Answering Questions on the Privacy Act

Last week we held another meeting of our continuing Requester Roundtable series.  These meetings allow a regular opportunity for members of the requester community to meet with agency personnel to discuss various topics surrounding the administration of the FOIA. The topic for this past meeting was the “FOIA and Privacy Act Interface,” where OIP Director Melanie Ann Pustay led a discussion on the two principal ways in which the Privacy Act of 1974 impacts agency processing of FOIA requests.  Passed nearly a decade after the FOIA, the Privacy Act establishes a code of fair information practices that governs the handling of certain information about individuals that is maintained in agency files.  The Privacy Act provides requesters with a right to seek access to their own records.  It also prohibits agencies from disclosing information about an individual to someone else, without their consent, unless the disclosure falls within one of twelve exceptions.  These provisions and the way agency personnel take them into account when processing FOIA requests were discussed at the roundtable.  Among the topics of interest to the group were:

• Certification of Identification – When individuals make requests for records on themselves, agencies typically require them to verify their identity.  At the roundtable we discussed the importance of this requirement in protecting privacy by ensuring that one person's records are not inappropriately released to someone else.  We also discussed how individuals can authorize release of their records to someone that they designate.  Typically, to verify a person's identify the agency will ask the individual to provide his or her full name, current address, and date and place of birth.  The individual must then certify to their identity by having their signature either notarized or submitted under penalty of perjury.   At the Department of Justice, Form DOJ-361 can be used both to verify an individual's identity and to authorize release of an individual's records to someone else.
• Privacy Act System of Records – The Privacy Act only applies to records that are located in a "system of records."  As defined in the Privacy Act,  a system of records is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual."  5 U.S. C. § 552a(a)(5) (2006 & Supp. IV 2010).  This is a significant contrast from the FOIA, which broadly covers any agency record.  

As a matter of longstanding practice, agencies afford requesters the benefit of access under both the Privacy Act and the FOIA whenever someone makes a request for records on themselves.  The scope of access under the two laws was yet another focus of discussion at the roundtable. The Justice Department’s Office of Privacy and Civil Liberties publishes the Overview of the Privacy Act of 1974, which describes in detail all the various provisions of the Privacy Act and the cases interpreting them.  OIP will again be partnering with the Office of Government Information Services for another slate of Requester Roundtable meetings over the upcoming fiscal year.  These meetings are open to the public and interested agency personnel, with topics generally announced a few weeks before each scheduled meeting.  The next meeting is scheduled for the beginning of 2013, and details will be announced here on FOIA Post as they are finalized.