“When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section [9-27-75], shall be considered to be an employee of an agency.” 5 U.S.C. § 552a(m)(1).
“A consumer reporting agency to which a record is disclosed under section 3711(e) of Title 31 shall not be considered a contractor for the purposes of this section.” 5 U.S.C. § 552a(m)(2).
For guidance concerning this provision, see OMB Guidelines, 40 Fed. Reg. 28,948, 28,951, 28,975-76, (July 9, 1975), available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf, and the legislative debate reported at 120 Cong. Rec. 40,408 (1974), reprinted in Source Book at 866, available at http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf. See generally Boggs v. Se. Tidewater Opportunity Project, No. 2:96cv196, U.S. Dist. LEXIS 6977, at *5 (E.D. Va. May 22, 1996) (finding subsection (m) inapplicable to community action agency that was not “in the business of keeping records for federal agencies”).
The Federal Acquisition Regulation sets forth the language that must be inserted in solicitations and contracts “[w]hen the design, development, or operation of a system of records on individuals is required to accomplish an agency function.” 48 C.F.R. § 24.104 (2012); see also id. § 52.224-1 to -2. The regulation defines “operation of a system of records” as “performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.” Id. at § 52.224-2(c)(1). But cf. Koch v. Schapiro, 777 F. Supp. 2d 86, 91 (D.D.C. 2011) (concluding, in context of claim brought under Rehabilitation Act, that “a contract to investigate complaints of discrimination by employees of the agency on behalf of the [agency’s] EEO Office” is “not a contract for the design or development of a system of records” and therefore is “not the type of contract covered by 48 C.F.R. pt. 24”).
Additionally, see the discussion regarding treatment of contractors as “employees” for purposes of subsection (b)(1) disclosures under “Conditions Of Disclosure To Third Parties,” above.
Even when subsection (m) is applicable, the agency – not the contractor – remains the only proper party defendant in a Privacy Act civil lawsuit. See Campbell v. VA, 2 Gov’t Disclosure Serv. (P-H) ¶ 82,076, at 82,355 (S.D. Iowa Dec. 21, 1981); see also Repetto v. Magellan Health Servs., No. 12-4108, 2013 WL 1176470, at *5-6 (D.N.J. Mar. 19, 2013) (“The key word [in subsection (m)] is ‘requirements,’ and when read in the context of § 552a (i.e., ‘this section’), this word only seems to address the operative, privacy-related provisions of the Act  The civil remedies provision found in § 552a(g) cannot reasonably be considered a ‘requirement’ as that word is commonly understood. If Congress wanted government contractors to be subject to suit for violations, it could have included the word ‘remedies’ in § 552a(m). Instead, Congress deliberately ensured that only agencies were the subjects of the requirements and the remedies, but only extended the Act’s requirements to the government contractors.”); Patterson v. Austin Med. Ctr., No. 97-1241, slip op. at 4-5 (D. Minn. Jan. 28, 1998) (finding subsection (m) “does not create a private cause of action against a government contractor for violations of the Act”), aff’d, No. 98-1643, 1998 U.S. App. LEXIS 22371 (8th Cir. Sept. 11, 1998). But cf. Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 311-15 & n.5 (N.D.N.Y. 1993) (stating that “GE is subject to the requirements of the Privacy Act, inasmuch as it falls within the definition of ‘agency’”). See generally Adelman v. Discover Card Servs., 915 F. Supp. 1163, 1166 (D. Utah 1996) (finding no waiver of sovereign immunity for action brought for alleged violation by state agency working as independent contractor to administer federal program for Social Security Administration, even though procedures and standards governing relationship between SSA and state agency explicitly stated that in event of alleged violation of Privacy Act concerning operation of system of records to accomplish agency function, civil action could be brought against agency).