Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.

Publication Date

PRIVACY PROTECTION STUDY COMMISSION

Chairman: David F. Linowes, Certified Public Accountant, New York City, and Boeschenstein Professor of Political Economy and Public Policy, University of Illinois

Vice Chairman: Dr. Willis H. Ware, The Rand Corporation Santa Monica, California

William O. Bailey, President Aetna Life & Casualty Company Hartford, Connecticut

William B. Dickinson Retired Executive Editor, Philadelphia Evening Bulletin Philadelphia, Pennsylvania

Congressman Barry M. Goldwater, Jr. of California Washington, D.C.

Congressman Edward I. Koch of New York Washington, D.C.

State Senator Robert J. Tennessen, Attorney Grose, Von Holtum, Von Holtum, Sieben & Schmidt Minneapolis, Minnesota

"

Preface

The Privacy Protection Study Commission was given the broad mandate to investigate the personal-data record-keeping practices of governmental, regional, and private organizations and to recommend to the President and the Congress the extent, if any, to which the principles and requirements of the Privacy Act of 1974 should be applied to them. 1 Early in its inquiry, the Commission decided that to fulfill this mandate an assessment of the Privacy Act itself, its underlying philosophy, and the experience of Federal agencies to date in complying with it would be necessary. This appendix volume reports the detailed results of that assessment.

Those who have read Chapter 13 of Personal Privacy in an Information Society, the Commission's final report to the President and the Congress, will recognize the material in Chapter 3 of this volume. In Chapters 1 and 2, however, the reader will find much that we would have included in our final report had we not wanted to keep each of its 16 chapters to a reasonable length. In addition, in Chapter 4 of this volume, we discuss how the suggestions in Chapter 13 of our final report might be implemented as legislative requirements.

Our findings and conclusions are based on communications with agency heads and their designated Privacy Act points-of-contact, testimony from various Commission hearings, agency annual reports, some informal workshops, and hundreds of personal and telephone interviews by stafF. Although our inquiry was conducted in the early days of the Act's implementation, we believe that this close and continuous staff contact with agency operating personnel has allowed a fair assessment of agency implementation experience.

In conducting our inquiry, we encountered drafting problems in the current law, and, as the subsequent discussion will indicate, drafting details can have important consequences in an area which is both new to regulation and dependent upon changing technology. Thus, our conclusions concentrate on policy objectives rather than on the specifics of implementation. Our objective in setting forth our conclusions and offering suggestions for changes in the Act is to allow the policy objectives of the current law to be achieved more successfully without destroying necessary opportunities for flexibility in implementation. We have adopted this approach to allow for changing information technology and diversity of agency information needs and uses, as well as to foster the constructive creativity that can arise in the absence of overly restrictive requirements.

In many instances, the difficulty with the current law does not appear to arise from the flexibility of implementation it allows, but rather from the fact that agencies have taken advantage of that flexibility to contravene its spirit. Yet, making the law less flexible is not a desirable solution. Implementation costs would rise dramatically, and new developments in information technology could invite uncontrollable circumvention of rigidities in the statute. Hence, our approach has been to strengthen implementation flexibility while striving for clarity of interpretation and providing incentives for agencies to comply. This preserves the autonomy of each agency to decide how best to comply with each requirement.

If one accepts the view that it is best to tell an agency what to do, rather than how to do it, there are, nonetheless, issues that each agency cannot, and in some cases should not, resolve singly. The most obvious one is the question of whether a particular type of record-keeping system should exist at all; another is whether particular transfers of records among agencies are desirable. Such questions require independent policy judgments and therefore must be addressed by an entity other than the one directly involved. In Chapter 1 of Personal Privacy in an Information Society we enumerated the functions we believe such an independent entity should fulfill.

Finally, it is worth noting that the concerns expressed by the various agencies at the time of the Act's passage regarding anticipated costs of implementation, numbers of access requests, and burden of administration have generally proved to be unwarranted. Cost figures recently released by the Office of Management and Budget (OMB) show expenditures to be much lower than originally estimated. In 1974, OMB estimated that implementing the Act would cost $200-$300 million per year over the first four to five years and would require an additional one time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect had been $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.2

The Commission hopefully expects that by making the details of its assessment of the Privacy Act available, it will contribute to making the law more effective. Although we describe some agency practices that seem less than exemplary, we also report many that show a constructive effort to comply with the spirit as well as the letter of the law. On balance, we believe that the Privacy Act of 1974 is an important step forward.

In conducting our assessment, we benefitted from the knowledge and counsel of hundreds of dedicated individuals throughout the Federal government. We were also fortunate to have associated with us an unusually industrious project staff. Arthur A. Bushkin served as Project Manager. Working with him as professional staff and consultants were Donald Bartlett, Justine V. R. Milliken, Timothy B. Braithwaite, Major William R. Elliott, Jr., Claudia R. Higgins, and J. Michael Taylor. Research assistance was provided by Zemphria R. Baskin. To each of them we extend our sincere appreciation.

David F. Linowes
Chairman


1 88 Stat. 1905(b)(1); P.L. 93-579.

2Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, p. 23.

Chapter I. The Implementation Framework.

In assessing the impact of the Privacy Act of 1974 on Federal agency record-keeping practice, it is essential to understand the framework of reporting requirements, guidelines, regulations, and enforcement procedures that give structure to the mix of rights and responsibilities the Act establishes. It is also important to understand how the agencies have provided for the ordinary workaday administration of the Act, not only within the framework of rights and obligations the Act itself establishes, but also in conjunction with other statutes, such as the Freedom of Information Act [5 U.S.C. 552] and the Administrative Procedures Act [5 U.S.C 551] et seq. This chapter examines that basic implementation framework and offers examples of the ways agencies have attempted to respond and adapt to it. It explains to whom and to what the Act applies, describes how the Act's several notice and reporting requirements have been implemented, examines the guidance and oversight role of the Office of Management and Budget, and briefly assesses agency rule making and compliance monitoring, as well as the various vehicles for enforcing the Act's requirements

To Whom Does the Act Apply?

The Privacy Act of 1974 applies to an "agency" as defined in subsection 552(e) of the Freedom of Information Act (FOIA) and to certain government contractors as defined by its own subsection 3(m). [5 U.SC 552a(m)] The original FOIA, passed in 1966, contained no definition of an agency, relying instead on the Administrative Procedures Act (APA). The APA defines an agency as "each authority of the government of the United States, whether or not it is within or subject to review by another agency . . . ." [5 U.S.C 55](1)] In 1971, in Soucie v. David [448 F2d. 1067,1073], this definition was interpreted by the Court of Appeals for the District of Columbia to mean that an agency is "any administrative unit with substantial independent authority in the exercise of specific functions." In other words, as the Attorney General later put it, there may be "agencies within agencies.1

In the autumn of 1974, just prior to enacting the Privacy Act, the Congress amended the Freedom of Information Act, in part to clarify and expand the classes of organizational entities to which the FOIA would apply. No longer relying solely on the APA definition, the Congress specifically defined the term "agency" to include

. . . any executive department, military department, Government corporation, Government controlled corporation, or other estab-lishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. [5 U.S. C. 552(e)]

The House report on the 1974 Freedom of Information Act amend-ments states that this definition includes establishments such as the U.S. Postal Service (USPS), and, within the Executive Office of the President, the Office of Management and Budget (OMB), the Council of Economic Advisers (CEA), and the National Security Council (NSC). It also includes corporations controlled by the government but not wholly owned by it, along with wholly government-owned corporations established by Congress, such as the Tennessee Valley Authority and the Federal Crop Insurance Corporation. It does not, however, include corporations that simply receive appropriated funds, such as the Corporation for Public Broadcasting, nor does it include the President's immediate personal staff or units in the Executive Office of the President whose sole function is to advise and assist the President 2

In an April 1975 letter to the Office of Management and Budget, the Justice Department advised on the Privacy Act implications of the new FOIA definition as follows:

. . . it is our firm view that . . . it is for the over-unit-the Department or other higher-level "agency"-to determine which of its substantially independent components will function indepen-dently for Freedom of Information Act purposes. Moreover, as the Attorney General [has] noted . . ., "it is sometimes permissible to make the determination differently for purposes of various provi-sions of the [FOIA]-for example, to publish and maintain an index at the over-unit level while letting the appropriate subunits handle requests for their own records." (Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, February, 1975, p. 25). In our view, this practice of giving variable content to the meaning of the word "agency" for various purposes can be applied to the Privacy Act as well as the Freedom of Information Act. For example, it may be desirable and in furtherance of the purposes of the Privacy Act to treat the various components of a Department as separate "agencies" for purposes of entertaining applications for access and ruling upon appeals from denials, while treating the Department as the "agency" for purposes of those provisions limiting intragovernmental exchange of records. (Of course, dissemination among components of the Department must still be only on a "need-to-know" basis.) [5 U.S.C. 552a(b)(1)]. Needless to say, this practice must not be employed invidiously, so as to frustrate rather than to further the purposes of the Privacy Act; and there should be a consistency between the practice under the Privacy Act and the practice for comparable purposes under the Freedom of Information Act.3 .

The Justice Department's position has been reaffirmed by OMB which incorporated it in the OMB Guidelines on Privacy Act Implementation.4 The interpretation that emerges is clearly one based on function, not organiza tion. The agencies can use varying definitions of agency for varying functional purposes, regardless of the organizational structures involved. The only restriction is that the definitions adopted should not needlessly frustrate the purposes of the Act and, by and large, the definitions the agencies have adopted have not done so. The one problem, discussed in Chapter 2, below, is that to allow for the free flow of information about individuals within its own organizational boundaries, each agency has defined itself as an agency at the highest possible level. Thus, within a Cabinet Department that operates many different programs, it is theoreti-cally possible for a record about an individual maintained by one program to be available to all the others on a need-to-know basis. So far, however, there is no evidence that the flexibility the Act allows in that regard has been abused.

Government contractors are another category of entities to which the Privacy Act applies. Subsection 3(m) of the Act provides that:

When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of . . . [the Act] to be applied to such system. For purposes of subsection (i) [the criminal penalties provision] of [the Act] any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of [the Act], shall be considered to be an employee of an agency. [5 U.S.C. 552a(m)]

The legislative history of subsection 3(m) is unclear regarding the Congress' intent. The drafters of the Senate bill were primarily concerned with the flow of criminal-history records to and from State and local governments, and with the amount of money that had been spent through Federal grants to establish State and local criminal justice information systems. Thus, the Senate bill would have extended the provisions of the Privacy Act to contractors or grantees in situations where the purpose of the contract or grant was to establish or alter a system of records. The compromise amendment, however, permitted Federal law enforcement agencies to exempt most of their contractors from the Act's coverage, and also removed all grantees from the purview of the Act.

The OMB Guidelines state that subsection 3(m) was intended to cover de facto as well as de jure Federal agency systems;5 that is, to cover systems "taking the place of Federal systems which, but for the contract, would have been performed by the agency and covered by the Privacy Act "6 In practice, however, deciding when a contractor's system exists to "accom-plish an agency function" has often been difficult. The OMB Guidelines say that to fall under subsection 3(m) a contract would normally provide, as one of its specific requirements, that the contractor operate a system of records. Nonetheless, a contract that does not mention a system, but which can be performed only by the operation of one, would be covered; while the Act would not reach a contractor's system "used as a result of his management discretion," such as the personnel system of a large defense contractor.7

The difficulties and pitfalls in interpreting subsection 3(m) are exemplified by the following paragraph in a May 14, 1976, memorandum from the DHEW General Counsel to all of the Department's Privacy Act contacts and procurement officers:

It is fair to conclude that a system of records established by an HEW contractor for the purpose of enabling the contractor to prepare and submit to the HEW contracting agency statistical or other reports is not a system "actually taking the place of a Federal system which, but for the contract, would have been performed" by the agency. Where the contracting agency is interested only in obtaining the results of the research or other work performed under the contract (generally in the form of a report) and does not require the contractor to furnish it individually identifiable records from the system established by the contractor, it cannot be said that the system is one which "but for" the contract, the agency would have established.8

Strictly speaking, this interpretation is consistent with the OMB Guidelines, even though the memorandum goes on to advise DHEW contracting officers to incorporate into contracts, where appropriate, ". . . the provisions designed to protect the confidentiality of the records and the privacy of individual identifiers in the records." However, a position opposite to the memorandum's basic position would also be easy to defend. That is, if the study were not funded, the records would not exist, and thus the Federal government should not consider itself wholly without responsibility for the contractor's record-keeping practices. Moreover, it is widely recognized that subsection 3(m) excludes grantees who often perform functions that are indistinguishable in practice from the functions contractors perform.

What Is Covered by the Act

Where the Act fails to meets its objectives, the failure can often be traced, in part, to the record and system-of-records definitions that further limit its scope of application. The Privacy Act applies to a "record" that is "retrieved" from a "system of records" by the name of an individual "or by some identifying number, symbol, or other identifying particular" assigned to him. [5 U.S.C. 552a(a)(5)]

As defined in subsection 3(a)(4), "record" means:
. . . any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph. [5 U.S.C 552a(a)(4)]

This definition potentially includes every record that contains any kind of information associated with an individual. Subsection 3(a)(5), however, defines a "system of records" as:

. . . a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. [5 U.S. C 552a(a)(5)] Thus, unless an agency, in fact, retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular. . .," the system in which the information is maintained is not covered by the Act.

Whereas the record definition refers to information about an individu-al that contains his name or identifier; the system-of-records definition refers to information about an individual that is retrieved by name, identifier, or identifying particular. The crucial difference between the two definitions is obvious, and the effect has been to exclude many records from the Act's requirements about individuals that are not accessed by name, identifier, or assigned particular. The Interior Department, for example, files its records on job candidates recommended by Congressmen under the Congressmen's names rather than the names of the applicants,9 and the Maritime Administration (Department of Commerce) files information on directors of shipbuilding firms by shipyard and shipbuilding contract rather than by the directors' names.10 All of these examples, however, are within the strictures of the law.

The system-of-records definition also creates uncertainty as to which records are, or should be, subject to the Act. For example, questions have been raised about the status of the State Department's cable system, which Federal agencies use to transmit information overseas. Because this computerized communications system has the ability to retrieve information in the cables on the basis of personal identifiers, the State Department might be considered to maintain an extensive system of records derived from other agencies' cable traffic. So far, however, there has been no clear determina-tion as to whether the cable system should be considered a State Department system of records or simply a facility for communicating information in records maintained by the user agencies.

In addition, some agencies treat record-keeping systems that techni-cally do not fall under the Act as if they did. The General Services Administration, for example, allows its employees access to merit promotion information, even though such information is filed by vacancy announce-ment number.11 The Interior Department has a system that records the number of ducks that duck hunters shoot each year. This information is neither filed nor retrieved by personal identifier, but because law enforce-ment officials are given, approximately ten times a year, the names of individuals who have reported shooting an endangered species, the Department decided that it would apprise the hunters of the uses that could routinely be made of the information they report.12

A further and extraordinarily important flaw in the system-of-records definition is that it springs from a manual rather than a computer-based model of information processing. In a manual record-keeping system, records are apt to be stored and retrieved by reference to a unique identifier. This, however, is not necessary in a modern computer-based system that permits attribute searches. An attribute search, in contrast to the convention-al "name search," or "index search," starts with a collection of data about many individuals and seeks to identify those particular individuals in the system who meet a set of prescribed conditions or who have a set of prescribed attributes or combination of attributes. For example, officials of the Veterans Administration (VA) testified in the Commission's hearings on medical records that the VA has produced lists of names for another agency by using psychiatric diagnosis, age, and several other personal attributes as the search keys.13

A growing number of computer systems today are also programmed to retrieve information by what is known as the "textual search" process. Briefly, the search program is keyed to "hit" on certain arrangements of characters or items of data as it scans material that has previously been assimilated into the system as raw text; such as reports, letters, or memoranda. It would appear, however, that such a system would not be subject to the Privacy Act because, by the Act's operating definitions, it does not constitute a system of records.

Finally, there appears to be some confusion as to whether all records retrieved by personal identifier should be considered subject to the Act. For example, the Agency for International Development (AID) has taken the position that some systems, such as those listing the weight of an individual's household effects and his official itinerary, should be removed from the Act's purview and has decided that lists already in the public domain, such as telephone lists and biographic registers, will not be treated as Privacy Act systems of records.14 The Department of State made a similar determination with respect to lists of blood donors and parking lot assignments.15

Exempt Systems of Records

Although all Federal agency record-keeping operations that fit the Privacy Act's definition of a system of records are subject to some of its requirements, the Act's scope of application is significantly narrowed by the opportunity it gives some agencies to exempt whole systems from many of the Act's more important requirements. This is particularly true of systems maintained for law enforcement and investigative purposes. Subsection 3(j) of the Act permits exemption from most requirements if the records in a system of records are records maintained by the Central Intelligence Agency j5 U.S.C. 552a0)(1)]; or identification files, investigative records, or reports compiled on individuals during the time between arrest and final release and maintained by an agency "or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws." (5 U.S.C. 552a(j)(2)] The provisions of the Act from which records cannot be exempted under subsection 3(j) are primarily those that establish certain records management responsibilities. For example, an accounting of disclosures of information from an exempt system must be kept, and an agency that maintains an exempt law enforcement system must take steps to assure the accuracy and relevance of records it discloses to anyone other than another agency, but the basic oversight and enforcement vehicles otherwise available in the Act, i.e., individual access and correction rights and civil remedies, cannot be used to make sure the agency complies.

The exemption opportunities in subsection 3(k) [5 U.S.C. 552a(k)] are less sweeping than those in Subsection 30), but they also serve to insulate many systems from fundamental protections the Act elsewhere guarantees an individual. Subsection 3(k)(2) creates an exemption opportunity for investigatory records compiled for both criminal and civil law enforcement purposes that have not already qualified for an exemption under subsection 3(j)(2). An agency that takes a 3(k)(2) exemption for a system of records is excused from granting an individual access to records about himself; from revealing to the individual its accounting of the disclosures it makes of records about him; from publishing certain portions of the required annual notice on the system; and from promulgating regulations establishing procedures by which the individual can see, copy, and correct or amend a record about himself. Subsection 3(k), like subsection 30), also allows an exemption from the Act's requirement that the information in a system be "relevant and necessary" to accomplish a purpose mandated by law.

The President's report to the Congress on Privacy Act implementation for calendar year 1975 showed that exemptions had been claimed for 889, or 13 percent of the 6,723 systems whose existence was reported during the first three months after the Act took effect on September 27, 1975. For some systems, an agency claimed both 30) and 3(k) exemptions. Figure 1 shows the type of systems for which exemptions were taken.

While one can agree with the basic public-policy determination that some Federal agency records should not be subject to all of the Privacy Act's requirements, lest ongoing law enforcement investigations or legitimate national security interests be jeopardized, it nonetheless seems clear that the exemption provisions currently in the Act unnecessarily narrow its scope of application and thus unduly frustrate the achievement of its basic objectives. The Secret Service, for example, has had to exempt its entire "Criminal Investigation Information System" [41 F. R 45437 (October 14, 1976)] in order to exempt any part of it, even though many of the records in the system could be (and, under the Freedom of Information Act, often are) open to the individuals to whom they pertain; could be susceptible to correction and amendment without undue burden on the agency; and could be maintained with relatively strict procedures for assuring their accuracy and relevance when they are disclosed to third parties. In particular, one of the four categories of information in the system-records "consisting only of identifying data and notations of arrest, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and proba-tion status"-could be brought within the full scope of the Act without unreasonable difficulty. Such records, largely derived from public records, are unlikely to jeopardize ongoing investigations if disclosed to the individuals to whom they pertain and if inaccurate, but used to make a decision about an individual, either by the Service itself or by another agency, could be the cause of substantial harm to the individual.

Agencies not ordinarily thought of as investigative or law enforcement agencies are often in the same position as the Secret Service. The Federal Trade Commission's "Investigational, Legal, and Public Records" system in many respects parallels the Secret Service's Criminal Investigation Information System, but it too has been exempted in its entirety. [41 FR 39719 (September 15,1976); 16 C FR. 4.13]

Exemption Provision

Systems

Figure 1
Exemptions Claimed Under the Act

Central Intelligence Agency Records (j)(1) 60
Criminal Law Enforcement Agency Records (j)(2) 210
Classified Records (k)(1) 236
Other Law Enforcement Records (k)(2) 545
Protective Services Records (k)(3)  72
Statistical Records (k)(4) 80
Federal Service Suitability Investigative Records (k)(5) 272
Testing or Examination Records (k)(6) 101
Military Service Promotional Potential Records (k) (7) 88
   Total Systems Exempted 889*
   Total Systems Not Exempted 5834
Total Systems 6,723
*NOTE: The total number of systems exempted is less than the sum of the numbers exempted under each exemption provision because one system may have been exempted under more than one provision.

Finally, the broad scope of subsections 3(j) and 3(k) has permitted some agencies to exempt records when their connection with investigative efforts is tenuous at best, and where the rationale for excusing the records from the full force of the Act (for not letting an individual see information about himself, for instance) is difficult to understand. One example is the Department of the Interior's "Endangered Species Licensee System," which contains the "name, address, date of birth, height, weight, color of hair and eyes, business telephone number, occupation and Social Security number" of each individual requesting a license. [41 F. R 41296 (September 21,1976); 43 CF. R. 2.79 (b)] In Chapter 13 of its final report, and in Chapter 3 of this volume, the Commission suggests some ways of resolving this admittedly difficult problem.

Privacy Act Reporting Requirements

A prime objective of the Privacy Act of 1974 is to assure that there will be no Federal agency system of records about individuals whose very existence is secret. A corollary objective is to assure that agency personal-data record-keeping policy and practice will be established in a manner that allows for public scrutiny and comment, as well as for executive and legislative oversight. To facilitate the achievement of these two objectives, the Privacy Act contains four major reporting requirements: (1) the annual system notice; (2) the "Privacy Act Statement"; (3) the new system report; and (4) the President's annual report to the Congress.

Annual System Notices

Subsection 3(e)(4) of the Act requires each agency that maintains a system of records to publish in the Federal Register at least annually a notice of the existence and character of the system, which notice shall include-

(A) the name and location of the system;
(B) the categories of individuals on whom records are maintained in the system;
(C) the categories of records maintained in the system;
(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use; (E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records;
(F) the title and business address of the agency official who is responsible for the system of records;
(G) the agency procedures whereby an individual can be notified at his request if the system of records contains a record pertaining to him;
(H)the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system of records; and how he can contest its content; and
(I)the categories of sources of records in the system . . . . j 5 U.S. C. 552a(e)(4)]

As of December 31, 1976, 97 agencies had filed notices on 6,753 systems containing 3.85 billion records.16 The preceding year 86 agencies filed notices on 6,723 systems.17 Of those, 58 percent (3,908) were maintained by three agencies: the Department of Defense (2,145); the Department of the Treasury (932); and the Department of Health, Education, and Welfare (831). Twenty Cabinet departments and major independent agencies accounted for 87 percent of all notices published in 1975.18

In the President's first annual report to the Congress, the Office of Management and Budget (OMB) analyzed the agency notices as follows:

  • Sixty-eight percent of the personal data systems maintained by Federal agencies are for in-house agency administrative purposes containing principally information pertaining to Federal employees. However, the number of individuals on whom records are maintained in these systems accounts for only 19% of the total number of individuals.
  • Thirty-one percent of the personal data systems maintained by Federal agencies, representing 81% of the records main-tained on individuals, are in support of the operation of various Federal programs. Of these slightly less than half (13% of the systems - 37% of individual records) are in support of programs which provide various forms of assistance to the American public which are described in the Catalog of Federal Domestic Assistance.
  • More than half of the 3.1 billion individual records main-tained for program purposes, however, are contained in only nine systems. These are two Census systems (406 million records), two Social Security systems (480 million records) and five Treasury Department systems (730 million records).19

OMB also attempted to assess the extent of computerization. According to the 1975 annual report:

  • Seventy-three percent . . . of the personal data systems operated by Federal agencies are totally manual systems which do not employ any computer technology.
  • The remaining 27% of the personal data systems are fully or partially automated (only 11% are categorized as fully automated). However, more than 81% of the total individual records maintained are contained in these systems since the larger systems, such as those operated by the Census Bureau, the Social Security Administration and the Internal Revenue Service, necessitate the use of computer technology.
  • The average number of records in either fully or partially automated systems is 1,732,000 while the average number of records in manual systems is only 142,000.20

In identifying systems as required by subparagraph 3(e)(4)(A) of the annual notice requirement, agencies have by and large tried to be specific. In a few instances, the system notices are all-encompassing, a good example being the one on the FBI Central Records System (Justice/FBI-002),21 which says that the "system" includes records on:

individuals who relate in any manner to official FBI investigations . . .; applicants for and current and former personnel of the FBI and persons related thereto . . .; applicants for and appointees to sensitive positions in the U.S. Government and persons related thereto . . .; individuals who are the subject of unsolicited information, who offer unsolicited information . . .; individuals associated with administrative operations or services including pertinent functions, contractors and pertinent persons related thereto.22

Most-systems, however, are specifically identified, with the main difficulties lying in the other parts of the notice.

According to the OMB Guidelines, the subparagraph 3(e)(4)(B) requirement that an agency describe the categories of individuals on whom records are maintained is intended ". . . to enable an individual to determine if information on him might be in [the] system."23 Yet, an individual would often be hard pressed to figure out from a system notice whether the system is likely to contain a record on him. OMB's instruction that descriptions of categories of individuals should be "clearly stated in nontechnical terms understandable to individuals unfamiliar with data collection techniques" has apparently been difficult for the agencies to follow and, in other cases, an agency has given an individual less help than it could. The FBI Central Records System, for example, includes various indices that tell where information on an individual is located or list all individuals named in a particular subsystem, but its annual notice does not reveal the existence of such indices or how they may be used.

Specificity and nontechnical terminology are similarly called for in the OMB guidance on describing the categories of records maintained in a system (subparagraph 3(e)(4)(C) of the notice requirement), but the systems that best fulfill that objective are those for which information is collected on forms that can be described in the notice.

Most descriptions of routine uses (subparagraph 3(e)(4)(D)) are quite general, not only in describing the disclosures that are made but also in describing the users and purposes. As discussed in Chapter 2, moreover, the Act's routine-use requirements apply only to external disclosures of information so one often learns little from a system notice about an agency's all-important internal uses of the records the system contains. Some agencies, such as the Civil Service Commission, the Federal Home Loan Bank Board, and the Department of Interior voluntarily include internal uses in the routine-use section of their annual notices, but their practice is not typical.

The Federal Register format for publishing a system notice includes a place to cite the authority for maintaining the system, but the Act does not require an agency to cite it, and generally, the agencies have cited their enabling statutes that delineate their missions and powers but not their authority to maintain a particular system of records.

With respect to the required description of records maintenance policy and practice (subsection 3(e)(4)(E)), the majority of notices state that access is limited to "authorized personnel" who have a "specific, job-related purpose." Access controls are seldom described in any detail. For manual systems, physical security measures, such as locked file cabinets and guarded buildings, are usually described. For automated systems, the notice typically describes physical security arrangements and states that a code is required for access. Normally this part of the notices also tells how long the records are to be maintained. The responsible official (subparagraph 3(e)(4)(F)) is generally identi-fied quite adequately, and the description of categories of sources (subpara-graph 3(e)(4)(1)) usually give a general picture of how an agency goes about gathering information on an individual. Some systems, however, are exempt from the requirement to describe categories of sources. The procedures for getting access to a record and correcting or amending it (subparagraphs 3(e)(4)(G) and (H)) are considered below in the discussion of "agency rules."

From the agencies' point of view, the annual notice requirement has proved to be a useful management tool. In preparing its more than 2,200 annual notices, the Department of Defense (DOD) decided to discard approximately 15 percent of its forms for collecting information about individuals,24 and officials of the United States Postal Service (USPS) indicate that implementation of the Privacy Act is enabling them for the first time to "get a handle" on record-keeping practices in thousands of USPS field offtces.25 From the individual's point of view, however, it leaves much to be desired. Overall, it would appear that the greatest problem with the agencies' system notices is their vagueness and inaccessibility to the ordinary citizen. To help solve the latter problem, the Office of the Federal Register published a special five-volume compilation of system notices entitled, Privacy Act Issuances,26 but it is very difficult to use because the order in which notices are presented is without apparent logic.

Privacy Act Statements

Subsection 3(e)(3) of the Act stipulates that an agency must:

. . . inform each individual whom it asks to supply information, on the form which it uses to collect information or on a separate form that can be retained by the individual-

(A) the authority (whether granted by statute or executive order of the President) which authorizes the solicitation of the infor-mation and whether disclosure of such information is manda-tory or voluntary;
(B) the principal purpose or purposes for which the information is intended to be used;
(C) the routine uses which may be made of the information, as published pursuant to [subparagraph (D) of subsection 3(e)(4)]; and
(D) the effects on him, if any, of not providing all or any part of the information . . . . (5 US. C. 552a(e)(3)]

There is much to be said for and against this so-called "Privacy Act Statement." On the one hand, it is the only one of the Act's public reporting requirements that specifically directs an agency to describe its internal uses of information about individuals. Because it is given to the individual at the time the agency has direct contact with him, and before he supplies any information, it helps to make the individual aware of his rights under the Act and partly compensates for his lack of familiarity with the system notices published in the Federal Register. On the other hand, anyone who has read the Privacy Act Statement on a Federal income tax return knows how little a statement that attempts to comply with the requirements of subsection 3(e)(3) can actually tell about agency record-keeping practices. For some agencies, moreover, subsection 3(e)(3) appears to be unduly burdensome. When a Federal employee has to sign daily or even weekly for the electronic office equipment he uses, for example, it seems burdensome and wasteful to make the agency give him a statement each time, explaining the authority for obtaining his signature, the principal purpose for which the information is intended to be used, its routine uses, and the effects on him of not providing it.

Several agencies have tackled such difficulties in imaginative ways. In some offices where a form requesting individually identifiable information must be completed as a matter of routine business, the Department of Defense puts the information required to be provided in the Privacy Act Statement on a conspicuously hung poster, which also advises that an individual copy of the statement can be had for the asking. Similarly, when an individual makes his initial visit to a DOD medical facility, the Department gives him a copy of the Privacy Act Statement that covers 222 medical forms the facilities use, and, in addition, places a copy of the Statement in his file. If the individual wants more copies, he need only ask for them.27 These methods of keeping the Privacy Act Statement requirement from being unduly burdensome or wasteful seem reasonable so long as the individual's attention is drawn to the Statement as frequently as the character of his relationship with the data-gathering agency and the spirit of the Act appear to warrant.

New System Reports

Subsection 3(o) of the Privacy Act requires each agency to:

. . . provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the Constitutional principles of federalism and separation of powers. [5 U.S. C. 552a(o)]

The objective of this requirement is to facilitate anticipatory oversight of agency record-keeping practice.28 The Senate draft of the Privacy Act included a "Privacy Protection Commission" with authority to determine whether a proposed record-keeping system, or system change, would meet the privacy protection standards called for in the Senate bill. In the subsequent legislative compromise, this oversight function was assigned to the Congress and the Office of Management and Budget, both of which now receive the agencies' new system reports.

Compared to the annual system notices, the documents justifying and explaining a new system are supposed to be much more detailed and informative. The OMB Guidelines require that a new system report describe:

(a) the purpose(s) of the system of records;
(b) the authority for maintaining the system of records;
(c) the probable or potential effect of the system upon "privacy and other personal or property rights of individuals" and its effect upon "the preservation of the constitutional principles of federalism and separation of powers;" and
(d) the steps taken by the agency to minimize the risk of unauthorized access to the system of records and a discussion of higher or lower risk alternatives which were considered.29

In addition, an agency must file such a report, not only when it proposes to establish a new system of records, but also whenever it proposes to make any change in an existing system of records which:

(1) increases or changes the number or types of individuals on whom records are maintained . . . [The standard to be applied is that any change which] significantly alters the
character and purpose of the system of records [shall require a new system report] . . .;
(2) expands the type or categories of information maintained
(3) alters the manner in which the records are organized or the manner in which the records are indexed or retrieved so as to change the nature or scope of those records . . .;
(4) alters the purpose for which the information is used . . .; and
(5) changes the equipment configuration (i.e., hardware and/or software) on which the system is operated so as to create the potential for either greater or easier access . . . .30

Each new system report must be accompanied by an advance copy of the new or revised annual system notice; an advance copy of any new Privacy Act regulations or changes to published regulations that pertain to the system; and an advance copy of any proposed regulations setting forth the reasons why the system is to be exempted from any of the Privacy Act's requirements.31 It must be filed

60 days before an issuance of data collection forms and/or instructions, or 60 days before any public issuance of a Request for Proposal or Invitation to Bid for computer and/or communications systems or services intended to support the system of records.32

All new system reports must be transmitted in duplicate to the President of the Senate, who forwards them to the Senate Committee on Governmental Affairs; to the Speaker of the House, who forwards them to the House Subcommittee on Government Information and Individual Rights; to the Office of Management and Budget; and (during its lifetime) to the Privacy Protection Study Commission. OMB procedures allow for the 60-day advance notice requirement to be waived, and in 1976 it received requests for waivers from 12 agencies with respect to 467 systems. Of these, 439 were approved; two were denied; and 26 were withdrawn or not acted upon.33

The Senate Committee on Governmental Affairs has assigned the task of analyzing the reports to a staff member who contacts the agency in question or the OMB office responsible for evaluating the reports, if any procedures or practices described in one of them seem to be in conflict with either the letter or the spirit of the Act. The House Subcommittee procedure is identical. A staff member reads the incoming report and, if anything appears untoward, contacts OMB. On one occasion, the Congressional Office of Technology Assessment (OTA) has also been formally contacted for evaluation of a new system proposal.

At OMB the reports are all logged by the Information Systems Division, which arranges for an announcement to be published in the Federal Register that a new system report has been received. These announcements are not required by the Act and thus far, few of them have elicited any public comment. The Information Systems Division reviews each report for compliance with the Act and concurrently sends one copy to an OMB budget examiner who reviews it for consistency with established budget guidelines. This last step is most useful when the proposal involves a major system of records, such as the Veterans Administration's new TARGET system or the Internal Revenue Service's Tax Administration System (TAS). Otherwise, the budgetary impact tends to be below the examiner's threshold of significant concern.

In 1976, 25 agencies submitted 75 new system reports covering 808 systems.34 To increase visibility OMB published a bi-weekly summary of them in the Federal Register.35

The principal problem with the new system reports has been the lack of staff to evaluate them and the ambiguity of many of the statutorily prescribed evaluation criteria. Nonetheless, OMB officials believe that the new system reports requirement has had a significant and beneficial effect, while others contend that it has discouraged the establishment of some questionable systems. The FBI, for example, has apparently abandoned its plan to establish a system on known or alleged terrorists,36 and the Department of the Navy has scaled down an extensive attitudinal study of personnel being assigned overseas .37

The President's Annual Report

Subsection 3(p) of the Act requires the President to:

. . . submit to the Speaker of the House and the President Of the Senate by June 30 of each calendar year, a consolidated report, separately listing for each Federal agency the number of records contained in any systems of records which were exempted from the application of [the Act] under the provisions of subsections Ú) and (k) of [the Act] during the preceding calendar year, and the reasons for the exemptions, and such other information as indicates efforts to administer [the Act] fully . . . . [5 U.S.C 552a(p)]

To fulfill this requirement OMB sends out a memorandum containing questions that each agency uses to construct a report to OMB. For the 1975 and 1976 annual reports, OMB has asked each agency to describe the steps it has taken to implement the Act; to list the systems it has exempted from the Act's requirements as provided in subsections 3(j) and 3(k); to provide data on items such as the number of individuals who have asked for access to records the agency keeps on them; and to evaluate its performance in implementing the Act. For example, agencies have been asked to specify the criteria they have used in deciding whether to take advantage of the Act's exemption opportunities; to assess the extent to which the public has paid attention to their rule-making and annual system notices, as well as the extent to which they have responded to that attention; and to evaluate the Act's effect on their information collection and disclosure practices. OMB has also encouraged the agencies to suggest alternative approaches to meeting the Act's objectives.

The agencies' responses to OMB's queries promise to become successively more useful. In preparing the 1975 annual report, OMB asked the agencies to assess whether the Act had reduced the amount of information they collect and maintain on individuals, but most had not anticipated the question and thus could not answer it. They had not, for example, kept track of how many records they had destroyed prior to the Act's effective date. In the beginning, agency reports were also difficult to compare because each agency was allowed, and exercised, considerable discretion as to how much detail it would supply OMB. In its 1976 instructions, however, OMB tightened the inquiry in ways that made it more difficult for the agencies to avoid supplying details and further improve-ments in the 1977 instructions are contemplated.

Guidance on Implementation

The Senate draft of the bill that became the Privacy Act of 1974 provided for a Privacy Protection Commission with power to interpret the Act and to enforce compliance. This was strongly opposed by the Executive branch, and by the House, both of which favored making each agency fully responsible for its own implementation of the Act. In the end, it was agreed that each agency would be responsible for its own implementation, but that the Office of Management and Budget would have a limited guidance and oversight role. Thus, Section 6 of the Privacy Act directs OMB to:

(1) develop guidelines and regulations for the use of agencies in implementing the provisions of [the Privacy Act]; and
(2) provide continuing assistance to and oversight of the imple-mentation of the provisions of the Act by agencies.

As a first step in fulfilling this mandate, OMB, on July 1, 1975, issued Circular A-108, "Responsibilities for the Maintenance of Records About Individuals by Federal Agencies" [40 F.R. 289481. A-108 directed all Executive branch agencies to establish specified procedures in accordance with the Act and the Guidelines that were attached to it, and delegated the responsibility for issuing additional guidance or directives on specific aspects of Privacy Act implementation to four agencies. The four agencies and their respective responsibilities were:

  • The General Services Administration-responsibility for guidance on the proper Federal Register publication format, archiving procedures, approving forms used exclusively within the Federal government, and agency procurement policies;
  • The Civil Service Commission-responsibility for guidance on personnel training and revision of the Federal Personnel Manual;
  • The National Bureau of Standards (Department of Com-merce)-responsibility for guidance on computer and data security;
  • The Office of Telecommunications Policy-responsibility for revising Federal agency data-communications policy.

OMB itself established a temporary interagency task force to review agencies' Privacy Act regulations and revised its Federal Reports Act procedures for reviewing forms used to collect information from members of the public.38 On October 3, 1975, OMB issued Transmittal Memorandum No. 1 [40 F.R. 258771, which established the rules for preparing and submitting new system reports; and on December 4, 1975, it issued further "Supplementary Guidance" [40 F.R. 46741], amending and clarifying the Guidelines it had published the previous July. On March 25, 1976, OMB issued Transmittal Memorandum No. 2, instructing agencies how to submit material for use in the President's first annual report to the Congress on Privacy Act implementation. Finally, on May 17, 1976, OMB issued Transmittal Memorandum No. 3 that provided further guidance on preparing new systems reports.

The four agencies to which OMB delegated guidance responsibilities also issued a number of implementation documents over roughly the same period. The General Services Administration issued its Federal Register publication guidelines on June 19, 1975. [40 F.R. 25988] This document outlines a model regulation and prescribes a special encoding system for printing in the Federal Register.

On September 26, 1975, GSA published Federal Procurement Regulations Amendment 155 [40 F.R. 44502], establishing procedures for complying with subsection 3(m) of the Act regarding government contrac tors. This was followed by Temporary Federal Property Management Regulation E-42 [40 F.R. 48733], published on October 7, 1975. This temporary guidance contained an "ADP and Telecommunications Requirements Checklist" for use in all automated data processing (ADP) and telecommunications equipment and service procurement proposals. Its expiration date, March 1, 1978 at this writing, has been extended three times.

On October 24, 1975, GSA published Temporary Federal Property Management Regulation E-43 [40 F.R. 49936], which establishes privacy protection and data security rules for automated data-processing and telecommunications systems. These include requirements applicable to interagency services, and specify the responsibilities of user agencies, provider agencies, and contractors. Temporary Regulation E-43 became a final regulation on April 7, 1976, when it was published as Federal Property Management Regulation Amendment E-184, "Government-Wide Automat-ic Data Management Services." [41 F.R. 14732] GSA has since published Federal Property Management Regulation Amendment F-26, a technical cross-referencing amendment [41 F.R. 22938 (June 8, 1976)], and Federal Property Management Regulation Amendment E-197. The latter, published on November 4, 1976 [41 F.R. 48519], contains a model contract clause allowing government agency access to contractor facilities and records for the purpose of conducting privacy safeguard inspections.

OMB delegated responsibility for personnel training and for revising the Federal Personnel Manual to the Civil Service Commission (CSC). On September 30, 1975, the Commission published two sets of amendments to Title 5 of the Code of Federal Regulations setting forth basic policy on the maintenance of personnel records. [40 FR. 45094] On December 4, 1975, the CSC published a further amendment to Title 5 establishing procedures for determining when a source in a government background investigation may be promised confidentiality. [40 F.R. 56651] On December 30, 1976, it published Federal Personnel Manual (FPM) Letter 711-126 explaining the circumstances in which information about an individual can be released to labor unions.39

The National Bureau of Standards (NBS) was given responsibility for guidelines on computer and data security. On May 30, 1975, it published Federal Information Processing Standards (FIPS) Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974."40 This was followed in October 1975 by an Index of Automated System Design Requirements.41

Finally, OMB Circular A-108 delegated, to the White House Office of Telecommunications Policy (OTP), responsibility for revising Federal agency data-communications policy to the extent necessary to bring it into compliance with the Privacy Act. OTP began soliciting comments on its draft circular at the end of December 1976, but it is not clear when the circular will be published in final form. The draft covers topics such as operational control of communications networks, the interconnection of telecommunications networks, dedicated data-communications networks, and communications security devices.

