Personal Privacy in an Information Society. Specific Recommendations

07/12/1997

With a few important exceptions, the Commission's specific recommendations on record keeping in the employee-employer relationship also embody a voluntary scheme for resolving questions of fairness in the collection, use, and dissemination of employee records. The reasons for not recommending statutory implementation of many of these recommendations should by now be clear. The Commission does, however, believe that employees, like other categories of individuals, should have certain prerogatives with respect to the records that are kept about them, and the recommendations below, if adopted, would serve to define those prerogatives as a matter of practice.

Intrusiveness

Some of the information an employer uses in making hiring and placement decisions is acquired from sources other than the individual applicant or employee. In addition to former employers and references named by the individual, such third-party sources may include physicians, creditors, teachers, neighbors, and law enforcement authorities.

One way to keep an employer's inquiries within reasonable bounds is to limit the outside sources it may contact without the individual's knowledge or authorization, as well as what the employer may seek from the individual himself. To do so, however, is to grapple with long and widely held societal views regarding the propriety of inquiries into an individual applicant or employee's background, medical history, credit worthiness, and reputation. As the Commission has agreed elsewhere in this report, the intrusions on personal privacy that seem to be taken for granted in many of the record-keeping relationships the Commission has studied usually begin with the criteria we, as a society, accept as proper ones for making decisions about people. Thus, while the Commission was struck by the extensiveness of the inquiries some employers make into matters such as medical history, it concluded that so long as society considers the line of inquiry legitimate, judgments about how extensive it should be must be largely aesthetic.

The same was not true, however, with regard to some of the techniques that are used to collect information about applicants and employees. There the Commission found a few it considers so intolerably intrusive as to justify banning them, irrespective of the relevance of the information they generate.

TRUTH VERIFICATION DEVICES

The polygraph examination, often called the lie-detector test, is one technique the Commission believes should be proscribed on intrusiveness grounds. The polygraph is used by employers to assess the honesty of job applicants and to gather evidence about employees suspected of illegal activity on the job. An estimated 300,000 individuals submitted to this procedure in 1974. 29

The main objections to the use of the polygraph in the employment context are: (1) that it deprives individuals of any control over divulging information about themselves; and (2) that it is unreliable. Although the latter is the focal point of much of the continuing debate about polygraph testing, the former is the paramount concern from a privacy protection viewpoint. During the 93rd Congress, the Senate Subcommittee on Constitutional Rights concluded that polygraph testing in the context of Federal employment raises intrusiveness issues of Constitutional proportions. 30 Similarly, the Committee on Government Operations of the House of Representatives emphasized the "inherent chilling effect upon individuals subjected to such examinations," and recommended that they no longer be used by Federal agencies for any purpose. 31

Advocates of banning the polygraph in employment describe it as humiliating and inherently coercive and suspect that some employers who use it do so more to frighten employees than to collect information from them. 32 Use of the polygraph has often been the subject of collective-bargaining negotiations and has even inspired employees to strike. The Retail Clerks Association, with more than 700,000 members, urges its locals to include anti-polygraph provisions in all contracts. 33

Other truth-verification devices now on the market, such as the Psychological Stress Evaluator (PSE), pose an even greater challenge to the notion that an individual should not be arbitrarily deprived of control over the divulgence of information about himself. Like the polygraph, the PSE electronically evaluates responses by measuring stress. Unlike the polygraph, the PSE uses voice inflections to measure stress and thus may be used without the individual knowing it is being used. 34 The use of such devices in the employment context, and the practices associated with their use, are, in the Commission's view, unreasonable invasions of personal privacy that should be summarily proscribed. The Commission, in effect, agrees with the conclusions of the two Congressional committees that have examined this issue as it arises in the Federal government and, therefore, recommends:

Recommendation (3):

That Federal law be enacted or amended to forbid an employer from using the polygraph or other truth-verification equipment to gather information from an applicant or employee.

The Commission further recommends that the Congress implement this recommendation by a statute which bans the manufacture and sale of these truth-verification devices and prohibits their use by employers engaged in interstate commerce. A clear, strong, Federal statute would preempt existing State laws with less stringent requirements and make it impossible for employers to subvert the spirit of the law by sending applicants and employees across State lines for polygraph examinations.

PRETEXT INTERVIEWS

The Commission also finds unreasonably intrusive the practices of investigators who misrepresent who they are, on whose behalf they are making an inquiry, or the purpose of the inquiry. (These so-called "pretext interviews" are discussed in some detail in Chapter 8.)

Because background checks in connection with the selection of an applicant or the promotion or reassignment of an employee are not criminal investigations, they do not justify undercover techniques. Nor, according to testimony before the Commission, are pretext interviews necessary to conduct adequate investigations in the employment context. Witnesses from private investigative firms repeatedly said that extensive information about an applicant can be developed without resorting to such ruses.35 Accordingly, in keeping with the posture it took on pretext interviews in connection with insurance underwriting and claims investigations, the Commission recommends:

Recommendation (4):

That the Federal Fair Credit Reporting Act be amended to provide that no employer or investigative firm conducting an investigation for an employer for the purpose of collecting information to assist the employer in making a decision to hire, promote, or reassign an individual may attempt to obtain information about the individual through pretext interviews or other false or misleading representations that seek to conceal the actual purpose(s) of the inquiry or investigation, or the identity or representative capacity of the employer or investigator.

Amending the Fair Credit Reporting Act in this way would be a reasonable extension of the Act's goal of assuring that subjects of investigations are treated fairly.

REASONABLE CARE IN THE USE OF SUPPORT ORGANIZATIONS

An employer should not be totally unaccountable for the activities of others who perform services for it. The Commission believes that an employer should have an affirmative obligation to check into the modus operandi of any investigative firm it uses or proposes to use, and that if an employer does not use reasonable care in selecting or using such an organization, it should not be wholly absolved of responsibility for the organization's actions. Currently, the responsibility of an employer for the acts of an investigative firm whose services it engages depends upon the degree of control the employer exercises over the firm. Most investigative reporting agencies are independent contractors who traditionally reserve the authority to determine and assure compliance with the terms of their contract. Thus, under the laws of agency, an employer may be absolved of any liability for the illegal acts of an investigative firm if those acts are not required by the terms of the contract.36 Accordingly, to establish the responsibility of an employer which uses others to gather information about applicants or employees for its own use, the Commission recommends:

Recommendation (5)

That the Federal Fair Credit Reporting Act be amended to provide that each employer and agent of an employer must exercise reasonable care in the selection and use of investigative organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations comply with the Commission's recommendations.

If Recommendation (5) were adopted, and it could be shown that an employer had hired or used an investigative firm with knowledge, either actual or constructive, that the organization was engaging in improper collection practices, such as pretext interviews, an individual or the Federal Trade Commission could initiate action against both the employer and the investigative firm and hold them jointly liable for the investigative firm's actions.

Fairness

Unfair practices can enter into employment record keeping in four main ways: (1) in the kinds of information collected for use in making decisions about individuals; (2) in the procedures used to gather such information; (3) in the procedures used to keep records about individuals accurate, timely, and complete; and (4) in the sharing of information across the variety of record-generating relationships that may be subsumed by the employment relationship.

FAIRNESS IN COLLECTION

When employers ask applicants and employees for more personal information than they need, unfairness may result. The process of selecting among applicants generally involves step-by-step disqualification of applicants on the basis of negative information. Where jobs require routine skills, or where many apply for a few vacancies, items of information that have little to do with job qualifications can become the basis for sifting among otherwise undifferentiated applicants. An arrest or conviction record remote in time or pertinence to the job being sought, or a less-than-honorable military discharge, are items of information that can be used in that way.

The cost of collecting information tends to limit what employers collect, but cost is not an effective deterrent when the item is easily obtained. Moreover, in employment, as well as in other areas in which records influence decisions about individuals, too much deference is often paid to records generated by other institutions. Unwarranted assumptions can be made about the validity and currency of information that other organizations record and disseminate. Questions are seldom asked about how the record came to be. As a result, records created by other institutions for their own decision-making purposes can unfairly stigmatize an individual. In the extreme case, they can set in motion a series of events which permanently exclude an individual from the economic mainstream, condemning him to marginal employment for a lifetime. Again, arrest, conviction, and military discharge records are principal culprits in this regard.

