Merging County Social Services Data Bases: Privacy Pitfalls and a Policy Solution
San Diego County Dept. of Health and Human Services Conference, Integrating Health and Human Services
April 9, 1998
Note: This speech was given at a day-long conference hosted by San Diego County to promote the integration of social services. The conference was attended by Health and Human Services employees of the County. The speech discusses the pitfalls of merging data bases containing sensitive personal information. In it, the PRC proposes a policy framework to ensure that clients' privacy is safeguarded.
Privacy has become one of the hottest societal and public policy issues of our time. You can't open up a newspaper these days -- or watch TV news -- without being bombarded with examples of the latest privacy abuse, whether real or potential.
I look upon what you are proposing as embodying the classic double-edged sword. There are obvious benefits, which have been discussed in this conference. But there is also the downside: the development of a cradle-to-grave electronic dossier on your clients -- which can pose threats to personal privacy and which can be used for purposes of social control.
I want to start by reading a quote from a federal government study.
"The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable." End of quote.
When was that written? Not yesterday, not even last year -- but in 1977 as part of a major study conducted by the U.S. government. That statement is just as valid today as it was then, perhaps more so.
My presentation will focus on the privacy implications of the integration of health and human services. I am going to spend most of my time describing a set of privacy principles which I believe are essential to guide the merger and use of information from several agencies and departments. These are called the Fair Information Principles.
When I look at what you are trying to accomplish, I think back to my early days growing up in a town of 1,600 people in western Minnesota. You've heard the saying, "It takes a village to raise a child." That was certainly the experience I had back then. A great deal was known by all of the families in that small community about each other -- not to mention the store clerks, school teachers, ministers, doctors and nurses, the one police officer, the post office, and the local newspaper.
For the most part, that shared knowledge was put to good use -- the townspeople and the staff of the local social service institutions helped each other deal with the stresses and strains of everyday life. In a way, you can think of small town life as what you're trying to replicate by merging San Diego County's social services and sharing data. The goals which you wish to achieve are all based on the well-being of families and children in need.
But what happens when that merged information is used for purposes other than the original intent? What happens when sensitive information is used to draw conclusions and make decisions that harm individuals? We all know about the harm of gossip, which, in small towns, is an everyday reality. Sometimes it is extremely harmful, affecting individuals their entire lives.
There's probably no way to get rid of small town gossip and its bad effects. But there are ways to instill a "culture of confidentiality" in the workplace. And there are ways to build a policy framework that enables sensitive personal information to be handled in ways that preserve individual and family privacy. Your challenge will be to make those principles ironclad and not to water them down with exceptions. More about that later.
I return to the subject of the Fair Information Principles.
A quarter century ago, a task force of the U.S. Dept. of Health, Education and Welfare looked at the impact of computerization on medical records. They wanted to develop policies that would allow the benefits of automation to go forward, but at the same time provide safeguards for personal privacy. They developed the Code of Fair Information Practices consisting of five clauses -- openness, disclosure, secondary use, correction, and security -- which I will expand on in a moment.
These principles have since traveled the world over, and ironically have been adopted more by other western industrialized countries than our own. And the principles have been expanded to address the advances made in the intervening years in automation and information gathering.
Let me propose a set of ten principles to guide your work. And by the way, there is a lot of information on our web site about the Fair Information Principles and their evolution -- www.privacyrights.org.
1. Consideration of privacy effects: Privacy is recognized as an issue to be considered ... in introducing and using information technologies.
What this principle suggests to me is that a privacy impact assessment should be conducted when new uses of information technologies are being considered -- or, in your situation, when developing new ways of using existing information.
2. Openness: (a very American principle) There must be no record-keeping systems whose existence is secret.
3. and 4. Access and accuracy (the right of correction): Openness relates very closely to these two. Individuals shall have reasonable means to obtain and review, and when necessary, correct and amend information about them.
There is no such thing as a perfect data base, or perfect paper-based record for that matter. Errors and misleading information can be compounded when information sources are merged. The best way to ensure accuracy is to enable the data subjects access to the contents.
There needs to be sufficient infrastructure in place to allow individuals the ability to view, correct and/or amend their records. I have not heard these particular principles discussed vis-a-vis the County's social service integration efforts, and I think it's important that access for the purpose of accuracy be allowed.
