The Privacy Act and the RRB
Overview

 


The Privacy Act grew out of a growing concern in the Congress and the nation at large over the potential misuse of the vast amounts and kinds of personal information that Federal agencies collect and maintain on individuals, particularly in the light of computer technology with its enormous power to store, manipulate, and transmit data. Its aim was to prevent misuse by the granting of rights and the imposition of obligations. The rights were granted to the persons on whom the Federal agencies collect and keep information; the obligations were imposed on the Federal agencies that collect and keep such information. Indeed, most of the provisions of this complex act can best be understood by thinking in the dual terms of rights and obligations.

Limitations

Before describing those rights and obligations, it is important that we become aware of some of the key limitations of the Privacy Act.

  • It applies only to Federal agencies in the executive branch of government; it does not apply to the Congressional or Judicial branches. Nor does it apply to state or local government agencies, or organizations or businesses in the private sector.
  • It applies only to information about living persons. Information about deceased persons is not covered under the Privacy Act.
  • And very importantly, the Privacy Act does not cover all individual information, even of living persons; it covers individual information only if the information is included in a "system of records." This is a key concept. As defined in the Privacy Act, a system of records is a group of records that are retrieved by some kind of personal identifier, such as a name or number.

Rights

The rights of individuals on whom Federal agencies collect and keep information (we will call them the "subject individuals") can be classified into the following eight categories:

  • Prior Notice
  • Access
  • Amendment
  • Appeal
  • Statement of Disagreement
  • Litigation
  • Restricted Disclosure
  • Accounting of Disclosures

Prior Notice:

When a potential subject individual is requested to furnish personal information to a federal agency, he or she has the right to be informed of the following: the federal agency's legal authority for requesting the information, the purpose for collecting it, the related uses that might be made of it, whether furnishing the information is mandatory or voluntary, and the consequences of refusing to furnish the information. This notice is often called the Privacy Act Notice. It may be found on the form on which the individual is asked to furnish the information, or on a separate form.

Access:

An individual has a right to be informed, in response to his or her request, whether a Federal agency maintains any record on him or her. If it does, the individual has a right to see the record and to have a copy made of it in a form that is understandable to him or her. However, agencies are permitted to publish special rules governing access to medical records. Usually, these rules permit an agency to furnish the records to the subject individual's personal physician rather than directly to the subject individual if it believes that direct disclosure could be harmful to the subject individual. In such cases, it is up to the individual's physician to review the medical records and discuss them with the individual.

Amendment:

An individual has a right to request amendment of his or her record if he or she believes it to be inaccurate or incomplete.

Appeal:

If the agency denies his or her amendment request, he or she has the right to appeal to the head of the agency or an officer assigned by the head of the agency.

Statement of Disagreement:

If the appeal is denied, the individual has the right to file a concise statement of disagreement, which the agency then is obliged to disclose each time it later discloses the information in dispute.

Litigation:

The subject individual has the right to bring a civil action in Federal Court against an agency if it denies him or her access to his or her record or if it denies his or her appeal to have his or her record amended. The individual can also sue the agency for failing to properly maintain his or her records, or otherwise comply with the provisions of the Privacy Act, in such a way as to have an adverse effect on him or her.

Restricted Disclosures:

The individual has the right to expect that the agency will not disclose his or her records, without his or her consent, except according to the specific conditions permitted in the Privacy Act. There are 12 specific conditions of permitted disclosures. The most pertinent are the following:

  • to the employees of the agency who have a need for the record in the performance of their duties;
  • when required under the Freedom of Information Act;
  • for a "routine use." A routine use is defined as a use for a purpose which is compatible with the purpose for which the record was collected. Routine use disclosures are mainly to other government agencies to enable them to fulfill their mission.

Disclosures are also permitted to the Bureau of the Census, the National Archives, the Comptroller General and either House of Congress, for certain specified purposes. Also, disclosures can be made if the record will be used for statistical purposes and will not be individually identified; for a law enforcement activity under certain restricted conditions; to a consumer credit bureau also under very specific and narrow conditions; and under compelling circumstances affecting the health or safety of the subject individual.

Accounting of Disclosures:

The subject individual has a right to receive an accounting of the disclosures that have been made of his records, with three exceptions: disclosures within the agency, disclosures required under the Freedom of Information Act, and disclosures made for lawful civil or criminal law enforcement activities under certain specified conditions. The accounting consists of the name and address of the person or organization to whom the record was disclosed, the date of the disclosure, and the identity of the record that was disclosed. Agencies must keep accounting records for at least 5 years or the life of the record that was disclosed, whichever is longer.