USE OF ARREST INFORMATION

Arrest information raises perplexing questions of fairness. Although the Commission's hearing testimony indicates that many employers no longer use arrest information in their employment decisions, a great many still do.37 The use of arrest information in making employment decisions is questionable for several reasons. An arrest record by itself indicates only that a law enforcement officer believed he had probable cause to arrest the individual for some offense; not that the person committed the offense. For instance, an individual may have been arrested for breaking and entering a building, while further investigation revealed that he had the owner's permission to be in the building. Constitutional standards specify that convictions, not arrests, establish guilt. Thus, denial of employment because of an unproved charge, a charge that has been dismissed, or one for which there has been an adjudication of innocence, is fundamentally unfair.

There is a balance to be struck between society's presumption of innocence until proven guilty and its concern for security. When it has been forced to strike that balance in the past, laws have been enacted declaring that arrests for certain offenses must be considered in choosing among applicants for certain kinds of employment.38 While such action is clearly the obverse of a ban on the use of arrest information in employment decision making, it can be treated as a limit on the collection and use of such information. Accordingly, the Commission recommends:

Recommendation (6):

That except as specifically required by Federal or State statute or regulation, or by municipal ordinance or regulation, an employer should not seek or use a record of arrest pertaining to an individual applicant or employee.

In addition, to give this recommendation force, the Commission further recommends:

Recommendation (7):

That existing Federal and State statutes and regulations, and municipal ordinances and regulations, which require an employer to seek or use an arrest record pertaining to an individual applicant or employee be amended so as not to require that an arrest record be sought or used if it is more than one year old and has not resulted in a disposition; and that all subsequently enacted statutes, regulations, and ordinances incorporate this same limitation.

Where an indictment is outstanding, Recommendations (6) and (7) would allow an employer to use it, even if a year had passed without disposition of the charge. Without the limitation Recommendation (7) would impose, however, the use of an arrest record is doubly unfair in that the information is untimely as well as incomplete. Because of rules requiring that cases be dropped if there is not a speedy trial and because the prosecution frequently drops cases where it does not have sufficient evidence to bring them to trial, the record of such cases may remain without disposition, and therefore be incomplete.

OCCUPATIONAL LICENSING

Many jurisdictions have occupational licensing laws that require an applicant to be of good moral character, the definition of good moral character being left to administrative boards or the courts to determine.39 Commonly, these bodies define an arrest record as pertinent to assessing moral character. The Commission obviously believes that an arrest record per se is an uncertain indicator of character; that if arrest records are to be sought, the language of the statute or regulation should specifically state both the type of occupation for which such information is necessary and the type of offense that is relevant to the required assessment of moral fitness. To do otherwise, in the Commission's view, is to invite unfair discrimination. Accordingly, the Commission recommends:

Recommendation (8):

That legislative bodies review their licensing requirements and amend any statutes, regulations, or ordinances to assure that unless arrest records for designated offenses are specifically required by statute, regulation, or ordinance, they will not be collected by administrative bodies which decide on an individual's qualifications for occupational licensing.

THE LAW ENFORCEMENT ASSISTANCE ADMINISTRATION ROLE

The Commission believes that it will be difficult to stop the inappropriate use of arrest information in employment decision making unless the dissemination of such information by law enforcement agencies and criminal justice information systems is restricted. Although no national policy or Federal legislation deals comprehensively with the collection, storage, and dissemination of criminal justice information by law enforcement authorities, some State laws do, and a start in the direction of formulating a national policy has been made. The Omnibus Crime Control and Safe Streets Act of 1968, as amended in 1973, contains some loose protections against unfair uses of records in State criminal justice information systems. It specifies that if arrest information is maintained, disposition information should also be maintained where feasible; that there should be reasonable procedures for assuring the accuracy of the information maintained and disseminated; that the subject of the information should be allowed to review it and challenge its accuracy; and that the information should only be used for lawful purposes. [42 U.S. C. 3771(b)] Even with this statute, however, and the Law Enforcement Assistance Administration regulations implementing it [28 C.F.R. 20.21], criminal histories are still too readily available to employers. Criminal justice information systems at State and local levels frequently do not have the capacity to disseminate only conviction information or records of arrest for specific offenses. Few are able to update arrest and disposition information promptly. The systems as they have developed often are incapable of making fine-grained distinctions between an arrest with pending disposition and one which has been recently dismissed. Thus, while it is feasible to correct information in a system after a year or so, the status of an arrest may be inaccurately recorded during the intervening period.

The Commission has not found a solution to this problem, but believes that the Law Enforcement Assistance Administration can and should do so. Accordingly, the Commission recommends:

Recommendation (9):

That the Law Enforcement Assistance Administration study or, by its grant or contract authority, designate others to study, alternative approaches to establishing within State and local criminal justice information systems the capacity to limit disclosures of arrest information to employers to that which they are lawfully required to obtain, and to improve the system's capacity to maintain accurate and timely information regarding the status of arrests and dispositions.

RETENTION OF ARREST INFORMATION

Because of the stigma attached to having an arrest record, and because arrest information is primarily used in hiring, the Commission believes that no employer should keep an arrest record on an individual after he is hired, unless there is an outstanding indictment or conviction. Accordingly, the Commission recommends:

Recommendation (10):

That when an arrest record is lawfully sought or used by an employer to make a specific decision about an applicant or employee, the employer should not maintain the record for a period longer than specifically required by law, if any, or unless there is an outstanding indictment.

CONVICTION RECORDS

The problems conviction records present in employment decision making are different from those presented by arrest information. A conviction is a societal judgment on the actions of an individual. Unlike arrest information, a conviction record is not incomplete.

Federal and State laws sometimes require employers to check the conviction records of applicants for jobs in particular industries. Banks, for example, are required by the Federal Deposit Insurance Corporation to have the FBI check every job applicant for conviction of crimes involving dishonesty or breach of trust. [17 C.F.R. 240.17 f -21 Similarly, the Department of Transportation requires the trucking industry to find out whether a would-be driver has been convicted of reckless driving. [49 C.F.R. 391.271 The Bureau of Narcotics and Dangerous Drugs requires drug manufacturers to check the conviction records of all job applicants. [21 C.F.R. 1301.90, 1301.93]

Nevertheless, uneasiness among employers about the relevance of conviction records to employment decisions is growing. Some employers have stopped collecting them;40 others have reworded their application forms to inquire only about convictions relevant to the position for which an individual is applying. For example, the J.C. Penney Company now asks an applicant to list only convictions for crimes involving a breach of trust.41 Other employers specify felonies only or exclude traffic offenses, and some ask applicants to list only felonies committed during the past five years.42

Thus, to encourage employers to take steps voluntarily to protect individuals against unfair uses of conviction records in employment decision making, the Commission recommends:

Recommendation (11):

That unless otherwise required by law, an employer should seek or use a conviction record pertaining to an individual applicant or employee only when the record is directly relevant to a specific employment decision affecting the individual.

RETENTION OF CONVICTION RECORDS

Once conviction information has been collected and used in making a particular decision, retaining it raises still another fairness issue. The Commission has recommended that arrest-record information be destroyed after use, but the need for conviction information may recur, as when an employee is being considered for bonding or a position of trust. For the employer to have to seek the same information again and again would inconvenience both employee and employer.

Two witnesses before the Commission, IBM and General Electric, testified that they request conviction information on a perforated section of the application form. The personnel department tears off this segment and either seals it or maintains it separately from the individual's personnel file before circulating the form to potential supervisors.43 Thus, conviction information is not available in making decisions except when it is specifically required. The Commission believes this practice is a sound one, and thus, recommends:

Recommendation (12):

That where conviction information is collected, it should be maintained separately from other individually identifiable employment records so that it will not be available to persons who have no need for it.

MILITARY-RECORD INFORMATION

SPN Codes. The use some employers make of military discharge records, and of the administrative codes found on the Department of Defense (DOD) form known as the "DD-214," raises still another set of fairness issues. Of particular concern is the use of the separation program number (SPN) codes that the DOD assigned to all dischargees beginning in 1953. These codes may indicate many things, including an individual's sexual proclivities, psychiatric disorders, discharge to accept public office, or status as sole surviving child. The DOD uses them in preparing administrative and statistical reports and in considering whether an individual should be permitted to re-enlist. The Veterans Administration uses them to determine eligibility for benefits. Employers, however, also use them, and in the employment context they can do a great deal of harm.

