Enacted during the 93^rd Congress, the Privacy Act of 1974¹ is a product of and response to scandals eroding public trust in the government's handling of personal information, including Watergate and the Federal Bureau of Investigation's Counter Intelligence Program.² At the same time, the environment of information management was changing from paper-based recordkeeping to digital formats, allowing for large quantities of information to be exchanged at speeds and distances not previously possible.

Beyond the expanding quantities and speed of information sharing, these new technologies also raised questions about the ability of the government to appropriately store and secure information on individuals. In their corresponding joint report on the Privacy Act's legislative history, the House and Senate Committees on Government Operations found that the "rapid proliferation, at the Federal level, of data banks in the 1960s and 1970s—containing in excess of 1¼ billion separate records on American residents—lent substance to the worries of many that the nation's tradition of limited government was in jeopardy."³

Congress had previously passed legislation addressing information access and protection, including the Freedom of Information Act (FOIA),⁴ the Fair Credit Reporting Act,⁵ and the Family Educational Rights and Privacy Act.⁶ With regard to government information, the Privacy Act "represents a landmark achievement in securing for each citizen of the United States the right of privacy with respect to confidential information held by the Federal Government" and is the result of conversations on how to manage and mitigate unintended consequences from computerized recordkeeping.⁷

The Privacy Act prescribes how the government is to store agency records with individually identifying information, who may access information on individuals, and when the government may use or disclose it.⁸ Subject to 12 exceptions, the Privacy Act prohibits agency disclosure of records pertaining to an individual without the individual's prior written consent.⁹ Under the act, record means "any item, collection, or grouping of information about an individual that is maintained by an agency" that includes the person's name or another identifier.¹⁰

In addition, the act assigns responsibility to the director of the Office of Management and Budget (OMB) to develop and issue guidelines and regulations for the act's implementation.¹¹ OMB first issued Privacy Act guidance in 1975 and has subsequently issued related guidance in the form of circulars and memoranda.¹²

The Privacy Act represents the statutory implementation of the Fair Information Practice Principles (FIPPs), a series of tenets intended to guide the oversight, ethical use, and protection of information on individuals.¹³ The Department of Justice (DOJ) explains that these principles

allow individuals to determine what records pertaining to them are collected, maintained, used, or disseminated by an agency; require agencies to procure consent before records pertaining to an individual collected for one purpose could be used for other incompatible purposes; afford individuals a right of access to records pertaining to them and to have them corrected if inaccurate; and require agencies to collect such records only for lawful and authorized purposes and safeguard them appropriately.¹⁴

These principles, when combined with the definitions provided in the Privacy Act regarding the types and storage of information subject to its requirements, have ongoing implications for how policymakers may seek to balance individual rights to privacy against public interests in transparency and government efficiency. DOJ further cautions, "Just as loss of trust in the governance framework would harm the interests of all, so proper and appropriate use of personal information within a secure governance framework would maintain trust and benefit the interests of all."¹⁵ In this light, Congress may wish to examine whether the Privacy Act, in its current form, achieves these principles or whether current agency practices and transparency mechanisms warrant reconsideration.

This report provides an overview of the Privacy Act and related issues. This includes an examination of the Privacy Act's underlying privacy-related principles and how the act relates to FOIA in both statutory text and practice. With this foundation, the report details the Privacy Act's key terms, exemptions from its coverage, and exceptions allowing disclosure without obtaining written consent from the individual. The report also provides an overview of agency requirements related to the Privacy Act, including systems of records notices (SORNs), privacy impact assessments (PIAs), and the role of senior agency officials for privacy (SAOPs). The report concludes with a discussion of evolving conceptions of privacy and related issues for Congress.

The Privacy Act: Principles and Framework

In a 1973 report prepared for the Secretary of Health, Education and Welfare (hereinafter, HEW Report), experts alerted federal government officials of the potential harmful consequences "that may result from uncontrolled application of computer and telecommunications technology to the collection, storage, and use of data about individual citizens."¹⁶ Congress used the existing information-sharing framework in FOIA and expanded upon principles of information protection through enactment of the Privacy Act.

While Congress was designing the Privacy Act, agencies were grappling with the promise and peril of centralized recordkeeping on individuals. In the HEW Report, then-Secretary of Health, Education and Welfare Caspar Weinberger warned that the management and dissemination of information on individuals could become a double-edged sword: "On the one hand, it can help to assure that decisions about individual citizens are made on the basis of accurate, up-to-date information. On the other, it demands a hard look at the adequacy of our mechanisms for guaranteeing citizens all the protections of due process in relation to the records we maintain about them."¹⁷

This section discusses the environment in which the Privacy Act was considered, beginning with the development and incorporation of the FIPPs into the Privacy Act, and how the Privacy Act builds upon and integrates with the disclosure and transparency procedures provided in FOIA.

Fair Information Practice Principles (FIPPs)

The Privacy Act represents the implementation of a shared set of values known as the FIPPs.¹⁸ The Federal Privacy Council, an interagency forum to improve agency privacy practices, has circulated these nine principles that DOJ describes as "central to the framework of the Privacy Act" and informing "the basis of almost every other privacy law and treaty in the world today."¹⁹ In this way, the FIPPs tie the Privacy Act together with other privacy and information management statutes, such as the European Union's General Data Protection Regulation and the U.S. Health Insurance Portability and Accountability Act of 1996.²⁰ However, unlike these other statutes, which typically regulate companies and other third parties, the Privacy Act is concerned specifically with the federal government's collection, use, and access to information on individuals.

Specifically, the FIPPs provide values to consider when agencies create, collect, use, process, store, maintain, disseminate, or disclose information with an individual's identifying particular, such as an individual's name or some identifying number or symbol.²¹ Selected principles suggest that agencies, as a best practice

• provide individuals with appropriate access to view and correct their associated records and seek individuals' consent to use their information;
• minimize the collection and use of individually identifying information and maintain it only for as long as is necessary to accomplish a legally authorized purpose;
• provide notice of the specific purpose and use of individually identifying information; and
• be transparent about its information policies, practices, roles, and responsibilities with respect to individually identifying information.²²

These principles correspond to provisions of the Privacy Act requiring, for example, that agencies maintain systems of records with only such information about individuals as is relevant and necessary,²³ provide notices in the Federal Register about proposed uses of such records,²⁴ and publish agency procedures for the disclosure to an individual upon request for information pertaining to him or her,²⁵ among other provisions.

