The Privacy Act grew out of a growing concern in the Congress and the nation at
large over the potential misuse of the vast amounts and kinds of personal
information that Federal agencies collect and maintain on individuals,
particularly in the light of computer technology with its enormous power to
store, manipulate, and transmit data. Its aim was to prevent misuse by the
granting of rights and the imposition of obligations. The rights were granted to
the persons on whom the Federal agencies collect and keep information; the
obligations were imposed on the Federal agencies that collect and keep such
information. Indeed, most of the provisions of this complex act can best be
understood by thinking in the dual terms of rights and obligations.
Limitations
Before describing those rights and obligations, it is important that we become
aware of some of the key limitations of the Privacy Act.
- It applies only to Federal agencies in the executive branch of government;
it does not apply to the Congressional or Judicial branches. Nor does it apply
to state or local government agencies, or organizations or businesses in the
private sector.
- It applies only to information about living persons. Information about
deceased persons is not covered under the Privacy Act.
- And very importantly, the Privacy Act does not cover all individual
information, even of living persons; it covers individual information only if
the information is included in a "system of records." This is a key concept.
As defined in the Privacy Act, a system of records is a group of records that
are retrieved by some kind of personal identifier, such as a name or number.
Rights
The rights of individuals on whom Federal agencies collect and keep
information (we will call them the "subject individuals") can be classified into
the following eight categories:
- Prior Notice
- Access
- Amendment
- Appeal
- Statement of Disagreement
- Litigation
- Restricted Disclosure
- Accounting of Disclosures
Prior Notice:
When a potential subject individual is requested to furnish personal
information to a federal agency, he or she has the right to be informed of the
following: the federal agency's legal authority for requesting the information,
the purpose for collecting it, the related uses that might be made of it,
whether furnishing the information is mandatory or voluntary, and the
consequences of refusing to furnish the information. This notice is often called
the Privacy Act Notice. It may be found on the form on which the individual is
asked to furnish the information, or on a separate form.
Access:
An individual has a right to be informed, in response to his or her request,
whether a Federal agency maintains any record on him or her. If it does, the
individual has a right to see the record and to have a copy made of it in a form
that is understandable to him or her. However, agencies are permitted to publish
special rules governing access to medical records. Usually, these rules permit
an agency to furnish the records to the subject individual's personal physician
rather than directly to the subject individual if it believes that direct
disclosure could be harmful to the subject individual. In such cases, it is up
to the individual's physician to review the medical records and discuss them
with the individual.
Amendment:
An individual has a right to request amendment of his or her record if he or
she believes it to be inaccurate or incomplete.
Appeal:
If the agency denies his or her amendment request, he or she has the right to
appeal to the head of the agency or an officer assigned by the head of the
agency.
Statement of Disagreement:
If the appeal is denied, the individual has the right to file a concise
statement of disagreement, which the agency then is obliged to disclose each
time it later discloses the information in dispute.
Litigation:
The subject individual has the right to bring a civil action in Federal Court
against an agency if it denies him or her access to his or her record or if it
denies his or her appeal to have his or her record amended. The individual can
also sue the agency for failing to properly maintain his or her records, or
otherwise comply with the provisions of the Privacy Act, in such a way as to
have an adverse effect on him or her.
Restricted Disclosures:
The individual has the right to expect that the agency will not disclose his
or her records, without his or her consent, except according to the specific
conditions permitted in the Privacy Act. There are 12 specific conditions of
permitted disclosures. The most pertinent are the following:
- to the employees of the agency who have a need for the record in the
performance of their duties;
- when required under the Freedom of Information Act;
- for a "routine use." A routine use is defined as a use for a purpose which
is compatible with the purpose for which the record was collected. Routine use
disclosures are mainly to other government agencies to enable them to fulfill
their mission.
Disclosures are also permitted to the Bureau of the Census, the National
Archives, the Comptroller General and either House of Congress, for certain
specified purposes. Also, disclosures can be made if the record will be used for
statistical purposes and will not be individually identified; for a law
enforcement activity under certain restricted conditions; to a consumer credit
bureau also under very specific and narrow conditions; and under compelling
circumstances affecting the health or safety of the subject individual.
Accounting of Disclosures:
The subject individual has a right to receive an accounting of the
disclosures that have been made of his records, with three exceptions:
disclosures within the agency, disclosures required under the Freedom of
Information Act, and disclosures made for lawful civil or criminal law
enforcement activities under certain specified conditions. The accounting
consists of the name and address of the person or organization to whom the
record was disclosed, the date of the disclosure, and the identity of the record
that was disclosed. Agencies must keep accounting records for at least 5 years
or the life of the record that was disclosed, whichever is longer.
