THE OPENNESS PRINCIPLE
The Privacy Act asserts that an agency of the Federal government must not be secretive about its personal-data record-keeping policies, practices, and systems. No agency may conceal the existence of any personal-data record-keeping system, and each agency that maintains such a system must describe publicly both the kinds of information in it and the manner in which it will be used. This is accomplished in two ways. The first is through the required annual publication of system notices in the Federal Register. The second is through the "Privacy Act Statement"9 given at the time individually identifiable information is collected from an individual.
The requirements implementing the Openness Principle are intended to achieve two general goals:
(1) facilitate public scrutiny of Federal agency record-keeping policies, practices, and systems by interested and knowledge-able parties; and
(2) make the citizen aware of systems in which a record on him is likely to exist.
The Commission has found that the Act has made a significant step toward fulfillment of these objectives, especially the first one, but that it has still fallen short of expectations.
The Commission believes that publishing record-system notices once each year in the Federal Register is worthwhile. It develops an inventory of agency record-keeping operations that is useful for both public scrutiny of Federal agency, record-keeping practices and for internal management control. Unfortunately, however, the annual notices tend to be less informative than they could be, and they are not required to describe the extent to which information is used within the agency. Furthermore, the Act is silent on the distinction between a system and a subsystem, and there are no criteria for limiting the diversity of information, purposes, or functions that may be incorporated in any one record system, and thus subsumed in one annual Federal Register notice. As a result, some annual notices are too encompassing to be informative. Likewise, duplicate, substantially similar, or derivative systems are frequently either unlisted or not cross-referenced. The Commission believes that the primary purpose of the public notice requirement should be to facilitate internal and external oversight of agency activities, including public scrutiny. Thus, it believes that the annual notices should provide more detail than they now do and should reflect more accurately the context or manner in which an agency maintains records.
One of the specific shortcomings of the system notices has been the literal interpretation of the requirement to describe the routine uses. While limiting these descriptions to external uses is consistent with the prevailing interpretation of the Act's routine-use definition, in many cases, the more significant uses are internal ones. Therefore, the Commission believes that the section in the annual notice on routine uses of records maintained in a system, including categories of uses and the purposes of such uses, should include a description of internal uses of information as well as external disclosures.
Describing the context and manner in which an agency uses the records in a system would at least partially reveal the relationships among systems that are often obscured today. When a large, complex record system is covered by one system notice, the subsystems should be described in detail. The important concern should not be to define the level at which a subsystem must be described, or the way to describe indices, but rather that an agency present a true picture of how it uses information in a system and how the system itself is perceived by the agency. The goal should be to remain faithful to the Openness Principle by assuring that there are no secret systems. The possibility that an agency may comply with the technical requirements of the Act's notice provisions but still maintain systems that are effectively secret must be avoided.
The goal of facilitating public scrutiny is hindered by the fact that the Federal Register is at best a limited vehicle for reaching the general public. Every effort should be made to classify, compile, and index the information in notices logically. For example, it would be useful to differentiate between the large group of systems that are solely devoted to record keeping about agency personnel and the much smaller group that contains information on citizens in general. The Federal Register compilation should make it easy for a private citizen, a member of a public interest group, or a congressional staff member to pinpoint a particular type of record or system of records.
Given the limited readership of the Federal Register, however, the best way of making the citizen aware of systems in which he is included is through the "Privacy Act Statement," which is similar to the annual system notice, except that it also informs the individual of internal agency uses of information about him. Like the annual notices, however, Privacy Act Statements are often too vague or general to inform the individual adequately. They need not explain that supplementary information may be collected from other sources and not every agency or system is subject to the Statement requirement.
There is a problem in finding a balance between the length of a Privacy Act Statement and its clarity; if it is too long, individuals are not likely to read it; if it is too short, it may not convey enough information for the individual to understand fully how the information will be used. The contents of the Privacy Act Statement are discussed in the section on the Collection Limitation Principle.
THE INDIVIDUAL ACCESS PRINCIPLE
The Privacy Act's second principle is that an individual should have a right to see and obtain a copy of a record an agency maintains about him. Prior to the Act's passage, an individual was able to obtain copies of the records a Federal agency might keep about him in several ways. The Armed Services, for example, made many personnel, medical, and performance records available to servicemen. In fact, the subjects of certain personnel records are required to review and sign them once each year. Federal agencies also have procedures that give an individual access to records about him when there is a dispute over his entitlement to benefits.
In addition, the Freedom of Information Act (FOIA) [5 U.S.C. 552], which predates the Privacy Act by seven years, allows any person to see and obtain a copy of any record in the possession of the Federal government without regard to his need for or interest in it. An agency can withhold a record that falls within one of nine FOIA exemptions, but its determination to do so, if appealed by the requestor, must withstand administrative and judicial review.
Individuals could and did use the Freedom of Information Act to gain access to their own files prior to passage of the Privacy Act: There were several drawbacks, however. First, an agency could decline to release information deemed to be part of the internal deliberative processes of government.10 In certain cases, this resulted in a considerable amount of information about an individual being taken out of a file prior to giving the file to him. Second, in the early days of the Freedom of Information Act, some agencies refused to disclose personnel and medical files to an individual on the grounds that disclosure to the individual would constitute a clearly unwarranted invasion of his personal privacy.11
The individual access provision of the Privacy Act [5 U.S.C 552a(d)] was enacted in part to clarify these uncertainties with respect to an individual's right to see and obtain a copy of a record about himself. The Privacy Act has its own set of exemptions from its individual access requirement which will be discussed below. For all other systems subject to the Act, however, agencies must now facilitate access by an individual when he so requests and may never keep records about himself from him on the grounds that they constitute communications within or among agencies. Nonetheless, the Commission has found that the number of Privacy Act access requests (i.e., requests specifically citing the Privacy Act) has not been great and that most have come from agency employees or former employees. One reason for this may be that pre-existing law and practice continue to be used. In addition, the public's awareness of the Freedom of
Information Act still appears to be much sharper than its awareness of the Privacy Act. Another reason may also be that the Privacy Act's own exemptions from the access requirement are too sweeping. The Central Intelligence Agency and some major law enforcement systems qualify for a blanket exemption from the access requirement. Thus, individuals who want access to records about themselves in those systems must use the Freedom of Information Act as their vehicle.
The Privacy Act exemptions from the individual access requirement are permissive, not mandatory. In addition, unlike the Freedom of Information Act exemptions, they apply to systems of records rather than to specific requests for access to specific information. To invoke any one of them an agency must publish its intention to do so in advance. As a result, some over-cautious lawyers and administrators have made excessively broad claims of exemption. Once an exemption is published, moreover, agency operating personnel are inclined to use it, thus eliminating exercises of judgment in light of the particular record sought.
On the other hand, some agencies have not claimed exemptions to which they may have been entitled, and others have claimed them but do not use them. The Central Intelligence Agency, for example, processes individual access requests under the Privacy Act despite having claimed the broad exemption the Act provides it. On balance, however, the Act's requirement that exemptions be claimed in advance, and that they cover entire systems rather than types of records or specific requests, has resulted in unnecessary exclusions of records from the scope of the Act's individual access requirement.
