You are on page 1of 152

Electronic Record Systems and Individual


June 1986

NTIS order #PB87-100335

Recommended Citation:
U.S. Congress, Office of Technology Assessment, Federal Government Information
Technology: Electronic Record Systems and Individual Privacy, OTA-CIT-296
(Washington, DC: U.S. Government Printing Office, June 1986).

Library of Congress Catalog Card Number 86-600524

For sale by the Superintendent of Documents

U.S. Government Printing Office, Washington, DC 20402

Public policy on the protection of personal information collected, maintained,

or disseminated by the Federal Government has been based on a balancing of the
privacy of individual citizens versus management efficiency and law enforcement.
New technological applications— such as the computerized matching of two or more
sets of records, extensive electronic networking of diverse computerized record
systems, and preparation of computer-based profiles on specific types of individ-
uals—are challenging the existing statutory framework for balancing these in-
This report addresses four major areas: 1) technological developments rele-
vant to government record systems; 2) current and prospective Federal agency
use of electronic record systems; 3) the interaction of technology and public law
relevant to protecting privacy; and 4) possible policy actions that warrant con-
gressional attention, including amendment of existing laws such as the Privacy
Act of 1974 and establishment of new mechanisms such as a Data Protection Board
or Privacy Protection Commission.
Prepared at the request of the Senate Committee on Governmental Affairs
and the House Committee on the Judiciary, Subcommittee on Courts, Civil Liber-
ties, and the Administration of Justice, this report is the third component of the
OTA assessment of “Federal Government Information Technology: Congressional
Oversight and Civil Liberties. ” The first component, Electronic Surveillance and
Civil Liberties, was published in October 1985, and the second, Management, Secu-
rity, and Congressional Oversight, was published in February 1986.
In preparing this report on electronic record systems and privacy, OTA has
drawn on working papers developed by OTA staff and contractors, the comments
of participants at an OTA workshop on this topic, and the results of an OTA sur-
vey that was completed by over 140 agency components. Drafts of this report
were reviewed by the OTA project advisory panel, officials from the U.S. Office
of Management and Budget and the General Services Administration; U.S. Depart-
ments of Justice, State, Defense, and Health and Human Services, among other
Federal agencies; and a broad spectrum of interested individuals from the govern-
mental, academic, private industry, and civil liberty communities.
OTA appreciates the participation of the advisory panelists, workshop par-
ticipants, external reviewers, Federal agency officials, and others who helped bring
this report to fruition. The report itself, however, is solely the responsibility of
OTA, not of those who so ably advised and assisted us in its preparation.


Electronic Record Systems and Individual Privacy Advisory Panel

Theodore J. Lowi, Chairman

Professor of Political Science, Cornell University
Arthur G. Anderson Marilyn Gell Mason
IBM Corp. (Ret.) Director
Atlanta Public Library
Jerry J. Berman
Legislative Counsel Joe Skinner
American Civil Liberties Union Corporate Vice President
Electronic Data Systems Corp.
R.H. Bogumil
Past President Terril J. Steichen
IEEE Society on Social Implications President
of Technology New Perspectives Group, Ltd.
James W. Carey George B. Trubow
Dean, College of Communications Director, Center for Information
University of Illinois Technology and Privacy Law
The John Marshall Law School
Melvin Day
Vice President Susan Welch
Research Publications Professor and Chairperson
Department of Political Science
Joseph W. Duncan University of Nebraska
Corporate Economist
The Dun & Bradstreet Corp. Alan F. Westin
Professor of Public Law and Government
William H. Dutton Columbia University
Associate Professor of Communications
and Public Administration Langdon Winner
Annenberg School of Communications Associate Professor of Political Science
University of Southern California Rensselaer Polytechnic Institute
David H. Flaherty Congressional Agency Participants
Professor of History and Law
University of Western Ontario Robert L. Chartrand
Senior Specialist
Carl Hammer Congressional Research Service
Sperry Corp. (Ret.)
Robert D. Harris
Starr Roxanne Hiltz Deputy Assistant Director for
Professor of Sociology Budget Analysis
Upsala College Congressional Budget Office
John C. Lautsch Kenneth W. Hunter
Chairman, Computer Law Division Senior Associate Director for
American Bar Association Program Information
Edward F. Madigan U.S. General Accounting Office
Office of State Finance
State of Oklahoma

NOTE: OTA appreciates and is grateful for the valuable assistance and thoughtful critiques provided by the advisory
panel members. The panel does not, however, necessarily approve, disapprove, or endorse this report. OTA
assumes full responsibility for the report and the accuracy of its contents.
OTA Electronic Record Systems and Individual Privacy Project Staff

John Andelin, Assistant Director, OTA

Science, Information, and Natural Resources Division

Fred W. Weingarten, Manager

Communication and Information Technologies Program

Project Staff
Fred B. Wood, Project Director
Jean E. Smith, Assistant Project Director
Priscilla M. Regan, Principal Author and Analyst
Jim Dray, Research Analyst
Jennifer Nelson, Research Assistant

Administrative Staff
Elizabeth A. Emanuel, Administrative Assistant
Shirley Gayheart,* Secretary
Audrey Newman, Secretary
Renee Lloyd, Secretary
Patricia Keville, Clerical Assistant

William Dutton and Robert Meadow
The University of Southern California
David H. Flaherty
The University of Western Ontario
Karen B. Levitan, Patricia D. Barth, and Diane Griffin Shook
The KBL Group, Inc.
Robert Ellis Smith
The Privacy Journal

*Deceased, Dec. 11, 1985.

OTA Electronic Record Systems and Individual Privacy Workshop

Robert Belair Robert Oakley

Attorney Assistant Inspector General for Auditing
Kirkpatrick & Lockhart Veterans Administration
William Cavaney Alan Rodgers
Executive Secretary Massachusetts Law Reform Commission
Defense Privacy Board James Rule
U.S. Department of Defense Professor, Department of Sociology
Louis D. Enoff State University of New York at
Acting Deputy Commissioner for Programs Stony Brook
and Policy Andy Savitz
Social Security Administration Assistant Secretary of Administration
Robert Freeman and Finance
Committee on Open Government State of Massachusetts
Department of State Robert Ellis Smith
State of New York Editor
John Gish The Privacy Journal
Vice President Jane Tebbutt
W.R. Grace & Co. Office of Inspector General
John Grace U.S. Department of Health and
Privacy Commissioner of Canada Human Services
Richard P. Kusserow Tom Tiffany
Inspector General Acting Director of Legislative Affairs
U.S. Department of Health and Internal Revenue Service
Human Services Rob Veeder
Robert Meadow Desk Officer
Professor, Annenberg School of Office of Information and
Communications Regulatory Affairs
University of Southern California Office of Management and Budget
Philip Natcharin
Director of Program Integrity
New York State Department of
Social Services



Chapter Page
l. Summary . . . . . . . . . . . . . , . 3
2. Electronic Record Systems and the Privacy Act:An Introduction . . . . . . . . . . . . . 11

3. Computer Matching to Detect Fraud, Waste, and Abuse . . . . . . . 37

4. Computer-Assisted Front-End Verification . . . . . . . . . . . . . . . . . . . . . 67

5. Computer Profiling . . . . . . . . . . . . . . . . . . . . . . . . . . . . , 87

6. Policy Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

A, Update on Computerized Criminal History Record Systems . . . . . . . . . . ........129

B. OTA Federal Agency Data Request . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....135

c. List of Contractor Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ....145

D. Other Reviewers and Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. ...146

E. Summary of Final Rules for Income and Eligibility Verification Required Under
the Deficit Reduction Act of 1984 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ...............147
F. Privacy and Data Protection Policy in Selected Foreign Countries. . . . . . . . . . . . . . . . . . . . . ...150

Chapter 1


Chapter 1


All governments collect and use personal in- In the 12 years since the Privacy Act was
formation in order to govern. Democratic gov- passed, at least two generations of informa-
ernments moderate this need with the require- tion technology have become available to Fed-
ments to be open to the people and accountable eral agencies. Advances in computer and data
to the legislature, as well as to protect the communication technology enable agencies to
privacy of individuals. Advances in informa- collect, use, store, exchange, and manipulate
tion technology have greatly facilitated the individual records in electronic form. Micro-
collection and uses of personal information by computers are now widely used in the Federal
the Federal Government, but also have made Government, vastly increasing the potential
it more difficult to oversee agency practices points of access to personal record systems and
and to protect the rights of individuals. the creation of new systems. Computer match-
ing and computer-assisted front-end verifica-
In 1974, Congress passed the Privacy Act tion are becoming routine for many Federal
to address the tension between the individual’s benefit programs, and use of computer profil-
interest in personal information and the Fed- ing for Federal investigations is expanding.
eral Government’s collection and use of that These technological advances enable agencies
information. The Privacy Act codified princi- to manipulate and exchange entire record sys-
ples of fair information use that specified re- tems, as well as individual records, in a way
quirements agencies were to meet in handling not envisioned in 1974. Moreover, the wide-
personal information, as well as rights for in- spread use of computerized databases, elec-
dividuals who were the subjects of that infor- tronic record searches and matches, and com-
mation. To ensure agency compliance with puter networking is leading rapidly to the
these principles, the act enabled individuals creation of a de facto national databasel con-
to bring civil and criminal suits if information taining personal information on most Ameri-
was willfully and intentionally handled in vio- cans. And use of the social security number
lation of the act. In addition, the Office of as a de facto electronic national identifier fa-
Management and Budget (OMB) was assigned cilitates the development of this database.
responsibility for overseeing agency implemen-
tation of the act. These technological advances have opened
up many new possibilities for improving the
At the time the Privacy Act was debated and efficiency of government recordkeeping; the
enacted, there were technological limitations detection and prevention of fraud, waste, and
on the use of individual records by Federal abuse; and law enforcement investigations. At
agencies. The vast majority of record systems the same time, the opportunities for inappro-
in Federal agencies were manual. Computers priate, unauthorized, or illegal access to and
were used only to store and retrieve, not to use of personal information have expanded. Be
manipulate or exchange information. It was cause of the expanded access to and use of per-
theoretically possible to match personal infor- sonal information in decisions about individ-
mation from different files, to manually ver- uals, the completeness, accuracy, and relevance
ify information provided on government ap- of information is even more important. Addi-
plication forms, and to prepare a profile of a tionally, the expanded access and use make
subset of individuals of interest to an agency.
However, the number of records involved made ‘The term de facto national database is used to distinguish
it from a national database that was created by’ law, i.e. ! a de
such applications impractical. jure national database.


it nearly impossible for individuals to learn lines. The rights and remedies available to the
about, let alone seek redress for, misuse of individual, as well as agency responsibilities
their records. Even within agencies, it is often for handling personal information, are not
not known what applications of personal in- clear. Even where applications are covered by
formation are being used. Nor do OMB or rele- the Privacy Act or related OMB guidelines,
vant congressional committees know whether there is little oversight to ensure agency com-
personal information is being used in confor- pliance. More importantly, neither Congress
mity with the Privacy Act. nor the executive branch is providing a forum
in which the conflicts-between privacy inter-
Overall, OTA has concluded that Federal use
ests and management or law enforcement in-
of new electronic technologies in processing
terests—generated by Federal use of new ap-
personal information has eroded the protec-
plications of information technology can be
tions of the Privacy Act of 1974. Many of the
debated and resolved. Absent such a forum,
electronic record applications being used by
agencies have little incentive to consider
Federal agencies, e.g., computer profiling and
privacy concerns when deciding to establish
front-end verification, are not explicitly cov-
or expand the use of personal record systems.
ered by the act or by subsequent OMB guide-

OTA’S analysis of Federal agency use of elec- sponsibility and the ability of the individual
tronic record systems, specifically for comput- to monitor Federal agency practices. For ex-
er matching, front-end verification, and com- ample, individuals may not be aware that in-
puter profiling, revealed a number of common formation about them is being used in a com-
policy problems. puter match or computer profile, unless they
monitor the Federal Register or questions
First, new applications of personal informa-
about them arise as a result of the application.
tion have undermined the goal of the Privacy In computer-assisted front-end verification, in-
Act that individuals be able to control informa- dividuals may be notified on an application
tion about themselves. As a general principle, form that information they provide will be veri-
the Privacy Act prohibits the use of informa- fied from outside sources, but are unlikely to
tion for a purpose other than that for which
be told which sources will be contacted.
it was collected without the consent of the in-
dividual. New computer and telecommunica- Additionally, new computer and telecommu-
tion applications for processing personal in- nication capabilities enable agencies to exchange
formation facilitate the use of information for and manipulate not only discrete records, but
secondary purposes, e.g., use of Federal em- entire record systems. At the time the Privacy
ployee personnel information to locate student Act was debated, this capability did not ex-
loan defaulters, or use of Federal tax informa- ist. The individual rights and remedies of the
tion to evaluate a Medicaid claim. act are based on the assumption that agencies
were using discrete records. Exchanges and
The expanded use and exchange of personal
manipulations of entire record systems make
information have also made it more difficult
it more difficult for an individual to be aware
for individuals to access and amend informa-
of uses of his or her record, as those uses are
tion about themselves, as provided for in the
generally not of immediate interest to the in-
Privacy Act. In effect, the Privacy Act gave
the individual a great deal of responsibility for
ensuring that personal information was not Second, there is serious question as to the ef-
misused or incorrect. Technological advances ficacy of the current institutional arrangements
have increased the disparity between this re- for oversight of Federal agency compliance with

the Privacy Act and related OMB guidelines. Un- ● the quality (completeness and accuracy)
der the Privacy Act, Federal agencies are re- of most Privacy Act record systems is un-
quired to comply with certain standards and known even to the agencies themselves;
procedures in handling personal information— few (about 13 percent) of the record sys-
e.g., that the collection, maintenance, use, or tems are audited for record quality, and
dissemination of any record of identifiable per- the limited evidence available suggests
sonal information should be for a necessary and that quality varies widely;
lawful purpose; that the information should ● even though the Federal inventory of
be current, relevant, and accurate; and that microcomputers has increased from a few
adequate safeguards should be taken to pre- thousand in 1980 to over 100,000 in 1985,
vent misuse of information. very few agencies (about 8 percent) have
revised privacy guidelines with respect to
OMB is assigned responsibility for oversight microcomputers;
of agency implementation of the Privacy Act. ● few agencies reported doing cost-benefit
Prior studies by the Privacy Protection Study
analyses either before (3 out of 37) or af-
Commission (1977), the U.S. General Account- ter (4 out of 37) computer matches; author-
ing Office (1978), and the House Committee itative, credible evidence of the cost-ef-
on Government Operations (1975 and 1983) fectiveness of computer matching is still
have all found significant deficiencies in OMB’S lacking; and
oversight of Privacy Act implementation. For ● in most Federal agencies, the number of
example, under the Privacy Act, information
staff assigned to Privacy Act implemen-
collected for one purpose should not be used
tation is limited; of 100 agency components
for another purpose without the permission of responding to this question, 33 reported
the individual; however, a major exemption to less than 1 person per agency assigned to
this requirement is if the information is for a privacy and 34 reported 1 person.
‘‘routine use’ ‘—one that is compatible with the
purpose for which it was collected. Neither
Additionally, OTA found that there is little
Congress nor OMB has offered guidance on
or no governmentwide information on, or OMB
what is an appropriate routine use; hence this
oversight of: 1) the scope and magnitude of
has become a catchall exemption permitting
computer matching, front-end verification, and
a variety of exchanges of Federal agency in-
computer profiling activities; 2) the quality and
appropriateness of the personal information
Looking more specifically, OTA found that that is being used in these applications; and
OMB is not effectively monitoring such basic 3) the results and cost-effectiveness of these
areas as: the quality of Privacy Act records; applications.
the protection of Privacy Act records in sys-
tems currently or potentially accessible by Third, neither Congress nor the executive
microcomputers; the cost-effectiveness of com- branch is providing a forum in which the privacy,
puter matching and other record applications; management efficiency, and law enforcement im-
and the level of agency resources devoted to plications of Federal electronic record system
Privacy Act implementation. OTA also found applications can be fully debated and resolved.
that neither OMB nor any other agency or of- The efficiency of government programs and
fice in the Federal Government is currently col- investigations is improved by more complete
lecting or maintaining this information on a and accurate information about individuals.
regular basis. Given the almost total lack of The societal interest in protecting individual
information concerning the activities of Fed- privacy is benefited by standards and protec-
eral agencies with respect to personal informa- tions for the use of personal information. Public
tion, OTA conducted its own one-time survey policy needs to recognize and address the ten-
of major Federal agencies and found that: sion between these two interests.

Since 1974, the primary policy attention with Fourth, within the Federal Government, the
respect to Federal agency administration has broader social, economic, and political context
shifted away from privacy-related concerns. In- of information policy, which includes privacy-
terests in management, efficiency, and budget related issues, is not being considered. The com-
have dominated the executive and legislative plexity of Federal Government relations—
agenda in the late 1970s and early 1980s. Con- within executive agencies, between the execu-
gress has authorized information exchanges tive and legislature, between the Federal Gov-
among agencies in a number of laws, e.g., the ernment and State governments, and between
Debt Collection Act of 1982 and the Deficit the Federal Government and the private sec-
Reduction Act of 1984. In these instances, con- tor—is mirrored in interconnecting webs of in-
gressional debates included only minimal con- formation exchanges. This complexity and in-
sideration of the privacy implications of these terconnectedness is reflected in myriad laws
exchanges. and regulations, most of which have been en-
acted in a piecemeal fashion without consid-
A number of executive bodies have been es-
eration of other information policies.
tablished to make recommendations for im-
proving the management of the Federal Gov- Some of these policies may be perceived as
ernment, e.g., the President’s Council on being somewhat inconsistent with others, e.g.,
Integrity and Efficiency, the President Coun- the privacy of personal information and pub-
cil on Management Improvement, and the lic access to government information. Some
Grace Commission. All have endorsed the in- laws and regulations may only partially ad-
creased use of applications such as computer dress a problem, e.g., Federal privacy legisla-
matching, front-end verification, and computer tion does not include policy for the private
profiling in order to detect fraud, waste, and sector or for the flow of information across na-
abuse in government programs. However, these tional borders. In other instances, issues that
bodies have given little explicit consideration are inherently related and interdependent, such
to privacy interests. Some executive guidelines as privacy and security, are debated and legis-
remind agencies to consider privacy interests lated in separate forums with only passing at-
in implementing new programs, but these are tention to their relationship.
not followed up to ensure agency compliance. Additionally, the Federal Government in-
In general, decisions to use applications such formation systems, as well as its information
as computer matching, front-end verification, policy, are dependent on technological and eco-
and computer profiling are being made by pro- nomic developments. Federal funding for re-
gram officials as part of their effort to detect search and development and Federal financial
fraud, waste, and abuse. Given the emphasis and market regulations will have significant
being placed on Federal management and ef- implications for information technologies and
ficiency, agencies have little incentive to con- markets. Yet, under the present policymaking
sider privacy concerns when deciding to es- system, there is no assurance that these im-
tablish or expand the use of personal record plications will be considered. Likewise, the in-
systems. As a result, ethical decisions about ternational information policy environment, as
the appropriateness of using certain catego- well as international technological and eco-
ries of personal information, such as financial, nomic developments, affects domestic infor-
health, or lifestyle, are often made without the mation policy; again, these factors are not sys-
knowledge of or oversight by appropriate agen- tematically considered in the existing policy
cy officials (e.g., Privacy Act officers or inspec- arenas.
tors general), OMB, Congress, or the affected

OTA identified a range of policy actions for ing policy on the quality of data/records
congressional consideration: containing personal information, and,
if necessary, legislate more specific
1. Congress could do nothing at this time,
guidelines and controls for accuracy and
monitor Federal use of information tech-
nology, and leave policymaking to case
review issues concerning use of the so-
law and administrative discretion. This
cial security number as a de facto na-
would lead to continued uncertainty re-
tional identifier and, if necessary, re-
garding individual rights and remedies,
strict its use or legislate anew universal
as well as agency responsibilities. Addi-
identification number; or
tionally, lack of congressional action will, review policy with regard to access to
in effect, represent an endorsement of the
the Internal Revenue Service’s informa-
creation of a de facto national database tion by Federal and State agencies, and
and an endorsement of the use of the so-
policy with regard to the Internal Rev-
cial security number as a de facto national enue Service’s access to databases main-
tained by Federal and State agencies,
2. Congress could consider a number of prob- as well as the private sector. If neces-
lem-specific actions. For example: sary, legislate a policy that more clearly
● establish control over Federal agency delineates the circumstances under
use of computer matching, front-end which such accesses are permitted.
verification, and computer profiling, in- 3. Congress could initiate a number of insti-
cluding agency decisions to use these tutional adjustments, e.g., strengthen the
applications, the process for use and oversight role of OMB, increase the Pri-
verification of personal information, vacy Act staff in agencies, or improve con-
and the rights of individuals; gressional organization and procedures for
● implement more controls and protec- consideration of information privacy is-
tions for sensitive categories of personal sues. These institutional adjustments
information, such as medical and in- could be made individually or in concert.
surance; Additionally or separately, Congress could
● establish controls to protect the pri- initiate a major institutional change, such
vacy, confidentiality, and security of as establishing a Data Protection or Pri-
personal information within the micro- vacy Board or Commission.
computer environment of the Federal 4. Congress could provide for systematic
Government, and provide for appropri- study of the broader social, economic, and
ate enforcement mechanisms; political context of information policy, of
c review agency compliance with exist- which information privacy is a part.


Chapters 2 through 6 of this report provide Privacy Act and Paperwork Reduction Act;
technical and policy analyses relevant to elec- and management improvement legislation.
tronic record systems privacy, and to proposed
legislation such as: the “Data Protection Act Appendix A to this report updates trends
of-1985” that would establish a Data Protec- and issues relevant to the privacy of informa-
tion Board as an independent agency of the tion in computerized criminal history record
executive branch; possible amendments to the systems, the subject of a prior OTA study. Ap-
pendix B describes the methodology of and re- tronic Surveillance and Civil Liberties that dis-
spondents to the OTA survey (known officially cusses issues and options relevant to electronic
as the OTA Federal Agency Data Request). communications privacy, and the February
Appendix C lists the OTA contractor papers 1986 OTA report on Management, Security,
relevant to this report. Appendix D lists the and Congressional Oversight that discusses,
outside reviewers and contributors. Appendix among other things, management, technical,
E summarizes the Deficit Reduction Act reg- and legal issues and options relevant to pro-
ulations on front-end verification. Appendix tecting the security (and, hence, privacy) of
F describes the privacy and data protection computer systems.
policies in selected countries.
Other components of this OTA assessment
include the October 1985 OTA report on Elec-
Chapter 2

Electronic Record Systems

and the Privacy Act:
An Introduction

summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
History of the Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Implementation of the Privacy Act . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Finding l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Finding 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Finding 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Finding 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Table No. Page
l. Statutes Providing Protection for Information Privacy . . . . . . . . . . . . . . . . . . 15
Z. Privacy Act Record Systems Reported by Federal Agencies . . . . . . . . . . . . . . 23
3. Computerized and Manual Privacy Record Systems . . . . . . . . . . . . . . . . . . . . . 23
4. Seriousness of Breaches of Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
5. Support for Potential Federal Lawson Information Abuse . . . . . . . . . . . . . . . 31

Figure No. Page
I. Beliefs That Computers Are an Actual Threat to Personal Privacy
in This Country. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2. Change in Percent of Public Believing That Files Are Kept
on Themselves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3. Percent of Public That Believes Each Agency ’’Shares” Information
About Individuals With Others . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Chapter 2

Electronic Record Systems and

the Privacy Act: An Introduction

Although privacy is a value that has always public and private agencies. Computer tapes,
been regarded as fundamental, its meaning is software, and networking also make it possible
often unclear. Privacy includes concerns about to compare personal information stored in dif-
autonomy, individuality, personal space, soli- ferent record systems.
tude, intimacy, anonymity, and a host of other
related concerns. There have been many at- The Privacy Act, with the goal of providing
tempts to give meaning to the term for policy the means by which individuals could control
purposes. In 1890, Samuel Warren and Louis information about themselves, balanced the in-
Brandeis defined it as “the right to be let terests of Federal agencies in collecting and
alone. ” In 1967, Alan Westin defined it as “the using personal information against the inter-
claim of individuals, groups, or institutions to ests of individuals in controlling access to and
determine for themselves when, how and to use of that information. Technology has now
what extent information about them is com- altered that balance in favor of the agencies.
municated to others. ” This latter definition Computers and telecommunication capabilities
served as the basis for the Privacy Act of 1974 have expanded the opportunities for Federal
(Public Law 93-579). agencies to use and manipulate personal infor-
mation. For example, there has been a substan-
The Privacy Act was enacted by Congress tial increase in the matching of information
to provide legal protection for and safeguards stored in different databases as a way of de-
on the use of personally identifiable informa- tecting fraud, waste, and abuse, as will be dis-
tion maintained in Federal Government rec- cussed in chapter 3. Likewise, computers are
ord systems. The Privacy Act established a increasingly being used to certify the accuracy
framework of rights for individuals whose per- and completeness of individual information be-
sonal information is recorded, and the respon- fore an individual receives a benefit, service,
sibilities of Federal agencies that collect and or employment, as will be discussed in chap-
maintain such information in Privacy Act rec- ter 4 on front-end verification. These techno-
ord systems. logical capabilities appear to have outpaced
the ability of individuals to protect their in-
When the Privacy Act was debated and en- terests by using the mechanisms available un-
acted, Federal agency record systems were still der the Privacy Act.
based largely on paper documents. In 1986,
many Federal agency record systems are based In addition to technological threats to Pri-
largely on electronic record-keeping. Computers vacy Act protections, several studies of the
and telecommunications are used to process act’s effectiveness have been critical of both
detailed information on millions of citizens. No agency implementation and Office of Manage-
longer is personal information merely stored ment and Budget (OMB) oversight, and have
in and retrieved from file cabinets; now large questioned the individual’s ability to use the
volumes of such information are collected, remedies in a meaningful way. The technologi-
retrieved, disclosed, disseminated, manipu- cal changes have aggravated these problems,
lated, and disposed of by computers. Moreover, and have created some new ones as well.
direct on-line linkages now make it possible to OTA reached four general conclusions about
compare individual information with a host of individual privacy and electronic record sys-


terns that cut across all areas of information 4. The courts have not developed clear and
technology application: consistent constitutional principles of infor-
mation privacy, but have recognized some
1. Advances in information technology are legitimate expectations of privacy in per-
having two major, and somewhat opposing, sonal communications.
effects on the electronic record-keeping
activities of Federal agencies. They are An OTA survey of the use of information
facilitating electronic record-keeping by technology by Federal agencies revealed that:
Federal agencies, enabling them to proc- components within 12 cabinet-level de-
ess and manipulate more information with partments and 13 independent agencies
great speed. At the same time, the growth reported 539 Privacy Act record systems
in the scale of computerization, the in-
with 3.5 billion records. Forty-two percent
crease in computer networking and other
of the systems were fully computerized,
direct linkages, the electronic searches of 18 percent were partially computerized,
computerized files, and the proliferation and 40 percent were manual. Of the large
of microcomputers are threatening Pri- Privacy Act record systems (i.e., over
vacy Act protections. 500,000 persons), 57 percent were fully
2. Federal agencies have invested only limited
computerized, 21 percent were partially
time and resources in Privacy Act matters. computerized, and 22 percent were
Few staff are assigned to Privacy Act im- manual; 1
plementation, few agencies have devel- agencies responding reported an increase
oped agency-specific guidelines or updated from a few thousand microcomputers in
guidelines in response to technological
1980 to about 100,000 in 1985;
changes, and few have conducted record
only about 8 percent of Federal agencies
quality audits. that responded have revised or updated
3. Privacy continues to be a significant and their Privacy Act guidelines with respect
enduring value held by the American pub- to microcomputers; and
lic. General concern over personal privacy ● only about 12 percent of agencies reported
has increased among Americans over the that they have conducted record quality
last decade, as documented by several
public opinion surveys over the past 6
years. About one-half of the American
public believes that computers are a threat ‘Agencies were asked to report only their 10 largest Privacy
to privacy, and that adequate safeguards Act record systems. Twelve of thirteen cabinet departments
responded (only the Department of Housing and Urban Devel-
to protect information about people are opment did not), as did 20 selected independent agencies. How-
lacking. There is increasing public support ever, some major personal information collectors within cabi-
for additional government action to pro- net departments (e.g., the Internal Revenue Service within the
Department of the Treasury and the Departments of the Army
tect privacy. and Navy within the Department of Defense) did not respond.

The Federal Privacy Act of 1974 was enacted responsibilities for Federal agencies that col-
by Congress to provide legal protection for and lect and maintain personally identifiable infor-
safeguards on the use of personally identifia- mation. This framework incorporates a num-
ble information maintained in Federal Govern- ber of “fair information principles” including,
ment record systems. The Privacy Act estab- primarily, that there should be no secret rec-
lished a framework of rights for individuals and ord systems, individuals should be able to see

and correct their records, and information col- of Federal agencies in collecting and using per-
lected for one purpose should not be used for sonal information against the interests of in-
another. dividuals in that information. Computer and
telecommunication capabilities have expanded
At the time the Privacy Act was debated,
the interests of Federal agencies in personal
Federal agency record systems were still based information and enhanced their ability to proc-
largely on paper documents, with some agen- ess it. These capabilities have also over-
cies using large mainframe computers for the shadowed the ability of individuals to use the
storage and retrieval of information in very mechanisms available in the Privacy Act be-
large record systems. By 1986, Federal agen- cause, in general, it is more difficult for them
cies have become electronic environments with to follow what occurs during the information-
computers and telecommunications being used handling process.
to process detailed information on millions of
citizens. Agencies now use computers, often The use of computers and telecommunica-
microcomputers, to collect, disclose, dissemi- tions for processing personal information also
nate, manipulate, and dispose of personal in- offers opportunities for protecting that infor-
formation. Direct on-line linkages between mation. Techniques such as passwords, encryp-
computerized databases make it possible to tion, and audit trails are available to protect
almost instantaneously compare information. the confidentiality and security of information
Additionally, computer tapes and computer in an electronic environment. Although their
software make it possible to compare entire use may provide more protection for the indi-
record systems. vidual, these techniques do not necessarily give
the individual control over the stages of infor-
The Privacy Act, with the goal of providing mation processing, as provided for in the Pri-
the means by which individuals could control vacy Act.
personal information, balanced the interests

Privacy against theft and physical appropriation, but
against publication in any form, is in reality
Privacy is a value that continues to be highly not the principle of private property, but that
esteemed in American society, yet its mean- of an inviolate personality.
ing, especially for policy purposes, is often un- Subsequent legal debates have been struc-
clear. Privacy is a broad value, representing tured by two points raised by Warren and
concerns about autonomy, individuality, per- Brandeis. The first is whether privacy is an
sonal space, solitude, intimacy, anonymity, independent value whose legal protection can
and a host of other related concerns. There be justified separately from other related in-
have been many attempts to define a “right terests, such as peace of mind, reputation, and
to privacy. ” In a seminal article, Warren and intangible property. The second is controversy
Brandeis 2 defined it as “the right to be let over their definition of the “right to privacy”
alone. ” They found the primary source for a as the “right to be let alone. ” Such a defini-
general right to privacy in the common law pro- tion is so broad and vague that the qualifica-
tection for intellectual and artistic property, tions necessary to make such a definition prac-
and argued that: tical in society negate the right itself.
,.. the principle which protects personal writ- Second only to the Warren and Brandeis ar-
ings and all other personal productions, not ticle in influence on the development of legal
thinking regarding protection of privacy in the
“(The Right to Privacy, “ Harvard Law Revriew, 1890. United States is Dean Presser’s 1960 Califor-

nia Law Review article, “Privacy. ” His pri- to give individuals the means to control infor-
mary finding is that: mation about themselves. Such means include
primarily the right to know and the right to
At the present time the right of privacy, in
one form or another is declared to exist by the challenge and correct. Organizations are also
overwhelming majority of the American courts.3 expected to follow “Principles of Fair Infor-
mation Use, “6 which establish standards and
Presser analyzed four distinct torts—intru- regulations for collection and use of personal
sion, disclosure, false light, and appropria- information. See table 1 for a list of statutes
tion—that could be isolated in State common providing protection for information privacy.
law decisions and that represented four differ-
ent types of privacy invasions. Each of these History of the Privacy Act
torts depends on physical invasion or requires
publicity, and hence offers little protection for In the mid-1960s, Congress and certain ex-
privacy of personal information. Although ecutive agencies began to study the privacy
Presser’s analysis has received wide accept- implications of records maintained by Federal
ance as a way of categorizing tort law relating agencies. The congressional concern with
to privacy, most legal scholars doubt that these privacy and individual records was precipi-
traditional privacy protections in common law tated by the 1965 Social Science Research
can, or should, be extended to cover more gen- Council proposal that the Bureau of the Bud-
eral privacy concerns. get establish a National Data Center to pro-
In the mid-1960s, concern with the “privacy” vide basic statistical information originating
of computerized personal information held by in all Federal agencies.
credit agencies and the government rekindled In 1966, the Senate Committee on the Judi-
interest in defining a right to privacy. Edward ciary, Subcommittee on Administrative Prac-
Shils viewed privacy of personal information tice and Procedure7 and the House Committee
as: on Government Operations, Special Subcom-
. . . a matter of the possession and flow of in- mittee on Invasion of Privacy,a held hearings
formation, . . Privacy in one of its aspects may on the proposals for a National Data Center.
therefore be defined as the existence of a Both committees were unconvinced of the need
boundary through which information does not for such a center or of its ability to keep data
flow from the persons who possess it to confidential. In 1967 and 1968, the House and
others. 4 Senate again held hearings on the proposal for
Alan Westin conceived of privacy as “an in- a National Data Center, and remained uncon-
strument for achieving individual goals of self- vinced that such a center could adequately pro
realization, and defined it as “the claim of in- tect the privacy of individual records. The com-
dividuals, groups or institutions to determine mittees and various witnesses feared that once
for themselves when, how and to what extent such a center was established, its limited role
information about them is communicated to would not be maintained. There was also great
‘A “Code of Fair Information Practice” was first developed
The “right to privacy’ as “the right to con- in: U.S. Department of Heath, Education, and Welfare, Records,
Computers and the Rights of Citizens (Washington, DC: U.S.
trol information about oneself” has served as Government Printing Office, 1973).
the definition for policy purposes in the United ‘See U.S. Congress, Senate Committee on the Judiciary, Sub-
States. Various statutes have been designed committee on Administrative Practice and Procedure, invasions
of Privacy (Government Agencies), Hearings, 89th Cong., Feb-
ruary 1965, June 1966 (Washington, DC: U.S. Government
William L. Presser, “Privacy,” California Law Review, vol. Printing Office, 1965-67).
48, 1980, Pp. 383, 386. ‘See U.S. Congress, House Committee on Government Oper-
‘Edward Shils, “Privacy: Its Constitution and Vicissitudes, ” ations, Special Subcommittee on Invasion of Privacy, The Com-
Law and Contemporary Problems, vol. 31, 1966, pp. 281, 282. puter and Invasion of Privacy, Hearings, 89th Cong., 2d sess.,
Alan Westin, Privacy and Freedom (New York: Atheneum, July 25, 27, 28, 1966 (Washington, DC: U.S. Government Print-
1967), p. 39. ing Office, 1966).

Table 2-1 .—Statutes Providing Protection for reluctance to condone the centralization of both
Information Privacy personal information and responsibility for
Fair Credit Reporting Act of 1970 (Public Law 91-508.15 U S.C 1681) that information within an executive agency.
requires credit Investigation and reporting agencies to make their Although the committees agreed that the ex-
records available to the subject, provides procedures for correct-
ing Information, and permits disclosure only to authorized cus- isting situation was inefficient, they believed
tomers that such decentralized inefficiency was amen-
Crime Control Act of 1973 (Public Law 93-83) requires that State crimi-
nal justice Information systems, developed with Federal funds, able to congressional oversight, whereas cen-
be protected by measures to insure the privacy and security of tralized efficiency would be more difficult to
Family Educational Rights and Privacy Act of 1974 (Public Law 93-380 check. The proposal for a National Data Cen-
20 U.S.C. 1232(g)) requires schools and colleges to grant students ter was therefore rejected.
or their parents access to student records and procedures to
challenge and correct Information, and Iimits disclosure to third
part [es
In 1970, the Senate Judiciary Committee, Sub-
Privacy Act of 1974 (Public Law 93-579, 5 U S C 552(a)) places restric- committee on Constitutional Rights, chaired
tions on Federal agencies’ collection, use, and disclosure of per
sonally identifiable Information, and gives individuals rights of
by Senator Sam Ervin, Jr., began a 4-year
access to and correction of such Information study of Federal Government databanks con-
Tax Reform Act of 1976 (26 U S C 6103) protects confidentialty of
tax Information by restricting disclosure of tax Information for
taining personal information and held related
nontax purposes The Iist of exceptions has grown since 1976 oversight hearings.g These hearings and the
Right to Financial Privacy Act of 1978 (Public Law 95.630, 12 U S C survey of agencies conducted by the Ervin Sub-
3401) provides bank customers with some privacy regarding their
records held by banks and other financial Institutions, and pro- committee laid the groundwork for the Privacy
vides procedures whereby Federal agencies can gain access to
such records
Act of 1974.
Privacy Protection for Rape Victims Act of 1978 (Public Law 95-540)
amends the Federal Rules of Evidence to protect the privacy of In 1972, Alan Westin and Michael Baker,
rape victims with the support of the Russell Sage Founda-
Protection of Pupil Rights of 1978 (20 U S C 1232(h)) gives parents
the right to Inspect educational materials used in research or ex tion and the National Academy of Sciences,
perimentation projects, and restricts educators from requiring in - released a report, Databanks in a Free Soci-
trusive psychiatric or psychological testing
Privacy Protection Act of 1980 (Public Law 96.440, 42 U S C 2000(a)(a)) ety, in which they concluded that computeri-
prohibits government agents from conducting unannounced zation of records was not the villain it had often
searches of press offices and files if no one in the office IS sus-
pected of committing a crime been portrayed to be. Their policy recommen-
Electronic Funds Transfer Act of 1978 (Public Law 95-630) provides dations applied to both computerized and man-
that any Institution providing EFT or other bank services must
notify its customers about third-party access to customer ac- ual systems and included:
Intelligence Identifies Protection Act of 1982 (Public Law 97-200) pro- 1. a “Citizen’s Guide to Files”;
hibits the unauthorized disclosure of Information Identifying cer-
tain U S. Intelligence officers, agents, Informants, and sources
2. rules for confidentiality y and data sharing;
Debt Collection Act of 1982 (Public Law 97-365) establishes due 3. limitations on unnecessary data collection;
process steps (not Ice, reply. etc ) that Federal agencies must fol-
low before they can release bad debt information to credit
4. technological safeguards;
bureaus. 5. restricted use of the social security num-
Cable Communications Policy Act of 1984 (Public Law 98-549) requires ber; and
the cable service to inform the subscriber of the nature of per
sonally identifiable Information collected and the nature of the 6. the creation of information trust agencies
use of such Information, the disclosures that may be made of such
I nformation the period during which such I nformation WiII be
to manage sensitive data.l”
maintained, and the times during which an individual may access
such information Also places restrictions on the cable services’
.- ——
collection and disclosures of such Information See U.S. Congress, Senate Committee on the Judiciary, Sub-
Confidentiality provisions are Included in several statutes, including: committee on Constitutional Rights, Federal Data Banks, Com-
the Census Act (13 U S C 9214), the Social Security Act (42 puters and the Bill of Rights, Hearings, 92d Cong., 1st sess.,
U S C 408(h)), and the Child Abuse Information Act (42 U.S.C. Feb. 24-25 and Mar. 2, 3, 4, 9, 10, 11, 15, and 17, 1971, parts
5103( b(2)(e)))
1 and 11 (Washington. DC: U.S. Government Printing Office,
NOTE All statutes embody the same scheme of individual rights and fair infer 1971).
mation practices
“’Alan F, Westin and Michael A. Baker, Databanks in a Free
SOURCES Robert Aldrlch Privacy Protection Law in the United States (NTIA R e
port 82/98. May 1982 Sarah P Collins Citizens Control over Rec Society (New York: Quadrangle The New York Times Book Co.,
orals Held by Third Parties ( CRS Report No 78 255, Dec 8 1978 and 1972).
the Office of Technology Assessment

In 1973, the Secretary of Health, Education, In 1974, in the wake of Watergate, hearings
and Welfare’s Advisory Committee on Auto- on numerous privacy bills were held in both
mated Personal Data Systems released its re- the Senate and the House.13 In the subcom-
port, Records, Computers and the Rights of mittee hearings, there was little disagreement
Citizens, in which it discussed three changes on the need for individual rights with respect
resulting from the use of computerized record- to personal information held by Federal agen-
keeping: cies. Discussions centered instead on the lo-
gistics of enabling individuals to use these
1. an increase in organizational data proc-
rights, and the specific fair information prac-
essing capacity;
2. more access to personal data; and tices that agencies were to follow. The Senate
version also provided for a permanent Federal
3. the creation of a class of technical record-
Privacy Board with regulatory powers, while
the House version provided no such oversight
It recommended the enactment of a Federal mechanism. As a compromise, the Privacy Pro-
“Code of Fair Information Practice” that tection Study Commission was created, and
would apply to both computerized and man- oversight responsibilities were given to the Of-
ual systems. This code served as the model for fice of Management and Budget.
the Privacy Act, as well as for the Council of
In 1977, the Privacy Protection Study Com-
Europe’s 1974 “Resolution on the Protection
mission released its comprehensive report, Per-
of the Privacy of Individuals vis~a-vis Elec-
sonal Privacy in an Information Society, which
tronic Data Banks in the Private Sector. ‘ 11 The
analyzed the policy implications of personal
major principles of the code include:
record-keeping in a number of areas including
● There must be no personal data record- credit, insurance, employment, medical care,
keeping system whose very existence is investigative reporting, education, and State
secret. and local government.14 The report made nu-
● There must be a way for an individual to merous policy recommendations, very few of
find out what information about him or which have been realized in statutory law.
her is in a record and how it is used.
● There must be a way for an individual to Implementation of the Privacy Act
prevent information about him or her that
was obtained for one purpose from being A number of studies have evaluated the im-
used or made available for other purposes plementation and effectiveness of the Privacy
without his or her consent. Act. Most notable are analyses done by the
● There must be a way for an individual to House Committee on Government Operations,
correct or amend a record of identifiable the Privacy Protection Study Commission, and
information about him or her. the General Accounting Office. All conclude
● Any organization creating, maintaining,
‘%ee U.S. Congress, Senate Committee on Government Oper-
using, or disseminating records of iden- ations, Ad Hoc Subcommittee on Privacy and Information
tifiable personal data must assure the Systems, and Committee on the Judiciary, Subcommittee on
reliability of the data for their intended Constitutional Rights, Privacy–The Collection, Use and Comp-
uterization of Personal Data, Joint Hearings, 93d Cong., 2d
use and must take precautions to prevent sess., June 18-20, 1974 (Washington, DC: U.S. Government
misuse of the data. 12 Printing Office, 1974).
“Privacy Protection Study Commission, Personal Privacy in
an Information Society (Washington DC: U.S. Government
✎ Printing Office, 1977) with five appendices: Privacy Law in the
“Reprinted in Privacy and Protection of Personal Informa- State; The Citizen as Taxpayer; Employment Records; The
tion in Europe, Staff Report of the Senate Committee on Gov- Privacy Act of 1974: An Assessment; and Technology and
ernment Operations (Washington, DC: U.S. Government Print- Privacy.
ing Office, March 1975). “See U.S. Congress, House Committee on Government Oper-
“U.S. Department of Health, Education, and Welfare, Rec- ations, Government Information and Individual Rights Sub-
ords, Computers and the Rights of Citizens (Washington, DC: committee, Implementation of the Privacy Act of 1974: Data-
U.S. Government Printing Office, 1973). banks (1975); Privacy Protection Study Commission, The

that the act has been disappointing in provid- which OMB has implemented and enforced the
ing protection for individuals from misuse of act; and OMB guidelines issued subsequent
personal information by Federal agencies. For to the act that seem to contradict the purpose
example, the Privacy Protection Study Com- of the act. These studies report that the act
mission reached three general conclusions: has been used less than anticipated. This is at-
1. the Privacy Act represents a large step tributed to the investment of time and money
forward, but it has not resulted in the gen- an individual must make, and to the finding
eral benefits to the public that either its that agencies have not made it easy to use the
Privacy Act.
legislative history or the prevailing opin-
ion as to its accomplishments would lead The purpose of the Privacy Act is “to pro-
one to expect; vide certain safeguards for an individual
2. agency compliance with the act is difficult against an invasion of privacy” [Public Law
to assess because of the ambiguity of some 93-579, sec. 2(b)]. To this end, the act stipu-
of the act requirements, but, on balance, lates that Federal agencies meet six major re-
it appears to be neither deplorable nor ex- quirements. Each of these requirements, and
emplary; and agency experience to date in meeting each re-
3. the act ignores or only marginally ad- quirement, is discussed below.
dresses some personal-data record-keeping
policy issues of major importance now and Requirement 1
for the future. ’G
Permit an individual to determine what rec-
in his opening statement before hearings on ords pertaining to him are collected, maintained,
oversight of the Privacy Act, Representative used, or disseminated by such agencies.
Glenn English, Chairman of the Subcommit-
tee on Government Information, Justice, and To this end, agencies are to publish in the
Agriculture of the Committee on Government Federal Register an annual notice of the exis-
Operations, remarked that: tence and character of all systems of records
containing personal information, and a notice
One of my chief concerns is that the bureauc- of any new systems of records or new uses of
racy, with the approval of OMB, has drained
much of the substance out of the Act. As a the information in an existing system. The pur-
result, the Privacy Act tends to be viewed as pose of this was to ensure that there were no
strictly a procedural statute, For example, secret systems of records by giving the indi-
agencies feel free to disclose personal informa- vidual notice of agency record-keeping prac-
tion to anyone as long as the proper notices tices. However, most agree that the Federal
have been published in the Federal Register. Register is not the ideal vehicle for such no-
No one seems to consider any more whether tice as it is not easily accessible to most peo-
the Privacy Act prohibits a particular use of ple. In “The President’s Annual Report on the
information. 17 Agencies’ Implementation of the Privacy Act
All of the studies evaluating the implemen- of 1974” for calendar years 1982 and 1983,
tation and effectiveness of the Privacy Act cite OMB identified the effectiveness of the pub-
its major weaknesses to be its reliance on in- lic notice process as one area for further study,
dividual initiative; the ambiguity of some of noting that:
the act’s requirements; the casual manner in The problem may lie in the method used to
disseminate this kind of information. While
Privacy Act of 1974: An Assessment (1977); General Account-
ing Office, Agencies Implementation of and Compliance With
the Federal Register stands as the official or-
the Privacy Act Can Be Improved (1978); and House Commit- gan of the government, it is a publication with
tee on Government Operations, Government Information, Jus- limited circulation read by few ordinary citizens.’*
tice, and Agriculture Subcommittee, Oversight of the Privacy
Act of 1974 (1983).
“Privacy Protection Study Commission, app. 4, op. cit., p. 77. ‘R’’ The President’s Annual Report on the Agencies’ Imple-
“House Committee on Government Operations, 1983, op. cit., mentation of the Privacy Act of 1974, ” CY 1982-1983 (issued
p. 5. Dec. 4, 1985), p. 118.

In 1983, OMB, on the basis of the Congres- ment agency for a civil or criminal law enforce-
sional Reports Elimination Act of 1982 (Pub- ment activity; 5) either House of Congress; and
lic Law 97-375), eliminated the requirement 6) the Comptroller General. The Debt Collec-
that agencies republish all of their system no- tion Act of 1982 added an exception for agency
tices each year in the Federal Register. The disclosure of bad debt information to credit
reason offered for this decision was lack of pub- bureaus.
lic and congressional interest. OMB viewed
Additionally, an agency may disclose a rec-
agency republication as a duplication of the
ord without the consent of the individual if the
Federal Register’s annual compilation of
disclosure would be for a “routine use, ” defined
Privacy Act notices. OMB recently estimated
as “the use of such record for a purpose which
that the elimination of this requirement, in-
is compatible with the purpose for which it was
cluding its administrative expenses, had saved
collected” [Public Law 93-579, sec. 3(a)(7)]. If
the government over $1 million.l9
an agency intends to disclose personal infor-
Additionally, the Privacy Act requires agen- mation for a “routine use, ” then it must pub-
cies to inform individuals, on an application lish a notice in the Federal Register. This ex-
form or on a separate form that individuals can emption has proved to be quite controversial.
retain, of the following information: 1) the au- In the 1983 Oversight of the Privacy Act Hear-
thority that authorizes the solicitation of the ings, James Davidson, former counsel to the
information and whether disclosure of such in- Senate Subcommittee on Intergovernmental
formation is mandatory or voluntary; 2) the Relations of the Committee on Government
principal purpose or purposes for which the in- Operations, stated that the “routine use” ex-
formation is intended to be used; 3) the rou- emption was:
tine uses that may be made of the information;
. . . designed to require that the agencies ex-
and 4) the effects of not providing all or any amine the data, see if the use that the other
part of the requested information [see Public agency was going to put it to was compatible
Law 93-579, sec. 3(e)(3)]. See box A for an ex- with the reason for which it was collected, then
ample of a Privacy Act notice. issue notice so the public and other agencies
and OMB could comment on the propriety of
Requirement 2 the exchange.zo
Permit an individual to prevent records per- Davidson went on to note that this has not
taining to him obtained by such agencies for a been the way that agencies have used the rou-
particular purpose from being used or made tine use exemption; rather, if agencies had been
available for another purpose without his routinely exchanging information over the
consent. years, they have assumed that the routine use
exemption allows them to continue.
To this end, agencies are to acquire the prior
written consent of the individual to whom the There have been a number of legislative pro-
record pertains before disclosing a record un- posals to amend the “routine use’ definition.
less one of twelve exceptions is met [see Pub- The Privacy Protection Study Commission rec-
lic Law 93-579, sec. 3(b)]. Included in this list ommended that, in addition to the requirement
are the releases of information to: 1) those that the use of a record be “compatible with
officers and employees of the agency that main- the purposes for which it was collected, ” the
tains the record who have a need for the rec- use also be “consistent with the conditions or
ord in the performance of their duties; 2) the reasonable expectations of use and disclosure
Bureau of the Census for census-related activ- under which the information in the record was
ities; 3) the National Archives of the United provided, collected, or obtained. ”21 In the 1982
States for historical preservation; 4) a govern- 20
‘“House Committee on Government Operations, 1983, op. cit.,
p. 51.
‘91 bid., p. 10. *’Privacy Protection Study Commission, app. 4, op. cit., p. 120.

Box A.—U.S. Department of Education Application for Federal Student Aid, 1986=87 School Year


The Privacy Act of 1974 says that each Federal agency that Loan, and Guaranteed Student Loan programs. These sec-
asks for your social security number or other information must tions include sections 411, 4138, 443, 4&, 425, 428, and 482
tell you the following: of the Higher Education Act of 1965, as amended.

1. Its legal right to ask for the information and wheiher If you are applying for Federal student aid under all five pro-
[he law says you must give it; grams, you must fill in everything except questions 4-3 and
4-4 on either form, Step 12 on Form 1, and question 1-7 on
2. what purpose the agency has in asking for it and how Form 2. But if you are not applying for a pen Grant or a Sup
it will be used; and plemental Educational Opportunity Grant. YOU can also skiP
question 4-2 on either form. If you are using Form 1 and you
3. what could happen if you do not give it. are not applying for a Pen Grant or a Guaranteed Student
Loan, you can skip questions 5-1 through 5-3 (as well as ques-
Our legal right to require that you provide us with your social tions 4-3 and 4-4 and Step 12). Finally, if you are only apply-
security number for the Pell Grant and Guaranteed Student ing for a Pen Grant and you are using Form 1, you can skip
Loan programs is based on Section 7 (a) (2) of the Privacy 7-2, 7-3, and 6-3 as well as questions 4-3 and 4-4 and Step
Act Of 1974. 12. if you skip question 4-4, we will count your answer as
.. No” for that question.
You must give us your social security number to apply for
a Pen Grant or a Guaranteed Student Loan. We need the We ask for the information on the form so that we can figure
number on this form to be sure we know who you are, to pro- your ‘“student aid index” and “expected family contribution.”
cess your application, and to keep track of your record. We The student aid index is used to help figure out how much
also use your social security number in the Pen Grant Pro- of a Pen Grant you will get, if any. The student aid index or
gram in recording information about your college attendance the expected family contribution may also be used to figure
and progress, in making payments to you directly in case your out how much other Federal financial aid you will get. if any,
college does not, and in making sure that you have received While you are not required to respond, no Pell Grant may be
your money. If you do not give us your social security number, awarded unless this information is provided and filed as re-
you will not get a Pen Grant or a Guaranteed Student Loan. quired under 20 U.S.C. 1070a; 34 CFR 690.11.

