Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
CHAPTER V Privacy and Security Issues Widespread concerns exist that only legitimate use be made of records that deal with personal information. Since the SSA collects vast amounts of such information, such concerns must be taken seriously into account during system design. Among them are: protection of client privacy; system accountability; system auditability; responsibility for avoiding fraud and embezzlement; high quality delivery of service to the client, especially with regard to accuracy and fairness of determinations about individuals; and · confidentiality of records. Cutting across many of these issues is the concept of "fairness," which hat many dimensions. In the privacy sense, fairness connotes the assurance that errors, omissions, or other shortcomings in the client's record will not contribute to an unfair decision. With regard to delivery of service, fairness implies the assurance that each client impacted by the system will receive all the benefits to which he or she is entitled. With regard to the general public fairness relates to the agency's fiscal responsibility and assurance that its funds are used for authorized purposes only. With regard to the data base, fairness relates to the accuracy with which the records are kept and, therefore, to system integrity. Computer security undergirds all the dimensions of fairness, as well as the other social and governmental concerns listed above. It is the basis on which access to information is controlled, information is protected against theft or unauthorized usage, and an organization like the SSA protects itself against loss of its computer-based record 47
48 system--on which the proper functioning of the SSA and the welfare of many Americans so greatly depend. Four terms that relate to these matters are defined below: PRIVACY: The societal view that (1) an individual (and by extension, a group of individuals, or an institution, or all of society) must be able to determine to what extent personal information is communicated to or used by others; (2) an individual (and by extension, a group) must be protected against injury or humiliation because personal information held by an organization in a record system is misused; and (3) an individual (or class of individuals) must be protected against unwelcome, unfair, improper, or excessive collection or dissemination of personal information or data. CONFIDENTIAL(ITY): (1) Status accorded to data or inflation indicating that it is sensitive for some reason and, therefore, needs to be protected against theft or improper use, and must be disseminated only to individuals or organizations authorized (or priviliged) to have it; (2) by extension, status (sometimes assured by law) accorded to data or information that reflects an understood agreement between the person furnishing the data and the person or organization holding it that prescribes the protection it is to be provided and the dissemination and use to be permitted; and (3) a legally recognized relationship between certain individuals (e.g., lawyer-client and physician-patient) that privileges communications between them from disclosure in court. (Sometimes, confidential information is legally required to be given in exchange for some benefit, privilege, right or opportunity; sometimes it is voluntarily given.) COMPUTER SECURITY: The totality of measures required to (1) protect a computer-based system, including its physical hardware, software, personnel, and data against deliberate or accidental damage from a defined threat; (2) protect the system against denial-of-use by its rightful owners; and (3) protect data and/or programs and/or system privileges against divulgence to, or use by unauthorized persons. INTEGRITY: The property of being what the item, statement, or individual is thought to be, and, therefore, free of surprises. Against this background, it is appropriate to suggest a set of social objectives to which the record-keeping system of the SSA should respond. In 1975-1977, the President's Privacy Protection Study Commission carried out an exhaustive examination of record-keeping pro- cesses in both private and public sectors.* The Commission summarized its position in terms of the following three major objectives: *The Report of the Privacy Protection Study Commission, Personal Privacy In An Information Society, (Washington, D.C.: U. S. Government Printing Office, 19771.
49 To create a proper balance between what an individual is expected to divulge to a record-keeping organization and what he seeks in return--i.e., to minimize the intrusiveness of data collection. To open up record-keeping operations in ways that will minimize the extent to which recorded information about the individual is itself a source of unfairness in any decision made about the person on that basis--i.e., to maximize fairness. To create and define obligations with respect to the uses and disclosures that will be made of recorded information about an individual--i.e., to create a legitimate and enforceable expectation of confidentiality. The panel views the ~en~r~1 no.; hi an ~ f the C^mmi mm~ ~~ ~ ~ _~1 ~ O ~ ^^ _ _ _ &~ ~11~ ~ ~ ~ ~ V L1 ~ ~ ~ Cad ~ V [la u 1 ~ for the SSA to accept. The Commission's findings are likely to become a standard for measuring system responsiveness to social concerns. The SSA would do well to respond to such concerns, not only for their inherent importance, but also to warrant public confidence in its record-keeping systems and thereby enhance the prospect for approval of its planning effort. Computer system security, as defined above, has many dimensions. It far transcends the simple physical protection of equipment, people, and data. A salient feature for SSA to note is the comprehensive control of access to the personal information in the data base. Only authorized employees should have such access for well-defined actions in the course of performing carefully stated and described tasks. The management and administrative environment should provide the context in which the technical safeguards function and also the mechanism to assure continuing proper operation. Procedural safeguards are essential to ensure that the data base is not accidentally changed during routine operations or in emergency situations. Furthermore, system integrity is a long-term problem. Much of the social security data base information must remain intact and secure over several decades. Most importantly, computer security is a system design problem and not an after-the-fact retrofit for appending safeguards to a system already designed. There are significant differences in the inherent risks posed by today's manual files and electronic files of the future--risks that will require far greater attention by management. In particular: 0 New information is usually appended to manual files so that files build up by accretion. Employees are usually inhibited about discarding or destroying old records. By contrast, electronic files are usually revised, edited, modified, and, then replaced, superceded (i.e., destroyed). Because elec- tronic files must fit into finite storage areas, there are usually all sorts of local political or operational reasons for encouraging this practice. Furthermore, in many systems
