By PHILIP KOLTUN
Assistant professor of mathematical systems at Sangamon State University, he has degrees in computer science from the University of Illinois and Carnegie-Mellon University, and has lectured on computers and privacy, and legal issues in the computing field.

Can centralized record systems be both efficient and confidential?

Computers and privacy

The Illinois General Assembly has yet to pass any major proposed bills concerning privacy of individuals for reasons including complexity of the issue and the lack of a hearty push by the public. Despite these odds, proponents feel the prospects for passing major privacy legislation are good.

PRIVACY, the average person assumes, is guaranteed to all citizens by the U.S. Constitution. But, on April 21, 1976, the U.S. Supreme Court alarmed civil libertarians everywhere when it decided United States v. Miller, a case involving government subpoena of bank records pursuant to a criminal investigation. In so doing, the court stated that an individual has no legitimate expectation of privacy in dealings with his bank.

In times when automated record keeping systems collect and disseminate so much information about individual citizens, how far does the right to privacy extend? Does it apply to the computerized reservation systems of airlines and motels, where standard business information might be used to prove an individual's whereabouts at some given point in time? What rights to privacy does the individual have when using a telephone or a credit card, where routine accounting information could reveal much about someone's spending habits and associations? Or when seeking treatment at a hospital or mental health facility, or applying for welfare benefits?

Legislatures across the country have responded to the public's growing sensitivity to the sheer volume of accessible personal information by proposing privacy legislation, but states have jurisdiction only within the individual state. In Illinois, bills introduced in the 79th General Assembly included Senate Bill 1, the "Illinois Fair Information Practice Act," S.B. 960, the "Personal Records Privacy Act," and House Bill 125, the "Automated Personal Data Systems Safeguards Act." None passed.

With post-Watergate revelations of secret and improper surveillance activities by the Central Intelligence Agency, Federal Bureau of Investigation, Internal Revenue Service and Chicago Police Department "Red Squad," and a presidential campaign in which voters responded favorably to criticisms of burgeoning government bureaucracies, one would expect that privacy legislation would have a good chance for passage. Why, then, did none of the above bills get anywhere in the present General Assembly?

One reason, unquestionably, was the desire of concerned legislators to move cautiously on a problem of enormous complexity. According to Rep. Bruce R. Waddell (R., Dundee), chairman of the Data Information Systems Commission which is empowered to review and formulate policy for state data processing activities, "It's easy to make a statement like 'Everybody's privacy should be protected,' but then, getting down into specifics is more difficult." The General Assembly, says Waddell, will not respond as a matter of politically motivated expediency. Sen. Robert W. Mitchler (R., Aurora), sponsor of S.B. 1, agreed. "You have to go slow. Hasty legislation is bad."

Sen. Dawn Clark Netsch (D., Chicago), sponsor of S.B. 960, the privacy bill drafted by the Governor's Commission on Individual Liberty and Personal Privacy, indicated that the bill was "bottled up in the bureaucracy" and was introduced too late to get a good hearing. "There's no point in trying to move a major piece of legislation in such a restricted agenda session." The bill will be introduced again next year, however.

A second major reason for failing to pass major privacy legislation was a perception by legislators that the public was not insistent on the question. Rep. John E. Porter (R., Evanston), sponsor of H.B. 125, feels that the House committees were not ready to spend the time or make the commitment to deal with the privacy bills this year. Privacy just wasn't a priority issue. "The public didn't push for it enough," he said. Mitchler echoed Porter's comment, "Do people really want it?"

November 1976 / Illinois Issues / 3

David Hamlin, executive director of the Illinois chapter of the American Civil Liberties Union, agrees and disagrees with that perception. He feels that the public demand for privacy legislation is not sufficient to force legislative action. "But that day is not terribly far off," he says. "When the public perceives the need, they will demand legislation of more wide-reaching scope than is currently proposed. But for now, economic issues take priority."

Sen. Netsch feels that the prospects for passing major privacy legislation in the future are reasonably good. "This is the public's right to find out what government is doing to them." The interest she talks of cuts across political affiliations; conservatives and liberals could easily find themselves of one mind on the question. Hamlin agrees. "There is a demonstrated need in several areas. But it [the right to privacy] is the most elusive kind of issue, an intangible right. Finding the right kind of handle to persuade legislators is what's needed."