We also ask you to voluntarily give us your social security We will send your name, address, social security number,
number if you are using this form only to apply for financial date of birth, student aid indices, student status, year in col-
aid under the ColIege Work-study, National Direct Student Iege, and State of legal residence to the college that you list
Loan, and Supplemental Educational Opportunity Grant pro- in question 4-3 (or its representative), even if you check ‘“No”
grams. We use your social security number in processing your in question 44. This Information will also go to the State
application. If you do not give us your social security number, scholarship agency in your State of legal residence to help
you may still receive financial aid under these three programs. them coordinate State financial aid programs with Federal
student aid programs. Also, we may send information to
our legal right to ask for all information except your social members of Congress if you or your parents ask them to help
security number is based on sections of the law that you with Federal student aid questions. We may also use the
authorizes the Pell Grant, Supplemental Educational Oppor- information for any purpose which is a ““routine use” listed
tunity Grant, CoIlege Work-Study, National Direct Student in Appendix B of 34 CFR 5b.

and 1983 “President’s Annual Report on the Requirement 3

Agencies’ Implementation of the Privacy Act
of 1974, ” problems with the interpretation and Permit an individual to gain access to infor-
implementation of the “routine use” disclosure mation pertaining to him in Federal agency rec-
were identified as Privacy Act issues for fur- ords, to have a copy made of all or any portion
ther study. The “Annual Report” stated that thereof, and to correct or amend such records.
it would ’be useful for the Congress to recon- These individual rights are a cornerstone of
sider this problem and provide clearer guid- the act; however, they have not been used as
ance on routine use disclosures. “22 much as anticipated. Reasons offered include:
1. the time an individual must spend in com-
’’ The President’s Annual Report, ” 1982-1983, op. cit., p. 121. municating with an agency;

2. the possible difficulty in adequately iden- cess to their records.26 In the 1982-83 Annual
tifying personal records for which access Report, OMB reported that access requests
is requested; and and requests to amend records had declined
3. the lack of public awareness of these for most of the agencies with major record hold-
rights. ings. OMB attributed this to the existence of
other agency access policies (for example, for
The Privacy Protection Study Commission
personnel records) that are used rather than
concluded that:
filing a Privacy Act request.2G
Agency rules on individual access, and on
the exercise of the other rights the Act estab- Requirement 4
lishes, appear, in most instances, to be in com-
pliance with the Act’s rule-making require- Collect, maintain, use, or disseminate any rec-
ments. Yet, they too are often difficult to ord of identifiable personal information in a man-
comprehend, and because the principal places ner that assures that such action is for a neces-
to find them are in the Federal Register and sary and lawful purpose, that the information
the Code of Federal Regulations, it is doubt- is current and accurate for its intended use, and
ful that many people know they exist,23 let alone
how to locate and interpret them. that adequate safeguards are provided to pre-
vent misuse of such information.
An additional reason that this goal has not
These “Fair Information Principles” are
been realized is that there are seven exemp-
tions to this requirement that are authorized another cornerstone of the act. Yet, the agen-
cies have loosely construed these requirements
by the Privacy Act itself. In general, these ex-
emptions include those systems of records that and have at times ignored them altogether. The
include investigatory material compiled for law Privacy Protection Study Commission con-
enforcement purposes or for the purpose of de- cluded that:
termining suitability, eligibility, or qualifica- None of these several collection require-
tions for Federal civilian employment or pro- ments and prohibitions appears to have had
motion, military service, Federal contracts, or a profound impact on agency record-keeping
access to classified material. Also exempt are practice, mainly because they are either too
those systems of records that are maintained broadly worded or have been perceived as
in connection with providing protective serv- nothing more than restatements of longstand-
ices to the President or other individuals, and ing agency policy .27
those that are required by statute to be main- In testimony before the House Subcommit-
tained and used solely as statistical records tee on Government Information, Justice, and
[Public Law 93-579, sec. 3(k)]. Agriculture, John Shattuck, then legislative
In the 1979 “Annual Report of the President director for the American Civil Liberties
on the Implementation of the Privacy Act of Union, reached a similar conclusion, stating
1974, ” the individual access provisions were
described as the “most apparently successful The Code of Fair Information Practices
provision of the Act. ”24 It was reported that which constitutes the core of the statute is so
since 1977, agencies had recorded over 2 mil- general and abstract that it has become little
lion requests for access and had complied with more than precatory in practice, and has
over 96 percent of the requests. But, the 1979 proved easy to evade.28
Annual Report noted that it was not clear The vagueness of the principles contributes
whether the access requests were the “direct to agencies’ practices. T-he act does not define,
result of the Act” because of prior procedures
by which employees and clients were given ac- .—
2g —
Priva;y Protection Study Commission, app. 4, op. cit., p. 84. “Ibid., p. 20.
“’’Fifth Annual Report of the President on the Implementa- “Privacy Protection Study Commission, app. 4, op. cit., p. 44.
tion of the Privacy Act of 1974, ” Calendar Year 1979 (released ‘*House Committee on Government Operations, 1983, op. cit.,
August 1980), p. 11. p. 273.

nor does it require agencies to set standards Requirement 6

for, such terms as “current” or “necessary.”
The act also does not develop, nor does it re- Be subject to civil suit for any damages which
quire agencies to develop, procedures to ensure occur as a result of willful or intentional action
“accurate” information or “adequate safe- which violates any individual’s rights under this
guards . . . to prevent misuse. ” Act.
This requirement is intended to provide in-
Requirement 5 dividuals the means to enforce agencies to com-
ply with the provisions of the act, if they were
Permit exemptions from the requirements not satisfied with the outcome of an adminis-
with respect to records provided in this Act only trative appeal. The time and cost involved to
in those cases where there is an important pub-
bring a suit under the Privacy Act is often pro-
lic policy need for such exemption as has been hibitive. In addition, some individuals have
determined by specific statutory authority. used the Freedom of Information Act, rather
As discussed above, the exemptions for per- than the Privacy Act, to gain access to their
mission to disclose, and for access and correc- records, and thus cannot bring suit under the
tion, are broadly defined. However, overall, Privacy Act. Where individuals have used the
agencies exempt only a small percentage of Privacy Act, their civil suits have rarely been
their systems of records. In order to ensure successful because of the need to find” willful
that agencies only exempted systems of rec- or intentional” activity, because injunctive re-
ords where necessary, the Privacy Act requires lief under the act is unclear, and because the
that the President report annually on the oper- courts have narrowly construed the circum-
ation of the exemption provision. In the 1979 stances under which an individual can recover
Annual Report, OMB concluded that agencies damages. 3’ Richard Ehlke of the Congressional
have “implemented this provision in a thought- Research Service summarized the situation as
ful and sparing manner” and that: follows:
● Only 14 percent of total systems have Despite over seven years of operation, the
been exempted. case law under the Privacy Act is relatively
● Agencies have invoked exemptions to undeveloped. The greater visibility of the Free-
completely deny access in only 0.2 percent dom of Information Act, the breadth of many
of the Privacy Act exceptions, and the limited
of cases. remedial scheme of the Act are undoubtedly
● Agencies routinely screen records in ex- factors in this development. Much of the liti-
empt systems and release material not gation has focused on these aspects of the
deemed to need protection.” Act–the limitations inherent in the “record”
In the 1982-83 Annual Report, OMB re- and “system of records” triggers to the Act;
ported that, from 1975 to 1983, the number the expansive law enforcement exemptions;
the exceptions to the consensual disclosure re-
of exempt systems declined by over 16 per- quirement; and the limited remedies available
cent.30 to redress many violations of the Act.32

See Richard Ehlke, “Litigation Trends Under The Privacy
— Act, ’ June 1983, Congressional Research Service, in Oversight
“’’President’s Annual Report, 1979, ” op. cit., p. 14. of the Privacy Act of 1974, op. cit., pp. 437-469.
‘“’’President’s Annual Report, 1982 -83,” op. cit., p. 19. ‘* Ibid., pp. 468-469.

OTA has reached four general conclusions In 1975, the First Annual Report of the Presi-
about individual privacy and electronic record dent on Implementation of the Privacy Act re-
systems that cut across all areas of applica- ported that 73 percent of the personal data sys-
tion of information technology. Each finding tems subject to the act were totally manual,
is discussed below. but the remaining 27 percent that were fully
or partially computerized contained over 80
Finding 1 percent of the total individual records.34

Advances in information technology are hav- In 1985, the increase in the number of com-
ing two major, and somewhat opposing, effects puterized records is significant. In the OTA
on the electronic record-keeping activities of Fed- survey, agencies were asked to report their 10
eral agencies. largest Privacy Act record systems. Compo-
nents within 12 cabinet-level departments35
They are facilitating electronic recordkeep- and 13 independent agencies3G reported a to-
ing by Federal agencies, enabling them to proc- tal of 539 Privacy Act record systems contain-
ess and manipulate more information with ing 3.5 billion records. Of these systems, 42
great speed. At the same time, the growth in percent were totally computerized, 18 percent
the scale of computerization, the increase in were partially computerized, and 40 percent
computer networking and other direct link- were wholly manual (see table 2). More impor-
ages, electronic searches of computerized files, tantly, of the large systems of records (i.e., over
and the proliferation of microcomputers are 500,000 persons), 57 percent were totally com-
threatening Privacy Act protections. puterized, 21 percent were partially computer-
In the early 1960s, the use of computers to ized, and 22 percent were wholly manual (see
process personal information in Federal agen- table 3).
cies was in its beginning stages and Federal The qualitative changes that have occurred
agencies were still largely paper environ- in the various stages of the information process
ments. 33 At this time, most computing was as a result of computerization are also signifi-
done on large mainframes by central process- cant. No longer is information merely stored
ing, and only record systems containing a large and retrieved by computer. Now information
number of records were stored on computers. is routinely collected on computer tapes, used
“Before the Privacy Act was passed, two surveys of the de- within an agency in computer form, exchanged
gree of computerization of Federal agency record systems were with and disclosed to regional offices or other
conducted. In 1966, the Senate Judiciary Subcommittee on agencies in computer form, manipulated and
Administrative Practice and Procedure conducted a survey of
“government dossiers” to determine the extent and nature of analyzed with sophisticated computer software,
Federal agencies’ collection of personal information. The sub- and archived on computer tapes.
committee determined that Federal files contained more than —..——.
3 billion records on individuals, and that over one-half of these “Federal Personal Data Systems Subject to the Privacy Act
records were retrievable by computers. [See: U.S. Congress, Sen- of 1974, First Annual Report of the President, Calendar Year
ate Committee on the Judiciary, Subcommittee on Adminis- 1975, Pp. 4-6.
trative Practice and Procedure, Government Dossier (Commit- 3
’Only the Department of Housing and Urban Development
tee Print) (Washington, DC: U.S. Government Printing Office, did not respond to this question at all. However, some major
1967), pp. 7-9.] The Subcommittee on Constitutional Rights, personal information collectors within cabinet departments (e.g.,
chaired by Senator Sam Ervin, surveyed agencies and found Internal Revenue Service within the Department of the Treas-
that 86 percent of the 858 databanks with 1.25 billion records ury and the Departments of the Army and Navy within DOD)
on individuals were, at least in part, computerized. The large did not respond.
percentage of computerization found by the Ervin study may “Consumer Product Safety Commission, Federal Trade Com-
be attributed in part to the fact that the study used the phrase mission, National Aeronautics and Space Administration, Nu-
“databank centaining personal information about individuals. ” clear Regulatory Commission, Securities and Exchange Com-
To many, “databank” may imply a computerized system; thus, mission, Selective Service System, Agency for International
it is likely that manual systems were underreported in the Er- Development, Federal Election Commission, Federal Reserve
vin survey. (See U.S. Congress, Senate Committee on the Judi- System, Small Business Administration, National Archives and
ciary, Subcommittee on Constitutional Rights, Federal Data Records Administration, Commission on Civil Rights, and Arms
Banks and Constitutional Rights, 93d Cong., 2d sess., 1974. ) Control and Disarmament Agency.
Table 2. —Privacy Act Record Systems Reported by Federal Agencies a
— ———
Fully computerized Partially computerized Subtotals ‘Manual Totals
Number of Number of Number of Number of Number of Number of Number of Number of Number of Number of
Agency systems records systems records systems records systems — records systems records
— .
Agriculture –
22 –
27.0 –
6 1.5 28 28.5 14 ‘- 05 42 290 -
Commerce 13 8821 3 04 16 882.5 5 14 21 883.9
DOD 15 500 4 17 19 51. 7 32 36 51 553
Education 3 17 1 00 4 17 0 00 4 17
Energy 3 04 7 04 10 08 4 03 14 15
DHHS 26 1,3046 16 90 42 1,3136 20 901 62 1,4037
Interior 32 45 11 52 43 9.7 17 04 60 10.1
Justice 28 101 2 9 2244 37 325.6 31 22 68 3278
Labor 8 16 9 09 17 25 1 00 18 25
DOT 36 100 8 30 44 130 17 02 61 132
Treasury 16 488 6 36.1 22 849 20 4603 42 5452
State o 00 1 200 1 20.0 9 902 10 1102
Independent agencies 27 224 15 10 42 23.4 44 51 4 86 748
Totals 229 2,454.3 96 3036 325 2,7579 — .
214 700.6 ——
539 3,4589
‘Aqenc)es were ,j$ked to repod only lhe(r ‘ O largest privacy Act record systems Twelve of thirteen La blnet departments responded I only lhe Deparlme N of Housing and Urban Dcielopmenl dld nor
as did 13 out of 20 independent agencies 1‘we app B al the end ot this ‘eporl for a IISI I and some major p-lvacy recordholders dld not respond (e g the Internal Revenue Service r the Deoartmer+i
of [he ~,eaw r ~ and the L?epaqments of Army and Navj m the De~artmertf 01 Defense I
‘ Mllllons of records
SGLJRCE Ofhce Of Teconqt~qY Assessment

Table 3.—Computerized and Manual Privacy Record Systems

Large systemsa Medium systems b Small systems c Totals

———— Number Number of persons Number Number of persons Number Number of persons Number Number of persons
100% computerized 43 1,653,336,199 105 11,277,938 81 237,240 229 1,664,851,377
Parilally computerized 16 285,880,382 41 3,912,622 39 213,790 96 290,006,794
100% manual 17 695,419,523 50 5,015.434 147 327,666 214 700,762,623
Over 500. 000 person:
b~o 001 i soo 000 persons

Under 10 000 persons
SOURCE Office of Technology Assessment

Another significant change is the direct link- With such computer networking, the ex-
age of computer records via telecommunica- changes of information occur rapidly, often
tion systems. This allows for easy disclosure leaving no audit trail of who had access to the
and exchange of information. On-line access data or what changes were made. Monitoring
can occur, for example, via private or public the use of agency information becomes much
telephone lines or through local networks more difficult in this environment. But, at the
within an agency. One factor supporting the same time, the environment supports a vast
transition of Federal information systems to increase in the exchange and manipulation of
direct linkages is cost–the cost of a typical information, as well as an increase in the num-
network interface was $500 in 1982, but is ex- ber of people having access to the information.
pected to drop to about $50 by 1987.37 Another In 1977, the Privacy Protection Study Com-
factor is the ease and efficiency to an agency mission warned that:
official of communicating directly with the The real danger is the gradual erosion of in-
computer as information is collected or needed, dividual liberties through the automation, in-
rather than compiling transactions, batch= tegration, and interconnection of many small,
processing them on a tape at the end of the separate recordkeeping systems, each of which
day or week, and waiting for a reply. alone may seem innocuous, even benevolent,
—— ——— and wholly justifiable.38
“See Michael Killen, “The Microcomputer Connection to Lo- — —
cal Networks, ” Data Communications, December 1982. ‘Privacy Protection Study Commission, app. 4, op. cit., p. 108.

Another technological development that has ment preparation and data entry .40 At the
implications for Privacy Act protections is administrative level, microcomputers are used
efficient electronic searching through com- for accounting, budgeting, and planning. Mi-
puter records. The two most common types crocomputers can be used by professionals for
of searches are computer matching and com- data analysis as well as document preparation.
puter profiling (or computer screening). In a For technical users, microcomputers offer con-
computer match, two sets of computer files are trol over system design and programming. 41
compared record by record to look for any in- Microcomputers complicate the monitoring
dividuals who appear in both files. In a com- of the uses of personal information for two rea-
puter profile or computer screen, a single com- sons. First, they make it easier for individual
puter file is searched for selected factors about users to create their own systems of records.
a specific type of individual. Because of the This complicates Privacy Act oversight be-
importance of these electronic searches, each
cause files created on microcomputers were not
will be discussed in depth in the following
considered when the Privacy Act was enacted,
and it may be impractical to subject them to
Another critical factor in the Federal agency the act. The Privacy Act applies to a “record”
technology environment in the mid-1980s is that is retrieved from a “system of records. ”
the microcomputer. The microcomputer puts The Privacy Act defines “record” to mean:
the power of information collection, storage, . . . any item, collection, or grouping of infor-
retrieval, exchange, manipulation, and print- mation about an individual that is maintained
ing into the hands of discrete individuals. In by an agency, including, but not limited to,
doing so, it raises privacy, security, produc- his education, financial transactions, medical
tivity, and management issues that had been history, and criminal or employment history
irrelevant or dormant in other eras of infor- and that contains his name, or the identifying
mation processing.39 number, symbol, or other identifying particu-
lar assigned to the individual, such as a finger
Because of the control over information proc- or voice print or a photograph.
essing that microcomputers give users and
because of their relatively low cost, the use The act defines “system of records” to mean:
of microcomputers has grown dramatically . . . a group of any records under the control
across all sectors of society. The Federal Gov- of any agency from which information is re-
ernment has not been immune to this trend. trieved by the name of the individual or by
All agencies are experiencing an influx of some identifying number, symbol, or other
microcomputers. The OTA survey revealed identifying particular assigned to the individ-
that the agencies surveyed had a few thousand ual. 42
microcomputers in 1980 and over 100,000 in If a file created and maintained on a micro-
1985. computer meets the criteria for a system of
A major impetus in this demand for micro- records, i.e., is retrieved by name, identifier,
computers within the Federal Government is or other identifying particular, then individ-
the perceived need to increase productivity and uals should have the right to access and amend
efficiency. The broad range of information their records. To do so, all microcomputer files
processing features that a microcomputer cent aining records that are retrievable by name
offers and the variety of software programs
available make microcomputers attractive 40
See U.S. Congress, Office of Technology Assessment, Auto-
throughout an agency. For clerical work, mation of America’s Offices, OTA-CIT-287 (Washington, DC:
U.S. Government Printing Office, December 1985) for an in-
microcomputers are used most often for docu- depth analysis of the effects of microcomputers in the workplace.
“National Bureau of Standards, Microcomputers: introduc-
—.—— tion to Features and Uses, Special Publication 500-110, March
W’he KBL Group, Inc.,“Agency Profiles of Civil Liberties 1984, pp. viii-ix.
Practices, ” OTA contractor report, December 1984, p. 153. “Privacy Act of 1974 (Public Law 93-579), sec. 3(a)(4)(5).

or other identifier would need to be reported the act. The only requirement the act places
to the Privacy Act Officer and noted in the Fed- on agencies is to:
eral Register. . . . establish rules of conduct for persons in-
The second feature of the microcomputer volved in the design, development, operation,
that makes it difficult to monitor the uses of or maintenance of any system of records, or
personal information is that a microcomputer in maintaining any record, and instruct each
serves as a remote terminal to access central- such person with respect to such rules and the
ized systems of records. Such shifting of data requirements of this section, including any
other rules and procedures adopted pursuant
from mainframes to microcomputers raises to this section and the penalties for noncom-
critical questions of data integrity and secu- pliance [Public Law 93-579, sec. 3(e)(9)].
rity. For example, when a record is being used
by one user, there may be no other access to In 1977, the Privacy Protection Study Com-
that information. More importantly, there may mission reviewed agency experience and con-
be no audit trail of additions and deletions.” cluded that:
Additionally, there may be no indication of how . . . the 97 Federal agencies that maintain sys-
current the records are, thus increasing the tems of records subject to the Privacy Act of
likelihood that inaccurate data will be dissem- 1974 have all taken different approaches to ad-
inated. 44 ministration, training, and compliance moni-
toring. . . agencies or components of agencies
At the present time, most microcomputers that have carefully structured programs for
in Federal agencies are desk-top models. The administering the Act appear to be the ones
trend to portable computers—also known as in which 45the Act’s objectives are being best
briefcase, lap, or notebook computers—and achieved.
transportable computers will aggravate the
problems of data integrity and security, espe- Based on responses to the OTA survey of
cially since information will be transported out Federal agencies, 67 percent of agencies re-
of government offices into areas that are nei- sponding reported one (34 agencies) or less than
ther controlled nor secured. Another techno- one (33 agencies) full-time equivalent (FTE)
logical development that will have implications staff assigned to Privacy Act matters. Only
for the processing of personal information is seven agencies reported ten or more FTEs as-
the multiuser microcomputers, or “super mi- signed to Privacy Act matters, and six of these
crocomputers, which are used primarily for were located in the Department of Justice. The
group work situations. FBI reported the largest number of FTEs–
65—assigned to Privacy Act issues.
Finding 2 The Privacy Act requires agencies to:
Federal agencies have invested only limited . . . maintain all records which are used by the
time and resources in Privacy Act matters. Few agency in making any determination about
staff are assigned to Privacy Act matters, few any individual with such accuracy, relevance,
timeliness, and completeness as is reasonably
agencies have developed agency-specific guide- necessary to assure fairness to the individual
lines or updated guidelines in response to tech- in the determination [Public Law 93-579,
nological changes, and few have conducted rec- sec.3(e)(5)].
ord quality audits.
OTA asked agencies to specify the proce-
The Privacy Act allows agencies much lati- dures they follow to ensure Privacy Act rec-
tude to develop their own arrangements for su- ord quality (for example, complete and ac-
pervising implementation and compliance with curate records). In response, most agencies
submitted a copy of their policy directives con-

“National Bureau of Standards, op. cit., p. 96.

“The KBI. Group, Inc., op. cit., p. 162. rnmission, app. 4, op. cit., p. 108.
45Privacy Protection Study Co

taining general information and procedures for creasing public support for additional govern-
administering the Privacy Act. Only about 24 ment action to protect privacy.
percent (30 agencies) have developed agency-
This finding is based on a comprehensive re-
specific guidelines or procedures for determin-
ing what is “relevant’ and ‘timely’ informa- view of public opinion surveys that covered
issues of technology and civil liberties, with
tion within their agency.
special attention to the question of privacy and
The results of the OTA survey also indicated information practices. 48 Most studies, although
that few agencies had conducted audits of rec- privately sponsored, were designed and con-
ord quality. Of 127 agency respondents, only ducted by major public opinion research orga-
about 13 percent (16 agencies) indicated that nizations such as Louis Harris & Associates,
they conducted record quality audits. Of these the Gallup Organization, the Roper Organiza-
16 agencies, none provided copies of the re- tion, the National Opinion Research Center,
suits. 4a With respect to record quality statis- and the major news organizations.
tics for law enforcement, investigative, and
A major difficulty in interpreting existing
intelligence record systems, only one agency
survey research is that most questions have
provided statistics (for three systems under
emphasized general concerns about privacy
its jurisdiction). No statistics were provided
and civil liberties, rather than specific concerns
for any of the other 82 systems reported.47
about the implications of particular uses of
The OTA survey also asked whether agen- computing and information technologies, such
cies had revised or updated Privacy Act guide as computer matching or computer profiling.
lines with respect to microcomputers. Of 119 As a result, much is known about abstract con-
agency respondents, only 8.4 percent (10 agen- cerns for privacy, but little about levels of sup-
cies) had done so. One agency noted that mi- port or opposition to emerging technologies
crocomputers were not used in connection with and their use by government agencies. An ad-
the maintenance of Privacy Act information; ditional problem of survey research is that the
however, as was noted above, files on micro- meaning of responses is clouded by definitional
computers or accessible through microcom- differences in what constitutes an invasion of
puters may well fall under the Privacy Act privacy, including definitions ranging from
“system of records” criteria. personal freedoms, solitude, and freedom from
gossipy neighbors to freedom from govern-
Finding 3 mental or employer surveillance. With these
caveats in mind, a number of conclusions and
Privacy continues to be a significant and en- trends about public opinion can be made.
during value held by the American public, as doc-
umented by several public opinion surveys over General concern over personal privacy has in-
the past 6 years. creased among Americans over the last decade.
When asked directly whether they are con-
About one-half of the American public be- cerned about threats to personal privacy, most
lieves that computers are a threat to society, Americans will answer in the affirmative. In
and that adequate safeguards do not exist to several Harris surveys49 the following question
protect information about people. There is in- was posed:
46A tot~ of 142 agencies were surveyed; 5 did not respond
at all, and 10 others responded that the question was not appli- 48William H. Dutton and Robert G. Meadow, “Public Perspec-
cable or the information was not available, for a net total re- tives on Government Information Technology: A Review of Sur-
sponse of 127 agencies. vey Research on Privacy, Civil Liberties and the Democratic
Again, 142 agencies were surveyed; a total of 85 computer- Process,” OTA contractor report, January 1985.
ized law enforcement, investigative, or intelligence record sys- igLouis H~ris & Associates, Inc., and Dr. Alan F. Westin,
tems were identified. Agencies responded as follows: record qual- The Dimensions of Privacy: A National Opinion Research Sur-
ity statistics maintained (3 systems); no record quality statistics vey of A ttitucies Toward Privacy (conducted for Sentry Insur-
(63 systems); no response (17 systems); not applicable or infor- ance), December 1979; and Louis Harris & Associates, Inc., The
mation not available (1 system); and classified (1 system). Road After 1984: A Nationwide Survey of the Public and Its


Now let me ask you about technology and Figure l.— Beliefs That Computers are an Actual
privacy. How concerned are you about threats Threat to Personal Privacy in This Country a
to your personal privacy in America today?
Would you say you are very concerned, some- 100
what concerned, only a little concerned, or not 90
concerned at all?
In 1983, 48 percent of the public described 70
themselves as “very concerned. ” This was t “Are an actual threat
double the 25 percent reported in January 1978 ~ 60 to personal privacy”
0 51 54
and a marked increase from 31 percent in De- ~ 50 51
cember 1978. In 1983, an additional 29 percent 40
37 41
described themselves as “somewhat concerned, ” 38
“Are not an actual threat
30 1 33
and only 7 percent said they were “not con- ~

cerned at all, ” a significant change from the

28 percent who so described themselves in Jan-
20 1 21\
to personal privacy”

“Not sure”
10 — 6
uary 1978. In addition, Americans overwhelmi- 1
ngly disagree (64 percent, compared with 27 ~
1972 1974 1976 1978 1984
percent who agree) with the statement that: Year
“Most people who complain about their pri-
vacy are engaged in immoral or illegal con- aResponse 10 Do you feel that the Dresent use of computers are an actual threat
[o personal privacy I n th(s counl ry or not?
duct. ” In other words, privacy is not merely SOURCE. Lou Is Harris & Associates Inc The Road After 1984 A Nat/onw/de
Survey of the Pub/ic and Its Leaders on the New Technology and Its
an instrument for avoiding punishment or de- Consequences for Arr?er/can l-~fe (conducted for the Southern New Eng
land Telephone for presentation at the Eighth International Sm!thso
tection–it is seen as a legitimate value itself. nran Symposium, December 19S3)

Most recently, about one-half of the American

public believed that computers were a threat to
privacy. As figure 1 indicates, the percentage An increasing percentage of the public does
perceiving computers as a threat has increased not believe that the privacy of personal infor-
since 1974. In 1974, 38 percent of the respond- mation in computers is adequately safeguarded
ents said computers were a threat and 41 per- –from 52 percent in 1978 to 60 percent in 1983.
cent said they were not. In 1977, 41 percent Although a majority of the public (60 percent)
said computers were a threat and 44 percent believes that computers have improved the
said they were not a threat. In December 1978, quality of life,50 a larger and increasing (68 per-
54 percent said they were a threat and only cent in 1983) percentage of the public believes
33 percent indicated they were not. However that the use of computers must be sharply re-
in 1983, the percentage perceiving computers stricted in the future if privacy is to be pre-
as a threat to privacy decreased slightly, while served .51
the percentage believing that computers are In general, citizens are concerned with the pro-
not a threat increased by approximately 10 per- tections organizations provide for personal in-
cent. In 1982, Roper reported that 44 percent formation. In 1979, 41 percent agreed and 41
were very concerned with reports of abuse of percent disagreed with the statement: “Most
personal information that is stored in com- organizations that use information about peo-
puters, and 39 percent were very concerned ple have enough checks and safeguards against
about “reports of embezzlements and rip-offs the misuse of personal information. ” Govern-
through the use of a computer. ” ment agencies were perceived as intrusive by
about one-third of the public, with the Central
Intelligence Agency, the Federal Bureau of In-
Leaders on the New Technology and Its Consequences for Amer- vestigation, and government welfare agencies
ican Life (conducted for the Southern New England Telephone
for presentation at The Eighth International Smithsonian Sym- Harris, op. cit., 1979, table 9.2.
posium, December 1983.) 5’Harris, op. cit., 1983, table 3-3.

being mentioned most often as asking for too The American public does not look favorably
much personal information. About one-third upon central files and databanks. Most Ameri-
of the public believe that government agencies cans, 84 percent, believe that master files con-
should be doing more to maintain the confiden- taining personal information, such as credit
tiality of personal information. 52 Most Ameri- and employment histories, organizational af-
cans believe that personal information about filiations, medical history, voting record, phone
them is being kept in “some files somewhere calls, buying habits, and travel, could be com-
for purposes not known” to them. As figure piled “fairly easily. ” Only 1 percent of the
2 indicates, the percentage of the public be- Harris respondents expressed uncertainty over
lieving this to be the case has increased over this possibility. Seventy-eight percent believed
time, with a high of 67 percent in 1983. that if such a master file were put together,
it would violate their privacy .54
Most Americans, from two-thirds to three-
fourths, believe that agencies that release the There is increasing support for additional gov-
information they gather to other agencies or ernment action to protect privacy. In 1978, the
individuals are seriously invading personal public was not sure who should be responsi-
privacy 53 (see table 4). But, as figure 3 indicates, ble for maintaining privacy. Nearly one-half
significant percentages of the public believe (49 percent) said it should rest with the people
that public and private organizations do share themselves, while 30 percent said the courts,
information about individuals with others. 26 percent Congress, 25 percent the States, 14
percent the President, and 12 percent said em-
ployers.” Despite confusion over the source of
‘*Harris, op. cit., 1979, tables 2.2, 2.5, 2.6, 2.8, 2.9, 8.1. responsibility, two-thirds of the public re-
“Harris, op. cit., 1983, table 1-6. sponded that laws could go a long way to helpf

preserve our privacy. be Sixty-two percent ‘ ‘he

public thought it was very important that
Figure 2.—Change in Percent of Public Believing there bean independent agency to handle com-
That Files”Are Kept on Themselvesa plaints about violations of personal privacy by
organizations .57 However, 46 percent were op-
90 -
r posed to the creation of a National Privacy Pro-
tection Agency to protect privacy .68
80 “ In surveys conducted by the Roper Center
70 - 67 in 1982,59 large majorities believed that laws
Believe were needed to govern how information on in-
60 -
E 54 dividuals can be used by organizations that
g 50 48 have computer files, and supported the major
al 44
4 0 43
principles of the “Code of Fair Information
\ Do not believe Practices. ” In 1982, 85 percent wanted laws
30 - 32 to ensure that corrections of information were
20 “ included in files, 82 percent said that individ-
12 “Ibid., table 1-2.
1 1 1 I “Harris, op. cit.,
1979, table 10.11.
1972 1974 1976 1978 1980 1982 1984 “Ibid., table 10.3.
“Ibid., table 10.5.
“Ibid., table 10.4.
‘The Roper Center, Institute of Social Research, University
Response to “’Do you bel!eve that personal (n formation about yourself is be-
ing kept In some files somewhere for purposes not known to you, or don’t you
of Michigan, contains surveys by the major private polling orga-
believe this IS so~” nizations, including Gallup, Harris, Yankelovich, CBS/New York
SOURCE’ Louis Harris & Associates, Inc , The Road After 1984: A Nationwide Times, and Roper. OTA commissioned a keyword search at the
Survey of the Public and Its Leaders on the New Technology and Its Roper Center to locate all previous public opinion research
Consequences for Arrrerican Life (conducted for the Southern New Eng-
land Telephone for presentation at the Eighth International Smithso. studies on any aspect of attitudes toward government infor-
nlan Symposium, December 1983). mation technology.
Table 4.—Seriousness of Breaches of Confidentiality

Q.: I’m going to read a few things which might be considered an invasion of privacy, all of which deal with comput-
erized information. Do you feel that (READ EACH ITEM) would be a serious invasion of privacy, or not?
Total Congressmen Corporate Media: science Superintendents
public and top aides executives — —editors of schools
Base . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .“. 1,256 ‘100 100 100 ‘- - 100
The Internal Revenue Service not keeping
individual Federal tax returns confidential:
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 840/o 980/o 930/0 95 0/0 890/’0
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 2 7 5 11
The FBI not keeping information about individuals
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82 95 93 91 86
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 4 6 8 14
Banks sharing information about an individual’s
banking habits and size of bank accounts:
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78 66 60 66 78
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 30 38 33 22
A credit business selling information about an
individual credit standing:
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77 64 46 73 75
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 34 54 25 25
The Census Bureau not keeping information about
individuals confidential:
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 88 73 82 75
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 11 27 18 25
Insurance companies sharing information
gathered about an individual:
Serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72 64 63 66 72
Not serious . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 31 35 32 28
SOURCE Lou Is Harris & Associates, Inc , The Road After 1984 A Nationwide Survey of the Public and its Leaders on the New Technology and its Consequences for
American Life (conducted for the Southern New England Telephone for presentation at the Eighth International Smith son Ian Symposium. December 1983)

uals should be notified of the existence and con- fore being used, and laws that would regulate
tents of files containing information about what kind of information about an individual
them, 82 percent thought there should be laws could be combined with other information
to permit people to get copies of any informa- about the same individual. The authors of the
tion in files on themselves, and 71 percent Harris analysis observed that:
thought there should be laws prohibiting most Particularly striking is the pervasiveness of
private parties from asking for social security support for tough new ground rules govern-
numbers.’” In addition, 72 percent said busi- ing computers and other information technol-
nesses should have the right to get informa- ogy. Americans are not willing to endure abuse
tion only from the person directly, while only or misuse of information, and they overwhelm-
14 percent said databanks were appropriate.” ingly support action to do something about
it. This support permeates all subgroups in so-
In the 1983 Harris survey (see table 5), strong ciety and represents a mandate for initiatives
majorities of the public and majorities of all in public policy.G2
four leadership groups supported the enact-
ment of new Federal laws to deal with infor- Finding 4
mation abuse, including laws that would re-
quire that any information from a computer The Courts have not developed clear and con-
that might be damaging to people or organi- sistent constitutional principles of information
zations must be double-checked thoroughly be- privacy, but have recognized some legitimate
“’Roper 82.6, June 5-12, 1982.
“Roper 82.8, August 14-21, 1982. ‘~~ Harri s, op. cit., 1983, P. 41”

Figure 3.— Percent of Public That Believes terests under the first amendment and due
Each Agency “Shares s ’ Information About process clause, for example, “associational
Individuals With Others a
privacy, “63 “political privacy, ”G4 and the “right
to anonymity in public expression. ”e 5 The
Credit bureaus (75%) fourth amendment protection against “unrea-
sonable searches and seizures” also has a
7 privacy component. In Katz v. United States,
Loan companies (65%)
the Court recognized the privacy interests that
protected an individual against electronic sur-
veillance. But the Court cautioned that:
companies I (57%)
the Fourth Amendment cannot be trans-
lated into a general constitutional “right to
r m ;nc es
““ ’ ’’ ’ & (51%)
privacy. ” That Amendment protects individ-
ual privacy against certain kinds of govern-
mental intrusion, but its protections go fur-
Census Bureau ther and often have nothing to do with privacy
at all. Other provisions of the constitution pro-
tect personal privacy from other forms of gov-

Pubic opinion
w (50%)
ernmental invasion.eo
The fifth amendment protection against self-
incrimination involves a right to privacy against
research firms
unreasonable surveillance or compulsory dis-
closure. e7
The FBI (38%)
Until Griswold v. Connecticut, 381 U.S. 479
P (1965), any protection of privacy was simply
viewed as essential to the protection of other
more well-established rights. In Griswold, the
Court struck down a Connecticut statute that
prohibited the prescription or use of contracep-
I 1 I 1 1 I i 1 1 1 I tives as an infringement on marital privacy.
o 10 20 30 40 50 60 70 80 90 100 Justice Douglas, in writing the majority opin-
ion, viewed the case as concerning “a relation-
Response to “Now I’d like to read you a list of organizations which might have ship lying within the zone of privacy created
a lot of information about individuals. For each, tell me if you think they do have
a lot of information but treat it as strictly confidential, have information and by several fundamental constitutional guaran-
probably share it with others, or don’t really have information that people ought
to be concerned about whether they share it or not. ”
tees,” i.e., the first, third, fourth, fifth and ninth
SOURCE Louis Harris & Associates, Inc , The Road After 1984: A Nationwide
amendments, each of which creates “zones”
Survey of the Public and Its Leaders on the New Technology and Its
Consequences for American L{fe (conducted for the Southern New Eng.
or ‘penumbras’ of privacy. The majority sup-
land Telephone for presentation at the Eighth International Smithso. ported the notion of an independent right of
nian Symposium, December 1983).
privacy inhering in the marriage relationship.
Not all agreed with Justice Douglas as to its
source; Justices Goldberg, Warren, and Bren-
expectations of privacy in personal communi- nan preferred to lodge the right under the ninth
cations. amendment.
Although a “right to privacy” is not men- —- —.. .—
“NAACP v. Alabama, 357 U.S. 449 (1958).
tioned in the Bill of Rights, the Supreme Court b4~a~~ins . ~ni~~ States, 354 U.S. 178 (1957), ~d SWeeZY

has protected various privacy interests. The v. New Hampshire, 354 U.S. 234 (1957).
Court has found sources for a right of privacy %%!ley v. Cab-form-a, 362 U.S. 60 (1960).
G’~a~Z v. Um”te~ States, 389 U.S. 347, 350 (1967).
in the first, third, fourth, fifth, and ninth “See Escobedo v. Minois, 378 U.S. 478 (1964), Miranda v.
amendments. Since the late 1950s, the Su- Arizona, 384 U.S. 436 (1966); and Schmerber v. C&”fornia, 384
preme Court has upheld a series of privacy in- U.S. 757 (1966).

Table 5.—Support for Potential Federal Laws on Information Abuse a

Total Congressmen Corporate Media: science Superintendents
——— public and top aides executives editors of schools
Base ., . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1,256 ‘- 100 – 100 100 100
A Federal law that would require that any
information from a computer that might be
damaging to people or organizations must be
double-checked thoroughly before being used:
Favor, ... . . . . . . . . . . . . . . . . . . . . . . . . . . . 920/o 850/o 72 0/0 94 “/0 94 “10
Oppose. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 12 26 5 5
Federal laws that would make it a criminal
offense if the privacy of an individual were
violated by an information-collecting business
or organization:
Favor. ... , . . . . . . . . . . . . . . ... . . . . . . . ... . . 83 80 79 94 88
Oppose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 10 17 5 12
A Federal law that would call for the
impeachment of any public official who used
confidential information to violate the privacy or
take away the freedom of an individual or a
group of individuals without a proper court
order or a court trial:
Favor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 69 89 85 91
Oppose ... . . . . . . . . . . . . . . . . . . . . . . . . . 17 26 10 15 8
Federal laws that would require punishment for
those in authority responsible for computer
mistakes, such as mistakes that hurt people’s credit
ratings, harm companies, or endanger lives:
Favor. ... . . . . . . ... . . . . . . . . . . . . . . . . . 71 53 37 69 61
Oppose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 41 61 25 37
Federal laws that could put companies out of
business which collected information about
individuals and then shared that information in
a way that violated the privacy of the individual:
Favor. . . . . . . . . . . . . . ... . . . . . . . . . . . . . . . . . 68 65 78 78 77
Oppose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 27 20 20 21
Federal regulations on just what kind of
information about an individual could be
combined with other information about the
same individual:
Favor. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 77 65 81 87
Oppose . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 18 31
— . 16 — 13
Response to Would you favor or oppose (READ EACH ITEM) 7

SOURCE Lou Is Harris & Associates, Inc , The Road After 1984 A Nationwide Survey of the Public and Its Leaders on the New Technology and its Consequences for
American Life (conducted for the Southern New England Telephone for presentation at the Eighth International Smithsonian Symposium December 1983)

In Eisenstadt v. Baird, 405 U.S. 438 ( 1972),’8 Roe V. Wade, 410 U.S. 113 (1973),’9 further
the Court extended the right to privacy beyond extended the right of privacy “to encompass
the marriage relationship to lodge in the indi- a woman’s decision whether or not to terminate
vidual: her pregnancy. ” The Court argued that the
right of privacy was “founded in the Four-
If the right of the individual means any-
teenth Amendment’s concept of personal lib-
thing, it is the right of the individual, married
or single, to be free from unwarranted govern- erty and restrictions upon state action. The
mental intrusion into matters so fundamen- District Court had argued that the source of
tally affecting a personas the decision whether the right was the ninth amendment reserva-
to bear or beget a child. tion of right to the people.
“In which the Court struck down a Massachusetts law that
made it a felony to prescribe or distribute contraceptives to single
persons. ~gIn which the Court struck down the Texas abortion statute.

In the earliest case that raised the issue of kinds of important decisions. ”76G In this case,
the legitimate uses of computerized personal a unanimous Court upheld a New York law re-
information systems, the Court avoided the quiring the State to maintain computerized
central question of whether the Army’s main- records of prescriptions for certain drugs, be-
tenance of such a system for domestic surveil- cause “the New York program does not, on its
lance purposes “chilled’ the first amendment face, pose a sufficiently grievous threat to ei-
rights of those whose names were contained ther interest to establish a constitutional vio-
in the system.70 In two cases decided in 1976, lation. ”77 The Court held that as long as the
the Court did not recognize either a constitu- security of a computer is adequate and the in-
tional right to privacy that protected errone- formation is only passed to appropriate offi-
ous information in a flyer listing active shop- cials, sensitive information may be stored and
lifters” or one that protected the individual’s retrieved without an invasion of a person’s
interests with respect to bank records.72 In right to privacy. In another case in 1977,78 the
Paul v. Davis, the Court specified areas of per- Court used a test similar to the one developed
sonal privacy considered “fundamental”: in Whalen, i.e., balancing the extent of the
privacy intrusion against the interests that the
matters relating to marriage, procreation,
intrusion advanced, holding that:
contraception, family relationships, and child
rearing and education.73 In sum, appellant has a legitimate expecta-
Davis’ claim of constitutional protection tion of privacy in his personal communica-
tions. But the constitutionality of the Act
against disclosure of his arrest on a shoplift- must be viewed in the context of the limited
ing charge was ‘far afield from this line of de- intrusion of the screening process, of appel-
cisions” and “we decline to enlarge them in lant’s status as a public figure, of this lack of
this manner. “74 In United States v. Miller, the any expectation of privacy in the overwhelm-
Court rejected Miller’s claim that he had a ing majority of the materials, of the important
fourth amendment reasonable expectation of public interest in preservation of the materi-
privacy in the records kept by banks “because als, and of the virtual impossibility of segre-
they are merely copies of personal records that gating the small quantity of private materi-
were made available to the banks for a limited als without comprehensive screening. 79
purpose, ” and ruled instead that “checks are The court did reaffirm that one element of pri-
not confidential communications but negotia- vacy is “the individual interest in avoiding dis-
ble instruments to be used in commercial trans- closure of personal matters. “8°
actions. ’75
In subsequent lower court cases involving
In Whalen v. Roe, the Court for the first time the question of information privacy, the cir-
recognized a right of information privacy, not- cuit courts have not uniformly followed Wha-
ing that the constitutionally protected “zone len v. Roe.81 For example, the Seventh and
of privacy” involved two kinds of interests— Ninth Circuit Courts have used autonomy in-
“One is the individual interest in avoiding dis- terests rather than informational privacy in-
closure of personal matters, and another is the
interest in independence in making certain
T~~h~en v. Roe 429 U.S. 589, 599-600 (1977).
‘“Laird v. L%tum 408 U.S. 1 (1972). “Id. at 600.
“Pau] V. ~tiViS 424 U.S. 693 (1976). ‘“Nixon v. Admim”strator of General Services, 433 U.S. 425,
‘*United States v. Miller 425 U.S. 435 (1976). in which the Court upheld a Federal law that required the na-
“Paul v. Davis, 424 U.S. 693, 713 (1976). tional archivists to examine written and recorded information
741d. at 713. accumulated by the President. Nixon challenged the act’s con-
“U.S. v. Miller, 425 U.S. 435, 442 (1976). In response to this stitutionality on the grounds that it violated his right of privacy.
decision, Congress passed the Right to Financial Privacy Act ‘gId. at 465.
of 1978 (Public 95-630) providing bank customers with some ““Id. at 457.
privacy regarding records held by banks and other financial in- “See Gary R. Clouse, “The Constitutional Right to Withhold
stitutions and providing procedures whereby Federal agencies Private Information, ” Northwestern University Law Review,
can gain access to such procedures. vol. 77, 1982, p. 536.

terests as the basis for their rulings .82 In McEl- ployee’s medical records, which may contain
rath v. Califano, the Seventh Circuit Court intimate facts of a personal nature, are well
reiterated that the constitutional right to pri- within the ambit of materials entitled to
vacy extends only to those personal rights privacy protection.86
deemed “fundamental” or “implicit in the con- In a 1981 case involving the compilation and
cept of ordered liberty, ” and that “the claim disclosure of juveniles’ social histories, the
of the appellants to receive welfare benefits on Sixth Circuit explicitly addressed the question
their own informational terms does not rise to of the relationship between Paul v. Davis and
the level of a constitutional guarantee. ”83 In Whalen v. Roe, stating that:
St. Michael’s Convalescent Hospital v. Cali-
fornia, the Ninth Circuit Court ruled that: We do not view the discussion of confiden-
tiality in Whalen v. Roe as overruling Paul v.
As in Paul v. Davis, their [appellants] claim Davis and creating a constitutional right to
is not based upon any contention that the pub- have all government action weighed against
lic disclosure of the cost information will “re- the resulting breach of confidentiality. The Su-
strict [their] freedom of action in a sphere con- preme Court’s discussion makes reference to
tended to be private. ” We conclude that no only two opinions—Griswold v. Connecticut,
cognizable constitutional right of privacy is supra in which the court found that several
implicated here. *4 of the amendments have a privacy penumbra,
and Stanley v. Georgia, supra, a first amend-
In 1980, the Third Circuit used Whalen to ment case—neither of which support the prop-
uphold the National Institute for Occupational osition that there is a general right to non-
Safety and Health’s request that an employer disclosure. 87
produce certain medical records of its employ-
ees.” The Court ruled that: The Sixth Circuit Court went on to state
The privacy interest asserted in this case
falls within the first category referred to in . . . absent a clear indication from the Supreme
Whalen v. Roe, the right not to have an indi- Court we will not construe isolated statements
vidual’s private affairs made public by the gov- in Whalen and Nixon more broadly than their
ernment. There can be no question that an em- context allows to recognize a general constitu-
— tional right to have disclosure of private in-
Wee: Mch’lrath v. Cti”fano, 615 F.2d 434 (7th Cir. 1980) which formation measured against the need for dis-
upheld Federal and State regulations that require all family mem- closure. 88
bers to disclose their social security numbers as a condition for
receiving Aid to Families With Dependent Children benefits; The Supreme Court has not yet accepted a
and St. Michael Convalescent Hospital v. Caliform”a, 643 F.2d
1369 (9th Cir. 1981) which upheld a California statute requir- case to clarify the meaning and breadth of
ing that all health care providers who are reimbursed through Whalen.
the Medi-Cal program release their cost information to the public.
~j~fc~]rath IJ. Cdjfano, 615 F.2d 434,441 (7th Cir. 1980).
“.St. Michael Convalescent Hospital ~’. California, 643 F.2d “’Id. at 577.
1369, 1375 (9th Cir. 1981). HTJIJ. ~, ~esan~j, 6 5 3 F.2d 1080, 1089 (6th Cir. 1981).
“’United States ~’. JI’estinghouse, 638 F.2d 570 (3d Cir. 1980). ““Id.
Chapter 3

Computer Matching
To Detect Fraud, Waste,
and Abuse

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Policy History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Findings. .. . ........ . ........ . ........ .............................
. 43
Finding 1 . ........ . ........ . ........ .
............................. 43
Finding 2 . ........ . ........ . ........ .
. . . . . ,,,... ..,,., . . . . . . . . . . . . 46
Finding 3 . . . . . .,,,.. . . . . . . . . . .............................
. . . . . . . . 50
Finding 4 . ........ . ........ . ........ .
............................. 52
Finding 5 . ........ . ........ . ........ .
. . . . . . . . . . . . . . . . . . . . . . . .,,,.. 53
Finding 6 . ........ . ........ . ........ .
............................. 55
Finding 7 . ........ . ........ . ........ .............................
. 57
Finding 8 . ........ . ........ . ........ .
............................. 58
Finding 9 . ........ . ........ . ........ .
............................. 59
Finding 10 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Finding 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Table No.
6. Project Match Information Disclosures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
7. Statutes Authorizing Specific Computer Matches . . . . . . . . . . . . . . . . . . . . . . 46
8. Computer Matches Reported to the PCIE Long-Term
Computer Matching Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
9. Computer Matching Programs Reported toot. . . . . . . . . . . . . . . . . . . . . . . 49
IO. Examples of Cost/Budget Analyses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
ll. Costs and Benefits of Wage Matching. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
12. Estimated Costs and Benefits of Computer Matching in Four Sites.. . . . . . 52

Figure No. Page
4. Computer From April 1980 to April 1985 . . . . . . . . . . . . 49
Chapter 3

Computer Matching To Detect

Fraud, Waste, and Abuse

Computer matching involves the comparison pose, unless, among other exemptions, it falls
of two or more sets or systems of computer- within a “routine use. Under OMB guidelines,
ized records to search for individuals who may personal information used in computer matches
be included in more than one file. Matching can be disclosed under the routine use ex-
can be done manually with paper files. But, emption.
as a practical matter, time and cost require-
ments make manual matching prohibitive in OTA’S assessment of computer matching
cases involving a large number of records. The technology and policy issues found that:
primary impetus for Federal and State use of ● Although Congress has legislated general
computer matching is to detect fraud, waste,
and specific restrictions on agency disclo-
and abuse in government welfare and social
sure of personal information, it has also
service programs. However, computer match-
endorsed computer matching and other
ing has broad applicability to government pro-
record linkages in various programmatic
grams and activities.
areas specified in several public laws.
Computer matching has the potential to im- Thus, congressional actions appear to be
prove the efficiency of government recordkeep- contradictory.
ing and management of government programs. ● It is difficult to determine how much com-
It is widely used by many States and foreign puter matching is being done by Federal
countries, the private sector, and increasingly agencies, for what purposes, and with
by the Federal Government, where the tech- what results. However, OTA estimates
nique is strongly supported by the Office of that in the 5 years from 1980 to 1984,
Management and Budget (OMB) and the in- the number of computer matches nearly
spectors general, among others, and has been tripled.
endorsed in several public laws. ● As yet, nG firm evidence is available to
determine the costs and benefits of com-
However, a number of problems have been
puter matching and to document claims
identified in Federal computer matching activ-
made by OMB, the inspectors general, and
ities, including weak oversight, little persua-
others that computer matching is cost-
sive evidence or documentation of cost-effec-
tiveness, widely variable record quality, and ● The effectiveness of computer matches
little consideration of the implications for
used to detect fraud, waste, and abuse can
privacy and civil liberties.
be compromised by inaccurate data.
In computer matching, the basic policy con- c There are numerous procedural guidelines
flict is between the efficient management of for computer matching, but little or no
government programs (including effective law oversight, follow-up, or explicit consider-
enforcement) and the rights of individuals. The ation of privacy implications.
fourth amendment protects “persons, houses, ● As presently conducted, computer match-
papers, and effects” against unreasonable gov- ing programs may raise several constitu-
ernment searches and seizures. The Privacy tional questions, e.g., whether they violate
Act of 1974 requires that information collected protection against unreasonable search
for one purpose not be used for another pur- and seizure, due process, and equal pro-


tection of the laws. But, as presently in- In response to the OTA survey of Federal
terpreted by the courts, the constitutional agencies, OTA determined that:
provisions provide few, if any, protections
Forty-three percent of agency components
for individuals who are the subjects of
that reported participation in computer
matching programs.
matching activities (16 out of 37) said that
● The Privacy Act as presently interpreted
the matches were required or authorized
by the courts and OMB guidelines offers
by legislation.
little protection to individuals who are the
Eleven cabinet-level departments and four
subjects of computer matching.
independent agencies carried out a total
● The courts have been used infrequently
of 110 matching programs, with a total
as a forum for resolving individual griev-
of 553 matches conducted from 1980 to
ances over computer matching, although
April 1985.
some organizations have brought lawsuits.
In the 5 years from 1980 to 1984, the num-
● Computer matches are commonly con-
ber of computer matches nearly tripled.
ducted in most States that have the com-
puter capability. At least four-fifths of the For 20 percent of the matches reported,
States are known to conduct computer information was available on the number
matches, most in response to Federal di- of records matched, number of hits, and
rectives. percent of hits verified.
● All Western European countries and Can- Despite the low percentage of respondents
ada are using computer matching or rec- providing information on reported matches,
ord linkages, to an increasing degree, as the number of separate records used in the
a technique for detecting fraud, waste, and reported matching programs totaled over
abuse. 2 billion; the total number of records
● In designing policy for computer match- matched was reported to be over 7 billion
ing, consideration of the following factors due to multiple matches of the same
is important: records.
— which records to make available for com- The percentage of hits (i.e., matches be-
puter matches and for what purposes, tween the specific items of interest in two
—approval required before a match takes different records) verified to be accurate
place, ranged from 0.1 to 100 percent.
—notice to individuals, Sixty-eight percent (25 of 37) of the agen-
—whether to require a cost-benefit analysis, cies indicating that they participated in
—verification of hits, and matching programs said that procedures
—appropriate action to be taken against were used to ensure that the subject rec-
an individual who has submitted false ord files contain accurate information.

