In assessing the impact of the Privacy Act of 1974 on Federal agency
record-keeping practice, it is essential to understand the framework of
reporting requirements, guidelines, regulations, and enforcement procedures
that give structure to the mix of rights and responsibilities the Act establishes. It is also important to understand how the agencies have provided for the ordinary workaday administration of the Act, not only within the framework of rights and obligations the Act itself establishes, but also in conjunction with other statutes, such as the Freedom of Information Act [5 U.S.C. 552] and the Administrative Procedures Act [5 U.S.C 551] et seq. This chapter examines that basic implementation framework and offers examples of the ways agencies have attempted to respond and adapt to it. It explains to whom and to what the Act applies, describes how the Act's several notice and reporting requirements have been implemented, examines the guidance and oversight role of the Office of Management and Budget, and briefly assesses agency rule making and compliance monitoring, as well as the various vehicles for enforcing the Act's requirements
TO WHOM DOES THE ACT APPLY?
The Privacy Act of 1974 applies to an "agency" as defined in subsection 552(e) of the Freedom of Information Act (FOIA) and to certain government contractors as defined by its own subsection 3(m). [5 U.SC 552a(m)] The original FOIA, passed in 1966, contained no definition of an agency, relying instead on the Administrative Procedures Act (APA). The APA defines an agency as "each authority of the government of the United States, whether or not it is within or subject to review by another agency . . . ." [5 U.S.C 55](1)] In 1971, in Soucie v. David [448 F2d. 1067,1073], this definition was interpreted by the Court of Appeals for the District of Columbia to mean that an agency is "any administrative unit with substantial independent authority in the exercise of specific functions." In other words, as the Attorney General later put it, there may be "agencies within agencies.1
In the autumn of 1974, just prior to enacting the Privacy Act, the Congress amended the Freedom of Information Act, in part to clarify and expand the classes of organizational entities to which the FOIA would apply. No longer relying solely on the APA definition, the Congress specifically defined the term "agency" to include
. . . any executive department, military department, Government corporation, Government controlled corporation, or other estab-lishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. [5 U.S. C. 552(e)]
The House report on the 1974 Freedom of Information Act amend-ments states that this definition includes establishments such as the U.S. Postal Service (USPS), and, within the Executive Office of the President, the Office of Management and Budget (OMB), the Council of Economic Advisers (CEA), and the National Security Council (NSC). It also includes corporations controlled by the government but not wholly owned by it, along with wholly government-owned corporations established by Congress, such as the Tennessee Valley Authority and the Federal Crop Insurance Corporation. It does not, however, include corporations that simply receive appropriated funds, such as the Corporation for Public Broadcasting, nor does it include the President's immediate personal staff or units in the Executive Office of the President whose sole function is to advise and assist the President 2
In an April 1975 letter to the Office of Management and Budget, the Justice Department advised on the Privacy Act implications of the new FOIA definition as follows:
. . . it is our firm view that . . . it is for the over-unit-the Department or other higher-level "agency"-to determine which of its substantially independent components will function indepen-dently for Freedom of Information Act purposes. Moreover, as the Attorney General [has] noted . . ., "it is sometimes permissible to make the determination differently for purposes of various provi-sions of the [FOIA]-for example, to publish and maintain an index at the over-unit level while letting the appropriate subunits handle requests for their own records." (Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, February, 1975, p. 25). In our view, this practice of giving variable content to the meaning of the word "agency" for various purposes can be applied to the Privacy Act as well as the Freedom of Information Act. For example, it may be desirable and in furtherance of the purposes of the Privacy Act to treat the various components of a Department as separate "agencies" for purposes of entertaining applications for access and ruling upon appeals from denials, while treating the Department as the "agency" for purposes of those provisions limiting intragovernmental exchange of records. (Of course, dissemination among components of the Department must still be only on a "need-to-know" basis.) [5 U.S.C. 552a(b)(1)]. Needless to say, this practice must not be employed invidiously, so as to frustrate rather than to further the purposes of the Privacy Act; and there should be a consistency between the practice under the Privacy Act and the practice for comparable purposes under the Freedom of Information Act.3 .
The Justice Department's position has been reaffirmed by OMB which incorporated it in the OMB Guidelines on Privacy Act Implementation.4 The interpretation that emerges is clearly one based on function, not organiza tion. The agencies can use varying definitions of agency for varying functional purposes, regardless of the organizational structures involved. The only restriction is that the definitions adopted should not needlessly frustrate the purposes of the Act and, by and large, the definitions the agencies have adopted have not done so. The one problem, discussed in Chapter 2, below, is that to allow for the free flow of information about individuals within its own organizational boundaries, each agency has defined itself as an agency at the highest possible level. Thus, within a Cabinet Department that operates many different programs, it is theoreti-cally possible for a record about an individual maintained by one program to be available to all the others on a need-to-know basis. So far, however, there is no evidence that the flexibility the Act allows in that regard has been abused.
Government contractors are another category of entities to which the Privacy Act applies. Subsection 3(m) of the Act provides that:
When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of . . . [the Act] to be applied to such system. For purposes of subsection (i) [the criminal penalties provision] of [the Act] any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of [the Act], shall be considered to be an employee of an agency. [5 U.S.C. 552a(m)]
The legislative history of subsection 3(m) is unclear regarding the Congress' intent. The drafters of the Senate bill were primarily concerned with the flow of criminal-history records to and from State and local governments, and with the amount of money that had been spent through Federal grants to establish State and local criminal justice information systems. Thus, the Senate bill would have extended the provisions of the Privacy Act to contractors or grantees in situations where the purpose of the contract or grant was to establish or alter a system of records. The compromise amendment, however, permitted Federal law enforcement agencies to exempt most of their contractors from the Act's coverage, and also removed all grantees from the purview of the Act.
The OMB Guidelines state that subsection 3(m) was intended to cover de facto as well as de jure Federal agency systems;5 that is, to cover systems "taking the place of Federal systems which, but for the contract, would have been performed by the agency and covered by the Privacy Act "6 In practice, however, deciding when a contractor's system exists to "accom-plish an agency function" has often been difficult. The OMB Guidelines say that to fall under subsection 3(m) a contract would normally provide, as one of its specific requirements, that the contractor operate a system of records. Nonetheless, a contract that does not mention a system, but which can be performed only by the operation of one, would be covered; while the Act would not reach a contractor's system "used as a result of his management discretion," such as the personnel system of a large defense contractor.7
The difficulties and pitfalls in interpreting subsection 3(m) are exemplified by the following paragraph in a May 14, 1976, memorandum from the DHEW General Counsel to all of the Department's Privacy Act contacts and procurement officers:
It is fair to conclude that a system of records established by an HEW contractor for the purpose of enabling the contractor to prepare and submit to the HEW contracting agency statistical or other reports is not a system "actually taking the place of a Federal system which, but for the contract, would have been performed" by the agency. Where the contracting agency is interested only in obtaining the results of the research or other work performed under the contract (generally in the form of a report) and does not require the contractor to furnish it individually identifiable records from the system established by the contractor, it cannot be said that the system is one which "but for" the contract, the agency would have established.8
Strictly speaking, this interpretation is consistent with the OMB Guidelines, even though the memorandum goes on to advise DHEW contracting officers to incorporate into contracts, where appropriate, ". . . the provisions designed to protect the confidentiality of the records and the privacy of individual identifiers in the records." However, a position opposite to the memorandum's basic position would also be easy to defend. That is, if the study were not funded, the records would not exist, and thus the Federal government should not consider itself wholly without responsibility for the contractor's record-keeping practices. Moreover, it is widely recognized that subsection 3(m) excludes grantees who often perform functions that are indistinguishable in practice from the functions contractors perform.
WHAT IS COVERED BY THE ACT
Where the Act fails to meets its objectives, the failure can often be traced, in part, to the record and system-of-records definitions that further limit its scope of application. The Privacy Act applies to a "record" that is "retrieved" from a "system of records" by the name of an individual "or by some identifying number, symbol, or other identifying particular" assigned to him. [5 U.S.C. 552a(a)(5)]
As defined in subsection 3(a)(4), "record" means:
. . . any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. [5 U.S.C 552a(a)(4)]
This definition potentially includes every record that contains any kind of information associated with an individual. Subsection 3(a)(5), however, defines a "system of records" as:
. . . a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. [5 U.S. C 552a(a)(5)] Thus, unless an agency, in fact, retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular. . .," the system in which the information is maintained is not covered by the Act.
Whereas the record definition refers to information about an individu-al that contains his name or identifier; the system-of-records definition refers to information about an individual that is retrieved by name, identifier, or identifying particular. The crucial difference between the two definitions is obvious, and the effect has been to exclude many records from the Act's requirements about individuals that are not accessed by name, identifier, or assigned particular. The Interior Department, for example, files its records on job candidates recommended by Congressmen under the Congressmen's names rather than the names of the applicants,9 and the Maritime Administration (Department of Commerce) files information on directors of shipbuilding firms by shipyard and shipbuilding contract rather than by the directors' names.10 All of these examples, however, are within the strictures of the law.
The system-of-records definition also creates uncertainty as to which records are, or should be, subject to the Act. For example, questions have been raised about the status of the State Department's cable system, which Federal agencies use to transmit information overseas. Because this computerized communications system has the ability to retrieve information in the cables on the basis of personal identifiers, the State Department might be considered to maintain an extensive system of records derived from other agencies' cable traffic. So far, however, there has been no clear determina-tion as to whether the cable system should be considered a State Department system of records or simply a facility for communicating information in records maintained by the user agencies.
In addition, some agencies treat record-keeping systems that techni-cally do not fall under the Act as if they did. The General Services Administration, for example, allows its employees access to merit promotion information, even though such information is filed by vacancy announce-ment number.11 The Interior Department has a system that records the number of ducks that duck hunters shoot each year. This information is neither filed nor retrieved by personal identifier, but because law enforce-ment officials are given, approximately ten times a year, the names of individuals who have reported shooting an endangered species, the Department decided that it would apprise the hunters of the uses that could routinely be made of the information they report.12
A further and extraordinarily important flaw in the system-of-records definition is that it springs from a manual rather than a computer-based model of information processing. In a manual record-keeping system, records are apt to be stored and retrieved by reference to a unique identifier. This, however, is not necessary in a modern computer-based system that permits attribute searches. An attribute search, in contrast to the convention-al "name search," or "index search," starts with a collection of data about many individuals and seeks to identify those particular individuals in the system who meet a set of prescribed conditions or who have a set of prescribed attributes or combination of attributes. For example, officials of the Veterans Administration (VA) testified in the Commission's hearings on medical records that the VA has produced lists of names for another agency by using psychiatric diagnosis, age, and several other personal attributes as the search keys.13
A growing number of computer systems today are also programmed to retrieve information by what is known as the "textual search" process. Briefly, the search program is keyed to "hit" on certain arrangements of characters or items of data as it scans material that has previously been assimilated into the system as raw text; such as reports, letters, or memoranda. It would appear, however, that such a system would not be subject to the Privacy Act because, by the Act's operating definitions, it does not constitute a system of records.
