
1983]

COMPUTERS AND PRIVACY

475

or legal authorization exists concerning the data's use.212 Once a data file is created, the individual must, upon request, be provided with information on stored data concerning him.213 Individual access is denied under the FDPL where it would prejudice the function of the data base.214 Time limitations for the retention of data bases are not specified, but are determined by need.215 The German law lacks a provision for notification of disputes between individuals and databanks. Individuals may, however, report their differences to the Data Protection Officer.216

4. France

The French Data Processing, Files, and Liberties Law of 1978 (Law)217 created a supervisory Commission to enforce and regulate implementation of the Law. An unusual provision is that databanks must disclose to the public their authorization, purpose, access rights, categories of information, and recipient organizations.218 An individual's right of access is subject to a preliminary inquiry by the Commission, which determines the relevance and necessity of the disclosure.219 If the Commission decides in favor of the individual, the databank must release a copy of the file.220 No provision exists, however, for resolving disputes between individuals and databanks.

5. Norway, Denmark, and Austria

The Norwegian Personal Data Registers Act221 mandates the legal presumption of obsoleteness of any unfavorable personal credit information more than five years old.222 The Austrian Privacy Act of 1978223 requires databank users to correct or delete inaccurate or incomplete information on individuals.224 The burden of proving the accuracy of the information lies with the user, not the individual or databank.225 The Danish Private Registers Act226 requires that when a credit bureau discovers inaccurate information on an individual, the bureau must: make the necessary corrections, notify the individual, and send corrected reports to those who have requested credit information within the past six months.227

The previous discussion illustrates that a number of nations have begun to realize the importance of protecting confidential, personal information.

212. Id. § 3.

213. Id. § 13.

214. Id.

215. Id. § 14.

216. Id. § 21.

217. France: Law No. 78-17, 5 COMPUTER L. SERV. app. 9-5.2a, No. 4 (Jan. 6, 1978).

218. Id. art. 22.

219. Id. art. 21.

220. Id.

221. COMPUTER L. SERV., supra note 189.

222. Id. § 15.

223. 5 COMPUTER L. SERV. app. 9-5.2a, No. 8 (Oct. 18, 1978).

224. Id. § 11(1).

225. Id.

226. 5 COMPUTER L. SERV. app. 9-5.2a, No. 6 (June 8, 1978).

227. Id. § 14.

476

DENVER LAW JOURNAL

[Vol. 60:3

Their privacy laws suggest some basic principles that could be incorporated into privacy legislation in the United States.

V. POTENTIAL DEVELOPMENTS TO PROTECT PRIVACY

A. Industry Self-Discipline

Self-discipline by the computerized credit industry is one inexpensive control. By developing a professional code of ethics, credit reporting agencies could police themselves. The Code of Ethics for the Association of Credit Bureaus of Canada serves as a tool for self-discipline in the Canadian credit reporting industry.228 Disadvantages of the system are that no specific person or entity may be held accountable for breaches of the code and that no specific penalties or authority exist to ensure compliance. Enforcement of the code is based on "moral suasion."229

B. Ombudsman

An ombudsman does not have regulatory or legislative powers; however, he can recommend regulations and legislation. The ombudsman could report to Congress periodically and publicize adverse effects of data collection and invasions of privacy.230 Suggested functions of the ombudsman include: considering specific injuries from misuse of information; advising and commenting on potential databank development; researching data classification; adjudicating complaints; establishing professional standards; examining types of information stored and used; licensing databanks; requiring periodic reports on systems procedures by operators of databanks; and approving the interchange or collation of information between systems. The simplicity and low cost of the ombudsman approach make it particularly attractive. The ombudsman could immediately respond to an individual's privacy concerns. One problem, however, is that the ombudsman does not review systemic problems. Instead, he concentrates on individual databanks and individual complaints. Also, there can be no investigation until a complaint has been made. Difficulties may also arise when the ombudsman lacks the technical expertise to analyze a problem.231 The concept of the ombudsman has never been widely understood or accepted in the United States. Implementing such a system, therefore, could prove difficult.232

C. Single Identification Number

A single identification number (SIN) for all records and information on an individual could reduce the social harm caused by identification errors. A SIN system compiles and retrieves information quickly and cost-effectively. It would promote centralization of data which could facilitate implementation of other technical controls. Germany employs a SIN system.233 Under that system, if a person changes his residence only one agency is notified; other agencies are notified automatically. Sweden, Norway, Finland, and Denmark also have SIN systems.234 Sweden uses a ten-digit number, which refers to an individual's birthdate, geographic location, and check number.235 Although there have been proposals for SIN systems in the United States and Canada, neither country has adopted one. A proposal in the United States to utilize social security numbers as the basis of a SIN system was abandoned in 1970.236

230. Id. at 162. See also R. FREED, COMPUTERS AND LAW: A REFERENCE WORK 42 (1976).

231. See TASK FORCE, supra note 121, at 162.

Opponents argue that SIN systems can be abused and result in the loss of anonymity.237 Other risks associated with personal data, particularly computerized credit information, may not be eliminated by a SIN system. By reducing the identification factors to a single number, the possibilities for mismatching information on an individual may be increased. Errors made with respect to the assignment of the SIN could result in the information on an individual being lost or destroyed.