Computer matching involves the electronic for individuals who should not appear in two
comparison of two or more sets or systems of systems of records, as in the case of Federal
personal records. ’ Matching is used to check employees above a certain salary level and per-
sons receiving food stamps. Matching can also
‘The Office of Management and Budget (OMB) Guidelines, be used to locate individuals who should ap-
issued May 11, 1982, define computer matching as “a proce- pear in two systems of records but do not; for
dure in which a computer is used to compare two or more auto- example, males registered for the draft and
mated systems of records or a system of records with a set of
non-Federal records to find individuals who are common to more males over the age of 18 with driver’s licenses.
than one system or set. ” Although manually comparing the contents of
— —

two record systems is a traditional audit tech- overpayments, ineligible recipients, incongru-
nique, this practice becomes prohibitive when ous entitlements (SS1 checks mailed to de-
dealing with massive record systems that are ceased individuals, mothers claiming more
not uniformly comparable with other record children than exist), present addresses of in-
systems. Computers greatly facilitate such dividuals (Parent Locator Service, Student
comparisons. Loan defaulters), and providers billing twice
for the same service.
Because of the number of people who may
be subject to computer matching and because In order to facilitate computer matching, a
it can be done without their knowledge, com- number of computerized databanks have been
puter matching has raised a number of policy created solely for matching purposes. One
questions. The basic conflict is between the ef- example is the Medicaid Management Infor-
ficient management of government programs mation System that contains information on
and the rights of individuals. recipient records, provider data, and claims-
processing information.3 A proposed computer-
It is well known that government programs ized databank is the Internal Revenue Serv-
are subject to fraud, waste, and abuse. Al- ice (IRS) Debtor Master File that will contain
though the problem is not peculiar to welfare the names of all delinquent Federal borrowers
programs, fraud and waste in these programs to match against tax returns.4
have been particularly well documented. For
example, the General Accounting Office (GAO) A central policy issue is whether and under
reviewed improper payments for fiscal year what conditions the use of computer match-
1978-79 in 5 of the 58 federally supported wel- ing is appropriate, given the rights of individ-
fare programs, and estimated that Federal and uals who are the subjects of matching and
State welfare agencies spent about $867 mil- given the possible long-term societal effects
lion on erroneous welfare payments because of general electronic searches, as elaborated
recipients had not properly reported their in- below.
come and assets.2 As discussed in chapter 2, public opinion
Since 1977, computer matching has been polls indicate that Americans value their
used extensively by a number of Federal de- privacy and generally expect that activities in
partments and State agencies. Some specific one area of their lives are kept separate from
examples of matching include: those in other areas. In the 1983 Harris Sur-
vey, most Americans (from two-thirds to three
1. recipients of Aid to Families With Depen- fourths) responded that agencies that release
dent Children (AFDC) matched with the the information they gather to other agencies
Social Security Administration’s earnings or individuals are seriously invading personal
record, privacy.’ Two-thirds or more of Americans sur-
2. the Veterans Administration’s rolls veyed believed that the following government
matched with the supplemental security information practices would entail a “serious
income (SS1) benefit rolls, invasion of privacy’ —the IRS not keeping in-
3. AFDC recipients matched with Federal dividual tax records confidential (84 percent
civilian and military payrolls, and perceived this as a serious invasion); the Fed-
4. State AFDC rolls matched with other
State AFDC rolls. 3
U.S. Department of Health and Human Services. Health Care
Financing Administration, “Medicare and Medicaid Data
In general, matching is used to detect un- Book, ” 1982.
reported income, unreported assets, duplicate 4tJudith A. Sulli\an, “IRS To Create Debtor File, ” Go~vrn-
benefits, incorrect social security numbers, ment Computer News, Nov. 8, 1985, pp. 1, 70.
51.0uis Harris& Associates, Inc., The Road After 1984: A ,\’a-
———-——— tionwide Sur~’ey of the Public and Its I.eaders on the ,Vew 7’ech -
‘U.S. General Accounting Office, “Legislative and Adminis- nolo~’ and Its Consequences for.4merican Z.ife, (conducted for
trati~re Changes To Improve Verification of 1$’elfare Recipients Southern New England Telephone for presentation at The
Income and Assets Could Save Hundreds of Millions, ” liRD- Eighth International Smithsonian Sjmlposium, December 1983),
82-9, .Jan. 14, 1982. table 1-6,

eral Bureau of Investigation not keeping in- lic opinion research also indicates that Ameri-
formation about individuals confidential (82 cans have certain expectations about the scale
percent viewed as serious invasion); and the of government monitoring activities. Ameri-
Census Bureau not keeping information about cans assume that government investigations
individuals confidential (73 percent viewed as are predicated on evidence of individual wrong-
serious invasion). Yet, in a 1979 survey, 87 per- doing and that procedural standards and safe-
cent of respondents believed that government guards exist for investigative behavior. The
agencies were justified in using computers to public overwhelmingly believes the police
check welfare rolls against employment rec- should not be able to tap the telephones of
ords to identify people claiming benefits to members of suspicious organizations without
which they are not entitled. However, they obtaining a court order. A large majority of
were less supportive (68 percent) of the IRS the public is concerned about protecting rec-
use of matching to check tax returns against ords from examination by public authorities
credit card records.G without a court order. Over 80 percent of the
public believes that the police should not be
Public opinion polling results suggest that
able to examine the bank records of suspicious
Americans recognize that a balance must be individuals without a court order.8
struck between individual rights and the pro-
tection of society. A majority of the public be- Computer matches can also conflict with the
lieves that there are some costs in terms of expectation of being treated as an individual.
privacy that must be paid in order to have a Computer matches are inherently mass or class
more lawful society. In response to the state- investigations, as they are conducted on a cat-
ment: “In order to have effective law enforce- egory of people rather than on specific indi-
ment, everyone should be prepared to accept viduals. In theory, no one is free from these
some intrusion into their personal lives, ” 57 computer searches; in practice, welfare recipi-
percent agreed and 36 percent disagreed.7 Pub- ents and Federal employees are most often the
‘Louis Harris & Associates, Inc., and Alan F. Westin, The
Dimensions of Privacy: A National Opinion Research Survey
of Attitudes Toward Privacy (conducted for Sentry Insurance,
1979), table 9.3.
‘Ibid., table 2.2. 1bid., table 8.3.

Technology electronic linkages of computers. At the pres-
ent time, the matching of tapes is the proce-
In conducting a computer match, one com- dure commonly used. However, as systems be-
puter file is compared with another using soft- come more compatible and costs drop, direct
ware that instructs the computer to search for electronic linkages between/among systems
certain patterns, e.g., duplicate social security are likely to increase.
numbers, same names, identical addresses. Be-
fore a match is conducted, agency personnel
During the match, computer files are compared
need to determine whether the relevant data
on the basis of a specified data element as an
are formatted in a similar fashion on the two
identifier, generally the social security num-
or more systems being matched. If not, then ber. Experience from early computer matches
the data need to be reformatted or the soft-
suggested that social security numbers were
ware must be designed to take the differences often inaccurate. In order to ensure the effec-
into account. tiveness of a computer match, a search for er-
Files can be compared either by using com- roneous social security numbers can be con-
puter tapes of the record systems or by direct ducted before the match. Additionally, the

identifier used for the match can be the social cations of conducting these matches, especially
security number plus another data element, in light of the Privacy Act “routine use’ pro-
such as the first few letters of a last name. visions.’ There were also disputes between
HEW and the Civil Service Commission (CSC)
The social security number is not essential
and the Department of Defense (DOD), neither
to computer matches as databases can also be
of which wanted to release its tapes because
searched for combinations of selected factors;
of the routine use provision. 1° The general coun-
however, a unique identifier makes matching
sel at CSC raised two concerns regarding the
far easier. In 1981, congressional legislation
compatibility of the proposed match with the
required that every member of a household re-
routine use provision of the Privacy Act: first,
ceiving food stamps must have a social secu-
“it is evident that this information on employ-
rity number. Such a requirement makes match-
ees was not collected with a view toward de-
ing more efficient because it is easier to identify
tecting welfare abuses, ” and second, “that
duplicate or fraudulent recipients.
disclosure of information about a particular
The resulting match produces information individual at this preliminary stage is (not)
on individuals who are common to the two files; justified by any degree of probability that a
for example, an individual who has not repaid violation or potential violation of law has oc-
a Federal student loan may also be a Federal curred. “11 CSC and DOD eventually released
employee, or a physician may have billed Med- their tapes to HE W—CSC justifying the trans-
icaid twice for the same service. Once the fer on the argument that HEW could get the
match has identified the files having duplicate information under the Freedom of Information
or similar information, these files are consid- Act if it so chose, and DOD justifying the
ered “hits.” The hits must then be verified transfer as a new ‘routine use’ under the Pri-
manually to determine whether the same in- vacy Act. HEW lawyers, themselves, were ad-
dividual is really involved and whether there ditionally concerned that the results of the
is cause to believe that the individual has com- match would need to be transferred to the em-
mitted fraud. ploying departments for verification, which
would also raise Privacy Act issues. As table
6 indicates, it was possible to justify under ex-
Policy History
isting law all record transfers required by Proj-
In the early 1970s, a few States began to use ect Match.
computer matching to check AFDC recipients While Project Match was under way, an in-
against wage information from the State Em- teragency advisory group of Federal person-
ployment Security agencies. The first major nel officials questioned whether Federal em-
computer match at the Federal level was Proj- ployees should be notified under the Privacy
ect Match, announced in November 1977 by
Joseph Califano, Secretary of the Department ‘See Jake Kirchner, “Privacy-A History of Computer Match-
of Health, Education, and Welfare (HEW). ing in the Federal Government, ” Cmnputerwodd, Dec. 14, 1981,
pp. 1-16. Section 3b of the Privacy Act establishes the condi-
Project Match compared computer tapes of tions under which an agency can disclose personal information
welfare rolls and Federal payroll files in 18 to another party without the prior consent of the individual.
States, New York City, the District of Colum- One of these conditions of disclosure is *’for a routine use, ” de-
fined as “the use of such record for a purpose which is compat-
bia, and parts of Virginia. The goal was to ible with the purpose for which it was collected” [3(a)(7)]. All
detect government employees who were fraud- routine uses are to be published in the Federal Register, includ-
ulently receiving AFDC benefits. Privacy ad- ing “the categories of users and the purpose of such use”
[3(e) (4)(D]].
vocates in Congress, members of the Privacy l~For correspondence, see Kirchner, Op. cit., and PP. 122-125
Protection Study Commission, the American of U.S. Congress, Senate, Hearings Before the Senate Subcom-
Civil Liberties Union, and others criticized the mittee on O\’ersight of Government Management, Committee
on Governmental Affairs, Ch’er.sight of Computer hfatching To
proposed match as a “fishing expedition. ” Detect Fraud and Mismanagement in Government Programs
(Washington DC: U.S. Government Printing Office, Dec. 15-
There were disputes within the general coun- 16, 1982) [hereafter referred to as the Cohen hearings].
sel’s office at HEW regarding the legal impli- ‘] See Cohen hearings, op. cit., p. 123.

Table 6.—Project Match Information Disclosures

Disclosure Justification
Health, Education, and Welfare Department disclosure of Exception in Privacy Act
social security number and birth dates to other agencies
Office of Personnel Management disclosure to Health, Public interest outweighs personal privacy outlined in the
Education, and Welfare Department Privacy Act and information could be obtained under the
Freedom of Information Act
Defense Department disclosure of military personnel on Exception under “routine use” of the Privacy Act
active duty to Health, Education and Welfare Department
State government disclosure of State Aid to Families With Privacy Act does not apply to States; no Federal law
Dependent Children (AFDC) rolls to Health, Education, and barring such disclosure
Welfare Department
State government disclosure of State AFDC rolls to Federal New “routine use” published in the Federal Register
employer agencies based on original routine uses
Agencies disclosure of annotated work sheets to the Health, HEW Inspector General Statute requiring agencies to
Education, and Welfare Department respond to information requests by Inspector General
Agencies disclosure of civil or criminal proceedings to Exception in Privacy Act
Health, Education, and Welfare Department
Health, Education, and Welfare Department disclosure to Exception in “routine use” of Privacy Act to assist States
State or local agencies and localities enforce violated statutes
Agencies refer information and case to Department of Exception under “routine use” or law enforcement
Justice when lawbreaking is suspected exception of the Privacy Act
Agencies referral of cases to other agencies when For administrative action authorized by the “routine uses”
lawbreaking is suspected or for investigation of of Privacy Act
government employees
SOURCE Kenneth James Langan, “Computer Matching Programs A Threat to Privacy” Columbia Journal of Law and Social Problerns, VOI. 15, No 2, 1979, pp. 149-150

Act of the record transfers. The Department Act, and OMB and the Carter White House
of Justice argued against notification, saying, began to take a more active role in the proc-
‘‘We view Project Match as a law enforcement ess. In late 1977, OMB sent a letter to Repre-
program, designed to detect suspected viola- sentative Richardson Preyer to explain the Ad-
tions of various criminal statutes in (govern- ministration’s justifications for Project Match,
ment) operations." 12 Opponents of the match concluding that ‘the requirement of compati-
pointed out that such a view was hardly con- ble purpose in the routine use is difficult and
sistent with the “routine use” concept. 13 By is ultimately largely a matter of judgment.”5
March 1978, Project Match had identified
While Project Match was being run, the
7,100 employees who were possibly ineligible
White House was concurrently conducting its
for welfare. But, it had also generated so much
Privacy Initiative, following the 1977 report
information that agency officials could not fol-
of the Privacy Protection Study Commission.
low up adequately to determine the validity
The conflict between the goals of the Privacy
of that information.14
Initiative and Project Match was not ignored
After Project Match was completed, Secre- within the White House, but remained unre-
tary Califano advocated more Federal use of solved. In response to concerns about Project
matching and tried to access private sector Match’s privacy implications, OMB took on
company files. This increased public pressure the task of writing guidelines for computer
for justification of matching under the Privacy matching, with input from the President Of-
fice of Telecommunications Policy and the
“Kirchner, op. cit., p. 7. White House Privacy Initiative.
“See testimony of John Shattuck of the American Civil I.ib-
erties Union, Cohen hearings, op. cit., p. 80. In 1979, Congress required States to conduct
“Laura B. Weiss, “Government Steps Up Use of Computer wage matching for AFDC recipients. Because
Matching To Find Fraud in Programs, ” Congressional Quar-
terly Weekl-y Report, Feb. 26, 1983, p. 432. ‘sKirchner, op. cit., p. 10.
— ..-—

computer matching was perceived as an effi- (i.e., standardization of data elements); and 3)
cient tool for managing benefit programs, an inventory of State computer matching soft-
States increasingly began to use it for a num- ware packages. President Reagan has also
ber of programs and with a number of sources, formed the President’s Council on Manage-
including private institutions such as em- ment Improvement, composed of the senior
ployers and banks. One of the largest and best management official from each major depart-
publicized of the State efforts occurred in Mas- ment and agency (including central manage-
sachusetts in 1982 when welfare recipients ment agencies—OMB, the General Services
were matched against bank records, identify- Administration, and the Office of Personnel
ing about 600 people who had bank accounts Management), the Assistant to the President
larger than regulations allowed. About 160 of for Policy Development, and the Assistant to
those persons identified received termination the President for Presidential Personnel. Its
notices. But for more than 110 of these 160 purpose is to advise the President and to over-
persons, the identification based on the com- see agency implementation of management
puter match was later determined to be based reforms.
on erroneous information, e.g., inaccurate so-
In 1982, President Reagan established the
cial security number or bank account for bur-
President Private Sector Survey on Cost Con-
ial expenses held in trust. ’G
trol, popularly known as the Grace Commis-
Since 1979, concern about the size and effi- sion, to study management problems in gov-
ciency of the Federal Government and the in- ernment. Its major finding was “that the
crease in the Federal deficit has made manage- Federal Government has significant deficien-
ment a policy priority for both Congress and cies from managerial and operating perspec-
the executive branch. One effect has been to tives, resulting in hundreds of billions of dol-
encourage the use of computer matching, espe- lars of needless expenditures . . . ‘“7 There have
cially as a technique to detect fraud, waste, been criticisms of the Grace Commi ssion’s cost
and abuse. In 1981, President Reagan estab- figures and its methodology .18 In 1982, the Rea-
lished the President’s Council on Integrity and gan Administration also announced Reform
Efficiency (PCIE), chaired by the Deputy Di- ’88, a program to increase efforts to reduce
rector of OMB, to enhance interagency efforts waste, fraud, and abuse, and to restructure the
to reduce fraud and waste, and to give the in- management and administrative systems of
spectors general a direct link to the President. the Federal Government.
PCIE projects include: 1) a long-term com-
puter matching project; 2) Project Clean Data “Ellen Law, “Grace Reports To the President, ” (;oternment
Computer News, March 1984, p. 4.
“Steven Kelman, “The Grace Commission: How hluch W’astc
] ‘Ross (klhspan, “Computer Matching Stirs [Jp Criticism, ” in Government?’ The Public Interest, No. 78, winter 1985, pp.
Bostm (ilobe, ,June 9,1985, p. A 1, cont. A4. 62-82.

Finding 1 As discussed in chapter 2, Congress has
passed a number of laws that give an individ-
ual certain rights with respect to controlling
Although Congress has legislated general and the use of personal information, and that place
specific restrictions on agency disclosure of per- restrictions on the ways in which agencies may
sonal information, it has also endorsed computer legitimately use such information. These laws
matching and other record linkages in various speak both to general agency practices (e.g.,
programmatic areas specified in several public the Privacy Act of 1974) and to the practices
laws. Thus, congressional actions appear to be of specific agencies, (e.g., Section 6103 of the
contradictory. Tax Reform Act of 1976).

Congress has also legislated a number of ex- as an integrative policy statement on informa-
changes of information among agencies. Con- tion resource management policies, including
gressional concern with detecting fraud, waste, privacy and matching.2o
and abuse has resulted in several major legisla-
tive endeavors that have been viewed as au- A statute that may encourage the sharing
thorizing computer matching. First is the of information within an agency is the Federal
establishment of inspectors general offices in Managers Financial Integrity Act of 1982
a number of Federal agencies to identify and (Public Law 97-255), which requires periodic
reduce fraud, waste, and abuse, and to iden- evaluations of and reports on agency systems
tify and prosecute perpetrators (Public Law of internal control and action to reduce fraud,
94-452, Public Law 94-505, Public Law 97-252). waste, abuse, and error. OMB Circular A-123
The Departments of Health and Human Serv- (October 28, 1981) complements the act by
ices, Energy, Defense, and 15 other Federal mandating an improvement in internal control
agencies have inspectors general. The inspec- systems, including a requirement that agency
tors general are potentially very powerful heads issue specific internal control directives
officers who: and review plans for all components of their
agencies. Inspectors general have the respon-
. . . have complicated reporting relationships sibility to review directives. OMB Assistant
involving department and agency heads, and Director Wright and Comptroller General
Congress and its many committees. IGs can Bowsher have pledged that:
bypass department/agency general counsels
and take matters directly to the Criminal Di- OMB and GAO plan to work together very
vision of the Justice Department. They can ini- closely in implementing the Act and in assur-
tiate audits and investigations at any time, ing that the momentum already built up with-
which can cover fraud, abuse, and any and all in the agencies for improved internal control
management deficiencies. 19 is sustained.21
Inspectors general employ a variety of tech- A fourth statute that encourages exchanges
niques, including: 1) vulnerability assessments of personal information is the Debt Collection
to assess the risk of loss in programs, 2) man- Act of 1982 (Public Law 97-365), which estab-
agement control guides, 3) fraud bulletins and lishes a system of data-sharing between Fed-
memos, 4) fraud control training, 5) hotlines eral agencies and private credit reporting agen-
for reports of wrongdoing, and 6) audit follow- cies in order to increase the collection of
up procedures. Matching, profiling, and front- delinquent nontax debts. The act permits agen-
end verification are used by inspectors general. cies to:
A second legislative endeavor that is per- 1. refer delinquent nontax debts to credit bu-
ceived as encouraging data-sharing among reaus to affect credit ratings;
agencies is the Paperwork Reduction Act of 2. contract with private firms for collection
1980 (Public Law 96-51 1), which gives OMB services;
Federal information oversight authority and 3< require applicants for Federal loans to sup-
the responsibility y to promote the effective use ply their taxpayer identification numbers
of information technology. It establishes an (social security numbers);
Office of Information and Regulatory Affairs 4 offset the salaries of Federal employees
within OMB to carry out the purposes of the to satisfy debts owed the government;
act, oversee agency compliance, and set up a 5< screen credit applicants against IRS files
Federal Information Locator System to reg- to check for tax delinquency;
ister all information collection requests. OMB
Circular A-130 was issued in December 1985 ‘“office of Management and Budget, “Management of Fed-
eral Information Resources, ” Circular No. A-130, Dec. 12, 1985.
‘‘,John D. Young, ‘‘Reflections On the Root Causes of Fraud, ‘] Office of Management and Budget, “Agencies to Tighten
Abuse and Waste in Federal Social Programs, ” Public Admin- Internal Control Systems, ” OMB 82-26 (President Task Force
istration Re\’iew, 1983, p. 366. on Management Reform), Oct. 8, 1982.
. .

6. turn over to private contractors the mail- or State agencies to: 1) have an income and
ing addresses of delinquent debtors ob- eligibility system, 2) obligate recipients to sup-
tained from IRS; ply their social security numbers and require
7. extend from 6 to 10 years the statute of States to use those numbers in the adminis-
limitations for collection of delinquent tration of programs, 3) compel employers to
debts by administrative offset; and keep quarterly wage information, 4) exchange
8. charge interest, penalties, and administra- relevant information with other State agencies
tive processing fees on delinquent nontax and with the Department of Health and Hu-
debts. man Services, and 5) notify recipients and ap-
plicants that information available through the
The law requires agencies to provide due proc-
system will be requested and utilized. The pro-
ess to individuals before using any of the newly
grams that must participate in the income ver-
authorized methods of collection. The law pro-
ification program are: AFDC; Medicaid; un-
vides safeguards to preserve the confidentiality
employment compensation; food stamps; and
of taxpayer information, and civil and crimi-
any State program under a plan approved un-
nal penalties are included when taxpayer ad-
der Titles I, X, XIV, or XVI of the Social Secu-
dresses are improperly disclosed. OMB esti-
rity Act. Under DEFRA, no Federal, State,
mates that the improved procedures and newly
or local agency may terminate, deny, suspend,
available tools will result in an additional $500
or reduce any benefits of an individual until
million in annual collections.2z OMB has de-
such agency has taken appropriate steps to in-
cided that:
dependently verify information.
Rather than creating a new bureaucracy to
implement the credit reporting provisions of DEFRA provides certain procedural rights
the Debt Collection Act, the existing nation- for the individual, including that the agency
wide network of commercial and consumer credit shall inform the individual of the findings made
bureaus will be under contract to provide this on the basis of verified information, and give
service for all departments and agencies. z~ the individual an opportunity to contest such
The statute requiring the most far-reaching findings. DEFRA makes a number of changes
data-sharing is the Deficit Reduction Act of in the Internal Revenue Code, including that
1984 (DEFRA) (Public Law 98-369), which re- the Commissioner of Social Security shall, on
quires the establishment of new State infor- request, disclose information on earnings from
mation systems for verification purposes and self-employment, wages, and payments on re-
the use of verification in a number of federally tirement income to any Federal, State, or lo-
funded State-administered programs. This cal agency administering one of the following
1,2 10-page law provides tax reforms and spend- programs: AFDC; medical assistance; supple-
ing reforms, primarily by amending the Social mental security income; unemployment com-
Security Act and Internal Revenue Code. Pro- pensation; food stamps; State-administered
visions that are relevant to management and supplementary payments; and any benefit pro-
efficiency are in Subtitle C—’ Implementation vided under a State plan approved under Ti-
of Grace Commission Recommendations, ” Sec- tles I, X, XIV, or XVI of the Social Security
tion 2651. Act. Information with respect to unearned in-
come may also be disclosed from the IRS files
The major changes in the Social Security Act to the above agencies.
mandated by DEFRA include requiring States
In addition to these broad endorsements of
Wffice of Management and Budget, “OMB Announces and requirements for computer matches, there
Progress in Administration’s Debt Collection Effort ,“ OM13 82-
32 iReform ’88 Communications), Dec. 15, 1982.
are a number of statutes that authorize spe-
‘]Office of Management and Budget, “Government to Use cific computer matches (see table 7).
Credit Bureaus to Cut Delinquent Debts; Delinquenc~’ Growth
Halted, OMB 83-29 i Public Affairs Management), Sept. 23. Congressional restrictions on agency dis-
1983. closures of personal information and congres-

Table 7.—Statutes Authorizing Specific Two GAO reports25 recommended that SSA
Computer Matches use IRS tax information to verify eligibility.
Tax Reform Act of 1976, Public Law 94-455, permitted the De-
In deciding the case, Judge Abner Mikva rec-
partment of Health, Education, and Welfare to search the ognized that:
databanks of other Federal agencies to locate parents who
fail to pay child support. Much of the confusion , . . arises from con-
Social Security Amendments of 1977, Public Law 95-216, re- flicting signals given by the Congress. In 1972,
quired States to use wage data in determining eligibility when enacting the Social Security Amend-
for Aid to Families With Dependent Children (AFDC) Pro- ments that instituted the Benefits program,
gram benefits by providing them access to earnings in-
formation held by the Social Security Administration (SSA) Congress was concerned with ensuring that
and State employment security agencies. financially ineligible individuals not abuse the
Food Stamp Act Amendments of 1977, Public Law 96-58, system. To this end, Congress directed the
granted access to employer-reported wage information for SSA to obtain as much information as possible
recipients of supplementary security income (SSI)
to discover such ineligibility. In 1976, when
Food Stamp Act Amendments of 1980, Public Law 96-249, expanding the confidentiality provisions as
amended the Internal Revenue Code and the Social Secu- part of the Tax Reform Act of 1976, Congress
rity Act to allow State food stamp agencies to obtain and made clear that tax information was to be
use wage, benefit, and other information in SSA files and absolutely confidential, subject to certain
those of State unemployment compensation agencies.
Food Stamp and Commodity Distribution Amendments of explicit exceptions. Although Congress cre-
1981, Public Law 97-98, required States to obtain and use ated numerous exceptions, none was applica-
earnings information obtained from employers. ble to the information which SSA now seeks.
Department of Defense Authorization Act of 1983, Public Law When Congress speaks with two separate
97-252, required the Secretary of Education to prescribe
methods for verifying that individuals receiving any grant, minds, the conflicting goals can present diffi-
loan, or work assistance under Title IV of the Higher Edu- cult dilemmas.2G
cation Act of 1965 had complied with registration as nec-
essary under the Military Selective Service Act. In response to the OTA survey, 43 percent
Deficit Reduction Act of 1984, Public Law 98-369, required of agency components that reported partici-
the Internal Revenue Service (IRS) to disclose information pation in computer matching activities (16 out
about an individual’s unearned income to State welfare
agencies and the SSA to verify the income of an applicant of 37) said that the matches were required or
or beneficiary of the AFDC, SSI, and food stamp programs. authorized by legislation. However, approxi-
(Presently, IRS is required to disclose only information on mately one-third of the respondents cited gen-
earned income.) The Deficit Reduction Act also requires
States to maintain a system of quarterly wage reporting eral statutes such as an Inspector General Act,
as part of its income verification system. the Debt Collection Act, or an Omnibus Recon-
SOURCE Off Ice of Technology Assessment ciliation Act. Another one-third cited explicit
requirements for matching, such as the Uni-
form Code of Child Support or Title 7, U. S. C.,
sional authorizations of computer matching chapter 51, “Food Stamp Program. ” Another
place agencies in a position where the legiti- onethird cited more general authorization, e.g.,
macy of either a disclosure or refusal to dis- Public Law 96-473, which requires the suspen-
close can be challenged. A prime example is sion of benefits for inmates of penal institu-
Tierney v. Schweiker, 718 F.2d 449 (1983), tions and is given as the basis for matches be-
which involved the Social Security Adminis- tween inmate records and social security files.
tration’s (SSA) use of confidential tax return
information maintained by IRS for purposes of Finding 2
verifying the income and assets of supplemen-
tal security income recipients. SSA was act- It is difficult to determine how much computer
ing on its congressional mandate that SSA’S matching is being done by Federal agencies, for
determinations of eligibility be based on “rele- what purposes, and with what results. However,
vant information [that is] verified from inde- OTA estimates that, in the 5 years from 1980
pendent or collateral sources and additional to 1984, the number of computer matches nearly
information [that is] obtained as necessary. “2 4 tripled.
“U.S. General Accounting Office, HRD 81-4, Feb. 4, 1981 and
42 U.S.C. sec. 1383(3)(1)(B) as quoted inTierne-y v. Schweiker HRD 82-9, Jan. 12, 1982.
718 F,2d 449, 451 (1983). 2’Tierney v. Schweiker 718 F.2d 449, 454 (1983).

There has been no accurate accounting of the Student Loan database with the OPM’S
number of matches that have been done at the Federal Employee database, would be cov-
Federal level. In part, this is a definitional prob- ered; comparison of six individual student
lem. One distinction that affects reports of the loan defaulters with the OPM file would
amount of computer matching being done is not.
that of “matching programs” versus “matches.” 2. Checks on specific individuals to verify
The OMB guidelines define a “matching pro- data in an application for benefits, done
gram” as: soon after the application is received.
. . . a procedure in which a computer is used 3. Checks on specific individuals based on
to compare two or more automated systems information that raises questions about
of records or a system of records with a set an individual’s eligibility for benefits or
of non-Federal records to find individuals who payments, done reasonably soon after the
are common to more than one system or set. information is received.
The procedure includes all of the steps associ- 4. Matches done to produce aggregate sta-
ated with the match, including obtaining the tistical data without any personal iden-
records to be matched, actual use of the com- tifiers.
puter, administrative and investigative action 5. Matches done to support any research or
on the hits, and disposition of the personal statistical project where the specific data
records maintained in connection with the
match. It should be noted that a singIe match- are not to be used to make decisions about
ing program may involve several matches the rights, benefits, or privileges of spe-
among a number of participants.27 cific individuals.
6. Matches done by an agency using its own
Based on this definition, there will be many records .28
more matches than there are matching pro-
grams, as one matching program may include For the purposes of this report, the first three
a number of record sets (e.g., Office of Person- applications are considered front-end verifica-
nel Management (O PM) records with SSA rec- tion and are discussed in chapter 4. The fourth
ords and OPM records with Farmers’ Home and fifth applications are not relevant to this
Administration loans), and/or a matching pro- inquiry. The sixth application does include a
gram may involve a number of matches at significant number of matching programs and
certain intervals, e.g., yearly or monthly. How- matches that are relevant to this discussion,
ever, this distinction between matching pro- e.g., SSA and another component of the De-
grams and matches has not always been rec- partment of Health and Human Services.
ognized in accounts of numbers of computer In addition to definitional problems, the
matches. rules for reporting matches may not require
A second important distinction in under- that all matches be reported. Notices of com-
standing reports on the scale of computer puter matching programs that meet the cri-
matching by Federal agencies is one made by teria in the OMB guidelines may appear in the
OMB. Some compilations of computer match- Federal Register as a new routine use. How-
ing at the Federal level include only those ever, if the agency providing the data believes
matches that fall under the OMB guidelines, that the system of records already contains
others include both, and still others do not such a use, then no additional notice in the F’ed-
differentiate. OMB’S guidelines state that the end Register is required. No notice is required
following are not matching programs: for records that are matched within an agency.
1. Matches that do not compare a substan- There have been a number of attempts at
tial number of records, e.g., comparison of determining the scale of computer matching.
the Department of Education’s Defaulted Figures range from 200 programs on upwards.

‘70ffice of Management and Budget, “Privacy Act of 1974;

Re\’ised Supplemental Guidance for Conducting Matching Pro-
grams, ” FederaJ Register, vol. 47, No. 97, May 19, 1982, p. 21657. ‘mIbid., p. 21757.

For example, in 1982 hearings on computer January 1986 as an update, and reported 108
matching, Senator William Cohen estimated matches. 33 (See table 8 for breakdown by agency.)
that: A 1985 GAO study, Eligibil.z”ty Verification
As of January 1982, Federal agencies had and Privacy in Federal Benefit Programs: A
completed more than 85 matching programs Delicate Balance, reported that:
and State government agencies are now per-
forming approximately 170 matches involving Before 1976, only two benefit program-
public assistance records, unemployment com- related Federal computer matching projects
pensation records, government employee files, were conducted. However, recent inventories
and in some cases, the files of private compa- of Federal and State agencies’ computer match-
nies. These projects involve the records of hun- ing programs show that Federal agencies had
dreds of thousands of citizens.zg initiated 126 benefit-related matches, 38 of
which were recurring as of May 1984. State
At the same hearings, Thomas McBride, agencies, as of October 1982, had initiated
former Inspector General of the Department more than 1,200 matching projects, most of
of Labor, testified: them recurring.
So my guess is we are talking about a popu-
lation of roughly 500, more or less, routine re- ‘$The low fiares in the 1986 compilation can be attributed
curring matches going on, some of them sub- to two factors. The first is that some large agencies that previ-
ject to Federal legislative action, some of them ously had reported a number of matches did not respond, e.g.,
Departments of Labor, Defense, and Justice. The second fac-
not. 30 tor is that many agencies have increased their use of computer
screens and profiles rather than their use of computer matches.
The Long Term Computer Matching Project This latter factor will be discussed in ch. 4.
of the President’s Council on Integrity and
Efficiency has issued three compilations of
Federal computer applications to prevent/de-
tect fraud, waste, and abuse. These compila- Table 8.—Computer Matches Reported to the PCIE
tions do not provide complete listings of com- Long-Term Computer Matching Project
puter matching programs.31 They include those 1982 1984 1986
computer matches that agencies chose to re- Department of Agriculture . . . . . . . . . . . 11 10 23
port; some agencies submitted partial reports, Department of Commerce . . . . . . . . . . . 0 1 1
others appear not to have responded at all, or Department of Defense . . . . . . . . . . . . . . 0 30 0
Department of Education . . . . . . , . . . . . 1 1 0
to only one or two of the PCIE’S requests. General Services Administration . . . . . . 1 1 18
Some of the reported matches are one time Department of Health and
only, others are recurring. The first compila- Human Services . . . . . . . . . . . . . . . . . . 29 58 55
Department of Housing and
tion was distributed in 198232 and reported 77 Urban Development . . . . . . . . . . . . . . . 0 4 3
matches; the second was distributed in July Department of the Interior . . . . . . . . . . . 0 1 0
1984 as an expansion and update, and reported Department of Justice. . . . . . . . . . . . . . . 8 5 0
Department of Labor , . . . . . . . . . . . . . . . 12 12 0
162 matches; and the third was distributed in National Science Foundation . . . . . . . . . 0 2 0
‘gCohen hearings, op. cit., p. 2. Nuclear Regulatory Commission . . . . . . 0 1 0
1 bid., p. 20. Peace Corps . . . . . . . . . . . . . . . . . . . . . . . 0 1 0
3’It does not appear that the PCIE inventory used the OMB Pension Benefit Guaranty Corp. . . . . . . 0 1 0
guidelines’ definition of computer matching programs. Some Office of Personnel Management . . . . . 3 5 0
agencies reported matches within their agency, e.g., Depart- Railroad Retirement Board . . . . . . . . . . . 0 8 1
ment of Health and Human Services Black Lung and SSA Title Small Business Administration . . . . . . . 1 1 0
II. Some agencies reported particular matches within a match- Department of State . . . . . . . . . . . . . . . . 2 2 0
ing program. Tennessee Valley Authority . . . . . . . . . . 0 4 5
None of the compilations is dated. The phrase ‘distributed Department of the Treasury . . . . . . . . . . 0 3 0
in 1982” is used by PCIE in its second compilation to describe Veterans Administration . . . . . . . . . . . . . 9 11 2
SOURCE President’s Commission on Integr!ty and Efficiency,
the first compilation.
4 9

In response to the OTA survey of Federal Figure 4.—Computer Matches Conducted

agencies, 11 cabinet-level departments and 4 From 1980 to April 1985
independent agencies reported conducting 110
matching programs34 with a total of approxi- 127
mately 700 matches from 1980 to April 1985.
The Departments of Energy and State were
the only two cabinet-level departments that
reported no matching programs. Of the 20 in-
dependent agencies surveyed, only three (NASA,
Selective Service System, and Veterans Ad-
ministration) reported any matching programs
(see table 9 for a breakdown of matching pro-
grams by agency). 46

While the data from the responses to OTA

and to PCIE are not directly comparable, 20
the trend toward increased use of computer t
matches is clear (see figure 4). In the 5 years ( ) ~
1980 1981 1982 1983 1984 1985
from 1980 to 1984, the number of computer (April)
matches nearly tripled. Year
SOURCE: Off Ice of Technology Assessment
From 1979 to 1984, OMB received only 56
reports on matching programs from Federal
agencies. According to OMB records, there
were 11 matches reported in 1979; 2 in 1980;
11 in 1981; 13 in 1982; 6 in 1983; and 13 in 1984.
The OMB figures are obviously lower than the matching figures reported elsewhere because:
1) only those matching programs that fit the
“Some of these matching programs are conducted within an OMB definition are included; and 2) some agen-
agency and therefore do not fall within the OMB definition. cies do not submit match notices under the rou-
tine use and systems of records, but instead
fit matching programs into existing routine
Table 9.—Computer Matching Programs a use and existing systems of records.
Reported to OTA

Department of Agriculture . . . . . . . . . . . . . . . . . . . . .. ...33 In determining the scale of computer match-

Department of Commerce . . . . . . . . . . . . . . . . . . . . . . . . . 1
Department of Defense . . . . . . . . . . . . . . . . . . . . .. .....15
ing activities at the Federal level, it is also im-
Department of Education . . . . . . . . . . . . . . . . . . . . . . . . . . 3 portant to consider the number of records that
Department of Health and Human Services . . . . . . . . . . 1 have been matched. In response to the OTA
Department of Housing and Urban Development . . . . . 3
Department of the Interior. . . . . . . . . . . . . . . . . . . . . . . . . 3
data request, information on number of records
Department of Justice . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 matched, number of hits, and percent of hits
Department of Labor. . . . . . . . . . . . . . . . . . . . . . . .......21 verified was provided for 20 percent of the
Department of Transportation . . . . . . . . . . . . . . . . . . . . . . 1 matches reported. Despite this low response,
Department of the Treasury . . . . . . . . . . . . . . . . . . . . .. .14
National Aeronautics and Space Administration . . . . . . 1 the number of separate records used in the re-
Selective Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 ported matching programs totaled over z bil-
Veterans Administration . . . . . . . . . . . . . . . . . . . . . . . . . . 7 lion; the total number of records matched was
asO~e of th~s,~ r-rlatchlng programs are conducted wlthln an a9encY and there-
fore do not fall wlthln the OMB definition.
reported to be over 7 billion due to multiple
SOURCE OTA Federal Agency Data Request matches of the same records.

Finding 3 technique will help assure that individuals who

are not entitled to receive payments don’t,
As yet, no firm evidence is available to deter- making more money available for those who
mine the costs and benefits of computer match- are deserving.3b
ing and to document claims made by OMB, the
Likewise, the Grace Commission concluded
inspectors general, and others that computer
matching is cost-effective.
Computer matching is an effective manage-
Before discussing the attempts to date at ment tool for identifying fraud, waste, and
estimating costs and benefits, it is important abuse of government benefits, entitlements
to place computer matching within a context. and loan programs. Computer matching is use-
Computer matching is a technique that has ful in other ways too, such as validating bill-
been used primarily to detect client fraud, ings of large government contractors. . . Rec-
which is only one component of fraud, waste, ommendations in the task force reports to
and abuse. In order to accurately determine correct information problems related to this
the cost-effectiveness of computer matching, issue provide opportunities for cost savings
the extent of client fraud must first be docu- and revenue of $15.9 billion over 3 years ($11.3
mented. If client fraud accounts for only a billion when information gaps cited in other
small percentage of total fraud, waste, and issues in the Report are netted out). 37
abuse, then other techniques to detect other In the 1982 Cohen hearings on computer
types of fraud, waste, and abuse maybe more matching, former Inspector General McBride
cost-effective overall. In this respect, one of the Department of Labor testified that:
author cited the 1978 Annual Report of the
The hits, the overpayments, for the big ben-
HEW Inspector General, which estimated that efit programs run somewhere between 1.8 up
the Department lost between $5.5 and $6.5 bil- to maybe 4 percent, depending on what pro-
lion through management inefficiencies, pro- gram you are talking about. For AFDC, the
gram misuse, and fraud. In this instance, man- hits are probably somewhere at the lower end,
agement inefficiencies and program misuse because they do a little better job of verifica-
accounted for 97 percent of the inspector gen- tion. Food stamps is a little higher. Unemploy-
eral’s estimate of losses, while client fraud ac- ment insurance may be even higher, in some
counted for only 3 percent.36 States particularly .38
In response to the OTA survey, only 8 per- In a 1983 article, Richard Kusserow, Inspec-
cent of the agencies that reported participa- General of the Department of Health and
tion in computer matching activities (3 out of Human Services, reported:
37 agencies) said that they did cost-benefit Our own Project Spectre which matches So-
analyses prior to computer matching. Eleven cial Security beneficiary payments with Medi-
percent (4 of 37) reported doing cost-benefit care death files has led to about $7.5 million
analyses after matching. in recoveries to date. Recoveries, in this case,
covers all monies collected by our investiga-
Various individuals and organizations have tors, including checks not cashed but debited
asserted that computer matching is cost- to the treasury. We project total savings over
effective, but have provided little or no spe- time to reach $25.2 million.39
cific information on actual costs and benefits. In Computer Matching in State Admim”s-
For example, Joseph Wright, OMB’S Deputy tered Benefi”t Programs: A Manager’s Guide
Director, reported in an OMB circular that:
—— —
The IG’s are wisely using this spectacularly 0MB 83-14.
“President’s Private Sector Survey on Cost Control, A Re-
effective technique to reap for the American port to the President (1984), Part II: Issue and Recommenda-
public the savings that private industry has tion Summaries, p. 82; see pp. 84-86 for examples.
for many years been obtaining. Use of this “Cohen hearings, op. cit., p. 19.
‘gRichard P. Kusserow, “Fighting Fraud, Waste and Abuse, ”
“Young, op. cit., p. 362. The Bureaucrat, fall 1983, p. 23.

to Decision Making,’” the quantitative bene- checked, is necessary. For example, the Depart-
fits of computer matching include estimated ment of Health and Human Services’ Inspec-
savings and measures of grant reductions, col- tor General Kusserow has suggested that:
lections, and corrections. The list of qualita-
For large matches, officials would have to
tive benefits is longer, including: increased de- analyze only a sample of the hits to verify the
terrence, improved eligibility determinations, matching process. After doing this, officials
enhanced public credibility for benefit pro- should take corrective measures, proceeding
grams, more effective referral services, and im- cautiously against any individual where doubt
proved databases. exists. 42
The costs of computer matching vary accord- The PCIE Long Term Computer Matching
ing to the size of the record set, as well as the Committee has developed some information on
complexity, quality, and compatibility of the the costs of selected matches. For many of the
records. In Computer Matching in State Ad- matches, the information presented is very
ministered Benefit Programs, the quantitative sketchy. The matches for which the PCIE
costs include: hardware/software; computer offered the most complete information are
processing time; space; supplies; personnel listed in table 10.
managers, data-processing staff, eligibility
David H. Greenberg and Douglas A. Wolf
assistance workers, clerical workers, hearings
have recently completed a study43 in which
officers, fraud investigators, collections staff,
they constructed a cost-benefit framework (see
attorneys, and training staff; other public
table 11) and used it to evaluate the perform-
agency resources; and private institution re-
ance of computer wage-matching systems of
sources. The qualitative costs include: reduced
welfare agencies in four areas: Camden County,
staff morale, heightened public concerns about New Jersey; Mercer County, New Jersey; San
“big brother, ” increased political conflict,
Joaquin County, California; and the State of
gamesmanship with numbers, operational in-
New Hampshire. In each of their study sites,
efficiencies, and diversion of resources. Defi-
they reported that they obtained reliable and
nitions for these qualitative costs are not
complete information on the costs of match-
ing, but were unable to measure benefits as
All agree that verification costs are the high- precisely. Additionally, there were some ben-
est and the most difficult to compute. In Com- efits, e.g., deterrent effects and positive effects
puter Matching in State Administered Bene- on attitudes of affected parties, that they could
fit Programs, it is pointed out that: not measure at all. Thus, they regard their test
of the cost-effectiveness of wage matching to
Follow-up is the most costly, labor-intensive be a conservative one.
part of the computer matching process. Most
notably, it involves what can be a very tedi- Greenberg and Wolf concluded from their
ous and time-consuming job of verifying hits. four case studies that the benefits from com-
But it also involves other components such as puter matching outweighed the costs by “sub-
making any necessary change in a recipient stantial amounts’ ’44 (see table 12). If computer
case status, calculating and pursuing over-
payments, hearing appeals, making referrals matching were as effective nationally, they
to fraud units, and actually conducting crimi- suggested that “cost savings in the food stamp
nal investigations and pursuing convictions.41 and AFDC programs would be approximately
There is some disagreement as to how much
verification, both in terms of number of hits ‘zRichard P. Kusserow, “The Government Needs Computer
verified and in terms of records and sources Matching To Root Out Waste and Fraud, ” Communications
— of the ACM, vol. 27, No. 6, June 1984, p. 544.
4“U.S. D–epartment of Health and Human Services, Office of “David H. Greenberg and Douglas A. Wolf, “Is Wage Match-
Inspector General, Computer Matching in State Administered ing Worth All the Trouble?’ Public Welfare, winter 1985, pp.
Benefit Programs, June 1984, p. 25. 13-20.
4’ Ibid. 1 bid., p. 18.