Finally, there appears to be some confusion as to whether all records retrieved by personal identifier should be considered subject to the Act. For example, the Agency for International Development (AID) has taken the position that some systems, such as those listing the weight of an individual's household effects and his official itinerary, should be removed from the Act's purview and has decided that lists already in the public domain, such as telephone lists and biographic registers, will not be treated as Privacy Act systems of records.14 The Department of State made a similar determination with respect to lists of blood donors and parking lot assignments.15
EXEMPT SYSTEMS OF RECORDS
Although all Federal agency record-keeping operations that fit the Privacy Act's definition of a system of records are subject to some of its requirements, the Act's scope of application is significantly narrowed by the opportunity it gives some agencies to exempt whole systems from many of the Act's more important requirements. This is particularly true of systems maintained for law enforcement and investigative purposes. Subsection 3(j) of the Act permits exemption from most requirements if the records in a system of records are records maintained by the Central Intelligence Agency j5 U.S.C. 552a0)(1)]; or identification files, investigative records, or reports compiled on individuals during the time between arrest and final release and maintained by an agency "or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws." (5 U.S.C. 552a(j)(2)] The provisions of the Act from which records cannot be exempted under subsection 3(j) are primarily those that establish certain records management responsibilities. For example, an accounting of disclosures of information from an exempt system must be kept, and an agency that maintains an exempt law enforcement system must take steps to assure the accuracy and relevance of records it discloses to anyone other than another agency, but the basic oversight and enforcement vehicles otherwise available in the Act, i.e., individual access and correction rights and civil remedies, cannot be used to make sure the agency complies.
The exemption opportunities in subsection 3(k) [5 U.S.C. 552a(k)] are less sweeping than those in Subsection 30), but they also serve to insulate many systems from fundamental protections the Act elsewhere guarantees an individual. Subsection 3(k)(2) creates an exemption opportunity for investigatory records compiled for both criminal and civil law enforcement purposes that have not already qualified for an exemption under subsection 3(j)(2). An agency that takes a 3(k)(2) exemption for a system of records is excused from granting an individual access to records about himself; from revealing to the individual its accounting of the disclosures it makes of records about him; from publishing certain portions of the required annual notice on the system; and from promulgating regulations establishing procedures by which the individual can see, copy, and correct or amend a record about himself. Subsection 3(k), like subsection 30), also allows an exemption from the Act's requirement that the information in a system be "relevant and necessary" to accomplish a purpose mandated by law.
The President's report to the Congress on Privacy Act implementation for calendar year 1975 showed that exemptions had been claimed for 889, or 13 percent of the 6,723 systems whose existence was reported during the first three months after the Act took effect on September 27, 1975. For some systems, an agency claimed both 30) and 3(k) exemptions. Figure 1 shows the type of systems for which exemptions were taken.
While one can agree with the basic public-policy determination that some Federal agency records should not be subject to all of the Privacy Act's requirements, lest ongoing law enforcement investigations or legitimate national security interests be jeopardized, it nonetheless seems clear that the exemption provisions currently in the Act unnecessarily narrow its scope of application and thus unduly frustrate the achievement of its basic objectives. The Secret Service, for example, has had to exempt its entire "Criminal Investigation Information System" [41 F. R 45437 (October 14, 1976)] in order to exempt any part of it, even though many of the records in the system could be (and, under the Freedom of Information Act, often are) open to the individuals to whom they pertain; could be susceptible to correction and amendment without undue burden on the agency; and could be maintained with relatively strict procedures for assuring their accuracy and relevance when they are disclosed to third parties. In particular, one of the four categories of information in the system-records "consisting only of identifying data and notations of arrest, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and proba-tion status"-could be brought within the full scope of the Act without unreasonable difficulty. Such records, largely derived from public records, are unlikely to jeopardize ongoing investigations if disclosed to the individuals to whom they pertain and if inaccurate, but used to make a decision about an individual, either by the Service itself or by another agency, could be the cause of substantial harm to the individual.
Agencies not ordinarily thought of as investigative or law enforcement
agencies are often in the same position as the Secret Service. The Federal
Trade Commission's "Investigational, Legal, and Public Records" system in many
respects parallels the Secret Service's Criminal Investigation Information
System, but it too has been exempted in its entirety. [41 FR 39719
(September 15,1976); 16 C FR. 4.13]
Exemptions Claimed Under the Act
|Central Intelligence Agency Records (j)(1)||60|
|Criminal Law Enforcement Agency Records (j)(2)||210|
|Classified Records (k)(1)||236|
|Other Law Enforcement Records (k)(2)||545|
|Protective Services Records (k)(3)||72|
|Statistical Records (k)(4)||80|
|Federal Service Suitability Investigative Records (k)(5)||272|
|Testing or Examination Records (k)(6)||101|
|Military Service Promotional Potential Records (k) (7)||88|
|Total Systems Exempted||889*|
|Total Systems Not Exempted||5834|
*NOTE: The total number of systems exempted is less than the sum of the numbers exempted under each exemption provision because one system may have been exempted under more than one provision.
Finally, the broad scope of subsections 3(j) and 3(k) has permitted some agencies to exempt records when their connection with investigative efforts is tenuous at best, and where the rationale for excusing the records from the full force of the Act (for not letting an individual see information about himself, for instance) is difficult to understand. One example is the Department of the Interior's "Endangered Species Licensee System," which contains the "name, address, date of birth, height, weight, color of hair and eyes, business telephone number, occupation and Social Security number" of each individual requesting a license. [41 F. R 41296 (September 21,1976); 43 CF. R. 2.79 (b)] In Chapter 13 of its final report, and in Chapter 3 of this volume, the Commission suggests some ways of resolving this admittedly difficult problem.
PRIVACY ACT REPORTING REQUIREMENTS
A prime objective of the Privacy Act of 1974 is to assure that there will be no Federal agency system of records about individuals whose very existence is secret. A corollary objective is to assure that agency personal-data record-keeping policy and practice will be established in a manner that allows for public scrutiny and comment, as well as for executive and legislative oversight. To facilitate the achievement of these two objectives, the Privacy Act contains four major reporting requirements: (1) the annual system notice; (2) the "Privacy Act Statement"; (3) the new system report; and (4) the President's annual report to the Congress.
ANNUAL SYSTEM NOTICES
Subsection 3(e)(4) of the Act requires each agency that maintains a system of records to publish in the Federal Register at least annually a notice of the existence and character of the system, which notice shall include-
(A) the name and location of the system;
(B) the categories of individuals on whom records are maintained in the system;
(C) the categories of records maintained in the system;
(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use; (E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
(F) the title and business address of the agency official who is responsible for the system of records;
(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;
(H)the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records; and how he can contest its content; and
(I)the categories of sources of records in the system . . . . j 5 U.S. C. 552a(e)(4)]
As of December 31, 1976, 97 agencies had filed notices on 6,753 systems containing 3.85 billion records.16 The preceding year 86 agencies filed notices on 6,723 systems.17 Of those, 58 percent (3,908) were maintained by three agencies: the Department of Defense (2,145); the Department of the Treasury (932); and the Department of Health, Education, and Welfare (831). Twenty Cabinet departments and major independent agencies accounted for 87 percent of all notices published in 1975.18
In the President's first annual report to the Congress, the Office of Management and Budget (OMB) analyzed the agency notices as follows:
OMB also attempted to assess the extent of computerization. According to the 1975 annual report:
In identifying systems as required by subparagraph 3(e)(4)(A) of the annual notice requirement, agencies have by and large tried to be specific. In a few instances, the system notices are all-encompassing, a good example being the one on the FBI Central Records System (Justice/FBI-002),21 which says that the "system" includes records on:
individuals who relate in any manner to official FBI investigations . . .; applicants for and current and former personnel of the FBI and persons related thereto . . .; applicants for and appointees to sensitive positions in the U.S. Government and persons related thereto . . .; individuals who are the subject of unsolicited information, who offer unsolicited information . . .; individuals associated with administrative operations or services including pertinent functions, contractors and pertinent persons related thereto.22
Most-systems, however, are specifically identified, with the main difficulties lying in the other parts of the notice.
According to the OMB Guidelines, the subparagraph 3(e)(4)(B) requirement that an agency describe the categories of individuals on whom records are maintained is intended ". . . to enable an individual to determine if information on him might be in [the] system."23 Yet, an individual would often be hard pressed to figure out from a system notice whether the system is likely to contain a record on him. OMB's instruction that descriptions of categories of individuals should be "clearly stated in nontechnical terms understandable to individuals unfamiliar with data collection techniques" has apparently been difficult for the agencies to follow and, in other cases, an agency has given an individual less help than it could. The FBI Central Records System, for example, includes various indices that tell where information on an individual is located or list all individuals named in a particular subsystem, but its annual notice does not reveal the existence of such indices or how they may be used.
Specificity and nontechnical terminology are similarly called for in the OMB guidance on describing the categories of records maintained in a system (subparagraph 3(e)(4)(C) of the notice requirement), but the systems that best fulfill that objective are those for which information is collected on forms that can be described in the notice.
Most descriptions of routine uses (subparagraph 3(e)(4)(D)) are quite general, not only in describing the disclosures that are made but also in describing the users and purposes. As discussed in Chapter 2, moreover, the Act's routine-use requirements apply only to external disclosures of information so one often learns little from a system notice about an agency's all-important internal uses of the records the system contains. Some agencies, such as the Civil Service Commission, the Federal Home Loan Bank Board, and the Department of Interior voluntarily include internal uses in the routine-use section of their annual notices, but their practice is not typical.
The Federal Register format for publishing a system notice includes a place to cite the authority for maintaining the system, but the Act does not require an agency to cite it, and generally, the agencies have cited their enabling statutes that delineate their missions and powers but not their authority to maintain a particular system of records.
