Last week we held another meeting of our continuing Requester Roundtable series. These meetings allow a regular opportunity for members of the requester community to meet with agency personnel to discuss various topics surrounding the administration of the FOIA. The topic for this past meeting was the “FOIA and Privacy Act Interface,” where OIP Director Melanie Ann Pustay led a discussion on the two principal ways in which the Privacy Act of 1974 impacts agency processing of FOIA requests. Passed nearly a decade after the FOIA, the Privacy Act establishes a code of fair information practices that governs the handling of certain information about individuals that is maintained in agency files. The Privacy Act provides requesters with a right to seek access to their own records. It also prohibits agencies from disclosing information about an individual to someone else, without their consent, unless the disclosure falls within one of twelve exceptions. These provisions and the way agency personnel take them into account when processing FOIA requests were discussed at the roundtable. Among the topics of interest to the group were:
- Certification of Identification – When individuals make requests for records on themselves, agencies typically require them to verify their identity. At the roundtable we discussed the importance of this requirement in protecting privacy by ensuring that one person's records are not inappropriately released to someone else. We also discussed how individuals can authorize release of their records to someone that they designate. Typically, to verify a person's identify the agency will ask the individual to provide his or her full name, current address, and date and place of birth. The individual must then certify to their identity by having their signature either notarized or submitted under penalty of perjury. At the Department of Justice, Form DOJ-361 can be used both to verify an individual's identity and to authorize release of an individual's records to someone else.
- Privacy Act System of Records – The Privacy Act only applies to records that are located in a "system of records." As defined in the Privacy Act, a system of records is “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S. C. § 552a(a)(5) (2006 & Supp. IV 2010). This is a significant contrast from the FOIA, which broadly covers any agency record.