The chronology of all these documents is worth noting as it highlights the fact that much of the formal guidance to the agencies was not published until after the Privacy Act was already in force. The Act established September 27, 1975, as the date on which the agencies were supposed to have published their system notices and Privacy Act regulations, and to have their internal operating procedures and training programs in place. As of September 27, however, most of the guidance documents were still not available, largely because the agencies responsible for preparing them were still working on them. Moreover, neither OMB nor any of the other agencies with guidance responsibilities have subsequently played an aggressive role in making sure that the agencies are equipped to comply with the Act and are, in fact, doing so. OMB continues to comment on agency regulations promulgated under subsection 3(f) of the Act and watches the Federal Register for agency initiatives whose privacy implications have not been recognized. On March 7, 1977, the new OMB Director issued a memoran-dum to all agencies calling for "particular emphasis on eliminating or curtailing systems containing personal information."42 Yet, much of the early momentum appears to have been lost. Most important, there seems to be more variation in agency practice under the Act than is necessary, and certainly more than is desirable if a prime object of the Act is to make it easy for individuals to have a say in how agencies collect, use, and disseminate records about them.

Agency Rules

Subsection 3(f) of the Privacy Act requires an agency to promulgate regulations43 that:

(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;
(2) define reasonable times, places, and requirements for identify-ing an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;
(3) establish procedures for the disclosure to an individual upon
his request of his record or information pertaining to him, including [a] special procedure, if deemed necessary for the disclosure to an individual of medical records, including psychological records, pertaining to him;
(4) establish procedures for reviewing a request from an individu-al concerning the amendment of any record or information pertaining to the individual, for making a determination on
the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and
(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of his record. [5 U.S. C 552a(f)]

Although the Office of the Federal Register developed a model format for the agencies to use in preparing their Privacy Act rules for publication [40 F.R. 25988 (June 19, 1975)], there is great variety in the way the rules have been published, and some formats are so complex that the average individual could have great difficulty understanding (and in some instances, locating) the correct procedure to follow. The rules promulgated by the Department of the Air Force in 1975, for example, were in eight parts and 58 sections [32 CF.R 806.b], and many sections had to be consulted to understand fully how to exercise the individual's access and correction rights. Similarly, the Treasury Department's rules for 1976 [31 CF.R 1.20-1.36] are in 17 sections and 12 appendices (with different procedures for 12 different components of the Department), totalling 29 pages of material.

The procedures the rules establish also vary greatly. For example, all agencies have established procedures for verifying the identity of the individual requesting a record, but while some require nothing more than a signature, others require extensive personal identification. OMB itself is one of the latter. Its regulations provide as follows:

(a) current or former employees: verification by visual observation or alternatively, some employment related documenta tion such as employee I.D. card, driver license, or "employee copy" of any official personnel document;
(b) other than (a) above: two forms of identification and whatever else may be required by a specific system notice; (c) by mail: by comparison of signature on a notarized statement of identity;
(d) if no documentation available: notarized statement of identity and knowledge of penalties for lying and (as needed) notarized statement from other individual attesting to reque-stor's identity;
(e) parent or guardian: legal documents providing guardianship and suitable personal I.D. [5 CF. R. 1302.2]

Then, too, some agencies require more or less personal identification depending on the character of the record to which the individual seeks access. For example, the Tennessee Valley Authority minimally requires an identification card and comparison of signatures, but more stringent verification (such as in-person confirmation of identity) when the record sought is "sensitive." [18 CF.R. 301.14]

Most agency rules require that a request for a record identify the system of records in which the record is thought to reside. This is permitted by subsection 3(f)(1) of the Act [5 U.S.C 552a(f)(1)], and is consistent with the Congress' desire to avoid an undue administrative burden on the agencies. However, asking the individual to identify the system of records can place a substantial burden on him. Few Americans have ever heard of the Federal Register and even fewer are likely to know how to find a system notice in it.

By and large the agencies have tried to help the individual either by giving him a copy of the agency's annual notices and asking him to identify likely systems, or by directing him to someone in the agency whose job is to help him, or both. Some agencies have even tried to dispense with the system identification requirement altogether. OMB, for example, does not require specific reference to a system notice and makes copies of its notices available to anyone who addresses his request to the Office of the Assistant Director for Administration. [5 C.F.R 1302.1(a)] Similarly, the Department of the Interior's rules do not mention any need to identify the system, although they clearly presuppose a knowledge of the Department's annual notices. [43 C.F.R. 2] All agencies' rules provide for access to a record about an individual by his parent or guardian, and, with the individual's written authorization, by someone who accompanies him at the time he exercises his access right. Many agencies also have special procedures for giving an individual access to medical records pertaining to him, although some, such as the Depart-ment of Housing and Urban Development [24 CF R. 16] and the Defense Intelligence Agency [32 C.F. R. 292a], do not. The Federal Trade Commis-sion provides for access to a medical record through a physician designated by the individual, presumably leaving it to the physician to decide whether the individual should be allowed to see and copy the record [16 C.F.R. 4.13(f)], but the Department of Health, Education, and Welfare (DHEW) provides for direct access by the individual in many instances. [45 C.F.R. 56.6]

The DHEW rules affirm the individual's right of access to his medical records and when he requests access to them he is asked to designate a responsible representative to receive them if the Department believes that giving him direct access may be upsetting or otherwise harmful to him. The responsible representative need not be a physician or other health professional. A minor's medical record will be disclosed to a physician or other health professional (neither of whom may be a family member) provided that the physician or other health professional is informed, where appropriate, that further disclosure may constitute an unwarranted invasion of the minor's personal privacy. [45 C.F.R. 56.6]

Although most agencies' rules require that an individual's request for access to a record about himself be made in writing, the request can usually be submitted either in person or by mail, whichever the individual prefers. The big differences are in the agencies' procedures for acknowledging an individual's request. The Act is silent on the question but the OMB Guidelines say that an agency should acknowledge a request for access within ten days of receiving it.44 Department of Agriculture rules call for an acknowledgement indicating whether access will be granted-and if so, when and where-within 10 working days. [7 C.F.R. 1.114(a)] Department of Commerce rules also provide for a ten-day response and, in addition, specify the official to contact if a request is not acknowledged within ten days. [15 C.F.R 46.3(f) and 46.5(a)] In contrast, Interior Department rules [43 CF.R 2.64] provide only for "prompt" acknowledgement, while the rules of the Justice Department [28 C.F.R 16] and of the Defense Intelligence Agency [32 C F.R. 29a] do not mention response time.

There is also a time limit problem which arises from the fact that the Privacy Act does not specify how quickly an agency must comply with an individual's access request. The OMB Guidelines suggest that, where possible, the acknowledgement of a request should indicate whether access will be granted, and if it is to be granted, that it should be granted within 30 days thereafter (excluding Saturdays, Sundays, and legal public holidays), unless the agency, for good cause shown, is unable to comply within that timeframe, in which case the individual should be informed in writing within 30 days of the reasons for the delay and the date on which access can be anticipated.45 This suggested procedure closely parallels the one the Freedom of Information Act specifically requires when an agency receives an FOIA request for a record. [5 U.S.C. 552a(d)(2)]

In their 1975 annual reports, most agencies indicated that they were having no problem complying with the 30-day rule, but some, such as the FBI and the CIA, were experiencing long delays due to the number of requests they were receiving and the complexity of some of their records.46 The Drug Enforcement Administration also reported difficulties in connec-tion with about 20 percent of its records,47 and the Energy Research and Development Administration described two cases, each of which took approximately 32 days to process, and which eventually resulted in a denial of at least part of the request.48

The appeals procedures present still another problem. If an agency denies an individual's request for access to a record, the Act allows him, without further ado, to seek a Federal court order directing the agency to disclose the record to him. In such cases, it is up to the court to decide whether the record has been properly withheld pursuant to one of the Act's exemptions from the individual access requirement. Some agencies, how-ever, have established an administrative appeals procedure, along the lines of the one called for in the Freedom of Information Act. These procedures raise a serious question as to whether an individual whose access request is denied may proceed directly to court without first exhausting the remedies they afford him.

The situation with respect to denials of requests to correct or amend records presents a different kind of problem. There, the Act explicitly calls for a denial to be reviewed and reaffirmed within the agency before the individual can go to court. The review process is supposed to be completed within 30 days, but the head of the agency, for good cause shown, can extend it for another 30 days. [5 U.S.C. 552a(d)(3)] Moreover, some agencies have included a time limit in their rules, within which an individual may appeal a correction or amendment refusal. Those range from 20 days at the Department of the Interior [43 C.F.R. 274] to 90 days at the Postal Service [39 CF. R. 266.7(b)(4)(c)].

There is also a small problem in the handling of the "statement of disagreement." Subsection 3(d)(3) of the Act allows an individual to file a concise statement detailing his side of an unresolved dispute with an agency over the content of a record about himself. At least one agency (the Tennessee Valley Authority) has interpreted "concise" to mean no more than 100 words [18 CF.R. 301.19(f)]. This is often too short, as the vast majority of agencies have realized.

Administration, Training, and Compliance Monitoring

Subsection 3(e)(9) of the Privacy Act requires each agency to:

establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Act], including any other rules and procedures adopted pursuant to [the Act] and the penalties for noncompliance. [5 U.S.C. 552a(e)(9)]

Otherwise, however, each agency is left free to devise its own arrangements for assuring compliance with the Act's requirements and with its own Privacy Act regulations. A brief look at the experience of a few agencies will show the wide differences this approach has produced.

The Department of Defense (DOD)

The Department of Defense took a highly structured approach to implementing the Privacy Act. It established the Defense Privacy Board, composed of representatives of each major component of the Department, with a full-time staff and a mandate to develop a comprehensive implemen-tation program. Federal Register notices were published on 2,145 record-keeping systems and Privacy Act Statements were added to 15,290 forms.49 Of the approximately 371,000 forms the Board reviewed, 58,560 were withdrawn on the grounds that they were incompatible with the spirit of the Act.50 The Department's rules for implementing the Act were published as DOD Directive 5400.11. [32 C.F.R. 286a]

A three-level, department-wide training program was also established. Level I was aimed at commanders, managers, and supervisors, and included a 22-minute film and additional briefing material on the Act's main features. Copies of the film were distributed to U.S. military installations around the world, and also made available to other Federal agencies for use in their training programs. Level II was aimed at the thousands of employees who handle records about individuals on a day-to-day basis. It has relied on special courses in the Department's various technical training schools, as well as on continuous on-the-job training. For example, beginning in early 1976, the Department of Defense Computer Institute offered a three-day course on the Privacy Act as it relates to automated data processing. At least one person from every DOD computer installation was required to attend (approximately 2,500 persons in 1976), and they, in turn, trained others at their home installations. Level III training has consisted of distributing films, posters, and memoranda throughout the Department, designed to make DOD personnel aware of what the Privacy Act means to them as individual citizens rather than as agency employees obligated to comply with its requirements.51

The Defense Privacy Board's Legal Committee has first-line responsi-bility for advising the Board on how to interpret the Act. Committee opinions are reviewed by the Board and ratified by the Department's General Counsel before being published or distributed to DOD compo-nents. Compliance monitoring is the responsibility of the inspector general of each major DOD component and has been made a part of the normal inspection and audit program. By and large, DOD contractor compliance is not monitored, although the central CHAMPUS52 office in Denver, Colorado has been made responsible for keeping contractors informed as to the proper treatment of medical records under the Act.

United States Postal Service (USPS)

The United States Postal Service has treated the Privacy Act as a records management tool and has given overall responsibility for imple-menting it to the USPS Records Officer who is also responsible for the Service's implementation of the Freedom of Information Act and other records management functions. The Records Officer, within each region is responsible for oversight of Privacy Act compliance within his area and is, in turn, functionally responsible to the USPS Records Officer.

Continuing direction and guidance to lower echelon and field units is provided through bi-weekly Postal Bulletins dispatched from USPS headq-uarters. Additionally, instructional memoranda are dispatched on an irregular basis to specific components of the Service (e.g., employee and labor relations offices, regional USPS counsels, and Inspection Service field offices), giving guidance on particular subjects. To aid the headquarters and regional offices, circulars and instructions are routinely disseminated concerning USPS forms and development of new systems.

Much like DOD, the USPS has its own law enforcement arm, the Postal Inspection Service (PIS). Stated broadly, the mission of the PIS includes the protection of the United States mail, the enforcement of postal laws, plant and personnel security, postal inspection, and internal audits. To assure compliance with postal regulations, the PIS conducts operating inspections and audits for the Postal Service. At the present time, an audit program is being planned for all USPS records systems which will include Privacy Act procedures as a major element. Inspectors will inquire into the manner and degree to which the operating location is complying with the Act. Physical security of records systems will also be included as a part of the audit, as will review of disclosure accounting logs maintained at those levels. The PIS, in cooperation with the USPS Records Officer, investigates alleged violations of the Act.

Although USPS includes a standard clause in its contracts which obligates a contractor subject to subsection 3(m) to comply with the Act's requirements as an agent of the Federal government, there is currently no attempt to monitor contractor compliance.

Department of Health, Education, and Welfare (Dhew)

DHEW's compliance with the Privacy Act is coordinated through the Fair Information Practice (FIP) Staff of the Office of the Assistant Secretary for Management and Budget. The DREW Fair Information Practice staff is unique among Federal agency Privacy Act units in that it traces its organizational ancestry to the staff of the Secretary's Advisory Committee on Automated Personal Data Systems, whose report, Records, Computers, and the Rights of Citizens,53 influenced the drafting of the Privacy Act of 1974. (It is also unusual for having staffing and coordinating functions with respect to other privacy protection statutes and regulations, such as the Family Educational Rights and Privacy Act of 1974, the so-called Buckley-Pell Amendments.) The FIP staff, one member of which serves as the Department's Privacy Coordinator, is responsible for all DHEW Federal Register publications concerning record-keeping systems and practices subject to the Privacy Act, and it reviews all DHEW proposals to establish new systems of records.

In addition, each major component of the Department has its own Privacy Act Coordinator, and each component is free to publish supplemental directives which, when appropriate, are reviewed by the Fair Information Practice Staff for compatibility with Departmental directives. Privacy Act coordinators serve on the Department's Legal Policy Working Group, which is jointly chaired by the Fair Information Practice Staff and the Office of the General Counsel. The Working Group meets periodically to examine legal and policy questions raised by the Privacy Act and otherwise to assist in coordinating the Department's implementation of the statute.

The Department's administrative procedures manual has been amended to include separate chapters on information practices under the Privacy Act and to establish guidelines for compliance. There is also an ongoing computer security program within the Department and a Departmental team has been conducting a year-long inspection of DHEW computer facilities aimed at establishing and maintaining the degree of data security the Act requires. Each component, however, is responsible for regular audits of its own operations.

Civil Service Commission (CSC)

The Civil Service Commission has chosen a decentralized approach to administering the Privacy Act. While the CSC retains final authority over denials of requests for access to, and amendment of, records, responsibility for day-to-day oversight has been successively delegated down to the system-manager level. One-day seminars on the Act have been held for CSC bureau and regional directors and system managers throughout the country, and a manual has been prepared on satisfying the Act's requirements within the CSC. Each CSC employee has also received a letter outlining the Act's scope and effect.

Department of Labor (DOL )

t the Department of Labor, the task of supervising Privacy Act implementation and compliance has been assigned to the Office of the Solicitor (General Counsel). Each subunit within the department has its own procedures manual with chapters on the Freedom of Information Act, as well as the Privacy Act. The Department's personnel records manual also includes detailed compliance guidelines. The Solicitor's Office has set up a coordinating committee in which all management units are represented and which meets approximately once a month. The Solicitor's Office also conducts seminars around the country for DOL personnel who specialize in responding to Freedom of Information and Privacy Act requests for access to records.

Department of Agriculture (DOA)

For implementing the Privacy Act and monitoring compliance with it, the Department of Agriculture has been divided into 29 semi-autonomous groups, each of which has its own Privacy Act coordinator and bears the principal responsibility for its own activities. The Farmers Home Adminis-tration, for example, issues directives to its subunits on implementation and compliance and runs a modest instructional program for personnel in its various State and local offices. Similarly, the Agriculture Stabilization and Conservation Service (ASCS) issues its own implementing and instructional directives. Each ASCS State office has an official who is responsible for the administration of the Act within its jursidiction, including compliance monitoring. The ASCS periodically reviews the activities of some State and field offices to monitor compliance with the provisions of the Act.

Internal Revenue Service (IRS)

The Treasury Department's approach to administering the Privacy Act is the most decentralized of all those examined by the Commission. Each of the Department's eleven bureaus is directly responsible for its own implementation and compliance, with little or no supervision by anyone at the Department level. However, the Internal Revenue Service, a major Treasury bureau, has developed a highly structured administrative program. "Disclosure officers" in the 65 regional and district offices bear the main responsibility for day-to-day administration of the Act. Before the Act took effect, each region sent one or two representatives to IRS headquarters for two days of training in Privacy Act procedures. The regional representatives then gave similar training in their districts. All IRS employees who were not expected to be directly involved in administering the Act were briefed through a program of tape/slide presentations. In addition, all disclosure officers received two weeks of intensive training.54 The Service estimates that 35,000 man-hours were invested in implementation training even before the Act took effect.55

A compliance handbook has been prepared and disseminated throughout the Service. Compliance by IRS field units is audited by the Office of the Assistant Commissioner/Inspection, whose audits include an inspection of the accounting each unit keeps of its disclosures of information about individuals.

The Agency Experience in General

The 97 Federal agencies that maintain systems of records subject to the Privacy Act of 1974 have all taken different approaches to administra-tion, training, and compliance monitoring. No one approach by itself appears to have hindered good-faith efforts to comply. On the other hand, agencies or components of agencies that have carefully structured programs for administering the Act appear to be the ones in which the Act's objectives are being best achieved. The DOD and the IRS are good examples. Both are accustomed to dealing with sensitive information and with issues relating to its proper collection, maintenance, use, and dissemination. Information policy and information management are concepts with which they have had a great deal of practical experience, and this is reflected in their respective approaches to meeting the obligations the Privacy Act imposes on them.

In most of the other agencies, training and compliance monitoring have been weak. Nearly all agencies have revised their internal guidance manuals so that personnel responsible for records about individuals can find out what is required of them. Several agencies also have added a check for Privacy Act compliance to their existing audit and inspection procedures and others plan to do so in the future. None, however, appears to be checking on its contractors' compliance with the Act and most have relied on others to train their employees.

The Office of Management and Budget and the Civil Service Commission have established a program of one-day seminars for top agency management personnel in 11 major cities. The Civil Service Commission has also run a program of two-day workshops, followed by a one-day follow-up session, in which Privacy Act requirements have been examined in some detail. The CSC has made material available to all agencies for use in structuring their own training courses. The previously mentioned Depart-ment of Defense training program has also accepted trainees from other agencies. In nine regions, the National Archives and Record Service has conducted a one-day course for specialists in records management, and some agencies have sent their employees to seminars held by the District of Columbia Bar Association, the Federal Bar Association, and the American Civil Liberties Union. The Energy Research and Development Administration hired an outside firm, Auerbach Associates, to train its employees.56 Beyond these piecemeal efforts, however, agency employees have by and large been left to their own devices.

Enforcement

Except for the two subsections of the Privacy Act that authorize criminal sanctions against Federal employees (for failing to publish an annual system notice or for knowingly and willfully making an unauthorized disclosure of a record about an individual), action by the individuals on whom agencies maintain records is the primary means of making sure that the Act has its intended effect on agency record-keeping practices. The Act gives the individual five instruments for encouraging agency compliance: (1) a right of access to a record an agency maintains about him; (2) a right to seek correction or amendment of such a record; (3) a right to review the accounting an agency must keep of the external disclosures it makes of a record about him; (4) a right to comment on an agency's proposed procedures for implementing the Act; and (5) a right to sue an agency under specified circumstances if he believes it has failed to comply with the Act or with its own rules for implementing it.

As explained earlier, unless a record has been exempted from the individual access requirement under subsections 3(j) or 3(k), subsection 3(d)(1) of the Act gives an individual the right to see and copy it. Equally important, subsection 3(d)(2) gives an individual the right to request correction or amendment of a record pertaining to himself; and, if the agency refuses, to request a review and possible reversal of its refusal, initially by the head of the agency (as provided in subsection 3(d)(3)), and ultimately by a Federal court (as provided in subsection 3(g)(1)(A)). Moreover, if the agency head refuses to make the requested change, the individual is entitled to file a concise statement of his side of the dispute which the agency must forward to certain past and all future recipients of the disputed information.

There are no reliable data on the number of requests individuals have made for records about themselves since the Privacy Act took effect. Nor are there reliable data on the types of records individuals have asked to see and copy. Apart from the requests made to agencies like the Federal Bureau of Investigation and the Central Intelligence Agency, most requests seem to have come from agency employees. For example, the Department of Defense has reported that in 1976, 90 to 95 percent of its requests came from current or former DOD employees.57 Similarly, the Civil Service Commis-sion, Bureau of Personnel Investigations, reports that as of August 27, 1977, it had received 2,856 requests from individuals seeking access to files resulting from investigations of their suitability for employment by the Federal government or its contractors.58 The U.S. Information Agency (USIA) noticed a significant increase in the number of employee requests for access to personnel and security files following the training sessions it conducted on Privacy Act compliance.59 Nonetheless, given the number of records agencies maintain about individuals (3.85 billion as of December 31, 1976), it would appear that overall there have been very few access requests.

Leaving aside the Department of Defense which counted 116,505 requests in 1975 (56,281 of them from current employees),60 all the agencies combined reported approximately 15,855 requests during the first three months after the Act took effect 61 The actual figure was probably somewhat higher. Some unknown number of requests, by Federal employees, were not counted because they were made under agency access procedures that antedated the Privacy Act, while other would-be Privacy Act requests, by members of the public, were counted as Freedom of Information Act requests. The FBI estimates that close to 90 percent of the Freedom of Information Act requests it receives are requests by individuals trying to find out if the agency maintains a record on them.62 Overall, however, the number has not been great and also appears to be declining. In the summer of 1976, the FBI and the CIA both had a large backlog of Privacy Act and Freedom of Information Act requests, resulting in processing delays of up to nine months at the FBI.63 By the fall of 1976, however, both agencies reported that the number of new requests was decreasing, with the CIA's requests dropping about 90 percent.64 The President's 1976 annual report on the Privacy Act singled out the Justice Department as the only agency reporting a significant number of access requests-35,723 in all.65

Requests to correct or amend records and to file statements of disagreement have also been infrequent as have requests to review the agencies' accountings of disclosures of records about individuals. In 1976, DHEW reported receiving 19,202 requests for amendment of personnel records, of which only 79 were denied.66 The Department of Defense received 11,043 and fully granted 10,899, partially granted 50, and denied 94.67 The number of reported appeals of access and amendment denials was 1,852 (1,556 of them at the Justice Department which includes Freedom of Information Act appeals in its count).68

In general, there has been less use of the Act and less evidence of public interest in it than was predicted at the time the legislation was enacted. In addition to an unexpectedly small number of access and correction requests, the agencies, in their 1975 annual reports, said that they had received only 30 sets of comments on their publications in the Federal Register, four of them from other government agencies and one from an employee union .69 In the President's 1976 annual report, only five agencies were said to have received comments from the public on their rules and system notices.70

In part, this less than expected utilization of the Act can be attributed to the difficulty of finding out how to use the Federal Register, and of wending one's way through the maze of agency Privacy Act procedures. The Department of Defense appears to have received an unusually large number of access requests because of the number of records it maintains on civilian and military employees, both past and present, and because of its extensive training program. However, there is also reason to believe that use of the access right, in particular, can be strongly affected by how much confidence the public has in an agency's record-keeping operations. The comparatively large number of requests to the FBI and the CIA would certainly seem to bear that out.

There is also some evidence that the Act has served to strengthen preexisting access and correction rights. For example, the Coast Guard claims that while it has long had procedures for giving its employees access to their personnel records, the Privacy Act has made it easier for them to get their personnel records corrected.71 Individuals today also seem to find it much easier to gain access to the medical records and employment-related investigatory files that agencies maintain on them. The effect of the changes on agency practices governing the collection, use, and disclosure of records about individuals is the subject of Chapter 2, below. The Commission's general conclusion is that their impact has been much less than was originally anticipated, but, on the other hand, there is evidence that they could be an effective force for change in agency practice if the Act were clarified and strengthened.

As to the Act's civil remedies, the district courts of the United States have jurisdiction over all actions brought to enforce the Privacy Act's requirements. Civil actions by individuals are provided for in subsection 3(g). Stated briefly, an individual has a cause of action whenever an agency makes a determination not to correct or amend a record (subsection 3(g)(1)(A)); refuses him access to a record (subsection 3(g)(1)(B)); fails to maintain a record properly (subsection 3(g)(1)(C)); or fails to comply with any, other provision of the Act (subsection 3(g)(1)(D)). In suits to correct or amend or to obtain access to a record, the court is directed to determine the matter de novo and, if the complainant substantially prevails, the court may direct the government to pay his attorneys fees and other reasonable litigation fees incurred.

In cases brought under subsections 3(g)(1)(C) and 3(g)(1)(D), the court is also empowered to grant attorneys fees and litigation costs. Furthermore, upon a showing that the agency's actions were (1) intentional or willful, and (2) resulted in demonstrable injury to him, the complainant is entitled to a monetary judgment in an amount equal to his actual damages or $1,000, whichever is greater.

As is characteristic of a new statute, case law under the Privacy Act has been slow to develop. In a memorandum dated November 12, 1976, the Information and Privacy Section of the Department of Justice reported a nationwide caseload of approximately 70 ongoing court actions. Over 20 of these involved requests for records and most were being treated as Freedom of Information Act rather than Privacy Act requests. Another group of about 20 was made up of actions under subsection 3(g)(1)(A)-to force an agency to amend some portion of an individual's record. One recent case has been won on the merits by the government, the trial judge holding that the plaintiff had failed to carry his burden of proof. Some 15 individuals have sought injunctions against the disclosure of information by an agency and about a dozen have sought damages under subsections 3(g)(1)(C) or 3(g)(1)(D).72 No case seeking damages has yet been decided against the government, although one has recently been settled out of court.73

One case that bears mention involves a class action suit in the United States District Court of Northern California brought by the American Civil Liberties Union (ACLU) on behalf of a number of applicants for federally guaranteed student loans. The DHEW Guaranteed Student Loan Program included on its application a blanket statement authorizing it to disclose student-supplied information as necessary in the course of processing and servicing a loan. Its final paragraph stated:

I understand that as a result of this consent, the U.S. Office of Education will not keep an accounting of disclosures of information regarding the application and loan [45 C.F.R. 5ó.9(c); 40 F. R. 47413 (October 8, 1975)], since this notice informs me of the uses which may be made of the information. (emphasis added)

The ACLU withdrew its suit after the Office of Education agreed to delete the authorization statement and to process the 1,500 applications that had been set aside because of the applicants' refusal to sign it.74

The Privacy Act also establishes criminal penalties for certain knowing and willful violations of its requirements. Subsection 3(i) provides that an officer or employee of an agency may be found guilty of a misdemeanor and fined up to $5,000 for knowingly and willfully disclosing individually identifiable information, the disclosure of which is prohibited by the Act or agency regulations thereunder, or for willfully failing to publish an annual Federal Register notice on a system of records. The same penalties may also be assessed against anyone who knowingly and willfully requests or obtains an agency record about an individual under false pretenses. Numerous allegations of criminal violations of the Act have been made to the Public Integrity Section of the Department of Justice but almost all have involved conduct that can best be described as negligent rather than knowing and willful. Thus far, only one case has been prosecuted.75

The Privacy Act and the Freedom of Information Act

Because the Privacy Act and the Freedom of Information Act (FOIA) have certain objectives in common, the interrelation between the two statutes was an issue that had to be faced almost before implementation of the Privacy Act could begin. Three areas in particular have required interpretation: (1) the definition of an "agency," which the Privacy Act borrows from the Freedom of Information Act; (2) the responsibilities of an agency when a member of the public asks for a record about an individual under the FOIA; and (3) the responsibilities of an agency when an individual asks for a record about himself under either the FOIA or the Privacy Act, or both. The interpretation of the term "agency" has already been discussed and will be explored further in the section on internal agency disclosures in Chapter 2, below. Here, the focus is on implementation of the Privacy Act against the backdrop of FOIA requirements regarding disclosures to members of the public and to individuals who ask for access to records about themselves.

Disclosures to Members of the Public

Subsection 3(b)(2) of the Privacy Act stipulates that a record about an individual may not be disclosed to a member of the public unless its disclosure is required by the Freedom of Information Act. This provision was included to "preserve the status quo as interpreted by the courts regarding the disclosure of personal information" pursuant to the requirements of the FOIA.76 It does, however, make one important change. Prior to passage of the Privacy Act, an agency, if it so desired, could freely disclose a record about an individual to a member of the public who requested it under the Freedom of Information Act, whereas now the agency must first determine that such a disclosure is, in fact, required by the FOIA.

In particular, FOIA exemption (6) permits the withholding of "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." [5 U.S.C. 552(6)(6)] The courts have interpreted FOIA exemption (6) to mean that there are no defined categories of records that may be withheld; that each request from a member of the public must be considered on its own merits; and that the determination as to whether complying with it would constitute a clearly unwarranted invasion of personal privacy must rest on a balancing of the private and public interests involved. [Rose v. Department of the Air Force, 425 U.S. 352, 44 L W. 4503, 4509 (April 19, 1976)] If the agency determines that disclosure would not constitute a clearly unwarranted invasion of personal privacy, it may not withhold the record. A refusal to disclose the salary and grade level of a Federal civil servant, for example, could not be justified under exemption (6). If, however, the agency determines that disclosure of the record would constitute an unwarranted invasion of personal privacy, it must either refuse to disclose it or risk violating subsection 3(b)(2) of the Privacy Act.

There are some additional complexities, such as determining whether the record is, in fact, subject to the Privacy Act, i.e., whether it is maintained in a system of records as defined in the Act. If portions of a record could be disclosed without violating the subject individual's personal privacy, those portions must be disclosed. The net effect, however, is to make an agency more careful than it used to be about how it responds to FOIA requests for individually identifiable records, since it no longer has discretion to comply with them irrespective of their privacy protection implications.

It is this situation that has given rise to some concern about the interface between the sanctions in the two Acts. Subsection (a)(4)(F) of the Freedom of Information Act authorizes the Civil Service Commission to impose administrative sanctions on agency officials whom a court finds to have arbitrarily or capriciously denied an FOIA request for records, while subsection 3(i)(1) of the Privacy Act authorizes criminal sanctions for any Federal employee who knowingly and willfully violates any of the Act's disclosure prohibitions. Nonetheless, if an agency makes a good-faith determination that disclosing a record about an individual would constitute a clearly unwarranted invasion of his personal privacy, it is hard to believe that a court would find that its decision to withhold the record had been arbitrarily or capriciously made. Nor would one expect a good-faith determination that a record must be disclosed in response to an FOIA request to be treated as a knowing and willful violation of the Privacy Act's disclosure prohibitions.

A slightly more difficult question is presented by the possibility that an individual might sue an agency, under subsection 3(g)(1)(D) of the Privacy Act, alleging that the agency was wrong in determining that the disclosure of a record about him to a member of the public would not be a clearly unwarranted invasion of his personal privacy, and that he was harmed as a result. Such an action, however, would be brought against the United States rather than the official responsible for the determination, and the plaintiff would not be entitled to damages unless the court found that the agency had acted in a manner that was "intentional or willful" [5 U.S.C 552a(g)(4)], an unlikely event if the agency did indeed determine, in good faith, that the disclosure was required by the Freedom of Information Act.

On the whole, the agencies have adapted well to the Congress' attempt to make the two Acts compliment one another where disclosures to members of the public are concerned. Press requests for access to information about individuals have been the hardest to deal with, just as they were prior to passage of the Privacy Act, and there have also been some problems involving FOIA disclosures of individually identifiable records that are not maintained in a "system of records" and thus are not subject to the Privacy Act disclosure prohibitions.

The Exclusivity Issue

While the relation between the Freedom of Information Act and the Privacy Act is quite straightforward when the issue is whether a record about an individual may be disclosed to a member of the public, it is much less so when the individual, to whom the record pertains, ask for access to it. Should he be able to submit his request under either of the two Acts? Or should he be compelled to submit it under the Privacy Act?

The question is important because the answer to it can have a great impact on how much access an individual can have to the records an agency maintains on him. An individual seeking access to an investigatory file, for example, may be able to obtain much broader access if he requests it under the the Freedom of Information Act, because the corresponding Privacy Act exemption applies to entire systems of records rather than to the records or portions of the records they contain. Thus, under the Privacy Act, an agency is absolved of any obligation to consider the merits of a request for records in light of the particular documents involved; it is enough for the agency to claim that they are maintained in an exempt system. In other circumstances, however, the individual may obtain broader access under the Privacy Act, since the Privacy Act, unlike the FOIA, does not allow an agency to withhold a record on the grounds that it constitutes a purely internal government communication.

The controversy on this matter accounts in large part for the sponginess of the data presented earlier on the numbers and types of requests for access to records since the Privacy Act took effect. It was sparked by a July 30, 1975 Justice Department letter to the Internal Revenue Service declaring that the Privacy Act should be the exclusive vehicle for an individual who wants access to a record about himself. The Justice Department letter, which OMB circulated to all the agencies, came to the attention of the then Chairman of the Senate Subcommittee on Administra-tive Practices and Procedures (Committee on the Judiciary), who strongly disagreed with it and asked the Department to reconsider its position. Justice responded by amending its own Privacy Act rules to provide that, while it would treat the Privacy Act as the exclusive vehicle for an individual asking for a record about himself, it would also make available to him, at its discretion, all records within the scope of his request to which he would have been entitled to have access under the Freedom of Information Act. [28 C.F.R. 16.57]

OMB, in a supplement to its Privacy Act Guidelines, subsequently adopted a slightly different position. It urged that agencies not deny an individual access to any record about himself that is exempt from the Privacy Act's individual access requirement but "which would otherwise have been required to be disclosed [to him] under the Freedom of Information Act" [40 F.R. 56742 (December 4, 1975)] (emphasis added). OMB, however, stopped short of stating that the agencies must grant such access. Furthermore, as to the handling of such requests, OMB advised the agencies to

. . . treat requests by individuals for information pertaining to themselves which specify either the FOIA or the Privacy Act (but not both) under the procedures established pursuant to the Act specified in the request. When, the request specifies, and may be processed under, both the FOIA and the Privacy Act, or specifies neither Act, Privacy Act procedures should be employed. The individual should be advised, however, that the agency has elected to use Privacy Act procedures, of the existence and general effect of the Freedom of Information Act, and the differences, if any, between the agency's procedures under the two Acts (i.e., fees, time limits, access and appeals). [40 F.R. 56743 (December 4, 1975)]

In the legislative history of the Privacy Act, there is no evidence that the Congress intended to make it the exclusive vehicle for individuals seeking access to records about themselves. The Justice Department argument for doing so rested, in the main, on obvious differences between the Privacy Act and FOIA exemption provisions; and on its belief that allowing concurrent application of the two statutes, or, alternatively, allowing an agency official to decide which Act should apply, would be both unreasonable and impossible to administer. In some cases, however, the position Justice took could allow a third-party member of the public broader access to a record about an individual than the individual himself would have under the Privacy Act.

The actual practice of the agencies has varied. Some have ignored OMB's guidance, treating all requests by individuals for records about themselves as Privacy Act requests, while others have done their best to follow the procedure suggested by OMB.

The Cost of Implementing the Act

In March 1977, the FBI announced that it had a backlog of 7,500 unanswered requests for access to records involving the review of some 10 million pages, and that it was planning to spend $6.5 million to bring 400 agents to Washington for six months to eliminate it. The Bureau also said that its processing of access requests so far had required a staff of 53 agents and 322 support personnel at an estimated annual cost of $6.5 million per year.77 The FBI experience, however, is not typical. Cost figures recently released by the Office of Management and Budget (OMB) show Privacy Act expenditures to be much lower than originally assessed. In 1974, OMB had assessed that implementing the Act would cost $200-$300 million per year over the first four to five years and require an additional one time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect were $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.78 These costs have been broken down as shown in Figure 2.

The Act's publication requirements clearly accounted for the largest portion of the start-up cost (46 percent or an average of $2,000 per system). They account, however, for only 12 percent of the first-year operating expenses. Training was the second most costly start-up item. The $6.8-million figure includes both agency course development and employee time away from work. Implementation of the Act's security requirement was the third largest item in the start-up column, but also the lowest-cost item on the operating side. OMB speculates that this is due to a combination of minimal effort by some agencies to enforce subsection the 3(e)(10), on the one hand, and the fact that some agencies already had adequate safeguards in force, on the other. The cost of accounting for disclosures, however, was considerably higher than expected.

OMB's analysis of the $914,000 cost of establishing access procedures, and of the $10,670,000 cost of implementing them during the first year, shows that six agencies-the Treasury and Defense Departments, the Justice Department, the Department of Health, Education, and Welfare, the Veterans Administration, and the CIA-accounted for 93 percent of the expenditures. By itself, the Department of Defense, which maintains one-third of all declared systems of records, accounted for 48 percent.78 According to OMB, the six agencies' disproportionate share of access costs can only partially be explained by the number of records the six agencies maintain. Public interest in their records and, in some cases, the costly and time-consuming screening necessary before their records can be released account for the unusually high cost. In the DOD case, in particular, OMB attributes its large share to the considerable number of DOD employees who have been made aware of their rights under the Act, coupled with the wide dispersion of the Department's records. 79

Figure 2
Cost of Implementing the Privacy Act of 1974

  Summary - All agencies
(Outlays in Thousands of Dollars)
  Start Up1 Operations2
Publication Requirements $13,549 46.0% $ 4,405 12.0%
Training 6,825 23.2 3,282 9.0
Granting Access 914 3.1 10,670 29.2
Correcting Records 483 1.6 2,116 5.8
Security and Control 2,175 7.4 l,345 3.7
Accounting for Disclosures 667 2.3 9,415 25.7
New Data Collection Procedures l,164 4.0 l,507 4.l
All Other Costs 3,728 12.7 4,012 11.0
Reductions from Records/Systems Eliminated -45 -0.2 -62 -0.2
Collections - 2   -91 -0.2
         
Total3  $29,459  100.0%  $36,599  100.0% 

1 Start up costs include any one-time costs incurred from January 1, 1975 through September 30, 1976.
2 Operating costs cover the period September 27, 1975 through September 30, 1976.
3 Totals may not add due to rounding.

Source: Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, p. 23.

Notes

1 U. S. Department of Justice, Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, (Washington, D.C.: U. S. Government Printing Office, February, 1975), p. 26.

2 Amending Section 552 of Title 5, United States Code, known as the Freedom of Information Act, Report of the Committee on Government Operations, U.S. House of Representatives, 93rd Congress, 2nd Session, 1974, pp. 8-9; Freedom of Information Act Amendments, Conference Report, U.S. House of Representatives, 93rd Congress, 2nd Session, 1974, pp. 14-15

3 Letter from Assistant Attorney General, Office of Legal Counsel, U. S. Department of Justice, to the Office of Management and Budget, April 19, 1975.

4 U.S. Office of Management and Budget, "Privacy Act Implementation; Guidelines and Responsibilities" (hereinafter OMB Guidelines), 40 F.R. 28951, 28959 (July 9, 1975).

5 Ibid., p. 28976.

6 Ibid.

7 Ibid.

8 Memorandum from General Counsel William H. Taft III to John Ottina, Assistant Secretary for Administration and Management, U.S. Department of Health, Education, and Welfare, regarding the application of the Privacy Act to DHEW contractors, May 14, 1976.

9 Privacy Protection Study Commission staff interview with the Privacy Act Officer, and an Attorney, Office of General Counsel, U.S. Department of the Interior, October 20, 1976.

10 Privacy Protection Study Commission staff interview with the Chief, Information Management Division, Office of Organization and Management Systems, U.S. Department of Commerce, November 2, 1976.

11 Director, Personnel Management Staff, Office of Personnel, U.S. General Services Administration, Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 29, 1976. None of the other agencies at the workshop (DOD, DHEW, State, Treasury, USPS, GSA, VA, the Civil Service Commission, the FAA, the National Bureau of Standards, and the NLRB) declared vacancy announcements, promotion files, or retention records (established in reduction-in-force proceedings) as systems of records under the Privacy Act.

12 Privacy Protection Study Commission staff interview with the Privacy Act Officer, and an Attorney, Office of the General Counsel, U.S. Department of the Interior, October 20, 1976.

13 Testimony of the U.S. Veterans Administration, Medical Records, Hearings before the Privacy Protection Study Commission, July 2I, 1976, pp. 444, 445.

14 U.S. Agency for International Development, "1975 Annual Report on the Privacy Act of I974," April 30, I976, p. 10.

15 Privacy Protection Study Commission staff interview with an Attorney, Legal Advisor's Office and the Chief, Document and Reference Division, Foreign Affairs Document and Reference Center, U.S. Department of State, November 12, 1976.

16 Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976 (hereinafter, President's Second Annual Report), p. 23

17 Federal Personal Data Systems Subject to the Privacy Act of 1974, First Annual Report of the President, Calendar Year 1975 (hereinafter, President's First Annual Report), p. 2.

18 Ibid, p. 3.

19 Ibid, pp. 45.

20 Ibid, pp. 5-6.

21 The number after the system name is assigned by the agencies. OMB also assigns a unique number to each system consisting of agency and bureau codes for the agency maintaining the system, plus a sequential number. Agencies are encouraged to use the same numbering system as OMB.

22 Office of the Federal Register, Protecting Your Right to Privacy-Digest of Systems of Records, Agency Rules, Research Aids, p. 266.

23 OMB Guidelines, p. 28963.

24 U.S. Department of Defense, "1975 Annual Report on the Privacy Act of 1974," p. 23.

25 Privacy Protection Study Commission staff interview with the Records Officer, U. S. Postal Service, October 12, 1976.

26 Oflice of the Federal Register, Privacy Act Issuances, 1976 Compilation, 5 vol. The 1975 compilation was published in a single volume, supra, note 22.

27 Briefing by the Defense Privacy Board for the staff of the Privacy Protection Study Commission, January 16, 1976.

28 Protecting Individual Privacy in Federal Gathering Use and Disclosure of Information, Report of the Committee on Government Operations, U. S. Senate, 93d Congress, 2nd Session, 1974, p. 399.