Agency rules on individual access, and on the exercise of the other rights the Act establishes, appear, in most instances, to be in compliance with the Act's rule-making requirements. Yet, they too are often difficult to comprehend, and because the principal places to find them are in the Federal Register and the Code of Federal Regulations, it is doubtful that many people know they exist, let alone how to locate and interpret them. Furthermore, the Act's requirement that an individual specifically name the record system in which the record he desires is located is not realistic. Fortunately, many agencies have gone beyond the letter of the law in assisting individuals whose access requests reasonably describe the records sought, but the requirement to name the system still seems likely to discourage some people from asking to see their records. Finally, the Act's requirement that an agency keep an accounting of each disclosure of a record to the individual to whom it pertains appears to be an added incentive to process access requests under the Freedom of Information Act rather than the Privacy Act when an agency has a choice (i.e., when the individual does not specify that his request is being made under one Act or the other).
It would appear, in sum, that individuals continue to rely on pre-existing laws and practices when they want access to agency records about themselves. From the individual's point of view, one advantage of the Freedom of Information Act is that there are specific limits on how long an agency may take to respond to a request, whereas in the Privacy Act there are none. Furthermore, although the FOIA permits agencies to charge search fees, while the Privacy Act does not, in practice such charges are rarely made when an individual is asking for information about himself.
The Privacy Act has benefitted a current or past Federal employee to the extent that it allows him to circumvent the FOIA exemption for documents pertaining to internal agency deliberations when he wants access to some of the more interesting parts of an evaluation report or inquiry into his background. The Privacy Act has retained a limited exemption for some personnel evaluations, but its net effect has been to increase the accessibility of such material. It could also be concluded that Federal employees, unlike the private citizen, are aware that the Act exists and, being comfortable with bureaucratic procedures, have quickly learned how to use it.
To aid an individual in gaining access to his record, the Commission believes that the Privacy Act should parallel the approach of the Freedom of Information Act in that an individual should be required to make a request which reasonably describes the record to which he desires access. In those situations in which an agency believes an individual has made too broad an access request, it should help him refine his request. This is the procedure most agencies are following now, but modification of the language of the Act is important. The likelihood of a private citizen being aware of the name of a system of records published in the Federal Register is too remote to be relied on.
In addition, the Commission believes that the Privacy Act should be the exclusive vehicle for individuals requesting access to records about themselves, provided that the Privacy Act's approach to exemptions from the individual access requirement is modified to parallel that of the Freedom of Information Act (as discussed below). Making the exemption approaches parallel is necessary to assure that the individual does not receive less information using the Privacy Act as his access vehicle than he would if his request for access were processed under the Freedom of Information Act. Because agencies may currently ignore the time limits suggested in guidelines for implementation of the Privacy Act issued by the Office of Management and Budget,12explicit time limits should also be added to the Privacy Act so that by making the Act the individual's exclusive access vehicle he will not lose the time limit protections now in the Freedom of Information Act. The fees, appeal rights, and sanctions of the Privacy Act, however, would still apply.
Besides the direct benefits for the individual of such an approach there are certain procedural benefits to the agencies which should be noted. Currently, Freedom of Information Act offices and officers are required to respond to requests for access to both personal information about individuals and information about agency activities (e.g., regarding agency policies). By making the Privacy Act the exclusive access vehicle for any individual requesting information about himself, some stress will be removed. The actual number of requests for information will not be affected, but this approach better divides responsibility in the agencies. Perhaps some of the confusion surrounding the interrelation between the Freedom of Information Act and the Privacy Act will even be reduced.
In addition to requiring an agency to assist an individual in reasonably describing the records to which he seeks access, it is important for an individual to have access to, and the right to amend, information about which he may not have enough detailed knowledge to formulate a specific request. Thus, the Commission believes that access to substantially similar or derivative versions of records sought by an individual should be provided automatically in response to his request for the original record to the extent that providing such access does not constitute an unreasonable burden on the agency.
There are two related situations at issue here. The first is where there may be an exact duplicate of a record maintained in another part of the agency. The second, and more important, is where some portion of a record may have been copied and then subsequently amended, appended, or otherwise altered. Alternatively, two records, or portions thereof, may have been combined. In each of these cases, it can be reasonably inferred that the individual would want to know about all versions of the record were he aware of them. Thus, the burden must be on the agency to take reasonable affirmative steps to describe and, if requested, to make available to the individual the several versions. While the individual may not want to see an exact duplicate of the original record, for example, he may wish to amend it if he amends the original. Moreover, the uses and disclosures of exact duplicates of a record, as well as substantially similar or derivative versions of the record, often will not be the, same as the uses and disclosures of the original, and thus it can be assumed that the individual will want to know about them.
The Commission believes that the Privacy Act's approach to exemptions from the individual access requirement should be modified to parallel that of the Freedom of Information Act. Currently, Privacy Act exemptions are claimed in advance and apply to entire systems of records. Pre-claimed exemptions can be waived on a case-by-case basis, and while there is evidence that agencies are not using all of the exemptions claimed, they still seem to be claiming every one possible (including, in some cases, exemptions to which they would not appear to be entitled), but then using them only as needed. This creates uncertainty for the individual which the framers of the Act did not intend.
Abandonment of the system-of-records definition currently in the Privacy Act necessitates a different exemption strategy than the one the Act now has. The natural model to use is the Freedom of Information Act. The FOIA allows exemptions for certain types of information rather than for entire systems of records; exemptions may be invoked only when applicable, not claimed in advance. In addition, any segregable portion of a record which by itself does not qualify for an exemption must be provided to the individual. The FOIA approach appears to be working well, and its presumption that access should be granted to any part of a record for which an agency cannot sustain an exemption claim seems highly desirable.
Using the FOIA approach to exemptions would have the unintended effect, however, of voiding the Privacy Act provision that allows the CIA and law enforcement agencies to maintain unverified information obtained from intelligence or investigative sources.13 Consequently, if the suggested exemption policy is adopted, it should allow the CIA, or any agency or component thereof which performs as its principal function any activity relating to the enforcement of criminal laws, to maintain information whose accuracy, timeliness, completeness, or relevance is questionable, provided however, that such information is clearly identified as such to all users or recipients of it. This would preserve the Act's current policy. The only new requirement would be that the unverified information be clearly identified as such when it is disclosed to anyone else.
The Commission believes that certain of the specific exemptions in the Freedom of Information Act should actually be duplicated in the Privacy Act. These include the Freedom of Information Act exemptions dealing with information specifically authorized to be kept secret in the interest of national defense and foreign policy, certain investigative information compiled for law enforcement purposes, and operating reports used by an agency responsible for the supervision of financial institutions. This, too, would clarify, without altering current policy, and it would have the further advantage of incorporating the existing body of judicial interpretation as to what may or may not be withheld pursuant to the FOIA exemptions. Today, an individual is supposed to be granted access to the larger of the amounts of information to which he would be entitled under the FOIA or the Privacy Act, so there seems to be no practical reason for the two Acts to have different exemptions in the same area.
Finally, the Commission believes that the Act's requirements with respect to a patient's access to a medical record an agency maintains about him should be brought into line with Recommendation (5) in Chapter 7 of this report. The Commission also believes that the Act should be refined to allow agencies to deny access to a parent or legal guardian in those situations in which another statute authorizes such withholding.
