Privacy Act of 1974

Background
Before advanced computerized techniques for aggregating, analyzing, and disseminating data came into widespread use, personal information contained in paper-based public records at courthouses or other government offices was relatively difficult to obtain, usually requiring a personal visit to inspect the records. Non-public information, such as personal information contained in product registrations, insurance applications, and other business records, was also generally inaccessible.

Indeed, at the time the Privacy Act was being debated and enacted, there were technological limitations on the use of individual records by federal agencies. The vast majority of record systems in federal agencies were manual. Computers were used only to store and retrieve, not to manipulate or exchange information. It was theoretically possible to match personal information from different files, to manually verify information provided on government application forms, and to prepare a profile of a subset of individuals of interest to an agency. However, the number of records involved made such applications impractical.

Only a few years later, however, advances in computer and data communication technology enabled agencies to collect, use, store, exchange, and manipulate individual records in electronic form. Computer systems and computer networks are now widely used by the federal government, vastly increasing the potential points of access to personal record systems and the creation of new systems.

History of the Privacy Act
In the mid-1960s, Congress and certain executive agencies began to study the privacy implications of records maintained by federal agencies. The congressional concern with privacy and individual records was precipitated by the 1965 Social Science Research Council proposal that the Bureau of the Budget establish a National Data Center to provide basic statistical information originating in all federal agencies.

In 1966, the Senate Committee on the Judiciary, Subcommittee on Administrative Practice and Procedure, and the House Committee on Government Operations, Special Subcommittee on Invasion of Privacy, held hearings on the proposals for a National Data Center. Both committees were unconvinced of the need for such a center or of its ability to keep data confidential.

In 1967 and 1968, the House and Senate again held hearings on the proposal for a National Data Center, and remained unconvinced that such a center could adequately protect the privacy of individual records. The committees and various witnesses feared that once such a center was established, its limited role would not be maintained. There was also great reluctance to condone the centralization of both personal information and responsibility for that information within an executive agency. Although the committees agreed that the existing situation was inefficient, they believed that such decentralized inefficiency was amenable to congressional oversight, whereas centralized efficiency would be more difficult to check. The proposal for a National Data Center was therefore rejected.

In 1970, the Senate Judiciary Committee, Subcommittee on Constitutional Rights, chaired by Senator Sam Ervin, Jr., began a 4-year study of Federal Government databanks containing personal information and held related oversight hearings. These hearings and the survey of agencies conducted by the Ervin Subcommittee laid the groundwork for the Privacy Act of 1974.

In 1972, Alan Westin and Michael Baker, with the support of the Russell Sage Foundation and the National Academy of Sciences, released a report, Databanks in a Free Society, in which they concluded that computerization of records was not the villain it had often been portrayed to be. Their policy recommendations applied to both computerized and manual systems and included:
 * 1) a “Citizen’s Guide to Files”;
 * 2) rules for confidentiality and data sharing;
 * 3) limitations on unnecessary data collection;
 * 4) technological safeguards;
 * 5) restricted use of the social security number; and
 * 6) the creation of information trust agencies to manage sensitive data.

In 1973, the Secretary of Health, Education, and Welfare’s Advisory Committee on Automated Personal Data Systems released its report, Records, Computers and the Rights of Citizens, in which it discussed three changes resulting from the use of computerized recordkeeping:


 * 1. an increase in organizational data processing capacity;
 * 2. more access to personal data; and
 * 3. the creation of a class of technical recordkeepers.

It recommended the enactment of a Federal “Code of Fair Information Practice” that would apply to both computerized and manual systems. This code served as the model for the Privacy Act, as well as for the Council of Europe’s 1974 “Resolution on the Protection of the Privacy of Individuals vis-à-vis Electronic Data Banks in the Private Sector.” The major principles of the code include:


 * There must be no personal data recordkeeping system whose very existence is secret.


 * There must be a way for an individual to find out what information about him or her is in a record and how it is used.


 * There must be a way for an individual to prevent information about him or her that was obtained for one purpose from being used or made available for other purposes without his or her consent.


