Difference between revisions of "Privacy Act"

From acus wiki
(Selected Books and Articles)
(Added OMB Circular A-108 and three 2019 cases.)
(11 intermediate revisions by 2 users not shown)
Line 6: Line 6:
  
 
==Overview==
 
==Overview==
The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Privacy Act gives individuals greater control over gathering, dissemination, and ensuring accuracy of information collected about themselves by agencies. (''Miller v. United States'', 630 F. Supp. 347 (E.D.N.Y. 1986)). The main purpose of the Privacy Act is to forbid disclosure unless it is required by the [[Freedom of Information Act]]. (''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980)). To protect individual privacy, the Privacy Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Privacy Act’s provisions.
+
The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Privacy Act gives individuals greater control over the gathering, dissemination, and accuracy of information collected about themselves by agencies. (''Miller v. United States'', 630 F. Supp. 347 (E.D.N.Y. 1986)). The main purpose of the Privacy Act is to forbid disclosure unless it is required by the [[Freedom of Information Act]] (FOIA). (''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980)). To protect individual privacy, the Privacy Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Privacy Act’s provisions.
  
 
===Scope===
 
===Scope===
  
The Privacy Act covers records maintained by agencies as defined in FOIA. It applies to Cabinet level departments, independent regulatory agencies, military departments, and government corporations (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(a)(1)]). It does not apply to the legislative branch, national banks (''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981)), or Amtrak (''Ehm v. National R.R.'' ''Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984), ''cert. denied'', 469 U.S. 982 (1984)). ''See Alexander v. FBI'', 971 F. Supp. 603, 606-07 (D.D.C. 1997) (although recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, nevertheless rejecting such limitation with regard to “agency” as used in Privacy Act due to different purposes that the two statutes serve); ''Shannon v. Gen. Elec. Co.'', 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (“no dispute” that GE falls within definition of “agency” subject to requirements of Privacy Act where pursuant to contract it operated Department of Energy-owned lab under supervision, control, and oversight of department and where by terms of contract GE agreed to comply with Privacy Act).
+
The Privacy Act covers records maintained by agencies as defined in FOIA. It applies to Cabinet level departments, independent regulatory agencies, military departments, and government corporations ([http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim § 552a(a)(1)]). It does not apply to the legislative branch, national banks (''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981)), or Amtrak (''Ehm v. National R.R.'' ''Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984), ''cert. denied'', 469 U.S. 982 (1984)). ''See Alexander v. FBI'', 971 F. Supp. 603, 606-07 (D.D.C. 1997) (although recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, nevertheless rejecting such limitation with regard to “agency” as used in Privacy Act due to different purposes that the two statutes serve); ''Shannon v. Gen. Elec. Co.'', 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (“no dispute” that GE falls within definition of “agency” subject to requirements of Privacy Act where pursuant to contract it operated Department of Energy-owned lab under supervision, control, and oversight of department and where by terms of contract GE agreed to comply with Privacy Act).
  
A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(a)(4)]). It does not apply to all government records and documents that may contain an individual’s name or other private information. For example, it does not include private notes of a supervisor if such notes are not used by the agency to make decisions (''Johnston v. Horne'', 875 F.2d 1415 (9th Cir. 1989)), but such notes may become subject to the Privacy Act if they become part of an agency’s decision. (''Chapman v. NASA'', 682 F.2d 526 (5th Cir. 1982), ''cert. denied'', 469 U.S. 1038 (1984)). It also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records (''Thomas v. U.S. Dep't of Energy'', 719 F.2d 342 (10th Cir. 1983)).
+
A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. (§ 552a(a)(4)). It does not apply to all government records and documents that may contain an individual’s name or other private information. For example, it does not include private notes of a supervisor if such notes are not used by the agency to make decisions (''Johnston v. Horne'', 875 F.2d 1415 (9th Cir. 1989)), but such notes may become subject to the Privacy Act if they become part of an agency’s decision. (''Chapman v. NASA'', 682 F.2d 526 (5th Cir. 1982), ''cert. denied'', 469 U.S. 1038 (1984)). It also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records (''Thomas v. U.S. Dep’t of Energy'', 719 F.2d 342 (10th Cir. 1983)).
  
The Privacy Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(a)(5)]). Agencies may maintain records covered by the Privacy Act only when they are relevant and necessary to accomplish the agency’s purpose (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(e)(1)]). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in ''Henke v. U.S. Dep't of Commerce'', 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” ''Id.'' at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. ''Id.'' at 1459-61.
+
The Privacy Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information (§ 552a(a)(5)). Agencies may maintain records covered by the Privacy Act only when they are relevant and necessary to accomplish the agency’s purpose (§ 552a(e)(1)). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in ''Henke v. U.S. Dep’t of Commerce'', 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” ''Id.'' at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. ''Id.'' at 1459-61.
  
 
===Access to Records===
 
===Access to Records===
 
Where the agency is authorized to keep records covered by the Privacy Act, an individual has a right of access to records concerning him or her. This is a central protection of the Privacy Act for individuals. The individual has a right to:
 
Where the agency is authorized to keep records covered by the Privacy Act, an individual has a right of access to records concerning him or her. This is a central protection of the Privacy Act for individuals. The individual has a right to:
*Copy any or all of the record (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(d)(1)]);
+
 
*Request amendment of the record (§ 552a(d)(2)) and to file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4));
+
*copy any or all of the record (§ 552a(d)(1));
*Request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).
+
*request amendment of the record (§ 552a(d)(2)) and to file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4)); and
 +
*request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).
 +
 
 
The individual has an absolute right to access and need not provide any reason for seeking access (''FTC v. Shaffner'', 626 F.2d 32 (7th Cir. 1980)).
 
The individual has an absolute right to access and need not provide any reason for seeking access (''FTC v. Shaffner'', 626 F.2d 32 (7th Cir. 1980)).
  
 
===Agency Requirements===  
 
===Agency Requirements===  
 
For each system of records an agency maintains, it must:
 
For each system of records an agency maintains, it must:
*Publish in the ''Federal Register'' the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources or records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. ''See, e.g.,'' § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(b)(3)], (e)(4), and (e)(11).
 
*Maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
 
*Establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Privacy Act and the agency’s implementing policies (§ 552a(e)(9));
 
*Establish safeguards for the protection of records (§ 552a(e)(10)); and
 
*Inform government contractors of their duties under the Privacy Act (§ 552a(m)).
 
  
When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Privacy Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(e)(2)]). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information (§ 552a(e)(3)).
+
*publish in the ''Federal Register'' the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources or records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. ''See, e.g.,'' § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(b)(3)], (e)(4), and (e)(11).
 +
*maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
 +
*establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Privacy Act and the agency’s implementing policies (§ 552a(e)(9));
 +
*establish safeguards for the protection of records (§ 552a(e)(10)); and
 +
*inform government contractors of their duties under the Privacy Act (§ 552a(m)).
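Review bot: Lowercasing the list items so that they continue "it must:" does not work for the first item, "publish in the ''Federal Register'' ...", which still contains three further full sentences ("Any new use ...", "Exempt systems must also be noticed.", "''See, e.g.,'' ...") and ends in a period while the other items end in semicolons. Consider moving those sentences into a paragraph after the list and ending the item with a semicolon. The same item still reads "the sources or records in the system", carried over unchanged from the old revision; check whether "sources of records" is meant.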
 +
 
 +
When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Privacy Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual (§ 552a(e)(2)). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information (§ 552a(e)(3)).
  
 
The Privacy Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. It must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In ''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of disputed fact.
 
The Privacy Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. It must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In ''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of disputed fact.
  
Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(e)(7)]). Such records are subject to the Privacy Act even if not kept in “a system of records.” ''Clarkson v. IRS'', 678 F.2d 1368 at 1373-77 (11th Cir. 1982), ''cert. denied'', 481 U.S. 1031. ''Cf. Pototsky v. U.S. Dep't of Navy'', 717 F. Supp. 20 (D. Mass. 1989). OMB guidelines call for the broadest reasonable interpretation of the prohibition.
+
Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity (§ 552a(e)(7)). Such records are subject to the Privacy Act even if not kept in “a system of records.” ''Clarkson v. IRS'', 678 F.2d 1368 at 1373-77 (11th Cir. 1982), ''cert. denied'', 481 U.S. 1031. ''Cf. Pototsky v. U.S. Dep’t of Navy'', 717 F. Supp. 20 (D. Mass. 1989). Guidelines from the Office of Management and Budget (OMB) call for the broadest reasonable interpretation of the prohibition.
  
 
===Exemptions from Access===
 
===Exemptions from Access===
The Privacy Act provides general (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(j)]) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. To be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Privacy Act and then publish the exemption as a rule under the APA’s notice and comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Privacy Act may leave the records subject to the Privacy Act. ''Exner v. FBI'', 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the ''Federal Register'' establishing the system of records. ''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
+
The Privacy Act provides general (§ 552a(j)) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. To be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Privacy Act and then publish the exemption as a rule under the [[Administrative Procedure Act]]’s (APA) notice-and-comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Privacy Act may leave the records subject to the Privacy Act. ''Exner v. FBI'', 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the ''Federal Register'' establishing the system of records. ''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
  
 
A general exemption denies access by an affected individual under virtually all the Privacy Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. ''Vymetalik v. FBI'', 785 F.2d 1090, 1095 (D.C. Cir. 1986).
 
A general exemption denies access by an affected individual under virtually all the Privacy Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. ''Vymetalik v. FBI'', 785 F.2d 1090, 1095 (D.C. Cir. 1986).
  
The specific exemptions (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(k)(1)(7)]) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the APA (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section553&num=0&edition=prelim 553]). The specific exemption is from a particular provision of the Privacy Act. The seven exemptions allowed are:
+
The specific exemptions (§ 552a(k)(1)(7)) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the [[Administrative Procedure Act|APA]] (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section553&num=0&edition=prelim 553]). The specific exemption is from a particular provision of the Privacy Act. The seven exemptions allowed are:
*FOIA (b)(1) exemptions (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
+
 
*Investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
+
*[http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552&num=0&edition=prelim FOIA (b)(1) exemptions] (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
*Material maintained to provide protective service to the President or pursuant to 18 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title18-section3056&num=0&edition=prelim 3056];
+
*investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
*Confidential investigatory records relating to employment or contracts;
+
*material maintained to provide protective service to the President or pursuant to 18 U.S.C. [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title18-section3056&num=0&edition=prelim § 3056];
*Statistical records required by statute;
+
*confidential investigatory records relating to employment or contracts;
*Testing and examination material related to federal employment; and
+
*statistical records required by statute;
*Evaluations related to military promotions obtained confidentially.
+
*testing and examination material related to federal employment; and
 +
*evaluations related to military promotions obtained confidentially.
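Review bot: The citation in the sentence introducing this list, "(§ 552a(k)(1)(7))", reads as a single subdivision, but the sentence goes on to say "The seven exemptions allowed are:", so a range is intended. The edit removed the link from this citation without restoring the range separator; write it as "§ 552a(k)(1)-(7)".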
  
 
An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. ''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979).
 
An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. ''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979).
  
 
===Restrictions on Disclosure===
 
===Restrictions on Disclosure===
The Privacy Act prohibits disclosure of any record covered by the Privacy Act without the written request or prior written consent of the person whom the record concerns (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(b)]). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical (OMB Privacy Act Guidelines, 40 Fed. Reg. 28,948, 28,953 (July 9, 1975)). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Privacy Act.
+
The Privacy Act prohibits disclosure of any record covered by the Privacy Act without the written request or prior written consent of the person whom the record concerns (§ 552a(b)). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation_guidelines.pdf Responsibilities for the Maintenance of Records About Individuals by Federal Agencies], 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Privacy Act.
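Review bot: The new sentence drops the parentheses that set off the OMB guidelines citation, so the link text now runs straight on from "written, oral, electronic, or mechanical" with no punctuation between the sentence and its citation. Either keep the parentheses around the linked title and the "40 Fed. Reg." cite, or end the sentence after "mechanical" and give the citation as its own citation sentence, as the routine-use paragraph in this revision does.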
  
 
The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)(12)). They are:
 
The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)(12)). They are:
*Internal agency use on a need to know basis;
+
 
*Proper requests under FOIA;
+
*internal agency use on a need to know basis;
*Routine use;
+
*proper requests under FOIA;
 +
*routine use;
 
*Census Bureau activities;
 
*Census Bureau activities;
*Statistical research where the recipient has given written assurance that records are not individually identifiable;
+
*statistical research where the recipient has given written assurance that records are not individually identifiable;
 
*National Archives preservation;
 
*National Archives preservation;
*Information to Congress;
+
*information to Congress;
*Information to the Comptroller General in performing GAO duties;
+
*information to the Comptroller General in performing Government Accountability Office (GAO) duties;
*Showing of compelling circumstances affecting the health or safety of an individual;
+
*showing of compelling circumstances affecting the health or safety of an individual;
*Pursuant to court order (subpoenas issued by clerks of courts are not “orders”; ''Stiles v. Atlanta Gas Light Co.'', 453 F. Supp. 798, 800 (N.D. Ga. 1978));
+
*pursuant to court order (subpoenas issued by clerks of courts are not “orders” ''Stiles v. Atlanta Gas Light Co.'', 453 F. Supp. 798, 800 (N.D. Ga. 1978));
*To a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
+
*to a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
*Use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity. . .” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion of the record sought, and (3) describes the relevant enforcement activity. (''See Doe v. Naval Air Station'', above.)
+
*use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion of the record sought, and (3) describes the relevant enforcement activity. ''See Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
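Review bot: In the court-order item the semicolon after “orders” was removed, leaving "are not “orders” ''Stiles v. Atlanta Gas Light Co.''" with nothing separating the statement from its citation inside the parenthetical. Restore the semicolon or move the citation outside the parentheses. Separately, the unchanged lead-in cites "(§ 552a(b)(1)(12))" for a list of 12 exceptions; a range, "(b)(1)-(12)", is intended.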
  
“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected” (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(a)(7)]). Each routine use is identified in the Federal Register notice upon establishment or revision of each system of records (§ 552a(e)(4)(D)). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records (''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989); ''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988); ''Zeller v. United States'', above). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists (''NASA v. Nelson'', 562 U.S. 134, 153-55 (2011)).
+
“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected” (§ 552a(a)(7)). Each routine use is identified in the ''Federal Register'' notice upon establishment or revision of each system of records (§ 552a(e)(4)(D)). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records. ''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989); ''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988); ''Zeller v. United States'', 467 F. Supp. 487 (E.D.N.Y. 1979). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists. ''NASA v. Nelson'', 562 U.S. 134, 153-55 (2011).
  
 
===Review, Relief, Remedies===
 
===Review, Relief, Remedies===
The Privacy Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(f)]). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Privacy Act or regulations issued thereunder that adversely affect the individual (§ 552a(g)(1)). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Privacy Act caused the actual damages complained of (''Molerio v. FBI'', 749 F.2d 815, 826 (D.C. Cir. 1984)). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages (''[https://www.supremecourt.gov/opinions/11pdf/10-1024.pdf Fed. Aviation Admin. v. Cooper]'', 566 U.S. 284 (2012)). Remedies for failure to grant access or refusal to amend are injunctive.
+
The Privacy Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests (§ 552a(f)). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Privacy Act or regulations issued thereunder that adversely affect the individual (§ 552a(g)(1)). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Privacy Act caused the actual damages complained of. ''Molerio v. FBI'', 749 F.2d 815, 826 (D.C. Cir. 1984). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages. [https://www.supremecourt.gov/opinions/11pdf/10-1024.pdf Fed. Aviation Admin. v. Cooper], 566 U.S. 284 (2012). Remedies for failure to grant access or refusal to amend are injunctive.
  
An individual bringing a claim under [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim section 552a(g)(1)] must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied (''Gizoni v. Southwest Marine, Inc.'', 909 F.2d 385 (9th Cir. 1990)).
+
An individual bringing a claim under § 552a(g)(1) must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied. ''Gizoni v. Sw. Marine, Inc.'', 909 F.2d 385 (9th Cir. 1990).
  
Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(i)]). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. ''See United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997) (defendant found not guilty; prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); ''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). ''See generally In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439, 1441 (D.C. Cir. 1996) (per curiam) (case concerning application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, ''[https://www.cadc.uscourts.gov/internet/opinions.nsf/1E0F642CD84E034985257B3D004E4186/$file/09-5354-1427961.pdf Gerlich v. DOJ]'', 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. 
The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.
+
Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses (§ 552a(i)). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. ''See United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997) (defendant found not guilty; prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); ''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). ''See generally In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439, 1441 (D.C. Cir. 1996) (''per curiam'') (case concerning application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, [https://www.cadc.uscourts.gov/internet/opinions.nsf/1E0F642CD84E034985257B3D004E4186/$file/09-5354-1427961.pdf Gerlich v. DOJ], 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. 
The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.
  
The Privacy Act provides a two-year statute of limitations (§ [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim 552a(g)(5)]). The time begins to run when a reasonable person should have known of the alleged violation. ''Rose v. United States'', 905 F.2d 1257, 1259 (9th Cir. 1990); ''Diliberti v. United States'', 817 F.2d 1259, 1262 (7th Cir. 1987).
+
The Privacy Act provides a two-year statute of limitations (§ 552a(g)(5)). The time begins to run when a reasonable person should have known of the alleged violation. ''Rose v. United States'', 905 F.2d 1257, 1259 (9th Cir. 1990); ''Diliberti v. United States'', 817 F.2d 1259, 1262 (7th Cir. 1987).
  
 
===Computer Matching===
 
===Computer Matching===
The Privacy Act was amended in 1988 by [https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf Pub. L. No. 100-503], the Computer Matching and Privacy Protection Act of 1988. The Office of Management and Budget issued [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf final guidance] implementing the amendment’s provisions on June 19, 1989 (54 Fed. Reg. 25,818 (June 19, 1989)). The amendments added [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim sections 552a(o)-(q)] to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring Federal Register notice of matching agreements, by requiring reports to OMB and Congress, and by requiring the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.
+
The Privacy Act was amended in 1988 by the Computer Matching and Privacy Protection Act of 1988 ([https://www.govinfo.gov/content/pkg/STATUTE-102/pdf/STATUTE-102-Pg2507.pdf Pub. L. No. 100-503]). OMB issued final guidance implementing the amendment’s provisions on June 19, 1989. [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988], 54 Fed. Reg. 25,818 (June 19, 1989)). The amendments added § 552a(o)-(q) to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring ''Federal Register'' notice of matching agreements, by requiring reports to OMB and Congress, and by requiring the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.
  
 
===Relationship to the FOIA===
 
===Relationship to the FOIA===
Two provisions relate to the [[Freedom of Information Act]] (5 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552&num=0&edition=prelim 552]). [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552a&num=0&edition=prelim Section 552a(b)(2)] exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other (§ 552a(t)). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required (§ 552a(c)(1)). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record (§ 552a(e)(6)). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act (§ 552a(k)(1)).
+
Two provisions relate to FOIA (5 U.S.C. [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title5-section552&num=0&edition=prelim § 552]). Section 552a(b)(2) exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other (§ 552a(t)). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required (§ 552a(c)(1)). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record (§ 552a(e)(6)). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act (§ 552a(k)(1)).
  
 
===Social Security Numbers===
 
===Social Security Numbers===
The Privacy Act restricts use of an individual’s Social Security account number (Section 7 of [https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf Pub. L. No. 93-579], 88 Stat. 1896) (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments as well as the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976, the Deficit Reduction Act of 1984, and the Debt Collection Act of 1982. In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law . . . .” [http://uscode.house.gov/statutes/pl/94/55.pdf Pub. L. No. 94-55], 90 Stat. 1520, 1711, July 9, 1976, amending 42 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section405&num=0&edition=prelim 405(c)(2)]).
+
The Privacy Act restricts use of an individual’s Social Security account number ([https://www.govinfo.gov/content/pkg/STATUTE-88/pdf/STATUTE-88-Pg1896.pdf Pub. L. No. 93-579], § 7) (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments as well as the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976 ([http://uscode.house.gov/statutes/pl/94/455.pdf Pub. L. No. 94-455]), the Deficit Reduction Act of 1984 ([http://uscode.house.gov/statutes/pl/109/171.pdf Pub. L. No. 98-369]), and the Debt Collection Act of 1982 ([https://www.gpo.gov/fdsys/pkg/STATUTE-96/pdf/STATUTE-96-Pg1749.pdf Pub. L. No. 97-365]). In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law.” Pub. L. No. 94-455, amending 42 U.S.C. § [http://uscode.house.gov/view.xhtml?req=granuleid:USC-prelim-title42-section405&num=0&edition=prelim 405(c)(2)].
  
 
==Oversight==
 
==Oversight==
The Office of Management and Budget is required by the Privacy Act to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. (''Albright v. United States'', 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); ''Quinn v. Stone'', 978 F.2d 126, 133 (3d Cir. 1992)). However, a few courts have rejected particular aspects of the OMB Guidelines as inconsistent with the statute. ''See, e.g.'', ''Kassel v. U.S. Dep't of Veterans Affairs'', No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); ''[https://www.supremecourt.gov/opinions/03pdf/02-1377.pdf Doe v. Chao]'', 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).
+
The Privacy Act requires OMB to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. ''Albright v. United States'', 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); ''Quinn v. Stone'', 978 F.2d 126, 133 (3d Cir. 1992). However, a few courts have rejected particular aspects of the OMB Guidelines as inconsistent with the statute. ''See, e.g.'', ''Kassel v. U.S. Dep’t of Veterans Affairs'', No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); [https://www.supremecourt.gov/opinions/03pdf/02-1377.pdf Doe v. Chao], 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).
  
The vast majority of OMB’s Privacy Act guidelines are published at [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation_guidelines.pdf 40 Fed. Reg. 28,948-78] (1975). However, these original guidelines have been supplemented in particular subject areas over the years. ''See'' [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf Appendix I to OMB Circular No. A-130] (initially published at 50 Fed. Reg. 52,730 (Dec. 24, 1985); most recently revised at [https://www.govinfo.gov/content/pkg/FR-2016-07-28/pdf/2016-17874.pdf#page=1 81 Fed. Reg. 49,689] (July 28, 2016)). ''See also'' [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation1974.pdf 40 Fed. Reg. 56,741-43] (1975) (system of records definition, routine use and intra-agency disclosures, consent and congressional inquiries, accounting of disclosures, amendment appeals, rights of parents and legal guardians, relationship to FOIA); [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance1983.pdf 48 Fed. Reg. 15,556-60] (1983) (relationship to Debt Collection Act); [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance_privacy_act.pdf 52 Fed. Reg. 12,990-93] (1987) (“call detail” programs); [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf 54 Fed. Reg. 25,818-29] (1989) (computer matching); [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/computer_amendments1991.pdf 56 Fed. Reg. 18,599-601] (proposed Apr. 23, 1991) (computer matching); [https://www.govinfo.gov/content/pkg/FR-1996-02-20/pdf/96-3645.pdf 61 Fed. Reg. 6428, 6435-39] (1996)(“Federal Agency Responsibilities for Maintaining Records About Individuals”). Thus, when researching in this area, it may be important to check subsequent supplements.
+
The vast majority of OMB’s Privacy Act guidelines are published in [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation_guidelines.pdf Privacy Act Implementation Guidelines and Responsibilities], 40 Fed. Reg. 28,948 (1975). However, these original guidelines have been supplemented in particular subject areas over the years, including:
  
In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. [https://www.govinfo.gov/content/pkg/WCPD-1998-05-18/pdf/WCPD-1998-05-18-Pg870.pdf Memorandum on Privacy and Personal Information in Federal Records] (May 14, 1998). Specifically, the President directed each agency to designate a senior official with responsibility for privacy policy to apply the Principles for Providing and Using Personal Information that were developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995, and to conduct a series of reviews of agency record systems in order to ensure compliance with Privacy Act requirements. The Privacy Act related reviews, conducted in accordance with instructions issued by OMB, reported results to OMB. The memorandum also provided that OMB issue further guidance on the making of “routine use” disclosures under the Privacy Act.
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf Appendix I to OMB Circular No. A-130], most recently revised at [https://www.govinfo.gov/content/pkg/FR-2016-07-28/pdf/2016-17874.pdf#page=1 81 Fed. Reg. 49,689] (July 28, 2016)).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation1974.pdf Implementation of the Privacy Act Supplemental Guidance], 40 Fed. Reg. 56,741 (Dec. 4,1975) (system of records definition, routine use and intra-agency disclosures, consent and congressional inquiries, accounting of disclosures, amendment appeals, rights of parents and legal guardians, relationship to FOIA).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance1983.pdf Guidelines on the Relationship of the Debt Collection of 1982 to the Privacy Act of 1974], 48 Fed. Reg. 15,556 (Apr. 11, 1983) (relationship to Debt Collection Act).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance_privacy_act.pdf Guidance on the Privacy Act Implications of “Call Detail” Programs to Manage Employees’ Use of the Government’s Telecommunications Systems], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance_privacy_act.pdf 52 Fed. Reg. 12,990-93] (Apr. 20, 1987) (“call detail” programs).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf 54 Fed. Reg. 25,818] (June 19, 1989) (computer matching).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/computer_amendments1991.pdf The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974], [https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/computer_amendments1991.pdf 56 Fed. Reg. 18,599] (proposed Apr. 23, 1991) (computer matching);
 +
*[https://www.govinfo.gov/content/pkg/FR-1996-02-20/pdf/96-3645.pdf Management of Federal Information Resources], 61 Fed. Reg. 6428 (1996) (“Federal Agency Responsibilities for Maintaining Records About Individuals”).
  
Section 208 of the [[E-Government Act of 2002]] ([https://www.govinfo.gov/content/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf Pub. L. No. 107-347], [http://uscode.house.gov/view.xhtml?path=/prelim@title44/chapter36&edition=prelim 44 U.S.C. ch. 36]) requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections; make them publicly available; post privacy policies on agency websites used by the public; translate privacy policies into a standardized machine-readable format; and report annually to OMB on compliance with the E-Government Act.
+
Thus, when researching in this area, it may be important to check subsequent supplements.
  
In 2002 GAO conducted an extensive review of agency Privacy Act practices, and reported on its findings in June 2003. GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).  
+
In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. [https://www.govinfo.gov/content/pkg/WCPD-1998-05-18/pdf/WCPD-1998-05-18-Pg870.pdf Memorandum on Privacy and Personal Information in Federal Records] (May 14, 1998). Specifically, the President directed each agency to designate a senior official with responsibility for privacy policy to apply the Principles for Providing and Using Personal Information that were developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995 and to conduct a series of reviews of agency record systems in order to ensure compliance with Privacy Act requirements. The Privacy Act related reviews, conducted in accordance with instructions issued by OMB, reported results to OMB. The memorandum also provided that OMB issue further guidance on the making of “routine use” disclosures under the Privacy Act.
  
While most questions concerning the Privacy Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB Guidelines, may be directed to the [https://www.whitehouse.gov/omb/information-regulatory-affairs/ Office of Information and Regulatory Affairs], OMB.
+
Section 208 (44 U.S.C. [http://uscode.house.gov/view.xhtml?req=(title:44%20section:3501%20edition:prelim)%20OR%20(granuleid:USC-prelim-title44-section3501)&f=treesort&edition=prelim&num=0&jumpTo=true § 3501 note]) of the [[E-Government Act of 2002]] requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections, make them publicly available, post privacy policies on agency websites used by the public, translate privacy policies into a standardized machine-readable format, and report annually to OMB on compliance with the E-Government Act.
 +
 
 +
In 2002, GAO conducted an extensive review of agency Privacy Act practices, and reported on its findings in June 2003. GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).
 +
 
 +
While most questions concerning the Privacy Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB Guidelines, may be directed to the [https://www.whitehouse.gov/omb/information-regulatory-affairs/ Office of Information and Regulatory Affairs].
  
 
==Legislative History==
 
==Legislative History==
The Privacy Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, as well as data collection and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.
+
The Privacy Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, data collection, and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.
  
The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled ''Analysis of House and Senate Compromise Amendments to the Federal Privacy Act'' (''see'' 120 Cong. Rec. 40,445, (Dec. 17, 1974); ''see also'' [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S.3418 (Pub. L. No. 93-579): Source Book on Privacy (1976)] at 858).
+
The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled ''Analysis of House and Senate Compromise Amendments to the Federal Privacy Act''; ''see also'' [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S.3418 (Pub. L. No. 93-579): Source Book on Privacy] (1976)).
  
 
The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Privacy Act provided for two important means of further development and oversight:
 
The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Privacy Act provided for two important means of further development and oversight:
*It instructed OMB to develop guidelines for the implementation of the Privacy Act throughout the executive branch; and
+
 
*The Privacy Protection Study Commission was created by the Privacy Act to study the issues raised by the Privacy Act and to recommend further legislation, and it subsequently completed its thorough and informative report, [https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf Personal Privacy in an Information Society].
+
*it instructed OMB to develop guidelines for the implementation of the Privacy Act throughout the executive branch; and
 +
*the Privacy Protection Study Commission was created by the Privacy Act to study the issues raised by the Privacy Act and to recommend further legislation, and it subsequently completed its thorough and informative report, [https://www.ncjrs.gov/pdffiles1/Digitization/49602NCJRS.pdf Personal Privacy in an Information Society].
  
 
The bill was signed by President Ford on December 31, 1974 and became effective September 1975.
 
The bill was signed by President Ford on December 31, 1974 and became effective September 1975.
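Review bot: In the revised Social Security Numbers paragraph, the Deficit Reduction Act of 1984 link is labelled "Pub. L. No. 98-369" but its URL points to statutes/pl/109/171.pdf, so the label and the target disagree and one of them should be corrected before this is saved. The revision also introduces three unbalanced closing parentheses: "54 Fed. Reg. 25,818 (June 19, 1989))." in Computer Matching, "(July 28, 2016))." in the Appendix I bullet, and "(1976))." at the end of the Legislative History citation. In that same Legislative History sentence, the "120 Cong. Rec. 40,445" cite was dropped, which leaves "; ''see also''" with nothing for it to follow and the staff memorandum with no citation of its own. Either restore the Congressional Record cite or reword to a plain "see". Smaller points in the new Oversight list: "Dec. 4,1975" needs a space after the comma, "Debt Collection of 1982" looks like it is missing "Act", and the 1991 proposed-guidance bullet ends with a semicolon while the other bullets end with a period.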
Line 121: Line 137:
 
==Bibliography==
 
==Bibliography==
 
===Legislative History and Congressional Documents===
 
===Legislative History and Congressional Documents===
*''Analysis of House and Senate Compromise Amendments to the Federal Privacy Act'', 120 Cong. Rec. 12,243 (daily ed. Dec. 18, 1974); ''id''. at 21,815 (daily ed. Dec. 17, 1974).
+
 
 
*Joint Comm. on Government Operations, [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy], 94th Cong. (1976).
 
*Joint Comm. on Government Operations, [http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy], 94th Cong. (1976).
*''H.R. Rep. No. 100-802'' (1988).
+
*H.R. Rep. No. 100-802 (1988).
*''S. Rep. No. 100-516'' (1988).
+
*S. Rep. No. 100-516 (1988).
*Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, ''H.R. Rep. No. 98-455'', Hearings Before a Subcomm. of the H. Comm. on Gov’t Operations, 98th Cong., 1st Sess. (1983).
+
*''Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress,'' ''H.R. Rep. No. 98-455'', Hearings Before Subcomm. of the H. Comm. on Gov’t Operations, 98th Cong. (1983).
*America’s Healthy Future Act of 2009: Report to Accompany S. 1796, Comm. on Finance, [https://www.congress.gov/111/crpt/srpt89/CRPT-111srpt89.pdf S. Rep. No. 111-89] (2009).
+
*America’s Healthy Future Act of 2009, [https://www.congress.gov/111/crpt/srpt89/CRPT-111srpt89.pdf S. Rep. No. 111-89] (2009).
*The Restoring American Financial Stability Act of 2010: Report together with Minority Views to Accompany S. 3217, [https://www.congress.gov/111/crpt/srpt176/CRPT-111srpt176.pdf S. Rep. No. 111-176] (2010).
+
*The Restoring American Financial Stability Act of 2010, [https://www.congress.gov/111/crpt/srpt176/CRPT-111srpt176.pdf S. Rep. No. 111-176] (2010).
*[https://www.govinfo.gov/content/pkg/CREC-2010-05-17/pdf/CREC-2010-05-17-pt1-PgS3800.pdf Comments of Senator Enzi on Financial Regulatory Reform], May 17, 2010, S3800-3801.
+
*A Citizen’s Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, [https://www.govinfo.gov/content/pkg/CRPT-112hrpt689/pdf/CRPT-112hrpt689.pdf H.R. Rep. 112-689] (2012).
*[https://www.congress.gov/crec/2010/04/30/CREC-2010-04-30-pt1-PgS2988-2.pdf Comments of Senator Dodd on the Restoring American Financial Stability Act of 2010], April 30, 2010, S3003.
 
*[https://www.congress.gov/crec/2010/05/20/CREC-2010-05-20-pt1-PgS4034-2.pdf Comments of Senator Enzi on the Restoring American Financial Stability Act of 2010], May 20, 2010, S4059-4062.
 
*A Citizen's Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records, [https://www.govinfo.gov/content/pkg/CRPT-112hrpt689/pdf/CRPT-112hrpt689.pdf H.R. Rep. 112-689] (2012).
 
  
 
===Executive Orders and White House Documents===
 
===Executive Orders and White House Documents===
Line 142: Line 155:
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf Circular A-130] (2016).
 
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A130/a130revised.pdf Circular A-130] (2016).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf Circular A-108] (2016).
 
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation1974.pdf Implementation of the Privacy Act of 1974, Supplementary Guidance], 40 Fed. Reg. 56,741 (Dec. 4, 1975).
 
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation1974.pdf Implementation of the Privacy Act of 1974, Supplementary Guidance], 40 Fed. Reg. 56,741 (Dec. 4, 1975).
*Revised Supplemental Guidance for Conducting Matching Programs, 47 Fed. Reg. 21,656 (May 19, 1982).
+
*''Revised Supplemental Guidance for Conducting Matching Programs'', 47 Fed. Reg. 21,656 (May 19, 1982).
*Debt Collection Act Guidelines, 48 Fed. Reg. 15,556 (Apr. 11, 1983).
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance1983.pdf Debt Collection Act Guidelines], 48 Fed. Reg. 15,556 (Apr. 11, 1983).
*Privacy Act Guidelines, 40 Fed. Reg. 28,948 (July 9, 1975); supplemented at:
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation_guidelines.pdf Privacy Act Implementation Guidelines and Responsibilities], 40 Fed. Reg. 28,948 (July 9, 1975); supplemented at:
**40 Fed. Reg. 56,741 (1975).  
+
**[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/implementation1974.pdf 40 Fed. Reg. 56,741] (1975).
**49 Fed. Reg. 12,338 (1984).  
+
**49 Fed. Reg. 12,338 (1984).
**54 Fed. Reg. 25,818 (1989).
+
**[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf 54 Fed. Reg. 25,818] (1989).
*Management of Federal Information Resources, Circular A130, 50 Fed. Reg. 52,730 (Dec. 24, 1985).
+
*''Management of Federal Information Resources'', Circular A130, 50 Fed. Reg. 52,730 (Dec. 24, 1985).
*Final Guidance on Privacy Act Implications of “Call Detail” Programs, 52 Fed. Reg. 12,290 (Apr. 20, 1987).
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/guidance_privacy_act.pdf Final Guidance on Privacy Act Implications of “Call Detail” Programs], 52 Fed. Reg. 12,290 (Apr. 20, 1987).
*Final Guidance Interpreting the Provisions of Pub. L. No. 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25,818 (June 19, 1989).
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/inforeg/inforeg/final_guidance_pl100-503.pdf Final Guidance Interpreting the Provisions of Pub. L. No. 100-503, the Computer Matching and Privacy Protection Act of 1988], 54 Fed. Reg. 25,818 (June 19, 1989).
*Proposed Revision of OMB Circular A130, 57 Fed. Reg. 18,296 (Apr. 29, 1992).
+
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/assets/OMB/inforeg/computer_amendments1991.pdf The Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974], 56 Fed. Reg. 18,599 (Apr. 23, 1991).
 +
*''Proposed Revision of OMB Circular A130'', 57 Fed. Reg. 18,296 (Apr. 29, 1992).
 +
*[https://www.govinfo.gov/content/pkg/FR-1996-02-20/pdf/96-3645.pdf Management of Federal Information Resources], 61 Fed. Reg. 6428 (Feb. 20, 1996).
 
*M-0105, [https://www.whitehouse.gov/wp-content/uploads/2017/11/2001-M-01-05-Guidance-on-Inter-Agency-Sharing-of-Personal-Data-Protecting-Personal-Privacy.pdf Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy] (2000).
 
*M-0105, [https://www.whitehouse.gov/wp-content/uploads/2017/11/2001-M-01-05-Guidance-on-Inter-Agency-Sharing-of-Personal-Data-Protecting-Personal-Privacy.pdf Guidance on Inter-Agency Sharing of Personal Data—Protecting Personal Privacy] (2000).
 
*M-0322, [https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002] (2003).
 
*M-0322, [https://www.whitehouse.gov/wp-content/uploads/2017/11/203-M-03-22-OMB-Guidance-for-Implementing-the-Privacy-Provisions-of-the-E-Government-Act-of-2002-1.pdf Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002] (2003).
 +
*[https://www.govinfo.gov/content/pkg/FR-2016-07-28/pdf/2016-17874.pdf#page=1 Revision of OMB Circular No. A-130 “Managing Information as a Strategic Resource”], 81 Fed. Reg. 49,689 (July 28, 2016).
 
*[https://www.whitehouse.gov/omb/management/egov/#R Archived Reports on E-Government Act Implementation from 2003-2015]
 
*[https://www.whitehouse.gov/omb/management/egov/#R Archived Reports on E-Government Act Implementation from 2003-2015]
 
*[https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/egov_implementation_report_6_17_16.pdf 2015 Annual Report to Congress: E-Government Act Implementation]
 
*[https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/egov_docs/egov_implementation_report_6_17_16.pdf 2015 Annual Report to Congress: E-Government Act Implementation]
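Review bot: the circular number is written two ways in this hunk. The two entries that were only italicized ("Management of Federal Information Resources, Circular A130" and "Proposed Revision of OMB Circular A130") still read "A130", while the unchanged "Circular A-130" (2016) entry, the added 81 Fed. Reg. 49,689 entry and the added "Circular A-108" entry are hyphenated. Suggest "A-130" in both, since the lines are being touched anyway. Separately, 54 Fed. Reg. 25,818 now links to the same PDF from both the "supplemented at" sub-list and the Final Guidance entry; that is harmless, but confirm the duplication is intended.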
Line 166: Line 183:
 
*Gen. Accounting Office, GAO/GGD-91-48, [https://www.gao.gov/assets/220/213974.pdf Peer Review: Compliance with the Privacy Act and the Federal Advisory Committee Act] (1991).
 
*Gen. Accounting Office, GAO/GGD-91-48, [https://www.gao.gov/assets/220/213974.pdf Peer Review: Compliance with the Privacy Act and the Federal Advisory Committee Act] (1991).
 
*Gen. Accounting Office, GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).
 
*Gen. Accounting Office, GAO-03-304, [https://www.gao.gov/assets/240/238818.pdf Privacy Act: OMB Leadership Needed to Improve Agency Compliance] (2003).
*[https://oversight.house.gov/wp-content/uploads/2012/09/Citizens-Guide-on-Using-FOIA.2012.pdf A Citizen’s Guide on Using the Freedom of Information Act and The Privacy Act of 1974 to Request Government Records], Report by the Comm. on Oversight and Gov't Reform, 112th Cong. (2012).
+
*[https://oversight.house.gov/wp-content/uploads/2012/09/Citizens-Guide-on-Using-FOIA.2012.pdf A Citizen’s Guide on Using the Freedom of Information Act and The Privacy Act of 1974 to Request Government Records], Report by the Comm. on Oversight and Gov’t Reform, 112th Cong. (2012).
*Dep’t of Justice, [https://www.justice.gov/opcl/file/793026/download Overview of the Privacy Act of 1974] (2015).  
+
*Dep’t of Justice, [https://www.justice.gov/opcl/file/793026/download Overview of the Privacy Act of 1974] (2015).
 
</div>
 
</div>
  
Line 173: Line 190:
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
 
*Lillian R. Bevier, [https://core.ac.uk/download/pdf/73966670.pdf Information about Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection], 4 Wm. & Mary Bill Rights J. 455 (1991).
 
*Lillian R. Bevier, [https://core.ac.uk/download/pdf/73966670.pdf Information about Individuals in the Hands of Government: Some Reflections on Mechanisms for Privacy Protection], 4 Wm. & Mary Bill Rights J. 455 (1991).
*Jonathan C. Bond, Note, [http://www.gwlr.org/wp-content/uploads/2012/08/76-5-Bond.pdf Defining Disclosure in a Digital Age: Updating the Privacy Act for the Twenty-First Century], 76 Geo. Wash. L. Rev. 1232 (2007-2008).
+
*Jonathan C. Bond, Note, [http://www.gwlr.org/wp-content/uploads/2012/08/76-5-Bond.pdf Defining Disclosure in a Digital Age: Updating the Privacy Act for the Twenty-First Century], 76 Geo. Wash. L. Rev. 1232 (2008).
 
*William S. Challis & Ann Cavoukian, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1148&context=jitpl The Case for a U.S. Privacy Commissioner: A Canadian Commissioner’s Perspective], 19 J. Marshall J. Computer & Info. L. 1 (2000).
 
*William S. Challis & Ann Cavoukian, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1148&context=jitpl The Case for a U.S. Privacy Commissioner: A Canadian Commissioner’s Perspective], 19 J. Marshall J. Computer & Info. L. 1 (2000).
 
*Todd Robert Coles, Comment, [https://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1848&context=aulr Does the Privacy Act of 1974 Protect Your Right to Privacy?: An Examination of the Routine Use Exemption], 40 Am. U. L. Rev. 957 (1991).
 
*Todd Robert Coles, Comment, [https://digitalcommons.wcl.american.edu/cgi/viewcontent.cgi?referer=https://www.google.com/&httpsredir=1&article=1848&context=aulr Does the Privacy Act of 1974 Protect Your Right to Privacy?: An Examination of the Routine Use Exemption], 40 Am. U. L. Rev. 957 (1991).
 
*John M. Eden, [https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1140&context=dltr When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID], 2005 Duke L. & Tech. Rev. 20 (2005).
 
*John M. Eden, [https://scholarship.law.duke.edu/cgi/viewcontent.cgi?article=1140&context=dltr When Big Brother Privatizes: Commercial Surveillance, the Privacy Act of 1974, and the Future of RFID], 2005 Duke L. & Tech. Rev. 20 (2005).
 
*Haeji Hong, [https://www.uakron.edu/dotAsset/727663.pdf Dismantling the Private Enforcement of the Privacy Act of 1974: Doe v. Chao], 38 Akron L. Rev. 71 (2005).
 
*Haeji Hong, [https://www.uakron.edu/dotAsset/727663.pdf Dismantling the Private Enforcement of the Privacy Act of 1974: Doe v. Chao], 38 Akron L. Rev. 71 (2005).
*Joseph V. Kaplan & John Mahoney, ''Reckless Disregard: Intentional and Willful Violations of the Privacy Act’s Investigatory Requirements'', 44 Fed. Law. No. 4 at 38 (1997).
+
*Joseph V. Kaplan & John Mahoney, ''Reckless Disregard: Intentional and Willful Violations of the Privacy Act’s Investigatory Requirements'', 44 Fed. Law. No. 4, at 38 (1997).
 
*Alex Kardon, [http://www.harvard-jlpp.com/wp-content/uploads/2013/10/KardonFinal.pdf Damages under the Privacy Act: Sovereign Immunity and a Call for Legislative Reform], 34 Harv. J. L. & Pub. Pol’y 705 (2011).
 
*Alex Kardon, [http://www.harvard-jlpp.com/wp-content/uploads/2013/10/KardonFinal.pdf Damages under the Privacy Act: Sovereign Immunity and a Call for Legislative Reform], 34 Harv. J. L. & Pub. Pol’y 705 (2011).
 
*Flavio Komuves, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1243&context=jitpl We’ve Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers], 16 J. Marshall J. Computer & Info. L. 529 (1998).
 
*Flavio Komuves, [https://repository.jmls.edu/cgi/viewcontent.cgi?article=1243&context=jitpl We’ve Got Your Number: An Overview of Legislation and Decisions to Control the Use of Social Security Numbers as Personal Identifiers], 16 J. Marshall J. Computer & Info. L. 529 (1998).
Line 197: Line 214:
 
*''Albright v. United States'', 631 F.2d 915 (D.C. Cir. 1980).
 
*''Albright v. United States'', 631 F.2d 915 (D.C. Cir. 1980).
 
*''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980).
 
*''Lovell v. Alderete'', 630 F.2d 428 (5th Cir. 1980).
*''Exner v. Fed. Bureau of Investigation'', 612 F.2d 1202 (9th Cir. 1980).
+
*''Exner v. FBI'', 612 F.2d 1202 (9th Cir. 1980).
 
*''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981).
 
*''United States v. Miller'', 643 F.2d 713 (10th Cir. 1981).
 
*''Fitzpatrick v. United States'', 665 F.2d 327 (11th Cir. 1982).
 
*''Fitzpatrick v. United States'', 665 F.2d 327 (11th Cir. 1982).
*''Clarkson v. Internal Revenue Serv.'', 678 F.2d 1368 (11th Cir. 1982).
+
*''Clarkson v. IRS'', 678 F.2d 1368 (11th Cir. 1982).
 
*''Johnson v. U.S. Dep’t of the Treasury'', 700 F.2d 971 (5th Cir. 1983).
 
*''Johnson v. U.S. Dep’t of the Treasury'', 700 F.2d 971 (5th Cir. 1983).
*''Thomas v. U.S. Dep't of Energy'', 719 F.2d 342 (10th Cir. 1983).
+
*''Thomas v. U.S. Dep’t of Energy'', 719 F.2d 342 (10th Cir. 1983).
*''Molerio v. Fed. Bureau of Investigation'', 749 F.2d 815 (D.C. Cir. 1984).
+
*''Molerio v. FBI'', 749 F.2d 815 (D.C. Cir. 1984).
*''Elm v. Nat'l R.R. Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984).
+
*''Elm v. Nat’l R.R. Passenger Corp.'', 732 F.2d 1250 (5th Cir. 1984).
 
*''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
 
*''Doe v. Naval Air Station'', 768 F.2d 1229 (11th Cir. 1985).
*''Vymetalik v. Fed. Bureau of Investigation'', 785 F.2d 1090 (D.C. Cir. 1986).
+
*''Vymetalik v. FBI'', 785 F.2d 1090 (D.C. Cir. 1986).
 
*''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987).
 
*''Doe v. United States'', 821 F.2d 694 (D.C. Cir. 1987).
 
*''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988).
 
*''Doe v. Stephens'', 851 F.2d 1457 (D.C. Cir. 1988).
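Review bot: the Amtrak case still reads "Elm v. Nat’l R.R. Passenger Corp." after this edit, which changes only the apostrophe, while the Scope section of the same page cites it as "Ehm v. National R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984)". The reporter citation is identical, so one of the two spellings is wrong; check it against the reporter and make the bibliography and the body agree.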
Line 213: Line 230:
 
*''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989).
 
*''Covert v. Harrington'', 876 F.2d 751 (9th Cir. 1989).
 
*''Quinn v. Stone'', 978 F.2d 126, 133 (3rd Cir. 1992).
 
*''Quinn v. Stone'', 978 F.2d 126, 133 (3rd Cir. 1992).
*''Kassel v.'' U.S. ''Dep't of Veterans Affairs'', No. 87-217-S (D.N.H. Mar. 30, 1992).
+
*''Kassel v.'' U.S. ''Dep’t of Veterans Affairs'', No. 87-217-S (D.N.H. Mar. 30, 1992).
 
*''United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997).
 
*''United States v. Trabert'', 978 F. Supp. 1368 (D. Colo. 1997).
 
*''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976).
 
*''United States v. Gonzalez'', No. 76-132 (M.D. La. Dec. 21, 1976).
 
*''In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439 (D.C. Cir. 1996).
 
*''In re Mullins (Tamposi Fee Application)'', 84 F.3d 1439 (D.C. Cir. 1996).
*''Alexander v. Fed. Bureau of Investigation'', 971 F. Supp. 603 (D.D.C. 1997).
+
*''Alexander v. FBI'', 971 F. Supp. 603 (D.D.C. 1997).
 
*''Shannon v. General Elec. Co.'', 812 F. Supp. 308 (N.D.N.Y. 1993).
 
*''Shannon v. General Elec. Co.'', 812 F. Supp. 308 (N.D.N.Y. 1993).
*''Henke v. DOC'', 83 F.3d 1453 (D.C. Cir. 1996).
+
*''Henke v. U.S. Dep’t of Commerce'', 83 F.3d 1453 (D.C. Cir. 1996).
 
*[http://www.vawd.uscourts.gov/OPINIONS/WILSON/600CV0005(3).PDF Falwell v. Exec. Office of the President], 113 F. Supp. 2d 967 (W.D. Va. 2000).
 
*[http://www.vawd.uscourts.gov/OPINIONS/WILSON/600CV0005(3).PDF Falwell v. Exec. Office of the President], 113 F. Supp. 2d 967 (W.D. Va. 2000).
*''Dale v. Executive Office of the President'', 164 F. Supp. 2d 22 (D.D.C. 2001).
+
*''Dale v. Exec. Office of the President'', 164 F. Supp. 2d 22 (D.D.C. 2001).
 
*''Trulock v. DOJ'', No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
 
*''Trulock v. DOJ'', No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
 
*''Tripp v. Exec. Office of the President'', 200 F.R.D. 140 (D.D.C. 2001).
 
*''Tripp v. Exec. Office of the President'', 200 F.R.D. 140 (D.D.C. 2001).
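Review bot: the Kassel entry is edited for the apostrophe but keeps the broken italics, "''Kassel v.'' U.S. ''Dep’t of Veterans Affairs''", which renders "U.S." in roman in the middle of the case name; wrap the whole name in one pair of italic markers. The party-name cleanup is also uneven within this hunk: "Henke v. DOC" is expanded to "Henke v. U.S. Dep’t of Commerce" while "Trulock v. DOJ" is left abbreviated.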
Line 230: Line 247:
 
*''Schwarz v. U.S. Dep’t of the Treasury'', 131 F. Supp. 2d 142 (D.D.C. 2000).
 
*''Schwarz v. U.S. Dep’t of the Treasury'', 131 F. Supp. 2d 142 (D.D.C. 2000).
 
*''Cobell v. Norton'', 157 F. Supp. 2d 82 (D.D.C. 2001).
 
*''Cobell v. Norton'', 157 F. Supp. 2d 82 (D.D.C. 2001).
*''Cummings v. U.S. Dep't of the Navy'', 279 F.3d 1051 (D.C. Cir. 2002).
+
*''Cummings v. U.S. Dep’t of the Navy'', 279 F.3d 1051 (D.C. Cir. 2002).
 
*''McCready v. Principi'', 297 F. Supp. 2d 178 (D.D.C. 2003).
 
*''McCready v. Principi'', 297 F. Supp. 2d 178 (D.D.C. 2003).
 
*''Chang v. U.S. Dep’t of the Navy'', 314 F. Supp.2d 35 (D.D.C. 2004).
 
*''Chang v. U.S. Dep’t of the Navy'', 314 F. Supp.2d 35 (D.D.C. 2004).
Line 240: Line 257:
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2006/03/13/0335877.pdf Oja v. U.S. Army Corps of Engineers], 440 F.3d 1122 (9th Cir. 2006).
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2006/03/13/0335877.pdf Oja v. U.S. Army Corps of Engineers], 440 F.3d 1122 (9th Cir. 2006).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/013337AFDE8A8304852574400044F8CC/$file/04-5425a.pdf McCready v. Nicholson], 465 F.3d 1 (D.C. Cir. 2006).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/013337AFDE8A8304852574400044F8CC/$file/04-5425a.pdf McCready v. Nicholson], 465 F.3d 1 (D.C. Cir. 2006).
*[http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2006/D01-30/C:04-3888:J:_:aut:T:op:N:0:S:0 Bassiouni v. Fed. Bureau of Investigation], 436 F.3d 712 (7th Cir. 2006).
+
*[http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2006/D01-30/C:04-3888:J:_:aut:T:op:N:0:S:0 Bassiouni v. FBI], 436 F.3d 712 (7th Cir. 2006).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/E94B1B7BAE4935098525744000455619/$file/06-5085b.pdf Sussman v. U.S. Marshals Serv.], 494 F.3d 1106 (D.C. Cir 2007).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/E94B1B7BAE4935098525744000455619/$file/06-5085b.pdf Sussman v. U.S. Marshals Serv.], 494 F.3d 1106 (D.C. Cir 2007).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/9F94563D7D135A85852578000052F342/$file/07-5257-1132633.pdf Wilson v. Libby], 535 F.3d 697 (D.C. Cir. 2008).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/9F94563D7D135A85852578000052F342/$file/07-5257-1132633.pdf Wilson v. Libby], 535 F.3d 697 (D.C. Cir. 2008).
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2008/05/02/0615191.pdf Lane v. U.S. Dep’t of the Interior], 523 F.3d 1128 (9th Cir. 2008).
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2008/05/02/0615191.pdf Lane v. U.S. Dep’t of the Interior], 523 F.3d 1128 (9th Cir. 2008).
*[http://media.ca8.uscourts.gov/opndir/08/03/071576P.pdf Doe v. VA], 519 F.3d 456 (8th Cir. 2008).
+
*[http://media.ca8.uscourts.gov/opndir/08/03/071576P.pdf Doe v. U.S. Dep’t of Veterans Affairs], 519 F.3d 456 (8th Cir. 2008).
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2009/05/21/06-15967.pdf Rouse v. U.S. Dep’t of State], 567 F.3d 408 (9th Cir. 2009).
 
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2009/05/21/06-15967.pdf Rouse v. U.S. Dep’t of State], 567 F.3d 408 (9th Cir. 2009).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/EAC6966EA3FE7C2885257807005C6E66/$file/07-5352-1285040.pdf Maydak v United States], 630 F.3d 166 (D.C. Cir. 2010).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/EAC6966EA3FE7C2885257807005C6E66/$file/07-5352-1285040.pdf Maydak v United States], 630 F.3d 166 (D.C. Cir. 2010).
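Review bot: two unchanged entries in this hunk still carry citation typos that this cleanup pass could pick up: "Maydak v United States" is missing the period after "v", and the Sussman entry reads "(D.C. Cir 2007)" without the period after "Cir".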
Line 251: Line 268:
 
*[http://www.opn.ca6.uscourts.gov/opinions.pdf/11a0098p-06.pdf Shearson v. DHS], 638 F.3d 498 (6th Cir. 2011).
 
*[http://www.opn.ca6.uscourts.gov/opinions.pdf/11a0098p-06.pdf Shearson v. DHS], 638 F.3d 498 (6th Cir. 2011).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/0BB43C9F640B98C685257EFC00544828/$file/13-5286-1583392.pdf Mobley v. CIA], 806 F.3d 568 (D.C. Cir. 2015).
 
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/0BB43C9F640B98C685257EFC00544828/$file/13-5286-1583392.pdf Mobley v. CIA], 806 F.3d 568 (D.C. Cir. 2015).
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/57E67EBF550EDDAB8525822C005378F2/$file/16-5045-1716627.pdf Liff v. Office of Inspector Gen. for the U.S. Dep’t of Labor], 881 F.3d 912 (D.C. Cir. 2018)
+
*[https://www.cadc.uscourts.gov/internet/opinions.nsf/57E67EBF550EDDAB8525822C005378F2/$file/16-5045-1716627.pdf Liff v. Office of Inspector Gen. for the U.S. Dep’t of Labor], 881 F.3d 912 (D.C. Cir. 2018).
 +
*[https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A108/omb_circular_a-108.pdf Fazaga v. FBI], 916 F.3d 1201 (9th Cir. 2019).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2019/10/22/17-17349.pdf Rojas v. FAA], 941 F.3d 392 (9th Cir. 2019).
 +
*[http://cdn.ca9.uscourts.gov/datastore/opinions/2019/09/11/18-15416.pdf Garris v. FBI], 937 F.3d 1284 (9th Cir. 2019).
 
</div>
 
</div>
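Review bot: the added "Fazaga v. FBI" entry links to the wrong document. Its URL is .../omb/circulars/A108/omb_circular_a-108.pdf, the same OMB Circular A-108 PDF added under Executive Orders and White House Documents in this revision, not a court opinion. The other two added 2019 cases point to cdn.ca9.uscourts.gov opinion PDFs; replace the Fazaga link with the Ninth Circuit opinion, or leave the case name unlinked in italics until the correct URL is confirmed.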
  

Revision as of 16:38, 27 December 2019

5 U.S.C. § 552a (2012), enacted by Pub. L. No. 93-579, § 3, 88 Stat. 1897, Dec. 31, 1974; significantly amended by Pub. L. No. 94-183, § 2(2), 89 Stat. 1057, Dec. 31, 1975; by Pub. L. No. 97-365, § 2, 96 Stat. 1749, Oct. 25, 1982; by Pub. L. No. 97-375, title II, § 201(a), (b), 96 Stat. 1821, Dec. 21, 1982; by Pub. L. No. 97-452, § 2(a)(1), 96 Stat. 2478, Jan. 12, 1983; by Pub. L. No. 98-477, § 2(c), 98 Stat. 2211, Oct. 15, 1984; by Pub. L. No. 98-497, title I, § 107(g), 98 Stat. 2292, Oct. 19, 1984; by Pub. L. No. 100-503, §§ 28, 102 Stat. 2507-2514, Oct. 18, 1988; by Pub. L. No. 101-508, title VII, § 7201(b)(1), 104 Stat. 1388-(3), Nov. 5, 1990; by Pub. L. No. 103-66, title XIII, Ch. 2, subch. A, pt. V, § 13581(c), 107 Stat. 611, Aug. 10, 1993; by Pub. L. No. 104-193, title I, § 110(w), 110 Stat. 2175, Aug. 22, 1996; by Pub. L. No. 104-226, § 1(b)(3), 110 Stat. 3033, Oct. 2, 1996; by Pub. L. No. 104-316, title I, § 115(g)(2)(b), 110 Stat. 3835, Oct. 19, 1996; by Pub. L. No. 105-34, title IX, subtitle C, § 1026(b)(2), 111 Stat. 925, Aug. 5, 1997; by Pub. L. No. 105-362, title XIII, § 1301(d), 112 Stat. 3292, Nov. 10, 1998; by Pub. L. No. 108-271, 118 Stat. 814, July 7, 2004; by Pub. L. No. 111-148, Title VI, § 6402(b)(2), 124 Stat. 756, Mar. 23, 2010; by Pub. L. No. 111-203, Title X, § 1082, 124 Stat. 2080, July 21, 2010; by Pub. L. No. 113-295, Div. B, Title I, § 102(c), 128 Stat. 4062, Dec. 19, 2014.

Lead Agency:

Office of Management and Budget

Overview

The Privacy Act of 1974 represents the Congressional response to concerns about government uses of information collected about private individuals. The Privacy Act gives individuals greater control over the gathering, dissemination, and accuracy of information collected about themselves by agencies. (Miller v. United States, 630 F. Supp. 347 (E.D.N.Y. 1986)). The main purpose of the Privacy Act is to forbid disclosure unless it is required by the Freedom of Information Act (FOIA). (Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980)). To protect individual privacy, the Privacy Act constrains executive branch recordkeeping, defines the individual’s right to access certain records, limits agency disclosure of records containing an individual’s private information, establishes safeguards to protect records concerning individuals, and provides remedies for agency violation of the Privacy Act’s provisions.

Scope

The Privacy Act covers records maintained by agencies as defined in FOIA. It applies to Cabinet level departments, independent regulatory agencies, military departments, and government corporations (§ 552a(a)(1)). It does not apply to the legislative branch, national banks (United States v. Miller, 643 F.2d 713 (10th Cir. 1981)), or Amtrak (Ehm v. National R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984), cert. denied, 469 U.S. 982 (1984)). See Alexander v. FBI, 971 F. Supp. 603, 606-07 (D.D.C. 1997) (although recognizing that the definition of “agency” under Privacy Act is same as in FOIA and that courts have interpreted that definition under FOIA to exclude the President’s immediate personal staff and units within Executive Office of the President whose sole function is to advise and assist the President, nevertheless rejecting such limitation with regard to “agency” as used in Privacy Act due to different purposes that the two statutes serve); Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (“no dispute” that GE falls within definition of “agency” subject to requirements of Privacy Act where pursuant to contract it operated Department of Energy-owned lab under supervision, control, and oversight of department and where by terms of contract GE agreed to comply with Privacy Act).

A record is a collection or grouping of information about an individual that, for example, may include educational, financial, or biographical information, together with personal identifiers such as names, photos, numbers, or fingerprints. (§ 552a(a)(4)). The Privacy Act does not apply to all government records and documents that may contain an individual’s name or other private information. For example, a record does not include private notes of a supervisor if such notes are not used by the agency to make decisions (Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989)), but such notes may become subject to the Privacy Act if they become part of an agency’s decision. (Chapman v. NASA, 682 F.2d 526 (5th Cir. 1982), cert. denied, 469 U.S. 1038 (1984)). The Privacy Act also does not apply to information in documents obtained from independent sources of information, even though identical information may be in an agency’s system of records (Thomas v. U.S. Dep’t of Energy, 719 F.2d 342 (10th Cir. 1983)).

The Privacy Act focuses on “systems of records” established, maintained, or controlled by an agency. A “system of records” is a group of any records where individual names or other individual identifiers can be used to retrieve the information (§ 552a(a)(5)). Agencies may maintain records covered by the Privacy Act only when they are relevant and necessary to accomplish the agency’s purpose (§ 552a(e)(1)). The Court of Appeals for the District of Columbia Circuit addressed the “system of records” definition in the context of computerized information in Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453 (D.C. Cir. 1996), and noted that “the OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” Id. at 1460 n.12. The D.C. Circuit looked to Congress’ use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. Id. at 1459-61.

Access to Records

Where the agency is authorized to keep records covered by the Privacy Act, an individual has a right of access to records concerning him or her. This is a central protection of the Privacy Act for individuals. The individual has a right to:

  • copy any or all of the record (§ 552a(d)(1));
  • request amendment of the record (§ 552a(d)(2)) and to file a concise statement of disagreement if the agency refuses to amend the record that will be provided to all persons to whom the record is disclosed (§ 552a(d)(4)); and
  • request an accounting from the agency on the date, nature, and purpose of each disclosure of the record (§ 552a(c)).

The individual has an absolute right to access and need not provide any reason for seeking access (FTC v. Shaffner, 626 F.2d 32 (7th Cir. 1980)).

Agency Requirements

For each system of records an agency maintains, it must:

  • publish in the Federal Register the name and location of the system; the categories of individuals contained in the system; the routine use of the records; agency policies concerning the records including storage, retrieval, access, retention, and disposal; the person, including title and address, responsible for the system; the method used to notify individuals how to gain access to records about themselves; and the sources of records in the system. Any new use of the system must be noticed for comment 30 days prior to implementing the new use. Exempt systems must also be noticed. See, e.g., § 552a(b)(3), (e)(4), and (e)(11).
  • maintain records in the system accurately, completely, and timely to ensure fairness to the individuals (§ 552a(e)(5));
  • establish rules and training for persons designing, developing, operating, or maintaining the system to ensure compliance with the Privacy Act and the agency’s implementing policies (§ 552a(e)(9));
  • establish safeguards for the protection of records (§ 552a(e)(10)); and
  • inform government contractors of their duties under the Privacy Act (§ 552a(m)).

When the agency collects information that “may result in adverse determinations about an individual’s rights, benefits, and privileges under Federal programs,” the Privacy Act requires the information to be collected, to the “greatest extent practicable,” directly from the affected individual (§ 552a(e)(2)). When requesting such information from individuals, the agency must disclose: (1) the authority under which collection is authorized; (2) the principal purposes for which the information is needed; (3) the routine use of the information; and (4) consequences, if any, of not providing the information (§ 552a(e)(3)).

The Privacy Act mandates that information maintained in agency records be as relevant and as necessary as possible to accomplish the agency’s purpose. The agency must also undertake to maintain the information with such accuracy and completeness as is reasonably necessary to assure fairness to the individual. In Doe v. United States, 821 F.2d 694 (D.C. Cir. 1987), the court sitting en banc held that an agency may satisfy this requirement by supplementing the information an individual considers damaging with the individual’s explanation or disagreement with the accuracy of the information. The court found that the agency made a reasonable effort to determine the accuracy of the information and that an adjudication of the disputed facts was not necessary for the agency’s purposes. The court said that in some cases, fairness may require a record to contain both versions of disputed fact.

Agencies are prohibited from maintaining records describing how an individual exercises First Amendment rights, unless such records are authorized by statute or are pertinent to and within the scope of authorized law enforcement activity (§ 552a(e)(7)). Such records are subject to the Privacy Act even if not kept in “a system of records.” Clarkson v. IRS, 678 F.2d 1368 at 1373-77 (11th Cir. 1982), cert. denied, 481 U.S. 1031. Cf. Pototsky v. U.S. Dep’t of Navy, 717 F. Supp. 20 (D. Mass. 1989). Guidelines from the Office of Management and Budget (OMB) call for the broadest reasonable interpretation of the prohibition.

Exemptions from Access

The Privacy Act provides general (§ 552a(j)) and specific (§ 552a(k)) exemptions. These are exemptions allowing an agency to deny access to the record by the individual to whom the record pertains. The two types of exemptions are different in nature and consequences and are discretionary on the agency’s part. For an exemption to be effective, the agency must first determine that a record or system of records meets the criteria for exemption under the Privacy Act and then publish the exemption as a rule under the Administrative Procedure Act’s (APA) notice-and-comment provisions. Failure to set out reasons demonstrating that the exemption meets the requirements of the Privacy Act may leave the records subject to the Privacy Act. Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980). The exemptions do not authorize the agency to use the record in a manner other than the manner originally set out in the Federal Register establishing the system of records. Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).

A general exemption denies access by an affected individual under virtually all the Privacy Act’s provisions and is available for records maintained by the Central Intelligence Agency or by an agency whose principal functions are criminal law enforcement. The general exemption may not be used to exempt records compiled for a noncriminal or administrative purpose even if they are also a part of a system of records maintained by an agency qualified to assert the exemption. Vymetalik v. FBI, 785 F.2d 1090, 1095 (D.C. Cir. 1986).

The specific exemptions (§ 552a(k)(1)-(7)) are available to any agency if the head of the agency promulgates rules pursuant to the notice-and-comment provisions of the APA (5 U.S.C. § 553). The specific exemption is from a particular provision of the Privacy Act. The seven exemptions allowed are:

  • FOIA (b)(1) exemptions (matters to be kept secret in the interest of national defense or foreign policy and properly classified by executive order);
  • investigatory material compiled for law enforcement purposes that does not fall within the general exemption;
  • material maintained to provide protective service to the President or pursuant to 18 U.S.C. § 3056;
  • confidential investigatory records relating to employment or contracts;
  • statistical records required by statute;
  • testing and examination material related to federal employment; and
  • evaluations related to military promotions obtained confidentially.

An individual may sue to challenge a denial of access to records based on the general or specific exemptions, and the court will determine the substantive and procedural propriety of the agency’s assertion of the exemption. Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979).

Restrictions on Disclosure

The Privacy Act prohibits disclosure of any record covered by the Privacy Act without the written request or prior written consent of the person whom the record concerns (§ 552a(b)). The restriction on disclosure applies to any person or agency and includes any means of communication—written, oral, electronic, or mechanical. Responsibilities for the Maintenance of Records About Individuals by Federal Agencies, 40 Fed. Reg. 28,948, 28,953 (July 9, 1975). Information obtained (or released) through sources independent of agency records is not “disclosure” under the Privacy Act.

The general rule of nondisclosure is subject to 12 exceptions (§ 552a(b)(1)-(12)). They are:

  • internal agency use on a need-to-know basis;
  • proper requests under FOIA;
  • routine use;
  • Census Bureau activities;
  • statistical research where the recipient has given written assurance that records are not individually identifiable;
  • National Archives preservation;
  • information to Congress;
  • information to the Comptroller General in performing Government Accountability Office (GAO) duties;
  • showing of compelling circumstances affecting the health or safety of an individual;
  • pursuant to court order (subpoenas issued by clerks of courts are not “orders,” Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798, 800 (N.D. Ga. 1978));
  • to a consumer reporting agency in accordance with 31 U.S.C. § 3711(f); and
  • use by “any governmental jurisdiction . . . for a civil or criminal law enforcement activity” as long as a written request (1) is made by the head of the agency seeking the record, (2) specifies the portion of the record sought, and (3) describes the relevant enforcement activity. See Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).

“Routine use,” considered generally the most important exception, is defined as “the use of such record for a purpose that is compatible with the purpose for which it was collected” (§ 552a(a)(7)). Each routine use is identified in the Federal Register notice upon establishment or revision of each system of records (§ 552a(e)(4)(D)). This exception permits nonconsensual intra- or interagency transfer of what is generally described as “house-keeping” information. Because the language is broad, the potential for abuse is considered great, and the courts have strictly required that the use be clearly and specifically identified in the rule adopted by the agency identifying the system of records. Covert v. Harrington, 876 F.2d 751 (9th Cir. 1989); Doe v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988); Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979). The Supreme Court has found that the Privacy Act’s provisions restricting disclosure, even while allowing disclosure for “routine uses,” are sufficient to protect persons’ constitutional right to informational privacy, if such a right exists. NASA v. Nelson, 562 U.S. 134, 153-55 (2011).

Review, Relief, Remedies

The Privacy Act provides that each agency shall promulgate rules that establish, among other things, procedures of notice, disclosure, and review of requests (§ 552a(f)). In the event that the rules are not followed or that a dispute persists, there are four civil actions: (1) a challenge for failure to provide access; (2) a challenge for refusal to amend; (3) a damages action for improper maintenance of the content of records; and (4) a damages action for other breaches of the Privacy Act or regulations issued thereunder that adversely affect the individual (§ 552a(g)(1)). The latter two actions require proof of damages and are limited to actual damages. A cause of action for monetary damages requires a showing of an agency’s intentional or willful failure to maintain accurate records and that the violation of the Privacy Act caused the actual damages complained of. Molerio v. FBI, 749 F.2d 815, 826 (D.C. Cir. 1984). Because waivers of sovereign immunity are to be strictly construed, the Supreme Court held that “actual damages” do not include nonpecuniary damages. Fed. Aviation Admin. v. Cooper, 566 U.S. 284 (2012). Remedies for failure to grant access or refusal to amend are injunctive.

An individual bringing a claim under § 552a(g)(1) must demonstrate a causal connection between the alleged violation and the harm suffered but may not use the Privacy Act claim as the forum in which to prove the entitlement the individual claims was improperly denied. Gizoni v. Sw. Marine, Inc., 909 F.2d 385 (9th Cir. 1990).

Criminal penalties are established for willful disclosure of records by those who know such disclosure is prohibited, willful maintenance of a system of records without meeting the appropriate notice requirements, and knowing and willful requests for records under false pretenses (§ 552a(i)). Each violation is classified as a misdemeanor, and the violator may be fined not more than $5,000. There have been at least two criminal prosecutions for unlawful disclosure of Privacy Act-protected records. See United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997) (defendant found not guilty; prosecution did not prove “beyond a reasonable doubt that defendant ‘willfully disclosed’ protected material”; evidence presented constituted, “at best, gross negligence,” and thus was “insufficient for purposes of prosecution under § 552a(i)(1)”); United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976) (guilty plea entered). See generally In re Mullins (Tamposi Fee Application), 84 F.3d 1439, 1441 (D.C. Cir. 1996) (per curiam) (case concerning application for reimbursement of attorney fees where independent counsel found no prosecution was warranted under Privacy Act because there was no conclusive evidence of improper disclosure of information). In a case involving the destruction of records, Gerlich v. DOJ, 711 F.3d 161 (D.C. Cir. 2013), the D.C. Circuit allowed a Privacy Act claim to proceed against senior officials at the Department of Justice on the ground that they created records about appellants in the form of annotations to their applications and internet printouts concerning their political affiliations. The court relied in part on a permissive spoliation inference in light of the destruction of appellants’ records, because the senior department officials had a duty to preserve the annotated applications and internet printouts given that department investigation and future litigation were reasonably foreseeable.

The Privacy Act provides a two-year statute of limitations (§ 552a(g)(5)). The time begins to run when a reasonable person should have known of the alleged violation. Rose v. United States, 905 F.2d 1257, 1259 (9th Cir. 1990); Diliberti v. United States, 817 F.2d 1259, 1262 (7th Cir. 1987).

Computer Matching

The Privacy Act was amended in 1988 by the Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503). OMB issued final guidance implementing the amendment’s provisions on June 19, 1989. Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25,818 (June 19, 1989). The amendments added § 552a(o)-(q) to establish procedural safeguards affecting agencies’ use of Privacy Act records when performing computerized matching programs. The amendments require agencies to conclude written agreements specifying terms and safeguards under which matches are to be done. They provide procedures for individuals whose information is contained in the affected records to use to prevent agencies from taking adverse actions unless they have independently verified the results of matching and given the individual advance notice. Oversight is established by requiring Federal Register notice of matching agreements, by requiring reports to OMB and Congress, and by requiring the establishment of internal “data integrity boards” to oversee and coordinate the agency’s implementation of matching programs.

Relationship to the FOIA

Two provisions relate to FOIA (5 U.S.C. § 552). Section 552a(b)(2) exempts agencies from the requirement of obtaining an individual’s consent to release of information subject to disclosure under FOIA. In 1984, Congress added provisions delineating an individual’s access rights to records exempt from disclosure under FOIA or the Privacy Act. An agency must give an individual access to a record if it is accessible under either act irrespective of whether it might be withheld under the other (§ 552a(t)). This gives maximum access to records by an individual whose personal information is contained therein. An accounting of the number of FOIA releases of Privacy Act information is not required (§ 552a(c)(1)). If released under FOIA, the agency is relieved from ensuring the accuracy, completeness, timeliness, and relevance of the record (§ 552a(e)(6)). If the system of records is made necessary by FOIA, the agency may exempt the system from the Privacy Act (§ 552a(k)(1)).

Social Security Numbers

The Privacy Act restricts use of an individual’s Social Security account number (Pub. L. No. 93-579, § 7) (not codified as part of 5 U.S.C. § 552a). This provision applies to state and local governments as well as the federal government and makes it unlawful to deny any right, benefit, or privilege based on an individual’s failure to disclose the Social Security account number, unless the disclosure was required by any federal, state, or local system of records in operation before January 1, 1975, or the disclosure is required by federal law. Since enactment, Congress has required disclosure in the Tax Reform Act of 1976 (Pub. L. No. 94-455), the Deficit Reduction Act of 1984 (Pub. L. No. 98-369), and the Debt Collection Act of 1982 (Pub. L. No. 97-365). In the Tax Reform Act of 1976, Congress declared it to be U.S. policy to use Social Security account numbers “in the administration of any tax, general public assistance, driver’s license, or motor vehicle registration law.” Pub. L. No. 94-455, amending 42 U.S.C. § 405(c)(2).

Oversight

The Privacy Act requires OMB to develop guidelines and regulations for its implementation and to provide continuing assistance and oversight. The OMB guidelines are entitled to the usual deference accorded the interpretations of the agency charged with administration of a statute. Albright v. United States, 631 F.2d 915, 919 n.5 (D.C. Cir. 1980); Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992). However, a few courts have rejected particular aspects of the OMB Guidelines as inconsistent with the statute. See, e.g., Kassel v. U.S. Dep’t of Veterans Affairs, No. 87-217-S, slip op. at 24-25 (D.N.H. Mar. 30, 1992) (subsection (e)(3)); Doe v. Chao, 540 U.S. 614, 627 n.11 (2004) (disagreeing with dissent’s reliance on OMB interpretation of damages provision since the Court does “not find its unelaborated conclusion persuasive”).

The vast majority of OMB’s Privacy Act guidelines are published in Privacy Act Implementation Guidelines and Responsibilities, 40 Fed. Reg. 28,948 (1975). However, these original guidelines have been supplemented in particular subject areas over the years, including:

Thus, when researching in this area, it may be important to check subsequent supplements.

In 1998, President Clinton called upon all federal agencies to take further privacy-protection steps within the next year. Memorandum on Privacy and Personal Information in Federal Records (May 14, 1998). Specifically, the President directed each agency to designate a senior official with responsibility for privacy policy to apply the Principles for Providing and Using Personal Information that were developed through the Information Infrastructure Task Force under the auspices of the Department of Commerce in 1995 and to conduct a series of reviews of agency record systems in order to ensure compliance with Privacy Act requirements. The results of the Privacy Act-related reviews, conducted in accordance with instructions issued by OMB, were reported to OMB. The memorandum also provided that OMB issue further guidance on the making of “routine use” disclosures under the Privacy Act.

Section 208 (44 U.S.C. § 3501 note) of the E-Government Act of 2002 requires that OMB issue guidance to agencies on implementing the privacy provisions of the E-Government Act. Under this guidance, agencies are required to conduct privacy impact assessments for electronic information systems and collections, make them publicly available, post privacy policies on agency websites used by the public, translate privacy policies into a standardized machine-readable format, and report annually to OMB on compliance with the E-Government Act.

In 2002, GAO conducted an extensive review of agency Privacy Act practices, and reported on its findings in June 2003. GAO-03-304, Privacy Act: OMB Leadership Needed to Improve Agency Compliance (2003).

While most questions concerning the Privacy Act should first be directed to agency Privacy Act officers, important policy or litigation questions, or questions concerning the OMB Guidelines, may be directed to the Office of Information and Regulatory Affairs.

Legislative History

The Privacy Act reflects the merger of seemingly disparate bills from the Senate and the House: S. 3418, introduced by Senator Sam Ervin (D-NC), and H.R. 16373, supported by the Administration. The Senate bill would have granted sweeping powers to a Federal Privacy Board for the oversight of collection, maintenance, and dissemination of individually identifiable information by both the public and private sectors, while the House bill focused on access to and correction of records, data collection, and maintenance standards. The Senate approved its bill on November 21, 1974, after consideration and, on the same day, the House bill was passed by a 353 to 1 vote, after two days of floor debate.

The bills were not reconciled by the usual conference committee because of the limited time available between the end of Thanksgiving recess and the end of the session. Instead, the respective staffs of the committees studied the differing bills, reported to the committees and, after informal meetings, reached an agreement. The description of the amendments that made the two bills identical (thus avoiding a conference committee) was inserted into the record of both sides, and both houses passed identical bills. Thus, many of the most important provisions of the bill are not explained by committee reports. The only record of the final negotiations leading to the bill actually adopted is a staff memorandum entitled Analysis of House and Senate Compromise Amendments to the Federal Privacy Act; see also Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy (1976).

The final product included most of the fair information practices defined in the Senate version and the access and correction provisions of the House bill. None of the Senate provisions relating to a Federal Privacy Board was included. However, the Privacy Act provided for two important means of further development and oversight:

  • it instructed OMB to develop guidelines for the implementation of the Privacy Act throughout the executive branch; and
  • the Privacy Protection Study Commission was created by the Privacy Act to study the issues raised by the Privacy Act and to recommend further legislation, and it subsequently completed its thorough and informative report, Personal Privacy in an Information Society.

The bill was signed by President Ford on December 31, 1974 and became effective September 1975.

Source Note

The legislative history of the original Act is exhaustively collected in Legislative History of the Privacy Act of 1974, S. 3418 (Pub. L. No. 93-579): Source Book on Privacy (1976).

The Department of Justice’s Overview of the Privacy Act of 1974 is updated periodically and discusses the extensive case law under the Privacy Act.

Bibliography

Legislative History and Congressional Documents

Executive Orders and White House Documents

OMB/OIRA Documents

Other Government Documents

Selected Books and Articles

Selected Cases Not Included in the Text

  • Stiles v. Atlanta Gas Light Co., 453 F. Supp. 798 (N.D. Ga. 1978).
  • Zeller v. United States, 467 F. Supp. 487 (E.D.N.Y. 1979).
  • Albright v. United States, 631 F.2d 915 (D.C. Cir. 1980).
  • Lovell v. Alderete, 630 F.2d 428 (5th Cir. 1980).
  • Exner v. FBI, 612 F.2d 1202 (9th Cir. 1980).
  • United States v. Miller, 643 F.2d 713 (10th Cir. 1981).
  • Fitzpatrick v. United States, 665 F.2d 327 (11th Cir. 1982).
  • Clarkson v. IRS, 678 F.2d 1368 (11th Cir. 1982).
  • Johnson v. U.S. Dep’t of the Treasury, 700 F.2d 971 (5th Cir. 1983).
  • Thomas v. U.S. Dep’t of Energy, 719 F.2d 342 (10th Cir. 1983).
  • Molerio v. FBI, 749 F.2d 815 (D.C. Cir. 1984).
  • Elm v. Nat’l R.R. Passenger Corp., 732 F.2d 1250 (5th Cir. 1984).
  • Doe v. Naval Air Station, 768 F.2d 1229 (11th Cir. 1985).
  • Vymetalik v. FBI, 785 F.2d 1090 (D.C. Cir. 1986).
  • Doe v. United States, 821 F.2d 694 (D.C. Cir. 1987).
  • Doe v. Stephens, 851 F.2d 1457 (D.C. Cir. 1988).
  • Johnston v. Horne, 875 F.2d 1415 (9th Cir. 1989).
  • Pototsky v. U.S. Dep’t of the Navy, 717 F. Supp. 20 (D. Mass. 1989).
  • Covert v. Harrington, 876 F.2d 751 (9th Cir. 1989).
  • Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992).
  • Kassel v. U.S. Dep’t of Veterans Affairs, No. 87-217-S (D.N.H. Mar. 30, 1992).
  • United States v. Trabert, 978 F. Supp. 1368 (D. Colo. 1997).
  • United States v. Gonzalez, No. 76-132 (M.D. La. Dec. 21, 1976).
  • In re Mullins (Tamposi Fee Application), 84 F.3d 1439 (D.C. Cir. 1996).
  • Alexander v. FBI, 971 F. Supp. 603 (D.D.C. 1997).
  • Shannon v. General Elec. Co., 812 F. Supp. 308 (N.D.N.Y. 1993).
  • Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453 (D.C. Cir. 1996).
  • Falwell v. Exec. Office of the President, 113 F. Supp. 2d 967 (W.D. Va. 2000).
  • Dale v. Exec. Office of the President, 164 F. Supp. 2d 22 (D.D.C. 2001).
  • Trulock v. DOJ, No. 00-2234, slip op. (D.D.C. Sept. 18, 2001).
  • Tripp v. Exec. Office of the President, 200 F.R.D. 140 (D.D.C. 2001).
  • Broaddrick v. Exec. Office of the President, 139 F. Supp. 2d 55 (D.D.C. 2001).
  • Flowers v. Exec. Office of the President, 142 F. Supp. 2d 38 (D.D.C. 2001).
  • Jones v. Exec. Office of the President, 167 F. Supp. 2d 10 (D.D.C. 2001).
  • Sculimbrene v. Reno, 158 F. Supp. 2d 26 (D.D.C. 2001).
  • Schwarz v. U.S. Dep’t of the Treasury, 131 F. Supp. 2d 142 (D.D.C. 2000).
  • Cobell v. Norton, 157 F. Supp. 2d 82 (D.D.C. 2001).
  • Cummings v. U.S. Dep’t of the Navy, 279 F.3d 1051 (D.C. Cir. 2002).
  • McCready v. Principi, 297 F. Supp. 2d 178 (D.D.C. 2003).
  • Chang v. U.S. Dep’t of the Navy, 314 F. Supp. 2d 35 (D.D.C. 2004).
  • Maydak v. United States, 363 F.3d 512 (D.C. Cir. 2004).
  • Doe v. Chao, 540 U.S. 614 (2004).
  • NASA v. Nelson, 562 U.S. 134 (2011).
  • Fed. Aviation Admin. v. Cooper, 132 S. Ct. 1441 (2012).
  • Logan v. U.S. Dep’t of Veterans Affairs, 357 F. Supp. 2d 149 (D.D.C. 2004).
  • Oja v. U.S. Army Corps of Engineers, 440 F.3d 1122 (9th Cir. 2006).
  • McCready v. Nicholson, 465 F.3d 1 (D.C. Cir. 2006).
  • Bassiouni v. FBI, 436 F.3d 712 (7th Cir. 2006).
  • Sussman v. U.S. Marshals Serv., 494 F.3d 1106 (D.C. Cir. 2007).
  • Wilson v. Libby, 535 F.3d 697 (D.C. Cir. 2008).
  • Lane v. U.S. Dep’t of the Interior, 523 F.3d 1128 (9th Cir. 2008).
  • Doe v. U.S. Dep’t of Veterans Affairs, 519 F.3d 456 (8th Cir. 2008).
  • Rouse v. U.S. Dep’t of State, 567 F.3d 408 (9th Cir. 2009).
  • Maydak v. United States, 630 F.3d 166 (D.C. Cir. 2010).
  • Speaker v. U.S. Dep’t of Health and Human Serv. Ctr. for Disease Control and Prevention, F.3d 1371 (11th Cir. 2010).
  • Sieverding v. DOJ, 693 F. Supp. 2d 93 (D.D.C. 2010).
  • Shearson v. DHS, 638 F.3d 498 (6th Cir. 2011).
  • Mobley v. CIA, 806 F.3d 568 (D.C. Cir. 2015).
  • Liff v. Office of Inspector Gen. for the U.S. Dep’t of Labor, 881 F.3d 912 (D.C. Cir. 2018).
  • Fazaga v. FBI, 916 F.3d 1201 (9th Cir. 2019).
  • Rojas v. FAA, 941 F.3d 392 (9th Cir. 2019).
  • Garris v. FBI, 937 F.3d 1284 (9th Cir. 2019).

Statutory Provisions

Privacy Act

Title 5 U.S. Code

§ 552a. Records maintained on individuals