SPN codes are frequently assigned on the basis of subjective judgments which are difficult for the dischargee to challenge. Until recently, the codes had different meanings in each branch of service, and they have been changed several times, leaving them prone to misinterpretation by employers not possessing the proper key. (Although employers are not supposed to know what the SPN codes mean, many have found out as a result of leaks from the agencies authorized to have them.) 44

In 1974, the DOD tried to stop unfair use of SPN codes by leaving them off its forms and offering anyone discharged prior to 1974 an opportunity to get a new form DD-214 without a SPN code. This solution has several defects. For one thing, not all pre-1974 dischargees know of the reissuance program. For another, a pre-1974 DD-214 without a SPN code may raise a canny employer's suspicion that the applicant had the SPN code removed because he has something to hide.

Inasmuch as this problem still seems to be a significant one, the Commission believes that the DOD should reassess its SPN code policy. The Department might consider issuing new DD-214 forms to all dischargees whose forms presently include SPN codes. Although such a blanket reissuance could be costly, without it employers will continue to draw negative inferences from the fact that an individual has exercised his option to have the SPN code removed. In any case, SPN code keys should stay strictly within the DOD and the Veterans Administration.

Issuing new DD-214s and tightening code key disclosure practices, however, will not resolve the problem if employers can continue to require that dischargees applying for jobs authorize the release of the narrative descriptions in their DOD records. The most effective control over this information would be a flat prohibition on its disclosure to employers, even when the request is authorized by the applicant. This would have to be done in such a way as not to preclude individuals from requesting narrative descriptions from the DOD for their own purposes, since they are entitled to do so under the Privacy Act.45

Military Discharge Records. The military discharge system, as it works today, still influences employment opportunities. There are five types of discharges: honorable, general, other than honorable, bad conduct, and dishonorable. General and other than honorable discharges are products of an administrative process which usually includes the right to a hearing before a board and a subsequent right of administrative appeal. Bad conduct and dishonorable discharges, on the other hand, are only given after a full court-martial.

In practice, it appears that employers tend to disregard the distinction between the administrative discharge and discharges resulting from courts-martial.46 Thus, any discharge except an honorable one can be the ticket to a lifetime of rejected job applications. Nor is that accidental. The DOD has intentionally linked discharge status to future employment as an incentive to good behavior while in the service.47

It can be argued that military service is just another kind of employment, and that discharge information is no different from information about any other past employment which applicants routinely release to prospective employers. Military service and civilian employment are not, however, comparable, since few civilian jobs involve supervision of almost every aspect of an employee's life.

On March 28, 1977, the Secretary of Defense announced a program for reviewing Viet Nam era discharges. It applies to two categories of individuals: (1) former servicemen who were discharged during the period August 4. 1964 to March 28, 1973, and who, if enlisted, received an undesirable or general discharge, or if an officer received a general or other than honorable discharge; and (2) servicemen in administrative desertion status whose period of desertion commenced between August 4, 1964 and March 28, 1973, and who meet certain other criteria. The discharge review portion of this program gives eligible veterans six months to apply for possible upgrading if positive service or extenuating personal circumstances appear to warrant it. The program aims at adjusting inequities that occurred during a particularly troubled period in our nation's history. It does not, however, address all the problems mentioned above. It does not extend to veterans with honorable discharges that carry possibly stigmatizing SPN codes. Nor does it apply to anyone separated from service with a general or undesirable discharge after March 28, 1973, although the normal channels for administrative review of such discharges are open to such individuals.

Thus, despite this welcome initiative, the Commission recommends:

Recommendation (13):

That Congress direct the Department of Defense to reassess the extent to which the current military discharge system and the administrative codes on military discharge records have needless discriminatory consequences for the individual in civilian employment and should, therefore, be modified. The reassessment should pay particular attention to the separation program number (SPN) codes administratively assigned to dischargees so as to determine how better to limit their use and dissemination, and should include a determination as to the feasibility of:

(a) issuing new DD-214 forms to all dischargees whose forms currently include SPN numbers;

(b) restricting the use of SPN codes to the Department of Defense and the Veterans Administration, for designated purposes only; and

(c) prohibiting the disclosure of codes and the narrative descriptions supporting them to an employer, even where such disclosure is authorized by the dischargee.

NOTICE REGARDING COLLECTION FROM THIRD PARTIES

The background check is the most common means of verifying or supplementing information an employer collects directly from an applicant or employee. Some employers have their own background investigators,48 but many hire an outside firm. The practices of private investigative firms are discussed in detail in Chapter 8. The discussion here focuses on the employer's responsibility when it conducts such an investigation itself, or hires a firm to do so in its behalf.

A background check may do no more than verify information provided by an applicant. It may, however, seek out additional information on previous employment, criminal history, life style, and personal reputation. The scope of such a background check depends on what the employer asks for, how much it is willing to pay, and the character of the firm hired to conduct the investigation. The Fair Credit Reporting Act (FCRA) protects the subject of certain types of pre-employment investigations by providing ways for him to keep track of what is going on and contribute to the investigative process. The Act's protections, however, do not extend to many applicants and employees, and the FCRA pre-notification requirement and the right of access the Act affords an individual to investigative reports are both too limited.

The FCRA requires that an individual be given prior notice of an employment investigation, but only if the investigation relates to a job for which he has formally applied and only if the employer retains outside help for the investigation. It does not require that an individual be told the name of the investigating firm, the types of information that will be gathered, the techniques and sources that will be used, or to whom information about him may be disclosed without his authorization. Furthermore, there is no requirement that the individual be notified if the information is or may be retained by the investigative agency and perhaps used by it in whole or in part during subsequent investigations it conducts for other employers or other users. Nor does the Act, as a practical matter, give an individual an opportunity to prevent the investigation, to suggest alternative sources, or to contradict the investigative agency's interpretation of what it discovers about him. The Act does require that an applicant be told when an adverse decision has been based on information in an investigative report and that he be given a chance to learn the nature and substance of the report, but these requirements only apply in situations where prior notice of the investigation is also required. [15 U.S.C. 1681d, g] That is, an individual need not be told anything if he has not applied for the job or promotion that has prompted the investigation, or if the investigation was conducted by the employer rather than by an outside firm. Thus, to strengthen the notice requirements of the FCRA as they protect individuals being investigated it connection with employment decisions, the Commission recommends:

Recommendation (14):

That the Federal Fair Credit Reporting Act be amended to provide that an employer, prior to collecting, or hiring others to collect, from sources outside of the employing organization the type of information generally collected in making a consumer report or consumer-investigative report (as defined by the Fair Credit Reporting Act) about an applicant, employee, or other individual in connection with an employment decision, notify the applicant, employee, or other individual as to:

(a) the types of information expected to be collected about him from third parties that are not collected on an application, and, as to information regarding character, general reputation, and mode of living, each area of inquiry;

(b) the techniques that may be used to collect such types of information;

(c) the types of sources that are expected to be asked to provide each type of information;

(d) the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed;

(e) the procedures established by statute by which the individual may gain access to any resulting record about himself;

(f) the procedures whereby the individual may correct, amend, or dispute any resulting record about himself; and

(g) the fact that information in any report prepared by a consumer-reporting agency (as defined by the Fair Credit Reporting Act) may be retained by that organization and subsequently disclosed by it to others.

If Recommendation (14) were adopted, the current FCRA enforcement mechanisms would apply to employers who do their own investigations, as well as to investigative agencies. Employers argue that not letting a candidate for a job or promotion know he is being investigated protects him from disappointment. In the Commission's view, that argument is overridden by considerations of fairness to the individual. The purpose of requiring a notice of investigation is to alert an individual before information about him is collected. The purpose of requiring specific items in the notice is to apprise the individual of the extent of the intrusion. The purpose of the notice regarding access, correction, and amendment procedures is to assure that applicants and employees know that these rights exist and how to exercise them.

