@Info.Policy: An inch closer to a privacy disaster

Robert Gellman

For nearly 30 years, individuals have used the Privacy Act of 1974 to access their own records held by federal agencies. The act allows disclosure under many circumstances, including with the data subject's written consent. That sounds easy, but the consent onion has many layers.

Let's start with a simple case. Say the Veterans Affairs Department has my medical records, and I want them transferred to my personal physician. I sign a consent form, and the records can now be disclosed to my doctor. Anybody see a problem here? Me neither.

Now suppose that I've applied for a mortgage, and the mortgage company wants to verify my income. It asks me to sign a consent form that allows the IRS to hand over my tax return. That kind of thing has been going on at the IRS for a while.

Is it OK because it's all done with consent? When you apply for a mortgage, you sign a zillion documents that you don't understand. You do it because you must to get a mortgage. It's not exactly coerced consent, but it's troubling.

Let's go farther out on the limb. Suppose the mortgage company asks your consent to the disclosure of all your government records, including IRS, VA, military, student loan, Medicare, Social Security and so on. The Social Security Administration has your entire lifetime salary history, a particularly interesting number not otherwise available. Marketers and profilers would love to have your data.

Should agencies turn over your records just because you signed a consent form? This is where things get much messier. Many institutions have market power over consumers. Unless you are the Unabomber, you have credit cards, loans, insurance, electricity, telephones, checking accounts, jobs and the like. Companies could require you to sign consents as a condition of doing business. Nothing today stops them except lack of creativity and, perhaps, market forces.

More industries are closing in on the idea of getting your records from federal agencies with your consent. We are on the edge of a steep, slippery slope. At the bottom is a vast governmental lending library of personal information to be given to anyone who can pressure consumers.

This isn't what Congress had in mind when it passed the Privacy Act, but we may have arrived at this point because technology makes sharing easier and industry wants data. In many instances, companies want instant online access to agency files to verify identity.

For some limited purposes, sharing limited personal data with consent might be justified, but not on a wholesale basis.

Agencies facing businesses armed with signed consent forms should be wary. Consider using the usual tactics'denying requests or red-taping requesters to death. A good response is to provide records only to the subject of those records.

We are one inch away from a privacy disaster. The supposedly consensual disclosure of agency records needs a comprehensive review. Don't let your agency be the case study for the next privacy horror story.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at [email protected].


  • business meeting (Monkey Business Images/Shutterstock.com)

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (Shutterstock.com)

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected