PERSONAL PRIVACY AND DISTRIBUTED ACCESS: ETHICAL AND LEGAL CONSIDERATIONS FOR THE INTERNET

 

Robert P. Spindler

University Archivist

Arizona State University

rob.spindler@asu.edu

 

A revised version of the paper originally presented at:

 

American Society for Information Science Midyear Conference

Scottsdale, AZ

June 4, 1997

 

Formatted for web distribution by RPS, April, 2004.

 

© Robert P. Spindler 1997. All rights reserved.

 

__________________________________________________________________________

 

 

Last night as I was looking at the conference program on the ASIS website I realized that most sessions at this conference have dealt with very specific privacy issues. This morning I’ve been asked to step back and take a more general look at what kinds of information are considered private, and how those definitions impact how we select information for electronic distribution.

 

What is private? This is a much more difficult question, since definitions of what is considered private are embodied in the ethical principles of individuals, communities, and professional groups, and the laws of individual states, the federal government and other nations. In order to help keep all this straight, I’ve created this model, which we can use to illustrate the range of privacy definitions we might consider when creating databases and applications:

 

                         PERSONAL VALUES
                                |
                                |
COMMUNITY STANDARDS ---- ETHICAL CONDUCT ---- PROFESSION
                                |
                                |
LEGISLATION ------------------ LAW ------------------ JUDICIAL INTERPRETATION

 

I would like to begin at the bottom of our model so we can establish the baseline of legal requirements for privacy, and then work up from there to address other standards of privacy that could impact our work.

 

 

LEGAL CONSIDERATIONS:

 

Most privacy protections enunciated in American federal or state law address accessibility of government or public records rather than personal or corporate records. Often federal or state law establishes standards or principles of privacy protection that are explicated through more specific laws or policies of specific government agencies.

 

LAW AND GOVERNMENT RECORDS

 

There are two critical pieces of federal legislation relating to the protection of personal privacy contained in government records: the US Privacy Act of 1974 and the Freedom of Information Act.

 

The US Privacy Act of 1974 and its counterpart, the Canadian Privacy Act of 1983, are very similar in scope and content. Four principles of privacy protection are common to both these laws:

 

Prior consent: Agencies covered by the legislation shall not use or disclose personal information without prior consent of the individuals represented.

 

Access: Agencies must permit individuals to have access to information pertaining to them in government records and make provisions to allow erroneous information to be corrected.

 

Need: Agencies can collect and maintain only the information that is necessary to conduct the public business.

 

Notification: The existence of personal information banks maintained by federal agencies must be made public. This information is currently available through the Privacy Act Issuances, now available as a portion of the Government Printing Office web site, which provides a database that lets you search for descriptions of the databases containing personal information in each federal agency.[1]

 

The Freedom of Information Act was established in 1966 and amended in 1974 to establish the public’s right to access all federal executive branch records except those that are specifically exempted to protect compelling national interests such as individual privacy. Exemption six of FOIA protects the privacy of personnel and medical files contained in executive branch records.[2]

 

The Crime Control Act of 1973 regulates access to criminal records of individuals.

 

ARIZONA PUBLIC RECORDS LAW

 

In Arizona, state public records laws require that the vast majority of records be made available to the public upon request; however, certain records deemed confidential are exempted from the disclosure requirements in order to facilitate execution of public business or to protect the privacy of individuals. Exemptions to disclosure requirements that relate to personal privacy include:[3]

 

Adoption Records

Child Welfare and placement records

Arrest Records

Death Records received by County Recorder

Automobile accident reports

Health Care Information

Criminal History and Identification Data

 

 

LAW AND NON-GOVERNMENT RECORDS

 

A number of federal laws address privacy of personal information contained in non-government records. Here are a few of the major pieces of legislation:[4]

 

Fair Credit Reporting Act (1970)

 

The Fair Credit Reporting Act requires credit agencies to make their records available to the subject, provides procedures for correcting information and permits disclosure only to authorized customers of the credit agency.

 

Family Educational Rights and Privacy Act (1974)

 

The Family Educational Rights and Privacy Act of 1974, commonly known as FERPA or the Buckley Amendment, establishes the confidentiality of student records. In general, student directory information (addresses, phone numbers) may be released to the public unless the student has specifically applied to keep the information confidential. However, student records such as grades and grade point averages provided in a personally identifiable form are considered confidential, with certain limitations. Often FERPA provisions are interpreted by the US Department of Education and the policies of specific educational institutions.