Obligations

Whereas the rights the Privacy Act grants are to individuals on whom agencies collect and keep information, the obligations which the Act imposes are on the agencies themselves. First and foremost among the agency obligations is the obligation to honor the rights of the individuals on whom they collect and keep information. That's obvious. Rights are claims against other parties. In this case, the claims are against the agencies. The ability of the individuals to enjoy their rights rests with agencies who have the obligation to honor them. Agencies have obligations that go beyond honoring the individual rights we've just described. We can classify most of these additional obligations under the following five categories:

  • Restrictions on Collecting and Maintaining Information
  • Care of Records Requirements
  • Publication Requirements
  • Rules
  • Reporting

Restrictions on Collecting and Maintaining Records:

An agency is obligated to:

  • Maintain in its record only such information about an individual as is relevant and necessary to accomplish a purpose of the agency. This purpose must be required by law or an Executive Order of the President.
  • Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under federal programs.
  • Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained, or unless pertinent to and within the scope of an authorized law enforcement activity.

Care of Records:

Agencies are required to take good care of the personal records they collect and maintain, not only to prevent misuse but to ensure fairness and guard against careless hazards and harms. The language of the Privacy Act is instructive in describing more fully this good care requirement and bears direct quotation here.

An agency is required to:

Maintain all records which are used by the agency in making any determinations about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

An agency is also required to:

Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the information is maintained.

Another requirement that can be considered a "good care" requirement is the one that requires agencies to develop rules of conduct concerning their employees' obligations under the Privacy Act.

Additional privacy protections to those afforded by the Privacy Act were contained in the E-Government Act of 2002, such as privacy impact assessments.

Publication Requirements:

One of the key ideas behind the Privacy Act is that agencies maintain no secret records. To carry out this no secrecy purpose, agencies are required to publish a description of all their systems of records in the Federal Register, an official publication published daily by the U.S. Government. The description includes the following main titles: name; location; categories of individuals covered by the system; categories of records covered in the system; authority for maintenance of the system; routine uses of the records; policies and practices for storing, retrieving, accessing, retaining and disposing of records; name and address of the system manager; notification, record access, and contesting record procedures; and record source categories. Any changes in previously published systems of records must also be published.

Special publication requirements apply to the routine uses. Agencies must allow 30 days for public comment before making any disclosures under them. If they receive any public comments, they must respond to them in the Federal Register before disclosures can be made.

Rules:

Agencies are required to publish rules on how individuals can exercise their rights under the Privacy Act. These rules are called regulations, and they, too, are published in the Federal Register. (The RRB's regulations implementing the Privacy Act can be found at 20 CFR, Section 200.5.)

Reporting Requirements:

Agencies are required to provide an annual Privacy Management Report to the Office of Management and Budget on their implementation of Privacy Act and other privacy provisions required, such as privacy impact assessments required by the E-Government Act of 2002. Also, whenever they want to establish a new system of records or substantially alter an existing one, they must report their intention to OMB and to the Senate and House of Representatives. This is in addition to the requirements to publish the changes in the Federal Register.

Summary of the Privacy Act

The Privacy Act should be seen as a comprehensive attempt to protect the legitimate privacy interests of the individuals on whom Federal agencies collect and maintain information. As we have seen, it attempts to achieve this goal through the dual thrust of granting rights and imposing obligations--rights for the individual, obligations for the agencies.

Another way of viewing the Privacy Act is to see it as establishing a "code of fair information practices." The code sets standards that each Federal agency must meet as it collects, maintains, and uses information on individuals. It establishes the role of Federal agencies as stewards, rather than owners of the information they possess. Although Federal agencies have control over the information, the code of fair information practices clearly establishes that these agencies are not free to collect, use and disclose information as they please. The responsibility of stewardship requires care and fairness in the way information is collected and held, commitment that those who have the rights to this information will be given access to it, and vigilance to protect the information from those who have no legitimate use for it.


U.S. Railroad Retirement Board
844 North Rush Street
Chicago Illinois, 60611-2092
Telephone: (312) 751-4500 TTY: (312) 751-4701
Date posted: 02/12/2007
Date updated: 10/01/2007