Economic and social issues, together with technological advances, have resulted in an erosion of the confidential relationship traditionally existing between patient and health care professional. The proliferation of health insurance programs has been accompanied by an ever increasing number of requests for information from patient health records in substantiating claims for payment. At the same time, a growing emphasis on accountability has resulted in further demands for patient health information for medical care evaluation, including utilization review, which has caused a tremendous growth in the number of automated data storage and retieval systems for information manage

ment.

The primary purpose of the medical record is to document the course of the patient's health care and to provide a medium of communication among direct care professionals for current and future patient care. Unless the patient can feel assured that the highly sensitive and personal information he shares with health care professionals will remain confidential, he may withhold information critical to his treatment, thereby diminishing the quality of the care provided him.

The American Medical Record Association (AMRA)

recognizes the need for patient health information in providing a sound basis both for substantiating claims and for conducting medical care evaluation. Through this statement, however, AMRA reaffirms the patient's right to privacy in relation to his medical record. While the patient does not have the property right to his record, he does have the protected right of information. Therefore, subject to applicable legal provisions, release of any individually-identifiable medical information for any purpose other than patient care must be done only with the express informed authorization of the patient or his legal agent.

With respect to this right of privacy, AMRA endorses the development of legislative and regulatory activities to: (1) protect the patient from invasion of privacy as a result of indiscriminate and unauthorized access to confidential health information and (2) assure appropriate usage of medical information once it is disseminated by authorized persons.

Further, AMRA recommends greater emphasis on. the patient's right to privacy by health care institutions throuhg the establishment of written policies for the release of informaiton, together with active educational programs for all staff personnel to enforce these policies.

As day-to-day guardians of large volumes of personalized information both in automated and manual systems, we in state and local government feel that a great measure of responsibility for the protection of this kind of information rests with us. As operators of government information centers we believe that we stand in a position where we can be useful in the design and implementation of procedures for the protection of the privacy of personal information.

To this end, two organizations representing all 50 states and many municipal governments have been studying the problem of legislation in this area. They are NASIS (National Association of State Information Systems and G-MIS (Government Management Information Sciences). Their work was based on research

done for the SAFE (Secure and Automated Facility Environment) in the State of Illinois. The fruits of this effort are now being realized. It is model legislation for state governments covering the regulation of personal information in the possession of the states. With this document we believe that we have come a long way towards a practical means of dealing with the problems of privacy and towards protection of the individual. We have also addressed the management and regulatory needs of government data centers.

The significant features of this legislation are:

1. It regulates any personal data, not just data in automated systems. It applies only to data in the possession of state and local governments, but can be expanded to cover the private sector as well.

3. It creates a regulatory body, an Information Prac tices Board with a staff. The duties of the Board include the promulgation of administrative regulation for or ganizations which own personal data to insure security and confidentiality of data. The Board also would conduct investigations of questions which arise concerning the law and regulations and lend flexibility in situa tions where strict adherence may not be merited. It would hear appeals on decisions regarding privacy by state and local agencies and data processing authorities 4. It gives the Board the power to establish local boards to regulate data at that level.

Those interested in obtaining a copy of the finished document may write to:

G-MIS

138 E. Court St. Cincinnati, Ohio 45202.

To my knowledge at the present there are only two universities in this nation which currently have courses on the subject of "Privacy and Security in Computer Systems." I want to thank you in helping me to plan teaching a course on this subject. The many conflicting and cooperative viewpoints represented here at this conference have been most valuable.

In the following few minutes I would like to share with you several ideas which have not been mentioned and which merit consideration. The first of these is the notion of "information flashpoint." It is clear that the advent of large-scale computer systems results in a larger quantity of information available. However, as computer networks, and especially, information processing utilities come of age there is a possibility of qualitative changes in the information as files become merged or easily accessible from a terminal. For example, when we bring together unclassified files containing codes and data and a simple algorithm for analysis it is often possible for that information then to become classified in nature.

A second item which computer scientists, managers, and public policymakers would do well to guard against woud be the growing trend of what might be termed "information pollution." If we do not take measures to constantly eliminate what is not needed in files then we will have information systems so cluttered with meaningless or irrelevant data that the information which is required will be buried and less usable. Insuring the clarity and accuracy of information is also related to this notion of information pollution.

Thirdly, we might begin to look at an individual's personal space as being extended by and related to his information space. Before the advent of large information files a person's private space was pretty much equivalent to his home and place of work. When we increase the information available about a person we increase what we might term his "information space," which is to say, that his personal identity in an information sense has been increased and even redefined.

In closing, I would like to share with you the words of a Chinese sage named Lao Tse, who lived in fourth century B.C. China. In his "Treatise on Response and Retribution," he wrote:

"If a man's heart be awakened to the good, though the good be not yet accomplished, good spirits are already following him.