A third reason for the sluggishness in acting on privacy legislation is the desire of states to see what the Privacy Protection Study Commission, established by the federal Privacy Act of 1974, comes up with in the way of legislative recommendations. The commission has been actively holding hearings and is due to report its findings in March 1977. While some officials adopt a cautious stance in pushing privacy legislation, others, skeptical of the Study Commission's ability to influence constructive action, would like to see Illinois take a leadership role in protecting privacy. This has not yet occurred. A recent survey by the National Association of State Information Systems showed that only four states (Arkansas, Massachusetts, Minnesota, and Utah) had passed general privacy legislation by the end of 1975.

One way to gain a perspective on the privacy question is to consider the extent of the state's computerized record keeping systems. These systems are fundamental to planning, monitoring and evaluating state programs. While figures are hard to come by, the Data Information Systems Commission's annual report for 1975 reported that estimates of statewide data processing costs range from $60 million to $300 million annually. More than 30 different state agencies maintain data processing operations. The 1973 Annual Report of the Data Information Systems Commission and the Illinois Master Plan Applying Computer Technology in the 1970's (IMPACT - 70's) provide an overview of record keeping activities in the state. Computer systems monitor air pollution, maintain criminal justice records, compile and collect health resource and medical statistics, log medical benefits payments, register drivers' licenses and automobiles, match jobs and workers and process tax returns, to name just a few functions.

In the social services area alone the Departments of Vocational Rehabilitation, Public Health, Public Aid, Children and Family Services, and Mental Health operate record keeping systems. In response to concerns that the proliferation of individual systems was inefficient, plans were developed for a Total Health Information System to serve as "a central repository and supplier of information for comprehensive health planning, health research, health program operation and management, and health statistics."

In point of fact, the concerns of efficiency and privacy are often at odds. Pooling health records in a central repository may cut system overhead, but it also makes it hard to restrict access and dissemination of records to the purposes for which they were collected. However, when the federal Law Enforcement Assistance Administration (LEAA) issued security guidelines requiring the state criminal justice information systems it funded to operate on "dedicated" computers, the uproar over the expense and inefficiency these guidelines would create caused LEAA to withdraw them. The lesson learned from that experience was that security standards could be mandated, but not specific operating procedures.

One of the most serious record keeping abuses, and one which reveals the difficulty of drafting comprehensive privacy legislation, involves dissemination of arrest data without followup disposition data, or dissemination before that disposition data is available. The usefulness of disseminated arrest data to law enforcement agencies must be balanced against a presumption of innocence and the right to due process for the individual.

As Supreme Court Justice William O. Douglas noted in another context, "[I]n many cases the ultimate absolution never catches up with the accusation." Illinois participates in the FBI's National Crime Information Center (NCIC) network, and is one of eight states that fully participates in the Computerized Criminal History system as well. Illinois law (Ill. Rev. Stat., ch. 38, sec. 206-5 (1973)) provides that unconvicted arrestees may petition a local court to have their arrest records expunged by the arresting authorities after acquittal. The catch is that there is no method for retrieving records which have been distributed to other law enforcement agencies, employers, or private individuals. Some authorities have acted to deal with the situation. In late 1973, then Gov. Francis W. Sargent of Massachusetts, believing NCIC safeguards to be inadequate to protect the privacy of his state's citizens, refused to let Massachusetts participate in the network. Under threat of a Justice Department lawsuit to compel Massachusetts' participation, the state continued to refuse participation.

Likewise, the District of Columbia's "Duncan Ordinance" prohibits the metropolitan police department's practice of "routinely disseminating to FBI, whether before conviction or after exoneration or both, arrest records which included not only arrestee's fingerprints but also data identifying persons arrested and information concerning details and surrounding circumstances of arrests, at least as long as FBI continued to redisseminate that data for other than law enforcement purposes and particularly for purposes of employment and licensing" (Utz v. Cullinane, 520 F. 2d 467 (1975), emphasis in original).

