Appendix G

The Law Relating to HEW Personal-Data Record Keeping


The Federal law bearing on collection, storage, handling, dissemination, and other use of information about individuals (hereinafter often referred to as "personal information activities") is a large and varied assortment of statutes, regulations, Executive orders, and other directives. Little of this law applies generally to all agencies of the Federal government, and still less has general application to personal information activities of organizations outside the Federal government.

This paper discusses the law that governs the behavior of the Department of Health, Education, and Welfare1 (hereinafter referred to as "the Department" or "HEW") and its grantees and contractors in the conduct of personal information activities.

Three statutes of general application throughout the Federal government are discussed with special reference to their HEW effects: the Federal Reports Act, 44 U.S.C. 3501 et seq.; the so-called "Freedom of Information Act", 5 U.S.C. 552; and a criminal statute forbidding government officers and employees from making unauthorized disclosures of information. 18 U.S.C. 1905. This paper focuses on personal information and does not cover the law relating to trade secrets or commercial information.

The statutory sources of authority relating to HEW's conduct of personal information activities may be categorized as follows: (1) broad authority to administer and manage HEW; (2) authority for HEW to carry out particular program activities, including research, whether conducted by HEW or by others with support from HEW; (3) authority for HEW information (or personal information) activities; (4) authority (sometimes by Executive order rather than by statute) which, though not directly conferring authority on HEW, gives rise indirectly to obligations' imposed on HEW, commonly along with other government departments, to obtain, provide, and/or report personal information for its own purposes or to other government departments or agencies (e.g., Civil Service Commission, Internal Revenue Service) to the Congress, or to the public. Except in category (3), these sources of authority generally make no explicit reference to information (or personal information) activities, but it is a reasonable and necessary interpretation of the authority to include such activities.

Sources of authority for HEW's personal information activities are legion, resulting particularly from the necessity of interpreting such authority to exist in all statutes concerning program activities and research covered by category (2). This paper seeks to present a complete compilation of the sources of authority for HEW's personal information activities in categories (1), (3), and (4). With respect to category (2) it discusses only statutes that have special significance in relation to personal information activities or contain a provision relating specifically to personal information activity. It should be noted that in order to perform statutory program duties, it is often necessary to conduct personal information activities, particularly in programs that provide direct services to individuals, for example, the repatriation assistance programs of the Social and Rehabilitation Service, 24 U.S.C. 321-29, and section 1113 of the Social Security Act, 42 U.S.C. 1313. In addition, authorized research activities, for example in the health fields, frequently require extensive information about individuals. Examples of authority for the "conduct and support" of research activities include the statutes authorizing the research institutes of the National Institutes of Health. Public Health Service Act sections 402 (Cancer, 42 U.S.C. 282), 412 (Heart Diseases, 42 U.S.C. 287a), 422 (Dental Diseases, 42 U.S.C. 288a), 431 (Arthritis, Rheumatism, and Metabolic Diseases, Neurological Diseases and Stroke, and other particular diseases and groups of diseases, 42 U.S.C. 289a), 441 (Child Health and Human Development, 42 U.S.C. 289d), 442 (General Medical Sciences, 42 U.S.C. 289e), 451 (Eye Diseases and Visual Disorders, 42 U.S.C. 289i).

Because the statutes deal sparingly with personal information activities, one must also turn to regulations that have been issued to implement statutes to get a fuller understanding of the authority that governs such activities. We have sought to identify and discuss the principal regulations that have operational significance for the conduct of personal information activities, including all that are Departmental in scope (i.e., apply to all operating agencies of the Department) and those that apply throughout a particular operating agency. Of regulations limited in application to a particular program or activity, we have attempted to include only those that contain specific provisions about personal information activities. Guidance as to HEW personal information activities appears also in program materials issued at the operating level which are more detailed than statutes or regulations but which may lack the force of law. The discussion of such materials in this paper is limited to a few examples.

The law relating to personal information activities carried out in connection with HEW personnel administration is treated separately, because the legal requirements and operational considerations involved are distinctive.

Authority to Collect Information


The Department was created by Reorganization Plan No. 1 of 1953 which became effective on April 11, 1953 (67 Stat. 18) and is recognized as an executive department in 5 U.S.C. 101. The Plan provides that the Department shall be administered under the supervision and direction of the Secretary. A general grant of power enables the Secretary to act as he finds necessary in order to carry out his responsibilities in the areas of health, welfare, social security, and education. An opinion of the Attorney General, discussing general Secretarial powers, emphasized that express statutory authority is not required for every administrative act. 28 Op. Atty. Gen. 549 (January 5, 1911). The Secretary's responsibilities are further defined in part in 5 U.S.C. 301 which states:

The head of an Executive department . . . may prescribe regulations for the government of his department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.

See also section 215(b) of the Public Health Service Act, 42 U.S.C. 216(b), setting forth similar authority to promulgate regulations for administration of the Public Health Service, including regulations relating to custody, use and preservation of records.

In addition to the Secretary's general authority to manage the Department, there are numerous specific statutory provisions authorizing collection of information by HEW. The authority for the conduct of programs characteristically requires that HEW make periodic reports on the conduct and status of those programs. In addition, where HEW is authorized to contract with or grant money to States, localities, and private institutions for the conduct of programs, the legislation generally requires them to make periodic reports to the Department or its agencies. See, e.g., Elementary and Secondary Education Act, section 142(a) (3), 20 U.S.C. 241f(a) (3), (periodic reports to the Commissioner of Education evaluating effectiveness of Title I payments).


Perhaps the broadest grant of authority for collection of information is the Organic Act of 1867, 14 Stat. 434, which established a "Department of Education"

. . . .for the purpose of collecting such statistics and facts as shall show the condition and progress of education in the several States and Territories, and of diffusing such information respecting the organization and management of schools and school systems, and methods of teaching, as shall aid the people of the United States in the establishment and maintenance of efficient school systems, and otherwise promote the cause of education throughout the country. See 20 U.S.C. 1.

