In seeking remedies for the Privacy Act's current weaknesses, the Commission found it useful to draft an illustrative revision of the Act as a means of testing the feasibility of various alternatives. The product of this drafting exercise, which itself involved many revisions, is being made available as Appendix B of this volume.1 The Commission does not pretend that its suggested changes in the language of the Act are the only ones that will correct the Act's deficiencies. However, it does believe that its illustrative language shows how the problems that its assessment of the Act uncovered could be overcome by redrafting.
The Commission's assessment of the Privacy Act of 1974 led it to three general conclusions:
(1) The Privacy Act represents a large step forward, but it has not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect;
(2) Agency compliance with the Act is difficult to assess because of the ambiguity of some of the Act's requirements, but, on balance, it appears to be neither deplorable nor exemplary; and
(3) The Act ignores or only marginally addresses some personal-data record-keeping policy issues of major importance now and for the future.
With these conclusions in mind, the Commission's illustrative revision of the Act strives to clarify it by changing its structure and reconceptualizing specific sections. The revision also concentrates on articulating policy objectives rather than on specifying details of implementation, since one goal of the revision is to allow the Act's policy objectives to be achieved without destroying the flexibility an administrator clearly must have in implementing it.
Finally, it should be noted that, even though the Commission's approach continues the one taken in the current law, it permits adaptation to changes in information technology while at the same time recognizing that there are some information policy issues an agency cannot, and often should not, resolve by itself. The most obvious is the question of whether a particular record-keeping system should exist at all. Answering such a question requires independent judgment of the sort that the Commission believes would be best provided by the independent entity recommended in Chapter 1 of its final report. The pressures on agencies to collect increasing amounts of information for an increasing number of purposes are too great to allow them to continue to establish information systems without more of a check on their judgment than either the current Privacy Act or one that incorporates the Commission's suggested changes could reasonably be expected to sustain.
The changes in the Privacy Act that the Commission suggests are focused on three basic objectives:
The ways in which the first two objectives have been met will become apparent as specific portions of the Commission's substitute language are explained. The third objective, however, should be discussed at this point since it is central to the Commission's entire drafting strategy.
"RECORDS" AND "SYSTEMS OF RECORDS"
As indicated earlier, the Congress wanted to include in the definition of the term "record"2 every agency record that contains any kind of individually identifiable information. Because it was mindful of the burden such a definition could impose on an agency, however, it limited the Act's coverage to records retrieved from "systems of records" by "name . . . or identifying number, symbol, or other identifying particular. . . ." [5 U.S.C. 552a(a)(5)] Thus, unless an agency actually retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular . . .," the "system" in which the information is maintained is not covered by the Act. While the term "record" refers to all information about an individual which contains his name or identifier, the term "system of records" applies only to information about an individual which is retrieved by name, identifier, or identifying particular. As explored earlier, the effect of this distinction is wholesale exclusion from the Act's scope of records that are not accessed by name, identifier, or assigned particular. An individual whose record is retrieved by these means cannot avail himself of the protections the Act would otherwise afford him.
There are many examples of readily accessible individually identifiable agency records that are not retrieved by personal identifier, and currently deployed and developing computer and telecommunications technologies appear likely to create more. While the language of the Act speaks in terms of retrieval by discrete individual identifiers, most automated record systems permit identification of an individual (or, more precisely, his record) based on any combination of the individual's attributes or characteristics, natural or assigned, as well as by reference to "individual identifiers" in the more conventional sense. Thus, it would be easy to program a computer to locate particular individuals through "attribute searches."3 Moreover, retrieval of individually identifiable information by scanning (or searching) large volumes of machine-readable text is not only possible but an increasingly frequent practice.
In summary, the "system of records" definition has two limitations. First, it undermines the objective of providing an individual access to the records an agency maintains about him. Second, by serving as the sole activating, or "on/off," switch for the Act's other provisions, it unnecessarily limits the reach of the Act.
In order to reduce the problems raised by the term "system of records" and to better achieve the basic objectives of the law, the Commission believes the Act's definition of "system of records" should be abandoned and its definition of "record" amended. Specifically, the term "record" should be expanded to include attributes and other personal characteristics assigned to an individual, and a new term, "accessible record" [(a)(6)],4 should be introduced to delineate those individually identifiable records that will be available to an individual in response to his request for access to records about himself. This formulation would encompass records which, while not retrieved by an individual identifier, could be retrieved by an agency without an unreasonable burden either through normal retrieval procedures or because the subject could direct the agency to the record's location. If an individual knew he was mentioned in a particular file, for example, he would be entitled to have access to that information whether or not it was the agency's practice to access the record by reference to his name or other identifying particulars. In implementing this provision [(a)(6)(B)], however, an agency should not have to establish any new cross-referencing schemes simply for the purpose of responding to access requests. In this connection, the Commission would also urge deletion of the clause in the current Act [5 U.S.C. 552a(d)(1)] which requires an agency to allow an individual access "to any information pertaining to him which is contained in the system . . . ." This requirement is impossible to satisfy since an agency often does not know how to find all such information.
The Commission also believes that the terms "record," "individually identifiable record," "accessible record," and "system" should operate as distinct activating, or "on/off," switches for separate provisions of the statute. This would allow more flexibility and broaden the reach of the Act, which currently relies on the "system of records" definition to delineate its scope. For example, in the proposed revision the accessible record definition (controlling access by the individual) is broader than the individually identifiable record definition (controlling the information management requirements) and the system definition (controlling Federal Register publication).
