8
Managing Confidentiality and Data Access Functions

Technology always moves ahead of sound management principles.

Stuart Sutton, 1991

The effective functioning of the federal statistical system requires responsible policies toward data providers and data users. Managers of federal statistical programs must give constant, careful attention to confidentiality and data access issues. However, new data collection and processing technologies, novel types of surveys, and innovative statistical uses of administrative records bring with them questions for which statutes, regulations, and policy statements do not always provide definitive answers.

The general principles and recommendations in this report are broadly focused. In the course of this study, the panel has identified many more questions than it could expect to provide detailed answers for. We have tried to provide useful guidelines, but we have not tried to give specific answers to questions such as the following:

  • How much detail should be included in aggregate statistics and microdata sets that are released to the public with no restrictions on their use?

  • Under what conditions should a proxy respondent be allowed to provide data for another person or household without the latter's informed consent?

  • Under what circumstances are passive waivers acceptable?

  • To what extent should lists of businesses compiled by federal statistical agencies be made publicly available?

  • What conditions should be included in interagency agreements for sharing identifiable data for statistical purposes?



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement



Below are the first 10 and last 10 pages of uncorrected machine-read text (when available) of this chapter, followed by the top 30 algorithmically extracted key phrases from the chapter as a whole.
Intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text on the opening pages of each chapter. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Do not use for reproduction, copying, pasting, or reading; exclusively for search engines.

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics 8 Managing Confidentiality and Data Access Functions Technology always moves ahead of sound management principles. Stuart Sutton, 1991 The effective functioning of the federal statistical system requires responsible policies toward data providers and data users. Managers of federal statistical programs must give constant, careful attention to confidentiality and data access issues. However, new data collection and processing technologies, novel types of surveys, and innovative statistical uses of administrative records bring with them questions for which statutes, regulations, and policy statements do not always provide definitive answers. The general principles and recommendations in this report are broadly focused. In the course of this study, the panel has identified many more questions than it could expect to provide detailed answers for. We have tried to provide useful guidelines, but we have not tried to give specific answers to questions such as the following: How much detail should be included in aggregate statistics and microdata sets that are released to the public with no restrictions on their use? Under what conditions should a proxy respondent be allowed to provide data for another person or household without the latter's informed consent? Under what circumstances are passive waivers acceptable? To what extent should lists of businesses compiled by federal statistical agencies be made publicly available? What conditions should be included in interagency agreements for sharing identifiable data for statistical purposes?

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics What kinds of informed consent procedures are appropriate for telephone surveys? Agencies in the federal statistical system have established policies and procedures for reaching administrative decisions about these and other confidentiality and data access questions. Are those decision mechanisms adequate? If not, how might they be improved? In this chapter we look at internal agency staffing and organization of information management activities and at government-wide mechanisms for standardizing and coordinating policies and practices. We also examine the extent to which the decision processes of federal statistical agencies incorporate the views of data providers and data users. We discuss the relevant decision mechanisms, such as data protection boards, that have been established in other countries, and we explore their possible relevance for the U.S. statistical system. MANAGEMENT OF CONFIDENTIALITY AND DATA ACCESS QUESTIONS IN THE FEDERAL STATISTICAL SYSTEM WITHIN STATISTICAL AGENCIES The documentation provided to the panel by federal statistical agencies included several examples of policy manuals, policy memorandums and standards related to statistical disclosure limitation procedures, informed consent procedures, and other aspects of confidentiality and data access. The most comprehensive formal codification of these issues by any of the agencies that responded to our request for information was in two publications of the National Center for Health Statistics (NCHS): the Policy Statement on Release of Data for Individual Elementary Units and Special Tabulations (1978; first published in 1969) and the NCHS Staff Manual on Confidentiality (1984; first published in 1978). The Policy Statement is addressed primarily to data users and focuses on various ways of gaining access to NCHS microdata. The basic policy statement is as follows: Within prevailing ethical, legal, technical, technological and economic restrictions, it is the policy of the National Center for Health Statistics to augment its programs of collection, analysis, and publication of statistical information with procedures for making available, at cost, transcripts of data for individual elementary units—persons or establishments—in a form that will not in any

