Focusing public attention on emerging privacy and civil liberties issues

The Privacy Act of 1974

Introduction

The Privacy Act of 1974, Public Law 93-579, was created in response to concerns about how the creation and use of computerized databases might impact individuals' privacy rights. It safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called "fair information practices," when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual's data with other people and agencies. Fourth and finally, it lets individuals sue the government for violating its provisions.

There are, however, several exceptions to the Privacy Act. For one thing, government agencies that are engaged in law enforcement can excuse themselves from the Act's rules. Agencies have also circumvented information sharing rules by exploiting a "routine use" exemption.

History

In the course of its daily business, the federal government necessarily keeps hundreds of databases on individual people. As technology advanced through the 1960s and 70s, it became easier for agencies to cross-reference individuals' personal data. Citizens and legislators began to contemplate the ways that this information, if compiled, could be abused. With computers able to search through and cross-reference files quickly and easily, it was clear that various details of a person's life could be compiled into a single database.

The HEW Report

In 1973, the Department of Health, Education, and Welfare (HEW) issued a report entitled Records, Computers, and the Rights of Citizens. This report recommended that Congress enact legislation adopting a Code of Fair Information practice for automated personal data systems. This Code consisted of the following principles:

  • There must be no personal data record-keeping system whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him that was obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precaution to prevent misuse of the data.
The HEW Report also made specific recommendations for laws that would implement and enforce this Code. These recommendations required organizations keeping automated databases on individuals to: (1) enact safeguards to protect this data, and (2) report to the public each year what databases they were keeping and what kinds of information they held. The HEW Report also set out a list of rights that individual "data subjects" (people whose personal information was being stored) should have. Many of these recommendations eventually became part of the Privacy Act of 1974.

The HEW Report also extensively studied the issue of the Social Security number (SSN). This was a particular concern because the SSN seemed to be the most likely candidate for creating a "standard universal identifier," or SUI, which could be used as a key to link all of the records kept on a person by all agencies. Because of this risk, the HEW Report recommended that the SSN should only be used where it is absolutely necessary (for instance, by the Social Security Administration in delivering benefits, or where existing laws required agencies to use the SSN), and that no agency should require someone to give their SSN out unless Congress specifically required it. These recommendations were also evident in the final text of the Privacy Act.

Debate and Passage of the Act

The Privacy Act was created as a compromise between two separate bills, one introduced in the House of Representatives, one in the Senate. The Senate bill, S. 3418, tended to have stricter requirements for the government than did the House bill, including harsher penalties for violations of the Act and the creation of a Privacy Protection Commission to oversee the Act's implementation. The House bill, H.R. 16373, also required that certain violations of the Act be "willful, arbitrary, or capricious" before damages would be assessed against the government, while the Senate required only that the Act be violated. Both bodies considered the differing bills late in the session, and then decided to reconcile the language in an informal meeting between House and Senate staffers. Among the major compromises were the following:

  • The creation of the Privacy Protection Study Commission, which would not have the power to enforce violations of the Act, but instead would submit recommendations to Congress regarding further implementation and enforcement.
  • Certain government violations of the Act had to be "willful or intentional" in order for an individual to receive damages. This was thought to be an easier burden for an individual plaintiff to show than "willful, arbitrary, or capricious," but harder than just showing a violation of the Act.
  • Plaintiffs "entitled to recovery" were guaranteed to receive at least $1,000 in damages.
  • The House's "routine use" exception for information sharing was included.
  • The Senate's provision that an individual could appeal a refusal to amend a record in federal district court.

These changes, along with several others, harmonized the two bills, and with final changes made by the Senate, the amended Act was passed by the Senate on December 17, and by the House on the 18th. President Ford signed the Privacy Act into law by the new year.

The Privacy Protection Study Commission's Report

The Act called for the creation of the Privacy Protection Study Commission ("PPSC"), which issued its report on the Privacy Act in 1977. This report, entitled Personal Privacy in an Information Society, concluded that, while the Privacy Act of 1974 was a great step forward, it did not result in the benefits intended by Congress. The PPSC felt that much of the language of the Privacy Act was unclear, and that the reliance on the definition of "systems of records" was problematic. This is because the definition of "system of records" only included those databases that retrieved information by name, SSN, or other individually identifiable information. Thus, a database containing a person's name and Social Security number might not be covered by the Privacy Act simply because it was not indexed by name, SSN, etc. For example, to circumvent Privacy Act requirements, some agencies had created employee databases that classified individuals by rank, rather than SSN or name.

