Report of the National Task Force on Privacy, Technology
and Criminal Justice Information


Law and Policy
Change Drivers
Recommendations


Criminal Justice Information Policy


U.S. Department of Justice
Office of Justice Programs
Bureau of Justice Statistics


July 2001, NCJ 187669


U.S. Department of Justice
Bureau of Justice Statistics

Lawrence A. Greenfeld
Acting Director

Acknowledgments. This report was prepared by SEARCH,
The National Consortium for Justice Information and
Statistics, Kenneth E. Bischoff, Chair, and Gary R. Cooper,
Executive Director. The project director was Sheila J.
Barton, Deputy Executive Director. Robert R. Belair,
SEARCH General Counsel, wrote this report. Kevin L.
Coy, Associate, Mullenholz, Brimsek & Belair, assisted in
its preparation. Twyla R. Cunningham, Manager, Corporate
Communications, and Linda B. Townsdin, Writer/Editor,
edited this report, and Jane L. Bassett, Publishing
Specialist, provided layout and design assistance. The
Federal project monitor was Carol G. Kaplan, Chief,
Criminal History Improvement Programs, Bureau of Justice
Statistics.

Report of work prepared under Cooperative Agreement
number 96-BJ-CX-K010, awarded to SEARCH Group,
Incorporated, 7311 Greenhaven Drive, Suite 145,
Sacramento, California 95831. Contents of this document
do not necessarily represent the views or policies of the
Bureau of Justice Statistics or the U.S. Department of
Justice.

Copyright (c) SEARCH Group, Incorporated, dba
SEARCH, The National Consortium for Justice
Information and Statistics, 2001

The U.S. Department of Justice authorizes any person to
reproduce, publish, translate, or otherwise use all or any
part of the copyrighted material to this publication, except
for those items indicating they are copyrighted or printed by
any source other than SEARCH, The National Consortium
for Justice Information and Statistics.


I. Introduction and executive summary

Rationale for Bureau of Justice Statistics and SEARCH
project

In 1998, the Bureau of Justice Statistics (BJS) in the Office
of Justice Programs (OJP), U.S. Department of Justice, and
SEARCH, The National Consortium for Justice
Information and Statistics, -1 [Hereafter, SEARCH.]
determined that the time was appropriate to conduct a
comprehensive project -2 [The project was funded by and
operated under the auspices of the Bureau of Justice
Statistics (BJS). Since its inception, BJS has taken a
leadership role in the improvement of criminal history
record information and the development of appropriate
policies for handling this information. SEARCH is a State
criminal justice support organization comprised of one
governor's appointee from each State, the District of
Columbia, and the territories of Puerto Rico and the U.S.
Virgin Islands, as well eight at-large Members selected by
the SEARCH Chair. For over 3 decades, SEARCH has
promoted the effective and appropriate use of information,
identification, and communications technology for State
and local criminal justice agencies. For the same period of
time, SEARCH has been vitally concerned with the privacy
and public access implications of the automation and use of
personally identifiable criminal justice record information.]
to review the law and policy addressing the collection, use,
and dissemination of criminal justice record information
and, particularly, criminal history record information
(CHRI). -3 [CHRI consists of arrest and conviction
information, as well as other types of disposition
information.]

In the mid-1970s and again in the mid-1980s, BJS and its
predecessor organizations, along with SEARCH, had
looked closely and comprehensively at this very issue.
Those reviews:

* Concluded that CHRI should not be made available to the
general public.

* Recognized that there are some legitimate, noncriminal
justice uses of CHRI (for example, for background checks
for positions of trust).

* Recognized a sharp distinction between arrest-only and
conviction information, and recommended more relaxed
rules for the dissemination of conviction information.

* Strongly endorsed the view that CHRI should be made
available for various noncriminal justice purposes only
after a search conducted on the basis of fingerprints.

* Recommended that various privacy and fair information
practice protections should attach to the handling of CHRI,
including a right on the part of the record subject to see and
correct the record.

Those efforts and recommendations by BJS and SEARCH
made a direct contribution to the development of law and
policy for the handling of CHRI in all 50 States.

By the late 1990s, however, it had become apparent that
changes in technology, as well as in the public's attitude
about access to information and privacy, made it
appropriate and important to take a new look at CHRI law
and policy. In particular, the existing CHRI law takes a
"smokestack" approach: one body of law for the
comprehensive CHRI maintained by law enforcement at a
central State repository (sometimes referred to as a "rap
sheet"); an entirely separate body of law regulating the
dissemination and use of the very same records (albeit, not
as comprehensive or complete) maintained in the courts;
another separate body of law and policy for the collection,
use, and dissemination of this information by various
commercial compilers; and a different set of laws for the
media's handling of this information. This smokestack
approach, combined with an eruption of public concern
about privacy, and further combined with a necessary and
constructive effort sweeping the Nation to integrate
criminal justice and other governmental information
systems, set the scene for an in-depth review of CHRI law
and policy.

Goals and deliverables

The goal of BJS and SEARCH was to craft a road map for
the development of a new generation of CHRI law and
policy. Specifically, the BJS/SEARCH effort consists of
four deliverables:

1. This report, which analyzes existing law and policy for
handling CHRI; identifies the technological and societal
developments that may be changing the criminal justice
privacy environment; and makes initial recommendations to
address the next generation of criminal justice information
law and policy.

2. A first-ever, public opinion survey about public access to
CHRI undertaken by the Opinion Research Corporation and
Dr. Alan F. Westin. -4 [The summary results of this survey,
along with interpretive commentary, is being published
separately by BJS in a forthcoming companion report titled
"Privacy, Technology and Criminal Justice Information:
Public Attitudes Toward Uses of Criminal History
Information, Summary of Survey Findings," (NCJ 187633).
Hereafter, Privacy Survey Report.]

3. A national conference - the proceedings of which will be
published separately - to address and highlight emerging
criminal justice information privacy issues, which was held
in Washington, D.C., on May 31 and June 1, 2000.

4. Targeted standards applying the recommendations of the
National Task Force on Privacy, Technology and Criminal
Justice Information, -5 [Hereafter, Privacy Task Force or
Task Force.] as set forth in this report, to specific types of
criminal justice record information and integrated systems.
Work in this area began with the development of design
principles for safeguarding the privacy of personal
information in integrated criminal justice systems (to be
published separately). Additional projects to promote the
next generation of criminal justice information privacy law
and policy recommended in this report are under
development.

To assist in conducting the project, BJS and SEARCH
convened a Task Force of preeminent academics, criminal
justice officials (including representatives from law
enforcement, the courts, corrections, and prosecution),
private-sector compilers and resellers of criminal justice
record information, the media, and the criminal justice
record user community. -6 [Biographies of Task Force
participants are included as Appendix 1.] The Task Force
held three, multiple-day meetings: Asilomar in Pacific
Grove, California, on January 13-14, 1999; Boston,
Massachusetts, on May 11-12, 1999; and Victoria, British
Columbia, Canada, on October 18-19, 1999. The
observations and recommendations in the report reflect the
Task Force's consensus views, but do not necessarily reflect
the views of any particular member of the Task Force or of
his or her institutional affiliations.

Key factors changing the criminal history record
information environment

The Task Force identified the following technological,
cultural, economic, and other "change drivers" that are
moving the Nation toward a new information environment
and impelling the consideration of new criminal justice
record information privacy policies.

* Public concern about privacy. In the late 1990s, the
American public registered the strongest concerns ever
recorded about threats to their personal privacy from both
government and business. In a 1999 study conducted by Dr.
Alan F. Westin, 94 percent of respondents said they are
concerned about the possible misuse of their personal
information. Of the concerned, 77 percent said they were
"very concerned."

* The "Information Culture." A new and emerging culture
of information access and use facilitated by personal
computers, browsers, search engines, online databases, and
the Internet, has helped to create a demand for, and a
market in, information, including criminal justice
information, while, at the same time, fostering in many a
sense of lack of control over one's personal information and
a loss of privacy.

* Technological change. Revolutionary improvements in
information, identification, and communications
technologies (including increasingly advanced software
applications and Internet-based technologies), and the
increased affordability of these technologies fuels the
appetite for information and creates new players in the
criminal justice information arena. 

* System integration. Initiatives to integrate criminal justice
information systems operated by law enforcement, courts,
prosecution, and corrections, as well as initiatives to
integrate these systems with information systems
maintaining other types of personal information, create
powerful new information resources. At the same time,
these integration initiatives may create uncertainty about
the types of privacy laws and policies that apply to these
new systems and which dilute existing policies designed to
keep information separate.

* New approach that closely resembles a "Business Model"
for the criminal justice system. Two fundamental changes
in the way the criminal justice system operates have had a
profound impact upon the approach that criminal justice
agencies take toward obtaining and using information - a
"data-driven, problem-solving approach." These changes
are: a new, more cooperative, community-based
relationship between criminal justice agencies and citizens;
and added criminal justice agency responsibilities to
provide information to surrounding communities, Federal,
State, and local agencies, other police departments, and
other organizations. This new approach also creates privacy
risks through a wider circulation of criminal justice
information.

* Noncriminal justice demand. A persistent and
ever-increasing demand by noncriminal justice users to
obtain CHRI has had a pervasive and important impact on
the availability of information. 

* Commercial compilation and sale. Changes in the
information marketplace - which feature the private sector's
acquisition, compilation, and sale of criminal justice
information obtained from police and, more particularly,
court-based open record systems - are making information
similar to that found in criminal history records more
widely available to those outside the criminal justice
system. 

* Government statutes and initiatives. A host of new
government initiatives and laws, aimed at providing
criminal justice information to broader audiences, on a
more cost-effective and timely basis, has also fueled the
availability of criminal justice information.

* Juvenile justice reform. Demands for juvenile justice
records, particularly those involving violent offenses that
result in treating juvenile information in a way which very
much resembles the handling of adult records, is also
putting pressure on traditional information and privacy
policies.

* Intelligence systems. Criminal justice intelligence
systems are being automated, regionalized, and armed with
CHRI and other personal information to create detailed
personal profiles for law enforcement use.

Content of project report

This project report begins with a review of information
privacy law and policy. The report identifies five interests
critical to a democracy and that are served by information
privacy: (1) due process and fairness, (2) individual dignity,
(3) individual autonomy, (4) oversight and trust in
governmental institutions, and (5) the promotion of
privacy-dependent relationships. 

In reviewing the history of information privacy, the report
describes the development of the code of fair information
practices in the early 1970s, a code that continues to shape
both U.S. and worldwide privacy policy to this day.

The report provides further background information with an
overview of the criminal justice information system
structure. The report describes the Nation's system for the
interstate exchange of CHRI, including the role of the
Federal Bureau of Investigation (FBI), the central State
repositories of CHRI, the Interstate Identification Index
(III), the National Crime Prevention and Privacy Compact
(which establishes formal procedures and governance
structures for noncriminal justice use of the III), and the
Compact Council. The report also enumerates the types of
personally identifiable information that are encompassed
within the term "criminal justice record information,"
including juvenile justice information, investigative and
intelligence information, various kinds of original records
of entry, and, of course, the criminal history record.

The report also sets forth the constitutional and common
law standards that apply to CHRI. The report emphasizes
that the courts recognize individuals have a privacy interest
in CHRI which pertains to them, but that this interest has
seldom been relied upon by the courts to strike down or
limit statutory and regulatory standards for the collection,
use, and dissemination of CHRI.

The report provides further background by tracing the
development of Federal and State criminal history record
legislation and regulation. In the period since 1967, the
Congress, the Justice Department, State legislatures, and
regulatory bodies have devoted considerable attention to
standards for collecting, maintaining, using, and
disseminating CHRI. Both BJS and SEARCH have been
active participants in the development of these standards.
The report notes that today, these standards provide for the
following: subject access and correction rights; restrictions
on the amalgamation of criminal history information with
other types of personal information; various kinds of
standards to ensure the accuracy, completeness, and
timeliness of CHRI; fingerprint support of information
entered into law enforcement criminal history systems and
obtained from those systems; various kinds of disposition
reporting requirements; sealing and purging standards in
the case of old information or arrest information without a
disposition; security standards; standards for criminal
history use or dissemination; widespread criminal justice
access to CHRI; limited noncriminal justice access to
CHRI; and very limited public access to CHRI.

The report also includes brief case studies of three States
that have taken very different approaches to public access
to law enforcement CHRI: Florida, which takes an "open
record" approach; Washington, which takes an
"intermediate" approach (providing significant access to
conviction information but very limited access to
nonconviction information); and Massachusetts, a largely
"closed-record" State that permits access only to criminal
justice entities.

The bulk of the report focuses on the "change drivers"
described above. In particular, the report gives attention to
the public's concern about privacy and the technological
changes that make previously inaccessible court records
widely available.

