The Best of Intentions: Public Policy Goals and Employee Privacy

Now that the infrastructure of computerized employee records is well established and businesses are familiar (if not happy) with the process of reporting employee information to government agencies, Congress is constantly tempted to use businesses as agents of public policy. In military circles, this phenomenon is known as "mission creep," i.e., the tendency for objectives and goals to expand over time beyond their original boundaries.

None of the individual information-gathering policies enacted by Congress are, in and of themselves, especially invasive of employee privacy. Of far greater concern is the cumulative effect of all of these various information-gathering requirements—after all, the value of any potential pool of data is based on its breadth and depth. As marketers are keenly aware, the more information that they have about a potential purchaser, the easier it is to tailor a sales pitch. The federal government, ostensibly, is not in the business of selling anything, but the ever-growing capability of governments and employers to compile increasingly detailed profiles of individuals is troubling.

In England, where the government has installed and watches an estimated 2.5 million surveillance cameras, citizens concerned about their personal privacy are told that if they've done nothing wrong, they've got nothing to fear. The critical question, of course, is who gets to define "wrong." We can't honestly kid ourselves about possible abuses of governmental power, as two recent examples painfully demonstrate:

• J. Edgar Hoover and the FBI. During J. Edgar Hoover's forty-eight-year tenure as the head of the FBI, he oversaw the compilation of extensive dossiers on leading politicians, social activists, academics, actors, and anyone else who he thought merited scrutiny. While there is disagreement about whether Hoover or his associates actually used the dossiers for black-mail, there's no question that the compilation of these files involved serious invasions of personal and workplace privacy.

• Watergate. On August 17, 1971, John Dean wrote a memo to Lawrence Higby, an assistant of White House Chief of Staff Bob Haldeman, in which he stated:

  This memorandum addresses the matter of how we can maximize the fact of our incumbency in dealing with persons known to be active in their opposition to our Administration, Stated a bit more bluntly— how we can use the available federal machinery to screw our political enemies? After reviewing this matter with a number of persons possessed of experience in the field, I have concluded that we do not need an elaborate mechanism or game plan, rather we need a good project coordinator and full support for the project. In brief, the system would work as follows:

  • Key members of the staff (e.g., Colson, Dent, Flanigan, Buchanan) could be requested to inform us as to who they feel we should be giving a hard time.

  • The project coordinator should then determine what sorts of dealings these individuals have with the Federal Government and how we can best screw them (e.g., grant availability, federal contracts, litigation prosecution, etc.)

  • The project coordinator then should have access to and the full support of the top officials of the agency or departments in proceeding to deal with the individual. ^[9]

The potential for misuse is far greater today than it was thirty years ago. The amount of employee information flowing from all corners of the country to Washington is steadily growing, and technological improvements are making it easier and easier for the government to store, evaluate, and cross-correlate the information it receives.

Occupational Safety and Health Administration

As part of an erratic but ongoing effort to improve the nation's working conditions, Congress passed the Occupational Health and Safety Act (OSHA) in 1970. The central requirement of OSHA is that every employer engaged in interstate commerce (i.e., that uses the mails or makes interstate calls, which essentially means every employer) must maintain as safe and as healthy a workplace as is reasonably possible. It was Congress's goal to "preserve our human resources" in part "by providing for appropriate reporting procedures with respect to occupational safety and health ...."

Under regulations subsequently adopted by the Occupational Safety and Health Administration (also called OSHA), employers are required to provide the agency with complete details within eight hours of any workplace accident where the accident causes the death of a worker or sends four or more workers to the hospital. The report must include the names of any injured workers, the nature and extent of any injuries they suffered, the time and place at which the accident occurred, and the type and description of any machinery involved in the accident.

In addition, employers are required to maintain a log of work-related injuries or illnesses and to provide a summary of the log to employees at the end of each year. For each log entry, employers are supposed to record the name of the individual injured, her job title, the date of the injury or illness and where it occurred, a description of what happened, the outcome (death, time away from work, job transfer or restriction, or other), and the number of days actually spent away from work.

