Briefings
Protection in Record-Keeping
operational implementation can vary widely, especially as they relate to the differences in privacy protection requirements placed on the public and the private sectors, procedures to be implemented by record-keeping organizations, enforcement of compliance, and the associated costs.

Privacy protection issues become international in scope when transnational flows of personal data are taken into account. Such data flows are on the increase due to rapid growth of international computer-communication networks and the services they provide. Several international bodies have expressed their concerns with the privacy protection problem and are exploring ways to assure that the privacy rights of individuals available in their home countries can be extended to other countries where personal data about them may be maintained. The Council of Europe has adopted two formal resolutions on privacy protection [10, 11] and is now developing an international Convention [12]. Studies have been sponsored by the United Nations [13], and the Organization of Economic Cooperation and Development (OECD) has sponsored symposia on […] [14]. OECD is now developing guidelines for privacy protection in transnational data flow situations.

The process of providing privacy protection in automated record-keeping systems is only in its initial stages. Many new privacy protection […] will […] experience in countries that have already enacted privacy legislation.
2. Privacy protection requirements

In daily interactions with public and private organizations, individuals provide personal data to obtain services, benefits, or privileges, or as requested by law. Some organizations also collect, store, and use personal data on their own initiative. There is a general expectation by individuals concerned that the personal data they must provide or are collected about them are relevant for stated purposes, will not be used or disseminated f
The individual privacy rights specified in enacted or pending legislation have evolved concurrently in several countries. Collectively they form a Code of Fair Information Practices first conceived by a governmental study commission in the United States [23] and subsequently expanded in the report of the U.S. Privacy Protection Study Commission [24]. The code rests on the following eight basic principles which are equally applicable to record-keeping systems in the public and private sectors:

1. […] and the legal basis for requiring that personal data be provided to such a system.
2. The right to know about the existence of personal data about themselves in any such system.
3. The right to access and inspect personal data about themselves, and to challenge their quality (e.g., relevance, accuracy, completeness, and currency).
4. The right to request […] erasure, addition of supplemental data or, if this is denied, submit rebuttals to be included in disputed records.
5. The right to control, or at least to contest, dissemination or use of personal data beyond purposes that were stated when the data were collected.
6. The right for further remedies under the law, and to restitution for harms suffered as a consequence of a violation of privacy rights.

To assure that individuals can exercise these or similar rights, privacy protection laws specify certain criteria and requirements that record-keeping organizations must satisfy, administrative procedures that they must follow, regulatory mechanisms to enforce compliance, and penalties for violations.

Important considerations are the scope of a privacy protection law, which types of organizations are covered by the law, and how enforcement is achieved. In all but one of the enacted laws, privacy protection is provided to individuals (physical persons). However, in the Norwegian privacy protection law "personal information" is defined as data traceable to individuals, associations, foundations. Extending privacy protection to data on legal persons is a new consideration with a potential for significant new requirements on record-keeping organizations.

From the point of view of organizations covered under privacy protection laws, there are three general approaches:

1. Omnibus privacy protection legislation which applies (usually with some exceptions) to all public and private record-keeping organizations, such as provided in the Swedish, German, French and Norwegian laws.
2. Area-by-area legislation where separate laws are enacted to provide privacy protection in specific parts of public or private sectors. Examples are the Privacy Act of 1974 in the United States, and the Canadian privacy protection law, that apply to the federal governments only, regional privacy protection laws in several countries, the consumer credit reporting laws in the United States, Canada and Great Britain, and the criminal justice area.
3. International conventions that serve as binding guidelines for harmonization of privacy protection laws within communities of nations such as the Council of Europe or the OECD.

Each approach has merits and drawbacks. Omnibus legislation establishes uniform requirements for all record-keeping organizations, but cannot easily handle problems that are unique to various specific segments of the public or private sectors covered by the law. Area-by-area legislation is easier to enact and permits flexibility in handling exceptions without unduly burdening other segments, but it is likely to result in scattering of privacy protection requirements throughout the legal code of the country. Nevertheless, this approach was recommended by the Privacy Protection Study Commission in the United States for extending privacy protection to the private sector [24].

Different approaches are also being pursued in establishing enforcement mechanisms for privacy protection requirements. Typically, they tend to reflect the traditional approaches to implementing legislation in the different countries:

1. Establishment of administrative commissions with authority to issue privacy protection regulations binding to government agencies, to grant or deny operating licences to record-keeping organizations in the private sector, and to serve as focal points for handling citizens' complaints. This approach is taken in the European privacy protection legislation and proposed on an international scale by the Council of Europe's draft convention.
2. Dependence on self-compliance with the law by the record-keeping organization with enforcement through judicial actions as necessary. The Privacy Act of 1974 in the United States is an example.
3. Development of privacy protection codes of ethics and conduct by industry associations, enforced by government or subject to public scrutiny. This approach was identified as a viable option in an earlier British study on record-keeping in the private sector [20].

