THE USE OF CREDIT HEADERS -
DRAFT PROPOSAL BY THE FTC PRIVACY DISCUSSION GROUP

Guidelines for acceptable usage of personal information in databases, especially those of the credit bureaus

Based on dialog between privacy advocates and private investigators

Posted at the FTC Privacy Discussion group on 12/16/96 under the subject - Credit Headers-Draft Letter

Drafted by - Ram Avrahami

Summary
 
1) Introduction
2) Guidelines
 
Detailed Discussion
 
3) Definitions (bureaus, recipients, categories, ..)
4) Categories of Permissible Disclosures (info per Category)
5) Qualified Recipients (per Category)
6) Request Procedures
7) Record Keeping (Bureaus, Recipients)
8) Notifications
9) Disputes and Liability

INTRODUCTION

The FTC is hosting an on-line forum to discuss current privacy issues. Recently, this forum hosted a discussion between consumers and private investigators concerning the use of credit header information by private investigators. Many participants felt that there is a way to balance the privacy needs of consumers and the legitimate needs of investigators in this issue. This letter outlines the guidelines reached.

The credit bureaus have compiled large databases about most people living in the United States. Their files include both credit and payment information as well as demographic information about consumers, including current and previous addresses, date of birth, SS#, employment, etc. This information has proven useful for other non-credit purposes to private investigators, insurance companies, employers, marketers, etc., but has been provided as such without consumers' knowledge or permission. In addition, the lack of regulation raises concerns that information thus provided could be used for fraud or other purposes that are not desired by consumers.

To prevent misuse of personal information, it is proposed that credit bureaus will provide personal information for non-credit purposes only for specific pre-approved categories to qualified personnel with liability based on audit trail and notification. These guidelines can be summarized as follows:

GUIDELINES

1. Limit access only for certain pre-approved categories of reasons. Each category entails only pre-determined portions of the record.
 
2. Consumers have a right to accept or deny a use in each category.
 
3. Limit access to specific pre-approved groups of qualified recipients. Qualification to certain categories may require federal licensing.
 
4. Bureaus will be responsible for keeping complete records and an audit trail on all requests and accesses.
 
5. Bureaus will report all accesses to the subject person periodically or by request, and make their records available in disputes.
 
6. Bureaus will be automatically liable for unauthorized or undocumented ACCESS to personal records.
 
7. Recipients will be liable for unauthorized USE of accessed information.

DEFINITIONS

Credit Bureaus - The three credit bureaus: Equifax, Trans Union and Experian (TRW). Credit Bureaus are also referred to here as Information Bureaus or Bureaus.
 
Credit Reports - Credit related personal information that is provided by the credit bureaus. This information is regulated under the Fair Credit Reporting Act.
 
Credit Headers - Non-credit personal information that is provided by the credit bureaus. This information is currently not regulated.
 
Personal Records - Any personal information provided by the credit bureau.
 
Recorded Persons - Any person whose information is stored by a credit bureau.
 
Information Broker - A company that resells personal information provided by a credit bureau.
 
Recipient - A person or organization accessing and retrieving information from the credit bureaus.
 
Subject Person - the person whose personal record/information is being accessed.

CATEGORIES OF PERMISSIBLE DISCLOSURES

* Credit
* Pre-judicial Investigation (including journalists and insurance companies)
* Judicial Support (tracking witnesses)
* Post-judicial Enforcement
* Background Checks
* Marketing (extraction of lists by criteria)
* Request by Subject Person

The various judicial categories are the only ones that do not require explicit permission from the subject person.

QUALIFIED RECIPIENTS

Credit:

Any company from which the person asked for credit and provided written permission for a credit check.

Pre-judicial Investigation:

Private investigators, journalists, insurance companies, government law agencies
 
PI's have to be federally licensed. Investigative journalists have to be federally certified as well. Insurance companies have to have a contract with the person.

Judicial Support:

Sheriffs, Lawyers, PI's hired by a side to the case.

Post-judicial Enforcement:

Police, PI's
 
PI's have to be federally licensed.

Background Checks:

Employers and security companies.
 
The employer has to be a registered company. The security company has to be registered/licensed by the state, and can have access to more fields.

Marketing:

Any company, but only on records of people who approved such access for specific fields. (This category will likely be further developed.)
 
Request by Subject Person:
 
Any designee, with written proof of non-pressured permission.

REQUEST PROCEDURES

1) Individuals and organizations can request credit bureaus to provide them with access to personal records under one of the above categories. Recipients have to submit written permission for their request and written proof of their qualification.
 
2) The credit bureaus will record and verify the request based on category and recipient qualification. After verification, the bureaus will compare the request with the permission provided by the subject person(s) for that category.
 
3) If permission is granted, the credit bureaus provide appropriate access for that request. The bureaus will also track and record the access of the recipient and what information was retrieved for the approved request.
 
4) Credit bureaus can designate Information Brokers as agents to help disseminate the information efficiently. The bureaus will retain liability for actions of these agents as if they acted themselves.

RECORD KEEPING

Bureaus will keep written confirmation of the reason to access personal records. Bureaus will keep complete records on all access to personal information and for what purpose this access was designed. The bureaus will provide periodic notification to the subject persons as below. The bureaus will also be able to provide detailed audit information upon dispute.

Recipients will keep written records on the reason for their access. If recipients provide the information to another party, then they are responsible to check the legitimacy and keep records on the reason for that party to receive the information as well as what information was released to it.

NOTIFICATIONS

Credit bureaus will have contact information for recorded persons. It is the responsibility of the person to notify the bureau of a change in the contact information.

Credit bureaus will send a written Access Report to all recorded persons every year. This report will include a dated list of requests, recipients and provided information by category. Unless justifiable, the name of the ultimate recipient should also be provided.

If the subject person has an email address, the bureau can also be asked to provide the report electronically every quarter.

In special circumstances, which indicate a risk for the subject person, the credit bureaus will notify the subject person immediately. It may be possible to mark specific fields/categories that will require the bureau to notify and ask permission from the subject person before releasing the information.

A person has a right to receive a written access report upon request. This report will cost a fee based on the media (telephone, letter, email). The fee will be returned if an error or an abuse is found.

DISPUTES AND LIABILITY

A person has a right to dispute a release of his/her personal information by sending a certified letter and $25 to a credit bureau. Upon receipt, the bureau has to provide written copies of the request and the qualification of the recipient, as well as the exact information provided.

Information Bureaus will be civilly liable to the individual whose information was released for releases to unauthorized persons, regardless of any harm to the individual beyond the unauthorized release itself. It is the responsibility of the Information Bureau to do proper due diligence to confirm the identification of the recipient and the legitimacy of the request.

Recipients will be civilly liable to the individual whose information was released for unauthorized use of the information, including subsequent re-releases to unauthorized persons, regardless of any harm to the individual beyond the unauthorized release or use itself. It is the responsibility of the original Recipient to do proper due diligence and confirm the identification of the downstream recipient and the legitimacy of that downstream recipient to receive the information.

An Information Bureau or Recipient will be civilly liable to the individual for improper protection of the personal information.

Reasonable legal costs will be awarded by a civil court to an individual who proves wrongdoing by recipients or bureaus.