THE INDIVIDUAL PARTICIPATION PRINCIPLE
The third Privacy Act principle holds that an individual should have the right to challenge the contents of a record on the grounds that it is not accurate, timely, complete, or relevant. The principle specifically recognizes that information can be a source of unfairness to an individual. In theory, the right to participate in the maintenance of a record allows for complaint, involvement, and representation in order to force a balancing of the individual's interests against the record keeper's. If this principle is enforced, the individual is able to keep some measure of control (although not absolute control) over the substance of what he himself reveals to an agency, as well as to check on what the agency collects about him from other sources.
The Act has made significant progress toward fulfillment of this principle through its requirement that agencies establish procedures whereby the individual may request correction or amendment of a record, appeal any denial of his request, and file a statement of disagreement if the denial and appeal result in a stand-off, either before or after judicial review. In allowing the individual to file a statement of disagreement, even after the agency's denial of his request is upheld by a court, the Act implicitly recognizes that the agency and the individual may have divergent interests in the content of a record, as well as the fact that there may be no clear-cut criteria for assessing accuracy, timeliness, completeness, or relevance.
Despite the Act's sophistication in this area, however, the correction and amendment rights have not been widely exercised. This doubtless reflects the small number of access requests under the Privacy Act; but it may also be due in part to the fact that so many of the agency records an individual might want to correct or amend are exempt from the individual access requirement and therefore not open for correction or amendment. Nevertheless, the right to correct or amend a record, once access has been obtained, is an area in which the Privacy Act represents a significant advance for the individual.
THE COLLECTION LIMITATION PRINCIPLE
The fourth principle of the Privacy Act is that there shall be limits on the type of information a record-keeping institution collects about an individual, as well as certain requirements with respect to the manner in which it may be collected. An agency may not collect whatever information it wishes, nor may it collect information in whatever manner it wishes. The principle is implemented by requiring that agencies (1) collect only information that is relevant and necessary to accomplish a lawful purpose; 14 (2) collect information to the greatest extent practicable directly from the subject individual; 15 (3) give every individual a Privacy Act Statement at the time individually identifiable information is requested of him; 16 and, (4) in certain instances, refrain from collecting an individual's Social Security number17 and information relating to his exercise of First Amendment rights.18
The requirement to limit collection to information that is relevant and necessary to accomplish a lawful purpose of the agency seems to have resulted in a modest amount of revision and reduction of data-collection forms, and consequently a modest reduction in data collection itself. In contrast, the requirement that agencies collect information to the greatest extent practicable from the subject individual does not appear to have changed practices at all.
The required "Privacy Act Statement" seems not to have had much of an effect on the amount of information individuals are asked to provide about themselves or on their willingness to provide it. There appears to have been a slight reduction in the willingness of individuals to answer survey questions since passage of the Act, but this cannot be confidently attributed to the Privacy Act Statement.
In addition, there appears to be some troublesome ambiguity in the subsection of the Act that contains the "Privacy Act Statement" require-ment. Subsection 3(e)(3) reads in part:
Each agency that maintains a system of records shall-
(3) inform each individual whom it asks to supply information . . .
Some agencies have interpreted this to require a statement only when individually identifiable information is collected from the subject individual and not to require it when such information is collected from a third party. The Commission believes that a Privacy Act Statement should be provided to all individuals from whom individually identifiable information is collected, including third parties.
On the other hand, the Privacy Act Statement must now be supplied or read each time individually identifiable information is collected, regardless of the frequency of contact between an agency and an individual. This is burdensome to the agency and can cause the Statement to be ignored by the individual. The purpose of the Statement is to provide the individual with enough information to allow him to judge whether or not to provide the information requested. There appears to be no useful purpose in doing this repeatedly if the individual has been provided with a copy of the Statement within a reasonable period of time prior to a follow-up request for information so long as the follow-up request is consistent with the original statement. Thus, the Commission believes that the burden on agencies could be safely reduced by requiring that the individual be given a Privacy Act Statement only if he had not already been given a retention copy within a reasonable period of time prior to a subsequent request for information from him.
A second problem with the Privacy Act Statement is that it tends to state the obvious and does not explicitly spell out other possible uses of the information. The Commission, consistent with its recommendations in other areas, believes that the Statement should describe those uses of information that could - ·zsonably be expected to influence an individual's decision to provide or not - provide the information requested. Since the individual's decision may be influenced by the techniques used to verify the information he provides, the Statement should also include a description of the scope, techniques, and sources to be used to verify or collect additional information about him.
Providing a concise statement on uses and third-party sources may, upon occasion, prove to be more confusing than enlightening. Therefore, the Statement should, in addition, identify the title, business address, and business telephone number of a responsible agency official who can answer any questions the individual may have about the Privacy Act Statement.
The proscription on the collection of information about how an individual exercises his First Amendment rights appears to have had no noticeable effect on agency collection practices. The prohibition does not apply when an agency is expressly authorized to collect such information either by statute or by the individual, or where collection is "pertinent to and within the scope of an authorized law enforcement activity." [5 U.S.C. 552a(e)(7)] Because virtually all government agencies can be said to be involved in some type of law enforcement, the latter exception, in particular, has tended to negate the prohibition. A more accurate, and hence more effective, way of stating the congressional intent would be to refer to "an authorized investigation of a violation of the law." This change would not prohibit an agency from collecting a specific item of information whose collection is expressly required by statute or expressly authorized by the individual to whom it pertains, or whose collection would be a reasonable and proper library, bibliographic, abstracting, or similar reference function.
Section 7 of the Privacy Act, which attempts to limit collection of the Social Security number from individuals, also appears to have had little effect on agency practice. Its "grandfather clause," which allows agencies to continue to demand the number if they did so under statute or regulation prior to January 1, 1975, has encompassed almost all uses of the Social Seourity number at the Federal level, as indicated in Chapter 16 below.
THE USE LIMITATION PRINCIPLE
The fifth Privacy Act principle asserts that, once collected, there are limits to the internal uses to which an agency may put information about an individual. Once an agency has legitimately obtained information, it still may not use it internally without restriction.
The Act requires an agency to obtain an individual's written consent before disclosing a record about him to any of its employees other than "officers and employees . . . who have a need for the record in the performance of their duties." [5 U.S.C. 552a(b)(1)] However, because the terms "need" and "duties" are open to interpretation, the effect of this restriction is limited.
In theory, the requirement speaks to the kind of situation described in Chapter 6, wherein the employee-employer relationship was seen to subsume other record-keeping relationships, such as the medical-care and insurance ones. A problem inherent in the provision is the fact that one agency may have many different types of relationships with an individual but the provision takes no account of the difference between them; for that reason it has no practical effect on limiting certain internal uses of information. This is particularly true in the case of the larger cabinet departments which, for purposes of the Privacy Act, have defined them-selves as one "agency."
Where differences in record-keeping relationships have been recog-nized in other statutes, such as where a component of the Department of Health, Education, and Welfare is subject to a confidentiality statute elsewhere in the U. S. Code, the integrity of the relationship that the statute addresses may be preserved within the framework of Subsection 3(b)(1). Section 1106 of the Social Security Act, for example, limits the disclosure of records maintained by the Social Security Administration, and thus it functions as a limitation on internal agency uses of records, even though the Department of Health, Education, and Welfare has defined itself as one agency for the purposes of the Privacy Act.
