KDD Nugget 94:11, e-mailed 94-06-01 Contents: * G. Piatetsky-Shapiro: Correction: AT&T Calling Card does not use neural networks. But others do. * G. Piatetsky-Shapiro: NII Privacy Principles and comments The KDD Nuggets is a moderated list for the exchange of information relevant to Knowledge Discovery in Databases (KDD, also known as Data, e.g. application descriptions, conference announcements, tool reviews, information requests, interesting ideas, clever opinions, etc. It has been coming out about every two-three weeks, depending on the quantity and urgency of the material. Back issues, FAQ, and other KDD-related information are now available via Mosaic, URL http://info.gte.com/~kdd/ or by anonymous ftp to ftp.gte.com, cd /pub/kdd, get README If you have something relevant to KDD, send it to kdd@gte.com ; Add/delete requests to kdd-request@gte.com -- Gregory Piatetsky-Shapiro (moderator) ********************* Official disclaimer *********************************** * All opinions expressed herein are those of the writers (or the moderator) * * and not necessarily of their respective employers (or GTE Laboratories) * ***************************************************************************** ~~~~~~~~~~~~ Quotable Quote ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Everybody gets so much information all day long that they lose their common sense. Gertrude Stein ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Date: Wed, 1 June 94 From: gps@gte.com (Gregory Piatetsky-Shapiro) Subject: Correction: AT&T Calling Card does not use neural networks. My earlier posting in KDD Nuggets 94:10 stating that "AT&T Corporate Calling Cards apparently uses Falcon neural network package for fraud detection" was incorrect!. Thanks to Ron Brachman (AT&T) for informing me that AT&T Calling Card people are not using Falcon. However, Falcon was purchased by AT&T Universal Card unit, although we do not know how are actively they are using it. AT&T Universal Card is a combination credit and calling card. Also, according to AI Expert (June 1994) HNC Inc. (San Diego, Calif), reported that in 1993 Falcon credit-card fraud detection system saw its usage increase from 3 million credit card accounts to over 50 million accounts. Falcon clients, in addition to AT&T Universal Card, include Colonial National Bank, Eurocard Nederland, First USA Bank, Household Credit Services, and Wells Fargo Bank. HNC estimates that Falcon saved these clients approximately $50 m in fraud losses. ------------------------------------ Date: Wed, 1 June 94 From: gps@gte.com (Gregory Piatetsky-Shapiro) Subject: NII Privacy Principles and questions -- comment by June 13. Thanks to Robert R. Jueneman, GTE Laboratories, for posting this document and bringing it to my attention. The official comment period on this document will close on June 13, 1994. Electronic comments may be sent to nii@ntia.doc.gov. If you do have any comments, please send them also to kdd@gte.com and I will summarize the discussion, if any. These principles are clearly relevant to any mining of commercial databases. They seem to inhibit some types of discovery, specifically that aimed at individuals. It is not clear however what these principles say about the discovery of aggregate rules. ================================================= The following file is posted at the request of the Information Infrastructure Task Force's Privacy Working Group, chaired by Robert Veeder, Office of Management and Budget ************************************************************ Request for Comments on the draft Principles for Providing and Using Personal Information and their Commentary. The draft Principles for Providing and Using Personal Information and the associated Commentary are the first work product of the Information Infrastructure Task Force's Working Group on Privacy. They are intended to update the Code of Fair Information Practices that was developed in the early 1970s. While many of the Code's principles are still valid, the Code itself was developed in an era when paper records were the norm. The advent of the National Information Infrastructure has caused two things to change dramatically. No longer is information usage bound by the limitations of paper -- the seamless web of networks linking us to each other is creating an interactive environment in which all of the participants must share certain responsibilities. Moreover, non-governmental usage rivals the government's, and is largely unregulated. The following Principles were developed with the goal of providing guidance to all participants in this new interactive world. The Working Group recognizes that the Principles cannot apply uniformly to all sectors. They must be carefully adapted to specific circumstances. Nevertheless, the developers believe that the responsibilities and relationships the Principles describe are basic ones. As such, they are intended to assist legislators, regulators, and companies as they develop codes of practice. The Working Group invites public comment on the Principles and Commentary. We are especially interested in understanding how the Principles would work in this new interactive electronic environment and particularly in non- governmental settings. Are they workable? How, if at all, should they be changed? We hope that those who obtain the Principles for review and comment will also share them as widely as possible with others who might be interested in them. The Comment period will close on June 13, 1994. Comments should be sent to the Working Group on Privacy c/o the NII Secretariat, National Telecommunications and Information Administration, US Department