Members of the pem WG of the IETF and members of the PSRG of the IRTF
may be interested in submitting comments to the U.S. Government on the
attached draft "Principles for Providing and Using Personal
Information".
Regards, -Rob-
Robert W. Shirey SHIREY@MITRE.ORG
tel 703.883.7210, sec 703.883.5749, fax 703.883.1397
Info. Security Div., The MITRE Corp., Mail Stop Z231
7525 Colshire Drive, McLean, Virginia 22102-3481 USA
The following file is posted at the request of the
Information Infrastructure Task Force's Privacy Working
Group, chaired by Robert Veeder, Office of Management and
Budget
************************************************************
Request for Comments on the draft Principles for Providing
and Using Personal Information and their Commentary.
The draft Principles for Providing and Using Personal
Information and the associated Commentary are the first work
product of the Information Infrastructure Task Force's
Working Group on Privacy. They are intended to update the
Code of Fair Information Practices that was developed in the
early 1970s. While many of the Code's principles are still
valid, the Code itself was developed in an era when paper
records were the norm.
The advent of the National Information Infrastructure has
caused two things to change dramatically. No longer is
information usage bound by the limitations of paper -- the
seamless web of networks linking us to each other is
creating an interactive environment in which all of the
participants must share certain responsibilities. Moreover,
non-governmental usage rivals the government's, and is
largely unregulated.
The following Principles were developed with the goal of
providing guidance to all participants in this new
interactive world. The Working Group recognizes that the
Principles cannot apply uniformly to all sectors. They must
be carefully adapted to specific circumstances.
Nevertheless, the developers believe that the
responsibilities and relationships the Principles describe
are basic ones. As such, they are intended to assist
legislators, regulators, and companies as they develop codes
of practice.
The Working Group invites public comment on the Principles
and Commentary. We are especially interested in
understanding how the Principles would work in this new
interactive electronic environment and particularly in
non-governmental settings. Are they workable? How, if at all,
should they be changed? We hope that those who obtain the
Principles for review and comment will also share them as
widely as possible with others who might be interested in
them.
The Comment period will close on June 13, 1994. Comments
should be sent to the Working Group on Privacy c/o the NII
Secretariat, National Telecommunications and Information
Administration, US Department of Commerce, Room 4892,
Washington, D.C. 20230. The Principles and Commentary can be
downloaded from the IITF Gopher/Bulletin Board System:
202-501-1920. The IITF Gopher/Bulletin Board can be accessed through the
Internet by pointing your Gopher Client to iitf.doc.gov or by
telnet to iitf.doc.gov and login as gopher. Electronic comments
may be sent to nii@ntia.doc.gov.
*****************************************************************
DRAFT: April 21, 1994
Principles for Providing and Using Personal Information
Preamble
The United States is committed to building a National Information
Infrastructure (NII) to meet the information needs of its
citizens. This infrastructure, essentially created by advances
in technology, is expanding the level of interactivity, enhancing
communication, and allowing easier access to services. As a
result, many more users are discovering new, previously
unimagined uses for personal information. In this environment,
we are challenged to develop new principles to guide participants
in the NII in the fair use of personal information.
Traditional fair information practices, developed in the age of
paper records, must be adapted to this new environment where
information and communications are sent and received over
networks on which users have very different capabilities,
objectives and perspectives. Specifically, new principles must
acknowledge that all members of our society (government,
industry, and individual citizens), share responsibility for
ensuring the fair treatment of individuals in the use of personal
information, whether in paper or electronic form. Moreover, the
principles should recognize that the interactive nature of the
NII will empower individuals to participate in protecting
information about themselves. The new principles should also
make it clear that this is an active responsibility requiring
openness about the process, a commitment to fairness and
accountability, and continued attention to security. Finally,
principles must recognize the need to educate all participants
about the new information infrastructure and how it will affect
their lives.
