DHEW's compliance with the Privacy Act is coordinated through the Fair Information Practice (FIP) Staff of the Office of the Assistant Secretary for Management and Budget. The DREW Fair Information Practice staff is unique among Federal agency Privacy Act units in that it traces its organizational ancestry to the staff of the Secretary's Advisory Committee on Automated Personal Data Systems, whose report, Records, Computers, and the Rights of Citizens,53 influenced the drafting of the Privacy Act of 1974. (It is also unusual for having staffing and coordinating functions with respect to other privacy protection statutes and regulations, such as the Family Educational Rights and Privacy Act of 1974, the so-called Buckley-Pell Amendments.) The FIP staff, one member of which serves as the Department's Privacy Coordinator, is responsible for all DHEW Federal Register publications concerning record-keeping systems and practices subject to the Privacy Act, and it reviews all DHEW proposals to establish new systems of records.
In addition, each major component of the Department has its own Privacy Act Coordinator, and each component is free to publish supplemental directives which, when appropriate, are reviewed by the Fair Information Practice Staff for compatibility with Departmental directives. Privacy Act coordinators serve on the Department's Legal Policy Working Group, which is jointly chaired by the Fair Information Practice Staff and the Office of the General Counsel. The Working Group meets periodically to examine legal and policy questions raised by the Privacy Act and otherwise to assist in coordinating the Department's implementation of the statute.
The Department's administrative procedures manual has been amended to include separate chapters on information practices under the Privacy Act and to establish guidelines for compliance. There is also an ongoing computer security program within the Department and a Departmental team has been conducting a year-long inspection of DHEW computer facilities aimed at establishing and maintaining the degree of data security the Act requires. Each component, however, is responsible for regular audits of its own operations.