OVERVIEW OF THE PRIVACY ACT OF 1974

INDIVIDUAL'S RIGHT OF ACCESS

"Each agency that maintains a system of records shall--upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual's record in the accompanying person's presence." 5 U.S.C. § 552a(d)(1).

comment --

The Privacy Act provides individuals with a means of access similar to that of the Freedom of Information Act. The statutes do overlap, but not entirely. See generally Greentree v. United States Customs Serv., 674 F.2d 74, 76-80 (D.C. Cir. 1982). The FOIA is entirely an access statute; it permits "any person" to seek access to any "agency record" that is not subject to any of its nine exemptions or its three exclusions. By comparison, the Privacy Act permits only an "individual" to seek access to only his own "record," and only if that record is maintained by the agency within a "system of records"--i.e., is retrieved by that individual requester's name or personal identifier--subject to ten Privacy Act exemptions (see the discussion of Privacy Act exemptions, below). Thus, the primary difference between the FOIA and the access provision of the Privacy Act is in the scope of information requestable under each statute.

An individual's access request for his own record maintained in a system of records should be processed under both the Privacy Act and the FOIA, regardless of the statute(s) cited. See H.R. Rep. No. 98-726, pt. 2, at 16-17 (1984), reprinted in 1984 U.S.C.C.A.N. 3741, 3790-91 (regarding amendment of Privacy Act in 1984 to include subsection (t)(2) and stating: "Agencies that had made it a practice to treat a request made under either [the Privacy Act or the FOIA] as if the request had been made under both laws should continue to do so."); FOIA Update, Vol. VII, No. 1, at 6; see also Blazy v. Tenet, 979 F. Supp. 10, 16 (D.D.C. 1997) (quoting subsection (t)(2) and stating that "[d]ocument requests therefore must be analyzed under both Acts"), summary affirmance granted, No. 97-5330, 1998 WL 315583 (D.C. Cir. May 12, 1998); Harvey v. United States Dep't of Justice, No. 92-176-BLG, slip op. at 8 (D. Mont. Jan. 9, 1996) ("Even though information may be withheld under the [Privacy Act], the inquiry does not end. The agency must also process requests under the FOIA, since the agency may not rely upon an exemption under the [Privacy Act] to justify nondisclosure of records that would otherwise be accessible under the FOIA. 5 U.S.C. § 552a(t)(2)."), aff'd, 116 F.3d 484 (9th Cir. 1997) (unpublished table decision); cf. Wren v. Harris, 675 F.2d 1144, 1146 & n.5 (10th Cir. 1982) (per curiam) (construing pro se complaint to seek information under either Privacy Act or FOIA even though only FOIA was referenced by name); Hunsberger v. United States Dep't of Justice, No. 92-2587, slip op. at 2 n.2 (D.D.C. July 22, 1997) (system from which documents at issue were retrieved was exempt pursuant to Privacy Act exemption (j)(2), "[c]onsequently, the records were processed for release under the FOIA"); Kitchen v. FBI, No. 93-2382, slip op. at 7 (D.D.C. Mar. 18, 1996) (although all requested documents were exempt under Privacy Act, they "were also processed under FOIA in the interest of full disclosure"); Kitchen v. DEA, No. 93-2035, slip op. at 9 (D.D.C. Oct. 12, 1995) (same), appeal dismissed for failure to prosecute, No. 95-5380 (D.C. Cir. Dec. 11, 1996); Freeman v. United States Dep't of Justice (FBI), 822 F. Supp. 1064, 1066 (S.D.N.Y. 1993) (implicitly accepting agency's rationale that "because documents releasable pursuant to FOIA may not be withheld as exempt under the Privacy Act," it is proper for agency not to distinguish between FOIA and Privacy Act requests when assigning numbers to establish order of processing, and quoting Report of House Committee on Government Operations, H.R. Rep. No. 726, which was cited by agency as "mandat[ing]" such practice); Pearson v. DEA, No. 84-2740, slip op. at 2 (D.D.C. Jan. 31, 1986) (same as Wren).

