produced by two agencies can be found at the Department of Homeland Security and National Science Foundation Web sites.15 But the advantages of producing PIAs are not limited to government agencies, and the committee believes that they may have considerable utility in the context of private organizations as well.

Recommendation 5. Organizations should strengthen their privacy policies by establishing a mechanism for recourse if an individual or a group believes that they have been treated in a manner inconsistent with an organization’s stated policy.

Finally, the limits on self-regulation must be acknowledged. As noted in Section 9.2.4, organizations are sometimes willing to violate their stated policies without advance notice, especially in circumstances that are both particularly exigent and unanticipated. For these reasons, it is important to consider mechanisms other than self-regulation to protect privacy. Public policy is one source of such mechanisms. But an organization that establishes a mechanism for recourse should its policy be violated does much to enhance the credibility of its stated policy.

Recommendation 6. Organizations that deal with personal information should establish an institutional advocate for privacy.

Organizations that deal with personal information would benefit from some kind of institutional advocacy for privacy, as many healthcare-providing organizations have done in response to the Health Insurance Portability and Accountability Act of 1996 (Section 7.3.4). By analogy to an organizational ombudsman who provides high-level oversight of everyday activities conducted in the name of the organization that might not be entirely consistent with the organization’s stated policies or goals, an organizational privacy advocate could have several roles. For example, it might serve as an internal check for the organization, ensuring that the organization has and makes public some stated privacy policy. It might also help to ensure that the privacy policy is actually followed by the organization. Internally, it might serve a red-team role, pushing on the


15. The NSF Web site includes a PIA for its Personnel Security System and Photo Identification Card System; the DHS Web site includes a PIA for the US-VISIT program (for the automatic identification of non-immigrants exiting the United States at certain land points of entry; see

Copyright © National Academy of Sciences. All rights reserved.