United States of America

PRIVACY AND THE NATIONAL INFORMATION INFRASTRUCTURE:
PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION

Privacy Working Group
Information Policy Committee
Information Infrastructure Task Force

Final Version June 6, 1995

INTRODUCTION

The National Information Infrastructure ("NII"), with its promise of a seamless
web of communications networks, computers, databases, and consumer
electronics, heralds the arrival of the information age. The ability to acquire,
process, send, and store information at an acceptable cost has never been
greater, and continuing advances in computer and telecommunications
technologies will result in ever-increasing creation, use, and storage of
information.

The NII promises enormous benefits. To name just a few, the NII offers the
possibilities of greater citizen participation in a deliberative democracy,
advances in medical treatment and research, and quick verification of critical
information such as a gun purchaser's criminal record. These benefits,
however, do not come without a cost: the loss of privacy. Privacy in this
context means "information privacy," an individual's claim to control the terms
under which personal information - information identifiable to an individual - is
acquired, disclosed, and used.

Two converging trends - one social, the other technological - lead to an
increased risk to privacy in the evolving NII. As a social trend, individuals will
use the NII to communicate, order goods and services, and obtain information.
But, unlike paying cash to buy a magazine, using the NII for such purposes
will generate data documenting the transaction that can be easily stored,
retrieved, analyzed, and reused. Indeed, NII transactional data may reveal
who communicated with whom, when, and for how long, as well as who
bought what, for what price. Significantly, this type of personal information is
automatically generated, in electronic form, and is therefore especially
inexpensive to store and process.

The technological trend is that the capabilities of hardware, software, and
communications networks are continually increasing, while costs are
continually decreasing, allowing information to be used in ways that were
previously impossible or economically impractical. For example, before the NII,
in order to build a profile of an individual who had lived in various states, one
would have to travel from state to state and search public records for
information about the individual. This process would have required filling out
forms, paying fees, and waiting in line for record searches at local, state, and
federal agencies, such as the departments of motor vehicles, deed record
offices, electoral commissions, and county record offices. Although one could
manually compile a personal profile in this manner, it would be a
time-consuming and costly exercise, one that would not be undertaken unless
the offsetting rewards were considerable. In sharp contrast, today, as more
and more personal information appears on-line, such a profile can be built in a
matter of minutes, at minimal cost.

These two converging trends guarantee that as the NII evolves, more personal
information will be generated and more will be done with that information. Here
lies the increased risk to privacy. This risk must be addressed both to secure
the value of privacy for individuals and society and to ensure that the NII will
achieve its full potential. Unless this is done, individuals may not participate in
the NII for fear that the costs to their privacy will outweigh the benefits. The
adoption of principles of fair information practice is a critical first step in
addressing this concern. While guidance can be found in existing laws and
principles, these need to be adapted to accommodate the evolving information
environment. This changing environment presents new concerns.

- No longer do governments alone acquire and use large amounts of personal
information; the private sector now rivals the government in acquiring and using
personal information. New principles would thus be incomplete unless they
applied to both the governmental and private sectors.

- The NII promises true interactivity. Individuals will become active participants
who will create volumes of data containing the content of communications as
well as transactional data.

- The transport vehicles for personal information - the networks - are vulnerable
to abuse; thus, the security of the network itself is critical to the NII's future
success.

- The rapidly evolving information environment makes it difficult at times to
know how to apply traditional ethical rules, even ones that are well understood
and accepted when dealing with tangible records and documents. Consider, for
example, how an individual who would never trespass into someone's home
might rationalize cracking into someone's computer as an intellectual exercise.
In addition, today's information environment may present questions about the
use of personal information that traditional rules do not even address.

These "Principles for Providing and Using Personal Information" ("the
Principles") are offered to respond to this new information environment. The
Principles attempt to provide meaningful guidance, striking a balance between
abstract concepts and a detailed code. They are intended to guide all NII
participants and should be used by those who are drafting laws and
regulations, creating industry codes of fair information practices, and designing
private sector and government programs that use personal information.

