
Privacy Act of 1974: A Basic Overview

Cindy Allard, Department of Defense

Timothy Graham, Department of Veterans Affairs

PURPOSE OF THE PRIVACY ACT

To regulate the collection, maintenance, use, and dissemination of personal information held by the Executive Branch of Government

– Been in effect since Sep 27, 1975. That’s over 36 years!

– Public Law 93-579

– Codified as 5 U.S.C. 552a

CONGRESS’ GOAL

To curb the illegal surveillance and investigation of individuals by federal agencies that was exposed during the Watergate scandal

Concerned with potential abuses presented by the Government’s increasing use of computers to store and retrieve personal data by means of a universal identifier

Basic Policy Objectives of the Privacy Act

To restrict disclosure of personally identifiable records maintained by Executive branch agencies

To grant individuals increased rights of access to agency records maintained on themselves

To grant individuals the right to seek amendment of agency records that are not accurate, relevant, timely, or complete

To establish a code of “fair information practices” which regulates the collection, use, maintenance and disclosure of personally identifiable information

Key Definitions

Why are definitions important?

The Privacy Act is a technical statute and the definitions can bring an agency in or out of the reach of the statute.

– Who has to comply with the Privacy Act?

– Who can use the Privacy Act?

– What does the Privacy Act apply to?

Who has to comply? An Agency

Agency

– Adopts the FOIA definition

– Agencies under the Federal Executive Branch

– Section 7 applies to state and local agencies

  Unlawful for any Federal, state, or local agency to deny a right, benefit or privilege because an individual refuses to provide an SSN

  Any Federal, state or local agency requesting an SSN must inform: if disclosure is mandatory or voluntary; by what statute or authority; and the uses

Who can use the Privacy Act? An Individual

An individual

– United States citizens or an alien lawfully admitted for permanent residence

– Deceased individuals are not covered

  FOIA may protect next of kin

– Corporations and organizations not covered

  FOIA may protect sole proprietors

Government Contractors

Subsection (m) makes provisions of the Act binding on contractors who operate a system of record to accomplish an agency function

For the purposes of criminal penalties, subsection (m) contractors are considered agency employees

What does the Privacy Act Pertain to? Records in a System of Records

Privacy Act protects information on individuals that is in a “system of records”

– This is any group of records from which information is retrieved by the name of an individual or by some other identifying particular assigned to the individual

  Must identify the individual

  Must be retrieved by an identifier

– Excludes

  purely personal notes

  supervisory notes (memory refreshers)

Retrieved vs. Retrievable

OMB guidelines explain that a system of records exists if:

– (1) There is an indexing or retrieval capability using identifying particulars built into the system, and

– (2) The agency does in fact retrieve records about individuals by references to some personal identifier

Henke v. Department of Commerce, 83 F.3d 1453 (D.C. Cir. 1996), capability to retrieve is not sufficient

System of Records

Notice Requirements: Must Publish a System of Records Notice in the Federal Register. 5 USC 552a(e)(4)

Why is this important?

– Most of the rights and requirements of the Privacy Act depend on whether the definition is met.

No Disclosure Without Consent

General Rule - NO disclosure unless you have:

(1) Written request from the subject or

(2) Prior written consent from the subject authorizing a 3rd party to gain access

(3) One of the 12 Exceptions established in 5 U.S.C. 552a(b)

Accounting of Certain Disclosures

Each agency must maintain an accounting of disclosures from a system of record except when disclosures are made under:

– (b)(1)

– (b)(2)

Agencies must make the accounting available to the subject except for those made under (b)(7)

Individual Rights

Access rights

Amendment rights

Private right of actions for violations

– Criminal and civil penalties

10 Exemptions

1. (d)(5) – exempts information compiled in the reasonable anticipation of a civil action or proceeding from the access provisions of the Privacy Act.

– Most similar to attorney work product

– Not limited to purely judicial proceedings, but also covers administrative hearings

Exemptions (cont.)

2. (j)(1) information maintained by the CIA

3. (j)(2) information maintained by a principal function criminal law enforcement agency and compiled for a criminal law enforcement purpose

– Threshold question – Is the agency a criminal law enforcement agency?

– Once threshold is met – was the information compiled for a criminal law enforcement purpose?

Exemptions (cont.)

4. (k)(1) classified information

5. (k)(2) investigatory material compiled for law enforcement purposes, other than material within the scope of (j)(2)

– 2 elements

  1. Is the material investigatory not covered by (j)(2)

  2. Was an individual denied a right, privilege, or benefit as a result of the maintenance of the record?

Exemptions (cont.)

6. (k)(3) maintained in connection with providing protective services for the President of the United States or other individuals

7. (k)(4) required by statute to be maintained and used solely as a statistical record

8. (k)(5) information that reveals a source who was provided an express promise of confidentiality in the context of background investigation materials

– Includes determinations for Federal civilian employment, military service, Federal contracts or access to classified records

Exemptions (cont.)

9. (k)(6) testing materials used solely to determine an individual’s qualifications for appointment or promotions in the Federal service

– Disclosure would compromise the objectivity or fairness of the examination process

– Typically exempt under FOIA (b)(2)

10. (k)(7) evaluation materials used to determine potential for promotion in the military

– Only in instances where disclosure would reveal the identity of a confidential source

Agency Requirements

Maintain only relevant and necessary information

Collect information directly from the source

At the time of collection disclose: authority, principal purpose for collection, how records will be used and disclosed, and the effects, if any, of not providing the information.

Publish new or altered notice in the Federal Register

– Required for each system of records. Describes categories of individuals, categories of records, routine uses, access procedures, etc.

– Publish at least 30 days prior to using a new routine use

Agency Requirements

Maintain only accurate, complete, relevant, and timely information to ensure fairness to the individual

Make reasonable efforts to ensure that records are accurate, complete, timely, and relevant for agency purposes prior to providing to any person other than the agency (other than for FOIA)

Maintain no record regarding an individual’s exercise of their First Amendment rights unless expressly authorized by statute, the individual, or unless pertinent to and within the scope of an authorized law enforcement activity

Agency Requirements

Make reasonable efforts to notify an individual when their record is made available under compulsory legal process when it becomes a matter of public record

Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records

Establish administrative and technical safeguards to ensure confidentiality and security of records

– Rules reinforced with issuance of OMB Memos concerning the protection of PII

Civil Remedies

Amendment lawsuits

Access lawsuits

Accuracy lawsuits for damages

Other damages lawsuits

Criminal Penalties

Misdemeanor and fine not to exceed $5,000

– Any officer or employee who knowingly and willingly discloses identifiable information to any person who is not entitled to receive it

– Any officer or employee who willfully maintains a “secret” system of records

– Knowingly and willingly requests or obtains Privacy Act protected records under false pretenses.

Privacy Act Resources

Under subsection (v), OMB has primary responsibility for Privacy Act oversight

– Office of Information and Regulatory Affairs

– OMB Privacy Act guidelines - 40 Fed Reg. 28,948-78 (July 1975)

– http://www.whitehouse.gov/omb/inforeg/infopoltech.html

→ Privacy Act Officer

→ Implementing regulations and Privacy Act issuances

→ Text of the Privacy Act and 2010 Privacy Act Overview are available online at http://www.justice.gov/opcl/prr.htm