The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.. Agency Rules

01/07/1977

Subsection 3(f) of the Privacy Act requires an agency to promulgate regulations43 that:

(1) establish procedures whereby an individual can be notified in response to his request if any system of records named by the individual contains a record pertaining to him;
(2) define reasonable times, places, and requirements for identify-ing an individual who requests his record or information pertaining to him before the agency shall make the record or information available to the individual;
(3) establish procedures for the disclosure to an individual upon
his request of his record or information pertaining to him, including [a] special procedure, if deemed necessary for the disclosure to an individual of medical records, including psychological records, pertaining to him;
(4) establish procedures for reviewing a request from an individu-al concerning the amendment of any record or information pertaining to the individual, for making a determination on
the request, for an appeal within the agency of an initial adverse agency determination, and for whatever additional means may be necessary for each individual to be able to exercise fully his rights under this section; and
(5) establish fees to be charged, if any, to any individual for making copies of his record, excluding the cost of any search for and review of his record. [5 U.S. C 552a(f)]

Although the Office of the Federal Register developed a model format for the agencies to use in preparing their Privacy Act rules for publication [40 F.R. 25988 (June 19, 1975)], there is great variety in the way the rules have been published, and some formats are so complex that the average individual could have great difficulty understanding (and in some instances, locating) the correct procedure to follow. The rules promulgated by the Department of the Air Force in 1975, for example, were in eight parts and 58 sections [32 CF.R 806.b], and many sections had to be consulted to understand fully how to exercise the individual's access and correction rights. Similarly, the Treasury Department's rules for 1976 [31 CF.R 1.20-1.36] are in 17 sections and 12 appendices (with different procedures for 12 different components of the Department), totalling 29 pages of material.

The procedures the rules establish also vary greatly. For example, all agencies have established procedures for verifying the identity of the individual requesting a record, but while some require nothing more than a signature, others require extensive personal identification. OMB itself is one of the latter. Its regulations provide as follows:

(a) current or former employees: verification by visual observation or alternatively, some employment related documenta tion such as employee I.D. card, driver license, or "employee copy" of any official personnel document;
(b) other than (a) above: two forms of identification and whatever else may be required by a specific system notice; (c) by mail: by comparison of signature on a notarized statement of identity;
(d) if no documentation available: notarized statement of identity and knowledge of penalties for lying and (as needed) notarized statement from other individual attesting to reque-stor's identity;
(e) parent or guardian: legal documents providing guardianship and suitable personal I.D. [5 CF. R. 1302.2]

Then, too, some agencies require more or less personal identification depending on the character of the record to which the individual seeks access. For example, the Tennessee Valley Authority minimally requires an identification card and comparison of signatures, but more stringent verification (such as in-person confirmation of identity) when the record sought is "sensitive." [18 CF.R. 301.14]

Most agency rules require that a request for a record identify the system of records in which the record is thought to reside. This is permitted by subsection 3(f)(1) of the Act [5 U.S.C 552a(f)(1)], and is consistent with the Congress' desire to avoid an undue administrative burden on the agencies. However, asking the individual to identify the system of records can place a substantial burden on him. Few Americans have ever heard of the Federal Register and even fewer are likely to know how to find a system notice in it.

By and large the agencies have tried to help the individual either by giving him a copy of the agency's annual notices and asking him to identify likely systems, or by directing him to someone in the agency whose job is to help him, or both. Some agencies have even tried to dispense with the system identification requirement altogether. OMB, for example, does not require specific reference to a system notice and makes copies of its notices available to anyone who addresses his request to the Office of the Assistant Director for Administration. [5 C.F.R 1302.1(a)] Similarly, the Department of the Interior's rules do not mention any need to identify the system, although they clearly presuppose a knowledge of the Department's annual notices. [43 C.F.R. 2] All agencies' rules provide for access to a record about an individual by his parent or guardian, and, with the individual's written authorization, by someone who accompanies him at the time he exercises his access right. Many agencies also have special procedures for giving an individual access to medical records pertaining to him, although some, such as the Depart-ment of Housing and Urban Development [24 CF R. 16] and the Defense Intelligence Agency [32 C.F. R. 292a], do not. The Federal Trade Commis-sion provides for access to a medical record through a physician designated by the individual, presumably leaving it to the physician to decide whether the individual should be allowed to see and copy the record [16 C.F.R. 4.13(f)], but the Department of Health, Education, and Welfare (DHEW) provides for direct access by the individual in many instances. [45 C.F.R. 56.6]

