Protecting Petsonal Privacy in Using Geographiclnformation SystemsHarlan J. Onsrud, Jeff P. Johnson, and Xavier R. Lopez

AbstractPersona] privacy is a social issue of increasing televance tothe geographic information system (cts) community. Thepower of Crc processing and the crossmatching of geogtaphicdatasets with other datasets are raising strong privacy con-cerns. This artiche discusses current practices and trends inthe collection, maintenance, and dissemination of personalinformation by government and industry thtough the use ofcis and related-technologies. It reviews the development ofIegal rights in privacy, discusses the societal importance ofpersonal priva-cy, argues that self regulation of the use ofpersonal information is a necessary god for the GIS commu-nity, and d'escribes privacy protection guidelines cunentlybeing proposed by various parties for adoption by the com-meriial secbr and government. Finally, the article recom-mends specific pilvacy protection principles fot adoptionand self-imposition throughout the GIS community.

lntroductionGeographic information systems (cIs) form part of the com-munications infrastructure that is emerging in the transitionfrom an industrial to an information oriented society. Im-proved geographic information handling capabilities are con-iinuing to find expanding applications throughout society,and thi eventual public and private investment in such capa-bilities is being estimated in many billions of dollars. Geo-graphic information systems and their associated databasesire-substantially affecting the operation of government andbusiness. The impact of the technology is immense, whichplaces a heavy social responsibility burden on those in-volved with iis promulgation. Along with its positive effects,the negative impacts of the technology and its associated da-tabaseJ need tobe considered. The negative impacts need tobe divulged, eliminated, minimized, or accommodated andweighed against the positive.-One

of the potentially negative societal effects that GIStechnology is helping to bring about is a decrease in personalprivacy. From one perspective, geographic information hasnothing to do with personal privacy-geographic informationis factual information about land and resources. By defini-tion, it's not about individual people. However, from anotherperspective, geographic information systems are proving_to-be pbwerful data integrating technologies. Experiences of themarketing community indicate that the ability to integratedata by tying those data to their geographic location is one ofthe mirk-eting industries most promising and powerful toolsin compiling data from widely disparate soutces on house-

Department of Surveying Engineering and National CenterfofGeographic Information and Analysis, 5711 BoardmanHall, Room 348, University of Maine, Orono, ME 04469-571,1,.

PE&R3

holds and individuals-something that was a practical im-possibility a few short years ago (Eitenbichler, 1993)' Therto."gu, display, and analysis capabilities o{ GIS softwaremake"qeosraplii" ittfo.maiion syitems highly effective toolsfor anilyz"ing personal information. Because of its stro-ng dataintegration anh analysis capabilities and because the data in-orT cs are inherentlv locil in nature, GIS technology hasthe potential to be far more invasive of personal privacy thanmanv other information technologies'

Farties on both sides of the piivacy debate generallyagree that the expanding capabilities of technology and tleiicreasine detail^of infoimJtion that is being incorporatedinto data6ases are combining to decrease the typical citizen'sability to keep their affairs private. Parties on both sides alsoseem to agree that most citiZens are neither aware of thelevel of dEtail that is being collected on them nor of the ex-tent that the information is being shared with others. Someadvocates of the right to gather and trade in information onindividuals have argued ihat the increased availability of .personal informatioir is merely returning society to the socialicenario of small towns where everyone knew everyone el-se's business. The typical citizen is more than willing^to giveuD some privacv in exchange for the substantial benefits thatui"rrr" from coirpiled databases' However, advocates of pri-vacv Drotection point out that the entities that use personalinformation typiially do so in an impersonal manner fromdistant locations. It is not a mutual relationship' Rather, it isgovernment and commercial sector "insider elites" that areEompiling and using expansive knowledge about individuals'lives'. Priiacy advociteJargue that, when asked, m-ost peopleare unwilling to have personal information about themselvespassed on tJothers foi non-specific commercial or-q-overn-.inent purposes. The typical citizen is seldom asked for his/her opinion or approval and therefore has no opportunity tobecome informed or to object. Advocates of greater privacyprotection argue that government and commercial sector in-iid".r

"tu -"ki.tg impLrtant decisions about the lives of indi-

viduals on the bisis of information of which the individualsaffected are often completely unaware'

As databases containing personal information come intomore prevalent use, citizenJ ire becoming more concernedabout preserving their right to privacy. Several surveys haveshown that citizen conceln has steadily increased over recentvears (Harris and Associates, 1983; Privacy and tg84, tgB4;"Smith, 1990; Madsen, 1992; Cespedes and Smith, 1993)'News articles addressing privacy issues are now frequent in

Photogrammetric Engineering & Remote Sensing,Vol. 60, No. 9, September 1994, pp. 1083-1095.

o0s9-11. 12l94/6007-OO00$3.0o/o@ 1994 American Society for Photogrammetry

and Remote Sensing

national magazines and newspapers. The voicing of citizenconcern over the privacy ramifications of proposed commer-cial and gorernment actions has begun to increasingly alteror halt such actions. For example, Lotus Corporation wasscheduled in 1991 to begin selling a marketing aid called"Marketplace" for use on desktop computers with data sup-plied on optical disks. Detailed information on the personiland shopping habits of approximately B0 million households(120 million Americans) would have been made accessible tovirtually anyone with a computer (Reitman, 1991). Althoughthe search capabilities and provided databases would havebeen extremely valuable to small businesses, they also wouldhave been valuable to those wishing to engage in burglary,fraud, sexual harassment, and a host of other illicit purposes.Lotus incurred a multi-million dollar loss when it droppedplans to make the software and data generally available twomonths before it was scheduled to go on sale, and the com-pany was subjected to extensive negative publicity (Miller,1991). One of the more visible examples in which privacyconcerns have altered government actions is the cancellationof national censuses in the Netherlands and West Germany.Because these governments were unable to assuage or accom-modate their citizens' concerns over privacy and the poten-tial misuse of personal information, citizen resistance forcedcancellation of the censuses, and the many substantial bene-fits of census taking were lost (Flaherty, 1-gB9). In light ofstrongly expressed citizens concerns, policy makers must re-consider how far to allow private industry and governmentto collect, manipulate, and disseminate information.

There is no doubt that some uses of GIS datasets, al-though currently legal, would be considered by most citizensin the U.S. to be highly intrusive and controversial. Aware-ness and concern by citizens regarding such applicationsmay lead to a legislative backlash. Backlash legislation tendsto be overreaching and piecemeal. In attempting to addressundesirable applications of cIS, such legislation may hindermany non-intrusive and socially desirable applications of ctsas well. Overreaching omnibus legislation would decreasethe ability to provide services to consumers and would harmthe Iong term development and use of cIS by governmentand industry. To avoid citizen oveneaction and protect theinvestment in ctS databases, reasonable privacy policies needto be established and implemented by the cIS community.Members of the CIS community, in the interest of the publicand in their own best interest, need a set of guidelines bywhich they can gauge their current and proposed actions inthe use of personal information.

Legal Rights in PrivacyThe ability to store and query large spatial databases is con-tinuing to expand. Future advances in information technol-ogy, such as the National Information Infrastructure (NII) andmultimedia telecommunications, are likelv to further in-crease the availability of personal data. Yet the applicabilityof current privacy law within networked digital environ-ments is far from clear.

Common LawThe legal right to privacy in the United States arose from aHarvard Law Review article written in 1890 by S. D. Warrenand Louis Brandeis. Warren and Brandeis init ially definedthe right of privacy as the "right of the individual to be letalone" and "the right to one's personality" (Warren andBrandeis, 1890). Over the years the judiciary has developedand clarified the right through case law. The right "prevents

1084

govemmental interference in intimate personal ... activitiesand freedoms of the individual to make fundamental choicesinvolvin-g himself, his family, and his relationship with oth-ers" (Industrial Foundation of the South v. Texas Indus. Acc.Bd., 679). The right protects individuals not only from intru-sions by government but also from intrusions by other indi-viduals. Invasion of privacy is a "... wrongful intrusion intoone's private activities, in such a manner as to cause mentalsuffering, shame or humiliation to a person of ordinary sensi-bilities" (Shorter v. Retail Credit Co., 330). Tort actions forinvasion of privacy fall into four general classes: intrusion(e.g., eavesdropping or persistent unwanted telephone calls),public disclosure of embarrassing private facts (e.g., publicityof private information of a highly objectionable kind eventhough the information may be true), appropriation (e.g., ap-propriating your name or likeness for commercial gain), andfalse light in the public eye (Prosser, 1960, p. 389). Withinthe second class, the constitutional right to privacy is limitedprimarily to "matters relating to marriage, procreation, con-traception, family relationships, and child rearing and educa-tion" (Paul v. Davis, 1976).

Although the word "privacy" does not appear in theU.S. Constitution, the U.S. Supreme Court over time has in-terpreted a right of privacy to exist for individuals under theFirst, Fourth, Fifth, Ninth, and Fourteenth Amendments(Schwartz, 1991). The right of individuals (or corporations)to withhold themselves and their propefty from public scru-tiny, if they so desire, is supported in equity by ihe courts ina proper case if there is no remedy at law (Federal TradeCommission v. American Tobacco Co.).