The Commission also found that the publication of databases in the Federal Register was helpful, though of limited impact, since public readership of the Federal Register is not particularly broad. Also, the PPSC said that the information disclosed by agencies in their publications was often lacking in details like how systems are used internally by agencies. Regarding individual access, the Commission found that very few people had made use of the Privacy Act's access provisions in the years since its passage. It attributed this shortcoming to the lack of awareness of the Privacy Act's provisions (compared to the relatively well-known Freedom of Information Act) and to the sweeping exceptions provided for the CIA and other major law enforcement agencies. Criticism also fell on agencies for not applying consistent criteria for measuring Privacy Act compliance. Often, many middle and lower-level personnel misunderstood the terms of the Act and would improperly cite it as a reason for withholding information from individuals.

The Privacy Act's Provisions

To Whom the Act Applies

The Privacy Act, unlike the Freedom of Information Act, only covers U.S. citizens and permanent residents. Thus, only a citizen or permanent resident can sue under the Privacy Act.

In addition, the Act applies only to certain federal government agencies (except for Section 7 of the Act, which places limits on the Social Security Number that apply to federal, state, and local governments). Aside from Section 7, state and local governments are not covered by the Privacy Act, though individual states may have their own laws regarding record keeping on individuals. Executive departments, military departments, independent regulatory agencies, and government-controlled corporations are all covered by the Act. This means that government controlled companies like the U.S. Postal Service should be covered as well as the military and executive agencies like the Department of Education, the FDA, and FBI, to name just a few. Neither house of Congress is included in this definition, though the Office of the President is.

The Act often refers to "systems of records." A system of records is defined as any group of records where information is retrieved by the name of the individual or by an individual identifier. Databases and collections of records that do not allow retrieval of information on particular individuals are not included.

Public Notice Requirements

In order to prevent the existence of secret databases, agencies must publish the details of all their systems of records in the Federal Register. The publication must cover intended uses of the system, and allow for interested persons to submit written data, views, or arguments to the agency. Any time that an agency wishes to establish or significantly change a system of records, it must also notify in advance the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget. These bodies will then evaluate the probable or potential effect of the proposal on the rights of individuals.

Important provisions requiring the President to submit a report every two years on oversight of the Privacy Act were repealed in 1995 by Public Law 104-66, the Federal Reports Elimination and Sunset Act of 1995.

Access to Records

The Privacy Act requires any agency maintaining a system of records to give an individual access to any records they might have about him. He should be allowed to review the record, and make copies of it. If the record is incomplete or in error, he is also entitled to ask that his record be corrected. The agency must then respond to this request within ten business days, either by making the requested changes or by telling the person why they have refused to alter his record. The agency must then tell the person who to talk to if he wants a higher official to review the refusal.

If the individual decides to appeal, the agency has thirty business days to complete a review of the refusal. The agency can extend this thirty-day limit, but only "for good cause shown." If, after the review, the agency still decides not to change the record, the individual can file a statement explaining why he disagrees with the agency's refusal. The agency must include this statement with any copies of the record that it discloses from that time on. The agency is also required to tell the individual what he can do to take the case to a court.

Requirements for Government Disclosure of Information

Subsection (b) of the Privacy Act limits a government agency's ability to disclose information placed in a system of records. The agency may only disclose such information if it has permission from the individual or if it can meet one of the twelve following conditions:

  1. The disclosure is to an agency employee who normally maintains the record and need it in the performance of duty;
  2. The disclosure is made under the Freedom of Information Act;
  3. The disclosure is for a "routine use;"
  4. The disclosure is to the Census Bureau for the purposes of a census survey;
  5. The disclosure is to someone who has adequately notified the agency in advance that the record is to be used for statistical research or reporting, and the record is transferred without individually identifying data;
  6. The disclosure is to the National Archives and Records Administration as a record of historical value;
  7. The disclosure is to an agency "of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity," and if the record is provided in response to a written request by the head of the agency;
  8. The disclosure is made where there are "compelling circumstances" affecting someone's health or safety, and the person whose health or safety is affected is sent a notification of the disclosure;
  9. The disclosure is made to Congress, or any committee or subcommittee within Congress;
  10. The disclosure is made to the Comptroller General in the course of the duties of the General Accounting Office;
  11. The disclosure is made pursuant to a court order;
  12. The disclosure is made to a consumer reporting agency in accordance with 31 U.S.C. 3711(e).