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics way compromise the confidentiality guaranteed the respondent (National Center for Health Statistics, 1978:4). The NCHS Staff Manual presents the agency's policies for the protection of confidentiality. It includes information and rules covering legal requirements and penalties, employees' responsibilities, promise of confidentiality to respondents, treatment of requests for information, physical protection of records, disclosures that may be permitted, avoidance of unintentional disclosures through published data, maintenance of confidentiality in the release of microdata files, and requirements placed on contractors. Several agencies have prepared written guidelines for the application of statistical disclosure limitation procedures in the release of tabulations and microdata. Some of the guidelines contain only one or two simple rules; others are much more detailed. Agencies with more detailed formal documentation of procedures include the Census Bureau (for microdata), the Energy Information Administration (EIA; for tabulations only), NCHS, and the Social Security Administration (SSA). The panel found that agency guidelines gave much less attention to other aspects of confidentiality and data access, such as the development of interagency data sharing agreements and the content of informed consent and notification statements for surveys. Two agencies, the Census Bureau and the National Center for Education Statistics (NCES), have internal committees that review all proposals for releases of new microdata sets. The Census Bureau's Microdata Review Panel has a formal charter and guidelines, as well as a standard prospectus that must be completed by all divisions sponsoring new microdata releases. Key elements of the Microdata Review Panel's evaluation criteria were published in the Federal Register (46(72):22017) at the time the panel was formally established in 1981. The Microdata Review Panel has no outside members; however, the Census Bureau is considering an arrangement for periodic review of the panel's policies and decisions by outside advisors selected to represent data providers and data users. The NCES's Disclosure Review Board was created more recently, in 1989. The board's primary function, like that of the Census Bureau panel, is to determine whether microdata sets proposed for release pose an acceptably low risk of disclosure of individually identifiable data. The board consists of NCES staff members and a Census Bureau representative.

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics Several federal statistical agencies have external advisory groups, and they sometimes ask them for their views on confidentiality and data access questions. The Census Bureau has asked several of its advisory groups to review its plans for the application of statistical disclosure limitation procedures to decennial census data. About 1980, when EIA was developing its confidentiality policies, it asked the American Statistical Association's (ASA's) Committee on Energy Statistics to review drafts of policy statements on more than one occasion. More recently, EIA has sought advice from the same committee on how to deal with the consequences of the Justice Department's request for identifiable records (discussed in Chapter 7). Statistical agencies have also drawn on the Committee on National Statistics to help them address specific problems. In the late 1970s, a panel established by the committee in response to a request from the Census Bureau undertook research to obtain information on ''how people in the United States currently feel and behave in their roles as respondents, or intended respondents, in household censuses and surveys" (p. viii). The main findings from that panel's report, Privacy and Confidentiality as Factors in Survey Response (National Research Council, 1979), were discussed in Chapter 3 of this report. Prior to the start of this panel's study, the Committee on National Statistics and the Social Science Research Council organized two workshops at the request of federal agencies. The first workshop, sponsored by the National Institute on Aging, explored the legal and ethical aspects of a proposed follow-up survey of surviving members of the sample panel for the SSA's Longitudinal Retirement History Survey. The second workshop, sponsored by the National Science Foundation (NSF), explored various options for improving researchers' access to microdata from two of NSF's scientific and technical personnel data systems, the Doctorate Records File and the Survey of Doctorate Recipients. During the term of this study, the panel conducted a workshop on confidentiality and data access issues for the National Center for Education Statistics, which had been seeking advice from several groups on how best to collect data and serve the needs of data users under the terms of new agency confidentiality legislation that had been passed in 1988. All three of these workshops brought together agency staff, data users, and experts on information law, statistical disclosure limitation procedures, and other relevant topics. Several members of the panel participated in one or more of the workshops.

