Privacy Act of 1974: A Basic Overview
Cindy Allard, Department of Defense
Timothy Graham, Department of Veterans Affairs
PURPOSE OF THE PRIVACY ACT
To regulate the collection, maintenance, use, and dissemination of personal information held by the Executive Branch of Government
– Been in effect since Sep 27, 1975. That's over 36 years!
– Public Law 93-579
– Codified as 5 U.S.C. 552a
CONGRESS' GOAL
To curb the illegal surveillance and investigation of individuals by federal agencies that was exposed during the Watergate scandal
Concerned with potential abuses presented by the Government's increasing use of computers to store and retrieve personal data by means of a universal identifier
Basic Policy Objectives of the Privacy Act
To restrict disclosure of personally identifiable records maintained by Executive branch agencies
To grant individuals increased rights of access to agency records maintained on themselves
To grant individuals the right to seek amendment of agency records that are not accurate, relevant, timely, or complete
To establish a code of "fair information practices" which regulates the collection, use, maintenance and disclosure of personally identifiable information
Key Definitions
Why are definitions important?
The Privacy Act is a technical statute and the definitions can bring an agency in or out of the reach of the statute.
– Who has to comply with the Privacy Act?
– Who can use the Privacy Act?
– What does the Privacy Act apply to?
Who has to comply? An Agency
Agency
– Adopts the FOIA definition
– Agencies under the Federal Executive Branch
– Section 7 applies to state and local agencies
    Unlawful for any Federal, state, or local agency to deny a right, benefit or privilege because an individual refuses to provide a SSN
    Any Federal, state or local agency requesting an SSN must inform: if disclosure is mandatory or voluntary; by what statute or authority; and the uses
Who can use the Privacy Act? An Individual
An individual
– United States citizens or an alien lawfully admitted for permanent residence
– Deceased individuals are not covered
    FOIA may protect next of kin
– Corporations and organizations not covered
    FOIA may protect sole proprietors
Government Contractors
Subsection (m) makes provisions of the Act binding on contractors who operate a system of record to accomplish an agency function
For the purposes of criminal penalties, subsection (m) contractors are considered agency employees
What does the Privacy Act Pertain to? Records in a System of Records
Privacy Act protects information on individuals that is in a "system of records"
– This is any group of records from which information is retrieved by the name of an individual or by some other identifying particular assigned to the individual
    Must identify the individual
    Must be retrieved by an identifier
– Excludes
    purely personal notes
    supervisory notes (memory refreshers)
Retrieved vs. Retrievable
OMB guidelines explain that a system of records exists if:
– (1) There is an indexing or retrieval capability using identifying particulars built into the system, and
– (2) The agency does in fact retrieve records about individuals by references to some personal identifier
Henke v. Department of Commerce, 83 F.3d 1453 (D.C. Cir. 1996), capability to retrieve is not sufficient
System of Records
Notice Requirements: Must Publish a System of Records Notice in the Federal Register. 5 USC 552a(e)(4)
Why is this important?
– Most of the rights and requirements of the Privacy Act depend on whether the definition is met.
No Disclosure Without Consent
General Rule - NO disclosure unless you have:
(1) Written request from the subject or
(2) Prior written consent from the subject authorizing a 3rd party to gain access
(3) One of the 12 Exceptions established in 5 U.S.C. 552a(b)
Accounting of Certain Disclosures
Each agency must maintain an accounting of disclosures from a system of record except when disclosures are made under:
– (b)(1)
– (b)(2)
Agencies must make the accounting available to the subject except for those made under (b)(7)
Individual Rights
Access rights
Amendment rights
Private right of actions for violations
– Criminal and civil penalties
10 Exemptions
1. (d)(5) – exempts information compiled in the reasonable anticipation of a civil action or proceeding from the access provisions of the Privacy Act.
– Most similar to attorney work product
– Not limited to purely judicial proceedings, but also covers administrative hearings
Exemptions (cont.)
2. (j)(1) information maintained by the CIA
3. (j)(2) information maintained by a principal function criminal law enforcement agency and compiled for a criminal law enforcement purpose
– Threshold question – Is the agency a criminal law enforcement agency?
– Once threshold is met – was the information compiled for a criminal law enforcement purpose?
Exemptions (cont.)
4. (k)(1) classified information
5. (k)(2) investigatory material compiled for law enforcement purposes, other than material within the scope of (j)(2)
– 2 elements
    1. Is the material investigatory not covered by (j)(2)
    2. Was an individual denied a right, privilege, or benefit as a result of the maintenance of the record?
Exemptions (cont.)
6. (k)(3) maintained in connection with providing protective services for the President of the United States or other individuals
7. (k)(4) required by statute to be maintained and used solely as a statistical record
8. (k)(5) information that reveals a source who was provided an express promise of confidentiality in the context of background investigation materials
– Includes determinations for Federal civilian employment, military service, Federal contracts or access to classified records
Exemptions (cont.)
9. (k)(6) testing materials used solely to determine an individual's qualifications for appointment or promotions in the Federal service
– Disclosure would compromise the objectivity or fairness of the examination process
– Typically exempt under FOIA (b)(2)
10. (k)(7) evaluation materials used to determine potential for promotion in the military
– Only in instances where disclosure would reveal the identity of a confidential source
Agency Requirements
Maintain only relevant and necessary information
Collect information directly from the source
At the time of collection disclose: authority, principal purpose for collection, how records will be used and disclosed, and the effects, if any, of not providing the information.
Publish new or altered notice in the Federal Register
– Required for each system of records. Describes categories of individuals, categories of records, routine uses, access procedures, etc.
– Publish at least 30 days prior to using a new routine use
Agency Requirements
Maintain only accurate, complete, relevant, and timely information to ensure fairness to the individual
Make reasonable efforts to ensure that records are accurate, complete, timely, and relevant for agency purposes prior to providing to any person other than the agency (other than for FOIA)
Maintain no record regarding an individual's exercise of their First Amendment rights unless expressly authorized by statute, the individual, or unless pertinent to and within the scope of an authorized law enforcement activity
Agency Requirements
Make reasonable efforts to notify an individual when their record is made available under compulsory legal process when it becomes a matter of public record
Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records
Establish administrative and technical safeguards to ensure confidentiality and security of records
– Rules reinforced with issuance of OMB Memos concerning the protection of PII
Civil Remedies
Amendment lawsuits
Access lawsuits
Accuracy lawsuits for damages
Other damages lawsuits
Criminal Penalties
Misdemeanor and fine not to exceed $5,000
– Any officer or employee who knowingly and willingly discloses identifiable information to any person who is not entitled to receive it
– Any officer or employee who willfully maintains a "secret" system of records
– Knowingly and willingly requests or obtains Privacy Act protected records under false pretenses.
Privacy Act Resources
Under subsection (v), OMB has primary responsibility for Privacy Act oversight
– Office of Information and Regulatory Affairs
– OMB Privacy Act guidelines - 40 Fed. Reg. 28,948-78 (July 1975)
– http://www.whitehouse.gov/omb/inforeg/infopoltech.html
→ Privacy Act Officer
→ Implementing regulations and Privacy Act issuances
→ Text of the Privacy Act and 2010 Privacy Act Overview are available online at http://www.justice.gov/opcl/prr.htm