Information Technology Reference
In-Depth Information
At about the same time that the Richardson Committee was established in the
United States, similar efforts were under way in Europe. In fact, a year before the
Richardson Committee issued the report containing the Code of Fair Information Prac-
tices, a Committee on Privacy in the United Kingdom released its own report containing
many of the same principles. Sweden passed privacy laws consistent with fair informa-
tion practices in 1973, and later that decade the Federal Republic of Germany and France
followed suit [65].
The Privacy Act of 1974 represents Congress's codification of the principles described in
the Code of Fair Information Practices. While the Privacy Act does allow individuals in
some cases to get access to federal files containing information about them, in other
respects it has fallen short of the desires of privacy advocates. In particular, they say
the Privacy Act has not been effective in reducing the flow of personal information
into governmental databases, preventing agencies from sharing information with each
other, or preventing unauthorized access to the data. They claim agencies have been
unresponsive to outside attempts to bring them into alignment with the provisions of
the Privacy Act. The Privacy Act has the following principal limitations [66]:
1.
The Privacy Act applies only to government databases.
Far more information is held in private databases, which are excluded. This is an
enormous loophole, because government agencies can purchase information from
private organizations that have the data they want.
2.
The Privacy Act only covers records indexed by a personal identifier.
Records about individuals that are not indexed by name or another identifying
number are excluded. For example, a former IRS agent tried to gain access to a
file containing derogatory information about himself, but the judge ruled he did
not have a right to see the file, since it was indexed under the name of another IRS
employee.
3.
No one in the federal government is in charge of enforcing the provisions of the Privacy
Act.
Federal agencies have taken it upon themselves to determine which databases they
can exempt. The IRS has exempted its database containing the names of taxpayers
it is investigating. The Department of Justice has announced that the FBI does not
have to ensure the reliability of the data in its NCIC databases.
4.
The Privacy Act allows one agency to share records with another agency as long as they
are for a “routine use.”
Each agency is able to decide for itself what “routine use” means. The Department
of Justice has encouraged agencies to define “routine use” as broadly as possible.
Although the Privacy Act applies only to government databases, Congress has
passed legislation regulating how some private institutions manage databases contain-
ing sensitive information about individuals, and these laws put into effect many of the
principles of the Code of Fair Information Practices. In the remainder of this section,