The limitations inherent in any such principles must be recognized. The
Principles do not have the force of law and do not create any substantive or
procedural right enforceable at law. They are not designed to produce specific
answers to all possible questions; nor to single-handedly govern the various
sectors that use personal information. The Principles should be interpreted and
applied as a whole, pragmatically and reasonably. For example, those applying
these principles should consider:

- the benefits to society from the use of personal information, recognizing that
privacy interests are not absolute and must be balanced by the need for legal
accountability, adherence to the First Amendment, law enforcement needs, and
other societal benefits recognized in law;

- the extent to which the decision to provide personal information is voluntary,
and the individual's expectations regarding the use of the information (taking
into account the notice and the scope of consent provided);

- the sensitivity of the information and the potential for harm to the individual
that could result from a particular disclosure or use of the information;

- the cost and effort required to protect against harm to individuals, recognizing
that more sensitive information may require more costly and elaborate
protection procedures than less sensitive information.

Where an overly mechanical application of the Principles would be particularly
unwarranted, phrases with the words "appropriate" or "reasonable" appear in
the text. This flexibility, built into the Principles to address hard or unexpected
cases, does not mean that the Principles need not be adhered to rigorously.
Finally, the Principles are intended to be consistent with the spirit of current
international guidelines, such as the OECD Guidelines, [1] regarding the use of
personal information. The Principles invite further international cooperation
over the development and harmonization of global privacy policies, adherence
to which will bolster the ongoing development of the Global Information
Infrastructure.

PREAMBLE

The United States is committed to building a National Information Infrastructure
("NII") to meet the information needs of its people. This infrastructure, created
by advances in technology, is expanding the level of interactivity, enhancing
communication, and allowing easier access to services. As a result, many more
users are discovering new, previously unimagined ways to acquire and use
personal information. In this environment, we are challenged to develop new
principles to guide all NII participants in the fair use of personal information.

Existing codes of fair information practice must be adapted to a new
environment in which information and communications are sent and received
over networks by users who have very different capabilities, objectives, and
perspectives. In this interactive, networked environment, many new
relationships are being formed among individuals, communication providers,
and other NII participants. New principles must acknowledge that each party
has a different relationship with the individual and has different uses for
personal information.

New principles should not diminish existing constitutional and statutory
limitations on access to information, communications, and transactions, such as
requirements for warrants and subpoenas. Such principles should ensure that
access limitations keep pace with technological developments. These
principles should acknowledge that all elements of our society share
responsibility for ensuring the fair treatment of individuals in the use of personal
information, whether on paper or in electronic form. Moreover, the principles
should recognize that the interactive nature of the NII can empower individuals
to participate in protecting information about themselves. The new principles
should also make clear that this responsibility can be exercised only with
openness about the process, a commitment to fairness and accountability, and
continued attention to security. Finally, the principles should recognize the
need to educate all participants about the new information infrastructure and
how it will affect their lives.

These "Principles for Providing and Using Personal Information" ("the
Principles") recognize the changing roles of government and industry in
information acquisition and use. Thus, they are intended to apply to both public
and private entities. The Principles are designed to guide all NII participants as
well as those who are drafting legislation and crafting policy regarding the use
of personal information. They provide the basic framework from which
specialized principles can be developed as needed.

Trade-offs will be inevitable in implementing the Principles because privacy
interests are not absolute and must be balanced against the need for
accountability, the value of an unabridged flow of information, and other
societal benefits recognized in law, such as lawful law enforcement activities.
For example, certain decisions about the flow of personal information have
already been made for us by the First Amendment, and nothing in the
Principles should be read to require policies derogating the constitutionally
protected freedom of speech and the press. Given these sometimes conflicting
interests and public policies, the Principles must be implemented pragmatically
yet conscientiously, giving due consideration to issues such as the extent to
which providing personal information is voluntary, the adequacy of the notice
regarding how the personal information may be used, the scope of the
individual's consent, and the cost of protecting information in light of the
information's sensitivity.

PRINCIPLES AND COMMENTARY

I. General Principles for All NII Participants

1. Three fundamental principles should guide all NII participants. These three
principles - information privacy, information integrity, and information quality -
identify the fundamental requirements necessary for the proper use of personal
information, and in turn the successful implementation of the NII. All NII
participants should use appropriate means to ensure that these principles are
satisfied.

I. A. Information Privacy Principle

Personal information should be acquired, disclosed, and used only in ways that
respect an individual's privacy.

