WHO SHOULD MANAGE INFORMATION AND PRIVACY CONFLICTS - INSTITUTIONAL DESIGN FOR 3RD-PARTY MECHANISMS

The U.S. Census Bureau, health data providers, and credit bureaus are information organizations (IOs). They collect, store, and process larg e sets of sensitive data on individuals, households, and organizations . Storage, processing, and dissemination technologies that IOs employ have grown in capability, sophistication, and cost-effectiveness. Thes e technologies have outpaced the design and implementation of procedur es for protecting data in transfer from primary data provider to IO an d from IO to data user. On the one hand, it is necessary to protect th e confidentiality of such data; on the other hand, it is necessary to protect the accessibility to the data by users, including researchers and analysts. Conflicts ensue in the two corresponding arenas: between the IO and data providers concerned with inadequate privacy and confi dentiality protection: and between the IO and data users who find thei r access to data restricted. In this article third-party mechanisms fo r managing disputes in the privacy and information area are both theor etically justified and their empirical manifestations examined. The in stitutional mechanisms considered include privacy and information clea ringhouses, a ''Better Data Bureau,'' a privacy information advocate, a data ombuds, a privacy mediator, an internal privacy review board, a nd a data and access protection commission. Under appropriate circumst ances, these arrangements promise a more flexible and responsive resol ution of the conflict between privacy/confidentiality and legitimate i nformation access than is possible through legislative action and admi nistrative rulings alone.