It should be noted that the Privacy Act--like the FOIA--does not require agencies to create records that do not exist. See DeBold v. Stimson, 735 F.2d 1037, 1041 (7th Cir. 1984); Perkins v. IRS, No. 86-CV-71551, slip op. at 4 (E.D. Mich. Dec. 16, 1986); see also, e.g., Villanueva v. Department of Justice, 782 F.2d 528, 532 (5th Cir. 1986) (rejecting argument that FBI was required to "find a way to provide a brief but intelligible explanation for its decision . . . without [revealing exempt information]"). But compare May v. Department of the Air Force, 777 F.2d 1012, 1015-17 (5th Cir. 1985) ("reasonable segregation requirement" obligates agency to create and release typewritten version of handwritten evaluation forms so as not to reveal identity of evaluator under exemption (k)(7)), with Church of Scientology W. United States v. IRS, No. CV-89-5894, slip op. at 4 (C.D. Cal. Mar. 5, 1991) (FOIA decision rejecting argument based upon May and holding that agency not required to create records).

For a discussion of the unique procedures involved in processing first-party requests for medical records, see the discussion below under 5 U.S.C. § 552a(f)(3).


FOIA/PRIVACY ACT INTERFACE EXAMPLE: ACCESS

Suppose John Q. Citizen writes to Agency: "Please send to me all records that you have on me."

For purposes of this example, assume that the only responsive records are contained in a system of records retrieved by Mr. Citizen's own name or personal identifier. Thus, both the Privacy Act and the FOIA potentially apply to the records.

(1) IF NO PRIVACY ACT EXEMPTION APPLIES

Result:

Mr. Citizen should receive access to his Privacy Act records where Agency can invoke no Privacy Act exemption.

The Agency cannot rely upon a FOIA exemption alone to deny Mr. Citizen access to any of his records under the Privacy Act. See 5 U.S.C. § 552a(t)(1); see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1184 (D.C. Cir. 1987) ("If a FOIA exemption covers the documents, but a Privacy Act exemption does not, the documents must be released under the Privacy Act.") (emphasis added); Hoffman v. Brown, No. 1:96cv53-C, slip op. at 4 (W.D.N.C. Nov. 26, 1996) (agreeing with plaintiff that "no provision of the Privacy Act allows the government to withhold or redact records concerning [his] own personnel records" and ordering production of e-mail and other correspondence regarding plaintiff's employment), aff'd, 145 F.3d 1324 (4th Cir. 1998) (unpublished table decision); Viotti v. United States Air Force, 902 F. Supp. 1331, 1336-37 (D. Colo. 1995) ("If the records are accessible under the Privacy Act, the exemptions from disclosure in the FOIA are inapplicable."), aff'd, 153 F.3d 730 (10th Cir. 1998) (unpublished table decision); Savada v. DOD, 755 F. Supp. 6, 9 (D.D.C. 1991) (citing Martin for proposition that "[i]f an individual is entitled to a document under FOIA and the Privacy Act, to withhold this document an agency must prove that the document is exempt from release under both statutes"); cf. Stone v. Defense Investigative Serv., 816 F. Supp. 782, 788 (D.D.C. 1993) ("[T]he Court must determine separately [from the FOIA] whether plaintiff is entitled to any of the withheld information under the Privacy Act."); Rojem v. United States Dep't of Justice, 775 F. Supp. 6, 13 (D.D.C. 1991) ("[T]here are instances in which the FOIA denies access and the Privacy Act compels release."), appeal dismissed for failure to timely file, No. 92-5088 (D.C. Cir. Nov. 4, 1992); Ray v. United States Dep't of Justice, 558 F. Supp. 226, 228 (D.D.C. 1982) (requester entitled, under subsection (c)(3), to addresses of private persons who requested information about him as "defendant is unable to cite a specific [Privacy Act] exemption that justifies non-disclosure of this information"), aff'd, 720 F.2d 216 (D.C. Cir. 1983) (unpublished table decision).