Finally, the Commission suggests a change in subsection 3(m) of the current law which limits its scope by applying its provisions to systems of records maintained by some contractors but not to any maintained by grantees. [5 U.S.C. 552a(m)] Agency personnel interviewed by the Commission staff expressed the view that, in many cases, the implicit distinction in the Act between contractors and grantees is artificial. The Commission agrees. Moreover, in Chapter 15 of its final report, the Commission recommends that a uniform set of requirements and safeguards be applied to records collected or maintained in individually identifiable form for a research or statistical purpose under Federal authority or with Federal funds. The Commission further suggests that the Privacy Act be the basic vehicle for implementing these recommendations. [(a)(5), (d)(14), (g), and (m)]
The rest of this chapter is a commentary on the provisions of the illustrative statute in the order in which they are presented in Appendix B.
The definitions in Appendix B retain or modify those in the current law in the following ways:
Agency. The definition of the term "agency" [(a)(1)] does not differ from the one in the current law. [5 U.S.C 552a(a)(1)] Its potential for undermining the Act's restrictions on disclosures to third parties has, however, been stemmed by including intra-agency disclosures in the routine-use definition. [(a)(9)] A large Cabinet Department with many different programs would no longer be permitted to transfer information about individuals among its various components without revealing that it does so.
Individual. The term "individual" [(a)(2)] is also identical to the one currently in the Privacy Act. [5 U.S.C. 552a(a)(2)]
Record. The Commission considered abandoning the term "record" in favor of the term "personal information," but rejected the idea for three reasons. First, its expanded definition of a "record" includes everything that could be considered "personal information." Second, there is an important body of court decisions arising from the use of the term "record" in the Freedom of Information Act, which has served to clarify its meaning. Third, if an agency were required to grant access to "personal information" rather than to a "record," it might arguably be able to satisfy the requirements of the law by summarizing the information in its files in lieu of giving the individual the information in the form in which it is actually stored, used, or disclosed.
The "record" definition in Appendix B retains the language of the current law [5 U.S.C. 552a(a)(4)], but expands it by including "attributes, affiliations, or characteristics associated with, or assigned to, the individual."[(a)(3)] This change broadens the term to encompass all types of information used to identify an individual and thus would include information used to search a file for the names of individuals whose qualifications match a particular job description or who have a propensity to engage in certain activities, such as violations of law.
Individually Identifiable Record. This is a new term [(a)(4)] and is defined as "a record which could be reasonably expected to identify the individual or individuals to whom it pertains." It includes "individuals" to allow for situations in which a record refers to more than one individual, such as would be the case when a social service record is maintained on a family unit.
Research or Statistical Record. Although the definition of this term [(a)(5)] resembles the definition of a "statistical record" in the current law [5 U.S.C 552a(a)(6)], it is more precise. It specifically refers to an individually identifiable record "collected or maintained by a Federal agency or pursuant to a Federal research contract or grant, or a subcontract thereof, for a research or statistical purpose only," and makes clear that the implicit prohibition against using such a record "to make any decision or to take any action directly affecting the individual to whom the record pertains," does not include a decision made "within the context of the research plan or protocol." The reference to "section 8 of title 13" continues the current exception for census records that are disclosed to the individuals to whom they pertain for the purpose of establishing their eligibility for medicare benefits.
Accessible Record. This, too, is a new term. [(a)(6)] Its practical effect is to broaden the individual's right of access to include an individually identifiable record which is:
(A) systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so as to identify, an individual, or
(B) otherwise readily accessible because:
(i) the agency is able to access the record without an unreasonable expenditure of time, money, effort, or other resources, or
(ii) the individual to whom the record pertains is able to provide sufficiently specific locating information so as to render the record accessible by the agency without an unreasonable expenditure of time, money, effort, or other resources.
This definition and the term "system" [(a)(7)] replace the term "system of records" in the current law. [5 U.S.C 552a(a)(5)] When an individual seeks access to information about himself which is in an agency's possession, he wants all of the accessible information relevant to his request. However, the "system of records" definition now in the Act clearly frustrates that objective by limiting the individual's right of access to records which an agency, in fact, retrieves by reference to his name or some other identifying particular assigned to him.
The first paragraph of the new definition [(a)(6)(A)] restates and slightly broadens the increasingly popular notion of systematically stored and retrieved information, attempting to codify a concept that mirrors prevailing practice. The only significant expansion is the deliberate use of the term "retrieval scheme." This would include a keyword (or other character-pattern) search of machine-readable or computerized textual information. Paragraph (a)(6)(A), however, refers only to an agency's actual practice. If the agency does not use or retrieve the information by a retrieval scheme, it would not apply, and the principal-purpose test further narrows the scope of the definition.
The second paragraph [(a)(6)(B)], on the other hand, introduces the concept of "readily accessible." While subparagraphs (a)(6)(B)(i) and (B)(ii) attempt as clear a definition as possible of this concept, there is no way to avoid some potential for varying interpretations. One of the flaws of the current law is that it defines too precisely the information which should be readily accessible. A common problem with any attempt at precision in this context is that it can be easily circumvented, and particularly where modern computer technology is involved. Thus, the Commission suggests a flexible test for determining accessibility: namely, the amount of time, money, effort, or other resources (e.g., computer processing) the agency would have to spend to make the information accessible.