Table 10.—Examples of Cost/Benefit Analyses

Selected matches
Equipment costs . . . . . . . . . . . . . . . . . . . . . 1,500 125,000 10,950 2,291 6,124 1,000
ADP staff costs . . . . . . . . . . . . . . . . . . . . . . 1,200 25,000 3,213 2,142 1,831 1,150
Staff verification costs . . . . . . . . . . . . . . . . 4,500 1,000,000 94,163 12,968 15,763 96
Travel and other costs . . . . . . . . . . . . . . . . 10,000 — 39,416 — 10,028 100
Cases found . . . . . . . . . . . . . . . . . . . . . . . . . 21 219 770 170 405 340
Overpayments identified . . . . . . . . . . . . . . 35,000 103,000 9,100,000 640,800 2,263,927 71,000
Cases with recoveries made . . . . . . . . . . . 2 219 — — 364 —
Overpayments recovered . . . . . . . . . . . . . . 2,500 139,000 — — 993,118 —
Overpayments prevented . . . . . . . . . . . . . . — — 770 170 — 1,300
Amount prevented . . . . . . . . . . . . . . . . . . . . — 50,000 4,089,600 46,300 — 274,000
Questioned costs . . . . . . . . . . . . . . . . . . . . — — — — — —
Disallowed costs . . . . . . . . . . . . . . . . . . . . . — — — — — —
KEY: DOL = Department of Labor, TVA = Tennessee Valley Authority, IRS = Internal Revenue Service; OPM = Office of Personnel Management; SSA = Social Security
Administration; RRB = Railroad Retirement Board; HCFA = Health Care Financing Administration, USAF = U S Air Force, VA = Veterans Administration.
SOURCE President’s Council on Integrity and Efficiency Long Term Matchlng Committee, ‘(Draft/Summary of Federal Computer Applications for Prevention of Fraud
and Abuse “

Table 11 .—Costs and Benefits of Wage Matching 1 or 2 percent. ”45 However, they caution that
this may not be the case because they chose
Benefits: wage-matching programs that were function-
Restitution of previous overpayments
Savings from food stamp disqualifications ing well:
Savings from benefit reductions and discontinuances:
● prevention of future overpayments For example, the employer-reported data
● administrative savings used by these systems clearly were adequate
Changes in behavior and attitudes: in terms of coverage, content, and timeliness.
● deterrent effects
● improved cIient attitudes Equally important: follow-up procedures were
● improved staff morale well-structured, adequate resources were avail-
● improved relations with the public able for follow-up, and supervisors were gen-
costs: uinely committed to the program. Without
Personnel costs (salaries and fringe benefits): such conditions, it certainly is possible that
● income maintenance staff
wage matching could prove ineffective.46
fraud investigative staff
● district attorney staff
● other Finding 4
Materials and facilities costs:
● computers
The effectiveness of computer matches that
● word processors
● forms
are used to detect fraud, waste, and abuse can
● general overhead such as office space, telephone, be compromised by inaccurate data.
SOURCE: David H. Greenberg and Douglas A Wolf, “IS Wage Matching Worth The Massachusetts case discussed earlier,
All the Trouble?’’Public We/fare, winter 1985, p 16
in which 110 of the 160 termination notices
that were sent following a computer match
were based on erroneous information, is the
Table 12.—Estimated Costs and Benefits of best known example of use of inaccurate data.
Computer Matching in Four Sites
However, many matches experience some prob-
costs Benefits Ratio lems with inaccurate data, and, in part, com-
Mercer County . . . . . . . . . . $786,821 $ 932,958 1.19 puter matching can be effective in detecting
Camden County . . . . . . . . . 753,662 1,452,367 1.93 errors in data.
San Joaquin County . . . . . 308,128 762,355 2.47
New Hampshire . . . . . . . . . 264,856 707,316 2.67
(DES Wage Crosshatch Project)
NOTE” All figures are in annual terms pertaining mainly to 1982

SOURCE David H. Greenberg and Douglas A. Wolf, “IS Wage Matching Worth
All the Trouble?” Pub/K We/fare, winter 1985, p t8 Ibid.
— —

One indicator, although not complete, of the cedures were used to ensure that the subject
quality of data used in computer matching is record files contain accurate information.
the percentage of hits verified as accurate. In
response to the OTA survey, this percentage
ranged from 0.1 to 100 percent. For example: Finding 5
The Department of Housing and Urban
There are numerous procedural guidelines for
Development conducted computer matches
computer matching, but little or no oversight,
to identify tenants in five different cities
follow-up, or explicit consideration of privacy im-
who had not reported all income when ap-
plying for federally assisted housing. The
hit rates varied from about 6 to 54 per- Program personnel appear to have substan-
cent, and the hit verification rates varied tial discretion in deciding whether or not to
from 13 to 55 percent. The actual number use computer matching as an audit technique
of matches that resulted in valid hits or means to detect fraud, waste, and abuse.
ranged from 0.8 to 29 percent. There are few internal agency checks. The In-
● The Department of Commerce Inspector spector General’s Office may be involved in
General’s office conducted a match to planning a computer match; and the General
identify departmental employees who Counsel’s Office and the Privacy Act officer
were collecting unemployment benefits. may be involved. But it appears that there are
A total of 22,000 records were matched no agency or general policy guidelines regarding
resulting in 98 hits, of which about 10 per- what types of information should be matched,
cent were verified. against which records of what other agencies,
● The Department of Education conducted and for what purposes. These substantive is-
a match to identify current and former sues are rarely addressed.
Federal employees who were delinquent
For those matching programs that meet the
on student loans. About 10 million records
OMB definition, agencies providing informa-
were matched resulting in 46,860 hits, of
tion “are responsible for determining whether
which 100 percent were verified, accord-
or not to disclose personal records from their
ing to Department officials.
systems and for making sure they meet the
● The Veterans Administration conducted
necessary Privacy Act disclosure when they
a match to identify Federal employees and do. ” In making this determination, agencies
annuitants who were erroneously receiving are instructed to consider the following:
VA compensation. About 15 million rec-
ords were matched resulting in 5,166 hits, ● legal authority for the match;
of which about 23 percent were verified. ● purpose and description of the match;
● description of the records to be matched;
For the majority of matches reported to ● whether the record subjects have con-
OTA, information on hits verified was either sented to the match; whether disclosure
unknown or unavailable. of records for the match would be com-
patible with the purpose for which the
Proponents of matching programs are tak- records where originally collected, i.e.,
ing measures to improve the quality of data whether disclosure under a‘ ‘routine use’
used in matches. SSA has developed a com- would be appropriate; whether the solicit-
puter software program to screen social secu- ing agency is seeking the records for a
rity numbers and pull out inaccurate or in- legitimate law enforcement activity; or
congruous numbers. Other agencies engaging any other provision of the Privacy Act un-
in matching programs are likewise concerned. der which disclosure may be made;
In response to the OTA survey, 68 percent (25 ● description of additional information that
of 37) of the agencies indicating that they par- may be subsequently disclosed in relation
ticipated in matching programs said that pro- to “hits”;

● subsequent actions expected of the agency agency within 6 months. The guidelines also
providing information (e.g., verification of suggested that matching should be done in-
the identity of the “hits” or follow-up with house by agency personnel, not by contractors.
individuals who are “hits”); and
● safeguards to be afforded the records in- The application of these guidelines was not
volved, including disposition. very satisfactory for any party concerned.
Agencies did not conduct cost-benefit analy-
However, neither the source agency, the
ses in a systematic fashion; instead, they were
matching agency, nor OMB is accountable for
quickly estimated when asked for by OMB in
the decision whether or not to disclose records
order to comply with the letter of the guide-
for a matching program. For matching pro-
lines. There was almost no public comment in
grams that do not fall under the OMB guide-
response to matches proposed in the Federal
lines, there are no formal procedures or guide-
Register. There was little congressional re-
lines-one program manager may ask another
action to matching programs. There was min-
for access to records for matching purposes,
imal to no oversight by OMB; it processed the
and no one else need know.
necessary paperwork, but never ‘disapproved’
OMB has developed a number of procedural a match. In part, OMB’S behavior can be at-
guidelines. The initial guidelines, OMB Guid- tributed to the lack of clarity in the guidelines
ance to Agencies on Conducting Automated concerning its role. For example, it was not
Matching Programs, became effective on clear from the guidelines whether OMB had
March 30, 1979. The purpose of the guidelines the authority to disapprove a match.
was “to aid agencies in balancing the govern-
ment need to maintain the integrity of Fed- Based on the unsatisfactory experience
eral programs with the individual’s right to under the 1979 guidelines, the PCIE’S Long
personal privacy. ” Under the guidelines, a Term Computer Matching Project decided that
match was to be performed “only if a demon- one of its first projects would be to revise the
strable financial benefit can be realized that OMB guidelines. In conjunction with advice
significantly outweighs the costs of the match from PCIE, OMB’S Revised Supplementary
and any potential harm to individuals that Guidance for Conducting Matching Programs
could be caused by the matching program. ” became effective May 1,1982. The 1982 guide-
To this end, the guidelines required documen- lines simplified the administrative reporting
tation of benefits, costs, potential harm, and requirements of the 1979 guidelines by elimi-
alternatives considered to detect or curtail nating the cost-benefit analysis, reducing the
fraud and abuse or to collect debts owed to the notice and reporting requirements, and ex-
Federal Government (see 5a of guidelines for empting intra-agency matching programs.
listing). A report describing the match (see 9b.1 Publication of “routine uses” in the Federal
and 2 of guidelines for details) was to be sub- Register was still required, but the 30-day pub-
mitted, 60 days before the match was initiated, lic comment period for matching reports and
to the Director of OMB, the Speaker of the advance notice to Congress and OMB were
House, and the President of the Senate. Nec- eliminated.
essary notices of system of records, new or
altered systems, or routine use were to repub- OMB and PCIE also developed a Model Con-
lished in the Federal Register, allowing 30 days trol System for Conducting Computer Match-
for public comment. Any disclosures of per- ing Projects Involving Individual Privacy
sonal information during the match were to Data (1983). The Model Control System is de-
be made in accordance with the “routine use” signed to provide procedural guidance to agen-
limitations noted in the Federal Register. Un- cies conducting computer matching projects
less it was a continuing matching program, the to help them comply with the Privacy Act and
guidelines stipulated that personal records the OMB guidelines. The model includes 10
should be destroyed or returned to the source steps that agencies should follow:
-. . .

1. define the match program, against unreasonable search and seizure, due
2. determine the feasibility of the match, process, and equal protection of the laws. But,
3. establish matching and follow-up pro- as presently interpreted by the courts, the con-
cedures, stitutional provisions provide few, if any, pro-
4. confer with the agencies providing infor- tections for individuals who are the subjects of
mation, matching programs.
5. publish routine use notice,
6. make a matching report, The fourth amendment provides individuals
7. obtain the agency data file, the right “to be secure in their persons, houses,
8. conduct computer matching, papers, and effects, against unreasonable
9. analyze and refine the raw hits, and searches and seizures. ” The fourth amendment
10. perform follow-up procedures. presumption, reinforced by case law and by
the presumption of innocence additionally re-
Agencies are not required to follow the Model flected in the fifth and sixth amendments, is
Control System, or to report to OMB on which that searches are not warranted unless there
procedures were followed. is indication of a crime. If there is probable
In late 1983, OMB developed a Computer cause of a crime and the individual’s involve-
Match Checklist that must be on file for re- ment, then a court may issue a search warrant.
view by OMB, GAO, or other Federal entities. Fourth amendment case law has resulted in
The checklist must be completed by both the the concept of “expectation of privacy. ”
agency providing information and the agency The question of whether or not computer
conducting the match immediately following matches raise fourth amendment issues turns,
Federal Register publication of an intent to in large part, on the ‘expectation of privacy”
match. Items on the checklist include: compli- that individuals have in records about them
ance with notification requirements, number maintained by a third party, in this case pri-
of individuals whose records are to be matched, marily a government agency. Based on the Su-
contractor involvement, and the date on which preme Court ruling in United States v. Miller,
a cost/benefit analysis on the match will be 425 U.S. 435 (1976), records that are held by
available. Estimates of cost/benefit analyses a third party, and used by that party for admin-
are to be attached to the checklist. istrative purposes, are considered the property
In December 1985, OMB issued Circular A- of the third party. Under such circumstances,
130, Management of Federal Information Re- the individual does not have an assertible
sources, which directs agencies to review an- fourth amendment privacy interest in those
nually every matching program in which they records. Although Miller applied to records
have participated, either as a matching or held by a bank, the logic of the holding may
source agency, to ensure that the requirements apply similarly to records held by the gov-
of the Privacy Act, the OMB Matching Guide- ernment.
lines, and the OMB Model Control System and In Jaffess v. Secretary HE W, 393 F. Supp.
Checklist have been met. Additionally, agen- 626 (S.D. N.Y. 1975), a district court allowed
cies are to include in the Privacy Act Annual
a computer match of recipients of veterans’
Report the number and description of match-
disability benefits with those receiving social
ing programs participated in as a source or
security benefits. The court held that the dis-
matching agency.
closure under the matching program was ‘for
the purpose of proper administration. Jaffess
Finding 6 had not reported his social security income,
and after the match his {eterans’ benefits were
As presently conducted, computer matching reduced. He claimed that a constitutional right
programs may raise several constitutional ques- of privacy protected his records. The court re-
tions, e.g., whether they violate protection jected this claim:

. . . the present thrust of decisional law does a search under the fourth amendment. Such
not include within its compass the right of an a match may also conflict with the presump-
individual to prevent disclosure by one gov- tion of innocence, as reflected in the fourth and
ernmental agency to another of matters ob- fifth amendments, if the individual is required
tained in the course of transmitting agency’s to prove that he or she has not engaged in
regular functions.47 wrongdoing. If the purpose of a match is to
But, the legal question of what kind of fourth detect and correct errors, and not to detect
amendment “expectation of privacy” an indi- wrongdoing, then a match would probably not
vidual has when he or she fills out a form and be regarded as a search under the fourth
swears that the information provided is true amendment.
and correct has not been specifically decided.
The due process clause of the fifth48 (Federal
Nor has the question of the privacy rights of
Government) and 14th (State governments)
Federal workers in information provided and
amendments ensures procedural protections
maintained for employment purposes. In both
before the government takes action against an
instances, statutes, especially the Privacy Act,
individual. Generally, this clause has been held
may give more precise legal guidance than the
to require that individuals be given notice of
U.S. Constitution. However, the constitutional
their situation, the opportunity to be heard,
question could still be subject to further liti-
and the opportunity to present evidence on
their own behalves. In agency proceedings, this
A second fourth amendment issue that is constitutional principle is given specific mean-
raised by computer matches is the scope of the ing in the Administrative Procedures Act
search. Computer matches are general elec- (1946). Additional elements of due process that
tronic searches of, frequently, millions of rec- apply specifically to eligibility for benefit pro-
ords. Under the fourth amendment, searches grams include: the right to a pre-termination
are not to be overly inclusive—no ‘fishing ex- hearing, placing the burden of proof on the gOV-
peditions” or “dragnet investigations. ” Yet, ernment to prove ineligibility if the individual
in matches, many people who have not engaged swears to eligibility, and entitlement to bene-
in fraud are subject to the computer search. fits pending resolution. These procedural due
If matches were to be considered a fourth process protections were extended to welfare
amendment search, then some limitations on recipients in Goldberg v. Kelly, 397 U.S. 254
the breadth of the match and/or justifications (1970).
for a match may be necessary. For example,
Under the 1979 OMB guidelines, notice of
the agency may need to show that a less in-
a proposed match is to be published in the Fed-
trusive means to carry out the search was not
eral Register 30 days before to allow time for
available, and that procedural safeguards limiti-
comments. Many have questioned the ade-
ng the dangers of abuse and agency discre-
quacy of this, as the vast majority of individ-
tion were applied. These may also be required
uals do not read the Federal Register. Addi-
under due process protections as discussed tionally, there is evidence that agencies have
not complied with the 30-day time period and
A final fourth amendment issue that may that some agencies have provided notice after
be raised by computer matches is that of sus- the match was well under way.49 This require-
picion that criminal activity is occurring. If ment was eliminated in the 1982 OMB guide-
the purpose of a match is to produce evidence lines. DEFRA now requires more specific no-
that someone has defrauded the government,
“It does not specifically provide for equal protection, but the
then a computer match could be regarded as Court ruled in BolJing v. Sharpe (347 U.S. 497, 19854) that “the
concepts of equal protection and due process, both stemming
from our American ideal of fairness, are not mutually exclu-
“Kenneth James Langan, “Computer Matching Programs: sive” and that the fifth amendment also provided equal pro-
A Threat to Privacy?” Columbia Journal of Law and Social Prob- tection.
lems, vol. 15, No. 2, 1979, pp. 158-159. ‘gSee Cohen hearings, op. cit.

tice prior to some matches. It is important to the government. In this case, the purpose, i.e.,
recognize that notice can take place at various detecting fraud, waste, and abuse, would prob-
points in the matching process, i.e., before the ably be regarded as legitimate, and the means
match occurs, once an individual appears as a chosen, i.e., computer matching, rationally
“hit,” and prior to any outside verification. No- related.
tice can also be provided rather passively, e.g.,
Despite this development of constitutional
a statement on a form, or requiring the active
decisions, matching may conflict with the
acknowledgment of the individual. Based on
equal protection clause in that categories of
results of the OTA survey, 8 percent (3 out of
people, not individual suspects, are subject to
37 agency components) of the agencies report-
these electronic searches. In the computer
ing that they participated in computer match-
matching that has been done to date, two groups
ing said that individual subjects of the match
of people—welfare recipients and Federal
had provided written consent prior to a match.
employees—have been used frequently. This
Once a match has taken place, the resulting is true despite arguments by supporters of
“hits” are further investigated in order to ver- matching that computer matches are effective
ify their status. At this time, these individuals tools in a number of situations. Although the
may not be given notice of their situation, or Grace Commission and others have recognized
the opportunity to be heard and present evi- the usefulness of matching in detecting fraud,
dence on their own behalves. They may not be waste, and abuse in government contracting,
notified until and unless the agency decides it has not been used to any significant extent
to take some action against them. Based on for this purpose. DEFRA, in its section incor-
the Court’s ruling in Goldberg, due process porating the Grace Commission recommenda-
would require a hearing for an individual whose tions, did not require or endorse the use of
benefits are to be terminated or lowered based matching in government contracting.
on information from computer matching. Such
hearings may be quasi-judicial in nature, but
the individual would not have the right to a Finding 7
lawyer or jury, the burden of proof would be The Privacy Act as presently interpreted by
on the individual, and the individual may in- the courts and OMB guidelines offers little pro-
criminate himself or herself in these hearings. tection to individuals who are the subjects of
If such hearings are the starting point for an computer matching.
investigation leading to criminal charges, then
it maybe necessary to conduct them in a more The Privacy Act gives individuals certain
formal judicial setting. rights of notice, access, and correction in or-
der that they may control information about
The equal protection clause of the 14th and, themselves. It also places certain requirements
by implication, the fifth amendments prohibits on agencies to make certain that the informa-
the States and Federal Government from cre- tion they maintain is relevant, timely, and
ating legal categories and taking actions that complete.
discrimin ate against members of that category
(e.g., race, national origin, and gender). Eco- Under the Privacy Act, the individual has
nomic status has never been regarded as a sus- the right to prevent information being used
pect classification,’” and therefore the govern- without his or her consent for a purpose other
ment interest in subjecting welfare recipients than that for which it was collected. An ex-
to computer matching would only need to be ception to this rule is if information falls within
rationally related to a legitimate purpose of a “routine use” of the particular record sys-
tem. Under the OMB Matching Guidelines,
matching can be considered such a routine use;
‘“see llmdricige v. WiLliaxns, 397 U.S. 471 (1970) and San ArI-
tonio Independent School District v. Rodriguez, 411 U.S. 1 therefore, individual consent is not required.
(1973). Many argue that matching of information is

not consistent with the legislative intent that computer matching, although some organiza-
information should be used only for the pur- tions have brought lawsuits.
pose collected. As table 6 indicated, it is quite
It does not appear likely that the courts will
easy to find justification in the Privacy Act
protect individual privacy in computer match-
for disclosures of information for matching
ing programs .51 There are at least four reasons.
The first is that the courts have not extended
Additionally, the Privacy Act requires agen- constitutional protections for computerized
cies to ‘collect information to the greatest ex- records, and the fourth amendment “search
tent practicable directly from the subject in- and seizure” doctrine has not been applied. The
dividual when the information may result in second reason is that courts only require ra-
adverse determinations about an individual’s tionality in such programs, i.e., that the means
rights, benefits, and privileges under Federal used be reasonably related to a legitimate gov-
programs” [see.e(2)]. In computer matching, ernment purpose. The purpose of achieving
information that will be used to determine efficiency and detecting fraud, waste, and
whether benefits should be eliminated, de- abuse is a legitimate one. With respect to the
creased, or increased is collected from third choice of means, courts have traditionally
parties-not from the individual. given deference to administrative discretion.
The third reason is that when courts balance
Although not specifically prohibited in the
individual privacy against the public interest,
Privacy Act, the legislative history reflects
the weight generally favors the public inter-
censure of a national data center. The linking
est—all else being equal. The fourth reason is
of systems in computer matching can be re-
that the damage requirements of the Privacy
garded as moving towards a de facto national
Act are so difficult to prove that they act as
data center or national recipient system. Ad-
a deterrent to its use.
ditionally, new computerized databases are be-
ing created solely for the purpose of provid- Additionally, with large-scale computer
ing information for computer matches and matching, no one individual is sufficiently
other record searches. The Federal Govern- harmed to litigate a claim and most individ-
ment, under the auspices of the inspectors gen- uals are not even aware of the match. The cases
eral, is developing a national computerized file that have gone to court have generally been
of deceased individuals (who have no rights brought by welfare rights organizations. These
under the Privacy Act) for screening benefici- cases include:sz
ary records and preventing payments to de-
15, 844 Welfare Recipients v. King, 474 F.
ceased persons. Two other examples mentioned Supp. 1374 (D. Mass., 1979)–State welfare
previously are the Medicaid Management In- agency was required to restore benefits to re-
formation System and the proposed IRS Debt- cipients whose aid had been terminated either
or Master file. The State wage reporting sys- by fraud investigators improperly acting as
tems, required under the proposed DEFRA caseworkers, or by caseworkers improperly
regulations, could also be regarded as the first acting as fraud investigators.
stage of a national data system. Tierney v. Schweiker, 718 F. 2d 449 (D.C.
The OMB guidelines require that the files Cir., 1983)–Coerced signatures to notice-and-
consent forms, extracted from SS1 recipients
used for matching be returned to the custo- in preparation for an IRS matching, were in-
dian agency or destroyed. However, since there validated because the agency action violated
is no oversight of this, records could be used IRS confidentiality rules.
for additional purposes.

Finding 8 61 Lmgw, op. cit., p- 175”

‘*See: Henry Korman, “Creating the Suspicious Class–
The courts have been used infrequently as a Surveillance of the Poor by Computer Matching, ” unpublished
forum for resolving individual grievances over paper, August 1985, esp. pp. 52-53.

Greater Cleveland Welfare Rights Organiza- ment security office; criminal records and
tion v. Bauer, 462 F. Supp. 1313 (N. D. Ohio, criminal intelligence in the State police or De-
1978)–An Ohio wage match was invalidated partment of Public Safety; educational, finan-
insofar as subject AFDC recipients were not cial aid, and vocational training information
informed of use of their social security num- in the Department of Education; occupational
bers as identifiers in the match. information in the various State licensing
Lessard v. Atkins, CA 82-3389-MA (D, boards (attorneys, beauticians, auctioneers,
Mass., Apr. 23, 1985)–Defendants in a bank
boxers, vendors, physicians, etc.); patient in-
match case agreed to both the use of second- formation and physicians earnings records in
ary identifiers and enhanced follow-up inves-
tigations that plaintiffs argued were required the State agency administering Medicaid; sus-
by Federal law. picions of child abuse in the appropriate State
agency; and birth records of adoptees in the
Finding 9 adoption agency.
Most matching occurs in programs that are
Computer matches are conducted in most federally funded or controlled by Federal law.
States that have the computer capability. At For example, States conduct matches in un-
least four-fifths of the States are known to con- employment insurance programs to detect
duct computer matches, most in response to Fed- fraudulent and duplicative payments, and to
eral directives. monitor employers’ contributions. Forty-one
In many respects, the personal information States reported conducting such matches, and
gathered by State agencies is more sensitive 23 States reported matching unemployment
and more extensive than that gathered by Fed- insurance records with other jurisdictions. 54
eral agencies. <51 Many Federal agencies fund Less than 20 States report matching for work-
programs that are administered through the ers’ compensation programs. fi5 In public assis-
States (or local educational agencies). The Fed- tance programs, States generally match re-
eral agencies do not store individually identifi- cipient files against quarterly wage reports
able information on all of the beneficiaries of submitted by employers to detect recipients
these programs, but the States do. Federal au- who are receiving wages over an allowable
ditors regularly have access to individually limit. An OTA survey of eight States revealed
identifiable information to monitor program that six (California, Colorado, Georgia, Illinois,
effectiveness, but the personal data on all part- Indiana, and Michigan) conducted such matches,
icipants is not stored in Federal agencies while two States (Florida and Minnesota) did
themselves. not. DEFRA now requires that this be done
by all States.
At the State level, the following information
is typically stored: income or business tax- Other examples of State matching activities
payer records in the revenue department; driv- include:
ing records in the Department of Motor Vehi- ● Thirty-seven States submit social security
cles; public assistance in the welfare agency; numbers of welfare recipients to SSA for
drug and alcohol treatment records in the computerized verification that the num-
appropriate agencies; communicable diseases bers are accurate.
and abortions in the Department of Health; ● At least two States, Massachusetts and
treatment at State institutions in the Depart- Maryland, have authorizations in their
ments of Health, Mental Health, or Public laws for the public assistance program to
Health; current earnings in the quarterly conduct computer matches against the ac-
reports submitted by employers (a few States counts of all bank customers in the State.
require reporting less often) to the unemploy - —
See U.S. Department of Labor Inspector General, Zn~’en-
5’Information for this section is derived from Robert Ellis tor~’ of Computer ilfatching .~cti~rities in State I.abor and Re-
Smith, Report on Data Protection and Privacl’ in Seven Selected lated Agencies, 1982.
States, OTA contractor report, February 1985. “Ibid.

● The I remigration and Naturalization Serv- Service System had nearly 100 percent
ice is encouraging States to match motor participation.
vehicle, welfare, and unemployment files ● More than 80 percent of the motor vehi-

with its databank of current registered cle departments disclose driving records
aliens. Colorado, Illinois, and California and accident reports to Dataflo Systems,
have agreed. California must approve new a division of Equifax, Inc., so that Dataflo
regulations before this can be done, and can computerize the data and market it
the regulations have not yet been pub- to insurance companies. The abstract in-
lished. cludes social security number, driver’s
● California, Minnesota, and several other license number, birth date, physical de-
States conduct Project Intercept. Lists of scription, restrictions on the permit, and
persons owing money to the State—either a chronological list of violations. An insur-
in delinquent taxes, welfare overpayments ance company can then query one of five
or frauds, faulty unemployment compen- regional computers operated by Dataflo.
sation, etc. —or those reported delinquent ● Motor vehicle departments also disclose

in child support payments are submitted suspended or revoked licenses to the Na-
to the public assistance agency (or any tional Driver Register operated by the
other agency making periodic payments) U.S. Department of Transportation in
so that the amount owed is offset against Washington and, in turn, query the system
the State payments. This is also done with when persons apply for drivers’ licenses.
tax refund checks (not only in the States, Just about all motor vehicle departments
but by the IRS as well). rent mailing lists of licensees and of auto-
● Many States compare their lists of recip- mobile owners to mailing list firms and
ients, whether public assistance, unem- other marketers. A report by the Secre-
ployment compensation, or other payment tary of State of Illinois in 1983 stated that
programs, against comparable lists of re- 44 States answered in the affirmative when
cipients in neighboring jurisdictions, to surveyed on whether they rent mailing
determine who is “double-dipping.” Ex- lists. The other six States did not respond.
amples are Virginia’s unemployment com- Many States, however, have regulations
pensation records matched with those of or laws limiting, if not fully prohibiting,
Maryland and the District of Columbia; such disclosures.
or Indiana’s records matched with those ● Every State with a State income tax has

of Kentucky. an agreement with the IRS to exchange

computerized data on its taxpayers with
There are other generic exchanges of per- IRS and to receive comparable informa-
sonal data by most States that are significant, tion from IRS.
although they may not be classified strictly
as “matches.” Many of them predate the cur- An analysis of State matching activities in
rent Federal initiative on matching, which be- light of State Privacy Acts or Fair Informa-
gan in 1978. They include: tion Practices Acts indicates that the presence
of such laws does not deter computer match-
● Motor vehicle departments in 49 States ing. However, it often assures that there is a
provide lists of young, male drivers to the review of a State agency’s decision to match,
Selective Service System for matching that there are specific procedures to follow, and
against lists of men who have registered that information is checked for accuracy. The
for a military draft. Objections, based on critical factor in determining the extent of
invasion of privacy, were expressed in matching at the State level appears to be the
many States. Some laws or regulations size of the population. States with larger pop-
governing DMVS seem to prohibit such ulations engage in more computer matching
disclosures. But in the end, the Selective than States with smaller populations.

Finding 10 Sweden

All Western European countries and Canada Under Section 2 of the Data Act, specific per-
are using computer matching or record linkages, mission is required from the Data Inspection
to an increasing degree, as a technique for de- Board (DIB) for the linkage of files that con-
tecting fraud, waste, and abuse. tain “personal data procured from any other
personal file, unless the data are recorded or
In general, the specific uses of matching in disseminated by virtue of a statute, a decision
Western Europe and Canada are similar to of the Data Inspection Board, or by permis-
those in the United States—primarily
in so- sion of the person registered. ” DIB evaluates
cial welfare programs. In Western European all proposals for record linkages and has ap-
countries, computer matching and other rec- proved an estimated 80 to 90 percent of the
ord linkage issues are handled within the con- proposed record linkages. In reviewing propos-
text of data protection laws and oversight. In als, DIB looks especially at the purpose of the
general, European data protection laws require match and the quality, e.g., timeliness, accu-
the advice or consent of the data protection racy, and completeness, of the data to be used.
agency before any records can be Linked. A brief In general, DIB is opposed to linkages of very
review of matching activities in different coun- sensitive personal information, e.g., alcoholism
tries follows. and drug addiction records, and linkages where
the users do not know why personal informa-
Canada tion was originally collected.
The Canadian Privacy Act of 1982 does not DIB has not always been successful at pre-
address computer matching specifically, but venting record linkages. For example, when
does contain the principle that information the tax authorities sought information on in-
should be used only for the purpose for which come from interest and dividends from the
it was collected. The Canadian Privacy Com- banks, DIB said that the banks were not li-
missioner, John W. Grace, has spoken out censed to divulge such information to the tax
strongly on the privacy implications of match- authorities. Regardless, the banks gave the in-
ing. As he sees it: formation to the tax authorities. DIB sought
That computer-matching is carried on in the to prosecute the banks under the Data Act and
name of efficiency, good government and law the case is still under appeal.
enforcement makes it potentially a more, not
less, dangerous instrument in the State’s France
hands.” The National Commission on Informatics
Specific instances of matching include: open- and Freedoms (CNIL) has to authorize record
ing Federal databanks to obtain information linkages. In general, CNIL is opposed to link-
for collecting alimony and child support pay- ages because of the principle that data should
ments from recalcitrant fathers, Revenue Can- be used only for the purposes for which they
ada’s matching of a provincial voters’ list with were collected. In contrast to other countries,
tax records to identify individuals who had not there are few plans for record linkages.
filed tax returns, and matches by the Cana-
dian Employment and Immigration Commis- Federal Republic of Germany
sion to detect overpayment of unemployment The Republic’s Federal Data Protection Act
insurance benefits. contains a general prohibition against the dis-
semination of personal data from one public
body to another, unless the release of the in-
“Information for this section is derived from David H. Fla- formation “is necessary for the legitimate ac-
herty, “Data Protection and Privacy: Comparative Policies, ”
OTA contractor report, January 1985. complishment of the tasks for which the dis-
“Privacy Commissioner, Annual Report, 1983-84, p. 3. semination unit or the recipient is competent. ”
— .—

Computer linkages among social services occur scrutinized. If the use of records is to depend
frequently and do not have to be reported to on the purpose of the match, then the purposes
the Data Protection Commissioners. Most link- that would legitimate the use of particular sys-
ages of social service data outside the social tems of records need to be specifically estab-
service administrations are prohibited by the lished in advance of proposals to match.
Social Code unless the information is necessary
Another issue in determining what records
to prevent premeditated crimes, to protect pub-
lic health under certain circumstances, to im- are to be available is the quality of records
plement specific stages of the taxation process, used in computer matching. Inaccurate rec-
ords detract from the effectiveness of computer
and to assist the registered alien authorities.
matching and increase the problems individ-
uals experience as a result of a match. Record
Finding 11 systems could be required to meet specific data
quality standards prior to being used in a com-
Computer matching raises a number of policy puter match.
questions that warrant congressional attention,
Approval required before a match takes
including availability of records for matching,
place. —Both a process for approving matches
approval before matches, notice for individuals,
and a substantive review of the purpose of the
requirement of cost-benefit analysis, and verifi-
match must be considered. In terms of proc-
cation of hits.
ess, one task is to check on and oversee pro-
In designing policy for computer matching, gram managers’ decisions to match. This check
consideration of the following factors is im- could be carried out within an agency, as often
portant: appears to be the case at present, by a formal
executive branch review process, or by review
Records to be made available for computer
by a legislative body. In addition to the proc-
matches and for what purposes. —Currently,
ess, criteria need to be developed to determine
there are few restrictions on the systems of
the appropriateness of matching under the cir-
records that can be used. If a “routine use”
cumstances. Such criteria could be based on
can be crafted to justify the match, then almost
both the privacy interests involved and the
any Federal system can be made available. The
management interests.
primary exception to this is IRS information,
but this restriction can be circumvented some- Notice to individuals. –This depends in part
what by matching with a system of records on the purposes of notification. Originally, no-
that has already been matched against IRS tice as part of due process was viewed as a
information. Another long-standing exception means of empowering the individual. If an in-
has been private sector information; however, dividual knew what was to take place, he or
a number of new Federal and State laws now she could take measures to try to stop the ac-
allow for such access. tion. This original goal seems to have been
replaced with a more passive view of notice.
In determining what records should be avail- In part this may be attributed to the lack of
able, several possibilities exist. One is to make
options available to an individual who is de-
all records available for all matches. Another
pendent on government benefits or employ-
is to prohibit the use of some systems of rec-
ment. If this is indeed the case, i.e., that in-
ords, e.g., health information, bank records,
dividuals could be told of an action with no
or IRS records. A third is to make the avail- recourse, its implications need to be ac-
ability of records dependent on the purpose of
the match. The difficulty with this alternative,
which may be otherwise attractive because it There are limitations to the present system
allows flexibility, is that it could easily evolve of placing notices in the Federal Register.
into a system similar to what currently exists Other alternatives include placing a notice on
where routine use exceptions are not carefully the original application form, having an indi-

vidual sign a consent form at the time of ap- Verification of hits. -Other than for matches
plication, writing all individuals prior to the conducted under DEFRA, there are no require-
match, and writing to obtain signed consent ments on verifying hits. Again, this involves
prior to the match. two issues—the process of verification and the
substance of what is to be verified. Specific
An additional question is when to notify in-
questions include: do all hits have to be veri-
dividuals–before they become part of the fied or only some predetermined percentage;
program, before the match, after matching
what sources are to be used in verifying hits;
has produced a hit, or after the hit has been if there is a discrepancy in information re-
ceived, how is it resolved; and what is the role
Requiring cost-benefit analysis. –Originally, of the individual in the verification process?
cost-benefit analyses were required prior to a Appropriate action to be taken against an
match. Currently, cost-benefit analyses are to individual who has submitted false in forma-
be filed with OMB following a match. Agen- tion.—Presently, the individual is given an
cies have not welcomed the requirement of do- administrative hearing and can then be sub-
ing cost-benefit analyses. In part, this is be- ject to criminal charges. If the purpose of the
cause there are many qualitative costs that are hearing is indeed to refine evidence for crimi-
difficult to measure. In part, it is because many nal proceedings, then it may be more appro-
of the quantitative costs are difficult to sepa- priate to conduct the hearing in a formal judi-
rate from other administrative costs. In deter- cial setting. Alternatively, the use of evidence
mining what kind of a cost-benefit analysis to from a computer match could be prohibited
require, questions of time of submission, re- from criminal proceedings, allowing its use
view, and components to be addressed need only in civil proceedings.
to be answered.
Chapter 4

Front-End Verification

summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Introduction and Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Findingl . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Finding2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Finding3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Finding4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Finding5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Table No.
13. Computerized Databases Used for Front-End Verification . . . . . . . . . . . . . . . 73
14. Examples of State Front-End Verification Programs . . . . . . . . . . . . . . . . . . . 75

FigureNo. Page
5.Current Database Linkages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
6. Composite of Data Linkages Through Computer Matches by
AFDC Programs in Various States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
7. A Representative Income and Eligibility Verification System (IEVS) for a
State Food Stamp Agency as Required by the Deficit Reduction
Act of 1984 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Chapter 4

Computer-Assisted Front-End Verification

Whereas computer matching involves com- islation, either recently enacted and/or
paring records after an individual is already proposed, will expand the use of front-end
receiving government benefits or services, verification at the Federal as well as the
front-end verification is used to certify the ac- State level.
curacy and completeness of personal informa- ● Front-end verification raises due process
tion at the time an individual applies for gov- and privacy issues that have not been sys-
ernment benefits, employment, or services. tematically studied.
Like computer matching, any large-scale ap- ● There has been no comprehensive study
plication of front-end verification is dependent of how to conduct front-end verification
on computers and telecommunication systems. in the most cost-effective manner and with
the highest possible data quality.
OTA found that: ● There are no general Federal regulations,
The use of front-end verification is creat- either statutory or administrative, guid-
ing a de facto national database covering ing the use of front-end verification. In de-
nearly all Americans. The technological signing guidelines, a number of factors
requisites for front-end verification lead warrant consideration, including:
to the establishment of individual data- —the responsibility for determining ac-
bases for verification purposes and to the cess to and record quality of the data-
connection of these databases through on- bases used for verification purposes;
line telecommunication linkages. —the frequency of front-end verification,
There is no comprehensive information on i.e., routine or selective;
the use of front-end verification by Fed- –the rights of individuals;
eral agencies. Front-end verification is –the types of information used; and
used by many States, mostly in federally —the possible requirement of a cost-ben-
funded programs, and is initiated or re- efit analysis.
quired bvy the Federal Government. Le~-


Computer-assisted front-end verification is manually on a random basis or when the accu-
used to certify the accuracy and completeness racy of information provided was suspect. To-
of personal information by checking it against day, the number of applications and details to
similar information held in a computerized be verified makes manual verification prohibi-
database, generally of a third party. It may tive in terms of cost and time; however, com-
involve certifying information that the indi- puterized databases and on-line networking
vidual has supplied, checking a database to de- make it possible to carry out such verification
termine if there is additional relevant informa- routinely.
tion, or both. Front-end verification is used
when an individual initially applies for govern- Front-end verification is similar to computer
ment benefits, employment, credit, contracts, matching in that it involves an electronic
or some other government program or serv- search for the purpose of ensuring the accuracy
ice. In the past, such verification was done and completeness of information to maintain


the integrity of government programs. How- ing is used, the agency compiles (usually on
ever, front-end verification differs from com- magnetic tape) all information needing a spe-
puter matching in four ways: 1) information cific type of verification, either at the end of
is verified on an individual basis, rather than the day or week, and sends it to the relevant
for a category or class of people; 2) informa- source for verification. A tape-to-tape match
tion is verified before an individual receives reveals inconsistencies in the data. The second
any government benefits or employment; 3) its method is a direct on-line inquiry from an agen-
purpose is to prevent and deter, rather than cy terminal to the computerized source data-
to detect and punish; and 4) it is done most base as each individual case is considered. An
effectively at the time of the initial transaction, immediate on-line response reveals inconsisten-
and thus accelerates the trend to on-line data cies in the data. Because of its speed and effi-
linkages. For these reasons, some of the pol- ciency, the trend is toward more direct on-line
icy issues (e.g., data quality, cost-effectiveness, verification. For example, the Department of
and administrative discretion) are essentially Health and Human Services found that 73 per-
the same for both front-end verification and cent of front-end verification in the Aid to Fam-
computer matching. However, other issues, ilies With Dependent Children (AFDC), food
such as due process and privacy concerns, are stamp, and Medicaid programs at the State
different for front-end verification than for level was conducted on-1ine.1
‘U.S. Department of Health and Human Services, Office of
Computer-assisted front-end verification can inspector General, Catalog of Automated Front-End Eligibil-
ity Verification Techniques: A Project of the President Coun-
be done in two ways– by batch processing or cil on Integrity and Efficiency, OAI-85-H-51, September 1985,
by a direct on-line inquiry. If batch process- p. 13.

Finding 1 combining and comparing information from
several separate, usually remote, record sys-
The use of front-end verification is creating tems. If enough separate record systems are
a de facto national database covering nearly all queried, the result can be the creation of a de
Americans. The technological requisites for facto electronic dossier on specific individuals.
front-end verification lead to the establishment See figures 5 and 6 for attempts to portray the
of individual databases for verification purposes current state of computerized linkages among
and to the connection of these databases through separate databases.
on-line telecommunication linkages.
This de facto national database is not a cen- Part of the explanation for this decentralized
tralized database in the sense that all infor- approach to databanks and dossiers, rather
mation is contained in one mainframe comput- than a centralized approach, is that advances
er housed in one building. Instead, the present in computer and data communication technol-
dominant approach is to create a “virtual” cen- ogy have reduced the technical and cost bar-
tral databank by electronically (via direct on- riers to such interconnections. However, part
line linkages2 or exchange of computer tapes) of the explanation is also political in nature.
The decentralized approach reflects the frag-
‘On-1ine telecommunication linkages involve data communic- mented and complex structure of the execu-
ations, the contents of which are not protected by existing stat-
utory (e.g., Title III of the Omnibus Crime Control and Safe tive branch of the Federal Government. Al-
Streets Act) and constitutional prohibitions on the interception though Federal agencies may collect and use
of phone calls. See U.S. Congress, Office of Technology Assess- similar information on individuals, they also
ment, Federal Government Information Technology: Electrom”c
Surveillance and Civil Liberties, OTA-CIT-293 (Washington, collect information that is specific to their mis-
DC: U.S. Government Printing Office, October 1985). sions and would prefer to maintain their own

Figure 5.—Current Database Linkages

- F e d e r a l

- S t a t e
- Both Federal and State
\—l Private sector

-] Mixed public/private

empIoymen t
NOTES Solid lines=automated exchanges, dotted lines=manual exchanges
SOURCE The Privacy Journal, April 1984, p 5

Figure 6.–Composite of Data Linkages Through Computer Matches by

AFDC a Programs in Various-States -

Employment Security
SSA Agency:
BENDEX (Social Security) Wages

SDX (SS1) state Unemployment
BEER (Earnings) employees/
Enumeration (SSN) retirement Workman’s

Dept. of Motor
Vehicles Veterans
(Composite of all records

inmate files

Other programs within

state: Private
Refugee Assistance sector
Low Income Home employers Unemp. compensation
Energy Assistance General assistance
SSI Supplemental MEDICAID
General Assistance Food Stamp
Aid to Families With Dependent Children.
NOTE” No single State has all of these links, but each link occurs in at least one State. With a few exceptions, however, these
types of sources could be available in every State
SOURCE U S Department of Health and Human Services, Office of Inspector General, Inventory of State Computer Matching
Technology, and GAO observation.

databases for their clients or employees. Ad- The decentralized approach also reflects po-
ditionally, the decentralized approach reflects litical concerns frequently expressed about cen-
incremental responses to policy problems. tralized databanks and dossiexs. Indeed, when
Databases usually are created to deal with a proposals for various national databanks were
specific problem as seen at a particular time. first made 15 to 20 years ago, the reaction was
Rarely is the opportunity taken to review re- quite negative. Concern was expressed that,
lated problems and look for a common solution. even if central databanks were technically fea-


sible, they might be more open to abuse, and is a voluntary Federal/State cooperative pro-
might consolidate power and control in the gram to aid States in exchanging information
Federal Government.’ Since that time, few pro- about the driving records of certain individ-
posals for national databanks of personal in- uals. Currently all States participate in report-
formation have been made or seriously consid- ing license withdrawals, submitting names to
ered. In cases where there has been a serious be checked against the NDR file, or both. NDR
debate, the common result has been a decen- has been in operation since 1961 under the au-
tralized approach. Two cases in point are the thority of Public Law 86-660, which directed
Interstate Identification Index (known as Tri- the Secretary of Commerce to establish a reg-
ple I), run by the Federal Bureau of Investiga- ister of all names of individuals reported by
tion (FBI), and the National Drivers Register the States for revocation of a driver’s license
(NDR) run by the Department of Transporta- because of driving while intoxicated or viola-
tion’s National Highway Traffic Safety Ad- tion of a highway safety code involving loss
ministration (NHTSA). of life. Until 1982, reports on license with-
In both of these situations, proposals to drawals and denials contained descriptive in-
maintain central databanks (on criminal his- formation about the individual and details of
tory records and motor vehicle operator rec- the adverse action taken. The National Drivers
ords, respectively) run by the Federal Govern- Register Act of 1982 (Public Law 97-364) re-
quires that the content of the Federal NDR
ment were strongly opposed by various States
and civil liberty groups and ultimately de- file be limited to minimal, personal, identify-
feated, even after partial implementation. In ing information with case-specific information
both cases, a decentralized index approach was being maintained only by the State institut-
ing the adverse action. The 1982 law also con-
adopted (with support from the States and civil
verted NDR to a fully automated system.
liberty groups) as an alternative to the central
databank approach. In the index approach, the The FBI’s Triple I, which became opera-
Federal Government (in these examples, the tional on February 7, 1983, contained 9,268,332
FBI and NHTSA) maintains, in effect, an in- records as of May 1, 1985.4 Triple I is essen-
dex to records in State record systems. Only tially an index of persons with criminal history
names and identifiers are contained in the in- records on file at the FBI and/or in State crimi-
dex–it does not include information about spe- nal history record repositories. For each person
cific offenses, charges, and dispositions (for listed, Triple I includes only information on
criminal history records indexed by the Tri- personal descriptors, identifying numbers, and
ple I) or about specific driver violations and the location(s) of the criminal history record(s).
license suspensions (for vehicle operator rec- At present, use of Triple I is limited to crimi-
ords indexed by NDR). nal justice and criminal justice employment
purposes, although the question of noncrimi-
The NDR contains 10 million records with
nal justice use (primarily for employment and
information on drivers’ licenses that have been
licensing checks) has not been resolved (see
revoked or suspended in various States. NDR
app. A at the end of this report for further dis-
‘See U.S. Congress, House (’ommittee on (government Oper- 4F131 response to OTA Federal Agenc3’ Data Request. Also
ations, Special Subcommittee on I mrasion of Privac3’, The COm - see U.S. Department of Justice, Federal Bureau of I n\estiga-
puter and ln~wsion of Pri\rac~’. hearings, 89th Cong., 2d sess. tion, Technical Services Division, Statement of Ilbrk for .VCIC
tJuly 25, 2’7, 28, 1966 (Lf’ashington, DC: U.S. Government Print- 2000 (2K) Project—PHASE 1: A Comprehensi\’e Stud~’ To Ile-
ing Office, 1966): and U.S. Congress, Senate Committee on the fine: System Requirements, Functioned Design and S?’stem
,Judiciary, Suhcommittw on Administrati~’e practice and pro- Specs (Consistent R?th a Rigorous En\ ”ironmental .4nal.\wis
cwiure, ln~’asion of ~+-i~’ac.~’, hearings, 89th Cong., Februavr 1965 E\raluation), Januarjr 1985, p. A9: and David F. Nemecek, “The
to +Junc 1966 (\\’ashington, I)C: (1. S. fimernnlent l’rint,ing of- Interstate Identification Index (1 I I), ” Interface, S14~ARCll
fice 1 965-67). Group, Inc., 101.9, No. 1, summer 1984, pp. 1011.

cussion). If authorized criminal justice agencies are any matches, or “hits,” and then follow
obtain a “hit” or match on Triple I, the agen- up to obtain more detailed information.
cies obtain the actual criminal history record
information from the FBI (for Federal offend- Agencies may also maintain a centralized in-
ers and offenders from States not yet particip- dex of individuals whose records are main-
ating in Triple I) or from State criminal rec- tained in their computerized databases. For
ord repositories (for Triple I participants). Triple example, the OTA survey revealed that the Im-
I inquiries are made electronically via the migration and Naturalization Service (INS) has
National Crime Information Center’s (NCIC) a Central Index System (CIS) of 152 million
communication lines and, if a hit occurs, are records that contains file location, immigra-
referred or switched automatically to the ap- tion status, and biographical data on individ-
propriate holder of the original criminal his- uals of interest to INS. On-line access to CIS
tory record. Records are provided by one or is provided at ports of entry, file control offices,
a combination of the following: on-line via border patrol headquarters, and other agencies
NCIC, electronically from a State via the Na- involved in intelligence or law enforcement. On
tional Law Enforcement Telecommunications an average, 600 users generate 100,000 file ac-
System, or by mail from the FBI or State re- cesses per day.
Although electronically linked, on-line data-
Triple I represents an alternative to the now- bases are distributed in a physical sense, they
defunct Computerized Criminal History (CCH) constitute a centralized database in a practi-
file previously maintained in NCIC. By includ- cal sense. As more and more systems automate
ing index entries for computerized criminal and have on-line communication capability,
history records maintained by the FBI’s Iden- this virtual database will grow. There are a
tification Division, as well as records from par- number of computerized databases that are
ticipating States, Triple I has been able to fa- accessible by selected government agencies for
cilitate access to and exchange of over 9 million computer-assisted verifications—for example,
criminal history records, compared to the rough- the computer files of the FBI’s NCIC and those
ly 2 million records contained in the old of the Bureau of the Customs’ Treasury En-
NCIC/CCH file. However, there still are sev- forcement Communication System. INS main-
eral unresolved issues concerning Triple I— tains a number of computerized record systems
noncriminal justice use, record quality, and pol- —the Anti-Smuggling Information System,
icy oversight. These are discussed in further the Central Index System, the Non-Immigrant
detail in appendix A to this report. Information System, the Student School Sys-
tem, and the National Automated Immigra-
The decentralized approach in these in- tion Lookout System. The Social Security Ad-
stances is generally perceived as minimizing ministration (SSA) also maintains a number
adverse impacts on Federal-State relations, of databases for verification purposes—the
since the States retain primary control over State Data Exchange, the Beneficiary and
the source records. Also, the risk of abuse or Earnings Data Exchange, the Third Party
misuse by the Federal Government is thought Query, and the Enumeration Search and Veri-
to be lessened, since there is no central file. fication Response System. Additionally, pri-
However, authorized Federal, State, and local vate sector firms, such as credit bureaus and
agencies can determine, via the index, the loca- medical insurers, maintain a number of cen-
tion of records of interest and request such tralized databases that are accessible by gov-
records directly from the State record reposi- ernment agencies. See table 13 for a descrip-
tories. Thus, a dossier on any given individ- tion of these databases.
ual can be compiled by consolidating various
records from separate State agencies. It is also Centralized databases are also created from
possible for Federal agencies to run a longer existing decentralized databases. One exam-
list of persons against the index to see if there ple is the IRS’s Debtor Master File, which was

Table 13.—Computerized Databases Used for Front-End Verification

National Crime Information Center (A/C/C) .-There are 12 files National Automated Immigration Lookout System (NAILS).—
containing a total of 16,395,662 files (as of 5/1/85) that can Provides on-line information for the detection of inad-
be accessed through the NCIC system.a The 12 files in- missible persons and others of particular interest to INS
clude: the Interstate Identification Index (Ill) File, the and other law enforcement agencies. Presently contains
Stolen Securities File, the Stolen Guns File, the Stolen 40,000 records.
Articles File, the Stolen Vehicles File, the Stolen License State Data Exchange (SDX—Social Security Administration
Plates File, the Wanted Persons File, the Missing Persons [SSA]).–Contains 7.5 million records with title XVI infor-
File, the Stolen Boats File, the Canadian Warrant File, the mation extracted from the supplemental security record,
U.S. Secret Service Protective File, and the Unidentified as well as Medicaid eligibility data for specified States.
Persons File. NCIC functions as a nationwide computer- SDX has been in operation since December 1973 and is
ized Information service for Federal, State, and local crimi- accessible by State Welfare/Human Resources Depart-
nal justice agencies. ments for use in adminitration of income maintenance
Treasury Enforcement Communication System (TECS).– and Medicaid programs.
Includes a range of information on persons suspected of, Beneficiary and Earnings Data Exchange (BENDEX–SSA), –
or wanted for, violations of U.S. Customs or related Contains 64 million records with information on title II
Iaws —e. g., persons suspected of or wanted for thefts from eligibility, Medicare entitlement, wage data, and eligibility
international commerce, and persons with outstanding entitlement to other SSA-administered programs. BENDEX
Federal or State warrants, The Border Enforcement Sys- has been in operation since 1968 and is accessible by
tem is the major component and is used to: assist Cus- State Welfare/Human Resources Departments for use In
toms and the Immigration and Naturalization Service (INS) administration of income maintenance programs.
personnel screen persons and property entering and ex- Third Party Query (TPQY—SSA). —Contains the 7.5 million
iting the United States; provide investigative data to Cus- SDX records and the 64 million BENDEX records. TPQY
toms or other agency law enforcement or intelligence has been in operation since November 1984 and is acces-
officers; and aid i n the exchange of data with other Fed- sible for purposes of speeding up the SSA-administered
eral, State, or local law enforcement agencies. As of May benefit verification process by all State, local, and Fed-
1, 1985, the Border Enforcement System included com- eral agencies that administer a health and/or income main-
puterized records on over 2 million persons. tenance program (including commercial vendors).
Nonimmigrarft /formation System (N//S), —Contains over 32 Enumeration Search Verification and Response System
miIlion records on foreign visitors, diplomats, and stu- (ESVARS—SSA). –Contains identification data for every
dents for purposes of tracking their movements, The sys- social security number that has been issued. There are
tem has been operational since January 1983, The student/ 280 million base records, which are expanded to 420 mil-
schools subsystem became operational in August 1984 lion iterations because of name changes, duplicate cards,
and tracks 500,000 students at 15,000 schools, and such, ESVARS has been in operation since Apr. 1,
Anti-Smuggling Inforrnation System (AS/S). —Incorporates 1985 and is accessible by all SSA employees who need
750,000 records containing information relating to alien to verify social security numbers and Federal, State, lo-
smugglers, including names (and aliases), addresses, cal, and private agencies that justify their need to verify
phone numbers, and license plates. social security numbers.
For !urt her dl sc u SSI on see app A at the end of thls report Also see U S Con gre$,s office of Technology A s s e s s m e n t , An Assess men I of A /ferr?a(l ves for a National

Compufer/zed Cr/m(na/ Hw(ory System OTA CIT-161 (Springfield VA National Technical Information Servtce October 1982)
SOURCE Off Ice of Technology Assessment

created in 1986 using information from the notices were sent to these individuals and re-
databases of a number of agencies. The Debtor sulted in payments from 41,000 persons total-
Master File was authorized in the Deficit Re- ing $14 million. G
duction Act. The purpose of the Debtor Mas-
As the exchange of information becomes fast-
ter File is to aid in administering the offset
er and easier, there will be pressure to increase
of tax refunds to collect on delinquent Federal
computer connections and on-line processing.
debts, such as student loans.5 The 1986 Debtor The Deficit Reduction Act and the establish-
Master File contains the names of 750,000 in-
ment of Income Eligibility Verification Sys-
dividuals who are indebted to at least one of
tems (IEVS) is a good example (see app. E of
the following agencies: the Departments of Ed-
this report). Under the rules issued by the De-
ucation, Housing and Urban Development, or
Agriculture; the Veterans Administration; and %See David Bumham, ” I.R.S. To Withhold Tax Refunds Owed
the Small Business Administration. Preoffset Loan Defaulters, ” New York Times, Jan. 10, 1986, pp. Al, Al 1;
Keith B. Richburg, ‘i Agencies Give Defaulters’ Names to IRS, ”
‘U.S. Department of the Treasury, Internal Revenue Serv- Washington Post, Jan. 10, 1986, p. A21; and Judith A. Sullivan,
ice, “Privacy Act of 1974: System of Records, ” Federal Re&”s- “IRS To Collect Agencies’ Debts, ” Government Computer
ter, vol. 50, No. 195, Oct. 8, 1985, p. 41085. News, Sept. 13, 1985, pp. 1, 16.

partments of Labor, Agriculture, and Health Finding 2

and Human Services,7 IEVS would contain
wage and benefit data from State Wage In- There is no comprehensive information on the
formation Collection Agencies; wage, benefit, use of front-end verification by Federal agencies,
and other income data from SSA; and unearned although the Federal Government is increasingly
income data from the Internal Revenue Serv- requiring front-end verification in many federally
ice (IRS). The Deficit Reduction Act requires funded programs administered by the States. Re
each State to establish an Income Eligibility cently enacted legislation will expand the use
Verification System. The rules do not inter- of front-end verification at the Federal as well
pret this as mandating a physical system, but as the State level.
a logical process that would assure timely and
efficient exchange of data. Compatibility to al- Because the personal information provided
low exchanges of data among various IEVS by applicants for government programs is of-
is a possibility. The Deficit Reduction Act also ten inaccurate or incomplete, front-end verifi-
requires each State to collect quarterly wage cation is useful for checking eligibility for Fed-
reports from all employers and to establish a eral benefit programs, checking on current
State Wage Information Collection Agency debts and earnings for loan applicants, and
that will maintain records of social security checking financial and criminal histories for
numbers; full name; quarterly wages; and em- employment applicants.
ployer’s name, address, and identifier. As of
1982, 12 States did not collect wage informa- The existence of the numerous computerized
tion on a quarterly basis.8 databases discussed above would seem to in-
dicate that many agencies use front-end veri-
The result of IEVS will be uniformity among fication. However, only two agencies–the Bu-
State systems. The Department of Agriculture reau of Indian Affairs in the Department of
has agreed that State Wage Information Col- the Interior and the Veterans Administra-
lection Agencies should collect the following tion—responded affirmatively to the OTA sur-
information: social security number; full name; vey’s question on front-end verification. In
quarterly wages; and employer’s name, address, part, the small number of affirmative re-
and identifier. Additionally, the need to follow sponses to the question may be attributed to
specific guidelines in accessing IRS-and SSA a lack of understanding of what would be
information will also create more uniform sys- termed “front-end verification. ”
tems throughout the States, and is tantamount
to the establishment of a de facto wage and Until recently, there was almost no informa-
eligibility recipient system. In the congression- tion on State use of front-end verification.
al debates on the Deficit Reduction Act there However, the Department of Health and Hu-
was no explicit discussion of such a system. man Services has recently completed a survey
——.—— of automated front-end eligibility y verification
‘Departments of Labor, Agriculture, and Health and Human applications currently used or being developed
Services, “Income & Eligibility Verification Procedures for Food
Stamps, Aid to Families With Dependent Children, State Ad- at the State level for use in AFDC, food stamp,
ministered Adult Assistance, Medicaid and Unemployment Medicaid, and unemployment insurance pro-
Compensation Programs: Final Rule, ” Federal Register, vol. grams. With a 92 percent response rate from
51, No. 40, Feb. 28, 1986, pp. 7178-7217.
“U.S. Congress, Hearings Before the Senate Committee on
the States, the survey found 75 front-end ver-
Governmental Affairs, Subcommittee on Oversight of Govern- ification applications being used in AFDC, food
ment Management, Oversight of Computer Matching To De- stamp, and Medicaid programs in 36 States,
tect Fraud and Mismanagement in Government Programs, Dec.
15-16, 1982 (Washington, DC: U.S. Government Printing Of- and 53 front-end verification applications be-
fice, 1982), p. 14. ing used in unemployment insurance programs
.. . .

