The Privacy Act of 1974: An Assessment. APPENDIX 4 TO The Report of The Privacy Protection Study Commission.. Notes

01/07/1977

1 This chapter has previously been published as Chapter 13 of Personal Privacy in an Information Society, the Privacy Protection Study Commission's fmal report to the President and the Congress.

2 DHEW Secretary's Advisory Committee on Automated Personal Data Systems, Records; Computers and the Rights of Citizens (Washington: U.S. Government Printing Office, 1973), p. 41.

3 This identification of eight principles results from Commission analysis, not a specific Congressional statement.

4 The Act defines a "record" as "any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." [5 U.S.C. 552a(a)(4)J

5 Two examples will illustrate the extremes of agency implementation of the "system of records" provision. A small component of one agency rearranged its personnel records by Civil Service grade, instead of individual identifier, in order to avoid the Act's requirements. The Department of the Navy, on the other hand, elected to bring a file of interview records under the Act even though they were filed (and hence retrieved) by the date of the interview.

6 An "attribute search," contrary to the more common "name search," or "index search," starts with a collection of data about many individuals and seeks to identify those particular individuals in the system who meet the prescribed conditions or who have the prescribed attributes.

7 The "Privacy Act Statement" contains the authority for the solicitation of the information, the principal purposes for which it will be used, its "routine uses," and the effect on the individual of not providing the information. [5 U.S.C. 552a(e)(3)]

8 5 U.S.C.. 552(b)(5).

9 5 U.S.C. 552(b)(6).

10 U.S. Office of Management and Budget, "Privacy Act Implementation: Guidelines and Responsibilities" (hereinafter OMB Guidelines), 40 F.R. 28948-78 (July 9, 1975).

11 5 U.S.C. 552a(j).

12 5 U.S.C. 552a(e)(1).

13 5 U.S.C. 552a(e)(2).

14 5 U.S.C. 552a(e)(3).

15 Section 7 of Public Law 93-579.

16 5 Ú.S.C. 552a(e)(7).

17 For a more detailed discussion of the Social Security number issue, see Chapter 16 of the Commission's final report.

18 OMB Guidelines, p. 28953.

19 41 F.R 40015 (September 16, 1976).

20 Ofrice of Management and Budget, Implementation of the Privacy Act of 1974, Supplementary Guidance, 40 F.R. 56741-43 (December 4, 1975).

21 5 U.S.C. 552a(b)(2).

22 5 U.S.C. 552(b)(6).

23 5 U.S.C. 552a(e)(1).

24 5 U.S.C. 552a(e)(3).

25 5 U.S.C. 552a(e)(4).

26 5 U.S.C. 552a(e)(5).

27 5 U.S.C. 552a(c)2).

28 5 U.S.C. 552a(e)10).

29 Written statement of the Bureau of Health Insurance, Social Security Administration, Medical Records, Hearings before the Privacy Protection Study Commission, July 20, 1976, p. 11.

30 U.S. National Bureau of Standards (Department of Commerce), Guidelines for Automatic Data Processing Physical Security and Risk Management, June, 1974.

31 U.S. National Bureau of Standards (Department of Commerce), Computer Security Guidelines for Implementing the Privacy Act, May 30, 1975.

32 5 U.S.C. 552a(i).

33 Letter from Hon. Bert Lance, Director, Office of Management and Budget, to Senator Abraham A. Ribicoff, Chairman, Committee on Governmental Affairs, United States Senate, March, 1977, including a report on Costs of Implementing the Privacy Act of 1974, p. 5.

34 As of December 21, 1975, there were 6,723 systems of records of varying size containing 3.8 billion records about individuals which had been declared.

35 Letter from Hon. Bert Lance to Senator Ribicoff, op. cit.

36Federal Register, Volume 8, Number 237, November 30, 1943. This order provides that whenever a head of a Federal agency "fmds it advisable to establish a new system of permanent account numbers pertaining to individual persons, [he] shall utilize exclusively the Social Security Act account numbers. . . . " This was ordered "in the interest of economy and orderly administration." (See Chapter 16 of the Commission's final report for a more detailed discussion of this topic.)

37 Between April 1971 and February 1974 the FBI monitored requests for information in the NCIC made by State and local government agencies. The monitoring was conducted on behalf of the Department of Justice and other agencies of the Federal Government. The monitoring involved flagging the names of persons in whom the Federal agencies had some interest, including 4,700 who had no criminal record. In other words, any inquiry by a State or local government agency that included a flagged name was automatically noted and recorded for later examination by Federal agents. See letter of July 18, 1975, from Hon. John V. Tunney, U.S. Senator, to Hon. Harold Tyler, Deputy U.S. Attorney General; letter of August 29, 1975, from Hon. Harold Tyler to Hon. John V. Tunney.