United States Department of Commerce
THE INDIVIDUAL REFERENCE SERVICES GROUP
ON ELEMENTS OF EFFECTIVE SELF REGULATION
FOR THE PROTECTION OF PRIVACY
AND QUESTIONS RELATED TO ONLINE PRIVACY
Ronald L. Plesser
Emilio W. Cividanes
Piper & Marbury L.L.P.
1200 Nineteenth St., N.W.
Washington, D.C. 20036
Date: July 6, 1998
The Individual Reference Services Group (IRSG) welcomes this opportunity to respond to the request of the Department of Commerce (DOC) for public comment on industry efforts to establish self-regulatory regimes to ensure privacy online. Although the IRSG's self-regulatory regime does not apply exclusively—or even primarily—to the Internet, it does have growing implications for online privacy protection. Moreover, the IRSG's approach has been praised by many in this country and abroad as one of the better examples of self-regulation in the United States.
The IRSG is composed of leading companies in the business of providing information that assists users in identifying and locating individuals for a variety of beneficial purposes. The customers of IRSG members include law enforcement agents, the media, attorneys, and private investigators. They use the IRSG members' data for such purposes as: crime investigation, detection and prevention of fraud, the location of blood or organ donors, and the tracking down of non-custodial parents for child support arrearages. Both of the reports to Congress by the Federal Reserve Board in March 1997 and by the Federal Trade Commission (FTC) in December 1997 underscore the beneficial uses made of individual reference services. Additional discussion of these beneficial uses can be found in the IRSG December 1997 White Paper (www.irsg.org/html/white_paper.htm).
In close consultation with the FTC, the IRSG developed a comprehensive set of self-regulatory principles backed by audits and government enforcement. The IRSG members believe that these principles provide the most effective way to secure the benefits of these important information service resources while assuring effective protection of consumer privacy. The IRSG members have pledged to implement these principles fully by no later than December 31, 1998, and to have completed an assurance review of their compliance by March 15, 1999.
The signatories to the Principles are a diverse group of companies that include individual reference services companies as well as companies that supply information to such services. It was in recognition of the heightened interest in issues related to their services that the companies that comprise the IRSG came together to take a leadership role and develop self-regulatory principles. The Principles focus on non-public information and define a set of guidelines aimed at describing appropriate uses of such information. We define "non-public information" to mean information about an individual that is of a private nature and not generally available to the public nor obtained from a public record.
The Principles resulted from lengthy deliberations by companies with years of experience in these issues. We believe that these conscientious efforts are reflected in the final product. Companies that sign on to the IRSG principles commit—among other things—to:
· acquire individually identifiable information only from sources known as reputable,
· restrict their distribution of non-public information through safeguards appropriately calibrated to the type of use made of the information,
· educate the public about their database services, and
· furnish individuals with information contained in services and products that specifically identifies them, unless the information is publicly available or a matter of public record, in which case the companies will provide the individuals with guidance on how they can obtain the information from the original source.
A copy of the Principles, with a list of the signatory companies, is attached.
The IRSG principles are meaningful self-regulatory principles that the signatory companies agree to support as part of their operation practices. The principles are supported through three separate mechanisms. First, any signatory company may be responsible under existing federal and state law if the company fails to live up to these Principles.
Second, the signatories of these principles will require by contract that all companies buying non-public data from them for resale abide by the Principles. Non-complying companies risk losing access to the data. This is particularly significant in that it is estimated that 90% of all relevant information is possessed by IRSG signatories. With such a significant market presence, the IRSG has already been able within weeks, for example, to bring companies into compliance with the IRSG principle that prohibits the display in most instances of a subject's social security number.
Third, companies that are signatories to the Principles will be subject to annual outside assurance reviews by qualified independent professionals. The criteria that the reviewers will use are being developed by Price Waterhouse L.L.P. A summary of the assurance report will be made publicly available.
Since the announcement of the Principles, the IRSG has continued to take steps to ensure the realization of their goals. We believe these steps further demonstrate this industry's commitment to the principles. First, we have implemented an Internet Web site for the IRSG, which can be found at "www.irsg.org". The site serves as a central location for consumers to find a comprehensive description of the IRSG Principles and of the signatory companies. The site also provides user-friendly links to the information practice policies of each company. Second, the signatory companies are devoting considerable resources to reviewing their policies and products in order to comply with the Principles as agreed by December 31, 1998. For these companies, this is a significant undertaking.
The IRSG Principles and the "Principles of Fair Information Practices"
As shown below, the IRSG Principles respond to each of the elements that are listed in the staff discussion paper under the "principles of fair information practices."
IRSG PRINCIPLE DOC ELEMENT
IV (Public Record & Publicly
V (Distribution of Non-Public Information)
II (Reputable Sources)
V (Distribution of Non-Public Information)
XI (Assurance of Compliance)
The concept of proportionality guided the IRSG in developing its principles. The IRSG believes that privacy protection mechanisms should be commensurate to the harm that can arise from use of that information. Privacy practices should be determined by a consideration of the potential benefits, the possibility for harm, and the burden of compliance for each practice. Because the IRSG was guided by this notion of proportionality in developing its principles, the IRSG's response to some of the elements differs from the definition that the DOC uses for these elements.