With respect to the required description of records maintenance policy and practice (subsection 3(e)(4)(E)), the majority of notices state that access is limited to "authorized personnel" who have a "specific, job-related purpose." Access controls are seldom described in any detail. For manual systems, physical security measures, such as locked file cabinets and guarded buildings, are usually described. For automated systems, the notice typically describes physical security arrangements and states that a code is required for access. Normally this part of the notices also tells how long the records are to be maintained. The responsible official (subparagraph 3(e)(4)(F)) is generally identi-fied quite adequately, and the description of categories of sources (subpara-graph 3(e)(4)(1)) usually give a general picture of how an agency goes about gathering information on an individual. Some systems, however, are exempt from the requirement to describe categories of sources. The procedures for getting access to a record and correcting or amending it (subparagraphs 3(e)(4)(G) and (H)) are considered below in the discussion of "agency rules."
From the agencies' point of view, the annual notice requirement has proved to be a useful management tool. In preparing its more than 2,200 annual notices, the Department of Defense (DOD) decided to discard approximately 15 percent of its forms for collecting information about individuals,24 and officials of the United States Postal Service (USPS) indicate that implementation of the Privacy Act is enabling them for the first time to "get a handle" on record-keeping practices in thousands of USPS field offtces.25 From the individual's point of view, however, it leaves much to be desired. Overall, it would appear that the greatest problem with the agencies' system notices is their vagueness and inaccessibility to the ordinary citizen. To help solve the latter problem, the Office of the Federal Register published a special five-volume compilation of system notices entitled, Privacy Act Issuances,26 but it is very difficult to use because the order in which notices are presented is without apparent logic.
PRIVACY ACT STATEMENTS
Subsection 3(e)(3) of the Act stipulates that an agency must:
. . . inform each individual whom it asks to supply information, on the form which it uses to collect information or on a separate form that can be retained by the individual-
(A) the authority (whether granted by statute or executive order of the President) which authorizes the solicitation of the infor-mation and whether disclosure of such information is manda-tory or voluntary;
(B) the principal purpose or purposes for which the information is intended to be used;
(C) the routine uses which may be made of the information, as published pursuant to [subparagraph (D) of subsection 3(e)(4)]; and
(D) the effects on him, if any, of not providing all or any part of the information . . . . (5 US. C. 552a(e)(3)]
There is much to be said for and against this so-called "Privacy Act Statement." On the one hand, it is the only one of the Act's public reporting requirements that specifically directs an agency to describe its internal uses of information about individuals. Because it is given to the individual at the time the agency has direct contact with him, and before he supplies any information, it helps to make the individual aware of his rights under the Act and partly compensates for his lack of familiarity with the system notices published in the Federal Register. On the other hand, anyone who has read the Privacy Act Statement on a Federal income tax return knows how little a statement that attempts to comply with the requirements of subsection 3(e)(3) can actually tell about agency record-keeping practices. For some agencies, moreover, subsection 3(e)(3) appears to be unduly burdensome. When a Federal employee has to sign daily or even weekly for the electronic office equipment he uses, for example, it seems burdensome and wasteful to make the agency give him a statement each time, explaining the authority for obtaining his signature, the principal purpose for which the information is intended to be used, its routine uses, and the effects on him of not providing it.
Several agencies have tackled such difficulties in imaginative ways. In some offices where a form requesting individually identifiable information must be completed as a matter of routine business, the Department of Defense puts the information required to be provided in the Privacy Act Statement on a conspicuously hung poster, which also advises that an individual copy of the statement can be had for the asking. Similarly, when an individual makes his initial visit to a DOD medical facility, the Department gives him a copy of the Privacy Act Statement that covers 222 medical forms the facilities use, and, in addition, places a copy of the Statement in his file. If the individual wants more copies, he need only ask for them.27 These methods of keeping the Privacy Act Statement requirement from being unduly burdensome or wasteful seem reasonable so long as the individual's attention is drawn to the Statement as frequently as the character of his relationship with the data-gathering agency and the spirit of the Act appear to warrant.
NEW SYSTEM REPORTS
Subsection 3(o) of the Privacy Act requires each agency to:
. . . provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the Constitutional principles of federalism and separation of powers. [5 U.S. C. 552a(o)]
The objective of this requirement is to facilitate anticipatory oversight of agency record-keeping practice.28 The Senate draft of the Privacy Act included a "Privacy Protection Commission" with authority to determine whether a proposed record-keeping system, or system change, would meet the privacy protection standards called for in the Senate bill. In the subsequent legislative compromise, this oversight function was assigned to the Congress and the Office of Management and Budget, both of which now receive the agencies' new system reports.
Compared to the annual system notices, the documents justifying and explaining a new system are supposed to be much more detailed and informative. The OMB Guidelines require that a new system report describe:
(a) the purpose(s) of the system of records;
(b) the authority for maintaining the system of records;
(c) the probable or potential effect of the system upon "privacy and other personal or property rights of individuals" and its effect upon "the preservation of the constitutional principles of federalism and separation of powers;" and
(d) the steps taken by the agency to minimize the risk of unauthorized access to the system of records and a discussion of higher or lower risk alternatives which were considered.29
In addition, an agency must file such a report, not only when it proposes to establish a new system of records, but also whenever it proposes to make any change in an existing system of records which:
(1) increases or changes the number or types of individuals on whom records are maintained . . . [The standard to be applied is that any change which] significantly alters the
character and purpose of the system of records [shall require a new system report] . . .;
(2) expands the type or categories of information maintained
(3) alters the manner in which the records are organized or the manner in which the records are indexed or retrieved so as to change the nature or scope of those records . . .;
(4) alters the purpose for which the information is used . . .; and
(5) changes the equipment configuration (i.e., hardware and/or software) on which the system is operated so as to create the potential for either greater or easier access . . . .30
Each new system report must be accompanied by an advance copy of the
new or revised annual system notice; an advance copy of any new Privacy Act
regulations or changes to published regulations that pertain to the system; and
an advance copy of any proposed regulations setting forth the reasons why the
system is to be exempted from any of the Privacy Act's requirements.31 It must be filed
60 days before an issuance of data collection forms and/or instructions, or 60 days before any public issuance of a Request for Proposal or Invitation to Bid for computer and/or communications systems or services intended to support the system of records.32
All new system reports must be transmitted in duplicate to the President of the Senate, who forwards them to the Senate Committee on Governmental Affairs; to the Speaker of the House, who forwards them to the House Subcommittee on Government Information and Individual Rights; to the Office of Management and Budget; and (during its lifetime) to the Privacy Protection Study Commission. OMB procedures allow for the 60-day advance notice requirement to be waived, and in 1976 it received requests for waivers from 12 agencies with respect to 467 systems. Of these, 439 were approved; two were denied; and 26 were withdrawn or not acted upon.33
The Senate Committee on Governmental Affairs has assigned the task of analyzing the reports to a staff member who contacts the agency in question or the OMB office responsible for evaluating the reports, if any procedures or practices described in one of them seem to be in conflict with either the letter or the spirit of the Act. The House Subcommittee procedure is identical. A staff member reads the incoming report and, if anything appears untoward, contacts OMB. On one occasion, the Congressional Office of Technology Assessment (OTA) has also been formally contacted for evaluation of a new system proposal.
At OMB the reports are all logged by the Information Systems Division, which arranges for an announcement to be published in the Federal Register that a new system report has been received. These announcements are not required by the Act and thus far, few of them have elicited any public comment. The Information Systems Division reviews each report for compliance with the Act and concurrently sends one copy to an OMB budget examiner who reviews it for consistency with established budget guidelines. This last step is most useful when the proposal involves a major system of records, such as the Veterans Administration's new TARGET system or the Internal Revenue Service's Tax Administration System (TAS). Otherwise, the budgetary impact tends to be below the examiner's threshold of significant concern.
In 1976, 25 agencies submitted 75 new system reports covering 808 systems.34 To increase visibility OMB published a bi-weekly summary of them in the Federal Register.35
The principal problem with the new system reports has been the lack of staff to evaluate them and the ambiguity of many of the statutorily prescribed evaluation criteria. Nonetheless, OMB officials believe that the new system reports requirement has had a significant and beneficial effect, while others contend that it has discouraged the establishment of some questionable systems. The FBI, for example, has apparently abandoned its plan to establish a system on known or alleged terrorists,36 and the Department of the Navy has scaled down an extensive attitudinal study of personnel being assigned overseas .37
THE PRESIDENT'S ANNUAL REPORT
Subsection 3(p) of the Act requires the President to:
. . . submit to the Speaker of the House and the President Of the Senate by June 30 of each calendar year, a consolidated report, separately listing for each Federal agency the number of records contained in any systems of records which were exempted from the application of [the Act] under the provisions of subsections Ú) and (k) of [the Act] during the preceding calendar year, and the reasons for the exemptions, and such other information as indicates efforts to administer [the Act] fully . . . . [5 U.S.C 552a(p)]
To fulfill this requirement OMB sends out a memorandum containing questions that each agency uses to construct a report to OMB. For the 1975 and 1976 annual reports, OMB has asked each agency to describe the steps it has taken to implement the Act; to list the systems it has exempted from the Act's requirements as provided in subsections 3(j) and 3(k); to provide data on items such as the number of individuals who have asked for access to records the agency keeps on them; and to evaluate its performance in implementing the Act. For example, agencies have been asked to specify the criteria they have used in deciding whether to take advantage of the Act's exemption opportunities; to assess the extent to which the public has paid attention to their rule-making and annual system notices, as well as the extent to which they have responded to that attention; and to evaluate the Act's effect on their information collection and disclosure practices. OMB has also encouraged the agencies to suggest alternative approaches to meeting the Act's objectives.
The agencies' responses to OMB's queries promise to become successively more useful. In preparing the 1975 annual report, OMB asked the agencies to assess whether the Act had reduced the amount of information they collect and maintain on individuals, but most had not anticipated the question and thus could not answer it. They had not, for example, kept track of how many records they had destroyed prior to the Act's effective date. In the beginning, agency reports were also difficult to compare because each agency was allowed, and exercised, considerable discretion as to how much detail it would supply OMB. In its 1976 instructions, however, OMB tightened the inquiry in ways that made it more difficult for the agencies to avoid supplying details and further improve-ments in the 1977 instructions are contemplated.
GUIDANCE ON IMPLEMENTATION
The Senate draft of the bill that became the Privacy Act of 1974 provided for a Privacy Protection Commission with power to interpret the Act and to enforce compliance. This was strongly opposed by the Executive branch, and by the House, both of which favored making each agency fully responsible for its own implementation of the Act. In the end, it was agreed that each agency would be responsible for its own implementation, but that the Office of Management and Budget would have a limited guidance and oversight role. Thus, Section 6 of the Privacy Act directs OMB to:
(1) develop guidelines and regulations for the use of agencies in implementing the provisions of [the Privacy Act]; and
(2) provide continuing assistance to and oversight of the imple-mentation of the provisions of the Act by agencies.
