periods. Linkages among data systems increase the difficulty of protecting the confidentiality of information.

The United States has two federal laws to protect the privacy of the individual from excessive government intrusion. One deals primarily with the collection and transfer of information, the other with its release. The latter, the Freedom of Information Act (FOIA) (5 U.S.C. 552), enacted in 1967 and amended in 1974, requires federal agencies to make most kinds of government records available to persons who request them. Health-data systems have not generally been seriously affected by FOIA, as it specifically exempts "personal and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy" (CDC, 1984, p. 6).

It is the Privacy Act of 1974 (5 U.S.C. 552a) that most affects health-information databases. The Privacy Act strictly limits what information government agencies can demand from the public and provides for legal protection of and safeguards on the use of personally identifiable information maintained in federal records systems. Congress has expressed some concern that the computerized databases in use today have outpaced the ability of individuals to protect their privacy when using the mechanisms set up to deal with the predominantly paper-record systems in use in 1974 (OTA, 1986). Specifically, the creation of record linkages between databases can run afoul of the Privacy Act, which states that information may not be used for any purpose other than the purpose for which it was supplied (CDC, 1984). This can cause problems when researchers attempt creative and innovative linkages between databases that were intended for other purposes, and the researchers do not have formal releases from the individuals to use their information for this purpose.

ATSDR's National Exposure Registry, for example, is subject to the Privacy Act. Although the registry is generally prohibited from disclosing personal information without written consent (which is routinely collected from participants through an informed-consent form), the Privacy Act does allow registry data to be released without consent in the following circumstances:

  • To ATSDR personnel who maintain the registry.
  • If required by FOIA (personal identifiers removed).
  • For routine use. A routine use is defined as the use of a record for a purpose that is compatible with the purpose for which it was collected.
  • To a recipient who has provided advance written assurance that the information released will be used solely for statistical research or as a reporting record. ATSDR requires that anyone seeking registry data for research purposes submit a study protocol for review to an agency review
