CHAPTER V
Privacy and Security Issues
Widespread concerns exist that only legitimate use be made of records
that deal with personal information. Since the SSA collects vast
amounts of such information, such concerns must be taken seriously into
account during system design. Among them are:
· protection of client privacy;
· system accountability;
· system auditability;
· responsibility for avoiding fraud and embezzlement;
· high quality delivery of service to the client, especially
with regard to accuracy and fairness of determinations about
individuals; and
· confidentiality of records.
Cutting across many of these issues is the concept of "fairness,"
which has many dimensions. In the privacy sense, fairness connotes
the assurance that errors, omissions, or other shortcomings in the
client's record will not contribute to an unfair decision. With regard
to delivery of service, fairness implies the assurance that each client
affected by the system will receive all the benefits to which he or she
is entitled. With regard to the general public, fairness relates to the
agency's fiscal responsibility and assurance that its funds are used for
authorized purposes only. With regard to the data base, fairness relates
to the accuracy with which the records are kept and, therefore, to system
integrity.
Computer security undergirds all the dimensions of fairness, as
well as the other social and governmental concerns listed above. It is
the basis on which access to information is controlled, information is
protected against theft or unauthorized usage, and an organization like
the SSA protects itself against loss of its computer-based record
system--on which the proper functioning of the SSA and the welfare of
many Americans so greatly depend.
Four terms that relate to these matters are defined below:
PRIVACY: The societal view that (1) an individual (and by
extension, a group of individuals, or an institution, or all of society)
must be able to determine to what extent personal information is
communicated to or used by others; (2) an individual (and by extension,
a group) must be protected against injury or humiliation because personal
information held by an organization in a record system is misused; and
(3) an individual (or class of individuals) must be protected against
unwelcome, unfair, improper, or excessive collection or dissemination of
personal information or data.
CONFIDENTIAL(ITY): (1) Status accorded to data or information
indicating that it is sensitive for some reason and, therefore, needs to
be protected against theft or improper use, and must be disseminated
only to individuals or organizations authorized (or privileged) to have
it; (2) by extension, status (sometimes assured by law) accorded to data
or information that reflects an understood agreement between the person
furnishing the data and the person or organization holding it that
prescribes the protection it is to be provided and the dissemination and
use to be permitted; and (3) a legally recognized relationship between
certain individuals (e.g., lawyer-client and physician-patient) that
privileges communications between them from disclosure in court.
(Sometimes, confidential information is legally required to be given in
exchange for some benefit, privilege, right or opportunity; sometimes
it is voluntarily given.)
COMPUTER SECURITY: The totality of measures required to (1)
protect a computer-based system, including its physical hardware,
software, personnel, and data against deliberate or accidental damage
from a defined threat; (2) protect the system against denial-of-use by
its rightful owners; and (3) protect data and/or programs and/or system
privileges against divulgence to, or use by unauthorized persons.
INTEGRITY: The property of being what the item, statement, or
individual is thought to be, and, therefore, free of surprises.
Against this background, it is appropriate to suggest a set of
social objectives to which the record-keeping system of the SSA should
respond. In 1975-1977, the President's Privacy Protection Study
Commission carried out an exhaustive examination of record-keeping
processes in both private and public sectors.* The Commission summarized
its position in terms of the following three major objectives:
*The Report of the Privacy Protection Study Commission, Personal Privacy
in an Information Society (Washington, D.C.: U.S. Government Printing
Office, 1977).
· To create a proper balance between what an individual is
expected to divulge to a record-keeping organization and what
he seeks in return--i.e., to minimize the intrusiveness of data
collection.
· To open up record-keeping operations in ways that will minimize
the extent to which recorded information about the individual
is itself a source of unfairness in any decision made about the
person on that basis--i.e., to maximize fairness.
· To create and define obligations with respect to the uses and
disclosures that will be made of recorded information about an
individual--i.e., to create a legitimate and enforceable
expectation of confidentiality.
The panel views the general position of the Commission as one
for the SSA to accept. The Commission's findings are likely to become a
standard for measuring system responsiveness to social concerns. The SSA
would do well to respond to such concerns, not only for their inherent
importance, but also to warrant public confidence in its record-keeping
systems and thereby enhance the prospect for approval of its planning
effort.
Computer system security, as defined above, has many dimensions. It
far transcends the simple physical protection of equipment, people, and
data. A salient feature for SSA to note is the comprehensive control of
access to the personal information in the data base. Only authorized
employees should have such access for well-defined actions in the course
of performing carefully stated and described tasks. The management and
administrative environment should provide the context in which the
technical safeguards function and also the mechanism to assure continuing
proper operation. Procedural safeguards are essential to ensure that the
data base is not accidentally changed during routine operations or in
emergency situations. Furthermore, system integrity is a long-term
problem. Much of the social security data base information must remain
intact and secure over several decades. Most importantly, computer
security is a system design problem and not an after-the-fact retrofit
for appending safeguards to a system already designed.
There are significant differences in the inherent risks posed by
today's manual files and electronic files of the future--risks that will
require far greater attention by management. In particular:
· New information is usually appended to manual files so that
files build up by accretion. Employees are usually inhibited
about discarding or destroying old records. By contrast,
electronic files are usually revised, edited, modified, and
then replaced, i.e., superseded (destroyed). Because electronic
files must fit into finite storage areas, there are usually all
sorts of local political or operational reasons for encouraging
this practice. Furthermore, in many systems the detailed accounts
or histories of how and by whom the file was modified are not kept.
· Access to manual files is usually limited by geographic proximity,
while electronic files can be reached by literally thousands
throughout the system. The need for audit trails of all accesses
and modifications becomes extremely important with electronic files
because most of the employees with access rights are unknown to
one another.
In judging what safeguards to provide, an assessment needs to be
made of physical risks to the system--e.g., fire, water, earthquake,
power failure. In addition, the SSA needs to assess the threats that
are likely to be mounted against information contained in the system by
such means as deliberate attempts to penetrate access controls, theft
of copies of information, or misbehavior of employees authorized to have
information. The delineation of threat is important for guiding the
system design and the choice of security safeguards, for guiding vendors
in preparing responses to SSA requests for proposals (RFPs), and for
guiding the SSA in its evaluation of the adequacy of security safeguards
in vendor proposals. The SSA project management must not relinquish its
responsibility to define the threats to be protected against. It is
completely inappropriate to expect a vendor to solve the
privacy/security/confidentiality problem for the SSA.
The computer industry can provide a variety of technical safeguards
with equipment now available. The adequacy and scope of such safeguards
are bound to increase over the next few years. It is likely that the
industry will be able to meet SSA's requirements for technical
safeguards. The panel concludes, therefore, that comprehensive computer
security is not only essential, it is also feasible.
In summary:
· SSA must define its policy on what system privacy, confidentiality,
and integrity approaches it plans to implement.
· Computer security is a design requirement on a par with other
system requirements.
· Because security safeguards increase system cost, there is an
inevitable balance between safeguards and the extent of the
anticipated threat. The SSA should conduct whatever cost/benefit
analyses may be required to determine the safeguards to
be included in the system. In making such analyses, SSA should
note that part of the cost of inadequate safeguards could be
potential lawsuits by individuals whose privacy rights may have
been violated or whose personal records may have been mistreated.
The technical details of computer security can be proposed by
vendors. It is imperative, however, that SSA specify its criteria for
the functional requirements and general posture on the privacy/security/
confidentiality issue; it is not sufficient to simply assert in an RFP
that "adequate safeguards must be supplied." Without sufficient depth of
discussion, not only will vendors be unable to respond adequately to
this dimension of the RFP, but also the SSA will be unable to judge
properly whether a particular proposal responds adequately to social and
governmental concerns. A substantial portion of computer security must
be done by the SSA itself on aspects such as physical precautions,
administrative and management arrangements, and procedural details.
The following are a few observations about relevant technologies.
· Personal identification technology has progressed to the point
that individuals can now be identified automatically by voiceprint,
signature analysis, fingerprint, and perhaps even photographs.
Positive, accurate identification of everyone who interacts with
an information system is a vital prerequisite in secure system
design.
· Encryption and authentication technology is available to assure
that records and files are concealed from unauthorized perusal
and that such records and files have not been altered by
unauthorized (and unidentified) people.
· Mass memory technology combines archival storage qualities with
the built-in guarantee that its contents cannot be changed.
Read-only memories with metalized tape or discs written on by
lasers to store information facilitate system design to assure
data integrity and security through guaranteed audit trails.
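The following Python is an added example, not part of the report, illustrating two requirements the chapter states: that access to personal records be granted only to authorized employees for well-defined actions in the course of stated tasks, and that every access and modification, including denied attempts, leave an audit trail that cannot be altered after the fact without detection. The task permission table, record layout, employee identifiers and key are all constructed for illustration; tamper evidence is provided by a keyed hash chain (HMAC-SHA256) rather than the write-once media the chapter mentions, so it is a software substitute for that guarantee, not a description of any SSA system.

```python
"""Added example, not from the report: task-scoped access checks whose every
decision is written to a tamper-evident audit trail.

Everything here is constructed for illustration: the task permission table,
the record layout, the employee identifiers and the MAC key.  Standard
library only.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Hypothetical policy: the fields each defined task may read or change.
# Anything not listed is denied, so a task never receives more than it needs.
TASK_PERMISSIONS = {
    "claims_review":    {"read": {"name", "earnings", "address"}, "write": set()},
    "earnings_posting": {"read": {"earnings"},                    "write": {"earnings"}},
    "address_update":   {"read": {"name", "address"},             "write": {"address"}},
}

GENESIS = "0" * 64  # chain anchor for the first entry


class AccessDenied(PermissionError):
    """Raised when the requested fields exceed what the task permits."""


@dataclass
class AuditTrail:
    """Append-only log; each entry's tag covers the entry and all earlier ones."""
    key: bytes                      # held by the audit function, not by operators
    entries: list = field(default_factory=list)

    def _tag(self, prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self.key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "tag": self._tag(prev, event)})

    def verify(self) -> int:
        """Return the index of the first bad entry, or -1 if the chain is intact.

        Editing, deleting or reordering an entry breaks its own tag or the
        'prev' link of its successor; without the key a fresh tag cannot be
        forged to hide the change.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or not hmac.compare_digest(e["tag"], self._tag(prev, e["event"])):
                return i
            prev = e["tag"]
        return -1


def access(trail, employee, task, action, record, fields, new_values=None):
    """Perform a read or write on `record` only if `task` permits those fields.

    The decision is logged before it is acted on, so denied attempts appear
    in the trail alongside granted ones.
    """
    allowed = TASK_PERMISSIONS.get(task, {}).get(action, set())
    granted = fields <= allowed
    trail.append({"employee": employee, "task": task, "action": action,
                  "record": record["id"], "fields": sorted(fields), "granted": granted})
    if not granted:
        raise AccessDenied(f"{employee}/{task} may not {action} {sorted(fields - allowed)}")
    if action == "read":
        return {f: record[f] for f in fields}
    record.update({f: new_values[f] for f in fields})   # write only the permitted fields
    return sorted(fields)


def demo() -> dict:
    """One granted write, one denied write, then an attempt to rewrite the trail."""
    trail = AuditTrail(key=b"constructed-demo-key-not-for-production")
    rec = {"id": "R-0001", "name": "A. Example", "earnings": 1000, "address": "1 Main St"}  # constructed
    access(trail, "emp-17", "earnings_posting", "write", rec, {"earnings"}, {"earnings": 1200})
    try:
        access(trail, "emp-42", "claims_review", "write", rec, {"earnings"}, {"earnings": 0})
        denied = False
    except AccessDenied:
        denied = True
    intact = trail.verify()
    trail.entries[0]["event"]["employee"] = "emp-99"   # an insider tries to rewrite history
    return {"earnings": rec["earnings"], "denied": denied, "entries": len(trail.entries),
            "intact_before": intact, "first_bad_after": trail.verify()}


if __name__ == "__main__":
    print(demo())
```

The key is the trust anchor here: an employee who can alter log entries but does not hold it cannot recompute valid tags, which is the property the chapter asks write-once media to supply. In practice the key would live with the auditing function (or the trail would be periodically anchored to media the operators cannot rewrite), and each entry would also carry a timestamp, omitted here to keep the example deterministic.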
With regard to the privacy aspect per se, on July 12, 1977, the
Privacy Protection Study Commission submitted its report to the
President and the Congress. The Commission also published a series of
supplementary reports, one of which is "An Assessment of the Compliance
of Federal Agencies with the 1974 Privacy Act." Parts of both the major
report and this supplementary report are directly applicable to the SSA,
and should be carefully considered in its planning for a new
computer-based system.
The Commission made a series of recommendations applying to a broad
variety of record-keeping areas in the private and public sectors. The
areas in the report that are most likely to be of interest to the SSA
are Chapter V, The Insurance Relationship; Chapter VI, The Employment
Relationship; Chapter VII, Record-Keeping in the Medical Care Relation-
ship; Chapter IX, Government Access to Personal Records and Private
Papers; and Chapter XI, the Citizen as Beneficiary of Government
Assistance. The detailed recommendations in many of these chapters deal
with the record-keeping practices and organizational behavior of
institutions in the private sector. The SSA does have some interaction
with the private sector and would be affected, therefore, by the
recommendations and ensuing law.
In general, the Commission recommendations encourage openness and
fairness in record-keeping, with an emphasis on participation by the
subject of the record to assure its accuracy, completeness, and timeli-
ness. Common sense practices in SSA record-keeping activities would meet
the intent of most of the recommendations. A few require particular
attention.
The first concerns the insurance relationship. The Commission has
recommended that an individual have access to his medical records,
whether these are maintained by a medical care provider or by a third-
party outside of the normal medical community. In view of its
involvement in Medicare, the SSA could conceivably become the custodian
of some health care data and could be subject, therefore, to requests to
see and copy such information. Third-party access to medical and health
records is a particularly troublesome aspect that has become important
in disbursement and settlement of medical claims, malpractice suits and
similar matters. Because health information is within the overall
SSA purview, this aspect could become particularly burdensome. Further-
more, the SSA has been using private sector carriers to administer and
disburse insurance payments. If this policy were to continue or to be
enlarged in the future, it would be even more important for the SSA to
understand and adhere closely to the Commission's recommendations on
insurance. The Commission has suggested that the Fair Credit Reporting
Act be amended and that limited new state laws be instituted as may be
required.
The second matter concerns employment record-keeping. From its
beginning, the SSA has had the responsibility of administering Old Age
and Survivors Insurance. This mainly involves a flow of data from
employers to the SSA that is mandated by law; and there is probably
little new in the Commission recommendations that would affect the SSA.
The Commission has urged that the recommendations for employment record-
keeping be implemented by corporations on a voluntary basis.
With regard to the medical care relationship, the SSA function
consists largely of the payment of benefits for medical costs. The major
import of the Commission's recommendations in this area would almost
certainly materialize if some form of national health insurance were to
be instituted, and if the SSA were to become the agency responsible for
the program. In that event, the general privileges accorded to the
individual by the Commission's recommendations to see, copy, challenge,
and correct his medical record would directly affect the SSA. Provisions
would have to be made in the record-keeping system for such access as
well as for safeguards surrounding third-party access.
The Commission's recommendations on government access to private
papers focus primarily on the casual browsing in records about individuals
by federal agencies, usually in the context of an enforcement action
or investigation. The Commission was also concerned with the frequent
superficiality of the subpoena process, whereby the government obtains
personal information by the simple expedient of an administrative or
pocket subpoena. The Commission has recommended a general tightening of
government access to records about individuals. In particular, it has
urged that the more formal judicial subpoena process be used and that
the government agency involved assume responsibility for notifying the
individual of its action. The SSA might have to become more formal in
matters involving judicial efforts to seize records that it maintains
or in actions in which the SSA would institute a judicial action to
seize personal information.
The Commission has found that federal agency compliance with the
1974 Privacy Act has been "neither exemplary nor distressing." Agencies
have reacted too strongly in some instances to the intent of the Act.
In others, they have taken deliberate steps to exclude a record system
from the purview of the Act, where the Act's clear intent would have
been to include it. The Commission's fourth appendix volume urges
rather substantial recasting of the Act's language to clarify the intent
of the legislation and to make more workable and uniform the response to
it by agencies. Of particular interest is the recommendation that the
notion of a "system of records" be abandoned and the present tightly
worded definition of "record" be modified to include any body of infor-
mation concerning an individual that is accessible by a variety of means.
The suggestion is intended to come to terms with contemporary computer-
based record-keeping systems in which items are retrieved from the file
by means other than a specific identifier associated uniquely with an
individual.
The Commission has noted that accuracy is an important attribute
of fairness in record-keeping. Therefore, the Commission's position is
that the social security number (SSN) should be used when it contrib-
utes to a valid record-keeping function and in so doing helps to assure
the accuracy of such records. However, the Commission discourages the
trivial use of SSN's for purposes other than valid record-keeping.
In an effort to bring the matter in Federal agencies under somewhat
tighter control, the Commission has recommended that Executive Order
9397 be amended to require an agency to seek the explicit authorization
of Congress when it wishes to use the SSN for some new record-keeping
purpose.
The Commission has also recommended that the country take no steps
to institute a uniform personal identifying document or to create a
central population register until privacy safeguards have been fully
implemented and are known to be effective.
The thrust of the Privacy Protection Study Commission report is
likely to reinforce what responsible record-keeping management already
understands to be the essence of privacy and computer security.
Information in record-keeping systems will have to be protected against
whatever threats are perceived. It will have to be made available to
authorized users on a strict need-to-know basis. A system of
accountability and auditability will be needed to assure that the controls on
disclosure of information, both within an organization and externally,
are functioning properly. The record-keeping management will be
required to take affirmative measures to institute the necessary
personnel practices and procedures. In addition, appropriate computer
security safeguards should be designed as an integral part of new
record-keeping systems to ensure privacy.