Where Were You in 1974?

In 1974 we went to the movies to see The Sting, we listened to Supertramp on 8-track tape and might have been reading Michener’s Centennial. (Well, you might have done those things if you were of a certain age. Yours truly probably had a babysitter and was being read to.)

The federal government was very busy that year, with impeachment considerations, President Richard Nixon’s eventual resignation and the swearing in of Gerald Ford, all by mid-summer. As if that wasn’t enough to keep federal lawmakers busy, the Privacy Act of 1974 was also passed.

The Privacy Act of 1974, 5 U.S.C. § 552a, established a code of fair information practices that governed the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies. According to the United States Department of Justice, “The Act was passed in great haste during the final week of the Ninety-Third Congress. No conference committee was convened to reconcile differences in the bills passed by the House and Senate. Instead, staffs of the respective committees—led by Senators Ervin and Percy, and Congressmen Moorhead and Erlenborn—prepared a final version of the bill that was ultimately enacted.”

Flash forward to earlier this month, when the Center for Democracy & Technology announced its participation in updating the Privacy Act of 1974, stating: “The Privacy Act of 1974 passed as the result of a government-wide push toward the development of policies and practices to protect the information of citizens and other individuals. While the underlying framework of the law, rooted in the principles of Fair Information Practices (FIPs), is still sound, the thirty-five year-old wording of the Act renders it ill-equipped to meet many of the privacy challenges posed by modern information technology.”

CDT brought together a working group of public interest organizations, government representatives, and members of the private sector to draft the E-Privacy Act Amendments of 2009. CDT opened this policy-drafting process to the public and created a wiki to allow the public to edit the draft before it is submitted to Congress. Public comment on the wiki just closed this week.

The E-Privacy Act Amendments of 2009 propose a host of new initiatives—including the creation of a new government Chief Privacy Officer—and recommend significant amendments to two existing laws: the Privacy Act of 1974 and the E-Government Act of 2002. CDT’s recommendations come on the heels of a report by the federally appointed Information Security and Privacy Advisory Board (ISPAB) <http://www.cdt.org/privacy/20090529_ispab_rpt.pdf>.

CDT writes, “technology has evolved far beyond the letter of the Privacy Act in the thirty-five years since its passage; even the E-Government Act of 2002 failed to close this gap. The Privacy Act was designed to accommodate agency-held flat files, but computing has moved towards forms of networked centralization and relational databases beyond the Privacy Act’s reach. In addition, the Privacy Act’s drafters did not contemplate the industry that has arisen around collecting and sharing information with the government.”

Of particular concern is that the Privacy Act is invoked only when government handles data defined as “a system of records”; if a collection of information is not defined as such, then the Act, and its protections, do not apply. CDT says “a recent GAO report noted that this ‘system of records’ definition is far too narrow to encompass government information use today. As an example: only data that is retrieved ‘by the name of the individual or by some identifying number [or other unique identifier]’ receives protection, leaving data retrieved by other queries—such as health condition, address, or criminal history—uncovered. The Act also does not apply to records held by other entities, like information resellers and public sources of personal information.”

CDT’s draft amendments re-define a system of records in order to clarify that all groups of records held by agencies are systems of records. The amendments also update the E-Government Act of 2002 to require privacy impact assessments for government use of information from commercial databases.

“The Privacy Act has held up well over the past 35 years,” says CDT Vice President Ari Schwartz. “We are suggesting changes to insure that it can last another 35 despite the strains that are showing from the advent of a range of new technologies that threaten to undermine the basis of the protections that have been put in place.”

CDT’s E-Privacy Act Draft.

GAO Report, Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information.

Eye on Messaging is written by Stephanie Jordan, editor in chief of Messaging News. If you have story ideas or news to share, email her: sjordan(at)messagingnews.com