The FOIA and Privacy Act are long-established mechanisms for individuals to seek access to government records. See 5 U.S.C. § 552 and § 552a (2018). These statutes, each with their own distinct access provisions, overlap to some extent, but not entirely. While the Privacy Act is designed to maintain trust between individuals and agencies in connection with the collection, use, and dissemination of records pertaining to them, the FOIA is designed to increase the public’s access to governmental information. See Greentree v. U.S. Customs Serv., 674 F.2d 74, 76 (D.C. Cir. 1982). The FOIA operates under a presumption of disclosure and “is often explained as a means for citizens to know ‘what their Government is up to.’” NARA v. Favish, 541 U.S. 157, 171-72 (2004) (quoting DOJ v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 773 (1989)). When processing first-party requests for Privacy Act records, agencies often need to consider an individual's access rights under both the FOIA and the Privacy Act. First-party requests are those requests whereby an individual is asking for records about themselves. This guidance addresses the interface between these two statutes and is intended to assist FOIA professionals in processing requests involving Privacy Act records.
Distinctions Between the FOIA and the Privacy Act
The FOIA and the Privacy Act have different purposes. “Disclosure . . . is the dominant objective of [the FOIA].” Dep't of Air Force v. Rose, 425 U.S. 352, 361 (1976). FOIA is intended to increase the public’s access to government information. The Privacy Act is designed to foster a relationship of trust between an individual and an agency, by requiring that the agency’s collection, use, and maintenance of records pertaining to individuals must be compatible with the purposes for which the record was collected or created, or otherwise be expressly permitted under the Act. If not compatible or otherwise permitted, the Act prohibits disclosure of a Privacy Act record without the prior written consent of the individual to whom the record pertains.
Definition of Record
Both the FOIA and the Privacy Act permit individuals to access records pertaining to themselves, but the two statutes also differ in how they define the term “record.” The universe of records subject to the FOIA is broader than that of those subject to the Privacy Act. For the purposes of the FOIA, which applies to all agency records, the Supreme Court has set out a two-prong test for determining when a record is considered an agency record. See DOJ v. Tax Analysts, 492 U.S. 136, 144-45 (1989). Under the FOIA, an agency record is any record that is: 1) either obtained or created by an agency, and 2) under agency control when a FOIA request is received. Id. When determining control, four factors, while not exclusive, are helpful to consider. “’(1) the intent of the document's creator to retain or relinquish control over the record; (2) the ability of the agency to use and dispose of the record as it sees fit; (3) the extent to which agency personnel have read or relied upon the document; and (4) the degree to which the document was integrated into the agency's record systems or files.’” Burka v. HHS, 87 F.3d 508, 515 (D.C. Cir. 1996) (quoting Tax Analysts v. DOJ, 845 F.2d 1060, 1069 (D.C. Cir. 1988)). Overall, determining whether a record is an “agency record” requires looking at the totality of the circumstances related to the document's creation, use, possession, or control. See Rojas v. FAA, 941 F.3d 392, 408 (9th Cir. 2019).
By contrast, the Privacy Act defines the term “record” in a much narrower sense. A Privacy Act “record” must: 1) contain information “about an individual,” and 2) “contain a name, identifying number, symbol or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(4). The FOIA right of access applies to any agency record, whether or not it contains information about an individual and an identifier assigned to the individual. However, an individual’s right of access under the Privacy Act applies only to a Privacy Act record stored in a “system of records” where that term is defined to mean “a group of any records under the control of any agency from which information is retrieved by the name of the individual or identifying number, symbol or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5). As FOIA professionals, the most straightforward way to determine whether a record is a Privacy Act record from a particular system of records is to identify whether a published System of Records Notice (SORN) covers that record. These are typically posted on agency privacy websites. FOIA professionals who are uncertain about whether a record falls under an existing SORN should contact their Senior Component Official for Privacy (within the Department of Justice) or their agency’s Senior Agency Official for Privacy.