. ——

in 36 States.9 The primary data checked in Table 14.— Examples of State Front-End
these front-end verifications include duplicate Verification Programs
benefits, earned income, and work history. Ex- Nevada. —The Welfare Referral System under development
amples of some front-end verification programs will provide the caseworker with information about the ap-
appear in table 14. plicant’s receipt of income assistance benefits, wages,
and unemployment compensation benefits (UC B). When
There has been a marked increase in State an applicant comes into the local office, the worker will
enter the applicant’s name, social security number, and
use of front-end verification in Federal welfare other data into the “key file. ” This information will be
programs. Federal statutes, most notably the matched on-line against welfare and wage and UCB data
Deficit Reduction Act, now require front-end (welfare refers to Aid to Families With Dependent Chil-
dren (A FDC), food stamps, Medicaid, child support, and
verification in certain programs. The Deficit social services). A hardcopy of the match WIII be gener-
Reduction Act requires States to use front-end ated and transmitted to the worker.
verification in administering the food stamp, Georgia.—At the time of application, the eligibility worker
does an on-line check of the current recipient database
AFDC, unemployment compensation, Medicaid, to detect any duplicate benefits. In addition, this match
and SSA’S adult assistance programs (titles is also run during the batch processing of the application
I, X, XIV, XVI). The sources that will be used that occurs immediately prior to payment. Results are re-
ceived prior to eligibility certification. This batch match
most frequently for verifying information are: also accesses statewide records of closed benefit cases.
the agency’s own data sources, as a check The duplicate benefit check is part of Georgia’s larger Pub-
on duplicate benefits; SSA’S State Data Ex- lic Assistance Reporting System (PARIS) designed to cot-
Iect, store, and generate information utilized by the AFDC.
change System (SDX), which contains a list- food stamp, and Medicaid programs.
ing of all supplemental security income recip- New York.—As a new subsystem of the Welfare Management
ients in the State; the SSA’S Beneficiary and System, the Resource File Integration automatically pro-
vides front-end matching of all applicants for public as-
Earnings Data Exchange (BENDEX), which sistance against the State wage file. The wage data is
contains wage data and eligibility entitlements available on-line to eligibility workers. To assure that lo-
to SSA programs; SSA’S Enumeration Verifi- cal workers take action on the information, a resolution
code indicating the action is required before any further
cation System (EVS), which contains informa- processing can take place. Future plans call for adding
tion on social security numbers; IRS files for State UCB data to the resource file. This system IS used
earned and unearned income; INS files for im- statewide except in New York City, which has a slightly
different system providing the same information by over-
migration status; and State wage data systems night batch processing.
(see fig. 7). Florida. —Information on individuals who are known to have
been involved in labor disputes and who have committed
Under the rules developed by the Depart- benefit fraud is stored in the claim history file When an
ments of Labor, Agriculture, and Health and individual applies for unemployment compensation ben-
efits, employees automatically perform an on-line match
Human Services, States are required to devel- between this data and applicant data when they enter data
op a statewide IEVS, and to use SSA and IRS from a new application. Positive hits generate flags that
systems for verifying additional information. prevent any payments from being made until the issue is
Examples of front-end verification required un- SOURCE U S Department of Health a-rid Human Services,Office of Inspector

der the Deficit Reduction Act include verifi- General, Catalog of Automated Front-End Eligibility Verification Tech-
niques, OAI-85-H-51 September 1985
cation of: social security numbers through
BENDEX, SDX, or EVS; unearned income
through IRS with subsequent verification from
The Debt Collection Act requires applicants
the individual or source of unearned income;
for Federal loans to supply their taxpayer iden-
and income/wages through IEVS.10
tification number (for individuals, their social
security numbers), and requires agencies to
‘U.S. Department of ~~ealth and Human Services. Catalog screen credit applicants against IRS files to
of A utmnated Front-End fi~li~’bilit.v l’m-ification Techniques,
op. cit. check for tax delinquency. Circular A-70 of
“’See app. E of this report. the Office of Management and Budget (OMB)

Figure 7.—A Representative Income and Eligibility Verification System (IEVS) for a State Food Stamp
Agency as Required by the Deficit Reduction Act of 1984a

I k’ J
1 I

similar systems will be developed by State Aid to Families With Dependent Children (AFDC) agencies, Medicaid agencies, and unemployment Compensation agencies.

as well as for the Adult Assistance Program in the Territories,

bsocial Security Administration.
csocial securit y n u m b e r .
SOURCE Office of Technology Assessment.

mandates that Federal agencies must conduct porate Government Services was quoted as
a credit screen on a potential candidate be- saying:
fore issuing a contract, grant, loan, or loan
guarantee. Private lenders, banks, etc., who are Dun
& Bradstreet subscribers can get this data,
With debt collection and with credit screen- too. So, if you don’t pay the Feds, from now
ing, the Federal Government is relying on pri- on it’ll affect your commercial credit rating,
vate sector databases for verifying the infor- too.12
mation. As presently planned, five companies, There has also been an increased effort to
including TRW Information Services, will de- require criminal history record checks for job
velop databanks on individuals’ credit and debt applicants in sensitive categories, e.g., day-care
information from private and governmental providers for children. Congress included a pro
sources, and two companies, TRW and Dun vision in the Continuing Appropriation Act of
& Bradstreet, will do likewise for commercial 1985 (Public Law 98-473) requiring that States
firms.11 Dun & Bradstreet’s Director of Cor- establish procedures to provide for nationwide
criminal history checks for all operators and
1“’Front-End Credit Screening: How an Ounce of Prevention
Could Avoid Billions in Cure, ” Government Executive, Janu-
ary 1985, pp. 34-35. ‘*Ibid, p, 35.

employees of child-care facilities.13 States were partment of Treasury for use in personnel or
to have such procedures in place by Septem- claimant representative matters (Public Law
ber 30, 1985. ’4 According to the Office of the 98-369, 1984); Federal, State, and local child
Inspector General, U.S. Department of Health support enforcement agencies (Public Law 94-
and Human Services, as of November 1984, 455, 1976); and Federal, State, and local agen-
3 States (California Georgia Minnesota) had cies ad-ministering certain programs under the
statutes requiring FBI criminal record checks Social Security Act or Food Stamp Act of 1977
on day-care providers, 24 States conducted (Public Law 98-369, 1984). Section 2651 of the
statewide criminal record checks on day-care Deficit Reduction Act also amends Section
providers, and 20 States were anticipating new 6103(1) of the Tax Reform Act and allows re-
legislation authorizing such criminal record turn information from W-2S and unearned in-
checks.15 There has also been growing inter- come reported on 1099s to be divulged to any
est in implementing criminal record checks for Federal, State, or local agency administering
teachers, youth group leaders, and elder-care one of the following programs: AFDC; medi-
providers. ’G cal assistance; supplemental security income;
unemployment compensation; food stamps;
IRS files are also considered to be valuable
State-administered supplementary payments;
sources of information for many record link- and any benefit provided under a State plan
ages because of the variety of information on approved under Titles I, X, XIV, or XVI of
file (e.g., address, earned income, unearned in-
the Social Security Act. Section 6103(m) of the
come, social security number, and number of
Tax Reform Act also provides for disclosure
dependents) and because the information is
of taxpayer identity information to a number
relatively up to date. As a general rule, returns
of agencies, including the National Institute
and return information are to remain confiden- for Occupational Safety and Health and the
tial, as provided for in Section 6103 of the Tax Secretary of Education.
Reform Act of 1976. Under this section, infor-
mation may be disclosed for tax and audit pur- Pressure to extend the list of agencies that
poses and proceedings, and for use in criminal can access IRS information has intensified
investigations if certain procedural safeguards with interest in record linkages to detect fraud,
are met. waste, and abuse; to register men for the Selec-
tive Service; and for any program that needs
Additionally, Section 6103(1) allows for the a current address for an individual. The IRS’s
disclosure of return information for purposes position is that its goal is to maintain a volun-
other than tax administration. The list has tary tax system and that public perception
grown considerably since 1976, and includes that tax information be confidential is impor-
disclosures to: SSA and the Railroad Retire- tant to maintaining a voluntary system. Thus,
ment Board (Public Law 94-455, 1976); Fed- the IRS is, in principle, opposed to disclosing
eral loan agencies regarding tax delinquent tax information.
accounts (Public Law 97-365, 1982); the De-
The potential for expanding the use of front-
end verification for government programs,
13U.S. Department of Health and Human Services, Model loans, and employment is enormous, as evi-
Child Care Standards Act- Guidan@ to States To Prevent Child denced by the Reagan Administration’s pro-
Abuse in Day Care Facilities, Washington, DC, January 1985,
p. 2. posed Payment Integrity Act that would re-

1 bid., p. 3. quire front-end verification in 12 new programs,
1 bid., p. 27.
%ee, for example, Adrian Higgins, “Day Care Worker Checks
including Pen Grants, guaranteed student
Getting Mixd Reviews, Arlington Journal, Sept. 6, 1985, p. loans, school lunches, health education loans,
A7; Linda Lantor, “Fairfax Schools To Tighten Employee veterans’ programs, Department of Housing
Screening, ” Arlington Journal, Sept. 10, 1985; p. A4; and An-
dee Hochma~ “Youth Workers Face Additional Screening;
and Urban Development housing programs,
Change Follows Spate of Sex Abuse Cases, The Washington and railroad retirement. Additionally, the Ad-
Post, Sept. 23, 1985, pp. D1-D2. ministration would expand the types of data

available for verification beyond those speci- come, resources, bank accounts, credit bal-
fied in the Deficit Reduction Act to include ances, and employment.l8
alien status, government wages and pensions,
veterans’ benefits, and railroad retirement. Finding 3
Another section of the proposed Payment Front-end verification raises due process and
Integrity Act would set up a Health Insurance privacy issues that have not been systematically
Verification System that would enable feder- studied.
ally funded health care programs to access
third-party insurance files to verify informa- Under traditional due process principles, it
tion supplied by the person applying for insur- is arguable that individuals should be notified
ance payments. The Federal programs include that information they provide will be verified
Medicaid, Medicare, Veterans, Indian Health, by third-party sources.l9 In many of the front-
Black Lung, and Maternal and Child Health. end verification programs currently being used,
The third-party insurance files to be accessed individuals are not informed or are only in-
include private insurance companies, health formed indirectly, i.e., they are told that in-
maintenance organizations, self-insured em- formation may be verified, but not when or
ployer-based plans, State and local employee how. They are often left with the impression
health plans, Federal health insurance pro- that they will be responsible for bringing proof
grams, and Federal and State workers’ com- to verify information, not that the agency will
pensation. verify information from other sources (see box
There are presently a number of front-end
verification pilot projects being conducted at The Deficit Reduction Act and the Debt Col-
the Federal level or at the State level with Fed- lection Act include requirements that agencies
eral funds. One is the Systematic Alien Verifi- give some notice to individuals. The Deficit Re-
cation for Entitlements (SAVE) system oper- duction Act requires agencies to notify appli-
ated by the Immigration and Naturalization cants at the time of application and periodi-
Service. State welfare agencies can access cally thereafter that information about them
SAVE to determine if an applicant is a legal will be exchanged and used to verify income
alien. Such information was previously veri- and eligibility. Under the proposed rules, it is
fied by sending individual forms to INS. SAVE not clear how this will be done (“in writing at
in this way saves time for the applicant, al- application, but not necessarily on the appli-
though State laws generally require welfare cation form’ or how specific will be the infor-
agencies to act on an application within 10 mation that is provided to the individual.
days. However, INS also regards it as a “polic-
ing tool, as indicated by this statement in an
INS memo about SAVE:
“U.S. Department of Health and Human Services, Catalog
Success will be measured by the number of of Automated Front-End Eli~”bility Verification Techniques,
op. cit., p. 44.
criminal prosecutions resulting from these ef- ‘gProcedural due process traditionally means that an official
forts; the dollars of cost avoidance; and the government action must meet certain standards of fairness to
number of unentitled aliens identified and re- an individual. This Wnerally includes the rights of adequate
moved or barred from benefit rolls .17 notice and of a meaningful opportunity to be heard prior to a
decision. In deterrnining the level of procedural due process that
Another pilot project is Project Checkmate is appropriate, three issues are considered: 1 ) is there a threat
in the District of Columbia. In this project, to life, liberty, or property interests; 2) what are the interests
of the government and of the individual; and 3) what procedures
AFDC applicants are screened against credit are cost-justified. See Kenneth C. Davis, Adrm”nistrative Law
bureau records providing information on in- Treatise, 2d ed. (San Diego, CA: K.C. Davis Publishing, 1979);
Kenneth C. Davis, Discretionary Justice: A Prelimimry Inquiry
(Urbana: University of Illinois Press, 1969); and Ernest Gell-
“As quoted in American Civil Liberties Union, “computer horn and Barry L3. Boyer, Administrative Law and Process (St.
Matching-Focus Paper, ” September 1985, p. 5. Paul, MN: West Publishing, 1981).
— —

— —

Box B.—Example of Front-End Verification Notice

Penalty Warning
FEDERAL, STATE AND LOCAL OFFICIALS. IF DO NOT give false information, or hide information, to
ANY IS FOUND INACCURATE, YOU MAY BE get or continue to get food stamps.
INTENTIONALLY BREAKS ANY OF THE DO NOT trade or sell food stamps or authorization cards.
AFTER THE FIRST VIOLATION, 12 MONTHS DO NOT alter authorization cards to get food stamps
AFTER THE SECOND VIOLATION, AND you’re not entitled to receive.
THE INDIVIDUAL CAN ALSO BE FINED UP TO DO NOT use food stamps to buy ineligible items, such
$10,000, IMPRISONED UP TO 5 YEARS, OR BOTH. as alcoholic drinks and tobacco.
STAMP PROGRAM. THE INDIVIDUAL MAY ALSO DO NOT use someone else’s food stamps or
BE SUBJECT TO FURTHER PROSECUTION authorization cards for your household.

Your Signature
I understand the questions on this application and the I understand that I my have to provide documents to
penalty for hiding or giving false information or prove what I’ve said. I agree to do this. If documents
breaking any of the rules listed in the Penalty Warning. are not available, I agree to give the Food Stamp office
My answers are correct and complete to the best of my the name of a person or organization they may contact
knowledge. to obtain the necessary proof.
Your signature Today’s date
Witness if you signed with an X

You or your representative may request a fair hearing We will consider this application without regard to race,
either orally or in writing if you disagree with any color, sex, age, handicap, religion, national origin or
action taken on your case. Your case may be presented political belief.
at the hearing by any person you choose.

FORM FNS-385 (7-83) Previous Editions Obsolete

Page 5
From prototype of food stamp application approved by the Office of Management and Budget. Actual forms vary by State.

In 1983, OMB issued its Guidelines on the mation to a consumer reporting agency, the
Relationship of the Debt Collection Act of 1982 agency head or designee must review and vali-
to the Privacy Act of 1974.20 The guidelines date the disclosure, must have given notice to
specify that before an agency discloses infor- the debtor of the overdue debt and its inten-
—.— tion to disclose, must have given the individual
‘(’Apr. 11, 1983 (effective Mar. 30, 1982) (43 FR 15556). time to file for review, and must have published

a notice in the Federal Register identifying With respect to access to IRS information,
those systems of records from which they in- Sections 6103(1) and (m) of the IRS code specify
tend to disclose. Disclosure should be limited procedures that parties are to follow. More-
to that information directly related to the iden- over, Federal, State, and local employees out-
tity of the debtor and the history of the claim. side of IRS who handle IRS information are
Although under the act the consumer report- subject to the same criminal liabilities as IRS
ing agencies receiving records are exempt from employees for misuse or disclosure of the in-
criminal liability for misuse of information, the formation. The IRS also puts out a publication,
guidelines indicate that it would be appropri- Tax Iformatjon Security Guidelines for Fed-
ate to incorporate assurances to this effect in eral, State, and Local Agencies (Publication
service contracts between Federal and con- 1075; Rev. 7-83), that describes the procedures
sumer reporting agencies. The guidelines also agencies must follow to ensure adequate pro-
clarify that nothing in the wording of the Debt tection against unauthorized disclosure.
Collection Act authorizes agencies to share in-
An additional due process question that is
formation among themselves or to use infor-
raised by verifying information from govern-
mation obtained under this act for any other
mental or private sector (e.g., TRW or Dun &
Bradstreet) databanks is: what recourse does
In general, it can be a simple process to no- the individual have if the information is false?
tify applicants that information they provide Specifically, can the individual sue the data-
will be verified before benefits are granted and bank owner or operator? The Privacy Act pro-
which databases will be searched for verifica- vides means by which individuals can take ac-
tion of which data elements. Some even envi- tion against a Federal agency. The Fair Credit
sion verification being completed while the Reporting Act may provide a vehicle by which
individual waits. However, there is some ques- an individual could take action against a credit
tion whether notice is useful for the individ- reporting agency. However, in other circum-
ual under these circumstances. The purpose stances, statutes may not provide a legal means
of notice is to give the individual information by which individuals can challenge false infor-
so he or she can act.21 In the case of front-end mation and individuals would need to rely on
verification, notice generally leaves the indi- common law defamation suits.
vidual only one recourse if he or she does not
want the information verified, and that is to Finding 4
withdraw the application.
There has been no comprehensive study of how
The exchanges of personal information ne- to conduct front-end verification in the most cost-
cessitated by front-end verification may con- effective manner and with the highest possible
flict with the Privacy Act principles that in- data quality.
formation should be collected directly from the
individual and that information collected for The high costs of computer matching (e.g.,
one purpose should not be used for another pur- verifying large numbers of hits, holding hear-
pose without the consent of the individual. Al- ings, and prosecuting wrongdoers) are not
though in front-end verification information incurred in front-end verification. However,
may originally be collected directly from the front-end verification has its own costs. It may
individual, additional information is provided add to the caseworker’s time in processing an
from outside sources. Moreover, the informa- application, although it may save somewhat
tion being used to verify information provided in subsequent administrative time. Front-end
by the individual is being used for a purpose verification will increase budgets devoted to
other than that for which it was originally automated data processing and telecommuni-
collected. cations. There are also some high initial over-
head costs in terms of developing the data-
zlD~viS, op. cit., 1979. bases used for verification (e.g., State Income

Verification Eligibility Systems) and getting The costs of front-end verification are direct-
them on-line, and ongoing costs of keeping ly tied to data quality. The timeliness of data
them up to date. used is an especially critical issue; for example,
wage data are often between 3 and 6 months
The Department of Health and Human Serv-
out of date by the time they are available from
ices’ survey of front-end eligibility verification State wage reporting agencies. Unearned in-
techniques at the State level asked respond-
come from the IRS is not reported until a
ents about both developmental and operating
month after the end of the tax year and would
costs. Most States were not able to provide not be processed and available for verification
the information as they were not keeping track purposes until many months later. Other in-
of the administrative time devoted to verifi- come data can likewise be stale. Some front-
cation. 22 end verification systems, such as those re-
The major savings associated with front-end quired in the Deficit Reduction Act, require
verification result from the avoidance of pay- workers to manually check information that
ments. The General Accounting Office reported appears false. However, the costs associated
that a New York State program that matched with front-end verification will increase with
welfare applications with tax records to ver- each subsequent verification.
ify income avoided paying over $27.5 million,
and that front-end verification in AFDC and Finding 5
food stamp programs in Arkansas saved $5
to $8 million.23 In neither case was a detailed At the present time, there are no policy guide-
lines for use of computer-assisted front-end ver-
cost-benefit analysis available.
Another projected saving is a reduction in
efforts to detect fraud, waste, and abuse for There are no general Federal guidelines, stat-
those already enrolled in government pro- utory or administrative, guiding the use of
grams, as these individuals would have been front-end verification. The OMB computer
initially screened by front-end verification. matching guidelines specifically exclude from
However, front-end verification would not elim- their purview record searches that are con-
inate the need to use other techniques (e.g., ducted at the application stage. The Deficit
computer matching) because even when infor- Reduction Act due process requirements for
mation is verified initially, frequent status notice, verification, and hearings may provide
changes (e.g., address and income) may neces- a model for more general guidelines. In design-
sitate later verification. ing policy guidelines, the following factors war-
rant consideration:
The President’s Council on Integrity and Ef-
ficiency has projected that the eligibility veri- 1. The responsibility for determining access
fication required by the Deficit Reduction Act to and record quality of the databases used for
will save $1 billion over 5 years. The Congres- verification purposes.
sional Budget Office did a gross estimate that It is noteworthy that the FBI has taken the
confirmed this figure, but did not specify cat- position that it has a responsibility only for
egories or figures for costs and savings.24 the quality of the Triple I index entries, and
not for the State criminal history records on
which the index entries are largely based. Like-
ZZInterview with I~Z Handley, Project Director, Department
of Health and Human Services Front-End Eligibility Project,
wise, NHTSA officials have stated that the
Apr. 9, 1985. quality of driver’s license records maintained
z31J. s. Gene~ Accounting Office, Elim”bility Verification and by the States (and indexed in the NDR) is not
fi”v;cyin Federal Benefits fiograms: A-D&”c&e Balance, HRD-
85-22, Mar. 1, 1985.
the responsibility of NHTSA.
“U.S. Department of Health and Human Services, Office of
the Inspctor General, Semiannual Report to the Congress, Apr.
When records are maintained in a central
1, 1985 -Sept. 30, 1985. Federal records repository, access and dissem-

ination generally follow applicable Federal laws that will be most affected. Another alternative
and regulations. However, under a decentral- for doing selective verification would be to se-
ized index approach, record access and dissem- lect particular individuals rather than particu-
ination are much more complicated. There are lar programs. The individuals selected for front-
wide differences in State laws and regulations end verification could be chosen by a computer
on record access and dissemination, ranging profile. However, profiling raises additional
all the way from so-called “open record” States policy issues, as will be discussed in chapter 5.
such as Florida, where many personal records
maintained in State files are open to public ac- 3. The rights of individuals.
cess at a modest fee, to very restrictive States
like Massachusetts, where access and dissem- Based on due process principles, as well as
ination are tightly controlled. traditional information privacy principles, in-
dividuals should be given some notice of veri-
This wide disparity in approach is especially fication and some means to challenge informa-
true with respect to criminal history records, tion if discrepancies should appear as a result
but also affects many other kinds of personal of verification. There are a number of ways in
records maintained in State repositories. This which compliance with these principles could
contributes to inconsistent and incomplete ex- be achieved. Individuals could be informed in
change of record information. In some of the writing or verbally at the time they submit an
Federal social service and welfare programs, application that the information supplied will
Congress has addressed this problem by requir- be verified. Additionally, they could be given
ing States to collect and exchange information a range of details concerning the sources to
as a condition of Federal funding, as discussed be accessed in the process. Individuals want-
earlier. But in other areas such as criminal his- ing more details on the process or wishing to
tory records, while Congress previously has contest verification could be advised by the
taken action to encourage enactment of State caseworker whom they should consult within
laws, there are wide differences among the the agency and when.
many State laws that have been enacted.
2. The frequency of use of front-end verifi- If front-end verification reveals problems
cation, i.e., routine or selective. with the information provided by the individ-
ual, then a process of further checking the va-
If it is conducted routinely (e.g., for all ben- lidity of information and informing the indi-
efit programs and Federal employment, loans, vidual of the problems could be started. The
and contracts), the societal implications of sub- degree of individual involvement and the depth
jecting to scrutiny all information submitted of validation may vary based on agency direc-
to the government by individuals would need tives or the goodwill of caseworkers, and there-
to be considered. Any possible long-term soci- fore may need to be specified in the regulations.
etal effects, such as increased distrust between
citizens and government, loss of individual re-
Once these principles are recognized in pro-
sponsibility, and a sophisticated governmental cedural protections, there may also be a need
information infrastructure would need to be to ensure that agencies are providing the req-
weighed against the significant budgetary sav- uisite notices and hearings. Some method of
ings that may be achieved by routine verifi- enforcement or automatic accounting could
cation. also be specified in the regulations. Such over-
If front-end verification is used selectively sight could be conducted within the agency or
(e.g., by law, OMB regulations, or court deci- by some outside body.
sions) rather than routinely, then considera-
tion must be given to the criteria for selecting With respect to involving the individual in
Federal programs that may use it, the approval the verification of information, the Department
process for each use, and the societal groups of Education is conducting an experimental

program, the Pen Grant Electronic Pilot. 25 income and checking accounts, may change so
Under this project, Pen Grant applicants can often that the data contained in computerized
correct or verify information on their Student databanks will rarely be up to date. Addition-
Aid Reports through computer facilities at ally, the record quality of many existing data-
institutions or financial aid services that par- banks that could be used in front-end verifica-
ticipate in the project. Applicants can now tion (e.g., computerized criminal history records)
make corrections on their Student Aid Reports is questionable.
and mail them back to the Department of Edu-
5. The possible requirement of a cost-benefit
4. The types of information used.
Because a major purpose of front-end veri-
This question involves whether the use of fication is to cut programmatic costs, docu-
some types of information (e.g., medical his- mentation of how front-end verification will
tory or criminal history) should be prohibited achieve this may be necessary. If a cost-benefit
because of their sensitivity. The use of such analysis were to be required, the categories of
information could be prohibited, or its use costs and benefits to be included could be speci-
could be restricted to particular verifications, fied in regulations. The detail to which costs
for example, use of criminal history informa- and benefits should be analyzed could also be
tion in screening day-care workers. specified. The degree of detail may vary de-
pending on the category; for example, admin-
Additionally, front-end verification raises a istrative costs may be more difficult to com-
separate and potentially more serious issue be-
pute than telecommunication costs.
cause the information is being used to make
an immediate, or near immediate, decision. In Cost-benefit analyses could be used within
order for front-end verification to be most ef- an agency or program for internal improve-
fective, information should be up to date, ac- ments in ongoing front-end verifications. They
curate, and complete. However, the informa- could also be distributed among agencies or
tion in some categories, for example, unearned programs for development of new front-end
verifications. Additionally, they could be used
office of Postsecondary Edu-
251J s, I)eptiment of ~;dumtiOn,
within an agency or by an outside body as part
cation, “ In\’itation To E]articipate and Closing Date for Partic-
ipation in Pen Grant Electronic Pilot, Federal Register, vol. of a process of approval of new front-end verifi-
50, ,No. 141, Tues., ,JUIJJ 23, 1985. cations or review of ongoing ones.
Chapter 5

Computer Profiling

summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Findings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Finding l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Finding 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Finding 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Finding 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
. .

Chapter 5

Computer Profiling

While computer profiling is not currently a istrative, and intelligence purposes because
subject of major policy debate, the potential they reduce the population that is of interest
policy issues raised by the future growth of to an agency, and thus may increase the
computer profiling are important. In computer agency’s efficiency and effectiveness.
profiling, a record system (or record systems)
OTA found that:
is searched for a specified combination of data
elements, i.e., the profile. Profiling involves the ● Federal agencies are currently using com-
use of inductive logic to determine indicators puter profiling and it is likely that its use
of characteristics and or behavior patterns that will expand in the near future.
are related to the occurrence of certain be- ● Important privacy and constitutional im-
havior. plications are raised by computer profil-
ing because prople may be treated differ-
A profile is developed by a government agen-
ently before they have done anything to
cy to select characteristics of types of individ-
warrant such treatment.
uals, and to determine the probabilities of such ● The validity of computer profiles in ac-
individuals engaging in activities or behavior
curately selecting the desired subset of in-
of interest to that agency. For example, the
dividuals is subject to debate, and thus
Drug Enforcement Agency (DEA) has devel-
also raises questions about the relevancy
oped profiles of the types of persons more likely
of data used and the appropriateness of
to be engaging in illegal drug activity; the In-
using computer profiles for certain de-
ternal Revenue Service (IRS) has developed
profiles of categories of taxpayers more likely ● At the present time, there are no policy
to be under-reporting taxable income; and the
guidelines for agency use of computer pro-
Federal Bureau of Investigation (FBI) has de-
veloped profiles of violent offenders. Profiles
can be valuable tools for investigative, admin-

Before computers were used to process and file. Additionally, computers can be used to
store information, systematic data on large search a record system on the basis of a pro-
numbers of individuals were not retained (or file. These technological changes make profiles
if retained were not readily accessible). More- both more powerful and more available. Most
over, there was no easy means to analyze the importantly, technology is now making pos-
data that did exist in order to construct pro- sible many new profiling applications for which
files. Information technology in general-and judgments of social acceptability have yet to
computers in particular-have removed these be made.
constraints. Detailed, historical information on
individuals can be compiled from various com- Profiling involves the use of inductive logic
puterized databases. Computers can be used to determine indicators of characteristics and/
to analyze complex and disparate information or behavior patterns that are related to the
and, based on that analysis, to design a pro- occurrence of certain behavior. A judgment is


made about a particular individual based on Profiles have been used by the government
the past behavior of other individuals who ap- to help agencies uncover possible misrepresen-
pear statistically similar, that is, who have sim- tation of eligibility to receive Federal funds
ilar demographic, socioeconomic, physical, or or benefits, possible noncompliance with or
other characteristics. Generally, in the Federal violation of agency regulations, and possible
Government, the behavior of interest is actual violation of civil or criminal statutes. In the
or potential violation of a law or administra- government, profiles can be created, to some
tive regulation. extent, for the convenience of implementing
public policies, as they replace subjective judg-
In the past, and as is often still the case, peo-
ments with objective decisionmaking criteria.
ple who appeared suspicious or acted strangely
Profiles can be useful during any stage of an
were often watched more carefully and their
agency’s interaction with individuals. For ex-
stories were verified from outside sources. ample, in eligibility benefit programs, profil-
Searches through Federal record systems were
ing may be used at the application stage to
often conducted on the basis of a list of char-
determine if an applicant is likely to misrepre-
acteristics that experience had shown were
sent his or her income, or at the redetermina-
problematic. Such profiles were often crude and tion stage to ascertain if it is likely that an
could easily lead to the stereotyping of indi- individual’s status has changed. In law enforce
viduals. Today, profiling is much more sophis- ment, profiling may be used in discovering
ticated as a result of advances in behavioral
likely suspects (e.g., airplane hijackers) or in
psychology and statistics. As most behavior
determining an appropriate sentence for some
is complex, sophisticated modeling may be
one convicted of a crime. Profiles can be valu-
done to determine the interrelations among cer-
able tools for investigative, administrative,
tain indicators. There are two general models
and intelligence purposes because they reduce
of profiling. One is singular profiling, which
the population that is of interest to an agency,
models distinct characteristics or activities,
and thus may increase the agency’s efficiency
e.g., sex, age, income, or number of dependents.
and effectiveness.
When these characteristics appear together or
in a certain pattern, that individual is flagged
by the profile. The second model of profiling Because computer profiling may result in
is aggregative profiling, which is based on the selected individuals being treated differently
frequency with which selected factors appear from those not selected, it has raised a number
across cases. This model is designed to find of policy questions involving civil, constitu-
systematic and repetitive violators. ’ tional, and equal rights considerations. The pri-
mary conflict is between the rights of the indi-
Profiles have been used for decisionmaking
viduals selected (e.g., equal protection and due
in a variety of areas, ranging from insurance process) and the purpose of the government
and advertising to motor vehicle or real estate in using computer profiles and their effective-
licensing to entrance to the medical and legal ness in achieving that purpose. No matter how
professions. Profiles used range from those sophisticated the profile, the question of treat-
that are benign and socially acceptable (e.g., ing people differently before they have acted
granting driver’s licenses to 16 year olds, who remains.
inmost States are judged to be physically and
mentally mature enough to drive a car) to those
that are discriminatory and socially unaccept- Computerized profiling also introduces some
able (e.g., denying rental housing to minorities very important new policy issues. If the use
or students or denying professional employ- of computer profiling in the Federal Govern-
ment opportunities to women). ment were to be expanded, the long-term so-
cietal effects on behavior patterns, and the pos-
‘Gary T. Marx and Nancy Reichman, “Routinizing the Dis-
covery of Secrets, American Behavioral Scientist, vol. 27, No. sible effects on individuality and creativity,
4, March/April 1984, pp. 429-431. would warrant attention. Additionally, the va-

lidity of computer profiles in accurately select- about the relevancy of data used and the appro-
ing the desired subset of individuals is sub- priateness of using computer profiles for cer-
ject to debate, and thus also raises questions tain decisions.

Finding 1 ducted pilot programs of profiling that are no
longer in use, for example, the Office of the In-
Federal agencies are currently using computer spector General in the Department of Energy
profiling and it is likely that its use will expand developed, with DOE Defense Programs, a pro
in the near future. file of the “Insider Criminal. ”
Federal agencies have developed profiles for The use of profiles for law enforcement pur-
a number of purposes, mainly for identifying poses has been widely documented. Computers
individuals most likely to be involved in an ille- were not necessarily used in preparing these,
gal activity or most likely to misrepresent their but they are illustrative of the type of com-
financial or personal situation in applying for puter profiles already under development. The
a Federal benefit. The OTA survey revealed Drug Enforcement Agency (DEA) has devel-
that 16 Federal agencies presently use com- oped a profile of airplane passengers likely to
puter profiling. For example, the IRS uses be smuggling drugs, and a profile to detect
computer-generated generic profiles to iden- those transporting marijuana on trains.’ The
tify potential compliance deficiencies; the De- Coast Guard has a profile of vessels likely to
partment of Education uses profiles, based on be smuggling drugs into the country.’ The
criteria including taxes paid, marital status, Customs Bureau also has a “smuggler’s pro-
and size of household, to select Pen Grant ap- file.”4 The Federal Aviation Administration
plicants for validation; the Bureau of Indian used a hijacker profile as part of its screening
Affairs profiles the public social service sup- program at domestic airports until it began
port and facilities usages and needs of individ- routine searches of all carry-on items and mag-
ual corporate groups of Indians for budgetary netometer screening of all passengers.’
planning and allocation of resources; and the
Federal Reserve Board uses surveys of retail- The FBI has developed numerous profiles,
ers and consumers to obtain statistical data including those of various violent c riminals and
concerning financial status and behavior of serial murderers. This work is being expanded
households and businesses, access to and use under the auspices of the FBI National Cen-
of consumer credit, asset holdings, financial ter for the Analysis of Violent Crimes. Also,
practices, effect of charge card transactions, based in large part on interviews with felons
and the like. convicted of serial murders, the FBI has de-
veloped profiles of serial murderers, especially
According to the OTA survey, some agen-
cies are planning to add this capability to ex-
isting systems. For example, the redesign of ‘See, for example, United States v. JohnstorI, 497 F.2d 397
(9th Cir. 1974) and United States V. Chadwick, 393 F. Supp.
the Treasury Enforcement Communications 763 (D. Mass. 1975).
System, known as TECS II, will incorporate ‘Note, “High On the Seas: Drug Smuggling, the Fourth
profiling. The U.S. Army Criminal Investiga- Amendment, and Warrantless Searches at Sea, Harvard La w
Review, vol. 93, 1980, p, 725.
tion Command is considering developing a sys- ‘See, for example, United States v. Klein, 592 F.2d 909 (5th
tem of profiling potential victims and crimi- Cir. 1979), and United States v. Asbury, 586 F.2d 973 (2d Cir.
nal offenders for use in the conduct of crime 1973).
‘Note, “The Airport Search and the Fourth Amendment:
prevention surveys and in the development of Reconciling the Theories and Practices, ” U. C. L. A.—Alaska Law
investigative leads. Some agencies have con- Review, vol. 7, 1978, p. 307.

serial sex murderers.’ The FBI is currently tal Security Income’s Office of Family Assis-
developing software for preparing computer- tance reported that the following characteris-
ized profiles of violent offenders, based on the tics were used in error-prone profiles: earned
concept already implemented for arson offend- income, home ownership, age 26 to 40, recent
ers in the computer-assisted Arson Informa- separation, bank account, and overdue redeter-
tion Management System (AIMS).7 In 1983, mination of benefits.’
the Office of Juvenile Justice and Delinquency
In eligibility benefit programs, computer
Prevention of the Department of Justice funded
profiles or screens can also be used to search
the University of Pennsylvania School of Nurs-
databases of recipients prior to conducting a
ing to identify the variables that fit profiles
computer match. The records that were se-
of rapists, child molesters, and sexually ex-
lected by the profile would be the only ones
ploited children.’
subject to computer matching. A smaller num-
In the 1970s, the Law Enforcement Assis- ber of records would then be matched. If the
tance Administration funded “pre-delinquency’ computer profile was effective in selecting
programs to create computer models to iden- those records most likely to contain errors,
tify those young people who were likely to be- then the percentage of verifiable hits would
come delinquent. The computer models or pro- increase. In this way, computer profiles or
files included factors that were common among screens may make computer matching more
known delinquent youths, such as area of resi- effective and efficient. Additionally, cuts in the
dence, family situation, school performance, Federal budget may increase the pressure to
ethnic group, and medical history. Young peo- use computer profiling not only to detect and
ple who most closely matched the profile were prevent fraud and errors, but also to allocate
to be given special treatment. In 1983, the Of- the time of caseworkers or investigators.
fice of Juvenile Justice and Delinquency Pre-
There has been no survey of the use of com-
vention funded the Rand Corp. to develop
puter profiles in social service programs at the
strategies based on the “pre-delinquency’ pre-
Federal level. The President’s Council on In-
tegrity and Efficiency (PCIE) has released
Computer profiles can also be used as a way three inventories of Federal computer appli-
of avoiding errors in Federal Government eli- cations to prevent/detect fraud, waste, and
gibility and benefit programs and as a way mismanagement. The applications include
of allocating scarce investigative resources. matches, profiles, edits, scans, screens, anal-
Based on a computer profile, caseworkers can yses, and extracts. If one adopts the PCIE
determin e during the application process which categorization, there were no profiles used prior
applicants may need more careful checking. to 1982, 13 profiles used in the period 1982-
Characteristics often associated with errors 83, and five profiles used in the period 1984-
could include basic factors such as age, race, 85. ’0 However, agencies have sometimes
or education level; some combination of fac- placed computer applications that appear to
tors; or more indirect factors, such as length be profiles in a different category, e.g., Project
of family separation, residency, or living with Sonoma— Welfare Fraud Profile is listed as a
a specified relative. In 1979, the Supplemen- match. Some computer screens appear to be
based on a computer profile (e.g., a Department
‘Robert K. Ressler, Ann W. Burgess, Ralph B. D’Agonstino, of Education screen designed to identify, by
and John E, Douglas, “Serial Murder: A New Phenomenon of selected criteria, guaranteed student loans
Homicide, ” September 1984.
‘AIMS deals both with past activities, in developing pro-
files on arson incidents, and possible future activities, in profil- “’Use of Error Prone Profiles, ” i!lli~”bility Simplification
ing arson-prone properties and suspects. See U.S. Fire Admin- Project, October 1980.
istration, Arson Information Management System: Users ‘“U.S. Department of Labor, Office of Inspector General,
Manual and Documentation, Apr. 2, 1984. “Inventory of Federal Computer Applications To Prevent/De-
“’iPre-Delinquent Funding: Deja Vu, ” Privacy Journal, April tect Fraud, Waste and Mismanagement. Original distributed
1984, p. 3. July 1982; supplements distributed July 1984 and January 1986,
. —.-

.. ———.

maintained by State Guaranty Agencies that fifth and 14th amendments were designed to
are in excess of the regulatory maximum of ensure that individuals were treated in a man-
10 years), while others do not (e.g., prescrip- ner similar to other individuals, and that the
tion payments made by Blue Cross and Blue government not treat individuals differently
Shield, screened to ascertain whether that com- simply because they were members of a group.
pany was computing and claiming Medicaid Although the government can classify people
prescription drugs in accordance with Federal for special treatment, it cannot do so based on
procedures). impermissible criteria (e.g., race, religion, or
national origin), nor can it use a classification
Information on State use of computer pro-
to arbitrarily burden a group of individuals.
files is also sketchy. The Carter Administra-
In computer profiling, the criteria used might
tion’s Eligibility Simplification Project re-
be those that are already viewed as discrimina-
ported on the use of error-prone profiles,
tory under existing law—e.g., race, religion, na-
primarily at the State level. According to its
tional origin, and sex. For example, in DEA’s
study, West Virginia had used computer profil-
drug courier profile, being Hispanic has ap-
ing, or a selective case action system, for Aid
peared as one of the criteria. With sophisti-
to Families With Dependent Children (AFDC),
cated profiling, it may also be possible to use
food stamp, and Medicaid cases, based on a
a number of related indicators rather than a
quality-control sample generated monthly by
category whose use would be illegal.
the computer. The profile was based on a sta-
tistical method of evaluating previous error sit-
The equal protection clauses may also re-
uations and was modified periodically. Report-
edly, from 1973 to 1976, the case error rate and quire that the criteria on which the profile is
based be related to the behavior in question;
payment error rate declined by 20 percent.”
otherwise, the selected group may be arbitrar-
The Eligibility Simplification Project found
ily burdened. Additionally, the government
similar results with the use of error-prone
program would need to be rationally related
profiling in South Carolina and New Hamp-
to achieving a legitimate purpose such as de-
shire. The Eligibility Simplification Project
tecting fraud, waste, and abuse or apprehend-
found that other States appeared to be ex-
ing drug smugglers.
perimenting with the use of such profiles in
determining social service eligibility. A survey
of seven States conducted for OTA in 1984 re- The use of computer profiling may also con-
flict with the due process clauses of the fifth
vealed that computer profiling was not used
and 14th amendments that protect an individ-
by those States.”
ual against arbitrary treatment and provide
an individual with certain procedural guaran-
Finding 2 tees. Some argue that computer profiles elimi-
Important privacy and constitutional impli- nate the discretion and arbitrariness of inves-
cations are raised by computer profiling because tigative authorities, caseworkers, and parole
people may be treated differently before they officers. Others respond that profiles merely
have done anything to warrant such treatment. replace a crude form of profiling (hunches, for
example) with a more sophisticated one. In ei-
Computer profiles involve categorizing peo- ther case, the due process clauses require rules
ple based on selected criteria, and then select- and procedures to limit discretion and protect
ing a subset of these people for special treat- individuals from arbitrary treatment. In some
ment. The equal protection guarantees of the instances, use of computer profiling may not
provide for adequate rules and procedures.
“Robert Ellis Smith, “Report on Data Protection and With respect to the use of profiles in eligi-
Privacy in Seven Selected States, ” OTA contractor report, Feb-
ruary 1985. The seven States are California, Florida, Indiana, bility programs, Senator William Cohen re-
Minnesota, New York, Texas, and Virginia. ported that:

We have profiles that have been developed then they follow the person. If agents believe
by computer, and disability payments that it is justified, they stop the individual, iden-
have been discontinued with no human con- tify themselves as law enforcement agents, and
tact coming about until such time as those request to see identification. Based on the in-
cases are appealed to an administrative law formation revealed and the behavior of the per-
judge. Two-thirds of the cases appealed are be- son, the agents may then “request” that the
ing reversed.13
suspect accompany them to an office in the air-
The extreme result of a computer profile port. There the person is told that he or she
would be that benefits are terminated, which is suspected of carrying drugs, advised of his
would not occur without a hearing. The more or her rights, and asked for permission to
common result would be that a selected indi- search his or her luggage and person.15
vidual is subject to a more thorough investi-
In cases in which the sole or primary justifi-
gation than others because he or she fits a pro-
cation for an investigative stop has been the
file. To some extent, this individual is regarded
drug courier profile, the lower courts have not
with suspicion based on the profile. Individ-
been consistent in their rulings. For example,
uals may not know that they are being treated in United States v. McCaleb, 552 F.2d 717 (6th
differently, and even if they do, may not know
Cir. 1977) and State v. Washington, 364 So.
why. 2d 958 (La. 1979), the courts reversed the ap-
With respect to the use of computer profiles pellants’ convictions based on investigative
in law enforcement, the primary issue is wheth- stops triggered by meeting a drug courier pro-
er fitting a profile constitutes probable cause file because their activities were too consistent
or reasonable suspicion and is reason to search with innocent behavior. In United States v.
or detain an individual. In determining whether Vasquez, 612 F.2d 1338, an investigative stop
an investigative stop is lawful, the courts bal- based in part on a profile was judged valid.
ance the need for the search against the intru- In 1979, the Supreme Court ruled on two in-
sion to the person. To justify the intrusion, law stances involving the use of the drug courier
enforcement agents must be able to identify
profile. In the first case, United States v. Men-
specific and articulable f acts that show the in-
denhall, 446 U.S. 544, the Court ruled that the
trusion is reasonably warranted.” investigative stop of Mendenhall, which was
There have been a number of court cases in- based on her fitting characteristics of the drug
volving the use of the drug courier profile, and, courier profile, was constitutional. However,
hence, this will serve as an example of the le- the majority did not agree on why it was con-
gal issues that arise with use of profiles for law stitutional, giving little guidance to the lower
enforcement purposes. Although this profile courts on the acceptability of the profile in
is not currently generated by a computer nor establishing justification for an investigative
are computers necessarily used to search rele- stop. One month later, the Court handed down
vant databases, the legal issues would be sim-
ilar whether or not a computer was involved.
“For a description of the profile, its use, and court cases,
Agents typically use the drug courier profile see William V. Conley, “Mendenhall and Reid: The Drug Cou-
as a tool in conducting surveillance on a group rier Profile and Investigative Stops, ” Um”versity of Pittsburgh
of people, generally those boarding or depart- Law Review, vol. 42, summer 1981, pp. 835-867; Hon. Mark
A, Costantino, Vito A. Cannavo, and Ann Goldstein, “Drug
ing a plane. If agents see a person whose be- Courier Profiles and Airport Stops: Is the Sky the Limit?” West-
havior fits a number of criteria in the profile, ern New Enghmd Law Review, vol. 3, 1980, p. 175; Philip S.
Greene and Brian W. Wice, “The D.E.A. Drug Courier Profile:
History and Analysis,” South Texas Law Journal, vol. 22, spring
“Senate Committee on Governmental Affairs, Subcommit- 1982, p. 261; Kathleen Mahoney, “Drug Trafficking at Air-
tee on Oversight of Government Management, Oversight of ports—The Judicial Response, ” Um”versity of Mianu” Law Re-
Computer Match”ng To Detect Fraud and Mismanagement in view, vol. 36, 1981, p. 91; and Francis Karl Toto, “Drug Cou-
Government Programs, hearings, Dec. 15-16, 1982 (Washing- rier Profile Stops and the Fourth Amendment: Is the Supreme
ton, DC: U.S. Government Printing Office, 1982), p. 17. Court’s Case of Confusion in Its Terminal Stage?” Suffolk
“Terry v. Ohio, 392 U.S. 1 (1968). University Law Review, vol. 25, 1981, p. 217.

a second decision dealing with the drug cou- degree of error, as they are merely probability
rier profile, Reid v. Georgia, 448 U.S. 438. In statements.
this case, the Court held that the investiga-
In formal profiles, when a general popula-
tive stop of Reid, based on his matching char-
tion is characterized and a profile developed,
acteristics of the drug courier profile, was not
the profile is only a statistical average of that
constitutional. The Court described the drug
general population. The similarities among the
courier profile as “a somewhat informal com-
population will be accentuated, while the differ-
pilation of characteristics believed to be typical
ences will be ignored. If the profile was based
of persons unlawfully carrying narcotics.’’”
on a sufficiently large population, it will have
Based on these two cases, the legal status some value in selecting those of interest, but
of the present drug courier profile is in ques- there will also be some margin of error in the
tion. Moreover, the Reid opinion may imply profile. The types of errors will be false posi-
that the constitutionality of the profile could tives (identifying those who fit the profile, but
turn on its sophistication. If this is true, then do not fit the category sought) and false nega-
the use of computer-generated profiles in law tives (passing by those who do not fit the pro-
enforcement may be considered a more valid file, but do fit the category sought). In develop-
investigative tool than the more informal ing the profile, the statistician will incorporate
profiles. the degree of error that the user is willing to
Federal court decisions since Mendenhall
and Reid have not clarified the status of the The more informal, crude profiles are greatly
use of a drug courier profile in an investiga- influenced by the experience and concerns of
tive stop. ” In 1981, in United States v. Cor- those who develop them. For example, in the
tez, 101 S. Ct. 690, the Supreme Court approved case of the drug courier profile, the criteria that
use of a profile by border patrol agents to de- make up the profile have varied over time and
tect the smuggling of illegal aliens from Mex- with the city in which DEA agents are work-
ico to the United States. ing. Some subset of the following are gener-
ally considered as the profile: the use of small
Finding 3 bills for ticket purchase, travel to and from ma-
jor drug import centers, travel for short periods
The validity of computer profiles in accurately of time, absence of luggage or empty luggage,
selecting the desired subset of individuals is sub- travel under an alias, unusual itinerary, un-
ject to debate, and thus also raises questions usual nervousness, use of public transporta-
about the relevancy of data used and the appro- tion, making a phone call after deplaning, leav-
priateness of using computer profiles for certain ing a fictitious callback telephone number with
decisions. the airline, attempting to conceal that some-
Profiles vary in their complexity and in the one is waiting for them or that they are trav-
formality of statistical techniques on which eling with someone, purchase of a one-way
they are based. Because computers are such ticket, Hispanic origin, youth, luggage with-
powerful tools in analyzing and manipulating out identification tags, ticket purchased at the
vast quantities of data, it is likely that pro- last minute or late arrival, and deplaning last.
files will become even more complex and for- There is no record establishing how and why
mal. Regardless of their complexity and for- these characteristics have come to be included
mality, profiles by definition are prone to some in the profile. There may also be some criteria
that DEA keeps confidential.