Under more recent education laws the Commissioner of Education is charged specifically with collecting and disseminating information. Section 422(a) of the General Education Provisions Act provides:

The Commissioner shall

(1) prepare and disseminate to State and local educational agencies and institutions information concerning applicable programs and cooperate with other Federal officials who administer programs affecting education in disseminating information concerning such programs;

(2) inform the public on federally supported education programs;

(3) collect data and information on applicable programs for the purpose of obtaining objective measurements of the effectiveness of such programs in achieving their purposes; and

(4) prepare and publish an annual report (to be referred to as "the Commissioner's annual report") on (A) the condition of education in the nation, (B) developments in the administration, utilization, and impact of applicable programs, (C) results of investigations and activities by the Office of Education, and (D) such facts and recommendations as will serve the purpose for which the Office of Education is established (as set forth in section 403 of this Act). 20 U.S.C. 1231a(a).

Other provisions relating to collection of information are found in section 417 of the General Education Provisions Act, 20 U.S.C. 1231f, and in section 501 of the Education Professions Development Act, 20 U.S.C. 1091. The former gives the Commissioner authority to furnish various information to, and to make special statistical compilations and surveys for, State or local officials, private organizations, or individuals. The latter provides for the development of "information on the actual needs for educational personnel, both present and long range."

Although it seems clear that the foregoing provisions regarding information activities in the field of education do not contemplate the dissemination of identifiable personal information, such information may need to be collected in order to prepare the statistical compllation and analyses to be used or disseminated.


In defining the general powers and duties of the Secretary in the health area, section 301 of the Public Health Service Act states:

The Secretary shall conduct in the Service, and encourage, cooperate with, and render assistance to other appropriate public authorities, scientific institutions, and scientists in the conduct of, and promote the coordination of, research, investigations, experiments, demonstrations, and studies relating to the causes, diagnosis, treatment, control, and prevention of physical and mental diseases and impairments of man, including water purification, sewage treatment, and pollution of lakes and streams. In carrying out the foregoing the Secretary is authorized to-

(a) Collect and make available through publications and other appropriate means, information as to, and the practical application of, such research and other activities; 42 U.S.C. 241.

Further authority to collect information in the health field is provided in section 305 of the Public Health Service Act which authorizes the National Health Surveys and Studies as follows:

(a) The Secretary is authorized, (1) to make, by sampling or other appropriate means, surveys and special studies of the population of the United States to determine the extent of illness and disability and related information such as: (A) the number, age, sex, ability to work or engage in other activities, and occupation or activities of persons afflicted with chronic or other disease or injury or handicapping condition; (B) the type of disease or injury or handicapping condition of each person so afflicted; (C) the length of time that each such person has been prevented from carrying on his occupation or activities; (D) the amounts and types of services received for or because of such conditions; (E) the economic and other impacts of such conditions; (F) health care resources; (G) environmental and social health hazards; and (H) family formation, growth, and dissolution; and (2) in connection therewith, to develop and test new or improved methods for obtaining current data on illness and disability and related information . . . . 42 U.S.C. 242c.

It should be noted that a provision was added to this paragraph by P.L. 91515 to protect the privacy of persons supplying such information. (See discussion at p. 279, below.)

Section 317 of the Public Health Service Act, 42 U.S.C. 247b, authorizes support of communicable disease control programs, and calls for reports to the Secretary on communicable disease problems by grantees under the program.

Section 315 of the Public Health Service Act, 42 U.S.C. 247, authorizes the issuance of information related to public health. .

Section 313 of the Public Health Service Act, 42 U.S.C. 245, directs the Secretary to " . . . . prepare and distribute suitable and necessary forms for the collection and compilation of [mortality, morbidity, and vital statistics] which shall be published as a part of the health reports published by the Secretary." This section is authority for the operations of the National Center for Health Statistics of the Health Services and Mental Health Administration.

In addition there are programs involving health services which involve the collection of personal information (e.g., operation of Public Health Service hospitals, Public Health Service Act § 321, 42 U.S.C. 248; narcotics addict care and treatment, Public Health Service Act § 341, 42 U.S.C. 257).

The Secretary is authorized to "conduct examinations and investigations for the purposes of . . . [the Federal Food, Drug, and Cosmetic] Act . . . . " 21 U.S.C. 372.

Under the Federal Coal Mine Health and Safety Act of 1969, 30 U.S.C. 801960, the Secretary has certain obligations with respect to the medical examination of coal miners. Under the Act, coal mine operators are obliged to provide miners with chest X-rays in accordance with instructions of the Secretary, and to provide the Secretary with the results of the readings of such X-rays. Under the Act, the Secretary is obliged to provide the results of such readings to the miners involved. Sec. 203(a), 30 U.S.C. 843. There is no statutory obligation of confidentiality, but the Secretary's regulations for the program require mine operators to give assurance that they will not "solicit a physician's roentgenographic findings" and that they have instructed the physicians that duplicate X-rays will not be made. 42 C.F.R. 37.4.


The authority of the Social Security Administration (SSA) to collect information is derived primarily from its duty to carry out its program responsibilities. In this regard, Title II of the Social Security Act, Federal OldAge, Survivors, and Disability Insurance Benefits (OASDI), provides in part as follows:

(a) The Secretary shall have full power and authority to make rules and regulations and to establish procedures, not inconsistent with the provisions of this title, which are necessary or appropriate to carry out such provisions, and shall adopt reasonable and proper rules and regulations to regulate and provide for the nature and extent of the proofs and evidence and the method of taking and furnishing the same in order to establish the right to benefits hereunder. Sec. 205(a); 42 U.S.C. 405(a).

* * * * * * * * * * * * * * * *

On the basis of information obtained by or submitted to the Secretary, and after such verifications therof as he deems necessary, the Secretary shall establish and maintain records of the amounts of wages paid to, and the amounts of self-employment income derived by, each individual and of the periods in which such wages were paid and such income was derived and, upon request, shall inform any individual or his survivor, or the legal representative of such individual or his estate, of the amounts of wages and self-employment income of such individual and the periods during which such wages were paid and such income was derived, as shown by such records at the time of such request. Sec. 205 (c)(2)(A); 42 U.S.C. 405 (c)(2).