Right of Access
Additionally, the FOIA and Privacy Act differ in who has a right of access under each statute. Under the FOIA, generally anyone can make a request for records. This includes U.S. citizens, lawful permanent residents, non-U.S. citizens, and organizations. 5 U.S.C. § 552(a)(3). Under the Privacy Act, generally only “individuals”—defined as U.S. citizens and lawful permanent residents (U.S. persons)—have a right to request access to these files. 5 U.S.C. § 552a(a)(2). In practice, since some agency systems of records contain information about both U.S. persons and non-U.S. persons, many agencies find it easier to process access requests for information in those systems the same way as a matter of policy, regardless of whether the requester is a U.S. person or not. See OMB 1975 Guidelines, 40 Fed. Reg. at 28,951. Additionally, while not applicable in most cases, the Judicial Redress Act of 2015 provides some Privacy Act protections to certain law enforcement records pertaining to covered individuals from foreign countries where the records were shared with certain U.S. law enforcement agencies. Judicial Redress Act of 2015, § 2(a), Pub. L. No. 114-126, 130 Stat. 282 (2015).
In sum, the access rights under the FOIA and the Privacy Act are distinct and non-exclusive. Because FOIA’s rights of access are so much broader, individuals seeking access under the Privacy Act generally also have a right to seek access under FOIA, but not everyone who has a right to seek access under the FOIA will also have rights under the Privacy Act. This guidance informs how agencies should process requests involving Privacy Act records.
Processing Requests Involving Privacy Act Records
When an agency receives a request for Privacy Act records, the agency processes the records differently depending on whether it is a first-party request or third-party request. Agencies may need to process records under both the FOIA and Privacy Act when processing a first-party request for Privacy Act records. This is because subsection (t) of the Privacy Act provides that agencies cannot rely on FOIA exemptions to withhold records to which individuals have access under the Privacy Act, nor can agencies withhold records under the Privacy Act when release is required under FOIA. 5 U.S.C. § 552a(t)(1)-(2). The effect of subsection (t) ensures the broadest possible access by individuals to records about themselves. When a third party requests access to another individual’s Privacy Act records, however, agencies should process these requests under the FOIA only. Third parties do not have a Privacy Act right of access to Privacy Act records, but the Privacy Act permits release to the third party if the FOIA requires disclosure. See 5 U.S.C. § 552a(b)(2). The following guidance provides a framework to analyze records for release when the Privacy Act is implicated when processing access requests, and it sets out the differences and similarities of the Acts. In addition to the following guidance, helpful examples that illustrate the interface between the FOIA and Privacy Act are available in the Overview of the Privacy Act of 1974.
As noted above, a first-party request is a request in which an individual seeks access to records about themselves. When a first-party request for Privacy Act records is received, agencies should process the request by applying one statute at a time to conduct a proper analysis. Before proceeding with any first-party request, agencies should confirm that the requester has satisfied applicable certification of identity requirements as defined in agency regulations. Note that a request submitted on behalf of someone else (such as a parent on behalf of a minor child or an attorney on behalf of a client) should be treated as a first-party request. Once the first-party's status is confirmed and the agency locates responsive records, it should proceed with the disclosure analysis.
Privacy Act records located in response to a first-party request should be analyzed first under the Privacy Act. Under the Privacy Act, a first party individual has a right to access records about themselves, except to the extent that the record was compiled in reasonable anticipation of a civil action or proceeding, 5 U.S.C. § 552a(d)(5), or where the agency has completed a rulemaking process to invoke one of a number of Privacy Act exemptions at subsections 552a(j) or (k) of the Act. To determine whether one of these Privacy Act exemptions has been invoked by the agency, agency employees should review their Privacy Act regulations. Even where an agency has invoked an exemption in its regulations, it is important to confirm that the exemption applies to the record at issue. If one of the Privacy Act exemptions does not apply, the document would generally be released to the first-party requester and need not be separately processed under the FOIA.
If a Privacy Act exemption applies, however, the agency will then need to analyze the records under FOIA before making a final release determination. See Greentree, 674 F.2d at 79 (“We must conclude . . . that . . . the Privacy Act represents a Congressional mandate that the Privacy Act not be used as a barrier to FOIA access.”). If a FOIA exemption does not apply to the material that is exempt under the Privacy Act, FOIA requires disclosure of the record. If a FOIA exemption does apply in addition to the Privacy Act exemption, the exempted material must be withheld under both the Privacy Act and FOIA exemptions. Agencies cannot discretionarily release information that is exempt under the Privacy Act and FOIA because the Privacy Act only permits release under FOIA if FOIA “requires” disclosure (i.e., no FOIA exemption applies). 5 U.S.C. § 552a(b)(2). Any releasable, segregable portions of the requested record should still be provided to the requester because requesters are “entitled to the cumulative result of what both [statutes] provide.” Martin v. Office of Special Counsel, Merit Sys. Prot. Bd., 819 F.2d 1181, 1184 (D.C. Cir. 1987).
