The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.. Compatible and Incompatible Uses

01/07/1977

One can find many routine uses that clearly meet the test of compatibility with the purpose for which the information was originally collected. Forwarding payroll information on a government employee to the Department of the Treasury so that a paycheck can be generated for him unquestionably meets the compatibility test. So do many other interagency transfers as the following typical notices illustrate.

Equal Employment Opportunity Commission/3 - Charge of Discrimination Case Files

1.    to conduct compliance reviews with local, state and federal agencies, such as the Office of Federal Contract Compliance, Department of Justice, Department of Labor, Office of Revenue Sharing of the Treasury Department, Law Enforcement Assistance Administration, and other federal agencies as may be appropriate or necessary to carrying out the Commission's functions under the Title [See 42 U.S.C. 2000e-4(g)(l), 8(b) and (d)]; (2) sharing information contained in these records with state and local agencies administering state or local fair employment practices laws [See 42 U.S.C. 2000e4(g)(l), 8(b) and (d)]. [41 F.R. 42171 (September 24, 1976)]

Environmental Protection Agency/1 - Payroll System

To conduct all necessary and appropriate intra-agency payroll activities. To furnish information U. S. Treasury requires to issue paychecks and distribute pay according to employees' directions. To report tax withholding to IRS and appropriate State and local taxing authorities; FICA deductions to SSA; dues deductions to labor unions; withholdings for health and life insurance to insurance carriers and U.S. C.S.C.; charity contribution deductions to agents of charitable institutions; annual W-2 statements to taxing authorities and the individual. Also see routine use paragraphs in Prefatory Statement. [41 F.R. 39689 (September 15, 1976)]

FDIC/1 - Legal Intern Applicant System

Disclosure of information may be made in requesting information of individuals or concerns whose names were supplied by the applicant as references and/or past or present employers. [41 F.R. 40424 (September 17,1976)]

FDIC/12 - Payroll and Employee Financial Records

Information developed from these records is routinely provided to State, City and Federal income tax authorities, including, at the Federal level, the Internal Revenue Service and the Social Security Administration, and, to other recipients, as authorized by the employee, including the United States Treasury Department, savings institutions, insurance carriers and charity funds. Records are periodically made available for inspection to auditors employed by the Government Accounting Office. [41 F.R. 40427 (September 17,1976)]

Other routine uses, however, merely continue disclosures, regardless of compatibility, that an agency habitually made prior to passage of the Privacy Act. The following are good examples:

Justice/USA/001 - U. S. Administrative Files

A record may be disseminated to a federal agency, in response to its request, in connection with the hiring or retention of an employee, the issuance of a security clearance, the reporting of an investigation of an employee, the letting of a contract, or the issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information relates to the requesting agency's decision on the matter. [41 F.R. 40015 (September 16, 1976)] (emphasis added).

Federal Revenue Systems/9 - FRB Consultant File

Routine uses include, but are not restricted to, selection, monitoring, evaluation and control, audit and analysis, routine management activity and statistical use without individual identification; verification and confirmation; and referral when used as a basis for prospective employment by other than the Board; to provide information or disclose to a Federal agency, or any other employer or prospective employer, in response to its request, in connection with the hiring or retention of an employee, the letting of a contract, or issuance of a license, grant, or other benefit by the requesting agency, to the extent that the information is relevant and necessary to the requesting agency's decision on the matter. [41 F.R. 39707 (September 15, 1976)] (emphasis added)

Allowing the recipient's needs to influence an agency's decision as to whether a disclosure should be deemed a proper routine use is not uncommon, and some are even more indiscriminate. For example, the routine uses established for the Department of Transportation's Documentation System countenance the disclosure of information to "anyone having business with or an interest in a documented vessel."82 Likewise, the routine uses for DOT's Merchant Vessel Casualty Reporting System include "use by the general public."83

Agencies also interpret the routine use provisions of the Act to permit the free flow of information to and between law enforcement and investigative units of government without having to comply with subsection

3(b)(7) that provides for the disclosure of a record about an individual

. . . to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request . . . specifying the particular portion [of the record] desired and the law enforcement activity for which the record is sought. . . . [5 U.S.C 552a(b)(7)] (emphasis added)

Law enforcement agencies particularly established broad-worded routine uses to assure the easy flow of information between organizations within the law enforcement community. The Bureau of Alcohol, Tobacco, and Firearms in the Treasury Department, for example, includes as a routine use of information in its "Criminal Investigation Report System" disclosure to "personnel of the Department of Justice and other agencies, Federal, State and local, foreign and domestic, having prosecutive and civil law enforcement functions." [41 F.R. 45446 (October 14, 1976)] Non-law enforcement agencies also adopt broad routine use provisions that facilitate the exchange of information with law enforcement agencies, a good example being the provisions the Veterans Administration ordinarily incorporates in its systems notices. [41 F.R. 9294 (March 3, 1976), Routine Uses 12 and 24]

On the other hand, some agencies apply the compatible-purpose test so strictly that agencies and other organizations accustomed to receiving information from them have complained that they are no longer able to fulfill their missions. For example, prior to passage of the Privacy Act, the Railroad Retirement Board (RRB) regularly obtained name, address, and benefit information from the Social Security Administration (SSA). It used this information to monitor the accuracy of payments it made to claimants under the Railroad Unemployment Insurance Act (RUIA), since, by law, the amount of RUIA benefits paid must take into account other social insurance, unemployment, or sickness benefits payable under any other law. For almost two years after the effective date of the Act, however, SSA's strict application of the compatible-purpose test made it impossible for RRB to obtain data from SSA files.

