It is a fact that for the most part, the legitimate interest of the individual and the legitimate interest of the organization that keeps records about him are in parallel. In theory, both the individual and the organization have a strong interest in curbing the tendency to accumulate or disseminate any more information than is necessary for the stated purposes. It is a financial burden on the organization to collect and maintain more records than it needs, and it is dangerous for the individual to have intimate details of his personal life piling up in the organization's records. In practice, however, the individual's interest sometimes gets short shrift. When it comes to fairness in record-keeping practices, the starting point is the recognition that an organization's records about an individual be as accurate and complete and up-to-date as necessary for the purposes for which the records are to be used. Here again, the legitimate interests of individual and organization are theoretically the same. On the one side, an organization that bases its decisions about individuals on inaccurate, incomplete, or obsolete information is not acting rationally.

No individual with a legitimate purpose wants an organization's record on him to be distorted. Mistakes in records are today a greater threat than ever before because they can be propagated at the speed of light all over the country and world from banks to credit bureaus, from one insurer to another, from an employer to a bank, and from one government agency to another. Victims of such mistakes are often helpless to stop the damage, even if they can manage to identify the original error and its source.

This and other problems are compounded by the fact that in arriving at decisions about individuals, organizations are more and more being driven to substitute recorded information for the face-to-face interview. Face-to-face encounters offer both sides some leeway in adjusting their mode of communication to the other's mode of comprehension. With computers talking to computers, there is no allowance for such adjustments, and therefore unfairness frequently results.

In our recommendations we sought to weigh our concern for the privacy rights of the individual consumer brought on by this computerized age, alongside a clear recognition of the legitimate need of industry for developing a great deal of personal information. It is our conviction that our recommendations, as embodied in the proposed legislation, help strike the appropriate balance and, in the long run, will strengthen the relationship between the individual and the business enterprise, while promoting appropriate public policy objectives. Of at least equal importance is our conviction that our recommendations will help shore up our democratic free enterprise society.

Mr. Chairman, two years after the Privacy Commission submitted its recommendations to the President and the Congress, we at the University of Illinois undertook a research survey primarily to determine whether the legislation recommended by the Privacy Commission for financial institutions at that time was still needed. A copy of that report, entitled Privacy and Banking, is included as an appendix to this testimony. I would like briefly to report to you some of the results of that research report.

One hundred thirty banks were sampled from the list of the "300 Largest Commercial Banks in United States by State" as published in the February 28, 1979 issue of the American Banker. Responses were received from 34 or 26% of the institutions, representing over 13,000,000 depositors and borrowers.

It was found that depositors and borrowers have little knowledge of what their bankers do with the personal financial information that is in their records. Over 4 out of 5 (85%) of the largest banks in the nation do not inform their customers of the institution's routine disclosure practices to nongovernmental inquiries, and 3 out of 4 (74%) do not inform them of the routine disclosure practices to governmental inquirers.

All banks (100%) disclose information to credit grantors about their depositors and borrowers, and 25% give information to landlords. But only 1 in 4 (24%) obtains authorization of the customer before disclosing this information. However, I am pleased to point out that almost all (95%) banks do limit the type of information released to these nongovernment inquirers. The survey also revealed that over 4 out of 5 of the banks responding did not inform the individual of the types of records maintained on him or her (82%); use to which these records were put (84%); or which records he or she has access to (85%). This lack of communication between a bank and its customers discourages mutually trusting relationships so necessary in our credit-dominated society.

In another finding over 4 out of 5 (82%) banks verify or supplement background information collected directly from individuals, but less than half (48%) notify the customers before such information is collected about them. Seven out of ten (72%) do not give the subject access to the information collected. If this background information collected from third parties is in error, or is furnished by jealous or vindictive business associates or neighbors and meant to be misleading, the bank customer would never have an opportunity to correct it. Thus, decisions would be made based on incorrect data, to the detriment of both the individual and the bank.

Although all banks (100%) obtain information from credit bureaus, only about one-third review the way the bureaus collect the information (34%), how they maintain the records (37%), or what they do about disclosing the information to outside parties (34%). Among the recommendations of the Privacy Protection Study Commission all banks, insurance companies, and employers were urged to examine the practices of those from whom they obtain personal data.

It is encouraging to note that 9 of 10 (91%) banks had designated an executive-level person for maintaining privacy safeguards in their depository record-keeping practices. In the past two years, however, little more than half (55%) conducted a systematic evaluation of the record-keeping practices with particular attention to confidentiality safeguards.

As is apparent from the selected results I report here, it appears there still exist many of the same weaknesses in personal privacy protections for financial records about which the Privacy Commission was so concerned in 1977. Accordingly, I find I must respectfully urge early enactment of the legislation you are now considering.

Thank you for this opportunity to present my testimony before you today.

University of Illinois at Urbana-Champaign

Boeschenstein Professor of Political Economy and Public Policy

COLLEGE OF LIBERAL ARTS AND SCIENCES

308 Lincoln Hall Urbana, Illinois 61801 (217) 333-0670

A Research Survey

of

PRIVACY AND BIG BUSINESS

This research survey seeks to determine the extent to which the largest industrial corporations of America have policies safeguarding the personal information they collect and maintain about their employees, former employees, and applicants for employment.

A sample of 145 companies was selected from among the Fortune 500 corporations. Seventy-four companies, or 51%, representing over 2 1/2 million employees responded to the eleven-page questionnaire.

The findings are presented by subject classification as indicated on the Contents page. Each subject area is divided into "Highlights;" "Survey;" and "PPSC Recommendations." The "PPSC Recommendations" refers to the report of the U. S. Privacy Protection Study Commission which was submitted to President Carter and the Congress in July 1977.

July 27, 1979

Washington, D. C.

David F. Linowes

Boeschenstein Professor of
Political Economy and Public
Policy

Former Chairman, U. S. Privacy
Protection Study Commission
Washington, D. C.
