What is the Privacy Act and why does it exist?
The Privacy Act of 1974 (5 U.S.C. 552a, as amended) is a code of Fair Information Practice Principles (FIPPs) that governs how Federal agencies in the Executive branch collect, use, and maintain records about individuals. It was enacted into law to balance a person's right to privacy with the Federal Government's need to collect personal information that is required to carry out its responsibilities. An overview of the Privacy Act is provided in this brief video developed by the Federal Privacy Council: FPC: The Privacy Act of 1974.
Who is covered under the Privacy Act?
The Privacy Act protects the rights of U.S. citizens and lawful permanent resident aliens (referred to as individuals). The Privacy Act does not cover records of deceased persons or non-persons (businesses, agencies, institutions).
What type of records are covered by the Privacy Act?
The Privacy Act uses the term “system of records” to distinguish records that are subject to the provisions of the Privacy Act. A system of records may consist of paper documents, electronic files, or a combination of both. To be designated as a system of records under the Privacy Act the identified records must:
- contain information on individuals who are covered by the Privacy Act;
- be maintained by Federal agencies of the Executive branch of government; and
- be retrieved by use of a personal identifier, such as a person's name, Social Security Number, biometrics (fingerprint, facial recognition), medical record number, or other unique identifier.
How do I know if a Federal Agency is maintaining records about me in a system of records that is subject to the provisions of the Privacy Act?
The Privacy Act requires Federal agencies to notify individuals of the existence of systems of records through public notice in the Federal Register and by providing individual notice when the personal information is collected from the individual.
The Privacy Act requires Federal agencies to publish a System of Records Notice (SORN) in the Federal Register when a system of records is established, changed, or decommissioned. The SORN provides guidance on who you should contact to confirm if you are a subject in the system of records. In addition, it tells you how you may submit a Privacy Act Request to access the records and your rights to amend the information contained therein. Federal agencies are required to make their SORNs publicly available via the department’s privacy office webpage; use the following link to access DOI SORNs.
Individual notice is provided by presenting the person with a Privacy Act Statement (PAS) when personal information is collected. The statement may be included on the collection instrument (form/web form) or presented as a separate article that may be retained by the individual. The PAS must inform the individual of: (a) the authority to collect their information (whether granted by statute, or by executive order of the President); (b) whether providing their information is mandatory or voluntary; (c) the purpose or purposes for which the information is intended to be used; (d) the routine uses which allow for disclosure of information to specified third parties; (e) the effects on the individual, if any, for not providing all or any part of the requested information; and (f) the SORN(s) that cover the records.
Does the Privacy Act cover records regarding an employee? What type of information is collected in these records?
Yes, as your employer, DOI needs to collect and maintain certain personal information on you to carry out its managerial and administrative responsibilities. DOI uses this information to provide many essential services, to include management of your pay, medical benefits, training, and retirement.
Who has access to information/records about an employee?
The Privacy Act was enacted to maximize access for the person who is the subject of the record (first-party), while minimizing access to other people (third-party). Under the Privacy Act, there are twelve exceptions that allow an individual’s information to be disclosed to a third party without their explicit consent. The exceptions include personnel who have a need to know within the agency, such as immediate supervisors, managers, and other Department employees who may require access to employee records in the performance of their official duties. When requested by competent authority, employee records may be disclosed to law enforcement officials, a court of law, Congress, the Census Bureau, and other Federal agencies to comply with statutory requirements (for example, the Internal Revenue Service for tax reporting). Information may also be shared with other entities specified as Routine Uses in the published SORN. Further, access may be granted to a person designated by the subject of the record, parent of a minor, or a legally appointed guardian/conservator.
Why does the Privacy Act restrict who has access to employee records?
Simply stated, access is restricted to protect individuals from an unwarranted invasion of privacy. Employee records contain personal information that may be sensitive in nature, for example, information about a person’s health, disability, job performance, religious beliefs, criminal record, family members, or union membership.
The Privacy Act also includes provisions that allow agencies to further restrict access to information in a system of records by stipulating ten exemptions. Federal agencies must promulgate regulations to exempt records and incorporate the final rule in the applicable SORN. Exempt systems of records are also included in the agency Privacy Act Regulations published in the Code of Federal Regulations (CFR). The DOI Privacy Act Regulation is at 43 CFR Part 2, Subpart K.
Why do we have to follow the Privacy Act?
The Privacy Act is designed to protect your privacy from unwarranted invasion, to make sure that personal information in possession of Federal agencies is properly used, and to prevent any potential misuse of personal information entrusted to the Federal government. Agencies are required to establish and implement administrative, technical, and physical safeguards to ensure the security and confidentiality of records from hazards or threats that could result in substantial harm, embarrassment, inconvenience, or unfairness to the individual who is the subject of the records. Willful violations of the Privacy Act may result in civil or criminal penalties against the agency and/or an agency employee who fails to comply with Federal privacy laws.
Where can I find additional information on the Department’s implementation of Privacy Act requirements?
Information on the DOI Privacy Program can be accessed on the web at DOI Privacy Program. You may also direct your questions and concerns to the USGS Associate Privacy Officer (APO) via email at email@example.com.