Difference between revisions of "Privacy Act"

From acus wiki
Jump to: navigation, search
(Created page with "Citations: 5 U.S.C. § 552a (2012), enacted December 31, 1974, by Pub. L. No. 93579, § 3, 88 Stat. 1897; significantly amended by Pub. L. No. 94-183, § 2(2), 89 Stat. 1057,...")
 
 
(67 intermediate revisions by 6 users not shown)
Line 1: Line 1:
Citations:
+
5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a] (2012), enacted by [https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf Pub. L. No. 93-579], § 3, 88 Stat. 1897, Dec. 31, 1974; significantly amended by [https://www.govinfo.gov/content/pkg/STATUTE-89/pdf/STATUTE-89-Pg1057.pdf Pub. L. No. 94-183], § 2(2), 89 Stat. 1057, Dec. 31, 1975; by [https://www.govinfo.gov/content/pkg/STATUTE-96/pdf/STATUTE-96-Pg1749.pdf Pub. L. No. 97-365], § 2, 96 Stat. 1749, Oct. 25, 1982; by [https://www.govinfo.gov/content/pkg/STATUTE-96/pdf/STATUTE-96-Pg1819.pdf Pub. L. No. 97-375], title II, § 201(a), (b), 96 Stat. 1821, Dec. 21, 1982; by [https://www.govinfo.gov/content/pkg/STATUTE-96/pdf/STATUTE-96-Pg2467.pdf Pub. L. No. 97-452], §2(a)(1), 96 Stat. 2478, Jan. 12, 1983; by [https://www.govinfo.gov/content/pkg/STATUTE-98/pdf/STATUTE-98-Pg2209.pdf Pub. L. No. 98-477], § 2(c), 98 Stat. 2211, Oct. 15, 1984; by [https://www.govinfo.gov/content/pkg/STATUTE-98/pdf/STATUTE-98-Pg2280.pdf Pub. L. No. 98-497], title I, §107(g), 98 Stat. 2292, Oct. 19, 1984; by [https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf Pub. L. No. 100-503], §§ 28, 102 Stat. 2507-2514, Oct. 18, 1988; by [https://www.govinfo.gov/content/pkg/STATUTE-104/pdf/STATUTE-104-Pg1388.pdf Pub. L. No. 101-508], title VII, §7201(b)(1), 104 Stat. 1388-(3), Nov. 5, 1990; by [https://transition.fcc.gov/Bureaus/OSEC/library/legislative_histories/1466.pdf Pub. L. No. 103-66], title XIII, Ch. 2, subch. A, pt. V, §13581(c), 107 Stat. 611, Aug. 10, 1993; by [https://www.govinfo.gov/content/pkg/PLAW-104publ193/pdf/PLAW-104publ193.pdf Pub. L. No. 104-193], title I, § 110(w), 110 Stat. 2175, Aug. 22, 1996; by [https://www.govinfo.gov/content/pkg/PLAW-104publ226/pdf/PLAW-104publ226.pdf Pub. L. No. 104-226], § 1(b)(3), 110 Stat. 3033, Oct. 2, 1996; by [https://www.govinfo.gov/content/pkg/PLAW-104publ316/pdf/PLAW-104publ316.pdf Pub. L. No. 104-316], title I, § 115(g)(2)(b), 110 Stat. 3835, Oct. 19, 1996; by [https://www.congress.gov/105/plaws/publ34/PLAW-105publ34.pdf Pub. L. No. 105-34], title IX, subtitle C, § 1026(b)(2), 111 Stat. 925, Aug. 5, 1997; by [https://www.govinfo.gov/content/pkg/PLAW-105publ362/pdf/PLAW-105publ362.pdf Pub. L. No. 105-362], title XIII, § 1301(d), 112 Stat.3292, Nov. 10, 1998; by [https://www.govinfo.gov/content/pkg/PLAW-108publ271/pdf/PLAW-108publ271.pdf Pub. L. No. 108-271], 118 Stat. 814, July 7, 2004; by [https://www.govinfo.gov/content/pkg/PLAW-111publ148/pdf/PLAW-111publ148.pdf Pub. L. No. 111-148], Title VI, § 6402(b)(2), 124 Stat. 756, Mar. 23, 2010; by [https://www.govinfo.gov/content/pkg/PLAW-111publ203/pdf/PLAW-111publ203.pdf Pub. L. No. 111-203], Title X, § 1082, 124 Stat. 2080, July 21, 2010; by [https://www.govinfo.gov/content/pkg/PLAW-113publ295/pdf/PLAW-113publ295.pdf Pub. L. No. 113-295], Div. B, Title I, § 102(c), 128 Stat. 4062, Dec. 19, 2014.
5 U.S.C. § 552a (2012), enacted December 31, 1974, by Pub. L. No. 93579, § 3, 88 Stat. 1897; significantly amended by Pub. L. No. 94-183, § 2(2), 89 Stat. 1057, December 31, 1975; Pub. L. No. 97-365, § 2, 96 Stat. 1749, October 25, 1982; Pub. L. No. 97-375, title II, § 201(a), (b), 96 Stat.
 
1821, December 21, 1982; Pub. L. No. 97-452, §2(a)(1), 96 Stat. 2478, January 12, 1983; Pub. L. No. 98-477, § 2(c), 98 Stat. 2211, October 15, 1984; Pub. L. No. 98-497, title I, §107(g), 98 Stat. 2292, October 19, 1984; Pub. L. No. 100503, §§ 28, 102 Stat. 2507-2514, October 18, 1988; and Pub. L. No. 101-508, title VII, §7201(b)(1), 104 Stat. 1388-(3), November 5, 1990; Pub. L. No. 103-66, title XIII, Ch. 2, subch. A, pt. V, §13581(c), 107 Stat. 611, August 10, 1993; Pub. L. No. 104-193, title I, § 110(w), 110 Stat. 2175, August 22, 1996; Pub. L. No. 104-226, § 1(b)(3), 110 Stat. 3033, October 2, 1996; Pub. L. No. 104-316, title I, § 115(g)(2)(b), 110 Stat. 3835, October 19, 1996; Pub. L. No. 105-34, title IX, subtitle C, § 1026(b)(2), 111 Stat. 925, August 5, 1997; Pub. L. No. 105-362, title XIII, § 1301(d), 112 Stat.3292, November 10, 1998; Pub. L. No. 108-271, 118 Stat. 814, July 7, 2004; Pub. L. No. 111-148, Title VI, § 6402(b)(2), 124 Stat. 756, March 23, 2010; Pub. L. No. 111-203, Title X, § 1082, 124 Stat. 2080, July 21, 2010; Pub. L. No. 113-295, Div. B, Title I, § 102(c), 128 Stat. 4062, December 19, 2014.
 
  
Lead Agency:
+
'''Lead Agency:'''
Office of Management and Budget, 725 17th Street, NW, Washington, DC 20503, (202) 395-4852.
+
 
 +
[https://www.whitehouse.gov/omb/ Office of Management and Budget]
 +
 
 +
==Overview==
 +
The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Privacy Act gives individuals greater control over the gathering, dissemination, and accuracy of information collected about themselves by agencies. ''Miller v. United States'', 630 F. Supp. 347 (E.D.N.Y. 1986). The main purpose of the Privacy Act is to forbid disclosure unless it is required by the [[Freedom of Information Act]] (FOIA). ''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980). To protect individual privacy, the Privacy Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Privacy Act’s provisions.
 +
 
 +
===Scope===
 +
 
 +
The Privacy Act covers records maintained by agencies as defined in FOIA. It applies to Cabinet-level departments, independent regulatory agencies, military departments, and government corporations. [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim § 552a(a)(1)]. It does not apply to the legislative branch, national banks (''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981)), or Amtrak (''Ehm v. National R.R.'' ''Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984), ''cert. denied'', 469 U.S. 982 (1984)). ''See Alexander v. FBI'', 971 F. Supp. 603, 606-07 (D.D.C. 1997) (recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, but, nevertheless rejecting such limitation with regard to “agency” as used in the Privacy Act due to the different purposes that the two statutes serve); ''Shannon v. Gen. Elec. Co.'', 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (stating there is “no dispute” that General Electric (GE) falls within the definition of “agency” subject to requirements of the Privacy Act where, pursuant to a contract, it operated a Department of Energy-owned lab under the supervision, control, and oversight of the Department and where, by terms of the contract, GE agreed to comply with the Privacy Act).
 +
 
 +
A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. 5 U.S.C. § 552a(a)(4). The Privacy Act does not apply to all government records and documents that may contain an individual’s name or other private information. For example, it does not include the private notes of a supervisor if such notes are not used by the agency to make decisions. ''Johnston v. Horne'', 875 F.2d 1415 (9th Cir. 1989). But such notes may become subject to the Privacy Act if they become part of an agency’s decision. ''Chapman v. NASA'', 682 F.2d 526 (5th Cir. 1982), ''cert. denied'', 469 U.S. 1038 (1984). The Act also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records. ''Thomas v. U.S. Dep’t of Energy'', 719 F.2d 342 (10th Cir. 1983).
 +
 
 +
The Privacy Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information. 5 U.S.C. § 552a(a)(5). Agencies may maintain records covered by the Privacy Act only when they are relevant and necessary to accomplish the agency’s purpose. 5 U.S.C. § 552a(e)(1). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in ''Henke v. U.S. Dep’t of Commerce'', 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the [Office of Management and Budget] guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” ''Id.'' at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. ''Id.'' at 1459-61.
 +
 
 +
===Access to Records===
 +
Where the agency is authorized to keep records covered by the Privacy Act, an individual has a right of access to records concerning him or her. This is a central protection of the Privacy Act for individuals. The individual has a right to:
 +
 
 +
*Copy any or all of the record (§ 552a(d)(1));
 +
*Request amendment of the record (§ 552a(d)(2)) and file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4)); and
 +
*Request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).
 +
 
 +
The individual has an absolute right to access and need not provide any reason for seeking access. ''FTC v. Shaffner'', 626 F.2d 32 (7th Cir. 1980).
 +
 
 +
===Agency Requirements===
 +
For each system of records an agency maintains, it must:
 +
 
 +
*Publish in the ''Federal Register'' the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources or records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. ''See, e.g.,'' 5 U.S.C.§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(b)(3)], (e)(4), and (e)(11);
 +
*Maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
 +
*Establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Privacy Act and the agency’s implementing policies (§ 552a(e)(9));
 +
*Establish safeguards for the protection of records (§ 552a(e)(10)); and
 +
*Inform government contractors of their duties under the Privacy Act (§ 552a(m)).
 +
 
 +
When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Privacy Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual. 5 U.S.C. § 552a(e)(2). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information. 5 U.S.C. § 552a(e)(3).
 +
 
 +
The Privacy Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. It must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In ''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of a disputed fact.
 +
 