Audit Trails

Subsection (c) states that an agency must also keep accurate accounts of when and to whom it has disclosed personal records. This includes contact information for the person or agency that requested the personal records. These accounts should be kept for five years, or the lifetime of the record, whichever is longer. Unless the records were shared for law enforcement purposes, the accounts of the disclosures should be available to the data subject upon request.

Data Minimization Requirements

An agency should maintain in its records only the minimum amount of information "relevant and necessary" to accomplish its purposes. If the information to be collected might have an adverse effect upon an individual (by reducing her rights, benefits, or privileges), the agency must collect as much data as it practicably can from the individual herself. When collecting this information from the individual, the agency must tell the individual what law or executive order authorized the agency to collect the information; the routine uses to which the data may be put; and the effects that might result from the individual not providing the information requested.

Protection of First Amendment Rights

Agencies cannot maintain any records "describing how an individual exercises rights guaranteed by the First Amendment" unless: (1) a separate statute authorizes the agency to maintain the records; (2) the individual authorizes the agency to maintain the records; or (3) the records are maintained "pertinent to and within the scope of an authorized law enforcement activity."

Limits on Agency Data Sharing

One of the most important aspects of the Privacy Act is that it restricts the sharing of information between government agencies. It does this by limiting "matching programs," which it defines as the computerized comparison of databases in order to determine the status, rights, or benefits of the individuals within those systems of records. Matching programs can be used to share information between federal agencies, or between a federal and a non-federal agency (remember that in the text of the Privacy Act, "agency" almost always means a federal agency. However, the provisions limiting matching programs apply to non-federal agencies as well).

The Privacy Act prohibits agencies from running matching programs on systems of records, unless there is a written agreement between the agencies. This agreement must be given to the Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House, and should also be made available to the public. The agreement can only last 18 months, though it can be renewed each year as long as it does not change. Any changes must be reported just as a new system of records would be. The matching agreement must state:

  • The purpose and legal authority for conducting the matching program;
  • the justification for the program and its anticipated results, including an estimate of any savings;
  • a description of the records that will be matched, including each data element used, the approximate number of records to be matched, and the projected starting and completion dates of the matching program;
  • various procedures for: giving notice to potentially affected individuals; verifying the accuracy of the program's results; keeping the records current and secure; and regulating the use of the results;
  • any assessments of how accurate the records used are; and
  • a section allowing the Comptroller General to all of the records it deems necessary in order to monitor compliance with the agreement.

If an agency sharing information (the "source agency") thinks that the recipient agency is not abiding by all of the necessary regulations, it cannot disclose any records to the recipient agency. Nor may the matching agreement be renewed unless the recipient agency certifies that it has complied with all of the provisions of the matching agreement, and the source agency has no reason to believe that this certification is inaccurate.

Every agency that uses a matching program must have a Data Integrity Board. This Board must consist of senior officials of the agency, including the Inspector General of the agency (if there is one) and any official selected to oversee Privacy Act compliance. The Data Integrity Board must review and approve all data matching agreements, to make sure that the agency is complying with all laws and guidelines. This review must be carried out each year for all new and existing matching programs. The results of this review must be submitted in an annual report to the Office of Management and Budget, and the report must also be made available to the public on request. The Board also should act as a clearinghouse for any information on the accuracy, completeness, and reliability of records. The authority of the Data Integrity Board also extends to any agency matching activities, not just matching programs.

If the Data Integrity Board refuses to allow a proposed matching agreement, either agency proposing the agreement can appeal to the Director of the Office of Management and Budget.

Penalties for Violating the Act: Civil Remedies

The Privacy Act provides for both civil and criminal penalties for violating certain sections. If an agency refuses to amend an individual's record upon request, the individual can sue in civil court to have the record amended. In this case, the court can also award the individual reasonable attorney's fees and other litigation costs, to be paid by the United States.

If an agency refuses to allow an individual access to his records as required in subsection (d)(1), the individual can sue in civil court to have the records produced. The court that decides this suit will have the ability to review the records "in camera" (privately) to see if the agency has properly claimed one of the exemptions allowed to them. The court can also make the United States pay for reasonable attorney's fees.

If an agency has violated any other section of the Privacy Act, and a court finds that the violation is "intentional or willful," the court can make the United States pay to the individual actual damages suffered as a result of the violation (but in no case shall a person entitled to recovery receive less than the sum of $1,000), along with costs and reasonable attorney's fees.