Relationship to the Freedom of Information Act

The Privacy Act builds upon and extends requirements for the federal governance of information from earlier statutes. While FOIA allows any person to request access to government information, DOJ explains that the Privacy Act is designed to maintain trust between individuals and agencies with regard to the use of information on individuals.²⁶

FOIA and the Privacy Act are intertwined both in function and statutory placement. Notably, the Privacy Act uses FOIA's definition of agency. When agencies process requests for information under the Privacy Act, they must also consider the applicability of FOIA to the request. As DOJ describes, "The Privacy Act and the FOIA are often read in tandem," although the scope of each differs.²⁷ In practice, agencies generally treat Privacy Act requests in the same manner as FOIA requests when preparing responses. DOJ recommends that agencies process individuals' access requests for their own records "under both the Privacy Act and the FOIA, regardless of the statute(s) cited."²⁸

Information provided by an agency in response to a records request may be redacted under either FOIA or the Privacy Act and therefore may appear incomplete. While FOIA's main purpose is to inform the public of the federal government's operations, the act excludes certain private and governmental interests from disclosure. FOIA lists nine exemptions from its disclosure requirements that permit (but do not require) agencies to withhold information or records that are otherwise subject to release. These include reasons related to national defense or foreign policy; matters exempted from disclosure under other statutes; and personnel, medical, and similar files.²⁹

Definitions of Key Terms and Scope

Moving from the theoretical discussion of what privacy policy could look like, this section examines the statutory framework of the Privacy Act. The Privacy Act governs the access, use, and disclosure of information by agencies and the public. Specifically, the act concerns agency use of an individual's records that are maintained and retrieved within a system of records. Descriptions of these key terms, from both statute and DOJ guidance, are provided below.

• Agency. The Privacy Act uses FOIA's definition of agency.³⁰ This definition covers executive branch agencies, their components, and government-controlled entities but excludes Congress, the legislative branch, the White House, federal courts, and state and local governments.³¹
• Individual. An individual is defined in the act as "a citizen of the United States or an alien lawfully admitted for permanent residence."³² This definition excludes deceased persons, corporations, or organizations. In certain instances, parents or legal guardians may act on behalf of individuals.³³
• Record. Statute defines record as "any item, collection, or grouping of information about an individual that is maintained by an agency" that contains the individual's name, identifying number, or other identifying particular assigned to the individual.³⁴ Courts have variously interpreted how closely associated the information needs to be with an individual to count as a record for purposes of the Privacy Act.³⁵ Like FOIA, the Privacy Act pertains only to federal information, and most courts have held that it does not require agencies to create records.³⁶
• System of Records. A system of records is a "group of any records under the control of any agency" from which the information is retrieved by the name of the individual or other identifying particular.³⁷

Identifying Particulars and Personally Identifiable Information (PII)

The Privacy Act prohibits agency disclosure of records pertaining to an individual containing an individual's name, number, or identifying particular. However, the debate concerning what constitutes an individual's record for the purposes of the Privacy Act has not been definitively resolved.³⁸

As outlined by DOJ, while some courts have broadly interpreted the statute as governing any record linked to an individual's identifying information, others have claimed more narrowly that the record must reflect "some quality or characteristic of the individual involved."³⁹ Still other courts have held a middle ground approach: Records "must both be 'about' an individual and include his name or other identifying particular."⁴⁰ DOJ concludes that additional courts "have adopted different, narrow, and, at times, conflicting interpretations of the term 'record.'"⁴¹ Relatedly, the Privacy Act's protections related to transparency and ethical use of such information hinges on whether or not a series of records is considered a system of records, where the information is queried and retrieved by an identifying particular.⁴² These divergent and conflicting interpretations affect the ability of individuals and policymakers to ensure appropriate application of the Privacy Act to such types of records.

In its initial 1975 Privacy Act guidance, OMB provided examples of what would constitute a unique identifying particular. OMB explained that information that "suggests any element of data (name, number) or other descriptor (finger print, voice print, photographs)" could be used to identify individuals. However, OMB also notes that identifying particulars "are not always unique (i.e., many individuals share the same name) but when they are not unique (e.g., name) they are individually assigned—as distinguished from generic characteristics."⁴³

More recently, in 2006, OMB began publicly referring to information with identifying particulars as personally identifiable information or PII.⁴⁴ In 2007, OMB defined PII as "information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc."⁴⁵ OMB has incorporated this term in related information management documents, such as OMB Circular No. A-130,⁴⁶ as well as in guidance concerning the Federal Information Security Management Act (FISMA),⁴⁷ the Confidential Information Protection and Statistical Efficiency Act (CIPSEA),⁴⁸ and others.

10 Exemptions for Certain Records and Systems of Records⁴⁹

The Privacy Act exempts certain records and systems of records from its coverage in 10 circumstances. These exemptions permit federal government use of individually identifying information in instances where notifying the individual may hinder the purpose of the information sharing, such as in cases of national security or investigations or where the information cannot reasonably be associated with an individual, such as for statistical research.