 +
Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity.  5 U.S.C. § 552a(e)(7). Such records are subject to the Privacy Act even if not kept in “a system of records.” ''Clarkson v. IRS'', 678 F.2d 1368, 1373-77 (11th Cir. 1982), ''cert. denied'', 481 U.S. 1031. ''Cf. Pototsky v. U.S. Dep’t of Navy'', 717 F. Supp. 20 (D. Mass. 1989). Guidelines from the Office of Management and Budget (OMB) call for the broadest reasonable interpretation of the prohibition.
 +
 
 +
===Exemptions from Access===
 +
The Privacy Act provides general (§ 552a(j)) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. To be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Privacy Act and then publish the exemption as a rule under the [[Administrative Procedure Act]]’s (APA) notice-and-comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Privacy Act may leave the records subject to the Privacy Act. ''Exner v. FBI'', 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the ''Federal Register'' establishing the system of records. ''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
 +
 
 +
A general exemption denies access by an affected individual under virtually all the Privacy Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. ''Vymetalik v. FBI'', 785 F.2d 1090, 1095 (D.C. Cir. 1986).
 +
 
 +
The specific exemptions (§ 552a(k)(1)(7)) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the [[Administrative Procedure Act|APA]], 5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section553&num=0&edition=prelim 553]. The specific exemption is from a particular provision of the Privacy Act. The seven exemptions allowed are:
 +
 
 +
*[http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552&num=0&edition=prelim FOIA (b)(1) exemptions] (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
 +
*Investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
 +
*Material maintained to provide protective service to the President or pursuant to 18 U.S.C. [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title18-section3056&num=0&edition=prelim § 3056];
 +
*Confidential investigatory records relating to employment or contracts;
 +
*Statistical records required by statute;
 +
*Testing and examination material related to federal employment; and
 +
*Evaluations related to military promotions obtained confidentially.
 +
 
 +
An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. ''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979).
 +
 
 +
===Restrictions on Disclosure===
 +
The Privacy Act prohibits disclosure of any record covered by the Privacy Act without the written request or prior written consent of the person whom the record concerns. 5 U.S.C. § 552a(b). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical [https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf Responsibilities for the Maintenance of Records About Individuals by Federal Agencies], 40 Fed. Reg. 28948, 28953 (July 9, 1975). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Privacy Act.
  
Overview:
 
The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Act gives individuals greater control over gathering, dissemination, and ensuring accuracy of information collected about themselves by agencies. (Miller v. U.S., 630 F. Supp. 347 (E.D.N.Y. 1986)). The main purpose of the Act is to forbid disclosure unless it is required by the Freedom of Information Act. (Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980)). To protect individual privacy, the Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Act’s provisions.
 
Scope. The Act covers records maintained by agencies as defined in FOIA. The Act applies to Cabinet level departments, independent regulatory agencies, military departments, and government corporations (5 U.S.C. § 552a(a)(1)). It does not apply to the legislative branch, national banks (U.S. v. Miller, 643 F.2d 713 (10th Cir. 1981)), or Amtrak (Ehm v. National R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984), cert. denied, 469 U.S. 982 (1984)). See Alexander v. FBI, 971 F. Supp. 603, 606-07 (D.D.C. 1997) (although recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, nevertheless rejecting such limitation with regard to “agency” as used in Privacy Act due to different purposes that the two statutes serve); Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (“no dispute” that GE falls within definition of “agency” subject to requirements of Privacy Act where pursuant to contract it operated Department of Energy-owned lab under supervision, control, and oversight of department and where by terms of contract GE agreed to comply with Privacy Act).
 
A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. (5 U.S.C. § 552a(a)(4)). It does not apply to all government records and documents that may contain an individual’s name or other private information. For example, it does not include private notes of a supervisor if such notes are not used by the agency to make decisions (Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989)), but such notes may become subject to the Act if they become part of an agency’s decision. (Chapman v. NASA, 682 F.2d 526 (5th Cir. 1982), cert. denied, 469 U.S. 1038 (1984)). It also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records (Thomas v. DOE, 719 F.2d 342 (10th Cir. 1983)).
 
The Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information (5 U.S.C. § 552a(a)(5)). Agencies may maintain records covered by the Act only when they are relevant and necessary to accomplish the agency’s purpose (5 U.S.C. § 552a(e)(1)). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in Henke v. U.S. Department of Commerce, 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” Id. at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. Id. at 1459-61.
 
Access to Records. Where the agency is authorized to keep records covered by the Act, an individual has a right of access to records concerning him or her. This is a central protection of the Act for individuals. The individual has a right to:
 
• Copy any or all of the record (§ 552a(d)(1));
 
• Request amendment of the record (§ 552a(d)(2)) and to file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4));
 
• Request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).
 
The individual has an absolute right to access and need not provide any reason for seeking access (FTC v. Shaffner, 626 F.2d 32 (7th Cir. 1980)).
 
Agency Requirements. For each system of records an agency maintains, it must:
 
• Publish in the Federal Register the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources or records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. (See, e.g., § 552a(b)(3), (e)(4), and (e)(11)).
 
• Maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
 
• Establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Act and the agency’s implementing policies (§ 552a(e)(9));
 
• Establish safeguards for the protection of records (§ 552a(e)(10)); and
 
• Inform government contractors of their duties under the Act (§ 552a(m)).
 
When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual (§ 552a(e)(2)). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information (§ 552a(e)(3)).
 
The Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. It must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In Doe v. U.S., 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of disputed fact.
 
Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity (§ 552a(e)(7)). Such records are subject to the Act even if not kept in “a system of records.” Clarkson v. IRS, 678 F.2d 1368 at 1373-77 (11th Cir. 1982), cert. denied, 481 U.S. 1031. Cf. Pototsky v. Dept of Navy; 717 F. Supp. 20 (D. Mass. 1989). OMB guidelines call for the broadest reasonable interpretation of the prohibition.
 
Exemptions from Access. The Act provides general (§ 552a(j)) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. To be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Act and then publish the exemption as a rule under the APA’s notice and comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Act may leave the records subject to the Act. Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the Federal Register establishing the system of records. DOE v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).
 
A general exemption denies access by an affected individual under virtually all the Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. Vymetalik v. FBI, 785 F.2d 1090, 1095 (D.C. Cir. 1986).
 
The specific exemptions (§ 552a(k)(1)(7)) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the APA (5 U.S.C. § 553). The specific exemption is from a particular provision of the Act. The seven exemptions allowed are:
 
• FOIA (b)(1) exemptions (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
 
• Investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
 
• Material maintained to provide protective service to the President or pursuant to 18 U.S.C. § 3056;
 
• Confidential investigatory records relating to employment or contracts;
 
• Statistical records required by statute;
 
• Testing and examination material related to federal employment; and
 
• Evaluations related to military promotions obtained confidentially.
 
An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. Zeller v. U.S., 467 F. Supp. 487 (E.D.N.Y. 1979).
 
Restrictions on Disclosure. The Act prohibits disclosure of any record covered by the Act without the written request or prior written consent of the person whom the record concerns (§ 552a(b)). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical (OMB Privacy Act Guidelines, 40 Fed. Reg. 28,948, 28,953 (July 9, 1975)). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Act.
 
 
The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)(12)). They are:
 
The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)(12)). They are:
• Internal agency use on a need to know basis;
 
• Proper requests under FOIA;
 
• Routine use;
 
• Census Bureau activities;
 
• Statistical research where the recipient has given written assurance that records are not individually identifiable;
 
• National Archives preservation;
 
• Information to Congress;
 
• Information to the Comptroller General in performing GAO duties;
 
• Showing of compelling circumstances affecting the health or safety of an individual;
 
• Pursuant to court order (subpoenas issued by clerks of courts are not “orders”; Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798, 800 (N.D. Ga. 1978));
 
• To a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
 
• Use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity. . .” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion
 
of the record sought, and (3) describes the relevant enforcement activity. (See DOE v. Naval Air Station, above.)
 
“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected” (§ 552a(a)(7)). Each routine use is identified in the Federal Register notice upon establishment or revision of each system of records (§ 552a(e)(4)(D)). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records (Covert v. Harrington, 876 F.2d 751 (9th Cir. 1989); DOE v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988); Zeller v. U.S., 467 F. Supp. 487 (E.D.N.Y. 1979)). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists (NASA v. Nelson, 562 U.S. 134, 153-55 (2011)).
 
Review, Relief, Remedies. The Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests (§ 552a(f)). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Act or regulations issued thereunder that adversely affect the individual (§ 552a(g)(1)). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Act caused the actual damages complained of (Molerio v. FBI, 749 F.2d 815, 826 (D.C. Cir. 1984)). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages (FAA v. Cooper, 566 U.S. 284 (2012)). Remedies for failure to grant access or refusal to amend are injunctive.
 
An individual bringing a claim under section 552a(g)(1) must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied (Gizoni v. Southwest Marine, Inc., 909 F.2d 385 (9th Cir. 1990)).
 
Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses (§ 552a(i)). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. See United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997) (defendant found not guilty; prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). See generally In re Mullins (Tamposi Fee Application), 84 F.3d 1439, 1441 (D.C. Cir. 1996) (per curiam) (case concerning application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, Gerlich v. U.S. Dep’t of Justice, 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.
 
The Act provides a two-year statute of limitations (§ 552a(g)(5)). The time begins to run when a reasonable person should have known of the alleged violation. Rose v. United States, 905 F.2d 1257, 1259 (9th Cir. I990); Diliberti v. United States, 817 F.2d 1259, 1262 (7th Cir. 1987).
 
Computer Matching. The Act was amended in 1988 by Pub. L. No. 100-503, the Computer Matching and Privacy Protection Act of 1988. The Office of Management and Budget issued final guidance implementing the amendment’s provisions on June 19, 1989 (54 Fed. Reg. 25,818 (June 19, 1989)). The amendments added sections 552a(o)-(q) to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring Federal Register notice of matching agreements, by requiring reports to OMB and Congress, and by requiring the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.
 
Relationship to the FOIA. Two provisions relate to the Freedom of Information Act (5 U.S.C. § 552). Section 552a(b)(2) exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other (§ 552a(t)). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required (§ 552a(c)(1)). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record (§ 552a(e)(6)). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act (§ 552a(k)(1)).
 
Social Security Numbers. The Act restricts use of an individual’s Social Security account number (Section 7 of Pub. L. No. 93-579, 88 Stat. 1896) (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments as well as the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976, the Deficit Reduction Act of 1984, and the Debt Collection Act of 1982. In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law . . . .” Pub. L. No. 94-55, 90 Stat. 1520, 1711 (1976), amending 42 U.S.C. § 405(c)(2)).
 
Oversight:
 
The Office of Management and Budget is required by the Act to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. (Albright v. U.S., 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992)). However, a few courts have rejected particular aspects of the OMB Guidelines as inconsistent with the statute. See, e.g., Kassel v. VA, No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); Doe v. Chao, 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).
 
