Privacy information is information about an individual including, but not limited to, personal identifying information, social security number, payroll number, information on education, financial transactions, medical history including results of drug testing, and criminal or employment history.
The Privacy Act addresses information contained in "Federal systems of records." A system of records is a collection of information on individuals in which the information is retrievable by the individual's name, identifying number, symbol, or other identifying particular. An individual is defined in the act as a citizen of the U.S. or an alien lawfully admitted for permanent residence.
The Privacy Act requires that privacy information in the custody of the Federal Government be protected from unauthorized disclosure and provides for both civil and criminal penalties for violation of the act.
Privacy information in the custody of government contractors is not covered by the Privacy Act unless the contractor is performing on a contract under which the contractor is provided access to or custody of such information by the Federal Government. Under this condition, the law would apply to contractor personnel the same as it applies to government personnel.
Government contractors in most states are subject to state privacy laws that require companies to protect privacy information as defined by state law.
Statutory/Regulatory Responsibilities & Obligations
Office of Management and Budget (OMB) has oversight responsibility for government policies to protect privacy information.
Access to Privacy Information
The Privacy Act requires government departments and agencies to promulgate rules regarding circumstances under which an individual has a right to see his or her own records. It also requires all departments and agencies to develop rules of conduct and training for personnel with access to privacy records.
The Privacy Act lists 12 circumstances under which privacy information may be communicated to other persons without the prior written consent of the individual to whom the record pertains. Any other communication of privacy information requires a written request or the prior written consent of the individual to whom the record pertains.
Marking and Safeguarding Privacy Information
The law does not specify specific marking or safeguarding requirements. It does require that each government agency that establishes a system of records containing privacy information also establish "appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity "
Title 5 USC 552a, allows civil remedies against the United States for noncompliance, criminal penalties for individual acts of non-compliance, and criminal penalties for maintaining a system of records without meeting the reporting requirements of the Privacy Act.
Title 12 USC 3417 of the Right to Financial Privacy Act allows civil penalties to agencies and requires an investigation by the Office of Personnel Management and appropriate disciplinary action for federal employees disclosing financial information.
Title 18 USC 1905 applies to disclosure by a government employee of any information provided to the government by a company or other nongovernment organization, if the provider of the information identified it as proprietary or as being provided to the government in confidence. The penalty is mandatory removal from office (termination of employment), and the offender may be fined not more than $1,000 and imprisoned not more than one year.
Legal & Regulatory Authorities
Title 5 USC 552a
Records Maintained on Individuals (Privacy Act)