 

Right to Financial Privacy Act (1978)

 

Provides bank customers limited privacy protections for their financial records and establishes procedures for federal agencies to gain access to this information.

 

Privacy Protection Act (1980)

 

Prohibits government agencies from making unannounced searches of press offices and files unless there is suspicion of criminal activity.

 

Cable Communications Policy Act (1984)

 

Requires cable services to inform subscribers of the kinds of personally identifiable information collected, the nature of its use, when and why the information might be disclosed, and the length of time the information will be maintained.

 

Video Privacy Act (1988)

 

Prohibits video stores from disclosing their customers’ names, addresses and videotape rental histories, except under certain circumstances.

 

In addition to federal laws, there are certain classes of information that are considered privileged information, and these are generally substantiated through federal or state law. Virtually all jurisdictions recognize the right of attorney-client privilege as a right of absolute or total confidentiality. Other classes of information have “qualified” or limited privilege, meaning that the information may be disclosed under certain circumstances. These include doctor or psychiatrist and patient relationships, clergy and penitent, and husband and wife.

 

LAWS OF OTHER NATIONS

 

In addition to American privacy laws, those of us who wish to reuse information originating in other countries need to be aware of the differences in privacy laws that exist overseas. Unfortunately I can’t review all of the specific laws in the time allotted, but there are some general principles of information privacy protection being established overseas that are similar to those embodied in our US Privacy Act of 1974.

 

In 1981 the Organisation for Economic Cooperation and Development created their Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, known as the OECD Privacy Principles. These principles require that personal information not be collected unless the person gives consent or the person is informed why the information is being collected, who will use it and how they may access it and correct it if necessary. The Principles also require that this information not be used for a purpose other than the original, and that the data not be disclosed to others without consent unless required by law.[5] In Australia the OECD Principles have been enacted for government institutions but not for the private sector.

 

In New Zealand the principles were enacted for both the public and private sectors, and they have established a Privacy Commissioner who has authority to review and approve industry privacy codes, giving them the force of law. Taiwan introduced comprehensive privacy regulation in its “Computer Processed Personal Data Protection Law” of 1995. This law set separate privacy principles for the public and private sectors, with the private sector provisions conforming to the OECD Principles. Taiwan has 65 “professional institutions” within the Ministry of Justice responsible for privacy infringement verification.[6]

 

ETHICAL CONDUCT STANDARDS

 

Formal and informal ethical standards for identifying private information have been established as standards of professional organizations and statements of a variety of communities with common interests.

 

One professional ethical standard relating to privacy comes to us from the American Library Association’s Code of Ethics, which states that librarians “protect each user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.”[7]

 

Interestingly, this ethos may not be common to other communities, as we see in the debate over the use of “Cookies”, a technology that allows web site administrators to capture and examine the clickstreams of users that access their sites. The Internet Engineering Task Force met in April to consider a recommendation to limit the ability of companies to use cookies, and advertising and marketing communities were organizing to draft a counter-proposal to allow the use of cookies.[8] I think there is an interesting dichotomy between the protection of an individual’s information uses afforded by the Video Privacy Act and the ALA Ethics statement, and the marketing communities’ interest in accessing users’ clickstreams, the virtual equivalent of a library user’s circulation records.

 

Community-based ethical standards for privacy are being established by formal or informal groups as well. An important example of this is the concern of the Native-American community for the accessibility of ceremonial artifacts removed from their lands, which has been addressed in the Native American Graves Protection and Repatriation Act. Although the Act excludes photographic materials documenting ceremonial acts and human remains, this has become a concern of some tribal authorities. The Hopi have been particularly aggressive in asserting their right to privacy in terms of the use of ceremonial photographs. They have recently concluded an agreement with Northern Arizona University that allows the public to view photographs, but requires advance written permission of tribal authorities for reproduction or display of this information.

 

Another community-based definition of privacy is discussed in Robert Alun Jones’ 1994 article “The Ethics of Research in Cyberspace”. Jones’ article is a thought-provoking piece on the history of ethical considerations in human subjects research conducted by the social science community and how those models are breaking down in the context of human subjects research on Internet users. Jones begins by discussing the biomedical research origins of the earliest ethical research guidelines contained in the Nuremberg Code, the Belmont Principles, and university rules governing human subjects research. These ethics codes defined public information as “information about behavior that occurs in contexts in which an individual cannot reasonably expect that no observation or recording is taking place...” He also addresses issues of informed consent of subjects participating in Internet research projects and the need for full disclosure of the project to the subject. Jones notes the difficulties of applying these standards to Internet research in cases where the researcher seeks to use information originally obtained for other purposes and the information provider must determine if this new research is within the scope of the original consent given by the subjects. Interestingly, Jones also notes that ethical guidelines may well alter the nature of the social behavior to be studied, since consent and disclosure may well affect the behavior being scrutinized and therefore bias the research results. Jones ends his paper with a call to the virtual research community to establish ethical guidelines for human subject research applicable to the Internet.

