DOCUMENTS AND COMMITTEE REPORTS Series 4Number 22

Issues RegardingConfidentiality of Datain the CooperativeHealth Statistics Systems

DHEW Publication No. (PHS) 80-1459

US. DEPARTMENT OF HEALTH, EDUCATION, AND WELFAREPublic Health Service

Office of Health Research, Statistics, and TechnologyNational Center for Health StatisticsHyattsville, Md. April 1980

Library of Congress Cataloging in Publication Data

Simmons, Walt R.Confidcntidit> Of’data in the cmlpcrati~c ilcdlth st~tisti~s s>stem.

(Vital and health st:~tistics : Series 4, Documents and cOmmittce rc})orts ; nO. 22)

(L)HEW pul]licati~)n ; nO. (PIIS) 80- 1459)BihliO+raph>: pi). 47 mld 49.1. Illedical statistics I..i\v and lcgisl:ition United States. 2. Cooperative lIcalth Statis-

tics System. 3. Public health--United States -Statistical services-- Access ajntrol. I. Title.11. Series: L’nitcd Stiites. National Ccl~tcr for health Statistics. Vital and health statistics :

Series 4, L)ocunlc]lts iind cOmmittcc reports ; no. 22. 111. Series: L’nite(l States. Dept. of

Health, F.ducation, and \Velf’Mc. DHF.\Y l)ut)lication ; no. (PIIS) 80-1459.

HA37.U1693 no 22> [KF3827.S73] 312’.0973s

[S13N ()-840 (;-01 75-1 ~ “ 1344’.73’0’4] 79-607109

NATIONAL CENTER FOR HEALTH STATISTICS

DOROTHY P. RICE, Director

ROBERT A. ISRAEL, Deputy Director

JACOB J. FELDMAN, Ph.D., Associate DirectorforAwa2ysis

GAIL F. FISHER, Ph.D., Associate Director for the Cooperative Health Statistics System

ROBERT A. ISRAEL, Acting Associate Director for Data Systems

ROBERT M. THORNER, SC.D., Acting Associate Director for International Statistics

ROBERT C. HUBER, Associate Director for Management

MONROE G. SIRKEN, Ph.D., Associate Director for Mathematical S tatistics

PETER L. HURLEY, Associate Director for Operations

JAMES M. ROBEY, Ph.D., Associate Director for Program Development

GEORGE A. SCHNACK, Acting Associate Director for Research

ALICE HAYWOOD, Information Officer

DIVISION OF THE COOPERATIVE HEALTH STATISTICS SYSTEM

GAIL F. FISHER, Ph. D., Associate Director

GARRIE J. LOSEE, Deputy Associate Director

PATRICIA M. GOLDEN, Acting Chiej Scientific and Technical Communications Staff

Vital and Health Statistics-Series 4-22

DHEW Publication No. (PHS) 80-1459

Library of Congress Catalog Card Number 79-607109

PREFACE

Initial articles of agreement set forth by the National Center for HealthStatistics under contract HRA 106-74-25 charged the contractor with undertakingactivities intended to define and outline a program of research, development,testing, and action to resolve the major issues regarding confidentiality of datawithin an emerging new program—the Cooperative Health Statistics System.

Specifications provided that the project should (1) identify the nature andcharacter of major issues having an impact on confidentiality in the CooperativeHealth Statistics System; (2) delineate programs or projects directed toward theresolution of these major issues including evaluation of existing methods andpractices, devising new practices that might resolve or lessen difficulties in thefield, and outlining those areas in which further research or development appearsnecessary; (3) suggest directions for training and guidance in making either policyor operating decisions; and (4) explore the possibility that a portion of the overallconfidentiality problem in the Cooperative Health Statistics System can bebypassed rather than directly confronted by using techniques and procedures thatyield adequate information while avoiding the risk of disclosing privileged data.

Since initiation of the project, various events, including passage of severalsignificant laws, persuaded the contractor (with encouragement from theGovernment) to expand certain aspects of the original investigation to address thecentral objective more fully.

In particular, the expansion takes into account new developments; includesanalysis of factors collateral to central concerns relating to privacy, confidential-ity, and access to data; and offers a variety of recommendations for policypositions to be implemented in the cooperative Federal-State-local healthstatistics system.

Many persons contributed indirectly to this report. Any brief list ofacknowledgments would be unfair, for it would omit proper credit to somesources for ideas that have more than one independent origin, and perhaps implyother views to which the referenced source does not fully subscribe. The authoraccepts responsibility for opinions expressed in the report, with deep appreciationto all those who through written or spoken words have influenced his thoughts.

...Ill

CONTENTS

Preface . . .... .. .. ... ... ... ... .. .. .. ... .. ... ... ... .. .. ... ... .. ... . .... .. .. ... .. ... . .... .. ... . ... .. .... . .. ... .. ... ... .. .. .. .. .. .. ...........................

Chapter IIntroduction .. .. ... . .... .. ... .. ... .. ... .. .. .. . ... .. .. .. .. . .... . ... .. .. ... ... .. .. .... . ... . .... . .... .. .... . .. ... .. .. .. .... .. .. ... ... . ....................

The Conditioning Environment ... ... ... .. .. ... .. ... . .... .. ... .. ... . .. ... ... .... . .. .. ... .. ... ... .. .. .... .. .. . .. ..... ... ... .. .. ... ... .. ..A Central Problem ... . .... .. ... . .... .. .. ... ... .. .. ... . .. .. .. .... . ... .. .. .. ... ... ... .. .. ... ... .. . .... . ... ... .. .. .... .. .. .. .. ... ... .. .. . . .. .....Perspectives ... .. ... ... .... . ... .. ... .. ... .. .... . .. ... ... .. ... .. .. .... .. ... . ... ... .. .. .. .. . ... .. .. .. .. .... .. ... .. . .. .. .. ... .... . ... .................Structure of the Report . . .... .. ... . .... .. .. ... ... .. . ... ... ... .. .. .. ... .... .. .. ... . .... .. .. .. .. .... .. .. . . .. ... ... .. ... ... .. .. ... ... .. .. ... ..

Chapter IIBackground .... . ... ... ... . .... . .... .. ... . .... .. ... .. . .... ... .. .. .... .. .. .. ... .. .... . .. ... ... .. . .. .. .. .... . ... ... . .. .. .. .. .. .. .. ... .....................

Wealth of Activity .. ... . .... .. ... .. .. .. ... .. ... ... ... .. . ... ... ... . .... .. ... .. ... .. ... .. ... .. .... .. . ... .. .. .. .. .. . ... .. .. .. . ... .. .... .. .. .......Immediate Stage Setting .. ... .. ... .. ... .. ... ... ... . ... .. .... . . .. .. .. .. . . .. .. .. .... . ... . ... .... . ... .. .. .... .. .. .. .. .. .. . ... ... ... .. .. ... ... .

Chapter IIISummary of Conclusions mdRecommendations .. .. ... .. .. ... .. ... .. .. .. . . .... .. .. .. . ... .. .. .. .... .. .. .. .. .. . .. ... .. .... .. .. .. .. ..

Chapter IVEthical and Humanistic Considerations ... .. .... . .. ... .. ... ... .. . .. .. . ... ... . ... ... .. ... ... .. ... . .... . ... .. ... . .. .. .. .. .. .. .. ... . .. .. ....

Interaction of Disciplines ... .. .. .. .. ... .. ... ... ... . ... .. .... .. . ... ... .. .... . .. .. ... .... .. .. .. .. ... . .... .. .. .. .... .. ... . .. .. .... .. .. .. .. .. ..Personal Rights .. .. ... .. .... . .. ... ... .. .. ... .. ... .. .... . .... . .... . ..... ... ... .. .. ... .. .. .. .. . ... .. .... .. . ... .. .... .... . .. ... .. .. .. .. .. ..........Informed Consent .. ... .. .. .. .... .. ... . .... .... .. . ... .. . .. . ... ... .. ... .. .... . ... . .... .. ... .. ... ... .. .. .. ... . .. .. .. .. .. .... .. .. .. .... .. . ... .....Inconsiderate Inquiry ... .. .. .. .. .. .. .. ... . .. .. .. .. ... ... .. .. ... .. ... ... .. .. .. . .. ... .. ... . .... . .. .. . ... ... . ... .. .... . . .... ... .. ... .. .. .. .... ..

Chapter VPolitical and Economic Factors .. ... .. .... .. .. .. .... . .... . .. ... .... .. ... . ... ... .. ... . .... .. .. .... .. . .. ... ... .. ... .. .. .. .. .. .. .. .. .. .. .. .. ....

Intent of the Chapter . ... .. .... . .. ... ... ... .. . .... .. .. ... . ... ... ... .. . ... . .. ... ... .. .. .. .... . ... .. .. .... .. .. .. .. ... . .. .. .. .. .... .. .. .. .... ...Political and Jurisdictional Concerns . .. .. .... . ... .. ... .. .. .. . ... .. .... . .. ... .. ... . .... .. ... .. ... . ... .. .. ... ... .. .. ... ... .. ... .. .. ... .Interaction of Politicaf and Economic Concerns . .. ... . .... .. ... . .. .... .. ... . .. .... .. . .. .. .. ... .. .. .. .. .. .. .. .. .. .. .. .. .... .. ..

Chapter VITwo Classes of Data and Two Pu~oses .... . .... .. ... . .. .. . ... ... ... . .. ... .. .... .... .. ... .. .. ... .. ... . .... . ... .. .. .. .. .... .. ... .. .. ... ...

Distinguishing Features .. .. ... .. ... . ... ... ... .. .... ... ... ... . ... ... .. ... . .... .. .. .. .. .... . ... .. ... .. ... .. ... .. . .... .. ... .. .. .. ... .. ... ... . ..Definitions and Labels ... ... ... .... .. ... ... .. ... . ... ... .. .... . ... .. . ..... . .... . ... .. .. ... ... .. .. ... . .. .. .. ... . ... .. .. ... . .. . ... ... ... .. ... . .Publicity . .. ... .. .... .. .. ... ... .. .. .. .. .. .. .... .. .. ... . .... .. ... ... . .. ... ... ... .. .... ... ... .. ... .. .. ... .. . .. .. .. .. ... ... .. .. ... . ....................Formal Designation . .. .... .. . .. . ... ... ... .. .. .. ... ... .. .. .. ... ... ... ... . ... .. .. .... .. . ... ... ... . ... .. ... ... . ... .. ... .. .. .. .... .. .. .. .. .... . ...Scope of tie Desi~ation ... .. ... .. . .... .. ... ... .. . .... .. ... . ..... .. ... . ... .. .. ... .. ... .. ... . ... .. ... .. ... .. .. ... . .... .. ... .. .. .. ... .. ... ..Notice to Providers . .. . .. . ... ... . .... .. .. .. .... .. .. .. ... ... .. ... . .. .. .. .. .. ... .. ... .. .. .. . .. ... .. .. .. ... ... ... . .. ... .. ... . .... .. ... .. .. .. .....Use of Administrative Records for Statistical Pu~oses .. . ... ... .. .. .. ... ... .. . .. .. . .... . .. ... .. ... . ... ... .. .. ... ... . ... .. ..A Policy Position . .... . .... . ... ... ... .. .. ... .. ... .. ... .. .. ... ... . ... .. ... .. ... .. .. .... .. .. .. ... .. .. ... . .. .. . ... ... .. .. .. ... ... .. .. ... . .........

Chapter VIIThe Statistical Discipline and Statistical Purposes ... .. .. . ... ... . ... .. .... . .. .. ... ... . .... . ... .. .. ... .. ... .. .. .. ... .. .. .... .. .. . ... .

Introduction . . .... .. ... .. .... .. ... .. .. ... ... .. .... .. .. .. ... ... .. ... . .... .. ... .. ... .. .. .. ... ... . ... .. .. .. ... ... .. .. .. ... .. ... .. .. ... . .............A Fundamentd Principle .... .. ... . ..... . .. ... ... .. ... .. .. ... ... . ... ... . .... .. ... .. .. .. ... ... . ... .. .. .. .. .. .. ... . .... .. .. .. .. ... .. ... .. .. ..Extensions of Statistical Purposes .... .. . ... .. . ... ... . ... .. ... . ... .. ... ... ... .. .... .... .. . ... .. ... ... .. .. ... . . ... .. . ... .. ... .. ... .. .. ..

Chapter VIIINames and Identification (ID) Numbers .. ... .. .. .. .. . ... .. .. .. .. .. .. .. .... .. ... . ... .. ... .. ... ... . ... .. .. ... .. . .... .. .. ... . ... ... .. .. ... .

Unit Identification . ... ... .. ... ... ... .. ... ... ... .. ... .. ... .. .. ... ... ... ... .. .. .. ... .. .. ... .. ... .. ... .. ... .. .. ... .. .. .. ... ... .. .. .. ... .. ... .....Suggested Procedural Practices .. .. .. . .... .. .... .. ... . ... .. ... ... .. ... . ... .. .... . ... .. ... .. ... .. .. ... . .... . ... .. ... ... . ... .. ... .. .. ... ...Social Security Numbers .. .. .. .. ... .... .. .... .. ... . ... ... ... .. .... . ... .. . .... .. ... . ... .. ... .. ... .. .... .. . ... .. .. .. .... . ... ... .. ... . .... . ...

.01

333

5

8888

10

131314151515151516

17171717

20202020

v

Chapter IXDatabanks and File Lh_iklng .. ... ... .. ... .. .. ... .. ... . .... .. . .... . .... .. ... .. ... .. ... .. ... . .... .. . .... . .... .. ... .. ... ... . ... .... . ... .. ...! .. ...

Introduction .. . .. .. . ... .. ... ... . ... .. .... .. ... . ... .. ... .. .. ... . .. .. . .... . .... .. .. ... .. ... ... .. .. ... ... .. ... .. ... .. .. ... . .... .. ... ... .............Pair of Definitions ... .. ... .. .. ... .. ... . .. .. .. ... . ... ... .. .. .. .... .. ... . ... ... .. .. .... . .... . ... ... . .... .. .. ... .. .... . ... ... ... .. . ..... . ... ... .. .Some Databank Cousins . ... .. ... . ... ... ... .. . ... ... . .. .. . ... .. .... . ... .. ... ... .. ... .. .. ... ... .. .. .... .. .. .. ... ... . ... .. ... .. .... . ..... .... .Technological Feasibility .. .. ... ... . ... .. .. ... . .... .. .. .. ... ... .. .. ... .. .... .. .. .. .... .. .. .. .. .... .. ... .. ... .. ... . .... .. .. ... ... .. ... .. .. ..Prevalence of Databanks ... .. .. ... . ... .. ... .. . .... .. ... .. .. .. ... ... . ... .. ... ... ... . .. . ... ... .. ... . .... .. .. ... ... .. ... ... ... .. ... .. ... ... .. .Linking Other Than for Databanks .. ... . ... .. . ... ... ... . ... .. .... . .... . .. .. . .. ... .. .... . ... ... ... .. ... ... ... . ... .. .... . .... .. ... .. ...Recapitulation ... . .... .. .. .. .. .... . ... .. .. ... .. ... . .... . ... .. .. .. ... ... ... .. . .... .. ... . .... .. .. .. ... ... .. .. .. . .. ... .. .. ... ... .. ... ... ... . .......

Chapter XNetwork of Participants in the Cooperative Health Statistics Systcm .... . ... . ... .. .. ... .. ... . .. .. .. .. .. ... ... .. ... .. ... .. .

Overview ... ... .. .. ... . .. . ... ... .. .. .. ... .. . ..... . ... . ... .. ... .. .. .. ... ... .. .... . .. ... ... ... .. .. .. .... . ... .. .... . ... ... .. .. .... . ....................Federal Agency Relationships .. ... .. .. .. .. .... .. . ... .. .... . .. ... .... . .. .. ... ... . ... ... ... .. ... .. ... .. ... .. .. ... . .... .. .. .... ... . ... ... ..Relationships Between NCHS and Non-Federal Organizations . . .. .. .. .. .. .... .. .. .. ... ... .. .. .. ......0... .... .. .. ... ...Central Processors ... .. ... .. .. .... . ... .. .... ... ... .. .. .. ... . .. .. . ... ... ... .. .. .. ... ... .. .... . ... .. ... .. ... .. .. ... .. ... . ... .. .. . ... .. .. ... ......

Chapter XILegislation, Regulations, and Rules . .. .. .. .. . . .... . ... .. ... . ... ... .. ... ... .. .. .... . ... .. ... .. ... .. ... .. .. .. . . ..... ... ... ... ... .. .. .. .. ...4.