50 the detailed accounts or histories of how and by whom the file was modified are not kept. Access to manual files is usually limited by geographic proxi- mity, while electronic files can be reached by literally thousands throughout the system. The need for audit trails of all accesses and modifications becomes extremely important with electronic files because most of the employees with access rights are unknown to one another. . In judging what safeguards to provide, an assessment needs to be made of physical risks to the system--e."., fire, water, earthquake, power failure. In addition, the SSA needs to assess the threats that are likely to be mounted against information contained in the system by such means as deliberate attempts to penetrate access controls, by theft of copies of information, or misbehavior of employees authorized to have information. The delineation of threat is important for guiding the system design and the choice of security safeguards, for guiding vendors in preparing responses to SSA requests for proposals, and for guiding the SSA in its evaluation of the adequacy of security safeguards in vendor proposals. The SSA project management must not relinquish its responsi- bility to define the threats to be protected against. It is completely inappropriate to expect a vendor to solve the privacy/ security/confiden- tiality problem for the SSA. The computer industry can provide a variety of technical safeguards with equipment now available. The adequacy and scope of such safeguards are bound to increase over the next few years. It is likely that the industry will be able to meet SSA's requirements for technical safeguards. The panel concludes, therefore, that comprehensive computer security is not only essential, it is also feasible. In summary: SSA must define its policy on what system privacy, confidential- ity, and integrity approaches it plans to implement. Computer security is a design requirement on a par with other system requirements. Because security safeguards increase system cost, there is an inevitable balance between safeguards and the extent of the anticipated threat. The SSA should conduct whatever cost/ benefit analyses may be required to determine the safeguards to be included in the system. In making such analyses, SSA should note that part of the cost of inadequate safeguards could be potential lawsuits by individuals whose privacy rights may have been violated or whose personal records may have been mis- treated. The technical details of computer security can be proposed by . vendors. It is imperative, however, that SSA specify its criteria for
51 the functional requirements and general posture on the privacy/security/ confidentiality issue; it is not sufficient to simply assert in an REP that "adequate safeguards must be supplied." Without sufficient depth of discussion, not only will vendors be unable to respond adequately to this dimension of the REP, but also the SSA will be unable to judge properly whether a particular proposal responds adequately to social and governmental concerns. A substantial portion of computer security must be done by the SSA itself on aspects such as physical precautions, administrative and management arrangements, and procedural details. The following are a few observations about relevant technologies. . . Personal identification technology has progressed to the point that individuals can now be identified automatically by voice- print, signature analysis, fingerprint, and perhaps even photo- graphs. Positive, accurate identification of everyone who interacts with an information system is a vital prerequisite in secure system design. Encryption and authentication technology is available to assure that records and files are concealed from unauthorized perusal and that such records and files have not been altered by unauthorized (and unidentified) people. · Mass memory technology combines archival storage qualities with the built-in guarantee that its contents cannot be changed. Read-only memories with metalized tape or discs written on by lasers to store information facilitate system design to assure data integrity and security through guaranteed audit trails. With regard to the privacy aspect per se, on July 12, 1977, the Privacy Protection Study Commission submitted its report to the President and the Congresss. The Commission also published a series of supplementary reports, one of which is "An Assessment of the Compliance of Federal Agencies with the 1974 Privacy Act." Parts of both the major report and this supplementary report are directly applicable to the SSA, and should be carefully considered in its-planning for a new computer- based system. The Commission made a series of recommendations applying to a broad variety of record-keeping areas in the private and public sectors. The areas in the report that are most likely to be of interest to the SSA are Chapter V, The Insurance Relationship; Chapter VI, The Employment Relationship; Chapter VII, Record-Keeping in the Medical Care Relation- ship; Chapter IX, Government Access to Personal Records and Private Papers; and Chapter XI, the Citizen as Beneficiary of Government Assistance. The detailed recommendations in many of these chapters deal with the record-keeping practices and organizational behavior of institutions in the private sector. The SSA does have some interaction with the private sector and would be affected, therefore, by the recom- mendations and ensuing law.
