Except for the two subsections of the Privacy Act that authorize criminal sanctions against Federal employees (for failing to publish an annual system notice or for knowingly and willfully making an unauthorized disclosure of a record about an individual), action by the individuals on whom agencies maintain records is the primary means of making sure that the Act has its intended effect on agency record-keeping practices. The Act gives the individual five instruments for encouraging agency compliance: (1) a right of access to a record an agency maintains about him; (2) a right to seek correction or amendment of such a record; (3) a right to review the accounting an agency must keep of the external disclosures it makes of a record about him; (4) a right to comment on an agency's proposed procedures for implementing the Act; and (5) a right to sue an agency under specified circumstances if he believes it has failed to comply with the Act or with its own rules for implementing it.
As explained earlier, unless a record has been exempted from the individual access requirement under subsections 3(j) or 3(k), subsection 3(d)(1) of the Act gives an individual the right to see and copy it. Equally important, subsection 3(d)(2) gives an individual the right to request correction or amendment of a record pertaining to himself; and, if the agency refuses, to request a review and possible reversal of its refusal, initially by the head of the agency (as provided in subsection 3(d)(3)), and ultimately by a Federal court (as provided in subsection 3(g)(1)(A)). Moreover, if the agency head refuses to make the requested change, the individual is entitled to file a concise statement of his side of the dispute which the agency must forward to certain past and all future recipients of the disputed information.
There are no reliable data on the number of requests individuals have made for records about themselves since the Privacy Act took effect. Nor are there reliable data on the types of records individuals have asked to see and copy. Apart from the requests made to agencies like the Federal Bureau of Investigation and the Central Intelligence Agency, most requests seem to have come from agency employees. For example, the Department of Defense has reported that in 1976, 90 to 95 percent of its requests came from current or former DOD employees.57 Similarly, the Civil Service Commis-sion, Bureau of Personnel Investigations, reports that as of August 27, 1977, it had received 2,856 requests from individuals seeking access to files resulting from investigations of their suitability for employment by the Federal government or its contractors.58 The U.S. Information Agency (USIA) noticed a significant increase in the number of employee requests for access to personnel and security files following the training sessions it conducted on Privacy Act compliance.59 Nonetheless, given the number of records agencies maintain about individuals (3.85 billion as of December 31, 1976), it would appear that overall there have been very few access requests.
Leaving aside the Department of Defense which counted 116,505 requests in 1975 (56,281 of them from current employees),60 all the agencies combined reported approximately 15,855 requests during the first three months after the Act took effect 61 The actual figure was probably somewhat higher. Some unknown number of requests, by Federal employees, were not counted because they were made under agency access procedures that antedated the Privacy Act, while other would-be Privacy Act requests, by members of the public, were counted as Freedom of Information Act requests. The FBI estimates that close to 90 percent of the Freedom of Information Act requests it receives are requests by individuals trying to find out if the agency maintains a record on them.62 Overall, however, the number has not been great and also appears to be declining. In the summer of 1976, the FBI and the CIA both had a large backlog of Privacy Act and Freedom of Information Act requests, resulting in processing delays of up to nine months at the FBI.63 By the fall of 1976, however, both agencies reported that the number of new requests was decreasing, with the CIA's requests dropping about 90 percent.64 The President's 1976 annual report on the Privacy Act singled out the Justice Department as the only agency reporting a significant number of access requests-35,723 in all.65
Requests to correct or amend records and to file statements of disagreement have also been infrequent as have requests to review the agencies' accountings of disclosures of records about individuals. In 1976, DHEW reported receiving 19,202 requests for amendment of personnel records, of which only 79 were denied.66 The Department of Defense received 11,043 and fully granted 10,899, partially granted 50, and denied 94.67 The number of reported appeals of access and amendment denials was 1,852 (1,556 of them at the Justice Department which includes Freedom of Information Act appeals in its count).68
In general, there has been less use of the Act and less evidence of public interest in it than was predicted at the time the legislation was enacted. In addition to an unexpectedly small number of access and correction requests, the agencies, in their 1975 annual reports, said that they had received only 30 sets of comments on their publications in the Federal Register, four of them from other government agencies and one from an employee union .69 In the President's 1976 annual report, only five agencies were said to have received comments from the public on their rules and system notices.70
In part, this less than expected utilization of the Act can be attributed to the difficulty of finding out how to use the Federal Register, and of wending one's way through the maze of agency Privacy Act procedures. The Department of Defense appears to have received an unusually large number of access requests because of the number of records it maintains on civilian and military employees, both past and present, and because of its extensive training program. However, there is also reason to believe that use of the access right, in particular, can be strongly affected by how much confidence the public has in an agency's record-keeping operations. The comparatively large number of requests to the FBI and the CIA would certainly seem to bear that out.
