The Privacy Act of 1974 is a public sector law that regulates the use of personal information by the United States Government. Specifically, it establishes rules, similar to the Fair Information Practice Principles, that determine what information may be collected and how it may be used in order to protect the personal privacy of U.S. citizens.
The Privacy Act of 1974 applies to Federal Government Agencies and governs their use of a system of records. By definition, a system of records is “any group of records under the control of any agency from which information is retrieved by the name of an individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”
The following rules govern the use of a system of records:
- No Federal Government record keeping system may be kept secret
- No agency may disclose personal information to third parties without the consent of the individual (with some exceptions)
- No agency may maintain files on how a citizen exercises their First Amendment rights
- Federal personal information files are limited only to data that is relevant and necessary
- Personal information may only be used for the purposes for which it was originally collected unless consent is received from the individual.
- Citizens must receive notice of any third party disclosures including with whom the information is shared, the type of information disclosed and the reasons for its disclosure.
- Citizens must have access to the files maintained about them by the Federal Government
- Citizens must have the opportunity to correct or amend any inaccuracies or incompleteness in their files
The Privacy Act of 1974 places restrictions on the ability of Federal agencies to share a system of records with third parties, including other agencies. However, the Privacy Act does recognize the need of the government to share records in order to improve security, maintain accuracy and consolidate resources. This is often accomplished through matching programs which allow certain data elements in one system of records to be searched against records in another system in order to find any data matches. Such matches would link together the information from both systems.
In order for any agency to run a matching program with a system of records from another agency, there must first be a written agreement between both parties. The Committee on Governmental Affairs of the Senate and the Committee on Government Operations of the House must receive a copy of the agreement. It must also be made available to the public.
A Data Sharing Agreement:
- Must state the purposes and legal justifications for the matching program
- Must provide a rationale for the program by estimating the results and savings that will be achieved
- Must describe the records to be matched including the specific data elements, estimate the number of records to be matched and provide estimated start and completion dates for the program
- Must describe how the privacy principles of the Privacy Act will be implemented in the program (i.e., notice to the individual, ensuring accuracy and completeness, limited use of results)
- Must provide an accuracy assessment of the unmatched records
- Must include a statement allowing the Comptroller General to monitor compliance with the Privacy Act if necessary.
To ensure that no system of records is kept secret, the Privacy Act requires all government agencies to provide a System of Records Notice (SORN) to be published biennially in the Federal Register. Each SORN must also be published on the agency's website under the Electronic Privacy Act Amendment.
Each SORN must contain:
- The name and location of the records system
- The title and business address of the individual overseeing the system of records at the agency
- The types of individuals about whom records are kept
- The categories of records kept in the system
- The general sources from which data is collected
- The privacy and usage policies of the agency, including those for access controls, storage, retrievability and destruction.
- How an individual may determine if an agency maintains a record about them in their system of records
- How an individual may gain access to the records an agency maintains about them
While the Privacy Act did take significant steps towards protecting privacy, there are a few important distinctions within the act that create holes in its protection.
The Privacy Act only applies to a system of records maintained by an agency. Records systems kept by government institutions not considered an agency are exempt. Furthermore, a system of records is defined as a group of records that uses personally identifiable information or signifiers to retrieve a file. There may be records systems that contain personal information but do not use that information to search for and gain access to a record. Such systems of records would also be exempt under the Act.
The Privacy Act also contains a “routine use” exception which allows the disclosure of information without the notice or consent of the individual. Routine use is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.” The vague definition of routine use allows agencies to expand their definition of compatible purpose at will, eventually allowing more and more information to be disclosed under the routine use exception. As long as the SORN contains a listing of the routine uses of the information, an agency is considered compliant with the Privacy Act.
Like the Freedom of Information Act, the Privacy Act of 1974 seeks to protect the privacy of U.S. citizens by giving them the ability to monitor the use of their personal information by the U.S. government. Though the Privacy Act does make significant steps in protecting the right of privacy, it is also limited enough in its scope and implementation that it provides only adequate protection. Privacy professionals and U.S. citizens should be familiar with the Privacy Act of 1974 in order to effectively understand their rights and work to create more comprehensive privacy legislation in the future.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- The Privacy Act of 1974 (I.C.b.i.-iv.)