 * There must be a way for an individual to correct or amend a record of identifiable information about him or her.


 * Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.

In 1974, in the wake of Watergate, hearings on numerous privacy bills were held in both the Senate and the House. In the subcommittee hearings, there was little disagreement on the need for individual rights with respect to personal information held by Federal agencies. Discussions centered instead on the logistics of enabling individuals to use these rights, and the specific fair information practices that agencies were to follow. The Senate version also provided for a permanent Federal Privacy Board with regulatory powers, while the House version provided no such oversight mechanism. As a compromise, the Privacy Protection Study Commission was created, and oversight responsibilities were given to the Office of Management and Budget.

In 1977, the Privacy Protection Study Commission released its comprehensive report, Personal Privacy in an Information Society, which analyzed the policy implications of personal record-keeping in a number of areas including credit, insurance, employment, medical care, investigative reporting, education, and State and local government.

Legislative History
The entire legislative history of the Privacy Act of 1974 is contained in a convenient, one-volume compilation.

The Act was passed in great haste during the final week of the Ninety-Third Congress. No conference committee was convened to reconcile differences in the bills passed by the House and Senate. Instead, staffs of the respective committees (led by Senators Ervin and Percy, and Congressmen Moorhead and Erlenborn) prepared a final version of the bill that was ultimately enacted.

The original reports are thus of limited utility in interpreting the final statute, while the more reliable legislative history consists of a brief analysis of the compromise amendments, entitled "Analysis of House and Senate Compromise Amendments to the Federal Privacy Act," prepared by the staffs of the counterpart Senate and House committees and submitted in both the House and Senate in lieu of a conference report.

Provisions of the Act
The Privacy Act of 1974 was implemented to protect the privacy of individuals identified in information systems maintained by federal executive branch agencies, and to control the collection, use, and sharing of information. It governs the collection, use, and dissemination of a “record” about an “individual” maintained by federal agencies in a “system of records.”

The Act requires that when a federal government agency establishes or makes changes to a system of records, it must notify the public by a notice in the Federal Register identifying, among other things, the type of data collected, the types of individuals about whom information is collected, the intended “routine” uses of data, and procedures that individuals can use to review and correct personal information.

Fair Information Practice Principles
The provisions of the Privacy Act are largely based on a set of principles for protecting the privacy and security of personal information, known as the Fair Information Practice Principles, which were first proposed in 1973 by a U.S. government advisory committee. These principles, now widely accepted, include:


 * collection limitation,
 * data quality,
 * purpose specification,
 * use limitation,
 * security safeguards,
 * openness,
 * individual participation, and
 * accountability.

The Act regulates federal government agency record-keeping and disclosure practices, and prohibits the disclosure of any record maintained in a system of records to any person or agency without the written consent of the record subject, unless the disclosure falls within one of twelve statutory exceptions. The Act allows most individuals to seek access to records about themselves, and requires that personal information in agency files be accurate, complete, relevant, and timely. The subject of a record may challenge the accuracy of information.

Several provisions of the act require agencies to define and limit themselves to specific predefined purposes. For example, the act requires that to the greatest extent practicable, personal information should be collected directly from the subject individual when it may affect an individual’s rights or benefits under a federal program. The Act also requires that an agency inform individuals whom it asks to supply information of (1) the authority for soliciting the information and whether disclosure of such information is mandatory or voluntary; (2) the principal purposes for which the information is intended to be used; (3) the routine uses that may be made of the information; and (4) the effects on the individual, if any, of not providing the information. This requirement is based on the assumption that individuals should be provided with sufficient information about the request to make a decision about whether to respond. In handling collected information, the Privacy Act also requires agencies to, among other things, allow individuals to (1) review their records (meaning any information pertaining to them that is contained in the system of records), (2) request a copy of their record or information from the system of records, and (3) request corrections in their information. Such provisions can provide a strong incentive for agencies to correct any identified errors.

No Secret Database Principle
The first requirement of the Act permits an individual to determine what records pertaining to him are collected, maintained, used, or disseminated by such agencies. To this end, agencies are to publish in the Federal Register an annual notice of the existence and character of all systems of records containing personal information, and a notice of any new systems of records or new uses of the information in an existing system.