The OTA survey asked agencies to provide

“Reid v. Georgia, 448 U.S. 438, 440. both information on the development and test-
“See: United States v. Fry, 622 F.2d 1218 (5th Cir. 1980),
United States v. Robinson, 625 F.2d 1211 (5th Cir. 1980), and ing of profile programs and any evaluation
United States v. West, 495 F. Supp. 871 (D. Mass. 1980). reports. Of the 16 agencies that reported profil-

ing activities, none had this information avail- that agents at the Detroit airport had searched
able. There are no known studies of the degree 141 persons in 96 encounters, found narcotics
of error in profiles used in eligibility verifica- in 77 of these encounters, and arrested 122 per-
tion programs. sons. Forty-three of the searches in which nar-
cotics were found were nonconsensual. In 15
A principal policy issue involves determin-
of the 25 consent searches, no illegal narcotics
ing the accuracy of a computer profile and its
were found. ’g In testimony in United States
effectiveness in achieving the desired outcome. v. Price, 599 F.2d 494 (2d Cir. 1979), a DEA
The cost-effectiveness of computer profiles has agent stated that about 60 percent of those
never been systematically studied. There are he stopped, based on the drug courier profile,
a number of costs that may need to be consid- were carrying narcotics. However, it appears
ered: 1) developmental costs, including re-
that no national statistics are available on the
search, testing, validation, and evaluation; 2)
effectiveness of the drug courier profile.
computer costs, including hardware and soft-
ware; and 3) administrative costs, including
follow-up on individuals who fit the profile. The Finding 4
costs to individuals who may needlessly be sub- At the present time, there are no policy guide-
ject to investigation may also need to be con- lines for agency use of computer profiling.
sidered. Additionally, as with computer match-
ing, there may be hidden or secondary costs The use of computer profiling raises a num-
that need to be examined. ber of important policy questions. In determin-
ing the appropriate use of computer profiling,
There are also a number of benefits that need a number of factors warrant consideration, in-
to be considered, primarily increasing the ef- cluding:
fectiveness and efficiency of an investigation
because the relevant population has been nar- 1. The nature of the decision for which the
rowed, and preventing and deterring illegal be- profile is used. In other words, under what
havior. circumstances is it appropriate to use com-
puter profiling? In answering this ques-
Some information is available on the effec- tion, two distinctions may prove helpful.
tiveness of profiling for law enforcement pur- The first is the government purpose in
poses. None contains specific cost-benefit cat- using profiling-e. g., detection of fraud,
egories or figures. A 1981 FBI evaluation of waste, and abuse; detection of violent
psychological profiling found that, of 192 cases criminals; and detection of discrimination.
examined, in 77 percent the profile helped fo- It may be appropriate to use computer
cus the investigation, in 20 percent it helped profiling for all of these purposes and for
locate possible suspects, and in 17 percent the any other purposes. Alternatively, the
profile actually identified the suspect. (Totals dangers of categorizing people and the
exceed 100 percent since more than one type speculative nature of profiles may out-
of assistance may apply to a single case.) The weigh their general use, but not their use
vast majority of cases were murder or rape in- for specific purposes.
vestigations. ’8 The second distinction is whether only
There are some sketchy statistics on the one individual, or one group or class of in-
effectiveness of the drug courier profile in dividuals, is subject to the computer pro-
selecting persons carrying drugs. In United file. A profile may provide the key by
States v. Van Lewis, 409 F. Supp. 535 (E.D. which a database of many individuals is
Mich. 1976), testimony from DEA revealed searched. One individual may also be selec-
tively compared to a profile. Because an
individual may be affected differently
“Federal Bureau of Investigation, “Evaluation of the Psy-
chological Profiling Program,” December 1981. “Conley, “Mendenhall and Reid, ” op. cit., p. 839.

under the two circumstances, different remedies? If an individual is accorded

standards could be considered for its use. different treatment because of the way he
2. The nature and source of the data used. or she compares to a profile, what rights
To be consistent with equal protection does he or she have and how can they be
law, one could argue that computer pro- implemented?
files should not include criteria tradition- 4. The accuracy of the profile. Given that
ally considered discriminatory, e.g., race, profiles themselves are prone to errors,
religion, national origin, or sex. It may also some testing may be necessary prior to
be necessary to eliminate or restrict the the use of a profile. Independent valida-
use of attributes that may substitute for tion and testing of any software program
the overtly discriminatory criteria. Addi- used for profiling may be necessary to de-
tionally, it may be necessary to restrict termine bias and accuracy. If profiles are
the use of results of sophisticated inva- to be used, guidelines may need to be de-
sive or intrusive psychological or physio- veloped for validation and testing. It may
logical tests, e.g., genetic testing, in be necessary that this testing be done by
profiles. a group (or groups) other than the one that
In setting standards for the use of data, developed the profile. Although it maybe
it may also be helpful to consider the difficult to get an exact accounting of
source of the data in determining its rele- costs and benefits, some outlining of the
vance for a profile. For example, it may significant costs and benefits that are ex-
not be appropriate for IRS profiles to in- pected could also be done.
clude information not provided by the tax- With respect to the drug courier profile,
payer or not directly relevant to financial William Conley has suggested that test-
matters. ing should be done in two steps. First,
3. The rights of individuals, with respect to establishing the percentage of those pre-
both decisions based on profiles and be- viously arrested who displayed a particu-
ing the subject of profiling, regardless of lar characteristic. Second, determining
use. Should individuals be informed that what percentage of all airplane passengers
their records are being searched on the ba- exhibit the same characteristic.’”
sis of a profile or that they are being com-
pared to a profile? If they do not want to
be subiect to profiling. what are their “’Ibid., p. 863.
Chapter 6

Policy Implications

summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
● . . . . . 99
Introduction . . . . . . . ........ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Policy Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
PolicyActions. . . . . . . . . . . . . . . . . . . . . . . . . ...,.+... . . . . ....... ....** ..*, 107
Action 1: Maintaining the Status Quo. . . . . . . . . . . . . . . . ....... . . . . . . .*. 107 ●

Action 2: Problem-Specific Actions . . . . . . . . . . . . . . . . . . . ....... . . . . . 108

. . . . .

Action 3: Institutional Changes . . . . . . . . . . . . . . . . . . . . . ....... ●. . . . . 113 s...

Action 4: Consideration of a National Information Policy ....... . . . . . . . . . . 122

Table No.
Institutional Changes for Information Policy I?toposed in the
99th Congress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Chapter 6

Policy Implications

All governments collect and use personal in- ciency, and law enforcement implications of
formation in order to govern. Democratic gov- Federal electronic record system applications
ernments moderate this need with the require- can be fully debated and resolved. Fourth,
ments to be open to the people and accountable within the Federal Government, the broader
to the legislature, as well as to protect the social, economic, and political context of in-
privacy of individuals. In the United States, formation policy, which includes privacy-re-
these needs are recognized in the Constitution lated issues, is not being considered.
and various public laws.
Overall, OTA has concluded that Federal
In 1974, Congress passed the Privacy Act agency use of new electronic technologies in
to address the tension between the individual’s processing personal information has eroded the
interest in privacy and the government need protections of the Privacy Act of 1974. Many
to know. Since the act was passed, there have applications of electronic records being used
been dramatic changes in the scale and scope by Federal agencies, e.g., computer profiling
of technological innovations applied to records and front-end verification, are not explicitly
and record systems, primarily as a means to covered either by the actor subsequent OMB
detect fraud, waste, and abuse, and to aid in guidelines. Moreover, the use of computerized
law enforcement investigations. New techno- databases, electronic record searches and
logical applications —most notably the wide- matches, and computer networking is leading
spread use of microcomputers, computerized rapidly to the creation of a de facto national
record searches, and computer networking— database containing personal information on
have multiplied within Federal agencies, and most Americans. And use of the social secu-
have expanded the opportunities for inappro- rity number as a de facto electronic national
priate, unauthorized, or illegal access to and identifier facilitates the development of this
use of personal information. Individual rights database. Absent a forum in which the conflicts
and remedies, as well as administrative respon- generated by new applications of information
sibilities, are not clear under current policies. technology can be debated and resolved, agen-
At the same time, there is stronger public con- cies have little incentive to consider privacy
cern for privacy and more support for legisla- concerns when deciding to establish or expand
tive protections than there was in the past. the use of personal record systems.
OTA’S analysis of Federal use of electronic Additionally, OTA’S analysis of electronic
record systems revealed a number of common record systems and their effect on individual
policy problems. First, new applications of per- privacy has confirmed once again the complex-
sonal information have undermined the goal ity of Federal information policy. Its broad so-
of the Privacy Act that individuals be able to cial, economic, and political implications need
control information about themselves. Second, systematic policy study.
there is serious question as to the efficacy of
OTA identified a range of policy actions for
the current institutional arrangements for over-
congressional consideration:
sight of Federal compliance with the Privacy
Act and related Office of Management and 1. Congress could do nothing at this time,
Budget (OMB) guidelines. Third, neither Con- monitor Federal use of information tech-
gress nor the executive branch is providing a nology, and leave policymaking to case
forum in which the privacy, management effi- law and administrative discretion. This


would lead to continued uncertainty re- ● review issues concerning use of the so-
garding individual rights and remedies, cial security number as a de facto na-
as well as agency responsibilities. Addi- tional identifier and, if necessary, re-
tionally, lack of congressional action will, strict its use or legislate a new universal
in effect, represent an endorsement of the identification number; or
creation of a de facto national database ● review policy with regard to access to

and the use of the social security number the Internal Revenue Service’s (IRS) in-
as a de facto national identifier. formation by Federal and State agen-
2. Congress could consider a number of prob- cies, and policy with regard to the IRS’s
lem--specific actions. For example: - access to databases maintained by Fed-
● establish control over Federal agency eral and State agencies, as well as the
use of computer matching, front-end private sector. If necessary, legislate a
verification, and computer profiling, in- policy that more clearly delineates the
cluding agency decisions to use these circumstances under which such access
applications, the process for use and is permitted.
verification of personal information, 3. Congress could initiate a number of insti-
and the rights of individuals; tutional adjustments, e.g., strengthen the
● implement more controls and protec- oversight role of OMB, increase the Pri-
tions for sensitive categories of personal vacy Act staff in agencies, or improve con-
information, such as medical and in- gressional organization and procedures for
surance; consideration of information privacy is-
establish controls to protect the pri- sues. These institutional adjustments
vacy, confidentiality, and security of could be made individually or in concert.
personal information within the micro- Additionally or separately, Congress could
computer environment of the Federal initiate a major institutional change, such
Government and provide for appropri- as establishing a Data Protection or Pri-
ate enforcement mechanisms; vacy Board or Commission.
● review agency compliance with exist- 4. Congress could provide for systematic
ing policy on the quality of data/records study of the broader social, economic, and
containing personal information, and, political context of information policy, of
if necessary, legislate more specific which information privacy is a part.
guidelines and controls for accuracy and

All governments collect and use personal in- In the 1960s, Congress and the executive
formation in order to govern. Democratic gov- branch began the first modern reexamination
ernments moderate this need with the require- of the effects of government information col-
ments to be open to the people and accountable lection on individual privacy and agency ac-
to the legislature, as well as to protect the countability. This occurred in response to two
privacy of individuals. Advances in informa- factors: first, the explosion in information ac-
tion technology have greatly facilitated the col- tivities necessitated by the Great Society pro-
lection and uses of personal information by the grams; and second, the introduction in Fed-
Federal Government, but also have made it eral agencies of large mainframe computers for
more difficult to oversee agency information information storage and retrieval. This reex-
practices and to protect the rights of indi- amination went on for a number of years, and
viduals. included, most prominently, the 1966 and 1967

hearings on the reposal to establish a Nation- suit of these hearings was the enactment of
al Data Center. the 1971 Senate Committee the Privacy Act of 1974, which established
on the Judiciary hearings on Federal data- rights and remedies for individuals who are the
banks,’ the 1973 Department of Health, Edu- subjects of agency recordkeeping and speci-
cation, and Welfare’s Advisory Committee on fied requirements that Federal agencies were
Automated Personal Data Systems,3 and the to meet in handling personal information. In
1972 project on databanks sponsored by the addition, OMB was assigned responsibility for
Russell Sage Foundation and the National overseeing agency implementation of the act.
Academy of Sciences.4
Technology. —At the time the Privacy Act
The reexamination of government informa- was debated and enacted, there were techno-
tion collection, computers, and privacy culmi- logical limitations on how agencies could use
nated in the 1974 joint hearings of the Senate individual records. The vast majority of Fed-
Committee on Government Operations, Ad eral record systems were manual. Computers
Hoc Subcommittee on Privacy-and Informa- were used only to store and retrieve, not manip-
tion Systems and the Senate Committee on the ulate or exchange, information. It was theo-
Judiciary, Subcommittee on Constitutional retically possible to match personal informa-
Rights; ’-and hearings of the House Commit- tion from different files, to manually verify
tee on Government Operations.G These hear- information provided on government applica-
ings coincided with Watergate and its revela- tion forms, and to prepare a profile of a subset
tion of how those in power could use and abuse of individuals of interest to an agency. How-
personal information, especially that held by ever, the number of records involved made such
the IRS and the Federal Bureau of Investiga- applications impractical.
tion, for their own personal advantage. The re- In the 12 years since enactment of the Pri-
———— .— .— vacy Act, at least two generations of informa-
‘U.S. Congress, House Committee on Government Operations,
Special Subcommittee on Invasion of Privacy, The Computer
tion technology have become available to Fed-
and Invasion of Privacy, hearings, 89th Cong., 2d sess,, July eral agencies. Advances in computer and data
26, 27, and 28, 1966 (Washington, DC: U.S. Government Print- communication technology enable agencies to
ing Office, 1966); U.S. Congress, Senate Committee on the Ju-
diciary, Subcommittee on Administrative Practice and Proce-
collect, use, store, exchange, and manipulate
dure, Invasions of Privacy (Government Agencies), hearings, individual records, as well as entire record sys-
89th Cong., 2d sess., part 5, Mar. 23-30 and June 7-9, 14, and tems, in electronic form. Specifically:
16, 1966 (Washington, DC: U.S. Government Printing Office,
1967); and Computer Privacy Hearings, 90th Cong., 1st sess., Microcomputers were not used at all by
Mar. 14-15, 1967 (Washington, DC: U.S. Government Printing
Office, 1967).
Federal agencies in the 1970s. Agencies
‘U.S. Congress, Senate Committee on the Judiciary, Subcom- responding to the OTA survey reported
mittee on Constitutional Rights, Federal Data Banks, Comput- a few thousand microcomputers in 1980,
ers and the Bill of Rights, hearings, 92d Cong., 1st sess., Feb.
24-25 and Mar. 2,3,4,9, 10, 11, 15, and 17, 1971, part 1 (Wash-
with a dramatic increase to over 100,000
ington, DC: U.S. Government Printing Office, 197 1). in 1985.
U. S. Department of Health, Education, and Welfare, Secre- Computer matching was not used by Fed-
tary’s Advisory Committee on Automated Personal Data Sys-
tems, Records, Computers and the Rights of Citizens (Wash-
eral agencies until 1976, and from 1980
ington, DC: U.S. Government Printing Office, 1973). to 1984 there was almost a threefold in-
Alan F. Westin and Michael A. Baker, Databanks in a Free crease in the number of computer matches.
Society (New York: Quadrangle/New York Times Book Co.,
Computer matching has become routine
‘U.S. Congress, Senate Committee on Government Operations, in a number of programs, especially eligi-
Ad Hoc Subcommittee on Privacy and Information Systems, bility benefit programs.
and Committee on the <Judiciary, Subcommittee on Constitu-
tional Rights, Privac,y—The Collection, Use and Computeriza-
Use of computer-assisted front-end veri-
tion of Personal Data, joint hearings, 93d Cong., 2d sess., June fication, especially with on-line computer
18-20, 1974 (Washington, DC: U.S. Government Printing Of- searches, has intensified in the 1980s, par-
fice, 1974).
‘U.S. Congress, House Committee on Government Operations,
ticularly following the requirements of the
Privacy Act of 1974 (Report 93-1416), 93d Cong., 2d sess. (Wash- 1984 Deficit Reduction Act.
ington, DC: U.S. Government Printing Office, 1974). The widespread use of computerized data-

bases, electronic record searches and one developed by the Department of Health,
matches, and computer networking is Education, and Welfare’s Advisory Commit-
leading rapidly to the creation of a de facto tee on Automated Personal Data Systems, and
national database containing personal in- hence will serve as the basis for the analysis
formation on most Americans. And use here.
of the social security number as a de facto
The first principle is that there must be no
electronic national identifier facilitates the
personal data recordkeeping system whose very
development of this database.
existence is secret. Ensuring that all record sys-
● In the 1970s, manual profiling was used
tems containing personally-identifiable infor-
by a few agencies, especially for law en-
mation are cataloged for the public record de-
forcement purposes. In the 1980s, com-
pends on each agency carefully monitoring its
puters can be used to generate profiles, record systems. In an age of electronic record
and software programs can search data-
systems, it is difficult for an agency to keep
bases on the basis of these profiles. The
an accurate catalog of all record systems, both
use of computer profiling is expanding
because of the number of systems and because
beyond law enforcement per se to include
of the continual electronic changes and manip-
various management programs, such as
ulations. Additionally, the multiplication of
those designed to detect fraud, waste, and
personal data systems makes it difficult for
an individual to be aware of all the systems
These technological advances have opened whose existence is public.
up many new possibilities for improving the
There are two types of record systems whose
efficiency of government recordkeeping; the
status under the Privacy Act is unclear. The
detection and prevention of fraud, waste, and
first is a personal information system main-
abuse; and law enforcement investigations. At
tained on a microcomputer. Privacy Act of-
the same time, the opportunities for inappro-
ficers are unsure of their responsibilities in this
priate, unauthorized, or illegal access to and
area and are looking for either legislative or
use of personal information have expanded. Be
OMB clarification.7 The question is whether
cause of this expanded access to and use of
records maintained on microcomputers are
personal information in decisions about indi-
analogous to ‘desk notes, which are not cov-
viduals, the completeness, accuracy, and rele-
ered by the Privacy Act, or whether they are
vance of information becomes even more im-
of a different character because they can be
portant. Additionally, it is nearly impossible
retrieved by others and easily disseminated.
for individuals to learn about, let alone seek
redress for, misuse of their records. Even The second type of record system whose sta-
within agencies, it is often not known what ap- tus is unclear is one that is developed as a re-
plications of personal information are being sult of electronic record searches-primarily
used. Nor do OMB or relevant congressional computer matches, computer profiles, or com-
committees know whether personal informa- puter screens. All electronic record searches
tion is being used in conformity with the Pri- generate a new file of those who appear in both
vacy Act. systems or who meet the criteria of a profile
or screen. Agencies argue that the Privacy Act
Information Technology and Fair Information
notice procedures would not apply to these be-
Principles. –The core of the Privacy Act of
cause they are only temporary systems that
1974 is the code of fair information principles.
are destroyed in the process of verification,
Twelve years later, it is important to review
these principles in light of current information
technology applications and administrative 7
Panel on “Privacy Problems Relating to Computer Security,
practices. Although there are a number of iter- Seventh Annual Symposium on the Freedom of Information
and Privacy Acts, sponsored by the Office of Personnel Manage
ations of the code of fair information princi- ment Government Executive Institute, Washington, DC, Au-
ples, the model for the Privacy Act was the gust 1985,

and, therefore, are not record systems under some cases, this principle has been overriden
the Privacy Act. by legislation that has authorized the exchanges.
In these instances, the legislative history re-
The second principle of fair information prac-
veals little explicit consideration of the effect
tice is that there must be a way for an individ-
on the fair information principles of the Privacy
ual to find out what information about him or
Act. In the majority of cases, these new uses
her is in a record and how it is used. Technol-
of information have not been authorized by leg-
ogy makes the first requirement of this prin-
islation, but instead have been justified under
ciple even more important for individuals be-
the routine use exemption of the disclosure pr~
cause more information is being collected from
visions in the Privacy Act. This exemption has
third parties as a result of computerization and
been used for such a large number of informa-
on-line searches. While technology could offer
tion exchanges and for so many types that it
individuals more ways to learn what is in their
now appears to mean that all uses of Federal
records, OTA found that no agencies have yet
records are permitted except those that are ex-
offered individuals computer access to their
pressly prohibited.
personal information.
The fourth principle of fair information prac-
Technology has also affected the require-
tice is that there must be a way for an individ-
ment that there must be a way for an individ-
ual to correct or amend a record of identifiable
ual to find out how personal information is
information about him or her. This principle has
used. With computerization, the matching of
become even more important in an age of elec-
records, searching of files based on profiles,
tronic recordkeeping because more information
and verifying of information with numerous
is collected from parties other than the indi-
other record systems have become routine for
vidual and because information is added to files
many record systems. The fact that the uses
at indeterminate periods. The increased ex-
of information in government databases are
changes and uses of information by Federal
increasing does not necessarily mean that in-
agencies make it more difficult to determine
dividuals will not find out about such uses;
what information is maintained and how it is
however, OTA’S research indicates that agen-
used; therefore it is harder for an individual
cies have generally not informed individuals,
to corrector amend records. On the other hand,
at least not in a direct fashion.
in an age of electronic recordkeeping, it is pos-
The third principle, that there must be a way sible that corrections to individual files could
for an individual to prevent information about be negotiated via a home computer or agency
him or her that was obtained for one purpose computer, and agreed upon changes made di-
from being used or made available for another rectly into the system. Based on OTA’S re-
purpose without his or her consent, is affected search, it appears that no agency is using com-
most dramatically by new applications of tech- puters and telecommunications to provide new
nology. The principle includes not just knowl- ways for an individual to amend records.
edge of the uses of information, but also a The fifth principle is that any organization
means to prevent uses. Given the scale of gov-
creating, maintaining, using, or disseminating
ernment recordkeeping and the number of ad- records of identifiable personal data must assure
ministrative uses of information, it appears to
the reliability of the data for their intended use
be extremely difficult for an individual to take
and must take precautions to prevent misuse of
the data. It is from this principle that the
In computer matching, front-end verifica- maxim that information must be accurate,
tion, and computer profiling, information that timely, relevant, and complete has been taken
was collected for one purpose, such as person- [Public Law, 93-579, Sec. 3(e)(5)]. With elec-
nel or tax, is being used for another purpose, tronic record systems, data are collected, ma-
e.g., detection of fraud, registration for selec- nipulated, and exchanged much more quickly
tive service, or payment of child support. In than in paper systems. The speed of exchanges

and large number of users make it more diffi- files of personal information could be compiled
cult to determine who is responsible for data “fairly easily, ” and 78 percent would regard
reliability and use. Once again, the technology this as a violation of their privacy.
offers at least a partial solution in that audit
There is increasing public support for addi-
trails can be built into systems. In addition,
tional government action to protect privacy.
systems can be programmed to automatically
In 1978, two-thirds of the public responded
purge records or separate data elements after
that laws could go a long way to help preserve
a specified period of time. OTA found that
privacy. Sixty-two percent thought it was very
agencies were not, on the whole, making use
important that there bean independent agency
of the technology to ensure record quality, and
to handle complaints about violations of per-
were conducting few reviews of record quality.
sonal privacy by organizations. In 1982, over
Public Opinion.— In general, Americans do 80 percent of the public supported the major
not believe that there are adequate safeguards principles of the code of fair information prin-
for protecting the privacy of information about ciples. In 1983, large majorities of the public
people.’ The percentage of the public believ- supported the enactment of new Federal laws
ing that personal information about them is to deal with information abuse, including laws
being kept in files not known to them has in- that would require that any information from
creased from 44 percent in 1974 to 67 percent a computer that might be damaging to people
in 1983. Most Americans, from two-thirds to or organizations must be double-checked thor-
three-fourths, believe that agencies that release oughly before being used, and laws that would
information they gather to other agencies or regulate what kind of information about an in-
individuals are seriously invading personal dividual could be combined with other infor-
privacy. Yet, a significant percentage of the mation about the same individual.
public believes that public and private orga-
nizations do share personal information. Most aFor a more complete discussion of public opinion and privacy,
Americans, 84 percent, believe that master see ch. 2.

OTA’S analysis of Federal agency use of elec- The expanded use and exchange of personal
tronic record systems, specifically for comput- information have also made it more difficult
er matching, computer-assisted front-end ver- for individuals to access and amend informa-
ification, and computer profiling, revealed a tion about themselves, as provided for in the
number of common policy problems. Privacy Act. In effect, the Privacy Act gave
the individual a great deal of responsibility for
First, new applications of personal informa- ensuring that personal information was not
tion have undermined the goal of the Privacy misused or incorrect. Technological advances
Act that individuals be able to control informa- have increased the disparity between this
tion about themselves. As a general principle, responsibility and the ability of the individ-
the Privacy Act prohibits the use of informa- ual to monitor Federal agency practices. For
tion for a purpose other than that for which example, individuals may not be aware that
it was collected without the consent of the in- information about them is being used in a com-
dividual. New computer and telecommunica- puter match or computer profile, unless they
tion applications for processing personal in- monitor the F’ederal Register for notices of
formation facilitate the use of information for such uses or unless questions about their per-
secondary purposes, e.g., use of Federal em- sonal information arise as a result of the ap-
ployee personnel information for locating stu- plication. In computer-assisted front-end ver-
dent loan defaulters, or use of Federal tax in- ification, individuals may be notified on an
formation for evaluation of a Medicaid claim. application form that information they provide

will be verified from outside sources, but are More specifically, OTA found that OMB is
unlikely to be told which sources will be con- not effectively monitoring such basic areas as
tacted. the quality of Privacy Act records; the protec-
tion of Privacy Act records in systems current-
Additionally, new computer and telecommu-
ly or potentially accessible by microcomputers;
nication capabilities enable agencies to ex-
the cost-effectiveness of computer matching
change and manipulate not only discrete records,
and other record applications; and the level of
but entire record systems. At the time the
agency resources devoted to implementation
Privacy Act was debated, this capability did
of the Privacy Act. OTA also found that nei-
not exist. The individual rights and remedies
ther OMB nor any other agency or office in
of the act are based on the assumption that
the Federal Government is, on a regular ba-
agencies were using discrete records. Exchanges
sis, collecting or maintaining information on
and manipulations of entire record systems
Privacy Act implementation. Given the almost
make it more difficult for an individual to be
total lack of information on Federal agency per-
aware of uses of his or her record, as those uses
sonal information activities, OTA conducted
are generally not of immediate interest to the
its own one-time survey of major Federal agen-
individual. -
cies and found that:
Second, there is serious question as to the ef-
ficacy of the current institutional arrangements
● the quality (completeness and accuracy)
for oversight of Federal agency compliance with of most Privacy Act record systems is un-
the Privacy Act and related OMB guidelines. Un- known even to the agencies themselves,
der the Privacy Act, Federal agencies are re- few (about 13 percent) of the record sys-
quired to comply with certain standards and tems are audited for record quality, and
procedures in handling personal information— the limited evidence available suggests
e.g., that the collection, maintenance, use, or that quality varies widely;
dissemination of any record of identifiable per- ● even though the Federal inventory of
sonal information should be for a necessary and microcomputers has increased from a few
lawful purpose; that the information should thousand in 1980 to over 100,000 in 1985,
be current, relevant, and accurate; and that few agencies (about 8 percent) have re-
adequate safeguards should be taken to pre- vised privacy guidelines with respect to
vent misuse of information. microcomputers;
● few agencies reported doing cost-benefit
OMB is assigned responsibility for oversight analyses either before (3 out of 37) or af-
of agency implementation of the Privacy Act. ter (4 out of 37) computer matches; author-
Prior studies by the Privacy Protection Study itative, credible evidence of the cost-ef-
Commission (1977), U.S. General Accounting fectiveness of computer matching is still
Office (1978), and the House Committee on lacking; and
Government Operations (1975 and 1983) have ● in most Federal agencies the number of
all found significant deficiencies in OMB’S staff assigned to Privacy Act implemen-
oversight of Privacy Act implementation. For tation is limited; of 100 agency compo-
example, under the Privacy Act, information nents responding to this question, 33 re-
collected for one purpose should not be used ported less than 1 person per agency
for another purpose without the permission of assigned to privacy and 34 reported 1
the individual; however, a major exemption to person.
this requirement is if the information is for a
‘‘routine use’ —one that is compatible with the Additionally, OTA found that there is little
purpose for which it was collected. Neither Con- or no government-wide information on or OMB
gress nor OMB has offered guidance on what oversight of: 1) the scope and magnitude of
is an appropriate routine use; hence this has computer matching, computerized front-end
become a catch-all exemption permitting a va- verification, and computer profiling activities;
riety of Federal agency information exchanges. Z) the quality and appropriateness of the per-
— — —

sonal information that is being used in these and computer profiling are being made by pro-
applications; and 3) the results and cost-effec- gram officials as part of their effort to detect
tiveness of these applications. fraud, waste, and abuse. Given the emphasis
being placed on Federal management and effi-
Third, neither Congress nor the executive
ciency, agencies have little incentive to con-
branch is providing a forum in which the privacy,
sider privacy concerns when deciding to es-
management efficiency, and law enforcement imp-
tablish or expand the use of personal record
lications of Federal electronic record system
systems. As a result, ethical decisions about
applications can be fully debated and resolved.
the appropriateness of using certain catego-
The efficiency of government programs and
ries of personal information, such as financial,
investigations is improved by more complete
health, or lifestyle, are often made without the
and accurate information about individuals.
knowledge of or oversight by appropriate agen-
The societal interest in protecting individual
cy officials (e.g., Privacy Act officers or inspec-
privacy is benefited by standards and protec-
tors general), OMB, Congress, or the affected
tions for the use of personal information. Public
policy needs to recognize and address the ten-
sion between these two interests. Fourth, within the Federal Government, the
Since 1974, the primary policy attention with broader social, economic, and political context
respect to Federal agency administration has of information policy, which includes privacy-
shifted away from privacy-related concerns. In- related issues, is not being considered. The com-
terests in management, efficiency, and budget plexity of Federal Government relations—
have dominated the executive and legislative within executive agencies, between the execu-
agenda in the late 1970s and early 1980s. Con- tive and legislature, between the Federal Gov-
gress has authorized information exchanges ernment and State governments, and between
among agencies in a number of laws, e.g., the the Federal Government and the private sec-
Debt Collection Act of 1982 and the Deficit tor—is mirrored in interconnecting webs of in-
Reduction Act of 1984. In these instances, con- formation exchanges. This complexity and in-
gressional debates included only minimal con- terconnectedness is reflected in a myriad of
sideration of the privacy implications of these laws and regulations, most of which have been
exchanges. enacted in a piecemeal fashion without consid-
eration of other information policies.
A number of executive bodies have been es-
tablished to make recommendations for im- Some of these policies may be perceived as
proving the management of the Federal Gov- being somewhat inconsistent with others, e.g.,
ernment, e.g., the President’s Council on the privacy of personal information and pub-
Integrity and Efficiency, the President Coun- lic access to government information. Some
cil on Management Improvement, and the laws and regulations may only partially ad-
Grace Commission. All have endorsed the in- dress a problem, e.g., Federal privacy legisla-
creased use of applications such as computer tion does not include policy for the private
matching, front-end verification, and computer sector or for the flow of information across na-
profiling in order to detect fraud, waste, and tional borders. In other instances, issues that
abuse in government programs. However, are inherently related and interdependent, such
these bodies have given little explicit consid- as privacy and security, are debated and legis-
eration to privacy interests. Some executive lated in separate forums with only passing at-
guidelines remind agencies to consider privacy tention to their relationship.
interests in implementing new programs, but
Additionally, the Federal Government in-
these are not followed up to ensure agency com-
formation systems, as well as its information
policy, are dependent on technological and eco-
In general, decisions to use applications such nomic developments. Federal funding for re-
as computer matching, front-end verification, search and development and Federal financial
———. . —

and market regulations will have significant mation policy environment, as well as inter-
implications for these developments. Yet, un- national technological and economic develop-
er the present policymaking system, there is ments, affects domestic information policy; yet
no assurance that these implications will be these factors are not systematically considered
considered. Likewise, the international infor- in the existing policy arenas.

Overall, OTA has concluded that Federal abuse; and on effective law enforcement will
agency use of new information technologies in continue to take precedence over privacy-
processing personal information has eroded the related concerns. This emphasis will most
protections of the 1974 Privacy Act. Many of likely result in an increased use of current ap-
the electronic record applications being used plications of information technology in Fed-
by Federal agencies, e.g., computer profiling eral agencies for record searches such as com-
and front-end verification, are not explicitly puter matching, computer-assisted front-end
covered by either the act or subsequent OMB verification, and computer profiling. In addi-
guidelines. Even where applications are cov- tion, it is likely that new applications will be
ered by statute or executive guidelines, there developed.
is little oversight to ensure agency compliance.
Without congressional action, individuals
More importantly, neither Congress nor the
will continue to be unaware of the majority of
executive branch is providing a forum in which
uses and disclosures of personal information
the conflicts-between privacy interests and
by Federal agencies because there will be no
competing interests, such as management effi-
notice other than that which appears in the
ciency and law enforcement—generated by new
Federal Register. If an individual has a ques-
applications of information technology can be
tion about agency practices and procedures,
debated and resolved. Absent such a forum,
it is difficult for him or her to find the appro-
agencies have little incentive to consider pri-
priate person to contact in a Federal agency.
vacy concerns when deciding to establish or
If an individual wishes to challenge an agency
expand the use of personal record systems.
use of personal information, he or she will not
OTA has identified a range of policy actions have clearly defined or effective recourse be-
for congressional consideration, including cause of the problems with the damage reme-
maintaining the status quo, problem-specific dies of the Privacy Act.
actions, institutional changes, and considera-
Additionally, absent congressional action,
tion of a national information policy. These pol-
there will be a lack of information available to
icy actions are discussed below.
Congress and the American people, as well as
within agencies, concerning the scale and scope
of technological applications applied to records
Action 1: Maintaining the Status Quo and record systems in Federal agencies. This
will make it even more difficult for Congress
Congress could do nothing at this time, to be aware of current or proposed agency prac-
monitor Federal use of information technol- tices in order to exercise effective oversight.
ogy, and leave policymaking to case law and Moreover, the lack of information will aggra-
administrative discretion. vate the existing difficulties in monitoring the
The implication of maintaining the status quality, e.g., accuracy and completeness, of
quo is that the present policy problems and personal information that is used and exchanged
confusion will continue. It is likely that the pol- by Federal agencies.
icy emphasis on management efficiency; on de- If Congress does not address the problems
tection and prevention of fraud, waste, and resulting from Federal agency applications of

new information technology in processing per- A. Establish control over Federal agency
sonal information, then Federal agency staff use of computer matching, front-end
will be left to interpret the meaning of the fair verification, and computer profiling,
information principles in an electronic age. This including agency decisions to use these
would undermine a primary goal of the Privacy applications, the process for use and
Act because it would increase the discretion verification of information, and the
of administrative agencies in handling personal rights of individuals.
information. Additionally, this would not meet
In order to do this Congress could, in effect,
the need expressed by some agency staff for
require congressional approval for every rec-
more specific guidance from either OMB or
ord search involving personal information.
This would entail amending the “routine use”
Most importantly, lack of congressional ac- provision of the Privacy Act to eliminate
tion will, in effect, represent an endorsement matching and other record searches from this
of the creation of a de facto national database exemption. As a result, agencies would need
containing personal information on most to obtain congressional authorization each
Americans, and an endorsement of the use of time they wished to search records containing
the social security number as a de facto na- personal information. Although this approach
tional identifier. Current legislation, such as would enable Congress to monitor record
the Deficit Reduction Act of 1984, has acceler- searches and to limit agency discretion in
ated what had been the gradual development deciding to search records, it may involve a
of a national database because of the increased prohibitive time investment for Congress or
data searches and creation of computerized be a de facto prohibition on such searches. Fed-
databases authorized by this legislation. In- eral agencies likely would be opposed to such
dividual authorizations such as these have an approval process, as they might perceive
been largely unnoticed by the public. However, it as unnecessary interference in internal agen-
without consideration of the overall societal cy affairs.
and political implications, these authorizations Alternatively, Congress could authorize gen-
taken together could lead to personal informa-
eral record searches, but establish explicit
tion practices that most of the American pub-
standards and procedures. This would require
lic would find unacceptable.
amending the Privacy Act in at least three pos-
sible ways:

Action 2: Problem-Specific Actions 1. Amend the “routine use” provision to al-

low record searches under specific circum-
stances and with specific types of records.
Congress could also consider a number of
In this way, Congress would establish the
problem-specific actions, dealing with com-
criteria under which matches and other
puterized record searches, specific catego-
searches could be done, and the types of
ries of information (social security number,
records that could not be used in these
tax information, and medical or other sen-
searches (e.g., medical files or tax and secu-
sitive information), microcomputers, and rec-
rity clearance records).
ord/data quality.
2. Specify the due process protections (e.g.,
There are a number of procedural and sub- notice, right to a hearing, right to confiden-
stantive changes that Congress could legislate. tiality of results, or right to counsel) for
In fashioning such changes, it would be easi- persons whose records are to be searched,
est for Congress to deal with specific problem and the time when due process protections
areas. Each of these will be discussed below. come into effect (e.g., before the match,
These changes are not mutually exclusive. In- after the match but before verification,
deed, to provide the most comprehensive pro- and after verification).
tection for personal information, it maybe nec- 3. Require a cost/benefit analysis before and
essary to legislate in all of these areas. after every match.


Although establishing standards and pro- The Privacy Protection Study Commission
cedures may be more workable and realistic (PPSC) analyzed the privacy implications of
than requiring congressional approval for the recordkeeping practices in a number of
every record search, it does not provide any areas, including insurance, employment, and
mechanism to ensure that agencies have com- medical care, and made recommendations for
plied with the general standards. Based on the policy. Very few of these recommendations re-
experience of agency record searches to date, sulted in legislation, although some were em-
it appears that oversight and enforcement are bodied in voluntary codes by organizations
essential. such as insurance companies and employers.
In addition to any of the above amendments, Medical information is still an area in which
or as an alternative, Congress could require an individual’s interests are not protected by
agencies to adopt a 5-year plan for detecting statute. In 1977, PPSC recommended that
fraud, waste, and abuse. In this way, agency “now is the proper time to establish privacy
proposals to search record systems would be protection safeguards for medical records. ”g
placed within a context. Agencies would then The Commission was led to this conclusion by
need to justify record searches as a technique the changing conceptions of the medical rec-
according to criteria such as purpose, cost, and ord and increased automation. Although many
alternatives considered. Such plans could be bills to protect medical information have been
subject to congressional approval. Again, this introduced, none has yet passed. The Federal
would likely be ineffective without critical re- Government collects, maintains, and discloses
view, oversight, and enforcement. a great deal of sensitive medical information.
Also, in addition to the above, Congress Agencies involved include, for example, the
Department of Health and Human Services
could amend the Privacy Act to require the
(HHS), the Occupational Safety and Health
social security number on all Federal, State,
and local government forms. This might im- Administration, the Environmental Protection
prove the accuracy of information used in Agency, and the Veterans Administration.
matching, and might reduce the costs of verify- Agencies collect medical information for pur-
ing hits. However, it seems unwise to adopt poses such as delivering services, providing
this action without considering the problems cost reimbursements, and conducting research.
with using the social security number as an Legislation could address these and other
authenticator and identifier, and the problem needs.
of endorsing a national identifier. Legislating for a specific type of information
B. Implement more controls and protec- or specific organizational entity on a piecemeal
tions for sensitive categories of per- basis is not without its problems. OTA’S re-
search indicates that it is difficult to isolate
sonal information, such as medical and
collection of personal information in this way.
Instead, the information infrastructure is com-
Statutes provide specific protection in many plex and constantly overlapping. Needs, inter-
areas where personal information is collected ests, and programs converge at many points.
and used—e.g., banks, credit agencies, educa-
C. Establish controls to protect the pri-
tional institutions, and criminal history repos-
vacy, confidentiality, and security of
itories. Based on United States v. Miller, 425
personal information within the micro-
U.S. 435 (1976), if there is no specific statu-
computer environment of the Federal
tory basis for an individual’s right with respect
Government and provide for appropri-
to a particular type of personal information
ate enforcement mechanisms.
held by another party, the individual may not
‘Privacy Protection Study Commission, Personal Privacy in
be able to assert a claim about how that infor- an Information Society (Washington, DC: U.S. Government
mation is used. Printing Office, 1977), p. 290.

Agencies appear to be dealing with micro- zlement, and trespass. This makes computer
computer policy on an ad hoc basis. This ap- crime a different kind of criminal act needing
proach results in variation in the protection special legislative attention. Concern with pro-
afforded personal information by Federal agen- tecting the privacy of personal information is
cies. In establishing policy for the use of mi- related to computer crime in that such crimes
crocomputers withing Federal agencies, it is may involve unauthorized access to personal
necessary to address the management, data information. 11
integrity, security, confidentiality, and privacy However, there are important aspects of pri-
vacy protection that are not addressed by the
OTA’S companion report, Management, Se- security measures discussed above. The Pri-
curity, and Congressional Oversight,10 ana- vacy Act establishes individual rights of
lyzes in detail the management, data integrity, knowledge, access, and correction, and places
and security aspects of information systems requirements on agencies to maintain records
policy, including for microcomputers. Briefly, in a certain fashion, and to use and disclose
there are four general kinds of measures to pro- records for certain purposes. These procedural
tect information systems. First are adminis- and substantive protections are limited to rec-
trative security measures, such as requiring ords containing personal information that are
that employees change passwords every few “contained in a system of records. ” A system
months; removing the passwords of termi- of records is defined as “a group of any records
nated employees quickly; providing security under the control of any agency from which
training programs; storing copies of critical information is retrieved by the name of the in-
data off-site; developing criteria for sensitiv- dividual or by some identifying number, sym-
ity of data; and providing visible upper man- bol, or other identifying particular assigned
agement support for security. Second are phys- to the individual” [See.3(a)(5)]. It is unclear
ical security measures, such as locking up which records maintained on microcomputers
diskettes and/or the room in which microcom- come under this definition. Once this has been
puters are located, and key locks for microcom- determined, it will be necessary to provide a
puters, especially those with hard disk drives. means of monitoring these records to ensure
that the individual rights of knowledge, access,
There are also numerous technical measures
and correction are provided.
to assure security, including audit programs
that log activity on computer systems; secu- D. Review agency compliance with exist-
rity control systems that allow different layers ing policy on the quality of data/rec-
of access for different sensitivities of data; en- ords containing personal information,
crypting data when they are stored or trans- and, if necessary, legislate more spe-
mitted, or using an encryption code to authen- cific guidelines and controls for accu-
ticate electronic transactions; techniques for racy and completeness.
user identification; and shielding that prevents
A central aspect of Federal records policy,
eavesdroppers from picking up and deciphering
as embodied in the Privacy Act and Paperwork
the signals given off by electronic equipment.
Reduction Act, is that records should be com-
Lastly, there are legal remedies to discourage plete and accurate. Through the provisions in
information system abuse, generally known as these acts, Congress has recognized the impor-
computer crime, and to prosecute perpetrators. tance of record quality both to management
Because computerized information is intangi- efficiency and to the protection of individual
ble, its abuses do not fit neatly into existing
legal categories, such as fraud, theft, embez- 1 IFor further discussion of computer crime issues md policy
options, see ibid., especially ch. 5. Also see U.S. Congress, Of-
‘OU.S. Congress, Office of Technology Assessment, Federal fice of Technology Assessment, Federal Government informa-
Government Information Technology: Management, Security, tion Technology: Electroru”c Surveillance and Civil Liberties,
and Congressiomd Oversight, OTA-CIT-297 (Washington, DC: OTA-CIT-293 (Washington, DC: U.S. Government Printing Of-
U.S. Government Printing Office, February 1986). fice, October 1985).

rights. Agency decisions based on inaccurate request, the FBI was asked for and did pro-
or incomplete information can lead to waste- vide the results of partial audits of the National
ful or even harmful results. Many Federal rec- Crime Information Center (see app. A for fur-
ord systems are now computerized. While com- ther discussion).
puterized systems offer the potential to Should Congress wish to address the record
improve record quality, undetected or uncor-
quality problem directly, the appropriate con-
rected errors can be disseminated more quickly
gressional committees could conduct oversight
and widely—with potentially serious conse-
on Federal electronic record quality, and, if
satisfied that a significant problem exists, con-
Based on available evidence, including the sider amendments to the Privacy Act and/or
results of the OTA survey, OTA has concluded Paperwork Reduction Act to provide stronger
that most Federal agencies do not maintain guidance to the executive branch on this topic.
statistics on record quality or conduct audits Congress could also ask for General Account-
of record quality. While many agencies have ing Office and/or Inspector General audits of
policies and procedures intended to ensure rec- record quality of selected Federal agency rec-
ord quality, they do not measure actual qual- ord systems in order to provide additional
ity levels (by comparing record contents with independent confirmation of Federal record
primary information sources), and thus do not quality. Finally, Congress could direct one or
have a complete basis for knowing whether or more of the central agencies responsible for in-
not problems exist. formation technology management (Office of
Information and Regulatory Affairs, OMB;
OTA asked Federal agencies (major compo-
National Bureau of Standards; or Office of In-
nents of all 13 cabinet departments plus 20 in-
formation Resources Management, General
dependent agencies) for the results of any rec-
Services Administration) to develop audit
ord quality audits conducted on Privacy Act
packages and techniques that could be used
record systems and for record quality statis-
by Federal agencies to measure and monitor
tics on all computerized record systems main-
record quality.
tained for law enforcement, investigative, and/
or intelligence purposes. Only one agency pro- E. Review issues concerning use of the
vided any statistics, and very few of the other social security number as a de facto
agencies indicated that such statistics may national identifier and, if necessary,re-
exist. strict its use or legislate a new uni-
versal identification number.
With respect to audits of the quality of Pri-
vacy Act records, only 16 of 127 (or 13 per- The Privacy Act makes it “unlawful for any
cent) agencies responding indicated that they Federal, State, or local government agency to
conduct such audits; none provided the re- deny to any individual any right, benefit, or
sults. ‘2 Only one agency provided record privilege provided by law because of such in-
quality statistics (for three systems under its dividual’s refusal to disclose his social secu-
jurisdiction) for law enforcement, investiga- rity account number’ unless disclosure is re-
tive, and intelligence record systems. No sta- quired by law or unless the system of records
tistics were provided for any of the other 82 was in existence prior to January 1, 1975 (the
systems reported. l:j Subsequent to the data grandfather clause). Although the General
‘2A total of 142 agencies were surveyed; 5 did not respond
Accounting Office, HHS, and numerous task
at all, and 10 others responded that the question was not appli- forces all agree that “the social security num-
cable or that the information was not available, for a net total ber is, at best, an imperfect identifier and
response of 127 agencies. authenticator, 14 its use has expanded since
1 ~Again, 142 agencies were surveyed; a total of 85 computer-
ized law enforcement, investigative, or intelligence record sys- 1974. The social security number is an impor-
tems were identified. Agencies responded as follows: record qual-
ity statistics maintained (3 systems); no record quality statistics
(63 systems); no response (17 systems); not applicable or infor- 14
Privacy Protection Study Commission, Personal Pritmy in
mation not available ( 1 system); and classified ( 1 system). an Information Societ.v, op. cit., p. 609.

tant component in the matching process, and If the social security number is being used
HHS has developed a software program, which as a de facto standard universal identifier in
will detect erroneous social security numbers, the United States, both the benefits and haz-
that is to be used in conjunction with a match. ards of having a national identifier need to be
evaluated. The General Accounting Office,
Contrary to the stated intent of the Privacy
PPSC, congressional committees, and the So-
Act, the trend in the use of the social security
cial Security Administration itself have all dis-
number appears to be towards its adoption as
cussed parts of these issues. Congress could
a de facto national identifier. Federal, State, make a comprehensive review of issues con-
and local agencies, as well as the private sec-
cerning use of the social security number as
tor, have increased their requests, as well as a de facto national identifier and establish a
their requirements, for disclosing one’s social clear policy for the electronic age, with appro-
security number (or Taxpayer Identification priate enforcement mechanisms.
Number). In hearings on the Privacy Act, con-
cern with the possibility of the adoption of a F. Review policy with regard to access to
universal identifier was voiced. Much of the the Internal Revenue Service’s infor-
concern focused on the record searches that mation by Federal and State agencies,
a universal identifier would allow. Congress and policy with regard to the Internal
considered setting severe restrictions on the Revenue Service’s access to databases
use of the social security number, but was dis- maintained by Federal and State agen-
suaded by testimony that the costs and impli- cies, as well as the private sector. If
cations of such restrictions were unknown. necessary, legislate a policy that more
Since enactment of the Privacy Act, Congress clearly delineates the circumstances
has passed numerous laws authorizing Federal under which such access is permitted.
agencies to collect the social security number
IRS files are valuable sources of information
and requiring State agencies to collect it in ad- for many record searches because of the vari-
ministering Federal programs.
ety of information on file (e.g., address, earned
PPSC was asked to study restrictions on the income, unearned income, social security num-
use of the social security number and to make ber, number of dependents) and because the
recommendations. The major finding of PPSC information is relatively up to date. As a gen-
was “that restrictions on the collection and use eral rule, returns and return information are
of the social security number to inhibit ex- to remain confidential, as provided for in Sec-
change beyond those already contained in the tion 6103 of the Tax Reform Act of 1976. Un-
law would be costly and cumbersome in the der this section, information may be disclosed
short run, ineffectual in the long run, and would for tax and audit purposes and proceedings,
also distract public attention from the need to and for use in criminal investigations if cer-
formulate general policies on record ex- tain procedural safeguards are met.
changes. ’15 PPSC went on to recommend
Additionally, Section 6103(1) allows for the
that “the Federal Government not consider
disclosure of tax return information for pur-
taking any action that would foster the devel-
poses other than tax administration. The list
opment of a standard, universal label for indi- has grown considerably since 1976, and in-
viduals, or a central population register, until cludes: the Social Security Administration and
such time as significant steps have been taken Railroad Retirement Board (Public Law 94-
to implement safeguards and policies regard-
455, 1976); Federal loan agencies regarding tax
ing permissible uses and disclosures of records
delinquent accounts (Public Law 97-365, 1982);
about individuals. ” Such a comprehensive
the Department of Treasury for use in person-
study has not yet been conducted. nel or claimant representative matters (Pub-
lic Law 98-369, 1984); Federal, State, and lo-
Ibid., p. 614. cal child support enforcement agencies (Public

