produced by two agencies can be found at the Department of Homeland Security and National Science Foundation Web sites.[15] But the advantages of producing PIAs are not limited to government agencies, and the committee believes that they may have considerable utility in the context of private organizations as well.
Recommendation 5. Organizations should strengthen their privacy policies by establishing a mechanism for recourse if an individual or a group believes that they have been treated in a manner inconsistent with an organization’s stated policy.
Finally, the limits on self-regulation must be acknowledged. As noted in Section 9.2.4, organizations are sometimes willing to violate their stated policies without advance notice under some circumstances, especially when those circumstances are both particularly exigent and also unanticipated. For these reasons, it is important to consider mechanisms other than self-regulation to protect privacy. Public policy is one source of such mechanisms. But an organization that establishes a mechanism for recourse should its policy be violated does much to enhance the credibility of its stated policy.
Recommendation 6. Organizations that deal with personal information should establish an institutional advocate for privacy.
[15] The NSF Web site includes a PIA for its Personnel Security System and Photo Identification Card System (http://www.nsf.gov/publications/pub_summ.jsp?ods_key=pia0503); the DHS Web site includes a PIA for the US-VISIT program (for the automatic identification of non-immigrants exiting the United States at certain land points of entry; see http://www.dhs.gov/interweb/assetlibrary/privacy_pia_usvisitupd1.pdf).