NOTICE As COLLECTION LIMITATION

The anticipated benefits of Recommendation (14) for the individual would be negated if an employer deviated from its notification. Moreover, many employers depend on investigative-reporting agencies whose collection practices could go considerably beyond what is stated in such a notice. Thus, to guard against these possibilities, the Commission recommends:

Recommendation (15):

That the Fair Credit Reporting Act be amended to provide that an employer limit:

(a) its own information collection and disclosure practices to those specified in the notice called for in Recommendation (14); and

(b) its request to any organization it asks to collect information on its behalf to information, techniques, and sources specified in the notice called for in Recommendation (14).

Like the notice recommendation itself, the existing Fair Credit Reporting Act enforcement mechanisms would be available to individuals when the limitations on notice have been exceeded either by employers or investigative firms. Consequently, an applicant or employee would be able to pursue Fair Credit Reporting Act remedies when an employer or investigative firm collected information from third parties or used techniques of collection other than as stated in the notice. Also, if an individual finds that the consumer investigative report has information beyond that specified in the notice, he should be able to have it deleted from his record.

AUTHORIZATION STATEMENTS

In many instances an employer must have an applicant or employee's permission before it can get personal information about him from other persons or institutions. In general, physicians and hospitals do not disclose individually identifiable information about a patient without the patient's specific written authorization. As a consequence of the Family Educational Rights and Privacy Act of 1974 (see Chapter 10), educational institutions no longer respond to an employer's inquiries about a current or former student without the individual's consent. Testimony before the Commission indicates that employers themselves are becoming reluctant to disclose information about their former employees to other employers. 49

Nonetheless, many employers' job application forms still include a release which the applicant must sign, authorizing the employer to acquire information from organizations or individuals that have a confidential relationship with the applicant. 50 Or, as noted in Chapter 8, an investigative firm may require that the employer get releases from employees to facilitate its inquiries on the employer's behalf. As in the insurance area, these authorizations are usually broad; and few warn that the information collected could be retained and reported to subsequent clients of the investigative firm.

When any authorization or waiver of confidentiality is sought from an applicant or employee, fairness demands that it be limited both in scope and period of validity. It should bear the date of signature and expire no more than one year from that date. It should be worded so that the individual who is asked to sign it can understand it, and should specify the persons and institutions to whom it will be presented and the information that each will be asked for, together with the reasons for seeking the information.

Requiring this degree of specificity in authorizations should not unduly hamper legitimate investigations and will go far to improve the quality of the personal information held not only by investigative firms and employers, but by other keepers of individually identiftable information as well. Accordingly, the Commission recommends:

Recommendation (16):

That no employer or consumer-reporting agency (as defined by the Fair Credit Reporting Act) acting on behalf of an employer ask, require, or otherwise induce an applicant or employee to sign any statement authorizing any individual or institution to disclose information about him, or about any other individual, unless the statement is:

(a) in plain language;

(b) dated;

(c) specific as to the individuals and institutions he is authorizing to disclose information about him who are known at the time the authorization is signed, and general as to others whose specific identity is not known at the time the authorization is signed;

(d) specific as to the nature of the information he is authorizing to be disclosed;

(e) specific as to the individuals or institutions to whom he is authorizing information to be disclosed;

(f) specific as to the purpose(s) for which the information may be used by any of the parties named in (e) at the time of the disclosure; and

(g) specific as to its expiration date which should be for a reasonable period of time not to exceed one year.

It should be noted that the necessary generality permitted by parts of Recommendation (16) need not apply to an employer that obtains an authorization from an applicant, employee, or former employee permitting it to release confidential information to others. In that case, the authorization form can and should be specific as to what information may be disclosed, to whom, and for what purpose.

FAIRNESS IN USE

ACCESS TO RECORDS

Fairness demands that an applicant or employee be permitted to see and copy records an employer maintains about him. Allowing an employee to see and copy his records can be as advantageous to the employer as to the employee. As discussed earlier, employment records in the private sector are generally regarded as the property of management.51 Except where limited by State statute, as in Maine52 and California,53 or where controlled by collective-bargaining agreements, all the rights of ownership in employment records vest in the employer. Although many firms permit, and some even encourage, employees to review at least some of the records kept about them, there is no generally accepted rule.54 Where records are factual, e.g., benefit and payroll records, or where they are the sole basis for making a decision about an individual, such as in a seniority system, the advantages of employee access to assure accuracy are rarely disputed. However, many employers do not give their employees access to promotion tables, salary schedules, and test scores. Some employers believe that employee access to information may weaken their position when they are potentially in an adversary relationship with an employee, e.g., in a dispute regarding a claim for benefits. Most employers do not want employees to have access to information they believe requires professional interpretation, such as medical records and psychological tests. In addition, employers are reluctant to give employees access to information supplied by sources requesting an assurance of confidentiality. While testimony before the Commission suggests that this last problem is diminishing as reliance on references diminishes,55 in the academic community, where candidates for tenure are traditionally evaluated by unidentified peers, concern about access to letters of references is great.56

Although union contracts rarely address the access issue, where formal grievances are filed, the records supporting management's decisions must, by law, be shared with the union and with the grievant. Also, certain information, such as seniority, salary, and leave, must be posted.57 Unions have won access to particular records in specific circumstances by arbitration, and even where there is no union some employers have grievance and arbitration procedures. Without a union, however, employees who complain of violations of an internal policy on employee access to records have little protection from reprisals and no right of appeal if their complaints are ignored.

Furthermore, a right to see, copy, and request correction or amendment of an employment record is of little value, so long as an employer is free to designate which records will be accessible and to determine the merits of any dispute over accessibility or record content. Nonetheless, a well-considered access policy, consistently carried out, is strong evidence of an employer's commitment to fair practice protections for personal privacy. Such a policy gives an employee a way to know what is in records kept about him, to assure that they are factually accurate, and to make reasoned decisions about authorizing their disclosure outside the employing organization.

While recognizing that periodic evaluations of employee performance contain subjective information developed by the employer for its own use, the Commission believes that employees should have a right of access to those records also. Many employers do, in fact, share performance evaluations with their employees, as guidance on how to improve performance is generally regarded as one of the more important functions of these evaluations.58 The employee's interest in these records is obvious, since negative evaluations can deny an employee opportunities for promotion or placement. They may also disqualify him from entering the pool of employees from which such selections are made. Furthermore, records pertaining to employee performance are usually maintained in individually identifiable form and could be disclosed in that form to outside requestors.

When it comes to evaluations of an employee's potential, however, the testimony suggests that the resulting records frequently are not shared with employees.59 The Commission finds it difficult to justify the difference in treatment. Performance evaluations and evaluations of potential are intimately related. Moreover, where an employee does not have access to both, supervisors can evaluate an employee one way to his face and another way behind his back, so to speak, making it impossible for him to assess his standing.

The Commission recognizes a valid difference between performance and potential evaluations when a separate set of records pertains to employees thought to have a high potential for advancement. Since such records are mainly a long-range planning tool of management, employees should not necessarily have a right to see and copy them, whether or not they are maintained in individually identiftable form. The mere existence of such records, however, should not be kept secret from employees.

Another type of evaluation record an employer might justifiably withhold from an employee is the security record concerning an ongoing or concluded investigation into suspected employee misconduct. Although employees have a right to know that their employer maintains security records, a general right to see, copy, and request correction of such records would seriously handicap security investigations. Nonetheless, as the Commission contends later in this chapter, access should be allowed to any information from a security record that is transferred to an individual's personnel file.

