Privacy Act

(Photo caption: For you young'uns, Nixon is the one on the left)
© Cybertelecom

Back in the late 60s and early 70s, the government had gotten itself into a bit of a problem. The Government and the Committee to Re-elect the President (aka CREEP; no, I am not making that up), that President being President Nixon, had gotten into the habit of intruding on the privacy of citizens, conducting surveillance, and building files on individuals suspected of being threats to the State, or at least on people who annoyed the President. In the backlash from Watergate came, among other things, the Privacy Act of 1974, designed to curtail the government's ability to build those files and to empower citizens to control the information gathered and held concerning them.
As a 1974 statute, the Privacy Act cannot be said to have been directed at, or conscious of, the Internet. However, as a result of this law, Federal online sites find themselves under powerful privacy protections (unlike the private sector). The Act "attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies." [DOJ]
The general thrust of the Privacy Act is to restrain the ability of a Federal agency to disclose personal information that it has collected.
- No agency shall disclose any record
  - A "record" is defined as any item, collection, or grouping of information about an individual that is maintained by an agency. The record in question would be one with a unique identifier that could connect that information to a specific individual. The Privacy Act governs, for example, government collection and use of social security numbers. [5 U.S.C. § 552a(a)(4)]
- which is contained in a system of records
  - "the term 'system of records' means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual" [5 U.S.C. § 552a(a)(5)]
- by any means of communication to any person, or to another agency,
- except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.
[5 U.S.C. § 552a(b)]
The agency that maintains a system of records must comply with the requirements set forth in 5 U.S.C. § 552a(e), including:
- Collect only that information which is relevant and necessary [5 U.S.C. § 552a(e)(1)]
- Collect information from the subject individual to the greatest extent practicable [5 U.S.C. § 552a(e)(2)]
- Provide notice to individuals of the authority for, and purpose of, the information collection [5 U.S.C. § 552a(e)(3)]
- Maintain information that is accurate, relevant, timely, and complete "as is reasonably necessary to assure fairness to the individual in the determination" [5 U.S.C. § 552a(e)(5)&(6)]
- Ensure appropriate safeguards for the security and confidentiality of information [5 U.S.C. § 552a(e)(9)&(10)]
- Not maintain records describing how individuals exercise their First Amendment rights (i.e., no tracking of freedom of expression) [5 U.S.C. § 552a(e)(7)]
The Privacy Act protects U.S. citizens and lawful permanent residents. It does not protect corporations or organizations. It also does not protect deceased individuals.
The Privacy Act applies to Federal Agencies and to Federal Contractors. [5 U.S.C. § 552a(m)] OMB Guidelines, 40 Fed. Reg. 28,948, 28,951, 28,975-76, (July 9, 1975). FAR Subpart 24-1, Protection of Individual Privacy; FAR 52.224-1 - 52.224-2 (2010). This is relevant as Feds consider Cloud Computing through third party vendors.
The federal government has ten major privacy procedures when dealing with records [5 U.S.C. § 552a(e)]:
- Limit collection
- Ensure information is accurate, timely, relevant and complete
- Public notice of system of records
- Information safeguards
- Privacy Impact Assessments
- Disclose information collection
- Train employees on Privacy Act
- Establish computer matching agreements (Computer Matching Act)
- Compliance Review
- Provide for an individual's ability to review and correct data
This rule has 12 expansive exceptions:
- need to know,
- required FOIA disclosure,
- routine use,
- Bureau of the Census,
- statistical research,
- National Archives,
- law enforcement request,
- health or safety of an individual,
- Congress,
- General Accounting Office,
- court order, and
- debt collection.
Most of these are permissive, not mandatory exceptions. Individuals have a right to access, review and correct information collected concerning themselves. [5 U.S.C. § 552a(d)]
Process:
To engage in data collection, a federal agency needs a System of Records Notice (SORN) [5 U.S.C. § 552a(e)(4)&(11)] and a Privacy Impact Assessment (see OMB Circular A-130).
Enforcement: A government official violates the Act if he or she
- knowingly discloses personally identifiable information;
- willfully maintains identifiable information without meeting the public notice requirements; or
- knowingly and willfully requests or obtains records concerning an individual under false pretenses.
Penalties include a criminal misdemeanor and fines of up to $5000 under the Privacy Act, as well as potential disciplinary action.
The Department of Justice has published extensive guidance on the Privacy Act: US DOJ, Overview of the Privacy Act of 1974 (May 2002).
Law
- Privacy Act of 1974, codified at 5 U.S.C. § 552a
- The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503), which amended the Privacy Act
- 5 CFR 1302

Regulatory Activity
- White House
  - OMB Circular No. A-130, "Management of Federal Information Resources" (Feb. 20, 1996)
  - Implementing the Privacy Provisions of the E-Government Act of 2002 (9/2003)
  - Guidance on Inter-Agency Sharing of Personal Data: Protecting Personal Privacy (12/2000)
  - Privacy Policies and Data Collection on Federal Web Sites (6/2000)
  - Guidance and Model Language for Federal Web Site Privacy Policies (6/1999)
  - Privacy and Personal Information in Federal Records (1/1999)
  - Privacy Act Implementation, Guidelines and Responsibilities (7/1975)
  - Privacy Act Responsibilities for Implementing the Personal Responsibility and Work Opportunity Reconciliation Act of 1996 (November 3, 1997)
  - Computer Matching and Privacy Protection Amendments of 1990 and the Privacy Act of 1974, 56 FR 18599 (April 23, 1991)
  - Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 FR 25818 (June 16, 1989)
  - Guidance on Privacy Act Implications of "Call Detail" Programs, 52 FR 12290 (April 20, 1987)
  - Privacy Act Guidance: Update (May 24, 1985)
  - Implementation of the Privacy Act of 1974, Supplemental Guidance, 40 FR 5674 (December 4, 1975)
  - Privacy Act Implementation, Guidelines and Responsibilities, 40 FR 28948 (July 9, 1975)
  - Congressional Inquiries which Entail Access to Personal Information Subject to the Privacy Act (October 3, 1975)
  - Memorandum on Privacy and Personal Information in Federal Records, 34 Weekly Comp. Pres. Doc. 870 (May 14, 1998)
- DOJ, Overview of the Privacy Act of 1974 (May 2002)

Caselaw
- Doe v. Chao, S. Ct. 2004; EPIC information page ("an individual must prove he has suffered actual harm before he can receive a $1,000 minimum statutory award when the government wrongfully discloses his Social Security Number.")