The purpose of this was to ensure that there were no secret systems of records by giving the individual notice of agency record-keeping practices. However, most agree that the Federal Register is not the ideal vehicle for such notice as it is not easily accessible to most people. In “The President’s Annual Report on the Agencies’ Implementation of the Privacy Act of 1974” for calendar years 1982 and 1983, OMB identified the effectiveness of the public notice process as one area for further study, noting that:


 * The problem may lie in the method used to disseminate this kind of information. While the Federal Register stands as the official organ of the government, it is a publication with limited circulation read by few ordinary citizens.

In 1983, OMB, on the basis of the Congressional Reports Elimination Act of 1982, eliminated the requirement that agencies republish all of their system notices each year in the Federal Register. The reason offered for this decision was lack of public and congressional interest. OMB viewed agency republication as a duplication of the Federal Register’s annual compilation of Privacy Act notices. OMB recently estimated that the elimination of this requirement, including its administrative expenses, had saved the government over $1 million.

Additionally, the Privacy Act requires agencies to inform individuals, on an application form or on a separate form that individuals can retain, of the following information: 1) the authority that authorizes the solicitation of the information and whether disclosure of such information is mandatory or voluntary; 2) the principal purpose or purposes for which the information is intended to be used; 3) the routine uses that may be made of the information; and 4) the effects of not providing all or any part of the requested information.

Use Limitation Principle
The Act requires that an individual be permitted to prevent records pertaining to him obtained by such agencies for a particular purpose from being used or made available for another purpose without his consent. To this end, agencies are to acquire the prior written consent of the individual to whom the record pertains before disclosing a record unless one of twelve exceptions is met.

Subsection (b) of the Privacy Act provides that “No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains, unless disclosure of the record would be


 * 1. to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
 * 2. required under the Freedom of Information Act;
 * 3. for a routine use as defined in the act;
 * 4. to the Bureau of the Census for planning or carrying out a census or survey or related activity;
 * 5. for statistical research, provided the information is not individually identifiable;
 * 6. to the National Archives and Records Administration for historical preservation purposes;
 * 7. to any government agency (e.g., federal, state, or local) for a civil or criminal law enforcement activity if the head of the agency has made a written request specifying the information desired and the law enforcement activity for which the record is sought;
 * 8. to a person upon showing compelling circumstances affecting the health or safety of an individual if notice is transmitted to the last known address of such individual;
 * 9. to either House of Congress or any committee or subcommittee with related jurisdiction;
 * 10. to the Government Accountability Office;
 * 11. pursuant to a court order; or
 * 12. to a consumer reporting agency for the purpose of collecting a claim of the government.”

Yet current laws and guidance impose only modest requirements for describing the purposes for personal information and limiting how it is used. For example, agencies are not required to be specific in formulating purpose descriptions in their public notices. Overly broad specifications of purpose could allow for unnecessarily broad ranges of uses, thus calling into question whether meaningful limitations had been imposed. Alternatives for addressing these issues include setting specific limits on use of information within agencies and requiring agencies to establish formal agreements with external governmental entities before sharing personally identifiable information with them. Additionally, an agency may disclose a record without the consent of the individual if the disclosure would be for a “routine use,” defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” If an agency intends to disclose personal information for a “routine use,” then it must publish a notice in the Federal Register. This exemption has proved to be quite controversial.

In the 1983 Oversight of the Privacy Act Hearings, James Davidson, former counsel to the Senate Subcommittee on Intergovernmental Relations of the Committee on Government Operations, stated that the “routine use” exemption was:


 * designed to require that the agencies examine the data, see if the use that the other agency was going to put it to was compatible with the reason for which it was collected, then issue notice so the public and other agencies and OMB could comment on the propriety of the exchange.

Davidson went on to note that this has not been the way that agencies have used the routine use exemption; rather, if agencies had been routinely exchanging information over the years, they have assumed that the routine use exemption allows them to continue.

