Back in the late 60s and early 70s, the government had gotten itself into a bit of a problem. The Government and the Committee to Reelect the President (aka CREEP - No, I am not making that up-) - that President being President Nixon - had gotten into the habit of intruding on the privacy of citizens, conducting surveillance, and building files on individuals suspected to be threats to the State, or at least people that annoyed the President. In the backlash from Watergate, came, among other things, the Privacy Act of 1974, designed to curtail the ability of the government to build those files and empower citizens ability to control the gathered and held concerning them.
As a 1974 statute, the Privacy Act would not be said to have been directed at or conscious of the Internet. However, as a result of this law, Federal online sites find themselves under powerful privacy protection (unlike the private sector which is relatively unrestrained with regard to data collection). The Act "attempts to regulate the collection, maintenance, use, and dissemination of personal information by federal executive branch agencies." [DOJ]
The general thrust of the Privacy Act is to restrain the ability of a Federal agency to disclose personal information that it has collected.
No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.
[5 U.S.C. § 552a(b)].
A "record" is defined as any item, collection, or grouping of information about an individual that is maintained by an agency. A record in question would be one with a unique identifier that could connect that information to a specfic individual. The Privacy Act governs, for example, government collection and use of social security numbers.
The Privacy Act protects U.S. citizens and lawful permanent residents. It does not protect corporations or organizations. It also does not protect deceased individuals.
The federal government has ten major privacy procedures when dealing with records [5 USC s 552a(e)]:
- Limit collection
- Ensure information is accurate, timely, relevant and complete
- Public notice of system of records
- Information safeguards
- Privacy Impact Assessments
- Disclose information collection
- Train employees on Privacy Act
- Establish computer matching agreements (Computer Matching Act)
- Compliance Review
- Provide for a individuals ability to review and correct data
This rule has 12 expansive exceptions:
- need to know,
- required FOIA disclosure,
- routine use,
- Bureau of the Census,
- statistical research,
- National Archives,
- law enforcement request,
- health or safety of an individual,
- Congress,
- General Accounting Office,
- court order, and
- debt collection.
Most of these are permissive, not mandatory exceptions. Individuals have a right to access, review and correct information collected concerning themselves. [5 U.S.C. § 552a(d)]
Enforcement: If a government official
- Knowing disclosure of personally identifiable information;
- Willfully maintain indentifiable info without meeting the public notice requirements; or
- Knowingly and willfully request or obtain reocords concerning an individual under false pretenses
Penalties include criminal misdemeanor and fines of up to $5000 under the Privacy Act and potential disciplinary action.
The Department of Justice has an extensive guidance on the Privacy Act: US DOJ, Overview of the Privacy Act of 1974 (May 2002).
