Vol. I, No. 3
Privacy Act/FOIA, Conflict or Harmony?
The relationship of the Privacy Act to the Freedom of Information Act (FOIA) is a subject of recurring concern. All agency records are subject to FOIA, while the Privacy Act applies only to records in "systems" [defined in 5 U.S.C. § 552a(a)(5)] from which information is retrieved by the individual's name or other identifier.
Interface questions arise in two contexts:
(1) requests from a third party for records about another individual in a Privacy Act system of records; and
(2) requests from a first party "individual" for his or her own records in a Privacy Act system.
Third party requests raise only substantive interface questions over how much information may be given to the requester. First party requests present both substantive problems and procedural questions over what "rules of the game" apply.THIRD PARTY REQUESTS
When a third party requests records about another person that are subject to both Acts, the answer to the interface question is straightforward if the records are not exempt under FOIA. The Privacy Act has no limitations on release of such records. Specific language in the Privacy Act [5 U.S.C. § 552a(b)(2)] authorizes releases of records where FOIA would require release. An agency must release all requested records which are not exempt under FOIA.
If some FOIA exemption, such as (b)(6), exists to allow an agency legally to withhold the records requested by the third party, then an agency must deny access or justify any discretionary release of those records under one of the ten other types of release permitted by subsection (b) of the Privacy Act without the consent of the individual to whom the records pertain.FIRST PARTY REQUESTS
First party requests present much more complicated interface problems. When the Privacy Act was passed, there was disagreement as to whether it had become the exclusive vehicle for persons seeking their own records from a system of records. The answer to this question is an unqualified "no." The fact that someone is an "individual" with rights of access under the Privacy Act does not in any way change the fact that he or she is also a "person" with rights of access under FOIA.
Thus, although it need not be counted as such for statistical purposes, a Privacy Act request for access to records should normally be considered as, in effect, also a FOIA request. If, however, all or any portion of the requested material is to be denied, it must be considered under the substantive provisions of both acts. The withholding must be justified by the assertion of a legally applicable exemption in each Act.
The fact that a record is exempt under one of the two acts is not determinative; if it is not exempt under the other, it must be released to a first patty. Furthermore, this is the result whether or not the requester cites the Privacy Act only, FOIA only, both acts, or neither act.
In practice, agencies would not reach the FOIA exemption question unless the records were exempt under the Privacy Act because subsection (q) of the Privacy Act provides that no FOIA exemption may be used to deny an individual's Privacy Act rights of access.FOIA/PA PROCEDURAL INTERFACE
In addition to these substantive issues, first party requests present significant procedural interface problems. FOIA requires that initial requests for access be answered in ten working days and administrative appeals in twenty. The Privacy Act contains no such administrative deadlines for responding to access requests. The Office of Management and Budget (the lead agency on Privacy Act matters) has recommended that such requests be acknowledged within ten working days and that "[w]henever practicable, that acknowledgment should indicate whether or not access can be granted, and, if so, when." 40 Fed. Reg. 28,957 (1975).
Thus, the question arises as to what procedures are to be followed in processing first party requests for records in a Privacy Act system of records. Although technical arguments can be made that the FOIA time limits apply, OILP believes the substantive complexities of dual processing justify following Privacy Act procedures, including any time limits an agency has imposed on itself by regulation. See, e.g., 28 C.F.R. §§ 16.45 (initial requests) and 16.57 (appeals). We recommend, however, that because of the technical arguments mentioned above, agencies process these first-party requests in accordance with the FOIA time limits whenever possible.
In closing, note that the above discussion applies only to first-party requests for records in a Privacy Act system of records. First-party requests for records not in such a system are processed only under FOIA.
Go to: FOIA Update Home Page