From the case law, it is plainly seen that the contextwithin which common law privacy rights were originally ar-gued and developed in the U.S. was one involving conflictsamong singulally identified individuals. Although such lawremains valid and provides some limited protection, we haveentered a new social and technological era in which privacyconflicts involve detailed data collection and identity profil-ing on large portions of the population. Historically, wherethere is a statutory gap in regulating human behavior, thecommon-law mechanism of tort fills the gap. Yet, to date,judges have been loathe to expand privacy tort law to applyto the domain of detailed information gathering on all meni-bers of society (Dansby, 1991). One may surmiie that the ju-diciary believes, as a rule, that the legislative process is thepreferred forum for determining whether, and to what extent,further rights should be carved out in protecting the informa-tion privacy of individuals.

LeglslationIn addition to judge-made law, numerous legislative enact-ments address privacy in the U.S. at both the federal andstate levels. The major federal privacy statute is the PrivacyAct of 1.974. "the Privacy Act (r) allows individuals to deter-mine what records pertaining to them are being collected,maintained, or used by federal agencies; (2) allows individu-als to prevent records obtained for a particular purpose frombeing used or made available for another purpose withouttheir consent; (3) allows individuals to gain access to suchrecords, make copies of them, and make corrections; (4) re-quires agencies to ensure that any record which identifies in-dividuals is for a necessary and lawful purpose; and (s)requires agencies to provide adequate safeguards to preventmisuse of personal information (Privacy Act of 1924). How-ever, critics argue that the provisions of the act have beenpoorly enforced and adhering to privacy protection guide-

Iines has not been a priority for federal agencies (Flaherty'1989, p. 331) .

Rmong additional U.S. federal acts addres-sing a range ofprivacy isJues are included the Freedom of Information Act,Fair Ciedit Reporting Act, Family Educational Rights -andPrivacy Act of tgzq, Right to Financial Privacy Act of 1978,Electronic Fund TransfJr Act, Privacy Protection for RapeVictims Act of 1978, Privacy Protection Act of 1980, CableCommunications Policy Act of 1984, Electronic Communica-tions Privacy Act of rsis6, Computer Matching and PrivacyProtection Act of 1988, Video Privacy Protection Act of 1988,and the Telephone Consumer Protection Act of 1991' Each ofthese provides protection of privacy under specific circum-stanceJ. For instance, the Freedom of Information Act

[ror,r), limits the types of personal information that may bedisseminated by federal agencies under FolA request!. Theprivacy provisibn of this Act has been taken seriously byih" con.tr and has occasionally been an effective deterrentto providing personal information to the^private sector (Mc-

Lein, r993). Additions and revisions to federal legislationrelating to privacy issues have been numerous, Critics arguethat th6 recent trend of amendments has been to weakenrather than strengthen federal privacy legislation in order tofurther the goals of the commercial sector and governmentagencies.

Many state governments in the U.S. have a general .pri-vacv act ihat mirrors the federal government's Privacy Act.These acts typically control the information that state age-n-cies and locii goneinments may gather on individuals. Alsosimilar to the federal law situation, most states have numer-ous separate acts addressing privacy problems in specific sit-uations.

From a review of the federal and state laws, it is readilyapparent that many of the existing acts address the limits ofp^eisonal information that government may gather on privateindividuals. Most do not apply to the private sector. For in-stance, the Right to Financial Privacy Act relates to-govem-ment access to the records of the banking, loan, and creditindustries. The act provides that government may not haveaccess to the information contained in the financial recordsof any customer of a financial institution except under cer-tain r-estricted circumstances. The act does not address orlimit the voluntary transfer of personal information amongmembers of the banking, loan, and credit industries. Thoseacts that do address priiate sector use of personal data havebeen passed to-date primarily on a patch-work basis and aretypically very limited in scope. Such legislation.frequentlypurr"r only when questionable information handling prac-ii"",

"r" r"l"t"d to highly visible or newsworthy events. For

instance, the Video Privacy Protection Act of 19BB waspassed as a direct result of the newspaper publication of thevideo rental records of U.S' Supreme Court nominee RobertBork (Doyle, 1990).

A paich-work approach in passing privacy legislation isundesiiable because it results in inconsistent treatmentamong different classes of information. For instance' per-sonal"privacy in video rental records is now protected byfederai legisiation whereas personal privacy in the groceries,magazinei, medicines, and contraceptives that are runthr6ugh the checkout scanner at your-loc-al Srocery store isnot. Ii addition, a Iegislative approach of carving out subsetsof personal information to protect with separate laws may re-suli in legislation that "appears" to address the p-roblemcomprehJnsively for that^limited cateSory but falls short ofdoing so. For instance, the Fair Credit Reporting Act states

PE&R8

that personal data may be sold or transferred to those with a

"legiiimate business need for the information in connectionwitl a business transaction involving the consumer" but the

act fails to adequately define what is meant by "legitimatebusiness need"-or what actions constitute a "business trans-

action." Determination of the meaning of the terms is there-fore left largely to the discretion of information sellers who

have a vestEd interest in interpreting the terms as broadly as

oossible. In addition, a problem exists in that those intent onbbt"ittittg consumer information under false pretenses may

be able io do to with minimal chance of detection (Roth-

feder, 1992). Even though the overall privacy protection ben-

efits of the Fair Credit {eporting Act are substantial, the

shortcomings of the Act illustrate that one may not assume

itr"t futti"i law after law covering^ 3dditional -categories of

oersonal inTormation is the most efficient or effective ap- -iroach to protecting the information privacy of individuals''

oth"ti"deral siatutes that address private sector use of

oersonal data in isolated areas include the Cable Communi-iations Policy Act of 1984, the Family Educational nigh!-s

and Privacy Act of 1974, and the Privacy Protection for Rape

Victims Aci of 1978, Each of these acts has an affect on the

use of personal information in specific cases, but the overall

"fr""t or privacy legislation on tt'e private sector is minimal

due to th'e limiled ipplication of these laws' Thus, private

sector use of personil information in the United States is

largely r'r.t.tg,tl"tud, and at the discretion of private institu-tions.

Curent Pdvacy Protection PracticesInformation p.in""y issues have regularly been publicized.asunwarranted-intruiions by information voyeurs peering intothe oersonal files and lives of celebrities and politicians(Wai'ren and Brandeis, 1890; Levinson, 1988; Rothfelder,isgz). Ho*"ver, the issue of information privacy is much.broader and pervasive. Of greater concern is th-e systematiccollection an^d maintenance of large volumes of personal databv sovernment, commercial organizations, and other institu-titris. fhe tremendous cost of collecting and maintainingsoatiallv referenced databases for large populations currentlypi"""s t,r"h activities beyond the reach of the typical indi- .iiJn"t or small business. "Only large organizations (e'g', fed-

eral agencies, local government, credit reporting bureaus,.databise marketing hrms) have the mandate or resources to

collect and mainta'in large volumes of selected datasets for asienificant population. As these organizations become more

efTective in'thLir information handling activities, they willincreasingly be able to produce infJrrmation-.mosaics or Pro-files of hJuseholds, property or individuals" (Lopez, 1994)'Con""..t orre. p"rsotiul privicy is increasing as the public be-

comes more aivare of tlie data that are being collected onthem and the uses to which databases are being put withouttheir previous knowledge or consent.

Govemment PracticesGovernment collects detailed records on individuals in order

to accomplish its statutory mandates. As such, there arecountless^ justifiable reasons for Sovernment to amass de-

tailed inf#mation on individuals. It only makes sense that

eovernment aqencies should increase their effectiveness and

Effi"i"tt"y thrJugh the use of computerize.d databases' How-

ever, the pot"t tLI fo. governmeni abuse in the use of de-

tailed databases of perJonal information and the risinginstances of questionable use practices-is leading consumersand public poti"y makers to question the adequacy of exist-

ing privacy protection laws and the ability of governmentagencies to effectively protect the personal information theyhave been allowed to collect.

In addition to legislation, administrative regulations arepromulgated by agencies in accordance with controlling sub-stantive and procedural law in order to provide direction forgovernment administrators in protecting information privacy.Maintaining confidentiality while at the same time comply-ing with open access policies requires the development ofclear and consistent information handling policiei. For ex-ample, the U.S. Census Bureau has, over the years, devel-oped commendable policies aimed at ensuring individualconfidentiality in its decennial census statistics (Nelson,1987, p. 327). This confidentiality has been maintained whileproviding meaningful small area statistics necessary for theprovision of local government services. The Census Bureaualso routinely rejects requests from other federal agencies toassist with computer matching activities (Nelson, 1,982, p,327). These confidentiality policies have engendered a levelof public trust that is critical to the success of future censuscounts. Unfortunately, such regulatory policies have not beennurtured and developed throughout all levels of federal,state, and local government.

Privacy protection is projected to erode at increasedrates at local and state government levels in those instanceswhere these governments are turning to the sale of local gov-ernment data to recover the costs of Gts implementation andmaintenance. Those local governments with experience inselling data to the private sector acknowledge that the data-sets in greatest demand and generating the greatest economicreturn are those that relate to individuals or specific house-holds. In a cIS context, reports indicate that cadastral data(i.e., the household level data that ties ownership informa-tion to the location and physical attributes of the land) hasgreater market demand than other GIS data files (Post andMclaughlin, 1993). In a time of decreasing budgets and pro-grams to rcinvent government, the sale of government datahas become a politically popular means of generating reve-nue (Onsrud, 1,992a; Onsrud, 1992b). When using a revenuegeneration approach as opposed to a marginal cost-recoveryapproach for the dissemination of government information,government has an economic incentive to sell information onprivate individuals with the greatest detail and in thegreatest amount allowed. If the regulation of sale of personalinformation is not closely controlled through privacy lawsand rigorously enforced, the sale of government informationis Iikely to further involve the government's hand in decreas-ing individual privacy both directly and indirectly.