As a first step in fulfilling this mandate, OMB, on July 1, 1975, issued Circular A-108, "Responsibilities for the Maintenance of Records About Individuals by Federal Agencies" [40 F.R. 289481. A-108 directed all Executive branch agencies to establish specified procedures in accordance with the Act and the Guidelines that were attached to it, and delegated the responsibility for issuing additional guidance or directives on specific aspects of Privacy Act implementation to four agencies. The four agencies and their respective responsibilities were:
OMB itself established a temporary interagency task force to review agencies' Privacy Act regulations and revised its Federal Reports Act procedures for reviewing forms used to collect information from members of the public.38 On October 3, 1975, OMB issued Transmittal Memorandum No. 1 [40 F.R. 258771, which established the rules for preparing and submitting new system reports; and on December 4, 1975, it issued further "Supplementary Guidance" [40 F.R. 46741], amending and clarifying the Guidelines it had published the previous July. On March 25, 1976, OMB issued Transmittal Memorandum No. 2, instructing agencies how to submit material for use in the President's first annual report to the Congress on Privacy Act implementation. Finally, on May 17, 1976, OMB issued Transmittal Memorandum No. 3 that provided further guidance on preparing new systems reports.
The four agencies to which OMB delegated guidance responsibilities also issued a number of implementation documents over roughly the same period. The General Services Administration issued its Federal Register publication guidelines on June 19, 1975. [40 F.R. 25988] This document outlines a model regulation and prescribes a special encoding system for printing in the Federal Register.
On September 26, 1975, GSA published Federal Procurement Regulations Amendment 155 [40 F.R. 44502], establishing procedures for complying with subsection 3(m) of the Act regarding government contrac tors. This was followed by Temporary Federal Property Management Regulation E-42 [40 F.R. 48733], published on October 7, 1975. This temporary guidance contained an "ADP and Telecommunications Requirements Checklist" for use in all automated data processing (ADP) and telecommunications equipment and service procurement proposals. Its expiration date, March 1, 1978 at this writing, has been extended three times.
On October 24, 1975, GSA published Temporary Federal Property Management Regulation E-43 [40 F.R. 49936], which establishes privacy protection and data security rules for automated data-processing and telecommunications systems. These include requirements applicable to interagency services, and specify the responsibilities of user agencies, provider agencies, and contractors. Temporary Regulation E-43 became a final regulation on April 7, 1976, when it was published as Federal Property Management Regulation Amendment E-184, "Government-Wide Automat-ic Data Management Services." [41 F.R. 14732] GSA has since published Federal Property Management Regulation Amendment F-26, a technical cross-referencing amendment [41 F.R. 22938 (June 8, 1976)], and Federal Property Management Regulation Amendment E-197. The latter, published on November 4, 1976 [41 F.R. 48519], contains a model contract clause allowing government agency access to contractor facilities and records for the purpose of conducting privacy safeguard inspections.
OMB delegated responsibility for personnel training and for revising the Federal Personnel Manual to the Civil Service Commission (CSC). On September 30, 1975, the Commission published two sets of amendments to Title 5 of the Code of Federal Regulations setting forth basic policy on the maintenance of personnel records. [40 FR. 45094] On December 4, 1975, the CSC published a further amendment to Title 5 establishing procedures for determining when a source in a government background investigation may be promised confidentiality. [40 F.R. 56651] On December 30, 1976, it published Federal Personnel Manual (FPM) Letter 711-126 explaining the circumstances in which information about an individual can be released to labor unions.39
The National Bureau of Standards (NBS) was given responsibility for guidelines on computer and data security. On May 30, 1975, it published Federal Information Processing Standards (FIPS) Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974."40 This was followed in October 1975 by an Index of Automated System Design Requirements.41
Finally, OMB Circular A-108 delegated, to the White House Office of Telecommunications Policy (OTP), responsibility for revising Federal agency data-communications policy to the extent necessary to bring it into compliance with the Privacy Act. OTP began soliciting comments on its draft circular at the end of December 1976, but it is not clear when the circular will be published in final form. The draft covers topics such as operational control of communications networks, the interconnection of telecommunications networks, dedicated data-communications networks, and communications security devices.
The chronology of all these documents is worth noting as it highlights the fact that much of the formal guidance to the agencies was not published until after the Privacy Act was already in force. The Act established September 27, 1975, as the date on which the agencies were supposed to have published their system notices and Privacy Act regulations, and to have their internal operating procedures and training programs in place. As of September 27, however, most of the guidance documents were still not available, largely because the agencies responsible for preparing them were still working on them. Moreover, neither OMB nor any of the other agencies with guidance responsibilities have subsequently played an aggressive role in making sure that the agencies are equipped to comply with the Act and are, in fact, doing so. OMB continues to comment on agency regulations promulgated under subsection 3(f) of the Act and watches the Federal Register for agency initiatives whose privacy implications have not been recognized. On March 7, 1977, the new OMB Director issued a memoran-dum to all agencies calling for "particular emphasis on eliminating or curtailing systems containing personal information."42 Yet, much of the early momentum appears to have been lost. Most important, there seems to be more variation in agency practice under the Act than is necessary, and certainly more than is desirable if a prime object of the Act is to make it easy for individuals to have a say in how agencies collect, use, and disseminate records about them.
Subsection 3(f) of the Privacy Act requires an agency to promulgate regulations43 that:
(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;
(2) define reasonable times, places, and requirements for identify-ing an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;
(3) establish procedures for the disclosure to an individual upon
his request of his record or information pertaining to him, including [a] special procedure, if deemed necessary for the disclosure to an individual of medical records, including psychological records, pertaining to him;
(4) establish procedures for reviewing a request from an individu-al concerning the amendment of any record or information pertaining to the individual, for making a determination on
the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and
(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of his record. [5 U.S. C 552a(f)]
Although the Office of the Federal Register developed a model format for the agencies to use in preparing their Privacy Act rules for publication [40 F.R. 25988 (June 19, 1975)], there is great variety in the way the rules have been published, and some formats are so complex that the average individual could have great difficulty understanding (and in some instances, locating) the correct procedure to follow. The rules promulgated by the Department of the Air Force in 1975, for example, were in eight parts and 58 sections [32 CF.R 806.b], and many sections had to be consulted to understand fully how to exercise the individual's access and correction rights. Similarly, the Treasury Department's rules for 1976 [31 CF.R 1.20-1.36] are in 17 sections and 12 appendices (with different procedures for 12 different components of the Department), totalling 29 pages of material.
The procedures the rules establish also vary greatly. For example, all agencies have established procedures for verifying the identity of the individual requesting a record, but while some require nothing more than a signature, others require extensive personal identification. OMB itself is one of the latter. Its regulations provide as follows:
(a) current or former employees: verification by visual observation or alternatively, some employment related documenta tion such as employee I.D. card, driver license, or "employee copy" of any official personnel document;
(b) other than (a) above: two forms of identification and whatever else may be required by a specific system notice; (c) by mail: by comparison of signature on a notarized statement of identity;
(d) if no documentation available: notarized statement of identity and knowledge of penalties for lying and (as needed) notarized statement from other individual attesting to reque-stor's identity;
(e) parent or guardian: legal documents providing guardianship and suitable personal I.D. [5 CF. R. 1302.2]
Then, too, some agencies require more or less personal identification depending on the character of the record to which the individual seeks access. For example, the Tennessee Valley Authority minimally requires an identification card and comparison of signatures, but more stringent verification (such as in-person confirmation of identity) when the record sought is "sensitive." [18 CF.R. 301.14]
Most agency rules require that a request for a record identify the system of records in which the record is thought to reside. This is permitted by subsection 3(f)(1) of the Act [5 U.S.C 552a(f)(1)], and is consistent with the Congress' desire to avoid an undue administrative burden on the agencies. However, asking the individual to identify the system of records can place a substantial burden on him. Few Americans have ever heard of the Federal Register and even fewer are likely to know how to find a system notice in it.
By and large the agencies have tried to help the individual either by giving him a copy of the agency's annual notices and asking him to identify likely systems, or by directing him to someone in the agency whose job is to help him, or both. Some agencies have even tried to dispense with the system identification requirement altogether. OMB, for example, does not require specific reference to a system notice and makes copies of its notices available to anyone who addresses his request to the Office of the Assistant Director for Administration. [5 C.F.R 1302.1(a)] Similarly, the Department of the Interior's rules do not mention any need to identify the system, although they clearly presuppose a knowledge of the Department's annual notices. [43 C.F.R. 2] All agencies' rules provide for access to a record about an individual by his parent or guardian, and, with the individual's written authorization, by someone who accompanies him at the time he exercises his access right. Many agencies also have special procedures for giving an individual access to medical records pertaining to him, although some, such as the Depart-ment of Housing and Urban Development [24 CF R. 16] and the Defense Intelligence Agency [32 C.F. R. 292a], do not. The Federal Trade Commis-sion provides for access to a medical record through a physician designated by the individual, presumably leaving it to the physician to decide whether the individual should be allowed to see and copy the record [16 C.F.R. 4.13(f)], but the Department of Health, Education, and Welfare (DHEW) provides for direct access by the individual in many instances. [45 C.F.R. 56.6]
The DHEW rules affirm the individual's right of access to his medical records and when he requests access to them he is asked to designate a responsible representative to receive them if the Department believes that giving him direct access may be upsetting or otherwise harmful to him. The responsible representative need not be a physician or other health professional. A minor's medical record will be disclosed to a physician or other health professional (neither of whom may be a family member) provided that the physician or other health professional is informed, where appropriate, that further disclosure may constitute an unwarranted invasion of the minor's personal privacy. [45 C.F.R. 56.6]
Although most agencies' rules require that an individual's request for access to a record about himself be made in writing, the request can usually be submitted either in person or by mail, whichever the individual prefers. The big differences are in the agencies' procedures for acknowledging an individual's request. The Act is silent on the question but the OMB Guidelines say that an agency should acknowledge a request for access within ten days of receiving it.44 Department of Agriculture rules call for an acknowledgement indicating whether access will be granted-and if so, when and where-within 10 working days. [7 C.F.R. 1.114(a)] Department of Commerce rules also provide for a ten-day response and, in addition, specify the official to contact if a request is not acknowledged within ten days. [15 C.F.R 46.3(f) and 46.5(a)] In contrast, Interior Department rules [43 CF.R 2.64] provide only for "prompt" acknowledgement, while the rules of the Justice Department [28 C.F.R 16] and of the Defense Intelligence Agency [32 C F.R. 29a] do not mention response time.