of Commerce, Room 4892, Washington, D.C. 20230. The Principles and Commentary can be downloaded from the IITF Gopher/Bulletin Board System: 202-501- 1920. The IITF Gopher/Bulletin Board can be accessed through the Internet by pointing your Gopher Client to iitf.doc.gov or by telnet to iitf.doc.gov and login as gopher. Electronic comments may be sent to nii@ntia.doc.gov. ***************************************************************** DRAFT: April 21, 1994 Principles for Providing and Using Personal Information Preamble The United States is committed to building a National Information Infrastructure (NII) to meet the information needs of its citizens. This infrastructure, essentially created by advances in technology, is expanding the level of interactivity, enhancing communication, and allowing easier access to services. As a result, many more users are discovering new, previously unimagined uses for personal information. In this environment, we are challenged to develop new principles to guide participants in the NII in the fair use of personal information. Traditional fair information practices, developed in the age of paper records, must be adapted to this new environment where information and communications are sent and received over networks on which users have very different capabilities, objectives and perspectives. Specifically, new principles must acknowledge that all members of our society (government, industry, and individual citizens), share responsibility for ensuring the fair treatment of individuals in the use of personal information, whether in paper or electronic form. Moreover, the principles should recognize that the interactive nature of the NII will empower individuals to participate in protecting information about themselves. The new principles should also make it clear that this is an active responsibility requiring openness about the process, a commitment to fairness and accountability, and continued attention to security. Finally, principles must recognize the need to educate all participants about the new information infrastructure and how it will affect their lives. These "Principles for Providing and Using Personal Information" recognize the changing roles of government and industry in information collection and use. Thus they are intended to be equally applicable to public and private entities that collect and use personal information. However, these Principles are not intended to address all information uses and protection concerns for each segment of the economy or function of government. Rather, they should provide the framework from which specialized principles can be developed. I. General Principles for the National Information Infrastructure A. Information Privacy Principle 1. Individuals are entitled to a reasonable expectation of information privacy. B. Information Integrity Principles Participants in the NII rely upon the integrity of the information it contains. It is therefore the responsibility of all participants to ensure that integrity. In particular, participants in the NII should, to the extent reasonable: 1. Ensure that information is secure, using whatever means are appropriate; 2. Ensure that information is accurate, timely, complete, and relevant for the purpose for which it is given. II. Principle for Information Collectors (i.e. entities that collect personal information directly from the individual) A. Collection Principle Before individuals make a decision to provide personal information, they need to know how it is intended to be used, how it will be protected, and what will happen if they provide or withhold the information. Therefore, collectors of this information should: 1. Tell the individual why they are collecting the information, what they expect it will be used for, what steps they will take to protect its confidentiality and integrity, the consequences of providing or withholding information, and any rights of redress. III. Principles for Information Users (i.e. Information Collectors and entities that obtain, process, send or store personal information) A. Acquisition and Use Principles Users of personal information must recognize and respect the stake individuals have in the use of personal information. Therefore, users of personal information should: 1. Assess the impact on personal privacy of current or planned activities before obtaining or using personal information; 2. Obtain and keep only information that could reasonably be expected to support current or planned activities and use the information only for those or compatible purposes; 3. Assure that personal information is as accurate, timely, complete and relevant as necessary for the intended use; B. Protection Principle Users of personal information must take reasonable steps to prevent the information they have from being disclosed or altered improperly. Such users should: 1. Use appropriate managerial and technical controls to protect the confidentiality and integrity of personal information. C. Education Principle The full effect of the NII on both data use and personal privacy is not readily apparent, and individuals may not recognize how their lives can be affected by networked information. Therefore, information users should: 1. Educate themselves, their employees, and the public about how personal information is obtained, sent, stored and protected, and how these activities affect others. D. Fairness Principles Because information is used to make decisions that affect individuals, those decisions should be fair. Information users should, as appropriate: 1. Provide individuals a reasonable means to obtain, review, and correct their own