Task Force recommendations

Finally, the report presents the 14 recommendations
adopted by the National Task Force on Privacy, Technology
and Criminal Justice Information.

Several points should be emphasized about these
recommendations:

* First, the purpose of these recommendations is not to
prescribe the specifics of a new generation of law and
policy for criminal justice record information. Rather, the
purpose of the recommendations is to address the
conceptual and structural outline of a new generation of law
and policy. Accordingly, the Task Force recommends that
further work on these specifics be undertaken by a
statutorily chartered study organization with a 3-year
sunset.

* Second, in looking at the approach to CHRI, the Task
Force recommends a global policy to address criminal
history and juvenile justice record information largely
without regard to whether this information is held by law
enforcement agencies (that is, the central State
repositories), the courts, or commercial compilers and
aggregators. The Task Force's rationale for this approach is
that the privacy and information implications are largely
unaffected by whether the information is sourced to courts,
law enforcement, or commercial compilers.

* Third, the Task Force reaffirms the importance of using
fingerprints to the extent that technology, cost, and
availability make fingerprints available to law enforcement,
the courts, and the commercial sector. Only with the use of
fingerprints can a reliable determination be made that a
criminal history record pertains to the person who is the
subject of the search.

* Fourth, the Task Force view is that the creation of
comprehensive profiles about individuals is a threat to
privacy and, importantly, is perceived by the public as a
threat to privacy. Accordingly, the Task Force recommends
that criminal justice record information not be amalgamated
with other types of personal information (such as financial
or medical information) in databases of criminal history and
criminal justice records.

* Fifth, the Task Force view is that the national initiative to
integrate various criminal justice record information
systems, in order to improve the utility, effectiveness, and
cost efficiency of these systems, is a positive development
and should be encouraged. The Task Force recognizes,
however, that the establishment of these kinds of systems
raises privacy and profiling issues and, therefore, the
structure and content of integrated information systems
should be shaped to minimize these threats.

Specifically, the Task Force adopted the following
recommendations, which were subsequently endorsed in
January 2000 by SEARCH's Membership Group
(governors' appointees):

I. The Task Force recommends that a body be statutorily
created to consider and make policy recommendations to
the Federal and State legislative, executive, and judicial
branches of government as they work to balance the
increasing demand for all forms of criminal justice
information and the privacy risks associated with the
collection and use of such information. The Task Force
recommends that the body look at information and privacy
issues arising from all types of criminal justice information,
including criminal history record information, intelligence
and investigative information, victim and witness
information, indexes and flagging systems, wanted person
information, and civil restraining orders. The Task Force
further recommends that such a body be comprised of
public and private stakeholders; that the body be limited to
an advisory role; and that it have neither rulemaking nor
adjudicatory authority. Finally, the Task Force recommends
that the body sunset after not more than 3 years, unless
statutorily reauthorized.

II. The Task Force recommends the development of a new
generation of criminal justice information and privacy law
and policy, taking into account public safety, privacy, and
government oversight interests. This law and policy should
be broad in scope, so as to address the collection,
maintenance, use, and dissemination of criminal justice
record information by law enforcement agencies, including
State central repositories and the FBI, the courts, and
commercial compilers and resellers of criminal justice
record information. 

III. The Task Force recommends that the adequacy of
existing legal remedies for invasions of privacy arising
from the use of criminal history record information should
be reexamined by legal scholars, State legislatures,
Congress, State and Federal agencies, and the courts. 

IV. The Task Force recommends the development of a new
generation of confidentiality and disclosure law and policy
for criminal history record information, taking into account
the type of criminal history record information; the extent
to which the database contains other types of criminal
justice information (victim and witness information, or
intelligence or investigative information) and sensitive
personal information (medical or financial information, and
so on); the purpose for the intended use of the information;
and the onward transfer of the information (the
redissemination of the criminal history information by
downstream users).

V. The Task Force recommends that intelligence and
investigative information also be addressed by new privacy
law and policy, but that this process should begin with the
establishment of a Task Force dedicated exclusively to a
review of intelligence and investigative systems, and the
law and privacy issues related to those systems.

VI. The Task Force recommends that legislators and
criminal history record information system managers
develop, implement, and use the best available technologies
to promote data quality and data security.

VII. The Task Force recommends that criminal history
record information, whether held by the courts, by law
enforcement, or by commercial compilers and resellers,
should, subject to appropriate safeguards, be supported by
and accessible by fingerprints to the extent legally
permissible and to the extent that technology, cost, and the
availability of fingerprints to both database managers and
users make this practicable.

VIII. The Task Force recommends that criminal history
record information should be sealed or expunged (purged)
when the record no longer serves an important public safety
or other public policy interest. A sealed record should be
unsealed and available for criminal justice and/or public
use only when the record subject has engaged in a
subsequent offense or when other compelling public policy
considerations substantially outweigh the record subject's
privacy interests. During the period that a criminal history
record is sealed, use and disclosure should be prohibited.

IX. The Task Force recommends that individuals who are
the subject of criminal history record information be told
about the practices, procedures, and policies for the
collection, maintenance, use, and disclosure of criminal
history information about them; be given a right of access
to and correction of this information, including a right to
see a record of the disclosure of the information in most
circumstances; and enjoy effective remedies for a violation
of any applicable privacy and information standards. In
addition, the Task Force recommends that States establish
meaningful oversight mechanisms to ensure that these
privacy protections are properly implemented and enforced.

X. The Task Force recommends that where public safety
considerations so require, the record of a juvenile offender
who commits an offense which, if committed by an adult,
would be a felony or a violent misdemeanor, be treated in
the same manner that similar adult records are treated. Even
if a State opts to retain stronger privacy and confidentiality
rules for these types of juvenile records, these records
should be fingerprint-supported and should be capable of
being captured in an automated, national system.

XI. The Task Force recommends that criminal justice
record information law and policy should restrict the
combining of different types of criminal justice record
information into databases accessible to noncriminal justice
users and should restrict the amalgamation of criminal
justice record information in databases with other types of
personal information, except where necessary to satisfy
public policy objectives.

XII. 
The Task Force recommends that where public policy
considerations require amalgamation of information,
systems be designed to recognize and administer differing
standards (including dissemination policies and standards)
based upon differing levels of data sensitivity, and allow
the flexibility necessary to revise those standards to reflect
future changes in public policy.

XIII. The Task Force recommends that the integration of
criminal justice information systems should be encouraged
in recognition of the value of integrated systems in
improving the utility, effectiveness, and cost efficiency of
information systems. Prior to establishing integrated
systems, however, privacy implications should be
examined, and legal and policy protections in place, to
ensure that future public- and private-sector uses of these
information systems remain consistent with the purposes
for which they were originally created. In addition, once an
integrated system is created, any future uses or expansions
of that system should be evaluated to assess the privacy
implications.

XIV. The Task Force recommends that new criminal justice
privacy law and policy should continue to give weight to
the distinction between conviction information and
nonconviction information. The Task Force recognizes,
however, that there are certain instances in which
disclosure of nonconviction information may be
appropriate.



II. Report purpose and scope

It hardly comes as a surprise that Federal agencies collect
vast amounts of personal information, including
information collected through the criminal justice system. It
is also no surprise that this information collection activity
serves critical public safety and other public values.
Moreover, access to public record information, including
criminal justice information, promotes interests critical to a
democratic society, including:

* Promoting government accountability. Access to public
records helps the public monitor government activities,
thereby assisting the public to hold elected officials and
nonelected civil servants accountable and protecting against
secret government activities.

* Promoting first amendment rights. Access to public
record information helps to create the informed citizenry
necessary for the robust, wide-open public debates that play
an important structural role in securing and fostering free
speech and republican self-government. 

* Promoting confidence in the judicial and political
systems. Access to public record information bolsters
public knowledge about, and helps instill confidence in, the
operation of the political system as well as the judicial
system. 

* Promoting private-sector accountability. The use of
background checks that rely on public record information
allows the verification of assertions made by individuals (or
facts omitted by individuals), thereby permitting
prospective employers and business partners to protect
themselves and vulnerable populations which may be in
their care, including children, the disabled, and the elderly.

* Promoting meritocracy. In a mobile society where merit
(often initially represented by credentials) is often used
rather than family connections and lineage for purposes
such as employment, access to public records provides an
important means of verifying an individual's credentials,
including whether the individual has a criminal record.

Because this information is collected and used for the good
of society, why isn't that the end of the debate? Why not
make all information, including personal information
collected by Federal agencies, publicly available?

The answer, of course, is that there are powerful competing
values, interests, and concerns. One such interest is privacy.
Privacy encompasses not only secrecy but also fair
information practices regarding the use, access, accuracy,
right to challenge inaccurate information, and knowledge
that record systems even exist. -7 [Other values and
interests include national security interests, secrecy
requirements necessary to facilitate ongoing law
enforcement investigations, the protection of trade secrets,
and so on.] These information privacy interests were given
voice in the 1970s, at a time when centralized and
automated record systems were chiefly associated with
governmental activities. During the 1970s, a set of broad
fair information practice policies emerged, with specific
applications for criminal justice information. Since the
1970s, there have been many changes, including
technological, political, and marketplace changes, that have
changed the information environment.

This report identifies developments that may be outpacing
established privacy and fair information practices
protections for criminal justice information, and which may
necessitate a new look at appropriate law and policy for
managing this information. The report is intended to serve
as a resource for State and Federal policymakers, the courts,
criminal justice agencies, private-sector, self-regulatory
organizations, privacy advocates, and individuals interested
in privacy and criminal justice issues. 

For purposes of this report, "criminal justice information" is
defined broadly to include all information obtained,
maintained, or generated about an individual by the courts
or a criminal justice agency as a result of suspicion that the
individual may be engaging in criminal activity or in
relation to his or her arrest and the subsequent disposition
of this arrest. "Criminal justice information" includes:
criminal history record information (CHRI); criminal
intelligence information; criminal investigative
information; disposition information; identification record
information; nonconviction information; and wanted person
information. -8 [Technical Report No. 13: Standards for the
Security and Privacy of Criminal History Record
Information, 3rd ed. (Sacramento: SEARCH Group, Inc.,
1988) pp. 8-9. Hereafter, Technical Report No. 13, 3rd ed.
A glossary of justice information terms is included as
Appendix 2.]

Criminal intelligence and criminal investigative
information are within the definition of criminal justice
information as it is addressed in this report. The Task Force
concluded after considerable deliberation, however, that
changes in criminal intelligence and investigative
information systems raise complex and discrete privacy
issues. Those issues merit examination by a separate Task
Force or other group devoted solely to that issue,
particularly a group with more representation from the
investigative and intelligence communities than is reflected
in the membership of the Task Force on Privacy,
Technology and Criminal Justice Information.


III. Information privacy standards: Background

Customarily, the term "information privacy" is used to refer
to standards for the collection, maintenance, use, and
disclosure of personally identifiable information. A central
component of "information privacy" is the ability of an
individual to control the use of information about him or
herself. -9 [See, for example, Alan F. Westin, Privacy and
Freedom (New York: Atheneum, 1967) p. 7. Hereafter,
Privacy and Freedom.]

Information privacy is frequently distinguished from other
clusters of personal interests that are nourished by the
privacy doctrine, including surveillance privacy - the
interest in being free from governmental and other
organized surveillance of individual activities under
circumstances where the individual has a reasonable
expectation of privacy; and behavioral privacy - the right to
engage in certain intimate and sensitive behaviors (such as
behaviors relating to reproductive rights) free from
governmental or other control. -10 [In Whalen v. Roe, 429
U.S. 589, 599, 600 (1977), the Supreme Court discussed
the various clusters of interests protected by the broad term
"privacy."]

Protection of information privacy is widely seen as serving
at least five interests that are critical to a democracy:

1. An interest in ensuring society (both public and private
sectors) makes decisions about individuals in a way that
comports with notions of due process and fairness.
Accuracy of CHRI and use of that information which
includes providing notice to the individual and giving the
individual an opportunity to respond, is consistent with
notions about fairness. The absence of these protections
may produce erroneous or unjustified decisions about
employment, credit, health care, housing, or other valued
benefits or statuses.

2. An interest in protecting individual dignity. When
individuals endure stigma, embarrassment, and humiliation
arising from the uncontrolled use and disclosure of
information about them, they lose the sense of dignity and
integrity essential for effective participation in a free and
democratic society.

3. An interest in protecting individual autonomy. When
individuals lack control over personal information about
themselves, they lose a sense of control over their lives.
The ability of individuals to control personal information
about themselves promotes personal autonomy and liberty. 