Realistically, it is highly unlikely that agencies at anygovernment level will step up their data protection policieswithout considerable prodding. The government's need to beinformed is in direct conflict with the individual's right to belet alone. This conflict means that government agencies haveIittle incentive to establish strong privacy protection guide-lines on their own because such guidelines inherently limittheir ability to collect and handle personal information.Thus, determining the level of privacy protection required issomething that governments have very little inclination orability to do for themselves (Flaherty, 1989, p. 13). In ad-dressing the level of protection question, privacy scholarshave argued that, as a matter of policy, public agenciesshould collect only that personal information that is neces-sary to carry out their organizational functions. Furthermore,personal information should only be used for the purposes itwas intended and only after receiving express consent of the

10a8

individuals who provided the information (Department ofHealth, Education and Welfare, 1923). Both of these princi-ples were incorporated into the U.S. federal Privacy Act, al-though the consent requirement has recently been weakenedto a notice requirement under some circumstances involvingcomputer matching activities accomplished by federal agen-cies (Computer Matching and Privacy Protection Act of1988). Unless state legislation requires it, state and local gov-ernment agencies are not bound to these privacy principles.

In those jurisdictions in which citizen consent is not re-quired to use personal information for other purposes, thekinds of data handling practices that governments are likelyto further pursue are illustrated by the current uses of com-puterized driver and vehicle registration systems, In somestates, the Division of Motor Vehicles (ovrv) has developedcomputerized driver and vehicle registration systems thlt arehighly effective in tracking residents. The State of Wisconsinnow has the ability to suspend people's driving privileges fornot only refusing to pay traffic fines, but also for failure topay library fees, shovel their sidewalk, or properly trim treesoverhanging a neighboring property (Garfinke, 1994, p. 8Z).In other states, DMVs are being used to undertake such activi-ties as collecting owed back taxes (California), discouragingdropping out of high school (Kentucky), and tracking downchild support payments (New Jersey) (Garfinke, 1994, p. 8Z).Lawmakers around the country have found that DMV tiackingcapabilities are so effective at controlling behavior that theyhave now begun looking for other ways to exercise this new-found power (Garfinke, 1994, p. 127). Some state govern-ments now have the ability to control individual behavior bythreatening to revoke a driver's license for actions unrelatedto driving.

The objective of tracking and correlating government in-formation on individuals obviously serves some importantand socially beneficial ends. However, the practice is trou-bling under the too often prevailing circumstance in whichlittle incentive exists for government personnel to ensure theaccuracy of the data that is being correlated from numeroussources. There also is typically little incentive for govern-ment personnel to encourage effective citizen access to data-bases for the purpose of correcting or challenging data.Detailed government tracking of individuals is particularlydisturbing in those jurisdictions in which increased numbersof state and local agencies are beginning to sell informationresources to those in the private sector whose intent is to usethe information obtained for non-government purposes.

Private and Commelcial Sector PractlcesWidespread integration of personal information by the com-mercial sector was impractical in the past because the infor-mation was contained in numerous disparate and distributedmanual files. From both technical and economic perspec-tives, the building and networking of detailed databaies onall members of a community, their property, and their habitsis now a practical reality. Under current U.S. law, there islittle to prevent those in the private sector with the resourcesto do so to cross match your name, address, height, andweight from your drivers license file (allowed in many states)with your scanned image (taken from any available photoidentification card); cross match that with your zIp++ addresslocation provided by the Census Bureau; cioss match thatwith cadastral, taxation, and facilities records provided byIocal governmenq cross match that with the scinned bar-code purchases you make at grocery and other retail stores;cross match that with your social security number (which

most of us have voluntarily released many times over to thecommercial sector); and cross match that with any of thehundreds of other electronic databases that are being useddaily to keep track of everything from magazine subscrip-tions to gasoline purchases. The practice of compiling allthis infoimation will become easier and more common withfurther development of networks and databases. Extensivecrossmatching is already occurring and the practice is grow-ing rapidly.

Detailed personal and household information has beencompiled by ihe commercial sector for most economicallyactive U.S. residents and households. Equifax, TRW, andTransunion are the big three credit reporting companies inthe U.S. while Claritas and National Decision Systems arethe most visible marketing companies with close ties to thecredit reporting companies. For example, National DecisionSystems keeps track of the following data categories on indi-viduals and households: address, phone number, age, gender,ethnicity, religion, children's ages, smoking habits, veteranstatus, marital status, household income, dwelling type, buy-ing habits, and lifestyle (Equifax and National Decision Sys-tems, 1992a, 1s92b, Lgg2c, 1992d, 1993). Such commercialfiles, with varying degrees of detail, are available on over 140million Americans in approximately 100 million households(Equifax and National Decision Systems, 1992b, 1992c,1902d). Typically, a buyer of information designates a com-bination of qualifying information in any or all of the infor-mation categories for one or more zip-code areas andreceives a list of addresses meeting the criteria. Names corre-sponding to the addresses typically are not supplied by themajor information service companies but are readily accessi-ble'in most instances by accessing either local or nationalphone directories available on CD RoM. At least one informa-iion company offers a GIS package that can. integrate many ofthese types of information for direct marketing, retail loca-tion, anil other purposes (Equifax and National Decision Sys-tems, 1993). Some of the personal data in these datasets isaggregated or inferred information; however, many of t!'emiioicommercial datasets contain actual activity or behaviorinformation on individuals that has frequently been verifiedfrom multiple sources.

Sorts by the national data service companies for a spe-cific purpose appear to be reasonably priced, and such infor-mation is gaining widespread use for numerous business andcommercial applications. It is prohibitively expensive atpresent to build your own detailed database for a commun_ityby purchasing the detailed data on individuals from one ofthe-national commercial databases. However, it should benoted that many private businesses are now building theirown marketing databases and, indeed, the fastest growingsegment in the GIS industry in the U.S. is the commercialsector (GIS World, 1993).

Within the commercial sector, personal information isbeing used in conjunction with geographic information sys-tems for many applications in marketing, insurance, retail-ing, banking, real estate, utilities, and other industries(Eitenbichler, 1993). These applications are diverse and oftenvery innovative. For example, one information company rec-ommends an application where customets' license platenumbers can be recorded at the site of business, and latercorrelated with name, address, census tract, and other infor-mation in a GIS (Melucci, 1993). One can envision future ap-plications, where cameras in drive-through establishmentsmight scan license plate numbers of customers, and havepersonal files available before the customer receives service.

PE&NS

Numerous additional commercial opportunities exist for us-ing personal information in geographic information systemswiihout the knowledge or consent of the individual.

Intemational PenpectivesThe increasing transborder flow of data will require harmo-nized guidelilies between trading nations-to ensure the pro-tection-of personal data while also providing-support and.favorable Conditions for economic activity. The Organizationfor Economic Cooperation and Development (oncn), of whichthe U.S. is a member, has adopted principles aimed at pro-tecting personal data among advanced industrial nations(Flahelty, 1989, p. 11). The European Community is cur- .rently considering even stricter rules under a CEC P-roposalon tlie Protection of Personal Data (Pearson, 1991; Rosen-baum, 1992, p. 5). The CEC proposal, however, illustrates thedifficulty in reaching a common position among nations.,TheEuropean member sfates differ in their views on personalprivacy. Only six of the twelve nations currently have na-tional hata privacy laws, and these vary in approach andscope. Some countries such as the United Kingiom' Poriu.-eal, and The Netherlands have relatively liberal laws, while6thers like Germanv have quite restrictive laws (Madsen,1992, pp. 333-650). There are also cultural differences influ-encing the definition of privacy in each- of the nations. How-ever, it should be noted that the general trend in WesternEurope is to be far more restrictive than current U.S' law.

Although the stricter Western European privacy-law^shave proven to be effective at maintaining high levels of pri-,racy, ihe effects and advisability of similar reg\lations in theU.S. are uncertain. Privacy regulations inherently hinder,limit, or eliminate a range of economic activities. Some com-mentators have argued that the stringent requirements-beingproposed for international dealings will have severe effectsin dampening current and future eco-nomic opportunities(Rosenbaum,-1.552, p' 9). There is a fear that restrictive Euro-pean Data protection policies may place North American da-tabase marteting industries at a disadvantage. National lawsor Communitv oJ European Communities (cEC) measures thatrestrict the trinsfer of national datasets to countries whichdo not maintain the same level of protection could impairthe successful growth of U.S. database marketing activitiesabroad (Potvinf rosr, p. 98). One counter argument is thatmuch of the bias in dealing with U.S' firms will rapidly dis-sipate when U.S. law provides a comparable degree of infor--ation privacy protection in the commercial sector to thatbeing pioposei ly the European Community (Trubow, 1992).