These "Principles for Providing and Using Personal Information"
recognize the changing roles of government and industry in
information collection and use. Thus they are intended to be
equally applicable to public and private entities that collect
and use personal information. However, these Principles are not
intended to address all information uses and protection concerns
for each segment of the economy or function of government.
Rather, they should provide the framework from which specialized
principles can be developed.
I. General Principles for the National Information
Infrastructure
A. Information Privacy Principle
1. Individuals are entitled to a reasonable expectation of
information privacy.
B. Information Integrity Principles
Participants in the NII rely upon the integrity of the
information it contains. It is therefore the responsibility of
all participants to ensure that integrity. In particular,
participants in the NII should, to the extent reasonable:
1. Ensure that information is secure, using whatever means
are appropriate;
2. Ensure that information is accurate, timely, complete,
and relevant for the purpose for which it is given.
II. Principle for Information Collectors (i.e. entities that
collect personal information directly from the individual)
A. Collection Principle
Before individuals make a decision to provide personal
information, they need to know how it is intended to be used, how
it will be protected, and what will happen if they provide or
withhold the information. Therefore, collectors of this
information should:
1. Tell the individual why they are collecting the
information, what they expect it will be used for, what
steps they will take to protect its confidentiality and
integrity, the consequences of providing or withholding
information, and any rights of redress.
III. Principles for Information Users (i.e. Information
Collectors and entities that obtain, process, send or store
personal information)
A. Acquisition and Use Principles
Users of personal information must recognize and respect the
stake individuals have in the use of personal information.
Therefore, users of personal information should:
1. Assess the impact on personal privacy of current or
planned activities before obtaining or using personal
information;
2. Obtain and keep only information that could reasonably
be expected to support current or planned activities
and use the information only for those or compatible
purposes;
3. Assure that personal information is as accurate,
timely, complete and relevant as necessary for the
intended use;
B. Protection Principle
Users of personal information must take reasonable steps to
prevent the information they have from being disclosed or altered
improperly. Such users should:
1. Use appropriate managerial and technical controls to
protect the confidentiality and integrity of personal
information.
C. Education Principle
The full effect of the NII on both data use and personal privacy
is not readily apparent, and individuals may not recognize how
their lives can be affected by networked information. Therefore,
information users should:
1. Educate themselves, their employees, and the public
about how personal information is obtained, sent,
stored and protected, and how these activities affect
others.
D. Fairness Principles
Because information is used to make decisions that affect
individuals, those decisions should be fair. Information users
should, as appropriate:
1. Provide individuals a reasonable means to obtain,
review, and correct their own information;
2. Inform individuals about any final actions taken
against them and provide individuals with means to
redress harm resulting from improper use of personal
information;
3. Allow individuals to limit the use of their personal
information if the intended use is incompatible with
the original purpose for which it was collected, unless
that use is authorized by law.
IV. Principles for Individuals who Provide Personal Information
A. Awareness Principles
While information collectors have a responsibility to tell
individuals why they want information about them, individuals
also have a responsibility to understand the consequences of
providing personal information to others. Therefore, individuals
should obtain adequate, relevant information about:
1. Planned primary and secondary uses of the information;
2. Any efforts that will be made to protect the
confidentiality and integrity of the information;
3. Consequences for the individual of providing or
withholding information;
4. Any rights of redress the individual has if harmed by
improper use of the information.
B. Redress Principles
Individuals should be protected from harm resulting from
inaccurate or improperly used personal information. Therefore,
individuals should, as appropriate:
1. Be given means to obtain their information and be
provided opportunity to correct inaccurate information
that could harm them;
2. Be informed of any final actions taken against them and
what information was used as a basis for the decision;
3. Have a means of redress if harmed by an improper use of
their personal information.
*****************************************************************
Draft - April 21, 1994
PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION
Commentary
1. With the initiation and expansion of the National Information
Infrastructure (NII), the information age is clearly upon us.