There is also a time limit problem which arises from the fact that the Privacy Act does not specify how quickly an agency must comply with an individual's access request. The OMB Guidelines suggest that, where possible, the acknowledgement of a request should indicate whether access will be granted, and if it is to be granted, that it should be granted within 30 days thereafter (excluding Saturdays, Sundays, and legal public holidays), unless the agency, for good cause shown, is unable to comply within that timeframe, in which case the individual should be informed in writing within 30 days of the reasons for the delay and the date on which access can be anticipated.45 This suggested procedure closely parallels the one the Freedom of Information Act specifically requires when an agency receives an FOIA request for a record. [5 U.S.C. 552a(d)(2)]
In their 1975 annual reports, most agencies indicated that they were having no problem complying with the 30-day rule, but some, such as the FBI and the CIA, were experiencing long delays due to the number of requests they were receiving and the complexity of some of their records.46 The Drug Enforcement Administration also reported difficulties in connec-tion with about 20 percent of its records,47 and the Energy Research and Development Administration described two cases, each of which took approximately 32 days to process, and which eventually resulted in a denial of at least part of the request.48
The appeals procedures present still another problem. If an agency denies an individual's request for access to a record, the Act allows him, without further ado, to seek a Federal court order directing the agency to disclose the record to him. In such cases, it is up to the court to decide whether the record has been properly withheld pursuant to one of the Act's exemptions from the individual access requirement. Some agencies, how-ever, have established an administrative appeals procedure, along the lines of the one called for in the Freedom of Information Act. These procedures raise a serious question as to whether an individual whose access request is denied may proceed directly to court without first exhausting the remedies they afford him.
The situation with respect to denials of requests to correct or amend records presents a different kind of problem. There, the Act explicitly calls for a denial to be reviewed and reaffirmed within the agency before the individual can go to court. The review process is supposed to be completed within 30 days, but the head of the agency, for good cause shown, can extend it for another 30 days. [5 U.S.C. 552a(d)(3)] Moreover, some agencies have included a time limit in their rules, within which an individual may appeal a correction or amendment refusal. Those range from 20 days at the Department of the Interior [43 C.F.R. 274] to 90 days at the Postal Service [39 CF. R. 266.7(b)(4)(c)].
There is also a small problem in the handling of the "statement of disagreement." Subsection 3(d)(3) of the Act allows an individual to file a concise statement detailing his side of an unresolved dispute with an agency over the content of a record about himself. At least one agency (the Tennessee Valley Authority) has interpreted "concise" to mean no more than 100 words [18 CF.R. 301.19(f)]. This is often too short, as the vast majority of agencies have realized.
ADMINISTRATION, TRAINING, AND COMPLIANCE MONITORING
Subsection 3(e)(9) of the Privacy Act requires each agency to:
establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Act], including any other rules and procedures adopted pursuant to [the Act] and the penalties for noncompliance. [5 U.S.C. 552a(e)(9)]
Otherwise, however, each agency is left free to devise its own arrangements for assuring compliance with the Act's requirements and with its own Privacy Act regulations. A brief look at the experience of a few agencies will show the wide differences this approach has produced.
THE DEPARTMENT OF DEFENSE (DOD)
The Department of Defense took a highly structured approach to implementing the Privacy Act. It established the Defense Privacy Board, composed of representatives of each major component of the Department, with a full-time staff and a mandate to develop a comprehensive implemen-tation program. Federal Register notices were published on 2,145 record-keeping systems and Privacy Act Statements were added to 15,290 forms.49 Of the approximately 371,000 forms the Board reviewed, 58,560 were withdrawn on the grounds that they were incompatible with the spirit of the Act.50 The Department's rules for implementing the Act were published as DOD Directive 5400.11. [32 C.F.R. 286a]
A three-level, department-wide training program was also established. Level I was aimed at commanders, managers, and supervisors, and included a 22-minute film and additional briefing material on the Act's main features. Copies of the film were distributed to U.S. military installations around the world, and also made available to other Federal agencies for use in their training programs. Level II was aimed at the thousands of employees who handle records about individuals on a day-to-day basis. It has relied on special courses in the Department's various technical training schools, as well as on continuous on-the-job training. For example, beginning in early 1976, the Department of Defense Computer Institute offered a three-day course on the Privacy Act as it relates to automated data processing. At least one person from every DOD computer installation was required to attend (approximately 2,500 persons in 1976), and they, in turn, trained others at their home installations. Level III training has consisted of distributing films, posters, and memoranda throughout the Department, designed to make DOD personnel aware of what the Privacy Act means to them as individual citizens rather than as agency employees obligated to comply with its requirements.51
The Defense Privacy Board's Legal Committee has first-line responsi-bility for advising the Board on how to interpret the Act. Committee opinions are reviewed by the Board and ratified by the Department's General Counsel before being published or distributed to DOD compo-nents. Compliance monitoring is the responsibility of the inspector general of each major DOD component and has been made a part of the normal inspection and audit program. By and large, DOD contractor compliance is not monitored, although the central CHAMPUS52 office in Denver, Colorado has been made responsible for keeping contractors informed as to the proper treatment of medical records under the Act.
UNITED STATES POSTAL SERVICE (USPS)
The United States Postal Service has treated the Privacy Act as a records management tool and has given overall responsibility for imple-menting it to the USPS Records Officer who is also responsible for the Service's implementation of the Freedom of Information Act and other records management functions. The Records Officer, within each region is responsible for oversight of Privacy Act compliance within his area and is, in turn, functionally responsible to the USPS Records Officer.
Continuing direction and guidance to lower echelon and field units is provided through bi-weekly Postal Bulletins dispatched from USPS headq-uarters. Additionally, instructional memoranda are dispatched on an irregular basis to specific components of the Service (e.g., employee and labor relations offices, regional USPS counsels, and Inspection Service field offices), giving guidance on particular subjects. To aid the headquarters and regional offices, circulars and instructions are routinely disseminated concerning USPS forms and development of new systems.
Much like DOD, the USPS has its own law enforcement arm, the Postal Inspection Service (PIS). Stated broadly, the mission of the PIS includes the protection of the United States mail, the enforcement of postal laws, plant and personnel security, postal inspection, and internal audits. To assure compliance with postal regulations, the PIS conducts operating inspections and audits for the Postal Service. At the present time, an audit program is being planned for all USPS records systems which will include Privacy Act procedures as a major element. Inspectors will inquire into the manner and degree to which the operating location is complying with the Act. Physical security of records systems will also be included as a part of the audit, as will review of disclosure accounting logs maintained at those levels. The PIS, in cooperation with the USPS Records Officer, investigates alleged violations of the Act.
Although USPS includes a standard clause in its contracts which obligates a contractor subject to subsection 3(m) to comply with the Act's requirements as an agent of the Federal government, there is currently no attempt to monitor contractor compliance.
DEPARTMENT OF HEALTH, EDUCATION, AND WELFARE (DHEW)
DHEW's compliance with the Privacy Act is coordinated through the Fair Information Practice (FIP) Staff of the Office of the Assistant Secretary for Management and Budget. The DREW Fair Information Practice staff is unique among Federal agency Privacy Act units in that it traces its organizational ancestry to the staff of the Secretary's Advisory Committee on Automated Personal Data Systems, whose report, Records, Computers, and the Rights of Citizens,53 influenced the drafting of the Privacy Act of 1974. (It is also unusual for having staffing and coordinating functions with respect to other privacy protection statutes and regulations, such as the Family Educational Rights and Privacy Act of 1974, the so-called Buckley-Pell Amendments.) The FIP staff, one member of which serves as the Department's Privacy Coordinator, is responsible for all DHEW Federal Register publications concerning record-keeping systems and practices subject to the Privacy Act, and it reviews all DHEW proposals to establish new systems of records.
In addition, each major component of the Department has its own Privacy Act Coordinator, and each component is free to publish supplemental directives which, when appropriate, are reviewed by the Fair Information Practice Staff for compatibility with Departmental directives. Privacy Act coordinators serve on the Department's Legal Policy Working Group, which is jointly chaired by the Fair Information Practice Staff and the Office of the General Counsel. The Working Group meets periodically to examine legal and policy questions raised by the Privacy Act and otherwise to assist in coordinating the Department's implementation of the statute.
The Department's administrative procedures manual has been amended to include separate chapters on information practices under the Privacy Act and to establish guidelines for compliance. There is also an ongoing computer security program within the Department and a Departmental team has been conducting a year-long inspection of DHEW computer facilities aimed at establishing and maintaining the degree of data security the Act requires. Each component, however, is responsible for regular audits of its own operations.
CIVIL SERVICE COMMISSION (CSC)
The Civil Service Commission has chosen a decentralized approach to administering the Privacy Act. While the CSC retains final authority over denials of requests for access to, and amendment of, records, responsibility for day-to-day oversight has been successively delegated down to the system-manager level. One-day seminars on the Act have been held for CSC bureau and regional directors and system managers throughout the country, and a manual has been prepared on satisfying the Act's requirements within the CSC. Each CSC employee has also received a letter outlining the Act's scope and effect.
DEPARTMENT OF LABOR (DOL)
At the Department of Labor, the task of supervising Privacy Act implementation and compliance has been assigned to the Office of the Solicitor (General Counsel). Each subunit within the department has its own procedures manual with chapters on the Freedom of Information Act, as well as the Privacy Act. The Department's personnel records manual also includes detailed compliance guidelines. The Solicitor's Office has set up a coordinating committee in which all management units are represented and which meets approximately once a month. The Solicitor's Office also conducts seminars around the country for DOL personnel who specialize in responding to Freedom of Information and Privacy Act requests for access to records.
DEPARTMENT OF AGRICULTURE (DOA)
For implementing the Privacy Act and monitoring compliance with it, the Department of Agriculture has been divided into 29 semi-autonomous groups, each of which has its own Privacy Act coordinator and bears the principal responsibility for its own activities. The Farmers Home Adminis-tration, for example, issues directives to its subunits on implementation and compliance and runs a modest instructional program for personnel in its various State and local offices. Similarly, the Agriculture Stabilization and Conservation Service (ASCS) issues its own implementing and instructional directives. Each ASCS State office has an official who is responsible for the administration of the Act within its jursidiction, including compliance monitoring. The ASCS periodically reviews the activities of some State and field offices to monitor compliance with the provisions of the Act.