 

On rare occasions large numbers of individuals have independently expressed their personal privacy ethos in reaction to a specific event. A wonderful example of this was the 1991 Lotus Marketplace project, which, although it was not an Internet application, raised the awareness of thousands of individuals to the potential for electronic capture and reuse of personal information. In this joint venture between Lotus Development Corporation and Equifax, a major credit reporting agency, data including names, addresses and financial information on 120 million American households was to be loaded on a CD-ROM product and sold for about $695. Once information about the project was leaked to the public through Internet listservs and the press, Lotus received over 30,000 requests from individuals to have their information purged from the product. Most individuals were concerned that there were insufficient provisions for correcting or deleting data. The companies chose to cancel the project and stated in their announcement that the decision came “after an assessment of the public concerns and misunderstanding of the product and the substantial, unexpected additional costs required to fully address consumer privacy issues.”[9] Although news coverage of the events did not suggest the product was illegal (it may have been a violation of the Fair Credit Reporting Act of 1970), 30,000 individuals agreed that this was an invasion of their privacy and took action to intervene.

 

A similar example of individuals expressing their concerns for privacy was documented in the news in April, when the federal Social Security Administration announced it was removing earnings and benefits data from the Internet in response to complaints from the public and requests for investigations from legislators.[10] Although the SSA had consulted with data security experts and encrypted outbound data distributed from the site, the public perception was that the information was private and that this form of access was not secure.

 

In both the Social Security and the Lotus Marketplace stories, institutions invested substantial resources into the development of products that ultimately had to be cancelled or withdrawn in reaction to public perceptions, regardless of their legality or technical security. 

 

What does all this mean? Firstly, I hope I have communicated that the area of privacy regulation in terms of government and private sector activity is being driven by a number of forces not limited to existing laws. Legal and ethical standards for privacy are changing quite rapidly in response to perceived opportunities and threats associated with our potential for distributed access. As Guynes, Vedder and Vanacek wrote in 1996, “Recent evidence suggests that a substantial percentage of Internet users will refuse to access sites that knowingly violate what users perceive as their privacy rights.” I believe that when organizations are planning the creation of information products and services that contain data that might be considered private, they should not merely consider what is legal but also consider professional, community and personal definitions of privacy before they expend resources on product development. With the rapid pace of change in the various regulatory areas and the heightened public awareness of data security and privacy issues, the appearance of privacy violations may be all that is needed to compromise your institution’s reputation. This can result in the waste of substantial and precious product development resources.


[1] http://www.access.gpo.gov/su_docs/aces/PrivacyAct.shtml Accessed April 19, 2004

[2] MacNeil, Heather, Without Consent: The Ethics of Disclosing Personal Information in Public Archives, Metuchen, NJ, Scarecrow Press, 1992, pp.62-63.

[3] Arizona Agency Handbook, Phoenix, AZ: Office of the Attorney General, Chapter 6.5, p. 6-3.

[4] Donald C. Bacon, Roger H. Davidson and Morton Keller, The Encyclopedia of the United States Congress, New York: Simon and Schuster, 1995. Vol 3 pp.1624-1625.

[5] Fred Chilton and Simon Cant, “Privacy and the Internet”, International Business Lawyer, 24(4):168-171. (April, 1996)

[6] Chilton, Ibid., p. 169.

[7] American Library Association Code of Ethics, http://www.ala.org/ala/oif/statementspols/codeofethics/coehistory/1981statement.htm (Accessed April 19, 2004)

[8] “Net Users Urge Standards Group to Protect Privacy”, Electronic Privacy Information Center press release, April 7, 1997. http://www.epic.org/privacy/internet/cookies/ietf_letter.html (Accessed April 19, 2004)

[9] Miller, Michael W., “Lotus is Likely to Abandon Consumer-Data Project”, Wall Street Journal, January 23, 1991, B1. “Privacy Complaints Kill Lotus Database Product”, Chicago Tribune, January 24, 1991, Section 3, p.4.

[10] Alice Ann Love, “US Yanks Personal Database Off Internet”, Arizona Republic, April 10, 1997, p.E1.