The ability to access, collect, store, analyze, and disseminate
data at an acceptable cost has never been greater, and continuing
advances in computer and telecommunications technologies,
especially interactive applications, will serve to ensure that
the amount of electronically stored personal information and
transactional data will continue to grow at a healthy pace.
2. Cost is, of course, the overriding factor. Continually
decreasing hardware, software and networking costs allow
individuals and organizations to use data in ways that were
previously, in a non-electronic world, cost-prohibitive. For
example, if someone were interested in building a dossier on a
citizen who had lived in four different states, that dossier
could have been built "manually" by travelling from state to
state (or hiring individuals in each state) to compile public
records pertaining to that individual's birth, motor vehicle
registration, driver's license, real property holdings, voting,
etc. This would have required, however, filling out forms,
paying fees, and perhaps waiting in long lines for record
searches at various state and local office buildings. In short,
it could be done, but it would have been a time-consuming and
costly exercise; thus, it would not be done unless the reward for
building this dossier were considerable. If the ultimate goal
were to collate data on thousands of individuals, analytical
processing costs would also be added to the mix.
3. Today, such a dossier can be built in a matter of minutes, at
minimal cost, assuming all the needed information is on-line.
Indeed, with the NII, the assumption is that large amounts of
sensitive information will be on line, and can be accessed,
perhaps without authority, by a large number of network users.
With advanced networking, each link in the chain--access,
collection, storage, and analysis--becomes a cost-effective
method of using information, as does the ability to disseminate
the final collated product to others.
4. Such networking offers considerable benefits. The NII holds
forth the promise of greater public participation in society,
advances in medical treatment and research, and quick
verification of critical personal information (e.g., a gun
purchaser's criminal record), just to name a few. There is,
however, another issue: information privacy. To the extent that
the ability to access, collect, store, analyze, and disseminate
data has never been greater, the threat to personal information
privacy has never been greater either.
5. The truth is, the NII will only achieve its full potential if
individual privacy is properly protected. Absent such
protections, individuals may be reluctant to participate in the
NII, fearful that the risks to personal privacy outweigh the
benefits. Citizens should not have to make that choice; rather,
they should be assured that the use of personal information will
be appropriately limited. The adoption of fair information
principles is a critical first step in that direction.
6. Although Fair Information Principles currently exist, [see
Advisory Committee on Automated Personal Data Systems, Records,
Computers and the Rights of Citizens, (Washington, D.C.,
Department of Health, Education and Welfare, 1973)], it is
clearly time that they be rewritten to address the issues raised
by our new electronic environment, as well as cover paper
records. The most major concerns:
(1) It is no longer governments alone that collect and use
large quantities of personal data; the private sector
clearly rivals the government sector in information
usage. As such, these new principles should apply to
both the government and private sectors.
(2) The NII will, if it fulfills its promise, be
interactive; i.e., individuals about whom data relates
(so-called "data subjects") will become increasingly
active participants, creating volumes of communicative
and transactional data. To the extent that individuals
are providing information about themselves, they too
should have obligations when using the NII.
(3) The transport vehicles for this information (the
networks) are vulnerable to abuse; thus, the
reliability of the network itself becomes critical to
the future success of the NII.
(4) Traditional ethical rules, long-accepted when dealing
with tangible objects, are not easily applied in the
new electronic environment, and all NII participants
must be educated in the proper use of the NII.
Consider, for example, how an individual who would
never trespass in the home of another might attempt to
justify computer hacking as an intellectual exercise.
Indeed, what constitutes a proper use of the NII or NII
information might not be intuitively obvious. Whether
a particular use is acceptable may depend on a host of
factors including, but by no means limited to, the
purpose for which the data was collected, whether the
use is compatible with that purpose, and whether the
use is specifically authorized by law. In such an
environment, individuals need to be educated about the
proper use of both the NII and the information it
contains.