29 OMB Guidelines, p. 28977.

30 U.S. Office of Management and Budget, Circular A-108, Transmittal Memorandum No. 1, New Systems Reports, 40 F.R. 45877 (October 3, 1975).

31 Ibid.

32 Ibid, p. 45878.

33 President's Second Annual Report, p. 9.

34 Ibid.

35 Ibid., p. I1.

36 Robert R. Belair, "Agency Implementation of the Privacy Act and the Freedom of Information Act: Impact on the Government's Collection, Maintenance and Dissemination of Personally Identifiable Information," John Marshall Journal of Practice and Procedure, Vol. 10, No. 3, (Spring, 1977) p. 480.

37 Ibid.

38 Under the Federal Reports Act [44 U.S.C 350I et seq.], OMB approves all fortes on which agencies propose to collect information from six or more members of the public, except that 44 U.S.C. 3507 exempts forms used by the Internal Revenue Service and certain other divisions of the Treasury Department. In addition, pursuant to a 1973 amendment, [44 U.S.C.A. 3512], forms used by independent regulatory agencies are reviewed by the Comptroller General, U. S. Government Accounting Office.

39 U..S. Civil Service Commission, Federal Personnel Manual System Letter 711-126, December 30, 1976.

40 U. S. National Bureau of Standards (Department of Commerce), Federal Information Processing Standards, Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974" (May 30, 1975).

41 U. S. National Bureau of Standards (Department of Commerce), Federal Information Processing Standards Task Group 15, "Index of Automated System Design Requirements as Derived from the OMB Privacy Act Implementation Guidelines," (October, 1975).

42 "Additional Guidance on Reduction in Reports Required of the American Public," Memorandum from Hon. Bert Lance, Director, U.S. Office of Management Budget, to Heads of Executive Departments and Establishments, March 7, 1977.

43 In this section the terms "regulation" and "rule" are used interchangeably.

44 OMB Guidelines, pp. 28957, 28967.

45 Ibid., pp. 28957-58.

46 U. S. Central Intelligence Agency, 1975 Annual Report on the Privacy Act of 1974, III, p. 5; letter from Clarence M. Kelley, Director, U. S. Federal Bureau of Investigation, Uepartment Justice, to the Privacy Protection Study Commission, June 30, I976.

47 U. S. Drug Enforcement Administration (Department of Justice), "1975 Annual Report on the Privacy Act of I974," p. 11.

48 U. S. Energy Research and Development Administration, "1975 Annual Report on the Privacy Act of 1974," p. 6.

49 U. S. Department of Defense, 1975 Annual Report, op. cit., pp. 5,23.

50 Ibid., p. 23.

51 Briefing by the Defense Privacy Board, op. cit.

52 Civilian Health and Medical Program of the Uniformed Services.

53 Department of Health, Education and Welfare, Secretary's Advisory Committee on Automated Personal Data Systems, Records, Computers and the Rights of Citizens, (Washington: U. S. Government Printing Office, 1973).

54 U.S. Internal Revenue Service (Department of the Treasury), "1975 Annual Report on the Privacy of 1974," pp. 3, 4.

55 This represents the time spent to give every IRS employee 30 minutes of training about the Privacy Act. Privacy Protection Study Commission staff interview with the Chief, Freedom of Information Branch, Internal Revenue Service (U. S. Department of the Treasury), August 25, 1977.

56 U.S. Energy Research and Development Administration, op. cit, p.2.

57 President's Second Annual Report, p. 14.

58 Privacy Protection Study Commission staff interview with the Assistant Chief, Division of Program Planning and Management, Bureau of Personnel Investigations, U. S. Civil Service Commission, August 30, 1976.

59 Letter from Alan Carter, Assistant Director for Public Information, U. S. Information Agency, to the Privacy Protection Study Commission, November I7, 1976.

60 Briefing by the Defense Privacy Board, op. cit..

61 This figure is the sum of all requests identified in the 1975 annual reports as "Privacy Act" requests.

62 Privacy Protection Study Commission staff interview with the Inspector and Deputy Assistant Director, Freedom of Information Privacy Act Branch, Records Management Division, Federal Bureau of Investigation, U. S. Department of Justice, August 26, 1977.

63 Belair, op. cit, p. 497.

64 Ibid., p. 498.

65 President's Second Annual Report, p. 13. Of the 35,723, 14,517 were granted in full; 3,417 were partially granted; 399 were denied; and 2,105 were returned as inadequately specific. Action was pending on the remainder. For 9,705, no record on the individual could be found.

66 President's Second Annual Report, p. 14.

67 Ibid.

68 Ibid., pp. 14,15.

69 This figure is drawn from an analysis of all the discussions of public comment in the 1975 annual reports.

70 President's Second Annual Report, p. 8.

71 Privacy Protection Study Commission staff interview with the Acting Chief, Paperwork Management Branch, Management Analysis Division, U. S. Department of Transportation, October 12, 1976.

72 Letter from Jeffrey Axelrad, Chief, Information and Privacy Section, Civil Division, U. S. Department of Justice, to the Privacy Protection Study Commission, November 12, 1976.

73 Privacy Protection Study Commission staff interview with a Trial Attorney, Freedom of Information Section, U. S. Department of Justice, August 26, 1977.

74 Memorandum from Charles C. Marson, Legal Director, ACLU Foundation of Northern California, to the Privacy Protection Study Commission, June 7, I977.

75 In United States v. Gonzalez, Crim. No. 76-132 (M.D.La. Dec. 21, I976), a former United States Attorney in Baton Rouge, Louisiana was convicted and fined $1,500 for making an unauthorized disclosure of agency records.

76 "Analysis of House and Senate Compromise Amendments to the Federal Privacy Act," 120 Cong. Rec. S21817 (December 17, 1974).

77 Privacy Protection Study Commission staff interview, with the Federal Bureau of Investigation, op. cit.

78 Letter from Hon. Bert Lance, Director, Office of Management and Budget, to Senator Abraham A. Ribicoff, Chairman, Committee on Governmental Affairs, United States Senate, March, 1977, including a report on Costs of Implementing the Privacy Act of 1974, p. 5.

79 President's First Annual Report, pp. 2-3.

Chapter 2. The Information Management Requirements.

In addition to bringing Federal agency record-keeping policy more into the open, and giving individuals certain participatory rights with respect to agency record-keeping practices, the Privacy Act of 1974 requires the agencies to assume some new information management responsibilities. On the theory that most agency records about individuals ought to be made and kept for purposes of mutual interest between the agencies and those individuals to whom the records pertain, but that the agencies have had few incentives to keep their record keeping within that shared framework, the Act seeks to establish some basic ground rules regarding the acquisition, retention, and dissemination of individually identifiable records.

This chapter describes what those ground rules are, assesses their impact on agency policy and practice, and attempts to explain why some of them have not had the effect they were expected to have. The chapter explores three topics: (l) the impact on collection; (2) the impact on the type and quality of information maintained; and (3) the impact on disclosure to third parties. Like Chapter l, the picture it presents is a mixed one. Clearly, .the Act's impact has been far less resounding than prevailing opinion would suggest but there are signs nevertheless that the Act could be quite effective if it were refined and strengthened.

Impact on Information Collection

Subsections 3(e)(1), 3(e)(2), and 3(e)(7) of the Privacy Act require each agency that maintains a system of records to:

. . . maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President. . .[5 U.S.C. 552a(e)(1)];

. . . collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs . . . [5 U.S. C 552a(e)(2)] [and]

. . . maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity. . . . [5 U.S. C 552a(e)(7)]

In addition, Section 7 of the Act forbids

any Federal, State, or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his Social Security number

and further requires that

any Federal, State, or local government agency which requests an individual to disclose his Social Security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

None of these several collection requirements and prohibitions appears to have had a profound impact on agency record-keeping practice, mainly because they are either too broadly worded or have been perceived as nothing more than restatements of longstanding agency policy.1 Where they have had an effect, it can often be traced to their interaction with some of the public-reporting requirements discussed in Chapter l.

Subsections 3(E)(1) and 3(E)(2)

By themselves, subsections 3(e)(1) and 3(e)(2) do not appear to have changed agency practice markedly. Only when coupled with subsection 3(e)(3), the so-called "Privacy Act Statement" requirement, have they had a modest impact on agency information gathering.

In their 1975 annual reports, OMB specifically asked the agencies to evaluate the impact of subsection 3(e)(2) on the quality and quantity of information they gather directly from individuals. Of the agencies that commented, only the Department of Labor reported that responses to its survey questionnaires had improved2 but no agency reported that there had been a decline in the quality or quantity of information it was able to gather from individuals directly. This experience was reaffirmed in the 1976 annual reports of 43 agencies. Moreover, only the Department of Housing and Urban Development and a portion of the Department of Health, Education, and Welfare reported any difficulty in collecting information from individuals. The difficulty occurred only in surveys, and in the DHEW case was of minor consequence.3

During the Privacy Protection Study Commission's October 1976 staff workshop on research and statistics, the Act's effect on survey research was explored in some detail. The Department of Defense Manpower Data Center and the Agriculture Department reported that the Act had had no effect on response rates in their surveys. Veterans Administration participants, however, said that before the Privacy Act took effect, the VA's survey response rate had been 75-80 percent, but when Privacy Act Statements were incorporated into its questionnaires, the rate fell to around 60 percent .4 The Bureau of the Census also reported that since the Privacy Act took effect its participant refusal rate had increased 50 percent (from l.5 to 2.2 percent), but the Bureau's response rate is still about 97 percent. Census attributed the change to interviewers making less vigorous efforts to persuade hesitant individuals to participate.5

Information on First Amendment Rights

Subsection 3(e)(7) appears to have had little, if any, effect on the collection of information about an individual's exercise of his First Amendment rights. The National Science Foundation reports that it no longer collects such information,6 but most agencies have been able to justify continuation of their previous practices on the grounds that all government agencies are, strictly speaking, involved in some type of law enforcement.

The Civil Service Commission (CSC) experience also illustrates some of the difficulties an agency can encounter in implementing subsection 3(e)(7). Under Executive Order 10450, which the Privacy Act superseded in part, the CSC was required to collect association and affiliation information on candidates for government employment. Until April 26, 1977, when it received supplemental funds for 10 new positions, the CSC continued to release Federal employees' files to other agencies without removing the association and affiliation information that had been put in them when Executive Order 10450 was fully in effect.7 Only if an individual asked to see his file would the CSC purge the information, in which case it would give the individual a copy of both the old file and the new, and then destroy the old. With 10 additional positions, however, the CSC will now be able to purge such information before disclosing it to a third party, regardless of whether the individual has asked to see his file.8

Social Security Number

Section 7 of the Act also appears to have had little effect on agency data collection practices. The National Endowment for the Arts eliminated the Social Security number (SSN) from its grant application forms;9 NASA removed it from its aircraft crew qualification records, its training request records, and its classified visit notification forms; 10 and the Department of Labor ceased to collect it from State unemployment agencies for use in the Department's system on "Characteristics of Insured Unemployed."11 However, the prohibition on denying an individual any right, opportunity, or benefit does not nullify any requirement, established by Federal statute or regulation prior to January l, 1975, to use the SSN to verify the identity of an individual. Thus the practices associated with most agency systems remain unchanged. 12

The Third-Party Source Issue

In both 1975 and 1976, many agencies reported that third parties had become less willing than before to divulge information about individuals to government agents conducting employment and security investigations and to panels reviewing applications for research grants. Yet it is not clear that the problem is a serious one or that the Act is its chief cause. The agencies' 1975 annual reports only covered the period from September 27 through December 31 (i.e., the three months immediately after the Act took effect), and while a year later OMB reported that 14 agencies (including Justice, Treasury, Defense, State, DHEW, the Civil Service Commission, and the Veterans Administration) were still finding third parties less willing to provide information than they were before the Act took effect, it saw little evidence that agencies were unable to obtain "sufficient, relevant information to achieve their purposes."13 Furthermore, the Civil Service Commission appeared to be solving its problem by reducing the amount of marginal utility information it gathers in employment and security investigations.

The reported reluctance of third-party sources has taken many forms, and many explanations for it have been offered. The State Department reported that Foreign Service Officers had become reluctant to provide adverse information on their co-workers, but attributed the change to a "prevailing . . . reluctance" to disclose personal information and to "suspicion of government institutions."14 The Securities and Exchange Commission (SEC), on the other hand, expressed concern about the effect of the Privacy Act Statement. Reciting a long list of "routine uses" made sources "confused, tense and/or bored," the SEC said, and often curtailed their cooperation.15 NASA has claimed that third parties are less willing than before to say anything that could result in an unpleasant confrontation,16 and the Civil Service Commission has noted a decline in responses to written inquiries but not to the questions put in direct interviews. 17

Seven agencies remarked on the reluctance of record-keeping organizations to disclose information. The Department of Defense (DOD), for example, reported that many corporations would not disclose information about an individual without his written authorization.18 The Canal Zone Government19 and the Energy Research and Development Administration (ERDA)20 noted a decline in the willingness of educational institutions to disclose information about teachers and students (the latter no doubt attributable more to the Family Educational Rights and Privacy Act of 1974 than to the Privacy Act).21 The Social Security Administration noticed that some physicians and medical institutions had become less willing to provide information on applicants and recipients of benefits,22 and the Secret Service reported some difficulty in getting information from State and local law enforcement agencies, as well as from other Federal agencies.23

The Act's treatment of confidentiality pledges has been the one common thread linking the agencies' observations and complaints about its alleged effect on third-party sources. Subsections 3(k)(2) and 3(k)(5) of the Act allow an agency to exempt a system of records from the individual access requirement if the system is

. . . investigatory material compiled for law enforcement purposes, other than material within the scope of subsection Ú)(2) . . .. Provided, however, that if any individual is denied any right, privilege, or benefit that he would otherwise be entitled [to] by Federal law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence; [5 U.S.C. 552a(k)(2)] [or]

. . . investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence. [5 U.S.C 552a(k)(5)] (emphasis added)

The OMB Guidelines, like the Senate-House floor statement on the Act, firmly assert that the two italicized clauses must not be used to "deprive an individual from knowing of the existence of any information maintained in a record about him which was received from a confidential source."24 The Guidelines also state that pledging confidentiality to sources of information on applicants must be limited to "the most compelling circumstances" and that agency

regulations and any implementing procedures will not provide that all information collected on individuals being considered for any particular category of positions will automatically be collected under a guarantee that the identity of the source will not be revealed to the subject of the record.25

The rationale for the agencies' objections to these requirements has varied. The Department of Defense, for example, claimed that its personnel, criminal, and counter-intelligence investigations in foreign countries had been jeopardized because host governments-necessary sources for DOD overseas investigators who often have no jurisdiction off the base or postdemand that the information they give, as well as their identities, be kept secret.26

The National Foundation on the Arts and Humanities reports that it has taken a subsection 3(k)(5) exemption for its files on grant applicants and claims that most third parties it asks to evaluate applicants' proposals request a pledge of confidentiality.27 The National Science Foundation (NSF) also claims that "a large percentage of references" continue to ask for confidentiality, and reports that there is a direct correlation between the rating given and the frequency with which confidentiality is requested-the lower the rating, the higher the frequency.28 The National Institutes of Health (NIH), whose current practice is to reveal the reviewer's identity (since it does not believe it can legitimately qualify for a 3(k)(5) exemption), believes that its own procedures for amending, appealing, and resubmitting a grant application are adequate without resort to Privacy Act procedures, which it too claims are making it difficult to find reviewers of grant applications.29

NIH and NSF have both attempted to develop data to support their arguments. In late 1975, NIH surveyed l,354 members of its initial grant review groups and advisory councils, asking them whether it would be beneficial to let grant applicants see the reviewers' critiques of their proposals, provided, of course, that the individual reviewers were not identified. Of the l,250 who responded, 53 percent favored allowing applicants see them, 41 percent were opposed, and 6 percent thought such a practice would have no effect, one way or the other. When asked whether the identity of the individual reviewers should also be revealed, however, 93 percent were opposed, five percent were in favor, and two percent thought the matter of no consequence.30 The NSF findings, however, were less clearcut. NSF has sections on its reference report forms in which sources can indicate if they want their identity kept confidential. In 1975, 40 percent requested confidentiality, 40 percent indicated no preference, and 20 percent made no choice whatsoever.31

The agencies have also reacted to the source disclosure issue in a variety of ways. Some, like NASA, no longer give a written pledge of confidentiality to employment references and to supervisors filling out merit-promotion appraisals, and even allow an individual access to any such record made about him prior to passage of the Privacy Act, regardless of whether the source was supposedly a confidential one.32 DHEW has interpreted the Act as not allowing pledges of confidentiality to reviewers of grant applications (hence, the NIH practice of disclosing reviewer identities), while the Treasury Department's Bureau of Alcohol, Tobacco, and Firearms allows an investigative source to be promised confidentiality without first asking for it if the Bureau agent seeking information determines that harm or embarrassment might otherwise result, or if the source is not being responsive.33 Some agencies have filed confidential references and merit-promotion appraisals by job rather than by the individual's name,34 thereby avoiding the Act's individual access requirement altogether, whereas others have attempted to solve the source disclosure problem procedurally.

At the Commission's October 1976 staff workshop on employment and personnel record keeping in the Federal government, DHEW participants stated that in spite of their efforts to keep sources in personnel investigations confidential, former supervisors were reluctant to provide information because they did not believe their identity could be adequately protected if the substance of their comments were released. Department of Transportation participants, however, said that they had solved that problem by asking their sources to indicate which items would identify them and then deleting the marked sections if, and when, the individual asks to see the record. Veterans Administration participants said that the VA gives supervisors the right not to have their names released but makes clear on its recommendation forms that the employee does have the right to see what is said. The General Services Administration (GSA) participants took an even stronger position, stating their belief that there is almost nothing in a personnel file that the individual should not see, and that GSA does not withhold the identity of anyone making a performance appraisal. The Civil Service Commission reported that it has developed a new file format for its investigations system (CSC/GOVT-4) that lists sources at the back of the file so that they can be easily separated from the information in the body of it.

Impact on Type and Quality of Information Maintained

The Privacy Act levies two obligations on the agencies with respect to their maintenance of records about individuals: subsection 3(e)(5), which requires an agency that maintains a system of records to

. . . maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness and completeness as is reasonably necessary to assure fairness to the individual in the determination; . . . [5 U.S. C 552a(e)(5)]

and subsection 3(e),(10), which requires an agency to

. . . establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained. [5 U.S. C 552a(e)(10)]

Subsection 3(E)(5)

Alone, subsection 3(e)(5) seems to have had little effect on agency information management practices, but coupled with the requirements to publish annual systems notices, to provide Privacy Act Statements, to establish individual access procedures, and to collect information to the greatest extent practicable from the subject individual himself, it appears to have made some contribution to reducing the amount of information agencies maintain about individuals.

For the President's 1975 annual report on the Act, OMB asked each agency to report on all systems of records it had eliminated from its inventory as a consequence of the Act's passage, as well as any cases in which the amount of information in a system of records had been reduced.35 As noted in Chapter l, many agencies could not give any figures because they had not kept track. Others frankly stated that, even if their destruction of records had been better monitored, some of it would still never have been accounted for, since the existence of the records had never been acknowledged.36 Nevertheless, some, such as the Export-Import Bank,37 reported that the Privacy Act requirement that a system of records be publicly acknowledged had prompted them to eliminate some systems. Others, including the Interior Department38 and the Department of Transportation,39 said that they had disposed of records so as not to have to be responsible for managing them. Cross-index files and other methods of associating records with individuals were also destroyed by the Department of the Interior in order to reduce the number of agency systems subject to the Aet.40

The Foreign Service said that it had reduced the amount of material in its personnel records by 50 to 60 percent,41 and the Drug Enforcement Administration reported that it had destroyed some records after it discovered that they were being maintained without statutory authority.42

The U.S. Information Agency (USIA) eliminated records on 9,300 individuals from its Personnel Security and Integrity Records File.43 The Department of Housing and Urban Development explained that, in conducting research, personal identifiers are no longer retained for the life of a study;44 and the National Center for Health Statistics reported that it too had begun a stepped up system of removing personal identifiers from its records.45 In addition, some of the larger agencies predicted that systems would be eliminated in calendar year 1976 as the justification for maintaining them was reviewed and as small systems were consolidated into larger ones46

Another widespread effect of the Act was the destruction of (uncounted) duplicate records and unofficial or convenience files.47 NASA changed its policy so that supervisors may now maintain uncirculated notes and duplicates of official personnel files but not create their own personnel files 48 The Community Services Administration reported that the Act had prompted the routine shredding of outdated employment history reports on employees.49 The National Transportation Safety Board has stopped preparing its Christmas mailing list that once contained the names, home addresses, and home telephone numbers of its employees, and also removed employees' home addresses and home telephone numbers from its personnel locator.50 The International Trade Commission (ITC) ceased publishing a list of employees' home telephone numbers and addresses, and removed the Social Security number, home address, and telephone number from its carpool application forms.51

Indeed, the review of government forms sparked by the Privacy Act appears to have been one of the most important contributors to reducing the amount of information agencies maintain about individuals.52 The Civil Service Commission revised Standard Form 171 (the application for Federal employment) and also eliminated 20 subsystems. By abandoning just one subsystem, the Security Research Index which contained information on private citizens, only a small portion of whom had ever been applicants for Federal jobs, it eliminated records on 1.3 million individuals.53 Similarly, by ceasing to collect the Social Security numbers of approximately two million people per year, the Department of Labor, as noted earlier, turned a system on "Characteristics of Insured Unemployed" into one that no longer contains records on identifiable individuals.54

In its 1975 annual report, the Defense Department reported that it had reviewed approximately 371,000 forms for compatibility with the Act, destroying 58,560, and simplifying another 22,866.55 Among the materials eliminated were 300 of the 6,700 data elements in the Air Force personnel system 56 The obvious result was to reduce the amount of information the Department collects, as compared to the amount it collected prior to the passage of the Privacy Act, but not the number of records it already maintained on individuals.

Other small changes have been noted. For example, the Veterans Administration reported that since the enactment of the Privacy Act its professional staff is less apt to put unsubstantiated comments in an individual's record,57 and the International Trade Commission's position and personnel roster no longer lists age, marital status, or an indication of Civil Service retention group.58

On the other hand, subsection 3(e)(5) does not appear to have induced the agencies to make any significant changes in their day-to-day procedures for assuring accuracy, timeliness, and completeness. Agencies contend that they have always striven for accuracy, and that "relevant, timely, and complete" are terms that mean different things in different contexts. The latter, of course, is true, but it still seems remarkable that so few agencies have made any attempt to give the terms specific meaning within the recordkeeping operations for which they are respectively responsible. Noteworthy among the efforts to improve accuracy is the Department of Transportation's campaign to impress upon State motor vehicle registries the importance of submitting accurate information to the National Driver Register.59 The Register now receives an average of nine hundred correc tions and updates a day from the States, whereas the previous rate was around one hundred.60

Some agencies have also taken steps to keep their personnel records accurate and up-to-date. ACTION arranges for its employees to verify their personnel files once a year, as does the Pennsylvania Avenue Development Corporation.61 The Committee for the Purchase of Products from the Blind and Other Severely Handicapped does not allow any information to be placed in an employee's personnel file unless he has verified it in writing,62 nor does the Federal Reserve Board (FRB), whose practice in that regard antedates the Privacy Act. The FRB notifies an employee every time a correction is made in his file and annually submits certain parts of the file to him for reverification.63

Most agencies, however, have addressed the timeliness issue mainly by ridding themselves of records for which they have no current or continuing need. Some Departments have applied for and received foreshortened purging schedules from the National Archives. ACTION credits the Privacy Act with reducing the retention period for its volunteer service files from 75 years to seven.64 The Federal Bureau of Investigation is currently destroying some misdemeanor information after 10 years and some felony convictions after 20. Previously, it had maintained both indefinitely, and while the change cannot be attributed exclusively or even directly to the Privacy Act, it reflects a generally heightened sensitivity to the importance of keeping records about individuals up-to-date 65

The Act has affected some agencies' retention of unsolicited information. When the Pennsylvania Avenue Development Corporation receives an unsolicited resume from a prospective applicant, it either returns it or sends

a "Privacy Act Statement" to the applicant who is asked to sign and return it, thereby acknowledging that he has read it. No resume the Corporation retains is kept on file for more than a year.66 The Veterans Administration does not keep information on an unsuccessful applicant more than two years,67 and the Federal Trade Commission destroys the letters it receives from consumers after one year.68

Perhaps the most important observation to be made is that the changes that have occurred have by no means been uniform throughout the government. The retention period for information in an employee's official personnel folder is a case in point. The right-hand side of the folder is reserved for Civil Service Commission documents whose retention periods are set by the CSC, while the documents on the left-hand side, which vary from agency to agency and are apt to include performance ratings, letters of recommendation and records concerning disciplinary actions, have varying or no set retention periods. The IRS, the Veterans Administration, and the Postal Service purge them every two years. DHEW and GSA purge them annually. The VA purges them when an employee leaves the Administration. The Postal Service purges its supervisor's personnel records when an employee is transferred to another USPS division.69

Subsection 3(E)(10)

There is a modest amount of legislative history on subsection 3(e)(10), the Privacy Act's so-called "safeguarding of information" provision, but it is enough to understand the legislative intent. According to the Senate Committee on Government Operations, it was intended that

the term "appropriate safeguards" should incorporate a standard of reasonableness and refer to those safeguards which represent current state-of-the-art procedures at any given time . . . .70

In taking this approach, moreover, the Committee believed it could "look forward to increasingly higher standards of reasonableness"-that it was purposely allowing for a "certain amount of risk management" wherein administrators would weigh the need for security measures against their cost and probable effectiveness.71

OMB assigned to the National Bureau of Standards (NBS) the task of developing and publishing guidelines to implement the computer security requirements implicit in subsection 3(e)(10). NBS took the approach of describing a wide variety of safeguards from which agencies could select those that met their needs. In its Federal Information Processing Standards (FIPS) Publication No. 31, published prior to passage of the Privacy Act, NBS had already developed a menu of fairly detailed physical security safeguards. In Computer Security Guidelines for Implementing the Privacy Act, FIPS Publication No. 41, published in August 1975, NBS described the need for risk assessment and examined the threats to data integrity which can arise from employee error and misuse, and from failing to control access to computer-based systems. NBS stressed the importance of standards for the maintenance of data, of rules of conduct for employees, of accounting and auditing mechanisms, and of physical security safeguards. Encryption, however, was only recommended for high-risk systems containing "sensitive" information.72

The implementation of subsection 3(e)(10) has varied. Some agencies have engaged in technological overkill and avoided more important administrative safeguards. Others have simply tightened their rules on locking file cabinets. The Commerce Department reports that since the passage of the Act, files are returned more quickly and kept locked more regularly.73 The Civil Service Commission provided additional locks for its files and revamped its access policies and procedures.74 The Department of Defense has likewise provided additional physical protection for its dataprocessing areas and strengthened its administrative safeguards against unauthorized access to its records on individuals.75 The Federal Aviation Administration claims that for the first time it has succeeded in getting personnel in the field to lock up investigative and medical files.76 The Overseas Private Investment Corporation has reduced the number of locations used for information storage,77 and the Drug Enforcement Administration has centralized and automated its system for monitoring disclosures.78 The Department of Health, Education, and Welfare has set an example for other agencies by establishing baseline security requirements to be met by all its components and, even more importantly, by establishing a vehicle for auditing compliance with them.79

OMB reports that in the nine months between the day the Privacy Act was passed and the day it took effect, Federal agencies spent $2.2 million on security safeguards they considered necessary to comply with the Act, and another $l.3 million in calendar year 1976.80 Despite these expenditures, however, many agency employees still wish for specific guidelines or standards that would keep them from having to worry about whether they are complying. Clearly, the Act has had a positive effect on security practices, and on employee awareness of them, but more effort must be devoted to establishing and, most important of all, to auditing compliance with administrative, physical, and technical security procedures.

Impact on the Disclosure of Information

Subsection 3(e)(4)(D) of the Privacy Act requires an agency to include in each annual system notice it publishes "each routine use of the records contained in the system, including the categories of users and purposes of such use." [5 U.S.C 552a(e)(4)(D)] The routine-use concept reflects a legislative compromise made shortly before the Privacy Act was passed. The Senate version of the Act would have required an individual's written consent before a record about him could be transferred from one agency to another, whereas the House version would have allowed all "housekeeping" disclosures to continue without restriction. The compromise routine-use concept is defined in subsection 3(a)(7) of the Act, which states that "with respect to the disclosure of a record," a "routine use" is "the use of such record for a purpose which is compatible with the purpose for which it was collected." [5 U.S.C. 552a(a)(7)]

Routine uses must be listed in annual system notices,81 in Privacy Act Statements [5 U.S.C 552a(e)(3)(C)], and, in addition, must be published for comment in the Federal Register at least 30 days before they are included for the first time in an annual system notice. [5 U.S.C 552a(e)(11)] The routine uses the agencies have established can be roughly divided into three categories: (l) government-wide; (2) agency-wide;and (3) system-specific.

Most of the government-wide routine uses have been established at the behest of the Department of Justice and the Civil Service Commission. These two agencies asked all the others to insert certain standard language in their annual system notices. Many agencies complied either with a preface to all of their published notices, or with a subparagraph of each one. The following prefatory statement published by the Environmental Protection Agency (EPA) is typical:

The following routine uses apply to and are incorporated by reference into each system of records set forth below:

1.   In the event that a record within this system of records maintained by the Environmental Protection Agency indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular statute, or by regulation, rule or order issued pursuant thereto, the relevant records in the system of records may be referred to the appropriate agency, whether Federal, State, local or foreign charged with the responsibility of investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation or order issued pursuant thereto.

2.   A record from this system of records may be disclosed to a Federal, State, or local agency maintaining civil, criminal, or other relevant enforcement information or other pertinent information, if necessary to obtain information relevant to an agency decision concerning the hiring or retention of an employee, the issuance of a security clearance, the letting of a contract, or the issuance of a license, grant, or other benefit.

3.   A record from this system of records may be disclosed, as a routine use, to a Federal agency, in response to its request, in connection with the hiring or retention of an employee, the

issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter.

4.   A record from this sytem of records may be disclosed, as a routine use, in the course of presenting evidence to a court, magistrate or administrative tribunal, including disclosures to opposing counsel in the course of settlement negotiations.

5.   A record from this system of records may be disclosed, as a routine use, to a Member of Congress submitting a request involving an individual when the Member of Congress informs the System Manager that the individual to whom the record pertains has authorized the Member of Congress to have access to the record. [41 F.R. 39695 (September 15, 1976)]

All systems include a routine use, allowing the disclosure of information to a congressional office, in response to an inquiry from the congressional office made at the request of the individual to whom the information pertains. Many, such as the following one published by the Interstate Commerce Commission, also authorize access to records by OMB:

The information contained in this system of records will be disclosed to the Office of Management and Budget in connection with the review of private relief legislation as set forth in OMB Circular No. A-19 at any stage of the legislative coordination and clearance process as set forth in that Circular. [41 F.R. 40430 (September 17,1976)]

Similarly, almost all notices allow for disclosures involving the hiring or retention of an employee, a possible violation of the law, or a statistical research program. The EPA prefatory statement quoted above is one example. Others, such as the following, are also typical:

Justice/USA-005 - Civil Case Files

(h)   a record may be disseminated to a federal, state, local, foreign, or international law enforcement agency to assist in the general crime prevention and detection efforts of the recipient agency or to provide investigative leads to such agency or to assist in general civil matters or cases; [41 F.R. 40017 (September 16, 1976)]

Federal Trade Commission 126 - General Personnel Records

(k)   [Information in the system may be used] as a data source for management information for production of summary descriptive statistics and analytical studies in support of the function for which the records are collected and maintained, or for related personnel management functions or manpower studies, may also be utilized to locate specific individuals for personnel research or other personnel management functions. [41 F.R. 39719-20 (September 15, 1976)]

Still another example of government-wide routine uses is found in the set of routine uses established for personnel records under the control of the Civil Service Commission. These read as follows:

Civil Service Commission/Govt-3 - General Personnel Records

Routine uses of records maintained in the system, including categories of users and the purposes of such uses: Information in these records may be:

a.   Used in the selection process by the agency maintaining the record in connection with appointments, transfers, promotions, or qualifications determinations. To the extent relevant and necessary, it will be furnished upon request to other agencies for the same purpose.
b. Disclosed to other Government agencies maintaining relevant enforcement or other information if necessary to obtain from these agencies information pertinent to decisions regarding hiring or retention.
c.   Disclosed to prospective employers or other organizations, at the request of the individual.
d.   Disclosed to officials of foreign Governments for clearance before employee is assigned to that country.
e.   Disclosed to educational institutions for training purposes.
f.   Disclosed to the Department of Labor; Veterans' Administration; Social Security Administration; Department of Defense; Federal agencies who may have special civilian employee retirement programs; National, State, county, municipal, or other publicly recognized charitable or social security administration agency to adjudicate a claim for benefits under the Bureau of Retirement, Insurance, and Occupational Health or the recipient's benefit program(s), or to conduct an analytical study of benefits being paid under such programs.
g.   Disclosed to health insurance carriers or plans participating in Federal Employees' Health Benefits Program in support of a claim for health insurance benefits.
h.    Disclosed to Federal Employees' Group Life Insurance Program in support of an individual's claim for life insurance benefits.
i.   Disclosed to labor organizations in response to requests for names of employees and identifying information.
j.   If information indicates a possible violation of law, it may be disclosed to law enforcement agencies.
k.   Disclosed to district courts to render a decision when an agency has refused to release to current or former Federal employee a record under the Freedom of Information Act.
l.   Disclosed to district courts for use in rendering a decision when an agency has refused to release a record to the individual under Freedom of Information Act (FOIA).
m.   Used to provide statistical reports to Congress, agencies, and the public on characteristics of the Federal work force.
n.   Used in the production of summary descriptive statistics and analytical studies; may also be used to respond to general requests for statistical information (without personal identifier) under FOIA; or to locate individuals for personnel research or other personnel research functions.
o.   Disclosed to the Office of Management and budget at any stage in the legislative coordination and clearance process in connection with private relief legislation as set forth in OMB Circular No. A-19.
p.   Disclosed to the appropriate Federal, State, or local agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order where there is an indication of a violation or potential violation of civil or criminal law or regulation.
q.   Disclosed to an agency upon request for determination of an individual's entitlement to benefits in connection with the Federal Housing Administration programs.
r.   To provide information to a congressional office from the record of an individual in response to an inquiry from a congressional office made at the request of that individual. [41 F. R. 42164 (September 24, 1976)]
s.   Used to provide an official of another Federal agency any information he or she needs to know in the performance of his or her official duties related to reconciling or reconstructing data files, compiling descriptive statistics, and making analytical studies in support of the personnel functions for which the records were collected and are maintained. [41 F.R. 55568 (December 21, 1976)]
t.   Disclosed to officials of labor organizations recognized under Executive Orders 11636 and 11491, as amended, when relevant and necessary to their duties of exclusive representa tion concerning personnel policies, practices, and matters affecting working conditions. [41 F.R. 544522 (December 14, 1976)]
u.   Used to select employees for incentive awards and other honors and to publicize those granted. This may include diclosure to other public and private organizations, including news media, which grant or publicize employee awards or honors. [41 F.R. 55568 (December 21, 1976)]
v.   Disclosed to another Federal agency or to a court when the Government is party to a suit before the court. [41 F. R 55568 (December 21, 1976)]

Agency-wide routine uses, which an agency established solely for its own record-keeping systems, are fewer in number than the other two types, but they are the ones that appear to be the most indiscriminate in applying the routine-use concept. For example, the Veteran's Administration provides for information in 16 separate systems to be disclosed to debt collection firms, and USIA provides for the disclosure of information in all its systems to any other government agency that has statutory or other lawful authority to maintain it. [41 F.R. 41884, 41905-6 (September 23, 1976)]

System-specific routine uses, as the rubric suggests, are those an agency establishes for a particular system it maintains. The disclosure of merit staffing reports to union representatives for equal employment opportunity purposes is a good illustration.

Compatible and Incompatible Uses

One can find many routine uses that clearly meet the test of compatibility with the purpose for which the information was originally collected. Forwarding payroll information on a government employee to the Department of the Treasury so that a paycheck can be generated for him unquestionably meets the compatibility test. So do many other interagency transfers as the following typical notices illustrate.

Equal Employment Opportunity Commission/3 - Charge of Discrimination Case Files

1.    to conduct compliance reviews with local, state and federal agencies, such as the Office of Federal Contract Compliance, Department of Justice, Department of Labor, Office of Revenue Sharing of the Treasury Department, Law Enforcement Assistance Administration, and other federal agencies as may be appropriate or necessary to carrying out the Commission's functions under the Title [See 42 U.S.C. 2000e-4(g)(l), 8(b) and (d)]; (2) sharing information contained in these records with state and local agencies administering state or local fair employment practices laws [See 42 U.S.C. 2000e4(g)(l), 8(b) and (d)]. [41 F.R. 42171 (September 24, 1976)]

Environmental Protection Agency/1 - Payroll System

To conduct all necessary and appropriate intra-agency payroll activities. To furnish information U. S. Treasury requires to issue paychecks and distribute pay according to employees' directions. To report tax withholding to IRS and appropriate State and local taxing authorities; FICA deductions to SSA; dues deductions to labor unions; withholdings for health and life insurance to insurance carriers and U.S. C.S.C.; charity contribution deductions to agents of charitable institutions; annual W-2 statements to taxing authorities and the individual. Also see routine use paragraphs in Prefatory Statement. [41 F.R. 39689 (September 15, 1976)]

FDIC/1 - Legal Intern Applicant System

Disclosure of information may be made in requesting information of individuals or concerns whose names were supplied by the applicant as references and/or past or present employers. [41 F.R. 40424 (September 17,1976)]

FDIC/12 - Payroll and Employee Financial Records

Information developed from these records is routinely provided to State, City and Federal income tax authorities, including, at the Federal level, the Internal Revenue Service and the Social Security Administration, and, to other recipients, as authorized by the employee, including the United States Treasury Department, savings institutions, insurance carriers and charity funds. Records are periodically made available for inspection to auditors employed by the Government Accounting Office. [41 F.R. 40427 (September 17,1976)]

Other routine uses, however, merely continue disclosures, regardless of compatibility, that an agency habitually made prior to passage of the Privacy Act. The following are good examples:

Justice/USA/001 - U. S. Administrative Files

A record may be disseminated to a federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information relates to the requesting agency's decision on the matter. [41 F.R. 40015 (September 16, 1976)] (emphasis added).

Federal Revenue Systems/9 - FRB Consultant File

Routine uses include, but are not restricted to, selection, monitoring, evaluation and control, audit and analysis, routine management activity and statistical use without individual identification; verification and confirmation; and referral when used as a basis for prospective employment by other than the Board; to provide information or disclose to a Federal agency, or any other employer or prospective employer, in response to its request, in connection with the hiring or retention of an employee, the letting of a contract, or issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter. [41 F.R. 39707 (September 15, 1976)] (emphasis added)

Allowing the recipient's needs to influence an agency's decision as to whether a disclosure should be deemed a proper routine use is not uncommon, and some are even more indiscriminate. For example, the routine uses established for the Department of Transportation's Documentation System countenance the disclosure of information to "anyone having business with or an interest in a documented vessel."82 Likewise, the routine uses for DOT's Merchant Vessel Casualty Reporting System include "use by the general public."83

Agencies also interpret the routine use provisions of the Act to permit the free flow of information to and between law enforcement and investigative units of government without having to comply with subsection

3(b)(7) that provides for the disclosure of a record about an individual

. . . to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request . . . specifying the particular portion [of the record] desired and the law enforcement activity for which the record is sought. . . . [5 U.S.C 552a(b)(7)] (emphasis added)

Law enforcement agencies particularly established broad-worded routine uses to assure the easy flow of information between organizations within the law enforcement community. The Bureau of Alcohol, Tobacco, and Firearms in the Treasury Department, for example, includes as a routine use of information in its "Criminal Investigation Report System" disclosure to "personnel of the Department of Justice and other agencies, Federal, State and local, foreign and domestic, having prosecutive and civil law enforcement functions." [41 F.R. 45446 (October 14, 1976)] Non-law enforcement agencies also adopt broad routine use provisions that facilitate the exchange of information with law enforcement agencies, a good example being the provisions the Veterans Administration ordinarily incorporates in its systems notices. [41 F.R. 9294 (March 3, 1976), Routine Uses 12 and 24]

On the other hand, some agencies apply the compatible-purpose test so strictly that agencies and other organizations accustomed to receiving information from them have complained that they are no longer able to fulfill their missions. For example, prior to passage of the Privacy Act, the Railroad Retirement Board (RRB) regularly obtained name, address, and benefit information from the Social Security Administration (SSA). It used this information to monitor the accuracy of payments it made to claimants under the Railroad Unemployment Insurance Act (RUIA), since, by law, the amount of RUIA benefits paid must take into account other social insurance, unemployment, or sickness benefits payable under any other law. For almost two years after the effective date of the Act, however, SSA's strict application of the compatible-purpose test made it impossible for RRB to obtain data from SSA files.

The Department of Labor had a similar problem. Several States have laws that require their unemployment insurance programs to verify the amount of any Social Security benefits a claimant receives. Initially, however, SSA did not establish such disclosures as a routine use of the information in its Earnings Recording and Self-Employment Income System and, thus, the affected States were forced to operate their unemployment compensation programs in violation of their own statutes.

These difficulties have been resolved in various ways. Both the Labor Department and the RRB problem were resolved by the routine-use notices SSA published on June 29, 1977. [42 F.R. 33079] In at least one other instance, the Congress overrode a routine-use determination in language so sweeping that it effectively nullifies the routine-use concept. In September 1976, the Congress amended the Veterans Administration's enabling legislation to require the head of any Federal department or agency to

provide such information to the Administrator [of the Veterans Administration] as he may request for purposes of verifying other information with respect thereto. [38 U.S.C. 3006]

In other situations, agencies have pursued more than one solution to the same problem. The Civil Service Commission, which is the agency responsible for most Federal personnel files, did not issue its guidelines on disclosures to labor unions representing Federal employees until 15 months after the Privacy Act took effect. Part of the reason for the delay was the CSC's effort to coordinate the drafting with the Federal employees labor union. Meanwhile, however, the Department of Defense and the Veterans Administration reduced the amount of information they were willing to give out to labor unions, while DHEW made no change. The American Federation of Government Employees was often excluded from labormanagement negotiations in which information in records subject to the Privacy Act was to be discussed unless the union first obtained the express written consent of all employees concerned. The USPS was charged with an unfair labor practice for refusing to disclose certain records subject to the Privacy Act. At the VA, unions were not allowed to review merit promotions at all, whereas at DHEW merit promotion records were released with the names removed in response to a Freedom of Information Act request.