Basically, the "accessible record" definition embodies the notion that information should be made available to the individual unless retrieval would impose an unreasonable burden on the agency or unless there is an overriding policy reason for not making it available, such as the protection of national security. In theory, all computerized information is accessible, but to require agencies to give an individual access to any information about him that is theoretically accessible would be prohibitively costly. If, however, an agency that has organized its employee files by duty station, for example, has the capability to retrieve them by reference to name or Social Security number and can do so without undue effort or cost, then the information in the files ought to be available to the individuals to whom it pertains. The test of undue effort or cost will, of course, vary with the circumstances, the technology, and the times, but, allowing the test to vary will help to assure that the individual's ability to gain access to information about himself will keep pace with changes and improvements in the agencies' capacity to retrieve and use it.
Likewise, if the subject individual can provide locating information that is specific enough to render a record accessible without an unreasonable expenditure of time and effort, then the agency should provide it. If John Doe knows that there is a reference to him in a file labeled "XYZ Docket," for example, then it is not unreasonable for the agency to give him access to it, although it would be unreasonable (and probably undesirable) to expect an agency to develop a filing or indexing scheme just so it would know in advance that there was information about John Doe in Docket XYZ if he made a general request for access to records about himself. To multiply the opportunities to misuse records about individuals by encouraging agencies to develop elaborate cross-referencing schemes in the interest of complying with the fair information practice requirements would be ironic, indeed, and the Commission's suggested definition of an accessible record is not intended to do so.
System or Subsystem. The term "information system" is an artificial construct which helps people visualize collections of records. Information systems may be functional, such as a "payroll system," or physical, such as a "record system" contained in a particular file cabinet. Moreover, there may be systems within systems, such as the tax withholding subsystem of a payroll system.
The manual model of an information system made up of physically discrete subsystems is being rendered obsolete by computer technology. For example, computer software can present a user with the illusion of different subsystems, which, in fact, do not exist physically as discrete units.5 There are circumstances in which the concept of a physically discrete system is useful, but increasingly it only complicates matters needlessly.
The Commission suggests defining a system or subsystem as:
any collection or grouping of accessible records [that are] systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so as to identify, an individual or individuals. [(a)(7)]
Moreover, the illustrative statute relies on this concept of an information system only as it is useful for facilitating public scrutiny and management accountability; that is, in combination with the requirement in subsection (h) that an agency describe its collections of individually identifiable records which are maintained according to a pre-established retrieval scheme, and its information practices with respect to those collections of records.
Maintain. The definition the Commission suggests [(a)(8)] adds "obtain, possess, process, or disclose" to the current law's "collect, maintain, use, and disseminate." [5 U.S.C 552a(a)(3)] The revised definition would require a custodial agency to accept some responsibility for the accuracy of information it received from another agency and also permit it to honor the individual's right of access to such information. In addition, it would require an agency to publish system notices on the records in its possession that are technically under the control of another agency. An agency's personnel records, for example, are technically under the control of the Civil Service Commission, even though the agency has physical possession of them.
Routine Use. The suggested definition augments the current one by requiring not only that the use of a record be "compatible with the purposes for which it was collected" [5 U.S.C. 552a(a)(7)], but also that it be "consistent with the conditions or reasonable expectations of use and disclosure under which the information in the record was provided, collected, or obtained." [(a)(9)] In addition, the revised formulation would explicitly require that internal, as well as external, agency disclosures of information be governed by the revised subsection on "Limitations on Disclosure." [(d)(3)]
The Commission found that the routine-use provisions in the current law, although designed as a safety valve, have had unintended effects. The compatible-purpose test has been applied loosely and exclusively from the agency's point of view. Furthermore, because the Privacy Act incorporates the Freedom of Information Act definition of an "agency," the routine-use provisions have had almost no effect on "internal" disclosures among the components of large agencies that operate many different types of programs.
Collateral Use. The term "collateral use" [(a)(10)] has been added by the Commission to encompass disclosures which are not compatible with the purposes for which the information was collected but which are specifically authorized by statute. To qualify as a collateral use, any such disclosure would have to be pursuant to a statute enacted after January 1, 1975 which establishes specific criteria for use or disclosure of specific types of information. Examples might include the statutory authorization for transferring information between Federal and State agencies to assist in determining an individual's eligibility for disability benefits, and the Tax Reform Act of 1976 which authorizes certain disclosures of tax return information which are not compatible with the purpose for which the information was collected.
Because the collateral-use concept presupposes direct, and probably increasing, Congressional involvement in information policy decisions, it should help to keep the relationship between the Privacy Act and other information policy legislation in clear focus. The current law and its legislative history are silent on whether the Act was intended to supersede preexisting statutes authorizing uses or disclosures of information that do not meet the compatible-purpose test. The OMB Guidelines6 take the position that preexisting statutes which permit less disclosure to third parties than the Privacy Act allows were not superseded, but there was no basis for concluding that the many sections of the U.S. Code that authorize or require the disclosure of information about individuals to third parties were. Adding the concept of collateral use will assure that in the future the Congress' attention will be drawn to statutorily authorized uses and disclosures that do not meet the compatible-purpose test and also, by virtue of the January 1, 1975 cut-off date, will precipitate a reconsideration of sections of the U.S. Code that do not meet the test today.
