Effective since September 27, 1975, the US Privacy Act 1974 (5 U.S.C. § 552a) was enacted in response to growing public concern over government surveillance and misuse of personal information, including Social Security Numbers (SSNs). These concerns were highlighted by the Watergate scandal and by findings from a 1973 government report by the US Department of Health, Education, and Welfare (HEW). The report highlighted how the SSN, created under the Social Security Act of 1935, was being used against its original purpose of tracking salary information of the working US population to determine their entitled benefits. It recommended several limitations, including prohibiting the use of SSNs for commercial and promotional purposes, in order to safeguard individual privacy.
The Privacy Act of 1974 was enacted to address people's concerns about the privacy of their personal information and was based on the recommendations of the 1973 HEW report. The Act gives an individual, specifically a US citizen or an alien lawfully admitted for permanent residence, the right to:
- Review records maintained about them by federal agencies
- Amend and correct records
- Be informed of any disclosure of their records made by the agency
A "record" under the Act refers to an item, a collection of data, or grouped information about an individual, which could be:
- Educational data, medical history, financial transactions, employment or criminal history
- Identifying number (SSN)
- Identifying symbol
- Identifying data such as a photograph, fingerprint, or voice recording
Further, the Act extends these rights to the parent of a minor, or to the legal guardian of an individual who has been declared incompetent due to age or physical or mental incapacity, so that they can act on the individual's behalf.
Applicability of the US Privacy Act 1974
The overall purpose of the Act is to ensure that federal agencies are able to collect, access, use, and disclose personal information without jeopardizing the privacy and rights of individuals. The term “agency” refers to a government corporation, government-controlled corporation, military department, executive department, establishment in the executive branch of the federal government (including the Executive Office of the President), or any independent regulatory agency. Note that the federal courts, entities linked to the government, and the White House are NOT considered agencies.
Core Policy Objectives of the Privacy Act 1974
The US Privacy Act of 1974 is applicable to federal agencies processing PII. The access, use, and disclosure of this information by federal agencies are governed by the Act.
The basic policy objectives of the US Privacy Act 1974 include:
- Limiting the disclosure of PII maintained by federal agencies.
- Providing individuals the right to access agency records about them.
- Providing individuals the right to have their information/records corrected upon proving inaccuracy, irrelevancy, untimeliness, or incompleteness in the records maintained by the agency.
- Establishing a code of “fair information practices” that agencies are required to comply with when processing records.
Exemptions to the Privacy Act Protections
Section (b) of the US Privacy Act of 1974 (5 U.S.C. § 552a) allows disclosure of records for a few specific purposes and to some particular authorities without the written consent of the individual or agency. These are:
- Officers and employees whose job roles require access to the records
- Required under Section 552 (FOIA) of this Act
- Routine use as defined in Section (a)(7). With respect to the disclosure of a record, routine use means use of the record for the purposes it was collected for.
- Bureau of Census for purposes of planning and carrying out a census or a survey
- Statistical research or reporting record
- National Archives and Records Administration (NARA) with historic value
- Law enforcement purposes of a local, state, federal, or foreign jurisdiction, with a written request
- Circumstances affecting a person’s health and wellbeing (backed by compelling evidence)
- House of Congress, committee, or subcommittee for congressional activities
- Comptroller General or their representatives to fulfill duties of the Government Accountability Office (GAO)
- Pursuant to a court order
- Consumer Reporting Agency according to Section 3711(e), Title 31, with respect to money and finance.
While Section (b) outlines the specific circumstances under which disclosure of records is permitted, Section (e) elaborates on the responsibilities agencies must uphold when maintaining such records.
Agency Requirements As Per Section 552a(e)
Section (e) of the Privacy Act 1974 outlines the requirements that agencies maintaining a system of records should fulfill. They are required to:
- Maintain information that is necessary and relevant to fulfill the purpose as required either by a statute or an executive order of the President.