The vast majority of OMB’s Privacy Act guidelines are published at 40 Fed. Reg. 28,948-78 (1975). However, these original guidelines have been supplemented in particular subject areas over the years. See Appendix I to OMB Circular No. A-130 (initially published at 50 Fed. Reg. 52,730 (Dec. 24, 1985); most recently revised at 61 Fed. Reg. 6,428 (Feb. 20, 1996)). See also 40 Fed. Reg. 56,741-43 (1975) (system of records definition, routine use and intra-agency disclosures, consent and congressional inquiries, accounting of disclosures, amendment appeals, rights of parents and legal guardians, relationship to FOIA); 48 Fed. Reg. 15,556-60 (1983) (relationship to Debt Collection Act); 52 Fed. Reg. 12,990-93 (1987) (“call detail” programs); 54 Fed. Reg. 25,818-29 (1989) (computer matching); 56 Fed. Reg. 18,599-601 (proposed Apr. 23, 1991) (computer matching); 61 Fed. Reg. 6428, 6435-39 (1996)(“Federal Agency Responsibilities for Maintaining Records About Individuals”). Thus, when researching in this area, it may be important to check subsequent supplements.
 
In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. Memorandum on Privacy and Personal Information in Federal Records (May 14, 1998). Specifically, the President directed each agency to designate a senior official with responsibility for privacy policy to apply the Principles for Providing and Using Personal Information that were developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995, and to conduct a series of reviews of agency record systems in order to ensure compliance with Privacy Act requirements. The Privacy Act related reviews, conducted in accordance with instructions issued by OMB, reported results to OMB. The memorandum also provided that OMB issue further guidance on the making of “routine use” disclosures under the Act.
 
Section 208 of the E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. ch. 36) requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections; make them publicly available; post privacy policies on agency websites used by the public; translate privacy policies into a standardized machine-readable format; and report annually to OMB on compliance with the E-Government Act.
 
In 2002 GAO conducted an extensive review of agency Privacy Act practices, and reported on its findings in June 2003 (Privacy Act: OMB Leadership Needed to Improve Agency Compliance, GAO-03-304).
 
While most questions concerning the Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB Guidelines, may be directed to the Office of Information and Regulatory Affairs, OMB.
 
Legislative History:
 
The Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, as well as data collection and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.
 
The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled “Analysis of House and Senate Compromise Amendments to the Federal Privacy Act” (see 120 Cong. Rec. 40,445, Dec. 17, 1974; see also Source Book on Privacy, at 858).
 
The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Act provided for two important means of further development and oversight:
 
• It instructed OMB to develop guidelines for the implementation of the Act throughout the executive branch; and
 
• The Privacy Protection Study Commission was created by the Act to study the issues raised by the Act and to recommend further legislation, and it subsequently completed its thorough and informative report, Personal Privacy in an Information Society.
 
The bill was signed by President Ford on December 31, 1974 and became effective September 1975.
 
Source Note:
 
The legislative history of the original Act is exhaustively collected in Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93579): Source Book on Privacy (1976). The Department of Justice’s Overview of the Privacy Act of 1974 is updated periodically and discusses the extensive case law under the Act.
 
Bibliography:
 
I. Legislative History
 
1. Analysis of House and Senate Compromise Amendments to the Federal Privacy Act, 120 Cong. Rec. 12,243 (daily ed. Dec. 18, 1974); id. at 21,815 (daily ed. Dec. 17, 1974).
 
2. Joint Comm. on Government Operations, Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93579): Source Book on Privacy, 94th Cong., 2d Sess., September 1976 (available from the U.S. Government Printing Office).
 
3. H.R. Rep. No. 100-802, 100th Cong., 2d Sess. (1988), 134 Cong. Rec. S13001 (daily ed. Sept. 20, 1988).
 
4. S. Rep. No. 100-516, 100th Cong., 2d Sess. (1988), 134 Cong. Rec. S13001 (daily ed. Sept. 20, 1988).
 
5. Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, H.R. Rep. No. 98-455, 98th Cong., 1st Sess. (1983); Hearings on Oversight of the Privacy Act of 1974 Before a Subcomm. of the H. Comm. on Gov’t Operations, 98th Cong., 1st Sess. (1983).
 
6. America’s Healthy Future Act of 2009: Report to Accompany S. 1796, Comm. on Finance, Senate, 111th Cong., 2d Sess., Senate Report 111-89, at 308 (Oct. 19, 2009).
 
7. Report together with Minority Views to Accompany S. 3217, Senate, 111th Cong. 2d Sess., Senate Report 111-176, at 180 (Apr. 30, 2010).
 
8. Comments of Senator Enzi on Financial Regulatory Reform, May 17, 2010, S3800-3801.
 
9. Comments of Senator Dodd on the Restoring American Financial Stability Act of 2010, April 30, 2010, S 3003.
 
10. Comments of Senator Enzi on the Restoring American Financial Stability Act of 2010, May 20, 2010, S 4059-4062.
 
II. Other Government Documents
 
1. Office of Management and Budget, Implementation of the Privacy Act of 1974, Supplementary Guidance, 40 Fed. Reg. 5674 (Dec. 4, 1975).
 
2. Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission (GPO, July 1977).
 
3. Office of Management and Budget, Revised Supplemental Guidance for Conducting Matching Programs, 47 Fed. Reg. 21,656 (May 19, 1982).
 
4. Office of Management and Budget, Debt Collection Act Guidelines, 48 Fed. Reg. 15,556 (Apr. 11, 1983).
 
5. Office of Management and Budget, Privacy Act Guidelines, 40 Fed. Reg. 28,948 (July 9, 1975), supplemented at 56,741 (1975); 49 Fed. Reg. 12,338 (1984); and 54 Fed. Reg. 25,818 (1989).
 
6. Office of Management and Budget, Management of Federal Information Resources, Circular A130, 50 Fed. Reg. 52,730 (Dec. 24, 1985).
 
7. General Accounting Office, Computer Matching: Assessing its Costs and Benefits, GAO/PEMD872 (Nov. 1986).
 
8. Office of Management and Budget, Final Guidance on Privacy Act Implications of “call detail” Programs, 52 Fed. Reg. 12,290 (Apr. 20, 1987).
 
9. Office of Management and Budget, Final Guidance Interpreting the Provisions of Public Law No. 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25,818 (June 19, 1989).
 
10. General Accounting Office, Peer Review: Compliance with the Privacy Act and the Federal Advisory Committee Act, GAO/GG D91 48 (1991) (available at https://www.gao.gov/assets/220/213974.pdf).
 
11. Office of Management and Budget, Proposed Revision of OMB Circular A130, 57 Fed. Reg. 18,296 (Apr. 29, 1992).
 
12. Memorandum on Privacy and Personal Information in Federal Records,34 Weekly Comp. Pres. Doc. 870 (May 14, 1998).
 
13. Office of Management and Budget, Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy, Dec. 20, 2000 (M-0105).
 
14. Office of Management and Budget, Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (Sept. 26, 2003) (M-0322).
 
15. U.S. General Accounting Office, Privacy Act: OMB Leadership Needed to Improve Agency Compliance, GAO-03-304 (2004).
 
16. Office of Management and Budget, FY 2005 Report to Congress on Implementation of the E-Government Act of 2002 (2006).
 
17. Office of Management and Budget, FY 2007 Report to Congress on Implementation of the E-Government Act of 2002 (2008), available at http:/
 
/www. whitehouse.gov/omb/assets/omb/inforeg/reports/ fy2007_egov_report.pdf.
 
18. Executive Order 13,478, Amendments to Executive Order 9397 Relating to Federal Agency Use of Social Security Numbers, 73 Fed. Reg. 70,239 (Nov. 20, 2008).
 
19. Office of Management and Budget, FY 2008 Report to Congress on Implementation of the E-Government Act of 2002 (Mar. 1, 2009), available at http://www.whitehouse.gov/sites/default/files/omb/assets/reports/ 2008_egov_report.pdf.
 
20. Office of Management and Budget, FY 2009 Report to Congress on Implementation of the E-Government Act of 2002 (Apr. 15, 2010), available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/ 2009_egov_report.pdf.
 
21. Office of Management and Budget, FY 2010 Report to Congress on Implementation of the E-Government Act of 2002 (Mar. 30, 2011), available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/ FY10_E-Gov_Act_Report.pdf.
 
22. Office of Management and Budget, FY 2011 Report to Congress on Implementation of the E-Government Act of 2002 (Mar. 7, 2012), available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/ fy11__e-gov_act_report.pdf.
 
23. A Citizen’s Guide on Using the Freedom of Information Act and The Privacy Act of 1974 to Request Government Records, Report by the Committee on Oversight and Government Reform, 112th Cong., 2d Sess. (Sept. 21, 2012).
 
24. U.S. Department of Justice, Overview of the Privacy Act of 1974 (2012), available at http://www.justice.gov/sites/default/files/opcl/docs/ 1974privacyact-2012.pdf.
 
25. Office of Management and Budget, FY 2012 Report to Congress on Implementation of the E-Government Act of 2002 (Mar. 2013), available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/ fy12_fisma_0.pdf.
 
26. Office of Management and Budget, FY 2013 Report to Congress on Implementation of the E-Government Act of 2002 (Mar. 1, 2014), available at http://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/ fy_2013_e-government_act_implementation_report_final_03_01_2014_0.pdf.
 
III. Selected Books and Articles
 
1. Lillian R. Bevier, Information about Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection, 4 Wm. & Mary Bill Rights J. 455 (1991).
 
2. Jonathan C. Bond, Note, Defining Disclosure in a Digital Age: Updating the Privacy Act for the Twenty-First Century, 76 Geo. Wash. L. Rev. 1232 (2007-2008).
 
3. William S. Challis & Ann Cavoukian, The Case for a U.S. Privacy Commissioner: A Canadian Commissioner’s Perspective, 19 J. Marshall J. Computer & Info. L. 1 (2000).
 
4. Todd Robert Coles, Comment, Does the Privacy Act of 1974 Protect your Right to Privacy?: An Examination of the Routine Use Exemption, 40 Am. U. L. Rev. 957 (1991).
 
5. John M. Eden, When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID, 2005 Duke L. & Tech. Rev. 20 (2005).
 
7. Haeji Hong, Dismantling the Private Enforcement of the Privacy Act of 1974: Doe v. Chao, 38 Akron L. Rev. 71 (2005).
 
8. Joseph V. Kaplan & John Mahoney, Reckless Disregard: Intentional and Willful Violations of the Privacy Act’s Investigatory Requirements, 44 Fed. Law. No. 4 at 38 (1997).
 
9 Alex Kardon, Damages under the Privacy Act: Sovereign Immunity and a Call for Legislative Reform, 34 Harv. J. L. & Pub. Pol’y 705 (2011).
 
10. Flavio Komuves, We’ve Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers, 16 J. Marshall J. Computer & Info. L. 529 (1998).
 
