Currently Skimming:

4 Legal and Computer Science Approaches to Privacy
Pages 61-78

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 61...
... We then address the implications for federal statistical agencies, including the additional privacy and confidentiality laws that apply to statistical data, as well as the legal and policy issues that arise with linking records from different data sources. We continue discussion of privacy issues in the next chapter, expanding on the discussion in our first report on how federal statistical agencies can use security measures, computer science technologies, statistical methods, and administrative procedures to protect data and permit access for statistical purposes.
From page 62...
... They would argue that all information could be viewed as PII, and, as a consequence, threats to individual privacy are not adequately addressed by the PII/non-PII dichotomy. Moreover, computer scientists would argue that in a networked world, the protection of privacy will require mathematically rigorous notions that can be translated with algorithms into numerical outcomes.2 The core differences, and the source of much confusion, may be understood as the difference between the central place of PII in modern privacy law and the ability of modern computer science to breach individual pri
1 See https://www.census.gov/programs-surveys/acs/about/is-my-privacy-protected.html [August 2017]
From page 63...
... In recent years, computer scientists have helped make clear that what may not appear to be PII is in fact PII when new techniques or additional data are considered.3 The current situation has led some experts to suggest that PII is no longer a workable category because PII and non-PII are no longer readily distinguished. But if the legal purpose of PII -- to assign rights and responsibilities in the collection and use of data -- is combined with the scientific ability to reveal the existence of individual privacy compromise when it is not obvious, then the better solution is to recognize that the legal definition of PII should include both data that are obviously PII and "latently PII," that is, data that can be transformed into PII or, more broadly, that enable individual privacy compromise.
From page 64...
... However, an important exception for records maintained by federal agencies is made for "statistical records." It is these records that are the focus of our discussion. The Privacy Act describes a statistical record as "a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual" (5 U.S.C.
From page 65...
... the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies; (2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information; (3)
From page 66...
... Prior to the enactment of the Privacy Act, there was a lengthy review of federal record-keeping systems that resulted in a major report.
From page 67...
... and how it is interpreted in practice, even among federal agencies. For example, the Family Educational Rights Privacy Act and the Health Insurance Portability and Accountability Act provide different approaches to protecting data and enabling statistical use by external researchers.
From page 68...
... One can call this the difference between an individual privacy breach and
From page 69...
... In contrast, however, if Bob -- who may or may not have been in the study -- publishes his genetic data, and the study allows one to infer that Bob is at increased risk of the illness, it would not be considered as an individual privacy breach for Bob.6 With the distinction between group privacy loss and individual privacy breach in mind, it is useful to consider such subjects as water salinity data, ice shelf measurements, and location of the jet stream, which do not appear to be about people at all or have any implications for individual privacy. In the legal view, these data are not PII.
From page 70...
... We close with a compelling example of the subtlety of the individual privacy breach determination: allele frequency statistics in genome wide association studies:7 A genome-wide association study is an approach that involves rapidly scanning markers across the complete sets of DNA, or genomes, of many people to find genetic variations associated with a particular disease. Once new genetic associations are identified, researchers can use the information to develop better strategies to detect, treat and prevent the disease.
From page 71...
... IMPLICATIONS FOR FEDERAL STATISTICAL AGENCIES
To this point in the chapter, we have contrasted legal and computer science definitions of PII and emphasized that the common legal interpretation of the PII status of data is not a simple, invariant function. Rather, the PII status of a record is a dynamic feature, not a static feature, of a record.
From page 72...
... In the next sections of this chapter, we examine other privacy and confidentiality laws that apply to statistical data, as well as the legal and policy issues that arise with linking records from different data sources.
RECOMMENDATION 4-1 Because linked datasets offer greater privacy threats than single datasets, federal statistical agencies should develop and implement strategies to safeguard privacy while increasing accessibility to linked datasets for statistical purposes.
From page 73...
... In addition to protecting PII, statistical agencies must protect identifiable information from businesses, schools, and health care providers, and many other organizations from which they collect or acquire data. Although the Privacy Act generally does not apply to these respondents, CIPSEA and the agency's organic statutes do apply and impose strict requirements on agencies to ensure that they do not disclose identifiable information (e.g., see U.S.
From page 74...
... The Computer Matching and Privacy Protection Act was enacted in 1988 as an amendment to the Privacy Act to create procedures to prevent any use of computer matching that could end program benefits without notifying individuals of the matching program or illegitimate uses of computer matching. Computer matching refers to the comparison of information that often includes PII data between two or more systems, which can be used between multiple agencies to ensure that federal ben
From page 75...
... New York City recently sought to delete data about New Yorkers that could be used to prosecute immigration cases.8 The requirements of the Computer Matching and Privacy Protection Act do not apply to all federal agencies; exemptions include statistical or research purposes, law enforcement investigation, and some tax-specific matching, so this does not directly affect statistical agencies. Statistical and research exemptions are provided in 5 U.S.
From page 76...
... For some surveys, including the National Health Interview Survey sponsored by the National Center for Health Statistics, interviewers ask respondents for explicit consent for record linkage. In contrast, the Survey of Income and Program Participation, sponsored by the Census Bureau, sends survey respondents an advance letter that states
9 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
From page 77...
... The Census Bureau has a provision in the Privacy Act that permits it to receive identifiable information from other agencies (5 USC Section 552a(b)
From page 78...
... This database was to be used for identity verification, not statistical purposes, but there may not be a clear delineation between the two purposes in public perception. If publicity about record linkage leads to greater public mistrust, that mistrust can carry over to other aspects of the federal statistical system.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.