Of the 10 exemptions, 3 are self-executing, meaning the agency holding the information does not have to take action in order to assert an exemption. Seven exemptions permit agencies to publish rules exempting certain systems of records from specific Privacy Act provisions.⁵⁰ A full list of the Privacy Act's 10 exemptions is located in the Appendix of this report. Two of these exemptions may warrant particular congressional interest: investigatory material compiled for law enforcement purposes and statistical records.⁵¹

Investigatory Material⁵²

The Privacy Act excludes from its scope investigatory material compiled for law enforcement purposes that did not result in an individual's loss of a right, benefit, or privilege.⁵³ According to DOJ, this exemption covers

• 1. material compiled for other investigative law enforcement purposes by any agency, and
• 2. material compiled for criminal investigative law enforcement purposes by nonprincipal function criminal law enforcement entities.⁵⁴

The first prong is known as a "general exemption."⁵⁵ It permits heads of agencies that perform law enforcement as a principal function (e.g., the Federal Bureau of Investigation or the Drug Enforcement Agency)⁵⁶ to promulgate rules to exempt a system of records from Privacy Act coverage when the record falls into one of three categories: (1) "information compiled for the purpose of identifying individual criminal offenders and alleged offenders," (2) "information compiled for the purpose of a criminal investigation," and (3) "reports identifiable to an individual compiled at any stage of the process of enforcement."

The second prong applies to agencies whose principal function is not law enforcement but nonetheless conduct some law enforcement activities. This specific exemption permits agency heads to promulgate rules that exempt any system of records if the records are "investigatory material compiled for law enforcement purposes."⁵⁷

The Privacy Act limits the scope of the special exemption for investigatory material by requiring that individuals have access to investigative records that were used as a basis for denying their rights, privileges, or benefits.⁵⁸ Examples of the types of investigations covered by this exemption include investigations of deportability under the Immigration and Nationality Act, taxpayer audits, and attorney misconduct investigations.⁵⁹ Information gathered for a routine background check as a condition of federal employment is not usually a law enforcement purpose unless the background check involves specific allegations of illegal activity.⁶⁰

Statistical Records

The Privacy Act also permits agency heads to exempt a system of records when that system of records is "required by statute to be maintained and used solely as statistical records."⁶¹ The Privacy Act defines statistical record as "a record in a system of records maintained for statistical research or reporting purposes only and not used in whole or in part in making any determination about an identifiable individual."⁶² Relatedly, other statutory provisions that involve the use of information by statistical agencies or units define statistical purpose as involving the description, estimation, or analysis of the characteristics of groups without identifying the individuals or organizations that comprise such groups.⁶³

OMB's 1975 Privacy Act guidelines state that the purpose of this exemption is to permit use of records for statistical research or program evaluation that, by law, cannot be used to make a determination about an individual.⁶⁴ Records that are subject to this exemption, accordingly, cannot be used to make decisions about the rights, benefits, or entitlements of any individual.⁶⁵ Due to the fact that these records are used entirely for statistical purposes, Congress did not believe that disclosure would provide any benefit to an individual because they have no direct effect on any individual in particular.⁶⁶

As a matter of policy and practice, however, the delineation between statistical records and other types of records may be artificially clear. While statistical records can be construed to be information where the identity of the subject is separated from other data in the record, experts at the time of the Privacy Act's initial consideration did note that data from administrative records containing individually identifiable information could sometimes be used for statistical purposes.⁶⁷ Use of statistical records is further explored in the "Statistical Information and Census" portion of this report.

Conditions of Disclosure

The Privacy Act allows individuals to request and view their information from agencies and generally prohibits disclosure of individually identifiable information to third parties without written consent. Specifically, an agency may not disclose a record to a third party without the individual's prior written consent unless such a disclosure falls under an exception in Title 5, Section 552a(b), of the U.S. Code.⁶⁸ This section examines the Privacy Act's individual right of amendment, how disclosure to third parties operates under the act, and recent developments related to the act's written consent requirement in a digital age.

Disclosure to the Individual

U.S. citizens and lawful permanent residents may request access to their information from agencies under the same guidelines as requests under FOIA.⁶⁹ An individual may request an agency to perform a search for information in a system of records based on his or her identifiers, such as a name or Social Security number. An individual might do this, for example, to ensure that his or her records are accurate and in order to request corrections.

Consistent with the FIPPs principle of access and amendment, the Privacy Act permits individuals to gain access to their records or any information pertaining to them for purposes of review. An individual may also be accompanied by another person to review the records.⁷⁰

Individuals are also statutorily able to request amendment of their records should they believe the records are not "accurate, relevant, timely, or complete," and agencies are to acknowledge such a request in writing within 10 business days.⁷¹ The agency must then inform the individual of whether it has decided to make the correction or, in the event the agency refuses, provide and explain to the individual the reason for the refusal, agency procedures to request a review of the refusal by the agency head or an officer designated by the agency head, and the name and business address of that officer.

Disclosure to Third Parties

Commonly, the need for an individual's written consent to disclose his or her documents to third parties arises in conducting congressional casework and during agency processing of benefits (for example, the administration of military and veterans' benefits). In these instances, the third party is often coordinating among federal agencies or governments on behalf of the individual for benefits administration, information correction, or research purposes.

Congressional Casework⁷²

In conducting casework, Members of Congress routinely solicit and respond to requests from constituents for assistance with federal agencies. In general, an agency cannot reply to a congressional inquiry without a Privacy Act release form signed by the constituent requesting assistance. The form authorizes the Member to access a constituent's individually identifiable information to assist in the resolution of a case and prevents the unauthorized disclosure of individually identifying information.⁷³

Manually obtaining a signed privacy release form and transmitting the form to an agency has been a time-consuming process for both constituents and caseworkers, which sometimes delays consideration of the case by an agency. In addition, agencies across the federal government have required different versions of privacy release forms specific to their agencies. Some agencies have accepted electronic versions of privacy release forms from congressional offices in a variety of formats despite lacking clear authorization to do so. This has raised casework management concerns in some congressional offices. A discussion on efforts to modernize this process, including the creation of privacy release form templates, follows in the "Written Consent" section below.