2. The NII can flourish only if all participants respect information privacy.
Information privacy is an individual's claim to control the terms under which
personal information - information identifiable to an individual - is acquired,
disclosed, and used. The level of privacy that must be respected is an
individual's reasonable expectation, an expectation subjectively held by the
individual and deemed objectively reasonable by society. Not all subjectively
held expectations will be honored as reasonable. For example, an individual
who posts an unencrypted personal message on a bulletin board for public
postings cannot reasonably expect that personal message to be read only by
the addressee.

3. What counts as a reasonable expectation of privacy under the Principles is
not limited by what counts as a reasonable expectation of privacy under the
Fourth Amendment of the United States Constitution. In many instances,
society has deemed it reasonable to protect privacy at a level higher than that
required by the Fourth Amendment. See, e.g., Electronic Communications
Privacy Act, 18 U.S.C. § 2701 (1988); Right to Financial Privacy Act, 12 U.S.C.
§ 3401 (1988); Privacy Act, 5 U.S.C. § 552a (1988). The Information Privacy
Principle fully supports such possibilities.

4. As explained in later principles and commentary, an individual's privacy can
often be best respected when individuals and information users come to some
mutually agreeable understanding of how personal information will be acquired,
disclosed, and used. However, in certain cases - for example, if the individual
lacks sufficient bargaining power - purely contractual arrangements between
individuals and information users may fail to respect privacy adequately. In
such instances, society should ensure privacy at some basic level in order to
satisfy the Information Privacy Principle.

I. B. Information Integrity Principle

Personal information should not be improperly altered or destroyed.

5. NII participants should be able to rely on the integrity of the personal
information the NII contains. Thus, personal information should be protected
against improper alteration or destruction.

I. C. Information Quality Principle

Personal information should be accurate, timely, complete, and relevant for the
purpose for which it is provided and used.

6. Personal information should have sufficient quality to be relied upon. This
means that personal information should be accurate, timely, complete, and
relevant for the purpose for which it is provided and used.

II. Principles for Users of Personal Information

II. A. Acquisition Principles

Information users should:

1. Assess the impact on privacy in deciding whether to acquire, disclose, or use
personal information.

2. Acquire and keep only information reasonably expected to support current
or planned activities.

7. The benefit of information lies in its use, but therein lies an often
unconsidered cost: the threat to information privacy. A critical characteristic of
privacy is that once it is lost, it can rarely be restored. Consider, for example,
the extent to which the inappropriate release of sensitive medical information
could ever be rectified by public apology.

8. Given this characteristic, privacy should not be addressed as a mere
afterthought, once personal information has been acquired. Rather, information
users should explicitly consider the impact on privacy in the very process of
designing information systems and in deciding whether to acquire or use
personal information in the first place. In assessing this impact, information
users should gauge not just the effect their activities may have on the
individuals about whom personal information is acquired, disclosed, and used;
they should also consider other factors, such as public opinion and market
forces, that may provide guidance on the appropriateness of any given activity.

9. After assessing the impact on information privacy, an information user may
conclude that it is appropriate to acquire personal information in pursuit of a
current or planned activity. A planned activity is one that is contemplated by the
information user, with the intent to pursue such activity in the future. In all
cases, the information user should acquire only that information reasonably
expected to support those activities. Although information storage costs
decrease continually, it is inappropriate to collect volumes of personal
information simply because some of the information may, in the future, prove to
be of some unanticipated value. Also, personal information that has served its
purpose and is no longer reasonably expected to support any current or
planned activities should not be kept.

10. The ability to acquire certain kinds of personal information does not mean
that it is proper to do so. In certain cases, individuals have no choice whether
to disclose personal information. For example, if the individual executes a
transaction on the NII, personal information in the form of transactional data will
typically be generated. In other cases, the choice may exist in theory only.
Exercising certain choices may result in the denial of a benefit that individuals
need to participate fully in society - for example, obtaining a license to drive an
automobile. In such cases, society should establish some basic level of privacy
protection in accordance with the Information Privacy Principle (I. A.).