Societal lmportance of Personal PilvacyThe importance of privacy has been the subject of muchstudy in recent yeais (Post, 1989; Wacks, 1989; Trubow,1990; Rotenbery, 1991; Rotenberg, 1993; Reide-nberg, 1992;Tuerkheimer, 1bg3). Privacy advbcates argue that personalprivacy is essential to preserving constructive social andiommunity interactions and will be critical to maintaining.tenable democratic societies in a modern world (Post, 1989).Some argue that social control through information systemsis indeel a real threat and that extensive collection of per-sonal data is likely to lead to a society that promotes homo-geneity by discouiaging actions that are perceived,negatively6y the milority. The rampant c-ollection and use of personaliriformation by government and commercial institutions sub-stantially incr-eaies the likelihood of a "... conformist, roboticpublic seeking to avoid exposure to the risks.inherent iniunctioning in society" (Trubow, 1990). Detailed information

gathering on all individuals in society by the commercialsector and government and the ability to quickly constructdossiers on individuals will have a "chilling effect" on ourwillingness to deviate from the norm and on our willingnessto question authority. The purpose of such compilations is tomanipulate the individual, not to improve the ability of thedata subject to act and decide (Simitis, 1.987, p. 733). Aware-ness that minute records of activities are being recorded isby itself probably enough to influence behavior and hinderthe discourse of individuals (Simit is, 19S7, p. 723). Socialworth becomes increasingly measured by data profiles ratherthan through personal interactions, and human dignity islost. Diversity in opinions, perspectives, and experiencespromotes innovative ideas, and yet the productivity resultingfrom diversity decreases in a society in which detailed data-bases have the effect of decreasing risk taking by individuals.Over time, inability to control information about ourselveswill make us passive citizens rather than active participantsin society. Thus, in order to maintain viable democratic soci-eties in a modern world, information privacy is the pricethat must be paid to secure the ability of citizens to commu-nicate and part icipate (Simit is, 1987, p.746).

The claim is made that the commercial sector in the U.S.already has "... become heavily intrusive, gathering and ex-changing personal information about individuals without re-gard to the harm it may cause" (Graham, 19S7, p. 1395).Individuals that do not want their everv purchase. move-ment. hobby, or pol i t ical bel iefs known already are beingforced to resort to efforts to conceal their lives and beliefs.Privacy advocates further aigue that those who lack the re-sources, knowledge, or will to conceal their private and fi-nancial lives will be coerced into a position bf avoidingcontroversial or unpopular act ivi t ies (Graham, 1987, p. 1396)or, based on their unfavorable recorded Drofiles. will be ex-cluded from sharing in certain economii and social benefits.Because government is increasingly able to purchase addressIists and other personal data collected by the commercialsector, the boundaries between public and private collectionof personal data have also become very blurred. Privacy ad-vocates argue that democratic principles of governance willincreasingly suffer as information surveillance becomes theorder of the day and improper uses of personal informationrncrease.

Those opposed to expanded privacy rights for individu-als argue that the dangers of detailed databases are greatlyexaggerated, far-fetched, and unlikely to effect the fabric ofAmerican democracy. The benefits to be gained through re-sponsible use of databases containing detailed personal datafar outstrip the largely subjective and non-quantifiable rightsin personal privacy. Abuses in use should be controlled butnot data collection itself. They further argue that it is farmore beneficial for society to deal with privacy abuses on acase by case basis than to restrict database building and theeconomic efficiency benefits deriving from expanded data-bases. Regardless of how the debate is eventually resolvedconcerning the best means of protecting information privacy,the underlying social reasons for protecting personal privacyare probably as valid today as they have ever been.

Legislation and Self RegulationThe scope and effect of U.S. privacy protection laws are fre-quently criticized (Berman and Goldman, 1989; Flaherty,1989; Trubow, 1990; Rotenberg, 1991; Madsen, 1992). Therehave been many calls for new legislation that would activelyrequire and enforce greater protection of personal privacy in

1084

both the public and private sectors. A recent study estimatesthat during 1992 there were approximately one thousandbi-lls in state legislatures nationwide attempting to restrict da-tabase management activities (Direct Marketing Association,1992, p. 167). While most of these efforts target specific com-mercial database marketing activities, the public's intoler-ance of intrusive activities is increasing. This increase inpublic vigilance is a warning to both government and indus-try to reassess their information management activities.

The questionable acts of some businesses are invitingstrict control of the entire information industry. For example,there are frequent calls for omnibus privacy legislation simi-lar to the federal Privacy Act to apply generally to publicagencies at all levels and to the private sector (Rubin, 1988,p. 135; Flaherty, 1989, p. 309; Rotenberg, 1991). Typically,one or more privacy commissions is envisioned as a meansfor elforcing the legislation and resolving privacy complaints(Trubow, 1989; Reidenburg, 1992, p. 242). Such legislalionhas been enacted in several European countries (Flaherty,1989; Madsen, 1,992), and the European Community hasdrafted a Data Protection Directive ihat would require suchIaws in all member countries. If applied to the commercialand government sectors in the U.S., this approach could po-tentially require all those managing geographic informationsystems containing any amount of personal data to be sub-jected to a series of bureaucratic processes and the adminis-tration requirements and authority of newly institutedprivacy commissions. While privicy legislition would be tar-geted at preventing inappropriate uses of personal informa-tion, the bureaucracy of implementing and enforcing the lawhas thehas the potential to place unnecessary burdens on legitimateuses of information in seoeraphic information svstems. Al-geographic information systems. Al-though political pressure is building to apply omnibus pri-vacy regulation to the commercial sector, legislators shouldproceed cautiously. While such measures may provide a rea-sonable level ofsonable level of privacy protection, the costs to governmentand industry of the provision of public and private servicespublic and private serviceswould be markedly affected. Moreover, the impact of such aproposal on the competitiveness of the U.S. information in-dustry is unclear.

Rotenburg argues that the right of privacy should be de-fined in a modern world as "the right of the individual tocontrol the disclosure of Dersonal information. and to holdthose accountable who -'irnse information, breach a confi-dence, or who profit from the sale of information withoutfirst obtaining the consent of the individual" (Rotenberg,1991, p. 80). The consent requirement is a significant depar-ture from current U.S. commercial practice and law. Al-though the requirement is being imposed in Western Europe,legislative attempts in the U.S. to limit the personal informa-tion that the commercial sector may collect have invariablybeen converted into requirements to ensure the accuracy oithe data collected or to impose other conditions concerningthe use of the information (Post, 1989, p. 1009). The banningof private organizations from collecting personal informationwithout consent has never been imposed in the U.S. on awide scale basis. The consent requirement, if applied to thecommercial sector, would mean that data collected by onecompany could not be transferred to another company with-out the explicit consent of those individuals identified in thedatabase by name, social security number, address, or similaridentifier. The requirement would significantly alter themeans the commercial sector uses in cross matching datasets.One can envision an eventual commercial regime developingin which individuals set the price on their own privacy. Foi

example, one might explicitly agree with an informationclearinghouse to give up certain personal information in re-turn for a small fee for each piece of "junk mail" receivedfrom businesses with whom one has never done business.

The foregoing comments raise the question whether newlegislation needs to be written to redraw the legal line be-tween "permissible exchanges of personal facts" versus "im-permissible intrusions on privacy." Although the form theywill take is yet unanswered, revisions to privacy laws in theU.S. are seen as essential by commentators on both sides ofthe privacy debate. Regardless of the form such laws eventu-ally take, the cIS community should start implementing andgaining experience with sound privacy practices through anincremental process. The process should begin with the ex-pedient development and adoption of appropriate privacypractice guidelines for the industry. The GIS communityshould not wait for privacy issues to reach crisis levels be-fore taking action. If the industry is active in imposing rea-sonable information privacy practices on itself, eventual lawsfor controlling the detrimental effects of cIS on privacy areless likely to restrict the beneficial uses of cIS or will restrictthem to a far lesser extent.

Self regulation is desirable because it is likely to resultin an industry standard that is less restrictive and moreadaptable to changing circumstances than a standard im-posed by legislation or administrative rulings. Successful selfregulation would demonstrate industry responsibility in ad-dressing privacy concerns and would help ensure continua-tion of the social benefit image that geographic informationsystems currently enjoy.

The first step in creating an atmosphere of self regula-tion of the use of personal information in cIS is to developguidelines or policies. As there are many professions andcountries concerned about privacy protection, there are sev-eral sets of guidelines that may be consulted in the develop-ment of privacy guidelines for the GIS industry.

Pilvacy Protection GuidelinesThe more prominent information privacy protection guide-lines include the U.S. Code of Fair Information Practices, theoncn Guidelines on the Protection of Privacy and Transbor-der Flow of Personal Data, the Association for ComputingMachinery Code of Ethics and Professional Conduct, the Di-rect Marketing Association Guidelines, and the EuropeanCommunity Draft Council Directive on the Processing of Per-sonal Data. These sets of guidelines have many similarities,but also important differences. Examination of these privacyprotection guidelines can provide insights into the sort ofguidelines that would be appropriate for use in coniunctionwith geographic information systems.