4. An interest in promoting a sense of trust in, and a check
upon the behavior of, institutions. When individuals lose
the ability to selectively disclose their sensitive personal
information, they lose trust in the public and private
institutions that collect, hold, use, and disclose this personal
information. (Public opinion surveys indicate that the
public's "distrust index" (the extent to which the public
distrusts the government) is at all-time high levels of
approximately 80 percent.) -11 [See note 75 infra.]

5. An interest in promoting the viability of relationships
critical to the effective functioning of a democratic society.
Numerous relationships, such as the doctor-patient
relationship, the lawyer-client relationship, or even the
news media and confidential source relationship, depend
upon promises of confidentiality in order to promote the
candid sharing of personal information and trust within the
relationship.

The concept of information privacy as a distinct branch of
privacy is relatively new. The concept found full voice in
the late 1960s, amid rising concerns about computers and
growing disenchantment with government, and articulated
in writings such as Alan Westin's book, Privacy and
Freedom, -12 [Privacy and Freedom, supra note 9.] with
later iterations in the 1972 National Academy of Science's
report, Databanks in a Free Society, -13 [Alan F. Westin
and Michael A. Baker, Databanks in a Free Society:
Computers, Record-Keeping and Privacy (New York:
Quadrangle Books, 1972). See also, Robert R. Belair,
"Information Privacy: A Legal and Policy Analysis," in
Science, Technology and Uses of Information (Washington,
D.C.: National Science Foundation, 1986).] and the 1973
Report of the Secretary of Health, Education and Welfare's
Advisory Committee on Automated Personal Data Systems
(HEW Report). -14 [Records, Computers and the Rights of
Citizens, DHEW Publication No. (OS) 73-97 (Washington,
D.C.: Department of Health, Education and Welfare, 1973),
available at
http://aspe.hhs.gov/datacncl/1973privacy/tocprefacemembe
rs.htm.]

These seminal works recognized the importance of
information privacy and the need to balance privacy with
other competing interests, such as public safety. As part of
this dialogue, the HEW Report's "Code of Fair Information
Practices" set forth five basic procedural principles for fair
information practices:

1.   There must be no personal-data recordkeeping
systems whose very existence is secret.

2.   There must be a way for an individual to find out
what information about him is in a record and how it is
used.

3.   There must be a way for an individual to prevent
information about him obtained for one purpose from being
used or made available for other purposes without his
consent.

4.   There must be a way for an individual to correct or
amend a record of identifiable information about him.

5. Any organization creating, maintaining, using, or
disseminating records of identifiable personal data must
assure the reliability of the data for their intended use and
must take reasonable precautions to prevent misuse of the
data. -15 [Ibid., p. 41.]

The HEW Code of Fair Information Practices was widely
influential when it was released, and served as a basis for
the Federal Privacy Act of 1974. The HEW Code of Fair
Information Practices was further examined and applied to
specific recordkeeping relationships in the 1977 Report of
the Privacy Protection Study Commission. -16 [U.S.
Privacy Protection Study Commission, Personal Privacy in
an Information Society (Washington, D.C.: U.S.
Government Printing Office, July 1977).] Balancing
privacy with competing interests has also been widely
accepted as a means of accounting for privacy concerns. -17
[Charles D. Raab, "From Balancing to Steering: New
Directions for Data Protection," in Visions of Privacy:
Policy Choices for the Digital Age, Colin J. Bennett and
Rebecca Grant, eds. (Toronto: University of Toronto Press,
1999) pp. 68-93.] Although some have questioned whether
the Code of Fair Information Practices remains a viable
approach, -18 [Ibid. Other privacy experts continue to
believe that Fair Information Practices and the "balancing
of interests" approach can continue to serve as the basis for
privacy law and policy, either as currently constituted or
with modifications. See, for example, David H. Flaherty,
"Visions of Privacy: Past, Present and Future," in ibid., pp.
19-38.] the Code and balancing privacy with competing
interests continues to provide a framework for fair
information practices in the United States. -19 [See, for
example, Testimony of Donna E. Shalala, Secretary, U.S.
Department of Health and Human Services, before the
Senate Committee on Labor and Human Resources,
September 11, 1997 (recommending that the Congress pass
health information privacy legislation based upon the 1973
Code of Fair Information Practices). Not surprisingly,
however, the Fair Information Practices outlined in the
HEW Report have been expanded upon in the nearly 30
years since they were first promulgated. Today, influenced
in part by developments in Europe, discussion of fair
information practices also frequently focus, for example, on
procedural and substantive safeguards surrounding the
collection of information to ensure that information is used
only for purposes consistent with those for which the
information is collected, and that the information collected
is relevant to the purpose for which it is being collected.]



IV. Privacy protections for criminal justice information

A brief overview of the structure of the criminal justice
information system

Before examining the legal and policy regime surrounding
criminal justice information, this section briefly reviews the
structure of the criminal justice information system as it
relates to CHRI (at both the Federal and State levels),
juvenile justice information, intelligence and investigative
information, and original records of entry.

* Criminal history record information: Federal role. At the
Federal level, the FBI functions as a criminal history record
repository, holding both Federal offender information and
records of arrest and dispositions under State law. 

- Interstate Identification Index (III). During the last 30
years, the FBI, working with the State criminal justice
information community, developed the III. The III consists
of an FBI-maintained index of all individuals with State or
Federal criminal history records, supported by a National
Fingerprint File. Authorized requestors access the III to
determine whether any State (or the FBI for Federal
offenses) maintains a criminal history record about a
particular individual.

- III Compact. In October 1998, the Congress enacted the
Crime Identification Technology Act (CITA), -20 [42
U.S.C. ¤ 14601.] which includes as Title II, the National
Crime Prevention and Privacy Compact Act (III Compact).
Once ratified by the States, the III Compact will permit the
III to be used by authorized, noncriminal justice requestors.
-21 [As of June 2001, 12 States (Montana, Georgia,
Nevada, Florida, Colorado, Iowa, Connecticut, South
Carolina, Arkansas, Alaska, Oklahoma, and Maine) had
ratified the III Compact, which became effective on April
28, 1999, following the ratification of the Compact by the
first two States. The Compact now applies between the
States that have ratified it and the Federal government. See,
"Crime Prevention and Privacy Compact," available at
http://www.search.org/policy/compact/privacy.asp.]

* Criminal history record information: central State
repositories. Every State has established a "central State
repository" of criminal history information and fingerprints,
operated by a State law enforcement agency. Central State
repositories maintain a fingerprint record of every
individual arrested in the 

State for a serious/reportable offense (standards vary among
the States, but, customarily, reportable offenses are
misdemeanors punishable by a year or more in prison, plus
felonies). The repository also maintains an automated
record of those individuals' arrests, along with all available
dispositions. This record is referred to as a criminal history
record or "rap sheet."

- Repository mission. The central State repository's
principal mission is to provide CHRI to State and local law
enforcement agencies. The repositories also provide CHRI
to the other components of the criminal justice system -
courts, prosecutors, and corrections - as well as certain
noncriminal justice users. -22 [Robert R. Belair and Paul L.
Woodard, Use and Management of Criminal History
Record Information: A Comprehensive Report, Criminal
Justice Information Policy series, NCJ 143501
(Washington, D.C.: U.S. Department of Justice, Bureau of
Justice Statistics, November 1993) pp. 14-17. Hereafter,
Use and Management of CHRI.]

- Information maintained by repositories. Traditionally,
central State repositories maintain subject identification
information (fingerprint records), criminal history
information (which historically and traditionally consists of
identifying information, arrests, and available dispositions,
but little or no information about third parties such as
witnesses, victims, or family members), -23 [See, SEARCH
Group, Inc., Increasing the Utility of the Criminal History
Record: Report of the National Task Force, Criminal
Justice Information Policy series, NCJ 156922
(Washington, D.C.: U.S. Department of Justice, Bureau of
Justice Statistics, December 1995) pp. 23-27.] and certain
other information (such as pretrial release information and
felony conviction flags). Repositories virtually never
maintain other types of personal information (employment
history, medical history, military, or citizenship status, and
so on). -24 [Ibid., pp. 22-23.]

- Liaison with FBI. Repositories serve as a contact point
and liaison with the FBI: sending fingerprints and arrest and
disposition information to the FBI; responding to search
inquiries from the FBI; and initiating search inquiries to the
FBI on behalf of authorized, in-State requestors.

- Information maintained by local agencies. Over the past
30 years, local agencies, with rare exception for the very
largest local agencies, have withdrawn from the business of
maintaining formal and comprehensive criminal history
records (other than booking information and other original
records of entry). Instead, local agencies rely on the State
repository and, through the State repository, the FBI to
provide complete and comprehensive criminal history
records. 

* Juvenile justice information. Juvenile justice information
is, broadly speaking, information on juveniles, which, but
for the age of the juvenile, would be considered criminal
justice information. -25 [This age varies by State.]
Traditionally, the repositories do not maintain juvenile
justice information; for the few repositories that do, it is
frequently not integrated with adult records of that
individual. (As a practical matter, juvenile justice
information, until very recently, was not available on any
kind of reliable or organized basis. Rather, each separate
juvenile or family court and each separate law enforcement
agency would maintain juvenile records. These records
frequently were not automated or fingerprint-supported.
Moreover, traditionally, some of these records were not
available by law (based on sealing requirements), even to
criminal justice agencies.)

* Investigative and intelligence information. Customarily,
investigative and intelligence information has rarely been
maintained at a central State repository; when maintained,
it has not been integrated with CHRI. Historically,
investigative and intelligence information was maintained
only at the local police agency or law enforcement agency
level; it was not automated or fingerprint-supported; and it
was shared on a closely held, need-to-know basis within the
law enforcement community. -26 [See, Robert R. Belair,
Intelligence and Investigative Records, Criminal Justice
Information Policy series, NCJ 95787 (Washington, D.C.:
U.S. Department of Justice, Bureau of Justice Statistics,
February 1985) pp. 43-49.]

* Original records of entry. Pieces of an individual's
criminal history record, but only infrequently an
individual's entire criminal history record, are held in "open
record" files maintained by police agencies and courts.
These original records of entry describe formal detentions
and arrests and include incident reports, arrest reports, case
reports, and other information that documents that an
individual has been detained, taken into custody, or
otherwise formally charged. In addition, records of court
proceedings maintained by the courts include indictments,
arraignments, preliminary hearings, pretrial release
hearings, and other court events that, by law and tradition,
are open to public inspection. Until very recently, both
types of open record systems were manual or, at best, only
partially automated; they were not comprehensive or
reliable, and related only to events occurring at the
particular law enforcement agency or court. As a
consequence, these systems were difficult and expensive to
use and largely unsuitable for the compilation of a reliable
or comprehensive criminal history record file. Compilation
of these records into a criminal history file on an individual
was also difficult because these record systems were
incident-focused, rather than individual-focused, and were
not comprehensive, cumulative, or otherwise linked on the
basis of the individuals involved in each incident.

By the 1990s, these relatively traditional elements of the
criminal justice information environment were changing.
Criminal justice information, particularly including
court-based CHRI, was largely automated and was
becoming more publicly available. The role of the central
repositories as the gatekeeper for CHRI was being
challenged not only by the 
courts, but also by automated, for-profit information
brokers and suppliers and by local criminal justice agencies.
Fundamental changes in expectations about the availability
and utility of criminal justice information fueled
accelerating pressures for more and easier access to
criminal justice information.


Constitutional and common law standards with respect to
the privacy of criminal history record information

- Constitutional standards

The Constitution remains largely neutral with respect to the
privacy of CHRI. In particular, the Supreme Court has held
that the Constitution does not recognize a privacy interest
in the dissemination by criminal justice agencies of
information about official acts, such as arrests. -27 [Paul v.
Davis, 424 U.S. 693, 713 (1976).] In 1989, in Department
of Justice v. Reporters Committee for Freedom of the Press,
-28 [489 U.S. 749 (1989).] the Supreme Court did
recognize, however, that there is a statutory privacy
interest, under the Federal Freedom of Information Act
(FOIA), in automated, comprehensive criminal history
records. -29 [The Court has used statutory law, rather than
constitutional law, to protect privacy in other contexts as
well. In Jaffee v. Redmond, 518 U.S. 1 (1996), for
example, the Court, recognizing the sensitivity of mental
health information, held that Rule 501 of the Federal Rules
of Evidence recognizes a psychotherapist-patient privilege,
which extends to confidential communications between a
licensed social worker and a patient in the course of
psychotherapy.] The Court held "as a categorical matter that
a third party's request for law enforcement records or
information about a private citizen can reasonably be
expected to invade that citizen's privacy, and that when the
request seeks no 'official information' about a Government
agency, but merely records that the Government happens to
be storing, the invasion of privacy is 'unwarranted'" and
therefore exempt from disclosure under FOIA's privacy
provision. -30 [489 U.S. 749, 780 (1989).]