52 In general, the Commission recommendations encourage openness and fairness in record-keeping, with an emphasis on participation by the subject of the record to assure its accuracy, completeness, and timeli- ness. Common sense practices in SSA record-keeping activities would meet the intent of most of the recommendations. A few require particular attention. The first concerns the insurance relationship. The Commission has recommended that an individual have access to his medical records, whether these are maintained by a medical care provider or by a third- party outside of the normal medical community. In view of its involvement in Medicare, the SSA could conceivably become the custodian of some health care data and could be subject, therefore, to requests to see and copy such information. Third-party access to medical and health records is a particularly troublesome aspect that has become important in disbursement and settlement of medical claims, malpractice suits and similar matters. Because health information is within the overall SSA purview, this aspect could become particularly burdensome. Further- more, the SSA has been using private sector carriers to administer and disburse insurance payments. If this policy were to continue or to be enlarged in the future, it would be even more important for the SSA to understand and adhere closely to the Commission's recommendations on insurance. The Commission has suggested that the Fair Credit Reporting Act be amended and that limited new state laws be instituted as may be required. The second matter concerns employment record-keeping. From its beginning, the SSA has had the responsibility of administering Old Age and Survivors Insurance. This mainly involves a flow of data from employers to the SSA that is mandated by law; and there is probably little new in the Commission recommendations that would affect the SSA. The Commission has urged that the recommendations for employment record- keeping be implemented by corporations on a voluntary basis. With regard to the medical care relationship, the SSA function consists largely of the payment of benefits for medical costs. The major import of the Commission's recommendations in this area would almost certainly materialize if some form of national health insurance were to be instituted, and if the SSA were to become the agency responsible for the program. In that event, the general privileges accorded to the individual by the Commission's recommendations to see, copy, challenge, and correct his medical record would directly affect the SSA. Provisions would have to be made in the record-keeping system for such access as well as for safeguards surrounding third-party access. The Commission's recommendations on government access to private papers focus primarily on the casual browsing in records about individ- uals by federal agencies, usually in the context of an enforcement action or investigation. The Commission was also concerned with the frequent superficiality of the subpoena process, whereby the government obtains personal information by the simple expedient of an administrative or pocket subpoena. The Commission has recommended a general tightening of government access to records about individuals. In particular, it has urged that the more formal judicial subpoena process be used and that
5 -1 the government agency involved assume responsibility for notifying the individual of its action. The SSA might have to become more formal in matters involving judicial efforts to seize records that it maintains or in actions in which the SSA would institute a judicial action to seize personal information. The Commission has found that federal agency compliance with the 1974 Privacy Act has been "neither exemplary nor distressing." Agencies have reacted too strongly in some instances to the intent of the Act. In others, they have taken deliberate steps to exclude a record system from the purview of the Act, where the Act's clear intent would have been to include it. The Commission's fourth appendix volume urges rather substantial recasting of the Act's language to clarify the intent of the legislation and to make more workable and uniform the response to it by agencies. Of particular interest is the recommendation that the notion of a "system of records" be abandoned and the present tightly worded definition of "record" be modified to include any body of infor- mation concerning an individual that is accessible by a variety of means. The suggestion is intended to come to terms with contemporary computer- based record-keeping systems in which items are retrieved from the file by means other than a specific identifier associated uniquely with an individual. The Commission has noted that accuracy is an important attribute of fairness in record-keeping. Therefore, the Commission's position is that the social security number (SSN) should be used when it contrib- utes to a valid record-keeping function and in so doing helps to assure the accuracy of such records. However, the Commission discourages the trivial use of SSN's for purposes other than valid record-keeping. In an effort to bring the matter in Federal agencies under somewhat tighter control, the Commission has recommended that Executive Order 9357 be amended to require an agency to seek the explicit authorization of Congress when it wishes to use the SSN for some new record-keeping purpose. The Commission has also recommended that the country take no steps to institute a uniform personal identifying document or to create a central population register until privacy safeguards have been fully implemented and are known to be effective. The thrust of the Privacy Protection Study Commission report is likely to reinforce what responsible record-keeping management already understands to be the essence of privacy and computer security. Information in record-keeping systems will have to be protected against whatever threats are perceived. It will have to be made available to authorized users on a strict need-to-know basis. A system of- account- ability and auditability will be needed to assure that the controls on disclosure of information, both within an organization and externally, are functioning properly. The record-keeping management will be required to take affirmative measures to institute the necessary personnel practices and procedures. In addition, appropriate computer security safeguards should be designed as an integral part of new record-keeping systems to ensure privacy.