The Commission strongly believes that employees should be able to see and copy most employment records. If an individual cannot conveniently do this in person, he should be able to arrange to do so by mail or telephone, provided the employer takes reasonable care to assure itself of the identity of the requestor. Nonetheless, as the Commission has already emphasized, to legislate a right of access to records without a more general scheme of rights to protect the employee who exercises it could be futile. When the employee-employer relationship is defined by collective bargaining, access to records is an obvious topic for contract negotiation and the resulting provisions would then be binding on the parties. When, however, employee access rights are not defined by contract, or enforceable by a government agency with rule-making powers, individual employees are in a poor position to resist their employer's refusal to honor their access and correction rights. As indicated earlier, there were differences within the Commission as to whether such a right need be a right without a remedy, and thus a right that should not be legislated. Recognizing that employers have discretion to determine which records they will make available to their employees, the Commission believes that employers should develop and promulgate access and correction policies voluntarily. Accordingly, the Commission recommends:

Recommendation (17):

That as a matter of policy an employer should

(a) designate clearly:

(i) those records about an employee, former employee, or applicant for employment (including any individual who is being considered for employment but who has not formally applied) which the employer will allow such employee, former employee, or applicant to see and copy on request; and

(ii) those records about an employee, former employee, or applicant which the employer will not make available to the employee, former employee, or applicant,

except that an employer should not designate as an unavailable record any recorded evaluation it makes of an individual's employment performance, any medical record or insurance record it keeps about an individual, or any record about an individual that it obtains from a consumer-reporting agency (as defined by the Fair Credit Reporting Act), or otherwise creates about an individual in the course of an investigation related to an employment decision not involving suspicion of wrongdoing;

(b) assure that its employees are informed as to which records are included in categories (a)(i) and (ii) above; and

(c) upon request by an individual applicant, employee, or former employee:

(i) inform the individual, after verifying his identity, whether it has any recorded information pertaining to him that is designated as records he may see and copy; and

(ii) permit the individual to see and copy any such record(s), either in person or by mail; or

(iii) apprise the individual of the nature and substance of any such record(s) by telephone; and

(iv) permit the individual to use one or the other of the methods of access provided in (c)(ii) and (iii), or both if he prefers,

except that the employer could refuse to permit the individual to see and copy any record it has designated as an unavailable record pursuant to (a)(ii), above.

ACCESS TO INVESTIGATIVE REPORTS

The Fair Credit Reporting Act requirement that an employer notify an individual when information in an investigative report was the basis for an adverse employment decision about him is inadequate. That an individual, so notified, can go to the investigative-reporting agency that made the report and demand to know what information is in it gives him some protection. [15 U.S.C. 1681h] The Commission believes, however, that in employment, as in insurance, the subject of an investigative report should have an affirmative right to see and copy it, and to correct, amend, or dispute its contents. When corrections, amendments, or dispute statements are entered into a report by an employer, it should so inform the investigative-reporting agency so that its records may also be altered. Finally, it is important for an individual to be notified in advance of his right to see, copy, correct, amend, or dispute a proposed report, and of the procedures for so doing.

The Commission's recommendations in Chapter 5 on the insurance relationship specify that the subject of an investigation has a right to see and copy, in two places, the report prepared by a support organization in connection with an underwriting investigation: at the office of the insurer that ordered it, and at the office of the firm that prepared it. Hence, the Commission does not recommend that the insurer or investigative agency routinely provide the individual with a copy of the report, either before or after using it to make a decision about him. To do so would be costly because of the volume of reports insurers order, many of which do not result in adverse decisions, and because Insurance Recommendation (13) on adverse underwriting decisions, would immediately expose a report that did result in such a decision.

In the employment context, however, several considerations urge a different approach. First, all the evidence available to the Commission indicates that there are far fewer investigative reports prepared on job applicants and employees than on insurance applicants.60 Second, the Commission's recommendations on employment records provide no guarantee that an employee will be able to see and copy an investigative report on himself that remains in an employer's files after he is hired, even though the report could become the basis for an adverse action in the future. Third, while the Commission considered tying a see-and-copy right to the making of an adverse employment decision, it rejected the proposal because the relationship between items of information and employment decisions is not always clear enough to make such a right meaningful. Fourth, it seemed to the Commission that for a rejected applicant to exercise a see-and-copy right would be awkward at best.

Hence, to balance an employer's legitimate need to collect information on applicants and employees through background checks against the procedural protections needed to insure fairness to the individual in making such investigations and using the information so acquired, the Commission recommends:

Recommendation (18):

That the Fair Credit Reporting Act be amended to provide:

(a) that an applicant or employee shall have a right to:

(i) see and copy information in an investigative report maintained either by a consumer-reporting agency (as defined by the Fair Credit Reporting Act) or by the employer that requested it; and

(ii) correct, amend (including supplement), or dispute in writing, any information in an investigative report maintained either by a consumer-reporting agency (as defined by the Fair Credit Reporting Act) or by the employer that requested it;

(b) that an employer must automatically inform a consumer-reporting agency (as defined by the Fair Credit Reporting Act) of any correction or amendment of information made in an investigative report at the request of the individual, or any other dispute statement made in writing by the individual; and

(c) that an employer must provide an applicant or employee on whom an investigative report is made with a copy of that report at the time it is made by or given to the employer.

ACCESS TO MEDICAL RECORDS

The medical records an employer maintains differ significantly in character and use from the other records created in the employee-employer relationship. Responsibility for giving physical examinations to determine possible work restrictions and for serving as primary medical-care providers is falling ever more heavily on employers, giving them increasingly extensive medical files on their employees. These records, and opinions based on them, may enter into employment decisions, as well as into other types of non-medical decisions about applicants and employees. Hence, the Commission believes that access to them should be provided in accordance with the Commission's recommendations on medical records and medical-record information in Chapter 7. That is, when an employer's relationship to an applicant, employee, or former employee is that of a medical-care provider,61 the Commission recommends:

Recommendation (19):

That, upon request, an individual who is the subject of a medical record maintained by an employer, or another responsible person designated by the individual, be allowed to have access to that medical record, including an opportunity to see and copy it. The employer should be able to charge a reasonable fee (not to exceed the amount charged to third parties) for preparing and copying the record.

However, when the employer's relationship to an applicant, employee, or former employee is not that of a medical-care provider, the Commission recommends:

Recommendation (20):

That, upon request, an individual who is the subject of medical-record information maintained by an employer be allowed to have access to that information either directly or through a licensed medical professional designated by the individual.

In Chapter 7, where the rationale for these recommendations is presented in detail, "medical-record information" is defined as:

Information relating to an individual's medical history, diagnosis, condition, treatment, or evaluation obtained from a medical-care provider or from the individual himself or from his spouse, parent, or guardian, for the purpose of making a non-medical decision about the individual.

As to Recommendation (19), the Commission would urge that if a State enacts a statute creating individual rights of access to medical records pursuant to Recommendation (2) in Chapter 7, it encompass within the statute medical records maintained by an employer whose relationship to applicants, employees, or former employees is that of a medical-care provider.

ACCESS TO INSURANCE RECORDS

In their role as providers or administrators of insurance plans, employers maintain insurance records on employees and former employees and their dependents. Since the considerations governing access to these records are largely the same as when the records are maintained by an insurance company, the Commission believes that employer policy on access to them by the individuals to whom they pertain should be consistent with the recommendation on access in Chapter 5. Accordingly, the Commission recommends:

Recommendation (21):

That an employer that acts as a provider or administrator of an insurance plan, upon request by an applicant, employee, or former employee should:

(a) inform the individual, after verifying his identity, whether it has any recorded information about him that pertains to the employee's insurance relationship with him;

(b) permit the individual to see and copy any such recorded information, either in person or by mail; or

(c) apprise the individual of the nature and substance of any such recorded information by telephone; and

(d) permit the individual to use whichever of the methods of access provided in (b) and (c) he prefers.

The employer should be able to charge a reasonable copying fee for any copies provided to the individual. Any such recorded information should be made available to the individual, but need not contain the name or other identifying particulars of any source (other than an institutional source) of information in the record who has provided such information on the condition that his or her identity not be revealed, and need not reveal a confidential numerical code.

It should be noted that this recommends ion as it would apply to insurance institutions (see Chapter 5) would not apply to any record about an individual compiled in reasonable anticipation, of a civil or criminal action, or for use in settling a claim while the claim remains unsettled. After the claim is settled, the recommendation would not apply to any record compiled in relation to a a third-party claimant (i.e., a claimant who is not an insured, policy owner, or principal insured), except as to any portion of such a record which is disseminated or used for a purpose unrelated to processing the claim.

Inasmuch as this recommendation and Recommendation (25)below, are proposed for voluntary adoption by employers, it should be noted that there is a gap in the Commission's recommendations regarding records generated in the insurance relationship (Chapter 5) and that it may affect a substantial number of individuals, given the proportion of the workforce currently insured under employer-provided or employer-administered group plans. Thus, while the Commission hopes that employers will voluntarily adopt Recommendation (21) and (25), it also hopes that because their adoption must be voluntary, employers will not seize on self-administered insurance plans as a way of avoiding the statutory access and correction requirements recommended for insurance records in Chapter 5.