Code of Falr Infomation PtacticesIn 1973, the Code of Fair Information Practices was proposedfor use in government automated data systems by the U.S.Department of Health, Education, and Welfare (unw). Thefive privacy protection principles contained in those guide-lines were

a There must be no secret personal data recording systems;o Individuals must have a means of learning about their stored

oersonal information, and how it is used;o tlonsent should be required for secondary uses;o Individuals must have a means of correcting personal

information; anda Data controllers must maintain data and ensure data security.

(Department of Health, Education, and Welfare, 1973)

PE&NS

While these guidelines were suggested in the dawn of thecomputer age, they were incorporated into the Privac_y Act of1,g7i.'fhe principles are still largely applicable to federalagencies today.

0EGD Guldellnes on the Protectlon of Prlvacy and Transbodel Flow of PerconalDataThe Organisation for Economic Cooperation, and Develop-ment (onco) is an organization consisting of z+ leading in-dustrialized nations,lncluding the United States, Canada,

Japan, Australia, and many European countries. In 1980 theoncn adopted a set of privacy guidelines' Tle guidelineswere meant to apply to personal data in boththe public andprivate sectors and were meant to be regarded as minimum^standards

capable of being supplemented by additional prl-vacy protection measures in each member nation. The U.S'votedwith the majority in recommending adherence to theguidelines, and the OECD Guidelines on the Protection of Pri-iacy and Transborder Flow of Personal Data are still fre-quently suggested as one of the most gppropriate sets ofprinciples lor implementation and enforcement in the U.S.(Rotenberg, 1S93, p. 64; Madsen, 1992, p. 195; Tuerkheimer,1gs3, p. zt). The OECD guidelines are composed of eight ba-sic principles:

. Collection Limitation PrincipleThere should be limits to the collection of personalinformation. Collection should be lawful, fair, andwith the knowledge and consent of the individual'

o Data Quality PrincipleData should be relevant, accurate, complete, and up-to-date.

. Purpose Specification PrincipleThe puipose of the information should be statedupon collection, and subsequent uses should be lim-ited to those purposes.

. Use Limitation PrincipleThere should not be any secondary uses of personalinformation without the consent of the data subjector by the positive authorization of law.

o Security Safeguards PrinciPlePersonal data should be reasonably protected by thedata collector.

o Openness PrincipleDevelopments, practices, and policies with respectto personal data should follow a general policy ofopenness.

o Individual Participation PrincipleData subjects should be allowed to determine theexistence of data files on themselves and be able toinspect and correct data.

o Accountabil ity PrincipleData controllers, whether in the public or privatesectors, should be held accountable for complyingwith the guidelines.

(Organisation for Economic Cooperation and Develop-ment, 1980)

These principles are quite comprehensive and technol-ogy indepeirdent; they may be applied to the protection ofpiinacy in geographic information systems as well-as anybther information technology. It should be noted that theoEcD principles logically extend and expand those articu-lated by HEW in 1973. The fundamental principlesfor pr-o-tecting personal privacy have not changed greatly from thistime peiiod. The most significant change appears to be in-creased calls for application of the fundamental principles to

the private sector. Calls also have been issued advocating theapplication of similar privacy protection principles in devel-oping the National Information Infrastructure (American Li-brary Association, 1993).

ACM Code of Ethics and Pmfe$ional ConductBecause of concern with use of personal information by theprivate sector, professional organizations have begun to alsoaddress the privacy issue. The Association of Computing Ma-chinery (acu) recently adopted a Code of Ethics and Profes-sional Conduct for its members (Anderson et aL.,7992). Aquestionnaire requiring responses to a wide range of hypo-thetical ethical conflict scenarios was widely distributedamong computer professionals (Parker et o/., 1990). Re-sponses to the questionnaire and proposed provisions in thecode were widely discussed at conferences and in the profes-sional literature prior to passage. Although the code coversnumerous topics, the provision on ethical conduct relative toprotecting individual privacy now states that computing pro-fessionals should

... take precautions to ensure the accuracy of data ... protect itfrom unauthorized access ... allow indlviduals to review andcorrect their records ... [and] not use personal information gath-ered for a specific purpose for other purposes without consentof the individual (Anderson et al., 1993).

These provisions are very closely related to the oECD guide-lines. Most notably, secondary use of personal informationwithout consent is deemed unethical professional behavior.

Marketlng Communlty GuldellnesThe Direct Marketing Association has also developed guide-lines to advise its members of practice deemed acceptable byits membership. The provision relating to personal informa-t ion states:

An individual shall have the right to request whether personaldata about him/her appear on a direct marketer's files and re-ceive a summary of the information within a reasonable time af-ter a request is made. An individual has the right to challengethe accuracy of personal data relating to him/her. Personal datawhich are shown to be inaccurate should be corrected (DMAGuidelines, Article 4).

These marketing guidelines are far Iess stringent than theprevious guideline examples because there is neither a re-guirement to notify data subjects nor a limit on secondary

Cespedes and Smith (1993) argue that the marketingcommunity in its own interest must go much further in pro-tecting the privacy of individuals that are included in mar-keting databases. They are advocating wide scale adoptionby, the U.S. marketing community of the following generalprrncrpres:

Rule 1: Data users must have the clear assent ofthe data subjectto use personal data for database managementpurposes.Rule 2: Companies are responsible for the accuracy ofthe datathey use, and the data subjects should have the right to access,verify, and change information about themselves.Rule 3: Categorizations should be based on actual behavior aswell as the more traditional criteria of attitudes, lifestyles, anddemographics.

They go on to state that Rule 1 includes the followingcorollaries:

. Companies should avoid deception and secrecy in datacollection,

1090

o Targeted consumers should know the marketer' source for in-formation about them.

o Individuals should have the opportunity to opt out of subse-quent uses of data, and

. A consumer's assent to data use by one company does notautomatically transfer to companies sharing that information.(Cespedes and Smith, 1993, p. 16)

- Once again we see expressed the same set of long articu-lated privacy principles, although here they have beenadapted to a specific information use domain.

Inbmatlon Industry Assoclatlon (llA) Fah Infomatlon Practlces GuldellnesThe Information Industry Association has adopted a set offair information guidelines that consists of five general prin-ciples. Essentially, the principles encourage private compa-nies to (1) establish a policy on fair information practicesand monitor compliance with iU (2) protect personal infor-mation against unauthorized access, use, modification, dis-closure, or destruction and ensure that others to whompersonal information is transferred provide comparable pro-tection; (a) disclose to data subjects the intended use of thepersonal information acquired from them or, if acquired fromother than the data subiect, use the information only for pur-poses consistent with the purposes of its initial acquisition;(4) maintain the highest level of information quality consis-tent with industry practice and customer needs; and (S) im-plement an inquiry and inspection procedure for datasubjects {Information Policy Online).

The ILA publishes their Fair Information Practices Guide-lines along with a commentary and an 18-point checklist inorder to help companies to improve their information prac-tices. Similar to the Marketing Community Guidelines, theburdens imposed in these guidelines in meeting informedconsent and in protecting and correcting data are substan-tially less than the requirements recommended in most ofthe competing guidelines.

t{ll Working Gruup on PrtvacyCurrently, the Working Group on Privacy of the interagencyNational Information Infrastructure (Ntt) Task Force is updat-ing the privacy provisions of the previously discussed Codeof Fair Information Practices. The working group recentlycirculated a draft of "Principles for Providing and Using Per-sonal Information" (ntr Gopher/Bulletin Board). The goal ofthese principles, similar to that of the original Code of FairInformation Practices, is to provide a broad framework foraddressing privacy issues that spans all sectors of the econ-omy, including all public and private entities. It is hopedthat legislators, regulators, and companies will consuli thisbasjc set of responsibilities and relationships as they developcodes of practice to meet specialized circumstances. The pro-posed principles and accompanying commentary are muchmore specific than the previous Code of Fair InformationPractices and have been framed to apply primarily in thecontext of data handling over the National Information Infra-structure. The current draft (|une 1994) includes principlesorganized under the following headings:

L General Principles for the National Information Infrastruc-ture

A. Information Privacv PrincioleB. Information Integriiy Principles

II. Principle for Information Collectors (i.e., entities that collectpersonal information directly from the individual)

A. Collection Princiole

III. Principles for Information Users (i.e., Information Collectorsand entities that obtain, process, send, or store personal in-formation)

A. Acquisition and Use PrinciPlesB. Protection PrincipleC. Education PrincipleD. Fairness Principles

IV. Principles for Individuals who Provide Personal InformationA. Awareness PrinciplesB. Redress Principles (urr Gopher/Bulletin Board)

The principles go further in protecting personal privacythan those being recommended by the Information IndustryAssociation or the marketing community. However, noticea-bly lacking in the principles is the requirement of explicitconsent in the situation where personal information is trans-ferred to a third party. Instead, a middle Sround position is

taken in which data collectors are required to inform indi-viduals what they "expect" personal data to be used for andmust provide the informed opportunity for individuals tolimit data use if a sqbsequent intended data use is incompat-ible with the original purpose for which it was collected.The accompanying commentary goes on to explicitly pointout that "... before incompatible uses occur, they must eitherbe authorized by taw or the individual data subject shouldbe notified so that he or she can opt out of such use" (nTn

Gopher/Bulletin Board, paragraph 28). However, the interpre-tation of whether subsequent use is incompatible with theoriginal purpose for which it was collected appears to be leftorimarilv in the hands of the data user rather than in theiata sublect, from a practical perspective. The guidelines as-sume that, within the bounds of the "original purpose of col-lection," the secondary use of personal information and thetransfer of personal data to third parties will be very com-mon and should be expected by individuals providing per-sonal data.