Many of the reports that are required by OSHA involve records dealing with medical conditions or exposure to hazardous materials. When that's the case, OSHA standards require that the employer use a Social Security number to identify the employee. In general, medical records are handled by medical professionals, who understand the importance of medical record confidentiality. However, exposure records are often collected and handled by people who are not traditionally considered medical professionals. That raises the potential for unwanted disclosure not merely of exposure records, but also of the employee's SSN.

Despite OSHA's extensive reliance on employee Social Security numbers, the agency has taken some steps recently to provide employees with greater privacy. In a set of rule changes that took effect on January 1, 2002, OSHA stated that:

• Employers are now prohibited from entering an individual's name ... if the individual has suffered certain types of injuries or illnesses (i.e., sexual assaults, HIV infections, or mental illnesses).

• Employers are allowed to omit a description of a sensitive injury or illness if it would reveal the employee's identity.

• Employers are required to remove the names of employees from all forms before providing the forms to people without access rights under OSHA.

The new rules are certainly a step in the right direction for protecting employee privacy. But they do little to stem the flow of information from employers to the federal government and virtually nothing to cut down on the amount of information being accumulated by employers about their employees.

The National Directory of New Hires and the Federal Case Registry

In 1995 and 1996, Congress and President Clinton wrangled over legislation aimed at reforming the nation's welfare system. The law that Congress ultimately passed and the President signed was called the Personal Responsibility and Work Opportunity Reconciliation Act (PRWORA) of 1996.

The main goal of the legislation was to set strict limits on welfare eligibility and to set up requirements for "workfare"—benefits for recipients that were contingent on employment. However, another important component of the new law was aimed at improving the ability of the states to collect child support payments from delinquent parents.

Obviously, there are few public policies more worthy than improving child support payments. Every year, state agencies struggle to collect $50 billion in back payments. In the fall of 1998, for instance, the U.S. Department of Health and Human Services estimated that only 22 percent of the back payments were actually being collected.

To accomplish the goal of improving that figure, the PRWORA required each state to create a State Directory of New Hires and a State Case Registry. Congress also used the new bill as an opportunity to expand the Federal Parent Locator Service (FPLS), a program operated by the federal government's Office of Child Support Enforcement. The FPLS was ordered to set up and begin operating a National Database of New Hires by October 1, 1997, and a Federal Case Registry a year later.

In a frequently asked questions memorandum prepared by the Administration for children and families, the "new hire" reporting requirements are described as follows:

New hire reporting is a process by which you, as an employer, report information on newly-hired employees to a designated state agency shortly after the date of hire. As an employer, you will play a key role in this important program by reporting all of your newly-hired employees to your state. ^[10]

Thus, within twenty days of hiring a new employee, each employer is required, at a minimum, to send the following information to the appropriate State Directory of New Hires: the new employee's name, address, and Social Security number, and the employer's name, address, and Employer Identification number. The state directory compares the data against records of outstanding child support orders. The employee's information is then transmitted to the National Directory of New Hires (NDNH). Eventually, everyone who is hired as an employee in the United States will be entered in the NDNH.

The potential of this information to be used for purposes other than originally intended was unequivocally demonstrated in February 2001, when Frank Fuentes, then the acting director of the Office of Child Support Enforcement, sent a letter to each of the directors of the State Directories of New Hires. Fuentes explained that under the terms of a federal law passed in November 1999, the U.S. Department of Education was given permission to access the information contained in the NDNH in an effort to collect unpaid student loans and grant overpayments. "[The Department of Education] estimates," Fuentes wrote, "that quarterly matches with the NDNH can result in the collection of $500 million of delinquent debts over the next five years." ^[11] Fuentes went on to say that the Office of Child Support Enforcement will be looking to implement other uses of the NDNH database.

^[9]Although Dean was probably speaking generally, he was also referring specifi- cally to a list of twenty individuals prepared for him by the office of Charles W. Colson. From Facts on File, Watergate and the White House, vol. 1, pp. 96–97.

^[10]"Frequently Asked Questions," U.S. Administration for Children and Families website. Downloaded on September 15, 2002, from the Web at URL www.acf.dhhs.gov/programs/cse/newhire/nh/q-apam2.htm.

^[11]Letter from Frank Fuentes to all State IV-D Directors (February 8, 2001). Available on the Administration for Children and Families website at www.acf.dhhs.gov/programs/cse/pol/dcl-01-10.htm.