Veterans' Benefits and Next of Kin

Military servicemembers, veterans, and next of kin frequently seek access to military service records to receive related benefits, correct their service information, or conduct family research.⁷⁴ Disclosure of military service records, like other individually identifiable information the federal government maintains, is restricted by the Privacy Act. The Privacy Act pertains to living U.S. citizens and lawful permanent residents, and the courts and DOJ have interpreted the Privacy Act's definition of individual to exclude deceased individuals.⁷⁵

To comply with the Privacy Act, the agency solicits written consent of the servicemember via completion of form SF-180.⁷⁶ The form notes that FOIA provisions may restrict the release of complete information. However, the servicemember or his or her authorized legal recipient has "access to almost any information" contained in the servicemember's own record.⁷⁷

Requests for a living servicemember's records by someone other than the servicemember must be accompanied by the signature of the servicemember, court appointment documentation, authorization letter, or proof of power of attorney in order for documents to be released to the servicemember, next of kin, or authorized representative. Next of kin can receive greater access to a deceased veteran's records than a member of the general public by submitting proof of the servicemember's death with the form SF-180.⁷⁸

Written Consent⁷⁹

While the Privacy Act explicitly requires an individual's written consent, continued movement toward electronic recordkeeping has renewed conversations about how agencies can best solicit individuals' written consent while also streamlining the agencies' processes and user experience with government. The statute, however, does not further define the components of written consent.⁸⁰

Agencies have generally interpreted this requirement as requiring a paper document with a "wet" signature, which may be either notarized or submitted to the agency under penalty of perjury.⁸¹ Certain agencies may also require additional information from the individual to verify his or her identity, including such information as current address and date and place of birth.⁸² Individuals may opt to include their Social Security numbers in the request but are not mandated to disclose their Social Security numbers unless required by statute.⁸³ Further, the Privacy Act does provide that "Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000."⁸⁴

Intending to modernize and simplify the written consent process, Congress enacted the Creating Advanced Streamlined Electronic Services for Constituents Act of 2019 (CASES Act).⁸⁵ The CASES Act required OMB to issue guidance requiring agencies to (1) accept electronic identity proofing and authentication processes, (2) create templates for electronic consent and access forms and require posting of the templates on agency websites, and (3) accept electronic consent and access forms. Agencies were required to comply with implementation guidance in OMB Memorandum M-21-04 by November 21, 2021.⁸⁶

However, implementation of electronic identity proofing may continue to be of interest to Congress. OMB Memorandum M-21-04 requires agency implementation to conform to OMB privacy guidance and related National Institute of Standards and Technology (NIST) standards.⁸⁷ Challenges related to electronic identity proofing remain, as recently demonstrated by a March 2023 General Services Administration (GSA) inspector general report finding that Login.gov, "a single-sign on solution for government websites," was not meeting NIST electronic identity proofing criteria.⁸⁸ As of April 14, 2023, NIST has concluded its call for comments on its initial public draft revision to its digital identity guidelines.⁸⁹ This revision may impact both implementation of the CASES Act and administration of Login.gov.⁹⁰

12 Exceptions to Written Consent⁹¹

Information on an individual may be shared with other persons, such as congressional caseworkers or government agencies, subject to the Privacy Act's written consent requirement. However, the Privacy Act also provides 12 exceptions to the written consent requirement from individuals, which may raise questions about the interpretation and intended use of these exceptions by government agencies. A full list of these exceptions is located in the Appendix of this report.

Three of the exceptions have at times raised particular congressional concern. First, the Privacy Act permits an agency to disclose covered information with other employees of the same agency who have a need to know the information. Second, an agency can disclose information to the public if FOIA requires its disclosure. Third, an agency may disclose information if the purpose of the disclosure is a routine use of the information. A routine use, under the Privacy Act, is "use of such record for a purpose which is compatible with the purpose for which it was collected" and may include the sharing of information across agencies.⁹²

Need to Know⁹³

The Privacy Act permits an agency to disclose records covered by the Privacy Act "to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties."⁹⁴ This exception is known as the need to know exception, and it permits intra-agency disclosures for necessary, official purposes.

The need to know exception applies when the employee receiving the information—rather than the employee disclosing it—has a need for access to the information. In some circumstances, the need to know exception covers contractors who serve the function of agency employees.⁹⁵

The need for access to information includes a broad range of agency activities. Whether a need for the information truly exists, however, is determined on a case-by-case basis. In general, courts have held that intra-agency disclosure of records related to personnel or employment matters, medical treatment or expenses, administrative duties, and national security risks can all fall into the need to know exception so long as the information is needed to perform the receiving employee's duties.⁹⁶ The need for access is not unlimited, however. Courts have generally found that a need for access to information does not exist in instances where disclosing information serves to embarrass, discredit, or reveal personal information unrelated to the work of the agency.⁹⁷

Disclosure Under FOIA⁹⁸

The Privacy Act does not prohibit disclosure in cases where FOIA requires disclosure.⁹⁹ FOIA creates a presumption that all agency records are open to the public.¹⁰⁰ However, that broad presumption in FOIA is tempered by FOIA's nine statutory exemptions, which serve as reasons that an agency can invoke to withhold information.¹⁰¹ FOIA's exemptions allow an agency to withhold an agency record, but an agency is not required to invoke an exemption even if one would be applicable. Under FOIA alone, agencies generally have discretion to invoke one or more of the exemptions to withhold information.¹⁰²

The Privacy Act's FOIA exception is limited, however. The FOIA exception permits disclosure only where FOIA requires disclosure—that is, in situations in which no FOIA exemption applies. Where a FOIA exemption is applicable (i.e., when an agency can choose to withhold the record), the Privacy Act requires the agency to withhold the record from disclosure.

Among the nine classes of records FOIA exempts from disclosure, two are most likely to arise in the Privacy Act context.¹⁰³ FOIA permits agencies to withhold personnel files, medical files, or similar files "the disclosure of which would constitute a clearly unwarranted invasion of personal privacy."¹⁰⁴ FOIA also permits agencies to withhold "records or information compiled for law enforcement purposes, but only to the extent that the production of such law enforcement records or information … could reasonably be expected to constitute an unwarranted invasion of personal privacy."¹⁰⁵

Routine Use

One of the most discussed and debated exceptions is the routine use exception, which was included to allow individually identifiable information disclosures "for a purpose which is compatible with the purpose for which it was collected."¹⁰⁶

As described by DOJ

Courts have generally held that routine use disclosures to process an individual's application for a benefit, program participation, or a position are "compatible" disclosures under the routine use disclosure exception.¹⁰⁷

Determining a qualifying routine use is often left to the discretion of agencies and OMB, although routine uses must be noted and defined in publicly available SORNs.¹⁰⁸ As a result, agency and court interpretations of the routine use exception may both help and hinder the sharing of information for a variety of purposes, including congressional casework, benefits and program administration, and law enforcement.