It can reasonably be assumed that the Privacy Act was not intended to nullify other statutes which limit the use and dissemination of information. Indeed, while the Act is silent on this issue, the OMB Guidelines advise that: "Agencies shall continue to abide by other constraints on their authority to disclose information to a third party including, where appropriate, the likely effect upon the individual of making that disclosure."19 One would expect the OMB guidance to be definitive, but the internal use issue is a murky one. The "confidentiality" statutes in the U.S. Code are many and various, and it is not clear how statutes that authorize use or disclosure, rather than prohibit it, should be treated in relation to Subsection 3(b)(1).
The Commission believes that the way to resolve this issue is through a revised routine-use provision that would apply to both internal and external agency uses and disclosures of information. Such a provision would act as a minimum standard against which potential uses and disclosures of informa-tion would be measured. It would supersede preexisting statutes that authorize disclosures in a vague or general manner, but not statutes in which the Congress, as a matter of public policy, has called for the use and disclosure of specific types of information in specific situations. Such a provision, moreover, would not be construed as expanding an agency's authority to use or disclose information if the agency was already subject to a preexisting statute that restricted its use and disclosure of information more narrowly than the Privacy Act does.
The only way for the individual to discover the internal agency uses of a record about himself is through the "Privacy Act Statement," which cannot anticipate future uses over which the agency has no control. For example, two days after the Privacy Act was passed, the Congress passed another law creating a Federal Parent Locator Service (PLS) authorized to obtain information from the Social Security Administration upon request, regardless of the strictures of other statutes such as the Privacy Act. As already noted, moreover, the "Privacy Act Statement" need not inform the individual that information about him may be collected from third parties, thereby diluting the effect of the Use Limitation Principle even further.
While the Commission believes that the problem of controlling internal uses of information cannot be solved by levying specific require-ments on the agencies, the "routine use" provision, which forbids disclosures that are not compatible with the purpose for which the information was originally collected, should be applied to internal agency uses. In addition, by strengthening the individual enforcement mechanism and establishing a central office within each agency for Privacy Act implementation (see below), compliance with the spirit of the internal use requirements will be improved.
THE DISCLOSURE LIMITATION PRINCIPLE
The sixth Privacy Act principle asserts that there must be limits on the external disclosures of information an agency may make. That is, once an agency has legitimately obtained information, it still may not disclose it externally without restriction.
The Privacy Act authorizes ten categories of external disclosures that may be made without the consent of the individual. The most important one is found in Subsection 3(b)(3) which authorizes any disclosure that has been established as a "routine use"; that is, any disclosure for a "purpose which is compatible with the purpose for which [the information] was collected." [5 U.S.C. 552a(b)(3),- 5 U.S.C. 552a(a)(7)] The key word is "compatible," which some agencies have interpreted quite broadly. As but one example, the United States Marshals Service published a routine-use notice on September 16, 1976, which read in part:
A record may be disseminated to a Federal agency, in response to its request, in connection with . . . the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information relates to the requesting agency's decision on the matter. 20 [emphasis added]
Other agencies, however, have interpreted the routine-use provision narrowly. Prior to passage of the Privacy Act, the Railroad Retirement Board (RRB) obtained benefit and employee name and address information from the Social Security Administration (SSA) to check the accuracy of payments made to claimants under the Railroad Unemployment Insurance Act (RUIA). The statute requires RUIA benefits to be calculated in the light of all other social insurance, employment, or sickness benefits payable to an individual by law. Today, however, the RRB is no longer obtaining information from the SSA, because the SSA has concluded that it cannot legitimately establish the disclosure as a routine use. The RRB estimates that this is costing it more than $85,000 a year in unnecessary payments.
Another problem with the routine-use provision for disclosures in Subsection 3(b)(3) is its relation to Subsection 3(b)(7), which authorizes disclosures of individually identifiable information to agencies for law enforcement purposes if the head of the agency requests the information in writing and specifies the legitimate law enforcement activity for which the information is desired. While treating the routine-use provision narrowly for some purposes, most agencies have employed it in combination with other laws to facilitate the flow of information to and between law enforcement and investigative units.
The combination of the Privacy Act's routine-use provision and Section 534 of Title 28, for example, permits agencies to circumvent the requirements of Subsection 3(b)(7). Under Section 534 of Title 28, the Department of Justice is required to maintain a central law enforcement information bank and to provide a clearinghouse for such information, particularly for agencies of the Federal government. Agencies have understood this provision to be a congressional endorsement of the routine exchange of law enforcement information, at least under the auspices of the Attorney General.
Currently, agencies of the Federal government seem to be employing the routine-use provision in order to permit the free flow of law enforcement and investigative information without having to comply with the standards of Subsection 3(b)(7). Agency system notices frequently indicate that information will be supplied to appropriate Federal, State, local, and, sometimes, foreign law enforcement agencies of government. In short, the Privacy Act does not-place an effective burden on, or barriers to, the free flow of information within the law enforcement and investigative community.
Concurrent with formal endorsement of relatively unrestricted infor-mation flow to and between investigative agencies, the agents of investiga-tive units have continued to employ the informal information network that exists within the law enforcement community. An agent of one unit may call his counterpart in a second agency to see if it might have any information on the subject of an investigation or any leads to people who might be appropriate to investigate. As the system currently operates, there would be some impediments to such disclosure-though not insurmountable ones-where the units of government involved only investigative agencies and the information exchanged came exclusively from their files. Today, however, the unfettered ability to exchange information between law enforcement and investigative units amounts to access by such units to virtually any governmental records without the need to comply with the strictures in Subsection 3(b)(7).
Almost all agencies have law enforcement units of one sort or another through which information desired by other units in other agencies may be channeled. Indeed, the law enforcement unit of an agency might seek information on an individual from records maintained by other components of an agency and transmit it to a second agency which could subsequently maintain it in a form (e.g., retrievable by docket number) which leaves it free of Privacy Act restrictions. Law enforcement units and investigation agencies can, and often do, operate in this fashion and thus function as a conduit for the exchange of information with other law enforcement units. The problem is not so much that law enforcement units disclose information about individuals to illegitimate recipients, but rather that the determination of legitimacy is more often than not highly informal, with the decision to disclose being made by anyone from the field agent level to the head of an agency. Such informality presents substantial potential for improper disclosure. This is a problem the Commission has not dealt with extensively, though a structure for effective examination of it is suggested later in this chapter.
Although the effect of the routine-use provision has been limited, due mainly to the fact that it has been interpreted as applying only to external transfers of information, its safety-valve aspects should be preserved. The disclosure provisions of the Privacy Act must allow for a certain amount of agency discretion, since, in an omnibus statute, it is impossible to enumerate all of the necessary conditions of disclosure. Nonetheless, the Commission believes that the compatible-purpose test of the routine-use provision should be augmented by a test for consistency, with the conditions or reasonable expectations of use and disclosure under which the information was provided, collected, or obtained. The individual's point of view must be represented in the agency's decision to use or disclose information, and today the compatible-purpose test only takes account of the agency's point of view.
The routine-use definition should also apply to internal, as well as external, agency uses and disclosures of information. This is important, since the majority of uses of information are made by the agency that originally collects it.