The Secretary is also authorized to obtain information for the purpose of any hearing, investigation or other proceeding authorized or directed under Title II of the Social Security Act or relative to any other matter within his jurisdiction thereunder, by use of the subpoena power if necessary. Sec. 205(d); 42 U.S.C. 405(d).

Section 218(e) (1)(B) of the Social Security Act, 42 U.S.C. 418(e) (I)(B), authorizes the Secretary to issue regulations prescribing reports by States under agreements extending OASDI coverage to State and local government employees.

Title XVIII of the Social Security Act, Health Insurance for the Aged (Medicare), authorizes the use of intermediaries and carriers for the administration of benefits and specifies that each contract shall provide that the intermediary or carrier shall furnish to the Secretary information it obtains in performing its functions and shall maintain records supporting such information § 1816(b)(2), 42 U.S.C. 1395h(b)(2), and § 1842(b)(3)(D) and (E), 42 U.S.C. 1395u(b)(3)(D) and (E). In addition, the Secretary is authorized to secure information "as may be necessary in the carrying out of his functions. . ." and directed to carry on studies relating to health care of the aged and to the operation and administration of the hospital and supplementary medical insurance programs for the aged. § § 1874 and 1875, 42 U.S.C. 1395kk and 139511.

The collection of information by SSA is closely related to some Internal Revenue Service activities and there is interchange of information between the agencies. See 20 C.F.R. 401.3 (d). Internal Revenue Act provisions and the regulations thereunder provide that:

Every person liable for any tax imposed by this title, or for the collection thereof, shall keep such records, render such statements, make such returns, and comply with such rules and regulations as the Secretary [of the Treasury] or his delegate may from time to time prescribe. Whenever in the judgment of the Secretary or his delegate it is necessary, he may require any person, by notice served upon such person or by regulations, to make such returns, render such statements, or keep such records, as the Secretary or his delegate deems sufficient to show whether or not such person is liable for tax under this title. 26 U.S.C. 6001; Sec 26-C.F.R. 1.6001-1.

When required by regulations prescribed by the Secretary [of the Treasury] or his delegate any person made liable for any tax imposed by this title, or for the collection thereof, shall make a return or statement according to the forms and regulations prescribed by the Secretary or his delegate. Every person required to make a return or statement shall include therein the information required by such forms or regulations. 26 U.S.C. 6011(a); See 26 C.F.R. 1.6011-1.

The Administration on Aging has the "duty and function" to

(1) serve as a clearinghouse for information related to problems of the aged and aging;

(4) develop plans, conduct, and arrange for research in the field of aging . . . .

(6) prepare, publish, and disseminate educational materials dealing with the welfare of older persons;

(7) gather statistics in the field of aging which other Federal agencies are not collecting; .... Older Americans Act of 1965, § 202.

There is also the requirement, similar to that under Titles I, IV, X, XIV, XVI and XIX of the Social Security Act (seep. 268, below), that a State agency administering a State plan program under the Older Americans Act will make reports to the Commissioner on Aging, " . . in such form and containing such information, as the Commissioner may from time to time require." Older Americans Act of 1965, § 305(a)(3).

Information and reports authority also exists in the area of juvenile delinquency prevention and control. The Secretary is directed to "collect, evaluate, publish, and disseminate information and materials relating to research and programs and projects. . . " in the juvenile delinquency field. Juvenile Delinquency Prevention Act, § 303, 42 U.S.C. 3873. Provision is made for continuing evaluation of programs and activities under the Act, which evaluations "shall include comparisons with proper control groups composed of persons who have not participated in programs" under the Act. Title IV, §405, 42 U.S.C. 3885. The Act also requires an annual report to Congress on Juvenile delinquency activities including, among other things,

the number and types of training projects, number of persons trained and in training, and job placement and other follow-up information on trainees and former trainees . . . . Title IV, §409, 42 U.S.C. 3889.

Each title of the Social Security Act authorizing a public assistance program contains a clause that the State plan for the program must

provide that the State agency will make such reports, in such form and containing such information, as the Secretary may from time to time require, and comply with such provisions as the Secretary may from time to time find necessary to assure the correctness and verification of such reports; Title I, Old Age Assistance and Medical Assistance for the Aged, § 2(a)(6), 42 U.S.C. 302(a)(6); Title IV, Aid to Families with Dependent Children, § 402(a)(6), 42 U.S.C. 602(a)(6); Title X, Aid to the Blind, § 1002(a)(6), 42 U.S.C. 1202(a)(b); Title XIV, Aid to the Permanently and Totally Disabled, §1402(a)(6), 42 U.S.C. 1202(a)(6); Title XVI, Aid to the Aged, Blind, or Disabled, and Medical Assistance for the Aged, § 1602(a)(6), 42 U.S.C. 1382(a)(6); Title XIX, Medical Assistance (Medicaid), § 1902(a)(6), 42 U.S.C. 1396(a)(6).

There is a specific reporting requirement in section 402(a)(21) of the Social Security Act, 42 U.S.C. 602(a)(21), that the States send to the Secretary the names and social security numbers of parents who have a court-ordered obligation to support AFDC recipients, but who cannot be found. Under § 410 of the Act, 42 U.S.C. 610, the Secretary is to consult the Secretary of the Treasury to see if such parents can be located through Internal Revenue Service files. Another authorization to collect information is found in the legislation establishing the Children's Bureau (a unit now placed in the Office of Child Development), which is charged with "investigating and reporting] to the Secretary . . . upon all matters pertaining to the welfare of children . . . . " Act of April 9, 1912, ch. 73 sec. 2, 37 Star. 79, 42 U.S.C. 192.


Executive Order 11246 (3 C.F.R. 342 (1964-65 Comp.), Sept. 24, 1965), which prohibited discrimination in employment practices by Federal contractors and subcontractors, provides that in every Government contract, in addition to the nondiscrimination clauses, the following clause shall be included:

(5) The contractor will furnish all information and reports required by Executive Order No. 11246 of September 24, 1965, and by the rules, regulations, and orders of the Secretary of Labor, or pursuant thereto, and will permit access to his books, records, and accounts by the contracting agency and the Secretary of Labor for purposes of investigation to ascertain compliance with such rules, regulations, and orders. § 202.