Legislative Control and Protection . .. ... .. ... . .. ... .. ... . ... ... ... ... .. .. ... .. .. .. .... .. .. ... .. ... .. .. ... ... . ... ... .. ... . .... . ... .... .The NCHS Statutory Keystone . . .. .. .. .. .. .... . ... .. .. ... .. ... ... ... . ... .. .... . .. .. ... .... .. . ... ... .. ... .. ... . .. . ... .. .. ... ... .. .. .... .The Privacy Act of 1974 .. .. .. .. .. .... .. . ... .. .... . ..... . ..... . ... .. ... ... ... .. ... .. .. .. ... .. .. ... . ... ... ... . ... .. ... .. . .. .. .. ... .. ... .. .. .The Freedom of Information Act . .. .. .. ... ... . .... . ... ... .. .. ... ... .. ... .. ... ... . ... ... .. ... . ... ... .. ... .. .. ... .. .. ... .. ... .. ... . ... .The Federal Reports Act .. ... .. .. .. .... . ... .. .. ... .. ... .. .... . .... . .... .. ... .. ... .. .. ... ... .. .. ... .. .. .. ... ... ... . .... .. .. ... ... . .. ... .. ...The Paperwork Commission .. .. .. .. .. ... ... .. ... .. ... ... .. .. .... ... .. ... .. ... .. .. ... .. ... .. .. ... .. ... . ... .. ... .. .... .. ... .. .. .. .. ... .. ...Emerging Principles . .. .. ... .. ... . ... .. .... .. .. .. ... ... .. ... ... .. .. .... . ... ... ... . .. ... .. ... .. ... . ... .. .... . .... . ... .. .. ... .. .. ... .. ... .. .. ... .Unresolved Legal Issues . .. .. . ... .. .. .. ... ... .. .. .. .. .. .. ... ... ... ... ... ... .. .. .. ... .. ... . ... .. ... .. .. ... .. .. .. ... .. ... . ... .. .... . .. ... .. ....

Chapter XIIUnintentional Disclosure ... .. .... . .. ... .. .... . ... .. ... ... .. .. .... . ... ... .. ... .. ... . .... .. ... .. ... .. .. ... ... . ... .. .. .. . .. ... . .... . .. .... . ... .. . ..

Intent and Consequence ... ... . ... .. .. ... ... .. .. .... . .... . .... .. ... ... ... .. .. .. ... ... ... .. .. ... ... . ... .. .. ... ... .. .. .... . .. .. ... .. ... .. .. ...

Chapter XIIIPublic-Use Tapes . ... .. . ... .. ......0... .. ... .. ... .. ... . .. .. .. .. ... ... .. .. .. .. ... ... ... .. .. ... .. ... .. ... ...0... ... . ... .. .. ... . .. .. .. .. .. ... ... .. ... .. .

Chapter XIVAvoidance Techniques .. . ... ... . .... . ... .. . .... .. ... .. ... . .... .. ... .. ... .. ... .. .... .. .... . ... .. .... . ... .. ... .. ... .. .. ... .. .. .... . .. .. ... .. ... .....

General Comment ... . ... ... .. ... . ... .. .... . ... .. .. .... . ... .. ... ... ... .. ... ... .. .. ... ... ... . .... . ... ... ... .. .. .. .. ... . ... ... .. ... ..t ... .. .. ....Conclusion .o.. . ... ...o.$.. .. .. ... ... . .....o.. .. .. ... .. ... . ..... . ... .. ... .. ..oo..$o.$.... .. ... .. ... .. .. ... ....e.. ...o.. .. .. .. ... .. ... .. ..c. .. .. ...c

Chapter XVCustomized Variations of Procedure . . .. ... . ... .. ... .. ... .. .. ..... .... .. .... .. ... ... .. .. ... .. ... .. ... .. ... . .. ... .. ... .. .. .. ..... .. .. .. ... .

Need for Flexibility . . .... . ... .. ... .. .. ... .. ... .. .. .. ... ... . .... .. ... .. ... ... ... .. ... .. ... .. ... ... .. .. .... . ... .. ... . .. .... .. .. .. ... ... .. .. ....

Chapter XVITraining, Perceptions, and Public Relations . .. .. ... ... .. .. ... .. ... .. .... .. .... . ... .. ... ... .. .. .. ... ... .. .. ... . ... .. ... .. .. .. .. . ... .... .

Training in Ethical Standards ... . ... .. .. ... .. .... ... ... ... ... ... . ... .. .. ... . ... .. .... .. .. .. .... . ... .. ... . .... .. .. ... .. ... . .... . .. ... .. ...Real and Perceived Situations . .. .. ... ... .. . .... .. ... .. .. .. ... ... ... ... .. .... .. .... .. . ... ... .. ... .. .. ... .. .. ... .. .. .. ... .. ... .. ... ... . ...

Chapter XVIIUnresolved Problems and Lesser Issues .. .. . .... . .... .. .. ... .. ... .... .. ... ... .. ... .. ... .. ... ... .. .. .. .. ... .. .. ... ... .. .. .. ... ... . .. . ... .. .

Role of This Chapter ... ... . ... .. . .. .. .. .. .. .... . ... .. . .... .. ... .. ... ... .. .. .... .. ... ... .. .... .. .. .. ... ... .. ... .. ... .. .. ... .. .. ... .. .. .. ... ...

Rt.fcrenccs .. .. .. .. .. .... . ... .. ... . .. .. . . .... . ... ... ... . .. .. . ... .... . .... .. ... . .... ... ... .. ... ... .. ... ... .. .. . .. ... .... ... .. ... .. .........................

AppendixSelected Bibliography .. .. .. .. . ... .. .. .. ... ... .. .. .. .. .... ... . .. .... ... ... .. ... .... . .... . ... .. .. ... .. ... . .... ... .. . .... .. . .... . ... .. ... .. ... .

222222232s232424

2626262727

2929293031

::3233

3434

35

363637

3838

414141

4242

47

49

vi

ISSUES REGARDING CONFIDENTIALITY OF DATA

IN THE COOPERATIVEHEALTH STATISTICS SYSTEM

Walt Simmons, former Assistant Director for Research

CHAPTER I

INTRODUCTION

and Scientific Development

The Conditioning Environment

In recent years, and especially during thepast decade, a complex of related and partiallyconflicting principles and doctrines has taxedour ingcmuity. Issues of confidentiality, freedomof information, and invasion of privacy and theirinter:tctions have received extensive and steadilyincreasing attention from administrators, legis-lators, the courts, the press, students, andcertain sectors of the general public. Theaters ofdiscussion have varied: legislative bodies; thecourts; public, interagency, and intraagencycommittees; formal commissions; conferences;mticks in professional journals, magazines, andncwsptipcrs; regulations and procedural docu-ments; and voluminous correspondence andconversation.

This complex of confidentiality, freedom ofinformation, and invasion of privacy and itsresolution tire critical to society’s wise handlingof information. Recognition of that fact hasbrought forth many opinions on these matters.Yet there is no satisfactory synthesis of thisoutpouring as it relates to the CooperativeHcitlth Statistics System (CHSS).

A Central Problem

A common viewpoint, which is also that ofthe Icading Federal statistical agencies, is that

statistical information is most accurate when itis secured and handled in such a manner thatanonymity of persons, business establishments,and individual products is assured. The U.S.Bureau of the Census, the U.S. Bureau of LaborStatistics (BLS), the National Center for HealthStatistics (NCHS), and certain other Federalagencies have a tradition of giving such assuranceand faithfully holding to their promises. Typi-cally, a respondent to these agencies is assuredof anonymity by statements such as “All infor-mation that would permit identification of theindividual will be held confidential, will bc usedonly by persons engaged in and for the purposesof the survey, and will not be disclosed orreleased to others for any other purpose.”1Often this guarantee is underscored by declaringexplicitly that the reported information will notbe used for taxation, regulation, inspection,investigation, or any other administrative pur-pose, and will be released or published only inthe form of aggregated statistical summaries.

This policy is based on a priori judgments,supported by years of experience, that ( 1) theAmerican public is willing and even demandsthat their Govermcnt acquire sufficient informa-tion to wisely promote the ~cneral welfw-c; (2)

respondents do, in fact, sLIpply acceptably accu-rate answers to J considerable variety of govern-mental statistical inquiries when they are assuredthat those replies are handled confidentially and

are not used in any way to make administrativedecisions with respect to an identifiable personor corporate entity; and (3) there is suspicion,distrust, and a less satisfactory response whenthe respondent concludes that his answers willbe used either overtly or covertly to his personaldisadvantage.

Competing doctrines to this tradition ofstatistical confidentiality exist. One significantfactor is the presumption that democracy worksbest when the public has access to informationused by the Government in the administrationof its programs and activities and in the makingof decisions. Congress has given validity to thispresumption with the passage of the Freedom ofInformation Act (FOIA) (5 U.S.C. section 552as amended by Public Law 93-502), which, withcertain important exceptions, provides for accessto data possessed by the Federal Government.

Another qualifying consideration is funda-mental to economy of effort and burden onrespondents. If a datum has been reported toone governmental agency, the better course maybe to permit that agency to transfer the informa-tion to another agency, under specified safe-guards, rather than to allow the second agencyto collect the same datum. The Federal ReportsAct of 1942 (44 U.S.C. section 3501) tries todeal with this matter, although its ability toreach local or State data is limited.

Another perspective deserving special atten-tion in the collection, processing, and dissemi-nation of data is the concept of invasion ofprivacy. Definitions of the concept vary. Oneview is that privacy is the right to determinewhat information about ourselves we will sharewith others. Confidentiality and invasion ofprivacy are quite separate matters, but they haveintersecting domains. Confidentiality would bemuch less of an issue if no topics were consid-ered private by persons or corporations. Iftransmission of information from one entity toanother were totally suppressed, then privacywould not be a matter for concern.

These competing doctrines–the value ofassurances of confidentiality by leading statis-tical agencies, the principle of freedom ofinformation, the economy of use of the samedata by more than one agency for more thanone purpose, and the conflict between “need to

know” and “right to privacy ’’—constitute thecentral problem. They are the basic sources ofthe issues that confront the CHSS for which ap-proaches to compromise are sought in thisreport. The economy aspect is one of the keyreasons for building a cooperative statisticalsystem among local, State, and Federal agenciesin the health field. Yet the fact that operatingagencies, especially at the State and local levels,need to use specific data for various administra-tive purposes and often identify individual per-sons or business establishments tremendouslycomplicates the confidential handling of thesame or allied data by statistical agencies.

Perspectives

Resolution of the competing forces is muchmore difficult because the problem is multidi-mensional. Significantly relevant considerationsare found in the ethical, political, economical,legal, and administrative disciplines; and effec-tive operational solutions require successfulhandling of a variety of jurisdictional, proce-dural, technical, and technological matters. Thisreport discusses each of these perspcct ives.Analysis attempts to identify certain prioritiesamong conflicting objectives. However, the key-note of recommendations is the concept thatpolicies and procedures should accomplish abalance among competing goals that are de-sirable.

Structure of the Report

Chapter II outlines the background andenvironment that condition the privacy, confi-dentiality, and freedom of information complexwith which the CHSS must be concerned. Chap-ter III presents an abstract and summary ofmajor conclusions and recommendations. Chap-ters IV through XVI analyze leading issues and,in most cases, suggest resolutions of those issues.These chapters are the main body of the reportand are the basis for the summary conclusions ofchapter III. Chapter XVII discusses more brieflya number of other important, but less critical,issues and focuses attention on gaps in the anal-ysis and on problems that are not fully resolved,The appendix contains a selected bibliography.

2

CHAPTER II

BACKGROUND

Wealth of Activity

The interlocking fields of privacy and confi-dentiality are receiving searching attention fromvarious organizations, The reasons for theseinvestigations (and subsequent pronouncements)are likewise varied, and include concern overdata banks and the capacity through computersto marshall pieces of information; access toinformation by officials, researchers, statisti-cians, or citizens; doctor-patient, scientist-subject, and other provider-client relationships;police systems, insurance mechanisms, and otherdevices of social control; immunity of certainclasses of information to subpoena by courts orlegislative bodies; the need for increased volumeand detail of data demanded by today’s morecomplex social structures; physical security ofconfidential information; a person’s inherentright to privacy; and efforts to clarify distinc-tions among administrative, statistical, and re-search uses of data,

Several hundred substantial articles and re-ports, including at least a score of quite promi-nent and influential documents, have emergedfrom the investigations. Some elements of con-sensus are developing, but the wide range ofauspices and perspectives are yielding contrast-ing and conflicting proposed guidelines forformation of social policy. Inasmuch as statisti-cal activities and practices are generic conse-quences of access to and use of data, it is highlydesirable that evolving guidelines include a so-cially appropriate role for those activities andpractices.

Immediate Stage Setting

Later chapters deallegislative developments

more specifically withand with certain other

formal actions that are taking place. However, itwill be helpful to identify three relatively recentmajor events—among a number of others—thathave a special significance for confidentialityissues in the CHSS.

The first event is the passage by Congress ofthe Privacy Act of 1974. The Act is a compro-mise and amalgamation of a number of otherlegislative proposals. It is a comprehensive meas-ure, and its purpose is to provide safeguardsagainst invasion of personal privacy by requiringFederal agencies to establish procedures thatinsure that a person can learn what personalinformation the Government has, why it wasrecorded, and how it is to be used. Furthermore,this Act gives the person some degree of controlover whether he must supply information re-quested by the Federal Government. The Actwas intended to have primary impact on datathat identify individuals and are used for admin-istrative purposes. However, through draftingambiguities and varying interpretations, the Actand consequent executive regulations have hadsignificant repercussions in statistical affairs.

The second situation is the fundamentallydifferent character of certain confidentialitymatters that arise as the Nation’s major healthstatistics system changes from a highly central-ized Federal operation to a more decentralizedFederal-State-local cooperative enterprise.Through policy, legislation, regulation, and yearsof attention to the issues, NCHS has establishedsatisfactory procedures for handling confiden-tiality matters in the tightly controlled central-ized system. However, the expanded CHSSintroduces new sovereignities, new laws, newobjectives, new procedures, and a greatly en-larged arena of concern for both the rights ofindividuals and society’s need for efficientlyassembled and disseminated data.

3

The third factor, which has both influenced The Task Force and this contractor have com-the contractor’s activities and hasbeen influenced municated frequently. Although neither is .re-by those activities, is the deliberations and draft sponsible for the recommendations of the other,reports of the Task Force on Confidentiality this report and the Task Force report do haveappointed in 1974 by the Advisory Committee some common ground in both analysis andon the Cooperative Health Statistics System. conclusion.

CHAPTER Ill

SUMMARY OF CONCLUSIONS AND

1. The interlocking domains of privacy,con fidcntialit y, and informational requirementsarc receiving both extensive and intensive scru-tiny. Rightfully, the y are subjects of thoughtfuldclxite and varied actions as the Nation seeks toresolve different perspectives and partially con-flicting desiderata.

2. The central and most pervasive principlegovmning wise resolution is this: Appropriatebalance must be sought between a person’sfundamental right to a degree of privacy andsociety’s acquisition of information about itselfin order to guide its activities, and, indeed, toassure its freedom. This principle is consistentwith the basic objective of the CHSS, which is todevelop find maintain systems that provide thecountry with the maximum of useful andneeded health information at the minimum costin terms of both the rights of persons andcorporate entities and required resources.

3. No single proposition can guide the CHSSthrough the confidentiality -dissemination mwe.The search for balanced guidance must takesimultaneous account of a multiplicity of tenetstind perspectives, including ethical, political,Icgd, economical, administrative, and technolog-ic:d ones. (See chapters IV, V, X, and XI.)

4. Fundamental to productive informationalpolicies throughout the social sciences are recog-nition and widespread acceptance that there aretwo very different kinds of informational objec-tives, served by two different kinds of data. Oneobjective is the collection, processing, transfer,retriewd, tind utilization of data to deal withspecific persons or other entities. “Dealing with”encompasses such actions as licensing, registra-tion, inspection, insuring, training, regulating,servicing, diagnosing, treating, charging, and

paying,

RECOMMENDATIONS

and, thus, conveys either benefits orpenalties. This class is termed “case-actiondata”a in this report.

The other class of objectives and data isdistinguished by the fact that the identity ofindividual elements of information—persons,corporate units, products—has no significanceand accordingly is suppressed. These data arecollected and disseminated for statistical pur-poses only, which means that they appear in theformat of aggregates, averages, rates, ratios,percentages, distributions, and other functionalrelationships, and never in a manner that permitsidentification of individual entities. Typically,the statistical inquiry or compilation is accompa-nied by assurance of confidentiality given to theprovider of information, which guarantees thatdata will be used for statistical purposes only(see chapter VII for further delineation ofstatistical purposes) and will not be used, inwhole or in part, for regulation, inspection,taxation, or any administrative purpose or deter-mination about identifiable individuals; or pub-lished or released in a form that would identifyindividuals. This report advocates the term“protected data” for such statistical in forma-tion. The CHSS is concerned with systems forhandling both protected data and case-actiondata. The two systems overlap in some areas, butare fundamentally different and must be gov-erned by very different guidelines. (See chapterVI.)

5. Federal law recognizes essentials of theconcept of protected data and gives adequateprotection to data once acquired by NCHS,

a “Case-action data” replaces the term “micro-actiondata” proposed earlierby the author.

5

when the providers have been given assumncesof confidentiality. Steps should be taken toestablish further Federal and State statutoryrecognition of protected data, and of its distinc-tive characteristics throughout the CHSS. Theselaws and derivative regulations should includeprovisions that give protected data immunityfrom subpoena by courts or legislative bodies.Such legislation will facilitate the collection ofhigh-quality data, contribute greatly to theproduction of useful health information, withminimum risks to and burden on respondents.

Following a study of existing State laws,NCHS should undertake the drafting of a modelState law on CHSS confidentiality y, which canserve as both a starting point and a coordinatinginfluence on an emerging body of State law andregulations. Action on this recommendation hasbeen taken. See Model State Health StatisticsAct–a model State law for the collection,sharing, and confidentiality of health statistics.