information; 2. Inform individuals about any final actions taken against them and provide individuals with means to redress harm resulting from improper use of personal information; 3. Allow individuals to limit the use of their personal information if the intended use is incompatible with the original purpose for which it was collected, unless that use is authorized by law. IV. Principles for Individuals who Provide Personal Information A. Awareness Principles While information collectors have a responsibility to tell individuals why they want information about them, individuals also have a responsibility to understand the consequences of providing personal information to others. Therefore, individuals should obtain adequate, relevant information about: 1. Planned primary and secondary uses of the information; 2. Any efforts that will be made to protect the confidentiality and integrity of the information; 3. Consequences for the individual of providing or withholding information; 4. Any rights of redress the individual has if harmed by improper use of the information. B. Redress Principles Individuals should be protected from harm resulting from inaccurate or improperly used personal information. Therefore, individuals should, as appropriate: 1. Be given means to obtain their information and be provided opportunity to correct inaccurate information that could harm them; 2. Be informed of any final actions taken against them and what information was used as a basis for the decision; 3. Have a means of redress if harmed by an improper use of their personal information. ***************************************************************** Draft - April 21, 1994 PRINCIPLES FOR PROVIDING AND USING PERSONAL INFORMATION Commentary 1. With the initiation and expansion of the National Information Infrastructure (NII), the information age is clearly upon us. The ability to access, collect, store, analyze, and disseminate data at an acceptable cost has never been greater, and continuing advances in computer and telecommunications technologies, especially interactive applications, will serve to ensure that the amount of electronically stored personal information and transactional data will continue to grow at a healthy pace. 2. Cost is, of course, the overriding factor. Continually decreasing hardware, software and networking costs allow individuals and organizations to use data in ways that were previously, in a non-electronic world, cost-prohibitive. For example, if someone were interested in building a dossier on a citizen who had lived in four different states, that dossier could have been built "manually" by travelling from state to state (or hiring individuals in each state) to compile public records pertaining to that individual's birth, motor vehicle registration, driver's license, real property holdings, voting, etc. This would have required, however, filling out forms, paying fees, and perhaps waiting in long lines for record searches at various state and local office buildings. In short, it could be done, but it would have been a time-consuming and costly exercise; thus, it would not be done unless the reward for building this dossier were considerable. If the ultimate goal were to collate data on thousands of individuals,analytical processing costs would also be added to the mix. 3. Today, such a dossier can be built in a matter of minutes, at minimal cost, assuming all the needed information is on-line. Indeed, with the NII, the assumption is that large amounts of sensitive information will be on line, and can be accessed, perhaps without authority, by a large number of network users. With advanced networking, each link in the chain--access, collection, storage, and analysis--becomes a cost-effective method of using information, as does the ability to disseminate the final collated product to others. 4. Such networking offers considerable benefits. The NII holds forth the promise of greater public participation in society, advances in medical treatment and research, and quick verification of critical personal information (e.g., a gun purchaser's criminal record), just to name a few. There is, however, another issue: information privacy. To the extent that the ability to access, collect, store, analyze, and disseminate data has never been greater, the threat to personal information privacy has never been greater either. 5. The truth is, the NII will only achieve its full potential if individual privacy is properly protected. Absent such protections, individuals may be reluctant to participate in the NII, fearful that the risks to personal privacy outweigh the benefits. Citizens should not have to make that choice; rather, they should be assured that the use of personal information will be appropriately limited. The adoption of fair information principles is a critical first step in that direction. 