Office of Government Information Services (OGIS)

The Privacy Act

The Privacy Act and FOIA

Both FOIA and the Privacy Act of 1974, 5 U.S.C. § 552a (Privacy Act), grant a right of access to Federal records. FOIA applies to all executive branch agency records and “any person” can request records under FOIA. FOIA applies to records that are either created or maintained by an agency or under the agency’s control. The Privacy Act grants individuals access to their own records that are maintained by the Federal government. Most often, but not always, requests for one’s own records are considered Privacy Act requests, or first-party requests. The Privacy Act’s access provisions apply only to U.S. citizens and lawful permanent residents. The Privacy Act applies to any item, collection or grouping of information about an individual that is maintained in a “system of records.”  A Privacy Act “system of records” exists when information from this system is retrieved using an individual’s name or personal identifier (case file number, Social Security number, etc.)

Federal agencies process access requests under both FOIA and the Privacy Act to provide requesters with the greatest degree of access.  When requests are processed under both laws, information may be withheld only if it is exempt under both laws – if only one of the laws declares the information exempt, it must be released.

OGIS and the Privacy Act

OGIS does not have statutory authority regarding Privacy Act requests. However, many Privacy Act requests overlap with FOIA; therefore, OGIS provides ombuds services for these types of requests. OGIS provides  Privacy Act requesters with information about the status of requests and/or about the Privacy Act/FOIA process within an agency. OGIS does not have a statutory role in reviewing policies, procedures and compliance with the Privacy Act as it does with FOIA.

Additional Privacy Act Information

The Privacy Act requires the Office of Management and Budget (OMB) to develop and, prescribe guidelines and regulations for the use of agencies in implementing the Act; and provide continuing assistance to and oversight of the implementation of the Act by agencies ( 5 U.S.C. § 552a(v)).  The majority of OMB guidelines for the Privacy Act can be found online, however, many areas have been supplemented through the years.

The Department of Justice’s Office of Privacy and Civil Liberties has compiled an Overview of the Privacy Act of 1974, which contains a summary of the Privacy Act as well as a discussion of its disclosure prohibition, its access and amendment provisions, and its agency recordkeeping requirements.

Amending your own records

Unlike FOIA, the Privacy Act allows for an individual to request an amendment to records that are not accurate, relevant, timely or complete. To request to amend your records, contact the Privacy Office of the agency where the records are kept. An agency has 30 working days to review a requested amendment and make a final determination. If the agency refuses to amend the record, you may submit a concise statement regarding the reasons for the disagreement that will be included in any future disclosures of the record. If an agency officially determines that it will not amend the record, you also may seek judicial review.

Privacy Breaches

If there is an unlawful release of Privacy Act-protected information, both the affected individual and the agency can take action.  If you believe that there has been a breach of Privacy Act-protected records, please contact the agency’s Privacy Officer to report the breach. Once the agency is aware of a breach, it must provide notice to affected individuals and possibly take additional measures such as provide credit monitoring for a specific period of time.