II. B. Notice Principle

Information users who collect personal information directly from the individual
should provide adequate, relevant information about:

1. Why they are collecting the information;

2. What the information is expected to be used for;

3. What steps will be taken to protect its confidentiality, integrity, and quality;

4. The consequences of providing or withholding information; and

5. Any rights of redress.

11. Personal information can be acquired in one of two ways: it can be
collected directly from the individual or obtained from some secondary source.
By necessity, the principles governing these two methods of acquiring personal
information differ. While notice obligations can be placed on all those who
collect information directly from the individual, they cannot be imposed
uniformly on entities that have no such direct relationship. If all recipients of
personal information were required to notify every individual about whom they
receive data, the exchange of personal information would become prohibitively
burdensome, and many of the benefits of the NII would be lost.

12. For those who collect personal information directly from the individual, the
Notice Principle requires the individual to be given sufficient information to
make an informed decision about his or her privacy. The importance of
providing this notice cannot be overstated because the terms of the notice
substantially determine the individual's understanding of how personal
information will be used, an understanding that must be respected by all
subsequent users of that information.

13. The Notice Principle specifically applies to personal information designated
by law as a public record and to transactional data generated as a byproduct of
a transaction. With respect to transactional data, this principle applies to all
parties, including not only the party principally transacting with the individual in
order to provide some product or service, but also to those transaction
facilitators such as communication providers and electronic payment providers
who help to consummate these transactions. For example, if an individual
purchases flowers with a credit card through an on-line shopping mall
accessed via modem, the Notice Principle applies to all parties who collect
transactional data related to the purchase, not only to the florist, but also to the
telephone and credit card companies. Transaction facilitators would ordinarily
provide notice at the time they establish an account, or when billing the
customer.

14. What counts as adequate, relevant information to satisfy the Notice
Principle depends on the circumstances surrounding the collection of
information. In some cases - especially where there is a continuing relationship
between the individual and the information collector - notice need not be given
before each instance that personal information is collected. For example, an
information or communication service provider should ordinarily give notice
when the individual subscribes to a particular service and perhaps periodically
thereafter, not each time the individual uses the service. In other cases, the
ordinary and acknowledged use of personal information is so clearly
contemplated by the individual that providing formal notice is not necessary.
For example, if an individual's name and address is collected by a
pharmaceutical company that takes the order over interactive television simply
to deliver the right medicine to the right person at the right address, no
elaborate notice need precede taking the individual's order. However, should
the pharmaceutical company use the information in a manner not clearly
contemplated by the individual - for example, to create and sell a list of people
afflicted with high blood pressure to health insurance companies - then some
form of notice should be provided.

15. While the Notice Principle indicates what might constitute the elements of
adequate notice, it does not prescribe a particular form for that notice. Rather,
the goal of the Principle is to ensure that the individual has sufficient
information in an understandable form to make an informed decision. Thus the
drafters of notices should be creative about informing in ways that will help all
individuals, regardless of age, literacy, and education to achieve this goal.

16. Finally, although the Notice Principle requires information collectors to
inform individuals what steps will be taken to protect personal information, they
are not required to provide overly technical descriptions of such security
measures. Indeed, such descriptions might be unwelcome or unhelpful to the
individual. Furthermore, they may be counterproductive since widespread
disclosure of the technical security measures might expose system
vulnerabilities, in conflict with the Protection Principle (II. C.).

II. C. Protection Principle

Information users should use appropriate technical and managerial controls to
protect the confidentiality and integrity of personal information.

17. On the NII, personal information is maintained in a networked environment,
an environment that poses tremendous risk of unauthorized access, disclosure,
alteration, and destruction. Both insiders and outsiders may gain access to
information they have no right to see or may make hard-to-detect changes in
data that will then be relied upon in making critical decisions.

18. For example, our health care providers expect to become intensive
participants in the NII. Through the NII, a hospital in a remote locale will be able
to send x-rays for review by a radiologist at a teaching hospital in another part
of the country. The potential benefits are obvious. Yet, such benefits will not be
realized if individuals refuse to send such sensitive data because they fear that
the NII cannot ensure that sensitive medical data will remain confidential and
unaltered.

19. In deciding what controls are appropriate, information users should
recognize that personal information should be protected in accordance with the
individual's understanding and in a manner commensurate with the harm that
might occur if it were improperly disclosed or altered.