To avoid confusion, it should be noted that the NationalTelecommunications and Information Administration (rurn)'

an agency of the federal executive branch, also is currentlyexamining privacy issues. However, their study and pro-posed poliry positions are focused specifically on the mediaand telecommunications industries.

European Community Draft Council Dilective on the Prccessint of Pesonal DataFinallv, the cIS communitY should be aware of the informa-tion piivacy principles being advocated and legislated in theinternational arena. In ]uly 1990, in an attempt to addressdifferences in the national privacy legislation among thenations of Europe, the European Community presented to theCouncil of Europe a draft directive concerning the protectionof individuals in relation to the processing of personal data.The eventual goal is that all European nations will alter theirnational laws to conform to a common set of privacy princi-ples. Consistency in laws is necessary in order to more read-ily transfer data among nations and to accomplish a unifiedEuropean market.

Maior sections included in the Directive include thoseaddressing the lawfulness of processing personal data in thepublic sector, the lawfulness of processing personal data inihe private sector, the rights of data subjects, data quality,provisions specifically relating to certain sectors, liability-andsanctions, and the transfer of personal data to parties in thirdcountries (Council of the European Communities, 1990)'Most germane to the present discussion are the general rightsto be granted to data subjects in all nations adhering to the

PE&R5

Directive. Article 14 states that all member nations of theEuropean Community shall grant a data subject the followingrighti relative to proiessing of personal data in both the pub-lic and private sectors:

1. To oppose, for legitimate reasons, the processing of personaldata relating to him.

2. Not to be subject to an administrative or private decision in-volving an asiessment of his conduct which has as its solebasis the automatic processing of personal data defining hisprofile or PersonalitY.

3. io know of the existence of a file and to know its main pur-poses and the identity and habitual residence, headquarters,or olace of business of the controller of the file.

e. To obtain at reasonable intervals and without excessive de-lay or expense confirmation of whether personal data relat-ing to him are stored in a file and communication to him ofsrrih data in an intelligible form' The Member States mayprovide that the right of access to medical data may be exer-cised only through a doctor.

5. To obtain, as thJcase may be, rectification, erasure, or block-ing of such data if they have been processed in violation ofthe provisions of this Directive'

6. To obtain upon request and free of charge the erasure of datarelating to him held in files used for market research or ad-vertising purposes.

7. To obtain, irithe event of the application of paragraph s andif the data have been communicated to third parties, notifica-tion to the latter of the rectification, erasure, or blocking.

8. To have a iudicial remedy if the rights guaranteed in this Ar-ticle are infringed.

Article 12 ensures that any consent given by a data subject to

use personal information is "informed consent" and Article

t3 s^pecifies the minimum information that mus-t be syPPliedto a hata subject at the time personal data is collected from a

subject.-The European Draft Council Directive is far from being fi-

nal. The current draft has been rejected by the European Par-

liament and is currently undergoing revision (Bradgate, -1994)'The current draft has b-een severely criticized for going far be-yond the level of protection necessary tg he1{ off likelyincur-

iionr o.t personal privacy. The next draft is likely to be less-

stringent in protecling personal data, but the degree to which

it will be watered down is yet difEcult to predict.

Privacy Protection Principles for the GIS CommunitySpecific to geographic databases, one might ponder whetherlarge scale ieriil ptrotography, orthophotography, and highresolution remote sensing imagery raise privacy concernsand therefore should be iubjected to some form of societalcontrol. For instance, Dow Chemical v United States con-cerned aerial photography of a Dow Chemical facility whereDow claimed ih"t tf," iollection of high detail imagery overtheir site was an invasion of privacy and a violation of theirFourth Amendment rights. Although the District Court heldthat the aerial photography was a "violation of Dow's reason-able expectation of p'*rivacy and an unreasonable search in vi-olationbf the Fourth Amendment," the U.S. Supreme Courtheld that the "open field" doctrine applied to the case, andthere was no invasion of privacy (Dow Chemical v. U'S.,1986). We contend that the finding in this case was appropri-ate and that there should be little legal control over the datathat may be collected through conventional forms of aerialmapping and imaging systems, whether by government orthe private sector.

it ir pe.to.t"l attribute information extracted hom aerial

imagery that may infringe upon a citizen's privacy ratherthan the imagery itself. Personal information extracted fromaerial imagery would necessarily be subject to any guidelinesproposed for regulating the uses of personal information inconjunction with geographic data handling. However, pri-vacy guidelines should not extend into the realm of placinglimits on imaging technology itself or placing limits on thescale of imagery that may be collected. To do so would behighly impractical, and any privacy benefits likely to accruewould be far outweighed by the detrimental effects of nothaving such imagery available. Rather than resorting toguidelines or legislation that extend into this domain, use ofgeographic data that infringes on the existing privacy rightsof individuals should be dealt with by the courts on a caseby case basis.

In a sense, the general principles for the protection of in-formational privacy in the U.S. in the use of cIs have alreadybeen developed. The following list was developed by observ-ing common threads in the privacy protection guidelines andlaws that have already been recommended by others for theinformation industry generally. The principles are an attemptat a middle ground approach that considers not only the pri-vacy needs of individuals but also the needs of governmentand commercial interests to have access to personal informa-tion. In the following guidelines, "personal data" means anyinformation relating to an identified or identifiable individualor household.

Because the OECD Guidelines have already been agreedto in principle by the leading industrial nations of the world,those principles provide a rational basis upon which to baseprivacy guidelines for the cls community. Following closelythe language of those guidelines, we recommend adherenceto the following fundamental principles in handling personaldata in the cls community:

o Collection Limitation PrincioleThere should be limits inihe types and extent of personalinformation collected for, contained within, or used in con-junction with geographic information systems. Collectionshould be lawful, fair, and with the knowledge and consentof the individual.More soecificallv, no data identifiable to individuals orhousehblds should be collected or maintained in a cts that

' relates to family matters, child rearing and education, mari-tal matters, procreation, or contraception. Further, no datashould be collected in a cIS on individuals or households ifthe exposure of the data, even if true, is likely to causemental suffering, shame, or humiliation to a person of ordi-nary sensibilities or if exposure is likely to interfere withthe ability of the data subiects to make fundamentalchoices involving themselves, their families, and their rela-tionshios with others.Data oi individuals or households regarding age, gender,ethnicity, religion, health, marital status, and consumerpurchases are specifically allowed to be collected and proc-essed in conjunction with the use of cIS, provided thatsuch collection and processing do not otherwise breach therequirements of the preceding paragraph and are accom-olished in strict accordance with the other provisions im-posed bv this code.

o Dala Quality PrinciplePersonal data should be relevant to the purposes for whichthey are to be used. To the extent tt"""tiary for those pur-poses, personal data contained within or used in conjunc-tion with a geographic information system should beaccurate, complete, and up-to-date.This principlip.esrrpposei that the purposes of personaldata use must be explicitly articulated prior to collectionand that personal data are not to be collected for future un-

LOg2

known or speculative pu-rposes. If personal data cannot bemaintained as accurate, complete, and up-to-date, this prin-ciple requires that the personal data be expunged from thesystem.

. Purpose Specification PrincipleThe purposes for collecting personal information should bestated upon collection. In most instances, this statementshould be made directly to the data subject from whom thedata is being collected. Subsequent uses of personal datashould be limited to those purposes or to those purposesthat are not incompatible with the original collection pur-poses.

o Use Limitation PrinciolePersonal data should not be disclosed to others, madeavailable to others, or used for purposes ot}rer than forwhich the data were collected without the explicit consentof the data subject or by the positive authorization of law.Consent to the transfer of personal data to others must beinformed and the data subiect should be allowed to with-draw consent at any time.

o Security Safeguards PrinciplePersonal data should be reasonably protected by the datacontroller/administrator. Security safeguards should be pro-vided by the GIS controller against such risks asunauthorized access, destruction, use incompatible withoriginal collection, and unauthorized modification of data.

o Openness PrincipleDevelopments, practices, and policies with respect to per-sonal data should follow a general policy of openness. Se-crecy in collecting data and deception in obtaining consentmust be.avoided. The cls controller should be able to read-ily determine the existence and nature of personal datacontained in the system for any specific individual, and thesystem should keep track of the sources from which dataabout individuals and households has been obtained.

o Individual Participation PrincipleData subiects should be allowed to determine the existenceof data files on themselves and be able to inspect and cor-rect data at no cost or marginal cost. Upon request to thects administrator, data subjects should be provided withthe sources from which data about them has been obtained.

. AccountabilityPrincipleGIS data controllers, whether in the public or private sec-tors, should be held accountable for complying with theseguidel ines.

We recommend that these fundamental principles bediscussed, revised as necessary, and then formally incorpo-rated into the professional codes of conduct of professionalsand practitioners affiliated with the cIS community. Other in-ternational, national, and commercial guidelines should ad-ditionally be referenced when working within a particularcontext, such as direct marketing.

