@INFO.POLICY: Robert Gellman

Web data and the Privacy Act are in conflict

Robert Gellman

How far can agencies go in making records available through their Web sites? I hope the answer is: Pretty far.

But conflicts may be lurking over the accessibility of records subject to the Privacy Act of 1974. The act establishes privacy and records management standards for federal systems of records about individuals.

While recently helping some agencies update their Privacy Act systems of record notices, I discovered a potential problem with disclosing personal records on the Internet. I also found a solution.

A brief word on the legal background. The act requires that whenever an agency discloses a Privacy Act record, except to agency employees or Freedom of Information Act requesters, it must maintain an audit trail of the date, nature and purpose of the disclosure and the person or agency to which it was released.

The maintenance of such audit trails is supposed to protect privacy by deterring wrongful disclosures and by allowing the tracing of any record sharing.

Unfortunately it doesn't work very well in the real world. Many federal workers are simply unaware of the accounting requirement. As a result, agencies sometimes comply, or don't, merely by accident.

Another problem with audit trails is that there is apparently little demand for them from record subjects. Ask around your agency and see if you don't get blank stares.

Public data included

The accounting requirement applies even when an agency discloses a wholly public record, such as an agency telephone book. Increasingly, agencies allow the public to use telephone books and similar resources on the Internet. Ethics reports and other similar filings are also public. Nevertheless, agencies that put public comments and docket information online in searchable form may be making disclosures from a system of records.

But here's the difficult question: If someone retrieves a record from an online service, does the accounting requirement apply? If it does, then we have a mess.

First, agencies commonly allow the public to use online resources without any registration. But if an accounting is required, then both the public and the agency would be burdened with collection of information of little interest. Besides, many Net users are annoyed when asked for personal information as a condition of access.

Obnoxious registration requests have certainly sharpened my own lying skills. I rarely give accurate information about myself on the Net. If you ask Web users for their names as a condition of getting a telephone number for a federal worker, expect to learn that Mickey Mouse makes a lot of requests.

Second, records about public use of the Internet might reflect how individuals exercise their First Amendment rights, for example, petitioning for redress of grievances. But the Privacy Act prohibits collecting information about the exercise of First Amendment rights without good cause.

So if attaching accounting requirements for public Internet files is a poor idea, how can you avoid it?

One approach is to deny that the information is retrieved from a system of records. Agencies must account for disclosures only when information retrieved by an individual identifier comes from a system of records. But arguing that most records are not retrieved by name is ignoring reality.

A better and more general approach is to treat public records as exempt from accounting. No one has addressed this point with any authority, but a decent argument can be extrapolated from old Privacy Act guidance from the Office of Management and Budget and from case law. The formal argument is too long and legalistic for this space, but I found it modestly convincing.

The argument is sustained in part by amendments to the Electronic Freedom of Information Act. One purpose of those amendments was to require agencies to make more information available by what the law calls 'computer telecommunications.'

Simply put, the law tells agencies to put more stuff on their Web sites. But if agencies must account for disclosures of public records, then the goal of the law will be significantly undermined for some records.

Can you safely ignore accounting requirements for your agency Web site? Maybe. Only your general counsel knows for sure. Perhaps if someone asked, OMB would issue updated Privacy Act guidance.

Robert Gellman is a Washington privacy and information policy consultant.

