Privacy Basics: PPSC Fair Information Practices


In 1977, at the height of the initial controversy over the legality of computer matching, the Privacy Protection Study Commission, charged by the Privacy Act to study privacy issues and recommend future legislation, issued its report: "Personal Privacy in an Information Age." The report is currently out of print and not available online (if you find otherwise, please let us know and we will link to it).

The Commission's report recommended that the Privacy Act be more vigorously enforced, and suggested a number of ways to make the Act more effective. The Commission found that the Privacy Act did not provide the benefits originally expected from its passage. The report included a proposed revision of the Act that clarified ambiguities, provided individuals with broader remedies, and tightened the exemptions. The Commission also recommended that Congress pass additional information privacy legislation to protect personal data held in private sector databases.

The report included a set of voluntary Fair Information Principles for employers collecting personal data for hiring purposes. The Principles remain a useful guide for privacy in general.

1. Disclosures of Personal Employment Data

An employer should limit external disclosures of information in records kept on individual employees, former employees, and applicants; it should also limit the internal use of such records.

2. Individual Access

A. An employer should permit individual employees, former employees, and applicants to see, copy, correct, or amend the records maintained about them, except highly restricted security records, where necessary.

B. An employer should assure that the personnel and payroll records it maintains are available internally only to authorized users and on a need-to-know basis.

3. Informing the Individual

A. An employer, prior to collecting the type of information generally collected about an applicant, employee, or other individual in connection with an employment decision, should notify him/her as to:

(1) the types of information expected to be collected;

(2) the techniques that may be used to collect such information;

(3) the types of sources that are expected to be asked;

(4) the types of parties to whom and circumstances under which information about the individual may be disclosed without his authorization, and the types of information that may be disclosed;

(5) the procedures established by statute by which the individual may gain access to any resulting record about himself;

(6) the procedures whereby the individual may correct, amend, or dispute any resulting records about himself.

B. An employer should clearly inform all its applicants upon request, and all employees automatically, of the types of disclosures it may make of information in the records it maintains on them, including disclosures of directory information, and of its procedures for involving the individual in particular disclosures.

4. Authorizing Personal Data Collection

No employer should ask, require, or otherwise induce an applicant or employee to sign any statement authorizing any individual or institution to disclose information about him, or about any other individual, unless the statement is:

(1) in plain language;

(2) dated;

(3) specific as to the individuals and institutions he is authorizing to disclose information about him;

(4) specific as to the nature of the information he is authorizing to be disclosed;

(5) specific as to the individuals or institutions to whom he is authorizing information to be disclosed;

(6) specific as to the purpose(s) for which the information may be used;

(7) specific as to its expiration date, which should be for a reasonable period of time not to exceed one year.

5. Medical Records

A. An employer that maintains an employment-related medical record about an individual should assure that no diagnostic or treatment information in any such record is made available for use in any employment decision. However, in certain limited circumstances, special medical information might be so used after informing the employee.

B. Upon request, an individual who is the subject of a medical record maintained by an employer, or another responsible person designated by the individual, should be allowed to have access to that medical record, including an opportunity to see and copy it. The employer may charge a reasonable fee for preparing and copying the record.

C. An employer should establish a procedure whereby an individual who is the subject of a medical record maintained by the employer can request correction or amendment of the record.

6. Use of Investigative Firms

Each employer and agent of an employer should exercise reasonable care in the selection and use of investigative organizations, so as to assure that the collection, maintenance, use, and disclosure practices of such organizations fully protect the rights of the subject being investigated.

7. Arrest, Conviction, and Security Records

A. When an arrest record is lawfully sought or used by an employer to make a specific decision about an applicant or employee, the employer should not maintain the records for a period longer than specifically required by law, if any, or unless there is an outstanding indictment.

B. Unless otherwise required by law, an employer should seek or use a conviction record pertaining to an individual applicant or employee only when the record is directly relevant to a specific employment decision affecting the individual.

C. Except as specifically required by federal or state statute or regulation, or by municipal ordinance or regulation, an employer should not seek or use a record of arrest pertaining to an individual applicant or employee.

D. Where conviction information is collected, it should be maintained separately from other individually identifiable employment records so that it will not be available to persons who have no need of it.

E. An employer should maintain security records apart from other records.

8. General Practices

An employer should periodically and systematically examine its employment and personnel record-keeping practices, including a review of:

(1) the number and types of records it maintains on individual employees, former employees, and applicants;

(2) the items of information contained in each type of employment record it maintains;

(3) the uses made of the items of information in each type of record;

(4) the uses made of such records within the employing organization;

(5) the disclosures made of such records to parties outside the employing organization;

(6) the extent to which individual employees, former employees, and applicants are both aware and systematically informed of the uses and disclosures that are made of information in the records kept about them.


webmaster@cdt.org / Copyright © 1998-2000