INTERNAL REVENUE SERVICE (IRS)
The Treasury Department's approach to administering the Privacy Act is the most decentralized of all those examined by the Commission. Each of the Department's eleven bureaus is directly responsible for its own implementation and compliance, with little or no supervision by anyone at the Department level. However, the Internal Revenue Service, a major Treasury bureau, has developed a highly structured administrative program. "Disclosure officers" in the 65 regional and district offices bear the main responsibility for day-to-day administration of the Act. Before the Act took effect, each region sent one or two representatives to IRS headquarters for two days of training in Privacy Act procedures. The regional representatives then gave similar training in their districts. All IRS employees who were not expected to be directly involved in administering the Act were briefed through a program of tape/slide presentations. In addition, all disclosure officers received two weeks of intensive training.54 The Service estimates that 35,000 man-hours were invested in implementation training even before the Act took effect.55
A compliance handbook has been prepared and disseminated throughout the Service. Compliance by IRS field units is audited by the Office of the Assistant Commissioner/Inspection, whose audits include an inspection of the accounting each unit keeps of its disclosures of information about individuals.
THE AGENCY EXPERIENCE IN GENERAL
The 97 Federal agencies that maintain systems of records subject to the Privacy Act of 1974 have all taken different approaches to administra-tion, training, and compliance monitoring. No one approach by itself appears to have hindered good-faith efforts to comply. On the other hand, agencies or components of agencies that have carefully structured programs for administering the Act appear to be the ones in which the Act's objectives are being best achieved. The DOD and the IRS are good examples. Both are accustomed to dealing with sensitive information and with issues relating to its proper collection, maintenance, use, and dissemination. Information policy and information management are concepts with which they have had a great deal of practical experience, and this is reflected in their respective approaches to meeting the obligations the Privacy Act imposes on them.
In most of the other agencies, training and compliance monitoring have been weak. Nearly all agencies have revised their internal guidance manuals so that personnel responsible for records about individuals can find out what is required of them. Several agencies also have added a check for Privacy Act compliance to their existing audit and inspection procedures and others plan to do so in the future. None, however, appears to be checking on its contractors' compliance with the Act and most have relied on others to train their employees.
The Office of Management and Budget and the Civil Service Commission have established a program of one-day seminars for top agency management personnel in 11 major cities. The Civil Service Commission has also run a program of two-day workshops, followed by a one-day follow-up session, in which Privacy Act requirements have been examined in some detail. The CSC has made material available to all agencies for use in structuring their own training courses. The previously mentioned Depart-ment of Defense training program has also accepted trainees from other agencies. In nine regions, the National Archives and Record Service has conducted a one-day course for specialists in records management, and some agencies have sent their employees to seminars held by the District of Columbia Bar Association, the Federal Bar Association, and the American Civil Liberties Union. The Energy Research and Development Administration hired an outside firm, Auerbach Associates, to train its employees.56 Beyond these piecemeal efforts, however, agency employees have by and large been left to their own devices.
Except for the two subsections of the Privacy Act that authorize criminal sanctions against Federal employees (for failing to publish an annual system notice or for knowingly and willfully making an unauthorized disclosure of a record about an individual), action by the individuals on whom agencies maintain records is the primary means of making sure that the Act has its intended effect on agency record-keeping practices. The Act gives the individual five instruments for encouraging agency compliance: (1) a right of access to a record an agency maintains about him; (2) a right to seek correction or amendment of such a record; (3) a right to review the accounting an agency must keep of the external disclosures it makes of a record about him; (4) a right to comment on an agency's proposed procedures for implementing the Act; and (5) a right to sue an agency under specified circumstances if he believes it has failed to comply with the Act or with its own rules for implementing it.
As explained earlier, unless a record has been exempted from the individual access requirement under subsections 3(j) or 3(k), subsection 3(d)(1) of the Act gives an individual the right to see and copy it. Equally important, subsection 3(d)(2) gives an individual the right to request correction or amendment of a record pertaining to himself; and, if the agency refuses, to request a review and possible reversal of its refusal, initially by the head of the agency (as provided in subsection 3(d)(3)), and ultimately by a Federal court (as provided in subsection 3(g)(1)(A)). Moreover, if the agency head refuses to make the requested change, the individual is entitled to file a concise statement of his side of the dispute which the agency must forward to certain past and all future recipients of the disputed information.
There are no reliable data on the number of requests individuals have made for records about themselves since the Privacy Act took effect. Nor are there reliable data on the types of records individuals have asked to see and copy. Apart from the requests made to agencies like the Federal Bureau of Investigation and the Central Intelligence Agency, most requests seem to have come from agency employees. For example, the Department of Defense has reported that in 1976, 90 to 95 percent of its requests came from current or former DOD employees.57 Similarly, the Civil Service Commis-sion, Bureau of Personnel Investigations, reports that as of August 27, 1977, it had received 2,856 requests from individuals seeking access to files resulting from investigations of their suitability for employment by the Federal government or its contractors.58 The U.S. Information Agency (USIA) noticed a significant increase in the number of employee requests for access to personnel and security files following the training sessions it conducted on Privacy Act compliance.59 Nonetheless, given the number of records agencies maintain about individuals (3.85 billion as of December 31, 1976), it would appear that overall there have been very few access requests.
Leaving aside the Department of Defense which counted 116,505 requests in 1975 (56,281 of them from current employees),60 all the agencies combined reported approximately 15,855 requests during the first three months after the Act took effect 61 The actual figure was probably somewhat higher. Some unknown number of requests, by Federal employees, were not counted because they were made under agency access procedures that antedated the Privacy Act, while other would-be Privacy Act requests, by members of the public, were counted as Freedom of Information Act requests. The FBI estimates that close to 90 percent of the Freedom of Information Act requests it receives are requests by individuals trying to find out if the agency maintains a record on them.62 Overall, however, the number has not been great and also appears to be declining. In the summer of 1976, the FBI and the CIA both had a large backlog of Privacy Act and Freedom of Information Act requests, resulting in processing delays of up to nine months at the FBI.63 By the fall of 1976, however, both agencies reported that the number of new requests was decreasing, with the CIA's requests dropping about 90 percent.64 The President's 1976 annual report on the Privacy Act singled out the Justice Department as the only agency reporting a significant number of access requests-35,723 in all.65
Requests to correct or amend records and to file statements of disagreement have also been infrequent as have requests to review the agencies' accountings of disclosures of records about individuals. In 1976, DHEW reported receiving 19,202 requests for amendment of personnel records, of which only 79 were denied.66 The Department of Defense received 11,043 and fully granted 10,899, partially granted 50, and denied 94.67 The number of reported appeals of access and amendment denials was 1,852 (1,556 of them at the Justice Department which includes Freedom of Information Act appeals in its count).68
In general, there has been less use of the Act and less evidence of public interest in it than was predicted at the time the legislation was enacted. In addition to an unexpectedly small number of access and correction requests, the agencies, in their 1975 annual reports, said that they had received only 30 sets of comments on their publications in the Federal Register, four of them from other government agencies and one from an employee union .69 In the President's 1976 annual report, only five agencies were said to have received comments from the public on their rules and system notices.70
In part, this less than expected utilization of the Act can be attributed to the difficulty of finding out how to use the Federal Register, and of wending one's way through the maze of agency Privacy Act procedures. The Department of Defense appears to have received an unusually large number of access requests because of the number of records it maintains on civilian and military employees, both past and present, and because of its extensive training program. However, there is also reason to believe that use of the access right, in particular, can be strongly affected by how much confidence the public has in an agency's record-keeping operations. The comparatively large number of requests to the FBI and the CIA would certainly seem to bear that out.
There is also some evidence that the Act has served to strengthen preexisting access and correction rights. For example, the Coast Guard claims that while it has long had procedures for giving its employees access to their personnel records, the Privacy Act has made it easier for them to get their personnel records corrected.71 Individuals today also seem to find it much easier to gain access to the medical records and employment-related investigatory files that agencies maintain on them. The effect of the changes on agency practices governing the collection, use, and disclosure of records about individuals is the subject of Chapter 2, below. The Commission's general conclusion is that their impact has been much less than was originally anticipated, but, on the other hand, there is evidence that they could be an effective force for change in agency practice if the Act were clarified and strengthened.
As to the Act's civil remedies, the district courts of the United States have jurisdiction over all actions brought to enforce the Privacy Act's requirements. Civil actions by individuals are provided for in subsection 3(g). Stated briefly, an individual has a cause of action whenever an agency makes a determination not to correct or amend a record (subsection 3(g)(1)(A)); refuses him access to a record (subsection 3(g)(1)(B)); fails to maintain a record properly (subsection 3(g)(1)(C)); or fails to comply with any, other provision of the Act (subsection 3(g)(1)(D)). In suits to correct or amend or to obtain access to a record, the court is directed to determine the matter de novo and, if the complainant substantially prevails, the court may direct the government to pay his attorneys fees and other reasonable litigation fees incurred.
In cases brought under subsections 3(g)(1)(C) and 3(g)(1)(D), the court is also empowered to grant attorneys fees and litigation costs. Furthermore, upon a showing that the agency's actions were (1) intentional or willful, and (2) resulted in demonstrable injury to him, the complainant is entitled to a monetary judgment in an amount equal to his actual damages or $1,000, whichever is greater.
As is characteristic of a new statute, case law under the Privacy Act has been slow to develop. In a memorandum dated November 12, 1976, the Information and Privacy Section of the Department of Justice reported a nationwide caseload of approximately 70 ongoing court actions. Over 20 of these involved requests for records and most were being treated as Freedom of Information Act rather than Privacy Act requests. Another group of about 20 was made up of actions under subsection 3(g)(1)(A)-to force an agency to amend some portion of an individual's record. One recent case has been won on the merits by the government, the trial judge holding that the plaintiff had failed to carry his burden of proof. Some 15 individuals have sought injunctions against the disclosure of information by an agency and about a dozen have sought damages under subsections 3(g)(1)(C) or 3(g)(1)(D).72 No case seeking damages has yet been decided against the government, although one has recently been settled out of court.73
One case that bears mention involves a class action suit in the United States District Court of Northern California brought by the American Civil Liberties Union (ACLU) on behalf of a number of applicants for federally guaranteed student loans. The DHEW Guaranteed Student Loan Program included on its application a blanket statement authorizing it to disclose student-supplied information as necessary in the course of processing and servicing a loan. Its final paragraph stated:
I understand that as a result of this consent, the U.S. Office of Education will not keep an accounting of disclosures of information regarding the application and loan [45 C.F.R. 5ó.9(c); 40 F. R. 47413 (October 8, 1975)], since this notice informs me of the uses which may be made of the information. (emphasis added)
The ACLU withdrew its suit after the Office of Education agreed to delete the authorization statement and to process the 1,500 applications that had been set aside because of the applicants' refusal to sign it.74
The Privacy Act also establishes criminal penalties for certain knowing and willful violations of its requirements. Subsection 3(i) provides that an officer or employee of an agency may be found guilty of a misdemeanor and fined up to $5,000 for knowingly and willfully disclosing individually identifiable information, the disclosure of which is prohibited by the Act or agency regulations thereunder, or for willfully failing to publish an annual Federal Register notice on a system of records. The same penalties may also be assessed against anyone who knowingly and willfully requests or obtains an agency record about an individual under false pretenses. Numerous allegations of criminal violations of the Act have been made to the Public Integrity Section of the Department of Justice but almost all have involved conduct that can best be described as negligent rather than knowing and willful. Thus far, only one case has been prosecuted.75
THE PRIVACY ACT AND THE FREEDOM OF INFORMATION ACT
Because the Privacy Act and the Freedom of Information Act (FOIA) have certain objectives in common, the interrelation between the two statutes was an issue that had to be faced almost before implementation of the Privacy Act could begin. Three areas in particular have required interpretation: (1) the definition of an "agency," which the Privacy Act borrows from the Freedom of Information Act; (2) the responsibilities of an agency when a member of the public asks for a record about an individual under the FOIA; and (3) the responsibilities of an agency when an individual asks for a record about himself under either the FOIA or the Privacy Act, or both. The interpretation of the term "agency" has already been discussed and will be explored further in the section on internal agency disclosures in Chapter 2, below. Here, the focus is on implementation of the Privacy Act against the backdrop of FOIA requirements regarding disclosures to members of the public and to individuals who ask for access to records about themselves.