In other words, a requester is entitled to the combined total of what both statutes provide. See Clarkson v. IRS, 678 F.2d 1368, 1376 (11th Cir. 1982); Wren v. Harris, 675 F.2d 1144, 1147 (10th Cir. 1982) (per curiam); Searcy v. Social Sec. Admin., No. 91-C-26 J, slip op. at 7-8 (D. Utah June 25, 1991) (magistrate's recommendation), adopted (D. Utah Sept. 19, 1991), aff'd, No. 91-4181 (10th Cir. Mar. 2, 1992); Whittle v. Moschella, 756 F. Supp. 589, 595 (D.D.C. 1991); Fagot v. FDIC, 584 F. Supp. 1168, 1173-74 (D.P.R. 1984), aff'd in part & rev'd in part, 760 F.2d 252 (1st Cir. 1985) (unpublished table decision); see also 120 Cong. Rec. 40,406 (1974), reprinted in Source Book at 861. For access purposes, the two statutes work completely independently of one another.

(2) IF A PRIVACY ACT EXEMPTION APPLIES

Result:

Where a Privacy Act exemption applies, Mr. Citizen is not entitled to obtain access to his records under the Privacy Act.

But he may still be able to obtain access to his records (or portions thereof) under the FOIA. See 5 U.S.C. § 552a(t)(2) (Privacy Act exemption(s) cannot defeat FOIA access); Martin, 819 F.2d at 1184 ("[I]f a Privacy Act exemption but not a FOIA exemption applies, the documents must be released under FOIA.") (emphasis added); Savada, 755 F. Supp. at 9 (citing Martin and holding that agency must prove that document is exempt from release under both FOIA and Privacy Act); see also Shapiro v. DEA, 762 F.2d 611, 612 (7th Cir. 1985); Grove v. CIA, 752 F. Supp. 28, 30 (D.D.C. 1990); Simon v. United States Dep't of Justice, 752 F. Supp. 14, 22 (D.D.C. 1990), aff'd, 980 F.2d 782 (D.C. Cir. 1992); Miller v. United States, 630 F. Supp. 347, 348-49 (E.D.N.Y. 1986); Nunez v. DEA, 497 F. Supp. 209, 211 (S.D.N.Y. 1980). The outcome will depend upon FOIA exemption applicability. See generally FOIA Update, Vol. XV, No. 2, at 3-6 (encouraging discretionary disclosure whenever possible despite FOIA exemption applicability); FOIA Update, Vol. XIX, No. 4, at 3-5 (same).

(3) IF NO PRIVACY ACT EXEMPTION AND NO FOIA EXEMPTION APPLIES

Result:

The information should be disclosed.

(4) IF BOTH PRIVACY ACT AND FOIA EXEMPTIONS APPLY

Result:

The record may be withheld. But remember: When an individual requests access to his own record (a first-party request) maintained in a system of records, an agency must be able to invoke properly both a Privacy Act exemption and a FOIA exemption in order to withhold that record.

Rule:

ALL PRIVACY ACT ACCESS REQUESTS SHOULD ALSO BE TREATED AS FOIA REQUESTS

Note also that Mr. Citizen's first-party request--because it is a FOIA request as well--additionally obligates Agency to search for any records on him that are not maintained in a Privacy Act system of records. With respect to those records, only the FOIA's exemptions are relevant; the Privacy Act's access provision and exemptions are entirely inapplicable to any records not maintained in a system of records.

comment --

A particularly troubling and unsettled problem under the Privacy Act arises where a file indexed and retrieved by the requester's name or personal identifier contains information pertaining to a third party that, if released, would invade that third party's privacy.

As a preliminary matter, it should be noted that this problem arises only when a requester seeks access to his record contained in a non-law enforcement system of records--typically a personnel or background security investigative system--inasmuch as agencies are generally permitted to exempt the entirety of their criminal and civil law enforcement systems of records from the subsection (d)(1) access provision pursuant to 5 U.S.C. § 552a(j)(2) and (k)(2).

