Federal Internet Law & Policy
An Educational Project

Privacy Act

Dont be a FOOL; The Law is Not DIY

For you young'uns,
Nixon is the one on the left

Back in the late 60s and early 70s, the government had gotten itself into a bit of a problem. The Government and the Committee to Reelect the President (aka CREEP - No, I am not making that up-) - that President being President Nixon - had gotten into the habit of intruding on the privacy of citizens, conducting surveillance, and building files on individuals suspected to be threats to the State, or at least people that annoyed the President. In the backlash from Watergate, came, among other things, the Privacy Act of 1974, designed to curtail the ability of the government to build those files and empower citizens ability to control the gathered and held concerning them.

As a 1974 statute, the Privacy Act would not be said to have been directed at or conscious of the Internet. However, as a result of this law, Federal online sites find themselves under powerful privacy protection (unlike the private sector). The Act "attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies." [DOJ]

The general thrust of the Privacy Act is to restrain the ability of a Federal agency to disclose personal information that it has collected.

[5 U.S.C. 552a(b)].

The agency that maintains a system of records must comply with requirements set forth in 5 USC § 552a(e) including

The Privacy Act protects U.S. citizens and lawful permanent residents. It does not protect corporations or organizations. It also does not protect deceased individuals.

The Privacy Act applies to Federal Agencies and to Federal Contractors. [5 U.S.C. § 552a(m)] OMB Guidelines,PDF 40 Fed. Reg. 28,948, 28,951, 28,975-76, (July 9, 1975). FAR Subpart 24-1, Protection of Individual Privacy; FAR 52.224-1 - 52.224-2 (2010). This is relevant as Feds consider Cloud Computing through third party vendors.

The federal government has ten major privacy procedures when dealing with records [5 USC s 552a(e)]:

This rule has 12 expansive exceptions:

  1. need to know,
  2. required FOIA disclosure,
  3. routine use,
  4. Bureau of the Census,
  5. statistical research,
  6. National Archives,
  7. law enforcement request,
  8. health or safety of an individual,
  9. Congress,
  10. General Accounting Office,
  11. court order, and
  12. debt collection.

Most of these are permissive, not mandatory exceptions. Individuals have a right to access, review and correct information collected concerning themselves. [5 U.S.C. § 552a(d)]


To engage in data collection, a federal agency needs a System of Records Notice (SORN) [5 USC § 552a(e)(4)&(11)] and a Privacy Impact Assessment. OMB Circular A-130

Enforcement: If a government official

Penalties include criminal misdemeanor and fines of up to $5000 under the Privacy Act and potential disciplinary action.

The Department of Justice has an extensive guidance on the Privacy Act: US DOJ, Overview of the Privacy Act of 1974 (May 2002).


Regulatory Activity

© Cybertelecom ::