ACCESS TO RECORDS
As the suggested subsection [(b)] illustrates, the Commission believes that an individual ought to have the greatest possible access to information about himself without causing an undue burden on the agency. The Commission also believes, however, that the current law's intent that an individual's request for access identify the information sought as specifically as possible [5 U.S.C. 552a(d),(f)(1)] should be preserved so long as the agency has a corresponding responsibility to assist the individual in framing his request so that it "reasonably describes" the records he wants to see. Most agencies, as indicated earlier, do make an effort to assist the individual, but the Commission believes that requiring such assistance in the statute is important assurance that it will continue to be given. The Commission envisions a dialogue between the agency and the individual in which the agency might ask the individual to narrow his request by reference to systems named on a list that the agency would give him. The likelihood of a private citizen being aware of the name of a system of records published in the Federal Register is too remote to be relied on exclusively. Moreover, the reasonable-description standard [(b)(1)] is one with which the agencies have had considerable experience in the context of the Freedom of Information Act as amended.7
Suggested subsection (b)(6) would introduce a new provision establishing time limits within which an agency must respond to an individual's request for access to records about himself. The provision would require an agency, within 30 working days after receiving a request for access, to determine whether it will comply and to notify the individual of its determination. Thereafter, the agency would have to make the records available to the individual "within a reasonable period of time." Subsection (b)(6) takes to heart a lesson learned from experience with the Freedom of Information Act, which had to have time limits added to it in order to assure prompt agency response to access requests.8
The suggested revision expands upon the requirements of the current Act that "information be provided in a form comprehensible to the individual" [5 U.S.C 552a(d)(1)] by requiring that the form in which a record is disclosed to an individual reflect "as accurately as can be reasonably expected, the context or manner in which the agency maintains and uses" it. [(b)(1)(B)] This formulation seeks to help an individual determine how and in what manner he should, for example, exercise his right to correct, amend, or dispute a record to which he gains access.
The current access requirement would also be expanded to require an agency to supply information from "derivative" records to the extent that the agency "can be reasonably expected to be aware of substantially similar or derivative versions" that fall within the definition of an "accessible record." [(b)(1)(C)] An individual can be, and often is, unaware of such records, even though he could be as easily harmed by some of them as by the original. Two kinds of recorded information are clearly covered by this provision: (1) an exact duplicate of the original record maintained in another part of the agency; and (2) some portion of the original which has been copied and subsequently amended or merged with other records. In both cases, an agency should be obliged to take reasonable affirmative steps to describe and make the several versions available to the individual. While an individual may not wish to see every duplicate of the original record, he may wish to assure that some duplicates are amended if he amends the original. Moreover, the uses and disclosures of duplicates of a record, as well as of substantially similar or derivative versions of it, may well not be the same as the uses and disclosures of the original, and when that is the case, the individual should be so informed.
Finally, a portion of subsection (d)(1) of the current law has been eliminated. This is the subsection [5 U.S.C 552a(d)(1)] that requires an agency to grant an individual access to "any information pertaining to him which is contained in the system." The requirement is impossible for an agency to satisfy without a complete review of all its records and the development of elaborate indices or cross-referencing schemes. An agency is simply not aware of all the places in its records where an individual may be named and should not be required to be in the name of fair information practice.
ACCOUNTINGS OF DISCLOSURES
The Commission believes that the primary value of the accounting of disclosures requirement should be its utility for propagating corrections and that a reasonableness test should, therefore, be used in determining the period of time for which an accounting must be kept. [(b)(1)(B)] The existing provision [5 U.S.C. 552a(c)(4)] is inadequate in that it does not require that corrections be propagated within an agency where inaccuracies can be every bit as harmful to the individual as inaccuracies in records disclosed to users outside the agency.
The proposed revision of the accounting of disclosures requirement stipulates that an accounting be kept of all disclosures to: (1) recipients to whom the agency could reasonably be expected to propagate a correction pursuant to the revised propagation of corrections requirement [(f)]; and (2) recipients of which the agency could reasonably be expected to be aware but to whom it could not be reasonably expected to propagate corrections. This means, of course, that an accounting would have to be made of internal as well as external disclosures, although not necessarily of all of them. For example, no accounting would be required of a disclosure to the individual himself, or of a disclosure to a member of the public (be it the individual or someone else) pursuant to a Freedom of Information Act request.
While the revised accounting of disclosures requirement has a broader reach than the corresponding provision in the current law, it is also narrowing in that an accounting need be given to the individual only upon his specific request, and only of those disclosures made "within a reasonable period of time prior to the request." The "reasonable period of time" should be commensurate with the period of time the agency needs to keep an accounting in order to propagate corrections; that is, so long as information in derivative records could affect determinations as to an individual's rights, opportunities, or benefits. In providing the accounting, the agency shall take reasonable affirmative steps to inform the individual, in a form comprehensible to him, of (a) the date, nature, and purpose of each disclosure; and (b) the name and address of the person or agency to whom the disclosure was made. [(b)(1)(B)(iii)] The revision preserves the current law's use of the word "accounting," as opposed to "record," of disclosures so as to allow for any scheme that enables the agency to reconstruct a list of past disclosures; that is, an explicit record or log entry need not be made for each disclosure if an accounting can otherwise be rendered. This is especially important in the case of frequent bulk transfers of data on large numbers of individuals. As with the current law, the Commission also does not intend that an accounting be considered a "record" as defined in revised subsection (a)(3).