The problem stems from the fact that unlike under the FOIA, see 5 U.S.C. § 552(b)(6), (7)(C), the Privacy Act (ironically) does not contain any exemption that protects a third party's privacy. Cf. 5 U.S.C. § 552a(k)(5) (protecting only confidential source-identifying information in background security investigative systems). The Privacy Act's access provision simply permits an individual to gain access to "his record or to any information pertaining to him" that is contained in a system of records indexed and retrieved by his name or personal identifier. 5 U.S.C. § 552a(d)(1).

The leading case in this area is Voelker v. IRS, 646 F.2d 332, 333-35 (8th Cir. 1981). In Voelker, the Court of Appeals for the Eighth Circuit held that where the requested information--contained in a system of records indexed and retrieved by the requester's name--is "about" that requester within the meaning of subsection (a)(4)'s definition of a "record," all such information is subject to the subsection (d)(1) access provision. Id. at 334. In construing subsection (d)(1), the Eighth Circuit noted that there is "no justification for requiring that information in a requesting individual's record meet some separate 'pertaining to' standard before disclosure is authorized [and i]n any event, it defies logic to say that information properly contained in a person's record does not pertain to that person, even if it may also pertain to another individual." Id. Relying on the importance of the access provision to the enforcement of other provisions of the Privacy Act, and the lack of any provision in the exemption portion of the statute to protect a third party's privacy, the Eighth Circuit rejected the government's argument that subsection (b) prohibited disclosure to the requester of the information about a third party. Id. at 334-35. A careful reading of Voelker reveals that the Eighth Circuit appeared to equate the term "record" with "file" for subsection (d)(1) access purposes.

The District Court for the District of Columbia agreed with, and applied the reasoning of, Voelker in Henke v. United States Dep't of Commerce, No. 94-0189, 1996 WL 692020, at *4 (D.D.C. Aug. 19, 1994), aff'd on other grounds, 83 F.3d 1445 (D.C. Cir. 1996). In Henke, the government argued that information pertaining to third parties was exempt from disclosure because the same information was also contained in a system of records as to the third parties, and that disclosure of the information would violate subsection (b). Relying on Voelker, the court rejected the government's argument that information contained in one individual's records is exempt from the disclosure requirements of the Privacy Act simply because the same information is also contained in another individual's records, and it further stated that it would "not create an exemption to the Privacy Act that [C]ongress did not see fit to include itself." Id. On two earlier occasions, the D.C. District Court had held that subsection (b) could protect third-party information in a requester's file. See Savada v. DOD, 755 F. Supp. 6, 10 (D.D.C. 1991) (names of DIA security officials involved in investigation of plaintiff); Anderson v. United States Dep't of the Treasury, No. 76-1404, slip op. at 11-13 (D.D.C. July 19, 1977) (name of complainant). However, the rationale of these decisions is not entirely clear, and neither opinion was even mentioned in the more recent Henke opinion.

The result in Voelker also finds some tangential support in two other decisions--Wren v. Harris, 675 F.2d 1144, 1147 (10th Cir. 1982) (per curiam), and Ray v. United States Dep't of Justice, 558 F. Supp. 226, 228 (D.D.C. 1982), aff'd, 720 F.2d 216 (D.C. Cir. 1983) (unpublished table decision). In Wren, the Court of Appeals for the Tenth Circuit reversed a district court's judgment that FOIA Exemption 6 protected certain third-party information requested under the Privacy Act. 675 F.2d at 1147. In so ruling, the Tenth Circuit stated that "[o]n remand, should the district court find that the documents requested by Mr. Wren consist of 'his record' or 'any information pertaining to him,' and that they are 'records' contained in a 'system of records,' § 552a(a)(4), (5), (d)(1), then the court must grant him access to those documents as provided in § 552a(d)(1), unless the court finds that they are exempt from disclosure under [Privacy Act exemptions]," and it further observed that "the [district] court's reliance on [FOIA Exemption 6] to withhold the documents would be improper if the court determines that the [Privacy Act] permits disclosure." Id. In Ray, the court ruled that the requester was entitled to access, under subsection (c)(3), to the addresses of private persons who had requested information about him because no Privacy Act exemption justified withholding such information, notwithstanding that the agency's "concern about possible harrassment [sic] of these individuals may be legitimate." 558 F. Supp. at 228.