In HEW, compliance with the Executive order is handled by the Office for Civil Rights (OCR). The Executive order provides that

Each contracting agency shall be primarily responsible for obtaining compliance with the rules, regulations, and orders of the Secretary of Labor with respect to contracts entered into by such agency or its contractors. § 205.

In addition, a section of the regulations issued by the Secretary of Labor pursuant to the Executive order provides that

The head of each agency shall, subject to the prior approval of the Director [of the Office of Federal Contract Compliance], establish a program and promulgate procedures to carry out the agency's responsibilities for obtaining compliance with the order and regulations and orders issued pursuant thereto. 41 C.F.R. 60-1.6(b).

The Director of the Office of Federal Contract Compliance is further authorized to redelegate authority given to him. Such redelegated authority "shall be exercised under [the Director's] general direction and control." 41 C.F.R. 60-1.46. One further provision upon which OCR jurisdiction is based contains the definition of "compliance agency":

. . . .the agency designated by the Director on a geographical, industry or other basis to conduct compliance reviews and to undertake such other responsibilities in connection with the administration of the order as the Director may determine to be appropriate. 41 C.F.R. 60-1. 3(d).

This section continues with guidelines for when no such designation is made.

The Department of Labor regulations define the responsibilities of OCR for conducting compliance reviews, 41 C. F. R. 60-1.20, and complaint investigations. 41 C.F.R. 60-1.24 (b). The regulations also require such disclosure to OCR as is necessary to determine whether a contractor is complying with the Executive order. 41 C.F.R. 60-1.7 and 1.43.

OCR activities also include monitoring compliance with Title VI of the Civil Rights Act of 1964 which prohibits discrimination in programs and activities receiving Federal financial assistance. Under Title VI, Department regulations provide for the submission of compliance information to the Department by recipients of financial assistance and for access by Department officials to such information as is necessary to ascertain compliance with the Act. 45 C.F.R. 80.6. The regulations also require periodic compliance reviews and investigations of specific complaints. 45 C.F.R. 80.7.

Constraints on the Process of Collecting Information

Superimposed upon the authority of HEW to collect information is the Federal Reports Act, 44 U.S.C. 3501-3511, passed originally in 1942 (56 Stat. 1078). Section 3509 states that "A Federal agency may not conduct or sponsor the collection of information upon identical items, from ten or more persons, other than Federal employees, unless, in advance of adoption or revision of any plans or forms to be used in the collection-" the Office of Management and Budget (OMB) approves the proposed collection of information.

The stated purpose of this Act is to minimize both the burden upon those required to furnish information and the cost to the Government of collection. In addition, the Act provides for cooperation among agencies in sharing information. Provisions are included relating to unlawful disclosure and confidentiality of information. See p.p. 272-273, below. See generally OMB Circular No. A-40 Revised, May 3, 1973.

The Act defines "information" as

facts obtained or solicited by the use of written report forms, application forms, schedules, questionnaires, or other similar methods calling either for answers to identical questions from ten or more persons other than agencies, instrumentalities, or employees of the United States or for answers to questions from agencies, instrumentalities, or employees of the United States which are to be used for statistical compilations of general public interest. 44 U.S.C. 3502.

Under OMB instructions accompanying the report clearance request form (OMB Standard Form 83), one paragraph is specifically directed to whether sensitive questions may be included and, if so, in what form:

Additional justification must be provided for surveys which include questions of a sensitive nature, such as sex behavior and attitudes, religious beliefs and other matters which are commonly considered private. This should include the reasons why the agency considers the questions necessary and the specific uses to be made of the data obtained. The explanation to be given respondents and any steps to be taken to secure their consent (except where response is mandatory) should be stated. Describe extent of confidentiality and protection provided against disclosure of information from individual returns, including arrangements for disposition of completed report forms. Instructions, III, A-7.

Limitations on Storage, and Dissemination of Information

Limitations on the storage, handling and dissemination of information collected by HEW are found in statutes, Depart mental regulations, Civil Service Commission regulations, manuals, policy statements, contract guidelines and miscellaneous memoranda

The overall Federal government records management policy is set out in 44 U.S.C. 3101 which requires the head of each Federal agency to

....make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency's activities.

As mentioned in the previous discussion of the Federal Reports Act. (pp. 270-271, above) there is a section in that Act discussing when information collected under reports approved under the Act may be released.

(a) If information obtained in confidence by a Federal agency is released by that agency to another Federal agency, all the provisions of law including penalties which relate to the unlawful disclosure of information apply to the officers and employees of the agency to which information is released to the same extent and in the same manner as the provisions apply to the officers and employees of the agency which originally obtained the information. The officers and employees of the agency to which the information is released, in addition, shall be subject to the same provisions of law, including penalties, relating to the unlawful, disclosure of information as if the information had been collected directly by that agency.

(b) Information obtained by a Federal agency from a person under this chapter may be released to another Federal agency only-

Superimposed upon all HEW information disclosure is the Public Information Act, 5 U.S.C. 552. This Act (usually known as the "Freedom of Information Act") establishes a formalized declaration of availability of records and information of all Government agencies. The policy of the Act as implemented in the HEW Public Information Regulation, 45 C.F.R. Part 5, is ". . .one of the fullest responsible disclosure limited only by the obligations of confidentiality and the administrative necessities recognized by the Act." 45 C.F.R. 5.12. The exemptions from this policy of disclosure which are stated in the Act are:

. . .matters that are

(1) specifically required by Executive order to be kept secret in the interest of the national defense or foreign policy;

(2) related solely to the internal personnel rules and practices of an agency;

(3) specifically exempted from disclosure by statute;

(4) trade secrets and commercial or financial information obtained from a person and privileged or confidential;

(5) inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency;

(6) personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy;

(7) investigatory files compiled for law enforcement purposes except to the extent available by law to a party other than an agency;

(8) contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions; or

(9) geological and geophysical information and data, including maps, concerning wells. 5 U.S.C. 552 (b).