The DHEW rules affirm the individual's right of access to his medical records and when he requests access to them he is asked to designate a responsible representative to receive them if the Department believes that giving him direct access may be upsetting or otherwise harmful to him. The responsible representative need not be a physician or other health professional. A minor's medical record will be disclosed to a physician or other health professional (neither of whom may be a family member) provided that the physician or other health professional is informed, where appropriate, that further disclosure may constitute an unwarranted invasion of the minor's personal privacy. [45 C.F.R. 56.6]

Although most agencies' rules require that an individual's request for access to a record about himself be made in writing, the request can usually be submitted either in person or by mail, whichever the individual prefers. The big differences are in the agencies' procedures for acknowledging an individual's request. The Act is silent on the question but the OMB Guidelines say that an agency should acknowledge a request for access within ten days of receiving it.44 Department of Agriculture rules call for an acknowledgement indicating whether access will be granted-and if so, when and where-within 10 working days. [7 C.F.R. 1.114(a)] Department of Commerce rules also provide for a ten-day response and, in addition, specify the official to contact if a request is not acknowledged within ten days. [15 C.F.R 46.3(f) and 46.5(a)] In contrast, Interior Department rules [43 CF.R 2.64] provide only for "prompt" acknowledgement, while the rules of the Justice Department [28 C.F.R 16] and of the Defense Intelligence Agency [32 C F.R. 29a] do not mention response time.

There is also a time limit problem which arises from the fact that the Privacy Act does not specify how quickly an agency must comply with an individual's access request. The OMB Guidelines suggest that, where possible, the acknowledgement of a request should indicate whether access will be granted, and if it is to be granted, that it should be granted within 30 days thereafter (excluding Saturdays, Sundays, and legal public holidays), unless the agency, for good cause shown, is unable to comply within that timeframe, in which case the individual should be informed in writing within 30 days of the reasons for the delay and the date on which access can be anticipated.45 This suggested procedure closely parallels the one the Freedom of Information Act specifically requires when an agency receives an FOIA request for a record. [5 U.S.C. 552a(d)(2)]

In their 1975 annual reports, most agencies indicated that they were having no problem complying with the 30-day rule, but some, such as the FBI and the CIA, were experiencing long delays due to the number of requests they were receiving and the complexity of some of their records.46 The Drug Enforcement Administration also reported difficulties in connec-tion with about 20 percent of its records,47 and the Energy Research and Development Administration described two cases, each of which took approximately 32 days to process, and which eventually resulted in a denial of at least part of the request.48

The appeals procedures present still another problem. If an agency denies an individual's request for access to a record, the Act allows him, without further ado, to seek a Federal court order directing the agency to disclose the record to him. In such cases, it is up to the court to decide whether the record has been properly withheld pursuant to one of the Act's exemptions from the individual access requirement. Some agencies, how-ever, have established an administrative appeals procedure, along the lines of the one called for in the Freedom of Information Act. These procedures raise a serious question as to whether an individual whose access request is denied may proceed directly to court without first exhausting the remedies they afford him.

The situation with respect to denials of requests to correct or amend records presents a different kind of problem. There, the Act explicitly calls for a denial to be reviewed and reaffirmed within the agency before the individual can go to court. The review process is supposed to be completed within 30 days, but the head of the agency, for good cause shown, can extend it for another 30 days. [5 U.S.C. 552a(d)(3)] Moreover, some agencies have included a time limit in their rules, within which an individual may appeal a correction or amendment refusal. Those range from 20 days at the Department of the Interior [43 C.F.R. 274] to 90 days at the Postal Service [39 CF. R. 266.7(b)(4)(c)].

There is also a small problem in the handling of the "statement of disagreement." Subsection 3(d)(3) of the Act allows an individual to file a concise statement detailing his side of an unresolved dispute with an agency over the content of a record about himself. At least one agency (the Tennessee Valley Authority) has interpreted "concise" to mean no more than 100 words [18 CF.R. 301.19(f)]. This is often too short, as the vast majority of agencies have realized.