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics The panel did not conduct a review of detailed management and organizational issues, such as where confidentiality and data access functions are placed within statistical agencies or the titles, grade levels, and qualifications of the individuals who play major roles. Based on our general knowledge of these matters, however, we can make a few broad statements. First, only a handful of statistical agencies have a staff person whose primary role is to deal with such issues as informed consent, release of microdata, interagency data sharing agreements, and other aspects of confidentiality and data access. The development and application of statistical disclosure limitation techniques is frequently assigned to mathematical statisticians in a unit responsible for methodological research and consulting assistance to operating units. In some of the smaller statistical agencies, there are no specialists on confidentiality issues, and the relevant questions are dealt with on an ad hoc basis by operating staff, some of whom have little or no pertinent background or experience. ACROSS STATISTICAL AGENCIES The Office of Management and Budget's (OMB's) original Statistical Policy Division, the interim successor—the Office of Federal Statistical Policy and Standards in the Department of Commerce—and OMB's current Statistical Policy Office have played a role in developing and monitoring government-wide standards and policies regarding protection of confidentiality and access to federal statistical data. Two of the early Statistical Policy Working Papers issued by the Federal Committee on Statistical Methodology covered relevant topics: No. 2, Report on Statistical Disclosure and Disclosure-Avoidance Techniques (1978), and No. 5, Report on Exact and Statistical Matching Techniques (1980). Working Paper 2 and the interagency seminars based on it were instrumental in raising the level of awareness of federal statisticians to the need for more careful application of statistical disclosure limitation techniques when releasing aggregate data or microdata. Subsequent to the start of this panel's study, the head of the Statistical Policy Office has taken steps to review, with agency representatives, such issues as informed consent, statistical disclosure limitation procedures, interagency data sharing, and licensing procedures for data access for external users. Early in 1992, the office formed an interagency committee to exchange information on current statistical disclosure limitation practices and on recent technical developments. (Early in 1993, this committee

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics became the Subcommittee on Disclosure Limitation Methodology of the Federal Committee on Statistical Methodology.) The office is planning a formal review, with public comment, of the data user licensing procedures that are now being used on a trial basis by NCES. As explained in Chapter 7, the Statistical Policy Office has been instrumental in persuading the Census Bureau and the Bureau of Labor Statistics to begin sharing business lists that until now have been developed and maintained independently. In addition, it is coordinating the development of proposed legislation that would permit list sharing for statistical purposes among four of the major federal statistical agencies: the Bureau of Economic Analysis, the Bureau of Labor Statistics, the Census Bureau, and the National Agricultural Statistics Service. The Statistical Policy Office has also been working for some time on a revision of the OMB Circular, Guidelines for Federal Statistical Activities. One can expect, on the basis of an early draft published for public comment, that the final version of these guidelines will cover some of the issues studied by the panel, such as the content of informed consent and notification statements and the conditions under which record matching for statistical purposes is appropriate. The Statistical Policy Office reviews all data collection requests developed by the Census Bureau and the Bureau of Economic Analysis. Data collection requests submitted to OMB by other federal agencies, including those for statistical purposes, are reviewed by OMB clearance officers who are not part of the Statistical Policy Office. The Statistical Policy Office provides advice on statistical data collections to the clearance officers on request, and on its own initiative it frequently makes recommendations concerning proposals sponsored by statistical agencies. Forms-clearance reviews provide an opportunity to examine informed consent and notification statements, but currently the OMB reviewers do not work from any written guidelines, aside from the Privacy Act regulations, about what should be included in such statements. This may change when the OMB circular mentioned above is issued. In addition to the interagency committees and other formal coordination mechanisms established by OMB's Statistical Policy Office, there are many other ways in which employees of federal statistical agencies exchange information about the policies and procedures they use to deal with confidentiality and data access questions. Many surveys and other statistical programs involve

