Don't fear privacy protectionarm yourself with fairness checks
Horror stories are making individual data privacy a hot issue.
But privacy is such an amorphous concept that people responsible for personal data are
often not sure to how to approach it. Of the myriad issues that fall under the broad
heading of privacy, information privacy quandaries are the ones federal and state agencies
are most likely to face.
The most pitfalls for privacy custodians lie in the collection, maintenance, use and
disclosure of personally identifiable information. Proposals--either in law or
regulation--for databases, identifiers or computer links all raise information privacy
Europeans use the term "data protection," which is much more precise than
"privacy" because it focuses on information privacy and avoids other privacy
issues such as child rearing, abortions and self-incrimination. Some people incorrectly
think that data protection only means data security.
Suppose you are engaged in a project that uses citizens' personal information. How do
you begin to think about the privacy interests involved? One handy place to start is with
fair information practices.
Fair information practices were first proposed by a federal advisory committee in 1973.
Congress used the concept to draft the Privacy Act of 1974, the first fair information
practice law in the world. The European data protection movement picked up the idea. Now
just about every foreign privacy law uses fair information practices as the source for
basic privacy policies.
Although there are no universally agreed-upon components, most fair information
practices are quite similar and include these eight principles:
Of course, the right of access may not be absolute. You may not always be
entitled to see your FBI file because law enforcement or national security interests may
trump your privacy rights. Felons can't erase their own criminal records.
The trick with fair information practices is to apply them correctly to each given set
of personal records. For example, medical record-keepers should meet a higher standard of
data quality than pizza delivery companies. Incorrect medical records could kill somebody.
Unwanted anchovies will only ruin a good pizza.
So what do you do when confronted with a brand new information privacy issue? Now that
you know about fair information practices, starting is easy. Just bring out this
checklist. Then order a really large pizza because making decisions about how to apply the
principles to real records can be a lot more difficult than it looks.n
Robert Gellman, former chief counsel to the House Government Operations Subcommittee on
Information, Justice, Transportation and Agriculture, is a Washington privacy and
information policy consultant. His e-mail address is email@example.com.