11. Frederick Z. Lodge, Note, Damages Under the Privacy Act of 1974: Compensation and Deterrence, 52 Fordham L. Rev. 611 (1984).
 
12. Lisa A. Reilly, The Government in the Sunshine Act and the Privacy Act, 56 George Washington L. Rev. 955 (1987).
 
13. Nicole M. Quallen, Damages under the Privacy Act: Is Emotional Harm Actual, 88 N.C. L. Rev. 334 (2009).
 
14. Paul M. Schwartz, Privacy and Participation: Personal Information and Public Sector Regulation in the United States, 80 Iowa L. Rev. 553 (1995).
 
15. Daniel Solove, Identity Theft, Privacy, and the Architecture of Vulnerability, 54 Hastings L.J. 1227 (2003).
 
16. Julianne M. Sullivan, Comment, Will the Privacy Act of 1974 Still Hold Up in 2004? How Advancing Technology Has Created a Need for a Change in the “System of Records” Analysis, 39 Cal. W. L. Rev. 395 (2003).
 
17. Thomas M. Susman, Privacy Act and the Freedom of Information Act: Conflict and Resolution, 21 J. Marshall L. Rev. 703 (1988).
 
18. Note, Once More unto the Breach: The Constitutional Right to Informational Privacy and the Privacy Act, 91 N.Y.U. L. Rev. 1355 (2016).
 
  
IV. Selected Cases Not Included in the Text
+
*Internal agency use on a need to know basis;
1. Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798 (N.D. Ga. 1978).
+
*Proper requests under FOIA;
2. Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y.1979).
+
*Routine use;
3. Albright v. United States, 631 F.2d 915 (D.C. Cir. 1980).
+
*Census Bureau activities;
4. Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980).
+
*Statistical research where the recipient has given written assurance that records are not individually identifiable;
5. Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980).
+
*National Archives preservation;
6. United States v. Miller, 643 F.2d 713 (10th Cir. 1981).
+
*Information to Congress;
7. Fitzpatrick v. United States, 665 F.2d 327 (11th Cir. 1982).
+
*Information to the Comptroller General in performing Government Accountability Office (GAO) duties;
8. Clarkson v. IRS, 678 F.2d 1368 (11th Cir. 1982).
+
*Showing of compelling circumstances affecting the health or safety of an individual;
9. Johnson v. Dep’t of the Treasury, 700 F.2d 971 (5th Cir. 1983).
+
*Pursuant to court order (subpoenas issued by clerks of courts are not “orders” ''Stiles v. Atlanta Gas Light Co.'', 453 F. Supp. 798, 800 (N.D. Ga. 1978));
10. Thomas v. DOE, 719 F.2d 342 (10th Cir. 1983).
+
*To a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
11. Molerio v. FBI, 749 F.2d 815 (D.C. Cir. 1984).
+
*Use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion of the record sought, and (3) describes the relevant enforcement activity. ''See Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
12. Elm v. National R. R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984).
+
 
13. DOE v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).
+
“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). Each routine use is identified in the ''Federal Register'' notice upon establishment or revision of each system of records. 5 U.S.C. (§ 552a(e)(4)(D). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records. ''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989); ''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988); ''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists. ''NASA v. Nelson'', 562 U.S. 134, 153-55 (2011).
14. Vymetalik v. FBI, 785 F.2d 1090 (D.C. Cir. 1986).
+
 
15. DOE v. United States, 821 F.2d 694 (D.C. Cir. 1987).
+
===Review, Relief, Remedies===
16. DOE v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988).
+
The Privacy Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests. 5 U.S.C. § 552a(f). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Privacy Act or regulations issued thereunder that adversely affect the individual. 5 U.S.C. § 552a(g)(1). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Privacy Act caused the actual damages complained of. ''Molerio v. FBI'', 749 F.2d 815, 826 (D.C. Cir. 1984). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages. https://tile.loc.gov/storage-services/service/ll/usrep/usrep566/usrep566284/usrep566284.pdf Fed. Aviation Admin. v. Cooper], 566 U.S. 284 (2012). Remedies for failure to grant access or refusal to amend are injunctive.
17. Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989).
+
 
18. Pototsky v. Dep’t of the Navy, 717 F. Supp. 20 (D. Mass. 1989).
+
An individual bringing a claim under § 552a(g)(1) must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied. ''Gizoni v. Sw. Marine, Inc.'', 909 F.2d 385 (9th Cir. 1990).
19. Covert v. Harrington, 876 F.2d 751 (9th Cir. I989).
+
 
20. Quinn v. Stone, 978 F.2d 126, 133 (3rd Cir. 1992).
+
Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses. 5 U.S.C. § 552a(i). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. ''See United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997) (finding the defendant not guilty; that the prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; and that the evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); ''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). ''See generally In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439, 1441 (D.C. Cir. 1996) (''per curiam'') (indicating the application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under the Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, [https://www.cadc.uscourts.gov/internet/opinions.nsf/1E0F642CD84E034985257B3D004E4186/$file/09-5354-1427961.pdf Gerlich v. DOJ], 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.
21. Kassel v. VA, No. 87-217-S (D.N.H. Mar. 30, 1992).
+
 
22. United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997).
+
The Privacy Act provides a two-year statute of limitations. 5 U.S.C. § 552a(g)(5). The time begins to run when a reasonable person should have known of the alleged violation. ''Rose v. United States'', 905 F.2d 1257, 1259 (9th Cir. 1990); ''Diliberti v. United States'', 817 F.2d 1259, 1262 (7th Cir. 1987).
23. United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976).
+
 
24. In re Mullins (Tamposi Fee Application), 84 F.3d 1439 (D.C. Cir. 1996).
+
===Computer Matching===
25. Alexander v. FBI, 971 F. Supp. 603 (D.D.C. 1997).
+
The Privacy Act was amended in 1988 by the Computer Matching and Privacy Protection Act of 1988 ([https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf Pub. L. No. 100-503]). OMB issued final guidance implementing the amendment’s provisions on June 19, 1989. [https://obamawhitehouse.archives.gov/sites/default/files/omb/inforeg/final_guidance_pl100-503.pdf Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988], 54 Fed. Reg. 25818 (June 19, 1989)). The amendments added § 552a(o)-(q) to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring ''Federal Register'' notice of matching agreements, reports to OMB and Congress, and the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.
26. Shannon v. General Elec. Co., 812 F. Supp. 308 (N.D.N.Y. 1993).
+
 
27. Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453 (D.C. Cir. 1996).
+
===Relationship to the FOIA===
28. Falwell v. Executive Office of the President, 113 F. Supp. 2d 967 (W.D. Va. 2000).
+
Two provisions relate to FOIA. 5 U.S.C. [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552&num=0&edition=prelim § 552]. Section 552a(b)(2) exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other. 5 U.S.C. § 552a(t). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required. 5 U.S.C. § 552a(c)(1). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record. 5 U.S.C. § 552a(e)(6). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act. 5 U.S.C. § 552a(k)(1).
29. Dale v. Executive Office of the President, 164 F. Supp. 2d 22 (D.D.C. 2001).
+
 
30. Trulock v. United States Dep’t of Justice, No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
+
===Social Security Numbers===
31. Tripp v. Executive Office of the President, 200 F.R.D. 140 (D.D.C. 2001).
+
The Privacy Act restricts use of an individual’s Social Security account number. [https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf Pub. L. No. 93-579], § 7 (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments, as well as to the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976 ([http://uscode.house.gov/statutes/pl/94/455.pdf Pub. L. No. 94-455]), the Deficit Reduction Act of 1984 ([https://www.govinfo.gov/app/details/STATUTE-98/STATUTE-98-Pg494/summary Pub. L. No. 98-369]), and the Debt Collection Act of 1982 ([https://www.gpo.gov/fdsys/pkg/STATUTE-96/pdf/STATUTE-96-Pg1749.pdf Pub. L. No. 97-365]). In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law.” Pub. L. No. 94-455, amending 42 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section405&num=0&edition=prelim 405(c)(2)].
32. Broaddrick v. Executive Office of the President, 139 F. Supp. 2d 55 (D.D.C. 2001).
+
 
33. Flowers v. Executive Office of the President, 142 F. Supp. 2d 38 (D.D.C. 2001).
+
==Oversight==
34. Jones v. Executive Office of the President, 167 F. Supp. 2d 10 (D.D.C. 2001).
+
The Privacy Act requires OMB to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. ''Albright v. United States'', 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); ''Quinn v. Stone'', 978 F.2d 126, 133 (3d Cir. 1992). However, a few courts have rejected particular aspects of the OMB guidelines as inconsistent with the statute. ''See, e.g.'', ''Kassel v. U.S. Dep’t of Veterans Affairs'', No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); [https://supreme.justia.com/cases/federal/us/540/614/ Doe v. Chao], 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).
35. Sculimbrene v. Reno, 158 F. Supp. 2d 26 (D.D.C. 2001).
+
 
36. Schwarz v. U.S. Dep’t of Treasury, 131 F. Supp. 2d 142 (D.D.C. 2000).
+
The vast majority of OMB’s Privacy Act guidelines are published in [https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf Privacy Act Implementation Guidelines and Responsibilities], 40 Fed. Reg. 28948 (1975). However, these original guidelines have been supplemented in particular subject areas over the years, including:
37. Cobell v. Norton, 157 F. Supp. 2d 82 (D.D.C. 2001).
+
 
38. Cummings v. Department of the Navy, 279 F.3d 1051 (D.C.Cir.2002).
+
*[https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf Appendix I to OMB Circular No. A-130], most recently revised at [https://www.govinfo.gov/content/pkg/FR-2016-07-28/pdf/2016-17874.pdf#page=1 81 Fed. Reg. 49689] (July 28, 2016)).
39. Cready v. Principi, 297 F. Supp. 2d 178 (D.D.C. 2003).
+
*[https://archives.federalregister.gov/issue_slice/1975/12/4/56740-56743.pdf Implementation of the Privacy Act Supplemental Guidance], 40 Fed. Reg. 56741 (Dec. 4,1975) (system of records definition, routine use and intra-agency disclosures, consent and congressional inquiries, accounting of disclosures, amendment appeals, rights of parents and legal guardians, relationship to FOIA).
40. Chang v. Dep’t of the Navy, 314 F. Supp.2d 35 (D.D.C. 2004).
+
*[https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/guidance1983.pdf Guidelines on the Relationship of the Debt Collection of 1982 to the Privacy Act of 1974], 48 Fed. Reg. 15556 (Apr. 11, 1983) (relationship to Debt Collection Act).
41. Maydak v. United States, 363 F.3d 512 (D.C. Cir. 2004).
+
*[https://archives.federalregister.gov/issue_slice/1987/4/20/12988-12993.pdf Guidance on the Privacy Act Implications of “Call Detail” Programs to Manage Employees’ Use of the Government’s Telecommunications Systems], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance_privacy_act.pdf 52 Fed. Reg. 12,990-93] (Apr. 20, 1987) (“call detail” programs).
42. Doe v. Chao, 540 U.S. 614 (2004).
+
*[https://archives.federalregister.gov/issue_slice/1989/6/19/25805-25829.pdf Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf 54 Fed. Reg. 25,818] (June 19, 1989) (computer matching).
43. NASA v. Nelson, 562 U.S. 134 (2011).
+
*[https://archives.federalregister.gov/issue_slice/1991/4/23/18598-18601.pdf The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/computer_amendments1991.pdf 56 Fed. Reg. 18,599] (proposed Apr. 23, 1991) (computer matching);
44. FAA v. Cooper, 132 S. Ct. 1441 (2012).
+
*[https://www.federalregister.gov/documents/1996/02/20/96-3645/management-of-federal-information-resources Management of Federal Information Resources], 61 Fed. Reg. 6428 (1996) (“Federal Agency Responsibilities for Maintaining Records About Individuals”).
45. Logan v. Dep’t of Veterans Affairs, 357 F. Supp. 2d 149 (D.D.C. 2004).
+
 