In 1995, the Court again addressed the privacy risk posed
by computerized criminal history information. In Arizona v.
Evans, -31 [514 U.S. 1 (1995).] the Court found that the
"exclusionary rule" does not require suppression of
evidence seized incident to an arrest resulting from an
inaccurate computer record when the error was caused by
court, rather than police, personnel. In a concurring
opinion, Justice O'Connor noted that "the advent of
powerful, computer-based recordkeeping systems ...
facilitate[s] arrests in ways that have never before been
possible. The police ... are entitled to enjoy the substantial
advantages this technology confers. They may not,
however, rely on it blindly. With the benefits of more
efficient law enforcement mechanisms comes the burden of
corresponding constitutional responsibilities." -32 [Ibid., at
17-18 (O'Connor, J., concurring).] Justice Ginsburg, in
dissent, also expressed concern over the impact of modern
technology on privacy: "Widespread reliance on computers
to store and convey information generates, along with
manifold benefits, new possibilities of error, due to both
computer malfunctions and operator mistakes ..._.
[C]omputerization greatly amplifies an error's effect, and
correspondingly intensifies the need for prompt correction;
for inaccurate data can infect not only one agency, but the
many agencies that share access to the database." -33 [Ibid.,
at 26 (Ginsburg, J. dissenting).]

During the 1999-2000 term, the Supreme Court handed
down two decisions regarding statutory controls on access
to public record information, which, while not decided on
privacy grounds, are likely to encourage stronger privacy
initiatives.

The first opinion, Los Angeles Police Department v. United
Reporting Publishing Corp., -34 [528 U.S. 32 (1999).]
arose from a 1996 change in California law governing the
release of arrest information. -35 [CAL. GOV. CODE ¤
6254(f).] The change limited the release of arrestee and
victim address information to those who certify that the
request is made for scholarly, journalistic, political, or
governmental purposes, or for investigative purposes by a
licensed private investigator. The law specifically prohibits
the use of such information "directly or indirectly to sell a
product or service to any individual or group of
individuals."

United Reporting Publishing Corp., a private publishing
service that had been providing arrestee address
information to clients under the old statute, filed suit,
alleging that the statute was an unconstitutional violation of
its first amendment commercial speech rights. The Ninth
Circuit, while finding that arrestees have a substantial
privacy interest in the information at issue, nevertheless
concluded (as did the district court) the California law was
an unconstitutional infringement on United Reporting's first
amendment commercial speech rights because the "myriad
of exceptions ... precludes the statute from directly and
materially advancing the government's purported privacy
interest." -36 [United Reporting Publishing Corp. v. Los
Angeles Police Department, 146 F.3d 1133, 1140 (9th Cir.
1998).]

On December 7, 1999, the Supreme Court voted 7 to 2 to
reverse, reinstating the California statute. In its opinion, the
majority characterized United Reporting as a case dealing
with access to government records rather than restrictions
on free speech. -37 [The Court's decision did not address
the commercial speech interests at issue in the regulation of
the use of personal information in private records, an issue
that has also drawn the attention of the appellate courts.
The Tenth Circuit Court of Appeals, for example, acted on
first amendment commercial speech grounds, to vacate a
rule issued by the Federal Communications Commission
that required consumers to opt-in to most disclosures of
their consumer proprietary network information (CPNI).
U.S. West, Inc. v. Federal Communications Commission,
182 F.3d 1224 (10th Cir. 1999), cert. denied, 530 U.S. 1213
(2000). CPNI is information that relates to the quantity,
technical configuration, type, destination, and amount of
use of a telecommunications service subscribed to by any
customer of a telecommunications carrier that is made
available to the carrier by the customer solely by virtue of
the carrier-customer relationship, including most
information contained in telephone bills. See, 47 U.S.C. ¤
222(f)(1)(A)-(B).] The Supreme Court also characterized
the case as a challenge to the "facial validity" of the
California statute and not a challenge based upon the
implementation or actual experience with the statute. -38
[In a related development, on December 13, 1999, the
Supreme Court issued an order in McClure v. Amelkin, 528
U.S. 1059 (1999), setting aside a decision by the Sixth
Circuit Court of Appeals that struck down a Kentucky law
limiting access to motor vehicle accident reports. The Sixth
Circuit struck down the law - which allows access to
accident victims, victims' lawyers, victims' insurers, and the
news media (but not for commercial purposes) - after
finding that the law violates commercial free speech rights.
The Supreme Court sent the case back to the Sixth Circuit
and ordered the lower court to restudy the case, taking into
consideration the Supreme Court's decision in United
Reporting.] For these reasons the Court opined that
California could distinguish among users and uses in
crafting rules for access to State-held records. The Court
left open the possibility, however, that the statute, as
applied, might impinge on United Reporting's commercial
speech rights.

In the second opinion, Reno v. Condon, -39 [528 U.S. 32,
120 S.Ct. 483 (2000). The Fourth Circuit case was the first
of four decisions issued by the Courts of Appeals on the
constitutionality of the DPPA; two decisions upheld the
constitutionality of the DPPA, two held it to be
unconstitutional. See, Condon v. Reno, 155 F.3d 453 (4th
Cir. 1998) (holding DPPA is unconstitutional); Pryor v.
Reno, 171 F.3d 1281 (11th Cir. 1999) (holding DPPA is
unconstitutional); Travis v. Reno, 160 F.3d. 1000 (7th Cir.
1998) (upholding DPPA); Oklahoma v. United States, 161
F.3d 1266 (10th Cir. 1998) (upholding DPPA). The DPPA
has also been challenged on first amendment grounds;
however, discussions of first amendment challenges are
omitted here. See, for example, Travis v. Reno and
Oklahoma v. United States.] the Supreme Court
unanimously reversed the Fourth Circuit Court of Appeals,
rejecting a tenth amendment -40 ["The powers not
delegated to the United States by the Constitution, nor
prohibited by it to the States, are reserved to the States
respectively, or to the people." U.S. Const., Amend. X.]
challenge by the State of South Carolina to the
constitutionality of the Driver's Privacy Protection Act of
1994 (DPPA). -41 [18 U.S.C. ¤ 2721 et seq.] The DPPA
provides that State departments of motor vehicles (DMVs)
"shall not knowingly disclose or otherwise make available
to any person or entity personal information about any
individual obtained by the department in connection with a
motor vehicle record." -42 [18 U.S.C. ¤ 2721(a).] The
DPPA does contain 14 exceptions pursuant to which States
may elect to disclose DMV records in certain instances. -43
[18 U.S.C. ¤ 2721(b).] Violation of the DPPA may result in
criminal fines and a civil cause of action against a person
who knowingly violates the statute. -44 [18 U.S.C. ¤¤
2723(a), 2724(a).] Although the Court's brief opinion was
based on tenth amendment rather than privacy grounds, the
decision potentially opens the door for further Federal
regulation of access to State records on privacy grounds.
-45 [The Court concluded that "the DPPA does not require
States in their sovereign capacity to regulate their own
citizens. The DPPA regulates the States as the owners of
databases. It does not require the South Carolina
Legislature to enact any laws or regulations, and it does not
require State officials to assist in the enforcement of
Federal statutes regulating private individuals. We
accordingly conclude that the DPPA is consistent with the
constitutional principles enunciated in [New York v. United
States, 505 U.S. 144 (1992); and Printz v. United States,
521 U.S. 898 (1997)]." Reno v. Condon, 528 U.S. 32, 120
S.Ct. 666, 672 (2000). In addition, the Court disagreed with
the Fourth Circuit's holding that the DPPA exclusively
regulated the States, finding instead that the "DPPA
regulates the universe of entities that participate as
suppliers to the market for motor vehicle information - the
States as initial suppliers of the information in interstate
commerce and private resellers or redisclosers of that
information in commerce." Ibid. As a result, the Court did
not address the "question whether general applicability is a
constitutional requirement for federal regulation of the
States."]

- Common law standards

Common law privacy doctrines, such as the widely
recognized privacy tort of public disclosure of private facts,
have proven largely ineffectual when applied to CHRI.
Sovereign immunity, civil and official immunity, and the
need to show tangible harm arising from the alleged
disclosure or misuse of criminal history records have
proven to be virtually insurmountable obstacles to common
law privacy actions. -46 [See, Technical Memorandum No.
12: Criminal Justice Information, Perspective on Liabilities
(Sacramento: SEARCH Group, Inc., August 1977) (and as
updated in 1981) pp. 5-20.] The limited nature of common
law and constitutional privacy protections has meant that
safeguarding information privacy interests has been left
largely to the legislative arena.

Federal criminal history record legislation and regulations

Beginning in the late 1960s and extending throughout the
1970s, information privacy standards for criminal justice
information and, in particular, criminal history records,
received considerable attention in statutory provisions and
U.S. Department of Justice (DOJ) regulations. Although the
privacy protections that emerged from that debate were not
driven by constitutional requirements, constitutional values
- such as the presumption that an individual is innocent
until proven guilty - have played a role in the development
of the law and regulations governing the management of
CHRI. -47 [As the Privacy Protection Study Commission
noted in its 1977 report: "Constitutional standards specify
that convictions, not arrests establish guilt. Thus denial of
employment [for example] because of an unproved charge,
a charge that has been dismissed, or one for which there has
been an adjudication of innocence, is fundamentally
unfair." Supra note 16, Appendix 3, Employment Records,
p. 50. The value of arrest records as a decisionmaking tool,
particularly in the employment context, has also been
challenged on the grounds that racial minorities are arrested
in disproportionately high numbers. As a result, the Equal
Employment Opportunity Commission and several courts
have found that inquiries about arrest records can be a
violation of Title VII of the Civil Rights Act of 1964. See,
for example, 29 C.F.R. ¤ 1607.4(c)(1); and Gregory v.
Litton Sys., 316 F. Supp. 401 (C.D. Cal. 1970), aff'd as
modified, 472 F.2d. 631 (9th Cir. 1972) (fact that an
individual suffered a number of arrests without any
convictions was not conclusive as to wrongdoing and was
irrelevant to work qualifications and, because the mere
inquiry into arrest records tends to have a chilling effect on
minority job applicants, inquiries about arrests may violate
Title VII). The U.S. DOJ requires that federally funded
criminal justice information systems distinguish between
nonconviction information (including certain arrest
information) and conviction information. 20 C.F.R. ¤
20.21(b).]

In 1967, the Report of the President's Commission on Law
Enforcement and the Administration of Justice spoke of the
need for an "integrated national information system" and
recommended that there be established a "national law
enforcement directory that records an individual's arrests
for serious crimes, the disposition of each case and all
subsequent formal contacts with criminal justice agencies
related to those arrests." The report also emphasized that it
is "essential" to identify and protect security and privacy
rights to ensure a fair, credible, and politically acceptable
national criminal justice information system. -48 [Project
SEARCH, Technical Report No. 2: Security and Privacy
Considerations in Criminal History Information Systems
(Sacramento: California Crime Technological Research
Foundation, 1970) pp. 3-5 (quoting from the President's
Commission Report).]

For most of the last 30 years, the U.S. DOJ, working
through the FBI, the Law Enforcement Assistance
Administration (LEAA) and its successor agencies,
including, in particular, OJP, BJS, and the Bureau of
Justice Assistance (BJA), and the State and local criminal
justice information community, including SEARCH and the
FBI Criminal Justice Information Services Division's
Advisory Policy Board (CJIS APB), have worked toward
the implementation of an automated national system for the
exchange of criminal history records, along with a set of
comprehensive privacy standards. Several prominent
features dominated that environment.

Privacy standards for CHRI have been left largely to
statutory and regulatory initiative. During the 1970s, when
public concern about privacy, automation, and
governmental and private information systems was running
high, the Congress considered several legislative proposals
that would have imposed uniform, national information and
privacy standards for CHRI. All of those proposals failed.
-49 [See, Use and Management of CHRI, supra note 22, p.
36. The FBI's basic statutory authority to maintain and
disseminate criminal history records is at 28 U.S.C. ¤ 534.
This provision authorizes the Attorney General to "acquire,
collect, classify and preserve criminal identification, crime
and other records" and to "exchange such records and
information with and for the official use of, authorized
officials of the federal government, the States, cities and
penal and other institutions."]

While the comprehensive proposals for uniform,
nationwide standards failed, Congress was not idle. In
1972, for example, Congress authorized the FBI to
"exchange identification records" with State and local
officials for "purposes of employment and licensing,"
provided that the exchange of information is authorized by
State statute and approved by the Attorney General, and
provided that the exchange of information is made only for
official use and is subject to the same restrictions with
respect to dissemination as would apply to the FBI. -50
[Pub. L. No. 92-544, Title II, ¤ 201, 86 Stat. 1115.]

