Congress is in the midst of addressing the issue of Personally Identifiable Information (PII) – an issue very important to survey research. The information that can be collected - regardless of whether the data collection is conducted for research purposes or other reasons - is at stake.

In July 2005, the House Energy and Commerce Committee issued to CMOR a draft version of a bill called the “Data Accountability and Trust Act” (DATA). While DATA was intended to prevent data breaches that could lead to identity theft, this version of the bill allowed the Federal Trade Commission (FTC) leeway to modify the definition of “personal information.”

Such broad rulemaking authority could lead to the inclusion of PII collected for research purposes. CMOR expressed these concerns to the Commerce Committee. We followed through on a strategy that has greatly assisted us in protecting the profession in the past: Those who leak PII, such as financial account information and credit card numbers, are the “bad actors,” along with those who work to steal information that could lead to identity theft and/or severely damaged credit. These are the types of business and activities that should be the target of legislation/regulations. The FTC should not, therefore, be put in a position to alter these terms in ways that could materially impact our profession (the “good actors”).

While CMOR certainly acknowledges and respects the right of the FTC to implement rules and regulations as necessary, we seek to limit the scope within which the Commission can do so. Otherwise, a law that is safe for research when it is passed could wind up being dangerous for research when it isimplemented.

In a more recent draft, the Committee significantly narrowed the FTC’s ability to modify the law. Specifically, DATA would be triggered by:

The collection of a person’s first and last name in combination with their:

  1. Social security number, or
  2. Driver’s license number/other State identification number, or
  3. A financial account number credit/debit card number, and any security codes or passwords needed to access an individual’s account.

The FTC would now be permitted to modify the definition of “personal information” as necessary to accommodate changes in technology or practices. (The bolded portion was missing from the July draft.)

CMOR remains cautious about how the FTC may interpret their authority. For example, might digital signatures be subject to restriction or regulation as a “change in technology or practices”? If so, that could have an impact on the research profession.

We are, however, pleased to report that the House Commerce Committee has significantly improved this bill from one draft to the next. Since DATA is still in draft form, and has not been formally considered by the Committee, there is still time for further improvements. Along with our Government Affairs Committee, CMOR will continue to strategize the best way to make this bill even safer for research, both from a legislative and regulatory perspective.