The Privacy Act of 1974 was enacted in response to the federal government's growing creation and use of computer databases, out of concern that those databases could infringe on individuals' privacy rights. The Act gives individuals the right to see the records the government keeps on them, and it restricts how the government may share that information with other individuals and agencies.
The Privacy Act applies only to certain federal government entities: the Executive Branch, the military, independent regulatory agencies, and government-controlled corporations. Examples include the Indian Health Service, the Veterans Administration (now the Department of Veterans Affairs) and the Centers for Medicare and Medicaid Services. The Privacy Act does not cover either house of Congress. Section 7 of the Act, which limits the use of the Social Security Number, applies to federal, state, and local governments.
The Act protects U.S. citizens and aliens who have been lawfully admitted for permanent residence; it does not apply to aliens without permanent resident status, nor to corporations.
The Privacy Act defines a “record” as any item, collection, or grouping of information about an individual that an agency maintains and that contains the person’s “name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”
System of Records
The Act often refers to a “system of records.” A system of records is a group of records under the control of a federal agency from which personal information “is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” The mere ability to retrieve by identifier is not enough; the agency must actually retrieve records that way. Any retrieval by a personal identifier that is linked or linkable to an individual requires advance public notice before the agency begins collecting personal information for the system. That notice, a System of Records Notice (SORN), must be published in the Federal Register and must outline the administrative, technical and physical safeguards that protect the Personally Identifiable Information (PII) being collected, such as role-based access controls, staff training and audit logging.
Databases may contain personally identifiable information, but if the records in them are not actually retrieved by a personal identifier, the database is not a system of records and falls outside the provisions of the Privacy Act.
The Privacy Act requires an agency to give an individual access to any records it maintains about that individual. The individual may review the record and make copies of it, and may request amendment of the record if it is inaccurate or incomplete. The agency must acknowledge an amendment request in writing within 10 working days of receiving it and must then promptly either amend the record or tell the individual why it refuses to do so. A refusal must state the reasons and give the name and business address of the agency official to whom the individual can turn for review of the refusal.
The individual has the right to appeal that refusal, and the agency has 30 working days (excluding Saturdays, Sundays and legal public holidays) to complete its review. The head of the agency can extend the 30-day limit for “good cause.” If the amendment is still refused, the individual may file a concise statement setting out why they disagree, and the agency must note the dispute and include that statement with any copy of the disputed portion of the record it discloses going forward.
Public Notice Requirements
Agencies must publish the details of each of their systems of records in the Federal Register. The publication must describe the intended uses of the system and allow interested persons to submit written data, views, or arguments to the agency. Whenever an agency wishes to establish or significantly change a system of records, it must also notify in advance the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget, so that those bodies can evaluate the probable or potential effect of the proposal on the privacy and other rights of individuals.
The Act requires prior notice. A Privacy Act Statement must be given to an individual whenever information is collected from them for inclusion in a system of records; it must tell the individual the legal authority for the collection, the principal purposes for which the information will be used, the routine uses that may be made of it, and the effects, if any, of not providing it. A Notice of Privacy Practices (NoPP) is separately provided to individuals and describes the agency’s use and disclosure practices. The published system notice itself must indicate the name and location of the system; the categories of individuals on whom records are maintained in the system; the categories of records maintained in the system; each routine use of the records contained in the system, including the categories of users and the purpose of such use; the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records; the title and business address of the agency official who is responsible for the system of records; the agency procedures whereby an individual can be notified, at the individual’s request, whether the system of records contains a record pertaining to them; the agency procedures whereby an individual can be notified, at the individual’s request, how to gain access to any record pertaining to them in the system and how to contest its contents; and the categories of sources of records in the system.