Penalties for Violating the Privacy Act: Criminal Penalties

If any officer or employee of a government agency knowingly and willfully discloses personally identifiable information will be found guilty of a misdemeanor and fined a maximum of $5,000. Also, if any agency employee or official willfully maintains a system of records without disclosing its existence and relevant details as specified above can be fined a maximum of $5,000. The same misdemeanor penalty (and $5,000 maximum fine) can be applied to anyone who knowingly and willfully requests an individual's record from an agency under false pretenses.

OMB Oversight

The Privacy Act gives the Director of the Office of Management and Budget the power to develop regulations and guidelines on how agencies should implement the Act. Thus, the OMB's interpretations of the language of the Privacy Act hold a great deal of authority.

Limitations on the Use of the Social Security Number

Section 7 of the Privacy Act says that no federal, state, or local government agency can require someone to give out their Social Security number in order for the individual to receive any right, benefit, or privilege provided by law. However, this section does not apply to any disclosure that is "required by a federal statute," or that is being used in a system of records that existed before January 1, 1975. Whenever a government agency requests disclosure of the Social Security number, it must tell the individual whether the disclosure is mandatory or voluntary, what laws give the agency the authority to request the Social Security number, and how the number will be used.

Exceptions to the Privacy Act

As much as the Privacy Act does to protect individual privacy, numerous exceptions to it exist. These exceptions (as well as the practical difficulties involved with maintaining and regulating such a vast system of databases) mean that individual privacy is not often as carefully protected as the drafters of the Privacy Act might have liked. Since "records," "systems of records" and "agencies" are narrowly defined, the Act may not cover many types of databases and data-gathering activities. Also, there are certain exceptions given for "law enforcement purposes." Finally, the "routine use" exception allows government agencies to disclose individually identifiable information simply by stating their plans to disclose that type of information when they create or alter the database.

"Records" and "Systems of Records"

The Privacy Act defines a "record" as any type of information that includes a person's "name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." While it may have been extremely difficult in 1974 to affect someone's privacy without knowing their name, Social Security number or appearance, the sophistication of today's databases make it much easier to single out an individual from a set of facts, none of which is in itself an "identifying particular."

The Act also limits "systems of records" to those groups of records "from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." As the Privacy Protection Study Commission noted, many databases contain personally identifiable information, but do not retrieve records by that information. Any such databases would be exempt from the provisions of the Privacy Act, though they might contain the same information and might still be used in the same way that an officially recognized "system of records" would be.

Law Enforcement Purposes

Exemptions for "law enforcement purposes" are scattered throughout the Privacy Act. The reasons for law enforcement exceptions are clear: it would be counterproductive to give criminal suspects under surveillance the ability to request files on current investigations about them. Thus, "matching programs" do not include matches performed during a specific investigation of a particular person. Also, law enforcement agencies can exempt themselves from many of the Privacy Act's requirements if the agency's main function pertains to the enforcement of criminal laws and if the system of records contains information on: (A) information about offenders or alleged offenders, such as arrest and sentencing records; (B) information compiled for the purpose of a criminal investigation associated with a particular individual; or (C) reports identifiable to an individual compiled at any stage of enforcing criminal laws, from arrest through release from supervision.

However, there are specific areas of the Privacy Act that law enforcement cannot exempt itself from. A law enforcement agency must abide by the disclosure rules of subsection (b), meaning that they cannot disclose personally identifiable information unless they have consent or the disclosure falls within one of the twelve conditions mentioned in the Requirements for Government Disclosure of Information section above. The agency must also still keeps records on who has requested information under the Privacy Act. The law enforcement agency also must publish the existence and character of its database in the Federal Register, including routine uses, data storage policies, and contact information for the official responsible for the system. Law Enforcement agencies must also still abide by fair information practices, meaning that they must ensure reasonable accuracy, completeness, timeliness and relevance of records; they must make reasonable efforts to tell an individual when their records have been disclosed due to a court order or a subpoena; and they must establish appropriate rules of conduct and safeguards to protect the privacy and security of the information.

Routine Use

One of the most commonly abused provisions of the Privacy Act is the "routine use" exception. One of the twelve reasons that an agency might be allowed to disclose personal information is if the disclosure is "for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section."

