Fourteen leading information industry companies*, as part of the Individual
Reference Services Group (IRSG), pledged in December 1997 to adopt self-regulatory
principles governing the dissemination and use of personal data. The IRSG developed
these principles in conjunction with the Federal Trade Commission during its examination
of privacy concerns and the uses of personal information.
Individual reference services are commercial services that provide data to help
identify, verify, or locate individuals. These services play an important role in
facilitating law enforcement, fraud prevention and detection, and a range of business
transactions and legal proceedings.
The principles impose significant restrictions on the
access and distribution of non-public information, such as non-financial identifying
information in a credit report. For example, social security numbers obtained from
non-public sources may not be displayed to the general public on the Internet by
IRSG companies. IRSG members also have agreed to restrictions
on the dissemination of social security numbers and dates of birth to commercial
and professional subscribers. Furthermore, information from non-public sources about
persons identifiable as minors will not be available to either the public or commercial
and professional markets.
Each IRSG member has pledged to be in compliance with the principles
by December 31, 1998. After the initial compliance period, companies will be subject
to yearly audits by a qualified independent auditor or assurance organization. In
addition, the principal suppliers of non-public information will enforce these provisions
through contracts with vendors. All companies in the industry that obtain information
from these suppliers and fail to comply with the principles risk losing access to
the data.
PRINCIPLES:
I. Education: Individual reference services shall individually and through
their industry groups make reasonable efforts to educate users and the public about
privacy issues associated with their services, the types of services they offer,
these principles, and the benefits of the responsible flow of information.
II. Reputable Sources: Individually identifiable information shall be acquired
from only sources known as reputable in the government and private sectors.
A. Reasonable measures shall be employed to understand an information source's data
collection practices and policies before accepting information from that source.
B. Individually identifiable information that is collected for marketing purposes
shall not knowingly be purchased, sold or retained for creating or inclusion in
individual reference services, unless it is public record information or publicly
available information; its use is specifically permitted by law; or it is collected
with notice to the individual that such information will be used for inclusion in
individual reference service products.
III. Accuracy: Reasonable steps shall be taken to help assure the accuracy
of the information in individual reference services. The goal of individual reference
service products is to furnish customers with accurate reproductions of information.
A. When contacted by an individual concerning an alleged inaccuracy about that individual,
the individual reference service, as appropriate, shall either correct any inaccuracy
or inform the individual of the source of the information and, if reasonably available,
where a request for correction may be directed.
B. The individual reference service's commitment to furnish users with reasonably
accurate reproduction of information in public record information systems does not
permit alteration of the substantive content of public record information products
or services.
IV. Public Record and Publicly Available Information: Public record information
and publicly available information shall be usable without restriction unless legally
prohibited.
V. Distribution of Non-Public Information: Except as provided in section
IX, non-public information will be distributed only according to the criteria set
forth below. The nature of non-public information being requested and the intended
uses of such information shall determine the level of review of the subscriber.
Companies who supply information covered by this section to individual reference
services shall provide such information only to individual reference services that
adopt or comply with these principles.
A. Selective and Limited Distribution of Non-Public Information: Individual
reference services may distribute non-public information without restriction of
its contents only to qualified subscribers.
1. Qualified subscribers for the selective and limited distribution of non-public
information must satisfy the following conditions:
a. The subscribers must state their appropriate uses for such information.
b. The subscribers must agree to limit their use and redissemination of such information
to such appropriate uses.
c. The subscribers shall be reasonably identified and meet qualification requirements
that establish them as appropriate users of the information and agree to terms and
conditions consistent with these principles prior to accessing the information.
2. Each individual reference service shall take reasonable steps to protect against
misuse of non-public information distributed pursuant to this subsection which will
include:
a. Each individual reference service shall make available upon request an explanation
of what uses of its information are appropriate and to which types of qualified
subscribers such information is available.
b. Individual reference services shall conduct a reasonable review of the subscriber
and its intended uses of the information prior to making non-public information
available to the subscriber.
c. Individual reference services shall maintain a record of the identity of subscribers,
the types of uses, and the terms and conditions agreed to by the subscriber for
three years after termination of each subscriber's relationship with the individual
reference service.
d. Reasonable measures shall be employed to help assure that qualified subscribers
use non-public information appropriately.
e. Individual reference services shall implement reasonable mechanisms to remedy
subscriber abuses of the information.