The confusion was finally dispelled at the end of December 1976 when the Civil Service Commission published Federal Personnel Manual (FPM) Letter 711-126 explaining a routine-use notice it had published two weeks earlier. The notice provided that information about an individual could be disclosed to labor unions without his consent "when relevant and necessary to their duties of exclusive representation concerning personnel policies and practices and matters affecting working conditions." The CSC, however, instructed the officials responsible for making such disclosures to provide information whenever possible without personal identities attached, and to withhold highly sensitive information that could reasonably be expected to harm the individual if disclosed, unless and until the individual authorizes its release. This was interpreted to mean that information concerning salary, title, veterans' preference, and awards received should be released, but information concerning marital status, age, grades in training courses, allegations of misconduct, or proposed disciplinary actions should not.84

At least one other knotty routine-use problem was resolved by avoiding the compatibility criterion altogether. Within days of enacting the Privacy Act, the Congress passed another law that authorized State parentlocator units to obtain information on absent parents from the Social Security Administration. SSA, however, interpreted such disclosures as incompatible with the purpose for which the information in its files was originally collected and thus resisted establishing them as a routine use. The matter was resolved when the DHEW Secretary decided that the DHEW Parent Locator Service (at the time administered by the Social and Rehabilitation Service, another DHEW component) could obtain the information from SSA on an intra-agency "need-to-know" basis (i.e., as provided in subsection 3(b)(1) of the Act) and then disclose it to the States as a routine use (i.e., as provided in subsection 3(b)(3)).85

Some agencies have also decided that a statutory requirement to disclose information enacted before the Privacy Act can be construed as automatically meeting the compatible-purpose test.86 On its face, such a determination seems reasonable, but it also assumes that each of the many disclosure requirements in the U.S. Code would survive an examination that weighed the recipient agency's need for the information against the individual's interest in protecting his personal privacy. An even murkier area is where a preexisting statute authorizes but does not require a disclosure that would not meet the Privacy Act's compatible-purpose test. How such statutory authorization should be treated is an area of interpretative controversy that remains largely unresolved.

Finally, some officials claim that agencies have begun to "trade" routine uses. That is, when one agency wants information maintained by another, it asks the agency holding the information to publish a routine use allowing the information to be disclosed to it, and the holding agency agrees so long as the requesting agency in turn publishes a reciprocal routine use allowing information in its records to flow the other way. There is nothing illegal about this so long as all published routine uses meet the compatiblepurpose test. Yet, from a privacy protection viewpoint, it would seem preferable for an agency that wants information about an individual from another agency to require the individual to sign an authorization allowing it to acquire the information it seeks rather than to handle the matter as a quid pro quo arrangement, of which the individual is likely to be unaware

Discretionary Routine Uses

To facilitate implementation of the Freedom of Information Act, several agencies have declared certain disclosures to the public to be routine uses. Examples include the following:

Interstate Commerce Commission/VII - Consumer Complaint System

This is a public file available for public review under the terms of the Freedom of Information Act. Individuals submitting special complaint correspondence to the Commission, unless identifying their desire to remain anonymous, will not be protected from disclosure of the information contained within the complaint letter. [41 F.R. 40433 (September 17,1976)]

Federal Deposit Insurance Corporation/44 - Changes in Bank Control Ownership Records

The name of the bank whose control has changed, the seller and purchaser, and the number of shares involved may be distributed to periodicals for publication. [41 F.R. 40425 (September 17, 1976)]

Privacy Protection Study Commission/] - Commission Member and Staff Personnel Records

Files on current employees and commissioners may contain biographic background information, the disclosure of which would not constitute a clearly unwarranted invasion of personal privacy and may therefore be made available to the press and the public. [41 F.R. 40436 (September 17, 1976)]

In addition, some agencies have published routine-use notices on their internal uses of information, even though the Act does not require them to do so. The following are typical examples:

U. S. International Trade Commission/1 - Employment and Financial Disclosure Records

These records and information in these records may be used:

a.   By the Deputy Counselor for Employee Responsibilities and Conduct to determine whether or not an employee has a direct or indirect financial interest which conflicts substantially, or appears to conflict substantially, with his U.S.I.T.C. duties or responsibilities.

b.   By the Deputy Counselor to determine whether a U.S.I.T.C. employee has engaged in, directly or indirectly, a financial transaction as a result of, or primarily relying on, information obtained through U.S.I.T.C. employment.

c.   For review by the Deputy Counselor. The Deputy Counselor is responsible for maintaining these records in confidence and may not disclose information from these records to other persons or agencies except as the Civil Service Commission or the Chairman of the U.S.I.T.C. may determine for good cause shown. [41 F.R. 40045 (September 16, 1976)]

U.S. International Trade Commission/2 - Budgetary and Payroll Related Records

These records are used only for the purpose of computing the budget and keeping a record of certain employees' expenses. [41 F. R. 40045 (September 16, 1976)]

Consumer Product Safety Commission/10 - Employee Merit Promotion Program

These records and information in the records may be used:
  1. To respond to requests from employees regarding the status of the merit promotion case.
  2. To provide information to the Office of Equal Employment Opportunity when an individual files a discrimination complaint.
  3. To respond to a court subpoena and/or refer to a district court in connection with a civil suit.
  4. To adjudicate an appeal, complaint, or grievance.
  5. To effectuate promotion of employees concerned. [41 F.R. 37296 (September 2, 1976)]

Overall Impact on Disclosures to Third Parties

The Privacy Act appears to have caused a modest decline in the amount of information about individuals that agencies disclose to others. By and large, however, the impact has been at the margins of agency practice.

For example, prior to the Act the State Department regularly reported to the FBI, the CIA, and the IRS on Americans living overseas. This practice has now been curtailed and the release of such information is limited to published routine uses or law enforcement requests.87 The National Labor Relations Board has stopped releasing the forwarding addresses of former employees to their credit union,88 and the Civil Service Commission no longer discloses applicants' examination scores to their parents and spouses.89 The Civil Service Commission has limited the disclosures they will make of information in an individual's retirement records 90

Other agencies have altered their policies on disclosures to the press. The Postal Service no longer releases information on individuals currently under investigation,91 and the Customs Service has limited the amount of information it makes available about an arrest 92 The Secret Service, in some cases, requires the press to obtain an individual's written authorization before it will release information about him,93 and the USIA now requires an authorization before releasing photographs or biographic information on agency personnel.94 Many agencies have also stopped disclosing information to "Call for Action" organizations and to lawyers inquiring on behalf of clients unless they have a written authorization from the individual to whom the information pertains. "Call for Action" organizations, in particular, have complained that this unduly prolongs the process of obtaining information and seriously undermines their value to the public. Researchers are another category of nongovernmental users of agency records that have had trouble getting information from the agencies since the Act took effect 95

On balance, however, not much has changed. Agencies with law enforcement functions complain about other agencies' reluctance or outright refusal to disclose information to them. The Federal Aviation Administration, for example, has reported a slight impairment of its operations as a consequence of limits placed on the release of security and enforcement information by other agencies,96 and the Postal Service has reported that several Federal agencies have been willing to respond to law enforcement requests only when the requests were made through U. S. attomeys.97 NASA says that its law enforcement requests are no longer granted automatically; that it can take two-to-three-weeks to obtain information the agency used to be able to get by telephone.98 The FBI claims that its ability to obtain information from other agencies has been hampered by the Act, although it notes that it also gives out less information today than it used to.99

In their 1975 annual reports, the most frequently cited change in agency disclosure policy was the addition of a requirement that an individual's prior written authorization be obtained before information about him is disclosed in response to credit inquiries and employment verification requests.100 Some agencies, such as the Community Services Administration, also reported that the mere existence of individual authorization procedures has greatly reduced the number of attempts to gain unauthorized access to information pertinent to complaints about discrimination and unfair labor practices.101 Still others complained about the extra time involved in obtaining an individual's written authorization, suggesting that they are, in fact, doing so more frequently than in the past.

The one type of disclosure on which the Act appears to have had no impact at all is the ubiquitous internal agency disclosure; i.e., the disclosure of information by one agency component to another. Because the Act uses the Freedom of Information Act definition of "agency," such disclosures can be handled as subsection 3(b)(1) disclosures (i.e., to officers and employees of the agency who have a need for the record in the performance of their duties) rather than as routine uses that would have to meet the compatible-purpose test. The Social Security Administration disclosures to the DHEW Parent Locator Service mentioned earlier offer one example of how subsection 3(b)(1) can work within a large agency, and DHEW is not the only large Federal agency with many different components. It appears that the ease with which such "internal" disclosures can be made is not being abused, although the potential for abuse is certainly there. In addition, by failing to put constraints on internal disclosures the Act effectively deprives an individual of the ability to find out where information about him has gone and the uses to which it was put within the agency that maintains it, unless an agency voluntarily takes steps to inform him.

Keeping Track of Disclosures

Section 3(c)(1) of the Privacy Act requires each agency to keep an accurate accounting of

(A)   the date, nature, and purpose of each disclosure of a record to any person or to another agency made under subsection (3)(b) . . .; and

(B)   the name and address of the person or agency to whom the disclosure is made . . . . [5 U.S.C. 552a(c)(1)(A), (B)]

There are only two exceptions to this requirement. No accounting need be made of disclosures "to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties" (as provided in subsection 3(b)(1)), or of disclosures that are required by the Freedom of Information Act (as provided in subsection 3(b)(2)).

The Act's accounting of disclosures requirement has three objectives: (l) to provide an individual with a listing of the uses and disclosures of a record about him; (2) to facilitate the propagation of corrections; and (3) to promote internal agency auditing and compliance monitoring. Currently the emphasis is on the first objective and the agencies have used several different methods to achieve it.

The Act calls for an "accounting" rather than a "record" of each disclosure, thereby indicating that an agency may use any method of accounting it chooses, so long as it has the capacity to respond to an individual's request for a list of the disclosures it has made of a record about him.102 Thus, it is not surprising that the agencies have handled the accounting requirement in a variety of ways.

For example, the Civil Service Commission and the Social Security Administration, will, in some cases, make a copy of whatever has been disclosed and note on it the accounting information the Act requires them to keep. The copy is filed with the individual's record so he has access to it at the same time that he has access to the record itself. Other agencies merely keep a description of each disclosure on file, either with the individual's record or as an appendage to the system of records. The latter method is commonly used in accounting for mass disclosures, such as disclosures of payroll information to the Treasury Department.

The Act requires an agency to maintain its disclosure accountings for five years or the life of the record, whichever is longer. [5 U.S. C 552a(c)(2)] It is too soon to assess the impact of this retention requirement, but the Community Services Administration claims that it has already postponed retiring some records so that the accounting of disclosures can be kept with them for the mandatory five years.103

Of all the requirements in the Privacy Act, the accounting of disclosures is the one the agencies have criticized most. OMB reported in March 1977 that, as of the previous September, complying with the accounting requirement has cost the agencies more than $10 million. Some agencies have even looked for ways around the requirement. As described earlier, the DHEW Guaranteed Student Loan Program tried, unsuccessfully, to get applicants to authorize it not to keep an accounting of the disclosures it makes about them in the course of processing loan applications. The Social Security Administration contends that to fulfill the accounting requirement effectively its computer systems would have to be totally redesigned and that only a handful of individuals have ever asked to see the accountings SSA keeps.104

The Department of Defense reports that some of its components have had a hard time implementing the accounting of disclosures requirement, but that the Department of the Air Force has developed an efficient, wholly computerized method for keeping track of its disclosures of military personnel records. Called the Privacy Act Tracking System, it not only logs all disclosures, all amendments, and all statements of dispute, but also prints out a list of all prior recipients of a record who need to be informed of any change made in it.105

A frequently heard complaint is that an accounting must be made in situations where the need to propagate corrections does not arise-for example, when payroll records are being audited, or when disclosures are made for statistical purposes only. There is also some question as to whether subsection 3(c) requires an accounting every time an individual is given access to a record about himself. Many agencies keep an accounting only if an individual specifically cites the Privacy Act when asking to see a record. For example, many agencies that permitted an employee to have access to his personnel records before the Privacy Act required them to do so, continue to use their pre-Privacy Act procedures.106 Finally, there is uncertainty about whether an accounting need be kept of a disclosure to a Congressional office that asks for a record on behalf of the individual to whom it pertains. The IRS considers a Congressman to be the designated representative of an individual, and thus, someone to whom a record may be disclosed without an accounting, so long as he has in hand a letter from the individual requesting the Congressman's assistance.107 Of the other agencies the Commission staff contacted, however, all require that an accounting be kept of such disclosures.

Although the accounting of disclosures requirement could be modified without diminishing its utility as a check on agency practice,108 it clearly should not be abandoned altogether, as some agencies have argued. The individual's interest in reviewing the accountings agencies keep of their disclosures of records about him should not be the sole measure of the requirement's value. Many individuals do not know that the accountings exist or that they have a right to review them. Moreover, the accountings can be of great help in propagating corrections and in conducting the audits of agency compliance with the Act that will become increasingly important as more and more records and record systems are automated.

Propagation of Corrections

If an agency record about an individual is inaccurate, there are three basic ways for it to get corrected: (1) the individual to whom it pertains can ask that it be corrected; (2) the agency can discover the error and correct it on its own initiative; or (3) a third party can supply information that brings the error to the agency's attention. (For simplicity's sake, amendments to records and statements of disagreement resulting from an agency's refusal to correct or amend a record are all being treated here as "corrections.")

Furthermore, when a record is, in fact, corrected there are numerous destinations to which the correction could be propagated. For example, it could be propagated to the sources of the erroneous information; to past

recipients of the erroneous information both within and without the agency; to all recipients to whom the agency provides the information in the future; and to recipients specifically designated by the individual. Obviously, there are many possible combinations of correction methods and destinations, but the Privacy Act ignores most of them. It does not require that any corrections be propagated to previous recipients of the erroneous information within the agency; does not require that corrections be propagated to sources; does not allow an individual to designate recipients to whom he would like to have corrections propagated; and does not require an agency to propagate automatically to anyone any correction it makes on its own initiative or that is precipitated by information it receives from a third party.

The OMB Guidelines attempted to cope with this situation by encouraging agencies

to provide corrected information to previous recipients, irrespective of the means by which the correction was made . . . [and] particularly when the agency is aware that the correction is relevant to the recipient's uses . . . .109

In other words, if OMB's guidance were followed, all changes except normal updates would be propagated to past recipients outside the agency. It appears, however, that OMB's guidance is not being followed because the guidance is general, the burden is high, and the agencies are under no obligation to comply.

From the individual's point of view, the most important problem stems from the Act's failure to require that corrections be propagated from one system to another within an agency. Federal employment and personnel

records, for example, frequently exist in multiple copies or in a variety of derivative record-keeping systems, so unless a correction is automatically propagated to all of them, an individual who arranges to get a record corrected in one place may still be plagued by uncorrected versions of it elsewhere. Propagating corrections internally, however, would make it necessary for an agency to maintain audit trails similar to the disclosure accountings currently required for external agency transfers, thereby adding to the accounting burden about which the agencies now complain so bitterly.

One way to reduce the existing burden would be to give the individual a role to play in determining when a correction should be propagated and to otherwise relate the propagation of corrections requirement to a measure of its likely benefit to the individual. At present, there is no time limit or test for determining the importance to the individual of having a correction propagated; where a propagation must be made, it must be made for the life of the record. In the extreme case, if an agency knew that an employee's performance rating was incorrectly transmitted to another agency 20 years previously, when he was being considered for a job there, it would have to send the agency the corrected version even though the information could no longer have any bearing on the individual's employment situation. Indeed, the current propagation requirement could even result in the reopening of a file that had long ago been sent off to storage.

The Privacy Act also contains no provision requiring a correction to be propagated to the source of the error. When the source is an individual acting on his behalf this is probably unnecessary. But when the source is another agency, or another record system within the same agency, propagation can be an important safeguard against the repeated dissemination of inaccurate information.

Finally, it is frequently, and not illogically, assumed that correction of an error in an agency record automatically generates a review of any decision or determination that has been made on the basis of the erroneous information. Yet, as far as the Privacy Act alone is concerned, the assumption is unfounded; the Act contains no "right of reconsideration." That is, the Privacy Act by itself does not obligate an agency to reconsider or re-examine any decisions or determinations it has made about an individual on the basis of erroneous information, though statutory program requirements and constitutional due process standards may.

While the Commission staff encountered frequent comments on the question of whether or not a right of reconsideration ought to be included in the Act, the Commission reached no resolution of the issue. In most instances, a right of reconsideration is not needed in the Privacy Act, since an individual ordinarily has an avenue of administrative appeal in the program area for which the record in question is maintained. For example, once an individual has corrected his personnel record or his benefit eligibility record, he can employ existing administrative remedies to cause reconsideration of any decision or determination made on the basis of the previously inaccurate information. As records increasingly substitute for direct contact between an individual and an agency, however, and as the automatic propagation of corrections made by an agency on its own initiative becomes commonplace, it may be necessary to consider whether there are circumstances in which an individual should be notified that such a correction has been made so that he will be able to avail himself of the reconsideration rights and procedures available to him.

Notes

1 It should be noted that subsection 3(a)(3) of the Act defines "maintain". as including the terms "collect, use or disseminate." Consequently, any limitation on the maintenance of information carries with it an implicit limitation on collection.

2 U.S. Department of Labor, "1975 Annual Report on the Privacy Act of 1974," p. 6.

3 Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, (hereinafter President's Second Annual Report), pp. 11, 12.

4 Program Research Staff Assistant, Research Division, Veterans Administration at the Privacy Protection Study Commission Staff Workshop on Research and Statistical Records, October 25, 1976.

5 Chief, Program and Policy Development Office, Bureau of the Census (U. S. Department of Commerce), at the Privacy Protection Study Commission Staff Workshop on Research and Statistical Records, October 25, 1976.

6 U. S. National Science Foundation, "1975 Annual Report on the Privacy Act of 1974," p. 5.

7 This practice is being contested under the Privacy Act in Robert Gang v. United States Civil Service Commission, Civil Action No. 76-1263, (D.D.C., 1976).

8 Privacy Protection Study Commission staff interview with the Assistant Chief, Division of Program Planning and Management, Bureau of Personnel Investigations, U. S. Civil Service Commission, May, 1977.

9 U. S. National Foundation on the Arts and Humanities, "1975 Annual Report on the Privacy Act of 1974," p. 4.

10 U, S. National Aeronautics and Space Administration, "1975 Annual Report on the Privacy Act of 1974," III, p. 4.

11 U, S. Department of Labor, "1975 Annual Report on the Privacy Act of 1974," III, p. 5.

12 For a further discussion of Section 7 and its impact, see Personal Privacy in an Information Society, Final Report of the Privacy Protection Study Commission (Washington, D.C.: U. S. Government Printing Office, 1977), Chapter 16.

13 President's Second Annual Report, p. 12.

14 U. S. Department of State, "1975 Annual Report on the Privacy Act of 1974," III(b), pp. 7-8

15 U.S. Securities and Exchange Commission, "1975 Annual Report on the Privacy Act of 1974," p. 19.

16 U.S. National Aeronautics and Space Administration, op. cit., III, p. 2.

17 U.S. Civil Service Commission, "1975 Annual Report on the Privacy Act of 1974," III, p. 2.

18 U. S. Department of Defense, "1975 Annual Report on the Privacy Act of 1974," p. 32.

19 Canal Zone Government, "1975 Annual Report on the Privacy Act of 1974," III, p. 5.

20 U. S. Energy Research and Development Administration, "1975 Annual Report on the Privacy Act of 1974," III, p. 5.

21 For a discussion of the Family Educational Rights and Privacy Act of 1974 see Personal Privacy in an Information Society, op. cit..., Chapter 10.

22 2U.S. Social Security Administration (Department of Health, Education, and Welfare) "1975 Annual Report on the Privacy Act of 1974," p. 17.

23 U S. Secret Service (Department of the Treasury), "1975 Annual Report on the Privacy Act of 1974," III, p. 1.

24 U. S. Office of Management and Budget, "Privacy Act Implementation: Guidelines and Responsibilities," (hereinafter, OMB Guidelines), 40 F.R. 28973 (July 9, 1975).

25 Ibid., p. 28974.

26 U. S. Department of Defense, op. cit., pp. 31-32.

27 U. S. National Foundation on the Arts and Humanities, op. cit., p. 3.

28 Letter from Herman G. Fleming, Privacy Act Officer, U.S. National Science Foundation, to the Privacy Protection Study Commission, October 26, 1976.

29 Letter from Thomas E. Malone, Associate Director for Extramural Research and Training, Public Health Service, U. S. National Institutes of Health, (Department of Health, Education, and Welfare), to the Privacy Protection Study Commission, February 1, 1976.

30 Ibid.

31 U.S. National Science Foundation, 1975 Annual Report, op. cit., p. 5.

32 U . S. National Aeronautics and Space Administration, op. cit., III, p. 3.

33 U. S. Bureau of Alcohol, Tobacco & Firearms (Department of the Treasury), "1975 Annual Report on the Privacy Act of 1974," pp. 1-2.

34 All the agencies at the Privacy Protection Study Commission October 29, 1976 Staff Workshop on Employment and Personnel Records said they did not publish their promotion files as systems of records. This included the Civil Service Commission; the Department of Defense; the Federal Aviation Administration (Department of Transportation); the General Services Administration; the Department of Health, Education, and Welfare; the National Bureau of Standards (Department of Commerce); the National Labor Relations Board; the Postal Service; the State Department; the Treasury Department; and the Veterans Administration.

35 U. S. Office of Management and Budget, Circular No. A-108, Transmittal Memorandum No. 2, "Reporting Instructions for the Annual Report to the Congress under the Privacy Act of 1974," March 25, 1975, p. 4.

36 U.S. Department of Defense, op. cit., p. 29.

37 Export-Import Bank of the United States, "1975 Annual Report on the Privacy Act of I974," III, p. 1.

38 U. S. Department of the Interior, "1975 Annual Report on the Privacy Act of 1974," III, p. 5.

39 U. S. Department of Transportation, "1975 Annual Report on the Privacy Act of 1974," Office of the Secretary, III, p. 2.

40 U. S. Department of the Interior, op. cit.

41 Records Management Regulations Division Chief, Bureau of Personnel, U.S. Department of State, Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 29, 1976.

42 U. S. Drug Enforcement Administration (Department of Justice), "1975 Annual Report on the Privacy Act of 1974," II, p. 6.

43 U. S. Information Agency, "1975 Annual Report on the Privacy Act of 1974," III, p. 2.

44 U.S. Department of Housing and Urban Development, "1975 Annual Report on the Privacy Act of 1974," p. 6.

45 U.S. Department of Health, Education, and Welfare, "1975 Annual Report on the Privacy Act of 1974," p. 16.

46 In the President's 1976 annual report, however, OMB said that the number of systems had not been significantly reduced. (President's Second Annual Report, p. 21)

47 Agencies reporting such destruction included the Agriculture Department, the Community Services Administration (which reported destroying 129 cubic feet of such records), CSC, DOD, the Environmental Protection Agency, ERDA, the Federal Reserve Board, the Federal Power Commission, GSA, OMB, the Postal Rate Commission, the Department of Transportation, the Department of the Treasury, the International Trade Commission, and the Canal Zone Government.

48 U.S. National Aeronautics and Space Administration, op. cit., III, p. 1.

49 U.S. Community Services Administration, "1975 Annual Report on the Privacy Act of I974," p. 4.

50 Letter from Fritz L. Puls, General Counsel, U.S. National Transportation Safety Board, to the Privacy Protection Study Commission, October 1, I976.

51 U. S. International Trade Commission, "I975 Annual Report on the Privacy Act of 1974," p.4.

52 The Social Security Administration reported the elimination of five information collection forms and the National Institutes of Health withdrew twenty. The Departments of Treasury and State, the Federal Reserve Board, NASA and the SEC also reported discontinuation of some information collection. Other agencies reporting a reduction in the amount of information they maintain included ERDA, the FAA, the National Science Foundation, the Department of the Navy, and the Overseas Private Investment Corporation (which reported a 2 to 3 percent reduction).

53 U. S. Civil Service Commission, op. cit.., III, p. 1.

54 U . S. Department of Labor, op. cit.., p. 5.

55 U.S. Department of Defense, op. cit.., p. 23.

56 Briefing by the Department of Defense on Employment and Personnel Records for Dr. Alan F. Westin of Columbia University, August 9, I976.

57 U.S. Veteran's Administration, "1975 Annual Report on the Privacy Act of 1974," III, p. 4.

58 U. S. International Trade Commission, op. cit..

59 This program is one in which States may voluntarily participate. Its system of records contains information on 5.5 million drivers who have been denied a license or whose license has been revoked or suspended. Prior to the passage of the Privacy Act, individuals were unable to see their NDR records.

60 Privacy Protection Study Commission staff interview with the Privacy Act Coordinator, U. S. National Highway Traffic Safety Administration (Department of Transportation), August 26, 1976.

61 U.S. ACTION Agency, "1975 Annual Report on the Privacy Act of 1974," II, p. 4; Pennsylvania Avenue Development Corporation, "1975 Annual Report on the P62rivacy Act of 1974," II, p. 2.

U.S. Committee for Purchase from the Blind and Other Severely Handicapped, "I975 Annual Report on the Privacy Act 0f 1974," II, (d).

63 U.S. Federal Reserve Board, "I975 Annual Report on the Privacy Act of I974," p. 3.

64 U.S. ACTION Agency, op. cit.., III, p. 4.

65 Belair, op. cit..., p. 486.

66 U.S. Pennsylvania Avenue Development Corporation, op. cit., III, p. 3.

67 Director, Evaluation and Systems Services, Office of Personnel, U.S. Veterans Administration at the Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 27, 1976.

68 Privacy Protection Study Commission staff interview with the Deputy Secretary to the Commission, U.S. Federal Trade Commission, October 7, 1976.

69 Reported at the Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 29, 1976.

70 Protecting Individual Privacy in Federal Gathering, Use and Disclosure of Information, Report of the Committee on Government Operations, U. S. Senate, 93rd Congress, 2nd Session, 1974, p. 54.

71 Ibid, p. 55.

72 U. S. National Bureau of Standards (Department of Commerce), Federal Information Processing Standards Publication No. 41, Computer Security Guidelines for Implementing the Privacy Act (May 30, 1975).

73 Privacy Protection Study Commission staff interview with the Chief, Information Management Division, Office of Organization and Management Systems, U.S. Department of Commerce, November 2, 1976.

74 U. S. Civil Service Commission, op. cit., II, p. 2.

75 U. S. Department of Defense, op. cit., p. 25.

76 Privacy Protection Study Commission staff interview with a Personnel Management Specialist, U. S. Federal Aviation Administration (Department of Transportation), October 12, 1976.

77 U.S. Overseas Private Investment Corporation, "1975 Annual Report on the Privacy Act of 1974," II, p. 1.

78 U. S. Drug Enforcement Assistance Administration (Department of Justice), op. cit., II, p. 2.

79 It established a task force on this issue and published its own Information Processing Standards Publication.

80 President's Second Annual Report, p. 23.

81 This is required by OMB, not by the Act itself. See U.S. Office of Management and Budget, Circular A-108, Transmittal Memorandum No. 1, New Systems Reports, 40 F.R. 45877-78 (October 3, I976).

82 Office of the Federal Register, Privacy Act Issuances, I976 Compilation, Volume 2, p. 471.

83 Ibid, p. 470.

84 U. S. Civil Service Commission, Federal Personnel Manual System Letter 711-126, December 30, 1976.

85 Belair, op. cit..., pp. 503-04.

86 U. S. Interstate Commerce Commission, "System of Records," 41 F.R. 40430 (1975); 28 U.S.C. 534.

87 U. S. Department of State, 1975 Annual Report, op. cit..., III, p. 8.

88 U.S. National Labor Relations Board, "1975 Annual Report on the Privacy Act of I974," III, p. 3.

89 U. S. Civil Service Commission, 1975 Annual Report, op. cit., III, p. 3.

90 Ibid., p. 4.

91 U. S. Postal Service, "I975 Annual Report on the Privacy Act of 1974," III, p. 2.

92 U. S. Customs Service (Department of Treasury), "1975 Annual Report on the Privacy Act of 1974," p. 6.

93 U. S. Secret Service (Department of the Treasury), op. cit..., III, p. 2.

94 U.S. Information Agency, op. cit..., III, p. 3.

95 Testimony of Dr. Leonard T. Kurland, Mayo Clinic, Privacy Protection Study Commission Medical Records Hearings, June 1I, I976, pp. 569-70.

96 U. S. Federal Aviation Administration (Department of Transportation), "I975 Annual Report on the Privacy Act of 1974," III, p. I.

97 U. S. Postal Services, op. cit..., III, p. I.

98 U.S. National Aernautics and Space Administration, op. cit..., p. 2.

99 U. S. Federal Bureau of Investigation (Department of Justice), "I975 Annual Report on the Privacy Act," pp. 7-8.

100 Reported in their 1975 annual reports by the Bureau of Engraving and Printing (Treasury Department); the Department of the Air Force (DOD); the Coast Guard (Department of Transportation) which continues to give out rank, base pay, duty station and telephone number without consent; TVA, which has discontinued the practice of suggesting candidates for employment without their written consent; GSA; the Consumer Product Safety Commission; the Federal Deposit Insurance Corporation; the Federal Maritime Commission; the Federal Reserve Board, which only gives out dates of employment and title without the individual's written consent; the International Trade Commission, which gives job title, grade, salary, and duty location in response to telephone inquiries; NASA, which only releases what it would be required to disclose under the FOIA; the National Credit Union Administration; the Occupational Safety and Health Review Commission; the Pennsylvania Avenue Development Corporation; the Export-Import Bank; the Council on Environmental Quality, which only gives title, length of employment and salary without the individual's written consent. The Federal Home Loan Bank Board has made such disclosure a routine use of the information in at least one of its systems of records.

101 U.S. Community Services Administration, op. cit..., p. 4.

102 Privacy Act of 1974, Report of the Committee on Government Operations, U. S. House 0f Representatives, 93d Congress, 2nd Session, 1974, p. I4.

103 U. S. Community Services Administration, op. cit..., p. 6.

104 Privacy Protection Study Commission staff interview with the U. S. Social Security Administration (Department of Health, Education, and Welfare), January 12, 1976.

105 Briefmg by the Department of Defense 0n Employment and Personnel Records, op. cit.

106 Tbis was reported by the National Bureau of Standards (Department of Commerce), the U.S. Postal Service; the National Labor Relations Board; the General Services Administration; the Department of Defense; the Coast Guard and the Federal Aviation Administration at the Department 0f Transportation; the Treasury Department; the Veterans Administration; and the Department of Health, Education, and Welfare at the Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 25, I976.

107 Reported by a Personnel Management Specialist, Division of Personnel, U. S. Internal Revenue Service (Department of the Treasury), at the Privacy Protection Study Commission Staff Workshop on Employment and Personnel Records, October 29, I976.

108 Infra, Chapter 3.

109 OMB Guidelines, p. 28956.

Chapter 3. Findings and Conclusions[1].

The requirements of a law, although not always easy to interpret, derive from its words. Principles, on the other hand, are sometimes less readily apparent. The statement of principles in a law's preamble, the law's legislative history, and the conditions or problems that led to its passage must all be considered along with the language of its specific provisions.

Although many issues in the 1960's and early 1970's were loosely grouped under the category of invasions of privacy, it is clear that many of the perceived problems had very little in common. Some of the actual or potential invasions of privacy involved physical surveillance or wiretapping; some involved mail openings or burglaries conducted by government agencies; others centered on harassment of individuals for political purposes; and still others concerned the unfair use of records about individuals.

The inquiry into these matters by a number of congressional committees did not share a common analytical framework, nor were the distinctions among different types of privacy invasions sharply drawn. Nonetheless, those inquiries succeeded in focusing public attention on privacy issues and in amassing useful information regarding particular aspects of the privacy protection problem.

In 1972, the Secretary's Advisory Committee on Automated Personal Data Systems was appointed by the then Secretary of Health, Education, and Welfare, Elliot L. Richardson, to explore, as its name suggested, the impact of computers on record keeping about individuals and, in addition, to inquire into, and make recommendations regarding, the use of the Social Security number. The Advisory Committee did not examine issues arising from the physical surveillance of individuals or the wiretapping of conversations. Nor did it study mail openings, harassment of political dissidents, or violations of Fourth or Fifth Amendments rights. The Committee limited its inquiry to the use of records about individuals by government agencies and private organizations, and it focused its recommendations on automated systems while also suggesting their possible applicability to manual systems.

After examining various definitions of privacy, the Secretary's Advisory Committee concluded that the most significant aspect of the way organizations keep and use records about individuals was the extent to which individuals to whom the records pertained were unable to control their use. Accordingly, to strike a better balance between institutional and individual prerogatives, the Committee recommended a "Code of Fair Information Practices" based on the following five principles:

  • There must be no personal data record-keeping systems whose very existence is secret.
  • There must be a way for an individual to find out what information about him is in a record and how it is used.
  • There must be a way for an individual to prevent information about him obtained for one purpose from being used or made available for other purposes without his consent.
  • There must be a way for an individual to correct or amend a record of identifiable information about him.
  • Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take reasonable precautions to prevent misuse of the data.2

These five principles and the findings of the DHEW Committee, published in July 1973, are generally credited with supplying the intellectual framework for the Privacy Act of 1974, though in drafting the statute the Congress, influenced by its own inquiries, refined the five principles to eight:3

(1)   There shall be no personal-data record-keeping system whose very existence is secret and there shall be a policy of openness about, an organization's personal-data record-keeping policies, practices, and systems. (The Openness Principle)

(2)   An individual about whom information is maintained by a record-keeping organization in individually identifiable form shall have a right to see and copy that information. (The Individual Access Principle)

(3)   An individual about whom information is maintained by a record-keeping organization shall have a right to correct or amend the substance of that information. (The Individual Participation Principle)

(4)   There shall be limits on the types of information an organization may collect about an individual, as well as certain requirements with respect to the manner in which it collects such information. (The Collection Limitation Principle)

(5)   There shall be limits on the internal uses of information about an individual within a record-keeping organization. (The Use Limitation Principle)

(6)   There shall be limits on the external disclosures of information about an individual a record-keeping organization may make. (The Disclosure Limitation Principle)

(7) A record-keeping organization shall bear an affirmative responsibility for establishing reasonable and proper information management policies and practices which assure that its collection, maintenance, use, and dissemination of information about an individual is necessary and lawful and the information itself is current and accurate. (The Information Management Principle)

(8)   A record-keeping organization shall be accountable for its personal-data record-keeping policies, practices, and systems. (The Accountability Principle)

Each of these principles is manifest in one or more of the Privacy Act's specific requirements, and in their application they all require a balancing of individual, organizational, and societal interests. Hence, the Commission has used them for organizing and developing the results of its Privacy Act assessment.

General Findings and Conclusions

In assessing the Privacy Act of 1974, the Commission sought answers to the following two questions:

  • Does the Act effectively address the issues and problems it was intended to address?
  • Are there important information policy issues and problems the Act might address but does not address, or does not address adequately?

On the whole, the Commission has concluded that:

(1)   The Privacy Act represents a large step forward, but it has not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect;

(2)   Agency compliance with the Act is difficult to assess because of the ambiguity of some of the Act's requirements, but, on balance, it appears to be neither deplorable nor exemplary;

(3)   The Act ignores or only marginally addresses some personaldata record-keeping policy issues of major importance now and for the future.

The more specific conclusions that follow stem from these three basic conclusions. The Commission believes that if the Congress seeks to remedy these deficiencies by amending the Act, three steps are essential:

First, the ambiguous language in the law should be clarified to minimize variations in interpretation, but not implementation, of the law.

Second, any clarification should incorporate "reasonableness tests" to allow flexibility and thus give the agencies incentives to attend to implementation issues and to take account of the differences between manual and automated record keeping, diverse agency record-keeping requirements, and future technological developments.

Third, the Act's reliance on its system-of-records definition as the sole basis for activating all of its requirements should be abandoned in favor of an approach that activates specific requirements as warranted.

The impact of the first two of these suggestions will become clear when the specifics of the Commission's other, more detailed, conclusions are explained. The third, however, is central to the operation of the Act. From an examination of both the language of the Act and its legislative history, it seems clear that the intent of Congress was to include in the definition of the term "record"4 every one that contains any kind of individually identifiable information about an individual. However, because the Congress was mindful of the burden such a definition could impose on an agency, it limited the Act's coverage to records retrieved from a "system of records" by "name . . . or identifying number, symbol, or other identifying particular . . . ." [5 U.S.C. 552a(a)(5)J Thus, unless an agency, in fact, retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular . . .," the system in which the information is maintained is not covered by the Act. Whereas the current record definition refers to information about an individual which contains his name or identifier, the system-of-records definition refers to information about an individual which is retrieved by name, identifier, or identifying particular. As indicated in Chapter 1 above, the crucial difference is obvious, and the effect has been wholesale exclusion from the Act's scope of records that are not accessed by name, identifier, or assigned particular. None of the Act's protections accrue to an individual whose record is so treated.

There are many examples of readily accessible individually identifiable agency records that are not retrieved by personal identifier,5 and current and emerging computer and telecommunications technology will create more. While the language of the Act speaks in terms of retrieval by discrete individual identifiers, most automated record systems facilitate identification of an individual's record based on some combination of the individual's attributes or characteristics, natural or assigned, as well as by reference to individual identifiers in the more conventional sense. Thus, it would be easy to program a computer to locate particular individuals through attribute searches (e.g., "list all blonde, female Executive Directors of Federal Commissions") .6 Retrieval of individually identifiable information by scanning (or searching) large volumes of computer records is not only possible but an ever-increasing agency practice. The Federal Trade Commission, for example, is transcribing all written material in its litigation files for computer retrieval, thereby making it possible to search for all occurrences of a particular name, or any other character pattern for that matter.

In summary, the system-of-records definition has two limitations. First, it undermines the Act's objective of allowing an individual to have access to the records an agency maintains about him, and second, by serving as the activating, or "on/off switch" for the Act's other provisions, it unnecessarily limits the Act's scope. To solve this problem without placing an unreasonable burden on the agencies, the Commission believes the Act's definition of a system of records should be abandoned and its definition of a record amended

The term record should include attributes and other personal characteristics assigned to an individual, and a new term, accessible record should be defined to delineate those individually identifiable records that ought to be available to an individual in response to an access request. Accessible records would include those which, while not retrieved by an individual identifier, could be retrieved by an agency without unreasonably burdening it, either through its regular retrieval procedures or because the subject is able to help the agency find the record. If an individual knew he was mentioned in a particular record, for example, he would be entitled to access to it whether or not agency practice is to access the record by reference to him.

The Commission believes that when an individual asks to see and copy information an agency maintains on him, the agency should be required to provide that information if it can do so without an unreasonable expenditure of time, money, or other resources or if the individual can provide specific enough locating information to render the record accessible without an unreasonable expenditure. In implementing this provision, however, an agency should not have to establish any new cross-referencing schemes for the purpose of granting access, such as would be required if the agency had to be aware of all references to one individual in other individuals' files or in files indexed in any other manner (e.g., references to agency officers in files indexed by agency name). In this connection, the Commission would also urge deletion of the clause (in Subsection d(1)) of the Act which requires an agency to allow an individual access "to any information pertaining to him which is contained in the system . . . . " This requirement is impossible to satisfy since an agency often does not know how to find "all" such information.

The Commission also believes that the terms record, individually identifiable record and accessible record should operate as separate activators, or "on/off switches," for the appropriate provisions of the Act. For example, the Act's civil remedies could apply in all cases in which the misuse of an individually identifiable record through failure to comply with one of the Act's requirements resulted in injury to an individual, while the access to records provision could be subject to the reasonable burden test of the accessible record definition. This would allow more flexibility and broaden the scope of the current Act.

Another provision of the Act that limits its scope is the one dealing with contractors. Recipients of discretionary Federal grants who perform functions similar or identical to functions performed by contractors are not covered. Agency personnel interviewed by Commission staff frequently expressed the view that the implicit distinction in the Act between contractors and grantees is, in many cases, artificial. The Commission agrees. In Chapter 15 of its final report, moreover, it recommends that a uniform set of requirements and safeguards be applied to records collected or maintained in individually identifiable form for a research or statistical purpose under Federal authority or with Federal funds, and the Privacy Act is suggested as a basic vehicle for implementing these recommendations.

While care must be taken to avoid creating undue burdens on the contractor or grantee, the Commission believes that the Federal government must assure that the basic protections of the Privacy Act apply to records generated with Federal funds for use by the Federal government. Specifically, the Commission believes that any contractor or recipient of a discretionary Federal grant, or any subcontractor thereof, who performs any function on behalf of a Federal agency which requires the contractor or grantee to maintain individually identifiable records, should be subject to the provisions of the Act. The Act, however, should not apply to employment, personnel, or administrative records the contractor or grantee maintains as a necessary aspect of supporting the contract or grant, but which bear no other relation to its performance. The Act also should not apply to individually identifiable records to which the following three conditions all apply: (1) records that are neither required nor implied by terms of the contract or grant; (2) records for which no representation of Federal sponsorship or association is made; and (3) records that will not be provided to the Federal agency with which the contract or grant is established, except for authorized audits or investigations. The added specificity in delineating which records fall within the Act's purview represents an attempt to preserve the intent of the Act while removing some of the confusion that could result in undue burden on contractors and grantees.

The remaining analysis of agency implementation of the Privacy Act will be based on the eight Privacy Act principles identified earlier. The extent of their fulfillment will be examined and the Commission's suggestions for change in their implementation will be presented and explained.