DISCLOSURES TO MEMBERS OF THE PUBLIC
Subsection 3(b)(2) of the Privacy Act stipulates that a record about an individual may not be disclosed to a member of the public unless its disclosure is required by the Freedom of Information Act. This provision was included to "preserve the status quo as interpreted by the courts regarding the disclosure of personal information" pursuant to the requirements of the FOIA.76 It does, however, make one important change. Prior to passage of the Privacy Act, an agency, if it so desired, could freely disclose a record about an individual to a member of the public who requested it under the Freedom of Information Act, whereas now the agency must first determine that such a disclosure is, in fact, required by the FOIA.
In particular, FOIA exemption (6) permits the withholding of "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." [5 U.S.C. 552(6)(6)] The courts have interpreted FOIA exemption (6) to mean that there are no defined categories of records that may be withheld; that each request from a member of the public must be considered on its own merits; and that the determination as to whether complying with it would constitute a clearly unwarranted invasion of personal privacy must rest on a balancing of the private and public interests involved. [Rose v. Department of the Air Force, 425 U.S. 352, 44 L W. 4503, 4509 (April 19, 1976)] If the agency determines that disclosure would not constitute a clearly unwarranted invasion of personal privacy, it may not withhold the record. A refusal to disclose the salary and grade level of a Federal civil servant, for example, could not be justified under exemption (6). If, however, the agency determines that disclosure of the record would constitute an unwarranted invasion of personal privacy, it must either refuse to disclose it or risk violating subsection 3(b)(2) of the Privacy Act.
There are some additional complexities, such as determining whether the record is, in fact, subject to the Privacy Act, i.e., whether it is maintained in a system of records as defined in the Act. If portions of a record could be disclosed without violating the subject individual's personal privacy, those portions must be disclosed. The net effect, however, is to make an agency more careful than it used to be about how it responds to FOIA requests for individually identifiable records, since it no longer has discretion to comply with them irrespective of their privacy protection implications.
It is this situation that has given rise to some concern about the interface between the sanctions in the two Acts. Subsection (a)(4)(F) of the Freedom of Information Act authorizes the Civil Service Commission to impose administrative sanctions on agency officials whom a court finds to have arbitrarily or capriciously denied an FOIA request for records, while subsection 3(i)(1) of the Privacy Act authorizes criminal sanctions for any Federal employee who knowingly and willfully violates any of the Act's disclosure prohibitions. Nonetheless, if an agency makes a good-faith determination that disclosing a record about an individual would constitute a clearly unwarranted invasion of his personal privacy, it is hard to believe that a court would find that its decision to withhold the record had been arbitrarily or capriciously made. Nor would one expect a good-faith determination that a record must be disclosed in response to an FOIA request to be treated as a knowing and willful violation of the Privacy Act's disclosure prohibitions.
A slightly more difficult question is presented by the possibility that an individual might sue an agency, under subsection 3(g)(1)(D) of the Privacy Act, alleging that the agency was wrong in determining that the disclosure of a record about him to a member of the public would not be a clearly unwarranted invasion of his personal privacy, and that he was harmed as a result. Such an action, however, would be brought against the United States rather than the official responsible for the determination, and the plaintiff would not be entitled to damages unless the court found that the agency had acted in a manner that was "intentional or willful" [5 U.S.C 552a(g)(4)], an unlikely event if the agency did indeed determine, in good faith, that the disclosure was required by the Freedom of Information Act.
On the whole, the agencies have adapted well to the Congress' attempt to make the two Acts compliment one another where disclosures to members of the public are concerned. Press requests for access to information about individuals have been the hardest to deal with, just as they were prior to passage of the Privacy Act, and there have also been some problems involving FOIA disclosures of individually identifiable records that are not maintained in a "system of records" and thus are not subject to the Privacy Act disclosure prohibitions.
THE EXCLUSIVITY ISSUE
While the relation between the Freedom of Information Act and the Privacy Act is quite straightforward when the issue is whether a record about an individual may be disclosed to a member of the public, it is much less so when the individual, to whom the record pertains, ask for access to it. Should he be able to submit his request under either of the two Acts? Or should he be compelled to submit it under the Privacy Act?
The question is important because the answer to it can have a great impact on how much access an individual can have to the records an agency maintains on him. An individual seeking access to an investigatory file, for example, may be able to obtain much broader access if he requests it under the the Freedom of Information Act, because the corresponding Privacy Act exemption applies to entire systems of records rather than to the records or portions of the records they contain. Thus, under the Privacy Act, an agency is absolved of any obligation to consider the merits of a request for records in light of the particular documents involved; it is enough for the agency to claim that they are maintained in an exempt system. In other circumstances, however, the individual may obtain broader access under the Privacy Act, since the Privacy Act, unlike the FOIA, does not allow an agency to withhold a record on the grounds that it constitutes a purely internal government communication.
The controversy on this matter accounts in large part for the sponginess of the data presented earlier on the numbers and types of requests for access to records since the Privacy Act took effect. It was sparked by a July 30, 1975 Justice Department letter to the Internal Revenue Service declaring that the Privacy Act should be the exclusive vehicle for an individual who wants access to a record about himself. The Justice Department letter, which OMB circulated to all the agencies, came to the attention of the then Chairman of the Senate Subcommittee on Administra-tive Practices and Procedures (Committee on the Judiciary), who strongly disagreed with it and asked the Department to reconsider its position. Justice responded by amending its own Privacy Act rules to provide that, while it would treat the Privacy Act as the exclusive vehicle for an individual asking for a record about himself, it would also make available to him, at its discretion, all records within the scope of his request to which he would have been entitled to have access under the Freedom of Information Act. [28 C.F.R. 16.57]
OMB, in a supplement to its Privacy Act Guidelines, subsequently adopted a slightly different position. It urged that agencies not deny an individual access to any record about himself that is exempt from the Privacy Act's individual access requirement but "which would otherwise have been required to be disclosed [to him] under the Freedom of Information Act" [40 F.R. 56742 (December 4, 1975)] (emphasis added). OMB, however, stopped short of stating that the agencies must grant such access. Furthermore, as to the handling of such requests, OMB advised the agencies to
. . . treat requests by individuals for information pertaining to themselves which specify either the FOIA or the Privacy Act (but not both) under the procedures established pursuant to the Act specified in the request. When, the request specifies, and may be processed under, both the FOIA and the Privacy Act, or specifies neither Act, Privacy Act procedures should be employed. The individual should be advised, however, that the agency has elected to use Privacy Act procedures, of the existence and general effect of the Freedom of Information Act, and the differences, if any, between the agency's procedures under the two Acts (i.e., fees, time limits, access and appeals). [40 F.R. 56743 (December 4, 1975)]
In the legislative history of the Privacy Act, there is no evidence that the Congress intended to make it the exclusive vehicle for individuals seeking access to records about themselves. The Justice Department argument for doing so rested, in the main, on obvious differences between the Privacy Act and FOIA exemption provisions; and on its belief that allowing concurrent application of the two statutes, or, alternatively, allowing an agency official to decide which Act should apply, would be both unreasonable and impossible to administer. In some cases, however, the position Justice took could allow a third-party member of the public broader access to a record about an individual than the individual himself would have under the Privacy Act.
The actual practice of the agencies has varied. Some have ignored OMB's guidance, treating all requests by individuals for records about themselves as Privacy Act requests, while others have done their best to follow the procedure suggested by OMB.
THE COST OF IMPLEMENTING THE ACT
In March 1977, the FBI announced that it had a backlog of 7,500 unanswered requests for access to records involving the review of some 10 million pages, and that it was planning to spend $6.5 million to bring 400 agents to Washington for six months to eliminate it. The Bureau also said that its processing of access requests so far had required a staff of 53 agents and 322 support personnel at an estimated annual cost of $6.5 million per year.77 The FBI experience, however, is not typical. Cost figures recently released by the Office of Management and Budget (OMB) show Privacy Act expenditures to be much lower than originally assessed. In 1974, OMB had assessed that implementing the Act would cost $200-$300 million per year over the first four to five years and require an additional one time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect were $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.78 These costs have been broken down as shown in Figure 2.
The Act's publication requirements clearly accounted for the largest portion of the start-up cost (46 percent or an average of $2,000 per system). They account, however, for only 12 percent of the first-year operating expenses. Training was the second most costly start-up item. The $6.8-million figure includes both agency course development and employee time away from work. Implementation of the Act's security requirement was the third largest item in the start-up column, but also the lowest-cost item on the operating side. OMB speculates that this is due to a combination of minimal effort by some agencies to enforce subsection the 3(e)(10), on the one hand, and the fact that some agencies already had adequate safeguards in force, on the other. The cost of accounting for disclosures, however, was considerably higher than expected.
