@INFO.POLICY

Anyone out there up to fixing the Privacy Act?

Robert Gellman

It's hardly news that the Privacy Act of 1974 is out of date. The obsolescence of the federal government's basic fair information practices law was well-known as far back as the late 1970s.

The computer (or more accurately, the PC) drove the law's obsolescence. The act was drafted in the mainframe era and reflects the technology of its day. As computers became smaller, faster and ubiquitous, the model of the large mainframe database envisioned in the act became only partially relevant.

PC access

Modern systems make large databases accessible to anyone in an agency who has a PC. Here's one example of why the act does not work in today's environment: Federal workers can sit at their desks and create a new database with a few keystrokes. Under the Privacy Act, that new database can be a system of record, and each agency is required to publish advance notice of new record-keeping systems in the Federal Register.

Two impediments stand in the way of fixing the law. The first is substantial: finding a new model for privacy rules. In an era characterized by PCs and the Internet, redrafting a substantive law that covers the incredibly large and diverse set of personal records maintained by all federal agencies would be a complex undertaking.

But I want to focus attention on the other major problem: Who will do the work that will lead to a revised law? None of the usual suspects is likely to be interested.

Congress is the first candidate for legislative work. But the Privacy Act isn't on anyone's radar screen. Privacy proposals are floating around Capitol Hill, but no member has proposed comprehensive changes to the Privacy Act itself. Legislative attention is directed mostly at the Internet, health records and financial information.

No one proposes changing the act because it would be so difficult to do. It would take a knowledgeable congressional staff member a year, perhaps two, to develop a good proposal. Few have the time or expertise to devote to the task, especially when they face more visible (and politically potent) privacy concerns.

The privacy advocacy community could sponsor a Privacy Act rewrite but has shown little interest. It has other fish to fry.

In theory, federal agencies themselves could do the work, although I wouldn't be happy with that choice. Agencies would probably attempt to repeal whatever requirements they haven't already undermined administratively. The new privacy counselor at the Office of Management and Budget might be able to prevent this from happening. But OMB privacy resources are scarce, and the privacy counselor has higher priorities.

So if we have a worthwhile project and none of the likely candidates is willing or able to undertake it, those in favor of a rewrite have to find someone else. I nominate the Computer Science and Telecommunications Board at the National Research Council.

CSTB has crucial technology expertise amassed from working with computers, telecommunications and applications in the real world. Those are the relevant skills for understanding the Privacy Act's limitations and for developing a new approach.

CSTB's independence is another factor. The board has no history with the Privacy Act, and a neutral perspective is essential. If you want to get a better idea about CSTB activities, visit the board's Web site, at www.cstb.org. You'll be impressed with the range and relevance of CSTB projects.

I would not limit a project strictly to the Privacy Act. Someone needs to take a long look at how changing technology is affecting privacy regulation. That is a gigantic problem. Focusing on the federal data sector is a big enough issue but a more manageable one. Fixing the Privacy Act would require the remodelers to take a fresh look at applying fair information practices in today's world.

CSTB needs financial support for its projects. Congress often mandates specific studies at the National Research Council. Perhaps Rep. Steve Horn (R-Calif.) or Sen. Fred Thompson (R-Tenn.), who chair committees with Privacy Act jurisdiction, could step up to the plate with legislation directing an agency to provide the funding. An appropriation would be necessary as well.
Somebody needs to start the ball rolling. Any takers?

Robert Gellman is a Washington privacy and information policy consultant. His e-mail address is rgellman@cais.com.