The HEW Public Information Regulation provides the operating requirements for the Public Information Act. Whenever certain materials, such as final opinions in the adjudication of cases, which are required to be made available under the Act, relate to an individual, the name or other identifying details shall be removed and the materials shall so indicate, if release of such information would constitute a "clearly unwarranted invasion of privacy." 45 C.F.R. 5.16. The exemptions to required disclosure as set out in the Act are reiterated in the Regulation with amplification of their scope. 45 C.F.R. 5.70 et.seq. In addition, Appendix A of the Regulation provides examples of exempt materials. Proposed amendments to these regulations take account of experience with the regulations and court decisions. 38 Fed. Reg. 8273, May 30, 1973.

An explicit statutory constraint on disclosure of information which is preserved by exemption (3) is found in section 1106(a) of the Social Security Act, 42 U.S.C. 1306(a), which prohibits disclosure of any personal information obtained by the Department in the course of administration of the Act except as specifically prescribed in regulations issued by the Secretary. (Criminal penalties are provided for violation of this provision.) There are two carefully delimited statutory exceptions from this general prohibition on disclosure of information obtained by HEW under the Social Security Act. The first is Section 1106(c) of the Act which requires the Secretary to furnish an individual's most recent address, or the address of the individual's most recent employer, to a court or a state or local public assistance agency where the individual is sought for purposes of a child support order. 42 U.S.C. 1306(c): See 20 C.F.R. 401.3(g) (3) and (4). The second, found in Section 290(c) of the Immigration and Nationality Act, provides for release of information regarding the identity and location of aliens to any official of the Department of Justice charged with the administration of Title II of that Act. 8 U.S.C. 1360(c). See 20 C.F.R. 401.3(p).

Social Security Administration Regulation No. 1, 20 C.F.R. Part 401, issued under Section 1106 of the Social Security Act, specifies with respect to any information "which in any way relates to, or is necessary to, or is used in or in connection with, the administration of the old-age, survivors, disability, or health insurance programs conducted pursuant to Titles II and XVIII of the Social Security Act," what information may be disclosed, under what circumstances and to whom. (No regulation has been issued to prescribe permissible disclosure of any information obtained by HEW in the course of its administration of the public assistance programs of the Social Security Act, viz., under Titles I, IV, V, X, XI, XIV, XVI, and XIX. Hence, disclosure of such information is barred by Section 1106(a) of the Act.) The disclosures permitted by SSA Regulation No. I relate primarily to situations in which: the claimant or his representative gives authorization; disclosure is necessary for a social security program purpose; any official of the Treasury Department or the Department of Justice charged with administration of Titles II, VIII or IX of the Social Security Act, or certain contribution and revenue laws, needs information for the purpose of such administration; any Federal official charged with administration of public assistance, retirement or other benefit payment programs needs information for the purpose of such administration; any State or local agency official charged with administration of various Federally-aided public assistance programs needs information for the purpose of such administration; any authorized Federal official is engaged in investigation or prosecution of a criminal violation of the Act or certain contributions and revenue laws; and the Federal Bureau of Investigation or the U.S. Secret Service is engaged in investigation or prosecution of threat or act of espionage, sabotage or other similar act inimical to national security and certifies in writing that the information requested is required in an investigation of major importance to protect national security. The foregoing and certain other situations when information may be dis closed are specified in careful detail in the Regulation. 20 C.F.R. 401.3.

A criminal statute of government-wide applicability provides criminal penalties for unauthorized disclosure of specified classes of information by government officers and employees. This statute states:

Whoever, being an officer or employee of the United States or of any department or agency thereof, publishes, divulges, discloses, or makes known in any manner or to any extent not authorized by law any information coming to him in the course of his employment or official duties or by reason of any examination or investigation made by, or return, report or record made to or filed with, such department or agency or officer or employee thereof, which information concerns or relates to the trade secrets, processes, operations, style of work, or apparatus, or to the identity, confidential statistical data, amount or source of any income, profits, losses, or expenditures of any person, firm, partnership, corporation, or association; or permits any income return or copy thereof or any book containing any abstract or particulars thereof to be seen or examined by any person except as provided by law; shall be fined not more than $1,000, or imprisoned not more than one year, or both; and shall be removed from office or employment. 18 U.S.C. 1905.

Its principal focus appears to be the protection of commercial secrets, but the reference to "identity. . .of any person" and "confidential statistical data" might provide some possibility of employing this statute in cases of unauthorized disclosure of personal data. In any case, however, it merely provides a criminal penalty for disclosing information "in any manner or to any extent not authorized by law." It does not of itself impose an obligation of nondisclosure and does not qualify as a statutory exemption from disclosure under exemption (3) of the Freedom of Information Act (p. 273 above).

Constraints on Grantee Behavior

In some instances HEW's program authority makes explicit statutory provision for the handling of personal information obtained by Law Relating to HEW Record Keeping 277 HEW grantees. For example, the Social Security Act requires that State plans for the programs of Old Age Assistance, Aid to the Blind, Aid to the Permanently and Totally. Disabled, Aid to the Aged, Blind or Disabled, and Medical Assistance for the Aged, pro vide safeguards which permit the use or disclosure of information concerning applicants or recipients only to public officials who re quire the information in connection with their official duties, or to other persons for purposes directly connected with, the administra tion of the plan. Social Security Act, § 2(a)(7), 42 U.S.C. 302(a)(7); § 1002(a)(9), 42 U.S.C. 1202(a)(9), § 1402(a)(9), 42 U.S.C. 1352(a)(9); § 1602(a)(7), 42 U.S.C. 1382(a)(7). State plans for Aid to Families with Dependent Children and for Medical Assistance must provide safeguards limiting use or disclosure of information to purposes directly connected with the administration of the plan. Social Security Act, § 402(a)(9), 42 U.S.C. 602(a)(9) and § 1902(a)(7), 42 U.S.C. 1396a(a)(7). All the Public Assistance programs of the Social Security Act had, until the Social Security Amendments of 1972 (P.L. 92-603, October 30, 1972) the same limitation on disclosure found in sections 402 and 1902. Those Amendments broadened the access for all the programs except AFDC and Medical Assistance, to permit public officials access to information about applicants and recipients. P.L. 92-603, § 413. The Amendments also provided the broader access in the new program of Grants to States for Services to the Aged, Blind, or Disabled, under a new Title VI which will go into effect on January 1, 1974. § 602(a)(6). The States' obligations with respect to information about recipients in the public assistance programs (other than Medical Assistance) are modified by § 618 of the Revenue Act of 1951, 42 U.S.C. 302 note, which allows States to have legislation allowing access to records of disbursement of public assistance funds as long as the legislation "prohibits the use of any list or names obtained through such access to such records for commercial or political purposes."