6. Assurances of confidentiality once givenmust be honored without exception. However,three prior conditions should exist before assur-ance is given. (1) Collectors of datia shouldexercise restraint in their inquiries; no informa-tion should be requested unless there is adefinite and real need for it and an intended usethat outweighs risks to the respondents andcosts of processing. (2) Data that are collcctcdshould not be given the shelter of “protecteddata” unless such protection is judged essentialto acquisition of quality information or deemeda privilege to which the respondent is clearlyentitled. (3) The collector should be in aposition to make certain that the promise ofconfidential treatment, if given, can be keptinviolate.

7. If a single agency, such as NCHS, oper-ating under sheltering legislation, collects a pieceof information directly from, for example, ahousehold respondent, classifies the informationas “protected data,” and does not transfer it inidentifiable form to any other organization,protection of confidentiality is relatively easy tomaintain. The CHSS presents a different prob-lem. It is a network of agencies, collecting agreat variety of information from numerous

sources and disseminating those data in various

ways. In particular, certain components of theCHSS may, at times, be in possession of a datumthat will be transferred through one authorizedand designated channel for an administmtivcpurpose, while alon~ another, the same datummay be classified as “protected data” withtransfer and access restricted to statistical pur-poses only. These differing channels must bckept distinct. The terms “protected data” and“case-action data” refer to how items of infor-mation are used, whc) has access to them, andwhat their purpose is, rather than directly relat-ing to the items. The rules for transfer of datathroughout the system must be definite, widelyunderstood, and subject to sanctions if broken,One prevailing principle is this: If element B ofthe system acquires data from element A (whomight be an original or secondary respondent), Bis required to tell A under what authority thedata are acquired, for what general purpose(s),and who, if anyone, will have further access tothe data in individually identifiable form. Anyfurther transfer of identifiable data from B to Cmust be in accordance with this declaration,unless a new reIease is obtained from A. (Seechapter VI.)

8. Because the CHSS handles differing kindsof data intended for different purposes, thesystem should contain certain elements of flexi-bility that permit customized variations of pro-cedure for controlling selected classes of data.The system should be an integrated, standard-ized operation, but not every component of thesystem should be conducted in identical fashion.(See chapter XV.)

9. Unintentional disclosure refers to anydisplay of data that results in advertent access toindividually identifiable information by partiesother than the authorized custodian of thedata. This situation can occur through carelesspublication of information in categories that aretoo finely classified, inadequate physical secu-rity, or linking of files that, in combination,contain too many descriptors of the individual.

Operational” rules must be established and en-forced to minimize these risks. However, therules should not be so constrictive that theystrangle dissemination of knowledge. Because noset of precautions can give absolute protccticm

6

against sufficiently determined and sophisticatedattacks on secrecy, the CHSS should not at-tempt a defense against every possible contin-gency. (See also recommendations 10, 11, and12 and chapters IX, XII, XIII, and XIV.)

10. Linking of two data files is more diffi-cult, less necessary, and less useful than manypersons believe. Linked micro data files haveutility at low cost in certain circumstanceswhere action is to be taken with respect to anidentified person or facility. The linking ofmicro-protected data files, however, will notoften result in a benefit in CHSS that is worththe added risks and costs, or that cannot besecured by other less troublesome procedures.(See chapter IX.)

11, The public-use tape, which containsmicro data for elementary units with individualidentifiers removed, provides a highly flexibleanalytic mechanism, and is likely to become anincreasingly important device for disseminationof data. The public-use tape not only can meetmany of the needs for microdata, but, at thesame time, should reduce the demand forindividually identifiable data. Such tapes aresubject to somewhat more restrictive rules forprotecting against inadvertent disclosure thanare necessary for published tabular material. Acell of a table usually reveals only one or two,or, at most, very few attributes of the individualunits that contribute to the cell. A microtape,however, may contain 10, 20, or even more

descriptors of each unit. It is axiomatic that thelarger the number of descriptors, the greater therisk of positive identification.

12. Various procedures permit acquisition,transfer, or manipulation of microdata, and yetmake it nearly impossible to identify individualpersons or facilities. These procedures can becharacterized as “avoidance techniques .“ Theyare a fertile field for development, and meritimaginative cultivation. (See chapter XIV.)

13. Whatever systems are developed underwhatever controls, actions in the CHSS are takenby people, many of whom are employees in thesystem. The greatest safeguard the system canhave is a workforce that understands and isdedicated to the conduction of a programbalanced between providing useful statistics andprotecting the privacy and confidence of thosewho supply the information. To this end it isproposed that a vigorous and continuing trainingprogram for CHSS staff be mounted. (See chap-ter XVI.)

14. Policy and practice must be guided bywhat people think the situation is, as well as bywhat the facts are. It is therefore critical thatNCHS and CHSS vigorously promote wide un-derstanding of the essence of statistical purposesand the role of statistical information and, inparticular, maintain a public relations programthat allays unjustified fear of imagined potentialharm to individuals from misuse of statisticaldata. (See chapter XVI.)

7

CHAPTER IV

ETHICAL AND HUMANISTIC CONSIDERATIONS

Interaction of Disciplines

As noted in chapter I, a multidisciplinarycomplex that involves ethical, political, eco-nomic, legal, administrative, and other consider-ations is of concern. All of these are important,but the ethical and humanistic factors arepreeminent. The prime objective of the CHSS isto develop a fund of information that willfacilitate and enhance the planning and execu-tion of health activities for the ultimate purposeof improving the health of the population. Thisobjective requires securing the maximum usefulinformation with minimum necessary infringe-ment of the rights of any person.

Personal Rights

An unavoidable conflict between the needfor information and a person’s right to privacyexists. A good case can be made that a personhas a “right” to expect his government to collectsufficient data from other persons to be able topromote his general welfare. Every citizen mustbe willing to give up a little bit of his freedom tolive in a free society. In a given situation, it maynot be clear precisely what ethical considera-tions may dictate. It should be clear, however,that rights of the individual and humanistic con-siderations take precedence over less than essen-tial requirements of society and governments, alower dollar cost for a piece of information, orthe convenience of an administrator. When oneis faced with choosing a course of action afteranalyzing a situation in terms of cost-benefitrisk, high priority should be given to reducingthe risk to individual persons unless the benefitto society is clear and of overriding value.

In applying this principle a reminder is inorder. James B. Rulejl in commenting oncomplaints by citizens that governments ask andstore too much information about them and are,thereby, in a position to exercise too muchsurveillance and control over them, makes aseries of perceptive observations. He reminds usthat in the British and American democracies,the overwhelming bulk of governmental surveil-lance and control exists because the majoritydemand services that can be provided only ifappropriate record systems exist. Examples areSocial Security benefits, health insurance, driverregistration, tax assessments, or even oversightsof credit card privileges.

Furthermore, ethical rights are not absolute.For example, it is argued in this report that anassurance not to reveal privileged informationmust be honored. Yet that promise should beweighed against an ethical responsibility todisclose the information in court if disclosurewould save a person’s life.

Informed Consent

A very special problem in the health fieldsurrounds the question of informed consent, Awidely held view is that when a governmentrequests data from a respondent and a reply isnot mandatory, the informed consent of theperson is a prerequisite to the recording and useof a reply.

The NCHS enabling legislation, the PrivacyAct of 1974, and most other guidelines in thefield of privacy and confidentiality put consider-able emphasis on the doctrine of informedconsent. The general concept is fairly simple: Awishes to take some action that involves B; A

explains to B what this action is and what itsimpact on B may be, and asks B’s permission toproceed; assuming that B is thus fully informed,understands, and a<grees, it is said that B gives hisinformed consent; A is then justified in takingthe proposed action.

This concept is valuable and desirable in afree society; NCHS endorses this principle.However, in medical research, medical practice,or statistical activities the exact meaning ofinformed consent may not be totally clear.Informed consent presumes that the explanationof a proposed action is “adequate,” that theaffected party “fully” understands, and thatconcurrence or consent is truly voluntary. Thesi~ming of a release by the affected party mightsatisfy some legal requirement, and still not havemet the requirements of informed consent in abroader sense, For example, the release given bya Medicaid patient may involve consequencesthat were neither well explained to, nor under-stood by, the patient, and for which he reallyhad no option if he was to receive treatment.

In statistical practice there are several specialproblems. If response is not mandatory, thecollector should clearly inform the respondent.If too much of a point is made that therespondent need not reply unless he wishes,however, the collector may only succeed inbiasing results through nonresponse, or by ob-taining inaccurate response. How detailed shouldthe explanation of intended uses of the data be?How far should all conceivable impacts on therespondent be pursued? How much pressure isjustified in securing a response? Categoricalanswers to these questions are not possible.

There arc several guidelines, however, thatshould result in courses of action that will beapproved by a majority of reasonable people.

1, It is assumed that the inquiry is author-ized by law, and that there is a definitesocial need for the information.

2. It is a fact that identifiable informationwill be treated as protected data (asdescribed later in this report) when thecollector has so declared, and that assur-

3.

4.

5.

6.

antes of confidential handli,ng will berigidly adhered to.

It is a factthat the chances are near zerothat any respondent will be harmed byhis participation in the survey.

The burden on or discomfort to therespondent that inquiry and reply mayentail are minimal compared with poten:tial social gain.

The collector does explain in generalterms the authorization for the survey,why the data are needed, and, at least,one specific way in which they will beused.

In a program such as the CHSS, thereshould be clarification of what agenciesand what kinds of personnel will haveaccess to personally identifiable data, forwhat purposes, and for how long,

These guidelines should be supplemented bya most significant principle. It is proposed thatall persons interested in statistical systems un-dertake to promote and gain wide acceptance ofthis principle. The principle is intended to applyto protected data to be used for statisticalpurposes only, and means that, except duringprocessing for a restricted time, the data willnever be used, transferred, or displayed in aform that identifies individual persons or enti-ties. The principle is that a sufficient declarationof purpose is a two-part announcement that (1)states at least one specific intended usc of thedata and (2) warrants that the data will be usedfor statistical purposes only. The significance ofthis principle is that, beyond some primaryimmediate justifying objective, the creation of“statistics” is an adequate summary of purpose.All possible future uses of those statistics cannot

be set forth in detail. The principle does imply,however, that there are no purposes that willbe served through the use of individually identi-fiable data. It is proposed that, for protected

data, this principle will meet, for example, therequirement of the Privacy Act of 1974, that

9

agencies must “permit an individual to preventrecords pertaining to him obtained by suchagencies for a particular purpose from beingused or made available for another purposewithout his consent.”

This is neither a dodge nor some deviousattempt to bypass a law or other responsibility.Governmental statistics may be compiled ini-tially for a single purpose or for a set ofpurposes. Once compiled, they belong to thepeople, and not only may, but should be usedfor any purpose for which they are helpful. Thelegal provisions such as the one just quoted areintended to relate to the use of data in micro-form: for example, they might prohibit therecord of a person’s age as reported to the SocialSecurity Administration (SSA) from being usedby a State vehicle commission to deny a driver’slicense. It would be ridiculous to argue thatstatistics on number of applicants for SocialSecurity benefits by age could not be used forsome previously unstated purpose without theconsent of the applicants.

Inconsiderate Inquiry

A word should be said about a somewhatsubtle aspect of data acquisition and use thatcould arise in the CHSS. Possibly an inquiry oran intended use of an excerpt could result in noreal harm to the respondent but could have adehumaniiiing impact in the respondent’s mind,and thus be traumatic.

Respondents should never be asked to sup-ply information for which there is no authorizeduse, particularly if the inquiry is one thatconceivably could entail mental ar+guish to therespondent. Some authorized inquiries, however,probably should not be made, because theutility of the reply is not sufficient to justify therisk of possible psychic stress. For example, itwould be wise to forego questioning a patientabout his cancer therapy if there was any doubtabout whether the patient was aware of hisdiagnosis. The contention that “it would bcinteresting to know “ is not sufficient reason forasking an embarrassing or sensitive question.

10

CHAPTER V

POLITICAL AND ECONOMIC FACTORS

Intent of the Chapter

Ethical issues are central to the privacy-confidentiality -dissemination problem. A solu-tion also requires consideration of other factors.The objective of this chapter is simply tounderscore the importance of political andeconomic components of an operating system.Later chapters suggest legal, organizational, ad-ministrative, and procedural structures that alsoare important.

Political and Jurisdictional Concerns

In a narrow sense, terms such as “politics,”“bureaucratic,” “local vested interests,’? and“the Feds” denote a jurisdictional jungle inwhich the struggle for power, authority, andcontrol is ever present. In a more enlightenedcontext, political considerations imply that at-tention is paid to the structure with the bestsocial organization. In any Federal-State-localprogram there will be elements of both thenarrow and the more enlightened view. In theCHSS, largely a technical and service activity,the broader view should prevail. It would beshortsighted, however, to plan with total dis-regard to the presence of a certain amount ofjurisdictional competition. And, indeed, what toone observer may appear to be petty, narrowjurisdictional pressure, is to another responsiblesupport of legitimate political interests in thevery best sense of the term. For example, theFederal Government might request permissionto examine the statistical collection techniquesof a professional association, or might require anaudit of State use of Federal funds, believingthat these actions are a necessary part of its

responsibility to acquire quality data at reason-able cost. The professional association or theState agency, however, may feel such actions areunjustified questioning of their motives andcapabilities. Furthermore, NCHS and a Statecenter may disagree about which can be themost efficient primary collector of a particulardata set. The point is that the preferences oflocal, State, and Federal agencies will not alwaysbe identical, and a successful system must reachworkable compromises among those preferences.Compromises must also take into account theinterests of a variety of third-party groups, in-cluding such bodies as the American MedicalAssociation (AMA), American Hospital Associ-ation (AHA), Professional Activities Study,Medicare, Medicaid, Blue Cross, and Blue Shield.

1nteraction of Political andEconomic Concerns

Relationships among providers, collectors,processors, and users of data must be given at-tention in any framework. The peculiar circum-stances of a cooperative Federal-State-local pro-gram in a very large theater of activity make theinteraction of political and economic arrange-ments important in the CHSS.

The health industry is a multibillion dollaractivity. More people are employed in the healthindustry than in all of the Federal Government;more than in all of the State Governments; morethan in all of the local governments if schoolsare excluded; more than in all agriculturaloccupations; more, in fact, than in any other

single industry in the United States, unless retailtrade of all kinds is counted as a single industry.

11

The implication is clear: although effectiveplanning and conduct is dependent upon theavailability of relevant information, it is neces-sary for a significant amount of data to becollected from persons and facilities. The largevolume of data required increases the dangers ofinvasion of privacy and risks of breachingconfidentiality. The volume also emphasizes theneed to not collect data that is unlikely to beused; to avoid duplication in collection, process-ing, and dissemination. However, avoiding dupli-cation could mean increasing the number ofpersons and agencies that must handle datumbeyond the initial collector who gave assurances

of protection to the respondent, and this in-creases the risk of disclosure.

Efficiency and economy in acquiring andhandling data must be sought throughout theCHSS. Yet in building this system, care shouldbe exercised to avoid centralizing any particularfunction so that a rigid monopoly is created. Adynamic, vigorous system must remain flexibleand must be constructed so that quality assur-ance and cross-checking processes are built in.This requirement means that more than oneagent often must have access to certain micro-data and adds one more constraint to theconfidentiality problem.

12

CHAPTER VI

TWO CIASSES OF DATA AND TWO PURPOSES

Distinguishing Features

Governments and society need informationto plan, execute, and evaluate in a rationalnxmncr. The only source of much of thisinformation is the behavior, opinions, measure-mcmts, and records of individual persons andother entities. Because these same persons andentities have inherent rights of protection frominvasion of their privacy, a significant conflict ofinterest results. The solution is to secure anappropriate balance between the competing re-quirmnents for information and protection ofprivacy.

Clearly, no single step will produce thisbakmce. However, one key can open the waytowqrd solution: the recognition that there aretwo quite different kinds of informational ob-jectives, and identification of two differentkinds of data that can serve those objectives.The two kinds of data have distinctive charac-teristics, are handled differently, and togetheryield high levels of needed information withminimum risk to the privacy rights of individ-uals .

One informational objective is the creationof bodies of statistical evidence—numerical in-formation in the form of aggregates, ratios,percentages, indexes, and relationships—to beused for a great variety of purposes in planning,administration, and evaluation. These purposesdo not, in themselves, require knowledge ofidentifiable individuals, establishments, or prod-ucts. Indeed, such identification usually wouldonly clutter up analysis if it were offered to theuser. The user needs the aggregative tools ofstatistics. When he wishes to see microdata, it isonly to study distributions of anonymous enti-ties around central tendency values. (A proces-

sor will need microdata temporarily for proced-ural purposes and quality control, but unitidentification can be removed as soon asprocessing has been completed, and separatedfrom the substantive information.) We are speak-ing here of the familiar concept of data used forstatistical purposes only, as understood andpracticed by such agencies as the Census Bureau,BLS, or NCHS. For convenience, we designatesuch statistics as “protected data.” These datahave full and absolute protection of confiden-tiality guaranteed by law, are, in some instances,immune from subpoena, and are further shel-tered by legal penalties for those who mightviolate the confidential status.

The CHSS is also involved with data thatserve a second objective of great importance: themore coordinated, efficient collection, process-ing, transfer, retrieval, and utilization of data forthe express objective of dealing with specificindividual persons or other entities. “Dealingwith” encompasses such actions as licensing,registration, inspection, insuring, training, regu-lating, servicing, diagnosing, treating, charging,paying, and both helping and punishing. It issuggested that this type of information betermed “case-action data.” A case-action recordmust contain a unique and readily usable identi-fier of the individual entity to which it refers.