7. As ambitious as the task is, these Principles attempt to
address these issues. That said, one must recognize the
limitations inherent in any such principles. First, the
Principles are not intended to have the force of law. Broad
sweeping principles provide a framework for addressing fair
information practices, but any specific regulatory implementation
must be sector by sector. This is because each information
sector (e.g., medical, financial, law enforcement, national
security, research and statistics) has specific and unique needs
that cannot be addressed by general principles.
8. Second, the Principles are only intended to apply
domestically; although, to the best of our knowledge, these
Principles are in accord with current international guidelines
regarding personal privacy and data protection, and should not
hinder the ongoing development of an international information
infrastructure.
9. Third, the Principles only address information identifiable
to a living individual. It makes little sense to restrict the
use of information that does not relate to an identifiable living
person, and to do so would unduly hamper researchers and others
who use large quantities of data for generic statistical
purposes.
10. Finally, although the Principles are written broadly, there
will no doubt be times when their strict application would be
inappropriate. For example, public safety could be undermined if
law enforcement had to seek a data subject's approval before
obtaining transactional records relevant to an ongoing criminal
investigation on the theory that this use was incompatible with
the purpose for which the records were originally created. To
account for such cases, the words "as appropriate" or "to the
extent reasonable" appear in the Principles. This is not to
suggest, however, that the Principles need not be rigorously
adhered to. To the contrary, the need to diverge from a given
principle should be the exception, not the rule, and should only
occur when there is a compelling reason. For in the end, it is
adherence to these Principles that is critical to developing
trust between data users and data subjects in the electronic
information age.
General Principles for the National Information Infrastructure
11. We begin with the three principles that apply to all NII
participants: information collectors, information users, and
individuals ("data subjects"). These three principles, relating
to privacy and information integrity, provide the underpinnings
for the successful implementation of the NII. They state clearly
that individuals are entitled to a reasonable expectation of
information privacy, and that efforts should be made to ensure
that information is adequately protected and used appropriately.
12. If the NII is to be trusted, participants must have a
reasonable expectation of privacy in personal information.
Although individuals harbor subjective expectations of privacy,
these must be honored only to the extent that society is prepared
to recognize those subjective expectations as objectively
reasonable. For example, an individual who posts an unencrypted
personal message in an area of a bulletin board service that is
provided for open, public messages cannot reasonably expect that
his/her message will only be read by the individual listed in the
salutation. Where a subjective expectation of privacy is made
clear and is objectively reasonable, however, individuals should
have their privacy respected.
13. NII participants must also be able to rely upon the
integrity of the information contained in and transmitted through
the NII. This will be the case only if the information is secure
from improper disclosure and alteration, and if the information
is accurate, timely, complete, and relevant for the purpose for
which it is used. The responsibility of providing adequate
security and reliable information falls properly on all
participants in the NII.
14. We recognize, of course, that individuals and organizations
do not always provide accurate and complete data when requested.
Large data brokers, as well as privacy advocates, may
intentionally provide false data as a method of monitoring data
flow. For example, an individual who misspells his name slightly
when dealing with one company and then receives mail, with the
name similarly misspelled, from a second company, may now be
aware that the first company has disseminated his name to others.
We do not intend to suggest that any falsehood violates this
principle. It would violate this principle, however, to provide
false information to create some improper result (such as
receiving illegitimate benefits or injuring another).
Responsibilities of Original Collectors (i.e., Entities that
Collect Information Directly from the Individual) of Personal
Information
15. One of the most alluring features of the NII--easy access to
and dissemination of information--also provides one of its most
vexing problems: it is impossible for an individual to identify
all the other individuals and organizations that may possess some
personal information about himself or herself. At the risk of
over-simplification, there are essentially two types of data
users: those who collect information directly from the data
subject, and those who do not. By necessity, the rules for these
two groups must differ.
16. Those who collect information directly from the individual
should inform the data subject
(1) how the information collected will be used,
(2) whether the information will remain confidential and be
protected against improper access or alteration, and
(3) the consequences of providing or withholding the
requested information.