In general, administrative commissions are regarded as the only way to assure strong enforcement, but the wide powers of such commissions over information practices and operations of organizations raise other concerns, such as whether such commissions should be accountable to parliaments, to the executive branch of the government, or be totally independent. For example, much of the debate over enactment of the French privacy protection law centered around the membership and powers of the National Commission for Data Processing and Freedom. It was established as an independent government agency whose seventeen membership positions were carefully apportioned to several governmental bodies (e.g., National Assembly, Supreme Court, Conseil d'Etat) and other groups. The Swedish Data Inspection Board was constituted in a similar manner. In Germany, the Federal Commissioner for Data Protection is appointed by the Federal President and, while independent in performing his duties, reports to the federal Minister of Interior.
3. Implementation of privacy protection requirements

Compliance with privacy protection requirements requires record-keeping organizations to establish new record-keeping and data processing policies and procedures, and to implement new technical capabilities. In general, the following types of requirements may be involved:

1. Issue public notices on the existence and about the purposes of their automated personal data record-keeping systems.
2. Notify individuals about the existence of personal data records about them.
3. Establish procedures and facilities where individuals can inspect their own records, make these records available in a form comprehensible to the individual, establish procedures for reviewing challenges to data quality, provide means for including rebuttal statements, and establish mechanisms for notification of prior recipients of disputed records of corrections or amendments that were made.
4. Refrain from using data for purposes not previously announced unless explicitly permitted by law or unless prior permission has been obtained from individuals concerned.
5. Establish pro […] organizations such that the data could be traced (e.g., for sending corrections).
6. Establish procedures and means for assuring that personal data are collected by lawful and fair means, and that they are appropriate and relevant for the purposes they are collected for, and that they are accurate, complete and up-to-date.
8. Conform with security standards that afford reasonable protection to the data processing facility, equipment, programs and data against accidental loss or deliberate destruction, and against unauthorized access, alteration, or transfer.

In addition, if a license must be obtained, an organization may have to prepare a detailed description of its record-keeping operations and submit to an on-site inspection by the licensing authority. For example, the licensing action by the Swedish Data Inspection Board involves, in addition to evaluating the purpose and function of the system, an examination of the technical aspects of data processing and storage, and the organization's plans to assure data quality, confidentiality and security. The Board may issue directives on rectifying inadequacies in record-keeping prior to granting a license [25].
Notification procedures are designed to implement the prohibition against maintaining secret data systems, the right of individuals to know about personal data records about them, and their right to control non-routine dissemination and use of these data. Public notices on the existence of data systems may be issued in official government journals, in newspapers, printed on information collection forms, included in correspondence with data subjects, and/or provided upon request from public registers of record-keeping systems. For example, under privacy protection laws in force in the United States, Canada, and Germany, the federal government agencies of these countries must publish notices annually in […] United States, the notices on […] of the federal government […] preparation of these notices amounted to over 12% of the annual cost of implementing privacy protection requirements. In Sweden and in France, public notices are not required, but public registers are maintained by privacy protection commissions.

All existing privacy protection laws require that record-keeping organizations subject to law must, upon requests by individuals, notify them about any personal data records about them in data systems, and about the procedures to be followed to gain access for inspection of these records. An obvious shortcoming of the notification upon request approach is the burden placed on the individuals: they may have to submit notification requests to a large number of organizations. Automatic notification of all data subjects of all data about them (i.e., the right for printout) is currently regarded as prohibitively costly. However, in certain systems where routine communications already exist between organizations and data subjects (e.g., billing, renewal of licenses or policies, taxation), notices and even printouts can be included with only a marginal increase in cost.
Basic to privacy protection is the right of individuals to inspect their personal records, challenge their veracity or relevance, request corrections, and submit rebuttals when an organization refuses to make the requested changes. In order to facilitate exercising of privacy rights, an "easy access" approach is being implemented in the United States [26]:

1. An individual requesting access to personal records does not have to provide any justification for doing so.
2. Inspection can be done in person at a location convenient to the individual, or by mail.
3. Identification provided by the individual can be of the type people normally have (such as a driver's license) or, in absence of such identification, a signed statement of identity is acceptable.
4. It is not necessary for the individual to know the precise identifiers used by the organization in accessing person […]

[…] the various codes used in the data system must be translated into descriptive terms.

Special procedures may have to be implemented for permitting inspection in cases where the information is sensitive and knowledge may be harmful to the individual, as may be the case when certain medical and psychiatric data are involved. In such cases the individual will be permitted to […] in the individual's behalf.

