Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
https://about.jstor.org/terms
American Bar Association is collaborating with JSTOR to digitize, preserve and extend access
to Administrative Law Review
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
MANAGING INFORMATION PRIVACY IN THE
INFORMATION AGE
Table of Contents
Introduction
Conclusion
Introduction
659
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
660 ADMINISTRATIVE LAW REVIEW [53:2
2. See id. Congress has set aside $577 million as a special information technology
investment account for 1RS modernization. See National Tax Publications, Tax Talk, at
http://www.nattax.com/taxtalk.htm (last updated Feb. 5, 2001).
3. See Senate Comm. on the Judiciary, Know the Rules, Use the Tools, Privacy
in the Digital Age: A Resource for Internet Users 9 (undated), available at
httpV/judiciary.senate.gov/privacy.htm (explaining that consumers constantly leave behind
information trails that can be utilized by third parties).
4. "[Technological advances have made the collecting, storing and disseminating of
personally identifiable information on the Internet easier and faster . . . ." Id.
5. Robert Scheer, Nowhere to Hide, Yahoo! Internet Life, Oct. 2000, at 100.
6. See Charles J. Sykes, Your Best Defense Against Big Brother: You, WALL ST. J.,
Jan. 24, 2000, at A27 (citing a Wall Street Journal/NBC poll which found that Americans
ranked the loss of personal privacy as their top concern about the 21st century).
7. See Heather Ureen et al., It s Time Jor Rules in Wonderland, BUS. WK., Mar. 20,
2000, at 84.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
200 1 ] MANAGING INFORMA TION PRIVACY 66 1
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
662 ADMINISTRATIVE LAW REVIEW [53:2
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
200 1 ] MANAGING INFORMA TION PRIVACY 663
21. In 1998, it was estimated that the 1RS processed over 200 million tax ret
ally and collected over $1.5 trillion in tax revenues, using a wide range of inform
nology, most of it developed in the late 1950s and 1960s. See Staff Paper Prepa
President's Commission to Study Capital Budgeting, Internal Revenue Service
tion (June 19, 1998), at http://clinton2.nara. go v/pcscb/rmoirs.html.
22. See Charles O. Rossotti, Collecting Taxes: How Americans Expect Thei
ment to Work, Vital Speeches of the Day, Oct. 15, 2000, at 4, 5-6 (describ
panding use of computer systems at the 1RS).
23. The 1RS was responding to a report released by the Privacy Protect
Commission, which was established by the Privacy Act of 1974. In its report,
sion evaluated the statute and determined whether it could be improved. The
issued its report, which included over 160 recommendations, in 1977. See U
Protection Study Comm'n, Personal Privacy in an Information Society (19
commission specifically referred to 1RS records as requiring special care. "The f
collection is essential to government justifies an extraordinary intrusion on perso
by the 1RS, but it is also the reason why extraordinary precautions must be t
misuse of the information the Service collects from and about taxpayers." Id. at 5
24. Internal Revenue Service, Privacy Project Report (1992). The report was
completed in September 1992.
25. The Privacy Project Report identified elements for a "sound" Privacy Program, in-
cluding: (1) institutionalizing the Privacy Program within the 1RS; (2) communicating
clearly 1RS privacy protection policy; (3) serving as the taxpayer's advocate on privacy
rights; (4) assessing the best approach to implement and institutionalize privacy principles,
rules and procedures within the Service; (5) incorporating privacy into annual business
plans; (6) identifying and assessing privacy issues to heighten awareness of privacy impli-
cations of planned activities; (7) establishing a public relations program to enhance the pub-
lic's understanding of the Privacy Program and to reduce any credibility gap with the public;
(8) enhancing the orientation program for new employees to include privacy's importance to
the 1RS mission; and (9) establishing a privacy training program. Id. at 7-8.
