The Privacy Act of 1974: An Assessment

APPENDIX 4 TO The Report of The Privacy Protection Study Commission

July 1977

PRIVACY PROTECTION STUDY COMMISSION

Chairman: David F. Linowes, Certified Public Accountant, New York City, and Boeschenstein Professor of Political Economy and Public Policy, University of Illinois

Vice Chairman: Dr. Willis H. Ware, The Rand Corporation, Santa Monica, California

William O. Bailey, President, Aetna Life & Casualty Company, Hartford, Connecticut

William B. Dickinson, Retired Executive Editor, Philadelphia Evening Bulletin, Philadelphia, Pennsylvania

Congressman Barry M. Goldwater, Jr. of California, Washington, D.C.

Congressman Edward I. Koch of New York, Washington, D.C.

State Senator Robert J. Tennessen, Attorney, Grose, Von Holtum, Von Holtum, Sieben & Schmidt, Minneapolis, Minnesota


Table of Contents

Preface

Chapter 1 - The Implementation Framework
To Whom Does the Act Apply?
What is Covered by the Act
Exempt Systems of Records
Privacy Act Reporting Requirements
Annual System Notices
Privacy Act Statements
New System Reports
The President's Annual Report
Guidance on Implementation
Agency Rules
Administration, Training, and Compliance Monitoring
The Department of Defense (DOD)
United States Postal Service (USPS)
Department of Health, Education, and Welfare (DHEW)
Civil Service Commission (CSC)
Department of Labor (DOL)
Department of Agriculture (DOA)
Internal Revenue Service (IRS)
The Agency Experience in General
Enforcement
The Privacy Act and the Freedom of Information Act (FOIA)
Disclosures to Members of the Public
The Exclusivity Issue
The Cost of Implementing the Act

Chapter 2 - The Information Management Requirements
Impact on Information Collection
Subsections 3(e)(1) and 3(e)(2)
Information on First Amendment Rights
Social Security Number
The Third-Party Source Issue
Impact on Type and Quality of Information Maintained
Subsection 3(e)(5)
Subsection 3(e)(10)
Impact on the Disclosure of Information
Compatible and Incompatible Uses
Discretionary Routine Uses
Overall Impact on Disclosures to Third Parties
Keeping Track of Disclosures
Propagation of Corrections

Chapter 3 - Findings and Conclusions
General Findings and Conclusions
Specific Findings and Conclusions
The Openness Principle
The Individual Access Principle
The Individual Participation Principle
The Collection Limitation Principle
The Use Limitation Principle
The Disclosure Limitation Principle
The Information Management Principle
The Accountability Principle
Other Policy Issues To Be Addressed

Chapter 4 - Revision of the Privacy Act of 1974
"Records" and "Systems of Records"
Access to Records
Definitions
Accountings of Disclosures
Exemptions from the Access Requirement
Correction and Amendment of Records
Limitations on Disclosure
Collection and Maintenance of Information
Propagation of Corrections
Research or Statistical Records
General Notice of Agency Systems, Policies, and Practices
Rights of Parents and Legal Guardians
Agency Implementation
Civil and Criminal Remedies
Government Contractors and Grantees
Interaction with Other Laws
Other Provisions of the Law
Appendix A -- Public Law 93-579: The Privacy Act of 1974
Appendix B -- An Illustrative Revision of the Privacy Act of 1974

Preface

The Privacy Protection Study Commission was given the broad mandate to investigate the personal-data record-keeping practices of governmental, regional, and private organizations and to recommend to the President and the Congress the extent, if any, to which the principles and requirements of the Privacy Act of 1974 should be applied to them.1 Early in its inquiry, the Commission decided that to fulfill this mandate an assessment of the Privacy Act itself, its underlying philosophy, and the experience of Federal agencies to date in complying with it would be necessary. This appendix volume reports the detailed results of that assessment.

