The Privacy Act of 1974 applies to an "agency" as defined in subsection 552(e) of the Freedom of Information Act (FOIA) and to certain government contractors as defined by its own subsection 3(m). [5 U.SC 552a(m)] The original FOIA, passed in 1966, contained no definition of an agency, relying instead on the Administrative Procedures Act (APA). The APA defines an agency as "each authority of the government of the United States, whether or not it is within or subject to review by another agency . . . ." [5 U.S.C 55](1)] In 1971, in Soucie v. David [448 F2d. 1067,1073], this definition was interpreted by the Court of Appeals for the District of Columbia to mean that an agency is "any administrative unit with substantial independent authority in the exercise of specific functions." In other words, as the Attorney General later put it, there may be "agencies within agencies.1
In the autumn of 1974, just prior to enacting the Privacy Act, the Congress amended the Freedom of Information Act, in part to clarify and expand the classes of organizational entities to which the FOIA would apply. No longer relying solely on the APA definition, the Congress specifically defined the term "agency" to include
. . . any executive department, military department, Government corporation, Government controlled corporation, or other estab-lishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency. [5 U.S. C. 552(e)]
The House report on the 1974 Freedom of Information Act amend-ments states that this definition includes establishments such as the U.S. Postal Service (USPS), and, within the Executive Office of the President, the Office of Management and Budget (OMB), the Council of Economic Advisers (CEA), and the National Security Council (NSC). It also includes corporations controlled by the government but not wholly owned by it, along with wholly government-owned corporations established by Congress, such as the Tennessee Valley Authority and the Federal Crop Insurance Corporation. It does not, however, include corporations that simply receive appropriated funds, such as the Corporation for Public Broadcasting, nor does it include the President's immediate personal staff or units in the Executive Office of the President whose sole function is to advise and assist the President 2
In an April 1975 letter to the Office of Management and Budget, the Justice Department advised on the Privacy Act implications of the new FOIA definition as follows:
. . . it is our firm view that . . . it is for the over-unit-the Department or other higher-level "agency"-to determine which of its substantially independent components will function indepen-dently for Freedom of Information Act purposes. Moreover, as the Attorney General [has] noted . . ., "it is sometimes permissible to make the determination differently for purposes of various provi-sions of the [FOIA]-for example, to publish and maintain an index at the over-unit level while letting the appropriate subunits handle requests for their own records." (Attorney General's Memorandum on the 1974 Amendments to the Freedom of Information Act, February, 1975, p. 25). In our view, this practice of giving variable content to the meaning of the word "agency" for various purposes can be applied to the Privacy Act as well as the Freedom of Information Act. For example, it may be desirable and in furtherance of the purposes of the Privacy Act to treat the various components of a Department as separate "agencies" for purposes of entertaining applications for access and ruling upon appeals from denials, while treating the Department as the "agency" for purposes of those provisions limiting intragovernmental exchange of records. (Of course, dissemination among components of the Department must still be only on a "need-to-know" basis.) [5 U.S.C. 552a(b)(1)]. Needless to say, this practice must not be employed invidiously, so as to frustrate rather than to further the purposes of the Privacy Act; and there should be a consistency between the practice under the Privacy Act and the practice for comparable purposes under the Freedom of Information Act.3 .
The Justice Department's position has been reaffirmed by OMB which incorporated it in the OMB Guidelines on Privacy Act Implementation.4 The interpretation that emerges is clearly one based on function, not organiza tion. The agencies can use varying definitions of agency for varying functional purposes, regardless of the organizational structures involved. The only restriction is that the definitions adopted should not needlessly frustrate the purposes of the Act and, by and large, the definitions the agencies have adopted have not done so. The one problem, discussed in Chapter 2, below, is that to allow for the free flow of information about individuals within its own organizational boundaries, each agency has defined itself as an agency at the highest possible level. Thus, within a Cabinet Department that operates many different programs, it is theoreti-cally possible for a record about an individual maintained by one program to be available to all the others on a need-to-know basis. So far, however, there is no evidence that the flexibility the Act allows in that regard has been abused.
Government contractors are another category of entities to which the Privacy Act applies. Subsection 3(m) of the Act provides that:
When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of . . . [the Act] to be applied to such system. For purposes of subsection (i) [the criminal penalties provision] of [the Act] any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of [the Act], shall be considered to be an employee of an agency. [5 U.S.C. 552a(m)]
The legislative history of subsection 3(m) is unclear regarding the Congress' intent. The drafters of the Senate bill were primarily concerned with the flow of criminal-history records to and from State and local governments, and with the amount of money that had been spent through Federal grants to establish State and local criminal justice information systems. Thus, the Senate bill would have extended the provisions of the Privacy Act to contractors or grantees in situations where the purpose of the contract or grant was to establish or alter a system of records. The compromise amendment, however, permitted Federal law enforcement agencies to exempt most of their contractors from the Act's coverage, and also removed all grantees from the purview of the Act.
The OMB Guidelines state that subsection 3(m) was intended to cover de facto as well as de jure Federal agency systems;5 that is, to cover systems "taking the place of Federal systems which, but for the contract, would have been performed by the agency and covered by the Privacy Act "6 In practice, however, deciding when a contractor's system exists to "accom-plish an agency function" has often been difficult. The OMB Guidelines say that to fall under subsection 3(m) a contract would normally provide, as one of its specific requirements, that the contractor operate a system of records. Nonetheless, a contract that does not mention a system, but which can be performed only by the operation of one, would be covered; while the Act would not reach a contractor's system "used as a result of his management discretion," such as the personnel system of a large defense contractor.7
The difficulties and pitfalls in interpreting subsection 3(m) are exemplified by the following paragraph in a May 14, 1976, memorandum from the DHEW General Counsel to all of the Department's Privacy Act contacts and procurement officers:
It is fair to conclude that a system of records established by an HEW contractor for the purpose of enabling the contractor to prepare and submit to the HEW contracting agency statistical or other reports is not a system "actually taking the place of a Federal system which, but for the contract, would have been performed" by the agency. Where the contracting agency is interested only in obtaining the results of the research or other work performed under the contract (generally in the form of a report) and does not require the contractor to furnish it individually identifiable records from the system established by the contractor, it cannot be said that the system is one which "but for" the contract, the agency would have established.8
Strictly speaking, this interpretation is consistent with the OMB Guidelines, even though the memorandum goes on to advise DHEW contracting officers to incorporate into contracts, where appropriate, ". . . the provisions designed to protect the confidentiality of the records and the privacy of individual identifiers in the records." However, a position opposite to the memorandum's basic position would also be easy to defend. That is, if the study were not funded, the records would not exist, and thus the Federal government should not consider itself wholly without responsibility for the contractor's record-keeping practices. Moreover, it is widely recognized that subsection 3(m) excludes grantees who often perform functions that are indistinguishable in practice from the functions contractors perform.