U.S. Industry Does a Poor Job of Protecting Privacy, Study Says

More than a decade after a presidential commission urged American business to take more care in using the private data it collects about employees and customers, industry has done far too little to protect privacy, according to a study released Tuesday by the commission’s former chairman.

Outdated, inaccurate records are being used to make critical decisions about hiring and promotions, said University of Illinois professor David F. Linowes, the study’s author. A growing number of investigative agencies are buying, packaging and reselling data about individuals with few controls on the information’s use or accuracy, he said.

Of the nation’s largest employers, 42% gather data about workers without telling them, Linowes’ study found, and 57% hire private investigators to probe employees’ or job applicants’ backgrounds.

The survey of Fortune 500 companies found that 38% still have no policy on releasing employee records to government agencies, and 57% do not tell employees what records about them are maintained.

“People would be surprised at how easy it is for others to obtain information about them they believe is confidential,” said Linowes, who was chairman of the U.S. Privacy Protection Commission during the terms of Presidents Gerald R. Ford and Jimmy Carter.

In 1977, the commission concluded that private industry could be relied on to voluntarily adopt “fair information practices” that minimized intrusions into individual privacy.

But in an interview and at a Washington news conference announcing results of the survey, Linowes said industry’s response had been “a little too slow to be meaningful.” He urged Congress to declare it national policy that individual privacy be protected.

“Most Americans are not aware of the tremendous impact that the accumulation of information by many institutions . . . is having on decisions being made about them without their knowledge,” said Linowes, a professor of political economy and public policy who also was chairman of presidential commissions on privatization, national energy resources and federal coal leasing during the Ronald Reagan Administration. “This information is never destroyed, and it’s obtainable instantaneously.”

On the commission’s recommendation--and in the wake of post-Watergate suspicion of government’s and industry’s ability to intrude on personal privacy--several laws were passed a decade ago, including a federal law protecting consumer credit data. Just last year, Congress adopted one of the commission’s key proposals: a near-total ban on the use of lie detectors in employment decisions.

Nonetheless, state and federal privacy laws, Linowes said, remain a “patch-quilt.” Moreover, privacy experts say advances in computer and telecommunications technology have made possible data collection and analysis that was unimaginable when the commission was at work 12 years ago.

Legislation Needed

“Today we’re seeing enormous advances in information technology and few safeguards to see that privacy rights are upheld,” said Harley Shaiken, professor of work and technology at UC San Diego. “What’s being proposed here is applying the standards of the Bill of Rights to the workplace.”

What is needed, according to Linowes, is legislation that gives individuals access to--and the right to correct the information in--records about them, requires information collectors to gather no more data than they need and allows people to sue if confidential information about them is misused.

“When there’s no policy, the file clerk, the computer technician, anybody who is dealing with that information decides for themselves what to release,” he said.

Linowes and other privacy experts said industry, for the most part, could be expected to oppose further controls on the use of personal information, citing the costs and claiming a right to use as it wishes any data it owns or collects.

But Linowes’ survey, based on responses from 126 of the Fortune 500 companies, found that large corporations have taken some steps to better guarantee the privacy of data collected from employees.

Compared to responses to a similar survey in 1979, more companies periodically evaluate their record-keeping systems, inform employees of their information disclosure practices, give employees access to their personnel records and forward corrections of errors in those records to anyone given false information in the previous two years.

AIDS Concern

Still, many companies continue to routinely release information to lenders, landlords and charities, and most fail to inform employees what kind of data is kept about them or how it is used. Concern about AIDS, drug abuse and smoking, Linowes said, seems to explain a big increase in the number of companies that use medical records in making employment-related decisions.

The results of employers’ data collection can haunt workers, Linowes said.

He told of a woman in Chicago who hired a lawyer to find out why she was passed over for a number of government jobs. It turned out, Linowes said, that the potential government employer had obtained her grade school records from a computer database and found this angry notation by her third-grade teacher: “Mother is crazy.”

Linowes said: “The appointing officer reasoned that if the mother was insane, there was a good chance she was, too.”

PRINCIPLES OF A ‘FAIR INFORMATION’ POLICY

1. Minimize intrusiveness. Don’t collect more data than is necessary.

2. Maximize fairness. Let the subject know what information is being collected and why.

3. Establish an enforceable expectation of privacy. Provide recourse if privacy is violated.

Source: University of Illinois, Prof. David F. Linowes

PROGRESS ON PRIVACY?

Fortune 500 companies were asked in 1979 and again this year about their practices for protecting the privacy of data collected from or about employees.

% of companies % of companies answering yes answering yes Practice in 1989 in 1979 Corporation has designated an executive-level person to be responsible for maintaining privacy safeguards in employment record-keeping practices. 72 78 Company discloses personal information to credit grantors. 80 85 Information given to landlords. 58 49 Information given to charitable organizations. 28 22 Company permits employees to place corrections in their personnel records. 77 79 Organization has a policy to forward corrections to anyone who received the incorrect information within the past two years. 87 25 Company informs personnel of the types of records maintained on them. 43 28 Company tells personnel to which records they have access. 62 37 Company uses medical records in making employment-related decisions. 50 26

Source: Survey Research Laboratory, University of Illinois