6. Although Fair Information Principles currently exist, [see Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, (Washington, D.C., Department of Health, Education and Welfare, 1973)], it is clearly time that they be rewritten to address the issues raised by our new electronic environment, as well as cover paper records. The most major concerns: (1) It is no longer governments alone that collect and use large quantities of personal data; the private sector clearly rivals the government sector in information usage. As such, these new principles should apply to both the government and private sectors. (2) The NII will, if it fulfills its promise, be interactive; i.e., individuals about whom data relates (so-called "data subjects") will become increasingly active participants, creating volumes of communicative and transactional data. To the extent that individuals are providing information about themselves, they too should have obligations when using the NII. (3) The transport vehicles for this information (the networks) are vulnerable to abuse; thus, the reliability of the network itself becomes critical to the future success of the NII. (4) Traditional ethical rules, long-accepted when dealing with tangible objects, are not easily applied in the new electronic environment, and all NII participants must be educated in the proper use of the NII. Consider, for example, how an individual who would never trespass in the home of another might attempt to justify computer hacking as an intellectual exercise. Indeed, what constitutes a proper use of the NII or NII information might not be intuitively obvious. Whether a particular use is acceptable may depend on a host of factors including, but by no means limited to, the purpose for which the data was collected, whether the use is compatible with that purpose, and whether the use is specifically authorized by law. In such an environment, individuals need to be educated about the proper use of both the NII and the information it contains. 7. As ambitious as the task is, these Principles attempt to address these issues. That said, one must recognize the limitations inherent in any such principles. First, the Principles are not intended to have the force of law. Broad sweeping principles provide a framework for addressing fair information practices, but any specific regulatory implementation must be sector by sector. This is because each information sector (e.g., medical, financial, law enforcement, national security, research and statistics) has specific and unique needs that cannot be addressed by general principles. 8. Second, the Principles are only intended to apply domestically; although, to the best of our knowledge, these Principles are in accord with current international guidelines regarding personal privacy and data protection, and should not hinder the ongoing development of an international information infrastructure. 9. Third, the Principles only address information identifiable to a living individual. It makes little sense to restrict the use of information that does not relate to an identifiable living person, and to do so would unduly hamper researchers and others who use large quantities of data for generic statistical purposes. 10. Finally, although the Principles are written broadly, there will no doubt be times when their strict application would be inappropriate. For example, public safety could be undermined if law enforcement had to seek a data subject's approval before obtaining transactional records relevant to an ongoing criminal investigation on the theory that this use was incompatible with the purpose for which the records were originally created. To account for such cases, the words "as appropriate" or "to the extent reasonable" appear in the Principles. This is not to suggest, however, that the Principles need not be rigorously adhered to. To the contrary, the need to diverge from a given principle should be the exception, not the rule, and should only occur when there is an compelling reason. For in the end, it is adherence to these Principles that is critical to developing trust between data users and data subjects in the electronic information age. General Principles for the National Information Infrastructure 11. We begin with the three principles that apply to all NII participants: information collectors, information users, and individuals ("data subjects"). These three principles, relating to privacy and information integrity, provide the underpinnings for the successful implementation of the NII. They state clearly that individuals are entitled to a reasonable expectation of information privacy, and that efforts should be made to ensure that information is adequately protected and used appropriately. 12. If the NII is to be trusted, participants must have a reasonable expectation of privacy in personal information. Although individuals harbor subjective expectations of privacy, these must be honored only to the extent that society is prepared to recognize those subjective expectations as objectively reasonable. For example, an individual who posts an unencrypted personal message in an area of a bulletin board service that is provided for open, public messages cannot reasonably expect that his/her message will only be read by the individual listed in the salutation. Where a subjective expectation of privacy is made clear and is objectively reasonable, however, individuals should have their privacy respected. 13. NII participants must also be able to rely upon the integrity of the information contained in and transmitted through the NII. This will be the case only if the information is secure from improper disclosure and alteration, and if the information is accurate, timely, complete, and relevant for the purpose for which it is used. The responsibility of providing adequate security and reliable information falls properly on all participants in the NII. 14. We recognize, of course, that individuals and organizations do not always provide accurate and complete data when requested. Large data brokers, as well as privacy advocates, may intentionally provide false data as a method of monitoring data flow. For example, an individual who misspells his name slightly when dealing with one company and then receives mail, with the name similarly misspelled, from a second company, may now be aware that the first company has disseminated his name to others. We do not intend to suggest