generally had faith that the information they disclose to banks does not travel much further. Today this belief is less valid. Depositors and borrowers who have always had a high expectation of confidentiality concerning their assets and financial transactions now should be aware of a change in that confidential relationship. Gaping holes in the confidentiality of bank account records have been opened by banks' penetration of the open-end credit field, and this is a whole new thrust for the banking industry, as you know. This exposes their records on individuals to organizations which recognize no duty of confidentiality to the individual, such as government agencies and creditors, and to organizations, like independent authorization services, that have no direct relationship with that individual. Often this deterioration of confidentiality is beyond the control of the banks themselves. And I'm very sympathetic with the position of the banks. They are regulated and overregulated. They are required, on the one hand, to keep records for the Bank Secrecy Act, and many, many State regulations. On the other hand, from the privacy point of view, we suggest that they get rid of the records after they have served their purpose. I understand and appreciate the need for going slowly, and I think we did that in the Commission's recommendations and in the administration's proposed legislation.

We seek to accomplish three main public-policy objectives: First, to minimize intrusiveness; second, to maximize fairness; and third, to create legitimate expectations of confidentiality where such expectations are warranted. I do not believe anyone would quarrel with them in principle, but in practice, they come up against conflicting interests which can only be resolved by legislated national public policy.

What, in effect, we are talking about is fair information practices. Nobody is quite sure what we mean by privacy and I don't doubt that some of your witnesses will raise issue as to whether the subject we are talking about is a privacy issue. There is no generally accepted definition. As you know, the term privacy was never even used in Federal legislation until the Privacy Act of 1974. Although that was the first time the term was used, it was not defined. It's not defined in the Constitution although it has been implied by the courts from various amendments.

But what we are talking about is fair information practices in dealings between an organization and an individual.

When it comes to fairness in recordkeeping practices, the starting point is the recognition that an organization's records about an individual be as accurate and complete and up to date as necessary for the purposes for which the records are to be used. Here again, the legitimate interests of individual and organization are theoretically the same. On the one side, an organization that bases its decisions about individuals on inaccurate, incomplete, or obsolete information is not acting rationally.

No individual with a legitimate purpose wants an organization's record on him to be distorted. Mistakes in records are today a greater threat than ever before because they can be propagated at the speed of light all over the country and world-from banks to credit bureaus, from one insurer to another, from an employer to a bank, and from one government agency to another. Victims of such

mistakes are often helpless to stop the damage even if they can manage to identify the original error and its source.

I think an important point to be made is that prior to the computer age and prior to the complexities of society today, decisions were made based on a face-to-face interview. Under those circumstances both sides can adjust their mode of communication with the other's mode of comprehension. You're getting across. Today, those decisions are being made based on computers talking to computers. Information that's in computer data banks governs, therefore it's much more likely that errors will creep in and unfairness will develop.

In our recommendations we sought to weigh our concern for the privacy rights of the individual consumer brought on by this computerized age, alongside a clear recognition of the legitimate need of industry for developing a great deal of personal information. It is our conviction that our recommendations, as embodied in the proposed legislation, help strike the appropriate balance. And, in the long run, will strengthen the relationship between the individual and the business enterprise, while promoting appropriate public policy objectives. Of at least equal importance is our conviction that our recommendations will help shore up our democratic free enterprise society.

Incidentally, the protection of privacy rights of an individual is just as important, if not more important, for the entrepreneur of business and banking as it is for the man on the street. Without a right of privacy, an executive cannot properly function, cannot carry out his duties in a meaningful way. He must be assured of that protection.

When business executives express their concerns about building in privacy safeguards, I believe they very often are being shortsighted. They are not aware that they themselves are the people we are seeking to protect.

Senator TSONGAS. Have you addressed banking seminars, ABA and their counterparts to make that argument, and what kind of reaction do you get?

Mr. LINOWES. We get mixed reaction.