46. Oja v. U.S. Army Corps of Engineers, 440 F.3d 1122 (9th Cir. 2006).
+
Thus, when researching in this area, it may be important to check subsequent supplements.
47. McCready v. Nicholson, 465 F.3d 1 (D.C. Cir. 2006).
+
 
48. Bassiouni v. F.B.I., 436 F.3d 712 (7th Cir. 2006).
+
In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. [https://www.govinfo.gov/content/pkg/WCPD-1998-05-18/pdf/WCPD-1998-05-18-Pg870.pdf Memorandum on Privacy and Personal Information in Federal Records] (May 14, 1998). Specifically, the President directed each agency to designate a senior official responsibile for the agency's privacy policy to apply the Principles for Providing and Using Personal Information, which was developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995, and to review agency record systems to ensure compliance with the Privacy Act requirements. The agencies then reported the results of these reviews to OMB. The presidential memorandum also called for OMB to issue further guidance on the making of “routine use” disclosures under the Privacy Act.
49. Sussman v. U.S. Marshals Serv., 494 F.3d 1106 (D.C. Cir 2007).
+
 
50. Wilson v. Libby, 535 F.3d 697 (D.C. Cir. 2008).
+
Section 208 of the [[E-Government Act of 2002]] (44 U.S.C. [http://uscode.house.gov/view.xhtml?req=(title:44%20section:3501%20edition:prelim)%20OR%20(granuleid:USC-prelim-title44-section3501)&f=treesort&edition=prelim&num=0&jumpTo=true § 3501 note]) requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections, make those assessments publicly available, post privacy policies on agency websites used by the public, translate privacy policies into a standardized machine-readable format, and report annually to OMB on the agency's compliance with the E-Government Act.
51. Lane v. Dep’t of Interior, 523 F.3d 1128 (9th Cir. 2008).
+
 
52. Doe v. Dep’t of Veterans Affairs, 519 F.3d 456 (8th Cir. 2008).
+
In 2002, the Government Accountability Office (GAO) conducted an extensive review of agency Privacy Act practices and reported on its findings in June 2003. GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).
53. Rouse v. U.S. Dep’t of State, 567 F.3d 408 (9th Cir. 2009).
+
 
54. Maydak v United States, 630 F.3d 166 (D.C. Cir. 2010).
+
While most questions concerning the Privacy Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB guidelines, may be directed to the [https://www.whitehouse.gov/omb/information-regulatory-affairs/ Office of Information and Regulatory Affairs].
55. Speaker v. U.S. Dep’t of Health and Human Serv. Ctr. for Disease Control and Prevention, F.3d 1371 (11th Cir. 2010).
+
 
56. Sieverding v. U.S. Dep’t of Justice, 693 F. Supp. 2d 93 (D.D.C. 2010).
+
==Legislative History==
57. Shearson v U.S. Dep’t of Homeland Sec., 638 F.3d 498 (6th Cir. 2011).
+
The Privacy Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, data collection, and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.
58. Mobley v. CIA, 806 F.3d 568 (D.C. Cir. 2015).
+
 
59. Liff v. Office of Inspector Gen. for the United States Dep’t of Labor, 881 F.3d 912 (D.C. Cir. 2018)
+
The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled ''Analysis of House and Senate Compromise Amendments to the Federal Privacy Act''. ''See also'' [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S.3418 (Pub. L. No. 93-579): Source Book on Privacy] (1976).
Appendix:
+
 
1. Privacy Act, 5 U.S.C. § 552a (2012).
+
The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Privacy Act provided for two important means of further development and oversight. First, it instructed OMB to develop guidelines for the implementation of the Privacy Act throughout the executive branch. Second, it created the Privacy Protection Study Commission tasked with studying the issues raised by the Privacy Act and recommending further legislation. The Commission subsequently completed its thorough and informative report, [https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf Personal Privacy in an Information Society].
 +
 
 +
The bill was signed by President Ford on December 31, 1974 and became effective in September 1975.
 +
 
 +
===Source Note===
 +
The legislative history of the original Act is exhaustively collected in [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy] (1976).
 +
 
 +
The Department of Justice’s [https://www.justice.gov/opcl/overview-privacy-act-1974-2020-edition Overview of the Privacy Act of 1974] is updated periodically and discusses the extensive case law under the Privacy Act.
 +
 
 +
==Bibliography==
 +
===Legislative History and Congressional Documents===
 +
 
 +
*Joint Comm. on Government Operations, [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy], 94th Cong. (1976).
 +
*H.R. Rep. No. 100-802 (1988).
 +
*S. Rep. No. 100-516 (1988).
 +
*''Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress,'' ''H.R. Rep. No. 98-455'', Hearings Before Subcomm. of the H. Comm. on Gov’t Operations, 98th Cong. (1983).
 +
*America’s Healthy Future Act of 2009, [https://www.congress.gov/111/crpt/srpt89/CRPT-111srpt89.pdf S. Rep. No. 111-89] (2009).
 +
*The Restoring American Financial Stability Act of 2010, [https://www.congress.gov/111/crpt/srpt176/CRPT-111srpt176.pdf S. Rep. No. 111-176] (2010).
 +
*A Citizen’s Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, [https://www.govinfo.gov/content/pkg/CRPT-112hrpt689/pdf/CRPT-112hrpt689.pdf H.R. Rep. 112-689] (2012).
 +
 
 +
===Executive Orders and White House Documents===
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
*[https://www.govinfo.gov/content/pkg/WCPD-1998-05-18/pdf/WCPD-1998-05-18-Pg870.pdf Memorandum on Privacy and Personal Information in Federal Records] (May 14, 1998).
 +
*Executive Order 13478, [https://www.govinfo.gov/content/pkg/FR-2008-11-20/pdf/E8-27771.pdf Amendments to Executive Order 9397 Relating to Federal Agency Use of Social Security Numbers], 73 Fed. Reg. 70,239 (Nov. 20, 2008).
 +
</div>
 +
 
 +
===ACUS Recommendations===
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
*2020-2, [https://www.acus.gov/sites/default/files/documents/Recommendation%202020-2%2C%20Protected%20Materials%20CLEAN%2012%2028%202020.pdf Protected Materials in Public Rulemaking Dockets]
 +
*2021-6, [https://www.acus.gov/sites/default/files/documents/2021-6_Public_Access_to_Agency_Adjudicative_Proceedings.pdf Public Access to Agency Adjudicative Proceedings]
 +
</div>
 +
 
 +
===OMB/OIRA Documents===
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
*[https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf Circular A-130] (2016).
 +
*[https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A108/omb_circular_a-108.pdf Circular A-108] (2016).
 +
*[https://archives.federalregister.gov/issue_slice/1975/12/4/56740-56743.pdf Implementation of the Privacy Act of 1974, Supplementary Guidance], 40 Fed. Reg. 56741 (Dec. 4, 1975).
 +
*''Revised Supplemental Guidance for Conducting Matching Programs'', 47 Fed. Reg. 21656 (May 19, 1982).
 +
*https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/inforeg/guidance1983.pdf Debt Collection Act Guidelines], 48 Fed. Reg. 15556 (Apr. 11, 1983).
 +
*[https://www.govinfo.gov/app/details/FR-1975-07-09 Privacy Act Implementation Guidelines and Responsibilities], 40 Fed. Reg. 28948 (July 9, 1975); supplemented at:
 +
**[https://archives.federalregister.gov/issue_slice/1975/12/4/56740-56743.pdf 40 Fed. Reg. 56741] (1975).
 +
**49 Fed. Reg. 12338 (1984).
 +
**[https://archives.federalregister.gov/issue_slice/1989/6/19/25805-25829.pdf 54 Fed. Reg. 25818] (1989).
 +
*''Management of Federal Information Resources'', Circular A130, 50 Fed. Reg. 52730 (Dec. 24, 1985).
 +
*[https://archives.federalregister.gov/issue_slice/1987/4/15/12283-12339.pdf Final Guidance on Privacy Act Implications of “Call Detail” Programs], 52 Fed. Reg. 12290 (Apr. 20, 1987).
 +
*[https://archives.federalregister.gov/issue_slice/1989/6/19/25805-25829.pdf Final Guidance Interpreting the Provisions of Pub. L. No. 100-503, the Computer Matching and Privacy Protection Act of 1988], 54 Fed. Reg. 25818 (June 19, 1989).
 +
*[https://archives.federalregister.gov/issue_slice/1991/4/23/18598-18601.pdf The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974], 56 Fed. Reg. 18599 (Apr. 23, 1991).
 +
*''Proposed Revision of OMB Circular A130'', 57 Fed. Reg. 18296 (Apr. 29, 1992).
 +
*[https://www.govinfo.gov/content/pkg/FR-1996-02-20/pdf/96-3645.pdf Management of Federal Information Resources], 61 Fed. Reg. 6428 (Feb. 20, 1996).
 +
*M-0105, [https://www.whitehouse.gov/wp-content/uploads/2017/11/2001-M-01-05-Guidance-on-Inter-Agency-Sharing-of-Personal-Data-Protecting-Personal-Privacy.pdf Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy] (2000).
 +
*M-0322, [https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002] (2003).
 +
*[https://www.govinfo.gov/content/pkg/FR-2016-07-28/pdf/2016-17874.pdf#page=1 Revision of OMB Circular No. A-130 “Managing Information as a Strategic Resource”], 81 Fed. Reg. 49689 (July 28, 2016).
 +
*[https://www.whitehouse.gov/omb/management/egov/#R Archived Reports on E-Government Act Implementation from 2003-2015]
 +
*[https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/egov_implementation_report_6_17_16.pdf 2015 Annual Report to Congress: E-Government Act Implementation]
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/egov/documents/omb-fy-2016-egov-act-report.pdf 2016 Annual Report to Congress: E-Government Act Implementation]
 +
*M-21-04, [https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-04.pdf Modernizing Access to and Consent for Disclosure of Records Subject to the Privacy Act] (2020).
 +
</div>
 +
 