There have been a number of legislative proposals to amend the “routine use” definition. The Privacy Protection Study Commission recommended that, in addition to the requirement that the use of a record be “compatible with the purposes for which it was collected,” the use also be “consistent with the conditions or reasonable expectations of use and disclosure under which the information in the record was provided, collected, or obtained.”

In the 1982 and 1983 “President’s Annual Report on the Agencies’ Implementation of the Privacy Act of 1974,” problems with the interpretation and implementation of the “routine use” disclosure were identified as Privacy Act issues for further study. The “Annual Report” stated that it would "be useful for the Congress to reconsider this problem and provide clearer guidance on routine use disclosures."

Individual Participation Principle
The Act permits an individual to gain access to information pertaining to him in Federal agency records, to have a copy made of all or any portion thereof, and to correct or amend such records.

These individual rights are a cornerstone of the Act; however, they have not been used as much as anticipated. Reasons offered include:


 * 1. the time an individual must spend in communicating with an agency;


 * 2. the possible difficulty in adequately identifying personal records for which access is requested; and


 * 3. the lack of public awareness of these rights.

The Privacy Protection Study Commission concluded that:


 * Agency rules on individual access, and on the exercise of the other rights the Act establishes, appear, in most instances, to be in compliance with the Act’s rule-making requirements. Yet, they too are often difficult to comprehend, and because the principal places to find them are in the Federal Register and the Code of Federal Regulations, it is doubtful that many people know they exist, let alone how to locate and interpret them.

An additional reason that this goal has not been realized is that there are seven exemptions to this requirement that are authorized by the Privacy Act itself. In general, these exemptions include those systems of records that include investigatory material compiled for law enforcement purposes or for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment or promotion, military service, Federal contracts, or access to classified material. Also exempt are those systems of records that are maintained in connection with providing protective services to the President or other individuals, and those that are required by statute to be maintained and used solely as statistical records. In the 1979 “Annual Report of the President on the Implementation of the Privacy Act of 1974,” the individual access provisions were described as the “most apparently successful provision of the Act.” It was reported that since 1977, agencies had recorded over 2 million requests for access and had complied with over 96 percent of the requests. But, the 1979 Annual Report noted that it was not clear whether the access requests were the “direct result of the Act” because of prior procedures by which employees and clients were given access to their records.

In the 1982-83 Annual Report, OMB reported that access requests and requests to amend records had declined for most of the agencies with major record holdings. OMB attributed this to the existence of other agency access policies (for example, for personnel records) that are used rather than filing a Privacy Act request.

Lawful Purpose Principle
The Act requires that federal agencies must collect, maintain, use, or disseminate any record of identifiable personal information in a manner that assures that such action is for a necessary and lawful purpose, that the information is current and accurate for its intended use, and that adequate safeguards are provided to prevent misuse of such information.

While these requirements are a cornerstone of the Act, federal agencies have loosely construed them and have at times ignored them altogether. The Privacy Protection Study Commission concluded that:


 * None of these several collection requirements and prohibitions appears to have had a profound impact on agency record-keeping practice, mainly because they are either too broadly worded or have been perceived as nothing more than restatements of longstanding agency policy.

In testimony before the House Subcommittee on Government Information, Justice, and Agriculture, John Shattuck, then legislative director for the American Civil Liberties Union, reached a similar conclusion, stating that:


 * The Code of Fair Information Practices which constitutes the core of the statute is so general and abstract that it has become little more than precatory in practice, and has proved easy to evade.

The vagueness of the principles contributes to agencies’ practices. The Act does not define, nor does it require agencies to set standards for, such terms as “current” or “necessary.” The Act also does not develop, nor does it require agencies to develop, procedures to ensure “accurate” information or “adequate safeguards. . . to prevent misuse.”

Exemptions
Agencies are allowed to claim exemptions from some of the provisions of the Act if the records are used for certain purposes.

Subsections (j) and (k) of the Privacy Act prescribe the circumstances under which exemptions can be claimed and identify the provisions of the Act from which agencies can claim exemptions. When an agency uses the authority in the act to exempt a system of records from certain provisions, it is to issue a rule explaining the reasons for the exemption.