20. In protecting personal information, information users should adopt a
multi-faceted approach that includes both technical and managerial controls. As
for technical controls, information users should, for example, consider
encrypting personal information, including the contents of communications and
information generated from transactions. In addition, they should consider
computerized audit trails, which help detect improper access by both insiders
and outsiders. As for management controls, one could strive, for example, to
create an organizational culture in which individuals learn about fair information
practices and adopt these practices as the norm. Also, organizations could
establish policies to forbid information acquired for one activity from being used
for another unrelated activity.

II. D. Fairness Principle

Information users should not use personal information in ways that are
incompatible with the individual's understanding of how it will be used, unless
there is a compelling public interest for such use.

21. An individual's understanding encompasses the individual's objectively
reasonable contemplation and scope of consent when the information was
collected. As explained earlier, an individual's understanding depends
principally on the notice provided by the information collector pursuant to the
Notice Principle (II. B.) and obtained by the individual pursuant to the
Awareness Principle (III. A.). Without a Fairness Principle, information use may
know no boundaries and thus go beyond the individual's understanding.

22. If an information user seeks to use personal information in an incompatible
manner, the user must first notify the individual and obtain his or her explicit or
implicit consent. The nature of the incompatible use will determine whether
such consent should be explicit or implicit. In some cases, the consequences to
an individual may be so significant that the prospective data user should
proceed only after the individual has specifically opted into the use by explicitly
agreeing. In other cases, a notice offering the individual the ability to opt out of
the use within a certain specified time may be adequate. Inherent in this
principle is the requirement that whenever personal information is transferred
from information user to user, the individual's understanding of how that
personal information will be used must also be conveyed. Because all
information users must abide by the Fairness Principle, both information
transferor and transferee bear a responsibility to ensure that the individual's
understanding is transferred along with the information.

23. In deciding whether a particular use of information is "incompatible" with an
individual's understanding, information users should evaluate whether the uses
are permitted explicitly in the notice or are otherwise consistent with the notice.
Any use of information beyond these conditions is incompatible with the
individual's understanding. What is incompatible under this Principle is not
limited to what has been interpreted as incompatible under the Privacy Act.
(See 5 U.S.C. § 552a.)

24. The Fairness Principle cannot be applied uniformly in every setting. An
incompatible use is not necessarily a harmful use; in fact, it may be extremely
beneficial to the individual and society. There are some incompatible uses that
will produce enormous benefits and have at most a trivial effect on the
individual's information privacy interest. Research and statistical studies, in
which information will not be used to affect the individual, are examples.
Obtaining the consent of the individual to permit new statistical uses of existing
data adds cost and administrative complexity to the process and risks impairing
the research project. In other cases, personal information may be used for a
significant public need recognized by society in a highly formal, open way
(typically in legislation) that would be thwarted by giving the individual a chance
to limit its use. One example would be the use of personal information in a law
enforcement investigation for which the suspect's consent would be unlikely
and even asking for such consent would be counterproductive to the
investigation. Another example would be an incompatible use of personal
information, made by the investigatory press, that is specifically protected and
sanctioned by the First Amendment.

II. E. Education Principle

Information users should educate themselves and the public about how
information privacy can be maintained.

25. The Education Principle represents a significant addition to the traditional
principles of fair information practice. There are many uses of the NII for which
individuals cannot rely completely on governmental or other organizational
controls to protect their privacy. Although individuals often rely on such legal
and institutional controls to protect their privacy, many people will engage in
activities outside of these controls, especially as they engage in the informal
exchange of information on the NII. Thus, individuals must be aware of the
hazards of providing personal information, and must make judgments about
whether providing personal information is to their benefit.

26. The full effect of the NII on the use of personal information is not readily
apparent, and individuals may not recognize how their lives may be affected by
networked information. Because it is important that individuals and information
users appreciate how the NII affects information privacy, all information users
should participate in education about the handling and use of personal
information. Traditionally, governments and schools have educated the public
on matters of social rights and responsibilities, and they must continue to play a
lead role. However, as major builders of the NII, the private sector has as
crucial a role to play. Such education, which would help individuals minimize
the risks to their privacy, could involve privacy telephone hotlines, Internet
privacy "help" sites, and comprehensive marketing and publicity campaigns.