The application and interpretation of routine use may therefore warrant congressional interest. In addition to legislative options, Congress, in its oversight efforts, may consider directing agencies to proactively review their interpretation of compatible routine uses to make agencies more responsive and to improve constituent interactions with the federal government.

Statistical Information and Census¹⁰⁹

An agency may also disclose information for use in statistical research. The Privacy Act states that the recipient of this information must provide the agency with "advance adequate written assurance that the record will be used solely as a statistical research or reporting record" and that the information is to be "transferred in a form that is not individually identifiable."¹¹⁰ Concerning this exception, OMB commented in its 1975 Privacy Act guidelines that

One may infer from the legislative history and other portions of the Act that an objective of this provision is to reduce the possibility of matching and analysis of statistical records with other records to reconstruct individually identifiable records. An accounting of disclosures is not required when agencies publish aggregate data so long as no individual member of the population can be identified.¹¹¹

To further facilitate statistical activities, OMB has issued a series of directives to provide standards and guidelines for statistical surveys; maintaining, collecting, and presenting federal data on race and ethnicity; and responsibilities of federal statistical agencies (FSAs) and statistical units.¹¹² With respect to FSA roles and responsibilities, OMB Statistical Policy Directive No. 1 is incorporated in part into the CIPSEA protections and requires FSAs to provide a uniform approach "any time an agency pledges to keep confidential the information it collects exclusively for statistical purposes."¹¹³ Additionally, OMB requires FSAs to use sound scientific and statistical limitation techniques to minimize risking re-identification of respondents' data.¹¹⁴

The Privacy Act also acknowledges Census Bureau–specific protections for statistical information. Under Title 13 of the U.S. Code, the Census Bureau is prohibited from using any data collected from its surveys "for any purpose other than the statistical purposes for which it is supplied," and any data collected during a Census Bureau survey may be accessed only by Department of Commerce and Census Bureau officers or employees.¹¹⁵ Additionally, published data must be de-identified.¹¹⁶

Agency Requirements and Roles

The Privacy Act prescribes certain agency requirements regarding accountability for and transparency into disclosures of individually identifying information. In addition to being required to keep an accurate accounting of disclosures, including to whom they are made and their purpose, agencies are obligated to issue and maintain SORNs and conduct PIAs for individually identifiable information that the agency maintains.¹¹⁷

To help administer the Privacy Act, OMB requires agencies to designate SAOPs. SAOPs, in cooperation with CIOs, are charged with agency implementation of these requirements. This section further explores agency requirements and roles in Privacy Act implementation.

Systems of Records Notices (SORNs)

For purposes of the Privacy Act, an agency may control a group of records where information is retrievable by an individual's name or other unique identifiers. As noted earlier, this group of records is referred to as a system of records.¹¹⁸ When an agency seeks to establish a new system of records or make significant changes to an existing system of records, the act requires the agency to submit a proposal to OMB and Congress.¹¹⁹ OMB explains that a significant change that would require submission of a revised SORN could include, for example

• a substantial increase in the number, type, or category of individuals about whom the records are maintained in the system, or a change that expands the types or categories of records in the system;
• a change that modifies the scope of the system or the purpose for which the information is maintained; and
• a new routine use or significant change to an existing routine use.¹²⁰

After review and potential comments from OMB, the agency publishes a SORN in the Federal Register and provides 30 days for the public to submit written views on the proposed use of the system.¹²¹ A typical SORN must include information such as

• the name and location of the system;
• the categories of records and individuals on whom records are maintained;
• each routine use of the records contained in the system, including the categories of users and the purpose of such use; and
• the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records.¹²²

As described above, certain systems of records may be exempted from selected Privacy Act requirements by an agency head based on the system's contents and subject to notice in the Federal Register.¹²³

The Federal Privacy Council maintains an online SORN dashboard, which pulls SORNs from the Federal Register and allows for targeted searching of SORNs for "government privacy analysts and privacy lawyers to make it easier."¹²⁴ Given the development of this additional tool to search SORNs, Congress may consider whether SORNs are sufficiently accessible and understood by the public in their current format.

Privacy Impact Assessments (PIAs)

Adjusting government processes and aspects of the Privacy Act to the electronic age, Section 208 of the E-Government Act of 2002¹²⁵ requires federal agencies to conduct PIAs to ensure sufficient protections for the privacy of personal information when the information is in an identifiable form. Per statute, PIAs are to be reviewed by the agency CIO, or equivalent official, as determined by the head of the agency.¹²⁶ Elements required to be addressed in a PIA include

• what information is to be collected,
• why the information is being collected,
• the information's intended agency use,
• with whom the information will be shared,
• what notice or opportunities for consent would be provided to individuals regarding information collection and sharing,
• how the information will be secured, and
• whether a system of records is being created.¹²⁷

Further, the act defines identifiable form as "any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means."¹²⁸ In the accompanying OMB Memorandum M-03-22, a PIA is required to be performed and "updated as necessary" when a change creates new privacy risks, including, for example, (1) when agencies convert paper-based records to electronic systems; (2) when functions applied to an existing information collection change anonymous information into information in identifiable form; or (3) when agencies adopt or alter business processes to allow for the merging, centralization, or matching of information with other databases.¹²⁹

In 2010, OMB provided additional guidance on PIAs for agency use of third-party websites and applications.¹³⁰ Congress might evaluate whether the current statute and guidance environment provide adequate considerations given the changes in information management since the law's passage in 2002. Additionally, Congress may inquire whether agency staff has sufficient training or guidance from OMB to understand when new collections, format changes, or modifications to information could create privacy risks that would necessitate an updated PIA.

