Memoranda 99-05, Attachment B (Privacy and Personal Information in Federal Records)
M-99-05, Attachment B
INSTRUCTIONS FOR COMPLYING WITH THE
A. WHAT IS THE PURPOSE OF THE REVIEW?
PRESIDENT'S MEMORANDUM OF MAY 14, 1998,
"Privacy and Personal Information in Federal Records"
The Privacy Act of 1974 (5 U.S.C. § 552a, the Act) requires agencies to inform the public of the existence of systems of records containing personal information, to give individuals access to records about themselves in a system of records, and to manage those records in a way to ensure fairness to individuals in agency programs.
For the Privacy Act to work effectively, it is imperative that each agency properly maintain its systems of records and ensure that the public is adequately informed about the systems of records the agency maintains and the uses that are being made of the records in those systems. Therefore, agencies must periodically review their systems of records and the published notices that describe them to ensure that they are accurate and complete. OMB Circular A-130, "Management of Federal Information Resources," (61 Fed. Reg. 6428, Feb. 20, 1996) requires agencies to conduct periodic reviews, and this memorandum satisfies that requirement for calendar year FY 1999. Agencies should continue to conduct reviews in accordance with the schedule in Appendix I of the Circular.
In addition to directing agencies to ensure the accuracy and completeness of their systems of records, the President also directed agencies to review their data sharing practices with state, local and tribal governments.
B. WHAT ACTIONS MUST AGENCIES TAKE?
Please notify OMB promptly of the name, title, address, phone number, and electronic mail address of the designated Senior Official for your agency.
Each agency shall conduct a thorough review of its systems of records, system of records notices, and routine uses in accordance with the criteria and guidance below. Because the President directed agencies to review systems of records, we have provided guidance on a subset of the Privacy Act's requirements that are particularly relevant to systems of records.
The goal is to focus agency resources on the most probable areas of out-of-date information, so that reviews will have the maximum impact in ensuring that system of records notices remain accurate and complete. An agency may rely on its ongoing reviews under Circular A-130 to help focus its review. An agency might decide to pay particular attention to identifying those systems of records that may have been altered by the application of new technology, changes in function, or changes in organizational structure that have occurred since the agency's last review of its systems of records. In addition, an agency may find the President's directive provides an opportunity to strengthen agency procedures to ensure reviews are timely conducted.
An important way for an agency to protect individual privacy is to limit the amount of information that the agency maintains about individuals. Therefore, each agency shall review its systems of records to ensure that they contain only that information about individuals that is "relevant and necessary" to accomplish an agency purpose.
The Privacy Act limits agencies to maintaining "only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or Executive order of the President." 5 U.S.C. § 552a(e)(1). Information that was relevant and necessary when a system of records was first established may, over time, cease to be relevant or necessary. This may result, for example, from a change in agency function or reorganization, or from a change in how the agency operates a program.
If your agency determines that any information about individuals in a system of records is no longer relevant and necessary, or if your agency determines that the entire system of records itself is no longer relevant and necessary, then the agency should expunge the records (or system of records) in accordance with the procedures outlined in the Privacy Act notice(s) and the prescribed record retention schedule approved by the National Archives and Records Administration. The system notice should be accordingly revised (or rescinded).
For that information which agencies do maintain, agencies must ensure the information's security and confidentiality. Therefore, each agency shall review its systems of records to ensure that the safeguards in place are appropriate to the types of records and the level of security required.
The Privacy Act requires agencies to "establish appropriate administrative, technical and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the information is maintained." 5 U.S.C. § 552a(e)(10). In addition, the Paperwork Reduction Act requires agencies to "implement and enforce applicable policies, procedures, standards, and guidelines on privacy, confidentiality, security, disclosure and sharing of information collected or maintained by or for the agency" and "identify and afford security protections commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information collected or maintained by or on behalf of an agency." 44 U.S.C. § 3506(g).
Over time, and given changes in how records are used and maintained, safeguards that may have been appropriate in the past may no longer be sufficient, or they may no longer be necessary. For example, safeguards that were appropriate for a system of records maintained in paper form may no longer be appropriate when the system of records has been converted to electronic form.
If your agency determines that changes to the safeguards should be made, then the agency should implement the changes and publish a system of records notice that reflects the updated safeguards. Note that the system of records notice should not state that access is limited to those who need the information in the course of their duties. Rather, the notice should explain how access is limited by describing the types of safeguards in place, such as locks, building access controls, passwords, network authentication, etc.
Non-statutory disclosures created by administrative mechanisms should only be made when appropriate. Therefore, each agency shall review its "routine uses" to identify any routine uses that are no longer justified, or which are no longer compatible with the purpose for which the information was collected.