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics two or more agencies and require joint efforts to develop appropriate methodologies. Official statisticians from different agencies often participate in discussions of confidentiality and data access matters at meetings of organizations like the Committee on National Statistics and the Council of Professional Associations on Federal Statistics. Managers and technicians from various statistical agencies have frequent contacts through their active participation in national and local professional associations, as described in the next subsection. THE INFLUENCE OF PROFESSIONAL SOCIETIES The American Society for Access Professionals is an organization whose membership consists primarily of federal government employees whose functions include activities related to agency compliance with the requirements of privacy and freedom of information statutes. The society organizes an annual symposium in the fall and sponsors tutorial sessions each spring to update its members on changes in privacy and freedom of information legislation and case law. A few of the society's members are from federal statistical agencies, and some of the presentations at their annual symposiums have covered the application of information legislation to research and statistical activities. As outlined below, the American Statistical Association has been actively involved in addressing confidentiality and data access issues: Two ASA committees, the Ad Hoc Committee on Privacy and Confidentiality and the Ad Hoc Committee on Professional Ethics, have developed guidelines relevant to census and survey activities, especially in the area of informed consent (see discussions in Chapters 3 and 4). The association now has a permanent Committee on Privacy and Confidentiality. Over the years, several members of this committee have been employees of federal statistical agencies. The current chair was Gerald Gates of the Census Bureau. As described in Chapter 3, the committee has developed an informational brochure, Surveys and Privacy. The journals and proceedings of ASA have included numerous articles on statistical disclosure limitation theory and methods and other aspects of confidentiality and data access. Several panel discussions have been held on these topics at annual and other meetings. From time to time other ASA committees, such as the

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics Census Advisory Committee and the Committee on Energy Statistics, have advised federal statistical agencies on confidentiality questions. Other U.S. professional associations, including the American Association for Public Opinion Research, the American Psychological Association, and the American Sociological Association, have developed codes or guidelines for their members, some portions of which are relevant to the conduct of surveys and experimental research. And as mentioned in Chapter 3, the International Statistical Institute's (1986) Declaration on Professional Ethics included extensive guidelines for the content of informed consent procedures. On the data access side, meetings of organizations like the Association of Public Data Users provide another forum in which agency statisticians and data users can exchange views. Also, data users tend to be well represented on the various advisory committees to federal statistical agencies, especially the ones that deal with substantive rather than methodological issues. ALTERNATIVE MODELS FOR MANAGING CONFIDENTIALITY AND DATA ACCESS QUESTIONS: A LOOK AT OTHER COUNTRIES The issues that the panel has studied are not peculiar to the United States. As a natural consequence of the coming of the information age, they have arisen in all of the countries that have led the way in the development of modern data collection, processing, storage, and dissemination methods. The panel would be remiss if it failed to ask what can be learned from other countries that have also been grappling with how to manage confidentiality and data access questions. The mechanisms described in this section go well beyond purely statistical and research uses of data about persons. The Privacy Act in the United States and the data protection boards established in other countries have jurisdiction over administrative and statistical uses of individual records. A key question, for official statisticians, is how well these mechanisms take into account the differences between statistical and other uses of personal data. Flaherty (1989:viii) has undertaken "a comparative examination of the passage, revision, and, especially, implementation of data protection laws at the national and state levels" in Canada, the Federal Republic of Germany, France, Sweden, and the United

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics States. His review, plus materials the panel obtained directly from Statistics Canada, provide the main basis for our discussion of what has happened in countries other than the United States. Also helpful were papers by Dalenius (1979) and Durbin (1979) in the Journal of the Royal Statistical Society and discussants' comments on those papers. In the United States, the responsibility for oversight of compliance with the requirements of the Privacy Act of 1974 was assigned to OMB. In contrast, in each of the four other countries that Flaherty studied, data protection legislation provided for the establishment of a commissioner or board, with a considerable degree of independence from the executive branch of the government, to monitor compliance with the fair information practices mandated by the legislation. The structure, scope of authority, and functions of those independent units vary. Canada has separate privacy and information commissioners. Both have jurisdiction only over records and information in the public sector and both function mostly in an ombudsman/advisory mode, although they may take certain cases to the Federal Court of Canada when agencies do not follow their advice. The Swedish Data Inspection Board has jurisdiction over record systems in the public and private sectors, but only those maintained in electronic form. Initially, all new electronic record systems had to be licensed by the board. This proved to be unwieldy, and the procedure was changed to require registration, rather than licensing, of new systems, with some exceptions. The board has broad regulatory powers over all electronic record systems; for example, almost all record linkages are subject to its regulation. The Federal Republic of Germany has an independent federal data protection commissioner, as well as data protection offices in the states. The federal and state commissioners have jurisdiction over record systems in the public sector only and operate mainly in an advisory capacity. They maintain registers of record systems, respond to complaints, and have the authority to conduct investigations or audits of compliance with the fair information practices mandated by law. France has a National Commission on Informatics, Data Banks and Freedoms (CNIL), whose functions extend well beyond protection of the privacy and confidentiality interests of individuals. The CNIL is an independent agency and operates under the direction of a group of part-time commissioners. It has broad authority to regulate processing of automated personal data in the public