EXEMPTIONS FROM THE ACCESS REQUIREMENT
There are three reasons for redesigning the Privacy Act's exemption provisions. First, abandoning the system of records approach as the trigger for the operational requirements of the Act necessitates some restructuring. Second, as explored in earlier chapters, the Commission found that the current exemptions encompass too many provisions of the Act and thus both permit and invite circumvention of its spirit. These findings led to the conclusion that certain types of information, not systems of records, should be exempted where necessary. Finally, having concluded that an individual should have access to the same amount of information about himself under either the Freedom of Information Act or the Privacy Act, the Commission looked for one set of standards for determining when access will not be granted. That objective, in the Commission's view, was best achieved by adopting the exemption strategy in the Freedom of Information Act and also by incorporating several of the FOIA's specific exemptions.
Although the major policy objectives reflected in the Privacy Act's current exemption strategy have been preserved in the proposed revision, the blanket exemptions in the current subsection 3(j), applicable to all records maintained by the Central Intelligence Agency or by any agency whose principal function is any activity pertaining to criminal law enforcement, have not been retained. [5 U.S.C. 552a(j)] Thus, if the Commission's suggestions were adopted, those agencies would no longer be able to exempt themselves completely from requirements such as propagating corrections of records to prior recipients, reporting on new systems of records, and assuring the necessity and relevance of the information they collect.
The exemption opportunity in the current Act for information "maintained in connection with providing protective services to the President of the United States or other individuals pursuant to section 3056 of title 18" has been retained to the extent that such information falls within new subsection (b)(3)(B), which exempts law enforcement information from the individual access requirement. Most of the other provisions of current subsection 3(k) have also been retained [5 U.S.C. 552a(k)], although in a form which permits them to be invoked only for the purpose of restricting individual access. [(b)(3)] The suggested exemption provisions further incorporate a new subsection [(b)(3)(C)] paralleling section (b)(8) of the Freedom of Information Act [5 U.S.C. 552(b)(8)] which would permit financial regulators, such as the Comptroller of the Currency, to withhold certain records.
With respect to medical records and medical-record information [(b)(5)], the Commission has adopted the approach to special procedures recommended in its final report for private-sector medical-care providers. This approach, which the Department of Health, Education, and Welfare has already tested successfully, would allow designation by the individual of a lay representative to be the recipient of a medical record or medical-record information pertaining to him, thereby allowing the lay representative (perhaps a family member) to decide whether full disclosure to the individual may be harmful to him. In this way, the lay designee, rather than the agency, would make the judgment regarding full or partial disclosure. The Commission's suggested revision also expands on the current law by allowing agencies to withhold information from the parent or legal guardian of a minor individual to whom the information pertains when such withholding is authorized by statute. [(b)(3)(H)]
Perhaps the most important aspect of the suggested revision is that it adopts the Freedom of Information Act approach of treating exemptions as available defenses to be invoked, where applicable, on a case-by-case basis, in contrast to the current Privacy Act approach which allows exemptions to be claimed in advance for entire systems of records. The revision would also require that any portion of a record which is reasonably segregable from the exempt portion must be supplied to the individual. [(b)(4)]
CORRECTION AND AMENDMENT OF RECORDS
The Commission's suggested revision would retain the correction and amendment requirements of the current law [5 U.S.C. 552a(d)(2)], while providing also for the correction or amendment of substantially similar or derivative records. [(c)(1)] The principal significance of this change lies in its relationship to new subsection (f) which provides for more complete propagation of corrections. Under (f), as examined more fully below, a correction or amendment to a record initiated by the individual will receive broader dissemination than it would under current law.
LIMITATIONS ON DISCLOSURE
In limiting disclosures, the Commission would retain the objectives of subsection (b) of the Privacy Act [5 U.S.C. 552a(b)], but incorporate the new routine-use and collateral-use definitions, and also establish certain new requirements. Internal disclosures of information would be further restricted by allowing them only if they are necessary and proper for an agency's own mission and functions, and only if they fit within the revised definition of a routine use. [(d)(3)] Routine external disclosures would also have to conform to the new routine-use and collateral-use definitions and, in addition, be certified as conforming by the agency official responsible for overseeing the Act's implementation. [(d)(4)] The Commission has also incorporated pertinent portions of its recommendations on individually identifiable records used for research or statistical purposes. [(d)(14)]
The revised provisions governing routine uses [(d)(3) and (4)] would still be a minimum standard. They would not supersede disclosure prohibitions that are more stringent, but they would supersede existing disclosure authorities that are more general.
Finally, the revision would permit disclosures to members of Congress, but only in response to a Congressional inquiry made at the express request of a constituent to whom the record pertains or, in certain situations, by a relative or legal representative. [(d)(11)] On its face, the current law does not permit a Congressman to receive an agency record about a constituent without the constituent's written consent. This problem was resolved shortly after the Act took effect by establishing such disclosures as routine uses, even though many of them would probably not meet the compatible-purpose test. The Commission, however, believes that the matter should be addressed directly and therefore proposes the addition of a new subsection
COLLECTION AND MAINTENANCE OF INFORMATION
The suggested revision incorporates verbatim the current requirement [5 U.S.C. 552a(e)(1)] that an agency "collect or maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive Order of the President." [(e)(1)(C)] Although the Commission found that the requirement does not appear to have had a significant effect on agency practice, it believes that the fault is in the vehicle for implementing it. The implementation strategy and strengthened incentives for compliance that the Commission suggests should make the requirement more effective. Furthermore, the provision provides an individual with an invaluable tool in any effort to correct or amend a record about himself, and particularly in any legal action he brings to enforce agency compliance with the law.