B. Commercial and Professional Distribution of Non-Public Information: Individual
reference services, when they limit the non-public information content of their
products or services as set forth below, may distribute such products or services
only to established professional and commercial users who use the information in
the normal course and scope of their business or profession and the use is appropriate
for such activities.
1. Non-public information products or services distributed pursuant to this subsection
shall not include:
a. Information that reflects credit history, financial history, medical records,
mother's maiden name identified as such, or similar information;
b. Certain information like social security number and birth information unless
truncated in an appropriate and industry consistent manner.
2. Users shall agree to terms and conditions consistent with these principles prior
to accessing the non-public information, shall agree to use such information solely
in the normal course and scope of their business or profession and that the use
is appropriate for such activities and that they shall limit their use and redissemination
of such information to such uses and in accordance with these principles.
3. Individual reference services shall take reasonable steps to protect against
misuse of the non-public information distributed pursuant to this subsection which
will include:
a. If not previously established, the individual reference service shall take reasonable
steps to identify the user and to establish the user as an established professional
or commercial entity.
b. Reasonable measures shall be employed to help assure that commercial and professional
customers use non-public information appropriately.
c. Individual reference services shall implement reasonable mechanisms to remedy
subscriber abuses of the information.
d. Individual reference services shall maintain a record of the identity of subscribers
and the terms and conditions agreed to by the subscriber for three years after termination
of each subscriber's relationship with the individual reference service.
C. General Distribution of Non-Public Information: Individual reference services,
when they limit the non-public information content of their products or services
as set forth in this subparagraph, may distribute such products or services to any
person.
1. Non-public information distributed pursuant to this subparagraph shall not knowingly
include information that reflects social security number, mother's maiden name identified
as such, non-published telephone number, or non-published address information obtained
from telephone companies, birth information, credit history, financial history,
medical records, or similar information, nor will the service be retrievable by
a social security number.
2. The individual reference service shall take reasonable steps to protect against
the misuse of non-public information.
VI. Security: Individual reference services shall maintain facilities and
systems to protect information from unauthorized access and persons who may exceed
their authorization. In addition to physical and electronic security, individual
reference services shall reasonably implement:
A. Employee and contractor supervision: Employees and contractors shall be required
to sign confidentiality agreements and be subject to supervision.
B. Reviews: System reviews shall be made at appropriate intervals to assure that
employees are complying with policies.
VII. Openness: Each individual reference service shall have an information
practices policy statement that describes what types of information it has, from
what types of sources, how it is collected, the type of entities to whom it may
be disclosed and the type of uses to which it is put, and shall make its policy
statement available upon request. Consumers shall be notified about these practices
in various ways such as:
- Web sites;
- Advertisements; or
- Company or industry-initiated educational efforts.
VIII. Choice: Each individual reference service shall upon request inform
individuals of the choices, if any, available to limit access or use of information
about them in its data base, provided, however, that in the case of non-public information
distributed to the general public (section V.C of these principles), an individual
reference service shall provide an opportunity for an individual to limit the general
public's access or use of such non-public information.
IX. Access: Upon request and reasonable terms, an individual reference service
shall:
A. Inform an individual about the nature of public record and publicly available
information that it makes available in its products and services and the sources
of such information;
B. Provide individuals with non-public information contained in products and services
that specifically identifies them and that are distributed as part of an individual
reference service to users under section V. of these Principles unless the information
was obtained on a limited use basis from a governmental agency or if its disclosure
is limited by law or legally recognized privilege; and
C. Direct individuals to a consumer reporting agency regulated by the Fair Credit
Reporting Act where such agency is the source of the information about the individual.
X. Children: Where an individual is identified in the product or service
as being under the age of 18, no non-public information about that individual shall
be provided for other than selective and limited distribution purposes or for the
purposes of locating missing children.
XI. Assurance of Compliance: The signers of these principles shall have completed
within 15 months of the effective date of these principles, and on a periodic
basis thereafter, at least once every year, an assurance review done by a reasonably
qualified independent professional service. The independent professional service
shall apply assurance criteria consistent with these principles and approved by
the signers as a group. Individual reference services shall have a reasonable opportunity
to respond to any concerns expressed in such assurance review. A summary reflecting
both the report and any subsequent actions taken or response made by the company
shall be publicly available.