In conducting the FOIA analysis, agencies should be mindful that FOIA and Privacy Act exemptions, while overlapping, are not necessarily exact matches. For example, Privacy Act Exemption (d)(5) covers “any information compiled in reasonable anticipation of a civil action or proceeding.” By contrast, FOIA Exemption (b)(5) covers, in part, inter- or intra-agency records prepared by or at the direction of an attorney in reasonable anticipation of litigation. At the same time, the Privacy Act does not contain counterparts to the deliberative process privilege and some other civil discovery privileges recognized under FOIA Exemption (b)(5). Accordingly, when processing Privacy Act records, agency employees should be clear about whether they are analyzing records under the Privacy Act only or under both the Privacy Act and the FOIA. Furthermore, they should be able to articulate why they have applied each exemption.
In summary, an individual's Privacy Act record can only be withheld from them when both Privacy Act and FOIA exemptions apply. This ensures that first-party requesters obtain the greatest access to which they are entitled under both statutes.
Third-party requests for Privacy Act records should be processed only under the FOIA. Third parties do not have right of access to records under the Privacy Act, so their only potential right of access comes from the FOIA. While the Privacy Act generally prohibits release without the prior written consent of the individual, the statute includes “required” releases under FOIA as a condition under which agencies can release Privacy Act records. See 5 U.S.C. § 552a(b)(2). A release is “required” under the FOIA if no FOIA exemption applies to all or portions of Privacy Act records responsive to a request.
In many cases, due to the privacy-sensitive nature of the information, Privacy Act records will be exempt in whole or in part under the FOIA's privacy exemptions 5 U.S.C. § 552(b)(6) or (b)(7)(C). However, if these or any other FOIA exemptions do not apply, the FOIA requires release and nothing in the Privacy Act permits the agency to withhold the record. When considering disclosure under the FOIA, the Privacy Act prohibits discretionary release (i.e., release of a record that is exempt) because if a FOIA exemption applies, the FOIA does not “require” release. See 5 U.S.C. § 552a(b)(2). Overall, agencies should process third-party requests for Privacy Act records just as they would process any other FOIA request. The only difference is that the agency lacks the discretion to disclose the record under the FOIA if a FOIA exemption applies.
Third-Party Information Within Privacy Act Records
To qualify as a Privacy Act record, the record must contain information “about an individual” and contain a name or other identifying particular. 5 U.S.C. § 552a(a)(4). Typically, when a first party requests a Privacy Act record and a Privacy Act exemption does not apply, the default is to provide access to the individual irrespective of any analysis under FOIA. An agency may not rely upon a FOIA exemption alone to deny a first-party requester’s access to records about themselves.
Occasionally, however, there may be cases where a Privacy Act record about a first-party requester also contains information identifying third parties where the third party has not consented to disclosure. Unlike the FOIA, the Privacy Act does not have exemptions to protect personal privacy. Although first-party requesters are entitled to their own non-exempt Privacy Act records, they are not necessarily entitled to information about a third-party that does not pertain to them. This is because the Privacy Act has a broad non-disclosure provision that applies to any record in a system of records, with exceptions for consent and other circumstances. 5 U.S.C. § 552a(b).