The suggested revision also strengthens the current law by not permitting the Central Intelligence Agency and agencies whose principal function is any activity pertaining to criminal law enforcement to escape totally the requirement that the information they maintain be complete, relevant, timely, and accurate. They are permitted to maintain untimely, inaccurate, incomplete, or irrelevant information only if it is clearly identified as such to all users and recipients. [(e)(1)(D)]
The Commission would retain the current requirement that agencies collect information to the greatest extent practicable directly from the subject individual [5 U.S.C. 552(e)(2)], but broaden it by directing it both to circumstances in which an "adverse determination" may result and also to circumstances in which the information "may affect" determinations about an individual's rights, benefits, or privileges under Federal programs. [(e)(1)(A)] This revised formulation better fulfills the objective of giving an individual as extensive a role as possible in assuring the accuracy and completeness of information that may be employed to make decisions about him.
The question of whether a "Privacy Act Statement" [5 U.S.C. 552a(e)(3)] needs to be given to anyone other than the individual about whom information is being collected is resolved in the revision by designating as recipients of statements "individuals from whom [each agency] requests information about themselves or others." The Commission further suggests that the Act be revised to require that agencies take "reasonable affirmative steps" to enable an individual to decide, in "as informed and uncoerced a manner as is reasonably possible," whether to provide information about himself or others. [(e)(1)(B)] This formulation would relax the existing requirement that an individual be given a Privacy Act Statement every time he is asked to supply information, no matter how frequently, while retaining and strengthening the Act's restriction on agencies employing the notice as a coercive tool. In addition, instead of being informed in the statement of the routine uses of the information sought, an individual must be informed of "any routine or collateral uses of the information which could be reasonably expected to influence" his decision. [(e)(1)(B)(iv)] The "types of additional information, techniques, and sources that may be used to verify the information" the individual provides must also be described. [(e)(1)(B)(v)] This requirement, which the Commission recommended for the private sector in its final report, fills an important gap in the current law. Because providing a concise description of all uses and third-party source verification procedures, however, may occasionally prove to be more confusing than enlightening, the title, business address, and telephone number of a responsible agency official who can assist the individual must be listed. [(e)(1)(B)(vi)] Finally, the revision also provides specifically for clear notice of possible redisclosures of information when it is collected for a research or statistical purpose. [(e)(1)(B)(vii)]
While the suggested revision retains the safeguarding of information provision in the current law, it substitutes a reasonableness standard for the current requirement that agencies establish "appropriate" safeguards against "any" anticipated threats or hazards. Instead, agencies would have to establish "reasonable" safeguards so as to "minimize the risk" of such hazards. [(e)(1)(E)] This language comports with prevailing practice under the Privacy Act and also reflects the Congress' original intent as expressed in the Act's legislative history.9
The Commission's draft retains the requirement that an agency notify an individual when a record about him is made available in response to compulsory legal process once that process becomes a matter of public record. [(e)(1)(F)] The Commission, however, would require an agency to take "reasonable affirmative steps" to provide notice.
The current prohibition on collecting First Amendment information would be tightened considerably. [(e)(2)] No longer would such collection be allowed simply because it was "within the scope of an authorized law enforcement activity." [5 U.S.C. 552a(e)(7)] Rather, the Commission's suggested language would tie it to certain specific kinds of situations. A description of "the content of any publication, speech, or other expression of belief or argument by an individual in the exercise of rights guaranteed by the First Amendment" would not be allowed to be collected or maintained unless it were compiled pursuant to an authorized investigation of the sedition or espionage laws of the United States, or unless it would be legally admissible evidence in a criminal prosecution compiled pursuant to an authorized investigation under the criminal laws of the United States. Similarly, a description of the forum in which an individual exercises his First Amendment rights of speech, association, or religion could not be collected or maintained unless it were compiled pursuant to an authorized investigation of a violation of the laws of the United States. Other descriptions of an individual's exercise of First Amendment rights would be limited to collecting and maintaining "the time, place, and observed associations of an individual which are compiled pursuant to, and in the course of, an authorized investigation of a violation of the laws of the United States." An agency, however, would not be prohibited from collecting or maintaining a specific item of information required to be collected by statute or authorized to be collected by the individual to whom it pertains. In addition, collection and maintenance of information for "a reasonable and proper library, bibliographic, abstracting, or similar reference function" would not be curtailed.
PROPAGATION OF CORRECTIONS
The Commission believes that the requirement that an agency take reasonable steps to assure the accuracy of any record prior to disseminating it should be extended to require that corrections and amendments of records be forwarded to sources and to previous internal agency recipients of the erroneous or incomplete information. [(f)] In addition, the suggested revisions in the current propagation of corrections requirement would make the requirement applicable whether the error is discovered by the individual or by the agency. To keep this from imposing an undue burden on the agencies, however, a correction resulting from a normal agency update would not have to be propagated, unless (a) sources or prior recipients could not otherwise be "reasonably expected" to become aware of it; and (b) it could be expected to affect the outcome of a determination about the individual by a source or prior recipient. In addition, only those sources or prior recipients who received or provided information within a reasonable period of time prior to the making of the correction would have to be notified, although an agency would be required to take "reasonable affirmative steps" to furnish the correction to any person named by the individual to whom the record in which it is made pertains. Finally, a source of erroneous information who was not acting in an official capacity as a representative, officer, employee, or agent of an agency or other organization need not be apprised of a correction.