Specific Findings and Conclusions

The Openness Principle

The Privacy Act asserts that an agency of the Federal government must not be secretive about its personal-data record-keeping policies, practices, and systems. No agency may conceal the existence of any personal-data record-keeping system, and each agency that maintains such a system must describe publicly both the kinds of information in it and the manner in which it will be used. This is accomplished in two ways. The first is through the required annual publication of system notices in the Federal Register. The second is through the "Privacy Act Statement"7 given at the time individually identifiable information is collected from an individual.

The requirements implementing the Openness Principle are intended to achieve two general goals:

(1)   facilitate public scrutiny of Federal agency record-keeping policies, practices, and systems by interested and knowledgeable parties; and

(2)   make the citizen aware of systems in which a record on him is likely to exist.

The Commission has found that the Act has made a significant step toward fulfillment of these objectives, especially the first one, but that it has still fallen short of expectations.

The Commission believes that publishing record-system notices once each year in the Federal Register is worthwhile. It develops an inventory of agency record-keeping operations that is useful for both public scrutiny of Federal agency record-keeping practices and for internal management control. Unfortunately, however, the annual notices tend to be less informative than they could be, and they are not required to describe the extent to which information is used within the agency. Furthermore, the Act is silent on the distinction between a system and a subsystem, and there are no criteria for limiting the diversity of information, purposes, or functions that may be incorporated in any one record system, and thus subsumed in one annual Federal Register notice. As a result, some annual notices are too encompassing to be informative. Likewise, duplicate, substantially similar, or derivative systems are frequently either unlisted or not cross-referenced. The Commission believes that the primary purpose of the public notice requirement should be to facilitate internal and external oversight of agency activities, including public scrutiny. Thus, it believes that the annual notices should provide more detail than they now do and should reflect more accurately the context or manner in which an agency maintains records.

One of the specific shortcomings of the system notices has been the literal interpretation of the requirement to describe the routine uses. While limiting these descriptions to external uses is consistent with the prevailing interpretation of the Act's routine-use definition, in many cases, the more significant uses are internal ones. Therefore, the Commission believes that the section in the annual notice on routine uses of records maintained in a system, including categories of uses and the purposes of such uses, should include a description of internal uses of information as well as external disclosures.

Describing the context and manner in which an agency uses the records in a system would at least partially reveal the relationships among systems that are often obscured today. When a large, complex record system is covered by one system notice, the subsystems should be described in detail. The important concern should not be to define the level at which a subsystem must be described, or the way to describe indices, but rather that an agency present a true picture of how it uses information in a system and how the system itself is perceived by the agency. The goal should be to remain faithful to the Openness Principle by assuring that there are no secret systems. The possibility that an agency may comply with the technical requirements of the Act's notice provisions but still maintain systems that are effectively secret must be avoided.

The goal of facilitating public scrutiny is hindered by the fact that the Federal Register is at best a limited vehicle for reaching the general public. Every effort should be made to classify, compile, and index the information in notices logically. For example, it would be useful to differentiate between the large group of systems that are solely devoted to record keeping about agency personnel and the much smaller group that contains information on citizens in general. The Federal Register compilation should make it easy for a private citizen, a member of a public interest group, or a congressional staff member to pinpoint a particular type of record or system of records.

Given the limited readership of the Federal Register, however, the best way of making the citizen aware of systems in which he is included is through the "Privacy Act Statement," which is similar to the annual system notice, except that it also informs the individual of internal agency uses of information about him. Like the annual notices, however, Privacy Act Statements are often too vague or general to inform the individual adequately. They need not explain that supplementary information may be collected from other sources and not every agency or system is subject to the Statement requirement.

There is a problem in finding a balance between the length of a Privacy Act Statement and its clarity; if it is too long, individuals are not likely to read it; if it is too short, it may not convey enough information for the individual to understand fully how the information will be used. The contents of the Privacy Act Statement are discussed in the section on the Collection Limitation Principle.

The Individual Access Principle

The Privacy Act's second principle is that an individual should have a right to see and obtain a copy of a record an agency maintains about him. Prior to the Act's passage, an individual was able to obtain copies of the records a Federal agency might keep about him in several ways. The Armed Services, for example, made many personnel, medical, and performance records available to servicemen. In fact, the subjects of certain personnel records are required to review and sign them once each year. Federal agencies also have procedures that give an individual access to records about him when there is a dispute over his entitlement to benefits.

In addition, the Freedom of Information Act (FOIA) [5 U.S.C 552], which predates the Privacy Act by seven years, allows any person to see and obtain a copy of any record in the possession of the Federal government without regard to his need for or interest in it. An agency can withhold a record that falls within one of nine FOIA exemptions, but its determination to do so, if appealed by the requestor, must withstand administrative and judicial review.

Individuals could and did use the Freedom of Information Act to gain access to their own files prior to passage of the Privacy Act. There were several drawbacks, however. First, an agency could decline to release information deemed to be part of the internal deliberative processes of government.8 In certain cases, this resulted in a considerable amount of information about an individual being taken out of a file prior to giving the file to him. Second, in the early days of the Freedom of Information Act, some agencies refused to disclose personnel and medical files to an individual on the grounds that disclosure to the individual would constitute a clearly unwarranted invasion of his personal privacy.9

The individual access provision of the Privacy Act [5 U.S.C 552a(d)] was enacted in part to clarify these uncertainties with respect to an individual's right to see and obtain a copy of a record about himself. The Privacy Act has its own set of exemptions from its individual access requirement which will be discussed below. For all other systems subject to the Act, however, agencies must now facilitate access by an individual when he so requests and may never keep records about himself from him on the grounds that they constitute communications within or among agencies. Nonetheless, the Commission has found that the number of Privacy Act access requests (i.e., requests specifically citing the Privacy Act) has not been great and that most have come from agency employees or former employees. One reason for this may be that preexisting law and practice continue to be used. In addition, the public's awareness of the Freedom of Information Act still appears to be much sharper than its awareness of the Privacy Act. Another reason may also be that the Privacy Act's own exemptions from the access requirement are too sweeping. The Central Intelligence Agency and some major law enforcement systems qualify for a blanket exemption from the access requirement. Thus, individuals who want access to records about themselves in those systems must use the Freedom of Information Act as their vehicle.

The Privacy Act exemptions from the individual access requirement are permissive, not mandatory. In addition, unlike the Freedom of Information Act exemptions, they apply to systems of records rather than to specific requests for access to specific information. To invoke any one of them an agency must publish its intention to do so in advance. As a result, some over-cautious lawyers and administrators have made excessively broad claims of exemption. Once an exemption is published, moreover, agency operating personnel are inclined to use it, thus eliminating exercises of judgment in light of the particular record sought.

On the other hand, some agencies have not claimed exemptions to which they may have been entitled, and others have claimed them but do not use them. The Central Intelligence Agency, for example, processes individual access requests under the Privacy Act despite having claimed the broad exemption the Act provides it. On balance, however, the Act's requirement that exemptions be claimed in advance, and that they cover entire systems rather than types of records or specific requests, has resulted in unnecessary exclusions of records from the scope of the Act's individual access requirement.

Agency rules on individual access, and on the exercise of the other rights the Act establishes, appear, in most instances, to be in compliance with the Act's rule-making requirements. Yet, they too are often difficult to comprehend, and because the principal places to find them are in the Federal Register and the Code of Federal Regulations, it is doubtful that many people know they exist, let alone how to locate and interpret them. Furthermore, the Act's requirement that an individual specifically name the record system in which the record he desires is located is not realistic. Fortunately, many agencies have gone beyond the letter of the law in assisting individuals whose access requests reasonably describe the records sought, but the requirement to name the system still seems likely to discourage some people from asking to see their records. Finally, the Act's requirement that an agency keep an accounting of each disclosure of a record to the individual to whom it pertains appears to be an added incentive to process access requests under the Freedom of Information Act rather than the Privacy Act when an agency has a choice (i.e., when the individual does not specify that his request is being made under one Act or the other).

It would appear, in sum, that individuals continue to rely on preexisting laws and practices when they want access to agency records about themselves. From the individual's point of view, one advantage of the Freedom of Information Act is that there are specific limits on how long an agency may take to respond to a request, whereas in the Privacy Act there are none. Furthermore, although the FOIA permits agencies to charge search fees, while the Privacy Act does not, in practice such charges are rarely made when an individual is asking for information about himself.

The Privacy Act has benefitted a current or past Federal employee to the extent that it allows him to circumvent the FOIA exemption for documents pertaining to internal agency deliberations when he wants access to some of the more interesting parts of an evaluation report or inquiry into his background. The Privacy Act has retained a limited exemption for some personnel evaluations, but its net effect has been to increase the accessibility of such material. It could also be concluded that Federal employees, unlike the private citizen, are aware that the Act exists and, being comfortable with bureaucratic procedures, have quickly learned how to use it.

To aid an individual in gaining access to his record, the Commission believes that the Privacy Act should parallel the approach of the Freedom of Information Act in that an individual should be required to make a request which reasonably describes the record to which he desires access. In those situations in which an agency believes an individual has made too broad an access request, it should help him refine his request. This is the procedure most agencies are following now, but modification of the language of the Act is important. The likelihood of a private citizen being aware of the name of a system of records published in the Federal Register is too remote to be relied on.

In addition, the Commission believes that the Privacy Act should be the exclusive vehicle for individuals requesting access to records about themselves, provided that the Privacy Act's approach to exemptions from the individual access requirement is modifled to parallel that of the Freedom of Information Act (as discussed below). Making the exemption approaches parallel is necessary to assure that the individual does not receive less information using the Privacy Act as his access vehicle than he would if his request for access were processed under the Freedom of Information Act. Because agencies may currently ignore the time limits suggested in guidelines for implementation of the Privacy Act issued by the Office of Management and Budget, 10 explicit time limits should also be added to the Privacy Act so that by making the Act the individual's exclusive access vehicle he will not lose the time limit protections now in the Freedom of Information Act. The fees, appeal rights, and sanctions of the Privacy Act, however, would still apply.

Besides the direct benefits for the individual of such an approach there are certain procedural benefits to the agencies which should be noted. Currently, Freedom of Information Act offices and officers are required to respond to requests for access to both personal information about individuals and information about agency activities (e.g., regarding agency policies). By making the Privacy Act the exclusive access vehicle for any individual requesting information about himself, some stress will be removed. The actual number of requests for information will not be affected, but this approach better divides responsibility in the agencies. Perhaps some of the confusion surrounding the interrelation between the Freedom of Information Act and the Privacy Act will even be reduced.

In addition to requiring an agency to assist an individual in reasonably describing the records to which he seeks access, it is important for an individual to have access to, and the right to amend, information about which he may not have enough detailed knowledge to formulate a specific request. Thus, the Commission believes that access to substantially similar or derivative versions of records sought by an individual should be provided automatically in response to his request for the original record to the extent that providing such access does not constitute an unreasonable burden on the agency.

There are two related situations at issue here. The first is where there may be an exact duplicate of a record maintained in another part of the agency. The second, and more important, is where some portion of a record may have been copied and then subsequently amended, appended, or otherwise altered. Alternatively, two records, or portions thereof, may have been combined. In each of these cases, it can be reasonably inferred that the individual would want to know about all versions of the record were he aware of them. Thus, the burden must be on the agency to take reasonable affirmative steps to describe and, if requested, to make available to the individual the several versions. While the individual may not want to see an exact duplicate of the original record, for example, he may wish to amend it if he amends the original. Moreover, the uses and disclosures of exact duplicates of a record, as well as substantially similar or derivative versions of the record, often will not be the same as the uses and disclosures of the original, and thus it can be assumed that the individual will want to know about them.

The Commission believes that the Privacy Act's approach to exemptions from the individual access requirement should be modified to parallel that of the Freedom of Information Act. Currently, Privacy Act exemptions are claimed in advance and apply to entire systems of records. Pre-claimed exemptions can be waived on a case-by-case basis, and while there is evidence that agencies are not using all of the exemptions claimed, they still seem to be claiming every one possible (including, in some cases, exemptions to which they would not appear to be entitled), but then using them only as needed. This creates uncertainty for the individual which the framers of the Act did not intend.

Abandonment of the system-of-records definition currently in the Privacy Act necessitates a different exemption strategy than the one the Act now has. The natural model to use is the Freedom of Information Act. The FOIA allows exemptions for certain types of information rather than for entire systems of records; exemptions may be invoked only when applicable, not claimed in advance. In addition, any segregable portion of a record which by itself does not qualify for an exemption must be provided to the individual. The FOIA approach appears to be working well, and its presumption that access should be granted to any part of a record for which an agency cannot sustain an exemption claim seems highly desirable.

Using the FOIA approach to exemptions would have the unintended effect, however, of voiding the Privacy Act provision that allows the CIA and law enforcement agencies to maintain unverified information obtained from intelligence or investigative sources.11 Consequently, if the suggested exemption policy is adopted, it should allow the CIA, or any agency or component thereof which performs as its principal function any activity relating to the enforcement of criminal laws, to maintain information whose accuracy, timeliness, completeness, or relevance is questionable, provided, however, that such information is clearly identified as such to all users or recipients of it. This would preserve the Act's current policy. The only new requirement would be that the unverified information be clearly identified as such when it is disclosed to anyone else.

The Commission believes that certain of the specific exemptions in the Freedom of Information Act should actually be duplicated in the Privacy Act. These include the Freedom of Information Act exemptions dealing with information specifically authorized to be kept secret in the interest of national defense and foreign policy, certain investigative information compiled for law enforcement purposes, and operating reports used by an agency responsible for the supervision of financial institutions. This, too, would clarify, without altering current policy, and it would have the further advantage of incorporating the existing body of judicial interpretation as to what may or may not be withheld pursuant to the FOIA exemptions. Today, an individual is supposed to be granted access to the larger of the amounts of information to which he would be entitled under the FOIA or the Privacy Act, so there seems to be no practical reason for the two Acts to have different exemptions in the same area.

Finally, the Commission believes that the Act's requirements with respect to a patient's access to a medical record an agency maintains about him should be brought into line with Recommendation (5) in Chapter 7 of its final report. The Commission also believes that the Act should be refined to allow agencies to deny access to a parent or legal guardian in those situations in which another statute authorizes such withholding.

The Individual Participation Principle

The third Privacy Act principle holds that an individual should have the right to challenge the contents of a record on the grounds that it is not accurate, timely, complete, or relevant. The principle specifically recognizes that information can be a source of unfairness to an individual. In theory, the right to participate in the maintenance of a record allows for complaint, involvement, and representation in order to force a balancing of the individual's interests against the record keeper's. If this principle is enforced, the individual is able to keep some measure of control (although not absolute control) over the substance of what he himself reveals to an agency, as well as to check on what the agency collects about him from other sources.

The Act has made significant progress toward fulfillment of this principle through its requirement that agencies establish procedures whereby the individual may request correction or amendment of a record, appeal any denial of his request, and file a statement of disagreement if the denial and appeal result in a stand-off, either before or after judicial review. In allowing the individual to file a statement of disagreement, even after the agency's denial of his request is upheld by a court, the Act implicitly recognizes that the agency and the individual may have divergent interests in the content of a record, as well as the fact that there may be no clear-cut criteria for assessing accuracy, timeliness, completeness, or relevance.

Despite the Act's sophistication in this area, however, the correction and amendment rights have not been widely exercised. This doubtless reflects the small number of access requests under the Privacy Act; but it may also be due in part to the fact that so many of the agency records an individual might want to correct or amend are exempt from the individual access requirement and therefore not open for correction or amendment. Nevertheless, the right to correct or amend a record, once access has been obtained, is an area in which the Privacy Act represents a significant advance for the individual.

The Collection Limitation Principle

The fourth principle of the Privacy Act is that there shall be limits on the type of information a record-keeping institution collects about an individual, as well as certain requirements with respect to the manner in which it may be collected. An agency may not collect whatever information it wishes, nor may it collect information in whatever manner it wishes. The principle is implemented by requiring that agencies (1) collect only information that is relevant and necessary to accomplish a lawful purpose; 12 (2) collect information to the greatest extent practicable directly from the subject individual; 13 (3) give every individual a Privacy Act Statement at the time individually identifiable information is requested of him;14 and, (4) in certain instances; refrain from collecting an individual's Social Security number15 and information relating to his exercise of First Amendment rights.16

The requirement to limit collection to information that is relevant and necessary to accomplish a lawful purpose of the agency seems to have resulted in a modest amount of revision and reduction of data-collection forms, and consequently a modest reduction in data collection itself. In contrast, the requirement that agencies collect information to the greatest extent practicable from the subject individual does not appear to have changed practices at all.

The required "Privacy Act Statement" seems not to have had much of an effect on the amount of information individuals are asked to provide about themselves or on their willingness to provide it. There appears to have been a slight reduction in the willingness of individuals to answer survey questions since passage of the Act, but this cannot be confidently attributed to the Privacy Act Statement.

In addition, there appears to be some troublesome ambiguity in the subsection of the Act that contains the "Privacy Act Statement" requirement. Subsection 3(e)(3) reads in part:

Each agency that maintains a system of records shall

(3)   inform each individual whom it asks to supply information

Some agencies have interpreted this to require a statement only when individually identifiable information is collected from the subject individual and not to require it when such information is collected from a third party. The Commission believes that a Privacy Act Statement should be provided to all individuals from whom individually identifiable information is collected including third parties.

On the other hand, the Privacy Act Statement must now be supplied or read each time individually identifiable information is collected, regardless of the frequency of contact between an agency and an individual. This is burdensome to the agency and can cause the Statement to be ignored by the individual. The purpose of the Statement is to provide the individual with enough information to allow him to judge whether or not to provide the information requested. There appears to be no useful purpose in doing this repeatedly if the individual has been provided with a copy of the Statement within a reasonable period of time prior to a follow-up request for information so long as the follow-up request is consistent with the original statement. Thus, the Commission believes that the burden on agencies could be safely reduced by requiring that the individual be given a Privacy Act Statement only if he had not already been given a retention copy within a reasonable period of time prior to a subsequent request for information from him.

A second problem with the Privacy Act Statement is that it tends to state the obvious and does not explicitly spell out other possible uses of the information. The Commission, consistent with its recommendations in other areas, believes that the Statement should describe those uses of information that could reasonably be expected to influence an individual's decision to provide or not to provide the information requested. Since the individual's decision may be influenced by the techniques used to verify the information he provides, the Statement should also include a description of the scope, techniques, and sources to be used to verify or collect additional information about him.

Providing a concise statement on uses and third-party sources may, upon occasion, prove to be more confusing than enlightening. Therefore, the Statement should, in addition, identify the title, business address, and business telephone number of a responsible agency official who can answer any questions the individual may have about the Privacy Act Statement.

The proscription on the collection of information about how an individual exercises his First Amendment rights appears to have had no noticeable effect on agency collection practices. The prohibition does not apply when an agency is expressly authorized to collect such information either by statute or by the individual, or where collection is "pertinent to and within the scope of an authorized law enforcement activity." [5 U.S.C. 552a(e)(7)JBecause virtually all government agencies can be said to be involved in some type of law enforcement, the latter exception, in particular, has tended to negate the prohibition. A more accurate, and hence more effective, way of stating the congressional intent would be to refer to "an authorized investigation of a violation of the law." This change would not prohibit an agency from collecting a specific item of information whose collection is expressly required by statute or expressly authorized by the individual to whom it pertains, or whose collection would be a reasonable and proper library, bibliographic, abstracting, or similar reference function. Section 7 of the Privacy Act, which attempts to limit collection of the Social Security number from individuals, also appears to have had little effect on agency practice. Its "grandfather clause," which allows agencies to continue to demand the number if they did so under statute or regulation prior to January 1, 1975, has encompassed almost all uses of the Social Security number at the Federal level.17

The Use Limitation Principle

The fifth Privacy Act principle asserts that, once collected, there are limits to the internal uses to which an agency may put information about an individual. Once an agency has legitimately obtained information, it still may not use it internally without restriction.

The Act requires an agency to obtain an individual's written consent before disclosing a record about him to any of its employees other than "officers and employees . . . who have a need for the record in the performance of their duties." [5 U.S.C 551a(b)(1)] However, because the terms "need" and "duties" are open to interpretation, the effect of this restriction is limited.

In theory, the requirement speaks to the kind of situation described in Chapter 6 of the Commission's final report, wherein the employee-employer relationship was seen to subsume other record-keeping relationships, such as the medical-care and insurance ones. A problem inherent in the provision is the fact that one agency may have many different types of relationships with an individual but the provision takes no account of the difference between them; for that reason it has no practical effect on limiting certain internal uses of information. This is particularly true in the case of the larger cabinet departments which, for purposes of the Privacy Act, have defined themselves as one "agency."

Where differences in record-keeping relationships have been recognized in other statutes, such as where a component of the Department of Health, Education, and Welfare is subject to a confidentiality statute elsewhere in the U. S. Code, the integrity of the relationship that the statute addresses may be preserved within the framework of Subsection 3(b)(1). Section 1106 of the Social Security Act, for example, limits the disclosure of records maintained by the Social Security Administration, and thus it functions as a limitation on internal agency uses of records, even though the Department of Health, Education, and Welfare has defined itself as one agency for the purposes of the Privacy Act.

It can reasonably be assumed that the Privacy Act was not intended to nullify other statutes which limit the use and dissemination of information. Indeed, while the Act is silent on this issue, the OMB Guidelines advise that: "Agencies shall continue to abide by other constraints on their authority to disclose information to a third party including, where appropriate, the likely effect upon the individual of making that disclosure."18 One would expect the OMB guidance to be definitive, but the internal use issue is a murky one. The "confidentiality" statutes in the U.S. Code are many and various, and it is not clear how statutes that authorize use or disclosure, rather than prohibit it, should be treated in relation to Subsection 3(b)(1).

The Commission believes that the way to resolve this issue is through a revised routine-use provision that would apply to both internal and external agency uses and disclosures of information. Such a provision would act as a minimum standard against which potential uses and disclosures of information would be measured. It would supersede preexisting statutes that authorize disclosures in a vague or general manner, but not statutes in which the Congress, as a matter of public policy, has called for the use and disclosure of specific types of information m specific situations. Such a provision, moreover, would not be construed as expanding an agency's authority to use or disclose information if the agency was already subject to a preexisting statute that restricted its use and disclosure of information more narrowly than the Privacy Act does.

The only way for the individual to discover the internal agency uses of a record about himself is through the "Privacy Act Statement," which cannot anticipate future uses over which the agency has no control. For example, two days after the Privacy Act was passed, the Congress passed another law creating a Federal Parent Locator Service (PLS) authorized to obtain information from the Social Security Administration upon request, regardless of the strictures of other statutes such as the Privacy Act. As already noted, moreover, the "Privacy Act Statement" need not inform the individual that information about him may be collected from third parties, thereby diluting the effect of the Use Limitation Principle even further.

While the Commission believes that the problem of controlling internal uses of information cannot be solved by levying specific requirements on the agencies, the "routine use" provision, which forbids disclosures that are not compatible with the purpose for which the information was originally collected, should be applied to internal agency uses. In addition, by strengthening the individual enforcement mechanism and establishing a central office within each agency for Privacy Act implementation (see below), compliance with the spirit of the internal use requirements will be improved.

The Disclosure Limitation Principle

The sixth Privacy Act principle asserts that there must be limits on the external disclosures of information an agency may make. That is, once an agency has legitimately obtained information, it still may not disclose it externally without restriction.

The Privacy Act authorizes ten categories of external disclosures that may be made without the consent of the individual. The most important one is found in Subsection 3(b)(3) which authorizes any disclosure that has been

established as a "routine use"; that is, any disclosure for a "purpose which is compatible with the purpose for which [the information] was collected." [5U.S.C. 552a(b)(3), 5 U.S.C. 552a(a)(7)J]The key word is "compatible," which some agencies have interpreted quite broadly. As but one example, the United States Marshals Service published a routine-use notice on September 16, 1976, which read in part:

A record may be disseminated to a Federal agency, in response to its request, in connection with . . . the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information relates to the requesting agency's decision on the matter. 19 [emphasis added]

Another problem with the routine-use provision is its relation to Subsection 3(b)(7), which authorizes disclosures of individually identifiable information to agencies for law enforcement purposes if the head of the agency requests the information in writing and specifies the legitimate law enforcement activity for which the information is desired. While treating the routine-use provision narrowly for some purposes, most agencies have employed it in combination with other laws to facilitate the flow of information to and between law enforcement and investigative units.

The combination of the Privacy Act's routine-use provision and Section 534 of Title 28, for example, permits agencies to circumvent the requirements of Subsection 3(b)(7). Under Section 534 of Title 28, the Department of Justice is required to maintain a central law enforcement information bank and to provide a clearinghouse for such information, particularly for agencies of the Federal government. Agencies have understood this provision to be a congressional endorsement of the routine exchange of law enforcement information, at least under the auspices of the Attorney General.

Currently, agencies of the Federal government seem to be employing the routine-use provision in order to permit the free flow of law enforcement and investigative information without having to comply with the standards of Subsection 3(b)(7). Agency system notices frequently indicate that information will be supplied to appropriate Federal, State, local, and, sometimes, foreign law enforcement agencies of government. In short, the Privacy Act does not place an effective burden on, or barriers to, the free flow of information within the law enforcement and investigative community.

Concurrent with formal endorsement of relatively unrestricted information flow to and between investigative agencies, the agents of investigative units have continued to employ the informal information network that exists within the law enforcement community. An agent of one unit may call his counterpart in a second agency to see if it might have any information on the subject of an investigation or any leads to people who might be appropriate to investigate. As the system currently operates, there would be some impediments to such disclosure-though not insurmountable ones where the units of government involved only investigative agencies and the information exchanged came exclusively from their files. Today, however, the unfettered ability to exchange information between law enforcement and investigative units amounts to access by such units to virtually any governmental records without the need to comply with the strictures in Subsection 3(b)(7).

Almost all agencies have law enforcement units of one sort or another through which information desired by other units in other agencies may be channeled. Indeed, the law enforcement unit of an agency might seek information on an individual from records maintained by other components of an agency and transmit it to a second agency which could subsequently maintain it in a form (e.g., retrievable by docket number) which leaves it free of Privacy Act restrictions. Law enforcement units and investigation agencies can, and often do, operate in this fashion and thus function as a conduit for the exchange of information with other law enforcement units. The problem is not so much that law enforcement units disclose information about individuals to illegitimate recipients, but rather that the determination of legitimacy is more often than not highly informal, with the decision to disclose being made by anyone from the field agent level to the head of an agency. Such informality presents substantial potential for improper disclosure. This is a problem the Commission has not dealt with extensively, though a structure for effective examination of it is suggested later in this chapter.

Although the effect of the routine-use provision has been limited, due mainly to the fact that it has been interpreted as applying only to external transfers of information, its safety-valve aspects should be preserved. The disclosure provisions of the Privacy Act must allow for a certain amount of agency discretion, since, in an omnibus statute, it is impossible to enumerate all of the necessary conditions of disclosure. Nonetheless, the Commission believes that the compatible purpose test of the routine-use provision should be augmented by a test for consistency, with the conditions or reasonable expectations of use and disclosure under which the information was provided, collected, or obtained. The individual's point of view must be represented in the agency's decision to use or disclose information, and today the compatible-purpose test only takes account of the agency's point of view.

The routine-use definition should also apply to internal, as well as external, agency uses and disclosures of information. This is important, since the majority of uses of information are made by the agency that originally collects it.

Congress may, of course, elect, as it has done in the Tax Reform Act of 1976, to authorize particular uses or disclosures of information that are either incompatible with the purpose for which the information was collected, or inconsistent with the individual's reasonable expectations of use and disclosure. Such additional uses and disclosures of information should be treated as routine uses, provided that the statute authorizing them establishes specific criteria for use or disclosure of specific types of information. Ideally, the Congress should review all the statutes that authorize such incompatible uses and disclosures and determine which ones it wishes to retain. The point, however, is that the Commission, as in other areas, believes that blanket disclosure authorizations or limitations should be actively discouraged.

One might think of incompatible uses and disclosures as "collateral uses." The question of whether a particular use or disclosure qualifies as a "collateral use" would then arise only after it has been established that the proposed use or disclosure was not a "routine use." The "collateral use" concept would also give the Congress a means of relating subsequently enacted disclosure statutes to the Privacy Act so that there will be no question about whether such disclosures are subject to the Act's requirements. As indicated earlier, and as discussed more thoroughly in Chapter 14 of the Commission's final report, the Tax Reform Act of 1976 is a good example of how this would work.

Besides resolving the routine-use issue, there is also a need to take explicit account in the Act of agency disclosures concerning constituents of Members of Congress. In the early days of the Act's implementation, Congress had trouble obtaining information for its own use. Congressional caseworkers found that they were unable to get individually identifiable information from agencies when they called them on behalf of constituents. Agencies refused to give out information to Members of Congress unless they received prior consent from the individual, since Subsection 3(b)(9) only authorizes disclosures to congressional committees or to the House or Senate as a whole. Members of Congress felt this undermined their role as representatives of their constituents, and it was, in fact, an oversight in the drafting of the current law.

To solve this problem, the Office of Management and Budget suggested to agencies that they establish disclosures to congressional offices as a routine use,20 and this is now a government-wide practice. The Commission believes this practice should be allowed to continue but that a specific provision should be included in the Act to permit it, since the current solution puts a strain on the interpretation of the compatiblepurpose test. Disclosure of a record should be allowed to a Member of Congress, but only in response to an inquiry from the Member made at the request of the individual involved, provided the individual is a constituent of the Member. Such a request could also be made by a relative or legal representative of the individual, if the individual is incapacitated or otherwise clearly unable to request the Member's assistance himself, and the requestor or the individual is a constituent of the Member.

Finally, some observers are of the view that, because the Privacy Act limits disclosures to the public, and the Freedom of Information Act directs disclosure to the public, there is an unresolvable conflict between the two laws. This view, however, is overly simplistic and, in the final analysis, an erroneous formulation of the relationship between the two statutes. The Privacy Act and the Freedom of Information Act mesh well. There are no statutory conflicts. Recent court decisions have also better defined the balances that must be struck between the competing interests. Nonetheless, there do appear to be some practical problems in the implementation of these two laws.

The "conditions of disclosure" section of the Privacy Act that establishes the ten categories of permissible external disclosures allows an agency to disclose a record about an individual to a member of the public who requests it, if the disclosure would be required under the Freedom of Information Act.21 On the other hand, Subsection (b)(6) of the Freedom of Information Act allows an agency to refuse to disclose a record to a member of the public (i.e., anyone other than the individual to whom the record pertains) if it is a medical, personnel, or similar record, the disclosure of which would constitute a "clearly unwarranted invasion of personal privacy. "22

To understand the meshing of these requirements, it is useful to consider first the situation prior to the passage of the Privacy Act. The exemptions on access to information in the Freedom of Information Act are discretionary, not mandatory. Thus, under the FOIA (prior to the passage of the Privacy Act), an agency could withhold information, the disclosure of which would, in the agency's opinion, constitute a "clearly unwarranted invasion of personal privacy," but the agency was not required to do so. Today, after passage of the Privacy Act, an agency is still required, by the Freedom of Information Act, to disclose information that would not constitute a "clearly unwarranted invasion of personal privacy," but now an agency no longer has the discretion to disclose information it believes would constitute such a clearly unwarranted invasion.

A major problem in this area, however, is that agency operating personnel responsible for the day-to-day implementation of the two Acts have not been clearly enough apprised of how the laws mesh, of the applicable interpretations and court decisions, and of an agency's corresponding responsibilities under them. As a result, confusion, widely differing implementation, and occasional frustration of the intent of both laws have resulted. While determining what constitutes a "clearly unwarranted invasion of personal privacy" will always require a certain amount of interpretation, more can and should be done to assist and guide those who have to make such determinations in the course of their daily work. Indeed, one of the primary functions of the entity recommended by the Commission in Chapter 1 of its final report would be to assist agencies in developing policy to aid agency employees in making such determinations.

The Information Management Principle

The Privacy Act incorporates the principle that there are proper approaches to the management of information and that agencies should take affirmative steps to assure that their information management practices conform to a reasonable set of norms. Subsection 3(e)(5) of the Privacy Act requires an agency to:

maintain all records which are used . . . in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination; [5 U.S.C. 552a(e)(5)]

Further, Subsection 3(e)(10) requires an agency to:

establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarassment, inconvenience or unfairness to any individual on whom information is maintained; [5 U.S.C 552a(e)(10)]

In theory, these requirements, in combination with the requirements implementing the Individual Participation and Accountability Principles, keep the individual from having to bear the full burden of monitoring the content of records an agency maintains about him, and they also grant him recourse when he can prove damages as a consequence of willful behavior in violation of the Act's requirements.

The Act's several information management provisions have had a positive effect on agency conduct by focusing an agency's attention on its policies and practices relating to the collection, maintenance, use, and dissemination of records about individuals. In addition, the Act's requirement that information must be relevant and necessary to accomplish a mandatory agency purpose seems to have reduced slightly the amount of information agencies maintain.23 Likewise, the "Privacy Act Statement" requirement24 and the annual notice requirement25 have somewhat limited the number of systems of records. But the requirement that information be kept accurate, timely, complete, and relevant26 appears to have had little effect on reducing or altering the types of information maintained.

Most agencies, to the extent they have a position, stand by their prior record maintenance practices. They contend that they have always attempted to achieve accuracy, and that the terms "timely, complete, and relevant" are meaningful only in the context of a specific record or recordkeeping situation-which is true. Nonetheless, interviews with operating personnel suggest that, although some accuracy standards have been tightened and retention periods for documents have been re-examined, agencies continue to maintain a substantial amount of information that is not as accurate, timely, complete, and relevant as it should be. The fact is that there are few if any formal mechanisms to review existing records and there is seldom, if ever, enough time to do so.

Because no specific, consistently applied criteria have been established for determining when an agency is in compliance with the Act's information management principles, they are not being adequately implemented. Within agencies, there has often been little or no compliance monitoring, as well as no office to which agency operating personnel can turn for guidance. Although efforts to train agency personnel are being made, awareness of the Act's requirements is much weaker than it should be-in all areas, not just information management.

Generally speaking, each agency or major agency component has a nucleus of employees who are well versed in matters relating to the Privacy Act, but many middle-level and lower-level operating personnel still do not know enough about the Act to allow them to carry out their responsibilities under it. For example, the Privacy Act is too often cited as the reason for withholding information from the public, when, in fact, such withholding is improper. Yet, without training, it appears that the one thing an agency employee is likely to know about the Act is that it contains criminal penalties for unauthorized disclosures, and thus that he should behave warily, particularly in responding to third-party Freedom of Information Act requests of the sort discussed in the preceding section on the Disclosure Limitation Principle.

The Commission has found that those agencies that have established formal, structured approaches and mechanisms to implement the Privacy Act are the most successful in their implementation of the Act. They have provided the best training for their personnel, have issued detailed, consistent internal guidelines, and have devised procedures for auditing their own compliance with the Act. In addition, agencies with previous experience with issues relating to information policy have generally adapted more readily to the requirements of the Act than have agencies for which information policy issues can be considered a relatively new experience.

In order to provide for more effective implementation of the Act, the Commission believes that the head of each agency should designate one official with authority to oversee implementation of the Act. The official's responsibili ties would include issuing instructions, guidelines, and standards, and making such determinations, as are necessary for the implementation of the Act. He would also be responsible for taking reasonable affirmative steps to assure that all agency employees and officials responsible for the collection, maintenance, use and dissemination of individually identifiable records are aware of the requirements of the Act.

The Commission believes that this is the minimum step necessary to ensure effective implementation of the Privacy Act. It parallels, and enhances, the approach taken by the agencies which are currently most successful in their implementation of the Act. Someone other than the individual record subject must be in a position to hold agency record keepers accountable; the Act's individual enforcement model is simply ineffective on a broad scale. Moreover, someone must have the authority to make decisions under the Act (e.g., to interpret the "reasonableness" and "compatible-purpose" tests); someone must be in a position, for example, to review a particular record-keeping practice or computer system design and assert, with authority, that it is reasonable. Obviously, such an approach addresses more than information management, and it can reasonably be expected that the designated agency official's activities would span the gamut of issues relating to the Act's implementation.

The Commission looks with favor on the Act's basic assumption that each agency is in the best position to judge what is best, reasonable, or appropriate for it. As indicated in the implementation in Chapter 1, it favors abandonment of the individual agency autonomy model of the Privacy Act only in instances where a clear societal interest is at stake or where it is necessary to establish an independent check on the agency.

Strengthening the individual agency enforcement mechanisms in the Privacy Act by the appointment of a Privacy Act officer in each agency is not intended to relieve the agency's operating personnel of their responsibilities under the Act. Rather, it is intended to make their jobs easier by providing a mechanism for guidance, instruction, and interpretation. A "reasonableness" test in the law is important for a court, but it does little to provide insight and guidance for those charged with the day-to-day implementation of the law.

By the same token, creation within an agency of an enforcement mechanism will serve to hold agency employees accountable in a way that no external entity or individual record subject can. This is as it should be, for ultimately the record-keeping agency must bear the burden for assuring that its record-keeping practices are fair.

While the Commission found that the Act's requirements regarding the necessity, accuracy, timeliness, completeness, and relevance of information in records [5 U.S.C. 552a(e)(1); 5 U.S.C 552a(e)(5)J appear to have had little effect on agency practices, it suggests no specific changes in those requirements. Rather, it believes that by altering the implementation strategy and incentives for compliance along the lines it suggests, the goals of these requirements will be achieved.

The Commission has also found that the Act's requirements for propagation of corrections does not adequately assure that decisions are made on the basis of accurate, timely, complete and relevant information. Under the Act, for example, corrections do not have to be sent to prior internal agency recipients or to the sources of erroneous information. In addition, corrections of erroneous information initiated by the agency rather than by the individual, no matter how important, do not have to be propagated at all. As in other areas it has examined, the Commission believes that corrections made by the record-keeping agency, as well as those made by the individual, should be propagated; and that, with some exceptions, corrections should be sent automatically to sources and prior internal and external recipients who provided or received the erroneous information, within a reasonable period of time prior to the making of the correction, as well as to any person (organization or individual) the individual specifically designates.

The Commission believes that corrections of erroneous information by the agency, in accordance with the Act's requirements to "maintain all records which are used by the agency in making any determination about any individual with such accuracy, timeliness, completeness, and relevance as is reasonably necessary to assure fairness . . ." [5 USC 552a(e)(5)] should be automatically propagated if two conditions exist: first, if the correction could reasonably be expected to affect a determination about the individual by the source or a prior recipient of the erroneous information that provided or received the information, within a reasonable period of time prior to the making of the correction; and second, if the source or prior recipient could not reasonably be expected to otherwise become aware of the error. However, propagation should not be required to prior recipients who received the erroneous information under the Freedom of Information Act or to any source who, acting on his own behalf, rather than in an official capacity, provided the erroneous information to the agency.

This approach provides for propagation of corrections in cases in which they would make an important difference to the individual, while limiting to the greatest extent possible the burden on the agency. Relating the propagation requirement to the Act's fairness-in-decision-making provision is important because doing so excludes certain corrections, such as those made to keep an historical record accurate.

The Commission believes it appropriate to place the basic responsibility for propagating corrections on the agency because there is no other realistic way for the individual to protect himself against the spread of erroneous information about him through the Federal government. Information can flow so freely within and between agencies, and decision points are so diffuse or difficult to isolate, that linking a propagation of correction requirement to an adverse determination, or to an initiative by the individual, destroys its efficacy.

By including the requirement that corrected information be sent to internal agency recipients and to sources, the Commission is also responding to evidence that suggests that more harm or unfairness can result to an individual from inaccurate internal agency uses and disclosure than from external uses and disclosures, since the former are more frequent and less apt to be independently verified. The requirement that an agency notify any person specifically named by the individual to whom the information pertains, of any corrections made by either the individual or the agency, is included to allow for propagations that the individual determines are important to him.

The Privacy Act requirement to maintain an accounting of disclosures of information about an individual is widely regarded as the statute's single most burdensome provision. It also appears to be one which has engendered little interest on the part of the general public. There are three objectives which can be potentially served by this requirement: (1) providing the record subject with a listing of the uses and disclosures of a record about him; (2) facilitating the propagation of corrections; and (3) internal agency auditing and compliance monitoring. Currently, the emphasis is on the first objective. Consequently, the Act, with two exceptions, requires an accounting of disclosures to every recipient of information from a system of records, including the individual himself, and the accounting must include the date, nature, and purpose of the disclosure, as well as information identifying the recipient. This required accounting is frequently burdensome, as well as occasionally unnecessary, and has led a number of Federal agencies to construe it as inapplicable in cases in which the individual is the recipient of the information. Moreover, an accounting does not have to be kept of internal agency uses and disclosures, and these are frequently of the most interest to the individual and the most important insofar as the propagation of corrections is concerned.

The Commission believes that the primary emphasis of the accounting of disclosure requirement should be on its utility in propagating corrections and that a "reasonableness" test should be established for determining the period of time for which an accounting must be kept, as well as for the amount of detail about each disclosure that must be kept. In addition, the Commission believes that when an individual so requests, an agency should make available to him its accounting of disclosures about him to (a) all prior recipients to whom it could reasonably be expected to propagate corrections, and (b) other recipients of which it could reasonably be expected to be aware. This would allow an individual to see the information an agency must maintain on its disclosures about him for the purpose of propagating corrections automatically, but would not require a log in any greater detail than that. This requirement, coupled with the suggested propagation of corrections requirement, would, however, mean that an individual would be able to obtain an accounting of disclosures to internal agency recipients of information, as well as to external ones, since under the new approach all prior internal recipients will now receive corrections when they are propagated.

An agency should be left free to decide how long to keep an accounting of disclosures based on its determination of how long it needs to keep the information for propagating corrections, as well as the amount of detail that needs to be kept about each disclosure. In all accountings disclosed to the individual, however, an agency should take reasonable affirmative steps to inform the individual, in a form comprehensible to him, of the date, nature, and purpose of each disclosure and the name and address of the person or agency to whom the disclosure was made.