Congress may, of course, elect, as it has done in the Tax Reform Act of 1976, to authorize particular uses or disclosures of information that are either incompatible with the purpose for which the information was collected, or inconsistent with the individual's reasonable expectations of use and disclosure. Such additional uses and disclosures of information should be treated as routine uses, provided that the statute authorizing them establishes specific criteria for use or disclosure of specific types of information. Ideally, the Congress should review all the statutes that authorize such incompatible uses and disclosures and determine which ones it wishes to retain. The point, however, is that the Commission, as in other areas, believes that blanket disclosure authorizations or limitations should be actively discouraged.
One might think of incompatible uses and disclosures as "collateral uses." The question of whether a particular use or disclosure qualifies as a "collateral use" would then arise only after it has been established that the proposed use or disclosure was not a "routine use." The "collateral use" concept would also give the Congress a means of relating subsequently enacted disclosure statutes to the Privacy Act so that there will be no question about whether such disclosures are subject to the Act's require-ments. As indicated earlier, and as discussed more thoroughly in Chapter 14, the Tax Reform Act of 1976 is a good example of how this would work.
Besides resolving the routine-use issue, there is also a need to take explicit account in the Act of agency disclosures concerning constituents of Members of Congress. In the early days of the Act's implementation, Congress had trouble obtaining information for its own use. Congressional caseworkers found that they were unable to get individually identifiable information from agencies when they called them on behalf of constituents. Agencies refused to give out information to Members of Congress unless they received prior consent from the individual, since Subsection 3(b)(9) only authorizes disclosures to congressional committees or to the House or Senate as a whole. Members of Congress felt this undermined their role as representatives of iheir constituents, and it was, in fact, an oversight in the drafting of the current law.
To solve this problem, the OfFice of Management and Budget suggested to agencies that they establish disclosures to congressional offices as a routine use,21 and this is now a government-wide practice. The Commission believes this practice should be allowed to continue but that a specific provision should be included in the Act to permit it, since the current solution puts a strain on the interpretation of the compatible-purpose test. Disclosure of a record should be allowed to a Member of Congress, but only in response to an inquiry from the Member made at the request of the individual involved, provided the individual is a constituent of the Member. Such a request could also be made by a relative or legal representative of the individual, if the individual is incapacitated or otherwise clearly unable to request the Member's assistance himself, and the requestor or the individual is a constituent of the Member.
Finally; some observers are of the view that, because the Privacy Act limits disclosures to the public, and the Freedom of Information Act directs disclosure to the public, there is an unresolvable conflict between the two laws. This view, however, is overly simplistic and, in the final analysis, an erroneous formulation of the relationship between the two statutes. The Privacy Act and the Freedom of Information Act mesh well. There are no statutory conflicts. Recent court decisions have also better defined the balances that must be struck between the competing interests. Nonetheless, there do appear to be some practical problems in the implementation of these two laws.
The "conditions of disclosure" section of the Privacy Act that establishes the ten categories of permissible external disclosures allows an agency to disclose a record about an individual to a member of the public who requests it, if the disclosure would be required under the Freedom of Information Act.22 On the other hand, Subsection (b)(6) of the Freedom of Information Act allows an agency to refuse to disclose a record to a member of the public (i.e., anyone other than the individual to whom the record pertains) if it is a medical, personnel, or similar record, the disclosure of which would constitute a "clearly unwarranted invasion of personal privacy."23
To understand the meshing of these requirements, it is useful to consider first the situation prior to the passage of the Privacy Act. The exemptions on access to information in the Freedom of Information Act are discretionary, not mandatory. Thus, under the FOIA (prior to the passage of the Privacy Act), an agency could withhold information, the disclosure of which would, in the agency's opinion, constitute a "clearly unwarranted invasion of personal privacy," but the agency was not required to do so. Today, after passage of the Privacy Act, an agency is still required, by the Freedom of Information Act, to disclose information that would not constitute a "clearly unwarranted invasion of personal privacy," but now an agency no longer has the discretion to disclose information it believes would constitute such a clearly unwarranted invasion.
A major problem in this area, however, is that agency operating personnel responsible for the day-to-day implementation of the two Acts have not been clearly enough apprised of how the laws mesh, of the applicable interpretations and court decisions, and of an agency's corre-sponding responsibilities under them. As a result, confusion, widely differing implementation, and occasional frustration of the intent of both laws have resulted. While determining what constitutes a "clearly unwar-ranted invasion of personal privacy" will always require a certain amount of interpretation, more can and should be done to assist and guide those who have to make such determinations in the course of their daily work. Indeed, one of the primary functions of the entity recommended by the Commission in Chapter 1 would be to assist agencies in developing policy to assist agency employees in making such determinations.
THE INFORMATION MANAGEMENT PRINCIPLE
The Privacy Act incorporates the principle that there are proper approaches to the management of information and that agencies should take affirmative steps to assure that their information management practices conform to a reasonable set of norms. Subsection 3(e)(1) of the Privacy Act requires an agency to:
maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by executive order of the President; [5 U.S.C 552a(e)(1)]
In addition, Subsection 3(e)(5) requires that:
all records which are used by [an] agency in making any determina-tion about an individual [must be maintained] with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination; [5 U.S.C. 552a(e)(5)]
Further, Subsection 3(ex10) requires an agency to:
establish appropriate administrative, technical, and physical safe-guards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarassment, inconvenience or unfairness to any individual on whom informa-tion is maintained; [5 U.S. C 552a(e)(10)]
In theory, these requirements, in combination with the requirements implementing the Individual Participation and Accountability Principles, keep the individual from having to bear the full burden of monitoring the content of records an agency maintains about him, and they also grant him recourse when he can prove damages as a consequence of willful behavior in violation of the Act's requirements.
The Act's several information management provisions have had a positive effect on agency conduit by focusing an agency's attention on its policies and practices relating to the collection, maintenance, use, and dissemination of records about individuals. In addition, the Act's require-ment that information must be relevant and necessary to accomplish a mandatory agency purpose seems to have reduced slightly the amount of information agencies maintain.24 Likewise, the "Privacy Act Statement" requirement25 and the annual notice requirement26 have somewhat limited the number of systems of records. But the requirement that information be kept accurate, timely, complete, and relevant27 appears to have had little effect on reducing or altering the types of information maintained.
Most agencies, to the extent they have a position, stand by their prior record maintenance practices. They contend that they have always attempted to achieve accuracy, and that the terms "timely, complete, and relevant" are meaningful only in the context of a specific record or record-keeping situation-which is true. Nonetheless, interviews with operating personnel suggest that, although some accuracy standards have been tightened and retention periods for documents have been re-examined, agencies continue to maintain a substantial amount of information that is not as accurate, timely, complete, and relevant as it should be. The fact is that there are few if any formal mechanisms to review existing records and there is seldom, if ever, enough time to do so.
Because no specific, consistently applied criteria have been established for determining when an agency is in compliance with the Act's information management principles, they are not being adequately implemented. Within agencies, there has often been little or no compliance monitoring, as well as no office to which agency operating personnel can turn for guidance. Although efforts to train agency personnel are being made, awareness of the Act's requirements is much weaker than it should be-in all areas, not just information management.