Voelker's rationale was purportedly distinguished (but in actuality was rejected) in DePlanche v. Califano, 549 F. Supp. 685, 693-98 (W.D. Mich. 1982), a case involving a father's request for access to a social security benefits file indexed and retrieved by his social security number which contained the address of his two minor children. In denying the father access to the children's address, the court reasoned that such third-party information, although contained in the father's file, was not "about" the father, and therefore by definition was not his "record" within the meaning of subsection (a)(4), nor was it information "pertaining" to him within the meaning of the subsection (d)(1) access provision. Id. at 694-96. In distinguishing Voelker, the court relied upon an array of facts suggesting that the father might harass or harm his children if their location were to be disclosed. Id. at 693, 696-98.

Other courts, too, have made findings that certain items of information, although contained in a file or document retrieved by an individual's name, did not qualify as Privacy Act records "about" that individual. See Nolan v. United States Dep't of Justice, No. 89-A-2035, 1991 WL 36547, at *10 (D. Colo. Mar. 18, 1991) (names of FBI agents and other personnel held not requester's "record" and therefore "outside the scope of the [Privacy Act]"), aff'd, 973 F.2d 843 (10th Cir. 1992); Haddon v. Freeh, 31 F. Supp. 2d 16, 22 (D.D.C. 1998) (applying Nolan and Doe, infra, to hold that identities and telephone extensions of FBI agents and personnel were not "about" plaintiff and thus were properly withheld); Springmann v. United States Dep't of State, No. 93-1238, slip op. at 8 & n.1 (D.D.C. Apr. 21, 1997) (citing Nolan and holding that name of foreign official who provided information to State Department and names of foreign service officers (other than plaintiff) who were denied tenure were "not accessible to plaintiff under the Privacy Act because the identities of these individuals d[id] not constitute information 'about' plaintiff, and therefore [we]re not 'records' with respect to plaintiff under the Privacy Act"); Hunsberger v. CIA, No. 92-2186, slip op. at 3-4 (D.D.C. Apr. 5, 1995) (citing Nolan and holding that names of employees of private insurance company used by Director of Central Intelligence and Director's unique professional liability insurance certificate number maintained in litigation file created as result of plaintiff's prior suit against CIA Director were not "about" plaintiff and therefore were not "record[s]" within meaning of Privacy Act); Doe v. United States Dep't of Justice, 790 F. Supp. 17, 22 (D.D.C. 1992) (citing Nolan and alternatively holding that "names of agents involved in the investigation are properly protected from disclosure"); cf. Allard v. HHS, No. 4:90-CV-156, slip op. at 9-11 (W.D. Mich. Feb. 14, 1992) (citing DePlanche with approval and arriving at same result, but conducting analysis solely under FOIA Exemption 6), aff'd, 972 F.2d 346 (6th Cir. 1992) (unpublished table decision).

The District Court for the District of Columbia was confronted with a more complex version of this issue in Topuridze v. USIA, 772 F. Supp. 662 (D.D.C. 1991), reconsidering Topuridze v. FBI, No. 86-3120, 1989 WL 11709 (D.D.C. Feb. 6, 1989), when the subject of a letter requested access to it and the agencies withheld it to protect the author's privacy interests. In Topuridze, the issue of access to third party information in a requester's file was further complicated by the fact that the information was "retrievable" by both the requester's identifier and the third party's identifier, Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989)--the record was subject to "dual retrieval." In apparent contradiction to the subsection (d)(1) access provision, subsection (b) prohibits the nonconsensual disclosure of an individual's record contained in a system of records indexed and retrieved by his name or personal identifier to any third party. See 5 U.S.C. § 552a(b). Because the letter was both the requester's and the third party's Privacy Act record, the government argued that subsection (b), though technically not an "exemption," nevertheless restricts first-party access under subsection (d)(1) where the record is about both the requester and the third-party author, and is located in a system of records that is "retrievable" by both their names. See Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989); Topuridze v. USIA, 772 F. Supp. at 665-66. Although the court had previously ruled that the document was not about the author, see Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at **2-3 (D.D.C. Feb. 6, 1989), on reconsideration it ruled that it need not reach that issue, finding that "[b]ecause the document is without dispute about the [requester], it must be released to him in any event." 772 F. Supp. at 665. On reconsideration, the court embraced Voelker and rejected the government's argument that subsection (b) created a "dual record exemption" to Privacy Act access. Id. at 665-66.