 +
===Other Government Documents===
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
*[https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf Personal Privacy in an Information Society: The Report of the Privacy Protection Study Commission] (1977).
 +
*Gen. Accounting Office, GAO/PEMD-87-2, [https://www.gao.gov/assets/150/144893.pdf Computer Matching: Assessing its Costs and Benefits] (1986).
 +
*Gen. Accounting Office, GAO/GGD-91-48, [https://www.gao.gov/assets/220/213974.pdf Peer Review: Compliance with the Privacy Act and the Federal Advisory Committee Act] (1991).
 +
*Gen. Accounting Office, GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).
 +
*[https://oversight.house.gov/wp-content/uploads/2012/09/Citizens-Guide-on-Using-FOIA.2012.pdf A Citizen’s Guide on Using the Freedom of Information Act and The Privacy Act of 1974 to Request Government Records], Report by the Comm. on Oversight and Gov’t Reform, 112th Cong. (2012).
 +
*Dep’t of Justice, [https://www.justice.gov/archives/opcl/overview-privacy-act-1974-2015-edition Overview of the Privacy Act of 1974] (2015).
 +
</div>
 +
 
 +
===Selected Books and Articles===
 +
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 +
*Lillian R. Bevier, [https://core.ac.uk/download/pdf/73966670.pdf Information about Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection], 4 Wm. & Mary Bill Rights J. 455 (1991).
 +
*Babette Boliek, ''Prioritizing Privacy in the Courts and Beyond'', 103 Cornell L. Rev. 1101 (2018).
 +
*Jonathan C. Bond, Note, [http://www.gwlr.org/wp-content/uploads/2012/08/76-5-Bond.pdf Defining Disclosure in a Digital Age: Updating the Privacy Act for the Twenty-First Century], 76 Geo. Wash. L. Rev. 1232 (2008).
 +
*William S. Challis & Ann Cavoukian, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1148&context=jitpl The Case for a U.S. Privacy Commissioner: A Canadian Commissioner’s Perspective], 19 J. Marshall J. Computer & Info. L. 1 (2000).
 +
*Todd Robert Coles, Comment, [https://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1848&context=aulr Does the Privacy Act of 1974 Protect Your Right to Privacy?: An Examination of the Routine Use Exemption], 40 Am. U. L. Rev. 957 (1991).
 +
*John M. Eden, [https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1140&context=dltr When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID], 2005 Duke L. & Tech. Rev. 20 (2005).
 +
*Haeji Hong, [https://www.uakron.edu/dotAsset/727663.pdf Dismantling the Private Enforcement of the Privacy Act of 1974: Doe v. Chao], 38 Akron L. Rev. 71 (2005).
 +
*Margaret Hu, ''The Ironic Privacy Act'', 96 Wash. U.L. Rev. 1267 (2019).
 +
*Joseph V. Kaplan & John Mahoney, ''Reckless Disregard: Intentional and Willful Violations of the Privacy Act’s Investigatory Requirements'', 44 Fed. Law. No. 4, at 38 (1997).
 +
*Alex Kardon, [http://www.harvard-jlpp.com/wp-content/uploads/2013/10/KardonFinal.pdf Damages under the Privacy Act: Sovereign Immunity and a Call for Legislative Reform], 34 Harv. J. L. & Pub. Pol’y 705 (2011).
 +
*Flavio Komuves, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1243&context=jitpl We’ve Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers], 16 J. Marshall J. Computer & Info. L. 529 (1998).
 +
*Frederick Z. Lodge, Note, [https://ir.lawnet.fordham.edu/cgi/viewcontent.cgi?article=2579&context=flr Damages Under the Privacy Act of 1974: Compensation and Deterrence], 52 Fordham L. Rev. 611 (1984).
 +
*Caleb A. Seeley, Note, [https://www.nyulawreview.org/wp-content/uploads/2018/08/NYULawReview-91-5-Seeley.pdf Once More unto the Breach: The Constitutional Right to Informational Privacy and the Privacy Act], 91 N.Y.U. L. Rev. 1355 (2016).
 +
*Lisa A. Reilly, ''The Government in the Sunshine Act and the Privacy Act'', 55 Geo. Wash. L. Rev. 955 (1987).
 +
*Nicole M. Quallen, [https://scholarship.law.unc.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=4408&context=nclr Damages under the Privacy Act: Is Emotional Harm Actual], 88 N.C. L. Rev. 334 (2009).
 +
*Paul M. Schwartz, [https://lawcat.berkeley.edu/record/1115037 Privacy and Participation: Personal Information and Public Sector Regulation in the United States], 80 Iowa L. Rev. 553 (1995).
 +
*Daniel Solove, [https://scholarship.law.gwu.edu/cgi/viewcontent.cgi?article=2085&context=faculty_publications Identity Theft, Privacy, and the Architecture of Vulnerability], 54 Hastings L.J. 1227 (2003).
 +
*Julianne M. Sullivan, Comment, [https://scholarlycommons.law.cwsl.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1168&context=cwlr Will the Privacy Act of 1974 Still Hold Up in 2004? How Advancing Technology Has Created a Need for a Change in the “System of Records” Analysis], 39 Cal. W. L. Rev. 395 (2003).
 +
*Thomas M. Susman, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=2035&context=lawreview Privacy Act and the Freedom of Information Act: Conflict and Resolution], 21 J. Marshall L. Rev. 703 (1988).
 +
*Ari Ezra Waldman, ''Privacy Law's False Promise'', 97 Wash. U.L. Rev. 773 (2020).
 +
</div>
 +
 
 +
===Selected Cases Not Included in the Text===
 +
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
 +
*''Stiles v. Atlanta Gas Light Co.'', 453 F. Supp. 798 (N.D. Ga. 1978).
 +
*''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979).
 +
*''Albright v. United States'', 631 F.2d 915 (D.C. Cir. 1980).
 +
*''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980).
 +
*''Exner v. FBI'', 612 F.2d 1202 (9th Cir. 1980).
 +
*''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981).
 +
*''Fitzpatrick v. United States'', 665 F.2d 327 (11th Cir. 1982).
 +
*''Clarkson v. IRS'', 678 F.2d 1368 (11th Cir. 1982).
 +
*''Johnson v. U.S. Dep’t of the Treasury'', 700 F.2d 971 (5th Cir. 1983).
 +
*''Thomas v. U.S. Dep’t of Energy'', 719 F.2d 342 (10th Cir. 1983).
 +
*''Molerio v. FBI'', 749 F.2d 815 (D.C. Cir. 1984).
 +
*''Elm v. Nat’l R.R. Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984).
 +
*''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
 +
*''Vymetalik v. FBI'', 785 F.2d 1090 (D.C. Cir. 1986).
 +
*''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987).
 +
*''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988).
 +
*''Johnston v. Horne'', 875 F.2d 1415 (9th Cir. 1989).
 +
*''Pototsky v. U.S. Dep’t of the Navy'', 717 F. Supp. 20 (D. Mass. 1989).
 +
*''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989).
 +
*''Quinn v. Stone'', 978 F.2d 126, 133 (3rd Cir. 1992).
 +
*''Kassel v.'' U.S. ''Dep’t of Veterans Affairs'', No. 87-217-S (D.N.H. Mar. 30, 1992).
 +
*''United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997).
 +
*''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976).
 +
*''In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439 (D.C. Cir. 1996).
 +
*''Alexander v. FBI'', 971 F. Supp. 603 (D.D.C. 1997).
 +
*''Shannon v. General Elec. Co.'', 812 F. Supp. 308 (N.D.N.Y. 1993).
 +
*''Henke v. U.S. Dep’t of Commerce'', 83 F.3d 1453 (D.C. Cir. 1996).
 +
*[http://www.vawd.uscourts.gov/OPINIONS/WILSON/600CV0005(3).PDF Falwell v. Exec. Office of the President], 113 F. Supp. 2d 967 (W.D. Va. 2000).
 +
*''Dale v. Exec. Office of the President'', 164 F. Supp. 2d 22 (D.D.C. 2001).
 +
*''Trulock v. DOJ'', No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
 +
*''Tripp v. Exec. Office of the President'', 200 F.R.D. 140 (D.D.C. 2001).
 +
*''Broaddrick v. Exec. Office of the President'', 139 F. Supp. 2d 55 (D.D.C. 2001).
 +
*''Flowers v. Exec. Office of the President'', 142 F. Supp. 2d 38 (D.D.C. 2001).
 +
*''Jones v. Exec. Office of the President'', 167 F. Supp. 2d 10 (D.D.C. 2001).
 +
*''Sculimbrene v. Reno'', 158 F. Supp. 2d 26 (D.D.C. 2001).
 +
*''Schwarz v. U.S. Dep’t of the Treasury'', 131 F. Supp. 2d 142 (D.D.C. 2000).
 +
*''Cobell v. Norton'', 157 F. Supp. 2d 82 (D.D.C. 2001).
 +
*''Cummings v. U.S. Dep’t of the Navy'', 279 F.3d 1051 (D.C. Cir. 2002).
 +
*''McCready v. Principi'', 297 F. Supp. 2d 178 (D.D.C. 2003).
 +
*''Chang v. U.S. Dep’t of the Navy'', 314 F. Supp.2d 35 (D.D.C. 2004).
 +
*''Maydak v. United States'', 363 F.3d 512 (D.C. Cir. 2004).
 +
*[https://supreme.justia.com/cases/federal/us/540/614/ Doe v. Chao], 540 U.S. 614 (2004).
 +
*''NASA v. Nelson'', 562 U.S. 134 (2011).
 +
*[https://casetext.com/case/fed-aviation-admin-v-cooper Fed. Aviation Admin. v. Cooper], 132 S. Ct. 1441 (2012).
 +
*''Logan v. U.S. Dep’t of Veterans Affairs'', 357 F. Supp. 2d 149 (D.D.C. 2004).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2006/03/13/0335877.pdf Oja v. U.S. Army Corps of Engineers], 440 F.3d 1122 (9th Cir. 2006).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/013337AFDE8A8304852574400044F8CC/$file/04-5425a.pdf McCready v. Nicholson], 465 F.3d 1 (D.C. Cir. 2006).
 +
*[http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2006/D01-30/C:04-3888:J:_:aut:T:op:N:0:S:0 Bassiouni v. FBI], 436 F.3d 712 (7th Cir. 2006).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/E94B1B7BAE4935098525744000455619/$file/06-5085b.pdf Sussman v. U.S. Marshals Serv.], 494 F.3d 1106 (D.C. Cir 2007).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/9F94563D7D135A85852578000052F342/$file/07-5257-1132633.pdf Wilson v. Libby], 535 F.3d 697 (D.C. Cir. 2008).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2008/05/02/0615191.pdf Lane v. U.S. Dep’t of the Interior], 523 F.3d 1128 (9th Cir. 2008).
 +
*[http://media.ca8.uscourts.gov/opndir/08/03/071576P.pdf Doe v. U.S. Dep’t of Veterans Affairs], 519 F.3d 456 (8th Cir. 2008).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2009/05/21/06-15967.pdf Rouse v. U.S. Dep’t of State], 567 F.3d 408 (9th Cir. 2009).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/EAC6966EA3FE7C2885257807005C6E66/$file/07-5352-1285040.pdf Maydak v United States], 630 F.3d 166 (D.C. Cir. 2010).
 +
*[http://media.ca11.uscourts.gov/opinions/pub/files/200916154.pdf Speaker v. U.S. Dep’t of Health and Human Serv. Ctr. for Disease Control and Prevention], F.3d 1371 (11th Cir. 2010).
 +
*[https://ecf.dcd.uscourts.gov/cgi-bin/show_public_doc?2009cv0562-58 Sieverding v. DOJ], 693 F. Supp. 2d 93 (D.D.C. 2010).
 +
*[http://www.opn.ca6.uscourts.gov/opinions.pdf/11a0098p-06.pdf Shearson v. DHS], 638 F.3d 498 (6th Cir. 2011).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/0BB43C9F640B98C685257EFC00544828/$file/13-5286-1583392.pdf Mobley v. CIA], 806 F.3d 568 (D.C. Cir. 2015).
 +
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/57E67EBF550EDDAB8525822C005378F2/$file/16-5045-1716627.pdf Liff v. Office of Inspector Gen. for the U.S. Dep’t of Labor], 881 F.3d 912 (D.C. Cir. 2018).
 +
*[https://casetext.com/case/fazaga-v-fed-bureau-of-investigation-3 Fazaga v. FBI], 916 F.3d 1201 (9th Cir. 2019).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2019/10/22/17-17349.pdf Rojas v. FAA], 941 F.3d 392 (9th Cir. 2019).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2019/09/11/18-15416.pdf Garris v. FBI], 937 F.3d 1284 (9th Cir. 2019).
 +
*[https://law.justia.com/cases/federal/appellate-courts/cadc/17-5117/17-5117-2019-06-21.html In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.], 928 F.3d 42 (D.C. Cir. 2019).
 +
</div>
 +
 