The cIS industry should explore means for encouragingand extracting compliance with the guidelines. One meanswould be for professional organizations or industry groups togrant a "Good Data Handling Seal of Approval" to thosebusinesses and government agencies complying with the pri-vacy guidelines (analogous to the "Good HousekeepingSeal") (Cespedes and Smith, 1993, p. 20). Existence of theprogram should be widely advertised and promoted through-out the industry and to the public. Conversely, professionalorganizations and industry groups should "... publicize andostracize bad practice" (Cespedes and Smith, 1993, p. 20).Perhaps an award analogous to former Senator Proxmire's"Golden Fleece Award" might be appropriate in cases wherehighly questionable business practices in violation of the co-de's provisions have caused substantial damage to the pub-lic's trust in the industry.

Adoption of the proposed guidelines would show a seri-

ous commitment by the GIS community to protect informa-tional privacy. The cIS industry needs to ensure thatgeographic information technologies do not become part ofitre p.oltem rather than part of the solution in addressing so-ciety's pressing social needs. Through self regulatiol 9f ap-propriate privacy practices, the GIS community can helpensure thal cts technologies and databases will continue tobe perceived as socially desirable and beneficial.

SummaryThe vasi collection, maintenance, and dissemination of per-sonal information by government and industry has increasedpublic suspicion that their personal information privacy iseroding. Personal privacy is an issue that will continue togrow in importance as the potential for invasive informationLandling grows and the public becomes more aware of thethreats to their personal privacy.

The privacy regulations of individual countries reflectnational differenceJ in culture, politics, and the expectedroles of their institutions. However, as trade in informationcommodities becomes increasingly important internationally,the need for international data protection standards increasesdramatically. It is important that the U.S. become a leader inshaping these standards. U.S. policy makers must craft a so-lutibn ihat effectively balances amo.tg the right to privacy,the right of citizens to access Sovernment information, andeconomic interests of the nation. Such a solution must pro-vide information privacy for the American people withoutdestroying the competitiveness of our information industries(Potvin, 1991, p. 98).

GeographiC information systems are contributing to.theinformation privacy problems currently confronting- socie-ty.Uncertaintiei in curr-ent privacy law in the U'S. and confusionover the appropriateness of various privacy protection prac-tices are significant impediments to the development, sharing'and integration of geographic data sets. Although most GIS ap-plicationl are view-ed by the public as socially beneficial,ma.ry

"rrrre.tt and future applications may be considered as

highiy intrusive. "... Failure to reassure a skeptical publicab"oui the civil liberties implications of new information tech-nologies may make it impossible to put promising technologi-cal solutions to work" (Flaherty, 1989, p. 309). The GIScommunity has a substantial interest in maintaining citizen -trust in geographic information technology' To maintain andearn thai trust, reasonable privacy policies need to be estab-lished and implemented in deveioping spatial databases andin networking them with other databases. Awareness ty 4"ctS community of privacy protection issues will promote fairinformation practices generally and prepare the GIS commu-nity to have i voice in the drafting of future privacy lugr.s|l-tion. Adoption and promotion of privacy protection guidelinessuch as those set forth in this article will contribute to thelong term health and growth of the GIS industry.

AcknowledgmentsThis work is based upon work partially supported by the Na-tional Center for Geographic Information and Analysis(NCGIA) under NSF grant No. SBR 88-10917. Any opinions'_findings, and conclusions or recommendations expressed.inthis miterial are those of the authors and do not necessarilyreflect the views of the National Science Foundation,

RefelencesAmerican Library Association, 1993. Principles for the Development

of the National Information Infrastructure, Proceedings from the

PE&RS

Telecommunications and Information Infrastructure Policy Fo-

rum, 8-10 September, ALA, Washington, D'C'

Anderson, R.E., G. Engel, D. Gotterbarn, G.C. Hertlein, A' Hoffman'

B. fawer, D.G. Johnson, D.K' Lidtke, J.C. Little, D. Martin' D'B'Parker, |.A. Perrolle, and R.S. Rosenburg, 1992' ACM Code ofEthics and Professional Conduct, Communications of the ACM'33(5):94-99.

Anderson, R.E., D.G. fohnson, D. Gotterbarn, and f' Perrolle, 1993'

Using the New ACM Code of Ethics in Decision Making, Com-munications of the ACM, 36(2):98-107.

Berman, J., and l. Goldman, 19s9. A Federal Right of InfotmationPrtvaiyt The Need for Reform, The Benton Foundation, Wash-ington, D.C.

Bradqate, R., 1994. Privacy and Telecommunications, working paper,Jniversitv of Sheffield, Sheffield, U.K.

Cespedes, f.V., and H.f. Smith, 1993. Database Marketing: New'Rules for Policv and Practice, Sloan Management Review,34(4):

7-22.Council of the European Communities, 1990. Proposal for a Council

Directive Conceining the Protection of Individuals in Relation to

the Processing of Peisonal Data. OfEce of OfEcial Publications ofthe European Communities, Luxembourg.

Dansby, H. Bishop, 1991. Informational Privacy and GIS, AnnualConference oi the URISA, URISA, San Francisco, California, 4:78-28.

Deoartment of Health, Education and Welfare, !973' Records, Com-' puters, and the Riglts of Citizens, U.S. Government Printing Of-hce, Washington, b.C., is reported in Tuerkheimer (1993)'

Direct Marketing Association, Tgg2. 1991-1992 Compendium 9f G9v-ernment Iss"ues Affecting Direct Morketing, Direct Marketing As-sociation, New York, asleported in Cespedes and Smith (1993)'

p. 10.Doyle, Charles, 1990. Privacy in the Age of Computers, CRS Review'

July/August, PP. 6-8'

Eitenbichler, S.B. (editor'|, 1993. GIS rn Business '93 Conference Pro'ceedings, GIS World, Inc.

Eouifax and National Decision Systems, 1992a. Introducing Dircct- Marketing Solutions, Equifax, Inc., Atlanta.

7gg2b. Polk Totalist File Rate Card, Equifax, Inc', Atlanta'

7992c. Metromail Rate Card, Equifax, Inc., Atlanta'

7992d. MicroSelects* Database Rate Catd, Equifax' Inc', At-lanta.

1993. InloMork-GIS: Tomottow's Technologlt fot Today'sBusrhess Success, Equifax, Inc., Atlanta.

Flaherty, David H., 7g1g. Protecting Privacy in Surveillance Socie-tiei,fhe University of North Carolina Press, Chapel Hill andLondon, 467 P.

Garflnke, S.L., 1ss4' Nobody Fucks with the DMV, Wircd,2(021:a7-7 2 7 .

GIS World, 1993. Business Geographics Growth Leads GIS Market,GIS World, October, P. 11'

Gootee, fane M., 1990. Aerial Searches: A Defendent's Perspective-Dow Chemical v. United States, Eorth Obsewation Systems: Le-gal Considerations for the '90's, American Society for Photo-

lrammetry and Remote Sensing and American Bar Association'Bethesda, pp. a2-86.

Graham, fonathan P., 1s87. Privacy, Computers, and the CommercialDissemination of Personal Information, Texas Law Review, lune,pp .1395-1439.

Harris and Associates, 7989. The Road After 1989: "A NationwideSurvev of the Public and its Leaders on the New Technologyand lis ionsequences fot American Life," as reported in Berman

and coldman (1989).

Kusserow, Richard F., 1984. The Government Needs Computer -Matching to Root Out Waste and Fraud, Communications of theACM, 27(6):542-545.

Levinson, Sanford, 1988. Public Lives and the Limits to Privacv. Po-litical Science and Politics, 27(2):263-28O

Lopez, Xavier, 1994. Balancing Information Privacy with Efficiencyand Open Access, Government Information Quarterly, 11(3):255-260.

Madsen, Wayne, 1992. Handbook of Personal Data Protection, Stock-lon Press, New York.

Mclean, Deckle, 1993. Privacy Gaining Heft as an FOIA Exemption,Communications and the Law, 75(7)i2546.

Melucci, John A., 1993. "Using License Plate Surveys to Define Re-tail Trade Patterns, GIS in Business '93, GIS World, Boston, 1:739-742.

Miller, M.W., 1991. Lotus Is Likely to Abandon Consumer Data Pro-ject, Wall Street lournal,23 lanuary, p. 81.

Nelson, Dawn D., 1987. Record Linkage v. Confidentiality from thePerspective of the U.S. Bureau of Census, Protection of Privacy,Automatic Data Processing and Progrcss in Statistical Documen-fdtion, Eurostat: Statistical Office of the European Communities,OfEce of Offrcial Publications of the European Communities,Brussels, pp. 325-336.

Organisation for Economic Cooperation and Development, 1980.OECD Guidelines on the Protection of Privacv and TransborderFIow ol Personal Data, OECD, Paris.

Onsrud, H.I., 1992a. In Support of Open Access for Publicly HeldGeographic Information, GIS Law, 1(1):3-6.

1992b. In Support of Cost Recovery for Publicly Held Geo-graphic Information, GIS Law, 7(2):1-7.

1993. GIS and Privacy, GIS/LIS'9J, Minneapolis, Minnesota.Pearson, Hilary E., 1991. Data Protection in Europe, The Computer

Lawyer, 8(8):2a.Parker, D.8., S. Swope, and B.N. Baker, 1990. Ethical Conflicts in In-

formation and Computer Science, Technology, and Business,QED Information Sciences, Inc., Wellesley, Massachusetts.

