Built on unanimous recommendations from the U.S. Commission on Evidence-Based Policymaking, this bipartisan law guarantees that information collected by the U.S. government under a pledge of confidentiality is kept, well, confidential. Violations of this law are paired with major criminal and civil penalties.
Collectively, this body of federal privacy law embodies democratic principles for the Information Age and separates democracies from authoritarian systems, where privacy and confidentiality are not well-protected. As the race to advance artificial intelligence (AI) applications continues, as articulated in the National AI R&D Strategic Plan, the federal laws that ensure privacy will provide meaningful guardrails for our democracy.
Both the public and private sectors continue to struggle with managing information and ensuring that no more information than necessary is collected. Our entire society will need to take additional steps to protect privacy and data security, while also allowing data to be used as a strategic asset. In doing so, it is important to incorporate lessons learned from government’s experience to date:
- Establishing clear rules will help data managers apply ethical practices. A widely accepted and understood legal framework ensures that employees operate within a consistent system and that violations of expectations can be publicly acknowledged to hold organizations accountable.
- Allowing individuals to request data held about themselves promotes accountability. The Privacy Act, the European Union’s General Data Protection Regulation, and the California Consumer Protection Act all enable individuals to access the information collected about them—allowing concerned individuals to challenge the application of existing rules for data management and use. In some instances, this may even encourage organizations to improve practices for data minimization by choosing not to collect certain data elements.
- Setting expectations for limited data use supports ethical practice. When information is collected from the public, collectors should only allow data to be used for a specific purpose, articulated at the point of collection. By more clearly explaining the potential benefits for individuals and society at the start, it will be easier to get public buy-in and trust.
- Applying cutting edge data protection approaches and strong enforcement can sustain public trust. Hallmarks of data protection should include removing personally identifiable information from data, limiting access to sensitive data from only secure centers, and exploring new technologies. With strong enforcement mechanisms establishing penalties for violations, data managers and users have real obligations to ensure intentional and inadvertent violations are avoided.
Managers too often view privacy as a roadblock or a burden, applied to prevent using data. But when strong protections and responsible policies are in place, privacy is a meaningful benefit in addition to an expectation in democracies.
The U.S. Census Bureau is a great model of each of these four lessons. It has operated under a strong model for decades—protecting private information about the entire American population and simply disclosing aggregate information necessary for key insights about the economy and the country’s people. With the decennial count this year, these protections encourage full participation from the American public. With clear rules about data collection and privacy, the Census will be able to collect the information necessary to provide insights that help policymakers develop solutions to problems, enable our democracy to function, and encourage private firms to provide needed services.
Government is by no means perfect, but the existing bipartisan privacy laws offer critical lessons for how data can be both protected and utilized to benefit American society.
Nick Hart, PhD, is the Chief Executive Officer of the Data Coalition and Jane Fountain, PhD, is Co-Founder and Director of the National Center for Digital Government at the University of Massachusetts-Amherst. Both are Fellows of the National Academy of Public Administration.