If a man's heart be awakened to evil, though evil be not yet accomplished, evil spirits are already following him.”

Translating this advice into the present computer age, this is to state that we have a need for men and women of good intent in the design, maintenance, and updating of information files, manual or computerized. Let us remember that the information files which we are creating and maintaining are about real people whom we have in many cases not met and never w meet. Nonetheless, we are continually defining and extending the information space about these people

I have heard no evidence presented that indicates that the use of automated personal data systems has created increased invasions of privacy or breaches of confidentiality. In fact, some speakers have stated that no such evidence exists. We have heard only that there is a "fear" that such may be the case.

Based upon this unsubstantiated fear, it appears that we are considering legislation that will force registration and perhaps monitoring of automated personal data systems.

It does not appear that the end justifies the means. It appears that we are placing a financial burden on the taxpayer and the businessman simply because we are afraid something might happen.

Furthermore, periodic reporting of the existence of an automated data file will not accomplish any practi cal purpose. Flooding a newspaper with 15 or 20 million data file announcements a year will not increase anyone's awareness of who has a file on him. Who has time to read the announcements or to investigate them?

Existence announcements or registration will no more prevent data misuse than registration of automobiles has prevented their misuse. In fact, such registration laws:

1. Are impractical and unenforceable on a broad scale. Therefore they are unwise, because impractical and unenforceable laws weaken respect for all law.

2. Penalize automated data file owners for what they can do, not for what they do. There is no evidence to suggest that such presumption of guilt is justified.

3. Make it possible for the government (since only it has the massive resources required) to create a complete central file on all citizens. Thus, registration would increase the potential for reducing individual

The views expressed are those of the author and not necessarily those of BAI or the banking industry.

privacy. There is no demonstrated need for such government power and I object to making such power possible "in the name of protection of privacy."

Several speakers have voiced the idea that "the individual owns data about himself." I believe this is a fallacious and unusable concept.

I can create all kinds of information about an individual, based on my own observation. He does not own this information. It is mine. If I use it to harm him, then I alone am responsible and he should have a ready and rapid method of redress. But he does not own the information any more than he owns the picture that I may take of him. Information belongs to the creator or the collector and he alone must be held responsible for its accuracy and its use.

The way to protect privacy and confidentiality is to improve the procedures of redress, not to attempt to monitor or control every personal data file at a governmental level.

I think that we should improve redress procedures. We should make it easier to trace erroneous data to its source. We should increase the personal data file owners' awareness of their responsibility. But the rules should apply to all personal data, whether automated or non-automated. With the development of mini-computers, automated personal data files will soon include Christmas card lists, YMCA swimming teams and the neighborhood Fourth-of-July picnic list. No practical purpose would be served by requiring public notification that such files were being set up.

Finally, we may find that a public notice requirement will grow into a requirement for licensing, and that licensing will pave the way for data file taxation. Should we start down such a pathway in the absence of any evidence that the misuse of data is growing? Perhaps misuse is diminishing because of automation. Let's get some facts, let's not legislate out of fear.

The supposed cure may be worse than the presumed illness.

When one discusses computer security, data confi. dentiality and privacy, there should be a general awareness that these items operate within a system of interacting elements. As a consequence, one should anticipate how the implementation of controls on any one. element of the system affects the remaining elements. For instance, there has been considerable time spent at this conference in order to describe the problems and useful solutions for the major elements involved; that is, for computer system hardware manufacturers, software generators, service centers and their users. We have not, however, given equal emphasis to probably the most important element of the system; that is, the individuals on whom the data is collected especially when they become an active part of the system per se and query agencies, organizations, etc., to find out not only what files there is data on them but also the information content of such files. The enormity of problems that could result in both administrative and dollar requirements should be clearly understood before there. is a broad institution of search and query by the general public. This is necessary in order to provide an adequate system to handle inquiries that could result.

For instance, let us hypothesize that 2 percent of the population suddenly makes inquiries and each inquiry takes 10 minutes to process fully (i.e., search files, make computer runs, prepare correspondence, etc.).

Letting E-Man-years of effort required to process inquiries by individuals with respect to what data in what files effects them

But suppose that instead of 2 percent of the population, 10 percent of the population, i.e., 20 million, are interested in making an inquiry, then:

E=333X5=1,665 man-years.

Furthermore, suppose that 10 minutes to process inquiries is too conservative, instead it takes 60 minutes; so that: E=333X5X6=10,000 man-years.