Post, G., and f.D. Mclaughlin, 1993. Developing the Spatial Informa-tion Marketplace: A Canadian Case Study, Dilfusion and Use ofGeographic Information Technologies (I. Masser and H. Onsrud,editors), Kluwer Academic Publishers, Dordrecht, The Nether-lands, pp. 277-292.

Post, R.C., 1989. The Social Foundations of Privacy: Community andSelf in the Common Law Tort, Califotnia Law Review,77(5):95 7-1 01 0.

Potvin, Louise, 1991. Pdvacy in the Information Age: What Corpora-tions Need to Know, Government Information Quarterly, S(7):95-99.

Prosser, William L., 1960. Privacy, California Law Review, a8(3):383-423.

Reidenberg, I.R., 1992. Privacy in the Information Economy: A For-tress or Frontier for Individual Rights? Federal CommunicationsLaw Journal, 44(2):795-243.

Reitman, Valerie, 1991. Firms scrap plans to sell database with per-sonal details on consumers, The Philadelphia Inquirer,24 fanu-ary, p. 1.

Rosenbaum, 1.1., 7992. The European Commission's Draft Directiveon Data Protection. lurimetrics fournal, 33:7-72.

Rotenburg, Marc, 1991. In Support ofa Data Protection Board in theUnited States, Governme nt I nformation Quarterly, S(1 ) : 79.

1993. Communications Privacy: Implications for Network De-sign, Communications of the ACM,36(8):61.

Rothfeder, Jeffrey, 1992. Privacy for Sale: How Computerization HasMade Everyone's Private Life an Open Secret, Simon and Schus-ter, New York, ZtB p.

Rubin, Michael Rogers, 7988. Private Rights, Public Wrongs: TheComputer and Personal Privacy, Ablex Publishing Corporation,Norwood, New Jersey

Schwartz, John, 1991. How did they get my name? Newsweek,3June, pp. 40-42.

1Ogrt

Simitis, Spiros, 1987. Reviewing Privacy in an Information Society,University of Pennsylvania Law Review, 135(3'):7O7-746.

Smith, Henry fefferson, \99O. Managing Information: A Study of Per-sonal Information Privacy, doctoral dissertation (D.B.A.), Har-vard University Business School.

Smith, Robert Ellis, 1992. About Privacy, Compilation of State andFederal Privacy Laws, Privacy Journal, Providence, pp. 5-6.

Trubow, G.B., 1989. Watching the Watchers: The Coordination ofFederal Privacy Policy, The Benton Foundation, Washington,D.C.

-1990. Protecting Informational Privacy in the Information So-ciety, Nortiern lllinois U niversity law Review, 7O:52t-542.

1992. The EuroDean Harmonization of DAta Protection LawsThreatens U.S. Participation in Trans Border DAta Flow, Nowti-western lournal of International Law and Business, 13:159-176.

Tuerkheimer, Frank M. 1993. The Underpinnings of Privacy Protec-tion, Communications of the ACM,36(8):69-73.

Wacks, Raymond, 1989. Personol Information, Clarendon Press, Ox-ford.

Warren, S.D., and L. Brandeis, 1890. The Right to Privacy, Harvardlnw Review, 4(5):193-220.

Appendix0ther Cited Documents, Statutes, and Cas€s.Cable Communications Policv Act of 1984. Pub. L. No. 98-

549, 98 stat.2779 (rSA+lComputer Matching and Privacy Protection Act of 1988, Pub.

L. No. 100-503, 102 Stat. 2507 (1988), Pub. L. No. 101-56, 103 Stat. 149 (1989), Pub. L. No. 101-508, 104 Stat.1388-334 (1990)

Dow Chemical v. U.S., 1986. 536 FSupp 135s (EDMI 1982)rev'd 749 Fzd 307, Affld 476 rJ.S. 227, 106 SCt 1819, 90LEd 2d 226 (1e86).

Electronic Communications Privacy Act of 1986, Pub, L. No.99- 508, 100 Stat. 1B4B (1986).

Electronic Fund Transfer Act. Pub. L. No. 95-630. 92 Stat.3728 (1578), Pub. L. No. 97-375,96 Stat. 182s (1.582),Pub. L. No. 101-703, 103 Stat. 440 (7989), Pub. L, No.] .02-242,105 Stat . 2301 (1991).

Fair Credit Reporting Act, Pub. L. No. 91-508, 84 Stat. 1128(1.970), Pub. L. No. 95-598, 92 Stat. 2676 (7s78), Pub. L.No. 101-73, 103 Stat . 439 (198s) , Pub. L. No.1.O2-242,105 Stat. 2300 (1991), Pub. L. No. 102-537, 106 Stat.3531 (1992), Pub. L. No. 102-550, 106 Stat. 4OB2 (1992).

Family Educational Rights and Privacy Act of 1924, Pub. L.No. 93-380, BB Stat. 571, (1,974.

Federal Trade Commission v. American Tobacco Co.,264u.s. 298,44 s. Ct . 336, 68 L. Ed. 696.

Freedom of Information Act, Pub. L. No. 89-482, 80 Stat. 250(1966), Pub. L. No. 90-23, 81 Stat. s4 (1962), pub. L. No.93- 502, 88 Stat. 1561 (1974), Pub. L. No. 99-570, 100Stat. 3204-48 (1e86).

IITF Gopher/Bulletin Board System | 202-501.-L920,iitf.doc.gov (Iune 1994)

Industrial Foundation of the South v. Texas Indus. Acc. Bd.,Tex., 540 S.W.2d 668, 679.

Information Policy Online. (iia.ipoephis.com) 1.2 (April1994): item 3.

Paul v. Davis (rgzo) 424 U.S. 693.Privacy Act of 1974, Pub. L. No. 93-579, 88 Stat. 1896

(1974), Pub. L. No. 94-394, 90 Stat. 119s (1926), pub. L.No. 95-38, 91 Stat. 779 (1577), Pub. L. No. 100-503, 102Stat. 25L3 (1988).

Privacy and 1984: Public Opinions on Privacy issues, Hear-ings Before a Subcommittee of the House Committee on

Government Operations, g8th Congress, 1st sess. 16(1e84).

Privacy Protection Act of 1980, Pub. L. No. 96-440, 94 Stat.1B7S-1883 (1990).

Privacy Protection for Rape Victims Act of 1978, Pub. L. No.95- 540, 92 stat. 2046 (1,578).

Right to Financial Privacy Act of 1978, Pub. L. No. 95-630,92 Stat. 3697 {1978), Pub. L. No. 96-3, 93 Stat. s (1s78),Pub. L. No. 96-443, 94 Stat. 1855 (1980), Pub. L. No. 97-320. 96 Stat.7527 (l'sqz), Pub. L. No. 98-21, 97 Stat. 83(1s83), Pub. L. No. ee-569, 100 Stat. 397 (1986), Pub' L'No. 99-570, 100 Stat, 3207- 22 (ISBG), Pub' L. No. 100-

690, 102 Stat. 4357 (1988), Pub' L' No. 101-73, 103 Stat'438, 496, 4s7,4gB (1S89), Pub. L. No. 101- 647' 7O4Stat. 4791 (1990), Pub' L. No' 't"O2-242' 105 Stat. 2375(1991), Pub. L. No. 102-550, 106 Stat. a059 (1992)' Pub.L. No. 102-568, 106 stat .4342 (1992) '

Shorter v. Retail Credit Co., D.C.S.C.' 251 F. Supp. 329' 330'Telephone Consumer Protection Act of 1991, Pub. L. No.

LOZ-Z+3,105 Stat. 2394 (1991), Pub' L' No' 102-556' 106Stat. 4186 (1s91).

Video Privacy Protection Act of 1988, Pub. L. No. 100-618'102 Stat .3195 (1988).

GIS/LIS '93Technical Papers

Proceedings of GIS/LIS '93 held in Minneapolis, Minnesota, 31 October - 4 November 1993.Sponsored by ASPRS, ACSM, AAG, URISA, and AM/FM International.

This 2 volume set provides an overview of the state-of-the-art in GIS and facilities/land usemanagement technologies. These volumes will be an invaluable resource to all those interested in GIS.

Topics included in Volume 1

Combining Positional and Attribute UncertaintyUsing Fuzzy Expectation in a GISApplying GIS to Hazardous Waste Site Selection:A Case Study of South CarolinaSpatial Analysis for Accident and EmergencyServicesAnalyzing and Generalizing TemporalGeograph ic InformationThe Shift Toward Digital GeographicInformation for Air Combat OperationsData Capture with GPS for Sewer Map UpdatesGIS in Wilderness Search and Rescue

Topics included in Volume 2

Geographic Information Systems as a Tool forIntegrated Air Dispersion ModelingGIS and PrivacyDesign and Implementation Issues ofCartographic Expert Systems in GIS ApplicationsGenerating Referenced Digital Mosaics fromAerial Videography with Parallel ProcessingCharacteristics of the 1993 GIS IndustryUsing GPS in Locating Soil Boring Holes forTransportation Proj ectsThe Representation of Time on USGS Maps

ao

ao

aa

tgg3. Two volumes. 864 pp. $75 6oficover); ASPRS Members $ 45. Stock # 4631.

For ordering information' see the ASPRS store in this journal.