Obligations
Whereas the rights the Privacy Act grants are to individuals on whom agencies
collect and keep information, the obligations which the Act imposes are on the
agencies themselves. First and foremost among the agency obligations is the
obligation to honor the rights of the individuals on whom they collect and keep
information. That's obvious. Rights are claims against other parties. In this
case, the claims are against the agencies. The ability of the individuals to
enjoy their rights rests with agencies who have the obligation to honor them.
Agencies have obligations that go beyond honoring the individual rights we've
just described. We can classify most of these additional obligations under the
following five categories:
- Restrictions on Collecting and Maintaining Information
- Care of Records Requirements
- Publication Requirements
- Rules
- Reporting
Restrictions on Collecting and Maintaining Records:
An agency is obligated to:
- Maintain in its record only such information about an individual as is
relevant and necessary to accomplish a purpose of the agency. This purpose
must be required by law or an Executive Order of the President.
- Collect information to the greatest extent practicable directly from the
subject individual when the information may result in adverse determinations
about an individual's rights, benefits, and privileges under federal programs.
- Maintain no record describing how any individual exercises rights
guaranteed by the First Amendment unless expressly authorized by statute or by
the individual about whom the record is maintained, or unless pertinent to and
within the scope of an authorized law enforcement activity.
Care of Records:
Agencies are required to take good care of the personal records they collect
and maintain, not only to prevent misuse but to ensure fairness and guard
against careless hazards and harms. The language of the Privacy Act is
instructive in describing more fully this good care requirement and bears direct
quotation here.
An agency is required to:
Maintain all records which are used by the agency in making any
determinations about any individual with such accuracy, relevance, timeliness,
and completeness as is reasonably necessary to assure fairness to the individual
in the determination.
An agency is also required to:
Establish appropriate administrative, technical, and physical safeguards to
insure the security and confidentiality of records and to protect against any
anticipated threats or hazards to their security or integrity which could result
in substantial harm, embarrassment, inconvenience, or unfairness to any
individual on whom the information is maintained.
Another requirement that can be considered a "good care" requirement is the
one that requires agencies to develop rules of conduct concerning their
employees' obligations under the Privacy Act.
Privacy protections additional to those afforded by the Privacy Act, such as
privacy impact assessments, were contained in the E-Government Act of 2002.
Publication Requirements:
One of the key ideas behind the Privacy Act is that agencies maintain no
secret records. To carry out this no-secrecy purpose, agencies are required to
publish a description of all their systems of records in the Federal Register,
an official publication published daily by the U.S. Government. The description
includes the following main titles: name; location; categories of individuals
covered by the system; categories of records covered in the system; authority
for maintenance of the system; routine uses of the records; policies and
practices for storing, retrieving, accessing, retaining and disposing of
records; name and address of the system manager; notification, record access,
and contesting record procedures; and record source categories. Any changes in
previously published systems of records must also be published.
Special publication requirements apply to the routine uses. Agencies must
allow 30 days for public comment before making any disclosures under them. If
they receive any public comments, they must respond to them in the Federal
Register before disclosures can be made.
Rules:
Agencies are required to publish rules on how individuals can exercise their
rights under the Privacy Act. These rules are called regulations, and they, too,
are published in the Federal Register. (The RRB's regulations implementing the
Privacy Act can be found at 20 CFR, Section 200.5.)
Reporting Requirements:
Agencies are required to provide an annual Privacy Management Report to the
Office of Management and Budget on their implementation of the Privacy Act and
other required privacy provisions, such as the privacy impact assessments
required by the E-Government Act of 2002.
Also, whenever they want to establish a new system of records or substantially
alter an existing one, they must report their intention to OMB and to the Senate
and House of Representatives. This is in addition to the requirements to publish
the changes in the Federal Register.
Summary of the Privacy Act
The Privacy Act should be seen as a comprehensive attempt to protect the
legitimate privacy interests of the individuals on whom Federal agencies collect
and maintain information. As we have seen, it attempts to achieve this goal
through the dual thrust of granting rights and imposing obligations--rights for
the individual, obligations for the agencies.
Another way of viewing the Privacy Act is to see it as establishing a "code
of fair information practices." The code sets standards that each Federal agency
must meet as it collects, maintains, and uses information on individuals. It
establishes the role of Federal agencies as stewards, rather than owners, of the
information they possess. Although Federal agencies have control over the
information, the code of fair information practices clearly establishes that
these agencies are not free to collect, use and disclose information as they
please. The responsibility of stewardship requires care and fairness in the way
information is collected and held, commitment that those who have the rights to
this information will be given access to it, and vigilance to protect the
information from those who have no legitimate use for it.