Certain classes of case-action data may bewithheld from most possible consumers, yetmade available to all those persons with a “needto know.” The physician’s patient record andcertain data descriptive of employees are ex-amples of information of this type. Othercase-action data may be more widely dissemi-nated, however, or even be entirely in the publicdomain–for example , name, address, size andnature of business or facilities, or name, unique

13

identifier, and occupation of licensed practi-tioners. In addition to serving their primaryindividualized objectives case-action data mayalso be aggregated and serve useful statisticalobjectives.

The CHSS is concerned with a nationalprogram to develop systems for both protecteddata and case-action data. The two systems willoverlap in some areas, but fundamentally theymust be very different systems with differentguidelines. Recognition that they are two sepa-rate systems rather than a single system is amajor step toward resolution of many perplex-ing issues. Legislation, policy, and procedureshould carry this distinction into both planningand operation. In the CHSS, the Center isconcerned primarily with protected data, andwill release other data only when they have beenjudged to be properly in the public domain.Contrastingly, State and local agencies often willbe handlers of both classes of information.

Definitions and Labels

The definitions of protected data and ofother kinds of data need to be given thoughtfuland precise formulation. The term “case-actiondata” describes a useful concept. Some mayemploy the term “administrative data” for asimilar purpose. The label “administrativedata” is, at once, both too restrictive and tooencompassing. It fails to distinguish satisfactor-ily from protected data. Protected data have thefundamental attribute that they shall not bedisclosed or knowingly cause to be disclosed bythe collector or custodian(s) by any means, in amanner that makes it possible from such dis-closure to relate the particulars obtained fromany return to any identifiable individual orentity except with the consent of the providerof the information. Protected data are utilizedonly in statistical format for statistical purposes.Case-action data are all other data, whether col-lected in their own right as descriptive informa-tion or as byproducts of other actions, but notaccorded the full nondisclosure attribute of pro-tected data. Protected data will be displayed orreleased in such aggregated forms as totals,ratios, rates, and relationships; or if in micro-

format, only with individual identification re-moved; and, in all cases, for statistical purposesonly, and never for purposes of taxation, re@a-tion, investigation, or other direct action withregard to individuals. Individually identifiableitems from protected data sets can only be trans-ferred to third parties with the consent of re-spondents. Case action or administrative datamay be used for similar statistical purposes andcan also be used in microform by those with aclear need to know, or as the holders determine,if not in violation of any other law.

The above definitions should be establishedby both Federal and State statute, at the earliestpracticable date. Pending such legislation, theyshould be promulgated as regulations of cogni-zant authority.

Another facet of these data classes must be

underscored. The terms “protected data” and“case-action data” refer to how items of infor-mation are used, who has access to the items,and for what purposes they are used, rather thanto the specific items. Any particular datum maybe case-action data in one environment orpathway and protected data in another environ-ment or pathway. To avoid latent prejudicesabout proper handling of health data, consideran illustration from another field. The circum-stances in which an original source suppliesinformation for both case-action through onechannel and protected data along another are byno means restricted to health matters.

An almost classic example is the handling ofwages and salaries by employers in the UnitedStates. An employer reports earnings for individ-uals to the Internal Revenue Service (IRS) andthe SSA for case-action purposes. Both agenciesuse the data in restricted ways and take actionsregarding individuals on the basis of the reporteddata. Many employers , using the same basicaccounting records, also report earnings to theBLS., where the information becomes protecteddata, and is used for statistical purposes only.No action is taken with respect to an individualemployee or employer on the basis of the BLSrecords, but the Nation gains valuable inf orma-tion on levels and trends of earnings andemployment in each industry from aggregatedBLS data.

14

Publicity

Successful publicity requires a climate inwhich this dichotomy of purpose is widelyrecognized and respected. Continuing vigorouspublic relations activity should have as itsobjective the development of public perceptionequal to that concerning “top secret versusother,” or “lawyer-client privileged informationversus ordinary testimony .“

Formal Designation

The term “protected data” should be desig-nated on all hard-copy documents and othertranscriptions and coded on punchcards or mag-netic tape. Forms should be printed with “PRO-TECTED DATA” in large (72-point) block let-ters. It is possible for one record to be classified“protected data” and, therefore, sheltered, andanother record containing all or a part of thesame information to have a different status be-cause of its different context.

Collectors of data have the authority todesi~nate specific information as protected data,but only within clear boundaries of authorizinglegislation and regulations. The collector onlyassigns such a designation when there are over-riding reasons for doing so. The designationmust not be overused, and never used as anexcuse for withholding administrative data.Once a record has been designated as “protecteddata,” the designation can be removed only bythe agency that made the assignment. (Legisla-tion may be necessary to prevent abuse of theprivilege of classifying information as “protecteddata.”)

Scope of the Designation

Confidentiality assured to protected datashould not be waived without consent of theprovider of the information. Numerous existinglaws, regulations, policies, and practices give, ortippear to give, exemptions to promises of con-fidentiality in certain circumstances. Prominentamong these are:

1. Court orders or subpoena for evidence.

2. Demands of legislative bodies, includingcommittees.

3.

4.

5,

Auditor’s requirements.

Rights of individuals to have access toinformation useful in promoting theirhealth, or in providing the best evidenceof their defense in legal actions.

Claims of law enforcement agencies–especially in criminal affairs.

Each of these needs has a social value, as well asa potential benefit to individuals, However,these needs can be met without overriding assur-ances guaranteed for protected data. Protecteddata invariably come from a prior provider orsource of the information. That provider orsource should be the point at which courts,legislators, or administrators seek disclosurewhen social interests require identifiable data.The only exceptions should be situations whereprofound ethical considerations outweigh theguarantee of confidentiality. (See section “Per-sonal Rights” in chapter IV.)

Notice to Providers

Whenever possible, the initial collector ofdata should inform the respondent or providerof information when information is declared“protected data.” This task may not be easy;

however, it is important to attempt it withstrong resolve. With rare exceptions, data of anindividual entity are identifiable at the point ofcollection. Through editing, processing, tran-scription, and transmission to other parties thedata are still identifiable. Therefore, policy andprocedures should provide for the separation ofsubstantive data from the identifiers at the earli-est practicable point and for notification to theoriginal provider at the time of collection, iffeasible.

Use of Administrative Recordsfor Statistical Purposes

Assume that a successful distinction is madebetween statistical and other purposes–orbetween protected data and case-action data–and that this distinction is made known toan acceptable degree to all interested parties,including relevant sectors of the general

15

public. Focus then on that other major area ofthe CHSS: the situation in which information isrecorded initially for an administrative purpose,but may be used additionally for statisticalpurposes. At this point resolution of issues ofprivacy and confidentiality is most difficult andsubject to the greatest hazards for respondents,subjects, administrators, and statisticians. Soci-ety and the CHSS must display ingenuity, care,and wisdom to secure appropriate balance be-tween need to know and protection of the indi-vidual. Under “Definitions and Labels,” at leasttwo major subclasses of data in this category arediscussed. One subclass consists of items ofinformation in the public domain-available toany person as public record. Except for misun-derstandings, errors, or mischievous actions,they constitute no serious problem. However, in-~stances of the other subclass are legion: Theyconsist of items provided or recorded initiallyfor some operational or administrative purposewith the expectation that they will be used for aparticular restricted purpose and that access tothem will be limited to persons with a definite ,need to know relevant to that purpose. Whenthey are used for any other purpose, a poten-tially serious conflict arises.

Many considerations impinge on the lattersubclass. Much of this report, as well as exten-sive literature, deals with various facets of it.Three directives are proposed:

1. When administrative data are of goodquality and pertinent to a statistical orresearch purpose, a way should befound, in the interests of cost efficiencyand improved knowledge, to make themavailable for that purpose.

2. When administrative data are made avail-able, the y must not only acquire the

shelter of other protected data but alsoretain the full protection they enjoyed asparticular kinds of administrative data.Any exception to these requirementsmust be stated in writing, and anytransfer or use must be governed by awritten protocol that has the force of acontract, if the transfer is from oneagent y to another.

3. Public perception of the consequence ofa transfer or separate use of administra-tive data may be as important as theactual effects. (See chapter XVI,) There-fore, all affected parties should beclearly informed of the actions taken,the actions to be taken, and the possibleimpact on initial respondents; or theaction and use should be restricted tocourses that cannot possibly harm af-fected individuals.

A Policy Position

Whether data are collected originally for astatistical or an administrative purpose, confi-dentiality should not be promised unless thereare persuasive reasons for doing so. In some situ-ations there are compelling arguments for assur-ances of confidentiality. However, there aremany other situations in which confidential han-dling of data would unnecessarily restrict use,and serve no important objective. The burden ofjustification for declaring a particular collectionconfidential is the responsibility of the collector,and is not to be taken lightly.

However, when confidentiality has beenassured, it must be honored by those who assureit. Preferably, their position should be protectedby shield laws–and at the very least by regula-tions and written procedures.

16

THE STATISTICAL

Introduction

CHAPTER Vll

DISCIPLINEAND STATISTICAL

enumeration of cases,

PURPOSES

presents conclusions in

The previous chapter proposes the conceptof protected data. Throughout this report andelsewhere, the expression “for statistical pur-poses” is used frequently. These terms areclosely related and already have been generallydefined. Because ideas are the substance ofstatistical agencies, further comment is merited.

The basic function of a statistical agency isto produce information useful to planners,managers, and students. This information isproduced largely by adaptation of statisticalscience methods that collect and display theessence of a body of evidence and do not allowdistracting details to overshadow main conclu-sions. Statistical discipline recognizes that thereis variation in nature and societies: single obser-vations often will be unrepresentative of theclasses from which they are drawn. Accordingly,attention is focused not on individual observa-tions or entities but on the characteristics andattributes of groups of observations and relation-ships among different groups.

The statistician provides greater informationby discovering, for example, that the averagelength of stay in a class of hospitals is 7.5 days(instead of saying that Jane Doe stayed 11 daysin St. Mary’s), or that the average length of stayis greater for cancer admissions to a hospitalthan for stroke admissions (instead of notingthat Smith stayed 3 days for a cancer admissionand Jones, 8 days for a stroke admission), orthat the average of all lengths-of-stay was 6.5days in 1974 compared with 7.3 days in 1970(instead of finding that a particular patient washospitalized in 1975 for 8 days, but washospitalized in 1970 for only 5 days for appar-ently the same condition), The statistical agency,arguing from either a sampling or complete

averages, rates, ratios, - percentages, or othermathematically expressed functional relation-ships.

A Fundamental Principle

The statistician never needs to know theidentity of individual elements of data andanalysis. The essence of his discipline is to treatelements as indistinguishable from one anotherwithin classifying categories. He has no wish toknow the individual identities, and his work isbest performed when he does not know theseidentities. He must convey this fact to allinterested parties.

Extensions of Statistical Purposes

The only legitimate exceptions to this funda-mental principle are in processing. It should bepossible in the CHSS to delineate the ex-ceptions, to write rules covering them, and toinform respondents concerning the exceptionsso that they understand and do not disapprove.

Operational control. –Case identification isnecessary for operational control to assure thatprocessing does, in fact, carry out intended datareductions. This requirement is easily met byusing a nonsense ID number that uniquely iden-tifies the datum but does not identify a personor establishment.

Quality control. –If the main processor usesinput data that are identified only by nonsenseID numbers, there must be a key some place thattranslates it to an identifiable entity to permit aquality check on the input. This key or cross-walk can be restricted to a subsample of allcases, and can be- held by someone other thanthe main processor. For example, if NCHS is the

17

main processor, the key might be held by theState partner or by a hospital supplier of data.The Center has an important responsibility,however, for the accuracy of statistics releasedunder its aegis. Therefore, NCHS must haveaccess to the key when it is necessary to exercisequality control over input. This access can belimited to selected employees under oath not todivulge the identities. The key can remain in thepossession of the original holder and neverappear on centralized Federal records.

Duplication. –A class of operations exists forwhich it is highly desirable, if not essential; thatthe main processor–for example, NCHS–haspossession of individual identifiers during aprocessing period. Two of the several situationsof this class are mentioned briefly. One situationis in the manpower field, where the State agen-cies may report to NCHS numbers and descrip-tions of licensed persons in certain occupations.Some individuals are licensed in more than oneState. Counts of persons are desired for theNation as a whole; therefore, it is necessary toeliminate duplicates from the State reports. Themost efficient way of doing this elimination isby matching individuals identified by a commondenominator, perhaps a Social Security number.

The duplication problem could be handledin a different manner, and the need for acommon identifier could be avoided. The essen-tial step would be to require that the licensingdocument and subsequent transcriptions includethe item “Number of States in which licensed.”If a particular person is licensed in three States,then in statistical tabulations this person iscounted as “1/3 person” each time he appears.The resulting totals will be correct unduplicatedcounts. In situations in which an unduplicatedcount is not the objective, the “1/3 weight” canbe appropriately adjusted.

In another situation, NCHS might samplehospitals or physicians to get information aboutpatients. The study may require for each sam-pled patient a record of his experience withhospitals and physicians. The only feasible wayto assemble such data is to know, for a period,the identity of the patient.

In both of these situations, as in others, thesolution is to (1) restrict access to the identifiersto a minimum number of sworn employees

during the processing or matching interval, (2)physically separate the key from the substantiverecord as soon as it is procedurally possible, and(3) destroy the key as soon as it is no longerneeded for processing or quality control.

Frame for sampling. –A major contributionof modern statistical theory is the introductionof probability sampling as a means of obtaininghigher quality information at lower costs. Thus,for example, it is likely that better statistics willresult from careful processing of data from aprobability sampling of 500 hospitals than froma more routine tabulation of data from auniverse of 7,000 hospitals–and at considerablyless cost. However, sampling requires at leastsome measure of identification of individualunits in the universe.

In the sampling of facilities or other businessestablishments, confidentiality is normally not areal issue. The reason is that name, address,nature of business, and “size’’-the attributesusually needed for sampling-need not be givenprotected-data status. This information can rea-sonably be considered to be in the publicdomain.

On the other hand, within a substantial classof situations, it is improper to make a list ofestablishments available as a frame for sampling.Suppose the list contains-or has been con-structed from—information that has been desig-nated as “protected data”; for example, itcontains a count of abortions performed in aparticular hospital in the previous year. It isimproper to give that list to a third party, or touse it as a frame for sampling of hospitalsconditioned on that information, or to give athird party access to the sample. The immediatereason for this impropriety is that to use the listas stated is equivalent to saying: “This is a list ofhospitals where abortions are performed,” whenthe confidentiality assurance prohibits such adisclosure. The underlying reasons are that sucha release might damage the hospital and had notbeen requested when the hospital first suppliedthe data.

Using lists of persons as frames for samplinghas most of the characteristics of the establish-ment problem with additional features. The keyhere is to explain to the respondent, when hefirst replies, the extent to which his reply may

18

be used subsequently as the frame for furthersampling or followup. Subsequent use must bewithin the bounds of that explanation. Anypotential return to the respondent might beconsidered an unreasonable demand on his time.Therefore, he needs to be given the opportunityto refuse at the first inquiry.

A delicate aspect of subsequent use ofprotected data, for frames or other purposes,hinges around the phrase “. . without his con-sent. . . .“ Suppose, in a first survey, nothing issaid about using the data for a given purpose.Later, the collector wishes to use the data forthat purpose and considers returning to theoriginal respondent and asking for consent to doso. This procedure is acceptable in most situa-tions, although it would have been better tohave foreseen the request when the data werefirst collected and to have secured consent then.In other situations, however, it is not acceptable,

for example, if the respondent has to make anew decision that is in itself compromising, heshould not be forced to make the decision.

A specialized instance of followup is foundin “two-phase” survey designs. In the first phase,the initial measurement or inquiry is to classifypersons or other entities into differing cate-gories. In the second phase, additional measure-ment or inquiries are administered to subsamplesof entities classified in the first phase. Clearlyindividual identification must be retained atleast into the second phase of operations.

The necessary and sufficient action forhandling these processing exceptions is the onestated in the first para~aph of the section“Extensions of Statistical Purposes” in thischapter: at the time of collection, informrespondents of intended procedures in such away that they understand and do not disap-prove.

19

Unit Identification

CHAPTER Vlll

NAMES AND IDENTIFICATION

Almost every datum acquired is initiallyassociated with a specific person, facility, prod-uct, or other entity. Usually the datum is taggedwith a unique identifier that relates it to thespecific entity. For persons, the likely identifieris a name or an ID number, such as a Social Se-curity Number (SSN). Sometimes the datum islinked to the person by a nonsense number, andthe key to personal identification is stored in aseparate record. Facilities likewise may belabeled with their names or with an ID number.As noted in chapter VII, the need by the statisti-cian for unit identification is not for output dis-play but for processing purposes. The recom-mended guiding principle for handling protecteddata is to separate meaningful unit identificationfrom substantive data at as early a stage in proc-essing as essential requirements permit. Thusprivacy infringements, either intentional or in-advertent, are minimized.

Suggested Procedural Practices

A mechanical device that facilitates dataprocessing while offering additional protection isthe assignment of a nonsense identificationnumber for each name of a person or establish-ment and arranging for a separate register or keythat matches on a one-to-one relationship. It ispossible, and sometimes desirable, to detach thename, address, and other identifying descriptors(along with a transcription of the ID number)from original documents at an early stage in dataacquisition and place them in a separate deposi-tory so that only the custodian of the deposi-tory knows the identity of any case.