The fulfilling of these obligations will ensure that individuals
have a meaningful opportunity to exercise sound judgment in
accordance with the Principles for Individuals Who Provide
Personal Information. Juxtaposed, the Principles for Information
Collectors and Principles for Individuals Who Provide Personal
Information highlight the true interactive nature of the NII and
the ideal symbiotic relationship between data collectors and data
subjects.
17. It is simply impossible, of course, to impose these
Information Collector obligations on entities that have no direct
relationship with the individual. If every recipient of data
were required to contact every individual on whom they receive
data to provide some form of notice, the exchange of information
would become unduly burdensome, and the benefits of the NII would
be lost. On the other hand, information dispersion will be
common on the NII and the following principles, designed to
promote fair information use, should apply to all data users
(including data collectors).
Responsibilities of Information Users (i.e., Information
Collectors and Entities that Obtain, Process, Send or Store
Personal Information).
18. In an environment where individuals cannot realistically
know where all personal information about them resides, and
cannot account for each use of that information, it is simply
impossible for individuals to ensure that personal information is
used fairly. In some cases, even arguably adverse actions may go
unnoticed, and therefore redress will not be available. For
example, a company may decide not to include an individual in a
mass mailing offer regarding a financial opportunity because an
analysis of that individual's credit history suggests the
individual is a bad credit risk. In such an environment, it is
particularly important to ensure that data users use personal
information in acceptable ways. The following principles, which
apply to all users (including Collectors), fall into four
categories: Acquisition and Use, Protection, Education, and
Fairness.
A. Acquisition and Use Principles
19. The benefit of information lies in its use, but such use may
also have a negative effect on personal privacy. Additionally,
that privacy, once lost, cannot always be entirely restored
(consider, for example, the extent to which the inappropriate
release of extremely embarrassing personal information is
rectified by a public apology). To protect the information
privacy of individuals adequately requires that the effect of
data use be considered before personal information is obtained or
used. In assessing this effect, data users will need to consider
not just the effect of their action on the individual, but other
factors (such as public opinion and market forces) which may be
relevant in determining whether a particular data use is
appropriate.
20. It may well be that the effect on personal privacy has been
considered and it has been decided, appropriately, to obtain and
use personal information for some purpose. In such cases, the
data user should obtain only that information which could
reasonably be expected to support current or planned activities.
Although the cost of storing information continues to decrease,
it is simply inappropriate to collect volumes of personal
information because it may, in the future, prove to be of some
unanticipated value. Moreover, once collected, personal
information should only be used for those current or planned
activities, or other compatible purposes. Incompatible uses not
authorized by law should not be undertaken without consultation
with the data subject. See, Fairness Principles, below.
Finally, information should only be kept as long as necessary.
It should be destroyed when appropriate.
21. Reasonable efforts should be made to ensure that information
that will be relied upon is accurate, timely, complete, and
relevant. It must be recognized that information which is
accurate when collected may not be used for years, and the use of
stale information may have unfair or inaccurate results.
B. Protection Principle
22. In a networked environment, the risk of unauthorized access
(i.e., loss of confidentiality) and unauthorized alteration
(i.e., loss of data integrity) increases exponentially. Both
insiders and outsiders may browse through information they have
no right to see, or make hard-to-detect changes in data which
will then be relied upon in making decisions that affect the
individual. For example, our national health system expects to
become an intensive user of the NII. A hospital in a remote part
of the country may pass x-rays through the NII for review by a
renowned radiologist at a teaching hospital in another part of
the country. For improving the quality of patient care, the
benefits of such transfers are enormous. Yet, it is unlikely
that such sensitive data will be passed through a system where it
could be subject to unauthorized alteration and potential misuse.
It is therefore incumbent on data users to protect the data
commensurate with the harm that might occur if the data were
improperly disclosed or altered. Additionally, the level of
protection should be consistent with whatever the data subject
was told if the data was collected directly from the individual.