26. GAO, Tax Systems Modernization: Concerns Over Security and Privacy
Elements of the Systems Architecture (1992). GAO reported that one of its basic con-
cerns with IRS's modernization efforts was that "[t]here is no one person or organization
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
664 ADMINISTRATIVE LAW REVIEW [53:2
II. Creation of the 1RS Office of the Privacy Advocate and Its
Role in Providing Privacy Protection
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
2001] MANAGING INFORMATION PRIVACY 665
32. Id at 11.
33. Id
34. Id
35. Id
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
666 ADMINISTRATIVE LAW REVIEW [53:2
39. Privacy Impact Assessment, supra note 30, at 1 1 ; see also 5 U.S.C. § 552a(e)(2);
id. § 552a(e)(5) (stating that each agency shall "maintain all records which are used by the
agency in making any determination about any individual with such accuracy, relevance,
timeliness and completeness as is reasonably necessary to assure fairness to the individual in
the determination"); id. § 552a(p)(l)(A)-(B) ("In order to protect any individual whose rec-
ords are used in a matching program, no recipient agency . . . may suspend, terminate, re-
duce, or make a final denial of any financial assistance or payment . . . until ... the agency
has independently verified the information; or ... the individual receives a notice from the
agency containing a statement of its findings and informing the individual of the opportunity
to contest such findings . . . .").
40. Privacy Impact Assessment, supra note 30, at 12; see also 5 U.S.C. § 552a(a)(7),
(b)(3) (prohibiting agency from disclosing individual records to any person or to another
agency without prior written consent of individual unless such disclosure is compatible with
purpose for which the record was collected).
4 1 . Privacy Impact Assessment, supra note 30, at 1 2.
42. See id.; see also 5 U.S.C. § 552a(b) (stating "[n]o agency shall disclose any record
which is contained in a system of records by any means of communication to any person, or
to another agency, except pursuant to a written request by, or with the prior written consent
of, the individual to whom the record pertains . . ." unless one of the statutory exceptions
applies); 26 U.S.C. § 6103 (1994) (regarding confidentiality and disclosure of tax returns
and return information).
43. Privacy Impact Assessment, supra note 30, at 12. This principle was later codi-
fied into law. The Taxpayer Browsing Protection Act, Pub. L. No. 105-35, 111 Stat. 1104
(1997) (codified as amended at 26 U.S.C. §§ 7213A, 7431 (Supp. Ill 1997)), prohibits in-
tentional, unauthorized viewing of paper or electronic tax return information, even if such
information is not subsequently disclosed to another person. Such unauthorized "browsing"
is a misdemeanor, punishable by loss of job, and a fine and/or imprisonment. 26 U.S.C. §
7213A(b). The law requires notification to the affected taxpayer when an individual is in-
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
200 1 ] MANAGING INFORMA TION PRIVACY 667
dicted for reviewing his/her tax return information. Id. § 743 l(e). It also p
payer to receive civil penalties in the amount of $1,000 or the sum of actu
greater. Id. § 7431(c)(l). Until recently, the Office of the Privacy Advocate
ble for ensuring that all 1RS employees were trained, on an annual basis, abou
tions under this law. The office emphasized proactively preventing viola
awareness briefings. This responsibility is now being handled by the Inform
ogy Systems Division's Office of Security.
44. Privacy Impact Assessment, supra note 30, at 12; see also 5 U.S.C
(1994) ("Each agency . . . shall . . . maintain all records which are used by
making any determination about any individual with such accuracy, relevan
and completeness as is reasonably necessary to assure fairness to the indiv
termination[.]").
45. Privacy Impact Assessment, supra note 30, at 1 2.
46. Id. at 12. The Policy Statement was incorporated into the Internal Re
Manual Handbook 1.2.1.2.1 P-l-1 and the Internal Revenue Service Rules
Conduct statement.
47. Privacy Impact Assessment, supra note 30, at 1 3 .
48. See id.
49. Id.
50. See id. This involves the implementation of practices related to securi
by the language stating that the "[s]ervice will safeguard the integrity and
taxpayers' personal and financial data[,]" and practices related to records m
noted by the language stating that the "[s]ervice will . . . maintain fair inform
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
668 ADMINISTRATIVE LAW REVIEW [53:2
The Office created the PIA process to evaluate privacy risks through a
series of questions that must be answered when a new 1RS information
system is being developed.54 The questions are the basis for an exchange
between the Office and the 1RS system (business) owner and system (tech-
nology) developer, focusing on the information they intend to collect and
include in the new system. The business and technology participants' full
responses and follow-up dialogue with the Office ensure that the privacy
risks have been fully identified and addressed.55
Four categories of questions are presented for answers by the 1RS busi-
ness owner and system developer. They are expected to describe and
document their responses in detail. The first category generally addresses
the information being proposed for inclusion. The questions include: who
does the information pertain to (taxpayer, employee, or other person); who
is the source of the information (1RS, another federal agency, a state or lo-
cal agency, another party, the individual him/herself); and, if it is not from
ord keeping practices to ensure equitable treatment of all taxpayers" and "respect the indi-
vidual's exercise of his/her First Amendment rights." Id.
