WHO SHOULD MANAGE INFORMATION AND PRIVACY CONFLICTS?: INSTITUTIONAL DESIGN FOR THIRD-PARTY MECHANISMS

The U.S. Census Bureau, health data providers, and credit bureaus are information organizations (IOs). They collect, store, and process large sets of sensitive data on individuals, households, and organizations. Storage, processing, and dissemination technologies that IOs employ have grown in capability, sophistication, and cost-effectiveness. These technologies have outpaced the design and implementation of procedures for protecting data in transfer from primary data provider to IO and from IO to data user. On the one hand, it is necessary to protect the confidentiality of such data; on the other hand, it is necessary to protect the accessibility to the data by users, including researchers and analysts. Conflicts ensue in the two corresponding arenas: between the IO and data providers concerned with inadequate privacy and confidentiality protection; and between the IO and data users who find their access to data restricted. In this article third-party mechanisms for managing disputes in the privacy and information area are both theoretically justified and their empirical manifestations examined The institutional mechanisms considered include privacy and information clearinghouses, a "Better Data Bureau," a privacy information advocate, a data ombuds, a privacy mediator, an internal privacy review board, and a data and access protection commission. Under appropriate circumstances, these arrangements promise a more flexible and responsive resolution of the conflict between privacy confidentiality and legitimate information access than is possible through legislative action and administrative rulings alone.