The Commission believes it appropriate to place the basic responsibility for propagating corrections on the record-keeping agency because there is otherwise no practical way for an individual to protect himself against the spread of erroneous information about him throughout the Federal government.
RESEARCH OR STATISTICAL RECORDS
Subsection (g) of the illustrative statute, along with subsection (d)(14) mentioned earlier, implements the relevant portions of the Commission's research and statistics recommendations presented in Chapter 15 of its final report. A complete description of the reasoning behind these recommendations is found in Chapter 15 and would not bear repetition here. Suffice it to note that, by referring to "individually identifiable records," subsection (d)(14) permits the use of administrative records for research and statistical purposes, whereas once a record fell within the definition of a "research or statistical record" [(a)(5)], its use and disclosure would be governed by subsection (g).
GENERAL NOTICE OF AGENCY SYSTEMS, POLICIES, AND PRACTICES
The Commission's suggested revision retains the current law's requirement of an annual public notice on each record-keeping system, but with the primary object of facilitating internal agency compliance monitoring and external oversight. Thus, the revised publication requirement is drawn more specifically than the current one, requiring, for example, that a notice "describe in detail, in terms of systems and subsystems that most accurately reflect the context or manner in which the agency uses the information, the existence and character of such systems and subsystems." [(h)(1)] An agency is also required to publish notices describing "any substantially similar or derivative systems or subsystems." [(h)(1)(A)] These requirements attempt to discourage the publication of notices on record-keeping operations which are represented as single systems but which in fact are made up of many diverse subsystems that the notices do not describe. The revised notice requirement does not specify at what level a subsystem must be described, or the way to describe indices, but it does demand that an agency present a true picture of how it uses information in a system and the interrelationships among the system's various subsystems. This approach, in the Commission's view, is much more likely to assure that there are no secret systems than the one currently in the Act.
The revised notice requirement also requires all agencies to list, for all systems, the procedures whereby an individual can request access to records about himself. [(h)(1)(H)] Under the current law, systems can qualify for exemptions from this part of the notice requirement under the broad exemption opportunities provided in subsections 3(j) and 3(k). [5 U.S.C. 552a(j) and (k)] As the Commission would revise them, however, the exemptions would no longer be automatic, so there is no reason to provide an exemption opportunity for any part of the public notice requirement, except the requirement to describe categories of sources of information. The Commission allows for such an exemption in two cases: (1) if the information is authorized to be kept secret in the interest of national defense or foreign policy; or (2) if it is investigative information compiled for law enforcement purposes as described in new subsection (b)(3)(B). [(h)(1)(I)]
Finally, the Office of the Federal Register would be given the additional responsibility of publishing agency notices and rules in a form "which is indexed, arranged, or otherwise prepared to enable ease of use and reference by the public." [(h)(2)] Every effort should be made to classify, compile, and index the information into logical categories. For example, it would be useful to differentiate between the large group of systems which are solely concerned with agency personnel and the much smaller number of (bigger) systems that contain information on citizens in general. The Federal Register compilation should make it easy for a private citizen, a member of a public interest group, or a Congressional staff member to pinpoint a particular type of notice, and the compilation of systems notices should be logically organized and indexed.
RIGHTS OF PARENTS AND LEGAL GUARDIANS
Subsection (i) of the suggested revision detailing the rights of parents and legal guardians acting on behalf of the record subject is identical to subsection 3(h) in the current Act. [5 U.S.C. 552a(h)] Subsection (i) is tempered, however, by the new disclosure provision which would permit the withholding of a record from a parent or legal guardian where such withholding is authorized by statute. [(b)(3)(H)]
The Commission believes that the Privacy Act should require the head of each agency to designate one official to oversee the agency's implementation of the Act's requirements. [(j)(1)] The official should be "the head of an office designated or created by the agency head, with as many components, field offices, or other supporting structures and staff as the agency head deems necessary." [(j)(1)(A)] In a small agency, this provision need not require the full-time attention of one employee. To assure accountability and good management, however, it is essential that responsibility for implementation of the Act be vested in a designated official.
The Commission found that those agencies that established formal, structured approaches and mechanisms to implement the Privacy Act were the most successful in their implementation of it. These agencies have provided the best training for their personnel, issued detailed, consistent internal guidelines, and devised procedures for auditing their own compliance with the Act.
The designated official would "issue such instructions, guidelines, and standards, and make such determinations" as may be necessary to implement the Act. [(j)(1)(B)] Where an agency's implementation of the current law's accuracy, timeliness, and completeness requirements, or of its safeguarding requirement, has been weak, the weakness often appears to be the product of the agency's failure to issue implementation guidelines. By placing responsibility and authority for providing such guidance in a designated office, fewer decisions should be made by default and agency employees will have a place to turn for answers to questions that arise in the course of implementation.
Finally, the Commission would retain, with little change, the requirement that agencies publish rules in the Federal Register defining their individual access, correction, and amendment procedures. [(j)(2)] The one modification is in the special procedures for the disclosure of medical records and medical-record information. [(b)(5)] Consistent with its recommendations with respect to private-sector medical-care providers and keepers of medical-record information, the Commission believes that an individual should be allowed to designate a lay representative to receive a medical record or medical-record information that an agency does not want to disclose to him directly for fear that knowledge of its contents would be harmful to him.
