Individual's Right of Access
“Each agency that maintains a system of records shall . . . upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual’s record in the accompanying person’s presence.” 5 U.S.C. § 552a(d)(1).
The Privacy Act provides individuals with a means of access similar to that of the FOIA. The statutes do overlap, but not entirely. See generally Greentree v. U.S. Customs Serv., 674 F.2d 74, 76-80 (D.C. Cir. 1982). The FOIA is entirely an access statute; it permits “any person” to seek access to any “agency record” that is not subject to any of its nine exemptions or its three exclusions. By comparison, the Privacy Act permits only an “individual” to seek access to only his own “record,” and only if that record is maintained by the agency within a “system of records” – i.e., is retrieved by that individual requester’s name or personal identifier – subject to ten Privacy Act exemptions (see the discussion of Privacy Act exemptions, below). Thus, the primary difference between the FOIA and the access provision of the Privacy Act is in the scope of information accessible under each statute.
An individual’s access request for his own record maintained in a system of records should be processed under both the Privacy Act and the FOIA, regardless of the statute(s) cited. See 5 U.S.C. § 552a(t)(1) and (2) (prohibiting reliance on FOIA exemptions to withhold under Privacy Act, and vice versa); H.R. Rep. No. 98-726, pt. 2, at 16-17 (1984), reprinted in 1984 U.S.C.C.A.N. 3741, 3790-91 (regarding amendment of Privacy Act in 1984 to include subsection (t)(2) and stating: “Agencies that had made it a practice to treat a request made under either [the Privacy Act or the FOIA] as if the request had been made under both laws should continue to do so.”); FOIA Update, Vol. VII, No. 1, at 6, available at http://www.justice.gov/oip/foia_updates/Vol_VII_1/page5.htm (“FOIA Counselor Q & A”); see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1184 (D.C. Cir. 1987) (“[A]ccess to records under [FOIA and Privacy Act] is available without regard to exemptions under the other.”); Shapiro v. DEA, 762 F.2d 611, 612 (7th Cir. 1985) (“Congress intends that the courts construe the Privacy Act and the Freedom of Information Act separately and independently so that exemption from disclosure under the Privacy Act does not exempt disclosure under the Freedom of Information Act, and vice versa.”); Espinoza v. DOJ, 20 F. Supp. 3d 232, 244 (D.D.C. 2014) (finding that “the Privacy Act specifically exempts from its nondisclosure provisions documents that are otherwise required to be disclosed under the FOIA”); Menchu v. HHS, 965 F. Supp. 2d 1238, 1246-47 (D. Or. 2013) (finding that “[t]he application of § 552a(d), rather than § 552a(b)(2), and the underlying goal of the legislature to allow individuals broad access to their own records, supports the conclusion that § 552a(t) requires disclosure of the records sought when allowed under either the [FOIA] or the Privacy Act” in light of the fact that plaintiff was requesting information about himself and not about a third party); Blazy v. Tenet, 979 F. Supp. 10, 16 (D.D.C. 1997) (quoting subsection (t)(2) and stating that “[d]ocument requests therefore must be analyzed under both Acts”), summary affirmance granted, No. 97-5330, 1998 WL 315583 (D.C. Cir. May 12, 1998); Sussman v. DOJ, No. 03-3618, 2006 WL 2850608, at *4 (E.D.N.Y. Sept. 30, 2006) (“[A]n exemption under the FOIA is not a bar to release files under the Privacy Act and . . . a Privacy Act exemption is not a bar to release of files under the FOIA.”); Brown v. DOJ, No. 02-2662, slip op. at 18 n.36 (D. Ala. June 21, 2005) (following Blazy and concluding that plaintiff’s request must be analyzed under both FOIA and Privacy Act because “access to documents under these statutes [is] dissimilar”); Bogan v. FBI, No. 04-C-532-C, 2005 WL 1367214, at *6 (W.D. Wis. June 7, 2005) (explaining that if records are requested under both FOIA and Privacy Act, requester can gain access to those records by showing that they were accessible under either statute); Harvey v. DOJ, No. 92-176-BLG, slip op. at 8 (D. Mont. Jan. 9, 1996) (“Even though information may be withheld under the [Privacy Act], the inquiry does not end. The agency must also process requests under the FOIA, since the