One principal difference between this approach and the Act's accounting requirement is that an accounting would not need to be kept for five years, or the life of the record, whichever is longer.27 The Commission would also preserve the Act's use of the word "accounting" as opposed to "record," in order to allow for any scheme that enables the agency to reconstruct a list of past disclosures; that is, an explicit record or log entry need not be made for each disclosure. This is especially important in the case of frequent bulk transfers of data (when even the nature and purpose may only be generally known.)

The Privacy Act requirement that agencies establish safeguards to assure the security of individually identifiable records28 has run the gamut from business-as-usual to extreme measures aimed at forestalling any conceivable risk, no matter how small its chance of occurring. On balance, however, the "safeguarding of information" requirement has resulted in minor modifications, and some strengthening, of agency data-security standards.

A recently publicized example of a government information system with inadequate security involved the computer and telecommunications system, SSADARS, which connects private insurance companies acting as Medicare intermediaries for the government with the Social Security Administration (SSA) data file. The Social Security Administration reported at the Commission hearings on Medical Records in July 1976 that its longstanding policy of protecting the confidentiality of individually identifiable information in its files had been adequately carried out in its administrative and technical safeguards. On October 23, 1976, however, SSA announced that it had discovered that it was mistaken in its belief that there was "no way the Medicare intermediaries and carriers can use their telecommunications system to gain access to the files used to administer"29 other SSA programs. SSA staff found that the SSADARS terminals installed in the offices of two intermediaries could have been altered relatively easily, thereby permitting access to files other than the Medicare eligibility files the intermediaries needed to see. Although no actual access to other SSA program information is believed to have occurred, the technical safeguards to assure the confidentiality of information in the SSADARS system were not as effective as SSA had thought.

In spite of the Privacy Act, and assurance by the Social Security Administration that insurance company employees are subject to criminal sanctions as if they were Federal employees, SSA's Data Acquisition and Response System (SSADARS) has created a great deal of concern among the public and press. Inasmuch as the SSADARS system is a forerunner of the type of computer and telecommunications system which would be necessary for the administration of a broad-based Federal health-insurance program, it is imperative that Federal agencies take immediate affirmative measures to prevent information in such a system from becoming a source of unfairness to the individuals to whom it pertains. Therefore, the Commission recommends:

Recommendation (1):

That a Federal agency administering a health-insurance program which employs the services of a private health-insurance intermediary provide to the intermediary only that information necessary for the intermediary to carry out its responsibilities under the program.

Compliance with this recommendation would require that Federal agencies administering health-insurance plans develop administrative, physical, and technical safeguards as required by Section 3(e)(10) of the Privacy Act to assure the integrity of, and to prevent unauthorized access to, federally maintained data bases.

To correct the drafting deficiencies in the current safeguard requirement, as well as to make the obligation imposed by the requirement more realistic, the Commission believes that an agency should be required to establish reasonable administrative, technical, and physical safeguards to assure the integrity, confidentiality, and security of its individually identifiable records so as to minimize the risk of substantial harm, embarrassment, inconvenience, or unfairness to the individual to whom the information pertains. Such a change would be consistent with the Act's legislative history and should protect against the overreaction occasioned in some agencies by the current language of the Act which requires agencies to establish appropriate safeguards against any anticipated threats or hazards.

There is another related issue which also must be addressed. The Commission was specifically required by Subsection 5(c)(2)(B)(iv) of Public Law 93-579, to examine the issue of:

whether and how the standards for security and confidentiality of records under section 3(e)(10) of [the Privacy Act] should be applied when a record is disclosed to a person other than an agency.

The use of the word "standards" in this directive raises the question of the type of standards contemplated by the drafters. Within the Federal sector, the term standards has a precise meaning, and there are well defmed procedures for establishing Federal Information Processing Standards (FIPS). A standard may be considered as synonymous with a "requirement," and, once established, is binding on Federal agencies. On the other hand, the term "guideline" may be equated with a "suggestion," and is not binding on Federal agencies. It seems clear from a reading of the Act and the legislative history, however, that the drafters did not intend the term standards, as used in Subsection 5(c)(2)(B)(iv), to be interpreted precisely, but rather to be interpreted more broadly as meaning "general criteria" for the establishment of security and confidentiality safeguards. Regardless of the meaning intended, however, the conclusion of the Commission remains the same.

The Commission's inquiry has shown that there are currently no standards, in the strict sense of the word, for security and confidentiality at the Federal level. Guidelines have been issued by the National Bureau of Standards, but their specificity and hence their utility is uneven. FIPS Publication No. 31,30 which establishes guidelines for automatic data processing physical security and risk management, is much more detailed and specific than FIPS Publication No. 41,31 which is intended to establish computer. security guidelines for implementing the Privacy Act of 1974. As already noted, the Commission's assessment of the Federal experience indicates that agency practice in response to the safeguard requirement in Subsection 3(e)(10) is extremely varied, ranging from no response whatsoever to what could be termed technological overkill. At the Federal level, in other words, there are, at best, limited standards, guidelines, or general criteria for safeguards which are susceptible to extension to any non-Federal agency recipient of information subject to the Privacy Act. Thus, in response to the mandate given it in Subsection 5(c)(2)(B)(iv), the Commission recommends:

Recommendation (2):

That there should be a continued examination of the standards, guidelines, and general criteria for safeguards within the Federal government, but there should not be a general extension of any Federal standards, guidelines, or general criteria for safeguards for security and confidentiality of records when a record is disclosed to a person other than an agency, except as specifically provided in other recommendations of the Commission.

The Accountability Principle

The eighth principle of the Privacy Act holds that an institution should be accountable for its personal-data record-keeping policies and practices, or, more specifically, for adherence to the other seven information policy principles. Under the Privacy Act, a Federal agency can be held accountable for its record-keeping policies and practices in several ways. The individual can hold the agency accountable through exercise of his rights to see, copy, and challenge the contents of a record about himself, to review an agency's accounting of disclosures made of a record about him, and to sue for any damages he incurs as a consequence of agency misconduct. In addition, agency employees are subject to criminal sanctions for particular violations of the law's requirements 32

The access, correction, and amendment procedures have been discussed. They appear to work reasonably well, although they have not been widely used. As previously noted, the agencies regard the Act's accounting of disclosures requirement as the most burdensome of the Act's provisions. It represents 26 percent of the operating costs of the Act33 and requires extra effort by agency employees on an almost daily basis. The Social Security Administration, which keeps its accounting of disclosures manually, has stated that to perform the accounting effectively it would have to totally redesign its computer system. In addition, few individuals have asked for an accounting of the disclosures made of a record about them, perhaps because they do not know they have a right to do so. Even when an individual does ask, however, he will not learn about internal agency disclosures, as no accounting need be kept of them.

The civil remedies provided by the Act are similarly ineffective from the individual's point of view. The vast number of systems involved,34 the need to establish willful or intentional behavior on the part of the agency, and the cost and time involved in bringing a law suit, often make enforcement by the individual impractical. Moreover, an individual must show actual injury in all cases except the ones that can be brought to force an agency to allow an individual to see and copy, or correct or amend, a record.

The criminal penalties also require a showing of willfulness and apply only to unauthorized disclosures, failures to publish annual system notices, and obtaining a record from an agency under false pretenses. The circumstances in which an individual can bring suit, his possible reward for doing so, and the instances in which a court can order an agency into compliance with the Act are all too limited to provide an effective accountability mechanism. Consistent with its recommendations in other areas, the Commission believes that a suit should be permitted to force compliance with the requirements of the Act absent a demonstration of injury to, or adverse effect on, the individual and that a court should be able to order an agency to comply.

In many cases, it is simply too difficult to show injury or adverse effect as a result of a violation of the Privacy Act. In the case of a violation of the notice requirements, for example, such a showing is most likely impossible. Even in the case of inaccurate information, it can be difficult to demonstrate actual injury. Hence, the Commission believes an individual should be granted standing without the requirement to show injury. While it could be argued that this will encourage frivolous law suits, experience to date indicates that it is not likely to do so. Moreover, this approach should increase agency accountability and provide agencies with increased incentives to comply with the Act in order to avoid law suits by individuals.

Under the Privacy Act contractors and grantees are not directly liable for violations (although they are subject to the Act's criminal penalties) and the government may indemnify them for any civil liability resulting from their performance of a contract. This defeats the intent of the Act. If the Act's protections are so important that the government is waiving its sovereign immunity and thus subjecting itself to civil liability, it would seem reasonable for the same standard to apply to contractors and discretionary grantees, as discussed earlier. Therefore, the Commission believes that contractors and grantees which fall within the scope of the Act should be made civilly liable under the Act in the same manner that the government makes itself civilly liable; and no official or employee of any Federal agency should include or authorize to be included in any contract or grant any provisions indemnifying the contractor or grantee from civil liabilities under the Act.

In a related area, the Commission's mandate specifically required an examination of "whether the Federal government should be liable for general damages incurred by an individual" when an agency violates his rights under the Act. (Section 5(c)(2)(B)(iii) of Public Law 93-579] This required consideration of whether the current liability standard in the statute which limits recovery to "actual damages" should be broadened. To reach a judgment on the appropriate recovery standard, the Commission needed to answer two questions: (1) what the definitions of actual and general damages are or ought to be; and, (2) what the costs and benefits of each would be were it to be the Act's standard for recovery against the government.

Traditionally, damages have been divided into two classifications, general and special. Compensation for any injury done to an individual is available under a claim of general damages. An individual can make claims for losses due to pain and suffering, for example, even though it is impossible to fix a precise dollar value to such an injury. Special damages, on the other hand, only compensate for injury that has caused clear economic loss to the individual. The Commission has found that there is no generally accepted definition of "actual damages" in American law, but the Commission has concluded that, within the context of the Act, the term was intended as a synonym for special damages as that term is used in defamation cases. For that reason, the Commission believes the phrase "actual damages" should be discarded in favor of the more traditional and clearer term, special damages.

In addition, special damages in defamation cases are more limited than in other situations; the injuries clearly covered by them are loss of specific business, employment, or promotion opportunities, or other tangible pecuniary benefits. Injuries not provided for are those which may be labeled intangible: namely, loss of reputation, chilling of constitutional rights, or mental suffering (where unaccompanied by other secondary consequences).

The legislative history and language of the Act suggest that Congress meant to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety of extending the standard of recovery. It has determined that the arguments in favor of extending recovery to general damages, within dollar limits, appear stronger than the arguments against such extension.

The restriction on recovery articulated in the "actual damage" standard of the Privacy Act reflects the ancient limitation on governmental liability embodied in the principle of sovereign immunity. Arguments in support of this limitation of liability focus primarily on the need to protect the public purse and the problems involved in making the government fully responsible for the vast scope of its operations, which it has no practical means of controlling. One set of counter-arguments to this position derives from notions of fairness, which require both that wrongdoers be responsible for their wrongdoing and that those who benefit from governmental activity be asked to pay the price of their enjoyment, instead of letting that cost fall wholly on the small group of injured parties. Another counter-argument derives from basic notions of social utility. If the costs of government information practices are borne by the government, it is in a better position to decide whether the benefits of the activity outweigh their costs. In other words, restricting liability only restricts the incentive for government to reform its practices.

If the rights and interests established by the Privacy Act are worthy of protection, then recovery for intangible injuries such as pain and suffering, loss of reputation, or the chilling effect on constitutional rights, is a part of that protection. There is evidence for this proposition both in the cases which have already been brought under the Act and in common law privacy cases. Thus, to protect individuals under the Privacy Act more fairly and effectively, while ensuring that recovery does not become too burdensome, and to clarify the meaning of the Act, the Commission recommends:

Recommendation (3):

That the Privacy Act of 1974 permit the recovery of special and general damages sustained by an individual as a result of a violation of the Act, but in no case should a person entitled to recovery receive less than the sum of $1,000 or more than the sum of $10,000 for general damages in excess of the dollar amount of any special damages.

In addition to the individual's enforcement opportunities and the modest oversight role assigned to the Office of Management and Budget (OMB) [Section 6 of Public Law 93-579], the Act also requires that reports on new or materially altered record systems be sent to OMB and both Houses of Congress [5 U.S.C. 552a(o)], and to the Privacy Protection Study Commission. (Section 5(e)(2)(A) of Public Law 93-579] None of these bodies, however, has had the staff nor the consolidated expertise necessary to evaluate each report submitted. Furthermore, there is no agreement on how to assess the potential impact of a proposed system change along the lines called for in the Act, that is:

the probable or potential effect . . . on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers.[5 U.S.C 552a(o)]

Currently, although this requirement has had the healthy effect of forcing agencies to examine the need for, and the details of, the particular system, the kind of information needed to evaluate it is not always supplied nor is it always presented in enough detail to permit an in-depth and independent evaluation of the system in question.

Given this weak enforcement framework and the flexibility of interpretation many provisions of the Act allow, there are few incentives for more than minimal compliance with most of its provisions. For example, there is a universal lack of post-award monitoring of contractor performance; and as previously noted, many agencies have not established any effective internal compliance monitoring procedure. This can be partly explained by the fact that Congress appropriated no additional funds for Privacy Act implementation. While many of the requirements of the Act represent procedures or steps that the agencies should have been following anyway, there is still cost associated with them.35 In addition, attention to information policy issues is not usually a priority concern of agency personnel. While many employees view the Privacy Act and the issues it raises as important, a sizeable number still see the Act as a nuisance and an impediment to the performance of their agency's missions and functions.

Other Policy Issues to Be Addressed

There are some important information policy issues the Act either ignores or does not address adequately. For example, in almost any discussion of the intent of the Privacy Act, mention is made of limiting the amount of information agencies actually collect about individuals. There is a commonly held belief, evident in the Act's legislative history and voiced by numerous agency personnel, that the Act was intended to reduce the amount of information the Federal government collects about individuals. Yet the fact of the matter is that the Act only establishes the outer boundaries of legitimate government inquiry, and it does so in a way that reflects rather closely the boundaries that had grown up prior to the Act's passage. Similarly, as the discussion of the routine-use provision indicated, transfers of information among agencies have only been slightly reduced as a result of the Act's passage.

While the Section 7 proscription against compelling an individual to divulge his Social Security number, unless specifically required by law to do so, has induced minimal change in agency practice, agencies commonly rely on Executive Order 9397,36 issued in 1943, when they can find no other authority for demanding the Social Security number. Additionally, once the Social Security number is collected, its use is regulated only by the other disclosure provisions of the Privacy Act or whatever other confidentiality statutes govern agency disclosures of other types of personal information.

The Privacy Act grew out of nearly a decade of congressional examination of information systems in the Executive branch, and it followed closely on the heels of the record-keeping abuses and invasions of personal privacy associated with the Watergate affair. It was passed partially as a protection against premeditated abuses of Federal agency records but, more importantly, in recognition of the fact that even normal uses of a record about an individual can have harmful consequences for him and that this potential harm can be greatly magnified by the use of emerging computer and telecommunications technology. Despite these antecedents, however, there is little in the Privacy Act to prevent premeditated abuses of power through the misuse of recorded information, particularly where internal agency uses are concerned. Although the individual's position in relation to an agency is much stronger as a result of the Act, the safeguard provisions have not been implemented in a way that adequately deters abuse by agency personnel, especially in view of the lack of internal agency compliance monitoring or auditing.

Moreover, the problems perceived by the Congress at the time of the Act's passage have turned out to be more complex than anticipated, and by and large they are independent of the problem of premeditated abuse. Actual or potential information abuses are much more likely to result from continuing growth in the government's appetite for information about individuals and in the use of that information for growing numbers and types of purposes. The real danger is the gradual erosion of individual liberties through the automation, integration, and interconnection of many small, separate record-keeping systems, each of which alone may seem innocuous, even benevolent, and wholly justifiable. Dramatic developments in computer and communications technology, which both facilitate record-keeping functions previously performed manually and provide the impetus and means to devise new ones, can only exacerbate this problem.

The Act's failure to attend to the impact of technological advances on individual liberties and personal privacy is compounded by the manual, or file-cabinet, view of record keeping that underlies it. As indicated early in this chapter, reliance on a traditional view of individual identifiers and their role in retrieving records serves to exclude certain types or forms of individually identifiable records from the Act's coverage. Because a record retrieved by attribute or characteristic, as opposed to identifier, does not fall within the definition of a "record" maintained in a "system of records," the Act's notice access, correction, and accountability requirements do not apply to it.

In addition, there is no compatible-purpose test in the Act for internal agency uses of records; hence, such uses are unregulated. One exception is the case in which there is a confidentiality statute governing the uses or disclosures of certain types of records of a particular component of an agency. Section 1106 of the Social Security Act was cited earlier as one such example. Unfortunately, however, the assortment of such confidentiality statutes is incomplete and uncoordinated.

Furthermore, it is probable, again because of technological advances, growth in government programs, and pressures to reduce paperwork, that the prediction of significant new uses of information will become even more difficult-and, hence, more difficult to deal with as a matter of public policy. A compromise which would achieve a reasonable balance between individual knowledge and agency efficiency concerns would seem to be in order.

The increased demand for information is changing the relationship between the record keeper and the record subject, as well as the character of the record-keeping relationship itself. As the Federal government has become increasingly involved in providing services and financial assistance, there have been increased pressures to ensure that all recipients are, in fact, eligible. This has led agencies into areas normally associated with civil or criminal law enforcement functions. In assessing this phenomenon, it must be remembered that much of what the agencies do in the area of record keeping and investigating is in response to direct or perceived mandates from the Legislative branch; in order to accomplish the tasks set for them, agencies need enforcement units with investigative capabilities. The recent creation of an office to investigate fraud and abuse in the Medicaid program provides an example of a unit which developed as a response to congressional direction.

Parallel to this increasing role for Federal agencies in law enforcement and investigative activities, the Federal government has begun to develop sophisticated criminal justice information systems, and to offer the services , of those systems, as well as related technical and financial assistance, to State and local law enforcement agencies. While a number of questions need to be resolved in regard to this use of technologically sophisticated information systems by Federal or State law enforcement and investigative agencies, three problems are particularly pertinent to the protection of personal privacy.

The first emerges from even the briefest consideration of how information enters criminal justice information systems and how it is used. As such systems are currently structured, there is little control over the accuracy and reliability of information when it passes from one investigative agency to another. In particular, there is minimal control over the accuracy of criminal history information-often the most revealing and potentially the most damaging recorded information routinely exchanged by law enforcement agencies. The criminal history files of the FBI's Identification Division illustrate the inability of a central record keeper to control the quality of the information in its records, since by and large the central record keeper has little enforceable authority over other agencies reporting to it. [See Menard v. Saxbe, 498 F.2d 1017 (D.C. Cir. 1974)] Further, the information in such systems is ordinarily derivative; in other words, the record maintained in an automated system is often copied from another record which in turn may be a copy of a third. The chances for error in transferring information from one record to another are great, particularly when the first transfer is from a paper record. These vulnerabilities to error create a system with inherent accuracy and reliability problems, but one which nonetheless is used to make decisions that affect individuals powerfully and immediately.

The second problem generated by these new systems grows out of the current pattern of unrestricted information flows between law enforcement and investigative agencies at all levels of government. Those flows, formal and informal, are usually justifiable, but they are also easily amenable to abuse. Easier access to information by agents within a unit, and greater facility to exchange information between units, will increase the potential for abuse and thus for the misapplications of police powers of the sort Americans experienced in the late 1960's and early 1970's. Moreover, the unsupervised information flows that facilitated improper domestic intelligence activities, and the government operations based on them, are still without oversight mechanisms to assure their accountability. As the deployment of technology increases the ease with which current information flows can be abused, the Congress should work rapidly to discover the extent and patterns of such flows and to develop statutorily mandated protections against their abuse.

The final problem that needs resolution results from Federal agencies providing computer-communications services to State and local law enforcement agencies. At one level, it is a classic problem of federalism, of the proper role of the central government in furnishing local services; at another level, however, it is a problem posed by one agency operating the information services on which other agencies depend and thus being able, at least potentially, to control the format of the other agencies' records and to use those records for its own purposes. Some of the consequences of a Federal law enforcement agency controlling the flow of State and local criminal justice information are illustrated in the continuing controversy over whether the Federal Bureau of Investigation should supply a messageswitching, or interstate data communications, service through its National Crime Information Center (NCIC).

As the operator of NCIC, the FBI would exercise central control over, and have the ability to reach into, any State or local records that were directly hooked into the system, as well as the ability to monitor the flow of information through the system. While such an ability is only a potential, the transformation of that potential into an actuality has occurred before,37 and would permit the agency controlling the system to collect and use information to which it might not be legitimately entitled. For example, intelligence might be gathered on individuals whom the Administration in power considered politically undesirable, . and be gathered by more sophisticated and comprehensive methods than those employed by the infamous Special Services Staff of the Internal Revenue Service.

Given the particularly damaging character of the information involved and the potential for misuse, any long-range decision to permit Federal agencies to provide such services should be made only if there is no alternative. Further, the Commission believes that the decision to permit Federal agency operation of such services ought to be made through the legislative process, not unilaterally by the Executive branch of government.

Perhaps the most significant finding in the Commission's assessment of the Privacy Act arises from its examination of the vehicles available for evaluating and assessing existing record systems, new systems, and agency practices and procedures. Quite simply, there is no vehicle for answering the question: "Should a particular record-keeping policy, practice, or system exist at all?" While the Act takes an important step in establishing a framework by which an individual may obtain and question the contents of his record, it does not purport to establish ethical standards or set limits to the collection or use of certain types of information. Without such standards, however, the principal threat of proliferating records systems is not addressed. Nowhere, other than in the ineffective section requiring the preparation and review of new system notices, does the Act address the question of who is to decide what and how information should be collected, and how it may be used. To deal with this situation, the Congress and the Executive Branch will have to take action.

Notes

1 This chapter has previously been published as Chapter 13 of Personal Privacy in an Information Society, the Privacy Protection Study Commission's fmal report to the President and the Congress.

2 DHEW Secretary's Advisory Committee on Automated Personal Data Systems, Records; Computers and the Rights of Citizens (Washington: U.S. Government Printing Office, 1973), p. 41.

3 This identification of eight principles results from Commission analysis, not a specific Congressional statement.

4 The Act defines a "record" as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." [5 U.S.C. 552a(a)(4)J

5 Two examples will illustrate the extremes of agency implementation of the "system of records" provision. A small component of one agency rearranged its personnel records by Civil Service grade, instead of individual identifier, in order to avoid the Act's requirements. The Department of the Navy, on the other hand, elected to bring a file of interview records under the Act even though they were filed (and hence retrieved) by the date of the interview.

6 An "attribute search," contrary to the more common "name search," or "index search," starts with a collection of data about many individuals and seeks to identify those particular individuals in the system who meet the prescribed conditions or who have the prescribed attributes.

7 The "Privacy Act Statement" contains the authority for the solicitation of the information, the principal purposes for which it will be used, its "routine uses," and the effect on the individual of not providing the information. [5 U.S.C. 552a(e)(3)]

8 5 U.S.C.. 552(b)(5).

9 5 U.S.C. 552(b)(6).

10 U.S. Office of Management and Budget, "Privacy Act Implementation: Guidelines and Responsibilities" (hereinafter OMB Guidelines), 40 F.R. 28948-78 (July 9, 1975).

11 5 U.S.C. 552a(j).

12 5 U.S.C. 552a(e)(1).

13 5 U.S.C. 552a(e)(2).

14 5 U.S.C. 552a(e)(3).

15 Section 7 of Public Law 93-579.

16 5 Ú.S.C. 552a(e)(7).

17 For a more detailed discussion of the Social Security number issue, see Chapter 16 of the Commission's final report.

18 OMB Guidelines, p. 28953.

19 41 F.R 40015 (September 16, 1976).

20 Ofrice of Management and Budget, Implementation of the Privacy Act of 1974, Supplementary Guidance, 40 F.R. 56741-43 (December 4, 1975).

21 5 U.S.C. 552a(b)(2).

22 5 U.S.C. 552(b)(6).

23 5 U.S.C. 552a(e)(1).

24 5 U.S.C. 552a(e)(3).

25 5 U.S.C. 552a(e)(4).

26 5 U.S.C. 552a(e)(5).

27 5 U.S.C. 552a(c)2).

28 5 U.S.C. 552a(e)10).

29 Written statement of the Bureau of Health Insurance, Social Security Administration, Medical Records, Hearings before the Privacy Protection Study Commission, July 20, 1976, p. 11.

30 U.S. National Bureau of Standards (Department of Commerce), Guidelines for Automatic Data Processing Physical Security and Risk Management, June, 1974.

31 U.S. National Bureau of Standards (Department of Commerce), Computer Security Guidelines for Implementing the Privacy Act, May 30, 1975.

32 5 U.S.C. 552a(i).

33 Letter from Hon. Bert Lance, Director, Office of Management and Budget, to Senator Abraham A. Ribicoff, Chairman, Committee on Governmental Affairs, United States Senate, March, 1977, including a report on Costs of Implementing the Privacy Act of 1974, p. 5.

34 As of December 21, 1975, there were 6,723 systems of records of varying size containing 3.8 billion records about individuals which had been declared.

35 Letter from Hon. Bert Lance to Senator Ribicoff, op. cit.

36 Federal Register, Volume 8, Number 237, November 30, 1943. This order provides that whenever a head of a Federal agency "fmds it advisable to establish a new system of permanent account numbers pertaining to individual persons, [he] shall utilize exclusively the Social Security Act account numbers. . . . " This was ordered "in the interest of economy and orderly administration." (See Chapter 16 of the Commission's final report for a more detailed discussion of this topic.)

37 Between April 1971 and February 1974 the FBI monitored requests for information in the NCIC made by State and local government agencies. The monitoring was conducted on behalf of the Department of Justice and other agencies of the Federal Government. The monitoring involved flagging the names of persons in whom the Federal agencies had some interest, including 4,700 who had no criminal record. In other words, any inquiry by a State or local government agency that included a flagged name was automatically noted and recorded for later examination by Federal agents. See letter of July 18, 1975, from Hon. John V. Tunney, U.S. Senator, to Hon. Harold Tyler, Deputy U.S. Attorney General; letter of August 29, 1975, from Hon. Harold Tyler to Hon. John V. Tunney.

Chapter 4. Revision of the Privacy Act of 1974.

In seeking remedies for the Privacy Act's current weaknesses, the Commission found it useful to draft an illustrative revision of the Act as a means of testing the feasibility of various alternatives. The product of this drafting exercise, which itself involved many revisions, is being made available as Appendix B of this volume.1 The Commission does not pretend that its suggested changes in the language of the Act are the only ones that will correct the Act's deficiencies. However, it does believe that its illustrative language shows how the problems that its assessment of the Act uncovered could be overcome by redrafting.

The Commission's assessment of the Privacy Act of 1974 led it to three general conclusions:

(1)   The Privacy Act represents a large step forward, but it has not resulted in the general benefits to the public that either its legislative history or the prevailing opinion as to its accomplishments would lead one to expect;

(2)   Agency compliance with the Act is difficult to assess because of the ambiguity of some of the Act's requirements, but, on balance, it appears to be neither deplorable nor exemplary; and ;

(3)   The Act ignores or only marginally addresses some personaldata record-keeping policy issues of major importance now and for the future.

With these conclusions in mind, the Commission's illustrative revision of the Act strives to clarify it by changing its structure and reconceptualizing specific sections. The revision also concentrates on articulating policyobjectives rather than on specifying details of implementation, since one goal of the revision is to allow the Act's policy objectives to be achieved without destroying the flexibility an administrator clearly must have inimplementing it.

Finally, it should be noted that, even though the Commission's approach continues the one taken in the current law, it permits adaptation to changes in information technology while at the same time recognizing that there are some information policy issues an agency cannot, and often should not, resolve by itself. The most obvious is the question of whether a particular record-keeping system should exist at all. Answering such a question requires independent judgment of the sort that the Commission believes would be best provided by the independent entity recommended in Chapter 1 of its final report. The pressures on agencies to collect increasing amounts of information for an increasing number of purposes are too great to allow them to continue to establish information systems without more of a check on their judgment than either the current Privacy Act or one that incorporates the Commission's suggested changes could reasonably be expected to sustain.

The changes in the Privacy Act that the Commission suggests are focused on three basic objectives:

  • To clarify ambiguous language in the law in order to minimize variation in interpreting it;
  • To incorporate "reasonableness" tests to allow flexibility in implementation and thus give the agencies incentives to take account of differences between manual and automated record-keeping, diverse agency record-keeping requirements, and future technological developments; and
  • To substitute for the Act's current reliance on the "system of records" definition as the sole basis for activating all of its requirements an approach that activates specific requirements as warranted.

The ways in which the first two objectives have been met will become apparent as specific portions of the Commission's substitute language are explained. The third objective, however, should be discussed at this point since it is central to the Commission's entire drafting strategy.

"Records" And "Systems of Records"

As indicated earlier, the Congress wanted to include in the definition of the term "record2 every agency record that contains any kind of individually identifiable information. Because it was mindful of the burden such a definition could impose on an agency, however, it limited the Act's coverage to records retrieved from "systems of records" by "name . . . or identifying number, symbol, or other identifying particular. . . ." [5 U.S.C. 552a(a)(5)] Thus, unless an agency actually retrieves recorded information by reference to a "name . . . identifying symbol, or other identifying particular . . .," the "system" in which the information is maintained is not covered by the Act. While the term "record" refers to all information about an individual which contains his name or identifier, the term "system of records" applies only to information about an individual which is retrieved by name, identifier, or identifying particular. As explored earlier, the effect of this distinction is wholesale exclusion from the Act's scope of records that are not accessed by name, identifier, or assigned particular. An individual whose record is retrieved by these means cannot avail himself of the protections the Act would otherwise afford him.

There are many examples of readily accessible individually identifiable agency records that are not retrieved by personal identifier, and currently deployed and developing computer and telecommunications technologies appear likely to create more. While the language of the Act speaks in terms of retrieval by discrete individual identifiers, most automated record systems permit identification of an individual (or, more precisely, his record) based on any combination of the individual's attributes or characteristics, natural or assigned, as well as by reference to "individual identifiers" in the more conventional sense. Thus, it would be easy to program a computer to locate particular individuals through "attribute searches."3 Moreover, retrieval of individually identifiable information by scanning (or searching) large volumes of machine-readable text is not only possible but an increasingly frequent practice.

In summary, the "system of records" definition has two limitations. First, it undermines the objective of providing an individual access to the records an agency maintains about him. Second, by serving as the sole activating, or "on/off," switch for the Act's other provisions, it unnecessarily limits the reach of the Act.

In order to reduce the problems raised by the term "system of records" and to better achieve the basic objectives of the law, the Commission believes the Act's definition of "system of records" should be abandoned and its definition of "record" amended. Specifically, the term "record" should be expanded to include attributes and other personal characteristics assigned to an individual, and a new term, "accessible record" [(a)(6)],4 should be introduced to delineate those individually identifiable records that will be available to an individual in response to his request for access to records about himself. This formulation would encompass records which, while not retrieved by an individual identifier, could be retrieved by an agency without an unreasonable burden either through normal retrieval procedures or because the subject could direct the agency to the record's location. If an individual knew he was mentioned in a particular file, for example, he would be entitled to have access to that information whether or not it was the agency's practice to access the record by reference to his name or other identifying particulars. In implementing this provision [(a)(6)(B)], however, an agency should not have to establish any new cross-referencing schemes simply for the purpose of responding to access requests. In this connection, the Commission would also urge deletion of the clause in the current Act [5 U.S.C. 552a(d)(1)] which requires an agency to allow an individual access "to any information pertaining to him which is contained in the system . . . ." This requirement is impossible to satisfy since an agency often does not know how to find all such information. .

The Commission also believes that the terms "record," "individually identifiable record," "accessible record," and "system" should operate as distinct activating, or "on/off," switches for separate provisions of the statute. This would allow more flexibility and broaden the reach of the Act, which currently relies on the "system of records" definition to delineate its scope. For example, in the proposed revision the accessible record definition (controlling access by the individual) is broader than the individually identifiable record definition (controlling the information management requirements) and the system definition (controlling Federal Register publication).

Finally, the Commission suggests a change in subsection 3(m) of the current law which limits its scope by applying its provisions to systems of records maintained by some contractors but not to any maintained by grantees. [5 U.S. C 552a(m)] Agency personnel interviewed by the Commission staff expressed the view that, in many cases, the implicit distinction in the Act between contractors and grantees is artificial. The Commission agrees. Moreover, in Chapter 15 of its final report, the Commission recommends that a uniform set of requirements and safeguards be applied to records collected or maintained in individually identifiable form for a research or statistical purpose under Federal authority or with Federal funds. The Commission further suggests that the Privacy Act be the basic vehicle for implementing these recommendations. [(a)(5), (d)(14), (g), and (m)]

The rest of this chapter is a commentary on the provisions of the illustrative statute in the order in which they are presented in Appendix B.

Definitions

The definitions in Appendix B retain or modify those in the current law in the following ways:

Agency. The definition of the term "agency" [(a)(])] does not differ from the one in the current law. [5 U.S.C 552a(a)(1)] Its potential for undermining the Act's restrictions on disclosures to third parties has, however, been stemmed by including intra-agency disclosures in the routine-use definition. [(a)(9)] A large Cabinet Department with many different programs would no longer be permitted to transfer information about individuals among its various components without revealing that it does so. <

Individual. The term "individual" [(a)(2)] is also identical to the one currently in the Privacy Act. [5 U.S.C. 552a(a)(2)]

Record. The Commission considered abandoning the term "record" in favor of the term "personal information," but rejected the idea for three reasons. First, its expanded definition of a "record" includes everything that could be considered "personal information." Second, there is an important body of court decisions arising from the use of the term "record" in the Freedom of Information Act, which has served to clarify its meaning. Third, if an agency were required to grant access to "personal information" rather than to a "record," it might arguably be able to satisfy the requirements of the law by summarizing the information in its files in lieu of giving the individual the information in the form in which it is actually stored, used, or disclosed.

The "record" definition in Appendix B retains the language of the current law [5 U.S.C. 552a(a)(4)], but expands it by including "attributes, affiliations, or characteristics associated with, or assigned to, the individual."[(a)(3)] This change broadens the term to encompass all types of information used to identify an individual and thus would include information used to search a file for the names of individuals whose qualifications match a particular job description or who have a propensity to engage in certain activities, such as violations of law.

Individually Identifiable Record.This is a new term [(a)(4)] and is defined as "a record which could be reasonably expected to identify the individual or individuals to whom it pertains." It includes "individuals" to allow for situations in which a record refers to more than one individual, such as would be the case when a social service record is maintained on a family unit.

Research or Statistical Record. Although the definition of this term [(a)(5)] resembles the definition of a "statistical record" in the current law [5 U.S.C 552a(a)(6)], it is more precise. It specifically refers to an individually identifiable record "collected or maintained by a Federal agency or pursuant to a Federal research contract or grant, or a subcontract thereof, for a research or statistical purpose only," and makes clear that the implicit prohibition against using such a record "to make any decision or to take any action directly affecting the individual to whom the record pertains," does not include a decision made "within the context of the research plan or protocol." The reference to "section 8 of title 13" continues the current exception for census records that are disclosed to the individuals to whom they pertain for the purpose of establishing their eligibility for medicare benefits.

Accessible Record. This, too, is a new term. [(a)(6)] Its practical effect is to broaden the individual's right of access to include an individually identifiable record which is:

(A)   systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so to identify an individual, or

(B)   otherwise readily accessible because:

(i)   the agency is able to access the record without an unreasonable expenditure of time, money, effort, or other resources, or

(ii)   the individual to whom the record pertains is able to provide sufficiently specific locating information so as to render the record accessible by the agency without an unreasonable expenditure of time, money, effort, or other resources.

This definition and the term "system" [(a)(7)] replace the term "system of records" in the current law. [5 U.S.C 552a(a)(5)] When an individual seeks access to information about himself which is in an agency's possession, he wants all of the accessible information relevant to his request. However, the "system of records" definition now in the Act clearly frustrates that objective by limiting the individual's right of access to records which an agency, in fact, retrieves by reference to his name or some other identifying particular assigned to him.

The first paragraph of the new definition [(a)(6)(A)] restates and slightly broadens the increasingly popular notion of systematically stored and retrieved information, attempting to codify a concept that mirrors prevailing practice. The only significant expansion is the deliberate use of the term "retrieval scheme." This would include a keyword (or other character-pattern) search of machine-readable or computerized textual information. Paragraph (a)(6)(A), however, refers only to an agency's actual practice. If the agency does not use or retrieve the information by a retrieval scheme, it would not apply, and the principal-purpose test further narrows the scope of the definition.

The second paragraph [(a)(6)(B)], on the other hand, introduces the concept of "readily accessible." While subparagraphs (a)(6)(B)(i) and (B)(ii) attempt as clear a definition as possible of this concept, there is no way to avoid some potential for varying interpretations. One of the flaws of the current law is that it defines too precisely the information which should be readily accessible. A common problem with any attempt at precision in this context is that it can be easily circumvented, and particularly where modern computer technology is involved. Thus, the Commission suggests a flexible test for determining accessibility: namely, the amount of time, money, effort, or other resources (e.g., computer processing) the agency would have to spend to make the information accessible.

Basically, the "accessible record" definition embodies the notion that information should be made available to the individual unless retrieval would impose an unreasonable burden on the agency or unless there is an overriding policy reason for not making it available, such as the protection of national security. In theory, all computerized information is accessible, but to require agencies to give an individual access to any information about him that is theoretically accessible would be prohibitively costly. If, however, an agency that has organized its employee files by duty station, for example, has the capability to retrieve them by reference to name or Social Security number and can do so without undue effort or cost, then the information in the files ought to be available to the individuals to whom it pertains. The test of undue effort or cost will, of course, vary with the circumstances, the technology, and the times, but, allowing the test to vary will help to assure that the individual's ability to gain access to information about himself will keep pace with changes and improvements in the agencies' capacity to retrieve and use it.

Likewise, if the subject individual can provide locating information that is specific enough to render a record accessible without an unreasonable expenditure of time and effort, then the agency should provide it. If John Doe knows that there is a reference to him in a file labeled "XYZ Docket," for example, then it is not unreasonable for the agency to give him access to it, although it would be unreasonable (and probably undesirable) to expect an agency to develop a filing or indexing scheme just so it would know in advance that there was information about John Doe in Docket XYZ if he made a general request for access to records about himself. To multiply the opportunities to misuse records about individuals by encouraging agencies to develop elaborate cross-referencing schemes in the interest of complying with the fair information practice requirements would be ironic, indeed, and the Commission's suggested definition of an accessible record is not intended to do so.

System or Subsystem. The term "information system" is an artificial construct which helps people visualize collections of records. Information systems may be functional, such as a "payroll system," or physical, such as a "record system" contained in a particular file cabinet. Moreover, there may be systems within systems, such as the tax withholding subsystem of a payroll system.

The manual model of an information system made up of physically discrete subsystems is being rendered obsolete by computer technology. For example, computer software can present a user with the illusion of different subsystems, which, in fact, do not exist physically as discrete units.5 There are circumstances in which the concept of a physically discrete system is useful, but increasingly it only complicates matters needlessly.

The Commission suggests defining a system or subsystem as:

any collection or grouping of accessible records [that are] systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so as to identify, an individual or individuals. [(a)(7)]

Moreover, the illustrative statute relies on this concept of an information system only as it is useful for facilitating public scrutiny and management accountability; that is, in combination with the requirement in subsection (h) that an agency describe its collections of individually identifiable records which are maintained according to a pre-established retrieval scheme, and its information practices with respect to those collections of records.

Maintain. The definition the Commission suggests [(a)(8)] adds "obtain, possess, process, or disclose" to the current law's "collect, maintain, use, and disseminate." [5 U.S.C 552a(a)(3)] The revised definition would require a custodial agency to accept some responsibility for the accuracy of information it received from another agency and also permit it to honor the individual's right of access to such information. In addition, it would require an agency to publish system notices on the records in its possession that are technically under the control of another agency. An agency's personnel records, for example, are technically under the control of the Civil Service Commission, even though the agency has physical possession of them.

Routine Use. The suggested definition augments the current one by requiring not only that the use of a record be "compatible with the purposes for which it was collected" [5 U.S.C. 552a(a)(7)], but also that it be "consistent with the conditions or reasonable expectations of use and disclosure under which the information in the record was provided, collected, or obtained." [(a)(9)] In addition, the revised formulation would explicitly require that internal, as well as external, agency disclosures of information be governed by the revised subsection on "Limitations on Disclosure." [(d)(3)]

The Commission found that the routine-use-provisions in the current law, although designed as a safety valve, have had unintended effects. The compatible-purpose test has been applied loosely and exclusively from the agency's point of view. Furthermore, because the Privacy Act incorporates the Freedom of Information Act definition of an "agency," the routine-use provisions have had almost no effect on "internal" disclosures among the components of large agencies that operate many different types of programs.

Collateral Use. The term "collateral use" [(a)(10)] has been added by the Commission to encompass disclosures which are not compatible with the purposes for which the information was collected but which are specifically authorized by statute. To qualify as a collateral use, any such disclosure would have to be pursuant to a statute enacted after January 1, 1975 which establishes specific criteria for use or disclosure of specific types of information. Examples might include the statutory authorization for transfering information between Federal and State agencies to assist in determining an individual's eligibilty for disability benefits, and the Tax Reform Act of 1976 which authorizes certain disclosures of tax return information which are not compatible with the purpose for which the information was collected.

Because the collateral-use concept presupposes direct, and probably increasing, Congressional involvement in information policy decisions, it should help to keep the relationship between the Privacy Act and other information policy legislation in clear focus. The current law and its legislative history are silent on whether the Act was intended to supersede preexisting statutes authorizing uses or disclosures of information that do not meet the compatible-purpose test. The OMB Guidelines6 take the position that preexisting statutes which permit less disclosure to third parties than the Privacy Act allows were not superseded, but there was no basis for concluding that the many sections of the U.S. Code that authorize or require the disclosure of information about individuals to third parties were. Adding the concept of collateral use will assure that in the future the Congress' attention will be drawn to statutorily authorized uses and disclosures that do not meet the the compatible-purpose test and also, by virtue of the January 1, 1975 cut-off date, will precipitate a reconsideration of sections of the U.S. Code that do not meet the test today.