HEW implementation of the requirements for safeguarding infor mation is found in 45 C.F.R. 205.50. This regulation is in the process of revision to take account of the 1972 amendments.

The behavior of States in handling information in Public As sistance programs is further constrained by Department instructions on how the States may determine eligibility. Under 45 C.F.R. 206.10(a)(12), a State agency must get the applicant's consent before consulting records. about the applicant. Under a recent proposal (37 Fed. Reg. 28189, Dec. 21, 1972), States would have been permitted to consult public records (i.e., records of any public agency, whether or not available for public inspection), without seeking consent.

A more recent proposal (38 Fed. Reg. 9819, April 20, 1973) would remove Federal restrictions on State behavior in this area by eliminating from 45 C.F.R. 206.10 any reference to consultation of records. If this proposal is adopted, the resulting flexibility would permit States to consult any records without seeking consent.

Three grant programs in the health field carry their own specific restrictions on grantee handling of patient data. The Venereal Disease Prevention and Control Program under § 318 of the Public Health Service Act, 42 U.S.C. 247c, (added by P.L. 92-449) has a requirement that information about the examination, care, or treatment of any individual carried out under the grant program "shall not, without such individual's consent, be disclosed except as may be necessary to provide service to him . . . ." There is specific provision for disclosure of statistics, or for "clinical or research purposes" as long as the individual's identity is not disclosed.

Two programs under Title XI of the Public Health Service Act provide grants for screening, counseling, and some treatment for X sickle cell anemia and Cooley's anemia, two genetic blood disorders. The applicants for the grants "shall-..,.(2) provide for strict confidentiality of all test results, medical records, and other information regarding screening, counseling, or treatment of any person treated, except for (A) such information as the patient (or his guardian) consents to be released, or (B) statistical data compiled without reference to the identity of any such patient. . ., § 1104(a)(2) and § I 113(a)(2) of the Public Health Service Act; 42 U.S.C. 300b-3(a)(2) and 300c-2(a)(2).

The Social Security Amendments of 1972 added a new Part B to Title XI of the Social Security Act. This authorizes the Secretary to enter into agreements with organizations to review, from a technical and professional standpoint, the necessity and quality of medical services for which payment may be made under the Social Security Act. (This includes Medicare, Medicaid, and certain child health programs.) These organizations will be nonprofit associations of physicians, or other organizations found able to perform the task, and are designated Professional Standards Review Organizations.

Certain obligations with respect to confidentiality are imposed by the statute. Under § 1155(a)(4), 42 U.S.C. 1320c-4(ax4), these organizations must arrange for the maintenance and review of

profiles of care and services received and provided with respect to patients, utilizing to the greatest extent practicable in such patient profiles, methods of coding which will provide maximum confidentiality as to patient identity and assure objective evaluation consistent with the purposes of this part.

There is a prohibition on disclosure of information in § 1166, 42 U.S.C. 1320c-15, which is somewhat similar to the one in § 1106. Under § 1166, data or information acquired by any Professional Standards Review Organization shall be held in confidence and not disclosed except as necessary to carry out the purposes of the program, or under "such circumstances as the Secretary shall by regulations provide to assure adequate protection of the rights and interests of patients, health care practitioners, or providers of health care." Fine, imprisonment, and the costs of prosecution are provided as penalties.

Section 305(a) of the Public Health Service Act authorizing the Secretary to conduct the National Health Surveys and Studies, 42 U.S.C. 242C (pp. 263-264, above) includes the following constraint added by P.L. 91-515:

No information obtained in accordance with this paragraph may be used for any purpose other than the statistical purposes for which it was supplied except pursuant to regulations of the Secretary; nor may any such information be published if the particular establishment or person supplying it is identifiable except with the consent of such establishment or person.

Explicit provision to authorize constraints on disclosure of personal information in research relating to drugs is found in § 303(a) of the Public Health Service Act, 42 U.S.C. 242a, as follows:

The Secretary may authorize persons engaged in research on the use and effect of drugs to protect the privacy of individuals who are the subject of such research by withholding from all persons not connected with the conduct of such research the names or other identifying characteristics of such individuals. Persons so authorized to protect the privacy of such individuals may not be compelled in any Federal, State, or local civil, criminal, administrative, legislative, or other proceedings to identify such individuals. 42 U.S.C. 242a.

Similar authority with respect to alcohol research is found in § 333 of the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970. 42 U.S.C. 4582. The Attorney General has similar authority with respect to drug research under § 502(c) of the Comprehensive Drug Abuse Prevention and Control Act of 1970, 21 U.S.C. 872(c). In these authorities, the authorization to hold data confidential may be given to anyone conducting the specified research; there is no requirement of Federal connection. The authorization with respect to drug research has been given to Federal employees not in HEW and to employees of an OEO-funded project with no HEW connection, 37 Fed. Reg. 21547, Oct. 12, 1972, and to employees of HEW contractors doing alcoholism research. 37 Fed. Reg. 28310, Dec. 22, 1972.

Availability of Public Health Service records and information is governed by 42 C.F.R., Part 1. Clinical information as defined is confidential and is available "...only as necessary for the performance of the functions of the Service" or in certain limited instances, such as to a patient or his designee upon a reasonable showing of need; to a government agency which requested or arranged for examination, care or treatment service facilities; or to State or public health agencies "engaged in collecting data regarding disease." 42 C.F.R. 1.102. In addition, upon a court order, clinical information shall be disclosed in accordance with applicable local law regarding confidentiality of physician-patient communications.