23. It is not enough, however, to rely upon technical controls.
Although technological safeguards can serve to protect data
confidentiality and integrity, there is a human component that
defies a solely technical solution. For example, insiders--those
who are authorized to access and alter data--may not violate
access controls when they improperly alter or delete data they
are authorized to change. Therefore, the protections employed
must be multi-faceted and include technical solutions, management
solutions (e.g., creating an environment where fair information
practices are the accepted norm), and educational solutions
(e.g., providing data handlers with proper training).
C. Education Principle
24. The Education Principle represents a significant addition to
the traditional Fair Information Principles. The effect of the
NII on both data use and personal privacy is by no means readily
apparent. Most individuals are ignorant as to the amount of
personal information already networked, and may not recognize how
their lives can be affected by networked information.
25. It is important that information users appreciate how the
NII affects information privacy, and that individuals understand
the ways in which personal information can be used in this new
environment. Thus, data users need to educate themselves, their
own employees, and the public in general about how personal
information is obtained, transmitted, used and stored, including
what types of security measures are being used to protect data
confidentiality and data integrity.
D. Fairness Principles
26. If information can be used to adversely affect an
individual, it is only fair that individual have a reasonable
means to obtain, review, and correct personal information about
himself or herself. Moreover, to the extent adverse actions are
taken against the individual, the individual should be notified
and have a means of redress. Equally important, the data
collector should explain to the individual exactly what that
means of redress is. Redress may take many forms (mediation,
arbitration, civil suit, criminal prosecution) and be offered in
different forums (federal, state, local) but cannot be imposed by
these principles.
27. One of the most difficult issues is dealing with
incompatible uses of previously collected information. An
incompatible use is not necessarily a bad use; in fact, it may be
of considerable benefit to either a data subject or society as a
whole. A data subject may benefit, for example, when a customer
mailing list is used to warn those customers that a product that
they purchased is defective and may cause serious physical
injury. Society as a whole may benefit when criminal conviction
information is used for some purpose not originally contemplated
such as screening candidates for child care positions or weapons
purchases. Similarly, researchers and statisticians using
previously collected information may determine the cause of a
potentially fatal disease such as cancer.
28. On the other hand, without some limitation, information use
may know no boundaries. Individuals who disclose information for
one purpose may then be subjected to unintended and undesired
consequences, and this will discourage them from disclosing
personal information in the future. To ensure that this does not
occur, information should only be used in ways compatible with
the purposes for which it was collected and, before incompatible
uses occur, they must either be authorized by law or the
individual data subject should be notified so that he or she can
opt out of such use.
Rights and Responsibilities of Individuals who Provide Personal
Information
29. As noted, the NII has significant implications for
information use and personal privacy. In such an interactive
environment, it is not sufficient for individuals to disclose
personal information and then abdicate responsibility for the
consequences; rather, individuals must take an active role in
deciding whether to disclose personal information in the first
instance. But if individuals are to be held responsible for
making these choices, they must be empowered to make intelligent
choices. This requires that they receive meaningful information
on the intended uses of the information they provide, and the
consequences for providing or withholding personal information.
For these purposes, the "Principles for Individuals who Provide
Personal Information" create two discrete categories that apply
to individuals: Awareness and Redress.
A. Awareness Principles
30. Awareness encompasses the notion that individuals should
understand the ways in which personal information may be used,
and the results that flow from such use. This will allow them to
make intelligent choices regarding the disclosure of personal
information.
31. Increasingly, individuals are being asked to surrender
personal information about themselves. Sometimes the inquiry is
straight-forward; for example, a bank may ask for personal
information prior to processing a loan request. In this type of
situation, it may be clear to the individual the purpose, or at
least the primary purpose, for which the information is sought
(e.g., processing the loan application). There may, however, be
secondary uses which are not so immediately obvious, such as
being put on a mailing list for a credit card solicitation.