In 1973, Congress enacted the so-called "Kennedy
Amendment" to the Omnibus Crime Control and Safe
Streets Act of 1968, which provides that all CHRI
collected, maintained, or disseminated by State and local
criminal justice agencies with financial support under the
Omnibus Crime Control and Safe Streets Act must be made
available for review and challenge by record subjects and
must be used only for law enforcement and other lawful
purposes. -51 [42 U.S.C. ¤ 3789G(b), as amended by ¤
524(b) of the Crime Control Act of 1973, Pub. L. No. 93-83
(1973).]

LEAA implemented the Kennedy Amendment by adopting
comprehensive regulations - known as the "DOJ
regulations" - intended to "assure that CHRI wherever it
appears is collected, stored, and disseminated in a manner
to insure the completeness, integrity, accuracy and security
of such information and to protect individual privacy." -52
[28 C.F.R ¤ 20.01.] The regulations set relatively detailed
and ambitious standards for data quality, while giving
States discretion to set their own standards for
dissemination, recognizing that incomplete or inaccurate
criminal history data, particularly arrest information
without disposition information, could have negative
implications for the record subject and his or her
participation in society.

In addition to regulation of the handling of criminal history
information by criminal justice agencies, Federal law also
regulates private-sector uses of criminal history information
in certain circumstances. The Fair Credit Reporting Act
(FCRA), for example, regulates the compilation, disclosure,
and use of consumer reports, which may include criminal
history information. -53 [The Fair Credit Reporting Act is
discussed in greater detail in infra, chapter V, p. 58.]

SEARCH Technical Report No. 13

SEARCH has also been active in the formulation of
standards for the security and privacy of CHRI. Beginning
in 1970, the year after SEARCH was established, SEARCH
published a series of reports addressing privacy and security
in computerized criminal history files, and providing
guidance for legislative and regulatory protections for
CHRI. -54 [See, Technical Report No. 2: Security and
Privacy Considerations in Criminal History Information
Systems, supra note 48; Project SEARCH, Technical
Memorandum No. 3: A Model State Act for Criminal
Offender Record Information (Sacramento: California
Crime Technological Research Foundation, May 1971); and
Project SEARCH, Technical Memorandum No. 4: Model
Administrative Regulations for Criminal Offender Record
Information (Sacramento: California Crime Technological
Research Foundation, 1972).]

In 1975, SEARCH published the widely influential
Technical Report No. 13, SEARCH's first comprehensive
statement of 25 recommendations for safeguarding the
security and privacy of criminal justice information. -55
[See, Technical Report No. 13: Standards for the Security
and Privacy of Criminal Justice Information (Sacramento:
SEARCH Group, Inc., 1975).] These recommendations
influenced LEAA's development of the DOJ regulations
discussed above, and the Appendix to the DOJ regulations
refers States to Technical Report No. 13 for guidance in
formulating their State plans. -56 [See, 28 C.F.R. Part 20,
Appendix ¤ 20.22(a).] Technical Report No. 13 has been
revised twice since 1975 - most recently in 1988 - to reflect
technological and societal changes that have had an impact
on criminal justice information management and privacy.
-57 [Technical Report No. 13, 3rd ed., supra note 8. The
second revision occurred in 1977, at which time the
commentary to the 1975 report was expanded, but the
original recommendations were unchanged. Ibid., p. 1.]

State legislation

The bulk of the criminal justice information maintained in
the United States is maintained at the State level; therefore,
most of the legislation on governing this information is
found at the State level (with certain important exceptions,
such as the DOJ regulations discussed above). Throughout
the 1970s and into the 1980s, States adopted statutes based
in large measure on the DOJ regulations and the SEARCH
recommendations. By the early 1990s, approximately
one-half of the States had enacted comprehensive criminal
history record legislation, and every State had enacted
statutes that address at least some aspects of criminal
history records. The majority of State laws followed the
scheme in the DOJ regulations that distinguishes between
information referring to convictions and current arrests
(arrests that are no older than 1 year and that do not yet
have the disposition) and "nonconviction data," which
includes arrests more than 1 year old without a disposition
or arrests with dispositions favorable to the accused.

Under the DOJ regulations and many State laws, conviction
information can be made available largely without
restriction. Nonconviction data, on the other hand, can not
be made available under the DOJ regulations unless
authorized by a State statute, ordinance, executive order, or
court rule. -58 [28 C.F.R. ¤ 20.21(b).] Furthermore, the
DOJ regulations provide that when CHRI is disseminated
to noncriminal justice agencies, its use "shall be limited to
the purpose for which it was given." -59 [28 C.F.R. ¤
20.21(c)(1).]

Today, a relatively stable and uniform approach to protect
the privacy of CHRI is in place throughout the United
States. -60 [BJS supports a biennial survey, conducted by
SEARCH, to assess State privacy practices. See, Paul L.
Woodard and Eric C. Johnson, Compendium of State
Privacy and Security Legislation: 1999 Overview, NCJ
182294 (Washington, D.C.: U.S. Department of Justice,
Bureau of Justice Statistics, July 2000). Hereafter,
Compendium.] Five fundamental principles, in many ways
reflective of the HEW Code of Fair Information Practices,
characterize the U.S. approach to protecting the privacy of
CHRI:

1. Subject access and correction. As of 1999, 51 of the 53
jurisdictions surveyed (the 50 States plus the District of
Columbia, Puerto Rico, and the U.S. Virgin Islands) give
record subjects a right to inspect their criminal history
records, and 44 jurisdictions permit record subjects to
challenge and/or offer corrections for information in their
criminal history records. -61 [Ibid., p. 16.]

2. Restrictions on the collection and/or integration of
criminal history information. Most States have adopted
formal or informal restrictions that segregate CHRI from
other types of personal information. Thus, CHRI seldom
includes juvenile justice information; customarily never
includes investigative or intelligence information; and
customarily never includes medical information,
employment information, financial information, military or
citizenship status information, or other types of personal
information. Although repositories continue to segregate
CHRI in this manner, end-users of information increasingly
are able to combine CHRI obtained from the State
repositories with noncriminal history record information
obtained from commercial information vendors and other
sources in order to create a more detailed picture of the
individual.

3. Data quality and data maintenance safeguards. As of
1999, 52 of 53 jurisdictions have adopted standards for
ensuring the accuracy and completeness of CHRI. -62
[Ibid.]

* Fingerprint versus "name-only" access. In virtually every
State, all criminal histories maintained by a central State
repository must be supported by a fingerprint record and,
with certain exceptions, requests must be accompanied by a
fingerprint. Fingerprint support ensures that the record
maintained at the repository relates to the correct person,
and that the repository's response similarly relates to the
correct person. The principal exception for law enforcement
requests occurs in instances where the law enforcement
agency does not have the individual in custody and,
therefore, cannot provide a fingerprint, or in situations
requiring a quick turnaround. In those instances, a
"name-only" check (customarily, not just a name but also
other demographic information, such as gender, date of
birth, race, and other physical indicators) is permitted.

* Disposition reporting. Repositories attempt to obtain
disposition information from the courts. In recent years, the
percentage of arrests maintained at the repositories that
include available dispositions has increased substantially;
however, incomplete records remain a problem. -63 [As of
1999, the most recent year for which figures are available,
18 States and the District of Columbia report that 80% or
more of arrests within the past 5 years in the criminal
history database had final dispositions recorded, while 32
States and the District of Columbia report that 60% or more
of the arrests in the past 5 years have final dispositions
attached. Overall, the figures are lower when arrests older
than 5 years are factored in. When arrests greater than 5
years old are included, only 15 States report that 80% or
more arrests in their entire criminal history database have
final dispositions attached, while 32 States report that 60%
or more arrests have dispositions attached. Sheila J. Barton,
Survey of State Criminal History Information Systems,
1999, Criminal Justice Information Policy series, NCJ
184793 (Washington, D.C.: U.S. Department of Justice,
Bureau of Justice Statistics, October 2000) p. 2.]

* Sealing and purging. As of 1999, 42 States have adopted
laws that permit the purging (destruction) of nonconviction
information and 27 jurisdictions have adopted standards for
the purging of conviction information if certain conditions
are met. In addition, 33 States have adopted laws and
regulations to permit the sealing of nonconviction
information and 30 States have adopted laws and standards
to permit the sealing of conviction information. -64
[Compendium, supra note 60, p. 16.]

4. Security. As of 1999, 42 jurisdictions have adopted
formal standards for technical, administrative, physical,
and/or personnel security. -65 [Ibid.] As a practical matter,
however, security standards are in place for all 52
jurisdictions that have established central State repositories.
The extent and nature of those standards, however, vary
substantially.

5. Use and disclosure. As of 1999, all 53 jurisdictions have
adopted laws or regulations setting standards for the use
and/or dissemination of CHRI. -66 [Ibid.] As a practical
matter, every State makes all CHRI available for criminal
justice purposes. Outside of the criminal justice system,
however, conviction information is widely available but
nonconviction information remains largely unavailable or
available only to certain types of users (licensing boards
and certain kinds of employers who employ individuals in
highly sensitive positions, such as school bus drivers or
child care workers). -67 [Traditionally, law and policy has
distinguished sharply between conviction and
nonconviction information. In many jurisdictions,
conviction information is available to broad segments of
noncriminal justice employers and other authorized users, if
not the general public, through central repositories. By
contrast, nonconviction information, even in 1999, is
almost never publicly available from central repositories,
with rare exceptions in some States for special categories of
offenses, such as sex offenses.] (Of course, sealing and
purging provisions also work effectively to provide
dissemination and confidentiality safeguards.)

* Criminal justice access. Law and policy in every State
provides that criminal justice requestors can obtain all
information in the criminal history record unless the
information has been sealed by statute or court order. Most
States, however, have some process for sealing or purging
CHRI when it is no longer considered relevant.

* Noncriminal justice access. The repositories provide
CHRI to noncriminal justice requestors authorized by State
law, such as licensing boards and certain types of
employers. In most States, authorized noncriminal justice
requestors receive less than the full record - most often
limited to conviction-only information.

* Public access. Except in a few "open record" States, such
as Florida and Wisconsin, the general public is restricted in
its ability to obtain CHRI from the central State repository,
with the exception of certain classes of information, such as
sex offender registry information.

Access to criminal history record information in "open,"
"intermediate," and "closed" record States: Three case
studies

Florida: An "open records" State

In 1977, the Florida Department of Law Enforcement
(FDLE) adopted a policy of making all State-generated
criminal history records available upon request by any
member of the public for any purpose, upon payment of the
applicable fees, which are designed to offset the costs of
public record access requests.

The policy, which is designed to implement the State's
public record law, is interpreted in conjunction with
Chapter 943 of the Florida Statutes, which regulates the
collection, maintenance, and dissemination of criminal
justice information. Section 943.053(2) effectively restricts
the applicability of the State public records law to
Florida-generated records by providing that criminal justice
information obtained from the Federal government and
other States shall only be disseminated in accordance with
Federal law and policy, and the law and policy of the
originating States. Similarly, section 943.054(1) restricts
the ability of FDLE to make available any information
derived from a system of the U.S. DOJ to only those
noncriminal justice purposes approved by the Attorney
General or the Attorney General's designee. 

During fiscal year 1998-1999, FDLE responded to
1,484,273 requests for criminal history record checks.
Criminal history checks for sensitive employment,
licensing, and firearms purchases identified 264,148
individuals with criminal histories. Noncriminal justice
recipients of criminal history records fall into two broad
categories. The first category is comprised of agencies and
organizations with approved statutory authorizations to
receive information from the FBI as well as FDLE. As of
September 30, 1999, this category included 221 agencies
with FBI-assigned originating agency identifiers (ORIs)
signifying approval of their access authority by the U.S.
Attorney General. This category is comprised primarily of
State departments and agencies authorized to access
information for employment background checks, but the list
also includes licensing bureaus, universities, State
commissions, and the agency responsible for running the
State lottery. For the fiscal year ending June 30, 1999, these
agencies filed 271,230 records requests for approved
licensing and employment purposes.

The second category is comprised of agencies and
organizations without statutory authorization that are
eligible to receive information only from FDLE files
pursuant to the public records law. There is a $15 fee for
processing requests made either by letter or electronic
submission. Requestors in this second category can request
a search of Florida-generated criminal records for any
purpose, by paying the appropriate fee. These inquiries are
typically "name only," although fingerprints will be
compared if supplied by the requestor. Responses to these
requests include all unsealed, Florida-generated criminal
history records in the FDLE computerized files. As of
September 30, 1999, this category includes approximately
15,913 agencies and organizations that filed 1,001,307
criminal record access checks under the public records law
during fiscal year 1998-1999. These requests were filed by
all levels and types of agencies for a wide variety of
purposes, although FDLE officials report the most common
reason was employment screening. Most of these agencies
are regular users that have been assigned account numbers
to facilitate billing and processing. Other requests are
received on a one-time-only or irregular basis from
agencies or individuals for undetermined purposes. 