There is also some evidence that the Act has served to strengthen preexisting access and correction rights. For example, the Coast Guard claims that while it has long had procedures for giving its employees access to their personnel records, the Privacy Act has made it easier for them to get their personnel records corrected.71 Individuals today also seem to find it much easier to gain access to the medical records and employment-related investigatory files that agencies maintain on them. The effect of the changes on agency practices governing the collection, use, and disclosure of records about individuals is the subject of Chapter 2, below. The Commission's general conclusion is that their impact has been much less than was originally anticipated, but, on the other hand, there is evidence that they could be an effective force for change in agency practice if the Act were clarified and strengthened.
As to the Act's civil remedies, the district courts of the United States have jurisdiction over all actions brought to enforce the Privacy Act's requirements. Civil actions by individuals are provided for in subsection 3(g). Stated briefly, an individual has a cause of action whenever an agency makes a determination not to correct or amend a record (subsection 3(g)(1)(A)); refuses him access to a record (subsection 3(g)(1)(B)); fails to maintain a record properly (subsection 3(g)(1)(C)); or fails to comply with any, other provision of the Act (subsection 3(g)(1)(D)). In suits to correct or amend or to obtain access to a record, the court is directed to determine the matter de novo and, if the complainant substantially prevails, the court may direct the government to pay his attorneys fees and other reasonable litigation fees incurred.
In cases brought under subsections 3(g)(1)(C) and 3(g)(1)(D), the court is also empowered to grant attorneys fees and litigation costs. Furthermore, upon a showing that the agency's actions were (1) intentional or willful, and (2) resulted in demonstrable injury to him, the complainant is entitled to a monetary judgment in an amount equal to his actual damages or $1,000, whichever is greater.
As is characteristic of a new statute, case law under the Privacy Act has been slow to develop. In a memorandum dated November 12, 1976, the Information and Privacy Section of the Department of Justice reported a nationwide caseload of approximately 70 ongoing court actions. Over 20 of these involved requests for records and most were being treated as Freedom of Information Act rather than Privacy Act requests. Another group of about 20 was made up of actions under subsection 3(g)(1)(A)-to force an agency to amend some portion of an individual's record. One recent case has been won on the merits by the government, the trial judge holding that the plaintiff had failed to carry his burden of proof. Some 15 individuals have sought injunctions against the disclosure of information by an agency and about a dozen have sought damages under subsections 3(g)(1)(C) or 3(g)(1)(D).72 No case seeking damages has yet been decided against the government, although one has recently been settled out of court.73
One case that bears mention involves a class action suit in the United States District Court of Northern California brought by the American Civil Liberties Union (ACLU) on behalf of a number of applicants for federally guaranteed student loans. The DHEW Guaranteed Student Loan Program included on its application a blanket statement authorizing it to disclose student-supplied information as necessary in the course of processing and servicing a loan. Its final paragraph stated:
I understand that as a result of this consent, the U.S. Office of Education will not keep an accounting of disclosures of information regarding the application and loan [45 C.F.R. 5ó.9(c); 40 F. R. 47413 (October 8, 1975)], since this notice informs me of the uses which may be made of the information. (emphasis added)
The ACLU withdrew its suit after the Office of Education agreed to delete the authorization statement and to process the 1,500 applications that had been set aside because of the applicants' refusal to sign it.74
The Privacy Act also establishes criminal penalties for certain knowing and willful violations of its requirements. Subsection 3(i) provides that an officer or employee of an agency may be found guilty of a misdemeanor and fined up to $5,000 for knowingly and willfully disclosing individually identifiable information, the disclosure of which is prohibited by the Act or agency regulations thereunder, or for willfully failing to publish an annual Federal Register notice on a system of records. The same penalties may also be assessed against anyone who knowingly and willfully requests or obtains an agency record about an individual under false pretenses. Numerous allegations of criminal violations of the Act have been made to the Public Integrity Section of the Department of Justice but almost all have involved conduct that can best be described as negligent rather than knowing and willful. Thus far, only one case has been prosecuted.75