terms. Limits may be imposed in the form of differential levels of access for different individuals, varying time windows for access (both when data are made available and for how long), or access for certain purposes but not for others.

  • Limits on outsider access. By definition, an outsider is a party external to the organization that collects the information in question. Outsiders can be denied access through both technical and procedural means. Technical means include measures such as encryption and access control mechanisms that prevent unauthorized access; procedural means include regulation-based restrictions on who receives information.

  • Prevention of internal abuse. Even organizations with the best of intentions may have insiders (e.g., employees) who do not use the information collected in accordance with organizationally approved purposes. For example, a law enforcement agent may use a national criminal database to investigate an individual for personal reasons, in violation of departmental policy. In such instances, frequent audits to uncover improper access and penalties for improper access are essential elements of preventing such use.

  • Notification. It is generally believed that violations of privacy are in some sense worse when they occur without the knowledge of the individual in question; thus, notification when unauthorized access occurs can be regarded as a privacy protection measure.

  • Correction. The opportunity to review information collected and to ensure that it is at least correct protects the individual against decisions being made on the basis of incorrect information.


The notion of privacy is a basic starting point for this framework, and as suggested in the introduction, three essential questions arise:

  • What is the information that is being kept private (and with whom is that information associated)?

  • From whom is the information being withheld?

  • What purposes would be served by withholding or not withholding the information, and whose interests do those purposes serve?

A Worked Example of Privacy Tradeoffs

To illustrate how basic privacy tradeoffs arise, this report considers privacy and the U.S. library community. The issue of privacy in librar-

The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.