 +
==Statutory Provisions==
 +
Privacy Act
 +
 
 +
Title 5 U.S. Code
 +
 
 +
[http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim § 552a. Records maintained on individuals]

Latest revision as of 21:15, 15 August 2023

5 U.S.C. § 552a (2012), enacted by Pub. L. No. 93-579, § 3, 88 Stat. 1897, Dec. 31, 1974; significantly amended by Pub. L. No. 94-183, § 2(2), 89 Stat. 1057, Dec. 31, 1975; by Pub. L. No. 97-365, § 2, 96 Stat. 1749, Oct. 25, 1982; by Pub. L. No. 97-375, title II, § 201(a), (b), 96 Stat. 1821, Dec. 21, 1982; by Pub. L. No. 97-452, §2(a)(1), 96 Stat. 2478, Jan. 12, 1983; by Pub. L. No. 98-477, § 2(c), 98 Stat. 2211, Oct. 15, 1984; by Pub. L. No. 98-497, title I, §107(g), 98 Stat. 2292, Oct. 19, 1984; by Pub. L. No. 100-503, §§ 28, 102 Stat. 2507-2514, Oct. 18, 1988; by Pub. L. No. 101-508, title VII, §7201(b)(1), 104 Stat. 1388-(3), Nov. 5, 1990; by Pub. L. No. 103-66, title XIII, Ch. 2, subch. A, pt. V, §13581(c), 107 Stat. 611, Aug. 10, 1993; by Pub. L. No. 104-193, title I, § 110(w), 110 Stat. 2175, Aug. 22, 1996; by Pub. L. No. 104-226, § 1(b)(3), 110 Stat. 3033, Oct. 2, 1996; by Pub. L. No. 104-316, title I, § 115(g)(2)(b), 110 Stat. 3835, Oct. 19, 1996; by Pub. L. No. 105-34, title IX, subtitle C, § 1026(b)(2), 111 Stat. 925, Aug. 5, 1997; by Pub. L. No. 105-362, title XIII, § 1301(d), 112 Stat.3292, Nov. 10, 1998; by Pub. L. No. 108-271, 118 Stat. 814, July 7, 2004; by Pub. L. No. 111-148, Title VI, § 6402(b)(2), 124 Stat. 756, Mar. 23, 2010; by Pub. L. No. 111-203, Title X, § 1082, 124 Stat. 2080, July 21, 2010; by Pub. L. No. 113-295, Div. B, Title I, § 102(c), 128 Stat. 4062, Dec. 19, 2014.

Lead Agency:

Office of Management and Budget

Overview

The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Privacy Act gives individuals greater control over the gathering, dissemination, and accuracy of information collected about themselves by agencies. Miller v. United States, 630 F. Supp. 347 (E.D.N.Y. 1986). The main purpose of the Privacy Act is to forbid disclosure unless it is required by the Freedom of Information Act (FOIA). Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980). To protect individual privacy, the Privacy Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Privacy Act’s provisions.

Scope

The Privacy Act covers records maintained by agencies as defined in FOIA. It applies to Cabinet-level departments, independent regulatory agencies, military departments, and government corporations. § 552a(a)(1). It does not apply to the legislative branch, national banks (United States v. Miller, 643 F.2d 713 (10th Cir. 1981)), or Amtrak (Ehm v. National R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984), cert. denied, 469 U.S. 982 (1984)). See Alexander v. FBI, 971 F. Supp. 603, 606-07 (D.D.C. 1997) (recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, but, nevertheless rejecting such limitation with regard to “agency” as used in the Privacy Act due to the different purposes that the two statutes serve); Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (stating there is “no dispute” that General Electric (GE) falls within the definition of “agency” subject to requirements of the Privacy Act where, pursuant to a contract, it operated a Department of Energy-owned lab under the supervision, control, and oversight of the Department and where, by terms of the contract, GE agreed to comply with the Privacy Act).

A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. 5 U.S.C. § 552a(a)(4). The Privacy Act does not apply to all government records and documents that may contain an individual’s name or other private information. For example, it does not include the private notes of a supervisor if such notes are not used by the agency to make decisions. Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989). But such notes may become subject to the Privacy Act if they become part of an agency’s decision. Chapman v. NASA, 682 F.2d 526 (5th Cir. 1982), cert. denied, 469 U.S. 1038 (1984). The Act also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records. Thomas v. U.S. Dep’t of Energy, 719 F.2d 342 (10th Cir. 1983).

The Privacy Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information. 5 U.S.C. § 552a(a)(5). Agencies may maintain records covered by the Privacy Act only when they are relevant and necessary to accomplish the agency’s purpose. 5 U.S.C. § 552a(e)(1). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the [Office of Management and Budget] guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” Id. at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. Id. at 1459-61.

Access to Records

Where the agency is authorized to keep records covered by the Privacy Act, an individual has a right of access to records concerning him or her. This is a central protection of the Privacy Act for individuals. The individual has a right to:

  • Copy any or all of the record (§ 552a(d)(1));
  • Request amendment of the record (§ 552a(d)(2)) and file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4)); and
  • Request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).

The individual has an absolute right to access and need not provide any reason for seeking access. FTC v. Shaffner, 626 F.2d 32 (7th Cir. 1980).

Agency Requirements

For each system of records an agency maintains, it must:

  • Publish in the Federal Register the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources or records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. See, e.g., 5 U.S.C.§ 552a(b)(3), (e)(4), and (e)(11);
  • Maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
  • Establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Privacy Act and the agency’s implementing policies (§ 552a(e)(9));
  • Establish safeguards for the protection of records (§ 552a(e)(10)); and
  • Inform government contractors of their duties under the Privacy Act (§ 552a(m)).

When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Privacy Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual. 5 U.S.C. § 552a(e)(2). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information. 5 U.S.C. § 552a(e)(3).

The Privacy Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. It must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In Doe v. United States, 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of a disputed fact.

Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity. 5 U.S.C. § 552a(e)(7). Such records are subject to the Privacy Act even if not kept in “a system of records.” Clarkson v. IRS, 678 F.2d 1368, 1373-77 (11th Cir. 1982), cert. denied, 481 U.S. 1031. Cf. Pototsky v. U.S. Dep’t of Navy, 717 F. Supp. 20 (D. Mass. 1989). Guidelines from the Office of Management and Budget (OMB) call for the broadest reasonable interpretation of the prohibition.

Exemptions from Access

The Privacy Act provides general (§ 552a(j)) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. To be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Privacy Act and then publish the exemption as a rule under the Administrative Procedure Act’s (APA) notice-and-comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Privacy Act may leave the records subject to the Privacy Act. Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the Federal Register establishing the system of records. Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).

A general exemption denies access by an affected individual under virtually all the Privacy Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. Vymetalik v. FBI, 785 F.2d 1090, 1095 (D.C. Cir. 1986).

The specific exemptions (§ 552a(k)(1)(7)) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the APA, 5 U.S.C. § 553. The specific exemption is from a particular provision of the Privacy Act. The seven exemptions allowed are:

  • FOIA (b)(1) exemptions (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
  • Investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
  • Material maintained to provide protective service to the President or pursuant to 18 U.S.C. § 3056;
  • Confidential investigatory records relating to employment or contracts;
  • Statistical records required by statute;
  • Testing and examination material related to federal employment; and
  • Evaluations related to military promotions obtained confidentially.

An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979).

Restrictions on Disclosure

The Privacy Act prohibits disclosure of any record covered by the Privacy Act without the written request or prior written consent of the person whom the record concerns. 5 U.S.C. § 552a(b). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical Responsibilities for the Maintenance of Records About Individuals by Federal Agencies, 40 Fed. Reg. 28948, 28953 (July 9, 1975). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Privacy Act.

The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)(12)). They are:

  • Internal agency use on a need to know basis;
  • Proper requests under FOIA;
  • Routine use;
  • Census Bureau activities;
  • Statistical research where the recipient has given written assurance that records are not individually identifiable;
  • National Archives preservation;
  • Information to Congress;
  • Information to the Comptroller General in performing Government Accountability Office (GAO) duties;
  • Showing of compelling circumstances affecting the health or safety of an individual;
  • Pursuant to court order (subpoenas issued by clerks of courts are not “orders” Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798, 800 (N.D. Ga. 1978));
  • To a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
  • Use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion of the record sought, and (3) describes the relevant enforcement activity. See Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).

“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected.” 5 U.S.C. § 552a(a)(7). Each routine use is identified in the Federal Register notice upon establishment or revision of each system of records. 5 U.S.C. (§ 552a(e)(4)(D). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records. Covert v. Harrington, 876 F.2d 751 (9th Cir. 1989); Doe v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988); Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists. NASA v. Nelson, 562 U.S. 134, 153-55 (2011).