D. Centralized Databanks

Centralized databanks serve a function similar to the SIN system. Centralization standardizes all records into one central intelligence system. Like the SIN, the centralized databank concept is attacked because of the potential for too much power and control. In an investigation by the House Special Subcommittee on Invasions of Privacy in 1966, the concern for misuse and control became paramount.238 Public discussions indicated the need for a system of safeguards through federal legislation which would include coding procedures, codes of conduct, and a system for data verifications. Centralized databanks might perpetuate facts without methods or provisions for updating the information. Another privacy consideration is the high probability of error that exists when data are collected from several sources.

E. Open Access

Open access provides a means of holding the databank and its personnel accountable.239 In Canada, an individual who disagrees with the information may insert statements into the file.240 Legal problems arise when someone other than the individual inspects the record, as in the case of minors or incompetents.241 If access is extended to include sources and uses of the information, an undue burden might be placed on the custodian of the data, thereby increasing the difficulty of obtaining confidential information.242 Costs in providing access present another problem. In 1972, the Younger Committee estimated that mailing a complete printout on every individual in the United States could cost around $2 million plus postage.243 Reports including a full explanation of the codes could cost twice as much.244 The Fair Credit Reporting Act of 1970 allows databanks to charge an individual requesting access.245 It is ironic that such a request and the subsequent visit to the databank allow the databank to gather more information on the individual.246

233. TASK FORCE, supra note 121, at 86.

234. Id. at 87.

235. Id.

236. Id.

237. Id. at 85.

238. Hearings Before the Special Subcomm. on Invasions of Privacy of the House Comm. on Governmental Operations, 89th Cong., 2d Sess. (1966).

239. ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT, supra note 42, at 59.

240. TASK FORCE, supra note 121, at 155.

241. ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT, supra note 42, at 150.

F. Systems Controls

Given the massive yet inexpensive storage capacities, it may be more costly to delete or update data than to retain it. Limitations can be placed on the kind of data that may be collected.247 Guidelines concerning updating and deleting data can be implemented.248 Nevertheless, problems still arise concerning the accuracy of data. Factual mistakes should clearly be corrected. The issue, however, is complicated when accuracy is a question of context. For example, an accurate account of unpaid debts may present a biased view without an explanation for nonpayment. If a question of context arises, the individual should be permitted to file a personal accounting. This approach is used in Canada.249

Data must be protected while in storage. Unauthorized persons who gain access to the databank could pirate or alter the information. One method of protecting confidentiality is to keep logs of those who access the files. Passwords, authentication, and authorization provide additional safeguards. Controls restricting access to the machinery itself may be incorporated into the software program. Physical processing restrictions which revoke certain features of the computer system also protect stored data.

Data output or dissemination must be protected. Exchanges of information between databanks could be restricted to persons having a demonstrable "need to know" or a common connection with the primary purpose for which the data was collected.250 Other controls include: individual approval for data exchanges, approval when the data are used for unintended purposes, and regularly providing lists of exchanges to the individual.251

G. Computer Security

Security is the technical means by which confidentiality is ensured.252


Passwords, limited access, audit logs, physical security, limitations on data links, and automatic labeling of sensitive files are examples of computer security.253 The costs of protecting privacy within a computerized system are primarily in the area of computer security. The expenses include: analysis, design and implementation of the protective system, tests and validations, operation and maintenance, salaries of security personnel, and computer time and maintenance costs.254 Hardware security costs include key-cards, closed circuit television, and shielded transmission cables.255 Password and audit procedures are added cost factors.

One commentator suggests that safeguards may cost more in "management attention and psychic energy than in dollars."256 These costs should be regarded as insurance against privacy invasions. Provisions exist that charge security costs to the subjects of the data rather than to consumers of the information. Access mechanism expenses, for example, are imposed on the individual under the New York Fair Credit Reporting Act.257

H. Cryptology

Cryptology encompasses signal security and signal intelligence. Signal security involves keeping secret the messages that pass between computers, such as telegrams, telephone conversations, and electronic messages. Messages may be put into secret form by code or cipher. Elements of the message can be scrambled or replaced by other elements. The receiver, knowing the key to the encryption, reverses the process to read the original message.

Signal intelligence involves extracting information from transmissions. These methods include intercepting messages which are in plain language, electronic impulses, and radio or radar transmissions. Cryptanalysis breaks the codes or ciphers. Cryptology makes it difficult to intercept messages passing over lines or by radio signal between users and computer databanks. As with general databank security measures, cryptology can restrict access to those having a right to the information. Costs may rise with the use of cryptology; however, further insurance against privacy intrusions would be provided.

VI. FUTURE LEGAL TRENDS TO PROTECT PRIVACY

A. The United States

Additional legal steps may be taken to ease the tension between the need for rapid availability of data and the desire to protect privacy rights.

253. ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT, supra note 42, at 244; TASK FORCE, supra note 121, at 103.

254. ORGANIZATION FOR ECONOMIC COOPERATION AND DEVELOPMENT, supra note 42, at 248.

255. Id. at 249.

256. R. FREED, supra note 230, at 45.

257. N.Y. GEN. BUS. LAW § 380e(e)(2) (McKinney Supp. 1981).