Each agency is required to establish “rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, or in maintaining any record, and instruct each such person with respect to such rules and the requirements of [the Privacy Act]. . . .” Each agency that maintains a system of records is also required to “establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” Subsection (k) of the Privacy Act permits agencies to claim specific exemptions from seven provisions of the act that relate to notice to an individual concerning the use of personal information, requirements that agencies maintain only relevant and necessary information, and procedures for permitting access to and correction of an individual’s records, when the records are:


 * 1. subject to the exemption for classified information in b(1) of the Freedom of Information Act;
 * 2. certain investigatory material compiled for law enforcement purposes other than material within the scope of a broader category of investigative records compiled for civil or criminal law enforcement purposes addressed in subsection (j);
 * 3. maintained in connection with providing protective services to the President of the United States;
 * 4. required by statute to be maintained and used solely as statistical records;
 * 5. certain investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information;
 * 6. certain testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal service; and
 * 7. certain evaluation material used to determine potential promotion in the armed services.

Under these circumstances, agencies may claim exemptions from the provisions of the Act, described in table 5.



Subsection (j) provides a broader set of general exemptions, which permits records maintained by the Central Intelligence Agency or certain records maintained by an agency which has enforcement of criminal laws as its principal function to be exempted from any provision of the Act, except those described in table 6.



In general, the exemptions for law enforcement purposes are intended to prevent the disclosure of information collected as part of an ongoing investigation that could impair the investigation or allow those under investigation to change their behavior or take other actions to escape prosecution.

Application to Government Contractors
The Act also applies to systems of records created by government contractors. Subsection (m) of the Privacy Act states:


 * "When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. . . ."

Remedies for Violations of the Act
The Act provides legal remedies that permit an individual to seek enforcement of the rights granted under the Act. The individual may bring a civil suit against the agency. The court may order the agency to amend the individual’s record, enjoin the agency from withholding the individual’s records, and may award actual damages of $1,000 or more to the individual for intentional or wilful violations.

Courts may also assess attorneys’ fees and costs. The Act also contains criminal penalties; federal employees who fail to comply with the act’s provisions may be subjected to criminal penalties.

Guidelines and Regulations
The Office of Management and Budget (OMB) is required to prescribe guidelines and regulations for the use by agencies in implementing the Act, and provide assistance to and oversight of the implementation of the Act. Unfortunately, various studies by the Privacy Protection Study Commission (1977), the U.S. General Accounting Office (1978), and the House Committee on Government Operations (1975 and 1983) all found significant deficiencies in OMB’s oversight of Privacy Act implementation.

For example, under the Privacy Act, information collected for one purpose should not be used for another purpose without the permission of the individual; however, a major exemption to this requirement is if the information is for a "routine use," that is, one that is compatible with the purpose for which it was collected. Neither Congress nor OMB has offered guidance on what is an appropriate routine use; hence this has become a catchall exemption permitting a variety of exchanges of federal agency information.

Criticism of the Act
Soon after passage of the Act, experts noted loopholes in the law. The Act’s limitations have become more significant with the passage of time, as information technology has become more prevalent in the operation of government programs. And while the fundamentals of the Act (the principles of fair information practices) remain relevant and current, the letter of the Act and related law and policy do not reflect the realities of current technologies and do not protect against many important threats to privacy.

Inattention by policymakers to the underlying problems, and relatively little White House guidance, has meant that privacy policy is left to the individual agencies. There has been a lack of government-wide direction, and only a few privacy leaders in key agencies have been empowered by their internal leadership to fill the policy vacuum.

Moreover, new technologies not covered by the Act are generating new questions and concerns. For example, the Federal government has provided no guidance on technologies that allow civilian government agencies to track individuals and retain data about individuals by default. And government use of private-sector databases now allows the collection and use of detailed personal information with few privacy protections. Because little guidance has been provided to the agencies since the Privacy Act was enacted, agency policy and procedure have not adapted to technological change.