Senior Agency Officials for Privacy

While CIOs are established by law, OMB administratively directed agencies to designate SAOPs.¹³¹ In combination, CIOs and SAOPs have key roles in the administration and oversight of agency activities covered by the Privacy Act, including information disclosure, privacy, and statistical policy. In 2016, as directed by Executive Order 13719, OMB issued Memorandum M-16-24, which further defined the designation process and role for an SAOP.

Under OMB Memorandum M-16-24, an SAOP is to be a senior official at the Deputy Assistant Secretary or equivalent level who is "positioned highly enough within the agency to regularly engage with other agency leadership, including the head of the agency."¹³² In addition, the SAOP is to have the necessary skills, knowledge, expertise, and agency authority to lead and direct the agency's privacy program and related privacy functions.¹³³ Notably, OMB Memorandum M-16-24 does not prohibit an agency CIO from serving as the SAOP, meaning that in some agencies, the CIO may serve in both positions.¹³⁴

OMB explains that the SAOP role is also responsible for an agency's policymaking functions, compliance, and risk management for privacy. The SAOP is to lead and address the agency's evaluation of the privacy implications of legislative proposals, congressional testimony, and other materials. In addition to monitoring compliance with the Privacy Act and FISMA as directed in separate OMB guidance,¹³⁵ the SAOP is to oversee, coordinate, and facilitate agency compliance with the Paperwork Reduction Act (PRA),¹³⁶ the E-Government Act of 2002,¹³⁷ and OMB Circulars A-130 and A-108,¹³⁸ among other statutes and guidance.

Lastly, the SAOP is also to manage and review privacy risks associated with any agency activities that involve "the creation, collection, use, processing, storage, maintenance, dissemination, disclosure, and disposal of PII by programs and information systems."¹³⁹

The Privacy Act originally required the President to submit a biennial report to Congress about Privacy Act implementation and administration, although this requirement was repealed.¹⁴⁰ OMB explains that in place of this report, OMB now reports to Congress on agencies' compliance with privacy requirements through the annual FISMA report, which is informed by and populated with information collected from SAOPs.¹⁴¹

Federal Privacy Council

The Federal Privacy Council was established in 2016 by Executive Order 13719 and includes the SAOPs of 25 agencies as its members. As part of its responsibilities, the council is to coordinate with the Federal CIO Council to promote consistency and efficiency across the executive branch with regard to privacy and information security issues.¹⁴² In addition, the council is to develop recommendations on policy for OMB; coordinate and share best practices with regard to protecting privacy; and assess and recommend how to address the hiring, training, and professional development needs of the federal government with respect to privacy matters.¹⁴³

Issues for Congress: The Privacy Act and the Future of Privacy Policy

In the Privacy Act's 1974 enumeration of findings and purposes, Congress found that "the increasing use of computers and sophisticated information technology, while essential to the efficient operations of the Government, has greatly magnified the harm to individual privacy that can occur from any collection, maintenance, use, or dissemination of personal information."¹⁴⁴ In many ways, the Privacy Act represents an expansion of the concept of privacy beyond "a narrow-property-based concept of individual control" and the beginnings of understanding privacy based on the content of the information itself rather than its paper or electronic format.¹⁴⁵

In deciding the future of privacy policy for new formats and uses, the FIPPs may be useful as Congress considers the adequacy of the Privacy Act in safeguarding the privacy of individuals while facilitating effective and efficient operation of government agencies and programs. As summarized by DOJ

[T]he authors of the HEW Report argued that the concept of privacy needed to be reimagined to recognize the mutual interests that institutions and individuals shared in the fair and appropriate management of personal information. This meant that instead of a property-based concept of individual control, what was needed was a governance framework designed to ensure the trust of the stakeholders in the information.¹⁴⁶

As technology advances, opportunities for use and misuse of systems of records may be present in ways not considered during the original design and implementation of the Privacy Act. Congress has passed legislation providing further direction on the sharing and storage of information maintained on individuals. Examples of legislation that interact with the Privacy Act include provisions associated with the Computer Matching and Privacy Protection Act (CMPPA),¹⁴⁷ FISMA,¹⁴⁸ and the CIPSEA 2018 amendments, which were included in Title III of the Foundations for Evidence-Based Policymaking Act of 2018 (FEBPA).¹⁴⁹

As Congress reviews the Privacy Act, it might consider evaluating the effectiveness of the law and its implementation based on multiple considerations and across many contexts. This report highlights the FIPPs of individual participation, minimization, and purpose specification and use limitation and examines the potential issues related to the Privacy Act for each of these principles.¹⁵⁰

Individual Participation

As previously discussed, the Privacy Act permits individually identifiable information to be disclosed without an individual's written consent pursuant to 12 statutory exceptions. Although Congress has sought to modernize the process of soliciting an individual's written consent, questions remain regarding not only whether individuals are sufficiently informed about how their information is being used but if appropriate precautions are being taken to validate an individual's identity. The principle of individual participation may be one concept used to explore different models of consent in government and digital identity authentication issues.

Examining Written Consent¹⁵¹

Recalling the routine use exception, which was included to allow individually identifiable information disclosures considered to be compatible with the original information collection, DOJ cautions that the exception, "because of its potential breadth, is one of the most controversial provisions in the Act."¹⁵²

While the routine use exception may allow agencies to more efficiently share information on individuals, potentially facilitating streamlined interactions with the government, individuals who consent to the use of their information may be unaware of how agencies could repurpose the information. Congress may consider whether the level of information individuals receive when providing written consent through the Privacy Act or through agency publication of SORNs is commensurate with the sensitivity of the information. Congress may also consider whether agencies adequately consider and justify compatible uses of existing information.