Law 94-455, 1976); and Federal, State, and lo- affected individual less important and thus re-
cal agencies administering certain programs duce the IRS’s concern for confidentiality. For
under the Social Security Act or Food Stamp example, the IRS is moving towards a system
Act of 1977 (Public Law 98-369, 1984). Section where information provided by the individual
2651 of the Deficit Reduction Act also amends would be phased out of the tax return process
Section 6103(1) of the Tax Reform Act and al- and replaced with information disclosed di-
lows information from W-2 forms and unearned rectly to the IRS by the sources, e.g., em-
income reported on 1099 forms to be divulged ployers, banks, credit agencies, investment
to any Federal, State, or local agency admin- companies, mortgage companies, etc. If this
istering one of the following programs: Aid to becomes the case, the IRS will not need to be
Families With Dependent Children; medical as- concerned with maintaining a voluntary tax
sistance; supplemental security income; unem- system or with protecting the confidentiality
ployment compensation; food stamps; State- of tax information.
administered supplementary payments; and
Congress may wish to legislate a general, but
any benefit provided under a State plan ap-
enforceable, policy regarding the circumstances
proved under Titles I, X, XIV, or XVI of the
under which tax information may be disclosed
Social Security Act. Section 6103(m) of the Tax
and procedures for such disclosure. The ad hoc
Reform Act also provides for disclosure of tax-
process of amending Sections 6103(1) and (m)
payer identity information to a number of
when the political situation allows, as reflected
agencies, including the National Institute for
in the long list of congressionally authorized
Occupational Safety and Health and the Sec-
disclosures, may not be the most effective ap-
retary of Education.
proach to maintaining the confidentiality of
In all instances, Sections 6103(1) and (m) spe- tax information.
cify procedures that other parties are to fol-
Congress may also wish to examine IRS ac-
low in order to gain access to IRS information.
cess to other agency and private sector data-
Moreover, Federal, State, and local employees
bases, and legislate a more clearly delineated
outside of IRS who handle IRS information
policy for such access. This becomes more im-
are subject to the same criminal liabilities as
portant as the IRS relies increasingly on sources
IRS employees for misuse or disclosure of the
of information other than the taxpayer. Addi-
information. The IRS also puts out a publica-
tionally, IRS access to other databases may
tion, Tax Information Security Guidelines for
result in inaccurate or irrelevant information
Federal, State and Local Agencies (Publication
being included in IRS records.
1075; Rev. 7-83), that describes the procedures
agencies must follow to ensure adequate pro-
tection against unauthorized disclosure. Action 3: Institutional Changes

Pressure to extend the list of agencies that Congress could initiate a number of insti-
can access IRS information has intensified tutional adjustments, e.g., strengthening the
with interest in record searches to detect fraud, oversight role of OMB, increasing the Pri-
waste, and abuse; to register men for the Selec- vacy Act staff in agencies, or improving con-
tive Service; and for any program that requires gressional organization and procedures for
a current address for an individual. The IRS’s consideration of information privacy issues.
position is that its goal is to maintain a vol- These institutional adjustments could be
untary tax system and that the public’s per- made individually or in concert. Addition-
ception that tax information should remain ally or separately, Congress could initiate
confidential is important to maintaining a vol- a major institutional change, such as estab-
untary system. Thus, the IRS is, in principle, lishing a Data Protection or Privacy Board
opposed to disclosing tax information. or Commission.
Technological advances, however, may make Strengthening the institutional framework
voluntary disclosure of tax information by the for information privacy policy could achieve

three purposes, either singly or in combination. stand the potential threats posed by Federal
First, an institution could play the role of an agency collection and use of personal informa-
ombudsman in assisting individuals to resolve tion, and be willing to invest the time and mon-
individual or class grievances with a Federal ey necessary to protect their interests. These
agency about personal information practices. requirements place a burden on the individual.
Second, it could oversee Federal agency com- Every time one comes in contact with an agen-
pliance with the Privacy Act and related OMB cy seeking personal information, he or she
guidelines. Third, an institution could provide would need to question the purposes for which
a forum in which proposals to alter personal information is sought and the necessity of each
information practices and systems (e.g., to con- piece of information.
duct a computer match or to set up a new com-
To ensure that information is not misused,
puterized database) could be discussed in the
the individual would need to follow up to make
context of the implications for personal privacy
and consistency with the principles of the sure that no new information was added to the
Privacy Act. file, and that the uses and disclosures of infor-
mation were in keeping with the agency’s
In the increasingly complex, technological, stated purposes. If individuals find that files
and bureaucratic environment of the late 1980s, contain inaccurate or irrelevant information,
the fair information principles of the Privacy or that information was used for improper pur-
Act are even more important, but the Privacy poses, then they would need to know what le-
Act scheme of enforcement and oversight ap- gal remedies are available and take action
pears to be increasingly anachronistic. For in- against the Federal agency. Such a procedure
stance, it may not be realistic to ask individ- means that individuals would need to be con-
uals to control information about themselves scious of their rights at every stage of the
in view of the cost and time burdens entailed. information-handling process. Most people are
Also, the number of organizations that retain so accustomed to disclosing information that
personal information is large, and the intricacies they rarely think through all of the possible
of their uses and disclosures of information are consequences. As Michael Baker suggests:
such that it appears almost impossible for most
individuals to monitor how information is be- What we can expect in the way of self-pro-
tective action on the part of individual citizens
ing used. is severely limited by the fact that record-
Moreover, the implicit assumption that each keeping practices are of relatively low visibil-
individual has a discrete interest in protect- ity to and salience for the individual. l6
ing his or her privacy, and that there is no larg- The second weakness in the enforcement
er societal interest, can be challenged. Many scheme of the Privacy Act is that it only pro-
researchers and practitioners believe that there vides remedies once misuses have been iden-
is also a social interest in maintaining certain tified. If an individual has the right to correct
boundaries of personal information collection inaccurate information or make a case for delet-
and use. As discussed in chapter 2, the results ing or amending information in his or her rec-
of public opinion polls implicitly support this ord, the right only “rights” a wrong already
view. committed against the individual. It does not
There are three weaknesses in a personal in- protect the record from further errors or mis-
formation policy that provides for enforcement uses, nor does it prevent similar wrongs from
primarily through individual grievances and being committed against other individuals. It
requires little direct oversight of agency provides no preventive protection unless the
practices. granting of new rights to individuals can be

First, the policy relies on individuals to pro-

“Michael A. Baker, “Record Privacy as a Marginal Problem:
tect their interests. The Privacy Act requires The Limits of Consciousness and Concern, Columbia Human
that individuals be aware of their rights, under- Rights Law Review, vol. 4, 1972, p. 89,

viewed as a means of deterring agencies from record systems; and set standards for and over-
engaging in questionable information prac- see data quality in all systems.
tices. But the time and money necessary to
A number of institutional changes available
take action against a Federal agency make it
to Congress are discussed below:
unlikely that many individuals will take advan-
tage of these rights. Thus, the deterrent effect A. Strengthen the role of the Office of
of such rights on agency information practices Management and Budget in the en-
is likely to be minimal. forcement and oversight of the Pri-
vacy Act.
The third weakness is that the personal in-
formation policy is not sensitive to the exist- Under the Privacy Act, OMB is responsible
ing imbalance of power between the individ- for providing guidelines and regulations, pro-
ual and Federal agencies. Under the Privacy viding assistance to the agencies, overseeing
Act, the interests of individuals are placed in the procedural mechanisms, and preparing the
opposition to the needs of the government for President Annual Report on Implementation
information. In most situations, the individ- of the Privacy Act. OMB has issued a number
ual is dependent on the government for em- of guidelines, most significantly with respect
ployment, credit, insurance, or some other ben- to computer matching and the Debt Collection
efit or service. Therefore, the individual is not Act. However, in at least one instance–the
likely to “afford” the risk of questioning an guidelines released under the Debt Collection
agency’s information practices. Some view this Act–OMB issued its guidelines without time
as the most significant policy weakness and for public comment.’T In another instance,
argue that: OMB did not issue guidelines as promised in
a judicial action.l9 In addition, OMB has not
[the] enormous imbalance of power between
the isolated individual and the great data col- yet acted on a requirement in the Paperwork
lection organizations is perfectly obvious: un- Reduction Act to “submit to the President and
der these conditions, it is a pure illusion to the Congress legislative proposals to remove
speak of “control.” Indeed, the fact of insist- inconsistencies in laws and practices involv-
ing exclusively on means of individual control ing privacy, confidentiality, and disclosure of
can in fact be an alibi on the part of a public information. ’20
power wishing to avoid the new problems
brought about by the development of enor- From the enactment of the Privacy Act in
mous personal data files, seeking refuge in an 1974 until 1980, OMB provided assistance
illusory exaltation of the powers of the indi- through a separate office with a few staff mem-
vidual, who will thus find himself alone to run bers within its Information Policy Division.
a game in which he can only be the loser.17 At this time, as the Privacy Protection Study
Commission found, “neither OMB nor any of
Strengthening an existing institution or es-
the other agencies with guidance responsibili-
tablishing a new one would bring more visibil-
ties have subsequently played an aggressive
ity to the issue of personal information col-
role in making sure that the agencies are
lection and use; provide a central place for
equipped to comply with the act and are, in
individuals to bring complaints and for agen-
fact, doing so.’’”
cies to seek advice; and enable Congress, the —---- .- —-
agencies, and the public to get more complete, “See comments of Christopher DeMuth, Administrator, Of-
accurate, and timely information on agencies’ fice of Information and Regulatory Affairs (OIRA), Office of
Management and Budget (OMB), and Robert Bedell, Deputy
practices. The institution could also place limi- Administrator, 01 RA, OMB, in Oversight of the Privacy Act,
tations on the initial collection of information; House Committee on Government Operations, Subcommittee
review, and possibly approve, proposals to link on Government Information, Justice, and Agriculture, 1983,
pp. 123-124.
‘gSee Bruce v. Um”ted States, 621 F.2d 915 (8th Cir. 1980).
‘7S. Rodota, “Privacy and Data Surveillance: Growing Pub- “see House Report No. 98-455.
lic Concern, ” OECD Information Studies #10–Policy Issues Z} Privacy pro~ction Study Commission, Persomd PrivacY in
in Data Protection and Privacy (Paris: OECD, 1976), pp. 139-140. an Information Society, op. cit., p. 21.

The Paperwork Reduction Act created the was designed to coordinate information-related
Office of Information and Regulatory Affairs activities of Federal agencies—specifically,
with desk officers to oversee the implementa- automated data processing, telecommunica-
tion of information-related policies (including tions, office automation, information systems
the Privacy Act) within an agency. Although development, data and records management,
this style of oversight does not necessarily and, possibly, printing and libraries. The act
mean that Privacy Act concerns receive less also acknowledged the importance of informa-
attention, it appears that this has been the tion as a resource and made a commitment to
practice. Testimony from Christopher DeMuth the management concept of information re-
of OMB at the 1983 hearings on oversight of sources management, popularly known as
the Privacy Act22 indicates (and interviews IRM. 24
with OMB confirm) that the desk officers spend
Concern with protecting the confidentiality
little time on Privacy Act matters.
and security of personal information and pro-
OMB has focused its attention on the review viding individuals access to that information
of systems of records, as provided for in the is part of the IRM concept. However, privacy
Privacy Act. The act does not offer OMB any has not been centrally integrated into IRM as
other specific guidance and OMB has not taken presently implemented in Federal agencies. In
the initiative—e.g., by reviewing agencies’ part, this can be attributed to the fact that the
mechanisms for providing individual access Privacy Act and Paperwork Reduction Act are
and correction or for maintaining the accuracy distinct pieces of legislation, with different
of records. public, congressional, and agency constitu-
OMB prepares the President’s Annual Re-
port on Implementation of the Privacy Act. Another reason for the lack of integration
Annual reports for the years 1975 through and coordination is that OMB was somewhat
1978 were well-documented studies of agency slow to take a lead role in formulating IRM
practices under the Privacy Act, and included policy. In December 1985, OMB issued Circu-
descriptions of Federal personal information lar A-130, “Management of Federal Informa-
systems and agency administration, as well as tion Resources, ” which sets basic guidelines
data on use of the access and correction provi- for the collection, processing, and dissemina-
sions of the act. The information contained in tion of information by Federal agencies, and
1980 and 1981 reports was not as complete and for the management of information systems
focused mainly on systems that agencies des- and technology. The circular also revised and
ignated as exempt from the Privacy Act. In coordinated existing directives on privacy and
1982 debates on the Congressional Reports computer security. Although the circular suc-
Elimination Act, OMB recommended that the ceeds in centralizing information policy in one
Privacy Act Annual Report be eliminated. Con- document, it does not contain any significant
gress rejected this suggestion.23 The 1982-83 changes from previous congressional and OMB
Annual Report on Implementation of the Pri- policies, and, in general, does not provide
vacy Act was not delivered to Congress until detailed guidance to agencies.
December 1985. This report synthesized Fed-
In terms of strengthening OMB’S role, Con-
eral agencies’ administration of the act over
gress could to do three things. First, it could
the past 10 years, and suggested areas for con-
amend the Privacy Act, giving OMB the au-
gressional action.
thority to issue regulations-not merely guide
The goal of the Paperwork Reduction Act lines-and the authority to enforce them. Such
of 1980 was to reduce paperwork and improve
information technology management. The act 24
For a more complete discussion of IRM, see U.S. Congress,
Office of Technology Assessment, Federal Government infor-
“Oversight of the Privacy -Act, ibid., pp. 123-124. mation Technology: Management, Security, and Congressional
Zssee Hou9e Report No. 98 455.
Oversight, op. cit.

additional authority would put OMB in the role Under the Privacy Act, each agency has des-
of policing agency personal information prac- ignated an official who is responsible for Pri-
tices. The advantage of strengthening OMB vacy Act matters. In many agencies, this offi-
authority is that it could be achieved with mi- cial is also responsible for the Freedom of
nor institutional change and minimal overhead. Information Act. In most agencies, there is lit-
The major disadvantages are that agencies tle or no staff support for Privacy Act mat-
may resist this expansion in OMB’S author- ters. The OTA survey revealed that 67 percent
ity, and that continued congressional oversight of agency components responding (67 out of
would be required to ensure that OMB was ful- 100) reported one FTE (full-time equivalent)
filling its new responsibilities. Given OMB’S staff person or less assigned to Privacy Act
prior attention to this area and its other respon- matters. Only 7 percent of agency components
sibilities, some of which may conflict with data (7 out of 100) responding reported having 10
protection/privacy, it may be questionable or more FTEs assigned to Privacy Act mat-
whether OMB could improve its oversight role ters. Five of these components were located
even with additional authority. in the Department of Justice and included the
Drug Enforcement Agency, Immigration and
Second, Congress could enhance OMB’S in- Naturalization Service, Federal Bureau of In-
stitutional base for dealing with the Privacy vestigation, and Criminal Division. The other
Act. This could be done by setting up a sepa-
agencies with more than 10 FTEs assigned to
rate office with responsibility for data protec-
the Privacy Act were the Social Security Ad-
tion/privacy. In order for this office to be ef- ministration and the Office of the Secretary
fective, Congress would need to ensure that in the Department of Commerce.
adequate staff and budget are provided. Al-
ternatively, Congress could increase the staff Congress could amend the Privacy Act to
in the Office of Information and Regulatory require agencies to provide a certain level of
Affairs and provide a separate staff person per professional and staff support for Privacy Act
agency who would be responsible for the pri- matters. Such an amendment could provide for
vacy issues of that agency. Although the in- adequate training conducted by both related
stitutional framework is in place to achieve agency staff (e.g., Freedom of Information Act
these changes quickly, the problem of ensur- officers, General Counsel staff, staff in the In-
ing OMB commitment to ensure compliance spector General’s Office, and IRM personnel)
with the Privacy Act remains. and external groups (e.g., OPM’S Government
Executive Institute and the American Soci-
Third, Congress could upgrade the Office of ety of Access Professionals).
Information and Regulatory Affairs, possibly
by taking it out of OMB and establishing it In amending the Privacy Act, Congress
as anew Office of Federal Management, as pro- could also specify the responsibilities and au-
vided for in S. 2230, the “Federal Management thorities of the Privacy Act officers, e.g., to
and Reorganization and Cost Control Act of serve as liaison between individuals and agen-
1986. ” This would have the advantage of re- cies in resolution of problems or grievances;
moving the conflict that exists within OMB to approve, or be consulted about, new record
between budgetary constraints and manage- applications; and to maintain information on
ment interests. However, it would be impor- agency practices. If Privacy Act staff are to
tant to ensure that privacy be accorded equal be effective in protecting privacy interests
importance with other management interests. from within the agency, their authority must
The principal disadvantage of such a change be stated in the legislation; otherwise it is pos-
is that it would be controversial, as it repre- sible that upper management will thwart their
sents a major institutional reorganization. efforts.
B. Increase the size, stature, and author- The primary problem with this action is that
ity of privacy staff in agencies. enforcement and oversight responsibilities are

left within the agencies. Therefore, in addition mittees, or select committees, and all bills
to statutory changes, intensified congressional having privacy implications were referred
oversight of each agency may be required. jointly or sequentially to those committees,
privacy issues could be debated and resolved
C. Improve congressional organization
in a more deliberate and focused manner. It
and procedures for consideration of in-
is theoretically easy for Congress to make a
formation privacy issues.
change of this nature, but politically it is likely
At present, Congress does not have a mech- to be difficult as reform efforts of the past dec-
anism for coordinated oversight of public laws ade indicate.25
and bills having privacy implications. Indeed,
An easier alternative would be for Congress
almost every committee has responsibility for
to retain the existing committee structure, but
some aspect of the personal information prac-
provide for better monitoring of bills having
tices of Federal agencies. For example, issues
related to the Privacy Act and privacy in gen- information privacy implications, and joint
referral of such bills to committees with pri-
eral are of interest to the House Committees
vacy jurisdiction.
on Government Operations and on the Judici-
ary and the Senate Committees on Govern- D. Establish a Privacy or Data Protec-
mental Affairs and on the Judiciary; privacy tion Board.2G
issues involving school records are sent to the
House Commi“ttee on Education and Labor and The proposal to establish an entity to over-
see the personal information practices of Fed-
the Senate Committee on Labor and Human
Resources; issues involving privacy of credit eral agencies is not new. The original Privacy
Act that passed the Senate provided for the
records are sent to the Committees on Bank-
establishment of a Privacy Protection Com-
ing in each House; privacy issues arising under
mission with powers to:
the Freedom of Information Act are consid-
ered by the House Committee on Government ● monitor and inspect Federal systems and
Operations and the Senate Committee on the databanks containing information about
Judiciary; issues involving cable subscriber individuals;
privacy are sent to the House Commi ttee on ● compile and publish an annual U.S. Infor-
Energy and Commerce and the Senate Com- mation Directory so that citizens and
mittee on Commerce, Science, and Transpor- Members of Congress will have an accu-
tation; in the House, medical records confiden- rate source of up-to-date information
tiality has been discussed by the Committees about the personal data-handling prac-
on Government Operations, Energy and Com- tices of Federal agencies and the rights,
merce, and Ways and Means, as well as by the if any, of citizens to challenge the contents
Senate Committee on Energy and Commerce; of Federal databanks;
and tax record confidentiality comes under the ● develop model guidelines for implementa-
purview of the House Committee on Ways and tion of the Privacy Act and assist agen-
Means and the Senate Committee on Finance. cies and industries in the voluntary devel-
Because of the fragmentation of the commit- opment of fair information practices;
tee system and the primacy of substantive con-
● investigate and hold hearings on viola-
cerns in individual committees, privacy inter- tions of the act, and recommend correc-
ests are often not given thorough considera- tive action to the agencies, Congress, the
tion. Moreover, it is difficult for interest groups
who define their roles as protecting privacy to “See, for instance, Steven S. Smith and Christopher J. Deer-
keep track of relevant legislation and to moni- ing, Committees in Congress (Washington, DC: Congressional
tor all pertinent congressional hearings. Quarterly Inc., 1984).
28The term “data protection” is a more precise term for the
If Committees with crosscutting privacy jur- issues that arise from the collection and use of personal infor-
mation. It is the term adopted by many European countries.
isdiction were established in both Houses, ei- However, privacy is the more easily understood term in the
ther as permanent committees, new subcom- United States.

President, the General Accounting Office, Federal agencies, and to make other recommen-
and the Office of Management and Budget; dations as the commission deemed necessary.
● investigate and hold hearings on proposals
The Privacy Protection Study Commission
by Federal agencies to create new personal
released its report in 1977, and also recom-
information systems or modify existing
mended the establishment of a Federal Privacy
systems for the purpose of assisting the
Board or some other independent entity with
agencies, Congress, and the President in
responsibilities similar to those approved by
their effort to assure that the values of
the Senate in 1974. These include the respon-
privacy, confidentiality, and due process
sibility to: monitor and evaluate the implemen-
are adequately safeguarded; and
tation of statutes and regulations; participate
make a study of the state of the law
in agency proceedings; issue interpretative
governing privacy-invading practices in
rules; continue to research, study, and inves-
private databanks and in State, local, and
tigate areas of privacy concern; and advise the
multistate data systems. 27
President, Congress, government agencies,
The Senate’s Privacy Protection Commis- and the States on privacy implications of pro-
sion was to be composed of five persons who posed statutes or regulations.29
were expert in law, social science, computer
Since 1977, there have been a number of bills
technology, civil liberties, business, and State
creating a Privacy Commission or Data Pro-
and local government.
tection Board, including H.R. 1721, the “Data
A professional staff would have been pro- Protection Act of 1985, ” introduced in the 99th
vided for the commission. The Senate Commit- Congress. None has received serious congres-
tee on Government Operations concluded: sional attention.
There is an urgent need for a permanent Many Western European countries and Can-
staff of experts within the Federal Govern- ada have established boards or commissions
ment to inform Congress and the public of the with responsibilities for the protection of per-
data-handling practices of major governmental sonal information. Because these may serve
and private personal information systems. zs as a model for such an agency in the United
The Senate considered three alternative in- States, descriptions of several countries are
stitutional placements for the commission— found in appendix F.
in the U.S. General Accounting Office, in The advantages and disadvantages of a new
OMB, or in an independent commission–and privacy authority in the United States would
concluded that an independent commission be determined by the design of the agency and
was, on balance, the best solution. The House the powers with which it is vested. In this
did not approve the establishment of a Privacy respect, a number of policy choices are im-
Protection Commission as it did not see the portant.
need for outside oversight of agency practices.
As a compromise, both Houses approved the 1. Whether such an agency should have regu-
establishment of a Privacy Protection Study latory authority or advisory authority. The data
Commission to study further the personal in- protection agencies in Sweden and France are
formation systems and practices of govern- regulatory agencies, with power to determine
ment and private organizations, to make rec- the personal information systems that govern-
ommendations as to whether the principles of ment and private sector agencies can create,
the Privacy Act should be extended beyond the information that can be retained, and the
parties that can have access to the informa-
“U.S. Congress, Senate Committee on Government Opera-
tions, “Protecting Individual Privacy in Federal Gathering, Use
and Disclosure of Information, ” Report No. 93-1183, 93d Cong.,
2d sess., 1974, pp. 23-24. *gPrivacy Protection Study Commission, Personal Privac.}’ in
*’Ibid, p. 24. an Information Society, op cit, p. 37.

tion. The data protection agencies in West Ger- would be minimal. But, there are significant
many and Canada have advisory authority and disadvantages. Inevitably, the power of the
act as ombudsmen, serving as intermediaries new authority would be dependent in part on
between individuals and agencies, rendering that of the department, and its character
advisory opinions, and lobbying for protection shaped by the department. Additionally, any
of personal information across a range of pol- staff or line department, e.g., the Office of Per-
icy areas. sonnel Management or the Department of
Health and Human Services, collects and uses
In the United States, it is likely that a regu- personal information, and, therefore, may have
latory agency would be resisted by existing a conflict of interest in the resolution of infor-
Federal agencies because it would be perceived mation collection and disclosure policies.
as having too much control over internal and
day-today agency affairs. A regulatory agency A third possibility would be to have the au-
may also become unwieldy and obstructive. An thority established as an independent agency
advisory/ombudsman authority may be more of the executive branch. While the agency head
compatible with American philosophical and presumably would still report to the President,
institutional traditions. It also has a precedent top officials could be made subject to Senate
at the State level, e.g., New York. Based on confirmation and even given statutory terms
the European and Canadian experience, the of office. These measures would help protect
advisory/ombudsman model appears to have the authority from inappropriate political pres-
provided effective oversight of agency prac- sures and strengthen its institutional indepen-
tices. Another possibility would be to estab- dence, as discussed later.
lish an agency that is primarily advisory, but Alternatively, the new authority could re-
give it some veto power overparticular agency port to Congress, either directly or through a
practices. special joint committee. The advantage of this
2. The institutional placement of such an au- approach is that an independent, nonoperat-
thority. The major choice here is whether to ing authority would have no stake in the ex-
make it independent of the executive branch isting personal information exchanges of ex-
and responsible to the legislature, or to make ecutive agencies and might be more objective
it part of the executive branch. If it were to in resolving future conflicts. Moreover, an
be a new office or domestic council within the authority reporting to the legislature would
Executive Office of the President, it could have increase the means Congress has to directly
a great deal of visibility and stature if the Presi- oversee the activities of executive agencies.
dent decided to make protection of personal Theoretically, a data protection/privacy au-
information a priority. However, the stature thority reporting to the legislature, rather than
of such a new office might well change with to the executive, would have independence
changes in administrations. Also, it could be from the day-to-day operating constraints, as
politicized, especially if budgetary interests well as the political constraints, of executive
were given higher priority or if senior White agencies.
House officials were interested in using per-
The disadvantage of having the new agency
sonal information for political purposes—e.g.,
report to the legislature is that it might be sub-
getting access to IRS information on political
ject to competing political interests, especially
opponents or political activists.
if there were different partisan majorities in
Another possibility would be to have the au- the two Houses or if the executive and legisla-
thority established as a bureau within an ex- ture were controlled by different parties. But,
isting executive department. The advantages even if the authority became politicized, the
of this option would be that it probably would political maneuverings might be more visible
be easier to establish and the overhead costs to Congress and the public if the authority re-

ported to Congress than if it were part of the This process of registration is supposed to en-
executive. This would seem to ensure a certain sure that there are no secret systems of per-
degree of accountability. sonal records. Alternatively, the agency could
be given the authority not only to register the
In determining the placement and powers
systems, but also to approve their existence
of a new agency, it will be important to con-
through a process of licensing. Additional re-
sider the Supreme Court’s recent decision in
sponsibilities that could be considered include:
Immigration and Naturalization Service v.
Chadha, 103 S. Ct. 2764 (1983), as well as its ● some role in settling disputes over issues,
pending decision on the constitutionality of the such as access and accuracy, that develop
Gramm-Rudman deficit reduction proposal. between individuals and agencies;
● some role in formally making recommen-
3. The scope of issues for which the agency dations on proposed systems or new leg-
would be responsible. Some have proposed that
islation that have implications for person-
such an authority should be responsible for all al information;
privacy issues, e.g., information privacy, sur- ● establishing guidelines and standards for
veillance, autonomy/life choices, and “chilling specific personal information issues, e.g.,
effects” on first amendment rights. If this were what is an acceptable “routine use” or
the case, information privacy would receive what is “accurate, timely, and complete’
less sustained attention. Also, the size of the information;
authority would, by necessity, be larger. ● compilation and submission of an annual
Others have proposed that such an authority report on present and anticipated trends
should be responsible for all information tech- in personal information practices; and
nology issues, for example, research and de- ● monitoring technological developments
velopment, security, technology transfer, and and assessing their implications for per-
industrial competitiveness. The same difficul- sonal information practices.
ties of focus and size would also apply to an
authority with these responsibilities. 5. Staffing a new authority. Two models ex-
ist for the organization of government agencies.
The uniqueness and complexity of problems
One is to follow the independent regulatory
presented by personal information collection agency model and have multiple commission-
and use argue that if an authority is estab- ers appointed for staggered terms. Another is
lished, it should be solely responsible for per- to have a single head for a fixed term of office.
sonal information issues—not all privacy is- The advantage of the former is that partisan
sues or all information technology issues. influences are minimized, while the advantage
However, the growing interrelationships be-
of the latter is that responsibility is clear and
tween Federal and State personal information visible.
systems, and between public and private sys-
tems, argue that, to be effective, an authority An additional issue is the size of the staff.
would need the power to address all aspects The maximum number of staff reported for
of personal information exchanges. Limiting Western European and Canadian counterparts
its purview to Federal agencies could narrow of such an authority is 30. Given the greater
its effectiveness. population and complexity of Federal/State re-
lations, a somewhat larger staff may be nec-
4. Outlining the agency’s specific authority essary in the United States; however, there are
and responsibilities. Generally, such an agency advantages to keeping it small and well or-
is given some authority to require other agen- ganized.
cies to register, or list, their personal informa-
tion systems, with details on the information Congress might anticipate two arguments
held, the sources of information, the uses, the against a proposal to establish a new entity.
period for which information is retained, and The first is that it might entail another layer
the exchanges and disclosures of information. of bureaucracy. However, the purpose of a new

entity is to serve as a check on Federal agen- placations of information systems or could cre-
cies, not to become a part of the bureaucratic ate even more intractable policy problems in
establishment. Additionally, the agency could the future. At that time, OTA found that few
be kept small and its style and organization policymakers were interested in a uniform Fed-
nonbureaucratic. The second anticipated argu- eral information policy that would encompass
ment against a new entity would be that the the problems that could arise from the many
costs associated with privacy protection may possible uses of data systems.
increase. This argument may be somewhat spe
OTA identified the need for consideration
cious because, at present, there is no account-
of an “information policy” that would address
ing of the costs associated with privacy pro-
the confusing array of laws and regulations—
tection. In calculating these costs, one would
and their strengths, overlaps, contradictions,
need to include agency administrative costs
and deficiencies—within some overall policy
(e.g., the time of Privacy Act Officers, Gen-
framework. This need has not yet been met.
eral Counsels, Inspectors General, program
managers, and administrative judges); judicial There have been numerous proposals for the
costs (e.g., Department of Justice time and establishment of new organizations to study
court costs); and the time of individuals. information-related policy problems (see table
15 for a summary) .3’ Over the last several
Action 4: Consideration of a years, a growing number of Members of Con-
National Information Policy gress and industry leaders, while not neces-
sarily endorsing specific policies, have ex-
Congress could provide for systematic pressed concern about the lack of coordinated
study of the broader social, economic, and focus on national information policy issues and
political context of information policy, of the absence of adequate institutional mecha-
which privacy is a part. nisms. For example:
OTA’S analysis of Federal agency electronic ● Representative George Brown (with Rep-
record systems and individual privacy has con- resentatives Don Fuqua and Doug Wal-
firmed once again the complexity and inter- gren) has introduced legislation to estab-
relationships of Federal information policy. lish an Institute for Information Policy
The broader social, economic, and political con- and Research and a Special Assistant to
text of information policy is in need of system- the President for Information Technology
atic policy study. This discussion could occur and Science Information;32
in existing executive offices or congressional ● Senator Sam Nunn (with Senator Frank
committees. Alternatively, or in concert, a na- Lautenberg) has introduced legislation to
tional study commission could also provide a establish an Information Age Com-
forum for discussion and examination of a na- mission; 33
tional information policy. ● Representative Cardiss Collins has intro-
duced legislation to establish a new Of-
A 1981 OTA study30 found that there were
fice of Telecommunications Policy in the
numerous laws and regulations, some overlap-
Executive Office of the President;34
ping and some potentially or actually conflict- ✎ —.—
ing, that directly and indirectly affect the oper- ‘] For a more complete discussion of information policy, see
U.S. Congress, Office of Technology Assessment, “ Institution~
ators and users of information systems, the Options For Addressing Information Policy Issues: A Prelimi-
consumers of information services, and the nary Framework for Analyzing the Choices, staff memoran-
subjects of personal information databanks. dum prepared by the Communication and Information Tech-
nologies Program, Nov. 29, 1983.
OTA concluded that continuation of this situ- 32H.R. 744, “Information Science and Technology Act of
ation could inhibit many socially desirable ap- 1985”, 99th Cmg., 1st sess.
99S4 786, “Information Age Commission Act of 1985”, 99th
‘U.S. Congress, Office of Technology Assessment, Cornputer- Cong., 1st sess.
Z3awdNational Information Systems, OTA-CIT-146 (Washing- 34H.R. 642, “Telecommunications Policy Coordination Act of
ton, DC: U.S. Government Printing Office, September 1981) 1985”, 99th Cong., 1st sess.
Table 15.—Selected Institutional Changes for Information Policy Proposed in the 99th Congress
Proposed Problem or issues to Resources and
instiutional change which change directed Organizational form Functions Membership Location authority Duration
.. .—
Information Age Impact of computer Commission Research, policy formula- 23 members–6 from Con- lndependent– Hold hearings, negotiate 2 years
Commission, S 786 and communication tion and information dis- g r e s s 6 f r o m e x e c u t i v e reporting to Presi- and enter into contracts,
(Nunn and Lau- systems on society semination branch and 11 from private dent and Congress and secure cooperation and
ten berg) sector assistance from other ex-
ecutive agencies
Off Ice of Federal Management of the Off Ice Strengthen overall Federal From OMB WiII be trans- Executive Off Ice of Provide central policy Permanent
Management, Federal Government management and, in partic- ferred to the Off Ice of Fed- the President direction and leadership in
S 2230 (Roth) ular financial management eral Procurement Policy, general management
and Information resources Off Ice of information and maintain oversight of
management, and reduce Regulatory Affairs, and managerial systems and
the costs of administration other appropriate functions processes, advise Presi-
of OMB A new Off Ice of dent and Congress
Financial Systems WiII also
be established
Off Ice of Critical Identification and Off Ice Publish reports, advise — Within Executive Legislation requires Presi- On-going–prepare
Trends Analysis, analysis of critical President establish advisory Off Ice of the dent to submit report to report every 4 years
S 1031 (Gore) trends and alterna- commission, and promote President Congress and requires beginning in 1990
H R 2690 (Gmgnch) te futures public discussion Joint Economic Committee
to prepare report on similar
Institute for informa- Broad range of infor- Institute Research policy formula- 15 member board represent- An Independent — 10 years unless ex-
tion Policy and Re- mation policy tion Information dlssemma- ing government industry structure within the tended by Congress
search, H R 744 concerns t!on and promotion of and commerce, and aca- executive branch
(Brown) innovation demic and professional Director to coordi-
organizations nate with other
National Technology High-technology Foundation Analyze and make grants Transfers to the Foundation Independent govern Award grants, loans, and Authorizes appropr]-
Foundation, H R small business. and contracts for develop- the followlng agencies Pat- mental agency other assistance, conduct attons for FY 1986
745 (Brown) technology transfers, ment of high-technology ent and Trademark Off Ice, assessments, promote through FY 1988
and international small businesses, conduct NBS, NTIS, parts of NSF, technology transfers
activties technology assessments, and other speclfled agency
promote technology transfer sections
and international cooperation
Data Protection Personal records Board Develop guidelines, prowde Three members appointed Independent execu- Conduct inspections, hold Permanent
Board, H R 1721 held by Federal assistance, publlsh gutdes by Pres!dent with adwce tive agency hearings Issue subpoenas
(Engllsh) agencies Investigate compliance, Is- and consent of Senate for
sue advisory oplnlons, inter- 7-year terms
vene In agency proceedings
Department of inter- International trade Department Full range Includlng advls- Travel and Tourism Admln- Independent Leglslatlon requires Presi- Permanent
national Trade and and Industry Ing, negotlatlng, and regu - Istratlon Patent and Trade- department dent under cerfaln condi-
Industry, H R 1928 Iattng mark Off Ice, NBS, NTIS, tions to submit statement
(Watkins) Off Ice of Telecommun]ca- on Impact on International
ttons and Information, Off Ice economic competitiveness
of Small Business Trade As of slgnlflcant domestic
ststance, and Off Ice of Com - product and Service
petltlve Analysls Industries
Advanced Technolo- Technology In bush Foundation Promote the commercial ap- Wlth]n executwe Create referral service Authorizes approprl-
gy Foundation ness, commerce, plication and diffusion of branch coordinate programs pro- at]ons through FY
H R 2374 (LaFalce) and Industry advanced technology wlthln vide grants, and develop 1989
Industrial sectors Information management
— — -—
SOURCE Off Ice of Technology Assessment

● Representative Glenn English has intro- integration, such as the National Telecommu-
duced legislation to establish a Data Pro- nications and Information Administration (in
tection Board;35 the Department of Commerce) and the Office
● The American Federation of Information of Science and Technology Policy (in the Ex-
Processing Societies has formed a panel ecutive Office of the President), have not been
of experts on National Information Issues, provided the necessary mandate and resources,
and the Association of Data Processing nor do they appear, at least at present, to have
Service Organizations has proposed a the desire to carry out such activities.
Temporary National Information Com-
Proponents of a national information policy
mittee. 36
argue that it is just as important as national
Most of these proposals view information pol- economic or environmental or defense policy,
icy within the context of an information soci- and deserves a clear focus at the highest levels
ety, i.e., one in which the creation, use, and com- of government. Beyond this, proponents point
munication of information will play a central to the need for a mechanism to encourage high-
role. There are numerous, interconnected is- level identification and understanding of and
sues arising from the following factors: leadership on issues arising from the transi-
tion to an information society-including is-
● the need to have a greater understanding
sues of protecting individual civil liberties and
of the changing role of information and social equity and the development of informa-
its impact on society; tion as a valuable economic as well as public
● the economic and political transition to an good.
information society;
● the effect that the information revolution Opponents in the past have expressed con-
may have on the governmental process; cern about the dangers of centralizing too
● dealing with information as an economic much authority over information policy in one
resource, a commodity, and a property; place, and have favored continuation of a de-
● the importance of managing information centralized policy apparatus with coordination
and in trying to assure its accuracy and provided through interagency and White
high quality, especially insofar as it is gen- House working groups. Some of this concern
erated, used, and disseminated by the Fed- reflects the experience with the old Office of
eral Government; Telecommunications Policy (created in 1970
● the need to protect individual civil liber- in the Executive Office of the President and
ties and rights to privacy; terminated in 1977). OTP was perceived in part
● ensuring access to information and equity as attempting to influence the content of
that may arise when information is treated broadcast news. This raised the specter of a
more and more as a commodity and less high-level government censorship office.
and less as a public good; and
Realistically, it maybe necessary to divide
● the enhanced ability of information to the information problem into more manageable
travel across nation-al boundaries. pieces. Because of the urgency of the emerg-
In most discussions of information policy, ing privacy-related information problems and
the relative importance of these issues has not because there is no inherent group constitu-
been noted. Indeed, numerous Federal agen- ency for privacy rights, it may be timely to
cies have a role in aspects of information pol- establish a study commission with responsi-
icy, but there is no office or agency providing bility for examination of these interrelated
integration across multiple information policy issues.
issue areas. Agencies that might provide such Two recent proposals for new study commis-
—.. -. —-— sions in the information policy area include a
36H.R. 1721, “Data Protection Act of 1985”, 99th Cong., 1st
sess. “National Commission on Communications
“AFIPS, kVash@ton Report, July 1985, p. 5. Security and Privacy” proposed in 1984 by

Representative Dan Glickman, of the House resentatives from industry, labor, academia,
Committee on Science and Technology Sub- State/local government, and Federal Govern-
committee, and the “Information Age Com- ment). Establishing a new commission need
mission” noted earlier. Any national commis- not be a substitute for other congressional pol-
sion on information policy would most likely icy actions. Indeed, a commission could be
be broad in scope and encompass many of the viewed as complementing related activities by
issue areas previously identified. A commis- Federal agencies and could help to improve
sion established along the lines of these pro- public understanding of and focus on current
posals would have a finite lifetime, modest and emerging information policy issues.
budget, and broad composition (e.g., with rep-

Appendix A

Update on Computerized Criminal

History Record Systems*
Introduction operated by the Federal Bureau of Investigation
(FBI). Triple I is essentially a national electronic
OTA has carried out an extensive prior study index to persons with Federal and/or State crimi-
of Federal and State criminal history record sys- nal history records. The records themselves are
tems. The preliminary and final results were pub- maintained in FBI and State record repositories.
lished in, respectively, A Preliminary Assessment Triple I replaced the now defunct Computerized
of the National Crime Information Center and the Criminal History file on NCIC, and is the largest
Computerized Criminal History System’ (1978) and file on NCIC, as shown in table A-1.
Assessment of Alternatives for a National Com- Also since 1982, the extent of computerization
puterized Criminal History System’ (1982). in other criminal history record repositories has
The 1982 study addressed four major areas: continued to increase. The FBI’s Automated Iden-
1. the status of criminal history record systems tification Division System (a CCH record system
in the United States; separate from the NCIC) included 8,740,908 com-
2. the alternatives for a national computerized puterized records as of May 1985, compared to
criminal history (CCH) system; about 5.8 million records in October 1981. 3 At the
3. the possible impacts of such a system on the State level 35 States reported at least a partially
criminal justice process, Federal-State rela- computerized criminal history record file as of late
tions, and civil and constitutional rights; and 1984, compared to 27 States in August 1982. 4 And
4. the relevant policy issues that warranted con- 39 States reported, as of late 1984, at least a par-
gressional attention to ensure that the bene- tially automated name index to persons with crimi-
ficial impacts of a national CCH system are nal history records, as compared with 34 States
maximized and the possible adverse impacts in August 1982.5 The fully or partially computer-
controlled or minimized. ized criminal history files of the States account for
Since 1982, one particular alternative for a na- an estimated 90 percent of all criminal history rec-
tional CCH system, known as the Interstate Iden- ord activity.6
tification Index (or Triple I), has been tested and As discussed in chapter 4 and more extensively
generally accepted by the criminal justice commu- in the 1982 OTA report, the Triple I concept
nity. Triple I is now one of 12 operational files in evolved after a protracted debate, spanning more
the National Crime Information Center (NCIC) than a decade, over the appropriate Federal and
.—— — State roles in a national CCH system.’ While the
*Outside reviewers for this appendix included Robert R. Belair, Kirk-
patrick & Lockhart; Gary R. Cooper, SEARCH Group, Inc.; David F. ‘Based on Federal Bureau of Investigation data.
Nemecek, Federal Bureau of Investigation; and Fred Wynbrandt, Cali- Aug. 6, 1982 data from an OTA survey cited in U.S. Congress, Office
fornia Department of Justice. of Technology Assessment, Computerized Criminal History System, op.
‘U.S. Congress, Office of Technology Assessment, A Preliminary cit., pp. 46-48; late 1984 data from a SEARCH Group, Inc., survey cited
Assessment of the National Crime Information Center and the Com- in U.S. Department of Justice, Bureau of Justice Statistics, “State Crim-
puterized Criminal History System, OTA-1-80 (Washington, DC: U.S. inal~ Records Repositories, ” technical report, October 1985, pp. 2-3, pre-
Government Printing Office, December 1978). Also published as U.S. pared by SEARCH Group, Inc., for a Jan. 9, 1986, conference cospon-
Congress, Senate Committee on the Judiciary, Subcommittee on Admin- sored by SEARCH Group and the Bureau of Justice Statistics.
istrative Practice and Procedure and Subcommittee on the Constitu- ‘Ibid.
tion, Preliminary Report by the Office of Technology Assessment on ‘OTA previously concluded that, for fiscal year 1981, the 27 States
the Federal Bureau of Investigation National Crime Information Cen- with on-line CCH files accounted for about 85 percent of all criminal
ter (NCIC) Accompanied by Letters of Comment on the Draft Report, fingerprint cards submitted to State and Federal criminal record repos-
95th Cong., 2d sess., December 1978. itories—a valid measure of criminal history record activity. See OTA,
‘U.S. Congress, Office of Technology Assessment, An Assessment Computerized Criminal History System, op. cit., pp. 46-48 and table
of Alternatives for a National Computerized Criminal History System, 5. As of late 1984, eight other States (Louisiana, Montana, New Hamp-
OTA-CIT-161 (Washington, DC: U.S. Government Printing Office, Oc- shire, Arizona, Connecticut, Wyoming, Idaho, and Pennsylvania) had
tober 1982. Prepared at the request of the House and Senate Commit- automated at least partially, accounting collectively for an estimated
tees on the Judiciary, this study was one of four components of the OTA additional 5 percent of criminal record activity. Actually, based on 1984
‘(Assessment of Societal Impacts of National Information Systems. ” data, these eight States together held about 6.5 percent of the total num-
The other components included a September 1981 OTA report on Com- ber of State criminal history records. See Bureau of Justice Statistics,
puter-Based National Information Systems: Technology and Public Pol- “Criminal
Records Repositories, ” op. cit., P. 2.
icy Issues; a March 1982 background paper on selected Electronic Funds A1s0 see U.S. Congress, Senate Committee on the Judiciary, Sub-
Transfer Issues: Privacy, Security, and Equity; and an August 1982 committee on Patents, Copyrights, and Trademarks, Computerized
OTA report on Implications of Electronic Mail and Message Systems Criminal History Records, hearing, 98th Cong., 1st sess., May 12, 1983;
for the U.S. PostaJ Service. and U.S. General Accounting Office, Observations on the FBI Znter-


Table A.1 .–Number of Records Included in NCIC, establish procedures to provide for nationwide
by File, 1979, 1981, 1985 criminal history checks for all operators and em-
ployees of child-care facilities.8 There has also been
Number of records as of
growing interest in implementing criminal record
June October May
1981 1981 1985
checks for teachers, youth group leaders, and elder-
care providers. The primary motivation for the in-
Interstate identification
index. . . . . . . . . . . . . — — 9,268,232 creased emphasis on criminal record checks has
Computerized criminal been the intensified attention and concern about
history . . . . . . . . . . . 1,482,017 1,885,457 — child abuse (and, to a lesser extent, abuse of the
Stolen securities . . . . 1,998,778 2,361,971 2,072,785 elderly) and the perceived need to more carefully
Stolen guns. . . . . . . . . 1,337,310 1,674,814 2,052,018
1,163,771 1,170,613
screen applicants for positions entrusted with the
Stolen vehicles . . . . . . 970,714
Stolen articles. . . . . . . 1,091,461 1,427,535 1,053,415 care of persons who are likely to be especially vul-
Stolen license plates . 397,706 543,173 495,225 nerable. g In addition, there has been increased em-
Wanted persons . . . . . 148,644 190,159 219,123 phasis on criminal history record checks for cur-
Missing persons . . . . . 21,535 24,610 38,374 rent or prospective Federal employees, especially
Stolen boats . . . . . . . . 17,615 22,807 24,370
Unidentified persons . — — 1,067
those in sensitive or classified positions.l0
Canadian warrants . . . n.a. 183 249 Absent policy action, this increasing level of rec-
U.S. secret service ord check activity is likely to aggravate access, eq-
protective. . . . . . . . . — — 91 uity, and due process problems resulting from the
Total . ............7,465,780 9,294,327 16,395,662 inconsistent Federal and State laws and regula-
NOTES: — =file did not exist.
n.a. = data not available.
tions on dissemination of criminal history records
SOURCE” Federal Bureau of Investigation.
for noncriminal justice purposes. These problems
were identified in the 1982 OTA report and fur-
ther amplified in two 1984 studies commissioned
Triple I now appears to be generally accepted by by the FBI to study the implications of using Tri-
the criminal justice community, OTA reviewed the ple I for noncriminal justice record checks.
results of the 1982 study and found that at least One study, conducted by former FBI agent Ray-
three of the key policy issues previously identified mond J. Young and reflecting a Federal perspec-
have not yet been resolved: 1) noncriminal justice tive, conclude8 that:ll
use of criminal history records; 2) the quality (com- The most obvious impact (of III) would be the
pleteness and accuracy) of such records; and 3) pol- total lack of availability of criminal history record
icy oversight of the interstate exchange of crimi- information from States for many or all Federal
nal history information. The status of each is non-criminal uses. The inability to acquire crimi-
briefly updated below, along with an overview of nal history data would affect many vital uses, in-
policy implications. cluding matters involving national security. . . . In
——. -.—
Noncriminal Justice Use ‘U.S. Department of Health and Human Servicee, Afodel ChiM Care
Standards Act–Guidance to States To Prevent Child Abuse in Day
Care Facilities, Washington, DC, January 1985, p. 2.
Criminal record checks are increasingly used in ‘!%s, for example, Adrian Higgine, “Day Care Worker Checks Get-
screening applicants for a wide range of jobs and ting Mixed Reviews, ” Arlington Journal, Sept. 6, 1985, p. A7; Linda
licenses. In the 1982 study, OTA found that non- Lantor, “Fairfax Schools To Tighten Employee Screening, ” Arlington
Journal, Sept. 10., 1985, p. A4, and Andee Hochrnan, ‘dYouth Workers
criminal justice use of criminal history records was Face Additional Screening; Change Follows Spate of Sex Abuse Cases,”
already substantial (about one-half of all record re- The Washington Post, Sept. 23, 1985, pp. D1-D2.
quests received by the FBI’s Identification Divi- ‘“see, for example, Mike Caueey, “FBI Checke Background of 41,000
at HHS, ” The Washington Post, June 21, 1985, pp. Al-Al 1; S. 274,
sion and about one-seventh of all record requests the Anti-Nuclear Terroriem Act of 1985, 99th Cong., let sees., that would
received by State repositories). require c riminal record checks for nuclear powerplant pereomek S. 1203,
99th Cong., 1st eess., that would allow railroad police and private univer-
Since 1982, the trend toward criminal record sity or college police accese to FBI criminal history records; and S. 1347,
checks for employment and licensing has further the Security Clearance Information Act of 1985, 99th Cong., 1st sees.,
intensified. For example, Congress included a pro- introduced by Senator Sam Nunn (for himself and Senators William
Roth, Lawton Chiles, Albert Gore, and Ted Stevens) and enacted by
vision in Public Law 98-473 requiring that States Congress as Title VIII of Public Law 99-169, that gives the Depart-
ment of Defensq Office of Personnel Management, and Central Intelli-
gence Agency th statutory authority to access Federal and State crim-
inal history infmmation for national eecurity purposes. -

state Identification Index, Report to the Chairman, Subcommittee on : IRaymond J. Young, F~er~ Non-cri~”n~ Justice Use of the Inter
Civil and Constitutional Rights, House Committee on the Judiciary, state Identification Index, prepared for the Federal Bureau of Investi-
Oct. 16, 1984. gation, Dec. 14, 1984, pp. 5-1, 5-2.