agency may not rely upon an exemption under the [Privacy Act] to justify nondisclosure of records that would otherwise be accessible under the FOIA. 5 U.S.C. § 552a(t)(2).”), aff’d, 116 F.3d 484 (9th Cir. 1997) (unpublished table decision); cf. Wren v. Harris, 675 F.2d 1144, 1146 & n.5 (10th Cir. 1982) (per curiam) (construing pro se complaint to seek information under either Privacy Act or FOIA even though only FOIA was referenced by name); Gonzales & Gonzales Bonds & Ins. Agency, Inc. v. DHS, 913 F.Supp.2d 865, 868 n.3 (N.D. Cal. 2012) (noting DHS’ error in responding to plaintiff’s FOIA requests under the Privacy Act, and stating that “the FOIA and the Privacy Act are distinct mechanisms for obtaining government information, and it is legal error to conflate them”); Skurow v. DHS, 892 F. Supp. 2d 319, 330 (D.D.C. 2012) (rejecting “plaintiff’s argument that [information related to plaintiff being on the watch list] should be released because plaintiff has requested the information under the Privacy Act, in addition to FOIA” because the provision in the TSA’s [Sensitive Security Information (SSI)] regulation specifically addresses the issue by stating that “records containing SSI are not available for public inspection or copying, nor does TSA . . . release such records to persons without a need to know”); Hunsberger v. DOJ, No. 92-2587, slip op. at 2 n.2 (D.D.C. July 22, 1997) (exempting system of records, from which documents at issue were retrieved, pursuant to Privacy Act exemption (j)(2); “[c]onsequently, the records were processed for release under the FOIA”); Kitchen v. FBI, No. 93-2382, slip op. at 7 (D.D.C. Mar. 18, 1996) (stating that although all requested documents were exempt under Privacy Act, they “were also processed under FOIA in the interest of full disclosure”); Kitchen v. DEA, No. 93-2035, slip op. at 9 (D.D.C. Oct. 12, 1995) (same), appeal dismissed for failure to prosecute, No. 95-5380 (D.C. Cir. Dec. 11, 1996); Freeman v. DOJ, 822 F. Supp. 1064, 1066 (S.D.N.Y. 1993) (accepting agency’s rationale that “because documents releasable pursuant to FOIA may not be withheld as exempt under the Privacy Act,” it is proper for the agency not to distinguish between FOIA and Privacy Act requests when assigning numbers to establish the order of processing, and quoting Report of House Committee on Government Operations, H.R. Rep. No. 98-726, which was cited by the agency as “mandat[ing]” such practice); Pearson v. DEA, No. 84-2740, slip op. at 2 (D.D.C. Jan. 31, 1986) (construing pro se complaint to seek information under either Privacy Act or FOIA even though only FOIA was referenced by name).
In addition, unlike the FOIA, see 5 U.S.C. § 552(a)(6)(A), the Privacy Act does not speak of a requester’s right to administratively appeal any adverse determination that an agency makes on his access request. However, because agencies should process an individual’s access request under both statutes – which includes processing the request through any administrative appeal – there is no practical effect of this distinction. See, e.g., 28 C.F.R. § 16.45 (2014) (explaining DOJ Privacy Act regulation regarding appeals from denials of requests for access to records).
It should be noted that the Privacy Act – like the FOIA – does not require agencies to create records that do not exist. See DeBold v. Stimson, 735 F.2d 1037, 1041 (7th Cir. 1984); Schoenman v. FBI, 764 F. Supp. 2d 40, 48 (D.D.C. 2011); Harter v. IRS, No. 02-00325, 2002 WL 31689533, at *5 (D. Haw. Oct. 16, 2002); Perkins v. IRS, No. 86-CV-71551, slip op. at 4 (E.D. Mich. Dec. 16, 1986); see also, e.g., Villanueva v. DOJ, 782 F.2d 528, 532 (5th Cir. 1986) (rejecting argument that FBI was required to “find a way to provide a brief but intelligible explanation for its decision without [revealing exempt information]”). But compare May v. Air Force, 777 F.2d 1012, 1015-17 (5th Cir. 1985) (finding “reasonable segregation requirement” obligates agency to create and release typewritten version of handwritten evaluation forms so as not to reveal identity of evaluator under exemption (k)(7)), with Church of Scientology W. United States v. IRS, No. CV-89-5894, slip op. at 4 (C.D. Cal. Mar. 5, 1991) (rejecting FOIA decision argument based upon May and holding that agency is not required to create records).
