Introduction
The Privacy Act of 1974[2] was created in response to the government creating and using computer databases. There was concern that the use of databases might infringe on an individual’s privacy rights. The act requires the government to show any records kept on individuals to those individuals. In addition, the act also places restrictions on how the government can share the information with other individuals and agencies.
Application
The Privacy Act only applies to certain federal government agencies, including the executive branch, the military, independent regulatory agencies, and corporations that are controlled by the government. Some examples include the Indian Health Service, the Department of Veterans Affairs, and the Centers for Medicare & Medicaid Services. The Privacy Act does not cover either chamber of Congress. Section 7 of the act, concerning limits on the uses of Social Security numbers, applies to federal, state, and local governments.[3]
Protection
The act protects citizens and noncitizens that have been lawfully admitted for permanent residence but does not apply to noncitizens without permanent resident status. The act does not apply to corporations.
Records
The Privacy Act defines a “record” as any type of information that includes a person’s “name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”[4]
System of Records
The act often refers to a “system of records.” A system of records is a group of records under the control of a federal agency from which personal information “is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”[5] Just the “ability to retrieve” is not enough—actual retrieval is required. Any retrieval by “personal identifier” that is linked or linkable to an individual requires advance public notice before the federal agency begins to collect personal information for a system of records. A system of records notice (SORN) must be published in the Federal Register. The SORN must outline the administrative, technical, and physical safeguards for protecting the personally identifiable information being collected, such as role-based access, training, and audit logs.
Databases may contain personally identifiable information, but if the records are not retrieved, the databases are exempt from the provisions of the Privacy Act.
The Privacy Act requires any agency to give an individual access to any records it might have about that individual. The individual should be allowed to review the record and make copies of it. The individual can request amendments to the record if the record is incomplete or in error. The agency has 10 business days to respond, either by amending the record or by telling the person why it will not make the change. The agency must provide the necessary contact information to talk to a higher official concerning the refusal if the individual wants it.
The individual has the right to appeal, and the agency has 30 business days to complete a review of the refusal. The 30-day limit can be extended for “good cause.” If the amendment is still refused, the individual can file a statement explaining why the individual disagrees, and the statement must be included with any copies of the record that are disclosed going forward.
Public Notice Requirements
Agencies must publish the details of all their systems of records in the Federal Register. The publication must cover intended uses of the system and allow for interested persons to submit written data, views, or arguments to the agency. Any time that an agency wishes to establish or significantly change a system of records, it must also notify in advance the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and the Office of Management and Budget. These bodies will then evaluate the probable or potential effect of the proposal on the rights of individuals.
The act requires prior notice; Privacy Act Statements are required for collection of information from individuals that will be saved in a system of records. A Notice of Privacy Practices must be provided to individuals that describe use and disclosure practices. The Privacy Act Statement must indicate:
-
The name and location of the system;
-
The categories of individuals on whom records are maintained in the system;
-
The categories of records maintained in the system;
-
Each routine use of the records contained in the system, including the categories of users and the purpose of such use;
-
The policies and practices of the agency regarding storage, irretrievability, access controls, retention, and disposal of the records;
-
The title and business address of the agency official who is responsible for the system of records;
-
The agency procedures whereby an individual can be notified at the individual’s request if the system of records contains a record pertaining to the individual;
-
The agency procedures whereby an individual can be notified at the individual’s request how the individual can gain access to any record pertaining to the individual contained in the system of records, and how the individual can contest its contents; and
-
The categories of sources of records in the system.