Vol. III, No. 4
Privacy Protection Practices Examined
All federal agencies maintain at least some sensitive personal privacy information in their files, even if only in the personnel records kept on agency employees. Some agencies maintain virtually "cradle to grave" information about American citizens.
The proper protection of such information is a responsibility to be discharged as carefully as possible by all agencies, under both the FOIA and the Privacy Act of 1974, and many agencies have established formal procedures by which they do so. Agency practices in this area necessarily vary according to the types of personal information maintained.
The Department of Defense is one of those agencies which truly maintains "cradle to grave" personal records, according to Lt. Col. William C. Goforth, coordinator of privacy matters for DOD.
"We have the records of complete communities," says Col. Goforth. "Of everything from the grocery store to the mortuary. We have schools from kindergarten through the war college. We have medical records on service members and their families. At DOD, we have records on just about any sort of matter that could be regarded as privacy-related."
In recognition of this wide range of personal information, DOD in 1975 established the Defense Privacy Board to resolve privacy issues within DOD and to promote the uniform treatment of issues arising under both the FOIA and the Privacy Act. "While the primary focus is usually on the Privacy Act's protections," Goforth says, "we must remember that determining permitted disclosure under the Privacy Act quite often requires a disclosure analysis under Exemption 6 of the FOIA." (See FOIA Update, March 1982. page 3.)
The Defense Privacy Board is headed by D.O. Cooke, a deputy assistant secretary of defense. Each of the armed services appoints a representative to the board, as do the DOD's general counsel and the Defense Logistics Agency. Representatives from other DOD components are appointed from time to time. Privacy questions are submitted to the board, where Col. Goforth, who serves as staff executive, researches them for the board's legal committee, comprised of component attorneys. Usually, the legal committee hammers out a proposed answer for approval by the board. When the legal committee cannot agree, the question is submitted to the board for full consideration.
Defense Privacy Board decisions, if they are of broad interest, are published and circulated to all DOD components. Thus far in 1982, there have been four major board decisions, including a revision of its guidelines covering the release of information from military personnel records.
The guidelines provide, in part: "Although it is not possible to categorically identify information that must be withheld or released from military records in every instance, the following items of personal information may normally be released from military records without an unwarranted invasion of personal privacy: name, rank, date of rank, gross salary, present and past duty assignments, future assignments which have been finalized, duty or office telephone number, source of commission, military and civilian educational level and promotion sequence number."
Goforth observes that the "hard areas" where problems keep coming up time and time again include: "Demographic studies
Currently, Goforth and the board's legal committee are working on a policy on lists
At the National Institutes of Health, sub-agency of the Department of Health and Human Resources, a great deal of personal information comes into the agency's possession through its grant and contracting activities. Before awarding a research grant or contract, NIH analyzes the backgrounds and credentials of persons connected with the proposed project.
In recognition of the privacy considerations involved, NIH has developed guidelines for submitters governing the disclosure of such information. "This allows them to have a fairly clear idea of what will and will not be disclosed," says Bowen Hosford, the drafter of the guidelines.
He points out that NIH also stresses to subrnitters that it needs "an adequate and convincing justification" in order to withhold such personal information under Exemption 6. Says Hosford, "NIH must balance the need to keep a person's private affairs from public scrutiny against the public's right to information pertaining to the award of Government grants and contracts."
Under its guidelines, NIH usually releases almost all information about the principals involved. It does, however, protect the names and any identifying details about support staff. But except for names and other identifying information, NIH usually discloses the information in all resumes submitted. "By withholding the identifying information alone," Hosford says, "we feel that we're properly striking the balance with full regard for the public's right to know."
At the Federal Bureau of Investigation, where a great deal of sensitive investigatory information is amassed, special measures are taken to ensure full privacy protection for persons mentioned in investigatory files. The FBI, as well as other federal law enforcement agencies, takes the position that even the mention of a person's name in the context of a law enforcement investigation is so laden with privacy implications that it almost always should be kept secret pursuant to Exemption 7(C).
As a logical extension of that principle, the FBI takes the position that it will not even acknowledge the existence of an investigatory file on someone without that person's consent. Thus, all third party requests for FBI records on individuals are met with the response that the requester must submit a notarized authorization from that person permitting the FBI to acknowledge the existence of any such records.
Absent the receipt of a proper authorization, or unless the person is so notorious that the fact of an FBI investigation is widely known, the FBI refuses on threshold privacy grounds either to confirm or deny the existence of any responsive records. Says FBI FOIPA Section Chief James K. Hall: "We believe this position is absolutely necessary to provide proper personal privacy protection in the law enforcement context."
Go to: FOIA Update Home Page