Generally speaking, each agency or major agency component has a nucleus of employees who are well versed in matters relating to the Privacy Act, but many middle-level and lower-level operating personnel still do not know enough about the Act to allow them to carry out their responsibilities under it. For example, the Privacy Act is too often cited as the reason for withholding information from the public, when, in fact, such withholding is improper. Yet, without training, it appears that the one thing an agency employee is likely to know about the Act is that it contains criminal penalties for unauthorized disclosures, and thus that he should behave warily, particularly in responding to third-party Freedom of Information Act requests of the sort discussed in the preceding section on the Disclosure Limitation Principle.
The Commission has found that those agencies that have established formal, structured approaches and mechanisms to implement the Privacy Act are the most successful in their implementation of the Act. They have provided the best training for their personnel, have issued detailed, consistent internal guidelines, and have devised procedures for auditing their own compliance with the Act. In addition, agencies with previous experience with issues relating to information policy have generally adapted more readily to the requirements of the Act than have agencies for which information policy issues can be considered a relatively new experience.
In order to provide for more effective implementation of the Act, the Commission believes that the head of each agency should designate one official with authority to oversee implementation of the Act. The official's responsibili ties would include issuing instructions, guidelines, and standards, and making such determinations, as are necessary for the implementation of the Act. He would also be responsible for taking reasonable affirmative steps to assure that all agency employees and officials responsible for the collection, maintenance, use and dissemination of individually identifiable records are aware of the requirements of the Act.
The Commission believes that this is the minimum step necessary to ensure effective implementation of the Privacy Act. It parallels, and enhances, the approach taken by the agencies which are currently most successful in their implementation of the Act. Someone other than the individual record subject must be in a position to hold agency record keepers accountable; the Act's individual enforcement model is simply ineffective on a broad scale. Moreover, someone must have the authority to make decisions under the Act (e.g., to interpret the "reasonableness" and "compatible-purpose" tests); someone must be in a position, for example, to review a particular record-keeping practice or computer system design and assert, with authority, that it is reasonable. Obviously, such an approach addresses more than information management, and it can reasonably be expected that the designated agency official's activities would span the gamut of issues relating to the Act's implementation.
The Commission looks with favor on the Act's basic assumption that each agency is in the best position to judge what is best, reasonable, or appropriate for it. As indicated in the implementation in Chapter 1, it favors abandonment of the individual agency autonomy model of the Privacy Act only in instances where a clear societal interest is at stake or where it is necessary to establish an independent check on the agency.
Strengthening the individual agency enforcement mechanisms in the Privacy Act by the appointment of a Privacy Act officer in each agency is not intended to relieve the agency's operating personnel of their responsibili ties under the Act. Rather, it is intended to make their jobs easier by providing a mechanism for guidance, instruction, and interpretation. A "reasonableness" test in the law is important for a court, but it does little to provide insight and guidance for those charged with the day-to-day implementation of the law.
By the same token, creation within an agency of an enforcement mechanism will serve to hold agency employees accountable in a way that no external entity or individual record subject can. This is as it should be, for ultimately the record-keeping agency must bear the burden for assuring that its record-keeping practices are fair.
While the Commission found that the Act's requirements regarding the necessity, accuracy, timeliness, completeness, and relevance of informa-tion in records [5 U.S.C. 552a(e)(1); 5 U.S.C. 552a(e)(5)] appear to have had little effect on agency practices, it suggests no specific changes in those requirements. Rather, it believes that by altering the implementation strategy and incentives for compliance along the lines it suggests, the goals of these requirements will be achieved.
The Commission has also found that the Act's requirements for propagation of corrections does not adequately assure that decisions are made on the basis of accurate, timely, complete and relevant information. Under the Act, for example, corrections do not have to be sent to prior internal agency recipients or to the sources of erroneous information. In addition, corrections of erroneous information initiated by the agency rather than by the individual, no matter how important, do not have to be propagated at all. As in other areas it has examined, the Commission believes that corrections made by the record-keeping agency, as well as those made by the individual, should be propagated; and that, with some exceptions, corrections should be sent automatically to sources and prior internal and external recipients who provided or received the erroneous information, within a reasonable period of time prior to the making of the correction, as well as to any person (organization or individual) the individual spec~rlcally designates.
The Commission believes that corrections of erroneous information by the agency, in accordance with the Act's requirements to "maintain all records which are used by the agency in making any determination about any individual with such accuracy, timeliness, completeness, and relevance as is reasonably necessary to assure fairness . . ." [5 U.S.C. 552a(e)(5)] should be automatically propagated if two conditions exist: first, if the correction could reasonably be expected to affect a determination about the individual by the source or a prior recipient of the erroneous information that provided or received the information, within a reasonable period of time prior to the making of the correction; and second, if the source or prior recipient could not reasonably be expected to otherwise become aware of the error. However, propagation should not be required to prior recipients who received the erroneous information under the Freedom of Information Act or to any source who, acting on his own behalf, rather than in an official capacity, provided the erroneous information to the agency.
This approach provides for propagation of corrections in cases in which they would make an important difference to the individual, while limiting to the greatest extent possible the burden on the agency. Relating the propagation requirement to the Act's fairness-in-decision-making provision is important because doing so excludes certain corrections, such as those made to keep an historical record accurate.
The Commission believes it appropriate to place the basic responsibili-ty for propagating corrections on the agency because there is no other realistic way for the individual to protect himself against the spread of erroneous information about him through the Federal government. Information can flow so freely within and between agencies, and decision points are so diffuse or difficult to isolate, that linking a propagation of correction requirement to an adverse determination, or to an initiative by the individual, destroys its efficacy.
By including the requirement that corrected information be sent to internal agency recipients and to sources, the Commission is also responding to evidence that suggests that more harm or unfairness can result to an individual from inaccurate internal agency uses and disclosure than from external uses and disclosures, since the former are more frequent and less apt to be independently verified. The requirement that an agency notify any person specifically named by the individual to whom the information pertains, of any corrections made by either the individual or the agency, is included to allow for propagations that the individual determines are important to him. -
The Privacy Act requirement to maintain an accounting of disclosures of information about an individual is widely regarded as the statute's single most burdensome provision. It also appears to be one which has engendered little interest on the part of the general public. There are three objectives which can be potentially served by this requirement: (1) providing the record subject with a listing of the uses and disclosures of a record about him; (2) facilitating the propagation of corrections; and (3) internal agency auditing and compliance monitoring. Currently, the emphasis is on the first objective. Consequently, the Act, with two exceptions, requires an account-ing of disclosures to every recipient of information from a system of records, including the individual himself, and the accounting must include the date, nature, and purpose of the disclosure, as well as information identifying the recipient. This required accounting is frequently burdensome, as well as occasionally unnecessary, and has led a number of Federal agencies to construe it as inapplicable in cases in which the individual is the recipient of the information. Moreover, an accounting does not have to be kept of internal agency uses and disclosures, and these are frequently of the most interest to the individual and the most important insofar as the propagation of corrections is concerned.
The Commission believes that the primary emphasis of the accounting of disclosure requirement should be on its utility in propagating corrections and that a "reasonableness" test should be established for determining the period of time for which an accounting must be kept, as well as for the amount of detail about each disclosure that must be kept. In addition, the Commission believes that when an individual so requests, an agency should make available to him its accounting of disclosures about him to (a) all prior recipients to whom it could reasonably be expected to propagate corrections, and (b) other recipients of which it could reasonably be expected to be aware. This would allow an individual to see the information an agency must maintain on its disclosures about him for the purpose of propagating corrections automatically, but would not require a log in any greater detail than that. This requirement, coupled with the suggested propagation of corrections requirement, would, however, mean that an individual would be able to obtain an accounting of disclosures to internal agency recipients of information, as well as to external ones, since under the new approach all prior internal recipients will now receive corrections when they are propagated.