In other contexts, processes exist to educate individuals on the collection and use of their information. For example, the CMPPA, which complies with the Privacy Act's disclosure provisions, requires a federal agency to have procedures for notifying individuals that information they provide to it may be compared to other information maintained by other agencies through matching programs.¹⁵³

This notice can be direct, such as some form of contact between the government and the subject at the time an individual applies for a federal benefit or in a notice that arrives with the benefit, or constructive, where the notice, routine use disclosure, or matching program is published in the Federal Register.¹⁵⁴ Congress may consider if there are certain information uses that should rely on direct (rather than constructive) notice for purposes of providing consent under the Privacy Act.

Ascertaining Identity¹⁵⁵

Agencies have interpreted the Privacy Act's written consent requirement to mean a signed document that may be either notarized or submitted to the agency under penalty of perjury.¹⁵⁶ However, these previously accepted methods of identity validation have been reexamined as Congress and the executive branch explore providing government services and access to individuals through electronic means. In recent years, Congress and the executive branch have worked to digitize and streamline processes where members of the public interact with the federal government. For example, in 2015, Congress required GSA to develop and implement a "single sign-on trusted identity platform" for individuals accessing public agency websites, which has become known as Login.gov.¹⁵⁷

In an August 22, 2017, announcement, GSA described Login.gov as "a single sign-on solution for government websites that will enable citizens to access public services across agencies with the same username and password."¹⁵⁸ Further, Login.gov aims to allow users to "securely sign in to participating government websites and securely verify their identity" in accordance with NIST guidelines for providing different levels of identity and authenticator assurance.¹⁵⁹

Login.gov came under scrutiny in a March 2023 GSA inspector general report and as the subject of a March 2023 House Committee on Oversight and Accountability subcommittee hearing.¹⁶⁰ The report found that Login.gov improperly advertised the level of confidence its digital processes could provide in validating an individual's identity. With regard to the Privacy Act, Congress may continue to consider the role and ability of the federal government to provide identity authentication in digital formats, the adequacy of processes to ascertain identity in the context of written consent, and opportunities to improve agency implementation.

Minimization

Given existing and emerging computer technologies at the time of its consideration, the Privacy Act included numerous safeguards to avoid privacy-related harms to the public and considered the need to update privacy protections for digital information. Especially in a digital context, the principle of minimization—that is, reducing the collection and use of individually identifying information and maintaining it only for as long as is necessary to accomplish a legally authorized purpose—takes on new meaning. The ability of digitized information to be available outside of physical filing cabinets or libraries may make the information more convenient, but such formats also reduce the ability to control the use of the information after its release. In particular, the phenomenon of the mosaic effect and the ability to recombine seemingly de-identified data into PII shows how the principle of minimization may relate to the Privacy Act and its implementation.

Mosaic Effect¹⁶¹

Data access and sharing may still involve significant risks even with seemingly de-identified data. OMB has warned of the mosaic effect, a problem that could occur as multiple versions of public and private information on individuals become accessible on the internet or through other channels. In a 2013 memorandum to agencies, OMB explained

The mosaic effect occurs when the information in an individual dataset, in isolation, may not pose a risk of identifying an individual (or threatening some other important interest such as security), but when combined with other available information, could pose such risk. Before disclosing potential PII or other potentially sensitive information, agencies must consider other publicly available data—in any medium and from any source—to determine whether some combination of existing data and the data intended to be publicly released could allow for the identification of an individual or pose another security concern.¹⁶²

The ubiquity of digital information has created increased privacy risks, and there appears to be no consensus on whether the shared or combined information can be destroyed in the same manner as paper records. Digital formats raise new questions regarding how information could or should be released and how agencies prospectively determine privacy risks after its disclosure.

OMB advises that agencies should perform privacy analysis at each stage of the information's life cycle.¹⁶³ In this analysis, the agency must review the information that is collected or created for valid release restrictions and determine if the information can be made publicly available without jeopardizing privacy.¹⁶⁴ However, OMB warns agencies to consider the mosaic effect and conduct risk-based analyses in making their determinations, but OMB defers to NIST security standards for further implementation guidance.¹⁶⁵

What Is Considered to Be "Identifiable Form"?

The Privacy Act and associated OMB guidance state how agencies should control and restrict the use, sharing, or dissemination of information on individuals in identifiable form. However, the Privacy Act itself does not define what is to be considered identifiable form. The statistical and computing technologies available at the time the Privacy Act was considered have markedly changed in the decades since its enactment. Where information was previously dispensed in analog and paper formats, the ability to share and re-share information in digital and electronic formats may complicate current understandings of privacy.

OMB considers PII to consist of information that can be used to distinguish or trace an individual's identity either alone or when combined with other information that is linked or linkable to a specific individual.¹⁶⁶ Relatedly, the E-Government Act of 2002 specifies that identifiable form means any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.¹⁶⁷ However, each of these definitions hinges on a common understanding of when linking information can reveal an individual or what manipulations to information could reveal an individual from seemingly de-identified data.

In addition to appropriate agency governance, developments in computer science and statistics have created new methods of protecting PII while facilitating ethical use of the information.¹⁶⁸ These methods—which may involve manipulating the information, creating secure ways of matching information, or creating artificially manufactured data, among others—are known as privacy-enhancing technologies (PETs). Similarly, researchers are working to create utility metrics to measure how the release of limited or obscured information impacts the accuracy or validity of analysis that uses such information.¹⁶⁹ Application of these new technologies may enable agencies to achieve greater understanding of programmatic impacts and efficiencies while still hewing to the principle of information minimization.

In March 2023, components of the Office of Science and Technology Policy released a "National Strategy to Advance Privacy-Preserving Data Sharing and Analytics" describing strategic priorities and recommending actions for agencies to adopt PETs. They define PETs as "a broad set of technologies that protect privacy by removing personal information, by minimizing or reducing personal data, or by preventing undesirable processing of data, while maintaining the functionality of a system."¹⁷⁰ However, agency adoption of PETs may be influenced by factors such as cost and scalability, information loss after manipulation, or tradeoffs between accuracy and utility of the information.¹⁷¹

Purpose Specification and Use Limitation

While government information can be inherently valuable for researchers, members of the public, and other agencies or governments, uncontrolled access to information may also put individual privacy at risk. Under the principle of purpose specification and use limitation, agencies are to balance the utility of the information against threats to privacy by providing notice of the specific purpose and use of individually identifying information.