Privacy legislation may have to deal with medical, insurance, law enforcement and financial records and government data banks one sector at a time

Another privacy policy question, as difficult to resolve as the dissemination question, is that of expungement of criminal justice data. If a convicted criminal serves his sentence and "pays his debt to society," should the record of his conviction and sentence remain a public record, or should the slate be wiped clean, particularly when the stigma attached to conviction and the inevitable consequences of the evidence of a criminal record prevent the individual's return to full and useful membership in society? Law enforcement officials argue, justifiably, that records of an individual's criminal history are invaluable to the criminal justice system. They may be used, for instance, in investigating a crime involving a particular modus operandi, or in sentencing a repeat offender. How then are society's interests and the individual's balanced? One compromise that has been proposed involves "sealing" certain criminal justice records which are to be opened only under special conditions.

A variety of other very complex problems exist which privacy legislation needs to resolve. For instance, how long is the useful life of information? Legislation might require that "procedures be developed to insure the accuracy and timeliness of information." But how long is "timely" when the data involves mental illness, credit ratings, or a criminal history, and at what point should data be declared obsolete and expunged?

Other aspects of privacy proposals requiring considerable thought include proposed restrictions on use of universal identifiers such as the social security number, the cost of implementing privacy protection procedures, and the merits of a Privacy Board or ombudsman to review record keeping abuses. Already, provisions of the federal Privacy Act of 1974 (P. L. 93-579) forbidding any federal, state or local government agency to deny benefits provided by law to individuals refusing to disclose their social security numbers are having an effect on the design of new record keeping systems.

Of major concern to private industry, particularly companies engaged in interstate commerce, is the fear that compliance with the welter of privacy provisions of different states would be prohibitively expensive. The Association of Data Processing Service Organizations (ADAPSO) has indicated that it supports a policy of federal preemption of the entire area of privacy and security to insure uniformity of requirements. ADAPSO further indicated that its members could not tolerate restrictions on the interstate transfer of data because of the prohibitive expense in establishing data centers in each state.

Realistically, if important privacy legislation is to come, it may have to come one sector at a time. Specific legislation to deal with medical records, with insurance records, law enforcement records, financial institution records, and government data banks appears more feasible than one omnibus bill. The problems with designing a single set of standards appropriate for each sector seem too complex to conquer. However, the general principles embodied in most proposed legislation include the following:

To an extent, Illinois' Constitution and statutes already reflect sensitivity to the issue of privacy. Article I, Section 6 of the state Constitution guarantees the people the right to be free from invasions of privacy. Article I, Section 12 states that "Every person shall find a certain remedy in the laws for all injuries and wrongs which he receives to his person, privacy, property or reputation."

State law says that the director of the Department of Finance shall manage the operation of all data processing equipment used by state agencies "in a manner that provides for adequate security protection and back-up facilities for such equipment, the establishment of bonding requirements and a code of conduct for all electronic data processing personnel to insure the privacy of electronic data processing information as provided by law." (Ill. Rev. Stat., ch. 127, sec. 35.3.)

Proponents of privacy legislation hope the procedures and principles of conduct they prescribe will guarantee the citizen's right to privacy. As Supreme Court Justice Felix Frankfurter stated, "The history of liberty has largely been the history of observance of procedural safeguards." 

  Vetoes for privacy

GOV. DAN WALKER vetoed one bill and recommended changes in two others in order to protect the confidentiality of records. He vetoed House Bill 3138 which would have required state and private hospitals to disclose whether a person seeking a Firearm Owner's Identification Card had been a mental patient within the preceding five years.

Walker used his amendatory veto on Senate Bills 2010 and 2011 which deal with the confidentiality of financial records in banks and savings and loan associations. The governor recommended changes to define circumstances when courts could waive serving a subpoena on the customer, thus getting records directly from the financial institution. He recommended other provisions to protect the privacy of the customer's records.

The bills as passed do not define the circumstances of permissible disclosure with sufficient precision or narrowness, according to Walker, and may expand the areas of permissible disclosure beyond those customarily followed today.