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics and private sectors, carry out inspections, rule on complaints, maintain a register of data processing activities, and assist persons to gain access to their own data. What impact have these independent boards and commissions had on the collection and use of data about individuals for statistical and research purposes? In Sweden, which pioneered formal data protection activities at the national level, the Data Inspection Board initially focused considerable attention on the central statistical agency, Statistics Sweden. An early ruling of the board prevented Statistics Sweden from using imputation for persons not responding to the Swedish labor force survey. Another ruling prohibited the use of proxy respondents in the same survey; in other words, persons asked to participate in the survey could respond to the questions only for themselves, not for other members of their families or households. This ruling was appealed and it was decided that proxies could be used for objective data items only, provided the proxy respondent was closely related to the data subject (Dalenius, 1979). Other rulings requiring the removal of identifiers placed severe constraints on the conduct of longitudinal surveys and record linkages for statistical purposes. In the early 1980s, a widely publicized debate between the heads of the Data Inspection Board and Statistics Sweden about proposed uses of administrative records in the national census of population eventually led to a government decision to conduct a more traditional census. According to Flaherty (1989), the two agencies are by now able to reach understandings on most issues, but some minor ones remain outstanding. Like the U.S. Privacy Act, the Swedish Data Act allows individuals to inspect their own records in government record systems. Unlike the U.S. act, however, the Swedish act does not allow any exceptions for statistical record systems. As a consequence, Statistics Sweden has "faced a major financial and administrative burden of replying to requests for access from individuals. There were 67,000 such requests during the first four years" (Flaherty, 1989:152). In the mid-1980s important privacy issues were raised by Project Metropolitan, a longitudinal research data base maintained at the University of Stockholm that linked information from many sources, much of it highly sensitive, for 15,000 persons born in the Stockholm area in 1953. About 1980, after the researchers had adopted recommended data protections, the Swedish Data Inspection Board licensed the data base, showing "a high degree of tolerance for the

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics linkage of a large amount of sensitive personal information" (Flaherty, 1989:154). However, in 1986 the project came to the attention of the data subjects and the general public, and a major debate ensued. The debate finally led to the board's requiring the removal of all identifiers from the system, so that no further data from other sources could be linked to the existing records. It is more difficult to define the role of the German data protection commissioners in connection with the controversies that led to a four-year delay in carrying out the scheduled 1983 census of population for the Federal Republic of Germany. The federal commissioner's office had warned the federal Statistical Office that potential problems with data protection were associated with the census procedures, but the Statistical Office did little to respond. Nevertheless, in March 1983 the commissioner's office issued a press release stating that "people's fears about the census were unfounded, and that adequate safeguards were in place" (Flaherty 1989:81). Continued public concern and legal challenges to the census, however, forced postponement, and it was not until after the passage of new census legislation in 1986 that the census was finally undertaken in 1987, still in a very controversial atmosphere. According to Flaherty, these difficulties occurred, at least in part "because the strong data protection laws and statistical laws currently in place are not well enough known to the general public, and because public anxieties about surveillance practices using administrative data are so great" (p. 83). Flaherty does not detail any specific instances of actions by the privacy commissioner of Canada having direct effects on the programs of Statistics Canada. However, he does describe measures that have been introduced to reduce substantially the administrative uses of Canada's Social Insurance number (comparable to the Social Security number in the United States). As a consequence, there may be a reduction in the number and scope of administrative record systems that can readily be used for research studies and statistical analyses that require linking of records from different sources. Nevertheless, Statistics Canada has an active and successful program to produce current demographic data from administrative sources, and it is possible that this system may at some time take the place of the more traditional kind of population census. From other sources, it is clear that the former privacy commissioner of Canada, John Grace (in an interesting change of hats, he became the information commissioner in 1990), had serious doubts about record linkages and longitudinal studies for research