Although Topuridze has provided some further guidance, the difficult issue of an individual's right to access third party information retrieved by his name can be resolved only with careful consideration given to the following points:

(1) If the third-party information in the requester's file is truly not "about" him or her, could have no possible adverse effect on the requester, and is not retrieved by the third party's name or personal identifier, a plausible argument might be made (as in DePlanche, Nolan, and Doe) for withholding such information on the ground that it does not constitute an accessible "record" within the meaning of subsections (d)(1) and (a)(4).

(2) If third-party information in the requester's file is also "about" the requester--i.e., a "dual record"--subsections (d)(1) and (a)(4) seem to require release to the requester, for the reasons set forth in Voelker. See 646 F.2d at 333-35. The Act's definition of an accessible "record" does not contain any "exclusivity" requirement. See Unt v. Aerospace Corp., 765 F.2d 1440, 1450 (9th Cir. 1985) (Ferguson, J., dissenting). However, where release could lead to harassment or harm to the third party, as was the case in DePlanche, see 594 F. Supp. at 693, 696-98, a strong argument for withholding (one that, essentially, is an equitable one) may be possible. Yet, it is significant that the court in Topuridze concluded that the record at issue in that case must be released despite the credible argument that doing so could endanger the author; the court seemed to be no less concerned that such an argument "could be freely invoked by authors of even the most unfounded, defamatory and damaging records." See Topuridze v. USIA, 772 F. Supp. at 666. Furthermore, in light of the court's rejection of the government's more compelling "dual retrieval" argument in Topuridze, it would seem even less likely that the court would permit the withholding of third-party information that was not "dually retrieved," as was the case in DePlanche. Therefore, where DePlanche-type facts are present, agencies should consider use of in camera submissions to justify withholding such third-party information. See, e.g., Patton v. FBI, 626 F. Supp. 445, 447-48 (M.D. Pa. 1985), aff'd, 782 F.2d 1030 (3d Cir. 1986) (unpublished table decision).

(3) If the third-party information in the requester's file is also "about" the requester--i.e., a "dual record"--and the file is also indexed and retrieved by the third party's name or personal identifier--i.e., "dually retrieved," the Topuridze decision suggests that the information should be released to both parties. 772 F. Supp. at 665-66. The court in Topuridze specifically rejected the argument that subsection (b) prohibits disclosure to the requester absent consent of the third party, and it recognized that such a rule would operate to restrict "dual records" from disclosure to anyone other than the agency itself. Id.

A requester need not state his reason for seeking access to records under the Privacy Act, but an agency should verify the identity of the requester in order to avoid violating subsection (b). See OMB Guidelines, 40 Fed. Reg. 28,948, 28,957-58 (1975); see also 5 U.S.C. § 552a(i)(1) (criminal penalties for disclosure of information to parties not entitled to receive it); 5 U.S.C. § 552a(i)(3) (criminal penalties for obtaining records about an individual under false pretenses); cf., e.g., 28 C.F.R. § 16.41(d) (1999) (Department of Justice regulation regarding verification of identity).

Also, note that subsection (d)(1), like the FOIA, "carries no prospective obligation to turn over new documents that come into existence after the date of the request." Crichton v. Community Servs. Admin., 567 F. Supp. 322, 325 (S.D.N.Y. 1983).


Go to Table of Contents || Previous Section Accounting of Certain Disclosures || Next Section Individual's Right of Amendment