that any falsehood violates this principle. It would violate this principle, however, to provide false information to create some improper result (such as receiving illegitimate benefits or injuring another). Responsibilities of Original Collectors (i.e., Entities that Collect Information Directly from the Individual) of Personal Information 15. One of the most alluring features of the NII--easy access to and dissemination of information--also provides one of its most vexing problems: it is impossible for an individual to identify all the other individuals and organizations that may possess some personal information about himself or herself. At the risk of over-simplification, there are essentially two types of data users: those who collect information directly from the data subject, and those who do not. By necessity, the rules for these two groups must differ. 16. Those who collect information directly from the individual should inform the data subject (1) how the information collected will be used, (2) whether the information will remain confidential and be protected against improper access or alteration, and (3) the consequences of providing or withholding the requested information. The fulfilling of these obligations will ensure that individuals have a meaningful opportunity to exercise sound judgment in accordance with the Principles for Individuals Who Provide Personal Information. Juxtaposed, the Principles for Information Collectors and Principles for Individuals Who Provide Personal Information highlight the true interactive nature of the NII and the ideal symbiotic relationship between data collectors and data subjects. 17. It is simply impossible, of course, to impose these Information Collector obligations on entities that have no direct relationship with the individual. If every recipient of data were required to contact every individual on whom they receive data to provide some form of notice, the exchange of information would become unduly burdensome, and the benefits of the NII would be lost. On the other hand, information dispersion will be common on the NII and the following principles, designed to promote fair information use, should apply to all data users (including data collectors). Responsibilities of Information Users (i.e., Information Collectors and Entities that Obtain, Process, Send or Store Personal Information). 18. In an environment where individuals cannot realistically know where all personal information about them resides, and cannot account for each use of that information, it is simply impossible for individuals to ensure that personal information is used fairly. In some cases, even arguably adverse actions may go unnoticed, and therefore redress will not be available. For example, a company may decide not to include an individual in a mass mailing offer regarding a financial opportunity because an analysis of that individual's credit history suggests the individual is a bad credit risk. In such an environment, it is particularly important to ensure that data users use personal information in acceptable ways. The following principles, which apply to all users (including Collectors), fall into four categories: Acquisition and Use, Protection, Education, and Fairness. A. Acquisition and Use Principles 19. The benefit of information lies in its use, but such use may also have a negative effect on personal privacy. Additionally, that privacy, once lost, cannot always be entirely restored (consider, for example, the extent to which the inappropriate release of extremely embarrassing personal information is rectified by a public apology). To protect the information privacy of individuals adequately requires that the effect of data use be considered before personal information is obtained or used. In assessing this effect, data users will need to consider not just the effect of their action on the individual, but other factors (such as public opinion and market forces) which may be relevant in determining whether a particular data use is appropriate. 20. It may well be that the effect on personal privacy has been considered and it has been decided, appropriately, to obtain and use personal information for some purpose. In such cases, the data user should obtain only that information which could reasonably be expected to support current or planned activities. Although the cost of storing information continues to decrease, it is simply inappropriate to collect volumes of personal information because it may, in the future, prove to be of some unanticipated value. Moreover, once collected, personal information should only be used for those current or planned activities, or other compatible purposes. Incompatible uses not authorized by law should not be undertaken without consultation with the data subject. See, Fairness Principles, below. Finally, information should only be kept as long as necessary. It should be destroyed when appropriate. 