An agency should be left free to decide how long to keep an accounting of disclosures based on its determination of how long it needs to keep the information for propagating corrections, as well as the amount of detail that needs to be kept about each disclosure. In all accountings disclosed to the individual, however, an agency should take reasonable affirmative steps to inform the individual, in a form comprehensible to him, of the date, nature, and purpose of each disclosure and the name and address of the person or agency to whom the disclosure was made.
One principal difference between this approach and the Act's accounting requirement is that an accounting would not need to be kept for five years, or the life of the record, whichever is longer.28 The Commission would also preserve the Act's use of the word "accounting" as opposed to "record," in order to allow for any scheme that enables the agency to reconstruct a list of past disclosures; that is, an explicit record or log entry need not be made for each disclosure. This is especially important in the case of frequent bulk transfers of data (when even the nature and purpose may only be generally known.)
The Privacy Act requirement that agencies establish safeguards to assure the security of individually identifiable records29 has run the gamut from business-as-usual to extreme measures aimed at forestalling any conceivable risk, no matter how small its chance of occurring. On balance, however, the "safeguarding of information" requirement has resulted in minor modifications, and some strengthening, of agency data-security standards.
A recently publicized example of a government information system with inadequate security involved the computer and telecommunications system, SSADARS, which connects private insurance companies acting as Medicare intermediaries for the government with the Social Security Administration (SSA) data file. The Social Security Administration reported at the Commission hearings on Medical Records in July 1976 that its longstanding policy of protecting the confidentiality of individually identifi-able information in its files had been adequately carried out in its administrative and technical safeguards. On October 23, 1976, however, SSA announced that it had discovered that it was mistaken in its belief that there was "no way the Medicare intermediaries and carriers can use their telecommunications system to gain access to the files used to administer"30 other SSA programs. SSA staff found that the SSADARS terminals installed in the offices of two intermediaries could have been altered relatively easily, thereby permitting access to files other than the Medicare eligibility files the intermediaries needed to see. Although no actual access to other SSA program information is believed to have occurred, the technical safeguards to assure the confidentiality of information in the SSADARS system were not as effective as SSA had thought.
In spite of the Privacy Act, and assurance by the Social Security Administration that insurance company employees are subject to criminal sanctions as if they were Federal employees, SSA's Data Acquisition and Response System (SSADARS) has created a great deal of concern among the public and press. Inasmuch as the SSADARS system is a forerunner of the type of computer and telecommunications system which would be necessary for the administration of a broad-based Federal health-insurance program, it is imperative that Federal agencies take immediate affirmative measures to prevent information in such a system from becoming a source of unfairness to the individuals to whom it pertains. Therefore, the Commission recommends:
That a Federal agency administering a health-insurance program which employs the services of a private health-insurance intermediary provide to the intermediary only that information necessary for the intermediary to carry out its responsibilities under the program.
Compliance with this recommendation would require that Federal agencies administering health-insurance plans develop administrative, physical, and technical safeguards as required by Section 3(e)(10) of the Privacy Act to assure the integrity of, and to prevent unauthorized access to, federally maintained data bases.
To correct the drafting deficiencies in the current safeguard require-ment, as well as to make the obligation imposed by the requirement more realistic, the Commission believes that an agency should be required to establish reasonable administrative, technical, and physical safeguards to assure the integrity, confidentiality, and security of its individually identifiable records so as to minimize the risk of substantial harm, embarrassment, inconvenience, or unfairness to the individual to whom the information pertains. Such a change would be consistent with the Act's legislative history and should protect against the overreaction occasioned in some agencies by the current language of the Act which requires agencies to establish appropriate safeguards against any anticipated threats or hazards.
There is another related issue which also must be addressed. The Commission was specifically required by Subsection 5(c)(2)(B)(iv) of Public Law 93-579, to examine the issue of:
whether and how the standards for security and confidentiality of records under section 3(e)(10) of [the Privacy Act] should be applied when a record is disclosed to a person other than an agency.
The use of the word "standards" in this directive raises the question of the type of standards contemplated by the drafters. Within the Federal sector, the term standards has a precise meaning, and there are well defined procedures for establishing Federal Information Processing Standards (FIPS). A standard may be considered as synonymous with a "require ment," and, once established, is binding on Federal agencies. On the other hand, the term "guideline" may be equated with a "suggestion," and is not binding on Federal agencies. It seems clear from a reading of the Act and the legislative history, however, that the drafters did not intend the term standards, as used in Subsection 5(c)(2)(B)(iv), to be interpreted precisely, but rather to be interpreted more broadly as meaning "general criteria" for the establishment of security and confidentiality safeguards. Regardless of the meaning intended, however, the conclusion of the Conunission remains the same.
The Commission's inquiry has shown that there are currently no standards, in the strict sense of the word, for security and confidentiality at the Federal level. Guidelines have been issued by the National Bureau of Standards, but their specificity and hence their utility is uneven. FIPS Publication No. 31,31 which establishes guidelines for automatic data processing physical security and risk management, is much more detailed and specific than FIPS Publication No. 41,32 which is intended to establish computer security guidelines for implementing the Privacy Act of 1974. As already noted, the Commission's assessment of the Federal experience indicates that agency practice in response to the safeguard requirement in Subsection 3(e)(10) is extremely varied, ranging from no response whatsoe-ver to what could be termed technological overkill. At the Federal level, in other words, there are, at best, limited standards, guidelines, or general criteria for safeguars which are susceptible to extension to any non-Federal agency recipient of information subject to the Privacy Act. Thus, in response to the mandate given it in Subsection 5(c)(2)(B)(iv), the Commission recommends:
That there should be a continued examination of the standards, guidelines, and general criteria for safeguards within the Federal government, but there should not be a general extension of any Federal standards, guidelines, or general criteria for safeguards for security and confidentiality of records when a record is disclosed to a person other than an agency, except as specifically provided in other recommendations of the Commission.
THE ACCOUNTABILITY PRINCIPLE
The eighth principle of the Privacy Act holds that an institution should be accountable for its personal-data record-keeping policies and practices, or, more specifically, for adherence to the other seven information policy principles. Under the Privacy Act, a Federal agency can be held account-able for its record-keeping policies and practices in several ways. The individual can hold the agency accountable through exercise of his rights to see, copy, and challenge the contents of a record about himself, to review an agency's accounting of disclosures made of a record about him, and to sue for any damages he incurs as a consequence of agency misconduct. In addition, agency employees are subject to criminal sanctions for particular violations of the law's requirements.33
The access, correction, and amendment procedures have been discussed. They appear to work reasonably well, although they have not been widely used. As previously noted, the agencies regard the Act's accounting of disclosures requirement as the most burdensome of the Act's provisions. It represents 26 percent of the operating costs of the Act34 and requires extra effort by agency employees on an almost daily basis. The Social Security Administration, which keeps its accounting of disclosures manually, has stated that to perform the accounting effectively it would have to totally redesign its computer system. In addition, few individuals have asked for an accounting of the disclosures made of a record about them, perhaps because they do not know they have a right to do so. Even when an individual does ask, however, he will not learn about internal agency disclosures, as no accounting need be kept of them.