In addition to requests for an individual's entire criminal
history record, FDLE administers databases of sexual
offenders and sexual predators (as defined under Florida
law) that the public can search over the Internet. Searches
can be conducted online, instantly, on the basis of county,
city, ZIP code, and/or pattern for last name. FDLE
estimates that these databases, which contain records on
approximately 15,650 offenders, received 347,245 hits
during fiscal year 1998-1999.

Sources:
* Florida Department of Law Enforcement.
* Florida Department of Law Enforcement, Annual
Performance Report, Fiscal Year 1998-1999.
* Florida Department of Law Enforcement Internet site:
http://www.fdle.state.fl.us 
* Paul L. Woodard, A Florida Case Study: Availability of
Criminal History Records, The Effect of an Open Records
Policy (Sacramento: SEARCH Group, Inc., 1990).



Washington: An "intermediate records" State

The Washington State Patrol (WSP) is responsible for the
maintenance of the Washington repository of CHRI.

Certified criminal justice agencies may request and receive
CHRI without restriction for criminal justice purposes.

Noncriminal justice entities and individuals may receive
access to only conviction information. Depending upon the
purpose of the request, WSP may respond under two
different statutes, the Criminal Records Privacy Act
(Chapter 10.97 Revised Code of Washington (RCW)) or
the Child and Adult Abuse Information Act (RCW ¤¤
43.43.830-.845). Responses to information requests made
using Washington Access to Criminal History (WATCH),
an online system, are immediate. Paper requests take 3-10
weeks for processing. Fees, which are waived for nonprofit
organizations in certain circumstances, range from $10 for
a "name-only" search to $25 for a fingerprint-supported
search. WSP estimates that, from 1996 through 1999, it has
responded to 1,128,392 noncriminal justice requests for
CHRI.

Requests made pursuant to the Criminal Records Privacy
Act, which provide the requestor with conviction
information, can be made by anyone for any purpose,
without the consent of the record subject. If there is a 

record, the requestor will receive a report detailing all State
of Washington convictions and pending arrests under 1 year
old without disposition. The record will also reflect whether
the individual is a registered sex offender or kidnapper.
Secondary disclosure of CHRI obtained pursuant to the
statute, however, is restricted. WSP estimates that, from
1996 through 1999, it has responded to 392,218 requests
for CHRI by noncriminal justice agencies under this Act.

Eligibility for access to CHRI under the Child and Adult
Abuse Information Act is "limited to businesses or
organizations licensed in the State of Washington; any
agency of the State; or other governmental entities that
educate, train, treat, supervise, house, or provide recreation
to developmentally disabled persons, vulnerable adults, or
children under 16 years of age." If a record exists, it will
include "State of Washington convictions and pending
arrest offenses under one year old of crimes against
children or other persons, crimes of financial exploitation,
civil adjudications, and sex offender and kidnapper
registration information." The State requires that the
requestor provide a copy of the report to the record subject.
Use of records obtained by employers pursuant to this Act
is limited by RCW 43.43.835(5) to "making the initial
employment or engagement decision." Further
dissemination or use of the record is prohibited. Violators
are subject to civil damages. WSP estimates that, from
1996 through 1999, it responded to 692,734 requests from
businesses/organizations/employers. This includes
volunteer and employee record checks. WSP does not
maintain statistics specifically regarding the number of
employers who requested information.

WSP does not make sex offender information publicly
available over the Internet, although some local
departments do so. WSP does make some sex offender
information available for certain employment background
checks. WSP disseminates limited information on sex
offenders to the general public in response to written
requests. Based upon the risk level of the offender, local
law enforcement may notify neighbors and community
members or, in the case of high-risk offenders, issue press
releases. WSP estimates that it responded to 36 written
requests for information on specific sex offenders during
1999. These were specific requests for a list of
sex/kidnapping offenders through the WSP Public
Disclosure Office. Information provided includes name,
date of birth, registering agency, and the date of
registration.

Sources:
* Washington State Patrol.
* Washington State Patrol Internet site:
http://www.wa.gov/wsp/crime
/crimhist.htm 
* Devon B. Adams, Update 1999: Summary of State Sex
Offender Registry Dissemination Procedures, Fact Sheet
series, NCJ 177620 (Washington, D.C.: U.S. Department of
Justice, Bureau of Justice Statistics, August 1999) p. 7.



Massachusetts: A "closed records" State

The Massachusetts Criminal History Systems Board
(CHSB) was created in 1972 by the Criminal Offender
Record Information Act (CORI) and is governed by a
17-member board comprised of representatives of the
criminal justice community.

Criminal justice requests for criminal history records are
handled electronically, while public access requests, which
are restricted, are processed using the U.S. mail and email.

Public access requests must include the name and date of
birth of the person who is the subject of the inquiry. There
is a $25 fee for processing requests, which must be typed
and accompanied by a self-addressed, stamped envelope.
Not all criminal history records are available to the public.
The determination of public access depends upon a number
of factors, including the charge, the sentence, current status,
and length of time that has passed since sentence
completion. Specifically, in order for the information to be
publicly accessible, the record subject must have been:

* Convicted of a crime punishable by a sentence of 5 years
or more; or

* Convicted of any crime and sentenced to a term of
incarceration.

In addition, at the time of the request for access to the
individual's criminal history record, the record subject
must:

* Be incarcerated; or

* Be on probation; or

* Be on parole; or

* Have been convicted of a misdemeanor, having been
released from all custody (that is, incarceration, probation,
or parole) or supervision for not more than 1 year; or

* Have been convicted of a felony, having been released
from all custody (that is, incarceration, probation, or parole)
or supervision within the last 2 years; or

* Have been sentenced to the custody of the Department of
Correction, having finally been discharged therefrom, either
having been denied release on parole or having been
returned to penal custody for violating parole, for not more
than 3 years.

CHSB estimates that it received 12,373 public access
requests during 1999.

CHSB certifies applicants for access to non-publicly
available criminal history information if the requestor: (1)
qualifies as a criminal justice agency; (2) qualifies as an
agency or individual authorized to have access by State
law; and/or (3) it has been determined that the public
interest in disseminating such information clearly
outweighs individual privacy interests. There are
approximately 6,700 noncriminal justice agencies in
Massachusetts authorized to access criminal records.
Parents, for example, can seek access to all conviction and
pending case information on prospective daycare providers
with the written, notarized consent of the record subject.
Parents are prohibited from disclosing any results of the
criminal history check to third parties. In addition,
Massachusetts law prohibits a person from requesting or
requiring a record subject to produce a copy of his or her
record, unless authorized to do so by CHSB. In 1999,
CHSB processed 659,808 requests for access to criminal
history information that is not publicly available.

Sex offender information is subject to separate rules.
Massachusetts makes information available about
registered sex offenders classified by the Massachusetts
Sex Offender Registry Board (SORB) as posing a moderate
or high risk (after the offender has an opportunity for
administrative evidentiary proceedings). Registry
information may be obtained in person at local police
departments or by requesting information from the SORB
by mail.

The form of public inquiries is limited. If a member of the
public makes an in-person request, he or she may:

1. Inquire whether a specifically named individual or a
person described by sufficient identifying information to
allow the police to identify the individual is a sex offender;
or 

2. Inquire whether any sex offenders live or work within the
same city or town at a specific address, including, but not
limited to, a residential address, business address, school,
after-school program, daycare center, playground,
recreational area, or other identified address; or 

3. Inquire whether any sex offenders live or work at a
specific street address within the city or town where the
person is requesting sex offender information; or 

4. Where the police department is located in a city or town
with more than one ZIP code area, the inquiry may ask
whether any sex offenders live or work within a specified
ZIP code. In Boston, such inquiry may be made by
specified police district. 

Only option one (inquiries about named individuals) is
available in the case of written requests to the SORB.

If an in-person request results in the identification of a sex
offender, the requestor will be provided with the offender's
name, home address, work address, age, sex, height,
weight, eye and hair color, the sex offenses committed and
the dates of conviction and/or adjudication, and a
photograph of the offender, if available. If a written request
is submitted to the SORB, the requestor will be provided
with a report identifying whether the person is a sex
offender with an obligation to register; the offenses for
which he/she was convicted or adjudicated; and the dates of
such convictions or adjudications.  Responses to both
personal and mail requests are provided free of charge and
all information provided includes language cautioning that
the misuse of sex offender information for purposes of
harassment or discrimination is prohibited.

Sources:
* Massachusetts Criminal History Systems Board.
* Massachusetts Sex Offender Registry Board Internet site:
http://www.state.ma.us/sorb



V.   Change drivers and trend lines: The basis for a new
look at privacy and criminal justice information

By the late 1990s, 10 interrelated and fundamental
developments were outflanking the generation of privacy
and information safeguards that emerged in the 1970s and
the 1980s.

These trends and change drivers have overtaken traditional
rules for access and use, arguably requiring new rules to
re-establish the balance between privacy and disclosure of
criminal justice information. -68 [These trends and change
drivers reflect elements of cause and consequence. It is, of
course, not as important to assign degrees of causality to
these developments as it is to identify and understand these
developments and the nature of the challenge that they pose
to established criminal justice information policy and
privacy standards.] On one side of the equation, there is
growing public concern about privacy in general, and the
confidentiality of personal information in particular. On the
other side, there are a number of cultural-, technological-,
and policy-driven factors that tend to promote greater
access to criminal justice information. The Task Force
concludes that many of these change drivers are
irreversible. What is not irreversible, however, is the degree
to which these change drivers will inform future privacy
standards for criminal justice information. By identifying
the change drivers set forth below, the Task Force hopes to
encourage effective debate as to a new generation of
criminal justice information privacy standards. 

* Public concern about privacy. In the late 1990s, the
American public registers the strongest concerns ever
recorded about threats to their personal privacy from both
government and business. Ninety-four percent of
respondents said in a 1999 survey that they are concerned
about the possible misuse of their personal information. Of
the concerned, 77% said they were "very concerned." -69
[IBM Multi-National Consumer Privacy Survey, October
1999, p. 71, available at
http://www.ibm.com/services/e-business/priwkshop.html.
Hereafter, IBM Consumer Privacy Survey.]

* The "Information Culture." A new and emerging culture
of information access and use facilitated by personal
computers, browsers, search engines, online databases, and
the Internet has helped to create a demand for, and a market
in, information, including criminal justice information,
while at the same time fostering in many a sense of lack of
control over one's personal information and a loss of
privacy.

* Technological change. Revolutionary improvements in
information, identification, and communications
technologies (including increasingly advanced software
applications and Internet-based technologies), and the
increased affordability of these technologies, fuels the
appetite for information and creates new players in the
criminal justice information arena. 

* System integration. Initiatives to integrate criminal justice
information systems operated by law enforcement, courts,
prosecution, and corrections - as well as to integrate these
systems with information systems maintaining other types
of personal information - create powerful new information
resources. At the same time, these integration initiatives
may create uncertainty about the types of privacy laws and
policies that apply to these new systems, and dilute existing
policies designed to keep information separate.

* New approach that closely resembles a "Business Model"
for the criminal justice system. Two fundamental changes
in the way the criminal justice system operates - (1) a new,
more cooperative, community-based relationship between
criminal justice agencies and citizens; and (2) added
criminal justice agency responsibilities to provide
information to surrounding communities, Federal, State,
and local agencies, other police departments, and other
organizations - have had a profound impact upon the
approach that criminal justice agencies take to obtaining
and using information. This new approach - a "data-driven,
problem-solving approach" - also creates privacy risks
through a wider circulation of criminal justice information.

* Noncriminal justice demand. A persistent and
ever-increasing demand by noncriminal justice users to
obtain CHRI has had a pervasive and important impact on
the availability of information. 

* Commercial compilation and sale. Changes in the
information marketplace, which feature the private sector's
acquisition, compilation, and sale of criminal justice
information obtained from police and, more particularly,
court-based open record systems, are making information
similar to that found in criminal history records more
widely available to those outside the criminal justice
system. 

* Government statutes and initiatives. A host of new
government initiatives and laws, aimed at providing
criminal justice information to broader audiences, on a
more cost-effective and timely basis, has also fueled the
availability of criminal justice information.

* Juvenile justice reform. Demands for juvenile justice
records, particularly those involving violent offenses, which
result in treating juvenile information in a way that very
much resembles the handling of adult records, is also
putting pressure on traditional information and privacy
policies.

* Intelligence systems. Criminal justice intelligence
systems are being automated, regionalized, and armed with
CHRI and other personal information to create detailed
personal profiles for law enforcement use.

Information privacy concerns at a historic high level

Today, concern about information privacy in the United
States is at a high-water mark. This concern is evidenced in
public opinion survey results, government attention to the
privacy issue, and media treatment of government and
private-sector initiatives that are viewed as an impingement
on privacy or fair information practices.