Access to Records

As the suggested subsection [(b)] illustrates, the Commission believes that an individual ought to have the greatest possible access to information about himself without causing an undue burden on the agency. The Commission also believes, however, that the current law's intent that an individual's request for access identify the information sought as specifically as possible [5 U.S.C. 552a(d),(f)(1)] should be preserved so long as the agency has a corresponding responsibility to assist the individual in framing his request so that it "reasonably describes" the records he wants to see. Most agencies, as indicated earlier, do make an effort to assist the individual, but the Commission believes that requiring such assistance in the statute is important assurance that it will continue to be given. The Commission envisions a dialogue between the agency and the individual in which the agency might ask the individual to narrow his request by reference to systems named on a list that the agency would give him. The likelihood of a private citizen being aware of the name of a system of records published in the Federal Register is too remote to be relied on exclusively. Moreover, the reasonable-description standard [(b)(1)] is one with which the agencies have had considerable experience in the context of the Freedom of Information Act as amended.7

Suggested subsection (b)(6) would introduce a new provision establishing time limits within which an agency must respond to an individual's request for access to records about himself. The provision would require an agency, within 30 working days after receiving a request for access, to determine whether it will comply and to notify the individual of its determination. Thereafter, the agency would have to make the records available to the individual "within a reasonable period of time." Subsection (b)(6) takes to heart a lesson learned from experience with the Freedom of Information Act, which had to have time limits added to it in order to assure prompt agency response to access requests.8

The suggested revision expands upon the requirements of the current Act that "information be provided in a form comprehensible to the individual" [5 U.S.C 552a(d)(1)] by requiring that the form in which a record is disclosed to an individual reflect "as accurately as can be reasonably expected, the context or manner in which the agency maintains and uses" it. [(b)(1)(B)] This formulation seeks to help an individual determine how and in what manner he should, for example, exercise his right to correct, amend, or dispute a record to which he gains access.

The current access requirement would also be expanded to require an agency to supply information from "derivative" records to the extent that the agency "can be reasonably expected to be aware of substantially similar or derivative versions" that fall within the definition of an "accessible record." [(b)(1)(C)] An individual can be, and often is, unaware of such records, even though he could be as easily harmed by some of them as by the original. Two kinds of recorded information are clearly covered by this provision: (1) an exact duplicate of the original record maintained in another part of the agency; and (2) some portion of the original which has been copied and subsequently amended or merged with other records. In both cases, an agency should be obliged to take reasonable affirmative steps to describe and make the several versions available to the individual. While an individual may not wish to see every duplicate of the original record, he may wish to assure that some duplicates are amended if he amends the original. Moreover, the uses and disclosures of duplicates of a record, as well as of substantially similar or derivative versions of it, may well not be the same as the uses and disclosures of the original, and when that is the case, the individual should be so informed.

Finally, a portion of subsection (d)(1) of the current law has been eliminated. This is the subsection [5 U.S.C 552a(d)(1)] that requires an agency to grant an individual access to "any information pertaining to him which is contained in the system." The requirement is impossible for an agency to satisfy without a complete review of all its records and the development of elaborate indices or cross-referencing schemes. An agency is simply not aware of all the places in its records where an individual may be named and should not be required to be in the name of fair information practice.

Accountings of Disclosures

The Commission believes that the primary value of the accounting of disclosures requirement should be its utility for propagating corrections and that a reasonableness test should, therefore, be used in determining the period of time for which an accounting must be kept. [(b)(1)(B)] The existing provision [5 U.S. C.552a(c)(4)] is inadequate in that it does not require that corrections be propagated within an agency where inaccuracies can be every bit as harmful to the individual as inaccuracies in records disclosed to users outside the agency.

The proposed revision of the accounting of disclosures requirement stipulates that an accounting be kept of all disclosures to: (1) recipients to whom the agency could reasonably be expected to propagate a correction pursuant to the revised propagation of corrections requirement [(f)]; and (2) recipients of which the agency could reasonably be expected to be aware but to whom it could not be reasonably expected to propagate corrections. This means, of course, that an accounting would have to be made of internal as well as external disclosures, although not necessarily of all of them. For example, no accounting would be required of a disclosure to the individual himself, or of a disclosure to a member of the public (be it the individual or someone else) pursuant to a Freedom of Information Act request.

While the revised accounting of disclosures requirement has a broader reach than the corresponding provision in the current law, it is also narrowing in that an accounting need be given to the individual only upon his specific request, and only of those disclosures made "within a reasonable period of time prior to the request." The "reasonable period of time" should be commensurate with the period of time the agency needs to keep an accounting in order to propagate corrections; that is, so long as information in derivative records could affect determinations as to an individual's rights, opportunities, or benefits. In providing the accounting, the agency shall take reasonable affirmative steps to inform the individual, in a form comprehensible to him, of (a) the date, nature, and purpose of each disclosure; and (b) the name and address of the person or agency to whom the disclosure was made. [(b)(1)(B)(iii)] The revision preserves the current law's use of the word "accounting," as opposed to "record," of disclosures so as to allow for any scheme that enables the agency to reconstruct a list of past disclosures; that is, an explicit record or log entry need not be made for each disclosure if an accounting can otherwise be rendered. This is especially important in the case of frequent bulk transfers of data on large numbers of individuals. As with the current law, the Commission also does not intend that an accounting be considered a "record" as defined in revised subsection (a)(3).

Exemptions from the Access Requirement

There are three reasons for redesigning the Privacy Act's exemption provisions. First, abandoning the system of records approach as the trigger for the operational requirements of the Act necessitates some restructuring. Second, as explored in earlier chapters, the Commission found that the current exemptions encompass too many provisions of the Act and thus both permit and invite circumvention of its spirit. These findings led to the conclusion that certain types of information, not systems of records, should be exempted where necessary. Finally, having concluded that an individual should have access to the same amount of information about himself under either the Freedom of Information Act or the Privacy Act, the Commission looked for one set of standards for determining when access will not be granted. That objective, in the Commission's view, was best achieved by adopting the exemption strategy in the Freedom of Information Act and also by incorporating several of the FOIA's specific exemptions.

Although the major policy objectives reflected in the Privacy Act's current exemption strategy have been preserved in the proposed revision, the blanket exemptions in the current subsection 3(j), applicable to all records maintained by the Central Intelligence Agency or by any agency whose principal function is any activity pertaining to criminal law enforcement, have not been retained. [5 U.S.C 552a(j)] Thus, if the Commission's suggestions were adopted, those agencies would no longer be able to exempt themselves completely from requirements such as propagating corrections of records to prior recipients, reporting on new systems of records, and assuring the necessity and relevance of the information they collect.

The exemption opportunity in the current Act for information "maintained in connection with providing protective services to the President of the United States or other individuals pursuant to section 3056 of title 18" has been retained to the extent that such information falls within new subsection (b)(3)(B), which exempts law enforcement information from the individual access requirement. Most of the other provisions of current subsection 3(k) have also been retained [5 U.S.C 552a(k)], although in a form which permits them to be invoked only for the purpose of restricting individual access. [(b)(3)] The suggested exemption provisions further incorporate a new subsection ((b)(3)(C] paralleling section (b)(8) of the Freedom of Information Act [5 U.S.C 552(b)(8)] which would permit financial regulators, such as the Comptroller of the Currency, to withhold certain records.

With respect to medical records and medical-record information [(b)(5)], the Commission has adopted the approach to special procedures recommended in its final report for private-sector medical-care providers. This approach, which the Department of Health, Education, and Welfare has already tested successfully, would allow designation by the individual of a lay representative to be the recipient of a medical record or medical-record information pertaining to him, thereby allowing the lay representative (perhaps a family member) to decide whether full disclosure to the individual may be harmful to him. In this way, the lay designee, rather than the agency, would make the judgment regarding full or partial disclosure. The Commission's suggested revision also expands on the current law by allowing agencies to withhold information from the parent or legal guardian of a minor individual to whom the information pertains when such withholding is authorized by statute. [(b)(3)(H)]

Perhaps the most important aspect of the suggested revision is that it adopts the Freedom of Information Act approach of treating exemptions as available defenses to be invoked, where applicable, on a case-by-case basis, in contrast to the current Privacy Act approach which allows exemptions to be claimed in advance for entire systems of records. The revision would also require that any portion of a record which is reasonably segregable from the exempt portion must be supplied to the individual. [(b)(4)]

Correction and Amendment of Records

The Commission's suggested revision would retain the correction and amendment requirements of the current law [5 U.S.C. 552a(d)(2)], while providing also for the correction or amendment of substantially similar or derivative records. [(c)(1)] The principal significance of this change lies in its relationship to new subsection (f) which provides for more complete propagation of corrections. Under (f), as examined more fully below, a correction or amendment to a record initiated by the individual will receive broader dissemination than it would under current law.

Limitations on Disclosure

In limiting disclosures, the Commission would retain the objectives of subsection (b) of the Privacy Act [5 U.S.C. 552a(b)], but incorporate the new routine-use and collateral-use definitions, and also establish certain new requirements. Internal disclosures of information would be further restricted by allowing them only if they are necessary and proper for an agency's own mission and functions, and only if they fit within the revised definition of a routine use. [(d)(3)] Routine external disclosures would also have to conform to the new routine-use and collateral-use definitions and, in addition, be certified as conforming by the agency official responsible for overseeing the Act's implementation. [(d)(4)] The Commission has also incorporated pertinent portions of its recommendations on individually identifiable records used for research or statistical purposes. [(d)(14)]

The revised provisions governing routine uses [(d)(3) and (4)] would still be a minimum standard. They would not supersede disclosure prohibitions that are more stringent, but they would supersede existing disclosure authorities that are more general.

Finally, the revision would permit disclosures to members of Congress, but only in response to a Congressional inquiry made at the express request of a constituent to whom the record pertains or, in certain situations, by a relative or legal representative. [(d)(11)] On its face, the current law does not permit a Congressman to receive an agency record about a constituent without the constituent's written consent. This problem was resolved shortly after the Act took effect by establishing such disclosures as routine uses, even though many of them would probably not meet the compatiblepurpose test. The Commission, however, believes that the matter should be addressed directly and therefore proposes the addition of a new subsection

Collection and Maintenance of Information

The suggested revision incorporates verbatim the current requirement [5 U.S.C. 552a(e)(1)] that an agency "collect or maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive Order of the President." [(e)(1)(C)] Although the Commission found that the requirement does not appear to have had a significant effect on agency practice, it believes that the fault is in the vehicle for implementing it. The implementation strategy and strengthened incentives for compliance that the Commission suggests should make the requirement more effective. Furthermore, the provision provides an individual with an invaluable tool in any effort to correct or amend a record about himself, and particularly in any legal action he brings to enforce agency compliance with the law.

The suggested revision also strengthens the current law by not permitting the Central Intelligence Agency and agencies whose principal function is any activity pertaining to criminal law enforcement to escape totally the requirement that the information they maintain be complete, relevant, timely, and accurate. They are permitted to maintain untimely, inaccurate, incomplete, or irrelevant information only if it is clearly identified as such to all users and recipients. [(e)(1)(D)]

The Commission would retain the current requirement that agencies collect information to the greatest extent practicable directly from the subject individual [5 U.S.C. 552(e)(2)], but broaden it by directing it both to circumstances in which an "adverse determination" may result and also to circumstances in which the information "may affect" determinations about an individual's rights, benefits, or privileges under Federal programs. [(e)(1)(A)] This revised formulation better fulfills the objective of giving an individual as extensive a role as possible in assuring the accuracy and completeness of information that may be employed to make decisions about him.

The question of whether a "Privacy Act Statement" [5 U.S.C. 552a(e)(3)] needs to be given to anyone other than the individual about whom information is being collected is resolved in the revision by designating as recipients of statements "individuals from whom [each agency] requests information about themselves or others." The Commission further suggests that the Act be revised to require that agencies take "reasonable affirmative steps" to enable an individual to decide, in "as informed and uncoerced a manner as is reasonably possible," whether to provide information about himself or others. [(e)(1)(B)] This formulation would relax the existing requirement that an individual be given a Privacy Act Statement every time he is asked to supply information, no matter how frequently, while retaining and strengthening the Act's restriction on agencies employing the notice as a coercive tool. In addition, instead of being informed in the statement of the routine uses of the information sought, an individual must be informed of "any routine or collateral uses of the information which could be reasonably expected to influence" his decision. [(e)(1)(B)(iv)] The "types of additional information, techniques, and sources that may be used to verify the information" the individual provides must also be described. [(e)(1)(B)(v)] This requirement, which the Commission recommended for the private-sector in its final report, fills an important gap in the current law. Because providing a concise description of all uses and third-party source verification procedures, however, may occasionally prove to be more confusing than enlightening, the title, business address, and telephone number of a responsible agency official who can assist the individual must be listed. [(e)(1)(B)(vi)] Finally, the revision also provides specifically for clear notice of possible redisclosures of information when it is collected for a research or statistical purpose. [(e)(1)(B)(vii)]

While the suggested revision retains the safeguarding of information provision in the current law, it substitutes a reasonableness standard for the current requirement that agencies establish "appropriate" safeguards against "any" anticipated threats or hazards. Instead, agencies would have to establish "reasonable" safeguards so as to "minimize the risk" of such hazards. [(e)(1)(E)] This language comports with prevailing practice under the Privacy Act and also reflects the Congress' original intent as expressed in the Act's legislative history .9

The Commission's draft retains the requirement that an agency notify an individual when a record about him is made available in response to compulsory legal process once that process becomes a matter of public record.[(e)(1)(F)] The Commission, however, would require an agency to take "reasonable affirmative steps" to provide notice.

The current prohibition on collecting First Amendment information would be tightened considerably. [(e)(2)] No longer would such collection be allowed simply because it was "within the scope of an authorized law enforcement activity." [5 U.S.C. 552a(e)(7)] Rather, the Commission's suggested language would tie it to certain specific kinds of situations. A description of "the content of any publication, speech, or other expression of belief or argument by an individual in the exercise of rights guaranteed by the First Amendment" would not be allowed to be collected or maintained unless it were compiled pursuant to an authorized investigation of the sedition or espionage laws of the United States, or unless it would be legally admissible evidence in a criminal prosecution compiled pursuant to an authorized investigation under the criminal laws of the United States. Similarly, a description of the forum in which an individual exercises his First Amendment rights of speech, association, or religion could not be collected or maintained unless it were compiled pursuant to an authorized investigation of a violation of the laws of the United States. Other descriptions of an individual's exercise of First Amendment rights would be limited to collecting and maintaining "the time, place, and observed associations of an individual which are compiled pursuant to, and in the course of, an authorized investigation of a violation of the laws of the United States." An agency, however, would not be prohibited from collecting or maintaining a specific item of information required to be collected by statute or authorized to be collected by the individual to whom it pertains. In addition, collection and maintenance of information for "a reasonable and proper library, bibliographic, abstracting, or similar reference function" would not be curtailed.

Propagation of Corrections

The Commission believes that the requirement that an agency take reasonable steps to assure the accuracy of any record prior to disseminating it should be extended to require that corrections and amendments of records be forwarded to sources and to previous internal agency recipients of the erroneous or incomplete information. [(f)] In addition, the suggested revisions in the current propagation of corrections requirement would make the requirement applicable whether the error is discovered by the individual or by the agency. To keep this from imposing an undue burden on the agencies, however, a correction resulting from a normal agency update would not have to be propagated, unless (a) sources or prior recipients could not otherwise be "reasonably expected" to become aware of it; and (b) it could be expected to affect the outcome of a determination about the individual by a source or prior recipient. In addition, only those sources or prior recipients who received or provided information within a reasonable period of time prior to the making of the correction would have to be notified, although an agency would be required to take "reasonable affirmative steps" to furnish the correction to any person named by the individual to whom the record in which it is made pertains. Finally, a source of erroneous information who was not acting in an official capacity as a representative, officer, employee, or agent of an agency or other organization need not be apprised of a correction.

The Commission believes it appropriate to place the basic responsibility for propagating corrections on the record-keeping agency because there is otherwise no practical way for an individual to protect himself against the spread of erroneous information about him throughout the Federal government.

Research or Statistical Records

Subsection (g) of the illustrative statue, along with subsection (d)(14) mentioned earlier, implements the relevant portions of the Commission's research and statistics recommendations presented in Chapter 15 of its final report. A complete description of the reasoning behind these recommendations is found in Chapter 15 and would not bear repetition here. Suffice it to note that, by referring to "individually identifiable records," subsection (d)(14) permits the use of administrative records for research and statistical purposes, whereas once a record fell within the definition of a "research or statistical record" [(a)(5)], its use and disclosure would be governed by subsection (g).

General Notice of Agency Systems, Policies, and Practices

The Commission's suggested revision retains the current law's requirement of an annual public notice on each record-keeping system, but with the primary object of facilitating internal agency compliance monitoring and external oversight. Thus, the revised publication requirement is drawn more specifically than the current one, requiring, for example, that a notice "describe in detail, in terms of systems and subsystems that most accurately reflect the context or manner in which the agency uses the information, the existence and character of such systems and subsystems." [(h)(1)] An agency is also required to publish notices describing "any substantially similar or derivative systems or subsystems." [(h)(1)(A)] These requirements attempt to discourage the publication of notices on record-keeping operations which are represented as single systems but which in fact are made up of many diverse subsystems that the notices do not describe. The revised notice requirement does not specify at what level a subsystem must be described, or the way to describe indices, but it does demand that an agency present a true picture of how it uses information in a system and the interrelationships among the system's various subsystems. This approach, in the Commission's view, is much more likely to assure that there are no secret systems than the one currently in the Act.

The revised notice requirement also requires all agencies to list, for all systems, the procedures whereby an individual can request access to records about himself. [(h)(1)(H)] Under the current law, systems can qualify for exemptions from this part of the notice requirement under the broad exemption opportunities provided in subsections 3(j) and 3(k). [5 U.S.C. 552a(í) and (k)] As the Commission would revise them, however, the exemptions would no longer be automatic, so there is no reason to provide an exemption opportunity for any part of the public notice requirement, except the requirement to describe categories of sources of information. The Commission allows for such an exemption in two cases: (1) if the information is authorized to be kept secret in the interest of national defense or foreign policy; or (2) if it is investigative information compiled for law enforcement purposes as described in new subsection (b)(3)(B). [(h)(1)(I)]

Finally, the Office of the Federal Register would be given the additional responsibility of publishing agency notices and rules in a form "which is indexed, arranged, or otherwise prepared to enable ease of use and reference by the public." [(h)(2)] Every effort should be made to classify, compile, and index the information into logical categories. For example, it would be useful to differentiate between the large group of systems which are solely concerned with agency personnel and the much smaller number (of bigger) systems that contain information on citizens in general. The Federal Register compilation should make it easy for a private citizen, a member of a public interest group, or a Congressional staff member to pinpoint a particular type of notice, and the compilation of systems notices should be logically organized and indexed.

Rights of Parents and Legal Guardians

Subsection (i) of the suggested revision detailing the rights of parents and legal guardians acting on behalf of the record subject is identical to subsection 3(h) in the current Act. [5 U.S.C. 552a(h)] Subsection (i) is tempered, however, by the new disclosure provision which would permit the withholding of a record from a parent or legal guardian where such withholding is authorized by statute. [(b)(3)(H)]

Agency Implementation

The Commission believes that the Privacy Act should require the head of each agency to designate one official to oversee the agency's implementation of the Act's requirements. [(j)(1)] The official should be "the head of an office designated or created by the agency head, with as many components, field offices, or other supporting structures and staff as the agency head deems necessary." [(j)(1)(A)] In a small agency, this provision need not require the full-time attention of one employee. To assure the accountability and good management, however, it is essential that responsibility for implementation of the Act be vested in a designated official.

The Commission found that those agencies that established formal, structured approaches and mechanisms to implement the Privacy Act were the most successful in their implementation of it. These agencies have provided the best training for their personnel, issued detailed, consistent internal guidelines, and devised procedures for auditing their own compliance with the Act.

The designated official would "issue such instructions, guidelines, and standards, and make such determinations" as may be necessary to implement the Act. [(j)(1)(B)] Where an agency's implementation of the current law's accuracy, timeliness, and completeness requirements, or of its safeguarding requirement, has been weak, the weakness often appears to be the product of the agency's failure to issue implementation guidelines. By placing responsibility and authority for providing such guidance in a designated office, fewer decisions should be made by default and agency employees will have a place to turn for answers to questions that arise in the course of implementation.

Finally, the Commission would retain, with little change, the requirement that agencies publish rules in the Federal Register defining their individual access, correction, and amendment procedures. [(j)(2)] The one modification is in the special procedures for the disclosure of medical records and medical-record information. [(b)(5)] Consistent with its recommendations with respect to private-sector medical-care providers and keepers of medical-record information, the Commission believes that an individual should be allowed to designate a lay representative to receive a medical record or medical-record information that an agency does not want to disclose to him directly for fear that knowledge of its contents would be harmful to him.

Civil and Criminal Remedies

The Commission suggests revising subsection 3(g) of the current law [5 U.S.C 552a(g)] to allow an individual to obtain a court order compelling an agency to comply with the Act without having to demonstrate that he has actually been harmed by its failure. [(k)(1)-(3)] In some cases, it is virtually impossible to show injury or adverse effect as a result of a violation of the Privacy Act. If a notice requirement is violated, for example, such a showing is probably impossible. Even where an agency retains and refuses to correct inaccurate information, it may be difficult to demonstrate actual injury. Hence, the Commission believes an individual should be granted standing without the requirement to show specific injury.

In those cases where an individual can show adverse effect, the Commission's suggested language incorporates new damage standards. The minimum $1,000 recovery in the current law is retained, but general damages may also be sought up to $10,000 in excess of the dollar amount of any special damages. [(k)(4)]

The provision enabling an indvidual to seek injunctive relief would also be broadened. Any exemption upon which an agency bases a refusal to permit access would be open to judicial review. Further, a court would be empowered to order an agency to comply with any of the requirements of the Act, not only the access and correction provisions. [(k)(2), (3)]

The criminal penalties currently in the Act [5 U.S.C. 552a(i)] would remain unchanged. [(l)]

Government Contractors and Grantees

The revised provision on contractors would make grantees and subcontractors susceptible to certain of the Act's provisions. [(m)] Equally important, the circumstances under which the law would apply to such parties is more precisely delineated than in the current law. "Any contractor or recipient of a Federal grant, or any subcontractor thereof, who performs any function on behalf of a Federal agency which requires the contractor or grantee to maintain individually identifiable records" would be subject to the provisions of the subsection, except that "employment, personnel, or other administrative records which the contractor or grantee maintains as a necessary aspect of supporting the performance of the contract or grant but which bear no other relation to the performance of the contract or grant" would not be covered. [(m)(1)(A)] The revised provision also would not apply to "individually identifiable records" which (a) are neither required nor implied by the terms of the contract or grant; (b) are records for which no representation of Federal sponsorship or association is made; and (c) are records which, except for audits or investigations, will not be available to the Federal agency with which the contract or grant is established. [(m)(1)(B)] These requirements would extend the coverage of the Act to Federal grantees whose functions are substantially the same as those of contractors.

Contractors and grantees would also be civilly liable under the Act, whereas currently they are only subject to the Act's criminal sanctions, and no agency would be permitted to include in a contract or grant a clause indemnifying the contractor or grantee against such civil liability. [(m)(3)(C)] This should increase the incentives for contractors and grantees to comply, since criminal sanctions are rarely enforced.

Interaction with Other Laws

The Commission has suggested language mandating that whenever an agency receives a request for access to records which could be processed under either the Freedom of Information Act (FOIA) or the Privacy Act, the request shall be processed under the Privacy Act. [(q)(1)] This subsection further provides that in no instance shall the requesting individual receive less information than he would receive under the FOIA. This comports with the current policy of some agencies, but the Act itself does not require it.

Other Provisions of the Law

The current provisions relating to archival records [5 U.S.C. 552a(I)], Reports on New Systems [5 U.S.C. 552a(o)], Mailing Lists [5 U.S.C. 552a(n)], and the Annual Report of the President [5 U.S.C. 552a(p)] are retained in the revision without significant change. [(n), (o), (p), (r)] The Commission believes, however, that the evaluation of probable or potential effect on "privacy and other personal or property rights" implicitly called for in the new system report requirement should be understood to mean an evaluation of impact on the three dimensions of intrusiveness, fairness, and legitimate expectation of confidentiality that are explicated in some detail in its final report to the President and the Congress.

Notes

1 The Privacy Act of 1974 (Public Law 93-579) has been reprinted as Appendix A of this volume. Only Section 3 of the Act, however, has been codified in the U.S. Code. Hence, a reference in the text to [5 U.S.C 552a(e)(10)], for example, refers to subsection 3(e)(10) of Appendix A. References in the text to the illustrative statute (Appendix B) will be readily distinguishable by the absence of any reference to 5 U.S.C. 552a or to subsection "3."

2 5 U.S.C. 552a(a)(4).

3 See Chapter 3, footnote 6.

4 As indicated in footnote 1, above, this is a reference to the draft statute in Appendix B.

5 This topic is discussed more extensively in Appendix Volume 5, Technology and Privacy (Washington, D.C.: U. S. Government Printing Office, 1977).

6 U. S. Office of Management and Budget, "Privacy Act Implementation: Guidelines and Responsibilities," 40 F.R. 28948-28978 (July 9,1975).

7 5 U.S.C. 552(a)(3).

8 5 U.S.C. 552(a)(6). See also, U. S. Congress, Freedom of Information Act and Amendments of 1974 (P. L 93-502) (Joint Comm. Print: House Committee on Government Operations, Senate Committee on the Judiciary), 94th Congress, 1 st Session, pp. 175-180 (1975).

9 See: U. S. Senate, Report of the Committee on Government Operations to Accompany S. 3418 (Report No. 93-1183, September 26, 1974) pp. 5456.

Appendix A. Public Law 93-579: The Privacy Act of 1974.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, That this Act may be cited as the "Privacy Act of 1974."

Sec. 2.

(a) The Congress finds that-

(1) the privacy of an individual is directly affected by the collection, maintenance, use, and dissemination of personal information by Federal agencies;

(2) the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information;

(3) the opportunities for an individual to secure employment, insurance, and credit, and his right to due process, and other legal protections are endangered by the misuse of certain information systems;

(4) the right to privacy is a personal and fundamental right protected by the Constitution of the United States; and

(5) in order to protect the privacy of individuals identified in information systems maintained by Federal agencies, it is necessary and proper for the Congress to regulate the collection, maintenance, use, and dissemination of informa-tion by such agencies.

(b) The purpose of this Act is to provide certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies, except as otherwise provided by law, to-

(1) permit an individual to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies;

(2) permit an individual to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent;

(3) permit an individual to gain access to information pertaining to him in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records;

(4) collect, maintain, use, or disseminate any record of identifi-able personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information;

(5) permit exemptions from the requirements with respect to records provided in this Act only in those cases where there is an important public policy need for such exemption as has been determined by specific statutory authority; and

(6) be subject to civil suit for any damages which occur as a result of willful or intentional action which violates any individual's rights under this Act.

Sec. 3.

Title 5, United States Code, is amended by adding after section 552 the following new section:

"552a. Records maintained on individuals

"(a) DEFINITIONS. - For purposes of this section-

"(1) the term `agency' means agency as defined in section 552(e) of this title;

"(2) the term `individual' means a citizen of the United States or an alien lawfully admitted for permanent residence;

"(3) the term `maintain' includes maintain, collect, use, or disseminate;

"(4) the term `record' means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph;

"(5) the term `system of records' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual;

"(6) the term `statistical record' means a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual, except as provided by section 8 of title 13; and

"(7) the term `routine use' means, with respect to the disclosure of record, the use of such record for a purpose which is compatible with the purpose for which it was collected.

"(b) CONDITIONS OF DISCLOSURE. - No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior consent of, the individual to whom the record pertains, unless disclosure of the record would be-

"(1) to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;

"(2) required under section 552 of this title;

"(3) for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section;

"(4) to the Bureau of the Census for purposes of planning or carrying out a census of survey or related activity pursuant to the provisions of title 13;

"(5) to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable; "(6) to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Administrator of General Services or his designee to determine whether the record has such value;

"(7) to another agency or to an instrumentality of any governmen-tal jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;

"(8) to a person pursuant to a showing of compelling circumstanc-es affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;

"(9) to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;

"(10) to the Comptroller General, or any of his authorized represen-tatives, in the course of the performance of the duties of the General Accounting Office; or

"(11) pursuant to the order of a court of competent jurisdiction.

"(c) ACCOUNTING OF CERTAIN DISCLOSURES.-Each agency, with respect to each system of records under its control, shall-

"(1) except for disclosures made under subsections (b)(1) or (b)(2) of this section, keep an accurate accounting of-

"(A) the date, nature, and purpose of each disclosure of a record to any person or to another agency made under subsection (b) of this section; and

"(B) the name and address of the person or agency to whom the disclosure is made;

"(2) retain the accounting made under paragraph (1) of this subsection for at least five years or the life of the record, whichever is longer, after the disclosure for which the accounting is made;

"(3) except for disclosures made under subsection (b)(7) of this section, make the accounting made under paragraph (1) of this subsection available to the individual named in the record at his request; and

"(4) inform any person or other agency about any correction or notation of dispute made by the agency in accordance with subsection (d) of this section of any record that has been disclosed to the person or agency if an accounting of the disclosure was made.

"(d) ACCESS TO RECORDS.-Each agency that maintains a system of records shall-

"(1) upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehen-sible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence;

"(2) permit the individual to request amendment of a record pertaining to him and-

"(A) not later than 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request, acknowledge in writing such receipt; and

"(B) promptly, either-

"(i)make any correction of any portion thereof which the individual believes is not accurate, relevant, timely, or complete; or

"(ii) inform the individual of its refusal to amend the record in accordance with his request, the reason for the refusal, the procedures established by the agency for the individual to request a review of that refusal by the head of the agency or an officer designated by the head of the agency, and the name and business address of that official;

"(3) permit the individual who disagrees with the refusal of the agency to amend his record to request a review of such refusal, and not later than 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requests such review, complete such review and make a final determination unless, for good cause shown, the head of the agency extends such 30-day period; and if, after his review, the reviewing official also refuses to amend the record in accordance with the request, permit the individual to file with the agency a concise statement setting forth the reasons for his disagreement with the refusal of the agency, and notify the individual of the provisions for judicial review of the review-ing official's determination under subsection (g)(1)(A) of this section;

"(4) in any disclosure, containing information about which the individual has filed a statement of disagreement, occurring after the filing of the statement under paragraph (3) of this subsection, clearly note any portion of the record which is disputed and provide copies of the statement and, if the agency deems it appropriate, copies of a concise statement of the reasons of the agency for not making the amendments requested, to persons or other agencies to whom the disputed record has been disclosed; and

"(5) nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

"(e) AGENCY REQUIREMENTS.-Each agency that maintains a system of records shall-

"(1) maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President;

"(2) collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, bene-fits, and privileges under Federal programs;

"(3) inform each individual whom it asks to supply information, on the form which it uses to collect the information or on a separate form that can be retained by the individual-

"(A) the authority (whether granted by statute, or by execu-tive order of the President). which authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary;

"(B) the principal purpose or purposes for which the informa-tion is intended to be used;

"(C) the routine uses which may be made of the information, as published pursuant to paragraph (4)(D) of this subsection; and

"(D) the effects on him, if any, of not providing all or any part of the requested information;

"(4) subject to the provisions of paragraph (11) >of >this subsection, publish in the Federal Register at least annually a notice of the existence and character >of >the system of records, which notice shall include-

"(A) the name and location of the system;

"(B) the categories of individuals on whom records are maintained in the system;

"(C) the categories of records maintained in the system;

"(D) each routine use of the records contained in the system, including the categories of users and the purpose of such use;

"(E) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal >of >the records;

"(F) the title and business address of the agency official who is responsible for the system of records;

"(G) the agency procedures whereby an individual can be notified at his request >if >the system >of >records contains a record pertaining to him;

"(H) the agency procedures whereby an individual can be notified at his request how he can gain access to any record pertaining to him contained in the system >of >records, and how he can contest its content; and

"(I) the categories >of >sources >of >records in the system;

"(5) maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination;

"(6) prior to disseminating any record about an individual to any person other than an agency, unless the dissemination is made pursuant to subsection (b)(2) of this section, make reasonable efforts to assure that such records are accurate, complete, timely, and relevant for agency purposes;

"(7) maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;

"(8) make reasonable efforts to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record;

"(9) establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of this section, including any other rules and procedures adopted pursuant to this section and the penalties for noncompliance;

"(10) establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained; and

"(11) at least 30 days prior to publication of information under paragraph (4)(D) of this subsection, publish in the Federal Register notice of any new use or intended use of the information in the system, and provide an opportunity for interested persons to submit written data, views, or arguments to the agency.

"(f) AGENCY RULES.-In order to carry out the provisions of this section, each agency that maintains a system of records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall-

"(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;

"(2) define reasonable times, places, and requirements for identify-ing an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;

"(3) establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the

disclosure to an individual of medical records, including psychological records, pertaining to him;

"(4) establish procedures for reviewing a request from an individu-al concerning the amendment of any record or information pertaining to the individual, for making a determination on

the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and

"(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of the record.

The Office of the Federal Register shall annually compile and publish the rules promulgated under this subsection and agency notices published under subsection (e)(4) of this section in a form available to the public at low cost.

"(g)  --

"(1) CIVIL REMEDIES.-Whenever any agency

"(A) makes a determination under subsection (d)(3) of this section not to amend an individual's record in accor-dance with his request, or fails to make such review in conformity with that subsection;

"(B) refuses to comply with an individual request under subsection (d)(1) of this section;

"(C) fails to maintain any record concerning any individual with such accuracy, relevance, timeliness, and complete-ness as is necessary to assure fairness in any determina tion relating to the qualifications, character, rights, or opportunities of, or benefits to the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individu-al; or

"(D) fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.

(2)   --

"(A) In any suit brought under the provisions of subsection (gx1)(A) of this section, the court may order the agency to amend the individual's record in accordance with his request or in such other way as the court may direct. In such a case the court shall determine the matter de novo.

"(B) The court may assess against the United States reason-able attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

(3)  --

"(A) In any suit brought under the provisions of subsection (g)(1)(B) of this section, the court may enjoin the agency from withholding the records and order the production to the complainant of any agency records improperly withheld from him. In such a case the court shall determine the matter de novo, and may examine the contents of any agency records in camera to determine whether the records or any portion thereof may be withheld under any of the exemptions set forth in subsection (k) of this section, and the burden is on the agency to sustain its action.

"(B) The court may assess against the United States reason-able attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

"(4) In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of-

"(A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and

"(B) the costs of the action together with reasonable attorney fees as determined by the court.

"(5) An action to enforce any liability created under this section may be brought in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in which the agency records are situated, or in the District of Columbia, without regard to the amount in controversy, within two years from the date on which the cause of action arises, except that where any agency has materially and willfully misrepresented any information required under this section to be disclosed to an individual and the information so misrepresented is material to establish-ment of liability of the agency to the individual under this section, the action may be brought at any time within two years after discovery by the individual of the misrepresenta-tion. Nothing in this section shall be construed to authorize any civil action by reason of any injury sustained as the result of a disclosure of a record prior to the effective date of this section.

"(h) RIGHTS OF LEGAL GUARDIANS.-For the purposes of this section, the parent of any minor, or the legal guardian of any individual who has been declared to be incompetent due to physical or mental incapacity or age by a court of competent jurisdiction, may act on behalf of the individual.

"(i)  --

"(1) CRIMINAL PENALTIES.-Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations estab-lished thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

"(2) Any officer or employee of any agency who willfully main-tains a system of records without meeting the notice require-ments of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

"(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses be guilty of a misdemeanor and fined not more than $5,000.

GENERAL EXEMPTIONS.-The head of any agency may promulgate rules, in accordance with the requirements (including general notice) of sections 553(b)(1), (2), and (3), (c), and (e) of this title, to exempt any system of records within the agency from any part of this section except subsections (b), (c)(1) and (2), (e)(4)(A) through (F), (e)(6), (7), (9), (10), and (11), and (i) if the system of records is-

"(1) maintained by the Central Intelligence Agency; or

"(2) maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws, including police efforts to prevent, control, or reduce crime or to apprehend criminals, and the activities of prosecutors, courts, correctional, proba-tion, pardon, or parole authorities, and which consists of (A) information compiled for the purpose of identifying individu-al criminal offenders and alleged offenders and consisting only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) information compiled for the purpose of a criminal investigation, including reports of informants and investigators, and associated with an identifiable individual; or (C) reports identifiable to an individual compiled at any stage of the process of enforce-ment of criminal laws from arrest or indictment through release from supervision.

At the time rules are adopted under this subsection, the agency shall include in the statement required under section 553(c) of this title, the reasons why the system of records is to be exempted from a provision of this section.

"(k) SPECIFIC EXEMPTIONS.-The head of any agency may pro-mulgate rules, in accordance with the requirements (including general notice) of sections 553(b)(1), (2), and (3), (c), and (e) of this title, to exempt any system of records within the agency from subsections (c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f) of this section if the system of records is-

"(1) subject to the provisions of section 552(b)(1) of this title;

"(2) investigatory material compiled for law enforcement purpos-es, other than material within the scope of subsection G)(2) of this section: >Provided, however, That if any individual is denied any right, privilege, or benefit that he would otherwise be entitled by Federal Law, or for which he would otherwise be eligible, as a result of the maintenance of such material, such material shall be provided to such individual, except to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence;

"(3) maintained in connection with providing protective services to the President of the United States or other individuals pursuant to Section 3056 of title 18;

"(4) required by statute to be maintained and used solely as statistical records;

"(5) investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Feder-al civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence;

"(6) testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process; or

"(7) evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section, under an implied promise that the identity of the source would be held in confidence.

At the time rules are adopted under this subsection, the agency shall include in the statement required under section 553(c) of this title, the reasons why the system of records is to be exempted from a provision of this section.

"(l) ARCHIVAL RECORDS.-

"(1) Each agency record which is accepted by the Administrator of General Services for storage, processing, and servicing in accordance with section 3103 of title 44 shall, for the purposes of this section, be considered to be maintained by the agency which deposited the record and shall be subject to the provisions of this section. The Administrator of General Services shall not disclose the record except to the agency which maintains the record, or under rules established by that agency which are not inconsistent with the provisions of this section.

"(2) Each agency record pertaining to an identifiable individual which was transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, prior to the effective date of this section, shall, for the purposes of this section, be considered to be main-tained by the National Archives and shall not be subject to the provisions of this section, except that a statement generally describing such records (modeled after the require-ments relating to records subject to subsections (e)(4)(A) through (G) of this section) shall be published in the Federal Register.

"(3) Each agency record pertaining to an identifiable individual which is transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, on or after the effective date of this section, shall, for the purposes of this section, be considered to be maintained by the National Archives and shall be exempt from the requirements of this section except subsections (e)(4)(A) through (G) and (e)(9) of this section.

"(m) GOVERNMENT CONTRACTORS.--When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency. "(n) MAILING LISTS.-An individual's name and address may not be sold or rented by an agency unless such action is specifically authorized by law. This provision shall not be construed to require the withholding of names and addresses otherwise permitted to be made public.

"(o) REPORT ON NEW SYSTEMS.--Each agency shall provide adequate advance notice to Congress and the Office of Manage-ment and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the the preservation of the constitutional principles of federalism and separation of powers.

"(p) ANNUAL REPORT.--The President shall submit to the Speaker of the House and the President of the Senate, by June 30 of each calendar year, a consolidated report, separately listing for each Federal agency the number of records contained in any system of records which were exempted. from the application of this section under the provisions of subsections G) and (k) of this section during the preceding calendar year, and the reasons for the exemptions, and such other information as indicates efforts to administer fully this section.

"(q) EFFECT OF OTHER LAWS.--No agency shall rely on any exemption contained in section 552 of this title to withhold from an individual any record which is otherwise accessible to such individual under the provisions of this section."

Sec. 4.

The Chapter analysis of chapter 5 of title 5, United States Code, is amended by inserting:

"552a. Records about individuals." immediately below:

"552. Public information; agency rules, opinions, orders, and proceedings.".

Sec. 5.

(a) --

(1) There is established a Privacy Protection Study Commission (hereinafter referred to as the "Commission") which shall be composed of seven members as follows:

(A) three appointed by the President of the United States,

(B) two appointed by the President of the Senate, and

(C) two appointed by the Speaker of the House of Representatives.

Members of the Commission shall be chosen from among persons who, by reason of their knowledge and expertise in any of the following areas-civil rights and liberties, law, social sciences, computer technology, business, records man-agement, and State and local government--are well qualified for service on the Commission.

(2) The members of the Commission shall elect a Chairman from among themselves.

(3) Any vacancy in the membership of the Commission, as long as there are four members in office, shall not impair the power of the Commission but shall be filled in the same manner in which the original appointment was made.

(4) A quorum of the Commission shall consist of a majority of the members, except that the Commission may establish a lower number as a quorum for the purpose of taking testimony. The Commission is authorized to establish such committees and delegate such authority to them as may be necessary to carry out its functions. Each member of the Commission, including the Chairman, shall have equal responsibility and authority in all decisions and actions of the Commission, shall have full access to all information necessary to the performance of their functions, and shall have one vote. Action of the Commission shall be determined by a majority vote of the members present. The Chairman (or a member designated by the Chairman to be acting Chairman) shall be the official spokesman of the Commission in its relations with the Congress, Government agencies, other persons, and the public, and, on behalf of the Commission, shall see to the faithful execution of the administrative policies and decisions of the Commission, and shall report thereon to the Commis-sion from time to time or as the Commission may direct.

(5) -

(A) Whenever the Commission submits any budget estimate or request to the President or the Office of Management and Budget, it shall concurrently transmit a copy of that request to Congress.

(B) Whenever the Commission submits any legislative recommendations, or testimony, or comments on legis-lation to the President or Office of Management and Budget, it shall concurrently transmit a copy thereof to the Congress. No officer or agency of the United States shall have any authority to require the Commission to submit its legislative recommendations, or testimony, or comments on legislation, to any officer or agency of the United States for approval, comments, or review, prior to the submission of such recommendations, testimony, or comments to the Congress.