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics purposes, although he did not entirely rule them out (Grace, 1988, 1989). He believed that they should be limited in scope and only undertaken with strong justification and full knowledge by the data subjects. Statistics Canada, perhaps due in part to Grace's views, has taken a cautious approach to record linkage activities. A formal policy statement (Statistics Canada, 1986) describes the potential benefits of such activities, but it also lists a fairly rigorous set of conditions that must be satisfied before they can be undertaken. A series of agency guidelines issued over the past few years has set out requirements for notifying survey respondents of plans to link administrative record data with their survey information or to release nonpublic-use microdata to other agencies. The guidelines provide specific examples of language that can be used in the notifications, taking into account the mode of data collection. U.S. PROPOSALS FOR AN INDEPENDENT PRIVACY PROTECTION BOARD Although most drafts of the Privacy Act of 1974 provided for the establishment of a permanent privacy protection commission, the provision was eliminated just prior to final passage of the act. Consequently, responsibility for oversight of the act's fair information provisions devolved on OMB. Recently, however, there has been growing interest among U.S. privacy advocates in the possible application of at least some features of the Canadian and European models in the United States (see Rotenberg, 1991). Bills to establish an independent data protection board in the executive branch of the government were introduced by Representative Robert Wise in 1989 and 1991. The 1991 bill, which would have taken the form of an amendment to the Privacy Act, provided for a board whose functions would have been largely advisory. The board would have been required to prepare guidelines under the Privacy Act and other information statutes and to issue periodic compilations of agency record system notices. It would have had authority to investigate compliance with the Privacy Act and report on violations, to review existing and proposed data protection legislation, investigate complaints about violations of data protection rights, and request agencies to take action on matters affecting data protection. Although no legislation had been passed by early 1993, there is sufficient interest in these issues that future enactment is possible. There does not seem to be any corresponding interest or activity,

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics at least in any organized sense, aimed at furthering the ability of data users to gain access to federal data for research and statistical purposes. Paul Reynolds (1993), in a paper prepared for the panel's Conference on Disclosure Limitation Approaches and Data Access, presented a detailed proposal for the issuance of "federal data base research certificates," which would be issued to organizations presenting worthy research proposals to a "federal data base review board." The certificates would provide access to data maintained by any federal agency (with their approval), immunity from any legal subpoena, and substantial penalties for researcher disclosure of individual information. FINDINGS AND RECOMMENDATIONS AGENCY STAFFING AND MANAGEMENT OF CONFIDENTIALITY AND DATA ACCESS FUNCTIONS The panel has noted several instances, some of them recent or current, of federal agency practices that reflect inadequate knowledge of and attention to confidentiality and data access issues. As discussed in Chapter 3, some informed consent and notification statements have been inadequate in terms of accuracy, completeness, and comprehensibility. And as noted in Chapter 6, some agency standards for statistical disclosure limitation are rudimentary and do not take full advantage of current knowledge and experience in this area. Recommendation 8.1 Each federal statistical agency should review its staffing and management of confidentiality and data access functions, with particular attention to the assignment within the agency of responsibilities for these functions and the background and experience needed for persons who exercise these responsibilities. Currently, there is a dearth of opportunities (such as the seminars that were conducted following the 1978 publication of Statistical Policy Working Paper 2) for federal statisticians to obtain training in fair information practices and related subjects. Recommendation 8.2 Statistical agencies should take steps to provide staff training in fair information practices, informed consent procedures, confidentiality laws and policies,

