Privacy Act Exemptions (You Really Need to Know This)

By 5 'n Dime, published in Homeland Security, Jun 14, 2016

[REDACTED]

So here’s the deal — we know the government collects information about us, and we know they keep that information in many different systems, and for a lot of different purposes. We know this because the law says the government has to tell us about it in System of Records Notices, or SORNs. And they do. We’ve talked about SORNs and some of the kinds of databases used by the government in an earlier post.

The Privacy Act is a pretty important piece of law, created specifically because of privacy rights concerns in these newfangled computer databases (the law has been in place since the mid-70s). It basically does four things — requires agencies to share the data they have with the person the records are about; makes agencies follow fair practices in collecting and holding personal data; restricts the sharing of that data; and provides that individuals can sue agencies that violate the law. The law gives us quite a few rights in our personal details (knowing it’s out there, how it’s used, etc.) and says that information in these systems can’t be released without our written permission — but all of this applies only if (oh, you knew it was coming) there’s not a qualifying exemption.

What does that look like, and how do we know? Well, they’ve got to tell us that, too. Let’s take a look and walk through it.

So, back this last May, the FBI proposed several exemptions from the Privacy Act for its Next Generation Identification (NGI) System. This system, much like Homeland Security’s IDENT discussed in the earlier database article above, contains biometrics on individuals. Exemptions are fairly common when an agency releases a System of Records Notice, and here is how the FBI’s Final Rule for Privacy Act Exemptions reads:

“The following system of records is exempt from 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2) and (3); (e)(4)(G), (H)(I); (e)(5) and (8); (f) and (g) of the Privacy Act….”

So you totally know what is exempted from the Privacy Act now, right?

Yeah, we didn’t think so.

But we watch the news. We know the FBI really likes decrypting things. Some of us even went to law school. So let’s lead by example and see what that gobbledygook means in actual words:

1. Section 552a(c)(3) and (4) = Tracking

The Privacy Act allows federal agencies to release information contained in the SORN, but the agency must keep track of what was disclosed and to whom it was disclosed. Normally §552a(c)(3) would also require that the disclosure be made available to the individual named in the record, at his or her request.

This exemption means you can’t request what exact personal information was released, or to whom the information was disclosed. If the FBI gives information to other agencies or entities, it doesn’t have to notify you.

2. Sections 552a(d)(1), (2), (3) and (4) = Reviews

These sections allow individuals to “gain access to his record or to any information pertaining to him which is contained in the system.” If the information is inaccurate, the individual may request that the agency correct the inaccuracies or explain the reason the agency will not update the record.

This exemption means an individual may no longer gain access to the information contained on him or her in the NGI, and cannot request to correct any inaccurate information.

3. Section 552a (e)(4)(G), (H)(I) = Procedures

The law requires that an agency notify the public of any changes to the existence and character of a system of records. This exemption provides that agencies don’t have to include procedures to see if the database contains information about an individual, or the procedures to access that information, in such a notice.

This one makes sense, of course. Without a right, there’s no remedy. Wouldn’t do much good to send out notices of the procedures for requesting access and redress if there’s no access or redress in the first place.

4. (e)(4)(I) = Sources

This section allows an agency to not release all of the categories of sources of the records in the system. This one is interesting, and sticky. Most SORNs allow the reader to know where the information contained in the database comes from. This exemption means the NGI doesn’t.

Let’s say someone was inaccurately included on the No Fly List. To the extent any kind of correction is possible (assuming you’re dealing with a database that permits access and redress), this exemption makes it difficult to fully know the upstream or downstream systems that feed into one another. If that individual does not know where the corrections need to be made (or can’t verify they were made), the potential for damage remains.

5. (e)(5) = Recordkeeping

This section would normally require that the agency maintain “all records which are used by the agency in making any determination about an individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.”

So why does the FBI say they can’t? “[I]n the collection of information for authorized law enforcement purposes it is impossible to determine in advance what information is accurate, relevant, timely and complete. … Most records in this system are acquired from state and local law enforcement agencies and it would be impossible for the FBI to vouch for the compliance of these agencies with this provision.”

6. (e)(8) = Legal

This would normally require an agency to inform an individual if any of their records were made available to any person under “compulsory legal process when such process becomes a matter of public record.”

So if a record is released to be used in any type of public legal proceeding, the FBI does not have an obligation to inform the individual of that proceeding under the Privacy Act. Note: our criminal laws, the Fourth Amendment, etc., still apply, so there are other laws and rules that require disclosure of most of this information. And if you’re in court, yeah, you probably are already well aware.

7. 552a(f) = Rules

This section requires agencies to promulgate rules that establish detailed procedures for individuals to access their records, correct their records, etc. Again, if individuals no longer have access to their records, then the FBI doesn’t need rules to inform people how to access them.

8. 552a(g) = Lawsuits

This section would normally allow an individual to bring a civil action against the federal agency for not complying with the Privacy Act. However, a federal agency, to a certain degree, can exempt itself from a civil action, even if it does not comply with the Privacy Act’s requirements. How? Just like that.

This, of course, brings us to why — we can reasonably assume the FBI has some valid use for the information, and the arguments for controlling sensitive information are pretty strong. We’re talking about some serious national and homeland security stuff here, and some bad people who would like to do some bad things to us — so it’s not just some kind of pointless bureaucratic voyeurism.

On the one hand, all of these exemptions make sense, and in the end are actually for our individual protection. On the other, having to drill down through all the red tape and wrap our heads around it by ourselves seems to inject a bit of unnecessary public frustration and effort, and ultimately damages the trust we’d like to have in responsible government stewardship.

Like the first database article, we wrote this post to inform both ourselves and the public. Where there is nothing to hide, there is nothing to fear, and we shouldn’t shy away from acknowledging that asking — and answering — hard questions is part of our job as both homeland security professionals and citizens.

We hope you agree.