(b) The Commission shall-

(1) make a study of the data banks, automated data processing programs, and information systems of governmental, regional, and private organizations, in order to determine the standards and procedures in force for the protection of personal information; and

(2) recommend to the President and the Congress the extent, if any, to which the requirements and principles of section 552a of title 5, United States Code, should be applied to the information practices of those organizations by legislation, administrative action, or voluntary adoption of such require-ments and principles, and report on such other legislative recommendations as it may determine to be necessary to protect the privacy of individuals while meeting the legitimate needs of government and society for information.

(c) --

(1) In the course of conducting the study required under subsection (b)(1) of this section, and in its reports thereon, the Commission may research, examine, and analyze-

(A) interstate transfer of information about individuals that is undertaken through manual files or by computer or other electronic or telecommunications means;

(B) data banks and information programs and systems the operation of which significantly or substantially affect the enjoyment of the privacy and other personal and property rights of individuals;

(C) the use of social security numbers, license plate num-bers, universal identifiers, and other symbols to identify individuals in data banks and to gain access to, integrate, or centralize information systems and files; and

(D) the matching and analysis of statistical data, such as Federal census data, with other sources of personal data, such as automobile registries and telephone directories, in order to reconstruct individual responses to statistical questionnaires for commercial or other purposes, in a way which results in a violation of the implied or explicitly recognized confidentiality of such information.

(2) -

(A) The Commission may include in its examination person-al information activities in the following areas: medical; insurance; education; employment and personnel; cred it, banking and financial institutions; credit bureaus; the commercial reporting industry; cable television and other telecommunications media; travel, hotel and entertainment reservations; and electronic check pro-cessing.

(B) The Commission shall include in its examination a study of-

(i)whether a person engaged in interstate commerce who maintains a mailing list should be required to remove an individual's name and address from such list upon request of that individual;

(ii) whether the Internal Revenue Service should be prohibited from transfering individually identifi-able data to other agencies and to agencies of State governments;

(iii)whether the Federal Government should be liable for general damages incurred by an individual as the result of a willful or intentional violation of the provisions of sections 552a(g)(1)(C) or (D) of title 5, United States Code; and

(iv) whether and how the standards for security and confidentiality of records required under section 552a(e)(10) of such title should be applied when a record is disclosed to a person other than an agency.

(C) The Commission may study such other personal infor-mation activities necessary to carry out the congressio-nal policy embodied in this Act, except that the Commission shall not investigate information systems maintained by religious organizations.

(3) In conducting such study, the Commission shall-

(A) determine what laws, Executive orders, regulations, directives, and judicial decisions govern the activities under study and the extent to which they are consistent with the rights of privacy, due process of law, and other guarantees in the Constitution;

(B) determine to what extent governmental and private information systems affect Federal-State relations or the principle of separation of powers;

(C) examine the standards and criteria governing programs, policies, and practices relating to the collection, solicit-ing, processing, use, access, integration, dissemination, and transmission of personal information; and

(D) to the maximum extent practicable, collect and utilize findings, reports, studies, hearing transcripts, and re-commendations of governmental, legislative and private bodies,institutions, . organizations,and individuals which pertain to the problems under study by the Commission.

(d) In addition to its other functions the Commission may-

(1) request assistance of the heads of appropriate departments, agencies, and instrumentalities of the Federal Government, of State and local governments, and other persons in carrying out its functions under this Act;

(2) upon request, assist Federal agencies in complying with the requirements of section 552a of title 5, United States Code; (3) determine what specific categories of information, the collec-tion of which would violate an individual's right of privacy, should be prohibited by statute from collection by Federal agencies; and

(4) upon request, prepare model legislation for use by State and local governments in establishing procedures for handling, maintaining, and disseminating personal information at the State and local level and provide such technical assistance to State and local governments as they may require in the preparation and implementation of such legislation.

(e) --

(1) The Commission may, in carrying out its functions under this section, conduct such inspections, sit and act at such times and places, hold such hearings, take such testimony, require by subpoena the attendance of such witnesses and the production of such books, records, papers, correspondence, and documents, administer such oaths, have such printing and binding done, and make such expenditures as the Commission deems advisable. A subpoena shall be issued only upon an affirmative vote of a majority of all members of the Commis-sion. Subpoenas shall be issued under the signature of the Chairman or any member of the Commission designated by the Chairman and shall be served by any person designated by the Chairman or any such member. Any member of the Commission may administer oaths or affirmations to witness-es appearing before the Commission.

(2) --

(A) Each department, agency, and instrumentality of the executive branch of the Government is authorized to furnish to the Commission, upon request made by the Chairman, such information, data, reports and such other assistance as the Commission deems necessary to carry out its functions under this section. Whenever the head of any such department, agency, or instrumentality submits a report pursuant to section 552a(o) of title 5, United States Code, a copy of such report shall be transmitted to the Commission.

(B) In carrying out its functions and exercising its powers under this section, the Commission may accept from any such department, agency, independent instrumen tality, or other person any individually identifiable data if such data is necessary to carry out such powers and functions. In any case in which the Commission accepts any such information, it shall assure that the informa-tion is used only for the purpose for which it is provided, and upon completion of that purpose such information shall be destroyed or returned to such department, agency, independent instrumentality, or person from which it is obtained, as appropriate.

(3) The Commission shall have the power to-

(A) appoint and fix the compensation of an executive director, and such additional staff personnel as may be necessary, without regard to the provisions of title 5, United States Code, governing appointments in the competitive service, and without regard to chapter 51 and subchapter III of chapter 53 of such title relating to classification and General Schedule pay rates, but at rates not in excess of the maximum rate for GS-18 of the General Schedule under section 5332 of such title; and

(B) procure temporary and intermittent services to the same extent as is authorized by section 3109 of title 5, United States Code.

The Commission may delegate any of its functions to such personnel of the Commission as the Commission may designate and may authorize such successive redelegations of such functions as it may deem desirable.

(4) The Commission is authorized-

(A) to adopt, amend, and repeal rules and regulations governing the manner of its operations, organization, and personnel;

(B) to enter into contracts or other arrangements or modifi-cations thereof, with any government, any department, agency, or independent instrumentality of the United States, or with any person, firm, association, or corporation, and such contracts or other arrangements, or modifications thereof, may be entered into without legal consideration, without performance or other bonds, and without regard to section 3709 of the Revised Statutes, as amended (41 U.S.C. 5);

(C) to make advance, progress, and other payments which the Commission deems necessary under this Act without regard to the provisions of section 3648 of the Revised Statutes, as amended (31 U.S.C. 529); and

(D) to make such other action as may be necessary to carry out its functions under this section.

(f)  --

(1) Each [the] member of the Commission who is an officer or employee of the United States shall serve without additional compensation, but shall continue to receive the salary of his regular position when engaged in the performance of the duties vested in the Commission.

(2) A member of the Commission other than one to whom paragraph (1) applies shall receive per diem at the maximum daily rate for GS-18 of the General Schedule when engaged in the actual performance of the duties vested in the Commission.

(3) All members of the Commission shall be reimbursed for travel, subsistence, and other necessary expenses incurred by them in the performance of the duties vested in the Commission.

(g) The Commission shall, from time to time, and in an annual report, report to the President and the Congress on its activities in carrying out the provisions of this section. The Commission shall make a final report to the President and to the Congress on its findings pursuant to the study required to be made under subsection (b)(1) of this section not later than two years from the date on which all of the members of the Commission are appointed. The Commission shall cease to exist thirty days after the date on which its final report is submitted to the President and the Congress.

(h) --

(1) Any member, officer, or employee of the Commission, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(2) Any person who knowingly and willfully requests or obtains any record concerning an individual from the Commission under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.

Sec. 6.

The OfFice of Management and Budget shall-

(1) develop guidelines and regulations for the use of agencies in implementing the provisions of section 552a of title 5, United States Code, as added by section 3 of this Act; and

(2) provide continuing assistance to and oversight of the imple-mentation of the provisions of such section by agencies.

Sec. 7.

(a) --

(1) It shall be unlawful for any Federal, State or local government agency to deny to any individual any right, benefit, or privilege provided by law because of such individual's refusal to disclose his social security account number.

(2) The provisions of paragraph (1) of this subsection shall not apply with respect to-

(A) any disclosure which is required by Federal statute, or

(B) the disclosure of a social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

(b) Any Federal, State, or local government agency which requests an individual to disclose his social security number to any Federal, State, or local agency maintaining a system of records in existence and operating before January 1, 1975, if such disclosure was required under statute or regulation adopted prior to such date to verify the identity of an individual.

(b) Any Federal, State, or local government agency which requests an individual to disclose his social security account number shall inform that individual whether that disclosure is mandatory or voluntary, by what statutory or other authority such number is solicited, and what uses will be made of it.

Sec. 8.

The provisions of this Act shall be effective on and after the date of enactment, except that the amendments made by section 3 and 4 shall become efFective 270 days following the day on which this Act is enacted.

Sec. 9.

There is authorized to be appropriated to carry out the provisions of section 5 of this Act for fiscal years 1975, 1976, and 1977 the sum of $1,500,000, except that not more than $750,000 may be expended during any such fiscal year.

Approved December 31, 1974

LEGISLATIVE HISTORY:

HOUSE REPORT No. 93-1416 accompanying H. R. 16373 (Comm. on Government Operations).

SENATE REPORT No. 93-1183 (Comm. on Government Opera-tions).

CONGRESSIONAL RECORD, Vol. 120 (1974):

  • Nov. 21, considered and passed Senate.
  • Dec. 11, considered and passed House, amended, in lieu of H. R. 16373.
  • Dec. 17, Senate concurred in House amendment with amendments.
  • Dec. 18, House concurred in Senate amendments.

WEEKLY COMPILATION OF PRESIDENTIAL DOCUMENTS, Vol. 11, No. l: Jan. 1, Presidential statement.

Appendix B. An Illustrative Revision of the Privacy Act of 1974.

The following illustrates how the Privacy Act of 1974 might be revised to incorporate the changes suggested in Chapter 3 of this volume and in Chapter 13 of Personal Privacy in an Information Society, the Commission's final report to the President and the Congress. It also reflects the majority of the recommendations on research and statistics in Chapter 15 of the Commission's final report, omitting only those that require specialized statutes. While this proposed revision is also intended to serve as a model for privacy legislation in general, Section 1 would replace all of 5 U.S.C. §552a, the Privacy Act of 1974. Section 2 would amend the Freedom of Information Act to make the revised Privacy Act the primary vehicle for an individual seeking access to records about himself. All references to "section 552 of this title" are references to the Freedom of Information Act.

Section 1. Title 5, United States Code, is amended by retitling and replacing all of section 552a with the following text in this section-

§552a. Information Maintained on Individuals:

(a) DEFINITIONS--For purposes of this section-

(1) the term "agency" means agency as defined in section 552(e) of this title;

(2) the term "individual" means a citizen of the United States or an alien lawfully admitted for permanent residence;

(3) the term "record" means any item, collection, or grouping of information about an individual including, but not limited to:

(A) normal directory information, such as the individual's name, address, telephone number, business address, or similar information,

(B) other numbers, symbols, fingerprints, voiceprints, pho-tographs, or identifying particulars assigned to, or associated with, the individual,

(C) information relating to the individual's background, education, finances, health, criminal history, or employ-ment history, or

(D) any other attributes, affiliations, or characteristics associated with, or assigned to, the individual; (4) the term "individually identifiable record" means a record which could be reasonably expected to be uniquely associated with the identity of the individual or individuals to whom it pertains;

(5) the term "research or statistical record" means an individually identifiable record which is collected or maintained by a Federal agency or pursuant to a Federal research contract or grant, or a subcontract thereof, for a research or statistical purpose only and which is not used, in whole or in part, in individually identifiable form to make any decision or to take any action directly affecting the individual to whom the record pertains (except within the context of the research plan or protocol or as provided by section 8 of title 13);

(6) the term "accessible record" means an individually identifi-able record, except a research or statistical record, which is:

(A) systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so as to identify, an individual, or

(B) otherwise readily accessible because:

(i)the agency is able to access the record without an unreasonable expenditure of time, money, effort, or other resources, or

(ii) the individual to whom the record pertains is able to provide sufficiently specific locating informa-tion so as to render the record accessible by the agency without an unreasonable expenditure of time, money, effort, or other resources;

(7) the term "system," or the term "subsystem," means any collection or grouping of individually identifiable records which is systematically filed, stored, or otherwise maintained according to some established retrieval scheme or indexing structure and which is, in practice, accessed by use of, or reference to, such retrieval scheme or indexing structure for the principal purpose of retrieving the record, or any portion thereof, on the basis of the identity of, or so as to identify, an individual or individuals;

(8) the term "maintain" includes collect, obtain, maintain, possess, process, use, disseminate, or disclose;

(9) the term "routine use" means the use or disclosure of an individually identifiable record for a purpose which is:

(A) compatible with the purpose for which the information in the record was collected or obtained, and

(B) consistent with the conditions or reasonable expecta-tions of use and disclosure under which the information in the record was provided, collected, or obtained;

(10) the term "collateral use" means the use or disclosure of an individually identifiable record for a purpose which:

(A) would not be considered a routine use as defined by subsection (a)(9) of this section, and

(B) is specifically authorized by statute, provided, however, that such statute:

(i) was enacted after January 1, 1975, and

(ii)establishes specific criteria for the use or disclosure of specific types of information;

(11) the term "medical record" means an individually identifiable record relating to an individual's medical history, diagnosis, condition, treatment, or evaluation which is created or maintained by a medical-care provider; and

(12) the term "medical-record information" means information obtained from a medical record or from the individual patient, his spouse, parent, or guardian for the purpose of making a non-medical decision about him.

(b) ACCESS TO RECORDS-Each agency that maintains accessible records shall make those records available to the individuals to whom they pertain as follows:

(1) Except as provided under subsections (b)(3) and (b)(5) of this section, each agency that maintains an accessible record shall, upon receipt of a request which reasonably describes such accessible record from the individual to whom it pertains:

(A) After receipt of satisfactory assurance that the requesting individual is who he purports to be-

(i) make such accessible record, or a copy of all or any portion thereof, available to that individual in a form which is comprehensible to him and which reflects, as accurately as can be reasonably expect-ed, the context or manner in which the agency maintains and uses that record; and

(ii) to the extent that the agency can be reasonably expected to be aware of substantially similar or derivative versions of such accessible record which it maintains, and to the extent that such substan-tially similar or derivative versions are themselves accessible records, make such substantially similar or derivative versions of such accessible record, or a copy of all or any portion thereof, available to that individual in a form which is comprehensible to him and which reflects, as accurately as can be reasonably expected, the context or manner in which the agency maintains and uses that record.

(B) Upon request by an individual who has been granted access to an accessible record pursuant to subsection (b)(1)(A) of this section, the agency shall provide the individual with an accounting of the actual uses and disclosures of such record made within a reasonable period of time prior to the request as follows:

(i)The agency shall provide the individual with an accounting of all of the prior recipients of such record to whom the agency could be reasonably expected to propagate a correction pursuant to subsection (f) of this section.

(ii) The agency shall provide the individual with an accounting of any other prior recipients of such record of which the agency could be reasonably expected to be aware but to whom the agency could not be reasonably expected to propagate corrections pursuant to subsection (f) of this section.

(iii) In providing the accounting pursuant to subsec-tions (b)(1)(B)(i) and (b)(1)(B)(ii) of this section, the agency shall take reasonable affirmative steps to inform the individual, in a form comprehensible to him, of:

(I) the date, nature, and purpose of each disclosure, and

(II) the name and address of the person or agency to whom the disclosure was made. (2) When an agency grants an individual access to an accessible record or an accounting of the uses and disclosures of such record pursuant to subsection (b)(1) of this section, the individual to whom the record pertains may, upon his request, be accompanied by a person of his own choosing, except that the agency may require the individual to furnish a written statement authorizing discussion or disclosure of that individ-ual's record, or its uses and disclosures, in the accompanying person's presence.

(3) Nothing in this section shall be construed as requiring an agency to grant an individual access to information within a record or information that accounts for the uses and disclo-sures of a record, which information is:

(A) --

(i)specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy, and (ii) is, in fact, properly classified pursuant to such Executive order;

(B) investigatory information compiled for law enforcement purposes, but only to the extent that the production of such information would:

(i)interfere with enforcement proceedings,

(ii) deprive a person of a right to a fair trial or an impartial adjudication,

(iii) constitute an unwarranted invasion of personal privacy,

(iv) disclose the identity of a confidential source and, in the case of a record compiled by a criminal law enforcement authority in the course of a criminal investigation, or by an agency conducting a lawful national security intelligence investigation, confi-dential information furnished only by the confi-dential source,

(v)disclose investigative techniques and procedures, or

(vi) endanger the life or physical safety of law enforce-ment personnel;

(C) contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions;

(D) information compiled in reasonable anticipation of civil action or proceeding;

(E) investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished informa-tion to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence;

(F) testing or examination material used soley to determine individual qualifications for appointment or promotion in the Federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process;

(G) evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to September 27, 1975, under an implied promise that the identity of the source would be held in confidence; or

(H) authorized by statute to be withheld from the parent or legal guardian of the individual to whom the information pertains.

(4) Any reasonably segregable portion of an accessible record shall be provided to any individual requesting such record pursuant to subsection (b)(1)(A) of this section, and any reasonably segregable portion of the accounting of the uses and disclosures of such record shall be provided to any individual requesting such accounting pursuant to subsection (b)(1)(B) of this section, after deletion of the portions which are exempt under subsection (b)(3) of this section.

(5) While it may not deny access to an accessible record to the individual to whom the record pertains, except as provided in subsection (b)(3) of this section, an agency may establish a procedure for disclosure, to a person designated by the individual to whom the information pertains, of a medical record or medical-record information pursuant to subsection (b)(1) of this section.

(6) -

(A) Upon receipt of a request made pursuant to subsection (b)(1) of this section for access to records or to the accounting of the actual uses and disclosures thereof, an agency shall:

(i)determine within 30 days (excluding Saturdays, Sundays, and legal public holidays) after receipt of any such request whether it will comply with such request;

(ii) at the time of such determination notify the individual making such request of the determina-tion, including, if any part of such request is denied, the reasons therefor and the procedures for judicial review of that determination pursuant to subsection (k)(1)(B) of this section; and

(iii)make available to the individual within a reason-able period of time such records and accountings as the agency determines it will provide.

(B) Any individual making a request pursuant to subsection (b)(1) of this section for access to records or to the accounting of the actual uses and disclosures thereof shall be deemed to have exhausted his administrative remedies with respect to such request if the agency fails to comply with the applicable time limit provisions of subsection (b)(6) of this section.

(c) AMENDMENT OF RECORDS-Each agency that maintains accessible records shall permit the individuals to whom the records pertain to request amendment of those records as follows:

(1) When an individual has been granted access to an accessible record, or a substantially similar or derivative version thereof, pursuant to subsection (b)(1) of this section, the agency shall also permit that individual to request amendment of that record, or the substantially similar or derivative versions thereof, and:

(A) not later than 10 days (excluding Saturdays, Sundays, and legal public holidays) after the date of receipt of such request, acknowledge in writing such request; and

(B) promptly, either:

(i)make any correction of any portion thereof which the individual believes is not accurate, relevant, timely, or complete; or

(ii) inform the individual of its refusal to amend the record, or the substantially similar or derivative versions thereof, in accordance with his request, the reason for the refusal, the procedures estab-lished by the agency for the individual to request a review of that refusal by the head of the agency or an officer designated by the head of the agency, and the title and business address of that official;

(2) The agency shall permit the individual who disagrees with its refusal to amend his record, or the substantially similar or derivative versions thereof, to request a review of such refusal, and not later than 30 days (excluding Saturdays, Sundays, and legal public holidays) from the date on which the individual requests such review, complete such review and make a final determination unless, for good cause shown, the head of the agency extends such 30-day period;

(3) If, after the review made pursuant to subsection (c)(2) of this section, the reviewing official also refuses to amend the record, or the substantially similar or derivative versions thereof, in accordance with the individual's request, the agency shall:

(A) permit the individual to file with the agency a concise statement setting forth the reasons for his disagreement with the refusal of the agency, and

(B) notify the individual of the provisions for judicial review of the reviewing official's determination under subsec-tion (k)(1)(A) of this section;

(4) In any disclosure which contains information about which the individual has filed a statement of disagreement pursuant to subsection (c)(3) of this section and which occurs after the filing of such statement, the agency shall:

(A) clearly identify any portion of the record which is disputed, and

(B) provide copies of the statement and, if the agency deems it appropriate, copies of a concise statement of the reasons of the agency for not making the amendments requested, to persons or other agencies to whom the disputed information has been disclosed.

(d) LIMITATIONS ON DISCLOSURE-No agency shall disclose any individually identifiable record by any means of communication to any person or to another agency unless such disclosure would be:

(1) pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains;

(2) required under section 552 of this title;

(3) to those officers and employees of the agency who have a need for the record in the performance of their duties, provided, however, that such disclosure is:

(A) necessary and proper for the performance of the agency's own mission and functions, and

(B) a routine use as defined by subsection (a)(9) of this section;

(4) to a person other than an officer or employee of the agency, provided, however, that such disclosure is:

(A) a routine use as defined by subsection (a)(9) of this section, and

(B) certified by the designated official of subsection Ú) of this section as meeting the requirements in subsection (a)(9) of this section;

(5) a collateral use as defined by subsection (a)(10) of this section, provided, however, that such disclosure is certified by the designated official of subsection Ú) of this section as meeting the requirements in subsection (a)(10) of this section;

(6) to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13;

(7) to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Administrator of General Services or his designee to determine whether the information has such value;

(8) to another agency or to an instrumentality of any governmen-tal jurisdiction within or under the control of the United States, or to a foreign government when specifically autho rized by treaty or statute, for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;

(9) to a person pursuant to a showing of compelling circumstanc-es affecting the health or safety of any individual, provided that upon such disclosure notification thereof is transmitted to the last known address of the individual to whom the record pertains;

(10) to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;

(11) to a Member of Congress in response to an inquiry from that Member which is made at the express request of:

(A) the individual to whom the record pertains and that individual is a constituent of the Member, or

(B) a relative or legal representative of the individual to whom the record pertains, and

(i)the individual, or the requesting relative or legal representative of the individual, to whom the record pertains is a constituent of the Member, and

(ii) the individual to whom the record pertains is incapacitated or otherwise clearly unable to re-quest the Member's assistance himself,

(12) to the Comptroller General, or any of his authorized represen-tatives, in the course of the performance of the duties of the General Accounting Office;

(13) pursuant to the order of a court of competent jurisdiction; or (14) notwithstanding the provisions of subsections (d)(1,3,4,5,7,8,9, 10,11,12,13) of this section, for use as a research or statistical record, provided, however, that the agency:

(A) determines that such use or disclosure is consistent with the conditions or reasonable expectations of use and disclosure under which the information in the record was provided, collected, or obtained;

(B) determines that the research or statistical purpose for which the use or disclosure is to be made:

(i) cannot be reasonably accomplished unless the information is provided in individually identifiable form; and

(ii)warrants the risk to the individual which addition-al exposure of the information in the record in individually identifiable form might bring;

(C) takes reasonable affirmative steps to assure that the recipient:

(i) will take adequate steps to comply with the requirements of subsection (e)(1)(E) of this sec-tion; and

(ii)will remove or destroy the individual identifier or identifiers associated with the record or records at the earliest time at which such removal or destruction can be reasonably accomplished consistent with the purpose of the research or statistical project;

(D) prohibits any subsequent use or disclosure of the record in individually identifiable form without the agency's express authorization; and

(E) secures a written statement attesting to the recipient's understanding of, and willingness to abide by, the conditions of subsection (d)(14) of this section in those instances in which the recipient is not an officer or employee of the agency.

(e) COLLECTION AND MAINTENANCE OF INFORMATION--

(1) Each agency that collects or maintains individually identifiable records shall:

(A) collect information to the greatest extent practicable directly from the individual to whom the information pertains when such information may affect determina tions about an individual's rights, benefits, or privileges under Federal programs;

(B) take reasonable affirmative steps to enable individuals from whom it requests information about themselves or others to decide whether to supply that information in as informed and uncoerced a manner as is reasonably possible and, to that end, the agency shall make available to the individual, unless the individual has already been notified within a reasonable period of time prior to the request and has been offered a retention copy of, the following:

(i) the authority for the solicitation of the information;

(ii) whether such disclosure is mandatory or voluntary and the consequences to the individual of not providing the information;

(iii) the principal purpose or purposes for which the information is intended to be used;

(iv) any routine or collateral uses of the information which could be reasonably expected to influence an individual's decision, including the possibility of recontact when the routine or collateral use is for a research or statistical purpose;

(v) the types of additional information, techniques, and sources that may be used to verify the information;

(vi) the title, business address, and business telephone number of a responsible agency official who can assist an individual in his decision or answer any questions which an individual may have; and

(vii) when information is collected for a research or statistical purpose:

(I) the possibility, if any, that the information may be used or disclosed in individually identifiable form for additional research or statistical purposes,

(II) any requirements for disclosure of the info-mation in individually identifiable form for other than research or statistical purposes, and

(III) that if any such required disclosure is made for other than a research or statistical pur-pose, the individual will be promptly notified pursuant to subsection (g)(3) of this section. (C) collect or maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive Order of the President;

(D) maintain all records which are used by the agency in making any determination about any individual with such accuracy, timeliness, completeness, and relevance as is reasonably necessary to assure fairness in the determination, although this provision shall not prohibit the CIA, or any agency or component thereof which performs as its principal function any activity relating to the enforcement of criminal laws, from maintaining unverified or otherwise potentially inaccurate, untimely, incomplete, or irrelevant information, provided, how-ever, that such information is clearly identified as such to all users or recipients of that information;

(E) establish reasonable administrative, technical, and phys-ical safeguards to assure the integrity, confidentiality, and security of such individually identifiable records so as to minimize the risk of substantial harm, embarrass-ment, inconvenience, or unfairness to the individual to whom the information pertains; and

(F) take reasonable affirmative steps to serve notice on an individual when any record on such individual is made available to any person under compulsory legal process when such process becomes a matter of public record.

(2) No agency, or officer, employee, agent, or contractor thereof, shall collect or maintain information:

(A) describing the content of any publication, speech, or other expression of belief or argument by an individual in the exercise of rights guaranteed by the First Amendment, unless such information is compiled pursu-ant to an authorized investigation of sedition or espio-nage under sections 792 through 797 and sections 2381 through 2386 of title 18, or unless such information would be legally admissible evidence in a criminal prosecution and is compiled pursuant to an authorized investigation of a violation of the criminal laws of the United States;

(B) describing the forum in which an individual publishes, speaks, or otherwise exercises his First Amendment rights of speech, association, or religion, unless such information is compiled pursuant to an authorized investigation of a violation of the laws of the United States; or

(C) otherwise describing the way any individual exercises his rights guaranteed by the First Amendment, except to the extent that such information is limited to collecting and maintaining the time, place, and observed associa-tions of an individual which are compiled pursuant to and in the course of an authorized investigation of a violation of the laws of the United States.

(D) The provisions of subsections (e)(2)(A), (e)(2)(B), and (e)(2)(C) of this section shall not prohibit an agency from collecting or maintaining:

(i) a specific item of information which is expressly required by statute, or which is expressly autho-rized by the individual to whom it pertains, to be collected or maintained, or

(ii) information the collection or maintenance of which would be a reasonable and proper library, bibliographic, abstracting, or similar reference function.

(f) PROPAGATION OF CORRECTIONS--

(1) Each agency that maintains individually identifiable records shall attempt to assure the accuracy, timeliness, and complete-ness of the records maintained by the sources and the prior recipients of the information in its records by taking reason-able affirmative steps to furnish such sources and prior recipients who have, within a reasonable period of time, provided information to, or received information from, an individually identifiable record maintained by the agency of all:

(A) corrections of that individually identifiable record made pursuant to subsection (c)(1)(B)(i) of this section, (B) statements of disagreement regarding information con-tained in that individually identifiable record made pursuant to subsection (c)(3) of this section, together with, if such exists, the corresponding statement of the agency's position made pursuant to subsection (cx4)(B) of this section, and

(C) corrections of erroneous information contained in that individually identifiable record which are normal up-dates, changes, or modifications of that information made in the performance of the agency's functions, provided, however, that:

(i) such corrections are made pursuant to subsection (e)(1)(D) of this section,

(ii)such corrections could be reasonably expected to affect the outcome of any determination on the individual if known to either the sources or prior recipients of the erroneous information, and

(iii)the sources and prior recipients of the erroneous information could not be reasonably expected by the agency to otherwise become aware of such corrections through normal means.

(2) The agency shall not be required to notify, pursuant to subsections (f)(1)(A), (f)(1)(B), and (f)(1)(C) of this section:

(A) a prior recipient who received the erroneous information pursuant to section 552 of this title, or

(B) a source of the erroneous information who provided the information as an individual acting on his own behalf and not in an official capacity as a representative, officer, employee, or agent of an agency or other organization.

(3) Notwithstanding the provisions of subsection (f)(2) of this section, the agency shall furnish to any person specifically named by the individual to whom they pertain, corrections or statements of disagreement or agency position as enumerated in subsections (f)(1)(A), (f)(1)(B), and (f)(1)(C) of this section.

(g) RESEARCH OR STATISTICAL RECORDS--

(1) Except as provided in subsections (d)(2), (d)(6), and (d)(14) of this section, no agency shall use or disclose a research or statistical record, or any portion thereof, in individually identifiable form without the authorization of the individual to whom the record pertains unless:

(A) the agency reasonably believes that such use or disclo-sure will forestall continuing or imminent physical injury to an individual, provided that the information disclosed is limited to that information necessary to secure the protection of the indivdual who may be injured;

(B) the record is furnished in compliance with a judicial order, including a search warrant or lawfully issued subpoena, and the purpose of the judicial order is to assist inquiry into an alleged violation of law by a researcher or an institution or agency maintaining research or statistical records, provided that:

(i) any record so disclosed shall not be used as evidence in any administrative, legislative, or judicial proceeding against anyone other than the researcher or research entity,

(ii) any record so disclosed shall not be used as evidence (or otherwise made public) in such a manner that the subject of the research may be identified, unless identification of an individual research subject is necessary to prove the violation of law, and

(iii) an individual identified in any record to be made public in individually identifiable form shall be given notice prior to such publication and may contest the necessity of such publication before the administrative, legislative, or judicial tribunal authorizing such publication, pursuant to subsec-tion (k) of this section;

(C) the record is disclosed in individually identifiable form for the purpose of auditing or evaluating a Federal research program and such an audit or evaluation is expressly authorized by Federal statute; or

(D) the record is disclosed to the National Archives and Records Service pursuant to section 2103 of title 44.

(2) If a research or statistical record is disclosed under any condition other than those provided under subsection (gxl) of this section, the individual research subject or subject identi-fied by the record disclosed may seek, against the person, institution, or agency disclosing the record, the person, institution, or agency seeking disclosure, and, in the case of disclosure pursuant to a court order, the person who applied for such an order, damages, injunctive relief, or any other relief a court may deem proper pursuant to subsection (k) of this section.

(3) Each agency that collects or maintains research or statistical records shall take reasonable affirmative steps to notify an individual whenever a research or statistical record pertaining to him is disclosed in individually identifiable form without:

(A) a prohibition on further use or disclosure, and

(B) assurance that the record will not be used to make any decision or take any action directly affecting the individual to whom it pertains.

(h) GENERAL NOTICE OF AGENCY SYSTEMS, POLICIES, AND PRACTICES-

(1) Each agency that maintains individually identifiable records shall publish in the Federal Register at least annually a notice which describes in detail, in terms of systems and subsystems that most accurately reflect the context or manner in which the agency uses the information, the existence and character of such systems and subsystems, which notice shall include:

(A) the name and location of each system or subsystem, as well as any substantially similar or derivative systems or subsystems;

(B) the authority for the maintenance of the system or subsystem;

(C) the categories of individuals on whom records are maintained in the system or subsystem;

(D) the categories of information or data items maintained in the system or subsystem;

(E) each use or disclosure of the records contained in the system or subsystem, including the categories of users and the purposes of such use or disclosure;

(F) the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the information maintained in the system or subsystem;

(G) the title, business address, and business telephone number of the agency ofFicial responsible for the system or subsystem;

(H) the agency procedures whereby an individual can request:

(i)access to records pertaining to him in the system or subsystem, and

(ii) amendment of such records; and

(I) the categories of sources of information in the system, except to the extent that material so published would be information to which an individual would be denied access under subsections (b)(3)(A) and (b)(3)(B).

(2) The Office of the Federal Register shall annually compile and publish the notices published pursuant to subsection (h)(1) of this section and the rules published pursuant to subsection Ü) of this section in a form available to the public at low cost and which is indexed, arranged, or otherwise prepared to enable ease of use and reference by the public.

(i) RIGHTS OF PARENTS AND LEGAL GUARDIANS-For the purposes of this section, the parent of any minor, or the legal guardian of any individual who has been declared to be incompe tent due to physical or mental incapacity or age by a court of competent jurisdiction, may act on behalf of the individual.

(j) AGENCY IMPLEMENTATION-

(1) The head of each agency shall designate one ofFicial with the authority to oversee the agency's implementation of this section, and such designated official shall:

(A) be the head of an ofFice designated or created by the agency head, with as many components, field offices, or other supporting structures and staff as the agency head deems necessary,

(B) issue such instructions, guidelines, and standards, and make such determinations, as are necessary for the implementation of this section,

(C) take reasonable affirmative steps to assure that all agency employees and ofFicials responsible for the collection, maintenance, use, and dissemination of individually identifiable records are aware of the requirements of this section, and

(i)the instructions, guidelines, standards, and deter-minations, issued pursuant to subsection (j)(1)(B) of this section,

(ii) the rules promulgated pursuant to subsection Ú)(2) of this section, and

(iii)the penalties for non-compliance.

(2) In order to carry out the provisions of this section, each agency that collects and maintains individually identifiable records shall promulgate rules, in accordance with the requirements (including general notice) of section 553 of this title, which shall:

(A) define reasonable times, places, and requirements for. identifying any individual who requests access to records, or the accounting of the uses and disclosures thereof, before the agency shall make those records, or the accounting of the uses and disclosures thereof, available to the requesting individual;

(B) establish procedures for the disclosure to an individual upon his request for records pertaining to him, including procedures, if deemed necessary, pursuant to subsection (b)(5) of this section, for the disclosure of information which would adversely affect the health of the individual to whom the records pertain;

(C) establish procedures for reviewing a request from an individual concerning the amendment of any records pertaining to that individual, for making a determina tion on the request, for an appeal within the agency of an initial adverse agency determination, and for whatev-er additional means may be necessary for each individu-al to be able to exercise fully his rights under this section; and

(D) establish fees to be charged, if any, to any individual for making copies of records pertaining to him, excluding the cost of any search for and review of the records.

(k) CIVIL REMEDIES--

(1) Whenever any agency:

(A) makes a determination under subsection (c) of this section not to amend an individual's record in accor-dance with his request, or fails to make such review in conformity with that subsection;

(B) refuses to comply with an individual request under subsection (b)(1) of this section;

(C) fails to maintain any individually identifiable record with such accuracy, relevance, timeliness, and complete-ness as is necessary to assure fairness in any determina tion relating to the qualifications, character, rights, or opportunities of, or benefits to, the individual that may be made on the basis of such record, and consequently a determination is made which is adverse to the individual; or

(D) fails to comply with any other provision of this section, or any rule promulgated thereunder,

the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.

(2) --

(A) In any suit brought under the provisions of subsection (k)(1)(A) of this section, the court may order the agency to amend the individual's record in accordance with his request or in such other way as the court may direct. In such a case, the court shall determine the matter de novo.

(B) The court may assess against the United States reason-able attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

(3)--

(A) In any suit brought under the provisions of subsection (k)(1)(B) of this section, the court may enjoin the agency from withholding the records, or the accounting of the uses and disclosures thereof, and order the production to the complainant of any agency records, or the accounting of the uses and disclosures thereof, improp-erly withheld from him. In such a case, the court shall determine the matter de novo. The court may examine the contents of any agency records, or any accounting of the uses and disclosures thereof, in camera to determine whether the records or any portion thereof, or any accounting of the uses and disclosures thereof, may be withheld under any of the exemptions set forth in subsection (b)(3) of this section, and the burden is on the agency to sustain its action.

(B) The court may assess against the United States reason-able attorney fees and other litigation costs reasonably incurred in any case under this paragraph in which the complainant has substantially prevailed.

(4) In any suit brought under the provisions of subsections (k)(1)(C) or (k)(1)(D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the court may order the agency to act in a manner consistent with this section, and, in addition, the United States shall be liable to the individual in an amount equal to the sum of:

(A) special and general damages sustained by the individual as a result of the failure under subsections (k)(1)(C) or (k)(1)(D) of this section, but in no case shall a person entitled to recovery receive less than the sum of $1,000 or more than the sum of $10,000 in excess of the dollar amount of any special damages; and

(B) the costs of the action together with reasonable attorney fees as determined by the court.

(5) An action to enforce any liability created under this section may be brought in the district court of the United States in the district in which the complainant resides, or has his principal place of business, or in which the agency records are situated, or in the District of Columbia, without regard to the amount in controversy, within 2 years from the date on which the cause of action arises, except that where an agency has materially and willfully misrepresented any information required under this section to be disclosed to an individual and the information so misrepresented is material to the establishment of the liability of the agency to the individual under this section, the action may be brought at any time within 2 years after discovery by the individual of the misrepresentation. Nothing in this section shall be construed to authorize any civil action by reason of any injury sustained as the result of a disclosure of a record prior to the effective date of this section.

(1) CRIMINAL PENALTIES-

(1) Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.

(2) Any officer or employee of any agency who willfully main-tains any collection or grouping of records without meeting the notice requirements of subsection (h)(1) of this section shall be guilty of a misdemeanor and fined not more than $5,000.

(3) Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.

(m) GOVERNMENT CONTRACTORS AND GRANTEES-

(1) Any contractor or recipient of a Federal grant, or any subcontractor thereof, who performs any function on behalf of a Federal agency which requires the contractor or grantee to maintain individually identifiable records shall be subject to the provisions of this section, except that this provision shall not apply to:

(A) the employment, personnel, or other administrative records which the contractor or grantee maintains as a necessary aspect of supporting the performance of the contract or grant but which bear no other relation to the performance of the contract or grant,

(B) individually identifiable records to which all of the following conditions apply:

(i) Such records are neither required nor implied by the terms of the contract or grant to be collected or maintained,

(ii) No representation of Federal sponsorship or association is made for such records, and

(iii) Except for authorized audits or investigations, such records will not be submitted or otherwise provided to the Federal agency with which the contract or grant is established.

(2) The agency with which the contract or grant is established shall, consistent with its authority, be responsible for ensuring that the contractor or grantee complies faithfully with the provisions of this section.

(3) For any contracts or grants agreed to on or after the effective date of this section to which subsection (m)(1) of this section applies:

(A) any such contractor or grantee, or any employee of such contractor or grantee, shall, for purposes of the criminal penalties of subsection (1) of this section, be considered to be an employee of the agency;

(B) any such contractor or grantee shall, for purposes of the civil remedies of subsection (k) of this section, be considered to be an agency, except that the damages, attorney fees, and litigation costs under subsections (k)(2)(B), (k)(3)(C), and (k)(4) shall be assessed against the contractor or grantee instead of against the United States; and

(C) no official or employee of any agency shall include, or authorize to be included, in any such contract or grant any provision indemnifying the contractor or grantee from the civil remedies of subsection (k) of this section.

(n) ARCHIVAL RECORDS-

(1) Each agency record which is accepted by the Administrator of General Services for storage, processing, and servicing in accordance with section 3103 of title 44 shall, for the purposes of this section, be considered to be maintained by the agency which deposited the record and shall be subject to the

provisions of this section. The Administrator of General Services shall not disclose the record except to the agency which maintains the record, or under rules established by that agency which are not inconsistent with the provisions of this section.

(2) Each agency record pertaining to an identifiable individual which was transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, prior to the effective date of this section, shall, for the purposes of this section, be considered to be main-tained by the National Archives and shall not be subject to the provisions of this section, except that a statement generally describing such records (modeled after the require-ments relating to records subject to subsections (h)(1)(A) through (h)(1)(G) of this section) shall be published in the Federal Register.

(3) Each agency record pertaining to an identifiable individual which is transferred to the National Archives of the United States as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, on or after the effective date of this section, shall, for the purposes of this section, be considered to be maintained by the National Archives and shall be exempt from the requirements of this section except subsections (h)(1)(A) through (h)(1)(G) of this section.

(o) REPORT ON NEW SYSTEMS-Each agency shall provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system or subsystem in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers.

(p) ANNUAL REPORT-The President shall submit to the Speaker of the House and the President of the Senate, by June 30 of each calendar year, a consolidated report, separately listing for each Federal agency the number of records contained in any system or subsystem which were exempted under the provisions of subsection (b)(3) of this section during the preceding calendar year, and the reasons for the exemptions, and such other information as indicates efForts to administer fully this section.

(q) EFFECT OF OTHER LAWS-

(1) Whenever an agency receives a request for access to records which could be processed either under the provisions of section 552 of this title or under the provisions of this section, the agency shall process such request under the provisions of this section, provided, however, that the individual shall always receive not only the information to which he is entitled under this section but also any additional information to which he would otherwise be entitled if the request were processed under section 552 of this title.

(2) No agency shall rely upon any exemption contained in section 552 of this title to withhold from an individual any record which is otherwise accessible to the individual under the provisions of this section.

(r) MAILING LISTS-- An individual's name and address may not be sold or rented by an agency unless such action is specifically authorized by law. This provision shall not be construed to require the withholding of names and addresses otherwise permitted to be made public.

Section 2. Technical amendment to section 552 of this title [the Freedom of Information Act] in order to maintain consistency with the new 552a(q).

Section 552(a)(3) of title 5, United States Code, is amended by replacing the first word "Except" with the words "Except as provided under subsection 552a(q) of this title, and except".