Subsection (a)(7) simply defines "routine use" as "the use of such record for a purpose which is compatible with the purpose for which it was collected." Note that a routine use does not have to be a purpose identical to the purpose for which the record was collected, only a compatible purpose. This phrasing can often lead to "mission creep" for a system of records, in which the routine uses for a particular database gradually increase until its scope is far greater than its originally stated goals.

Subsection (e)(4)(D) simply requires that the routine uses be stated in the Federal Register. While this might suggest that all potential routine uses must be listed, the reality is that these listings are often so broad as to include all potential uses of the data. While some court decisions have limited how broadly an agency can describe "routine uses" (see Britt v. Naval Investigative Service below), a large number of uses can still be covered by a short, general statement.

The Privacy Act Modernization for the Information Age Act of 2011

On October 18, 2011, Senator Daniel Akaka, Hawaii (D) introduced the Privacy Act Modernization for the Information Age (PAMIA) Act of 2011 bill to the Senate (S. 1732). Born out of the “expansion of technology and the proliferation of personally identifiable information in the hands of government agencies,” the PAMIA Act majorly updates the Privacy Act in seven different ways: (1) the PAMIA Act clarifies several Privacy Act definitions; (2) the PAMIA Act updates exceptions for when agencies do not have to notify individuals of record disclosures; (3) the PAMIA Act updates the Privacy Act’s requirements for how agencies publish notice of systems of records; (4) the PAMIA Act strengthens civil remedies and criminal penalties for improper disclosure of information; (5) the PAMIA Act elaborates on the Privacy Act’s current definition of Personally Identifiable Information (PII); (6) the PAMIA Act creates a new Federal Chief Privacy Officer at the Office of Management and Budget (OMB); and (7) the PAMIA Act expands the investigative authority currently granted to the Department of Homeland Security Chief Privacy Officer to other agency privacy officers.

News

Resources

Cases

  • Doe v. Chao, 306 F.3d 170 (4th Cir. 2002), cert.granted, 2003 U.S. LEXIS 5035, (No. 02-1377, 2003 Term). Doe v. Chao concerns one of a group of miners who pseudonymously sued the Department of Labor for violating the Privacy Act of 1974 when the Department published the records of their black lung compensation claims with their Social Security numbers as their case numbers. This particular case, however, deals with Buck Doe, who claims actual damages for the emotional distress caused to him by the disclosure. The Fourth Circuit ruled that "actual harm" was required in order for a plaintiff to receive the statutory minimum damages of $1,000, and that Buck Doe had not met that requirement. On June 27th, 2003, the Supreme Court agreed to hear this case. EPIC has filed a brief in this case as amicus curiae.
  • Clarkson v. Internal Revenue Service, 678 F.2d 1368 (11th Cir. 1982). In this case, the Eleventh Circuit Court of Appeals held that the IRS improperly maintained records regarding the exercise of the plaintiff's First Amendment rights. The plaintiff, a tax protester, was followed and investigated by the IRS, who kept a file on him containing surveillance reports, newsletters, and press releases. The court found that these were in violation of the Privacy Act, even though the IRS contended that the records were not kept in a "system of records," since they were kept in a general "Tax Protest File," from which the IRS said it could not retrieve individual records by name.
  • Britt v. Naval Investigative Service, 886 F.2d 544 (3d Cir. 1989). In this case, the Naval Investigative Service (NIS) was investigating Britt, an employee of the Immigration and Naturalization Service (INS) and also a member of the Marine Reserves, for improper requisitions. The NIS released their preliminary investigations to the INS. Britt then sued for improper disclosure under the Privacy Act. The NIS claimed that their disclosure of the investigation fell within the "routine use" exception, since the routine uses published in the Federal Register included disclosures to "other investigative units (federal, state or local) for whom the investigation was conducted, or who are engaged in criminal investigative and intelligence activities; federal regulatory agencies with investigative units." Since the INS is a federal regulatory agency with an investigative unit, the NIA claimed that this was a routine use that was properly published in the Federal Register, and therefore not subject to the Privacy Act. The Third Circuit disagreed, saying that "the breadth of the clause relied on does not provide adequate notice to individuals as to what information concerning them will be released and the purposes of such release."
  • R.R. v. Department of the Army, 482 F. Supp. 770 (D.D.C. 1980). In this case, the D.C. District Court decided that a court can order an agency to amend or delete matters of opinion contained within an individual's file, if the factual basis for those opinions had been discredited.