Reconciling FOIA and the Privacy Act
When you request records about yourself from the Federal government, agencies apply both the Freedom of Information Act (FOIA) and the Privacy Act of 1974 (Privacy Act) to grant the most access possible.
FOIA and the Privacy Act have different purposes. FOIA provides the public with a right of access to government records, while the Privacy Act was created to protect information about individuals from release to others while allowing them to access it. OGIS has written about the basic differences between the two laws before, and on October 24, 2012, we partnered with the Justice Department’s Office of Information Policy for our quarterly Requester Roundtable to tackle this topic in person.
About 20 requesters and agency FOIA and Privacy Act professionals covered many of the technical provisions of the laws and posed some helpful questions—and answers.
Q: How do you request your own records under the Privacy Act?
- You do not need to cite the name of the law in your request. When you request records about yourself, the agency will automatically process the request using both FOIA and the Privacy Act.
- You must validate your identity by using a certification of identity, or other such form, that you sign under penalty of perjury verifying that you are who you say you are. This DOJ form is a good example. Other departments and agencies have different forms for this purpose and you should check agency FOIA websites for the proper form to use.
- After a review for withheld material, the records will be released to you (or to a designee) and are not considered a release to the public. With FOIA, a release to one is a release to all. With the Privacy Act, a release is intended only for the individual requester.
Q: We know that FOIA applies to all agency records, which is just about anything that an agency maintains, but what is covered by the Privacy Act?
- Only Federal agencies are subject to the Privacy Act; state and local governments are not.
- Only records of U.S. citizens or Lawful Permanent Residents are covered; corporations, associations and foreign nationals are excluded.
- Records must be about an individual and contained in a location (or “system” in Privacy Act terms) where they can be retrieved by a name or identifier (such as a case number).
- The record must actually be retrieved by that name or identifier in its system of records. This becomes important in the digital age now that records are not necessarily kept in physical paper files. If a record is electronically stored, it does not matter that it could be retrieved by name; for it to qualify as a Privacy Act record, the record must actually be retrieved by name.
Q: How will the agency use both laws to process the request?
- The agency FOIA professional processing your request will likely start the analysis under the Privacy Act.
- If no Privacy Act exemptions apply, that ends the analysis and the record is released.
- If one of the 10 Privacy Act exemptions applies to any part of the record, the agency will then look to FOIA to determine if the information is also exempt under FOIA.
- If both a Privacy Act exemption and a FOIA exemption apply, the agency must withhold the information. The information must be exempt under both statutes to be withheld from disclosure.
Q: Can agencies disclose records about individuals without a request?
- Agencies must have what is called a “routine use” established through rulemaking, which includes public notice and comment, in order to share Privacy Act-protected information absent a request or the individual’s written consent. The Privacy Act also contains 12 conditions of disclosure under which agencies can disclose information about individuals without a request or consent. 5 U.S.C. § 552a(b).
- Agencies may only share information among themselves if the disclosure would fall within one of the 12 conditions of disclosure or there is a routine use that allows the sharing of information between agencies. OGIS is working to establish a routine use with all agencies so we can streamline our processes to discuss FOIA disputes.
- Agencies must have a specific purpose for a routine use to share information with the public, such as disclosure of sex offenders pursuant to federal law.
- If an agency makes a disclosure outside of what is allowed under the Privacy Act and a routine use does not apply, the individual can sue the agency for money damages.
Q: What if a record is about me, but not contained in a “system of records” or retrieved by my name or identifier?
- That record is not considered a Privacy Act record and would be processed under FOIA, applying any exemptions that might apply to protect privacy interests of third parties, such as Exemptions 6 or 7(C). 5 U.S.C. §§ 552(b)(6) or (7)(C).
- The good news is that since more agency records are not contained within Privacy Act “systems of records,” requesters have access to a bigger universe of records under FOIA.
Q: What if someone else requests records about me?
- The Privacy Act has a “no disclosure without consent” provision such that an agency cannot release your records without your permission.
- If your records are maintained in another individual’s file, the records would be processed under FOIA and FOIA privacy exemptions would apply unless you provided your signed consent to allow the release of your records.
Q: Who oversees the Privacy Act and the FOIA?
- The Office of Management and Budget is the legal authority for the Privacy Act.
- The Attorney General is charged with encouraging FOIA compliance.
- The Justice Department’s Office of Information Policy develops FOIA policy.
- OGIS is charged with reviewing agencies’ FOIA policies, procedures and compliance. While Privacy Act matters fall outside the scope of OGIS’s mission, because they often overlap with FOIA, we provide ombuds services to individuals requesting their own records.