21. Reasonable efforts should be made to ensure that information that will be relied upon is accurate, timely, complete, and relevant. It must be recognized that information which is accurate when collected may not be used for years, and the use of stale information may have unfair or inaccurate results. B. Protection Principle 22. In a networked environment, the risk of unauthorized access (i.e., loss of confidentiality) and unauthorized alteration (i.e., loss of data integrity) increases exponentially. Both insiders and outsiders may browse through information they have no right to see, or make hard-to-detect changes in data which will then be relied upon in making decisions that affect the individual. For example, our national health system expects to become an intentive user of the NII. A hospital in remote part of the country may pass x-rays through the NII for review by a renowned radiologist at a teaching hospital in another part of the country. For improving the quality of patient care, the benefits of such transfers are enormous. Yet, it is unlikely that such sensitive data will be passed through a system where it could be subject to unauthorized alteration and potential misuse? It is therefore incumbent on data users to protect the data commensurate with the harm that might occur if the data were improperly disclosed or altered. Additionally, the level of protection should be consistent with whatever the data subject was told if the data was collected directly from the individual. 23. It is not enough, however, to rely upon technical controls. Although technological safeguards can serve to protect data confidentiality and integrity, there is a human component that defies a solely technical solution. For example, insiders--those who are authorized to access and alter data--may not violate access controls when they improperly alter or delete data they are authorized to change. Therefore, the protections employed must be multi-faceted and include technical solutions, management solutions (e.g., creating an environment where fair information practices are the accepted norm), and educational solutions (e.g., providing data handlers with proper training). C. Education Principle 24. The Education Principle represents a significant addition to the traditional Fair Information Principles. The effect of the NII on both data use and personal privacy is by no means readily apparent. Most individuals are ignorant as to the amount of personal information already networked, and may not recognize how their lives can be affected by networked information. 25. It is important that information users appreciate how the NII affects information privacy, and that individuals understand the ways in which personal information can be used in this new environment. Thus, data users need to educate themselves, their own employees, and the public in general about how personal information is obtained, transmitted, used and stored, including what types of security measures are being used to protect data confidentiality and data integrity. D. Fairness Principles 26. If information can be used to adversely affect an individual, it is only fair that individual have a reasonable means to obtain, review, and correct personal information about himself or herself. Moreover, to the extent adverse actions are taken against the individual, the individual should be notified and have a means of redress. Equally important, the data collector should explain to the individual exactly what that means of redress is. Redress may take many forms (mediation, arbitration, civil suit, criminal prosecution) and be offered in different forums (federal, state, local) but cannot be imposed by these principles. 27. One of the most difficult issues is dealing with incompatible uses of previously collected information. An incompatible use is not necessarily a bad use; in fact, it may be of considerable benefit to either a data subject or society as a whole. A data subject may benefit, for example, when a customer mailing list is used to warn those customers that a product that they purchased is defective and may cause serious physical injury. Society as a whole may benefit when criminal conviction information is used for some purpose not originally contemplated such as screening candidates for child care positions or weapons purchases. Similarly, researchers and statisticians using previously collected information may determine the cause of a potentially fatal disease such as cancer. 28. On the other hand, without some limitation, information use may know no boundaries. Individuals who disclose information for one purpose may then be subjected to unintended and undesired consequences, and this will discourage them from disclosing personal information in the future. To ensure that this does not occur, information should only be used in ways compatible with the purposes for which it was collected and, before incompatible uses occur, they must either be authorized by law or the individual data subject should be notified so that he or she can opt out of such use. Rights and Responsibilities of Individuals who Provide Personal Information 29. As noted, the NII has significant implications for information use and personal privacy. In such an interactive environment, it is not sufficient for individuals to disclose personal information and then abdicate responsibility for the consequences; rather, individuals must take an active role in deciding whether to disclose personal information in the first instance. But if individuals are to be held responsible for making these choices, they must be empowered to make intelligent choices. This requires that they receive meaningful information on the intended uses of the information they provide, and the consequences for providing or withholding personal information. For these purposes, the "Principles for Individuals who Provide Personal Information" create two discrete categories that apply to individuals: Awareness and Redress. A. Awareness Principles 30. Awareness encompasses the notion that individuals should understand the ways in which personal information may be used, and the results that flow from such use. This will allow them to make intelligent choices regarding the disclosure of personal information. 