When non-clinical information has been obtained under an assurance of confidentiality, it may be disclosed only with the consent of the person or agency to whom the assurance was given or when the Secretary determines that disclosure is necessary to prevent "an epidemic or other grave danger to the public health" or in a legal action brought against the Government. 42 C.F.R. 1.103.

The regulations contain additional limitations on release of records and information concerning actions of advisory councils; regulatory programs such as licensing of biological products; conduct of research projects; and applications for employment or Federal support.

Six other regulations provide limitations on dissemination of information.

42 C.F.R 200.12 provides that State Plans for maternal and child health and crippled children's programs shall provide for designation of all personal information as confidential with suitable regulations and safeguards to be provided. However, information which does not identify particular individuals may be disclosed in summary or statistical form. ,

42 C.F.R., Part 3 provides, among other conditions, that the Special Statistical Services of the National Center for Health Statistics may be furnished provided that "the data or statistics requested are not confidential."

42 C.F.R., Part 300 provides that the records of Saint Elizabeth's Hospital are confidential and may be disclosed only upon a court order or if the Superintendent determines that it would "not be inimical to the public interest or to the welfare of the patient." 42 C.F.R. 300.2.

21 C.F.R., Part 4 provides for procedures to be followed by persons desiring to obtain records and information of the Food and Drug Administration not specifically available under the Freedom of Information Act and the Department's implementing regulations.

The Food and Drug Administration (FDA) regulation governing investigational new drugs and approved new drugs specifically provides that the identity of individual patients need not be divulged by a clinical investigator physician unless the records of particular subjects require a more detailed study by FDA personnel of the case history or unless there is reason to believe that the records do not represent actual cases studied or do not represent actual results obtained. 21 C.F.R. 130.3(a)(12), 130.3(a)(13), and 130.13(c).

Disclosure of individual information obtained in the administration of the Social and Rehabilitation Service repatriation assistance program, authorized by Section 1113 of the Social Security Act, 42 U.S.C. 1313, is carefully constrained by regulation for the benefit of assisted individuals. 45 C.F.R. 212.9.

Other Limitations

In addition to the statutes and regulations discussed above, guidelines relating to disclosure of information exist in many other forms including manuals, circulars and instructions, policy statements, contract clauses, and assurances on data collection forms. Many of these develop and enlarge upon the policies and procedures which are prescribed in statutes and regulations. In other instances, these guidelines have been promulgated in the absence of any specific statutory or regulatory provisions. Examples of such guidelines are as follows.

The National Center for Health Statistics (NCHS) has issued a comprehensive policy statement on release of data. Simply stated, this policy is one of "absolute and uncompromising protection of confidentiality. . .with respect to data supplied by respondents as privileged communications." Data are never to be released in a manner in which a respondent's identity is revealed, but rather only as aggregate statistics. Detailed procedures for handling particular classes of data or programs are provided. Furthermore, there are restrictions placed on the use of the statistics themselves so that there will be no misuse or misrepresentation. The NCHS requires a pledge in each contract that confidentiality of records will be maintained and that access to data will be strictly limited. A document signed by Surgeon General L.E. Burney on February 26,1957 and published in the Federal Register, 22 Fed. Reg. 1687 (March 15, 1957), underscores the guarantees. This is supplemented by another similar assurance published in May, 1959. 24 Fed. Reg. 4061 (May 20, 1959). Furthermore, most data collecting questionnaires carry a confidentiality assurance. All persons engaged in datacollecting activities with NCHS must also sign an affidavit guaranteeing nondisclosure.

Health Services and Mental Health Administration Circular No. 71.1 entitled, "Assurances of Confidentiality Given in Obtaining Information" sets out the Public Health Service policy for the Health Services and Mental Health Administration (HSMHA) governing when such assurances shall be given, what form the assurance shall take and what the responsibilities are with respect to information collected subject to the assurance.

In situations where information is collected and stored by third parties under contracts with HEW, generally either the contracts themselves or contract guidelines include confidentiality provisions. The Community Care Contract Agency Series, guidelines prepared by the Narcotic Addict Rehabilitation Branch of the National Institute of Mental Health, provide that the records maintained for each patient will be kept confidential and that release of information, other than to government program personnel and the Federal courts, will be permitted only with the patient's signed consent.

Social Security Administration (SSA) contracts with intermediaries and carriers, e.g., Blue Cross, include clauses directing them to adopt policies and procedures to insure that information obtained in carrying out their functions under the Social Security Act shall be used and disclosed solely as provided in SSA Regulation No. 1 (p. 275, above). Furthermore, the contractors must agree to include in all subcontracts disclosure clauses identical to those in their own contracts.

The Social Security Claims Manual, SSA's operating instructions for its employees, contains an entire chapter devoted to disclosure of information. See Ch. 7300. This chapter, is keyed to the regulations, 20 C.F.R., Part 401, and covers in rigorous detail, circumstances under which disclosure is allowed.

The Social Security Handbook, which does not have the force of law, contains nine pages bearing directly upon the subject of what information SSA may or may not disclose under specified conditions and circumstances. Handbook, § § 141-153 and 1701. The Handbook was published to provide a detailed explanation of the social security program to the public and it does not reflect changes in the regulations since early 1968.

A guide to policies governing the provision of special statistical information, records, and related materials created pursuant to Section 417 of the General Education Provisions Act, 20 U.S.C. 1231f (p. 262, above), was adopted by the Office of Education in March, 1972. 37 Fed. Reg. 6218 (March 25, 1972). The basic policy is "to make. . .collected statistical information available. . .as widely and promptly as possible" subject to certain constraints including nonviolation of confidentiality of data.

Permanent Storage and Disposal of Information

A comprehensive statutory scheme vests authority for management of Federal government records in the General Services Administration (GSA) including generally supervising each agency's record keeping, setting standards for selective retention of records, establishing centers for storage, processing and servicing of records, and finally, regulating and handling the ultimate disposal or permanent storage of all government records. 44 U.S.C. 2901-2910 and 44 U.S.C. 33013314.

