The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.. New System Reports

01/07/1977

Subsection 3(o) of the Privacy Act requires each agency to:

. . . provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individuals or the disclosure of information relating to such individuals, and its effect on the preservation of the Constitutional principles of federalism and separation of powers. [5 U.S. C. 552a(o)]

The objective of this requirement is to facilitate anticipatory oversight of agency record-keeping practice.28 The Senate draft of the Privacy Act included a "Privacy Protection Commission" with authority to determine whether a proposed record-keeping system, or system change, would meet the privacy protection standards called for in the Senate bill. In the subsequent legislative compromise, this oversight function was assigned to the Congress and the Office of Management and Budget, both of which now receive the agencies' new system reports.

Compared to the annual system notices, the documents justifying and explaining a new system are supposed to be much more detailed and informative. The OMB Guidelines require that a new system report describe:

(a) the purpose(s) of the system of records;
(b) the authority for maintaining the system of records;
(c) the probable or potential effect of the system upon "privacy and other personal or property rights of individuals" and its effect upon "the preservation of the constitutional principles of federalism and separation of powers;" and
(d) the steps taken by the agency to minimize the risk of unauthorized access to the system of records and a discussion of higher or lower risk alternatives which were considered.29

In addition, an agency must file such a report, not only when it proposes to establish a new system of records, but also whenever it proposes to make any change in an existing system of records which:

(1) increases or changes the number or types of individuals on whom records are maintained . . . [The standard to be applied is that any change which] significantly alters the
character and purpose of the system of records [shall require a new system report] . . .;
(2) expands the type or categories of information maintained
(3) alters the manner in which the records are organized or the manner in which the records are indexed or retrieved so as to change the nature or scope of those records . . .;
(4) alters the purpose for which the information is used . . .; and
(5) changes the equipment configuration (i.e., hardware and/or software) on which the system is operated so as to create the potential for either greater or easier access . . . .30

Each new system report must be accompanied by an advance copy of the new or revised annual system notice; an advance copy of any new Privacy Act regulations or changes to published regulations that pertain to the system; and an advance copy of any proposed regulations setting forth the reasons why the system is to be exempted from any of the Privacy Act's requirements.31 It must be filed

60 days before an issuance of data collection forms and/or instructions, or 60 days before any public issuance of a Request for Proposal or Invitation to Bid for computer and/or communications systems or services intended to support the system of records.32

All new system reports must be transmitted in duplicate to the President of the Senate, who forwards them to the Senate Committee on Governmental Affairs; to the Speaker of the House, who forwards them to the House Subcommittee on Government Information and Individual Rights; to the Office of Management and Budget; and (during its lifetime) to the Privacy Protection Study Commission. OMB procedures allow for the 60-day advance notice requirement to be waived, and in 1976 it received requests for waivers from 12 agencies with respect to 467 systems. Of these, 439 were approved; two were denied; and 26 were withdrawn or not acted upon.33

The Senate Committee on Governmental Affairs has assigned the task of analyzing the reports to a staff member who contacts the agency in question or the OMB office responsible for evaluating the reports, if any procedures or practices described in one of them seem to be in conflict with either the letter or the spirit of the Act. The House Subcommittee procedure is identical. A staff member reads the incoming report and, if anything appears untoward, contacts OMB. On one occasion, the Congressional Office of Technology Assessment (OTA) has also been formally contacted for evaluation of a new system proposal.

At OMB the reports are all logged by the Information Systems Division, which arranges for an announcement to be published in the Federal Register that a new system report has been received. These announcements are not required by the Act and thus far, few of them have elicited any public comment. The Information Systems Division reviews each report for compliance with the Act and concurrently sends one copy to an OMB budget examiner who reviews it for consistency with established budget guidelines. This last step is most useful when the proposal involves a major system of records, such as the Veterans Administration's new TARGET system or the Internal Revenue Service's Tax Administration System (TAS). Otherwise, the budgetary impact tends to be below the examiner's threshold of significant concern.

In 1976, 25 agencies submitted 75 new system reports covering 808 systems.34 To increase visibility OMB published a bi-weekly summary of them in the Federal Register.35

The principal problem with the new system reports has been the lack of staff to evaluate them and the ambiguity of many of the statutorily prescribed evaluation criteria. Nonetheless, OMB officials believe that the new system reports requirement has had a significant and beneficial effect, while others contend that it has discouraged the establishment of some questionable systems. The FBI, for example, has apparently abandoned its plan to establish a system on known or alleged terrorists,36 and the Department of the Navy has scaled down an extensive attitudinal study of personnel being assigned overseas .37