For many sets of protected data in theCHSS–perhaps most–NCHS does not need to

possess

(ID) NUMBERS

either the name or the key. The Centerneeds only the ID number and contractualassurance that the State or other provider ofdata (and possessor of the key) will provideidentification and/or matching in a limitednumber of cases for purposes of editing, qualitycontrol, or followup. For such data sets, aconsiderable part of the Federal confidentialityproblem is resolved.

An extension of this principle and its im-plied procedure is possible in several othersituations. The State statistical agency can useit to provide protected data to other State agen-cies, to local agencies, and to certain otherconsumers, always being careful to delete fromthe microrecord items that might identify theindividual entity.

A record that contains numerous descriptorscould lead to identification of the individual,even if direct identification is removed, withsufficient desire and detective work. Althoughthis occurrence is possible, it is doubtful that theCHSS needs to protect itself against the combi-nation of malicious intent and scale of effortthat would be required.

Social Security Numbers

One of the more controversial issues inprivacy debates is the extent to which the SSNshould appear on records and be used as anidentifier. Thousands of words have been writ-ten pro and con on the matter. Several pointsstand out:

1. The SSN was not originally intended asgeneral identification as indicated oncards issued to individuals.

20

2. The Social Security Administration hasdiscouraged the use of the SSN as ageneral identifier.

3. The Federal Government has used theSSN for a wide range of identificationpurposes and, indeed, since 1943 hasrequired its agencies to use the SSN as anidentifier in any new system of person-nel records.

4. ‘ The Privacy Act of 1974, however, states,in effect, that the SSN shall not berequired by any Federal, State, or localagency under any record system inwhich it was not compulsory prior to

January 1, 1975, unless it is mandatedby specific Federal statute.

5. In fact, the SSN is widely used as apersonal identifier in the U.S. Civil Serv-ice Commission, the military, all levels oftaxing agencies, automobile and drivers’licenses, banks, insurance companies,credit card companies, private payrolls,schools, immigration authorities, andwelfare agencies.

6. Despite the Privacy Act, an increasingnumber of students of privacy mattersbelieve that the SSN is nearly a universalidentifier and is likely to become moreso.

21

CHAPTER IX

DATABANKS AND FILE LINKING

Introduction

Much of the public concern about confi-dentiality hinges on potential harmful conse-quences that might stem from the linking ofdata sets through common ID numbers or namesand the building of personal dossiers in giantdatabanks. For example, Arthur R. Miller, pro-fessor at the Harvard Law School and a seriousstudent of privacy matters, confessed that he,much like others, had “voiced the fear that thecomputer, with its insatiable appetite for infor-mation, its image of infallibility, its inability toforget anything that has been put into it, maybecome the heart of a surveillance system thatwill turn society into a transparent world inwhich our home, our finances, and our associ-ations are bared to the most casual observer:”zMany similar statements have appeared in news-papers, magazines, and books.

It is much easier to talk about such data-

banks than to construct them. However, ifconstructed, databanks could serve dangerouspurposes as well as beneficial functions. Further-more, many people advocate the building ofintegrated health records for individual persons,storing these records in databanks, and makingaccess to the record relatively easy.

Most commonly the entities in databanks arethought to be persons o? business establish-ments. However, banks in which the smallestentity or unit is a collective, such as a county orindustry, are possible. In such banks mostconfidentiality problems disappear.

Pair of Definitions

Because thisso many facets,

emotionally charged topic hasuseful communication is likely

to occur only when discussion can be focused ona few areas with recognizable boundaries. Con-sider first these definitions.

Suppose a file consists of records of individ-ual units, persons, business establishments, orother entities. The record for each entity con-tains unit-identifying characteristics 11, 12,. . .(such as name or ID number) and attributes Al,A2, A3, . . . (such as date of birth, maritalstatus, or income). A second file contains unitrecords with the same identifying characteristics11,12, . . . and another set of characteristics B] ,B2, B3, . . . (perhaps State of residence, make ofautomobile owned, and number of timesarrested in the last 3 years). The process ofmatching these two files in identifying charac-teristics and creating a new unit that containsthe information, Al , A2, A3, . . ., B1 , B2, B3,

. . . is called “file linking.” The new record mayor may not include the common unit-identifiers11, 12, . . . . (It may also be possible to mergethe two files without using the common identi-fiers, but that possibility is excluded fromdiscussion.) Either of the files might containmany entities, just a few, or even a single entity,but only files that contain a substantial numberof entities are of interest.

Clearly, it is theoretically possible to linkthree or more files to form the new record. Ifthree or more files are linked and if the unitidentifiers are retained in the new record, thenthe collection of new records is called a “data-bank.”

In the discussion that follows, attention willbe restricted to instances where the linking is ofunit records of persons or facilities, although, asnoted, the process can be applied to units thatare small collectives, such as a county, anindustry, or an occupation.

22

Some Databank Cousins

Many record keeping activities have featuressimilar to those just described, but should not beconsidered to be databanks-perhaps they couldbe called “databank cousins.” The CHSS is notmuch concerned here with databank cousins,but for background purposes a few might benoted.

Ordinary double entry bookkeeping involvesthe posting of similar items to a common ac-count; however, it is not intended that differ-ing kinds of information about a person or facil-ity be merged. The more extensive charge sys-tems such as American Express or VISA aresingle files and not databanks. The same can besaid for the university’s file of student grades,the airline’s reservation system, or the businessoffice’s records of a hospital. Merging any twoof these separate files creates linked files. Merg-ing payroll records, student records, and hospitalrecords into a file that retained person identifi-cation constitutes a databank.

Technological Feasibility

It was always theoretically possible to com-pile dossiers on persons or facilities by manualtechniques. Where policy, will, time, personnel,and financial resources are present, it is possiblemanually to merge birth, death, employment,health, military, church, financial, tax, and otherrecords for individual persons. To some degreethis merging has been done by most societies,and to a high degree by a few. However, it isdifficult and expensive. Increased use of com-mon identification numbers, such as birth orSSN’S, and the capabilities of the computer havemade linking of files and construction of data-banks less difficult and less costly. However, thisprocess is still neither easy nor inexpensive.

Even with the computer, constructing adatabank presents many difficulties. After study-ing numerous record systems, Alan Westin andMichael Baker identified four major hurdles indatabank building:3

1. Requirements for proposed databanksusually demand massive changes in com-ponent record keeping and reporting,

2.

3.

4.

and these changes meet with resistancefrom the managers of the components.

Conceptual problems in determiningwhat items are truly useful and signifi-cant result in failure to establish agreed-upon data sets that are properly main-tained, or that can be utilized for anysignificant purpose.

Software for appropriate edit, input, andretrieval of stored data in unforeseenformat demands is rare, if existent at all.People can browse through or muddlealong with imprecise records—but thecomputer, which must be instructed ingreat detail for every contingency, can-not.

Costs of problem solution and evenroutine op&ations are great, and topmanagers are most reluctant to allocatescarce resources to a low-yield databank.

Prevalence of Databanks

The construction and maintenance of largedatabanks are certainly technologically possible.However, except for a few special-purpose data-banks, notably in the fields of credit, insurance,and law enforcement, the databank in theUnited States is a possibility, not a reality. In1972, Westin and Baker found not a singlegeneral-purpose databank, either local or na-tional, in the country.3

In the medical and health fields there areproponents of and experimenters with databank-ing information pertinent to individuals. Theirlong-range goal is to accelerate diagnosis andtreatment by enabling physicians to retrieve apatient’s medical history from a remotely lo-cated central databank. Physicians may also beable to tap stored statistical data to assign“probabilities” to specified courses of treat-ment. Such databanks are future goals, notpresent realities. A few less ambitious embryoniclocal medical systems are operating, for exam-ple, the multi-state information system, whichlinks psychiatric hospitals, clinics, and outpa-tient centers in the New England area.

23

Linking Other Than for Databanks

Other demands for files do not createdatabanks. In various Federal Governmentoperations, two data files can be linked forstatistical purposes only. For illustration, busi-ness data from the Social Security Administra-tion, the Internal Revenue Service (IRS), andthe Census Bureau are linked to produce de-tailed economic information in industrial andcommercial fields. The linked data are releasedonly in aggregated form and are never used forgovernmental action regarding an establishment.

Another illustration is the use of one agen-cy’s data by another. The Form 1040 PersonalIncome Tax information for consecutive years islinked through SSN’S to show an individual’smigration and then fed into Census Bureauprocedures to estimate local population mobil-ity. The local population data then becomeinput for calculation of revenue sharing. Again,such uses are strictly statistical and not foraction concerning an individual. The IRS mayexercise enforcement action regarding individ-uals, but this action has nothing to do with thislinking operation. This situation illustrates anadministrative record as the source of both aprotected data set and a case-action datum.

In the 1970 Decennial Census, a complexevaluation project involved the linking of censusdata with birth registrations. The project wasconducted by the Census Bureau, using NCHSbirth records (with the permission of Stateagencies). The ultimate objective was to estimatethe lack of coverage in the 1970 Census bycomparing those counts with aged birth cohortsfrom earlier years. However, it was necessary todiscover the extent of underreporting of birthsthrough a reverse record check on a sample ofpersons to determine if birth certificates existedfor them.

In some situations, (see chapter VII), twofiles may be linked to forma comprehensive butunduplicated frame or directory of a universe offacilities. Such situations occur if a mailing ofnotices to all firms in the universe is requested,or if one wishes to draw a probability samplefrom a high-quality frame.

Researchers and program planners makepersistent demands for linked files for multi-variate analysis. The objective is to identify

variables that explain or predict a dependentphenomenon of prime interest. With a single file,the analysis may be able to relate, for example,only the dependent and two independent vari-ables. By linking two files, the analysis may beexpanded by considering three additional signifi-cant predictors. The logic of this argument ispersuasive. Yet aside from questions of confi-dentiality, three considerations that lessen theforce of the demand for linked microdata filesare:

1.

2.

3.

Only in a few examples of this tech-nique, important results that could nothave been obtained by other methodswere secured from linked microfilms.

A method that deserves more intensivestudy is substituting small collectives ofpersons for individuals as the units ofanalysis in multivariate equations.

Often the attempt to integrate twobodies of data into clean individualrecords faces substantial operational dif-ficulties. Such hurdles are different clas-sification systems in the two files, dif-ferent coverages , incomplete individualrecords, different time references, differ-ent substantive definitions, differentcomputer formatting, lost or incorrectdocumentation, and inadequateresources.

Recapitulation

Many people fear linking of two files ofidentifiable microdat a. Even when the linkingis for statistical purposes only, it does increasethe risk of undesirable disclosure or exposure toinvasion of privacy—albeit, nearly always to atrivial degree. Earlier sections of this chapterdiscuss significant features of the linking prob-lem. The linking of microdata files is some-times useful, but it is usually difficult andexpensive and often neither necessary nor veryproductive. Recommendations are as follows:

1. Use the linking of micro data files infre-quently because it is potentially danger-ous to confidentiality and use it onlywhen the intended product is both

24

highly valuable and unattainable byother means at a tolerable cost.

2. Employ available techniques to camou-flage the identity of the linked micro-data, and make certain that the ensuingrisk of harm to individuals or facilities isinconsequential.

3. Inform the respondent at the time oforiginal collection of a data set that alinking operation is intended.

4. Never use protected data in a linkingoperation that results in a data set usedfor case-action purposes.

25

NETWORK

COOPERATIVE

Overview

CHAPTER X

OF PARTICIPANTS IN

HEALTH STATISTICS

THE

SYSTEM

experience. However, specific and clearly under-

The concept of the CHSS encompassescollection, processing, analysis, and use of dataand implies corresponding interacting relation-ships among the collectors, analysts, and theultimate users. This report cannot declare whatthe organizational structure of this systemshould be. A broad spectrum of political andeconomic considerations will be the major deter-minants of that structure. Legislation is not theleast of these considerations, and certain legisla-tive concepts will be discussed in the nextchapter. This chapter discusses the impact ofmatters of privacy and confidentiality on organi-zations and the influence of organizationalstructure on both policy and procedures in datahandling.

Entities that are or may be participants inthe system are NCHS and other Federal agen-cies, State Centers for Health Statistics andother State departments, municipal bodies, Pro-fessional Standards Review Organizations(PSRO’S), Regional Medical Pro~ams (RMP’s),the Planning Organizations under Public Law93-641, AMA, AHA, other professional associa-tions, Professional Activities Study (PAS), othercentral processors, and subcontractors. Essentialelements, too, are the health services providersand recipients, which are the sources of thedata: hospitals, institutions, physicians, nurses,patients, registrars, laboratories, and households.Legislators, budget authorities, schools, stu-dents, and the general public for whom theentire enterprise is undertaken also participate inthe system.

A viable system should be flexible to adaptto changing situations and to take advantage of

st;od relationships r~garding confidentialityshould be established among all the participantsin the system. The target should be clear, andthere should be a common understanding ofwhat information will be made available bywhich providers and to which collectors; whatdegree of confidential handling of data will beexercised by those collectors; and, in particular,for whom further access to the data will beauthorized and for what purposes.

Thus, guidelines and rules governing confi-dentiality throughout the system are needed.The organizational structure should be con-structed so that the rules are known to all af-fected parties and can be enforced, No singleagency or component of the system is autono-mous–cooperative development is the main-spring of successful operation. However, everycomplex activity needs a coordinator, and onissues of confidentiality in the CHSS, NCHSshould accept the responsibility of coordinator.

Federal Agency Relationships

Confidentiality relationships among Federalagencies, and particularly between NCHS andother Federal agencies, are largely fixed by law(see chapter XI). Although certain modificationsof existing law may be desirable, confidentialityrisks to which NCHS and the CHSS may besubject are minimal within the Federal establish-ment. Data acquired by NCHS under assurancesof a classification equivalent to protected datahave immunity from use in individually identifi-able form by any agency (including all FederalGovernment agencies) outside NCHS, withoutthe consent of the provider. Contrastingly, any

26

data acquired by NCHS but not given protecteddata shielding can be potentially in the publicdomain and available to all, including anyFederal agency.

As an integral part of its role as architect andhandler of protected data, the Center shouldensure that other units of the Public HealthService and the Department of Health, Educa-tion, and Welfare (DHEW) stand in the samerelationship to NCHS regarding dissemination ofdata as does any other component of theFederal Government. Legislation may be intro-duced to give special status to a designated set ofFederal general-purpose statistical agenciesamong whom protected data may be shared. Asomewhat controversial issue is whether NCHSmight be required to permit use of identifiableprotected data for statistical purposes only byother units of DHEW under provisions of thePrivacy Act of 1974 or even by Federal agenciesoutside DHEW under provisions of the ReportsAct of 1942. The Center has opposed success-fully such interpretations up to the present,Even if this use were permitted, the data couldcertainly not be used “in whole or in part inmaking any determination about an identifiableindividual.”A

Relationships Between NCHSand Non-Federal Organizations

NCHS formal agreements regarding confi-dentiality outside Federal Government agenciesshould be restricted to two categories. Onecategory is a single designated agency withineach State. According to Section 306(e) ofPublic Law 95-623 “States participating in theSystem shall designate a State agency to admin-ister or be responsible for the administration ofthe statistical activities within the State underthe System.” Preferably this agency wiIl be aState Center for Statistics or a State Center forHealth Statistics, but it could be any governme-ntalunit chosen by the Governor.

To maximize understanding and minimizeState-Federal confusion, the basic guidelines,authorities, and contracts involving healthbodies within the State and regarding healthstatistics should be between those bodies andthe State Center or between the State Center

and NCHS. Special agreement might grant lati-tude for division of a State into two parts-forexample, New York City and upstate New Yorkor Chicago and downstate Illinois-if the Statechose to do so.

For metropolitan areas that cross State lines,one State could serve as the official contact forNCHS, with local arrangements being coordi-nated in both States by one designated StateCenter.

The second category with which NCHSmight have formal arrangements is original sup-pliers of data. These arrangements would bemade with the knowledge of, and at timesthrough, the State Centers. However, in somesituations NCHS must proceed independently ofState Centers and inform them of arrangementsthat have been made. Such situations are theHealth Interview SurVey, the Health Exami-nation Survey, the Survey of Ambulatory Care,other national surveys that are not operationallya part of the CHSS, and agreements reachedwith certain agencies such as SSA, PAS, AHA, orthe Census Bureau. A particular subclass of thistype is State or local agreements in otherprograms in States that have not established aState Center.

Central Processors

Much can be said for the establishment of aState Center for Health Statistics or even a StateStatistical Center, as a central depository and asan initial data collector, central processor, anddistributor of data to Federal, State, municipal,PSRO, planning agencies, and other consumers.This idea is not fully developed here; but de-tailed development of the concept of the imme-diate question of central processing and theoverall network treated in chapter IX is needed.The Statistics Center should be a permanentState agency, or a State corporation charteredspecifically for this purpose. It cannot be eitheran ordinary private establishment or some adhoc component of a temporary communitycoalition.

Metropolitan areas that cross State lines maybe handled by formal State compacts.

The statistics center should be established bystatute, and the nature of operation should be

27

watched carefully, Enabling legislation such as be a governmentally chartered organization isStatistics Canada (with much modification) gives that NCHS and the CHSS cannot avoid responsi-a starting point for new enactment. bility for the integrity of the system, and yet

The reason for this latter recommendation cannot exercise effective control without lineand the reason that the central processor should authority based on law.

