FOIA Counselor
The relationship of the Privacy Act to the Freedom of Information Act (FOIA) is a subject of
recurring concern. All agency records are subject to FOIA, while the Privacy Act applies only to
records in "systems" [defined in 5 U.S.C.
Interface questions arise in two contexts:
(1) requests from a third party for records about another individual in a Privacy Act system of records; and
(2) requests from a first party "individual" for his or her own records in a Privacy Act system.
Third party requests raise only substantive interface questions over how much information may be given to the requester. First party requests present both substantive problems and procedural questions over what "rules of the game" apply.
When a third party requests records about another person that are subject to both Acts, the
answer to the interface question is straightforward if the records are not exempt under FOIA. The
Privacy Act has no limitations on release of such records. Specific language in the Privacy Act [5
U.S.C.
If some FOIA exemption, such as (b)(6), exists to allow an agency legally to withhold the records requested by the third party, then an agency must deny access or justify any discretionary release of those records under one of the ten other types of release permitted by subsection (b) of the Privacy Act without the consent of the individual to whom the records pertain.
First party requests present much more complicated interface problems. When the Privacy Act was passed, there was disagreement as to whether it had become the exclusive vehicle for persons seeking their own records from a system of records. The answer to this question is an unqualified "no." The fact that someone is an "individual" with rights of access under the Privacy Act does not in any way change the fact that he or she is also a "person" with rights of access under FOIA.
Thus, although it need not be counted as such for statistical purposes, a Privacy Act request for access to records should normally be considered as, in effect, also a FOIA request. If, however, all or any portion of the requested material is to be denied, it must be considered under the substantive provisions of both acts. The withholding must be justified by the assertion of a legally applicable exemption in each Act.
The fact that a record is exempt under one of the two acts is not determinative; if it is not exempt under the other, it must be released to a first patty. Furthermore, this is the result whether or not the requester cites the Privacy Act only, FOIA only, both acts, or neither act.
In practice, agencies would not reach the FOIA exemption question unless the records were exempt under the Privacy Act because subsection (q) of the Privacy Act provides that no FOIA exemption may be used to deny an individual's Privacy Act rights of access.
In addition to these substantive issues, first party requests present significant procedural interface problems. FOIA requires that initial requests for access be answered in ten working days and administrative appeals in twenty. The Privacy Act contains no such administrative deadlines for responding to access requests. The Office of Management and Budget (the lead agency on Privacy Act matters) has recommended that such requests be acknowledged within ten working days and that "[w]henever practicable, that acknowledgment should indicate whether or not access can be granted, and, if so, when." 40 Fed. Reg. 28,957 (1975).
Thus, the question arises as to what procedures are to be followed in processing first party
requests for records in a Privacy Act system of records. Although technical arguments can be
made that the FOIA time limits apply, OILP believes the substantive complexities of dual
processing justify following Privacy Act procedures, including any time limits an agency has
imposed on itself by regulation. See, e.g., 28 C.F.R.
In closing, note that the above discussion applies only to first-party requests for records in a Privacy Act system of records. First-party requests for records not in such a system are processed only under FOIA.
Go to: FOIA Update Home Page