The Department of Labor had a similar problem. Several States have laws that require their unemployment insurance programs to verify the amount of any Social Security benefits a claimant receives. Initially, however, SSA did not establish such disclosures as a routine use of the information in its Earnings Recording and Self-Employment Income System and, thus, the affected States were forced to operate their unemployment compensation programs in violation of their own statutes.

These difficulties have been resolved in various ways. Both the Labor Department and the RRB problem were resolved by the routine-use notices SSA published on June 29, 1977. [42 F.R. 33079] In at least one other instance, the Congress overrode a routine-use determination in language so sweeping that it effectively nullifies the routine-use concept. In September 1976, the Congress amended the Veterans Administration's enabling legislation to require the head of any Federal department or agency to

provide such information to the Administrator [of the Veterans Administration] as he may request for purposes of verifying other information with respect thereto. [38 U.S.C. 3006]

In other situations, agencies have pursued more than one solution to the same problem. The Civil Service Commission, which is the agency responsible for most Federal personnel files, did not issue its guidelines on disclosures to labor unions representing Federal employees until 15 months after the Privacy Act took effect. Part of the reason for the delay was the CSC's effort to coordinate the drafting with the Federal employees labor union. Meanwhile, however, the Department of Defense and the Veterans Administration reduced the amount of information they were willing to give out to labor unions, while DHEW made no change. The American Federation of Government Employees was often excluded from labormanagement negotiations in which information in records subject to the Privacy Act was to be discussed unless the union first obtained the express written consent of all employees concerned. The USPS was charged with an unfair labor practice for refusing to disclose certain records subject to the Privacy Act. At the VA, unions were not allowed to review merit promotions at all, whereas at DHEW merit promotion records were released with the names removed in response to a Freedom of Information Act request.

The confusion was finally dispelled at the end of December 1976 when the Civil Service Commission published Federal Personnel Manual (FPM) Letter 711-126 explaining a routine-use notice it had published two weeks earlier. The notice provided that information about an individual could be disclosed to labor unions without his consent "when relevant and necessary to their duties of exclusive representation concerning personnel policies and practices and matters affecting working conditions." The CSC, however, instructed the officials responsible for making such disclosures to provide information whenever possible without personal identities attached, and to withhold highly sensitive information that could reasonably be expected to harm the individual if disclosed, unless and until the individual authorizes its release. This was interpreted to mean that information concerning salary, title, veterans' preference, and awards received should be released, but information concerning marital status, age, grades in training courses, allegations of misconduct, or proposed disciplinary actions should not.84

At least one other knotty routine-use problem was resolved by avoiding the compatibility criterion altogether. Within days of enacting the Privacy Act, the Congress passed another law that authorized State parentlocator units to obtain information on absent parents from the Social Security Administration. SSA, however, interpreted such disclosures as incompatible with the purpose for which the information in its files was originally collected and thus resisted establishing them as a routine use. The matter was resolved when the DHEW Secretary decided that the DHEW Parent Locator Service (at the time administered by the Social and Rehabilitation Service, another DHEW component) could obtain the information from SSA on an intra-agency "need-to-know" basis (i.e., as provided in subsection 3(b)(1) of the Act) and then disclose it to the States as a routine use (i.e., as provided in subsection 3(b)(3)).85

Some agencies have also decided that a statutory requirement to disclose information enacted before the Privacy Act can be construed as automatically meeting the compatible-purpose test.86 On its face, such a determination seems reasonable, but it also assumes that each of the many disclosure requirements in the U.S. Code would survive an examination that weighed the recipient agency's need for the information against the individual's interest in protecting his personal privacy. An even murkier area is where a preexisting statute authorizes but does not require a disclosure that would not meet the Privacy Act's compatible-purpose test. How such statutory authorization should be treated is an area of interpretative controversy that remains largely unresolved.

Finally, some officials claim that agencies have begun to "trade" routine uses. That is, when one agency wants information maintained by another, it asks the agency holding the information to publish a routine use allowing the information to be disclosed to it, and the holding agency agrees so long as the requesting agency in turn publishes a reciprocal routine use allowing information in its records to flow the other way. There is nothing illegal about this so long as all published routine uses meet the compatiblepurpose test. Yet, from a privacy protection viewpoint, it would seem preferable for an agency that wants information about an individual from another agency to require the individual to sign an authorization allowing it to acquire the information it seeks rather than to handle the matter as a quid pro quo arrangement, of which the individual is likely to be unaware