Review, Relief, Remedies

The Privacy Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests. 5 U.S.C. § 552a(f). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Privacy Act or regulations issued thereunder that adversely affect the individual. 5 U.S.C. § 552a(g)(1). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Privacy Act caused the actual damages complained of. Molerio v. FBI, 749 F.2d 815, 826 (D.C. Cir. 1984). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages. https://tile.loc.gov/storage-services/service/ll/usrep/usrep566/usrep566284/usrep566284.pdf Fed. Aviation Admin. v. Cooper], 566 U.S. 284 (2012). Remedies for failure to grant access or refusal to amend are injunctive.

An individual bringing a claim under § 552a(g)(1) must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied. Gizoni v. Sw. Marine, Inc., 909 F.2d 385 (9th Cir. 1990).

Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses. 5 U.S.C. § 552a(i). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. See United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997) (finding the defendant not guilty; that the prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; and that the evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). See generally In re Mullins (Tamposi Fee Application), 84 F.3d 1439, 1441 (D.C. Cir. 1996) (per curiam) (indicating the application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under the Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, Gerlich v. DOJ, 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.

The Privacy Act provides a two-year statute of limitations. 5 U.S.C. § 552a(g)(5). The time begins to run when a reasonable person should have known of the alleged violation. Rose v. United States, 905 F.2d 1257, 1259 (9th Cir. 1990); Diliberti v. United States, 817 F.2d 1259, 1262 (7th Cir. 1987).

Computer Matching

The Privacy Act was amended in 1988 by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503). OMB issued final guidance implementing the amendment’s provisions on June 19, 1989. Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25818 (June 19, 1989)). The amendments added § 552a(o)-(q) to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring Federal Register notice of matching agreements, reports to OMB and Congress, and the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.

Relationship to the FOIA

Two provisions relate to FOIA. 5 U.S.C. § 552. Section 552a(b)(2) exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other. 5 U.S.C. § 552a(t). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required. 5 U.S.C. § 552a(c)(1). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record. 5 U.S.C. § 552a(e)(6). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act. 5 U.S.C. § 552a(k)(1).

Social Security Numbers

The Privacy Act restricts use of an individual’s Social Security account number. Pub. L. No. 93-579, § 7 (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments, as well as to the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976 (Pub. L. No. 94-455), the Deficit Reduction Act of 1984 (Pub. L. No. 98-369), and the Debt Collection Act of 1982 (Pub. L. No. 97-365). In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law.” Pub. L. No. 94-455, amending 42 U.S.C. § 405(c)(2).

Oversight

The Privacy Act requires OMB to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. Albright v. United States, 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992). However, a few courts have rejected particular aspects of the OMB guidelines as inconsistent with the statute. See, e.g., Kassel v. U.S. Dep’t of Veterans Affairs, No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); Doe v. Chao, 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).

The vast majority of OMB’s Privacy Act guidelines are published in Privacy Act Implementation Guidelines and Responsibilities, 40 Fed. Reg. 28948 (1975). However, these original guidelines have been supplemented in particular subject areas over the years, including:

Thus, when researching in this area, it may be important to check subsequent supplements.

In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. Memorandum on Privacy and Personal Information in Federal Records (May 14, 1998). Specifically, the President directed each agency to designate a senior official responsibile for the agency's privacy policy to apply the Principles for Providing and Using Personal Information, which was developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995, and to review agency record systems to ensure compliance with the Privacy Act requirements. The agencies then reported the results of these reviews to OMB. The presidential memorandum also called for OMB to issue further guidance on the making of “routine use” disclosures under the Privacy Act.

Section 208 of the E-Government Act of 2002 (44 U.S.C. § 3501 note) requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections, make those assessments publicly available, post privacy policies on agency websites used by the public, translate privacy policies into a standardized machine-readable format, and report annually to OMB on the agency's compliance with the E-Government Act.

In 2002, the Government Accountability Office (GAO) conducted an extensive review of agency Privacy Act practices and reported on its findings in June 2003. GAO-03-304, Privacy Act: OMB Leadership Needed to Improve Agency Compliance (2003).

While most questions concerning the Privacy Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB guidelines, may be directed to the Office of Information and Regulatory Affairs.

Legislative History

The Privacy Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, data collection, and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.

The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled Analysis of House and Senate Compromise Amendments to the Federal Privacy Act. See also Legislative History of the Privacy Act of 1974, S.3418 (Pub. L. No. 93-579): Source Book on Privacy (1976).

The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Privacy Act provided for two important means of further development and oversight. First, it instructed OMB to develop guidelines for the implementation of the Privacy Act throughout the executive branch. Second, it created the Privacy Protection Study Commission tasked with studying the issues raised by the Privacy Act and recommending further legislation. The Commission subsequently completed its thorough and informative report, Personal Privacy in an Information Society.

The bill was signed by President Ford on December 31, 1974 and became effective in September 1975.

Source Note

The legislative history of the original Act is exhaustively collected in Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy (1976).

The Department of Justice’s Overview of the Privacy Act of 1974 is updated periodically and discusses the extensive case law under the Privacy Act.

Bibliography

Legislative History and Congressional Documents

Executive Orders and White House Documents

ACUS Recommendations

OMB/OIRA Documents

Other Government Documents

Selected Books and Articles

Selected Cases Not Included in the Text

  • Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798 (N.D. Ga. 1978).
  • Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979).
  • Albright v. United States, 631 F.2d 915 (D.C. Cir. 1980).
  • Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980).
  • Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980).
  • United States v. Miller, 643 F.2d 713 (10th Cir. 1981).
  • Fitzpatrick v. United States, 665 F.2d 327 (11th Cir. 1982).
  • Clarkson v. IRS, 678 F.2d 1368 (11th Cir. 1982).
  • Johnson v. U.S. Dep’t of the Treasury, 700 F.2d 971 (5th Cir. 1983).
  • Thomas v. U.S. Dep’t of Energy, 719 F.2d 342 (10th Cir. 1983).
  • Molerio v. FBI, 749 F.2d 815 (D.C. Cir. 1984).
  • Elm v. Nat’l R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984).
  • Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).
  • Vymetalik v. FBI, 785 F.2d 1090 (D.C. Cir. 1986).
  • Doe v. United States, 821 F.2d 694 (D.C. Cir. 1987).
  • Doe v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988).
  • Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989).
  • Pototsky v. U.S. Dep’t of the Navy, 717 F. Supp. 20 (D. Mass. 1989).
  • Covert v. Harrington, 876 F.2d 751 (9th Cir. 1989).
  • Quinn v. Stone, 978 F.2d 126, 133 (3rd Cir. 1992).
  • Kassel v. U.S. Dep’t of Veterans Affairs, No. 87-217-S (D.N.H. Mar. 30, 1992).
  • United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997).
  • United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976).
  • In re Mullins (Tamposi Fee Application), 84 F.3d 1439 (D.C. Cir. 1996).
  • Alexander v. FBI, 971 F. Supp. 603 (D.D.C. 1997).
  • Shannon v. General Elec. Co., 812 F. Supp. 308 (N.D.N.Y. 1993).
  • Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453 (D.C. Cir. 1996).
  • Falwell v. Exec. Office of the President, 113 F. Supp. 2d 967 (W.D. Va. 2000).
  • Dale v. Exec. Office of the President, 164 F. Supp. 2d 22 (D.D.C. 2001).
  • Trulock v. DOJ, No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
  • Tripp v. Exec. Office of the President, 200 F.R.D. 140 (D.D.C. 2001).
  • Broaddrick v. Exec. Office of the President, 139 F. Supp. 2d 55 (D.D.C. 2001).
  • Flowers v. Exec. Office of the President, 142 F. Supp. 2d 38 (D.D.C. 2001).
  • Jones v. Exec. Office of the President, 167 F. Supp. 2d 10 (D.D.C. 2001).
  • Sculimbrene v. Reno, 158 F. Supp. 2d 26 (D.D.C. 2001).
  • Schwarz v. U.S. Dep’t of the Treasury, 131 F. Supp. 2d 142 (D.D.C. 2000).
  • Cobell v. Norton, 157 F. Supp. 2d 82 (D.D.C. 2001).
  • Cummings v. U.S. Dep’t of the Navy, 279 F.3d 1051 (D.C. Cir. 2002).
  • McCready v. Principi, 297 F. Supp. 2d 178 (D.D.C. 2003).
  • Chang v. U.S. Dep’t of the Navy, 314 F. Supp.2d 35 (D.D.C. 2004).
  • Maydak v. United States, 363 F.3d 512 (D.C. Cir. 2004).
  • Doe v. Chao, 540 U.S. 614 (2004).
  • NASA v. Nelson, 562 U.S. 134 (2011).
  • Fed. Aviation Admin. v. Cooper, 132 S. Ct. 1441 (2012).
  • Logan v. U.S. Dep’t of Veterans Affairs, 357 F. Supp. 2d 149 (D.D.C. 2004).
  • Oja v. U.S. Army Corps of Engineers, 440 F.3d 1122 (9th Cir. 2006).
  • McCready v. Nicholson, 465 F.3d 1 (D.C. Cir. 2006).
  • Bassiouni v. FBI, 436 F.3d 712 (7th Cir. 2006).
  • Sussman v. U.S. Marshals Serv., 494 F.3d 1106 (D.C. Cir 2007).
  • Wilson v. Libby, 535 F.3d 697 (D.C. Cir. 2008).
  • Lane v. U.S. Dep’t of the Interior, 523 F.3d 1128 (9th Cir. 2008).
  • Doe v. U.S. Dep’t of Veterans Affairs, 519 F.3d 456 (8th Cir. 2008).
  • Rouse v. U.S. Dep’t of State, 567 F.3d 408 (9th Cir. 2009).
  • Maydak v United States, 630 F.3d 166 (D.C. Cir. 2010).
  • Speaker v. U.S. Dep’t of Health and Human Serv. Ctr. for Disease Control and Prevention, F.3d 1371 (11th Cir. 2010).
  • Sieverding v. DOJ, 693 F. Supp. 2d 93 (D.D.C. 2010).
  • Shearson v. DHS, 638 F.3d 498 (6th Cir. 2011).
  • Mobley v. CIA, 806 F.3d 568 (D.C. Cir. 2015).
  • Liff v. Office of Inspector Gen. for the U.S. Dep’t of Labor, 881 F.3d 912 (D.C. Cir. 2018).
  • Fazaga v. FBI, 916 F.3d 1201 (9th Cir. 2019).
  • Rojas v. FAA, 941 F.3d 392 (9th Cir. 2019).
  • Garris v. FBI, 937 F.3d 1284 (9th Cir. 2019).
  • In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42 (D.C. Cir. 2019).

Statutory Provisions

Privacy Act

Title 5 U.S. Code

§ 552a. Records maintained on individuals