NBS Privacy Conference

From April 2 to April 4, 1975, the National Bureau of Standards and the MITRE Corporation held a symposium and workshop in McLean, Virginia in order to allow computer users from business and government to exchange their views on the impact of privacy legislation. Excerpts from some of their talks follow:

Representative Edward I. Koch (D-NY): ... Notwithstanding the deficiencies of the Privacy Act, I feel it represents a monumental breakthrough in the field of personal privacy safeguards. Millions of files that are locked away from the public will become available in September 1975, so that one can see one's own file, see whether the material in it is relevant, see whether it is accurate, see whether it is current, and, if it is not, provide the mechanism whereby corrections can be made. Also significant is that the Privacy Act contains a provision forbidding all agencies, including law enforcement agencies, from maintaining a record of the political and religious beliefs or activities of any individual unless expressly authorized to do so by statute or by the individual himself.

There are changes I would like to see in the Privacy Act. First of all, the law is deficient in the area covering law enforcement agencies.... I feel that criminal justice systems should be included in the Privacy Act until the Justice Department can come forward with a proposal that the Congress can agree upon. The second change I would like to see would be a removal of the near blanket exemption given to the CIA and a tightening up of the exemptions pertaining to the FBI. The exemptions should be limited only to those files having to do with national defense and foreign policy, those containing information held pursuant to an active criminal investigation, and those maintained for statistical purposes and not identifiable to an individual.
I feel that provisions allowing an agency to withhold from an individual the source of confidential information in his file should be deleted.... And, most importantly, I would like to see the establishment of a Federal Privacy Board which would monitor agencies' compliance with the Act and work in somewhat of an ombudsman's capacity and hold hearings for those individuals who want to air their grievances.

We need a broad federal policy to set the basic standard for privacy protection both in the public and in the private sector. But we have to be able to move beyond the broad approach to appreciate the specific needs of different sectors of the government and private organizations. When separate pieces of legislation come before the Congress for consideration, if privacy protections can be included, I certainly will support adding such provisions.

Joseph L. Gibson, senior attorney for Marcor, Inc.: Recent reports have given the appearance that the privacy issue is a national crisis which suddenly sprang forth from the anti-Vietnam war movement and Watergate. That appearance is not accurate. The issue of privacy has a substantial history: current trends began a decade ago. The issue will be satisfactorily resolved, not by restating a few general principles, but only by devising a number of specific solutions for specific problems.

Charles Work, deputy administrator, Law Enforcement Assistance Administration: I am confident that law enforcement can meet the challenges posed by the regulation and proposed legislation. I am also confident that in the long run, law enforcement and law enforcement agencies will be much better for it. Many of the enumerated requirements are not difficult to meet; a much more difficult requirement is that the records must be accurate, complete and up to date. We need systems with bank-type auditing capacity so that the defendant can be traced through the system. This is a very significant challenge, ... because if management cannot get the data into the systems, it will not meet the requirements of privacy and it will not be the system's fault. It could also be costly, because management systems cannot be significantly improved without a significant increase in manpower. But in the long run, the privacy mandate will dramatically improve the systems and must improve the overall management of concerned agencies.

Naomi Seligman, McCaffery, Seligman & von Simpson, management consultants: One cannot speak of the impact of privacy legislation on the economy as a whole, but instead must separate its impact into three distinct sectors of data base users: government agencies, third party services - such as credit bureaus - and the broader run of U.S. business. The real costs of privacy violations to the individual clearly relate to a large number of social issues. Almost all analyses of the issue begin with the assumption that data is always used to an individual's disadvantage; yet, many data bases are used to provide privileges which would be impossible without such data. Specific cost is very much associated with the nature of specific data disclosed about the individual. I strongly believe that the principles of the HEW Report can be achieved by general business without any of the problems or onerous costs.

Ruth M. Davis, NBS conference chairperson: The first law that we talk about in the area of privacy came into being in 1974, 194 to 198 years after manual systems of handling information had been officially used by the U.S. and by organizations operating in the U.S. The new laws come at a time of dramatic change in electronic, optical, and communications technology. This is the setting in which we are trying to formulate actions. One requirement (for action) is the "retrofitting" of all existing information systems to make sure that they meet new legislative requirements.
Second, there is a need to determine, validate and insure compliance with the laws of existing and new systems. Third, there is a need for developing and introducing the technologies that will allow the required changes in information handling so that the systems are operationally effective, legal, and economically possible. Last, we must dust off and refine good information management practices. The privacy mandate, along with its accompanying requirements, should not be taken lightly. At the same time it should be reviewed in terms of the many kinds of effects it can have.