28

CHAPTER Xl

LEGISLATION, REGULATIONS, AND RULES

Legislative Control and Protection

The privacy-confidentiality-freedom of in-formation complex generates conflicts and an-tagonisms, In a society governed by law, it isessential that a legal framework be built to guidedecisions made in the confidentiality realm. Forthe CHSS the framework is based on bothFederal and State law and derivative regulations,orders, and instructions; adequate coding andindexing of these legal materials are required.

This need has been widely recognized andhas resulted in a flood of statutes, regulations,rules, and court cases. More. than a dozenFederal statutes, tens of thousands of words inFederal regulations , voluminous Federal rulesand procedural statements, and uncounted Stateprovisions have important bearing on the CHSS.More than 200 bills on privacy and confidenti-ality were introduced in the 93rd Congress, andmany were reintroduced in later Congresses.Codification or even a digest of these pro-nouncements is beyond the scope of the presentproject. Here, attention is directed to some ofthe most significant Federal legislation in thearea, a few of the emerging legislative principles,and the need for further action.

The NCHS Statutory Keystone

The keystone of NCHS policy and practicein the protection of confidential data has beenrestated in the revised enabling act for theCenter. The Public Health Service Act (42KJ.S.C. 242m) provides in section 308(d) (sec-tions 304 and 306 refer to authorization forbasic NCHS activities):

“No information obtained in the course ofactivities undertaken or supported under

section 304, 305, 306, 307, or 309, may beused for any purpose other than the purposefor which it was supplied unless authorizedby guidelines in effect under section306( 1)(2) or under regulations of the Secre-tary; and (1) in the case of informationobtained in the course of health statistical orepidemiological activities under section 304or 306, such information may not be pub-lished or released in other form if theparticular establishment or person supplyingthe information or described in it is identifi-able unless such establishment or person hasconsented (as determined under regulationsof the Secretary) to its publication or releasein other form, . . .“

This statement is the current revision of theformer NCHS confidentiality section 305(a) ofthe Public Health Service Act.

All NCHS procedural controls are consistentwith this statute; equivalent Center policy ante-dates the passage of law. The clause beginning“(l) in the case of information” puts the sharp-est teeth into the law—it limits the Secretary’sdiscretion (as well as that of the Center) todefining “consent .“ This law, too, is the basisfor the following explanation in DHEW regula-tions, which exempt NCHS data from many ofthe requirements of the Privacy Act of 1974that could be troublesome to the CHSS:

6<. . . Section 308(d) of that Act requires thesesystems of records to be maintained andused solely as statistical records. . . . Theinformation contained in these records is notused in whole or in part in making anydetermination about an identifiable individ-ual, and as required by section 308(d) it is

29

not published or released in a form whichwould identify the individual who supplies itor the individual who [sic] it is about. . . .Currently, much of the information con-tained in these records is obtained throughthe voluntary cooperation of States, local-ities, hospitals, physicians, family planningagencies, and other organizations with theunderstanding that the National Center forHealth Statistics will not disclose to anyonethe personally identifiable information sup-plied by these sources.”

The Privacy Act of 1974

As a result of debate over a wide range ofrelated issues, the 93rd Congress passed a com-promise omnibus bill, sponsored by SenatorErvin and Congressmen Moorhead, entitled thePrivacy Act of 1974. This legislation is verycomplex and, in its text and accompanyingexplanation from the cognizant congressionalcommittees, includes more than 9,000 words. Itsprecise and full meaning may not be known forseveral years, until supporting regulations, inter-pretations, and perhaps court decisions clarifyambiguous and partially conflicting provisionsand objectives. Paired with the Freedom ofInformation Act, as amended in 1974, thePrivacy Act is the most comprehensive generalFederal statute on confidentiality y. The followingare especially notable:

1. The title of the Act and its introductorysections declare that protection of pri-vacy is the primary objective and thatthe right to privacy is a personal andfundamental right protected by the Con-stitution of the United States. A furtherstatement is that it is necessary andproper for Congress to regulate thecollection, maintenance, use, and dissem-inateion of information by Federalagencies.

2. The Act also declares, however, that the“use of sophisticated information tech-nology . . . is essential to efficient opera-tion of the government” and that regula-tions should permit exemptions from theprotective requirements of the Privacy

3.

4.

5.

Act in cases “in which there is animportant public policy need for suchexemption as determined by specificstatutory authority .“ (This provisionproduced the DHEW regulation quotedin the previous section.)

The Act notes the requirements of theFreedom of Information Law and doesnot seek to repeal any of its provisions,Therefore, the text of the Act and itsinterpretations are new landmarks in thesearch for balance between protection ofprivacy and confidentiality and the pub-lic’s right and need to know.

In considerable measure the Privacy Actprovides that an individual can deter-mine what records pertaining to him arecollected, maintained, used, or dissemi-nated by Federal agencies, and can pre-vent those records, collected for a partic-ular purpose, from being used or madeavaiIable for another purpose without hisconsent.

The exceptions are far reaching and (sub-ject to interpretation) may open widequite a few ‘doors. Some exceptions toprotective control (agencies are requiredto formulate regulations on these mat-ters, and the Office of Management andBudget (OMB) is their overseer) are thefollowing:

a.

b.

c.d.

e.

f,

Investigative material compiled forlaw enforcement (with some counterexceptions).Investigative material relating to suit-ability for employment and relatedtests.Certain archival records.Data transferred to a person pursu-ant to disclosure of compelling cir-cumstances affecting the health orsafety of an individual.Data in “routine use” defined as“the use of a record for a purposecompatible with the purpose forwhich it was collected.”Data given to a congressional com-mittee on a matter within its jurisdic-tion.

30

6.

7.

~“

h.

i.

j.

Data needed for the Com~trollerGeneral of the United States. ‘Data to “a recipient who has pro-vided advance written assurance thatthe record will be used solely as astatistical research or reporting re-cord, and the record is to be transfm-red in a form that is not individuallyidentifiable. ” (Substantial ambiguityof intent results from the way thisprovision is phrased.)Data pursuant to subpoena by thecourts.Material controlled by another law,such as the NCHS law quoted in thesection, “The NCHS Statutory Key-stone.” The reason for this exemp-tion is that the Act does not intendto repeal other laws.

Regarding penalties for infractions of thePrivacy Act imposed upon agencies con-tracting with a Federal agency, the con-tractor and employees of the contractorshall be considered to be employees ofthe Federal agency and thereby subjectto being declared guilty of a misde-meanor and fined up to $5,000.

The Privacy Protection Study Commis-sion was established with broad powersof investigation and study and a chargeto make further recommendationswithin 2 years. The President appointedthree members of the Commission; theHouse and Senate appointed two mem-bers each. The Commission published itsreport, entitled Personal Privacy in anInformation Society, in July 1977.

The Freedom of Information Act

The counterpoint to the Privacy Act is theFreedom of Information Act (FOIA) asamended in 1974 and 1976. The public isproperly concerned not only with unwarrantedinvasion of privacy and improper use of privi-leged data but also with refusal by governmentsto reveal information that should be in the pub-lic domain. The CHSS must be concerned withboth of these hazards.

Congress has tried to deal with the second ofthe two risks through the FOIA. This lawdeclares that—with important exceptions—records possessed by the Federal Governmentmust be made available to any person, upondemand, at cost. Among the exceptions impor-tant to the CHSS are: (1) data specificallyexempted from disclosure by statute (e.g.,NCHS 308(d))b ; (2) personnel, medical andsimilar files, the disclosure of which wouldconstitute a clear, unwarranted invasion ofpersonal privacy; and (3) certain classes ofprivileged or confidential data. The FOIA im-poses no unmanageable restraints on the CHSS,and on the contrary, is an incentive to promotewide dissemination of data in all situations inwhich confidentiality is unnecessary and has notbeen assured.

The Federal Reports Act

The Federal Statistical System is coordi-nated by OMB in the Executive Office of thePresident,’ under the provisions of the FederalReports Act of 1942 (44 U.S.C. 3501) and theAccounting Procedures Act of 1950 (31 U.S.C.18b). These two Acts give authority to OMBthat includes legislative review functions, allo-cation of budgets, and the right to withholdapproval of any reporting plan. Concern hasbeen expressed over certain sections of theReports Act that may give the OMB Directorauthority to require any Federal agency to giveto any other Federal agency information ob-tained from any person.

However, careful reading of the Act revealsrestricting provisions that, in conjunction withNCHS section 308(d), leave the CHSS immunefrom the Reports Act regarding improper access

bThe Govement ~ the sunshine Act of 1976amended this provision by adding: “(other than section552 b of this title), provided that such statute (A) re-quires that the matters be withheld from the public insuch a manner as to leave no discretion on the issue, or(B) establishes particular criteria for withhoMing orrefers to particular types of matters to be withheld.”

cAdministered in part since 1978 by the Secretaryof Commerce.

31

to confidential data. Relevant Reports Actprovisions are:

“Information obtained by a Federal agencyfrom any person or persons may, pursuantto this Act, be released to any other Federalagency only if (1) the information shall bereleased in the form of statistical totals orsummaries; or (2) the information as sup-plied by persons to a Federal agency shallnot, at the time of collection, have beendeclared by that agency or any superiorauthority to be confidential; or (3) thepersons supplying the information shall con-sent to the release of it to a second agencyby the agency to which the information wasoriginally supplied; or (4) the Federal agencyto which another Federal agency shall re-lease the information has authority to col-lect the information itself and such author-ity is supported by legal provision forcriminal penalties against persons failing tosupply such information .“

Furthermore, if any information is transferredfrom one agency to another, the data-protectinglegal restraints and penalties of both agencies forimproper use apply with full force to theofficers and employees of the receiving agency.

The Paperwork Commission

Another act passed by Congress on Decem-ber 27, 1974, created the Commission onFederal Paperwork. The charter for this Com-mission is to “study and investigate statutes,policies, rules, regulations, procedures and prac-tices of the Federal Government relating toinformation gathering, processing, and dissemi-nation, and the management and control ofthese information activities.”” The Commissionwas instructed to give a final report to Congresswithin 2 years of its first meeting (which washeld in early Ott. 1975). Clearly, the charter wasbroad enough to permit recommendations thatmight affect the CHSS in many ways, including

the issues of privacy, confidentiality, and trans-fer of data.d

dThe Commission’s report was published on Oct. 3,1977.

Emerging Principles

Various well-supported propositions likelyto condition the formulation of CHSS policiesare as follows:

1.

2.

3.

4.

5.

6.

7.

Persons have a fundamental right toprivacy, and this right should not beinfringed upon beyond the truly neces-sary requirements of society.

Providers of data to governmental agen-cies are entitled to know under whatauthority the data are being collectedand for what purposes.

An individual must be able to preventthe use of personal information that wasobtained for one purpose from beingused for other purposes without hisconsent. (See chapter VII and the sec-tion “Statistical Purposes” in chapterXVII for a discussion of “purposes” relat-ing to statistical purposes, See also thesection “Informed Consent” in chapterIV for comments on “consent.”)

Transfer of personally identifiable datafrom one custodian to another shouldoccur only in accordance with carefullyformulated and widely understood writ-ten rules.

Democratic societies and their govern-ments agree that a wide range of datashould be collected and analyzed so thatplanning and execution of social pro-grams can be performed on a rationalbasis. (This principle is embodied in theSocial Security Act, in health planninglegislation, in licensing requirements, andin many other statistics.)

A basic difference exists between infor-mation collected and used only as statis-tical evidence (what this report hastermed “protected data”) and personallyidentifiable data used directly to affectthe rights, benefits, privileges, responsi-bilities, duties, or proscriptions of indi-viduals.

Freedom of access by all to data that arenot privileged or confidential should be

32

inherent. Governments should not cate-gorize data as privileged unless the classi-fication is necessary to secure accuratereporting or to prevent individualsfrom being unjustifiably subject to harm,

8. Certain classes of privileged data should 6.be immune from subpoena by the courtsor legislative bodies.

Unresolved Legal Issues

Adequate legislation is an evolving condi-tion. Of special concern to the CHSS are legalissues that currently are oversights such as:

1.

2.

3,

4.

5.

A clear distinction between “statisticalpurposes” and “administrative pur-poses.”

Rules that secure an acceptable balancebetween the statistician’s need for access 7.to data that the holders consider confi-dential and his legal protection fromforced release of data that he has grantedprivileged status.

Guidelines for resolving situations whereFederal and State law may conflict.

Determination of what operationallyconstitutes “informed consent.”

rules, circulars, procedures, and allieddocuments must be compiled, coordi-nated, and indexed into a single printeddocument, and made available on abroad scale. This activity is urgent.

Regarding State law, it is unlikely thatthe same procedures can be accom-plished. However, steps should be takento develop guidelines, and examplesshould be assembled, Summaries alsoshould be attempted as resources permit,A contract to do this for several Stateswas a step in the right direction. Begin-ning with “zero draft” and progressingthrough many revisions, NCHS shouldwrite the model State laws, regulations,and procedures. In fact, section 306(d)of Public Law 93-353 required that thisbe done .e

Financial auditing procedures are anessential safeguard against malfeasance ingovernmental and other offices. In whatmanner and to what degree should audit-ing be allowed to infringe on privacy andconfidentiality ? This question is onlyone facet of the more general issues oflegislative oversight of the executivebranches.

Coding and abstracting Federal law. Allrelevant Federal statutes, regulations, eSee Model State Health Statistics A c t.

33

CHAPTER X11

UNINTENTIONAL DISCLOSURE

Intent and Consequence

Governments plan to secure needed informa-tion and to protect the affected respondents andsubjects. The CHSS must recognize, however,that plans and intentions may not be fullyrealized, and consequently must try to incorpo-rate safeguards that will minimize unwantedoccurrences. This subject is not treated in detail,but several types of safeguards for which provi-sion should be made are noted as follows:

1.

2.

3.

Legislation, regulations, and rules ofoperation should provide sanctions andpenalties for employees, officers, andother parties who fail to comply withguidelines.

Physical security of records should beprovided, both to assure actual protec-tion and to create a climate of recog-nized importance. Malicious violation ofsecurity in the CHSS is a.minor problem,but the public should be informed thatsuch violation is carefully monitored,

For each type of data, formal rulesshould be established and followed toprevent inadvertent disclosure from tab-

4.

5.

ulated data, with special attention to“small cells” and unusual combinations.

An individual possibly maybe identifiedfrom a record if the record containsmultiple descriptors even if it does notshow a name or an ID number. Editorsmust be alert to avoid such releases.

Another sequence that may violatesecurity of a file—either inadvertently orintentionally—even when the primaryfile contains no directly identifiablename or number and only a small num-ber of descriptors is what might betermed the “serial linking potential.”Suppose Primary File I contains attri-butes A and C and a nonsense case code1. File II contains attributes C and D andcases codes 1 and 2. File 111contains at-tributes E, F, G, and H and case code 2.Although Files I and III are not tied atall, it is still possible to establish the fullrecord: A, B, C, D, E, F, G, and H andpossibly the identity of the person, Nouniversal solution exists for this prob-lem. Fortunately, the CHSS should notbe faced with it often. Recognition ofthe possibility of serial linking shouldusually provide sufficient knowledge toavoid its happening.

34

CHAPTER Xlll

PUBLIC-USE TAPES

Traditionally, release of statistical data hasbeen intheform ofpublished tables. Transferordata in unit form has occurred most often bypaper on microfilm copy or punchcard. Concep-tually, these transcription devices make possibleevery computer activity. However, potential ofrapid computer transcription and association ofdata items are viewed as hazardous to the pro-tection of personal information. The computerdoes make the transfer of data and the mergingof different items of information about a givenperson or facility easier. The computer also hasbroadened the way for a flexible use of micro-data that may actually reduce the risk of misuseof data for individuals-the concept is one ofpublic-use tapes,

The public-use tape is a magnetic tape ofindividual records, with direct personal identifi-

cation and other potentially identifying itemsremoved so that the tape can be made publiclyavailable. This device permits researchers orother investigators to manipulate and analyzemicrodata in useful ways without access to theidentification of individuals. The public-use tapethus allows nearly all of the research benefitsthat access to identifiable records would pro-vide, with less overall cost, and significantlyreduces the demand for identifiable data.

The Center has published a report6 thatdescribes available NCHS public-use tapes andidentifies the measures taken to protect confi-dentiality. Participating units of the CHSSshould expand the public-use tape program,while preserving confidentiality by developingappropriate rules for necessary item suppressionfor the various kinds of data released.

35

CHAPTER XIV

AVOIDANCE TECHNIQUES

General Comment

Many of the problems and issues in theprivacy, confidentiality, and freedom of infor-mation complex are difficult. For some, nodirect solution that has wide acceptance can befound. Perhaps for others, no direct solution isnecessary. Identified here are a few bypassing oravoidance techniques that make it possible toreach informational objectives without yieldingaccess to microdata that identify individualpersons or establishments. Some of these meth-odologies have special relevance to those confi-dentiality problems that are present in linkedmicrodata.

Aggregated data.–The simplest avoidancetechniques are restriction of access to microdatato the collectors and processors and publicationor release of data only in aggregated format.Although these techniques are clearly not theanswer to all problems, they may be the answerto many more than is apparent. In programplanning, execution, or evaluation, aggregateddata may be fully adequate or even economi-cally more efficient than microdata.