Another special situation arises in the case where information about an individual is embedded in someone else's records and is not directly retrievable without brute-force search. Pending other solutions, this problem is handled in the United States by interpreting the intent of the Privacy Act as applying only to records that are directly retrievable using the individual's name or other identifiers.

Finally, to forestall possible harassment through frequent inspection and notification requests, organizations are permitted to make nominal charges for each instance, or to place a limit on the number of requests that may be made annually. For example, the Swedish Data Act permits one request per year from the same individual regarding the same data system. In general, experience to date indicates that there will not be a flood of inspection requests upon coming to force of a privacy protection law.

Implementation of the above provisions usually requires increasing the organization's staff, producing computer programs for translation of coded data into text […] possible rebuttals. Experience in implementing the Privacy Act in the United States […] that 30% of the compliance costs are attributable to […] requests.
To comply with privacy protection requirements, a record-keeping organization may have to maintain records of all non-routine disclosures of personal data to other organizations such that:

1. A list of disclosures can be furnished to individuals upon request […]
Data security must be maintained in order to prevent their accidental or intentional, but unauthorized disclosure, modification or erasure. It is a requirement independent of the nature of the data, but all privacy protection laws also require implementation of security safeguards. For example, the Privacy Act in the United States requires the establishment of administrative, technical and physical safeguards to insure the security and confidentiality of personal data records and protection "... against any anticipated threats to data security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained." Several sets of guidelines for implementing data security are available [27-31].

The need for security safeguards depends on:

1. The sensitivity, volume, and frequency of use of stored data.
2. The size and diversity of the user population.
3. The structure and operating environment of the data processing system.

For example, security threats are likely to be more serious in record-keeping systems which (a) are serviced by resource-sharing […]

[…] agency personnel […] use of personal information […] they need to know.
2. Physical protection provided to records on demountable storage media.
[…] between the computer and remote terminals.

In general, the nature of the safeguards implemented should be a function of the sensitivity of the data stored and processed, and the estimated risk to the system. Thus, it is desirable to establish sensitivity categories for personal data, specify minimum safeguards which should be implemented for each sensitivity category [32], and perform data security risk analyses. The goal is to plan and implement security systems that can adequately mask the identified vulnerabilities and, with acceptable confidence, counter the perceived threats [33-35]. A variety of techniques are available for implementing physical security, systems access controls and security software, and communications security [29, 30, 36-39].
4. Transnational data flows

Concurrently with the development of computer-communication networks within national boundaries, similar systems spanning the national borders have come into existence, albeit at a lesser scale and rate. For example:

1. Multinational corporations have found it natural and economical to establish computer communication links between their headquarters and their subsidiaries in foreign countries.
2. Data processing service bureaus are seeking to extend their markets into other countries.
3. Organizations in various countries dealing with international transactions or services have established common data communication systems.
4. International organizations provide information services to member countries.
5. National governments are responding to common problems by exchanging information over computer networks.

A certain fraction of the data involved in these systems are personal data on identifiable individuals.
5. Concluding remarks

Even though the existing privacy protection legislation tends to be quite specific on the privacy rights that are granted to individuals, and on the requirements that must be implemented by record-keeping organizations, there still is considerable latitude in interpretation of these requirements and choice of procedural and technical details in their implementation. Experience with existing and soon to be enacted privacy protection laws will eventually provide an empirical data base which can be used to rank implementation options on the basis of their suitability in various types of record-keeping and on the basis of their costs.

Implementation of privacy protection and data security requirements in transnational computer-communication systems involves numerous unanswered questions about policies, procedures, and technical means. However, it appears that transnational privacy protection requirements would be easiest to satisfy when organizations that transfer personal data to record-keepers abroad also serve as interfaces for individuals who wish to exercise their privacy rights.

Techniques now exist for satisfying most of the data security requirements in computer-communication systems, but their effective use in transnational systems may be constrained by a lack of standards. In particular, effective use of encryption as a communications security technique may be difficult if the countries involved want to exercise their right to monitor transborder communications traffic.
References
[1] P.R. Vinge, Swedish Data Act, Federation of Swedish Industries (Stockholm, December 1973).
[2] Privacy Act of 1974, Title 5, United States Code, Section 552a (Public Law 93-579, December 31, 1974).
[3] Federal Data Protection Act […] (Bonn, 27 January […]).
[4] Data Processing, Files and […] (Loi de l'Informatique […] Libertés) (Paris, 12 December 197[…]).
[5] Canadian Human Rights Act, Part IV, Protection of Personal Information (Ottawa, October 1957).
[6] Personal Data Registers Act (Oslo, 18 May 1978).
[7] F.W. Hondius, Emerging data protection in Europe (North-Holland/American Elsevier, Amsterdam, 1975).