The Privacy Act's multi-stakeholder approach to governance of information, in DOJ's view, seeks to balance the "need for other legitimate secondary users, such as public health authorities, financial oversight agencies, law enforcement and national security agencies—indeed any stakeholder with a legitimate need to use the information in the public interest—to access and appropriately use the information."¹⁷² Congress may wish to revisit this principle with respect to efforts to limit agency information collections and the ability of government entities to store individually identifying information.

Information Collections and the Paperwork Reduction Act¹⁷³

Congress enacted the PRA primarily to address a concern that the federal government was requiring businesses, individuals, and other entities to spend too much time filling out paperwork at the behest of federal agencies.¹⁷⁴ The PRA requires agencies to justify a proposed public information collection by evaluating the need and the burden of the information collection, among other criteria.¹⁷⁵ The act also empowers the OMB director to review and approve information collections.¹⁷⁶

With regard to the principle of purpose specification and use limitation, in addition to agency justification of the information collection, the agency must ensure that each information collection is inventoried and informs the respondent of the reasons the information is being collected, how it is to be used, and whether responses to the information collection are voluntary or mandatory.¹⁷⁷

The PRA also requires the OMB director, in consultation with other federal officials, to develop and maintain a plan to reduce information burdens on the public, including "through the elimination of duplication and meeting shared data needs with shared resources."¹⁷⁸ Relatedly, a Senate committee report on the PRA stated that "sharing information among government agencies also serves the goal of minimizing the burden imposed on the public by government collection of information" while reiterating that such disclosures need to be consistent with other laws, such as the Privacy Act.¹⁷⁹

Because the PRA empowers the OMB director to approve of information collections and seek ways to eliminate information collection duplication, Congress may consider the role of OMB in understanding and adjudicating information collection requests and also whether agencies and OMB are able to adequately inform the public of new uses of the information they provide. Congress may also seek to examine whether agencies are striking an appropriate balance between their need to collect information versus agency use of existing data resources to accomplish similar goals.

Exploring the Concept of a Data Clearinghouse¹⁸⁰

Since the advent of the computing era, policymakers have intermittently considered the creation of a centralized clearinghouse to combine government data.¹⁸¹ Proponents suggest that such a clearinghouse or "data warehouse" could provide access to agencies and researchers to foster learning, improve programs, and reduce the cost of studies. Critics, on the other hand, suggest that such access could come at the cost of individual privacy or allow the government or malicious actors to target individuals or groups. Such concerns prevented the creation of a national data center in 1965 and informed passage of the Privacy Act.¹⁸² In considering the Privacy Act, the Senate Committee on Government Operations wrote

We believe that the creation of formal or de facto national data banks, or of centralized Federal information systems without certain statutory guarantees would tend to defeat these purposes, and threaten the observance of the values of privacy and confidentiality in the administrative process.¹⁸³

Congress and the executive branch continued to consider ways to gain the value of such information for research and program evaluation purposes without sacrificing privacy. However, an absence of specific statutory authorization or concerns about public acceptance often led agencies to take restrictive and variable approaches to data sharing for statistical purposes.¹⁸⁴ Subsequently, some efforts to promote data sharing for exclusively statistical purposes were undertaken on a case-by-case basis.¹⁸⁵

In 2016, Congress established the Commission on Evidence-Based Policymaking (CEP) to consider, among other things, whether "a data clearinghouse should be established to ensure federal data is available to policymakers, and also study how best to protect the privacy rights of individuals who interact with federal agencies."¹⁸⁶ CEP interpreted clearinghouse to mean "a data storage facility that permanently stores records from multiple databases from multiple agencies and, therefore, grows with each new data linkage."¹⁸⁷ CEP rejected the clearinghouse model, however, citing "well-founded concerns about the potential privacy harm such a clearinghouse could raise."¹⁸⁸

CEP's 2017 report suggested that advances in technology could support creation of a National Secure Data Service (NSDS), which could combine data without risking individual privacy or warehousing data through the application of de-identification methods and assigning expiration dates to data used by the NSDS.¹⁸⁹ In 2022, to further explore the creation of such a service, Congress instructed the director of the National Science Foundation, in consultation with the director of OMB, to create an NSDS demonstration project and authorized funds for the project for FY2023-FY2027.¹⁹⁰ Congress may wish to consider the nature of information management for privacy as it conducts oversight of the demonstration project.

Both statute and associated OMB guidance are to direct the administration of the NSDS demonstration project.¹⁹¹ According to statute, the demonstration project may be operated directly or via a contract managed by the National Center for Science and Engineering Statistics. The statute also requires the demonstration project to "align" with the principles, best practices, and priority actions recommended by an advisory committee to the extent feasible.¹⁹² Consistent with the purpose specification and use limitation principle, only authorized analysts are permitted to perform statistical queries necessary to answer approved project questions.¹⁹³ In December 2022, OMB released Memorandum M-23-04 providing for the establishment of a standard application process through which federal agencies, intergovernmental organizations, and researchers may apply to access confidential data assets.¹⁹⁴

In terms of privacy protections, the demonstration project is to operate within the restrictions of CIPSEA and the Privacy Act. However, neither CIPSEA nor the Privacy Act specify when or how shared information or information concerning individuals is to be destroyed or whether such linkages are to be temporary instead of permanent. The director of the National Science Foundation is to further ensure that raw data and other sensitive inputs are not accessible to recipients of statistical outputs from the demonstration project and that no individual entity's data or information is revealed to any other party in an identifiable form.¹⁹⁵ Recalling the principle of minimization, the statute suggests that the demonstration project may use "the appropriate application of privacy-enhancing technologies and appropriate measures to minimize or prevent reidentification risks."¹⁹⁶ As Congress continues to oversee privacy and the pilot project, multiple FIPPs may be implicated.

Appendix. Additional Resources