Microaggregation. –This relatively new de-vice seeks to retain a considerable part of theadvantage of micro data, while utilizing onlyaggregated quantities. Many variations exist. Anillustrative one sorts persons into small units of,for example, five people; then calculates anaverage value for each of the statistics of interestfor each unit. These average-valued small unitsbecome the units of analysis. In a refinement orvariant of this process, a distinct new value isassigned to each of the five persons in a smallunit. The new value is the average of the fiveplus a random normal deviate (the size of thenormal deviate was calculated from severalsimilar groups of five persons).

Random contamination. –A different, butsomewhat similar technique adds the randomnormal deviate to the observed value for eachperson. This process also preserves the overalltotals and means, but camouflages the data foran individual person. It tends to preserve thedistribution of cases that would result fromusing original data.

Random substitution. –In this variation, afirst random number is selected to decidewhether to leave an original microdatum un-touched” or to modify it; if it is to be modified,another random number is chosen to be theselector of a substitute measure for the observedmeasure—the substitute measure being one pos-sessed by another person in the survey,

Range measurement. –For many purposes,an exact measure of a characteristic is unneces-sary (an exact measure may be nearly impossibleanyway). If the statistic is income, then insteadof asking for annual income initially, the ques-tion is put in terms of “intervals” or “ranges,”so that, perhaps, the income is primarily re-corded as “between $5,000 and $10,000.” Therespondent may consider such information asnonsensitive, and, thus, the confidentiality issueis avoided.

Randomized inquiry. –This technique, calledby some the random response procedure, hasmany possible variations. Its essential feature isthat the original collector never knows how therespondent replied to a particular question, oreven if he did. Yet summary measures areobtained, with calculable precision.

Synthetic estimates. –This general methodol-ogy also has many possible variations. Thecentral characteristic is the use of an algorithmto calculate an “expected value” for a unit orclass of units, by utilizing a weighted average ofrates obtained from a larger conglomerate, with

36

the weights established by known, nonsensitivecharacteristics of the units or small class ofunits. Some students prefer to think of this as aspecial case of substituting the value obtainedfrom a fitted regression equation for an observeddatum.

Responsible constrain t.–Possibly the bestrule of all is the adoption of a policy ofresponsible constraint. This method advocatesthat one not collect an item at all, unless theneed is clear-cut and the value of the informa-tion outweighs the risk of privacy infringement.(What a person does not know he cannot reveal.)In a similar vein, it may be better not to linktwo microfilms, to display tabulations of mar-ginal value with possible unintentional disclo-

sures, or to employ unnecessarily refined classifi-cations of persons or facilities.

Conclusion

If the objective is a census count of hospitalsor physicians by county, the avoidance tech-niques are not relevant. However, a large part of

the CHSS output is expressed as means, aver-ages, ratios, rates, correlations, and other statisti-cal measures. Ingenuity in formulating avoidancetechniques can produce unbiased estimates ofsuch measures with adequate camouflage ofidentifiable persons. This approach may be amq”or pathway toward resolution of problemsthat are otherwise unsolvable in a climate that isincreasingly sensitive to confidentialityy issues.

37

CHAPTERXV

CUSTOMIZED VARIATIONS OF PROCEDURE

Need for Flexibility

“System” implies a structured, integrated,standardized operation that is under control.The CHSS is a system, and should govern itselfaccordingly. This fact does not mean, however,that every component of the CHSS should beconducted in identical fashion. Some compo-nents of the CHSS are, in effect, intended asefficient mechanisms for assembling, processing,and redistributing information that is largely abyproduct of certain administrative functionsand is in the public domain. Other units, givingassurances of confidential handling, collect datawhose only function is statistical. Still otherunits are engaged in activities that are a mixtureof these other, two. (See “Definitions andLabels” in chapter VI.) The policies and pro-cedures most appropriate to the differing situa-tions also vary. The present chapter offers exam-ples of how the CHSS, operating under abasically uniform set of standards, can still tailorits treatment of particular components to specialcircumstances.

The self-standing direct collection samplesurvey. —This survey refers to the classical statis-tical sample survey in the tradition of the CensusBureau Current Population Survey, or the NCHSHealth Interview Survey, in which the intent isto produce new data or newly organized infor-mation in aggregated format, with no release ordisclosure of personally identifiable microdata;thus the full force of protected data applies instrictest interpretation. The survey may becontinuing, intermittent, or one time. Respond-ent sources might be direct measurement, inter-view, mailed questionnaires, or transcribed rec-ords and may be obtained from persons,households, facilities, or other providers. Thecollector is a single agent, such as NCHS or a

State Center, and assures the provider thatresponses will be released in anonymous formonly, will not be released in identifiable micro-form outside the collecting agency, and will beused only for the purposes that have beendescribed to the respondent.

If the collector is NCHS, individually identi-fiable data will be disclosed neither to otherFederal agencies nor to any other component ofthe CHSS. Similarly, if a State Center is thecollector, individually identifiable data will notbe disclosed to NCHS.

Presumably, the respondent will have beentold at least one specific purpose for which thedata are being collected and that the intendeduse is for statistical purposes only. Furthermore,the respondent must be given a reasonableunderstanding of what is encompassed by theexpression “statistical purposes.” Thus a sum-mary of the interpretation explained in chaptersVI and VII of this report is in order. Inparticular, if the survey microdata may be theavenue for a subsequent contact with the re-spondent, he should be so informed. If thesurvey data are to be linked with other micro-data, this fact should also be made clear. Thedegree to which confidentiality assurances canbe enforced should also be made known to therespondent. Usually respondent identificationshould be removed from substantive data at theearliest feasible processing stage to minimizeexposure to risk.

The cooperative protected-data sample sur-vey. —A second class of CHSS components mightinclude several variations. All encompass most ofthe features previously, but have one veryimportant distinguishing attribute that, in turn,leads to other policy and procedural require-ments. Theaddition to

distinguishing a~tribute isthe respondent, two or

th~t, inpossibly

38

three parties would have access to the micro-data, rather than the single collector. The firstparty is the original collector–perhaps NCHS ora State Center—the second party is NCHS if theState Center is the collector, or the State Centerif NCHS is the collector. The third party is aconvenient label for any other specified personor agency to whom access may be granted forparticular stated purposes.

The Hospital Discharge Survey (HDS) canserve as an example of the third party, but thefollowing discussion is not meant necessarily torecommend a collection design for that particu-lar survey. If a master HDS sample is designed insuch a way that State strata or subuniverses aredefined, then some State agencies will collectdata from hospitals in their States and make themicro data available to NCHS. For other States,NCHS would be the collector and make micro-data available to the States. In either case, all orparts of the microdata maybe made available toa third party—perhaps a Public Health Service(PHS) planning agency–for comparing utiliza-tion in several inner cities.

The first two parties might well restrict theirown internal uses to statistical purposes. In suchcases, the general guidelines previously statedwould follow, with the critical difference thatneither party could guarantee the performanceof the other with absolute certainty. Realisti-cally, it must be assumed that actions by thethird party are administrative in character, andmay, indeed, entail results that are disadvan-tageous to some respondents. The justificationfor embarking on any activities in the CHSS thatinclude third parties of this type is based on costand efficiency; single collection and processingseems reasonable when the third party has theright to collect the same data that the first partyalready has collected. Even so, the Center maybe prudent to take part in, at most, a limitednumber of any such activities, for they almostcertainly put a strain on the NCHS image as apurely statistical agency.

When such a cooperative survey is mounted,several special steps must be taken:

1. The collector must make clear to therespondent precisely who is to haveaccess to the microdata and for what

2,

3.

purposes. The respondent must under-stand that he is authorizing transfer tothe other identified parties.

The collector must modify his assurancesof confidential handling. (See also “TheSelf-Standing Direct Collection SampleSurvey” in this chapter.) He can con-tinue to give very positive assuranceswith respect to what his immediateagency will do, but should avoid respon-sibility for guaranteeing that the otherparties will do what they have promised.

Despite the precaution just stated, thecollector, before agreeing to the survey,should secure, in writing, over the signa-ture of the responsible official of thesecond or third party, statements settingforth the uses for the data and declaringthat the data will not be used by theother part y.

Manpower components. –Some manpowerstatistics will or may arise from enterprises thatmeet the conditions described earlier, but forothers a differing protocol appears desirable inthe CHSS. As stated previously, confidentialityshould not be promised in data collection unlessneeded data could be secured only with such apromise, unless the absence of confidentialhandling constituted a clear and unnecessaryinvasion of privacy. The economy of single col-lection with multiple dissemination of micro-data, is also recognized if privacy is not unrea-sonably invaded by such action. Many data onhealth manpower are in the public domainthrough registration and licensing bureaus,schools, professional rosters, telephone director-ies, and other sources. The CHSS can perform auseful function in assembling this information inconvenient format and making it available toany person or organization that has a need forsuch information. For some purposes, statisticalaggregation is sufficient. For other objectives,however, the “statistics” need to be classifiedinto such fine categories that privacy and confi-dentiality cannot be assured.

In this situation, the preferred course for theCHSS is not to consider most manpower. itemsas “protected data” and not to give assurancesof confidentiality. Rather, the CHSS should

39

declare that it is collecting and disseminating thedata as a service to the health community, not inits role as a statistical system, but purely as anagent peculiarly equipped to do an efficient job.Precedents for such actions can be found ininstances in which the Census Bureau or the BLShave acted as collecting agents for the Depart-ment of Defense agencies. The exceptionalprocedure for manpower data can be restrictedto items of information that do not infringe onprivacy. Included are such items as name,address, professional classification, sex, and,perhaps, other attributes. Information on moresensitive items, such as income, age, race, nation-ality, number of patients, and so forth, can besecured separately through special surveys thatare accorded protected data status.

Two other considerations should be noted.In one situation it is argued that for some itemsof manpower information, good-quality data canbe secured for transmittal to Federal authoritiesonly if the transfer is in anonymous form. Yet

NCHS feels it must have a name or SocialSecurity number not to duplicate data that mayhave been reported for the same person frommore than one local source. It is doubtful thatthe first of these two premises has muchvalidity. If NCHS wished, however, it couldsolve the duplication problem by simply re-quiring that each person’s report include an itemstating the number of jurisdictions from whichthe report might have come, if a census orcomplete enumeration had been taken.

The second consideration is similar to thecaution that was urged in the section, “TheCooperative Protected Data Sample Surve y“ inthis chapter, concerning access by third parties.The policy and procedure suggested here for themanpower component in the CHSS are foreignto the main thrust of the cooperative statisticalsystem, They endanger, to some degree, publicconfidence in the system. Therefore, this patternof operation should not be extended to anyother components of the system.

40

CHAPTER XVI

TRAINING, PERCEPTIONS, AND PUBLIC RELATIONS

Training in Ethical Standards

Whatever the laws and rules may be, what-ever the structure of systems, whatever themechanics of operation—actions are taken bypeople, and many are employees of the CHSS,Perhaps the greatest single safeguard the systemcan have is a knowledgeable workforce thatunderstands and is dedicated to conducting aprogram that is equally balanced between assem-bly and dissemination of useful statistical infor-mation and appropriate protection of the pri-vacy and confidence of those who supply theinformation.

Whether it is the mark of impartiality, thedevotion to the quality of a product, or theprotection of confidentiality, the real strengthof such Federal statistical agencies as the Census‘Bureau, the BLS, and the NCHS, and the betterstructured State and private organizations, in thelast analysis, resides in the staff of thoseagencies, In the Center, the staff believes in theprotection of confidentiality, and is dedicated toit.

A series of steps should be taken to indoctri-nate all the Cooperative Health Statistics Systempersonnel on the fundamental value and impor-tance of confidentiality. These steps include (1)dissemination of written materials, (2) work-shops such as the one on Privacy and Confiden-tiality in Atlanta, Ga., on March 3-5, 1976,(3) several regional training sessions, and (4) cre-ation in the National Center for Health Statisticsof a consultant on confidentiality to provideservice to States.

The objective of this effort is to create agrass-root devotion to and advocacy of a soundpolicy on confidentiality, and to avoid myfeeling among States that confidentiality issimply another instance of burdensome Federalregulations that must be tolerated.

Real and Perceived Situations

A continuing study of this topic points tothe importance of a pervasive phenomenon:Despite significant philosophical differences be-tween real and perceived situations in general, inthe field of confidentiality issues, these situa-tions are intermingled or even indistinguishable.

Policy and practice need to be guided almostas much by what people think the situation is asby what the facts are. This state of affairs is theconsequence, in part, of deeply imbedded de-sires and fears that people have concerning theirprivacy, rights, privileges, and inhibitions beingmisused. It also reflects the widespread publicimpact of such matters as Watergate, the Ells-berg break-in, questions about the activities ofthe Federal Bureau of Investigation (FBI) andthe Central Intelligence Agency (CIA), the Pen-tagon Papers, tales about credit-rating bureaus,the horror stories that have been detailed con-cerning computers and databanks, and the evenmore frightening forecasts in the book 1984. T Inother directions there are the cries of “freedomof the press” and of the rights of patients,students, and citizens to have access to informa-tion about them that is held by physicians,schools, and the Government,

An important consequence is the necessityfor NCHS, the CHSS, and others to devotesubstantial energy to explaining the role ofstatistical information in the world, and, inparticular, to a public relations program thatallays unjustified fears. This objective will beenhanced by (1) making absolutely certain thata straightforward presentation of intentions ismade to all concerned, and that those intentionsare fully honored; and (2) assembling and dis-seminating only data for which there is definiteneed, and for which the benefits outweigh theburden on providers of the information.

41

CHAPTER XVII

UNRESOLVED PROBLEMS AND LESSER ISSUES

Role of This Chapter

Earlier chapters of this report directed atten-tion to basic fundamental concepts, principles,and issues, and to derivative problems. Proposedpolicy positions and suggested actions have beenoffered for a variety of situations. This chapterconsists of supplementary material of two kinds:(1) identification of related additional or pin-pointed issues not fully resolved and (2) a partialcatalog of specific facets of the privacy, confi-dentiality, and dissemination complex treatedsuperficially or, not at all, in earlier chapters.Some problems are quite pertinent and impor-tant. Others are intrinsically small, but their res-olution may have reverberations that grow intoor merge with larger issues. The CHSS will prob-ably not want to establish explicit guidelines fortreating each of the items in the list. However,it is desirable to overlook none entirely whenpolicies and procedures are formulated. Orderof presentation has no particular significance.

Source data that s;rve both administrativeand statistical purposes. —This report has empha-sized the distinction between protected data andcase-action data. One of the most vexing situa-tions is when a single initial source recordbecomes the basis for an administrative actiondirectly affecting an individual and an elementof a statistical body of data for which confi-dentiality is promised. Satisfactory resolution ofthis matter is critical. The problem consists ofthe need for both sound procedures and forpublic acceptance of those procedures. Policyguidelines have been suggested for such situa-tions in several parts of the report and especiallyin “The Self-Standing Direct Collection SampleSurvey” and “The Cooperative Protected-DataSample Survey” in chapter XV, and “Definitions

and Labels” and “Use of Administrative Rec-ords for Statistical Purposes” in chapter VI.The report has not left the matter entirelyunresolved. Neither is it fully resolved–particularly at the State level where a singleagency, at times, performs both statistical andcase-action functions. The key to a furthersolution will lie in the drafting of proceduralrules for handling specific data sets, in takinginto consideration the many principles analyzedin this report, and in promoting widespreadknowledge, understanding, and acceptance ofthose rules.

Statistician’s access dilemma. –Each specialinterest group-journalists, lawyers, physicians,researchers, legislators, or statisticians—tends tofeel that it should have ready access to almostany data source relevant to its perceived needsand also be protected from forced disclosure toother parties. In the CHSS, this attitude consti-tutes an unresolved dilemma for the statistician.The essence of the statistician’s position is this:He should be given access to almost any neededdata because how he uses data gives societyvaluable information without detriment to indi-viduals or facilities; he should be immune fromcompulsory release of privileged data in identifi-able form because he could not acquire betterevidence, guarantee the absence of individualdetriment, or accomplish his mission. Not every-one accepts this position; consequently, thesituation is less than ideal.

Statistical purposes. –In this report and else-where, the expression “for statistical purposesonly” is widely used. Indeed, this concept isfundamental to much that is herein recom-mended. Statisticians believe they know themeaning of the expression. Yet an unequivocal

42

short definition, acceptable to all, is stillawaited. f Consider the following questions, forexample, to which the statistician can giveanswers, but answers not agreeable to everyone:

1.

2.

3.

Is it an acceptable statistical purpose touse names or addresses collected in oneenumeration as a sample in anothersurvey? The answer is “yes,” but seelimiting conditions in “Frame for Sam-pling” in chapter VII.

Is it legitimate to link identifiable per-sonal data from two surveys taken fordifferent purposes, even if the linkeddata are not (easily) personally identifi-able? The answer is again “yes,” but withthe provisos set forth in “Recapitula-tion” in chapter IX.

Is it reasonable to release “statistics” fora small area or a small class of persons ifthe statistics show a rate or average forthe small cell that is dangerously unfa-vorable to members of the cell, eventhough data for an individual is notreleased? Once more the answer is “yes,”but again only in special circumstancesand when the value of the informationclearly outweighs the rights of potenti-ally affected individuals.

