A CITIZEN'S GUIDE ON USING THE FREEDOM OF INFORMATION ACT
AND THE PRIVACY ACT OF 1974 TO REQUEST GOVERNMENT RECORDS
[ table of contents ] [ next section ]
VII. G. REASONS ACCESS MAY BE DENIED UNDER THE PRIVACY ACT
Not all records about an individual must be disclosed under the Privacy Act. Some records may be withheld to protect important government interests such as national security or law enforcement.
The Privacy Act exemptions are different than the exemptions of the FOIA. Under the FOIA, any record may be withheld from disclosure if it contains exempt information when a request is received. The decision to apply a FOIA exemption is made only after a request has been made. In contrast, Privacy Act exemptions apply not to a record but to a system of records. Before an agency can apply a Privacy Act exemption, the agency must first issue a regulation stating that there may be exempt records in that system of records.
Without reviewing system notices or agency regulations, it is hard to tell whether particular Privacy Act records are exempt from disclosure. However, it is a safe assumption that any system of records that qualifies for an exemption has been exempted by the agency.
Since most record systems are not exempt, the exemptions are not relevant to most requests. Also, agencies do not always rely upon available Privacy Act exemptions unless there is a specific reason to do so. Thus, some records that could be withheld will nevertheless be disclosed upon request.
Because Privacy Act exemptions are complex and used infrequently, most requesters need not worry about them. The exemptions are discussed here for those interested in the act's details and for reference when an agency withholds records. Anyone needing more information about the Privacy Act's exemptions can begin by reading the relevant sections of the act. The complete text of the act is reprinted in an appendix to this Guide.\37\
The Privacy Act's exemptions differ from those of the FOIA in another important way. The FOIA is a disclosure law. Information exempt under the FOIA is exempt from disclosure only. The Privacy Act, however, imposes many separate requirements on personal records. Some systems of records are exempt from the disclosure requirements, but no system is exempt from all Privacy Act requirements.
For example, no system of records is ever exempt from the requirement that a description of the system be published. No system of records can be exempted from the limitations on disclosure of the records outside of the agency. No system is exempt from the requirement to maintain an accounting for disclosures. No system is exempt from the restriction against the maintenance of unauthorized information on the exercise of first amendment rights. All systems are subject to the requirement that reasonable efforts be taken to ensure that records disclosed outside the agency be accurate, complete, timely, and relevant. Each agency must maintain proper administrative controls and security for all systems. Finally, the Privacy Act's criminal penalties remain fully applicable to each system of records.
\37\ In 1975, the Office of Management and Budget (OMB) issued guidance to Federal agencies on the Privacy Act of 1974. Those guidelines are a good source of commentary and explanation for many of the provisions of the act. The OMB guidelines can be found at 40 Federal Register 28948 (July 9, 1975).