Indeed, there are no doubt many times when individuals decide to
disclose information without being fully cognizant of the many
ways in which that information may ultimately be used.
32. It is difficult, if not impossible, to anticipate all such
uses. Individuals who pay for medical services with a charge
card may not recognize that they are creating transactional
records from which others may attempt to ascertain the current
state of the individual's health. Equally problematic is that
the assumptions drawn from such data may be false, and the
individual may never know that the data has been used to reach
some conclusion, or take some action, regarding his or her
future.
33. It is impossible to formulate any set of principles that can
cover comprehensively all possible uses of information. Nor
would such an attempt be wise for, in fact, different people
desire and expect different levels of privacy, and hold different
concerns regarding the ultimate use of personal data.
Ultimately, whether an individual chooses to disclose personal
information, or create a transactional record, should depend upon
the individual's own wishes unless, of course, the information is
required by law.
34. The Awareness Principles recognize the importance of
personal choice and cultivate an environment where these critical
personal decisions can be made intelligently. For whatever the
degree of personal interest in information privacy, it is
critical that individuals receive enough facts to make rational
choices regarding the disclosure of personal information.
35. First and foremost, an individual should know the intended
primary and secondary uses of the information. Second,
individuals should determine whether efforts will be made to
assure data confidentiality and data integrity. In some cases,
confidentiality may be required by law (e.g., tax records), but
of equal concern may be the technical and managerial controls in
place to protect the data. This principle does not mean that the
individual should obtain a technical explanation regarding the
security measures used to protect such data. Indeed, such
technical explanations might be unwelcome, unwarranted and
counterproductive (widespread disclosure of the technical
measures used might actually expose vulnerabilities in a given
system). But individuals should be told whether the information
is intended to remain confidential and whether efforts will be
made to preserve data integrity. Some individuals might choose
not to disclose personal data if they knew that the data provided
was freely obtainable by others, or might easily be altered.
36. Individuals should also be informed of the consequences of
providing or withholding information. Data subjects should be
told whether disclosing the requested information is mandatory
(i.e., required by law) or voluntary, and the consequences that
can flow from their decision. We recognize fully that even when
disclosure is legally "voluntary," it may in fact be coerced
(e.g., the refusal to "voluntarily" provide information may
result in the denial of critical life-sustaining benefits).
General principles cannot resolve such difficult issues, but
whatever the consequences, they should be clearly
articulated.
37. Lastly, there will be times when individuals feel aggrieved
by the improper use of personal information. If redress is
available, individuals should be aware of that fact, and be
informed as to how such redress can be obtained.
B. Principle of Redress
38. Invariably, people will be harmed by the improper disclosure
or improper use of personal information. It is therefore
important to implement proactive measures to limit that harm, and
reactive measures to provide relief when harm occurs.
39. To the extent inaccurate information can be used to harm
individuals, it follows that individuals may wish to ensure that
collected and stored personal information is in fact accurate and
complete. For this reason, individuals should be able to obtain
from data users, as appropriate, a copy of this personal
information and have the opportunity to correct inaccurate
information. This may allow them, proactively, to prevent
anticipated harms. This principle is, however, limited in scope.
Although, idealistically, all stored personal information should
be accurate, the fact remains that inaccurate personal
information does and will exist, and correcting inaccurate data
cannot be done without cost. Pragmatically, it makes little or
no sense to devote resources to correcting data that cannot be
used to harm the individual, and therefore the opportunity to
review personal information in order to correct data inaccuracies
is limited to those cases where harm may occur.
40. When final actions are taken against individuals, they are
entitled to notice. Absent notice, it may be impossible to seek
available redress. Moreover, redress should be available for
individuals who have been harmed by the improper use of
information (including the use of inaccurate information). To
ensure that individuals can take advantage of these redress
mechanisms, the awareness principle, as noted above, requires
that individuals be informed of the remedies available.