The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission. Guidance on Implementation

01/07/1977

The Senate draft of the bill that became the Privacy Act of 1974 provided for a Privacy Protection Commission with power to interpret the Act and to enforce compliance. This was strongly opposed by the Executive branch, and by the House, both of which favored making each agency fully responsible for its own implementation of the Act. In the end, it was agreed that each agency would be responsible for its own implementation, but that the Office of Management and Budget would have a limited guidance and oversight role. Thus, Section 6 of the Privacy Act directs OMB to:

(1) develop guidelines and regulations for the use of agencies in implementing the provisions of [the Privacy Act]; and
(2) provide continuing assistance to and oversight of the implementation of the provisions of the Act by agencies.

As a first step in fulfilling this mandate, OMB, on July 1, 1975, issued Circular A-108, "Responsibilities for the Maintenance of Records About Individuals by Federal Agencies" [40 F.R. 28948]. A-108 directed all Executive branch agencies to establish specified procedures in accordance with the Act and the Guidelines that were attached to it, and delegated the responsibility for issuing additional guidance or directives on specific aspects of Privacy Act implementation to four agencies. The four agencies and their respective responsibilities were:

  • The General Services Administration: responsibility for guidance on the proper Federal Register publication format, archiving procedures, approving forms used exclusively within the Federal government, and agency procurement policies;
  • The Civil Service Commission: responsibility for guidance on personnel training and revision of the Federal Personnel Manual;
  • The National Bureau of Standards (Department of Commerce): responsibility for guidance on computer and data security;
  • The Office of Telecommunications Policy: responsibility for revising Federal agency data-communications policy.

OMB itself established a temporary interagency task force to review agencies' Privacy Act regulations and revised its Federal Reports Act procedures for reviewing forms used to collect information from members of the public.38 On October 3, 1975, OMB issued Transmittal Memorandum No. 1 [40 F.R. 25877], which established the rules for preparing and submitting new system reports; and on December 4, 1975, it issued further "Supplementary Guidance" [40 F.R. 46741], amending and clarifying the Guidelines it had published the previous July. On March 25, 1976, OMB issued Transmittal Memorandum No. 2, instructing agencies how to submit material for use in the President's first annual report to the Congress on Privacy Act implementation. Finally, on May 17, 1976, OMB issued Transmittal Memorandum No. 3 that provided further guidance on preparing new systems reports.

The four agencies to which OMB delegated guidance responsibilities also issued a number of implementation documents over roughly the same period. The General Services Administration issued its Federal Register publication guidelines on June 19, 1975. [40 F.R. 25988] This document outlines a model regulation and prescribes a special encoding system for printing in the Federal Register.

On September 26, 1975, GSA published Federal Procurement Regulations Amendment 155 [40 F.R. 44502], establishing procedures for complying with subsection 3(m) of the Act regarding government contractors. This was followed by Temporary Federal Property Management Regulation E-42 [40 F.R. 48733], published on October 7, 1975. This temporary guidance contained an "ADP and Telecommunications Requirements Checklist" for use in all automated data processing (ADP) and telecommunications equipment and service procurement proposals. Its expiration date, March 1, 1978 at this writing, has been extended three times.

On October 24, 1975, GSA published Temporary Federal Property Management Regulation E-43 [40 F.R. 49936], which establishes privacy protection and data security rules for automated data-processing and telecommunications systems. These include requirements applicable to interagency services, and specify the responsibilities of user agencies, provider agencies, and contractors. Temporary Regulation E-43 became a final regulation on April 7, 1976, when it was published as Federal Property Management Regulation Amendment E-184, "Government-Wide Automatic Data Management Services." [41 F.R. 14732] GSA has since published Federal Property Management Regulation Amendment F-26, a technical cross-referencing amendment [41 F.R. 22938 (June 8, 1976)], and Federal Property Management Regulation Amendment E-197. The latter, published on November 4, 1976 [41 F.R. 48519], contains a model contract clause allowing government agency access to contractor facilities and records for the purpose of conducting privacy safeguard inspections.

OMB delegated responsibility for personnel training and for revising the Federal Personnel Manual to the Civil Service Commission (CSC). On September 30, 1975, the Commission published two sets of amendments to Title 5 of the Code of Federal Regulations setting forth basic policy on the maintenance of personnel records. [40 F.R. 45094] On December 4, 1975, the CSC published a further amendment to Title 5 establishing procedures for determining when a source in a government background investigation may be promised confidentiality. [40 F.R. 56651] On December 30, 1976, it published Federal Personnel Manual (FPM) Letter 711-126 explaining the circumstances in which information about an individual can be released to labor unions.39

The National Bureau of Standards (NBS) was given responsibility for guidelines on computer and data security. On May 30, 1975, it published Federal Information Processing Standards (FIPS) Publication 41, "Computer Security Guidelines for Implementing the Privacy Act of 1974."40 This was followed in October 1975 by an Index of Automated System Design Requirements.41

Finally, OMB Circular A-108 delegated, to the White House Office of Telecommunications Policy (OTP), responsibility for revising Federal agency data-communications policy to the extent necessary to bring it into compliance with the Privacy Act. OTP began soliciting comments on its draft circular at the end of December 1976, but it is not clear when the circular will be published in final form. The draft covers topics such as operational control of communications networks, the interconnection of telecommunications networks, dedicated data-communications networks, and communications security devices.

The chronology of all these documents is worth noting as it highlights the fact that much of the formal guidance to the agencies was not published until after the Privacy Act was already in force. The Act established September 27, 1975, as the date on which the agencies were supposed to have published their system notices and Privacy Act regulations, and to have their internal operating procedures and training programs in place. As of September 27, however, most of the guidance documents were still not available, largely because the agencies responsible for preparing them were still working on them. Moreover, neither OMB nor any of the other agencies with guidance responsibilities have subsequently played an aggressive role in making sure that the agencies are equipped to comply with the Act and are, in fact, doing so. OMB continues to comment on agency regulations promulgated under subsection 3(f) of the Act and watches the Federal Register for agency initiatives whose privacy implications have not been recognized. On March 7, 1977, the new OMB Director issued a memorandum to all agencies calling for "particular emphasis on eliminating or curtailing systems containing personal information."42 Yet, much of the early momentum appears to have been lost. Most important, there seems to be more variation in agency practice under the Act than is necessary, and certainly more than is desirable if a prime object of the Act is to make it easy for individuals to have a say in how agencies collect, use, and disseminate records about them.