As to medical-record information maintained by an employer as a consequence of its insurance relationship with an individual employee or former employee, the Commission's intention is that Recommendation (20) apply.

CORRECTION OF RECORDS

Any employee who has reason to question the accuracy, timeliness, or completeness of records his employer keeps about him should be able to correct or amend those records. Furthermore, the procedures for correcting or amending employment records should conform to those recommended in other chapters of this report. For example, when an individual requests correction or amendment of a record, the employer should notify persons or organizations to whom the erroneous, obsolete, or incomplete information has been disclosed within the previous two years, if the individual so requests. When the information came from a consumer-reporting agency (as defined by the Fair Credit Reporting Act), any corrections should routinely be passed on to that agency so that its records on an applicant or employee will also be accurate. When the employer rejects the requested correction or amendment, fairness demands that the employer incorporate the employee's statement of dispute into the record and pass it along to those to whom the employer subsequently discloses the disputed information, as well as to those who need to know the information is disputed in order to protect the individual from unfair decisions being made on the basis of it. Moreover, if an employer attempts to verify allegedly erroneous, obsolete, or incomplete information in a record, it should limit its investigation to the particular items in dispute.

The Commission does not intend that the correction or amendment procedures alter any existing retention periods for records or require employers to keep an accounting of every disclosure made to a third party. However, when an employer does keep an accounting of disclosures to third parties, for whatever purpose, it should let an employee use it in deciding to whom corrections, amendments, or dispute statements should be forwarded. Accordingly, the Commission recommends:

Recommendation (22):

That, except for a medical record or an insurance record, or any record designated by an employer as an unavailable record, an employer should voluntarily permit an individual employee, former employee, or applicant to request correction or amendment of a record pertaining to him; and

(a) within a reasonable period of time correct or amend (including supplement) any portion thereof which the individual reasonably believes is not accurate, timely, or complete; and

(b) furnish the correction or amendment to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically to any consumer-reporting agency (as defined by the Fair Credit Reporting Act) that furnished theinformation corrected or amended; or

(c) inform the individual of its refusal to correct or amend the record in accordance with his request and of the reason(s) forthe refusal; and

(i) permit an individual who disagrees with the refusal to correct or amend the record to have placed on or with the record a concise statement setting forth the reasons for his disagreement;

(ii) in any subsequent disclosure outside the employing organization containing information about which the individual has filed a statement of dispute, clearly note any portion of the record which is disputed, and provide a >copy of the statement along with the information being disclosed; and

(iii) furnish the statement to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to any consumer-reporting agency (as defined by the Fair Credit Reporting Act) that furnished the disputed information; and

(d) limit its reinvestigation of disputed information to those record items in dispute.

The procedures for correcting and amending insurance and medical records which the Commission recommends in Chapters 5 and 7 should be voluntarily adopted by employers who maintain such records. Thus, with respect to a medical record maintained by an employer whose relationship to an employee is that of a medical-care provider, the Commission recommends:

Recommendation (23):

That an employer establish a procedure whereby an individual who is the subject of a medical record maintained by the e' plover can request correction or amendment of the record. When the individual requests correction or amendment, the employer should, within a reasonable period of time, either:

(a) make the correction or amendment requested, or

(b) inform the individual of its refusal to do so, the reason for the refusal, and of the procedure, if any, for further review of the refusal.

In addition, if the employer decides that it will not correct or amend a record in accordance with the individual's request, the employer should permit the individual to file a concise statement of the reasons for the disagreement, and in any subsequent disclosure of the disputed information include a notation that the information is disputed and the statement of disagreement. In any such disclosure, the employer may also include a statement of the reasons for not making the requested correction or amendment.

Finally, when an employer corrects or amends a record pursuant to an individual's request, or accepts a notation of dispute and statement of disagreement, it should furnish the correction, amendment, or statement of disagreement to any person specifically designated by the individual to whom the employer has previously disclosed the inaccurate, incomplete, or disputed information.

As with Recommendation (19), the Commission would urge that if a State enacts a statute creating individual rights regarding the correction of medical records pursuant to Recommendation (2) in Chapter 7, it encompass within the statute medical records maintained by an employer whose relationship to applicants, employees, or former employees is that of a medical-care provider.

In addition, when an employer maintains medical-record information about an individual applicant, employee, or former employee, the Commission recommends:

Recommendation (24):

That notwithstanding Recommendation (22), when an individual who is the subject of medical-record information maintained by an employer requests correction or amendment of such information, the employer should:

(a) disclose to the individual, or to a medical professional designated by him, the identity of the medical-care provider who was the source of the medical-record information;

(b) make the correction or amendment requested within a reasonable period of time, if the medical-care provider who was the source of the information agrees that it is inaccurate or incomplete; and

(c) establish a procedure whereby an individual who is the subject of medical-record information maintained by an employer, and who believes that the information is incorrect or incomplete, would be provided an opportunity to present supplemental information of a limited nature for inclusion in the medical-record information maintained by the employer, provided that the source of the supplemental information is also included.

Although Recommendations (22), (23) and (24) appear complex, they contain only two key requirements:

  • that an individual have a way of correcting, amending, or disputing information in a record about himself; and
  • that the employer to whom the request for correction or amendment is made shall have an obligation to propagate the resulting correction, amendment, or statement of dispute in any subsequent disclosure it makes of the information to certain prior or subsequent recipients.

Finally, with respect to the correction or amendment of insurance records maintained by an employer, the Commission recommends:

Recommendation (25):

That when an employer acts as a provider or administrator of an insurance plan, the employer should:

(a) permit an individual to request correction or amendment of a record pertaining to him;

(b) within a reasonable period of time, correct or amend (including supplement) any portion thereof which the individual reasonably believes is not accurate, timely, or complete;

(c) furnish the correction or amendment to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically, to any insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has systematically received any such information from the employer within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the correction or amendment would not be necessary; and, auto-matically, to any insurance-support organization that furnished the information corrected or amended; or

(d) inform the individual of its refusal to correct or amend the record in accordance with his request and of the reason(s) for the refusal; and

(i) permit an individual who disagrees with the refusal to correct or amend the record to have placed on or with the record a concise statement setting forth the reasons for his disagreement;

(ii) in any subsequent disclosure outside the employing organization containing information about which the individual has filed a statement of dispute, clearly note any portion of the record which is disputed and provide a copy of the statement along with the information being disclosed; and

(iii) furnish the statement to any person or organization specifically designated by the individual who may have, within two years prior thereto, received any such information; and, automatically to an insurance-support organization whose primary source of information on individuals is insurance institutions when the support organization has received any such information from the employer within the preceding seven years, unless the support organization no longer maintains the information, in which case, furnishing the statement would not be necessary; and, automatically, to any insurance-support organization that furnished the disputed information; and

(e) limit its reinvestigation of disputed information to those record items in dispute.

FAIRNESS IN INTERNAL DISCLOSURES ACROSS RELATIONSHIPS

Just as fairness must be a concern of employers when gathering information from external sources, they have a duty to see that information generated within the several discrete relationships subsumed under the broad employee-employer relationship is not shared within the employing organization in ways that are unfair to the individual employee.

As a rule, employers large enough to have separate functional units for personnel, security, insurance, and medical-care operations have voluntarily taken steps to assure that the records each of these units generates are maintained separately and not used improperly. The biggest problems are in small organizations that cannot realistically segregate record-keeping functions. Another potential problem is the impact of technology which could make retrieval of information stored in a common data base by unauthorized persons easier than is currently the case.

PERSONNEL AND PAYROLL RECORDS

As personnel planning and management systems have become more elaborate, so have the personnel files and payroll records an employer keeps on its employees. This is not to say that all employees expect personnel and payroll records to be held in confidence within the employing organization. Some may not; but out of consideration for those who do, the Commission believes that an employer should limit the use of personnel and payroll record information to whatever is necessary to fulfill particular functions. Therefore, the Commission recommends:

Recommendation (26):

That an employer assure that the personnel and payroll records it maintains are available internally only to authorized users and on a need-to-know basis.