CIVIL AND CRIMINAL REMEDIES
The Commission suggests revising subsection 3(g) of the current law [5 U.S.C. 552a(g)] to allow an individual to obtain a court order compelling an agency to comply with the Act without having to demonstrate that he has actually been harmed by its failure. [(k)(1)-(3)] In some cases, it is virtually impossible to show injury or adverse effect as a result of a violation of the Privacy Act. If a notice requirement is violated, for example, such a showing is probably impossible. Even where an agency retains and refuses to correct inaccurate information, it may be difficult to demonstrate actual injury. Hence, the Commission believes an individual should be granted standing without the requirement to show specific injury.
In those cases where an individual can show adverse effect, the Commission's suggested language incorporates new damage standards. The minimum $1,000 recovery in the current law is retained, but general damages may also be sought up to $10,000 in excess of the dollar amount of any special damages. [(k)(4)]
The provision enabling an individual to seek injunctive relief would also be broadened. Any exemption upon which an agency bases a refusal to permit access would be open to judicial review. Further, a court would be empowered to order an agency to comply with any of the requirements of the Act, not only the access and correction provisions. [(k)(2), (3)]
The criminal penalties currently in the Act [5 U.S.C. 552a(i)] would remain unchanged. [(l)]
GOVERNMENT CONTRACTORS AND GRANTEES
The revised provision on contractors would make grantees and subcontractors susceptible to certain of the Act's provisions. [(m)] Equally important, the circumstances under which the law would apply to such parties are more precisely delineated than in the current law. "Any contractor or recipient of a Federal grant, or any subcontractor thereof, who performs any function on behalf of a Federal agency which requires the contractor or grantee to maintain individually identifiable records" would be subject to the provisions of the subsection, except that "employment, personnel, or other administrative records which the contractor or grantee maintains as a necessary aspect of supporting the performance of the contract or grant but which bear no other relation to the performance of the contract or grant" would not be covered. [(m)(1)(A)] The revised provision also would not apply to "individually identifiable records" which (a) are neither required nor implied by the terms of the contract or grant; (b) are records for which no representation of Federal sponsorship or association is made; and (c) are records which, except for audits or investigations, will not be available to the Federal agency with which the contract or grant is established. [(m)(1)(B)] These requirements would extend the coverage of the Act to Federal grantees whose functions are substantially the same as those of contractors.
Contractors and grantees would also be civilly liable under the Act, whereas currently they are only subject to the Act's criminal sanctions, and no agency would be permitted to include in a contract or grant a clause indemnifying the contractor or grantee against such civil liability. [(m)(3)(C)] This should increase the incentives for contractors and grantees to comply, since criminal sanctions are rarely enforced.
INTERACTION WITH OTHER LAWS
The Commission has suggested language mandating that whenever an agency receives a request for access to records which could be processed under either the Freedom of Information Act (FOIA) or the Privacy Act, the request shall be processed under the Privacy Act. [(q)(1)] This subsection further provides that in no instance shall the requesting individual receive less information than he would receive under the FOIA. This comports with the current policy of some agencies, but the Act itself does not require it.
OTHER PROVISIONS OF THE LAW
The current provisions relating to archival records [5 U.S.C. 552a(l)], Reports on New Systems [5 U.S.C. 552a(o)], Mailing Lists [5 U.S.C. 552a(n)], and the Annual Report of the President [5 U.S.C. 552a(p)] are retained in the revision without significant change. [(n), (o), (p), (r)] The Commission believes, however, that the evaluation of probable or potential effect on "privacy and other personal or property rights" implicitly called for in the new system report requirement should be understood to mean an evaluation of impact on the three dimensions of intrusiveness, fairness, and legitimate expectation of confidentiality that are explicated in some detail in its final report to the President and the Congress.
1. The Privacy Act of 1974 (Public Law 93-579) has been reprinted as Appendix A of this volume. Only Section 3 of the Act, however, has been codified in the U.S. Code. Hence, a reference in the text to [5 U.S.C. 552a(e)(10)], for example, refers to subsection 3(e)(10) of Appendix A. References in the text to the illustrative statute (Appendix B) will be readily distinguishable by the absence of any reference to 5 U.S.C. 552a or to subsection "3."
2. 5 U.S.C. 552a(a)(4).
3. See Chapter 3, footnote 6.
4. As indicated in footnote 1, above, this is a reference to the draft statute in Appendix B.
5. This topic is discussed more extensively in Appendix Volume 5, Technology and Privacy (Washington, D.C.: U.S. Government Printing Office, 1977).
6. U.S. Office of Management and Budget, "Privacy Act Implementation: Guidelines and Responsibilities," 40 F.R. 28948-28978 (July 9, 1975).
7. 5 U.S.C. 552(a)(3).
8. 5 U.S.C. 552(a)(6). See also, U.S. Congress, Freedom of Information Act and Amendments of 1974 (P.L. 93-502) (Joint Comm. Print: House Committee on Government Operations, Senate Committee on the Judiciary), 94th Congress, 1st Session, pp. 175-180 (1975).
9. See: U.S. Senate, Report of the Committee on Government Operations to Accompany S. 3418 (Report No. 93-1183, September 26, 1974) pp. 5456.