51. Id.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
200 1 ] MANAGING INFORMA TION PRIVACY 669
56. See Privacy Impact Assessment, supra note 30, at 9 (providing a complete list of
the privacy questions contained in the 1RS PIA).
57. See id. Both the user and the use to which the user puts the information must be
authorized.
58. See id. This is obviously an issue that would not have been present in the paper
world.
59. See id. The 1RS PIA references Internal Revenue Code section 6103, which re-
stricts the use of tax return information. See 26 U.S.C. § 6103.
60. See Privacy Impact Assessment, supra note 30, at 9. Limitation of the informa-
tion to what is necessary to fulfill the business objective of the system, assuming such pur-
pose is appropriate, is the centerpiece of this approach. For example, through application of
the PIA approach, the amount of data contemplated for use in a program proposed by the
IRS's Electronic Tax Administration was reduced from over two hundred information items
to twenty-six information items. See Amy Hamilton, Barr Discusses Proposal for Elec-
tronic Disclosure of Tax Data, 55 Tax Analysts Daily Tax Highlights & Documents,
1089, 1091 (1999); see also Bruce Horovitz, 1RS E-Sharing Raises Privacy Fears, USA
Today, Oct. 1, 1999, at 1 A.
61. See Privacy Impact Assessment, supra note 30, at 9- 1 0.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
670 ADMINISTRATIVE LAW REVIEW [53:2
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
2001] MANAGING INFORMATION PRIVACY 671
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
672 ADMINISTRATIVE LAW REVIEW [53:2
[A]s public awareness and Internet usage increase, the demand for online Govern-
ment interaction and simplified, standardized ways to access Government information
becomes [sic] increasingly important. At the same time, the public must have confi-
dence that their online communications with the Government are secure and their pri-
vacy protected.77
74. Pub. L. No. 105-277, tit. XIII, 1 12 Stat. 2681-728 (1998) (codified as amended at
15 U.S.C. §§ 6501-6506 (Supp. IV 1998)).
75. See Electronic Privacy Information Center, EPIC Bill Track, at http://www.epic.
org/privacy/bilMrack.html (last visited Mar. 10, 2001) (tracking privacy-related legislative
proposals).
76. For example, the Congressional Privacy Caucus is made up of both Senate and
House Republican and Democratic members. See Fearsome Foursome Forms Congres-
sional Privacy Caucus, PrivacyTimes.COM, Feb. 18, 2000, at http://www.privacytimes.com
/NewWebstories/caucus_priv 2 23.htm (announcing formation of the caucus).
77. President's Memorandum on Electronic Government, 35 Weekly Comp. Près.
Doc. 2641 (1998).
78. See CIO Council, Selected Recent Privacy Initiatives by the US Federal Govern-
ment, at http^/cio.gov/docs/privacylist.htm (last visited Mar. 10, 2001) (providing list of
privacy initiatives by the federal government).
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
2001] MANAGING INFORMATION PRIVACY 673
81. Id
82. Two actions were proposed in the 1997 Report of the Vice Preside
Performance Review and the Government Information Technology Services
the Government Information Technology Board should immediately add a me
responsibility for ensuring that privacy issues are considered and addressed
ment-wide information technology initiatives, and (2) that someone conside
permanent entity within the federal government that would focus on resolv
sues. See Report of the National Performance Review and the Government
Information Technology Services Board, Access America: Reengineering Through
Information Technology pt. A 14 (1997), at httpV/www.accessamerica.gov/reports/
security.html.
