WASHINGTON, DC (April 22, 1996) -- Too many of the nation's largest industrial corporations still don't have adequate policies to protect sensitive confidential employee data from possible abuse, a new major study of privacy practices in the workplace finds.
"Not only do two-thirds of the companies disclose employee information to creditors requesting it, but also many employees are isolated from knowing what's in their own records," says David Linowes, who directed the comprehensive study of Fortune 500 companies, and is one of the nation's foremost experts on privacy issues.
"Many employees still are not being told much about their own records," Linowes said in remarks prepared for a news conference on April 22 at the National Press Club in Washington, D.C. Of the companies who participated in the survey, Linowes found that 38 percent do not inform employees of the types of records maintained on them; 44 percent do not tell personnel how records are used; nearly 60 percent don't inform employees about disclosure practices to government; and 18 percent don't tell personnel which records they have access to.
"This limited approach is not sufficient," said Linowes, author of "Privacy in America," adding that "a uniform federal law is needed to protect individuals and to set guidelines of fair- information practices for businesses." In 1977, Linowes chaired the U.S. Privacy Protection Commission that submitted recommendations to President Jimmy Carter and Congress, urging business to voluntarily adopt privacy safeguards.
For the new study, 84 Fortune 500 corporations, representing more than 3.2 million employees, responded to a 15-page questionnaire, which surveyed their policies and practices in the areas of disclosure of personal employment data; individual access; informing the individual; authorizing personal data collection; medical records; drug testing; AIDS testing; polygraph use; use of investigative firms; and arrest, conviction and security records.
This is the third time Linowes, who is a professor of political economy and public policy, and senior policy adviser to the Institute of Government and Public Affairs at the University of Illinois, has surveyed the privacy practices of Fortune 500 companies.
In the new study, 35 percent of the companies polled said they use medical records in making employment-related decisions. "Inasmuch as medical information can be misunderstood by an uninformed layman, this is undesirable," he said.
In the policy area, Linowes found that more than two of five corporations (42 percent) do not have a policy for conducting periodic evaluations of their personnel record-keeping systems, and the same number have not designated an executive-level person to be responsible for maintaining privacy safeguards in employment record-keeping practices. In addition, three out of 10 corporations report that they do not have a policy concerning which records will be routinely disclosed to inquiries from government agencies.
"When no such policy exists, the person in charge – whether an executive or record clerk – decides for himself or herself what and when sensitive personal information is routinely released to any government agency representative, whether that person is entitled to have it or not."
Linowes also found that 70 percent of the companies surveyed disclosed personal information to nongovernment credit grantors, 47 percent gave information to landlords, and 19 percent gave information to charitable organizations.
"If this kind of liberal cooperation with credit grantors is to prevail, the subject individual at least should be informed. More than one-half are not," Linowes said.
As a result of the findings, Linowes is calling on President Clinton and Congress to consider new steps for action. "It is apparent that adequate universal information privacy safeguards can only be achieved by the enactment of public policy legislation by Congress and the president, Linowes said.
"Further, such legislation would serve to help bring our nation up to the standards already adopted by practically all other industrialized nations."
Linowes suggests that such legislation would require that 1) in dealings between an organization and an individual, there should be minimum intrusiveness into the personal affairs of a person, thereby eliminating the collection of data that is irrelevant to the decision at hand, 2) that fairness should be emphasized, thereby permitting the individual to see the data about himself or herself upon which a decision is based, and 3) that there should be a means for enforcing confidentiality when information privacy is expected, by allowing for punitive damages, capped at $10,000, for violations.
The survey was conducted for Linowes during the summer and fall of 1995 by the Survey Research Laboratory; Ray Spencer, coordinator of research programs at the U. of I. College of Liberal Arts and Sciences, was co-director of the project. The purpose of the survey was to determine the extent to which the largest industrial corporations of America have policies safeguarding the personal information they collect and maintain about their employees, former employees and applicants for employment.
"Because major corporations are standard setters of business practices, the impact of the policies described in this survey goes well beyond the Fortune 500 corporations," Linowes said. Other findings include:
Copies of the survey report, including an executive summary of highlights, are available by contacting Helen Brighton or Ray Spencer at (217) 333-0670 or by e-mailing firstname.lastname@example.org
CONTACT: Andrea Lynn, News Editor (217) 333-2177
University of Illinois at Urbana-Champaign News Bureau
807 S. Wright St., Suite 520 East
Champaign, IL 61820-6219