SECURITY RECORDS

Security records differ from personnel records in that they frequently must be created without the employee's knowledge. Sometimes the information in them is inconclusive; sometimes the problem that precipitated the security record is not quickly resolved. Nonetheless, an employer may have to keep security records in order to safeguard the workplace or corporate assets. As a rule, employers document any action resulting from security investigations in the individual's personnel file, but do not include the details leading up to the action.62

Security departments usually work with personnel departments in the course of investigating incidents involving employees 63When the security function is separate from the personnel department, however, security records are generally not available to management and are frequently, though not always, filed by incident rather than by name, at least until the case is resolved.64 Since security records maintained apart from personnel records can have little impact on personnel decisions about an employee, and since employee access to security records could substantially hamper legitimate security investigations, allowing the employee to see and copy them while they are being maintained as security records seems hard to justify. If, however, information in the security record of an employee is to be used for other purposes, such as discipline, termination, promotion, or evaluation, fairness demands that the employee have direct access to it. Thus, the Commission, again taking the voluntary approach, recommends:

Recommendation (27):

That an employer:

(a) maintain security records apart from other records; and

(b) inform an employee whenever information from a security record is transferred to his personnel record.

MEDICAL RECORDS AND MEDICAL-RECORD INFORMATION

As indicated earlier, an employer may maintain both medical-record information and medical records: the former as a consequence of requiring it as a condition of employment, placement, or certification to return to work; the latter as a consequence of providing various forms of medical care, including routine physicals. However collected, there is a case for requiring employers to restrict the circulation of medical records and medical-record information outside the medical department. Corporate physicians are sincerely concerned about possible misuses of the records they maintain. No matter how hard they may strive to be independent of the employing organization their allegiance is ultimately to the employer.

Many large employers have procedures that guarantee the confidentiality of medical-record information in all but the most extreme circumstances; and many corporate medical departments only make recommendations for work restrictions, carefully refraining from passing on any diagnosis or treatment details in all but the most extreme circumstances.65 Nevertheless, it is the duty of the corporate physician to tell his employer when he finds in an individual a condition that could negatively affect the interests of the employer or other employees.66 Furthermore, employers rely on corporate physicians for evaluation of an applicant or employee's health in making hiring and placement decisions. A further complication arises if, as often happens, the corporate physician also provides regular medical care for employees outside of the employment context, perhaps functioning as the family doctor.

An employee availing himself of medical services offered by his employer does so at some risk to the traditional confidential relationship between physician and patient, unless great care is taken to insulate that relationship from the usual work-related responsibilities of the medical department. Thus, when a medical department provides voluntary physicals or routine medical care for employees, the resulting records should be maintained separately from the records generated by work-related contacts and should never be used to make work-related decisions. This is a difficult policy to enforce and can work only where management understands and respects the need to separate the compulsory and voluntary functions of the medical department. Thus, the Commission recommends:

Recommendation (28):

That an employer that maintains an employment-related medical record about an individual assure that no diagnostic or treatment information in any such record is made available for use in any employment decision; and

Recommendation (29):

That an employer that provides a voluntary health-care program for its employees assure that any medical record generated by the program is maintained apart from any employment-related medical record and not used by any physician in advising on any employment-related decision or in making any employment-related decision without the express authorization of the individual to whom the record pertains.

INSURANCE RECORDS

Insurance claims records often contain information about medical diagnosis and treatment. This information is given to the employer to meet a need of the employee; that is, to protect the employee against loss of pay due to illness or to arrange for medical bills to be paid. Where an employer either self-insures or self-administers a health-insurance plan, it necessarily maintains a significant amount of information about employees and their families. Some of this information can be useful in making personnel decisions, especially if it gives details of the diagnosis or treatment of a mental condition, a terminal illness, or an illness which drains the emotions of an employee. Testimony before the Commission indicates that many employers guard claims information carefully, apparently understanding how unfair it is to make an employee choose between filing a legitimate insurance claim and jeopardizing future employment.67 Some physicians say, however, that this kind of information is available for use in personnel decision making,68 and there is evidence of its unauthorized use in making decisions unrelated to claims payment.69

In its consideration of insurance institutions and the records they maintain, the Commission saw how important a confidentiality policy is to insureds. It believes that such a policy is no less important when the insurance plan is administered by an employer. Although it may be difficult to segregate insurance claims records completely, fairness demands that the claims process be walled off from other internal functions of the employing organization.

Employment-related insurance, such as disability or sick pay, usually involves the corporate physician in claims processing, as it is his function to evaluate the medical evidence on which the claim is based. Thus, corporate physicians must have access to information about these claims. They do not, however, have to use information thus obtained in making decisions that are unrelated to the claim. If asked for an opinion of a candidate for transfer to a job at a new location, for example, the physician can determine a person's physical capacity by examination without delving into claims records for clues to potential medical problems. Nor should these records influence other employment decisions, such as determinations of tenure, promotion, or termination. Accordingly, the Commission recommends:

Recommendation (30):

That an employer that provides life or health insurance as a service to its employees assure that individually identifiable insurance records are maintained separately from other records and not available for use in making employment decisions; and further

Recommendation (31):

That an employer that provides work-related insurance for employees, such as worker's compensation, voluntary sick pay, or short- or long-term disability insurance, assure that individually identifiable records pertaining to such insurance are available internally only to authorized recipients and on a need-to-know basis.

Expectation of Confidentiality

Employers have regular access to more information about employees than do credit, depository, or insurance institutions; yet there are no legal controls on the disclosure of employment information. The confidentiality of these records is maintained today solely at the discretion of the employer and can be transgressed at any time with no obligation to the individual record subject.

Evidence before the Commission indicates that, although there is no legal requirement for them to do so, private-sector employers tend to protect information about employees against disclosure.70 In part, this is because answering requests for such information can be a substantial administrative burden with no compensating advantage to the employer. In part, it is because employers fear common law actions brought for defamation or invasion of privacy. Such restraints, however, are uneven at best; and there are circumstances under which almost any employer routinely discloses the information in its employee records, as, for example, in response to inquiries from law enforcement authorities.71

The question of how much confidentiality can be expected of employers for information in their employment records is significant. Because of the amount and nature of the information held, the pressures under which it is usually collected, and the diverse circumstances in which it could be used, the creation of an expectation of confidentiality is at least as important in the employee-employer relationship as in any other relationship the Commission studied. Furthermore, while there is generally no valid business-related reason to disclose this information, modem technology, as discussed earlier, is making the process of disclosure much easier than it has been. Thus, the employee needs protection against the disclosure of information outside of the employing organization.

Although employees, as a rule, recognize that employment information will be used within the employing organization for a variety of purposes, and that they cannot be notified of and asked to approve each use, they should be able to assume that this rather free flow will be contained within the boundaries of the employing organization. The expectation that the confidentiality of information about them will be respected as to outside requesters depends en certain assurances en the part of employers.

The Commission believes that an employer has an obligation to inform its employees as specifically as possible of the kinds of information about them that may be disclosed both during and after the employment relationship. This means that at the beginning of the relationship, the employer should tell the applicant or employee what information about him may be disclosed. This communication is essential to protect the individual's right to determine what information he will divulge in case disclosure in some particular quarter could embarrass or otherwise harm him.

NOTICE REGARDING EXTERNAL DISCLOSURES

An employer should notify each applicant and employee of its policies regarding the disclosure of directory information, that is, basic factual information freely given to all third parties. The applicant or employee should also be informed of disclosures that may be made pursuant to statute or collective-bargaining agreements, and of the procedures by which he will be notified of or asked to authorize any other disclosures. Because information may have to be released under subpoena or ether legal process, employees should be assured prior notice of subpoenas where possible in sufficient time to challenge their scope and legitimacy. Chapter 9 on government access to records about individuals examines this problem and recommends placing the notice burden en the party issuing the subpoena.

In sum, the Commission recommends:

Recommendation (32):

That an employer clearly inform all its applicants upon request, and all employees automatically, of the types of disclosures it may make of information in the records it maintains on them, including disclosures of directory information, and of its procedures for involving the individual in particular disclosures.

THE EMPLOYER'S DUTY OF CONFIDENTIALITY

As the first premise of a responsible confidentiality policy, disclosures to any outside entity without the employee's authorization should be prohibited. Exceptions can then be made for directory information, subpoenas, specific statutory requirements, and disclosures made pursuant to collective-bargaining agreements.

