THE PRIVACY ACT by captainrhoades



The Privacy Act (PA) is designed to accomplish several purposes. Primarily, it limits the
government’s ability to collect information about an individual to that authorized by law or
executive order and necessary for government business. The PA also authorizes individuals to
access records maintained on them by the government and to correct factual errors therein. The
PA only governs activities of the federal executive branch of government.


- Every system of records must be listed in the Federal Register, regardless of who establishes
  or maintains the records, before information may be collected

   -- A system of records contains information on individuals that is retrieved by the
      individual’s name or personal identifier (such as SSN); all systems of records must have a
      PA warning on them

   -- System of records developers and managers must perform Privacy Impact Assessments
      before creating a system of records or modifying information contained in a system of

   -- Personal notes maintained by a supervisor as memory aids at her own initiative are not
      considered a system of records, even if maintained by name or personal identifier, unless
      the records are required by command policy or regulation, or the supervisor shows the
      records to other agency personnel

- Contractors who maintain systems of records for an executive agency are bound by the PA

- Before being required to provide information for a system of records, an individual must be
  given the opportunity to read the Privacy Act Statement (PAS) for the system of records; the
  PAS appears in the Federal Register listing for the system of records and can be posted as a
  sign or printed and handed to the individual. The PAS may also be given verbally to the
  individual. It includes the authority for collecting the information, whether disclosure is
  voluntary or mandatory, routine uses of the information, and consequences of not providing
  the information, if any


- To the subject of the record

   -- Subjects of PA records and their designated representatives may request copies of their

       --- Individuals do not need to state a reason for requesting access
       --- System managers must verify the requester’s identity

   -- Requesters must describe the records they are seeking; “all records on me” is not
      sufficient; system managers may ask for clarification

   -- Requesters may not use government resources to create or send their request

   -- If records will be released, the system manager must notify the sender within 10 work days and
      provide access to the record within 30 work days of receiving the request; the system
      manager may take up to 20 work days to determine whether release is authorized if he
      notifies the requester of the reason for the delay within 10 work days

   -- The requester may have to pay fees if the record exceeds 100 copied pages

   -- Denials

       --- For a record to be denied, it must be covered by an exemption published in the
           Federal Register as a final rule

           ---- Only specific documents in the record covered by the exemption may be denied

           ---- Segregate non-exempt documents and release them

       --- Third-party information contained in the record may be redacted depending on the
           nature of the information and its relevance to the record; always contact your
           servicing legal office for guidance on releasing third party information in a PA record

       --- System managers send recommendations for denials to their servicing legal office and
           PA office for review within five days of receiving the request

       --- MAJCOM commanders take action on recommended denials

   -- Limits on release to subject of record

       --- Do not release information collected in anticipation of civil litigation or created as
           attorney work product

       --- Have medical records reviewed by a doctor before release; if the doctor determines
           disclosing the records could cause mental harm or hardship to the requester, ask the
           requester for the name of a physician to whom the records can be sent. Include a
           letter to that physician with the records explaining the reviewing doctor’s basis for
           not disclosing the records directly to the requester

       --- Consult AFI 41-210 and DOD 6025.18-R for additional guidance regarding medical

- To third parties

   -- The PA requires written consent from the subject before releasing information unless one
      of 12 exceptions applies. Use this checklist to determine whether release to a third party
      is appropriate

   -- Do not place PA information in areas where individuals without an official need to know
      will have access (including common drives on computer systems)

   -- Before releasing information other than that specifically protected by the PA, balance the
      public interest in disclosing the information against the subject’s probable loss of privacy

   -- Exceptions allowing disclosure to third parties without subject consent

       --- To DoD employees with an official need to know

       --- Disclosure is required by the Freedom of Information Act (FOIA)

       --- To agencies outside DoD, if consistent with the routine uses listed in the Federal
           Register’s system of records notice

       --- To the Bureau of the Census

       --- Compilations of statistical data where individual data is not identifiable

       --- To the National Archives and Records Administration for permanent storage

       --- To a federal, state, or local agency for civil or criminal law enforcement action
           (requires written request from head of the agency)

       --- To an individual or agency requiring the information for compelling health or safety
           reasons (the subject of the records need not be at risk)

       --- To the Congress

       --- To the Comptroller General

       --- To a court of competent jurisdiction in response to a court order from the judge

       --- To a consumer reporting agency (see 31 U.S.C. § 3711 for guidelines), if allowed by
           system of records notice


- Medical Records of Minors
   -- If overseas and the minor is between ages 15 and 17, inclusive, do not release a minor’s
      medical records to the minor’s parents or legal guardians without court order or consent
      from the minor, if regulation or statute provides for confidentiality of the records and the
      minor has asked for confidentiality

   -- If within the territorial United States, state laws may limit parental access to medical
      records of their children. Consult with your servicing legal office for compliance

- When transmitting PA material using e-mail, the sender must include a warning that the
  e-mail contains PA material and is FOUO at the beginning of the message and include
  “FOUO” at the beginning of the subject line

- Do not place PA material on Internet sites accessible by individuals without an official need
  to know the information

- Violations

   -- Subjects may file suit in civil court to gain access to PA materials and correct errors in
      those materials; the court may award attorneys’ fees, court costs, and damages of $1,000
      or more

   -- Individuals may be criminally prosecuted for willful, unauthorized disclosures of PA
      information or maintenance of an unauthorized system of records; this is a misdemeanor
      offense carrying a maximum fine of $5,000

5 USC § 552a, Privacy Act
DoD 6025.18-R, DoD Health Information Privacy Regulation, 24 January 2003
AFI 33-332, Privacy Act Program, 29 January 2004
AFI 41-210, Patient Administration Functions, 12 November 2003