Joint partnership versus purchase of data.-In a fully cooperative joint partnership, allpartners have equal responsibilities and in gen-eral are subject to the same governing rules. IfState Centers for Health Statistics and NCHS arefull partners in a joint system, then they maybesubject to responsibilities for which no partner isin a position to guarantee performance becauseone partner does not have absolute control overthe others. Is a partial solution found in anarrangement where a State collects and controlshandling of certain data for its own purposes,

fOne attractive comparison is made by Margaret E.Martin, “Information to be used administratively usually

rwircs action on individual cases, . . . Statisticalinfor-mation, on the other hand, is intended to be aggregatedor summarized in some form, and the specific identityof [individual cases] is immaterial to the usefulness ofthe results,”s

and then cooperatively sells a product to theFederal Government? Is such a purchase of dataa dodge to avoid legal requirements?

Watchdog boards. –A safe prediction is thatwhatever legislation is passed and whatever rulesare adopted, in some instances, the laws andrules are disregarded or interpreted nonuni-formly; and some situations will not be clearlycovered by the laws and rules. In these circum-stances a disinterested monitoring or watchdogboard would be established to oversee govern-mental performance and to settle citizen griev-ances. However, if such boards were established,their charters should be very carefully drafted.They would have the potential either of suppres-sing information that should be readily availableor of opening the gates so wide that confiden-tiality would have little meaning. And certainlythey would contribute to time delays in resolv-ing issues.

Additional facets. –The Iist of topics thathave relevance to privacy, confidentiality, anddissemination of information is unending. Thisfinal section is included not in any pretense ofcompleting a catalog of factors but in recogni-tion that the full story extends beyond thisreport, and brief allusion to some further ele-ments can underscore that fact.

Not much has been said about quality ofdata or quality control. This omission is not theresult of doubt or about their basic importance,but is due to the fact that they are a separatefield and outside the primary scope of thisreport. Two major intersections occur on thesubjects of quality and confidentiality of data.The first is the conviction that the quality ofreported data is better when the respondentsand the persons to whom the data relate areanonymous. The second intersection is thatmost forms of quality control require access bystatisticians to a sample of individually identi-fied cases to validate input to the system. Acollateral matter is the extent to which identifi-able microdata should be made available to peersto permit replicate treatment and verificationprocesses.

Physical security of data also has receivedlittle attention in this report. Much has beenpublished elsewhere concerning this aspect. Themain reason for nondetailed treatment here is

43

that physical’ security, although not to beoverlooked, is a relatively minor problem in theCHSS. Existing laws, buttressed by modestprecautionary measures and rigorously enforced,are probably sufficient. Although computersopen new channels for violating security, onbalance they are more likely to enhance se-curity.

There have been many suggestions and somepressure for NCHS to establish a death index;that is, a national register of all deaths so thatanyone could consult the index to determine if adeath certificate had ever been filed for adesignated person. This is a borderline situation,in which the CHSS and the Center couldperform a useful service for both researchers andadministrators—but with the risk of infringingconfidentiality, or at least the appearance ofdoing so.

Chapter XV “Customized Variations of Pro-cedure” advocated the concept of proceduralvariation in certain situations and in severaldimensions. It is appropriate for differing kindsof data, with such subjects as facilities, staff,patients, residents, inmates, outpatients, provid-ers, hospitalization, ambulatory care, emergencycare, births, deaths, dental data, fiscal matters,costs, expenditures, and insurance. It is relevantalso to uses such as reference, planning, monitor-ing, control, evaluation, databanking, case treat-ment, workload, supply, utilization, demand,inventory, standards, levels, trends, rates, rela-tionships, unit costs, incidence, and prevalence.

Duration of confidentiality may be an im-portant feature of policy. Should an assuranceof confidentiality extend into perpetuity? Or is5, 10, or 50 years sufficient, or some otherperiod?

A closely allied matter, but still distinct, isthe question of retention of original or tr&-scribed records. How long should they be keptin active files, or in archival storage?

Are there special procedures that should beinvoked when data are collected by directobservation without knowledge of the subject?Is this ipso facto an invasion of privacy? Shouldthe CHSS allow or outlaw such practices?

There may be legitimate differences of opin-ion over how completely frank interpersonalrelationships should be. There are some risks insecuring compliance and entirely truthful re-

sponse if the statistician explains ad nauseumthe reasons for and all conceivable uses ofrequested information. However, in a democ-racy, and especially in the currently prevailingenvironment in the United States, it is expectedthat Government will be forthright with citizens.In most situations, a straightforward approachby a collector to a provider of data, making clearthe reasons for a request and how the data willbe used, will result in compliance by thepossessor of the data–with the assumption thatthere is a respectable justification for the collec-tion. The Privacy Act of 1974, the DHEW Codeof Fair Information Practice, and various confer-ences and professional bodies have declared aneed for a policy of openness in the acquisition,handling, and dissemination of information. TheCHSS should embrace this policy–not onlybecause it must under the law, but also becauseit will be a productive course.

The Decennial Population Census is takenfirst for the purpose of apportioning congres-sional representation among the States, but itserves countless other purposes. The Census hasbecome preeminently a reference source thatdescribes the people who live in this country.Similarly, data collected in the CHSS serve bothspecific initial purposes and innumerable refer-ence functions. Allocation of resources betweenthese latter baseline objectives and more immed-iate specific purposes calls for a high order ofprogrammatic and managerial skills.

It has been argued in this report that theCHSS should build an integrated policy andpractice in the realm of privacy, confidentiality,and dissemination of data; and that the structuremust embrace ethical, political, economic, legis-lative, and procedural considerations. However,even this broad perspective is not enough. TheCHSS cannot stand alone on issues of privacy orconfidentiality, no more than it can in otherrespects. Significant external developments andactivities—currently, and undoubtedly more inthe future–will have impact on the CHSS. Oneneeds to recall only a few to be impressed withthe potential consequences: regulations, rules,and court decisions under the Freedom ofInformation and Privacy Acts; the Study Com-mission under the Privacy Act; the PaperworkCommission; the Health Planning Act; possiblenew legislation; PSRO actions; pronouncements

44

of the National Commission on the Confidenti-ality of and Access to Health Records; the 1975Report of the Committee on Federal AgencyEvaluation Research of the National Academyof Sciences, under the title, Protecting Individ-ual Privacy in Evaluation Research;9 a report ofthe Committee on Privacy and Confidentialityof the American Statistical Association;l 0 thereport of the Research Project on Confidenti-ality, sponsored by the American Political Sci-ence Association and seven other organiza-tions;1 1 and an international study of how to use

governmental statistics advantageously withoutinfringing confidentiality which was conductedby investigators .at the University of WesternOntario under a Ford Foundation grant.l 2

How to secure balance between the individ-ual’s right to privacy and society’s need forinformation is no new problem. It is receivingvigorous attention on a wide front and frommany perspectives. Resolution for the CHSS is adynamic and evolutionary process that shouldsoon reach a degree of operational stability, butfor which no terminal point is foreseeable.

45

REFERENCES

lRule, ~, B,; Private Lives and Public Surveillance.London. Allen Lane, 1971.

2hfiIler, A, R.: The Assault on Privacy, Presented ataConference on Confidentiality of Public Records, KeyBiscayne, Fla., Nov. 7, 1974.

awestin, A., and Baker, M.: Databanks in a FreeSociety. New York. Quadrangle Books, 1972. p. 238 ff.

4Fed. Regist. 40(158); Aug. 14, 1975.5Thcj privacy Protection Study Commission: Personal

Privacy in an Information Society. Washington. U.S.Government Printing Office, July 1977.

6Nation~ Center for He~th Statistics: StandardizedMicmdata Tape Transcripts. DHEW Pub. No. (PHS) 78-1213. Public Health Service. Washington. U.S. Govern-ment Printing Office, June 1978.

7orwell, G.: 1984. New York. Harcourt BraceJovanovich, 1971.

8Mart~, M. Et: Statistical registration and confi-dentiality issues. Int. Stat. Rev. 42(3): 267, 1974.

9Nationd Research Council/National Academy ofSciences: Protecting Individual Privacy in EvaluationResearch. Washington. National Research Council/National Academy of Sciences, 1975.

10 Report of Ad Hoc Committee on Privacy and Con-fidentiality. Am. Stat. 31(2): 59-78, May 1977.

11CwrolI, Jo: The Confidentiality of Social ScienceResearch Sources and Data. Presented to Russell SageFoundation, 1976. Unpublished paper.

12 Flaherty, D. H.: Privacy and Government DataBanks. London. Mansell Publishing, 1979.

000

47

APPENDIX

SELECTEDBIBLIOGRAPHY

A comprehensive bibliography on privacyand confidentiality was not attempted in thisreport for two reasons: First, extensive bibliog-raphies have been and are being assembled byothers; second, the monthly accretion rate tothe already massive list of written materials putsthe task outside the scope of the present project.

Amumber of documents that seem especiallyrelevant to the issues faced in the CooperativeHealth Statistics System are listed in this appen-dix. Many of the publications contain additionalbibliographical material. Other useful referencesare an annotated bibliography Ethical Issues inHealth Seruices released in 1970 by the National

American Hospital Association: Hospital MedicalRecords–Guidelines for Their Use and the Release ofMedical Information. American Hospital Association,Chicago, 111.,1972,

Barabba, V. P.: The right of privacy and the needto know, in The Census Bureau, A Numerator and De-nominator for Measuring Change, Technical Paper 37.Washington, U.S. Government Printing Office, 1975.

Bryant, E. C., and Hansen, M. H.: Invasion ofPrivacy and Surveys: A Growing Dilemma. Presented atthe Smithsonian-Navy Conference on Survey Alterna-tives, Santa Fe, N.M., 1975,

Carrel, J, D., and Knerr, C. R.: The American Polz%i-cal Science Association Confidentiality on So cial ScienceRcsoarch Project: A Final Report. PoL Science VOL 9,Fall 1976. PP. 416-419.

Commission on Human Rights: Human Rights andScientific and Technological Developments. Report bythe United Nations Economic and Social Council, E/CN4/1142, New York, 1974.

Committee on Federal Agency Evaluation Research:Protecting Individual Privacy in Evaluation Research.Washington, National Academy of Sciences–NationalResearch Council, 1975.

Committee on the Judiciary, United States Senate:Freedom of Information Act Source Book: LegislativeMaterials, Cases, Articles. Washington. U.S. GovernmentPrinting Office, 1974.

Center for Health Services Research and Devel-opment; Psychiatry and Confidentiality–An An-notated Bibliography y, a 5 O-page compilationpublished by the American Psychiatric Associa-tion in September 1974; and a 300-item appen,dix to the report Protecting Individual Privacy inEvaluation Research, included in the followinglist. Special attention is directed to a computer-based bibliography on privacy and confidential-ity being compiled by Professor Tore Dalenius atBrown University. This latter list in preliminaryform already contains more than 800 references,and is still growing.

Department of Health, Education, and Welfare:Privacy Act of 19 74–Various agencies–proposed rulesand notices of systems and records. Fed. Re@”st.Aug. 27, 1975.

Duncan, J. W.: The impact of privacy legislation onthe Federal statistical system. Public Data Use 3, 1:51-53, Jan. 1975.

Duncan, J. W.: Confidentiality and the future of theU.S. statistical system. Proceedings of the Social Statis-tics Section of the American Statistical Association,1975.

Hulett, D. T.: Confidentiality of statistical and re-search data and the Privacy Act of 1974. Stat. Rep. June1975. pp. 197-209.

Hulett, M.: Privacy and the Freedom of InformationAct. Admin. Law Rev. 27(3): 275-297, 1976.

Jabine, T. B.: The Impact of New Le@”slation onStatistical and Research Uses of SSA Data. Presented atthe 135th Annual Meeting of the American StatisticalAssociation, Atlanta, Ga., Aug. 1975.

Losee, G.: Protection of privacy and confidentialityof records maintained by NCHS. National Center forHealth Statistics memorandum, Oct. 22, 1975.

Martin, M. E.: Statistical legislation and confiden-tiality issues. Int. Stat. Rev., 42(3): 267, 1974.

Metz, D. W.: Privacy legislation yesterday, today,and tomorrow. Keynote address to Federal Bas Asso-ciation Conference, Washington, D.C., May 22, 1975.

49

Miller, A. H.: Personal privacy in the computer age:The challenge of a new technology in an information-oriented society. Mich. Law Rev. 67:1089, 1969.

Mugge, R. H.: Implications of Recent Confiden-tiality Legislation for the National Center for HealthStatistics. Presented at the annual meeting of the Ameri-can Public Health Association, Chicago, 111.Oct. 1975.

Office of Management and Budget, Executive Officeof the President: Privacy Act implementation-guidelinesand responsibilities. Fed. Regist. 40(132, pt. III): 28948-28978, 1975.

Office of Management and Budget, Executive Officeof the President: Responsibilities for the Maintenance ofRecords About Individuals by Federal Agencies. CircularNo. A-1 08 directed to the heads of executive depart-ments and establishments, 1975.

Proceedings of the Cooperative Health Statistics

System Workshop on Privacy and Confidentiality,Atlanta, Ga. Mar. 3-5, 1976.

Rule, J. B.: Private Lives and Public Surveillance.London. Allen Lane, 1971.

Spingarn, N. D.: Confidentiality, Report of theConference on Confidentiality of Health Records, KeyBiscayne, Fla. Nov. 6-9, 1974.

Task Force on Confidentiality: Report by the TaskForce of the Cooperative Health Statistics System Ad-visory Committee, 1975. Unpublished.

Ware, W. H.: Records, Computers, and the Rightsof Citizens. Report of the Secretary’s Advisory Commit-tee on Automated Personnel Data Systems, U.S. Depart-ment of Health, Education, and Welfare, Washington,D.C., 1973.

Westin, A. F., and Baker, M. A.: Databanks in aFree Society. New York. Quadrangle Books, 1972.

000

50

W,!i GOVERNMENT PRINTING OFFICE 1980 311-2f+()/12 1-3

VITAL AND HEALTH STATISTICS Series

S,$ri,’s 1. Programs and Collection Procedures. –Reports which describe the general programs of the National

Center for Health Statistics and its offices and divisions and data collection methods used and includedefinitions and other material necessary for understanding the data.

St-rim 2. Data Evaluation and A~ethods Research. –Studies of new statistical methodology including experi-mental tests of new survey methods, studies of vital statistics collection methods, new analytical

techniques, objective evaluations of reliability of collected data, and contributions to statistical theory.

Srritls 3. .4rsalytical Studies. –Reports presenting analytical or interpretive studies based on vital and health

statistics, carrying the analysis further than the expository types of reports in the other series.

Sk’rics 4. Documents and Committee Reports. –Final reports of major committees concerned with vital andhealth statistics and documents such as recommended model vital registration laws and revised birth

and death certificates.

Sertks 10. Data From the Health Interview Survey. –Statistics on illness, accidental injuries, disability, use ofhospital, medical, dental, and other services, and other health-related topics, all based on data collectedin a continuing national household interview survey.

St ’rit,s 11, Data From the Health Examination Survey and the Health and Nutrition Examination Survey .—Data

from direct examination, testing, and measurement of national samples of the civilian noninstitu-tiormlized population provide the basis for two types of reports: (1) estimates of the medically definedprevalence of specific diseases in the United States and the distributions of the population with respectto physical, physiological, and psychological characteristics and (2) analysis of relationships among the

various measurements without reference to an explicit finite universe of persons.

St’ri(s 12. Data From the Institutionalized Population Survey s.–Discontinued effective 1975. Future reports from

these surveys will be in Series 13.

St’rics 13. Data on Health Resources Utilization. –Statistics on the utilization of health manpower and facilitiesproviding long-term care, ambulatory care, hospital care, and family planning services.

Sf”rics 14. Data on Health Resources: Manpower and Facilities. –Statistics on the numbers, geographic distri-

bution, and characteristics of health resources including physicians, dentists, nurses, other health

occupations, hospitals, nursing homes, and outpatient facilities.

Series 2/2. Data on A40rtality. –Various statistics on mortality other than as included in regular annual or monthlyreports. Special analyses by cause of death, age, and other demographic variables; geographic and timeseries analyses; and statistics on characteristics of deaths not available from the vital records based onsample surveys of those records.

Series 21, Data on Natality, Marriage, and Divorce. —Various statistics on natality, marriage, and divorce other

than as included in regular annual or monthly reports. Special analyses by demographic variables;

geobwaphic and time series analyses; studies of fertility; and statistics on characteristics of births notavailable from the vital records based on sample surveys of those records.

St’ri,’s 22, Data From the National Mortality and Natality Survey s.–Discontinued effective 1975. Future reportsfrom these sample surveys based on vital records will be included in Series 20 and 21, respectively.

st-rik~xz3, Data From the Natjonal Survey of Family Growth. –Statistics on fertility, family formation and dis-

sohttion, family planning, and related maternal and infant health topics derived from a biennial surveyof a nationwide probability sample of ever-married women 15-44 years of age.

For a list of titles of reports published in these series, write to: Scientific and Technical Information Branch

National Center for Health Statistics

Public Health ServiceHyattsville, Md. 20782

NCHSU.S. DEPARTMENT OF HEALTH, EDUCATION, AND WE LFAREF%blu Health SeIVKe

Office of Health Research, Stmmcs, and TechnologyNmimd Center for Health Statm!cs3700 East W= HqfwwH@twille, Maryland 307S2

OFFICIAL BUSINESSPENALTY FOR PRIVATE USE, S3DD

POSTAGE AND FEES PAIDu S DEPARTMENT OF HEW

HEW 396

D

*

uS.MAILTHIRDCLASS