- Collect information, wherever possible, directly from the subject individual if it might result in adverse determinations about the rights, privileges, and benefits of an individual.
- Inform every individual who has been asked to supply information regarding:
  - The authority that allows requesting the information, and whether information disclosure is voluntary or mandatory.
  - The purpose(s) for which the information is to be used.
  - The routine uses made of the information.
  - The consequences of not providing part or all of the requested information.
- Publish a notice in the Federal Register upon establishment or revision of a system of records subject to (e)(11), including details such as:
  - The name and location of the system.
  - The categories of individuals on which records are maintained.
  - The categories of records maintained in the system.
  - Every routine use of the records, including user categories and purpose of use.
  - The agency’s policies and practices about storage, retrieval, access controls, retention, and disposal of the records.
  - The title and address of the agency responsible for the system of records.
  - The procedures of the agency which allow notifying an individual upon their request if a system of records contains a record pertaining to them.
  - The procedures of the agency which allow notifying an individual upon their request on how to gain access to and contest any content of any record pertaining to them.
  - The categories of sources of records.
- Maintain all records of the individuals with reasonably necessary accuracy, relevance, timeliness, and completeness to assure fairness in making any determination.
- Make reasonable efforts to ensure records are accurate, complete, timely, and relevant for purposes before disseminating any record.
- Ensure no record describing the exercise of rights under the First Amendment by an individual is maintained unless relevant for and within the purview of an authorized law enforcement activity.
- Inform the individual that their record is being disclosed due to a mandatory legal obligation or a court order.
- Establish rules for people involved in the design, development, operation, or maintenance of any record or system of records and instruct all these people about the rules, procedures, and penalties for non-compliance.
- Establish appropriate administrative, physical, and technical safeguards in order to ensure the confidentiality and security of records, and to protect them against any threat to their security or integrity.
- Give notice of any new or intended use of the information by publishing it in the Federal Register, and provide an opportunity for interested persons to submit written opinions, data, or arguments, at least 30 days before publication of the information.
- Any agency participating as a source or a recipient with a non-federal agency in a matching program for creation or revision of information should publish a notice in the Federal Register 30 days before conducting this program.
Criminal Penalties Imposed by the US Privacy Act 1974
Section 552a(i) of this Act lays down the consequences of non-compliance, which are as follows:
- Any employee or officer of a federal agency who has access to or possession of records containing individually identifiable information that is prohibited from being disclosed, and who intentionally discloses this content in any form to any person or agency having no entitlement to receive it, will be considered guilty of a misdemeanor and fined a maximum amount of $5,000.
- Any employee or officer of an agency maintaining a system of records without meeting the notice requirements of Subsection (e)(4) will be considered guilty of a misdemeanor and fined a maximum amount of $5,000.
- Any person who intentionally and with full awareness requests or obtains any record from the agency under false pretenses will be considered guilty of a misdemeanor and fined a maximum amount of $5,000.
Note: A civil action under the Privacy Act is properly filed against an “agency” only, not against an individual, a government official, an employee, or the United States.
Recommendations for Agencies
To keep the records of US individuals private and protected, and to comply with the Privacy Act 1974, federal agencies should ensure that:
- The records maintained in the system are accurate, complete, and updated in a timely manner.
- The collection of records is done directly from the subject individual.
- The information collected is necessary for the agencies to fulfill the purposes.
- The agencies are fair and transparent in the establishment, implementation, and revision of their policies and practices regarding storage, access controls, retention, and disposal of records. They can create an information retention policy that includes retention periods for different types of information based on their sensitivity. Once the retention period is over, the agency must dispose of this personal information permanently using software like BitRaser that generates tamper-proof audit trails in the form of a certificate of erasure.
- If the information is highly sensitive, the agency can decide to use physical destruction, but only after secure data erasure has been performed on the IT asset. This prevents data breaches by removing personal data beyond recovery.