- Public opinion survey results

Periodic surveys, including those conducted by Harris
Interactive and Opinion Research Corporation in
association with Dr. Alan F. Westin, -70 [As previously
noted, one of the responsibilities of the National Task Force
was to provide advice with respect to the first-ever national
opinion survey of the public's attitudes about privacy and
criminal justice information. The results of that survey,
which was developed and administered by Opinion
Research Corporation concurrent to the preparation of this
report and conducted once this report was largely finished,
is being published separately by BJS as a companion report
titled "Privacy, Technology and Criminal Justice
Information: Public Attitudes Toward Uses of Criminal
History Information, Summary of Survey Findings" (NCJ
187633).] repeatedly indicate that the public is deeply
concerned about privacy.

The growing traction of privacy as an issue can be
illustrated by the following statistics from public opinion
surveys concerning consumer privacy issues:

* A 1999 Wall Street Journal/NBC News survey asked
respondents this question: "Which one or two issues
concern them the most about the next century?" With 29
percent of respondents, the potential "loss of personal
privacy" topped the list, finishing ahead of concerns about
issues such as terrorism, overpopulation, world war, and
global warming. -71 [Albert R. Hunt, "Americans Look to
21st Century With Optimism and Confidence," Wall Street
Journal (September 16, 1999) p. A9. On the other hand, in
1995, when an Equifax/Harris survey gave respondents a
list limited to nine consumer issues to rate in importance,
privacy finished exactly in the middle (fifth) in terms of
being "very important," at 61%. Rated higher in being very
important were controlling the cost of medical insurance
(84%); staying out of excessive debt (83%); reducing
insurance fraud (74%); and controlling false advertising
(71%). See, infra, note 74.]

* In the late 1990s, the American public registered the
strongest concerns ever recorded about threats to their
personal privacy from both government and business. In a
1999 survey, 94% of respondents said they are concerned
about the possible misuse of their personal information. Of
the concerned, 77% said they were "very concerned." -72
[IBM Consumer Privacy Survey, supra note 69, p. 71.]

* In that same 1999 survey, 72% of Internet users said they
were "very" concerned about threats to their personal
privacy today when using the Internet, and 92% said they
were "very" or "somewhat" concerned. However, 66%
believed that the "benefits of using the Internet to get
information, send email, and to shop far outweigh the
privacy problems that are currently being worked on today."
-73 [Ibid., pp. 72, 77.]

* A mid-1990s survey indicated that although a narrow
majority of survey respondents worried primarily about
government invasions of privacy (52% in 1994 and 51% in
1995), a substantial minority expressed primary concern
about activities of business (40% in 1994 and 43% in
1995). And, almost two-thirds of the public disagreed with
the statement that "the Federal Government since
Watergate has not been seriously invading people's privacy
(64% in 1990 and 62% in 1995)." -74 [Louis Harris and
Associates, Equifax-Harris Mid-Decade Consumer Privacy
Survey (1995) p. 9.]

* Surveys suggest that the driving factors behind privacy
attitudes, both in general and in specific consumer areas,
are the individual's level of distrust in institutions and fears
of technology abuse. -75 [Ibid., p. 12. The Harris/Westin
Distrust Index, first used in 1978 and tested throughout the
1990s, combines measurement of distrust in institutions
(government, voting, and business) with fear that
technology is almost out of control. The surveys have found
that a respondent's score on the Distrust Index correlates
with a majority of that respondent's positions on privacy in
general and the industry-specific questions on each survey.
The higher the Distrust Score, the more a respondent will
express concern about threats to privacy, believe that
consumers have lost all control over uses of their
information by business, reject the relevance and propriety
of information sought in particular situations, call for
legislation to forbid various information practices, etc.
In 1995, for example, the American public divided as
follows on the Distrust Index:
* High (distrustful on 3-4 questions): 29%
* Medium (distrustful on 2 questions): 42%
* Low (distrustful on 1 question): 23%
* Not (no distrustful answers): 6%
In 13 of the survey's 16 questions asking about general
privacy concerns and measuring specific privacy attitudes,
the strongest privacy positions were registered by the High
Distrustful respondents; the next strongest by the Medium
Distrustful; and so on through the Low to Not Distrustful.
In survey terms, this is confirmation of the direct
relationship between the Distrust orientation and positions
on privacy issues. Ibid.]

* A large percentage of the public feels that consumers
have "lost all control over how personal information about
them is circulated and used by companies." -76 [IBM
Consumer Privacy Survey, supra note 69, p. 70.]

* Seventy-two percent said they have read or heard a great
deal or a moderate amount about invasion of privacy in the
past year. One-quarter of the public (25% in 1991 and
1995) said they have personally been victims of what they
felt was an invasion of their privacy, -77 [Louis Harris and
Associates, Inc., 1996 Equifax/Harris Consumer Privacy
Survey (1996) p. 4.] and 29% (in 1999) said they had been
victims of a business invasion of their consumer privacy.
-78 [IBM Consumer Privacy Survey, supra note 69, p. 74.]

* There has also been a major increase in privacy-asserting
behaviors by U.S. consumers. The percentage of people
who said they have refused to give information to a
business or company because they thought it was not
needed or was too personal has risen from 52% in 1990 to
78% in 1999. Also in 1999, 53% of respondents said they
have asked a company not to sell or give their name and
address to another company, and 54% said they had decided
not to use or purchase something from a company because
they were not sure how their personal information would be
used. -79 [Ibid., p. 87.]

- Activity at the Federal and State level to protect privacy

This high level of public concern about privacy issues has
not gone unnoticed by the Federal government and States.
Recent congressional activity suggests that Congress likely
will be increasingly active on a range of privacy issues. -80
[This is not to say that Congress also has not been criticized
as being insensitive to privacy concerns. Congress, for
example, passed legislation requiring a unique national
health identifier for every American (to facilitate health
care), as well as a requirement that all States use an
individual's Social Security number as the person's driver's
license number (to combat illegal immigration). Congress
later reversed itself in both cases, following complaints
about the adverse privacy implications of these measures.]
For example:

* Perhaps the most prominent piece of privacy legislation
to be enacted during the 106th Congress was Title V of the
Gramm-Leach-Bliley Act (G-L-B Act). -81 [Pub. L. No.
106-102.] It requires that financial institutions take steps to
protect the privacy of nonpublic financial information about
consumers, including providing notice and an opportunity
to opt-out of most disclosures of nonpublic personal
information to nonaffiliated third parties. The enactment of
the G-L-B Act, however, has not ended the debate. Many
members of Congress believe that still stronger protections
are needed.

* Senator Richard Shelby (R-AL) included language in the
Department of Transportation Appropriations Act for fiscal
year 2000 -82 [Pub. L. No. 106-69, ¤ 350.] that requires the
States to adopt an opt-in mechanism for use of personal
information in motor vehicle records for marketing
(excluding insurance rate setting), survey, or solicitation
purposes, and for any use of driver's license photographs.

* Other domestic privacy issues receiving congressional
attention include health information privacy issues, online
privacy, the use and disclosure of the Social Security
number, access to public record/government repository
information, and the possible creation of a privacy study
commission.
Privacy is an issue that cuts across political and ideological
boundaries. On February 10, 2000, for example, Senator
Shelby, Senator Richard Bryan (D-NV), Representative Ed
Markey (D-MA), and Representative Joe Barton (R-TX)
held a news conference to announce the formation of the
bipartisan, bicameral Congressional Privacy Caucus (CPC).
The purpose of the CPC is to: (1) educate Members of
Congress and staff about individual privacy issues; (2)
provide a forum for the discussion of individual privacy
issues; and (3) advocate for personal privacy protections.

The State legislatures have also been active on privacy
issues. During 2000, at least 1,622 consumer privacy bills
(focusing on financial services, health, insurance, direct
marketing, telecommunications, and online/Internet
services) were introduced in State legislatures and 422 bills
were enacted. Thirty-nine States enacted legislation, with
health, finance, and insurance-related measures being the
most common enactments. -83 [Privacy & American
Business, "Privacy Legislation in the States - 2000"
(January 2001).] In another example, groups as diverse as
the American Civil Liberties Union (ACLU) and Phyllis
Schlafly's Eagle Forum have supported health information
privacy legislation.

At the same time, the Federal executive branch has
launched numerous privacy protection initiatives. The
Federal Trade Commission (FTC), the Federal
Communications Commission, the U.S. DOJ, the U.S.
Department of Health and Human Services, the Office of
Management and Budget, the Office of the Vice President,
the Federal financial regulatory agencies, the National
Highway Transportation and Safety Administration (on
intelligent vehicle-tracking systems), and the U.S.
Department of Commerce have all published
privacy-related regulations or guidelines; conducted privacy
studies; initiated privacy-related, administrative actions;
and/or promoted information privacy initiatives.

State officials have also been active on the privacy issue.
The National Association of Attorneys General, for
example, has voted to make privacy one of their top
priorities and several Attorneys General have already taken
legal action against companies they believe to be misusing
consumer data. -84 [Gail Appleson, "Drive to Protect U.S.
Consumer Privacy, " Reuters (March 24, 2000, 3:47 PM
ET).] In addition, the Governor of Washington issued an
Executive Order requiring State agencies to implement a set
of privacy protections for public records to the maximum
extent permitted by State law. -85 [Governor Gary Locke,
"Public Records Privacy Protections," Washington State
Executive Order 00-03 (April 25, 2000).]

- Privacy issues are receiving increasing media attention,
often requiring companies and government agencies to
modify their practices

Media coverage and its aftermath is also illustrative of
increasing concern over information privacy issues.
Typically, this cycle begins with media reports highlighting
government or private-sector information practices that
raise privacy issues. Once these practices become
well-publicized, an ensuing firestorm of public pressure
frequently forces the private- or public-sector entity
responsible to modify or terminate the practices that
offended public sensibilities. To date, although a few of the
more prominent privacy firestorms have involved
information that may have been used by law enforcement to
some degree for intelligence or investigative purposes, the
most notable of these "firestorms" have not involved
criminal justice information.

Examples of private-sector privacy firestorms during the
past 2 years include: Internet advertising giant
DoubleClick; Image Data, a small New Hampshire
company test marketing the use of DMV photographs for
anti-fraud and identity theft prevention purposes; America
Online (AOL); and supermarkets and pharmacies, such as
Giant and CVS.

* DoubleClick. During its 4-year life, Internet advertising
giant DoubleClick has collected clickstream information
from its participating Web sites and then used that data to
help those Web sites customize the banner and pop-up
advertisements that visitors see. DoubleClick could not
identify the visitor, only the visitor's computer. The privacy
firestorm began in November 1999 when DoubleClick
spent $1.7 billion to purchase Abacus Direct, the largest
database of consumer catalogue activity. DoubleClick's
plan, which drew intense criticism, was to marry its
clickstream data with Abacus' offline data to identify
specific consumers (not just their computers), and then
create a profile of the consumer's interests and buying
activity.

Not only did DoubleClick receive a torrent of adverse
media coverage, it also received over 100,000 consumer
complaints in response to an online protest organized by the
Center for Democracy and Technology. In addition, the
FTC, as well as the attorneys general of Michigan,
Connecticut, New York, and Vermont, announced an
investigation of DoubleClick's activities; several
class-action lawsuits had been filed; and Internet-industry
players, such as search engine AltaVista Co. and Internet
home delivery service Kozmo.com Inc., took steps to
distance themselves from DoubleClick. If that had not been
enough, the company's stock price fell by more than 25
percent during the firestorm, but rebounded somewhat
following the company's announcement on March 2, 2000,
that it would not go forward with the profile plan. -86
["DoubleClick Cries 'Uncle' ...Sam (Sort of)," Privacy
Times, Evan Hendricks, ed., Vol. 20, No. 5 (March 3,
2000) pp. 5-6. See also, Bloomberg News, "DoubleClick in
Settlement Discussions" CNET News (Mar. 23, 2000),
available at
http://aolcom.cnet.com/news/0-1005-200-1582990.html.]

* Image Data. One of the largest privacy firestorms of 1999
began in January 1999 when the Washington Post reported
that Image Data, a small New Hampshire company, had
developed a product designed to combat check and credit
card fraud and identity theft, using State DMV
photographs. Image Data had entered into contracts with
several States, whereby Image Data was permitted to
digitize DMV photographs of individuals and store the
photographs in a database. Under Image Data's plan,
merchants would be able to access this database, using a
small screen installed near the merchant's cash register, to
verify the identity of the purchaser when the customer
presented the merchant with a check or credit card.