The civil remedies provided by the Act are similarly ineffective from the individual's point of view. The vast number of systems involved,35 the need to establish willful or intentional behavior on the part of the agency, and the cost and time involved in bringing a law suit, often make enforcement by the individual impractical. Moreover, an individual must show actual injury in all cases except the ones that can be brought to force an agency to allow an individual to see and copy, or correct or amend, a record.
The criminal penalties also require a showing of willfulness and apply only to unauthorized disclosures, failures to publish annual system notices, and obtaining a record from an agency under false pretenses. The circumstances in which an individual can bring suit, his possible reward for doing so, and the instances in which a court can order an agency into compliance with the Act are all too limited to provide an effective accountability mechanism. Consistent with its recommendations in other areas, the Commission believes that a suit should be permitted to force compliance with the requirements of the Act absent a demonstration of injury to, or adverse effect on, the individual and that a court should be able to order an agency to comply.
In many cases, it is simply too difficult to show injury or adverse effect as a result of a violation of the Privacy Act. In the case of a violation of the notice requirements, for example, such a showing is most likely impossible. Even in the case of inaccurate information, it can be difficult to demonstrate actual injury. Hence, the Commission believes an individual should be granted standing without the requirement to show injury. While it could be argued that this will encourage frivolous law suits, experience to date indicates that it is not likely to do so. Moreover, this approach should increase agency accountability and provide agencies with increased incentives to comply with the Act in order to avoid law suits by individuals.
Under the Privacy Act contractors and grantees are not directly liable for violations (although they are subject to the Act's criminal penalties) and the government may indemnify them for any civil liability resulting from their performance of a contract. This defeats the intent of the Act. If the Act's protections are so important that the government is waiving its sovereign immunity and thus subjecting itself to civil liability, it would seem reasonable for the same standard to apply to contractors and discretionary grantees, as discussed earlier. Therefore, the Commission believes that contractors and grantees which fall within the scope of the Act should be made civilly liable under the Act in the same manner that the government makes itself civilly liable, and no official or employee of any Federal agency should include or authorize to be included in any contract or grant any provisions indemnifying the contractor or grantee from civil liabilities under the Act.
In a related area, the Commission's mandate specifically required an examination of "whether the Federal government should be liable for general damages incurred by an individual" when an agency violates his rights under the Act. [Section S(c)(2)(B)(iii) of Public Law 93-579] This required consideration of whether the current liability standard in the statute which limits recovery to "actual damages" should be broadened. To reach a judgment on the appropriate recovery standard, the Commission needed to answer two questions: (1) what the definitions of actual and general damages are or ought to be; and, (2) what the costs and benefits of each would be were it to be the Act's standard for recovery against the government.
Traditionally, damages have been divided into two classifications, general and special. Compensation for any injury done to an individual is available under a claim of general damages. An individual can make claims for losses due to pain and suffering, for example, even though it is impossible to fix a precise dollar value to such an injury. Special damages, on the other hand, only compensate for injury that has caused clear economic loss to the individual. The Commission has found that there is no generally accepted definition of "actual damages" in American law, but the Commission has concluded that, within the context of the Act, the term was intended as a synonym for special damages as that term is used in defamation cases. For that reason, the Commission believes the phrase "actual damages" should be discarded in favor of the more traditional and clearer term, special damages.
In addition, special damages in defamation cases are more limited than in other situations; the injuries clearly covered by them are loss of specific business, employment, or promotion opportunities, or other tangible pecuniary benefits. Injuries not provided for are those which may be labeled intangible: namely, loss of reputation, chilling of constitutional rights, or mental suffering (.where unaccompanied by other secondary consequences).
The legislative history and language of the Act suggest that Congress meant to restrict recovery to specific pecuniary losses until the Commission could weigh the propriety of extending the standard of recovery. It has determined that the arguments in favor of extending recovery to general damages, within dollar limits, appear stronger than the arguments against such extension.
The restriction on recovery articulated in the "actual damage" standard of the Privacy Act reflects the ancient limitation on governmental liability embodied in the principle of sovereign immunity. Arguments in support of this limitation of liability focus primarily on the need to protect the public purse and the problems involved in making the government fully responsible for the vast scope of its operations, which it has no practical means of controlling. One set of counter-arguments to this position derives from notions of fairness, which require both that wrongdoers be responsible for their wrongdoing and that those who benefit from governmental activity be asked to pay the price of their enjoyment, instead of letting that cost fall wholly on the small group of injured parties. Another counter-argument derives from basic notions of social utility. If the costs of government information practices are borne by the government, it is in a better position to decide whether the benefits of the activity outweigh their costs. In other words, restricting liability only restricts the incentive for government to reform its practices.
If the rights and interests established by the Privacy Act are worthy of protection, then recovery for intangible injuries such as pain and suffering, loss of reputation, or the chilling effect on constitutional rights, is a part of that protection. There is evidence for this proposition both in the cases which have already been brought under the Act and in common law privacy cases. Thus, to protect individuals under the Privacy Act more fairly and effectively, while ensuring that recovery does not become too burdensome, and to clarify the meaning of the Act, the Commission recommends:
That the Privacy Act of 1974 permit the recovery of special and general damages sustained by an individual as a result of a violation of the Act, but in no case should a person entitled to recovery receive less than the sum of $1,000 or more than the sum of $10,000 for general damages in excess of the dollar amount of any special damages.
In addition to the individual's enforcement opportunities and the modest oversight role assigned to the Office of Management and Budget (OMB) [Section 6 of Public Law 93-579], the Act also requires that reports on new or materially altered record systems be sent to OMB and both Houses of Congress [5 U.S.C. 552a(o)], and to the Privacy Protection Study Commission. [Section 5(e)(2)(A) of Public Law 93-579] None of these bodies, however, has had the staff nor the consolidated expertise necessary to evaluate each report submitted. Furthermore, there is no agreement on how to assess the potential impact of a proposed system change along the lines called for in the Aci, that is:
the probable or potential effect . . . on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the constitutional principles of federalism and separation of powers. [5 U.S.C 552a(o)]
Currently, although this requirement has had the healthy effect of forcing agencies to examine the need for, and the details of, the particular system, the kind of information needed to evaluate it is not always supplied nor is it always presented in enough detail to permit an in-depth and independent evaluation of the system in question.
Given this weak enforcement framework and the flexibility of interpretation many provisions of the Act allow, there are few incentives for more than minimal compliance with most of its provisions. For example, there is a universal lack of post-award monitoring of contractor perfor-mance; and as previously noted, many agencies have not established any effective internal compliance monitoring procedure. This can be partly explained by the fact that Congress appropriated no additional funds for Privacy Act implementation. While many of the requirements of the Act represent procedures or steps that the agencies should have been following anyway, there is still cost associated with them.36 In addition, attention to information policy issues is not usually a priority concern of agency personnel. While many employees view the Privacy Act and the issues it raises as important, a sizeable number still see the Act as a nuisance and an impediment to the performance of their agency's missions and functions.