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics statistical disclosure limitation procedures, and related topics. Possible sites for such training include the new Joint University of Maryland-University of Michigan Program in Survey Methodology (National Research Council, 1992a; University of Maryland et al., 1993) and the U.S. Department of Agriculture Graduate School. The panel believes that it is highly desirable for data providers and data users to participate in or have greater input into agency decisions on data protection and data access policies and procedures. The existing institutions and mechanisms that we have described are useful, but not entirely adequate. Especially for data users, there are inadequate means to appeal adverse decisions by federal statistical agencies. Recommendation 8.3 Statistical agencies should establish mechanisms for allowing and encouraging greater external inputs into their decisions on confidentiality protection and data access. One possibility would be to establish data review boards, with external members representing data subjects and data users, in all federal statistical agencies that release substantial amounts of data to the public. Trade-offs between confidentiality protection and data access exist whether data releases are in aggregate or microdata form, and thus both kinds of releases should be subject to review by such boards. Alternatively, existing agency advisory committees could be asked periodically to review agency policies and practices for confidentiality protection and data access. For the latter approach to be effective, committee membership should be balanced to provide representation of data subjects and data users. INTERAGENCY COORDINATION The Office of Management and Budget and, in particular, its Statistical Policy Office, have an important role in coordinating federal data protection and access activities. The Statistical Policy Office, although handicapped by having a very small staff, has recently undertaken some important initiatives, such as its efforts to promote and facilitate business list sharing for statistical purposes and to bring agency officials together to review and evaluate new data access procedures.

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics The OMB Circular, Guidelines for Federal Statistical Activities, which is being revised, has the potential to provide an impetus for improved agency practices in such areas as informed consent and notification statements, application of statistical disclosure limitation techniques, and record linkages for statistical purposes. Recommendation 8.4 The Statistical Policy Office should give high priority to proceeding with the development and issuance of the OMB Guidelines for Statistical Activities, with the full participation of the federal statistical agencies and the public. The policy directives and memorandums issued by Statistics Canada might provide useful models for the treatment of such topics as informed consent and record linkage. DATA PROTECTION BOARD Unlike other advanced industrial societies, the United States does not have an independent advisory board or commission charged with promoting effective implementation of the Privacy Act and other information legislation. There have been recent proposals by privacy advocates and legislators to create such a body. Recommendation 8.5 The panel supports the general concept of an independent federal advisory body charged with fostering a climate of enhanced protection for all federal data about persons and responsible data dissemination for research and statistical purposes. Any such advisory body should promote the principle of functional separation and have professional staff with expertise in privacy protection, computer data bases, official statistics, and research uses of federal data. The experience of other countries has shown that data protection agencies can be a source of additional oversight for statisticians and researchers, subjecting their activities to greater scrutiny, promoting balance in data protection and data dissemination, and generating public debate. In some instances, new restrictions have been imposed on practices that do not appear to pose a threat to the confidentiality of individual data. Nevertheless, the panel believes that creating a positive climate for enhanced data protection and data dissemination requires assurances from many different

OCR for page 203
Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics quarters that legitimate protective policies and procedures are in place and are being followed. An independent advisory board, with appropriate professional staffing, could constitute a regular source of expertise on a wide spectrum of privacy issues, including those related to research and statistics. It could give advice, serve as a sounding board for data protectors and data users, and offer legitimacy to responsible initiatives by both groups. The advisory board could provide support for responsible access to personal data as needed to realize the fundamental goals of democratic accountability and constitutional empowerment, which we introduced in Chapter 1. A professionally competent, respected advisory body could also act as a mediator when there are differences of opinion among data providers, privacy advocates, data users, and statistical agencies. Orderly evaluation and resolution of such differences by an impartial ombudsman could reduce the likelihood of their escalating to the point at which they seriously disrupt key data collection and dissemination activities. Data protectors can and should be important allies of official statisticians and the general public in the achievement of an appropriate balance between the privacy interests of individuals and societal needs for research and statistical data about a complex society. In particular, data protectors can help statistical agencies resolve difficult issues in the areas of informed consent, confidentiality, data access, and record linkage. An advisory body could also promote harmonization of disparate interpretations of federal regulations under the Privacy Act of 1974 or other legislation covering all or part of the federal statistical system. It could disseminate information about innovative techniques to permit the exchange of data for statistical uses without diminishing the protection offered to individuals, and it could provide oversight of agency practices in maintaining and disseminating sensitive information.