OMB's analysis of the $914,000 cost of establishing access procedures, and of the $10,670,000 cost of implementing them during the first year, shows that six agencies-the Treasury and Defense Departments, the Justice Department, the Department of Health, Education, and Welfare, the Veterans Administration, and the CIA-accounted for 93 percent of the expenditures. By itself, the Department of Defense, which maintains one-third of all declared systems of records, accounted for 48 percent.78 According to OMB, the six agencies' disproportionate share of access costs can only partially be explained by the number of records the six agencies maintain. Public interest in their records and, in some cases, the costly and time-consuming screening necessary before their records can be released account for the unusually high cost. In the DOD case, in particular, OMB attributes its large share to the considerable number of DOD employees who have been made aware of their rights under the Act, coupled with the wide dispersion of the Department's records. 79
Cost of Implementing the Privacy Act of 1974
|Summary - All agencies
(Outlays in Thousands of Dollars)
|Publication Requirements||$13,549||46.0%||$ 4,405||12.0%|
|Security and Control||2,175||7.4||l,345||3.7|
|Accounting for Disclosures||667||2.3||9,415||25.7|
|New Data Collection Procedures||l,164||4.0||l,507||4.l|
|All Other Costs||3,728||12.7||4,012||11.0|
|Reductions from Records/Systems Eliminated||-45||-0.2||-62||-0.2|
1 Start up costs include any one-time costs incurred from
January 1, 1975 through September 30, 1976.
2 Operating costs cover the period September 27, 1975 through September 30, 1976.
3 Totals may not add due to rounding.
Source: Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, p. 23.
1U. S. Department of Justice, Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, (Washington, D.C.: U. S. Government Printing Office, February, 1975), p. 26.
2Amending Section 552 of Title 5, United States Code, known as the Freedom of Information Act, Report of the Committee on Government Operations, U.S. House of Representatives, 93rd Congress, 2nd Session, 1974, pp. 8-9; Freedom of Information Act Amendments, Conference Report, U.S. House of Representatives, 93rd Congress, 2nd Session, 1974, pp. 14-15
3Letter from Assistant Attorney General, Office of Legal Counsel, U. S. Department of Justice, to the Office of Management and Budget, April 19, 1975.
4U.S. Office of Management and Budget, "Privacy Act Implementation; Guidelines and Responsibilities" (hereinafter OMB Guidelines), 40 F.R. 28951, 28959 (July 9, 1975).
5Ibid., p. 28976.
8Memorandum from General Counsel William H. Taft III to John Ottina, Assistant Secretary for Administration and Management, U.S. Department of Health, Education, and Welfare, regarding the application of the Privacy Act to DHEW contractors, May 14, 1976.
9Privacy Protection Study Commission staff interview with the Privacy Act Officer, and an Attorney, Office of General Counsel, U.S. Department of the Interior, October 20, 1976.
10Privacy Protection Study Commission staff interview with the Chief, Information Management Division, Office of Organization and Management Systems, U.S. Department of Commerce, November 2, 1976.
11Director, Personnel Management Staff, Office of Personnel, U.S. General Services Administration, Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 29, 1976. None of the other agencies at the workshop (DOD, DHEW, State, Treasury, USPS, GSA, VA, the Civil Service Commission, the FAA, the National Bureau of Standards, and the NLRB) declared vacancy announcements, promotion files, or retention records (established in reduction-in-force proceedings) as systems of records under the Privacy Act.
12Privacy Protection Study Commission staff interview with the Privacy Act Officer, and an Attorney, Office of the General Counsel, U.S. Department of the Interior, October 20, 1976.
13Testimony of the U.S. Veterans Administration, Medical Records, Hearings before the Privacy Protection Study Commission, July 2I, 1976, pp. 444, 445.
14U.S. Agency for International Development, "1975 Annual Report on the Privacy Act of I974," April 30, I976, p. 10.
15Privacy Protection Study Commission staff interview with an Attorney, Legal Advisor's Office and the Chief, Document and Reference Division, Foreign Affairs Document and Reference Center, U.S. Department of State, November 12, 1976.
16Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976 (hereinafter, President's Second Annual Report), p. 23
17 Federal Personal Data Systems Subject to the Privacy Act of 1974, First Annual Report of the President, Calendar Year 1975 (hereinafter, President's First Annual Report), p. 2.
18Ibid, p. 3.
19Ibid, pp. 45.
20Ibid, pp. 5-6.
21The number after the system name is assigned by the agencies. OMB also assigns a unique number to each system consisting of agency and bureau codes for the agency maintaining the system, plus a sequential number. Agencies are encouraged to use the same numbering system as OMB.
22Office of the Federal Register, Protecting Your Right to Privacy-Digest of Systems of Records, Agency Rules, Research Aids, p. 266.
23OMB Guidelines, p. 28963.
24U.S. Department of Defense, "1975 Annual Report on the Privacy Act of 1974," p. 23.
25Privacy Protection Study Commission staff interview with the Records Officer, U. S. Postal Service, October 12, 1976.
26Oflice of the Federal Register, Privacy Act Issuances, 1976 Compilation, 5 vol. The 1975 compilation was published in a single volume, supra, note 22.
27Briefing by the Defense Privacy Board for the staff of the Privacy Protection Study Commission, January 16, 1976.
28Protecting Individual Privacy in Federal Gathering Use and Disclosure of Information, Report of the Committee on Government Operations, U. S. Senate, 93d Congress, 2nd Session, 1974, p. 399.
29OMB Guidelines, p. 28977.
30U.S. Office of Management and Budget, Circular A-108, Transmittal Memorandum No. 1, New Systems Reports, 40 F.R. 45877 (October 3, 1975).
32Ibid, p. 45878.
33President's Second Annual Report, p. 9.
35Ibid., p. I1.
36Robert R. Belair, "Agency Implementation of the Privacy Act and the Freedom of Information Act: Impact on the Government's Collection, Maintenance and Dissemination of Personally Identifiable Information," John Marshall Journal of Practice and Procedure, Vol. 10, No. 3, (Spring, 1977) p. 480.
38Under the Federal Reports Act [44 U.S.C 350I et seq.], OMB approves all fortes on which agencies propose to collect information from six or more members of the public, except that 44 U.S.C. 3507 exempts forms used by the Internal Revenue Service and certain other divisions of the Treasury Department. In addition, pursuant to a 1973 amendment, [44 U.S.C.A. 3512], forms used by independent regulatory agencies are reviewed by the Comptroller General, U. S. Government Accounting Office.
39U..S. Civil Service Commission, Federal Personnel Manual System Letter 711-126, December 30, 1976.
40U. S. National Bureau of Standards (Department of Commerce), Federal Information Processing Standards, Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974" (May 30, 1975).
41U. S. National Bureau of Standards (Department of Commerce), Federal Information Processing Standards Task Group 15, "Index of Automated System Design Requirements as Derived from the OMB Privacy Act Implementation Guidelines," (October, 1975).
42"Additional Guidance on Reduction in Reports Required of the American Public," Memorandum from Hon. Bert Lance, Director, U.S. Office of Management Budget, to Heads of Executive Departments and Establishments, March 7, 1977.
43In this section the terms "regulation" and "rule" are used interchangeably.
44OMB Guidelines, pp. 28957, 28967.
45Ibid., pp. 28957-58.
46U. S. Central Intelligence Agency, 1975 Annual Report on the Privacy Act of 1974, III, p. 5; letter from Clarence M. Kelley, Director, U. S. Federal Bureau of Investigation, Uepartment Justice, to the Privacy Protection Study Commission, June 30, I976.
47U. S. Drug Enforcement Administration (Department of Justice), "1975 Annual Report on the Privacy Act of I974," p. 11.
48U. S. Energy Research and Development Administration, "1975 Annual Report on the Privacy Act of 1974," p. 6.
49U. S. Department of Defense, 1975 Annual Report, op. cit., pp. 5,23.
50Ibid., p. 23.
51Briefing by the Defense Privacy Board, op. cit.
52Civilian Health and Medical Program of the Uniformed Services.
53Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, (Washington: U. S. Government Printing Office, 1973).
54U.S. Internal Revenue Service (Department of the Treasury), "1975 Annual Report on the Privacy of 1974," pp. 3, 4.
55This represents the time spent to give every IRS employee 30 minutes of training about the Privacy Act. Privacy Protection Study Commission staff interview with the Chief, Freedom of Information Branch, Internal Revenue Service (U. S. Department of the Treasury), August 25, 1977.
56U.S. Energy Research and Development Administration, op. cit, p.2.
57President's Second Annual Report, p. 14.
58Privacy Protection Study Commission staff interview with the Assistant Chief, Division of Program Planning and Management, Bureau of Personnel Investigations, U. S. Civil Service Commission, August 30, 1976.
59Letter from Alan Carter, Assistant Director for Public Information, U. S. Information Agency, to the Privacy Protection Study Commission, November I7, 1976.
60Briefing by the Defense Privacy Board, op. cit..
61This figure is the sum of all requests identified in the 1975 annual reports as "Privacy Act" requests.
62Privacy Protection Study Commission staff interview with the Inspector and Deputy Assistant Director, Freedom of Information Privacy Act Branch, Records Management Division, Federal Bureau of Investigation, U. S. Department of Justice, August 26, 1977.
63Belair, op. cit, p. 497.
64Ibid., p. 498.
65President's Second Annual Report, p. 13. Of the 35,723, 14,517 were granted in full; 3,417 were partially granted; 399 were denied; and 2,105 were returned as inadequately specific. Action was pending on the remainder. For 9,705, no record on the individual could be found.
66President's Second Annual Report, p. 14.
68Ibid., pp. 14,15.
69This figure is drawn from an analysis of all the discussions of public comment in the 1975 annual reports.
70President's Second Annual Report, p. 8.
71Privacy Protection Study Commission staff interview with the Acting Chief, Paperwork Management Branch, Management Analysis Division, U. S. Department of Transportation, October 12, 1976.
72Letter from Jeffrey Axelrad, Chief, Information and Privacy Section, Civil Division, U. S. Department of Justice, to the Privacy Protection Study Commission, November 12, 1976.
73Privacy Protection Study Commission staff interview with a Trial Attorney, Freedom of Information Section, U. S. Department of Justice, August 26, 1977.
74Memorandum from Charles C. Marson, Legal Director, ACLU Foundation of Northern California, to the Privacy Protection Study Commission, June 7, I977.
75In United States v. Gonzalez, Crim. No. 76-132 (M.D.La. Dec. 21, I976), a former United States Attorney in Baton Rouge, Louisiana was convicted and fined $1,500 for making an unauthorized disclosure of agency records.
76"Analysis of House and Senate Compromise Amendments to the Federal Privacy Act," 120 Cong. Rec. S21817 (December 17, 1974).
77Privacy Protection Study Commission staff interview, with the Federal Bureau of Investigation, op. cit.
78Letter from Hon. Bert Lance, Director, Office of Management and Budget, to Senator Abraham A. Ribicoff, Chairman, Committee on Governmental Affairs, United States Senate, March, 1977, including a report on Costs of Implementing the Privacy Act of 1974, p. 5.
79President's First Annual Report, pp. 2-3.