The Privacy Act authorizes agencies to disclose information about individuals under a "routine use." A routine use is defined as a disclosure of a record outside of the agency "for a purpose which is compatible with the purpose for which it was collected." 5 U.S.C. § 552a(a)(7), (b)(3).
The Act requires agencies to include in their systems of records notices a description of the routine uses for which information in a system of records may be disclosed. 5 U.S.C. § 552a(e)(4)(D).
It may be the case that the circumstances which justified a routine-use disclosure have ceased to exist, or that the purpose for which the records are collected has changed over time so that the routine use no longer makes sense. Agencies should consult the Privacy Act Overview published by the Department of Justice each November (and available through the Government Printing Office) for judicial rulings which may affect the agency's routine uses. Such changes may well mean that the routine use is no longer justified or that the routine use is no longer compatible with the purpose for which the information is being collected. Agencies should review each routine use to ensure that each continues to be appropriate. In addition, agencies should review the associated system of records notices to ensure that it accurately and completely describes the routine uses, including the categories of users and the purpose of such use.
If an agency determines that a routine use is no longer appropriate, the agency should discontinue the routine-use disclosures and delete the routine use from the system of records notice. If an agency determines that the system of records notice does not accurately and completely describe the routine uses, the agency should revise the notice accordingly.
In order to ensure fairness to individuals they must be able to determine who has seen their records and when they were seen. Therefore, each agency should review its procedures for accounting for disclosures to ensure they are working properly.
The Privacy Act requires agencies to "keep an accurate accounting" regarding "each disclosure of a record to any person or to another agency, "and to retain the accounting for at least five years or the life of the record, whichever is longer." 5 U.S.C. § 552a(c). As in the other contexts discussed above, "changes in technology, function, and organization" may result in accounting procedures becoming outdated or may result in inadequate implementation of accounting procedures that remain appropriate. An agency is relieved by the statute of accounting for disclosures made within the agency on a need-to-know basis or disclosure required by the Freedom of Information Act. 5 U.S.C. § 552a(c)(1). However, all other disclosures under 5 U.S.C. § 552a(b) must be accounted for, including those made under routine uses, and those made pursuant to requests from law enforcement agencies (even though the latter may be exempt from disclosures to the subject individual). While an agency need not keep a running tabulation of every disclosure at the time it is made, the agency must be able to reconstruct an accurate and complete accounting of disclosures so as to be able to respond to requests in a timely fashion.
If an agency determines that changes to the accounting procedures should be made, then the agency should implement the changes promptly.
Groups of records which have different purposes, routine uses, or security requirements, or which are regularly accessed by different members of the agency staff, should be maintained and managed as separate systems of records to avoid lapses in security. Therefore, agencies shall ensure that their systems of records do not inappropriately combine groups of records which should be segregated. This ensures, for example, that routine uses which are appropriate for certain groups of records do not also apply to other groups of records simply because they have been placed together in a common system of records.
Over time, changes in agency operations or functions may result in increased differences among the records that are contained within a common system of records. Groups of records that once were appropriately combined into a common system may have become sufficiently different that they should be divided into separate systems. Accordingly, during the course of the agency's review of its systems of records under B.2. of these instructions, and of its systems notices under B.3. of these instructions, an agency should identify instances where a system of records includes groups of records which -- because of their different purposes, routine uses, or security requirements -- should not be combined together into a common system of records, but instead should be maintained and managed as separate systems of records.
In addition, agency systems of records should not duplicate or be combined with those systems which have been designated as "government wide systems of records." A government wide system of records is one for which one agency has regulatory authority over records in the custody of many different agencies. Usually these are federal personnel or administrative records. Such government-wide systems ensure that privacy practices with respect to those records are carried out in accordance with the responsible agency's regulations uniformly across the federal government. For example, a civilian agency subject to the personnel rules of the Office of Personnel Management should manage its official personnel folders in accordance with the government wide notice published by OPM for those records, OPM/GOVT-1. The custodial agency need not, and should not, publish a system of records which covers the same records. A list of government-wide systems of records may be found at Attachment C, along with the name of someone who can answer specific questions about those systems of records.
3. Ensure notices describing systems of records are up-to-date, accurate and complete.
In order to exercise their rights, individuals must have access to an up-to-date statement of what types of information are maintained and for what reasons. Therefore, each agency shall conduct a review of its systems of records notices to ensure that they are up-to-date, to conform with any necessary changes identified during the review under section B.2. of these instructions.