31. Increasingly, individuals are being asked to surrender personal information about themselves. Sometimes the inquiry is straight-forward; for example, a bank may ask for personal information prior to processing a loan request. In this type of situation, it may be clear to the individual the purpose, or at least the primary purpose, for which the information is sought (e.g., processing the loan application). There may, however, be secondary uses which are not so immediately obvious, such as being put on a mailing list for a credit card solicitation. Indeed, there are no doubt many times when individuals decide to disclose information without being fully cognizant of the many ways in which that information may ultimately be used. 32. It is difficult, if not impossible, to anticipate all such uses. Individuals who pay for medical services with a charge card may not recognize that they are creating transactional records from which others may attempt to ascertain the current state of the individual's health. Equally problematic is that the assumptions drawn from such data may be false, and the individual may never know that the data has been used to reach some conclusion, or take some action, regarding his or her future. 33. It is impossible to formulate any set of principles that can cover comprehensively all possible uses of information. Nor would such an attempt be wise for, in fact, different people desire and expect different levels of privacy, and hold different concerns regarding the ultimate use of personal data. Ultimately, whether an individual chooses to disclose personal information, or create a transactional record, should depend upon the individual's own wishes unless, of course, the information is required by law. 34. The Awareness Principles recognize the importance of personal choice and cultivate an environment where these critical personal decisions can be made intelligently. For whatever the degree of personal interest in information privacy, it is critical that individuals receive enough facts to make rational choices regarding the disclosure of personal information. 35. First and foremost, an individual should know the intended primary and secondary uses of the information. Second, individuals should determine whether efforts will be made to assure data confidentiality and data integrity. In some cases, confidentiality may be required by law (e.g., tax records), but of equal concern may be the technical and managerial controls in place to protect the data. This principle does not mean that the individual should obtain a technical explanation regarding the security measures used to protect such data. Indeed, such technical explanations might be unwelcome, unwarranted and counterproductive (widespread disclosure of the technical measures used might actually expose vulnerabilities in a given system). But individuals should be told whether the information is intended to remain confidential and whether efforts will be made to preserve data integrity. Some individuals might choose not to disclose personal data if they knew that the data provided was freely obtainable by others, or might easily be altered. 36. Individuals should also be informed of the consequences of providing or withholding information. Data subjects should be told whether disclosing the requested information is mandatory (i.e., required by law) or voluntary, and the consequences that can flow from their decision. We recognize fully that even when disclosure is legally "voluntary," it may in fact be coerced (e.g., the refusal to "voluntarily" provide information may result in the denial of critical life-sustaining benefits). General principles cannot resolve such difficult issues but clearly, whatever the consequences, they should be clearly articulated. 37. Lastly, there will be times when individuals feel aggrieved by the improper use of personal information. If redress is available, individuals should be aware of that fact, and be informed as to how such redress can be obtained. B. Principle of Redress 38. Invariably, people will be harmed by the improper disclosure or improper use of personal information. It is therefore important to implement proactive measures to limit that harm, and reactive measures to provide relief when harm occurs. 39. To the extent inaccurate information can be used to harm individuals, it follows that individuals may wish to ensure that collected and stored personal information is in fact accurate and complete. For this reason, individuals should be able to obtain from data users, as appropriate, a copy of this personal information and have the opportunity to correct inaccurate information. This may allow them, proactively, to prevent anticipated harms. This principle is, however, limited in scope. Although, idealistically, all stored personal information should be accurate, the fact remains that inaccurate personal information does and will exist, and correcting inaccurate data cannot be done without cost. Pragmatically, it makes little or no sense to devote resources to correcting data that cannot be used to harm the individual, and therefore the opportunity to review personal information in order to correct data inaccuracies is limited to those cases where harm may occur. 40. When final actions are taken against individuals, they are entitled to notice. Absent notice, it may be impossible to seek available redress. Moreover, redress should be available for individuals who have been harmed by the improper use of information (including the use of inaccurate information). To ensure that individuals can take advantage of these redress mechanisms, the awareness principle, as noted above, requires that individuals be informed of the remedies available.