III. Principles for Individuals Who Provide Personal Information

III. A. Awareness Principle

Individuals should obtain adequate, relevant information about:

1. Why the information is being collected;

2. What the information is expected to be used for;

3. What steps will be taken to protect its confidentiality, integrity, and quality;

4. The consequences of providing or withholding information; and

5. Any rights of redress.

27. Increasingly, individuals are being asked to surrender personal information
about themselves. Sometimes the inquiry is straightforward; for example, a
bank will ask for personal information prior to processing a loan request. In this
case, one use for the information is clear - to process the loan application.
There may, however, be other uses that are not so obvious, such as using
some of that information for a credit card solicitation. Indeed, individuals
regularly disclose personal information without being fully aware of the many
ways in which that information may ultimately be used. For example, an
individual may not realize that paying for medical services with a credit card
creates transactional data that could reveal the individual's state of health.

28. The Awareness Principle recognizes that although information collectors
have a responsibility to inform individuals why they want personal information,
individuals also have a responsibility to understand the consequences of
providing personal information to others. This is especially true in an interactive
realm such as the NII, in which individuals can actively shape the terms of their
participation. For example, when individuals have real choices about whether
and to what degree personal information should be disclosed, they should take
an active role in deciding whether to disclose personal information in the first
place, and under what terms.

29. Of course, if individuals are to be held responsible for making these
choices, they must be given enough information to make intelligent choices.
This is how the Awareness Principle works in conjunction with the Notice
Principle (II. B.) and more broadly with the Education Principle (II. E.) to enable
individuals to take responsibility over how personal information is disclosed and
used.

III. B. Empowerment Principles

Individuals should be able to safeguard their own privacy by having:

1. A means to obtain their personal information;

2. A means to correct their personal information that lacks sufficient quality
to ensure fairness in its use;

3. The opportunity to use appropriate technical controls, such as encryption, to
protect the confidentiality and integrity of communications and transactions;
and

4. The opportunity to remain anonymous when appropriate.

30. Individuals should have a means to obtain from information users a copy of
their personal information and to correct information about them that lacks
sufficient quality to ensure fairness in its use. The extent to which such means
are provided depends on various factors, including the seriousness of the
consequences to the individual of using the personal information and any First
Amendment rights held by the information user.

31. Further, if the terms of the information collection are unsatisfactory, the
individual should consider various self-initiated measures to safeguard privacy.
For example, to safeguard the confidentiality or integrity of a communication,
the individual should have the opportunity to use appropriate tools such as
encryption. Also, to avoid leaving a data trail of transactional records,
individuals should have the opportunity to remain anonymous, when
appropriate. For example, anonymity would be appropriate when an individual
browses a public electronic library or when an individual engages in
anonymous political speech protected by the Constitution. See McIntyre v. Ohio
Elections Commission, 131 L. Ed. 2d 426 (1995). In an ideal world, offering
undecipherable encryption or absolute anonymity would serve to protect
privacy with no negative effect. Unfortunately, in the real world, some will
abuse these technologies and, in the process, harm others. It is beyond the
scope of the Principles how encryption or anonymity can be offered to
individuals for legitimate uses while minimizing their misuse. These issues
must, however, be addressed if the NII is to achieve its full potential.

III. C. Redress Principle

Individuals should, as appropriate, have a means of redress if harmed by an
improper disclosure or use of personal information.

32. Redress is required only when an individual is harmed. Designed for
general applicability, the Redress Principle does not answer in any particular
case whether harm has occurred at all or whether enough harm has occurred
to warrant a specific form of redress. Those questions must be answered in the
sectoral implementation of the Principles.

33. An improper use specifically includes a decision based on personal
information of inadequate quality - information that is not accurate, timely,
complete, or relevant for the purpose for which it is provided and used. The
Redress Principle does not, however, set the level of culpability on the part of
the information user necessary to warrant a specific form of redress.

34. When redress is appropriate, the Principles envision various forms
including, but not limited to, informal complaint resolution, mediation, arbitration,
civil litigation, regulatory enforcement, and criminal prosecution, in various
private, local, state, and federal forums with the goal of providing relief in the
most cost-effective manner possible.


Last modified: 22.02.97