Weaknesses in Privacy Act show every four years

The Privacy Act of 1974 recently had its quadrennial 15 minutes of fame in connection
with the "Filegate" investigation of the sharing of files between the FBI and
the White House.


During recent presidential campaigns, it seems someone always discovers a Privacy Act
violation. It is amusing to watch members of Congress, political appointees and
commentators wringing their hands over this, when they couldn't care less about the law
otherwise.


Remember when President Bush's State Department tried to retrieve Bill Clinton's
passport records during the 1992 campaign? This sparked a special prosecutor investigation
into Privacy Act violations. But when the campaign was over and the political interest
died, the privacy violations were quietly overlooked.


Between campaigns, the Privacy Act goes back to sleep. Without a political connection,
no one cares about any violation of the act.


I got a new perspective on the law recently. A small federal agency asked me to help
with a Privacy Act audit. There were no politics involved. Agency managers had discovered
that the organization had done nothing about its Privacy Act responsibilities since first
implementing the law in 1975. Admirably, they decided to rectify the situation.


This was an interesting experience for me. I had been used to dealing with legislation
from the point of view of a Capitol Hill draftsman concerned about policy. The details of
actual implementation usually are left to the agencies. For the audit, however, I was
forced to address those details and help the agency understand what it was expected to do
and how to do it.


The first thing I learned was that far too many agencies have inadequate, incomplete,
illegal or out-of-date Privacy Act notices. The law requires agencies to publish
descriptions of record-keeping practices for systems of records containing personal
information. Many descriptions are woefully out of date. Some don't even hint at the use
of desktop computers and computer networks in government. Too many agencies haven't
updated their Privacy Act notices since the days of the Lexitron.


Glaring deficiencies also are common in the routine-use section of the notices. A
routine use is akin to a regulation that authorizes an agency to disclose a personal
record. Without a proper routine use, disclosure of personal information outside the
agency is illegal. Nevertheless, deficient routine uses abound. During Filegate, the FBI
discovered that it had had an improper routine use in place for years. It is not alone.


From time to time, the Office of Management and Budget has issued guidance to keep
agencies current with court decisions about routine uses. Most agencies haven't bothered
to follow the OMB guidance. Remarkably, even OMB doesn't follow its own advice.


The second thing I learned was that figuring out how to comply with the act is not
obvious. Sometimes legislation is specific, and the challenge to agencies is to discern
how to conduct their activities and still comply with the minutiae.


The Privacy Act is different. The law's general requirements give agencies tremendous
discretion in implementation. This latitude is challenging in its own way.


Because there are so many methods of compliance and so little legislative direction,
decision-making is just as hard, if not harder. Some long-time Privacy Act officers think
it would help if the law were more detailed. The tradeoffs between legislative
micro-management and administrative flexibility are much more complex than I thought.


Another observation is that it takes agencies a long time to comply with publication
requirements, especially small agencies that do not have full-time staffs to oversee
administrative activities such as the Privacy Act. Maybe the law needs to show more
understanding of the demands of keeping publications current.


For most agencies, the Privacy Act is like a reverse lottery ticket. If an agency's
number happens to come up--as the FBI's did during Filegate--it will pay a price for years
of neglect. Intense scrutiny and publicity will make the agency look very bad for a while.


It does not take a lot of effort for agencies to comply with the law and avoid
potential liability and embarrassment, but most aren't even trying. Why should they? It's
four years until the next Privacy Act story emerges during the presidential campaign in
2000.


Robert Gellman, former chief counsel to the House Government Operations
Subcommittee on Information, Justice, Transportation and Agriculture, is a Washington
privacy and information policy consultant. His e-mail address is rgellman@cais.com.
 