For a long time, there was a hesitancy to express anything until a report was completed by a consulting firm they had engaged to examine our recommendations to determine how feasible it would be to implement them. That report was submitted to the American Bankers Association over 1 year ago.

As I read the report the indication was that it could be implemented. It was not unreasonably burdensome, was the essence of what it said. I believe your staff does have a copy of that report.

Senator TSONGAS. But attitudinally, what kind of reaction do you get? You're raising the issue of privacy as a worthwhile societal end in an era when we are just beginning to understand what the violations may be. You go out and ask the average person in the street what their list of concerns are and privacy would not be at the top of the list, and how many times in a democratic society do you address problems before they become obvious?

Mr. LINOWES. First, let me say there was a survey released by Louis Harris over 1 year ago in which well over 60 percentperhaps closer to 70 percent-of the public is concerned about the

privacy issue. But further, in response to how the bankers feel about it, I think the best evidence to indicate the extent to which there is concern are the findings of the survey conducted through the survey research laboratory of the University of Illinois. Even though widespread adoption of the recommendations of the Privacy Commission was lacking, in most of the critical areas I would say between one-fourth and a third of the banks surveyed indicated they had voluntarily adopted our recommendations. That minority did not consider it burdensome. As a matter of fact, it is just good business practice in their relationships with customers.

FAIR INFORMATION PRACTICES

What we are talking about is fair information practices. If a customer of a bank does not feel that his banker is dealing confidentially with him, then he's going to have something less than confidence in all his dealings with that institution. The same is true in all other business operations. As you know, we still do not have laws to require compliance with adequate safeguards. Yet our survey of the Fortune 500 companies, released in July of last year, pointed out that there was a significant percentage of compliance, even though that compliance was not universal.

I don't doubt that some companies may have to revise their procedures to comply. Others already have built in safety procedures way beyond the recommendations of the Privacy Commission because they consider it good business.

Senator TSONGAS. For example?

Mr. LINOWES. One consumer reporting company, one of the largest in the country, not only permits the subject to examine his record but will invite that subject in and will assign one of their officials-and I was informed of this by their chairman and chief executive officer-so that any of the hieroglyphics in the record can be adequately explained. What's more, even though we did not recommend disclosing the specific contents over the telephone-we realized it could be a burdensome problem for a company-I was told the policy that was been adopted during the past 2 years permits the subject to telephone and if he can identify himself adequately they will disclose all the information.

As I mentioned to him when he reported this to me, we wouldn't have had the nerve to make that kind of recommendation for fear of the problems we would be creating. He said, "There are no problems." The requests are minimal and not burdensome.

In banking I do have a report from the Citibank, for example. That institution went through its personnel records about 1 year ago and its procedures applying privacy protection policies. The officer in charge of that operation told me that she believes it resulted in substantially improved personnel operations.

In the insurance industry, Equitable Life Assurance Society adopted all of our recommendations. When the officer in chargethe vice president and general counsel-was questioned by his peers as to the cost, he responded, "I don't think it costs us anything. We periodically revise our forms and procedures. We use the same personnel." As you know, our recommendations for insurance companies were perhaps the most severe because they deal with extremely sensitive personal information.

So I think you can get all ranges of estimates as to the cost and inconvenience depending upon the disposition of the responder. Senator TSONGAS. Well, once you have a system in place, there is no serious cost. You may have a cost in the transition.

Mr. LINOWES. Yes, depending on whether you have to add more personnel for that transition. But, I can quickly say this, those whose systems are so loose that there is opportunity for considerable abuse, I don't doubt they will have to go to some expense, but-

Senator TSONGAS. Not to mention lawyers.

Mr. LINOWES. In what way?

Senator TSONGAS. Well, the next witness will explain that.