Courts have reached different conclusions when considering third-party information in the context of a first-party request. For instance, in Voelker v. IRS, 646 F.2d 332, 334 (8th Cir. 1981), the Eight Circuit found that information retrieved from a system of records using requester’s personal identifier was “about” the requester even if it pertained to a third party. By comparison, the D.C. Circuit, which has universal jurisdiction for Privacy Act matters, and other courts have held that to the extent information is not “about” the requester, it is not part of the requester's Privacy Act “record” and cannot be released under the Privacy Act without the third party’s consent. See, e.g., Sussman v. U.S. Marshals Serv., 494 F.3d 1106, 1121 & n.9 (D.C. Cir 2007) (finding that information retrieved about the requester and a third party could not be disclosed to the requester without the third party’s consent); Nolan v. DOJ, 1991 WL 36547, *10 (D. Colo. 1991), aff'd, 973 F.2d 843 (10th Cir. 1992) (holding that information identifying FBI agents and support staff was outside the scope of the Privacy Act); DePlanche v. Califano, 549 F. Supp. 685, 694-96 (W.D. Mich. 1982) (holding that a father was not entitled to disclosure of his minor children’s address because this information, while physically located in the same folder as the father’s own information, was not “about” the father). Generally, agencies should consider whether a requester has Privacy Act access to all information retrieved using their personal identifier from a system of records or whether any of the information implicates a privacy interest of a third party that has not consented to disclosure.
Agencies should keep in mind, however, that not all third-party information will be outside the scope of the first party's Privacy Act record, particularly if the information is about the requester. See, e.g., Topuridze v. U.S. Info. Agency, 772 F. Supp. 662, 665 (D.D.C. 1991) (ordering the release of a letter drafted by a third-party author about the requester because while “the document may well be ‘about’ the author . . . [it] is without dispute about the plaintiff,” qualifying it for release under the Privacy Act). Furthermore, the Privacy Act itself presumes that certain third-party information would be disclosed. For instance, when a source speaks to the government in connection with a background security investigation, Privacy Act Exemption (k)(5) generally protects the identity of a confidential source but would not protect the identity of a non-confidential source. See, 5 U.S.C. § 552a(k)(5) (providing an exemption for “investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for Federal civilian employment, military service, Federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the Government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [September 27, 1975], under an implied promise”) (emphasis added). Accordingly, agencies should carefully consider whether information referencing third parties is or is not part of the requester’s Privacy Act record.
If third-party information within a responsive document is ultimately considered not to be part of the requester’s Privacy Act record, that information should be processed under the FOIA. One or both of the FOIA's personal privacy exemptions may apply to this information. 5 U.S.C. § 552(b)(6), (7)(C). If an agency is separating out information about a third party when processing a first-party request, the agency should explain to the requester that certain information responsive to their request consists of third-party information that does not pertain to them and to which they do not have access under the Privacy Act. See, e.g., Haddon v. Freeh, 31 F. Supp. 2d 16, 22 (D.D.C. 1998). As noted, however, agencies should still process the information under the FOIA, redact it if applicable, and release it to the extent possible.
Annual FOIA Report and the Privacy Act
Agencies should include in their Annual FOIA Reports any request involving analysis under the FOIA. For example, if an agency processes a first-party request for Privacy Act records that are exempt under the Privacy Act, a FOIA analysis is required. This request would count as a FOIA request for annual reporting purposes. Additionally, a search that extends beyond a Privacy Act “system of records” constitutes a FOIA search. See 5 U.S.C. § 552a(a)(5). For this reason, a records request that requires search outside of a system of records must also be reported in the agency’s Annual FOIA Report. Requests that are handled exclusively under the Privacy Act (i.e., first-party requests where the agency releases Privacy Act records in full) should not be included in an agency’s Annual FOIA Report. For additional information about the Annual FOIA Report, see the most recent version of the Department of Justice Handbook for Agency Annual FOIA Reports available on OIP's Reports page.
While the stated purposes, definitions, and access rights under the FOIA and the Privacy Act are different, both statutes serve to help requesters obtain government records about themselves and others. By understanding how to identify Privacy Act records and by being mindful of when the Privacy Act triggers analysis under the FOIA, agency employees can ensure that they properly handle Privacy Act records under both statutes when processing requests. Accurate processing will also benefit agencies when they seek to finalize their Annual FOIA Reports.
For additional information about the Privacy Act, agencies are encouraged to consult with their Senior Agency Official for Privacy or Senior Component Official for Privacy (DOJ components). The Office of Management and Budget, Office of Information and Regulatory Affairs issues privacy guidance and is responsible for assisting agencies with privacy matters. The Department of Justice's Office of Privacy and Civil Liberties’ Overview of the Privacy Act provides a comprehensive summary of Privacy Act case law. Questions on the interface between the FOIA and Privacy Act when processing access requests can be directed to the Office of Information Policy.