Records that contain information that is subject to confidentiality restrictions remain subject to such protection when transferred to GSA, as provided by a regulation that states:

Whenever any records that are transferred are subject to restrictions upon their use, imposed pursuant to statute, Executive order, or agency determination, such restrictions shall continue in effect after the transfer. Restrictions imposed by agency determination may be removed by agreement between the agencies concerned. 41 C.F.R. 101-11.409-8.

Personnel Information Activities

In addition to the authority to collect personnel information to fulfill general Departmental administrative responsibilities (pp. 260-261, above), there is a duty imposed upon the Department to collect personnel information to fulfill Civil Service Commission (CSC) requirements. Under the provisions of 5 U.S.C. 2951 and Executive Order 10577, HEW is required periodically to provide various personnel-related reports to the Civil Service Commission. Section 7.2 of Civil Service Rule VII provides that:

Each agency shall report to the Commission, in such manner and at such times as the Commission may prescribe, such personnel information as it may request relating to positions and officers and employees in the competitive service and in the excepted service, whether permanent or career, careerconditional, indefinite, temporary, emergency, or subject to contract. 5 C.F.R. 7.2.

The data required for these reports are essentially those supplied on the CSC Standard Form 50, Notification of Personnel Action. That information consists of basic personal data (name, sex, birth date); basic employment data (grade, dates of entrance into service and of potential promotion, pay plan and occupation code, insurance codes, type of personnel actions taken); veteran preference code and handicap code. See Federal Personnel Manual, Chapter 291.

Civil Service Commission regulations deal extensively with the maintenance of personnel records. The regulations require establishment of an Official Personnel Folder for each employee, 5 C.F.R. 293.202, which Folder is under the jurisdiction and control of and part of the records of the Civil Service Commission. 5 C.F.R. 293.203. In these Folders each agency is obliged to maintain reports of selection and other personnel actions as listed in 5 U.S.C. 2951 and also other records as required by Commission instructions. 5 C.F.R. 293.204. There is a provision relative to removal of records of only temporary value from the Folder. 5 C.F.R. 293.209.

Another requirement for collection of information about Federal employees is found in 5 C.F.R. 713.302 which calls for periodic reporting of employment statistics by race and national origin. CSC regulations provide that data as to race or national origin may be collected only by visual identification. 5 C.F.R. 713.302(b). In addition, anyone having the authority to take or recommend personnel action in the competitive service is prohibited from making any inquiry concerning race, religion, or political affiliation of any employee in, or any eligible or applicant for, the competitive service. 5 C.F.R. 4.2.

The disclosure of information collected for personnel purposes is limited by statutes and regulations as follows. The Freedom of Information Act specifically exempts from public disclosure matters

related solely to the internal personal rules and practices of an agency . . . .[and] personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. 5 U.S.C. 552(b)(2) and (6).

These sections are amplified in regulations of both the Civil Service Commission, 5 C.F.R. 294.103, and the Department, 45 C.F.R. 5.72 and 5.76 (p. 274, above).

The general policy of the Civil Service Commission is to make information available unless disclosure would constitute a clearly unwarranted invasion of personal privacy or is otherwise prohibited by law. Medical information may not be made available without the individual's written consent, 5 C.F.R. 294.401, nor may informa- tion from annual and sick leave records, 5 C.F.R. 294.1101. Names, present and past positions, titles, grades, salaries and duty stations of government employees are publicly available, except when release of such information is prohibited by law or Executive order or when the information is sought for commercial or other solicitation or for political purposes. Employee's name, address, Social Security number, and amount of Federal compensation are furnished to State or local taxing authorities pursuant to Office of Management and Budget Circular No. A-38, Revised. In addition, limited information may be made available to prospective employers and home address shall be made available to a police or court official for the purpose of service of a summons, warrant, subpoena or other legal process. Approved educational and historical researchers may be granted limited access to information about separated employees which is stored with the General Services Administration; however, information that is derogatory to the former employee shall not be made available under this provision. 5 C.F.R. 294.702. With the exception of certain medical information, test material, and investigative reports, employees, former employees, and their representatives or other persons having their consent may have access to their Official Personnel Folders. Finally, Official Personnel Folders are, with limitations on material relating to loyalty and security, officially accessible to members of Congress, representatives of Congressional committees and subcommittees, government officials of the District of Columbia and Federal executive branch officials. 5 C.F.R. 294.703. Provision exists for limited disclosure to the parties concerned and to the public of information from administrative appeal and complaint files established for purposes of employee grievances and administrative appeals. 5 C.F.R. 294.801.

Instructions, letters and bulletins are issued by the Civil Service Commission periodically to amplify, update, and reinforce the requirements provided in statutes and regulations. The instructions of the Civil Service Commission, found in the Federal Personal Manual (FPM), are issued under the authority of Executive Order 10561 and under the regulations discussed above. They apply to all executive departments and agencies. Chapter 290 of the FPM, added in 1969, is designed to guide agencies in the use of automated data processing in personnel administration. It discusses modifications of standard forms necessary or desirable when automated processing is used and also lists data elements necessary to meet reporting requirements, FPM, Ch. 290, Appendix A, and-mandatory and optional data elements when an automated system is used. FPM, Ch. 290, Appendix B.

1The Department comprises a number of organizational components through which its operational programs and activities are carried out, viz.: the Public Health Service (PHS), consisting of the Food and Drug Administration (FDA), the Health Services and Mental Health Administration (HSMHA) and the National Institutes of Health (NIH); the Education Division, consisting of the National Institute of Education (NIE) and the Office of Education (OE); the Social and Rehabilitation Service (SRS); the Social Security Administration (SSA); and the Office of the Secretary (OS), consisting in put of the Office for Civil Rights (OCR), and the Office of Human Development, which includes the Administration on Aging (AOA), the Office of Child Development (OCD), and the Office of Youth Development (OYD). (Effective July 1, 1973, the operating agency constituents of the Public Health Service will be reorganized to consist of the Food Drug Administration, the Center for Disease Control, the Health Resources Administration, the Health Services Administration, and the National Institutes of Health.)