Directory Information. Although employers de not, as a rule, object to giving employees some control ever the disclosure of information in records the employer keeps on them, they fear that requiring consent in every instance will be unmanageably burdensome. To alleviate this fear, and in recognition of the fact that most external disclosures of information from employment records are made in the interest of the employee rather than of the employer, the Commission believes that disclosure by an employer of a limited category of factual data without employee authorization can be justified. This category, which the Commission has designated as "directory information," should include only information an employer considers reasonably necessary to satisfy the vast majority of third-party requests. That is, it might include the fact that an individual is or has been employed by the employer, the dates of employment, the individual's present job title or position, and perhaps wage or salary information. This is not to suggest, however, that every employer should freely disclose all of these items. The Commission commends employers whose disclosure policies are even more limiting.

Disclosures for Law Enforcement Purposes. Law enforcement authorities frequently ask employers for information about employees. In addition to the items designated as directory information, they often seek an individual's dates of attendance at work, home address, and, in some cases, personnel and payroll records. Reasonable as it may seem to some to give properly identified law enforcement authorities access to information in employee files, there can be no employee expectation of confidentiality without limits on such access. The Commission's hearing record suggests that most law enforcement requests for information can be met by disclosing directory information, the employee's home address, and specific dates of attendance at work.72 When law enforcement authorities need more extensive information than that, they can obtain it by means of a subpoena or other legal process; requiring them to do so would reinforce realistic expectations of confidentiality for employment records without unduly burdening either law enforcement authorities or employers. It would also allow an employer to give a consistent response to all law enforcement requests.

Conversely, the Commission believes that an employer should remain free to disclose information about an individual applicant, employee, or former employee to law enforcement authorities if it has reason to believe that actions of the individual threaten the employer's property or the safety or security of other employees, or if it suspects an employee of engaging in illegal activities, whether or not those activities relate to his employment. Such disclosures, in the Commission's view, should not be considered violations of an employee's reasonable expectation of confidentiality.

Other Disclosures. In addition to the types of disclosures discussed above, an employer must fulfill the obligations set by its collective-bargaining contracts. When an employer retains an outside agent or contractor to collect information about an employee or group of employees, the employer must be in a position to disclose enough information for the agent or contractor to perform its legitimate functions. The agent or contractor, however, should be prohibited from redisclosing such information, and the employee should be able to find out that it has been disclosed. In addition, when a physician in an employer's medical department, or one retained by the employer, discovers that an employee has a serious medical problem of which he may not be aware, the physician should be free to disclose that fact to the employee's personal physician.

In contrast to its duty of confidentiality recommendations with respect to credit, insurance, and medical-care record keeping, the Commission is not prepared to urge that the employer's duty of confidentiality be established by statute or regulation. The absence of legal barriers to voluntary implementation by an employer, coupled with the fact that the employee-employer relationship is not one in which the record keeper is performing a service for the individual, justifies, in the Commission's view, a voluntary approach. This is not to say that there should be no legislative or regulatory action at all. Chapter 9, on access to records by government agencies, calls for legislating constraints on access to records about individuals when the record keeper is not bound by a statutory duty of confidentiality. In addition, when an employer does perform services for employees or former employees, such as providing life and health-insurance coverage or medical care for employees or former employees who want it, the Commission's recommendations with respect to those types of record-keeping relationships could also be made applicable to employers. Earlier in this chapter, the Commission has suggested how the access and correction rights that would prevail in a normal insurance or medical-care relationship might be applied to an employer by extension. Likewise, the duty of confidentiality recommended for insurers and medical-care providers could be made applicable to employers to the extent that the relationship with an applicant, employee, or former employee mirrors those types of relationships. In the main, however, the Commission believes that the employer's duty of confidentiality, at least with respect to those records that are peculiarly the product of the employment relationship, can be implemented by voluntary compliance reinforced by mutual agreements, such as through collective-bargaining contracts. Accordingly, the Commission recommends:

Recommendation (33):

That each employer be considered to owe a duty of confidentiality to any individual employee, former employee, or applicant about whom it collects information; and that, therefore, no employer or consumer-reporting agency (as defined by the Fair Credit Reporting Act) which collects information about an applicant or employee on behalf of an employer should disclose, or be required to disclose, in individually identifiable form, any information about any individual applicant, employee, or former employee, without the explicit authorization of such individual, unless the disclosure would be:

(a) in response to a request to provide or verify information designated by the employer as directory information, which should not include more than:

(i) the fact of past or present employment;

(ii) dates of employment;

(iii) title or position;

(iv) wage or salary; and

(v) location of job site;

(b) an individual's dates of attendance at work and home address in response to a request by a properly identified law enforcement authority;

(c) a voluntary disclosure to protect the legal interests of the employer when the employer believes the actions of the applicant, employee, or former employee violate the conditions of employment or otherwise threaten physical injury to the property of the employer or to the person of the employer or any of his employees;

(d) to a law enforcement authority when the employer reasonably believes that an applicant, employee, or former employee has been engaged in illegal activities;

(e) pursuant to a Federal, State, or local compulsory reporting statute or regulation;

(f) to a collective-bargaining unit pursuant to a collective-bargaining contract;

(g) to an agent or contractor of the employer, provided:

(i) that only such information is disclosed as is necessary for such agent or contractor to perform its function for the employer;

(ii) that the agent or contractor is prohibited from redisclosing the information; and

(iii) that the individual is notified that such disclosure may be made and can find out if in fact it has been made;

(h) to a physician for the purpose of informing the individual of a medical problem of which he may not be aware; and

(i) in response to a lawfully issued administrative summons or judicial order, including a search warrant or subpoena.

DISCLOSURES OF OSHA RECORDS TO PROSPECTIVE EMPLOYERS

A confidentiality problem mentioned earlier in this chapter derives from the Occupational Safety and Health Act (OSHA), which mandates that an employer provide medical surveillance of employees known to have been exposed to certain hazardous environments or substances. This, of course, requires the employer to keep records of medical examinations and other tests made to find out if a worker's health has been adversely affected. The Commission's hearings showed that some employers have already established procedures for exchanging medical surveillance records of workers known to have had such exposures.73 A worker's former employer may disclose such a record to a prospective employer solely in the interest of continued protection of the worker's health, but the possibility remains that the prospective employer may discriminate against the worker because of its fear that previous hazardous exposure may lead in time to partial or complete disability.

The central problem with these disclosures from one employer to another is that the use of medical surveillance records as a measure of employability is not a use for which the information is collected and thus is inherently unfair. Accordingly, the Commission recommends:

Recommendation (34):

That Congress direct the Department of Labor to review the extent to which medical records made to protect individuals exposed to hazardous environments or substances in the workplace are or may come to be used to discriminate against them in employment. This review should include an examination of the feasibility of:

(a) restricting the availability of records generated by medical examinations and tests conducted in accordance with OSHA requirements for use in making employment decisions; and

(b) establishing mechanisms to protect employees whose health has been affected by exposure to hazardous environments or substances from the economic consequences of employers' decisions concerning their employability.

The Commission's recommendations assign employers an important task: to adopt policies and practices regarding the collection, use, and disclosure of information on applicants, employees, and former employees without being forced to do so by government. Unless each employer has a conscientious program on which applicants and employees can rely to safeguard the records the employer keeps about them, the voluntary approach recommended in this chapter will prove unsuccessful. Thus, a future commission or legislative bodies may have to consider compulsory measures, with all the disadvantages for the employee-employer relationship that would entail.

When asked how he thought industry would respond to guidelines for voluntary compliance in developing policies and procedures on employment record keeping, a witness representing the Ford Motor Company said:

Certainly it has the merit of allowing various corporations to develop guidelines that are appropriate to their situations . . . there is a wide diversity of situations and there are numerous ways by which the principles of privacy could be implemented . . . I would simply want to take a hold on determining whether at some later date legislation is necessary. The suggestion is that we start with the voluntary and determine to what extent the compulsory may be necessary based on experience.74

The Commission shares that view.

Finally, the Commission also believes that its recommendations with respect to the employment relationship, or at least the concepts on which they are based, apply equally to Federal, State, and local governments and their employees.75