An example of proportionality can be seen in the IRSG's approach to the DOC element of consumer access. The IRSG principles require an individual reference service to provide information about the nature of public record and publicly available information that it makes available in its products and services and the sources of such information. Subject to limited legal and security exceptions, the companies will make available to individuals, upon request and under reasonable conditions, non-public information contained in products or services that specifically identifies them and that is distributed as part of an individual reference service to users.
The FTC disagrees with the IRSG's approach to responding to requests by individuals for public record information about themselves contained in a company's databases. Where the requested information is publicly available or a matter of public record, the principles allow the individual reference service to provide guidance on how the requester can obtain the information directly from the source. The FTC proposes that companies furnish individuals with all public record and publicly available information about themselves contained in the companies' databases in order to address two accuracy-related issues: first, the possibility that errors might arise in the transmission of information from the source to the company's database; and second, the possibility that information about different individuals might be mistakenly linked in compilations about a single individual.
The signatories of the IRSG principles understand the public's interest in enabling individuals to verify that errors do not occur when public record and publicly available information is transmitted or compiled about them. However, technological advancements have eliminated the need for most companies to keystroke or otherwise manually input this type of information, thereby significantly reducing the possibility for error. This, the signatories believe, when coupled with quality assurance measures implemented by the industry, yields information that reliably reflects the data provided by the originating public record source.
Moreover, there is an enormous potential burden associated with retrieving and verifying relevant information from the large number of databases of public records. This contrasts with the modest burden associated with retrieving information about an individual from the far smaller number of databases of non-public information. It should also be noted that many of the potential harms that might befall an individual whose public record information is inaccurate are already addressed by existing laws, including the Fair Credit Reporting Act.
Nevertheless, the signatories have pledged to reexamine, in 18 months from the announcement of the principles, the issue of responding to requests by individuals for public record information about themselves.
In addition, the experience of applying these principles and conducting the assurance reviews will shed further light on the accuracy issue to the extent to which any inaccuracies might be derived from transmission or compilation errors that may occur under the control of an individual reference service. Based upon this experience over the 18-month period, the signatories will collectively or individually carefully consider undertaking a study to assess the accuracy of information about individuals in their databases as a reflection of the information about such individuals provided by the originating public record source.
The staff discussion paper implies that a consumer recourse mechanism is necessary to ensure that companies are held accountable for complying with any self-regulatory regime they adopt. Consumer recourse is, however, but one of a range of methods of enforcement against a company that lacks sufficient data protection practices. Voluntary submission to governmental regulation, ethics peer review of information practices, and the need to respond to market forces are among many other factors that generate compliance.
The signatories of the IRSG principles have adopted a very effective approach that nevertheless does not contain a consumer recourse mechanism. Specifically, the signatory companies have adopted a verification approach that will result in data suppliers cutting off non-complying companies from access to the data and will subject every signatory company to a governmental enforcement regime.
The verification will be accomplished by annual assurance reviews conducted of those services that the signatories offer and identify as being subject to the principles. These reviews will be conducted by qualified independent professional services such as accounting firms, law firms, or security consultants. These independent professional services will use criteria developed by assurance professionals and approved by the signers as a group. As experience and changing circumstances require changes in the principles or in the criteria used for assurance reviews, the approval of the signers as a group will be needed to adopt such changes.
Companies will have a reasonable opportunity, determined by the nature of the concern and circumstances that surround it, to respond to any concerns that are expressed in such assurance reviews. Because individual reference services that obtain non-public information from IRSG members will be required by contract to abide by the principles, they, too, will need to have assurance reviews conducted annually.
While a summary of each assurance report shall be made publicly available, the signatories of these principles are exploring additional means of enabling the public to identify individual reference services that are in compliance with these principles.
By voluntarily and publicly self-certifying their adoption of specific information practices, companies submit themselves to a governmental enforcement regime. Any signatory company may be responsible under existing federal and state law if the company fails to live up to these Principles.
The IRSG adopted this approach to enforcement for several reasons. First, it provides a mechanism whereby data suppliers can verify that their customers are reselling the data appropriately and, if not, can bring individual reference service companies into compliance without delay by threatening to cut off their access to data. Second, this same mechanism enables governmental entities to determine whether companies are failing to comply with specific practices that they hold themselves out as following.
Finally, this approach recognizes the fact that consumers do not have a direct relationship with the signatory companies and, indeed, usually are unaware when information about them has been reviewed by a customer of an individual reference service company. Consequently, the IRSG concluded that an enforcement mechanism whereby consumer complaints are the linchpin to consumer redress would be a very ineffective means of assuring compliance with the IRSG Principles. Moreover, for those most sensitive of areas involving transfers and uses of information—for example, to determine eligibility for employment, insurance, or consumer credit—existing laws such as the Fair Credit Reporting Act already provide mechanisms for consumer redress.
In short, without meeting every element of the staff discussion paper's approach to enforcement, the IRSG's approach to enforcement assures compliance with the IRSG principles and holds companies accountable for complying with their privacy policies.
The IRSG principles provide the most effective way to secure the benefits of these important information service resources while assuring effective protection of consumer privacy. Guided by the notion that privacy protection mechanisms should be commensurate to the harm that can arise from use of that information, and by a commitment to accountability and enforcement, the IRSG principles demonstrate that effective privacy protection can be achieved without meeting every element of the DOC's staff discussion paper.