many other instances, Federal agencies would re- rate criminal history information, including report-
ceive only limited amounts of data from States ing of court dispositions. The number of States
which, while providing some criminal history in- with statutes or regulations on record quality in-
formation from some Federal uses, place restric- creased from 14 in 1974 to 45 in 1979, and to 49
tions on the type of criminal history records fur- in 1981.13
nished. In spite of legislative and judicial mandates to
A second study, carried out by SEARCH Group, improve record quality, the 1982 OTA study doc-
Inc.—a consortium representing State perspec- umented significant record quality problems in
tives—found that:12 Federal and State criminal history record systems.
[T]here is great disparity among present State The record quality problem that stands out above
laws and policies regarding noncriminal justice ac-
cess and use. Laws and policies on dissemination all others is the lack of information on dispositions.
range from those in a few States that essentially A long series of record quality audits, including
do not permit access to any criminal history rec- OTA’S, have shown that, on the average, one-third
ords for any noncriminal justice purpose to those to one-half of the dispositions that occurred were
of a few “open record” States that permit access missing from State and Federal criminal history
to all or most of such records for anyone for any records. 14 OTA’S audits also documented that, for
purpose. Between these extremes is an almost be- the Federal and State files sampled, roughly one-
wildering variety of statutory approaches, with ac- fifth of criminal history records contained errone-
cess permitted in particular States to specified ous information.15
records for specified purposes and subject to speci- Since the 1982 OTA report, record quality has
fied conditions, including requirements that access
be authorized by separate legal authority or ap- received heightened attention. For example,
proved by a council, board, or other official. SEARCH Group, Inc. —with Department of Jus-
As a consequence of these and other as yet unre- tice (Bureau of Justice Statistics) funding—has
solved problems, noncriminal justice use of Triple held conferences and prepared reports on under-
I is currently prohibited. standing the problem and on possible solutions,
and has developed procedures for conducting rec-
ord quality audits. 16 The FBI Director has assigned
Record Quality record quality improvement a high priority .17 And
the FBI, with the support of the NCIC Advisory
The importance of accurate records has long been
Policy Board, has established an audit team to
recognized in Federal and State laws and regula-
check State compliance with NCIC procedures, in-
tions. Since 1970, Congress has explicitly ex-
cluding those on record completeness and accura-
pressed its concern about the completeness and ac-
cy. However, as yet, the audit of record quality is
curacy of criminal history records. Section 524(b) limited to the NCIC files on wanted persons and
of the Crime Control Act of 1973 required the Law stolen vehicles, and does not include the criminal
Enforcement Assistance Administration to pro- history records on which the NCIC Triple I is
mulgate regulations that, among other things, based. ”
were to provide safeguards for the completeness
The FBI has solved part of its record quality
and accuracy of criminal history records. Such reg-
problem by terminating the NCIC/CCH file. In ef-
ulations were issued in 1975 (as Title 28, Code of
fect, it was discontinued as part of the decision to
Federal Regulations, part 20) and applied to the
Federal Government and all States whose crimi- “See, U.S. Congress, Office of Technology Assessment, Computerized
nal history record systems were federally funded Criminal History System, op. cit., pp. 71-73 and 94-96.
in whole or in part. 1~Ibid$, pp. 89-96 and 99-102.
“Ibid., pp. 89-96.
Federal courts have also ruled on record quality ‘Y& SEARCH Group, Inc., Audit Manual for Crim”naf History Rec-
issues. For example, in Tarlton v. Saxbe (1974) the ords Systems, Sacramento, CA, December 1982; Audit Documentation
U.S. Court of Appeals for the District of Colum- Guide: A Model Study Approach, Sacramento, CA, January 1984;
“SEARCH Audit Clinics Take New Approach” and “National Work-
bia ruled that the FBI had a duty to prevent dis- shop To Examine Date Quah”ty, “ Interface, summer 1984, pp. 19, 31;
semination of inaccurate arrest and conviction U.S. Department of Justice, Bureau of Justice Statistics, Data QuA”ty
of Criminal History Records, prepared by SEARCH Group, Inc., OCtO-
records, and had to take reasonable precautions ber 1985; and “National Conference on Data Quality and Criminal His-
to prevent inaccuracy and incompleteness. Most tory Records,” Jan. 9-10, 1986, cosponsored by the Bureau of Justice
States now have statutes or regulations requiring Statistics and SEARCH Group, Inc.
17u.s. Depmtment of Justice, Feder~ Bureau of Investigation, Min-
agencies to ensure reasonably complete and accu- utes of National Crime Information Center Advisory Poh”cy Board,
‘2 SEARCH Group, Inc., A Sttidy To Identify Criminal Justice Infor- Washington, DC, Oct. 17-18, 1984, p. 2.
mation Law, Policy and Management Practices Needed To Accommo- InSee U.S. Department of Justice, Federal Bureau of Investigation.
date Access to and Use of III for Noncriminal Justice Purposes, pre- National Crime Information Center Control Terminal Audit Manual,
pared for the Federal Bureau of Investigation. Sept. 18, 1984, P. 4. June 4, 1985.

proceed with the Triple I.19 The FBI has initiated puterized criminal history system. Policy control
several actions to improve disposition reporting over any system for the interstate exchange of
at the Federal level, such as “computer tape ex- criminal history information is complicated by sev-
change with other Federal agencies, automatic gen- eral factors:
eration of disposition follow-up requests, and field ● the involvement of a wide range of criminal

recovery teams to review court and agency rec- justice agencies—from law enforcement and
orals, ” and reports some improvement. prosecutorial to judicial and correctional-as
However, audits and surveys of State criminal providers and users of criminal history infor-
history record files conducted since 1982 have gen- mation,
erally confirmed the results of the 1982 OTA study ● the frequently conflicting Federal and State

and suggest significant, continuing record quality laws on noncriminal justice access and use,
problems. For example, 1984 audit results from one ● the trend towards increasing use of criminal

State–Illinois-indicated that about 20 percent of history record checks for employee screening
arrest events audited had erroneous information and other noncriminal justice purposes,
and about 50 percent of arrest events audited were ● the inevitable tension between Federal and at
missing dispositions, a majority of which were in- least some State governments in a sensitive
cluded in local police records.21 Also, a 1984 na- area of interstate activity, and
tional survey of criminal history record quality ● the implications of record use for privacy and

conducted by SEARCH Group, Inc., found wide constitutional rights.

variability in disposition reporting. Many States Current policy control over the Triple I is vested
were unable to provide estimates of disposition in the Attorney General of the United States who
reporting. For those that did, the average disposi- has delegated authority to the FBI with a strong
tion reporting by law enforcement, prosecution, advisory role assigned to the NCIC Advisory Pol-
and local correctional agencies was estimated to icy Board (APB). APB is comprised of 30 repre-
be about 50 percent–a finding generally consist- sentatives: 24
ent with results of other, prior audits. 22 On the posi- ● 20 law enforcement members elected from the
tive side, disposition reporting by State correction- States and localities;
al agencies was estimated to be about 95 percent. ● 6 members appointed by the FBI Director (2

About two-thirds of the States believed that dis- each from the judiciary, prosecutor agencies,
position reporting and overall record accuracy were and correctional institutions); and
increasing, although most States did not provide ● 4 members appointed by criminal justice asso-

hard numbers or audit results to support this be- ciations (1 each by the International Associa-
lief. States cited increased automation as a major tion of Chiefs of Police, National Sheriff’s
reason for improvement. Other reasons cited in- Association, National District Attorney’s As-
clude, for example, interagency cooperation, peri- sociation, and National Probation and Parole
odic audits, training, reporting laws, and tracking Association).
systems .23 However, now that the NCIC/CCH file has been
terminated, APB has not defined a clear role for
Policy Advisory and Oversight Body itself with respect to criminal history records be-
yond the pilot testing and operation of Triple I.
The 1982 OTA study documented a long history The FBI’s Identification Division still maintains
of debate—at least since 1970—over which orga- a large, increasingly computerized criminal history
nization(s) should have a formal policy advisory record system, but has no advisory board or coun-
and oversight role with regard to a national com- cil similar to APB. Should an advisory or oversight
louts. Dep~trnent of Justice, Federal Bureau of Investigation, ~C~C board be created for criminal history record ex-
2000 Project Statement of Work, Washington, DC, January 1985, p. A-9. change, either a new board or a modification of
ZOLJ. S Deputrnent of Justice, Minutes, OP . cit., P. 226.
‘1 Illinois Criminal Justice Information Authority, “Many ‘Rap Sheets’ APB, membership could encompass groups not
Not Automated, Audit Finds, ” The Compiler, vol. 6, No. 2, summer 1985, currently represented on APB. These could include
pp. 3, 8. Also see Bureau of Justice Statistics, Data Quality, op. cit.
The State of Illinois now has a uniform disposition reporting law and
representatives of, among others, defense attor-
the Criminal Justice Information Authority has prepared an advisory neys, civil liberties groups, research criminologists
for criminal justice agencies.
ZZBWeau of Justice statistics, “state Crimimd Records, ” oP. cit., P. 4.
(from government or academia), and social scien-
~SIbid. Also SW, for ex~ple, improvements in disposition reporting tists concerned with the effects of criminal records
cited in the State of California, per Nov. 18, 1985 memo from Roy T. on rehabilitation.
Iwata, Manager, Disposition Update Section, Record Analysis and Proc-
essing Program, Bureau of Criminal Identification. tiu.s. Dep@ment of Justice, NCIC 2000, op. cit., P. A-10.
SEARCH Group, Inc., has, for example, repeat- Policy Implications
edly taken the position that an advisory body for
interstate criminal history record exchange should The issues discussed above raise the following
be more broadly constituted than the present APB. policy questions:
SEARCH Group has stated that the board “be pre- First, how should differences between and among
dominantly representative of the States” and that State and Federal laws on noncriminal justice crimi-
“its representation should ensure that it is respon- nal history record checks be reconciled? Presumably,
sive to all components of the criminal justice com- this should be done in a way that reasonably en-
munity, not just law enforcement. ” SEARCH sures that, for record checks deemed to be lawful
Group also believes that “public interest positions, and in the public interest, criminal history infor-
representing the public at large as well as compo- mation will be complete, accurate, and timely. Dif-
nents of the criminal justice community, must be ferences could be reconciled by Federal law, inter-
appropriately represented on the board to ensure state compact, or a set of uniform State laws.28
that policy decisions are consistent with broad, na- Failing any of these, an option would be to use a
tional considerations. ”25 national full-record file for noncriminal justice pur-
As long as there is no clear advisory or oversight poses, while retaining the Triple I for criminal jus-
body for criminal history records exchange, wheth- tice purposes only. A national file maintained by
er APB or some other group, the policy control is- a Federal agency, such as the FBI, would be gov-
sue is further complicated by FBI proposals for erned by Federal, not State, laws on record access
new intelligence applications of NCIC, for exam- and dissemination. ’g
ple to include files on white-collar crime and orga- Second, how can record quality be improved? In-
nized crime suspects and associates-as contrasted dependent audits of Federal and State criminal his-
with the existing wanted persons file, which is tory record files could be required. The existing
limited to persons who have been charged with a FBI audit function could be extended to include
crime. These kinds of proposals pose difficult ques- State and local criminal history records that sup-
tions. On the one hand, intelligence applications port Triple I index entries (and related Automated
aggravate already existing concerns about record Identification Division System records). An audit
quality and raise new concerns about possible abuse function could be assigned to APB or some other
or misuse.” On the other hand, the one intelligence advisory body. Congress could enact legislation,
file now on NCIC (the Secret Service file) appar- along the lines previously proposed by Represent-
ently has proved useful, and similar applications ative Charles Schumer, that would establish and
may be helpful in other areas. 27 fund a record quality audit program.’” Whatever
the mechanism, the audits could be conducted so
as to produce quantitative estimates of record com-
pleteness and accuracy to provide a firm basis for
measuring record quality improvement (or lack
Actually, the current FBI audit process provides
a good prototype. As part of the audit function,
the FBI audit team selects a statistically valid
Z6$jEARCH croup, 1nC., policy statement as reprinted in Federal Bu-
reau of Investigation, National Crime Information Center, agenda ma-
sample of NCIC entries from the NCIC wanted per-
terials for NCIC Advisory Policy Board meeting, Oct. 17-18, 1984, p. 63. sons and stolen vehicles files and compares the
2%x, for example, Privacy Journal, November 1984, p. 2, and Aug- record contents with State and local source infor-
ust 1985, pp. 1, 3; Faye A. Silas, “A Bad Rap; Snafus in Computer War-
rants, ” ABA Journal, January 1985, pp. 24-25; “Jailing the Wrong
mation (e.g., from courts and prosecutors) to de-
Man, ” Time, Feb. 25, 1985, p. 25; Donna Raimondi, “False Arrests Re- termine whether the records are accurate and valid.
quire Police To Monitor Systems Closely, ” Computerworki, Feb. 25, This FBI record quality audit procedure is similar
1985, p. 23; Charles Babcock, “On-line Crime Suspect System Impli-
cated in False Arrest, ” Computerworld, Aug. 19, 1985, p. 12; and John to that used by OTA as reported in the 1982 study.
Bennett, “White-Collar Crime File Draws Ire of Left, Right, ” Arling- Indeed, the results of FBI audits of five States in-
ton Journal, Oct. 23, 1985, p. 2. Also see U.S. Congress, House Cornrru‘t-
tee on the Judiciary, Subcommittee on Civil and Constitutional Rights,
Proposed Contract To Study and Redesign the Natiomd Crime infor- ‘aSee Young, Federal Non-criminal Justice Use, op. cit.; and SEARCH
mation Center, Oversight Hearing, 98th Cong., 2d sess., Aug. 1, 1984. Group, Inc., Use of 111 for Noncrinu”nal Justice Purposes, op. cit.
“For further discussion, see U.S. Congress, Office of Technology As- *SSEARCH Group, Inc., Ibid., P, 20.
sessment, Federal Government Information Technology: Electrom”c Sur- $OW H.R. g96, Jm. 31, 1985, H. R. 2129, Apr. 18, 1985. ~d ~ ~end-
veillance and Civil Liberties, OTA-CIT-293 (Washington, DC: U.S. Gov- ment in the nature of a substitute to H.R. 2129 (discussion draft), Nov.
ernment Printing Office, October 1985), esp. ch. 5 section on “Data Base 12, 1985, all entitled the “Criminal Justice Information Improvement
Surveillance. ” Act of 1985, ” 99th Cong., 1st sess.

dicated that an average of 5.5 percent of the NCIC ing the current APB for criminal justice applica-
wanted persons entries were invalid,31 almost iden- tions? 34
tical to the 5.8 percent result obtained by OTA.32 One option is to establish statutory guidelines
The FBI found comparable error rates in the NCIC for the role and composition of an advisory body.”
stolen vehicles files from the same five States.33 Another option, not necessarily mutually exclu-
Overall, the FBI audit process appears to be suc- sive, is to assign some oversight responsibilities
cessfully identifying record problems and possible to any independent Federal data or privacy pro-
solutions with respect to these two files, and could tection board that might be established (as dis-
be extended to include criminal history record files cussed in ch. 6). One reason that law enforcement
that are relevant to Triple I. and criminal justice record systems were exempted
Third, what kind of national policy council or board from key provisions of the Privacy Act of 1974 was
should oversee the interstate exchange of criminal his- the expectation at that time that separate crimi-
tory records? Policy oversight issues include, for nal justice record privacy legislation would be
example: 1) should an advisory policy board have enacted shortly. One of the legislative proposals
more than advisory power? 2) should the board re- at that time, introduced by the late Senator Sam
port to the Attorney General or the FBI Director? Ervin, Jr., would have established a Federal In-
3) should the board have a broader composition formation Systems Board. While congressional
when compared to the present APB to reflect the hearings were held, neither this nor related propos-
growing noncriminal justice use of criminal history als ever were reported out of committee or voted
records? 4) should the board include State repre- on by the House or Senate.36
sentatives appointed by the respective Governors
rather than, or as a complement to, those elected
“see OTA, Computerized Crim”nal History System, op. cit., pp.
by law enforcement practitioners? and 5) should 169-172.
a separate board be established with respect to $6This approach was t~en in the original version of H.R. 2129, the
noncriminal justice uses and concerns, while retain- Criminal Justice Information Improvement Act of 1985, 99th Cong.,
1st sess. A later draft version, dated Nov. 12, 1985, in the nature of
——— a substitute, was limited to record quality matters.
“see Federal Bureau of Investigation, National Crime Information $6% OTA, Computerized Crim”nid History System, op. cit., PP. 73-
Center Audit Reports for Wisconsin (September 1984), Oregon (October 74, and S. 2963, the Criminal Justice Information Control and Protec-
1984), Arizona (Decemtwr 1984), Alabama (March 1985), and South CarO tion of Privacy Act of 1974, 93d Cong., 2d sess. Also see U.S. Congress,
lina (April 1985). Senate Cornmittee on the Judiciary, Subcommittee on Constitutional
“see U.S. Congress, Office of Technology Assessment, Computerized Rights, Criminal Justice Data Banks, Hearings, 93d Cong., 2d sess.,
Crim”nal History System, op. cit., pp. 191-192; also see Kenneth C. Lau- March 1974; Crinu”md Justice Information and Protection Privacy Act
don, “Data Quality and Due Process in Large lnterorganizational Rec- of 1975, Hearings, 94th Cong., 1st sess., July 15 and 16, 1975; U.S. Con-
ord Systems, ” Commum”cations of the ACM, vol. 29, No. 1, January gress, House Coremittee on the Judiciary, Subcommittee on Civil and
1986, pp. 4-11; David Burnham, “FBI Says 12,000 Faulty Reports On Constitutional Rights, Crinu”nal Justice Information Control and Pro-
Suspects Are Issued Each Day, ” The New York Times, Aug. 25, 1985; tection of Privacy Act of 1975; Hearings, 94th Cong., 1st sess., July
and David Burnham, “Computer Data Faulted in Suit Over Wrongful 14, 17, and Sept. 5, 1975; and Donald A. Marchand, The Politics of Pri-
Arrest, ” New York Times, Jan. 19, 1986. vacy, Computers, and Crimimd Justice Records (Arlington, VA: Infor-
“see FBI NCIC Audit Reports, op. cit. mation Resources Press, 1980).
Appendix B

OTA Federal Agency Data Request

After reviewing all available sources of informa- net agencies (see attachment 2) with a turnaround
tion on Federal use of information technology, time of 5 weeks. Sufficient copies were provided
OTA determined that important information was for each of the subcomponents of the cabinet agen-
not available in certain areas critical to the OTA cies. Agencies were informed that no new data col-
assessment. To meet the need for additional infor- lection was to be conducted. An OTA staff mem-
mation, OTA drafted a request for current agency ber was identified who could be contacted to
data covering the areas in which information was provide clarification where necessary.
lacking or incomplete. The draft request was re- All agencies that were sent the request provided
viewed by congressional staff of interested com- a response, although the responses varied in com-
mittees, and then pretested in four agencies—the pleteness and quality. A total of 142 agency com-
Energy Information Administration (Department ponents provided information. While many of the
of Energy), the Food and Nutrition Service (Depart- agencies provided responses well within the time
ment of Agriculture), the Office of the Assistant allotted, the completion time for the entire request
Secretary for Postsecondary Education (Depart- (142 agency components) was approximately 2
ment of Education), and the Veterans Adminis- months. The data provided were compiled by OTA
tration. Based on the results of the pretest, the staff and appear as appropriate throughout the
data request was revised. (See attachment 1 for report.
portions of the final, revised data request relevant A draft copy of the OTA report was provided
to this report.) to each of the participating agencies for review and
In April 1985, the data request was sent to the comment.
13 cabinet-level agencies and 20 selected subcabi-



III. Privacy Act (General)

A. Please provide the following data on Privacy Act Implementation in your

1. Position and GS level of the Privacy Act Officer or agency official
with day-to-day operating authority
2. Position and level of agency official. with policy authority
3. Total number of agency staff (In full-time equivalents) assigned
to Privacy Act matters
4. Role and responsibility of your agency’s Office of Inspector General
(e.g., in developing internal agency procedures, responding to
Privacy Act requests, preparing Privacy Act materials for OMB).

B. Please specify the procedures your agency follows to ensure Privacy Act
record quality, e.g., complete and accurate records. Attach a copy of agency
regulations or procedures.

c. Does your agency conduct record quality audits? Yes No . If yes,

please provide the results of such audits, including copies of any written
audit reports.

D. Has your agency developed agency-specific guidelines or procedures for

determining what is “relevant” and “timely” information within your agency?
Yes No . If yes, please provide a copy of such guidelines.

E. Has your agency been a defendant in Privacy Act suits at any time since
1980? Yes No . If yes, please list or describe the legal action(s)
and basic issue(s) and provide citations

F. Has your agency revised or updated Privacy Act guidelines with respect to
microcomputers? Yes No . If yes, please provide a copy of such
revised or updated guidelines.

Name Agency/Unit

Title Telephone No.


Iv. Privacy Act/Computer Matching and Front-End Verification

A. Has your agency Participated in computer matching activities* as a

matching agency (the agency performing the match) or as a source agency (the
agency disclosing records to the matching Echlng agency for use in the match) at any
time since 1980? Yes No Please provide a copy of any reports on
your matching activities including the information listed below, to the
extent available- Please give priority to information on matches conducted in
1984, with complete quantitative data provided where possible.

1. Date of match
2 . Participating parties (indicate source and matching agencies):
Federal agencies
State agencies
Private sector organizations
3. Location of match
4. Frequency of match: one time or ongoing
5. Files matched
6. Method(s) used to exchange records (e.g., direct electronic~
computer tape, computer disk)
7. Purpose of match
8. Number of records involved
90 Number of hits
100 Percentage of hits verified

B. Are cost-benefit analyses done prior to- computer matching? Yes

No ● If yes, what are the quantitative and qualitative categories used for
assessing costs and benefits? How are the cost-benefit analyses used within
the agency? Please provide a copy of your agency’s three most recent cost-
benefit analyses.

c. Do the indivldual subjects of the match provide written consent prior to a

match? Yes No . If yes, please attach a copy of the consent form.

D. Are your matches explicitly required or authorized by legislation?

Yes No If yes, please list matches required or authorized and cite
public law section for each type of match.

E. Are procedures used to ensure that the subject record files contain
accurate information? Yes No . If yes, please specify the procedures

*Defined as the computerized comparison of two or more automated systems of

records to identify individuals common to two or more of the record systems or
unique to one of the record systems.

F. What is the process once a hit has occurred? What are the standards ,
procedures, and costs (estimate if necessary) for verification?
What is the appeal process, within the agency and outside, for an individual
to respond to a “hit”? Have there been any court challenges to the matches?
Yes No ● If yes, what were the results? Please attach case numbers.

G. Are cost-benefit analyses done after matches? Yes No If yes,

please provide a copy of your agency’s three most recent post-match cost-
benefit analyses.

H. Has your agency used computerized front-end verification (i.e.,

certification of the accuracy and authenticity of information supplied by an
applicant by checking against similar information from another agency or
source) at any time since 1980 as part of the application process for
participation in Federal programs or benefits? Yes No If yes,
please provide a copy of any agency reports on your use of front-end
verification and describe the process, including use of computers, notice to
applicants, and costs. If no, please describe any agency plans for use of
front-end verification.

1. What have been the average results of front-end verification as measured

by hits (i.e., applicant’s eligibility for Federal program or benefit not
verified) overall and by Federal program or benefit category. If available,
please break down by computerized and manual verifications.

J. Has your agency conducted any cost-benefit studies of front-end

verification? Yes No . If yes, please provide copies of the three
most recent studies.

Name Agency/Unit

Title Telephone No.


v. Privacy Act/Third Party Information and Profiling

A. Does your agency collect any personally-identifiable information in

electronic form from third party sources (i.e., from sources other than the
subject individual)? Yes No . If yes, please provide information on
third party collection, including nature of information sources, authority for
collection, agency use, procedures to assure accuracy, subject individual’s
rights to access, review, and challenge the information, and secondary
dissemination of third party information outside the agency (specify to whom
and for what purpose). If no, please describe any agency plans for collecting
third party information.

B. Does your agency use computer-assisted statistical programs and/or related

software co develop generic profiles of types or categories of individuals
and/or probabilities of such categories of lndividuals engaging in activities
or behavior of interest to the agency (e.g., with respect to misrepresentation
of eligibility to receive Federal aid or benefits, non-compliance with or
violation of agency regulations, violation of civil or criminal statutes)?
Yes No If yes, please provide further details below. I f n o , p l e a s e
describe any agency plans for the use of such profiling.

c* For each specific use of profiling, please provide the following

information, to the extent available:

1. Description of profiling (categories and numbers of individuals,

types of behavior)
2 . Types of programs and/or software used
3 . Development and testing of programs and/or software (please be
specific; provide a copy of any written research reports)
4* Source(s) of input data
5. Authority for the profiling (cite specific statute or regulation
where applicable)
6 . Agency use of the profiling
7 . Results of agency use of the profiling (e.g., percentage of hits
on targeted individuals, civil and/or criminal penalties
imposed). Please provide a copy of any profiling evaluation

Name Agency/Unit

Title Telephone No.


VI* Privacy Act/Debt Collection Act

A. Does your agency report or refer delinquent and/or nondelinquent

commercial and/or consumer (individual) debts to private sector credit
bureaus? Yes No If yes, please provide further details below. If

no, please describe any agency plans for the use of private sector credit
agencies o

B. For each specific type of debt referred to private sector credit bureaus,
please provide the following Information, to the extent available:

1. Description of type of debt referred

2. Format of referral (e.g., paper, microfiche, computer tape,
direct electronic)
3. Procedures/agreements between the agency and credit bureau with
regard to: o security
o record quality (completeness and accuracy)
o secondary dissemination
o subject individual’s or organization’s
access, review, and challenge rights
4. Number and type of complaints received from debtors referred to
private sector credit bureaus, and resolution of those complaints
5. Results of debt referrals by type of debt (e.g., dollars recovered
and as percentage of debt referred)

c. Does your agency use private sector credit reports in making agency
about eligibility for Federal programs and benefits? Yes
No . If yes, please provide details on the specific purposes of such use
(e.g.,when awarding loans, contracts, grants).

Name Agency/Unit


VII. privacy Act/Electronic Records Management and Electronic Mail

A. Please estimate, to the extent possible, the number and percentage of

manual versus computerized records maintained by your agency in the following
categories for fiscal years 1975 and 1984:

Manual Computerized Total

No. % No. z No. %

Records subject to Privacy

Act 1975 — — —
1 9 —8 4 — —— — —
Other records maintained
subject to public law
or agency regulation 1975 — .

-1- 9
- - 8—
4 ‘
— — —

B. If your agency maintains one or more record systems subject to the privacy
Act, please list the 10 largest Privacy Act record systems, the total number
of persona and records in each system and the percentage of manual versus
computerized records for each system.

Record System No. Persons No. Records %Manual %Computerized

1. %z %

c* For your agency’s computerized records (e.g., records stored in electronic

form on computer tape or disk), please provide the following information, to
the extent available:

1. Procedures for backup copies (please estimate percentage of records

backed up by each of the following: paper copy, microfiche or
microform, duplicate computer tape or disk, no backup, more than
one backup)

2 . Procedures for storage and maintenance of electronic records (please

specify how long such records are stored) what protections are
used to protect against alteration, and when and how electronic
records are archived, i.e. , moved off premises to a remote
storage location)

3. Procedures for purging of electronic records (under what conditions

and when are records purged, i.e., eliminated or destroyed)

4. Procedures for verification of signatures on or authenticity of

electronic records

5. Procedures for duplication or copying of electronic records (e.g.,

what is the agency definition of “record copy” of an electronic

D. Does your agency use electronic mail? Yes No If yes, please

provide further details below. If no, please decribe any agency plans for
use of electronic mail not otherwise described in response to Section I.

E. Please provide the following Information, to the extent available, on your

agency’s use of electronic mail.

1. Total volume in number of messages sent (I.e., pieces of electronic

mail) per year for fiscal year 1984
2. Type of electronic mail system used (e.g., in-house, outside
contractor, commercial)
3. Total volume in number of messages received per year for 1984
4. Content of messages sent (in percentage of 1984 total):

Purpose Percentage

Intra-agency correspondence/memos %z
Intra-agency records/reports
Interagency correspondence/memos
Interagency records/reports
External correspondence/memos
External records/reports

5. How long are backup message copies retained in electronic

and/or paper form?

6. Who participates in electronic mall? (Specify type of agency

staff, e.g., administrative, secretarial, technical, research)

F. Does your agency have a set of privacy/confidentiality/security practices

or policies developed specifically for electronic mail? Yes No . If
yes, please provide a copy or describe in detail.

Name Agency/Unit

Title Telephone No.


VIII. Investigative, Law Enforcement, and Intelligence Applications

A. Does your agency maintain computerized record systems for investigative,

law enforcement, and/or intelligence purposes? Yes . No . If yes,
please provide the detailed information below. — —

B. For each such computerized record system, please provide the following
information, to the extent available:

1. Name of record system

2 .
Purpose of record system
3 .
Number of records
4 Number of persons
5 Types of record information (e-g-, individual names,
social security number, address)
6 . Sources of record information
7 * Users of record systems and rules on access
8 . Statistics on quality of records and procedures for
maintaining record completeness and accuracy

c . Does your agency use computer-assisted statistical programs and software

to develop profiles of types or categories of individuals engaging or likely
co engage in activities of investigative, law enforcement, and/or intelligence
interest to your agency? Yes ● N O If yes, please provide further
details below. If no, please describe any agency plans for the use of such

D. For each specific use of computer-based profiling, please provide the

following information, to the extent available (and not otherwise provided in
Section V):

1. Description of profiling (categories and number

of individuals, types of behavior)
2 . Types of programs and/or software used
3 . Development and testing of programs and/or software (Please be
specific; provide a copy of any written research reports)
4 . Sources(s) of input data
5 . Authority for the profiling (cite specific statute or
regulation where applicable)
60 Agency use of the profiling
7 . Results of agency use of the profiling (e.g., percentage of hits
on targeted individuals, civil and/or criminal penalties
imposed). Please provide a copy of any profiling evaluation

Attachment 2.—Federal Departments and Agencies Responding to OTA Data Request

Number of agency
Cabjnet department components responding
Agriculture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Commerce . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Education (agencywide) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Energy (EIA, FERC, and rest of agency).. . . . . . . . . . . . . . . . . . . . . . . 3
Health and Human Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Housing and Urban Development (agencywide) . . . . . . . . . . . . . . . . . 1
Interior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Justice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Labor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
State (agencyWide) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Transportation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Treasury . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Subtotal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Independent agencies
Commission on Civil Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Consumer Product Safety Commission . . . . . . . . . . . . . . . . . . . . . . . . 1
Environmental Protection Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Equal Employment Opportunity commission . . . . . . . . . . . . . . . . . . . 1
Federal Communications Commission . . . . . . . . . . . . . . . . . . . . . . . . 1
Federal Elections Commission.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Federal Emergency Management Agency . . . . . . . . . . . . . . . . . . . . . . 1
Federal Reserve System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Federal Trade Commission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
General Services Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
National Aeronautics and Space Adminis ration. . . . . . . . . . . . . . . . . 1
National Archives and Records Administration . . . . . . . . . . . . . . . . . . 1
Nuclear Regulatory Commission . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Securities and Exchange Commission . . . . . . . . . . . . . . . . . . . . . . . . . 1
Selective Service System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Small Business Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Arms Control and Disarmament Agency. . . . . . . . . . . . . . . . . . . . . . . . 1
U.S. Information Agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Agency for international Development . . . . . . . . . . . . . . . . . . . . . . . . . 1
Veterans Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Subtotal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Total . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Appendix C

List of Contractor Reports

Copies of the following contractor reports completed in support of this assessment will
be available in late 1986 from the National Technical Information Service, 5285 Port Royal
Road, Springfield, VA 22161, (703) 487-4650.
1. William H. Dutton and Robert G. Meadow, Public Perspectives on Government Infor-
mation Technology: A Review of Survey Research on Privacy, Civil Liberties, and the
Democratic Process, Annenberg School of Communications, University of Southern
California, prepared for OTA, January 1985.
2. David Flaherty, Data Protection and Privacy: Comparative Policies, prepared for OTA
by The Privacy Project, University of Western Ontario, Jan. 8, 1985.
3. Karen B. Levitan, Patricia D. Barth, and Diane Griffin Shook, Agency Profiles of Civil
Liberties Practices, prepared for OTA by The KBL Group, Inc., Dec. 28, 1984.
4. Robert Ellis Smith, Report on Data Protection and Privacy in Seven Selected States,
prepared for OTA, Feb. 15, 1985.

Appendix D

Other Reviewers and Contributors

Ralph W. Adams David Mullins
National Security Agency U.S. General Services Administration
Patricia Aronsson Dale Nesbary
National Archives and Records Administration National Conference of State Legislatures
William L. Ball Hugh O’Neill
U.S. Department of State Formerly U.S. Department of Health and
Human Services
Robert P. Bedell
Office of Management and Budget Ronald S. Plesser
Blum, Nash & Railsback
Jane Bortnick
Congressional Research Service Edward J. Regan
Manufacturers Hanover Trust Co.
Frank G. Burke
Acting Archivist of the United States Nancy Reichman
University of Denver
Richard Ehlke
Congressional Research Service Harold Relyea
Congressional Research Service
Kenneth R. Erney
U.S. Department of State David N. Richardson
Yankelovich, Skelly & White, Inc.
Liz Handley
U.S. Department of Health and Human Alice Robbin
Services University of Wisconsin, Madison
Mary C. Lawton Roger K. Salaman
U.S. Department of Justice National Telecommunications and Information
Fred Lothrop U.S. Department of Commerce
PSC, Inc.
Gail Shelton
Gary Marx U.S. Department of Health and Human
Massachusetts Institute of Technology Services
Francis A. McDonough Ollie R. Smoot
U.S. General Services Administration Computer & Business Equipment
Sandra Milevski Manufacturers Association
Congressional Research Service
Oscar W. Mueller, Jr.
U.S. Department of the Interior

Appendix E

Summary of Final Rules for Income and

Eligibility Verification Required Under
the Deficit Reduction Act of 1984*
The Departments of Agriculture, Labor, and mechanisms; not feasible, within established time-
Health and Human Services issued final rules in frames, to establish uniform guidelines and pro-
the Federal Register on February 28, 1986, to im- gr amming specifications for the required matches.
plement Section 2651 of the Deficit Reduction Act Access and Use of Information.–Data must be
of 1984 (DEFRA). Section 2651 amended the So- requested from all of the required sources on ap-
cial Security Act, the Food Stamp Act, and the plicants for Medicaid, AFDC, adult assistance, and
Internal Revenue Code to require federally funded food stamp programs at the first available oppor-
public assistance and unemployment agencies to tunity, which would be the next scheduled match
improve the accuracy of eligibility determinations for each source. The State Wage Information Col-
and benefit programs by exchanging information lection Agency (SWICA) and the State Unemploy-
with each other and by obtaining unearned income ment Compensation Agency must accept and proc-
data from the Internal Revenue Service (IRS) and ess requests for wage information at least twice a
other income and wage data from the Social Secu- month. Requests for IRS data for applicants must
rity Administration (SSA) and from State wage be made at the first available monthly IRS match
and Unemployment Insurance Benefit (UIB) data date. With regard to requesting data from SSA,
files. The rules require State agencies to develop at the first available opportunity, the applicant
an Income and Eligibility Verification System should be processed in the next cycle of the Bene-
(IEVS) for administering the following programs: ficiary and Earnings Data Exchange (BENDEX)
1. The Food Stamp Program under the Food System or queried through the Third Party Query
Stamp Act of 1977, as amended. (TPQY) System.
2. The Aid to Families With Dependent Children Timeframes. –Proposed rules required that
(AFDC) Program under Title IV-A of the So- IEVS information be used to determine eligibility
cial Security Act; the Adult Assistance Pro- within 20 calendar days of receipt. Final rules ex-
grams under Titles I, X, XIV, and XVI of the tended this to 30 days because of the need to ver-
Social Security Act. ify IEVS information.
3. The Medicaid Program under Title XIX of the Cost Effectiveness.–”. . . all of the required in-
Social Security Act. formation sources have been demonstrated to be
4. The Unemployment Compensation Program useful in preventing incorrect eligibility y and bene-
under Title III of the Social Security Act. fit amounts, either by directly offsetting costs or
Use of IEVS Data.– IEVS data can be used to by helping deter nonreporting by applicants and
obtain information for prosecutions, i.e., as the ba- recipients” (p. 7183).
sis for investigations in the same way as it is used Automation.— “We encourage States to develop
as a basis of inquiry about household circum- on-line systems and other methods for rapid turn-
stances. around of State agency requests so that wage and
Oversight and Coordination of IEVS.–No speci- UIB data can be used to determine eligibility and
fied type of oversight requirement on States; no benefits of applicants” (p. 7180). “We encourage
statutory requirement on States to organize im- the use of on-line systems for front-end verifica-
plementation of IEVS in any special or uniform tion, but our rules do not require States to have
way; no plan to add to existing Federal oversight this capability” (p. 7181). “SSA and IRS have not
found it cost effective to make the wage and self-
*The final rules appeared in the Federtd Re@”ster on Feb. 28, 1986 employment (SSA) and unearned income (IRS) in-
(vol. 51, No. 40, pp. 7178-721 7). The proposed rules were published in formation accessible on-line for their own agency
the Federal Re@”ster on Mar. 14, 1985 (50 FR 10450). Comments on the
proposed rules were received from 53 parties: 38 States, 6 client advo-
purposes. Therefore, it would not be feasible to al-
cate groups, 4 local or county welfare agencies, 4 Federal agencies, and low States on-line access to these files. SSA has
1 private citizen. the capability of providing on-line access to bene-


fit data. A pilot project is being conducted with “if a State receives what they believe [sic] is incor-
Tennessee to provide wire-to-wire exchange of ben- rect information, no adverse action should be ini-
efit data” (p. 7184). tiated until the discrepancy is resolved” (p. 7186).
In the proposed rules, it was stated that “the Interprogram and Interstate Exchange. -All
statutory requirements for IEVS mandated a log- programs in IEVS are required to exchange income
ical process and not necessarily a physical or auto- and eligibility information with each other in
mated system to assure the timely and efficient accordance with interstate and intrastate agree-
exchange of information among the various pro- ments in effect and as appropriate to the request-
grams. ” It was recognized that “an increasing ing program’s verification and eligibility determi-
number of States are operating automated on-line nation needs. State agencies are encouraged to
systems to exchange, maintain and make data request data from adjacent jurisdictions and other
available to workers, but this level of automation States where experience indicates the data would
was not required. Many commenters suggested be useful. States may also access the State Em-
that automation would be required to meet IEVS ployment Security Internet System for IEVS
requirements fully. The Federal agencies agreed matches, although this is not a requirement. The
that “automating the required IEVS functions Internet System is still under development and its
would enhance a State agency ability to respond potential uses are still being evaluated by the De-
in a timely fashion to the substantial amount of partment of Labor.
information made available to the State agencies Alternate Sources. —A State agency may obtain
as a consequence of the data exchange require- data from sources other than those specified in the
merits, ” but did not believe that such automation regulations (from banks, for example) if it can dem-
should be required in the rules (p. 7194). onstrate to the respective Secretaries that the
State Wage Information Collection Agencies. – alternate source furnishes data as timely, complete,
Final rules retain requirement for quarterly wage and useful as data from the source specified in the
matching. Employers in each State are required regulations.
to report wages quarterly. Independent Verification. -Independent verifi-
Unemployment Insurance Benefits. –Agencies cation is an inquiry about a possible discrepancy
are required to do data matches for UIB informa- in the information reported by the individual and
tion at application and for 3 months following information reported from other sources. Informa-
application or loss of employment. For the Food tion can be independently verified by contacting
Stamp Program, in addition to wage and UIB in- the applicant or a third-party source (for example,
formation, State agencies are required to request the employer or bank that reported the informa-
and utilize any information available from Unem- tion). “The option of contacting a third party is
ployment Compensation (UC) agencies to the ex- necessary in cases where the recipient fails or re-
tent permitted. fuses to cooperate, the State agency believes it to
Internal Revenue Service. –An annual match of be in the interest of the investigation of potential
recipients against IRS data on unearned income fraud or when other factors indicate that a third
is required. IRS has scheduled 11 monthly runs party contact is preferable” (p. 7188).
of State tapes against its national file of unearned DEFRA requires independent verification of
income information. IRS will only process one tape IRS unearned income. With respect to other infor-
per month per State. mation obtained through IEVS, the food stamp
Social Security Administration. –State agencies program set explicit guidelines for verification,
are required to access all available SSA data on while the AFDC, adult assistance, and Medicaid
applicants by using the TPQY system (for SSA programs require independent verification of IEVS
benefit data) or the BENDEX System (for pension, information if determined appropriate based on
earnings, and self-employment information). If agency experience. “The State agencies remain re-
TPQY is used, when the applicant becomes a re- sponsible for ensuring that any information they
cipient the State agency must add the name to use in determining eligibility and payment
BE NDEX. Regarding data quality, the final rules amounts is correct” (p. 7196).
emphasize two factors: 1) except for UC and SSA Social Security Numbers: Furnishing, Using, and
benefit data, the information obtained through Verifying.–DEFRA requires each applicant for,
IEVS will be generally treated as a lead for fur- and each recipient of, AFDC, adult assistance in
ther verification activity, for example, SSA earn- the territories, food stamps, unemployment com-
ings will almost always need to be verified; and 2) pensation, and Medicaid to furnish his or her so-

cial security number in order to associate informa- agencies should obtain assurances from provider
tion on applicants and recipients for the required agencies that their automatic data processing
matches. Existing AFDC and food stamp program methods prevent providers from recording what
rules already require the furnishing of social secu- recipient names and/or social security numbers are
rity numbers. All State agencies implementing processed and that individuals having access to
Medicaid, AFDC, food stamp, and adult assistance such information are bound by the disclosure rules
programs must verify applicant and recipient so- of the various programs” (p. 7191).
cial security numbers to ensure efficient adminis- Notice of Expiration or Adverse Action. –Under
tration of the matching programs and to prevent the proposed rules, the applicant or recipient had
improper disclosure of information. However, eligi- to be notified of any planned adverse action and
bility determinations cannot be delayed pending had to be given the opportunity for a fair hearing.
social security number verification. The food stamp program proposed rules also in-
Social security numbers can be verified through cluded a provision under which households that
the BENDEX, State Data Exchange (SDX), TPQY, failed to respond in a timely fashion to State
and social security number verification systems. agency requests for information would be sent a
There is no required order for using these systems. notice of expiration of their certification period.
SSA generally verifies the social security numbers The final rule replaces the proposed use of the no-
of recipients of title II or title XVI benefits. There- tice of expiration with a notice of adverse actions
fore, a social security number for such an individ- when a household does not respond in a timely fash-
ual received through BENDEX can be considered ion to a State agency inquiry about IEVS infor-
verified. However, not all social security numbers mation.
in BENDEX are verified. At present, the social Safeguards for Confidentiality. -DEFRA re-
security number verification system is being re- quires each State agency to institute adequate safe-
designed, and when completed, verification of so- guards to assure: “(l) that information is made
cial security numbers should be completed within available only to the extent necessary to assist in
3 weeks. On-line access to the social security num- the valid administrative needs of the program re-
ber verification system is not feasible at this time. ceiving the information and that unearned income
SSA is working on a pilot project with Tennessee data from IRS is exchanged only with those agen-
to provide wire-to-wire exchange of benefit data, cies authorized to receive it; and (2) the informa-
including verification of social security numbers. tion is adequately protected against unauthorized
SSA expects to offer the same service to other disclosure for other purposes” (p. 7192).
States. Oversight.–DEFRA did not mandate any
Routine Notice to Individuals. -DEFRA re- reporting system to gather information on actions
quires that all applicants and recipients be noti- taken and savings realized. The proposed rules
fied that information available through IEVS will asked for comments on such a system. In the final
be requested and utilized. Notification is to be rules, the Departments of Agriculture, Labor, and
given at application and periodically thereafter, i.e., Health and Human Services stated that reporting
based on existing program case-processing cycles. “is necessary to help ensure the proper and effi-
Notice must be written and must inform the indi- cient administration of the programs, ” and that
vidual that income and eligibility y information may they were “developing uniform, annual reporting
be obtained using his or her social security num- requirements intended to minimize the recordkeep-
ber and will be used in determining eligibility. The ing and reporting costs and burden on States, while
notice must include the types of agencies that will enabling the Federal Government to monitor com-
be contacted, for example, unemployment compen- pliance with the requirements for accessing and
sation agencies. using information” (p. 7197).
The Departments of Labor, Agriculture, and
Health and Human Services “believe that State
Appendix F

Privacy and Data Protection Policy

in Selected Foreign Countries
Many Western European countries and Canada really given privately at first and later as part of
have also established policy to protect the collec- a process of negotiation over competing interests
tion and use of personal information. Many of these in the use of information. The Federal Commis-
countries have created boards or commissions w i t h sioner for Data Protection is subject to supervi-
responsibilities for overseeing government and pri- sion by the government and reports to both the
vate sector information practices, and acting as Minister of the Interior and to Parliament.
ombudsmen for individuals. Because the policies Private organizations maintaining personal in-
of these countries may serve as a model for policy formation systems are supervised by the Land
actions in the United States, descriptions of the (State) authorities to which the organization belongs.
policies of several countries follow. For example, the Land authority that regulates
banking activity is now responsible for ensuring
The Federal Republic of Germany that the banks also comply with data protection
The Federal Data Protection Act became law on
January 27, 1977. Its provisions apply to both Sweden
computerized and manual personal information
systems in both the public and private sectors. Sweden was the first country to pass national
Registration of all private and computerized pub- legislation regarding the collection and use of per-
lic information systems is required under the act. sonal information. The purpose of the 1973 Data
Although the general principles regarding rights Act was to protect the confidentiality of records,
of individuals and restrictions on the collection and to rationalize the personal information policies of
use of personal information are the same for pub- organizations, and to expand individual rights and
lic and private organizations, the methods of reg- state protection to private information systems.
ulating the two sectors differ. The Data Act covers all computerized personal in-
The act provides for the appointment of a Fed- formation systems in the public and private sec-
eral Commissioner for Data Protection to super- tors. It established a regulatory agency, the Data
vise public sector information systems. This posi- Inspection Board (DIB), which is independent of
tion was added to the draft legislation at the the government and has the responsibility for
insistence of the West German legislature; the licensing all automated personal information sys-
original government bill did not call for such an tems in both the public and private sectors. The
official. The Commissioner, who serves for a 5-year 1973 statute mandated DIB licensing in advance,
term and may be reappointed once, has the author- but a more permissive and somewhat less bureau-
ity to investigate complaints, inspect information cratic system, focusing more on sensitive uses of
systems, require information from agencies, and personal information, was introduced in the 1982
make recommendations. The Commissioner does revision. The revised law was designed to reduce
not have licensing power. Nor does the office have the bureaucratic burden of data protection and to
enforcement powers; rather, the head of each pub- make the system of selective licensing of personal
lic agency is responsible for ensuring compliance information systems self-supporting. These revi-
by the agency. The Commissioner serves, there- sions occurred in response to DIB’s own internal
fore, in an advisory capacity rather than a regula- assessment of what changes were necessary and
tory one. Up to now, the advice of the Commis- the government general desire to reduce the costs
sioner has been taken seriously by the Federal of government. It is noteworthy that, because of
agencies, including the national security agencies Opposition fears of appearing to weaken data pro-
and the Federal police. In essence, it has not been tection, the 1982 amendments passed by only one
politically viable for the heads of Federal agencies vote.
to ignore the Commissioner’s advice, which is nor- The Data Inspection Board has a Board of Di-
rectors, appointed for fixed terms, representing
1 Material for this section was derived from David H. Flaherty, “Data
Protection and Privacy: Comparative Policies, ” OTA contractor report,
various political parties and interest groups, and
January 1985. a staff of less than 30. DIB exercises a great deal


of power. It has the authority to control the col- United Kingdom

lection and dissemination of personal data, to reg-
ulate the usages of the resulting register, and to The Data Protection Act became law on July 12,
set up a system of responsible keepers for com- 1984, and will gradually become fully operative
puterized databanks. DIB also has the powers to over the next 3 years. The act established an inde-
investigate complaints, to inspect information sys- pendent Data Protection Registrar with a staff of
tems, and to require information from organiza- 20 to 30 members who are not civil servants. They
tions. The power of the cabinet or legislature to are to maintain a register of personal data users
create a personal file outside the jurisdiction of and computer bureaus in the public and private
DIB is an example of several safety valves in the sectors. Although the Home Office emphasizes
legislation that prevent DIB from acting in a dis- that the law requires simple registration of auto-
cretionary fashion on any specific measure. mated systems rather than licensing, as in Sweden
The Data Act contains a few general data pro- and France, the act requires quite complete infor-
tection rules, for example, the data subject right mation on each system and the users of the sys-
of access and right to challenge are guaranteed in tem. It remains to be seen whether there are any
the act. But, DIB is responsible for designing de- practical differences in terms of the amount of
tailed rules for particular systems and users, in- paperwork required.
cluding what information may be collected, and the
uses and disclosures of this information.
France Part IV of the Canadian Human Rights Act of
1977 introduced principles of fair information prac-
The 1978 Law on Informatics, Data Banks, and
tice for the Federal public sector and created the
Freedoms is an expansive and innovative statute.
position of Privacy Commissioner. The powers of
Article 1 well illustrates this point:
the Commissioner consisted primarily in respond-
Informatics ought to be at the service of each
citizen. Its development should occur in the con- ing to complaints from individuals about denials
text of international cooperation. It ought not to of individual access to government personal data.
threaten human identity, the rights of man, private The current Privacy Commissioner was a member
life, nor individual or public freedoms. of the Canadian Human Rights Commission.
The 1978 law created an independent adminis- In 1982, the Federal Privacy Act supplanted and
trative agency with regulatory power, the National significantly strengthened the privacy provisions
Commission on Informatics and Freedoms (CNIL). of the Human Rights Act. Sections 4 to 10 of the
It is the first administrative agency in France with 1982 act regulate the collection, retention, disposal,
statutory independence from the government. protection, and disclosure of personal information
CNIL is obliged to ensure the observance of the held by the Federal Government by means of a
1978 law and to make decisions on the authoriza- code of fair information practices. Its provisions
tion of particular information systems in response are similar to the American Privacy Act. The Cana-
to requests. The Commission has 17 part-time dian law also specifies a list of 13 purposes for
members chosen for 5-year terms by various offi- which a government institution may disclose per-
cial government bodies, including the Senate, the sonal information.
National Assembly, the Council of State, the Court The Treasury Board is responsible for publish-
of Cessation, and the Court of Financial Accounts. ing an annual index of all the personal information
There are also data protection officials in each gov- systems maintained by the Federal Government
ernment agency. in both manual and automated form, including the
Critics argue that CNIL has never taken a tough fewer than 25 systems that are exempt from ac-
decision against the government with respect to cess by individuals. The current edition runs to
a proposed new personal information system. about 300 pages. Copies are available in post offices
CNIL has rarely turned down a government pro- and libraries across Canada, but it is unusual to
posal; it tends to negotiate changes during the find persons who have consulted them.
process of application for approval. Because of the The 1982 Privacy Act considerably strengthened
way it works in responding to specific requests for the general powers of investigation and monitor-
advice or licenses, CNIL has not yet reviewed in ing, and set up a separate Office of the Privacy
detail all of the databanks that existed prior to the Commissioner. The Privacy Commissioner holds
enactment of the 1978 law. office for 7 years, and is eligible for reappointment

once. His independence is assured, in theory, by Australia

the fact that he is an officer of Parliament and is
appointed by resolution of the Senate and House In April 1976, the Australian Law Reform Com-
of Commons. In practice, the initial selection is in mission was given a broad mandate to consider a
the hands of the government of the day; thereafter, variety of privacy issues, including data protec-
the Privacy Commissioner has to retain the confi- tion. After an exhaustive inquiry and the publica-
dence of these two legislative bodies. Presently, tion of a number of specialized reports, a compre-
the Information Commissioner, who is responsi- hensive three-volume report was released at the
ble for the law on access to government informa- end of 1983. With respect to its recommendations
tion, and the Privacy Commissioner share some for data protection legislation, the Commission for-
administrative staff in the same office. The Privacy mulated 10 general principles for data protection
Commissioner has a legal advisor, a director of modeled on the Organization for Economic Coop-
complaints and 5 investigators, and a director of eration and Development’s Guidelines. The Com-
compliance and 3 investigators, for a total of 15 mission concluded that the private sector, as well
direct staff and a share of 18 others. as the public sector, should come within the ambit
The Privacy Commissioner has the overall re- of legislation. It rejected the licensing model for
sponsibility to monitor the implementation of the data protection, but recommended the creation of
Privacy Act. His recommendations to government a “statutory guardian” or “administrative body
departments are likely to carry a considerable with the specific function of advocating privacy
amount of weight, although he does not have reg- interests. ” Such a Privacy Commissioner would
ulatory power, because he is an independent offi- function primarily as an ombudsman, but would
cer of Parliament. He can request a response from have regulatory power in one specific area-the
a department to one of his recommendations. He handling of individual requests to obtain access
prepares an Annual Report to Parliament and may to their own data and to amend incorrect records.
make special reports at his discretion. The act In general, the basic functions of the Australian
directs that a permanent committee of Parliament Privacy Commissioner would be similar to those
should review the administration of the statute. of his or her counterpart in Canada and data pro-
An individual may complain to the Privacy Com- tection officials in Western Europe.
missioner about any alleged form of personal in-
formation misuse by the Federal Government.
Moreover, the Commissioner has the power and
resources to initiate and investigate a complaint

58-924 0 - 86