Electronic Records and the Right to Privacy.

• Author: BOOZ, CHARLES R.

AT THE CORE

THIS ARTICLE EXAMINES:

* the U.S. constitutional right to individual privacy

* how technology has made access to private information easier and protecting that information more difficult

* who should take the lead in ensuring the privacy of individual information

Electronic records pose career challenges to records managers. Greater numbers of information technologists are focusing on records management requirements of electronic records. One day soon, records professionals may find that records management theories and methodologies have been subsumed within information technology (IT). Information technologists certainly have the skill and power -- if not the training and perspective -- to make this happen. More traditional records managers have been slow to recognize the implications of such a convergence. Protecting people's right to privacy may create a significant opportunity for the records and information management (RIM) discipline to embrace more fully the information age. It might also make a critical difference in the long-term health of the RIM discipline.

For years, e-mail and other electronic documents have been used for document creation, communication, and storage. Most have viewed this medium as merely a document-processing vehicle with little thought to its records implications. Though electronic document management software was maturing in the middle-and late-1990s, mainstream products -- with rare exception -- ignored records management issues (e.g., retention) until the more recent emergence of RIM software components. Until recently, most records management policies and procedures in the United States reflected the view of the National Archives and Records Administration (NARA): If electronic documents qualify as records, they should be printed and managed in a physical repository. This view was most directly challenged in the now well-known lawsuit Public Citizen v. Carlin, in which it was demonstrated that NARA's General Record Schedule 20 did not produce the desired result: the reliable management of electronic records.

Privacy vs. Access

Personal information takes many forms and is collected and accessed in many ways. Almost always, the use of personal information is connected to actions within some process context (e.g., buying, selling, regulating). Even though the ability to produce explicit data -- information extracted from its original context -- has for decades been possible in an electronic form, most implicit data -- information left in its larger context -- has remained imbedded within physical documents.

The right to privacy is often a complex and contentious issue, one dependent upon many variables that can range from the constitutional guarantees against government intrusion into individual rights to the rights of individuals against those who would, for whatever reason, invade their privacy. Concerns about privacy increasingly involve collected and stored information, and that information is increasingly available electronically.

To the extent that electronic information is considered to be subject to records management policies, privacy protection becomes a concern for all records managers. In fact, records managers have always had some responsibility for privacy -- however indirect -- by controlling access to and disposition of records. Historically, the very dispersal of records into disparate physical repositories under records management control provided another inherent protection of privacy. Yet, the increasingly wide availability of electronic records for use in business processes and e-commerce is the very essence of the efficiencies hoped for in the goal of the so-called "paperless office" so highly prized in the IT community. The surprise to a lot of individuals is that this easy access to personal information by many users also threatens individual privacy in new and profound ways. And so the question looms, can there be easy access without individual privacy being threatened?

Those in the IT and records communities approach this issue from very different perspectives. Even the term record has different meaning to data managers and records managers. A data record is information managed as a unique instance in the context of a database. Since the data itself can be independent of context, it is the database that defines the relevance of otherwise meaningless data by creating context through data relationships. By contrast, for the...