PRETEXT INTERVIEWS

Let me ask you one question before you finish and that is the issue of pretext interviews. In the testimony we have had so far there have been those who argue that there are a number of examples where pretext interviews would make sense in some kind of modified, nonoutrageous situation. What do you say to that? Mr. LINOWES. Our recommendation was that there be no pretext interviews. Of course, in all of our recommendations we are always careful to make exceptions for situations where it can be shown, after the fact, that there is reason to believe a crime has been committed. I can understand the need for pretext interviews where there is a justifiable reason to believe a crime has been committed. We feel the law enforcement officer should have adequate opportunity to do his job. His hands should not be tied. With the proviso, however, that he is going to be held accountable, after the fact, when no harm can come to his investigation. As long as he knows that accountability will be expected, then innocent people will not be abused unnecessarily.

Senator TSONGAS. Let me give you a for instance that was used in the testimony last month. This is an insurance claim example where someone was alleged to be incapacitated and somebody in the insurance business goes in and pretends to be a customer or watches the claimant lift packages and so forth. Is that considered to be a pretext interview?

Mr. LINOWES. It depends on the basis of how that interview was conducted.

Let me tell about the testimony of one witness. He was a senior official of one of the largest credit investigating companies in the country. He was explaining how they operate. They would call a particular person and say, "We are making a TV commercial for a detergent company. Would you be good enough to tell us what kind of detergent you use?" The woman says, "Not at all," and she states the name of the detergent she uses. He says, "Good, we were hoping you would say that because we are working for that company. Would you mind if we came to your home on wash day and take some pictures of you using this detergent so we can use it in our television commercial?" The woman was flattered and invited them in. The investigators came and took pictures of her doing the washing, lifting the laundry into the washing machine, pouring in the detergent. The only time she saw those pictures was in court

when the lawyers for the insurance company were contesting her injury claim.

If they had reason to believe this was a fraudulent claim, and justified that reasoning after the fact, then that clearly would be one of the exceptions. But if this is just a normal procedure, then I think as Americans living in a free society we have reason to question that and to urge restraints.

With you permission, I would now like to turn to another area. About 2 years ago after the Privacy Commission submitted its recommendations to the President and the Congress, as I mentioned earlier, the University of Illinois undertook a research survey to determine whether the legislation recommended by the Privacy Commission for financial institutions at that time was still needed.

Incidentally, as you know, it was not possible for us nor did we conduct a statistically sound investigation in any of our studies as a Privacy Commission. We called in witnesses, placed them under oath, and on the basis of what they testified, we made recommendations.

On the other hand, the investigation conducted by the Survey Research Laboratory at the University of Illinois is as scientifically accurate as is possible, using the latest statistical methods.

We sampled 130 banks from the list of the 300 largest commercial banks in the United States as published in the February 18, 1979 issue of the American Banker. We received responses from 34 banks or 26 percent of those sampled, representing 13 million depositors and borrowers, a not insignificant proportion of the depositors and borrowers in this country.

It was found that the depositors and borrowers have little knowledge of what their bankers do with personal financial information that is in their records. Over four out of five of the largest banks in the Nation do not inform their customers of the institutions' routine disclosure practices to nongovernmental inquiries. Incidentally, this means one out of five do. And three out of four do not inform them of the routine disclosure practices to government inquiries.

Senator TSONGAS. Is there any evidence that the 20 percent of the institutions that do incur any higher costs?

Mr. LINOWES. We have no way of determining that.

Senator TSONGAS. Obviously, if 20 percent of them do it, at least in their minds, there cannot be any undue economic loss occasioned by that practice.

Mr. LINOWES. No, and what's more, I refer you also to the report of Touche Ross & Co. that dealt with it. There were certain elements in some of the proposed legislation that was troublesome. It was inadvertent in the drafting and was changed.

What we lack in this country, and I can't stress it enough, is a national public policy when it comes to privacy. We are behind many other democratic nations-Sweden, West Germany, France, for example, all have laws. They look at us with real concern, because their information is being transmitted here and we have no legal protections for the private sector data.

There is a conference scheduled in Rome for June, and one in Ottawa for September in which democratic societies will convene to