If this workload of required effort was distributed say to 50 locations, one for approximately each state, then the Effort (E) required at each location might be:

The 10,000 man-years of effort required at a central location or the 200 man-years at each of 50 locations are just possible estimates for initial requests. One can assign his own cost factor and calculate the dollar value for the man-years estimated. In addition, one should consider that there are always follow-up requests, reprogramming of computer software instruction, lengthier searches, etc., and as a result the estimates could be changed depending on what percent factor is used to estimate the effect of such action.

Again, the purpose of the above is not to down play the rights of an individual with respect to information privacy and confidentiality but to make us aware of the impact!

There are solutions. Some are extreme, like purging every file and starting all over with affidavits showing an individual's condescendence to have files structured with data specifically on him. A less extreme situation could be the structuring of particular data inventories similar to that used by the Civil Service in their Execu tive Inventory files.

In summary, before any laws are enacted, the preceding calculations seem to indicate that in depth consitderation should be given to coping with the adminis trative burdens that could be created in order to carry out the law. They could be horrendous. Thank you.

Ladies and Gentlemen: This marks the conclusion of a two-part series of Conferences which started last November. We sponsored these Conferences as part of our assigned task of resolving some of the problems of data confidentiality and computer security. We have taken this responsibility rather seriously, as have you. There has been, for example, a total attendance of around 850 between the two Conferences; this indicates widespread interest and concern for the "Privacy" issue.

We very definitely intend to carry out what we promised at the first Conference. As you remember, the first Conference was aimed principally at identifying the needs and the problems of government in assuring the confidentiality of data in automated systems. We have already published a summary of that Conference which has been distributed to all attendees and is available to everyone as an NBS publication. We have attempted to use the second Conference as a return engagement platform for anybody-any organization or any individual-who wanted to provide views on actions that might be taken. We have representatives here these last two days from Congress, from State legislative bodies, from professional associations and societies, from the legal community, from trade associations, individual computer and consulting companies and, of course, a number of private individuals. We are going to publish all papers presented at this Conference.

We also promised that we would make sure that all actions, recommendations, views and concensuses that were generated from these two Conferences would get into the hands of the people who were making or influencing policy. We believed, and you verified it, that this included Congress, the Executive Branch of the Government, the court system, State and local governments, and the computer industry as well as related industries. We intend to do as we promised. For example, a letter has been prepared for Vice President Ford, who has just been designated by the President to chair the Domestic Council Committee on Privacy, which promises that the results of these two Conferences will be given to him within ten days. We will also convey this information to the Congressional committees that are holding hearings. You will recall that one of the comments made here today was the lack of good technical input to these hearings. We want to begin to remedy this by providing the best of what was said at these Conferences and any arrived-at con

sensus.

In this regard, I really have been very much encouraged by the kinds of statements made today by representatives of institutions in our society, such as the American Medical Records Association, American Hospital Association, the Bank Administration Institute, MIT, Harvard, and some government agencies.

This is an excellent way to get your opinions known; and, we're delighted to make them available to people who will make use of them.

Where we have specific responsibilities and authorities in the Department of Commerce, it's even easier to carry out our commitments to you. Let me remind you of some of these responsibilities. We have the responsibility for developing standards which impinge on all Federal information processing activities. These standards are mandatory and can provide a tremendous leverage for action since the Federal Government is still the single largest computer customer in the country and has the responsibility for protecting the public's rights, such as privacy. We also have the responsibility within the Government for marshalling and monitoring the Federal Government's activities in the voluntary standards efforts sponsored within the private sector. We must assess the adequacy of Federal R&D in computer sciences and technology including Federal R&D in computer security and privacy. We have the responsibility for providing to GSA and OMB the technical basis for their policies on computer utilization. The Secretary of Commerce, for example, is offering the same assistance to Vice President Ford and his Committee on Privacy. Being in the Department of Commerce, we serve as a liaison with industry and have the responsibility, as related to computers, for providing the proper environment for commerce and industry.

We do not have major responsibilities in the privacy area other than influencing what's done in making privacy policy and in making sure that we don't trip ourselves up as we try to adhere simultaneously to the need for privacy, freedom of information and integrity of information.

These Conferences have suggested a wide spectrum of actions to ease the problems of data confidentiality and computer security. Some of them we can do ourselves and some we're going to recommend be done by other authorities. The spectrum is too broad to do any thing at this time except give you a few examples.

It looks as if it is going to be just as important as we had initially thought to get cohesiveness in the legis lative and judicial comments concerned with uniform State laws to get some uniformity in the State laws. We're also going to try to get better technical input to Congressional committees. Congressman Koch said it has become very clear that this needs to happen.

Another area, for example, that we have not touched on extensively but which has come up through default, is the education of everyone concerning privacy. We haven't really educated ourselves enough and certainly have not educated the public either. The American Civil Liberties Union has a publication and reports that come out on a regular basis on privacy. There is obviously a need for us in the Government to provide more