83. White House Names Peter Swire to Be an Advisor on Privacy Policy, Gov'T
Computer News, Mar. 15, 1999, at http://www.gcn.com/archives/gcn/1999/Marchl5/
14a.htm.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
674 ADMINISTRATIVE LAW REVIEW [53:2
91. The guidance requires posting of privacy notices not only at "the prin
site," but also "at any known, major points of entry to [the agency's] sites as well a
web page where [an agency] collects] substantial personal information from the
Id. In the case of the 1RS, postings were made at approximately fifty web pages.
92. See GAO, Internet Privacy: Agencies' Efforts to Implement OMB's Pri
Policy 3-4 & n.7 (2000). In August 1997, only eleven out of thirty-one agencies
personal information as a result of visits to agencies' Internet web sites posted info
regarding how the information would be used. Id. at 7.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
200 1 ] MANAGING INFORMA TION PRIVACY 675
95. See Letter from John T. Spotila, Administrator, OMB Office of Informatio
Regulatory Affairs, to Roger Baker, CIO, U.S. Department of Commerce (Sept.
available at http://www.cio.gov/docs/OMBCookies2.htm (noting that some governm
line activities, such as the electronic filing of applications for Department of Educatio
dent loans, do not raise privacy concerns because they do not enable the government
users over time and across different websites).
96. To view the 1RS departure notices, go to the 1RS website, http://www.irs.go
click on any external non-federal link. The 1RS has a comparable departure notice f
ing to other federal government web sites.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
676 ADMINISTRATIVE LAW REVIEW [53:2
Conclusion
No one believes that the public's privacy fears will simply disappe
In fact, the concern is that privacy fears will create so much un
pressure that an "incoherent body of law" will result through "scat
legislation.98 The 1RS, other federal agencies, and private industry
afford to wait for legislative solutions.99
They require the trust of the public in order to fulfill their mis
whether it is to meet their statutory responsibilities or increase co
profits.100 One means of gaining that trust is the embedding of rob
vacy protection into corporate thinking and processes. The achievem
this objective requires a mindset that is still being developed -
protection viewed as a strategic value. Privacy needs to be consi
an asset of, not as a barrier to, new product lines. In addition, the ch
increasing use of technology and the opportunities it provides will
federal agencies and private industry to frequently reexamine their
strategy. To use technology to advance privacy protection requires
partnerships between business owners, systems developers, and
advocates,101 all of whom should build privacy into the design of a
tive. We must "keep our privacy protections as up to date as our
97. In 2000, an IDC Privacy Survey found that "more respondents were conce
very concerned about the sharing or sale of their personal information that is co
online purchase than through their tax returns, which ranked second." Molly Up
vacy Costs, IDC Newsletter, at http:/www/wirehub.nl/~rick/koopgedrag%
internet.htm (last visited Mar. 24, 2001).
98. Jay Stanley & John C. McCarthy, Growing Privacy Labyrinth Hinders eB
Forrester Brief, Dec. 1, 2000 (on file with author).
99. At a symposium sponsored by the American Society oí Access Professi
panel of privacy experts addressed the issue "Privacy: Recent Initiatives and Fut
forts." The panelists, Peter Swire, OMB Chief Counselor for Privacy, Ari Schwar
Policy Analyst, Center for Democracy and Technology, and Frank Reeder, Reed
agreed that privacy is viewed as a bipartisan issue and will be the focus of future
sional actions.
100. Opinion Research Corporation International reported in May 2000 that a poll it
conducted revealed that 43% of the 1000 adults surveyed consider government posing the
greatest threat to their privacy, compared with 24% for the media, and 18% for private in-
dustry. See Jedediah Purdy, An Intimate Invasion, USA WEEKEND ONLINE, July 2, 2000, at
http://usaweekend.com/00_issues/000702/000702privacy.html.
101. Until privacy is fully recognized as a strategic value, a "privacy advocate" opera-
tion dedicated solely to recognizing privacy issues and creating protections may be required.
See President's Memorandum on Privacy, supra note 79, at 871 (describing President
Clinton's determination that all agencies should designate officials to focus on privacy con-
cerns). Of course, the level of authority given this position and its strategic alignment in the
host organization will determine how quickly privacy protection is incorporated into all
agency initiatives.
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms
2001] MANAGING INFORMATION PRIVACY 611
This content downloaded from 202.65.183.63 on Wed, 19 Sep 2018 14:51:46 UTC
All use subject to https://about.jstor.org/terms