The Privacy Act requires agencies to publish, upon the establishment of a system of records, a notice that describes the system. 5 U.S.C. § 552a(e)(4). The core purpose of a system of records notice is to inform the public what types of records the agency maintains, who the records are about, and what uses are made of them. As the President noted in his Memorandum, however, "changes in technology, function, and organization" may have the effect of making system of records notices "out of date."
A systems of records notice should accurately and completely describe each category in the notice to comply with the requirements of 5 U.S.C. § 552a(e)(4) and the Federal Register Document Drafting Handbook. (The Handbook can be found at the web page of National Archives and Records Administration (NARA), at http://www.nara.gov/fedreg/draftres.html or by contacting the Office of the Federal Register.) The goal is to provide a notice helpful to someone who might be a subject of the records. The reviewer should ask, "If this system of records contained information about my friends or relatives, would this notice allow them to understand what type of records are kept, who uses them, and why?"
Agencies should take note that the descriptive categories for systems of records notices have changed over time. For example, the Drafting Handbook now requires that each system of records include a Purpose statement. This statement should briefly explain the program purpose for which the records are collected and which the system of records supports.
While a notice-by-notice review may be appropriate, an agency may also decide to concentrate its review by focusing on those notices that are more likely to contain outdated information. An agency using this targeted approach, for example, could begin its review by identifying changes in technology, function, and organization -- that is, changes in how the agency operates -- that would have the potential to make a system of records notice out-of-date. Based on this analysis, the agency would then identify those systems of records that would most likely have been affected by these changes in agency operations. Under this approach, an agency should focus its review on those notices that apply to systems of records that have been automated; that are operated by an office (or for a program) that has been assigned increased (or decreased) responsibilities; or that have been involved in an agency reorganization. This is not meant to be an exhaustive list; an agency should seek to identify other ways in which changing agency operations may have affected the accuracy and completeness of its systems of records notices.
4. Identify any Unpublished Systems of Records.
In passing the Privacy Act, the Congress made a strong policy statement that in order to ensure fairness, there shall be no record keeping systems the very existence of which is secret. Therefore, each agency shall review its operations to identify any de facto systems of records for which no system of records notice has been published.
If the agency identifies any such unpublished systems of records, then the agency should publish a system of records notice for the system promptly. Agencies shall implement appropriate measures (e.g., training) to ensure that system of records are not inadvertently established, but instead are established in accordance with the notice and other requirements of the Privacy Act.
5. Review Information Sharing Practices with State, Local and Tribal Governments.
In accordance with the President's May 14, 1998, directive and the Vice President's announcement on July 31 that the Administration intends to open a dialogue with the States about information sharing, each agency shall review their practices of sharing personal information with State, local and tribal governments. This review should include a review of the agency's systems of records, computer matching programs, and routine uses which provide for intergovernmental collection or disclosure of information. Agencies should not survey the States to collect information, but should use internal sources of information to conduct the review.
Agencies should pay particular attention to the types of information that is being shared; the purpose(s) for which the information is shared; the frequency with which it is shared; and the rules (if any) regarding the retention, re-disclosure, and destruction of Federally-supplied information by the State, local or tribal governments. In conducting this review, agencies shall evaluate whether each collection or disclosure continues to be appropriate and consider whether adequate confidentiality and security safeguards apply. In this regard, "changes in technology, function, and organization" (whether at the Federal level or at the State, local or tribal level) may render outdated the sharing of certain types of information (or the frequency of sharing), or may result in applicable safeguards being inadequate (or inadequately implemented).
Based on these reviews, agencies should identify any potential changes to information sharing practices that deserve further review. Agencies should address, including through discussions with their governmental counterparts, whether and how such potential changes should be made.
6. Report to OMB.
After completing the review outlined above, each agency should summarize its findings in a report to OMB, as described below.
b. A summary of the actions taken as a result of the review, including citations to the Federal Register notices of any issuances of, or revisions to, systems of records notices.
c. A summary of future actions that the agency plans to take as a result of the review to assure sound privacy practices across the agency, and a schedule of when those actions will be completed.
d. A summary of the agency's review of its routine uses, including, in particular, the extent to which the agency found that its routine uses remain justified and compatible with the purpose for which the information was collected.
e. A description of the agency's major information sharing practices with State, local and tribal governments, including in particular whether the review identified potential changes to sharing practices that will undergo further review (and if so, a description of such potential changes).
f. Any subjects on which the agency would like further OMB guidance on the Privacy Act, and any recommendations regarding such guidance.
D. WHO CAN ANSWER QUESTIONS ABOUT THIS MEMORANDUM?
Maya A. Bernstein
Senior Policy Analyst
Information Policy and Technology Branch
Office of Information and Regulatory Affairs
725 17th Street, NW
Washington, DC 20503