"When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section [9-27-75], shall be considered to be an employee of an agency." 5 U.S.C. § 552a(m)(1).
"A consumer reporting agency to which a record is disclosed under section 3711(e) of Title 31 shall not be considered a contractor for the purposes of this section." 5 U.S.C. § 552a(m)(2).
For guidance concerning this provision, see OMB Guidelines, 40 Fed. Reg. 28,948,
28,951, 28,975-76, (July 9, 1975), available at http://www.whitehouse.gov/omb/assets/omb/inforeg/implementation_guidelines.pdf,
and the legislative debate reported at 120 Cong. Rec. 40,408 (1974), reprinted
in Source Book at 866, available at http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf.
See generally Boggs v. Se. Tidewater Opportunity Project, No. 2:96cv196, U.S.
Dist. LEXIS 6977, at *5 (E.D. Va. May 22, 1996) (subsection (m) inapplicable
to community action agency that was not "in the business of keeping records
for federal agencies").
The Federal Acquisition Regulation sets forth the language that must be inserted in solicitations and contracts "[w]hen the design, development, or operation of a system of records on individuals is required to accomplish an agency function." 48 C.F.R. § 24.104 (2008); see also id. § 52.224-1 to -2.
Additionally, see the discussion regarding treatment of contractors as "employees" for purposes of subsection (b)(1) disclosures under "Conditions Of Disclosure To Third Parties," above.
Even when subsection (m) is applicable, the agency -- not the contractor --
remains the only proper party defendant in a Privacy Act civil lawsuit. See
Campbell v. VA, 2 Gov't Disclosure Serv. (P-H) ¶ 82,076, at 82,355 (S.D.
Iowa Dec. 21, 1981); see also Patterson v. Austin Med. Ctr., No. 97-1241, slip
op. at 4-5 (D. Minn. Jan. 28, 1998) (Subsection (m) "does not create a
private cause of action against a government contractor for violations of the
Act."), aff'd, No. 98-1643, 1998 U.S. App. LEXIS 22371 (8th Cir. Sept.
11, 1998). But cf. Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 311-15 & n.5
(N.D.N.Y. 1993) (although subsection (m) not mentioned, stating that "GE
is subject to the requirements of the Privacy Act, inasmuch as it falls within
the definition of 'agency'"). See generally Adelman v. Discover Card Servs.,
915 F. Supp. 1163, 1166 (D. Utah 1996) (with no mention of subsection (m),
finding no waiver of sovereign immunity for action brought for alleged violation
by state agency working as independent contractor to administer federal program
for Social Security Administration, even though procedures and standards governing
relationship between SSA and state agency explicitly stated that in event of
alleged violation of Privacy Act concerning operation of system of records
to accomplish agency function, civil action could be brought against agency).
Go to Table of Contents || Previous Section Social Security Number Usage || Next Section Mailing Lists