I would add to this principle the sub-principle of education -- the importance of notifying clients of their rights of access and correction -- the nature of the data compiled on them, what is done with it, how it is safeguarded and so on. Without education, there will no doubt be conspiracy theories and pie-in-the-sky horror stories hatched -- you'll have that anyway, but with a concerted education effort, these will be lessened.
5. Collection limitation, or identifying purpose: Only the personal information necessary for the stated purpose of the agency shall be collected.
6. And closely related to that is the sixth: limiting use, disclosure and retention.
There is the temptation to collect and disseminate more information than is necessary for the matter at hand, especially in this era of computerized data collection, when computers are getting more powerful at the same time as they are becoming less expensive to operate.
How will all the data that you are merging be handled over time? Will files be expunged when no longer needed? And what are the risks of compiling extensive data bases, only to have them accessed for entirely different purposes, including law enforcement and surveillance?
7. That brings me to probably the most powerful and least enacted principle, secondary usage. This seventh principle states that information gathered for one purpose shall not be used for other unrelated purposes without the consent of the data subject.
The temptation in any compilation of data, especially data as sensitive as that gathered by social service agencies and health care facilities, is to use that data for other purposes.
As an example of secondary usage, I bring to your attention a San Diego County Supervisors measure approved in April 1997 which would enable social services information to be shared with immigration officials. This is a classic example of secondary usage.
One of the toughest decisions for policy makers to make is to segment that data so as not to alter the original purpose for the data gathering, and not to ultimately change the focus from true service and betterment of lives to that of surveillance. The shared data that you are collecting is going to be terribly tempting for law enforcement at all levels of government, for the Immigration and Naturalization Service, the Drug Enforcement Agency, and so on. How will you ensure that the data are not used for fishing expeditions?
8. The eighth principle is informed consent. The knowledge and consent of the individual are required for the collection, use or disclosure of personal information. This is especially critical when data will be compiled from a number of sources and then used for multiple purposes. The foundation of any efforts regarding sharing of information between and among agencies is the use of a very specific authorization form. We hear many complaints from consumers calling our hotline who have been asked to sign off on overly broad authorization forms for medical care, for example.
With informed consent comes the notion of choice. Will clients have the ability to say no to the sharing of information about them? If they say no, will they be unable to obtain service? I would be interested in learning what is being considered regarding choice.
9. Security: The establishment of physical, technical and administrative safeguards to protect personal information against the risk of unauthorized access, collection, use, disclosure or disposal.
I am not referring only to the security of computerized systems from hackers -- from those outsiders who threaten the security and integrity of the data -- but also to individuals within the agency. Are there electronic and paper-based audit trails so access can be tracked? Are especially sensitive records segmented for limited access? Are certain records restricted only to those with a need to know?
A vitally important aspect of security is ongoing training of all staff who access sensitive information. Training should stress what the legitimate and illegitimate uses are. There should be strict penalties, including termination, for misuse.
10. The tenth and final principle is Accountability, including Oversight and Review.
There should be a commission, perhaps, or a task force comprised of citizens and government officials to monitor on a regular basis the compliance with and efficacy of these principles -- and whether or not they're up to date. Perhaps spot checks of agency practices could be done, and goals established for certain practices to be adopted, as well as a grievance forum for citizens and agency staff members.
In addition to some sort of oversight board, there should be an individual or team responsible for safeguarding the personal information being compiled, someone in the agency who is accountable for compliance with the principles. I want to stress once again, the enactment of meaningful sanctions for privacy abuses.
I want to close by discussing the importance of trust in your data sharing endeavor. It is going to be difficult to instill a high level of trust in your clients unless they feel confident that information about them is held in the highest standards of confidentiality.
In that regard, I will close with a quote from testimony provided by the Center for Democracy and Technology at a federal government hearing last summer. I think it nicely summarizes the "social, political and economic consequences [that] can result from our ... failure to adequately preserve individual privacy." And I quote:
"If people continue to lose control over their ability to choose when, what, and to whom to divulge personal, sensitive information, they will not only lose the capacity to retreat from society and seek solitude, they will also be reluctant and unwilling to step forward and fully participate in society, fearing unwanted exposure, judgements, discrimination and government surveillance and repression."
Thank you for your attention.