Image Data had entered into agreements with South
Carolina, Colorado, and Florida to obtain driver's license
photographs and other information and was testing its
program in South Carolina when the Post story broke. A
public outcry ensued with State officials receiving a torrent
of angry telephone calls protesting the plan (a class-action
lawsuit was even filed in Florida). Public ire appears to
have been a product of several factors. As one South
Carolina woman described it: "We were livid [upon hearing
about the Image Data program]. In my opinion, a South
Carolina driver's license is a need, not a want. We have no
choice but to give our information in order to have one.
Then they turn around and sell it to a company, as personal
as it is: my weight, my height, my address - my God, my
image. There are endless possibilities as to what could be
done with it." -87 [Robert O'Harrow, Jr., "Drivers Angered
Over Firm's Purchase of Photos," Washington Post
(January 28, 1999) pp. E1, E8. See also, Robert O'Harrow,
Jr., "Posing a Privacy Problem? Driver's License Photos
Used in Anti-Fraud Database," Washington Post (January
22, 1999) pp. A1, A22; Robert O'Harrow Jr. and Liz
Leyden, "Sale of License Photos Sparks Uproar, Colorado
Governor Vows to Prevent Transfer to Private Firm,"
Washington Post (January 30, 1999) p. E1; Robert
O'Harrow, Jr., "Gov. Cancels Sale of Fla. Driver License
Photos to Private Firm," Washington Post (February 2,
1999) p. E3.] As a result of the public outcry that ensued,
all three States terminated their contracts with Image Data.
South Carolina, the only State that had transferred photos
before the story broke, sought to retrieve any photos already
transferred. Image Data is reported to be moving forward
with its program on an "opt-in" basis, giving consumers the
option of having their driver's license photograph added to
the Image Data database.

In the months subsequent to the initial story, reports arose
alleging that the Secret Service and other Federal agencies
intended to use the Image Data database of photographs for
counter-terrorism, immigration control, and other law
enforcement activities. Both the Secret Service and Image
Data have denied this charge, stating that while Federal
authorities expressed interest in the technology (and
Congress "earmarked" funds for the program in 1997), the
database developed by Image Data was never a part of these
discussions. -88 [See, David McGuire, "Feds Deny Alleged
Misuse of Photo Database," Newsbytes (September 7,
1999), available at
http://www.infowar.com/class_1/99/class1_090899a_j.sht
ml.]

* America Online. America Online announced a new
privacy policy incorporating "Eight Principles of Privacy,"
following well-publicized reports of privacy breaches of
AOL subscriber information, including the proposed sale of
subscribers' home telephone numbers and the case of
Timothy McVeigh (no relation to the convicted Oklahoma
City bomber of the same name). McVeigh was discharged
from the Navy for violating its policy on homosexuals as a
result of personal information the Navy obtained from AOL
about McVeigh, without a search warrant or McVeigh's
consent. 

* CVS/Giant Pharmacies. In February 1998, the
Washington Post reported that two pharmacy chains - CVS
and Giant - used, or planned to use, an outside contractor to
send prescription refill notices and drug promotional
materials to pharmacy patrons using prescription
information supplied by the pharmacies. Within days of the
initial media report, both companies took out full-page
advertisements announcing the cancellation of the
programs, amid a flurry of editorial criticism and customer
complaints. CVS has since been sued, with the plaintiff
alleging that CVS breached its fiduciary duty as well as its
duty of confidentiality to its pharmacy customers. A State
court rejected a motion to dismiss by the defendants,
concluding that there is enough in the complaint for a jury
to resolve, and the case is still pending. -89 [Weld v. CVS,
Superior Court of Massachusetts (Suffolk) No. 98-0897.]

Media glare and public outrage over privacy missteps is not
limited to the private sector. Examples of governmental
privacy missteps over the past few years include the "Know
Your Customer" proposal of the Federal Deposit Insurance
Corporation (FDIC); the OASIS proposal of the Health
Care Financing Administration (HCFA); a U.S. Postal
Service proposal regarding private mailboxes; and a Social
Security Administration initiative to provide individuals
with online access to their Social Security earnings records. 

* Know Your Customer. One of the most controversial
Clinton Administration proposals, from a privacy
perspective, was the FDIC's proposed "Know Your
Customer" (KYC) regulations. The proposed KYC rule
would have required all banks to develop a written program
designed to enable the bank to "provide for identification
and transaction monitoring procedures and identify
transactions that would be subject to suspicious activity
reporting requirements." According to the FDIC, the
proposed regulation was intended to protect the integrity of
the banking system and to "assist the government in its
efforts to combat money laundering and other illegal
activities that may be occurring through financial
institutions. It is intended to detect patterns of illegal
activity often characterized by large cash deposits and
withdrawals that are outside the normal and expected
activity." Some opponents characterized the measure as
turning bank tellers into government informers and citizens
into criminal suspects.

Opposition to the proposed KYC rule was widespread,
including an Internet-based campaign against the measure.
The FDIC was deluged with criticism about the proposal,
including a flood of complaints from individuals. The
agency received over 250,000 comments on the proposed
rule; all but a small handful of the comments received were
hostile to the proposal. Hostility toward the proposed KYC
rule came not only from the grass roots level, but also on
Capitol Hill where a half-dozen bills designed to prohibit
the implementation of the rules were introduced. In March
1999, the FDIC and the other agencies that sponsored the
measure announced they were withdrawing the measure in
its entirety. 

* Outcome and Assessment Information Set. The HCFA
was caught in a privacy storm in the spring of 1999 as a
result of its planned "Outcome and Assessment Information
Set" (OASIS) for home health care patients, which HCFA
planned to have all home care facilities complete about
their patients. Following adverse press coverage and
criticism from privacy advocates, Vice President Gore, and
numerous Congressmen, the agency postponed
implementation of the project while it revamped the
program. Changes were designed to ensure that: (1) only
essential information would be collected; (2) the
information gathered would be properly protected; (3)
disclosures of the information would be limited to the
minimum extent necessary to carry out the mission of
HCFA; and (4) Medicare beneficiaries would be fully
informed as to why information was being collected and
how it would be used.

* U.S. Postal Service. In March 1999, the U.S. Postal
Service issued a regulation requiring users of commercial
mail receiving agencies (CMRAs), such as Mailboxes, Etc.,
to use the acronym "CMRA" in the address, thereby
identifying that the address is at a CMRA (as opposed to a
U.S. Postal Service post office box or a regular commercial
or residential address). Mail not complying with this rule
would not be delivered. The regulation was designed to
help prevent the use of CMRAs as a tool for criminal
activity. The regulation also required that CMRAs demand
personal identification from all box renters and complete a
form for submission to the Post Office, which included the
box holder's Social Security number and other personal
information. The Post Office would then make that form
available to anyone who requested it. 

After complaints from citizens, privacy advocates, and
several members of Congress, the Postal Service modified
its regulation. It delayed the requirement that "CMRA" be
included in the address. The post office also relaxed the
registration requirements, announcing it would not make
applications by small businesses publicly available and that
it would advise CMRAs not to require Social Security cards
as a form of identification. Some privacy advocates found
these revisions insufficient and continued to oppose the
regulation.

* Social Security Administration (SSA). An April 1997
USA Today report that the SSA was making Personal
Earnings and Benefit Estimates (PEBES) available to
individuals over the Internet sparked another privacy furor.
When the story broke on April 7, 1997, SSA initially
defended the online disclosure of PEBES, which had begun
approximately a month before, as a way to provide the
information to taxpayers quickly and easily. SSA also noted
there were severe penalties for fraudulently accessing SSA
records and that in order to request a report, the individual
had to supply five separate data elements: name, Social
Security number, date of birth, place of birth, and mother's
maiden name.

This did not stem the criticism. Some privacy advocates,
while supportive of the idea of online access, noted that all
five of the data elements required for access were publicly
available information, jeopardizing the security of the
information and the privacy of taxpayers. Senators with key
oversight responsibilities for SSA voiced reservations over
the plan, and SSA was swamped with tens of thousands of
calls from citizens complaining about threats to their
privacy. On April 9, two days after the USA Today story
first appeared, SSA "temporarily" suspended the online
access initiative. Service has never been reinstated. -90
[See, "SSA Pulls Plug on Web Page Offering Americans'
Earnings," Privacy Times, Evan Hendricks, ed., Vol. 17,
No. 8 (April 17, 1997) pp. 1-2.] Instead, SSA has returned
to its prior practice of allowing individuals to request
PEBES statements using the Internet and mailing responses
several weeks later.

- Other indications of the importance of privacy concerns:
The European Union Data Protection Directive, omnibus
proposals in the United States, and self-regulatory
initiatives

The European Union Data Protection Directive

The European Union (EU) enacted the "Directive on the
Protection of Individuals with Regard to the Processing of
Personal Data and on the Free Movement of Such Data"
(the Directive) -91 [Directive 95/46/EC.] in 1995, and it
became effective on October 25, 1998. The Directive is a
comprehensive, omnibus privacy measure that regulates the
processing of personal data. 

The Directive places restrictions on the export of personal
data to countries outside the EU that are deemed to lack
"adequate" privacy protections. -92 [Under Article 2 of the
Directive, "personal data" are broadly defined to include:
"[A]ny information relating to an identified or identifiable
natural person ('data subject'); an identifiable person is one
who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more
factors specific to his physical, physiological, mental,
economic, cultural or social identity."] European Union
officials do not believe the United States has "adequate"
privacy protections; therefore, U.S. companies wishing to
move personal data across borders from EU countries to the
United States have to negotiate contractual arrangements
that satisfy the terms of the Directive or otherwise meet
specific exceptions or tests (for example, consent of the
data subject; important public interest test; protection of the
vital interests of the data subject; or public information
test). -93 [Directive, Article 26.]

The U.S. Department of Commerce spearheaded the
Clinton Administration's efforts to reach an understanding
with the EU regarding the Directive's impact on transfers of
personal data from the EU to the United States. In July
2000, the Commerce Department and the European
Commission finalized and formalized the "Safe Harbor"
agreement, after years of negotiations and several public
discussion drafts. 

Although the Safe Harbor accord explicitly states that it is
not intended to have applicability beyond international
trade, the Directive and the Safe Harbor process are having
an impact on the domestic privacy debate in the United
States. It is too soon to determine the extent of the impact;
however, at least two factors are at work. First, the
Directive and the Safe Harbor discussions have generated
considerable media coverage, further raising the profile of
privacy issues in the United States. Second, the Directive
has increased the pressure on the United States to
strengthen its privacy laws. Privacy advocates, for example,
have questioned whether the Safe Harbor accord will result
in two sets of privacy protections in the United States, one
for information pertaining to citizens of the EU and a
second, lower, standard for Americans.

Omnibus legislation

The EU Directive and growing public concern over
information privacy is also evidenced in a growing trend at
the State level: the active consideration of omnibus privacy
legislation. 

* In California, for example, State Senator Steve Peace
(D-El Cajon) introduced Senate Bill 129, "The Personal
Information and Privacy Act of 1999," which, as originally
introduced, would have prohibited the collection, use, and
disclosure of any type of personally identifiable information
without the consent of the individual subject. 

- The original bill also would have required organizations
to inform individuals how and what type of information is
collected and the purposes for which it is used; the types of
organizations to which the information is disclosed; and the
choices and means the organization offers to limit the use
and disclosure of the information.

- The final version of the bill, which was signed into law by
Governor Gray Davis in September 2000, was more limited
in scope than the original bill, creating a privacy
ombudsman with various responsibilities, including, among
others, accepting complaints about organizations from
private citizens. The bill also imposes certain requirements
on State agencies. -94 [Codified at CAL. BUS. & PROF.
CODE ¤¤ 350-352 and CAL. GOV'T CODE ¤ 11019.9.]

* Similar efforts, while ultimately largely unsuccessful,
were undertaken during the 1999-2000 legislative session
in both Massachusetts and New York. The Massachusetts
legislation, with the support of then-Governor Paul Cellucci
and then-Lieutenant Governor (now Governor) Jane Swift,
would have addressed a wide range of privacy issues
ranging from how retailers and marketers handled personal
information to surveillance of employees in the workplace.
In New York, a package of over a dozen bills designed to
safeguard the personal information of consumers, rather
than a single bill, were introduced with the support of
Assembly Speaker Sheldon Silver (D-Manhattan) and
Attorney General Eliot Spitzer.

Self-regulatory initiatives

Finally, in part as a result of the pressure generated by
media, advocacy group, and legislative and international
scrutiny, and in part because consumers increasingly expect
companies to provide adequate privacy, the private sector
has launched several efforts to develop and implement
voluntary privacy guidelines. The Individual Reference
Services Group (IRSG), a trade association for companies
that sell identification and location information products,
has developed a set of self-regulatory principles for their
member companies. -95 [The IRSG is discussed in further
detail in infra, p. 60.] In another example, th