Those who have read Chapter 13 of Personal Privacy in an Information Society, the Commission's final report to the President and the Congress, will recognize the material in Chapter 3 of this volume. In Chapters 1 and 2, however, the reader will find much that we would have included in our final report had we not wanted to keep each of its 16 chapters to a reasonable length. In addition, in Chapter 4 of this volume, we discuss how the suggestions in Chapter 13 of our final report might be implemented as legislative requirements.

Our findings and conclusions are based on communications with agency heads and their designated Privacy Act points-of-contact, testimony from various Commission hearings, agency annual reports, some informal workshops, and hundreds of personal and telephone interviews by staff. Although our inquiry was conducted in the early days of the Act's implementation, we believe that this close and continuous staff contact with agency operating personnel has allowed a fair assessment of agency implementation experience.

In conducting our inquiry, we encountered drafting problems in the current law, and, as the subsequent discussion will indicate, drafting details can have important consequences in an area which is both new to regulation and dependent upon changing technology. Thus, our conclusions concentrate on policy objectives rather than on the specifics of implementation. Our objective in setting forth our conclusions and offering suggestions for changes in the Act is to allow the policy objectives of the current law to be achieved more successfully without destroying necessary opportunities for flexibility in implementation. We have adopted this approach to allow for changing information technology and diversity of agency information needs and uses, as well as to foster the constructive creativity that can arise in the absence of overly restrictive requirements.

In many instances, the difficulty with the current law does not appear to arise from the flexibility of implementation it allows, but rather from the fact that agencies have taken advantage of that flexibility to contravene its spirit. Yet, making the law less flexible is not a desirable solution. Implementation costs would rise dramatically, and new developments in information technology could invite uncontrollable circumvention of rigidities in the statute. Hence, our approach has been to strengthen implementation flexibility while striving for clarity of interpretation and providing incentives for agencies to comply. This preserves the autonomy of each agency to decide how best to comply with each requirement.

If one accepts the view that it is best to tell an agency what to do, rather than how to do it, there are, nonetheless, issues that each agency cannot, and in some cases should not, resolve singly. The most obvious one is the question of whether a particular type of record-keeping system should exist at all; another is whether particular transfers of records among agencies are desirable. Such questions require independent policy judgments and therefore must be addressed by an entity other than the one directly involved. In Chapter 1 of Personal Privacy in an Information Society we enumerated the functions we believe such an independent entity should fulfill.

Finally, it is worth noting that the concerns expressed by the various agencies at the time of the Act's passage regarding anticipated costs of implementation, numbers of access requests, and burden of administration have generally proved to be unwarranted. Cost figures recently released by the Office of Management and Budget (OMB) show expenditures to be much lower than originally estimated. In 1974, OMB estimated that implementing the Act would cost $200-$300 million per year over the first four to five years and would require an additional one-time start-up cost of $100 million, which would be expended in the first two years. In 1977, however, OMB estimated that start-up costs in the nine months between the Act's passage and the date it took effect had been $29,459,000, and that an additional $36,599,000 was spent for first-year operating expenses.2

The Commission hopefully expects that by making the details of its assessment of the Privacy Act available, it will contribute to making the law more effective. Although we describe some agency practices that seem less than exemplary, we also report many that show a constructive effort to comply with the spirit as well as the letter of the law. On balance, we believe that the Privacy Act of 1974 is an important step forward.

In conducting our assessment, we benefitted from the knowledge and counsel of hundreds of dedicated individuals throughout the Federal government. We were also fortunate to have associated with us an unusually industrious project staff. Arthur A. Bushkin served as Project Manager. Working with him as professional staff and consultants were Donald Bartlett, Justine V. R. Milliken, Timothy B. Braithwaite, Major William R. Elliott, Jr., Claudia R. Higgins, and J. Michael Taylor. Research assistance was provided by Zemphria R. Baskin. To each of them we extend our sincere appreciation.

David F. Linowes
Chairman

1 88 Stat. 1905(b)(1); P.L. 93-579.

2 Federal Personal Data Systems Subject to the Privacy Act of 1974, Second Annual Report of the President, Calendar Year 1976, p. 23.