The Court of Appeals for the District of Columbia Circuit has addressed the issue of the adequacy of an agency’s search in response to an access request under the Privacy Act. See Chambers v. Interior, 568 F.3d 998 (D.C. Cir. 2009). In Chambers, the Court of Appeals applied the standard articulated by courts for adequacy of search for records under the Freedom of Information Act to an access claim brought under the Privacy Act. See id. at 1003. The Court of Appeals stated: “In a suit seeking agency documents – whether under the Privacy Act or FOIA – ‘“[a]t the summary judgment stage, where the agency has the burden to show that it acted in accordance with the statute, the court may rely on a reasonably detailed affidavit, setting forth the search terms and the type of search performed, and averring that all files likely to contain responsive materials (if such records exist) were searched.’” Id. (quoting McCready v. Nicholson, 465 F.3d 1, 14 (D.C. Cir. 2006), which in turn quotes Valencia-Lucena v. Coast Guard, 180 F.3d 321, 326 (D.C. Cir. 1999), a FOIA case addressing agency adequacy of search obligations); cf. Schulze v. FBI, No. 1:05-CV-0180, 2010 WL 2902518, at *15 (E.D. Cal. July 22, 2010) (“While the court is of the opinion that there exists some doubt that Congress intended that the Privacy Act provide civil remedies for an agency’s failure to adequately search its files, . . . [t]he court, in the interests of giving fullest consideration to Plaintiff’s claims, will follow Chambers and apply FOIA standards to Plaintiff’s failure to search claims to the extent those claims are asserted under the Privacy Act.”). See also Erwin v. State, 2013 WL 6452758, at *3 (N.D. Ill. Dec. 9, 2013) (finding that the “agency bears the burden of establishing that the search was adequate … [b]ecause of the "asymmetrical distribution of knowledge" in FOIA and Privacy Act cases "where the agency alone possesses, reviews, discloses, and withholds the subject matter of the request") (quoting Judicial Watch, Inc. v. FDA, 449 F.3d 141, 146 (D.C. Cir. 2006)).
In Chambers, the Court of Appeals was also presented with the question of “whether [the agency] intentionally destroyed the [record sought] after [plaintiff] requested access to it.” Chambers, 568 F.3d at 1000. The court of appeals reversed the district court’s grant of summary judgment to the agency, reasoning that the agency’s “search would not be adequate under the Privacy Act if [agency] officials, aware of Chambers’s document requests, deliberately destroyed her performance appraisal before completing the search in order to avoid providing the document to her . . . Such a search would not be ‘“reasonably calculated to uncover all relevant documents”‘ – which is what the Privacy Act, like FOIA, requires.” Id. at 1005. In remanding the case back to the district court, the Court of Appeals noted that “should Chambers prevail on [her access claim], the available remedies may be limited given that additional searches at this late date would likely prove futile,” but went on to state that “nonetheless, she may be entitled at a minimum to ‘reasonable attorney fees and other litigation costs.’” Id. at 1008. On remand, the district court concluded that it “need not reach” the question of whether the agency intentionally destroyed the record at issue because the plaintiff “failed to sustain her burden of proof” on the question of “whether the document in question ever existed.” Chambers v. Interior, No. 05-0380, 2010 WL 2293262, at *2-3 (D.D.C. May 28, 2010).
For a discussion of the unique procedures involved in processing first-party requests for medical records, see the discussion below under 5 U.S.C. § 552a(f)(3).
FOIA/PRIVACY ACT INTERFACE EXAMPLE: ACCESS
Suppose John Q. Citizen writes to Agency: “Please send to me all records that you have on me.”
For purposes of this example, assume that the only responsive records are contained in a system of records retrieved by Mr. Citizen’s own name or personal identifier. Thus, both the Privacy Act and the FOIA potentially apply to the records.
(1) IF NO PRIVACY ACT EXEMPTION APPLIES
Result: Mr. Citizen should receive access to his Privacy Act records where Agency can invoke no Privacy Act exemption.
The Agency cannot rely upon a FOIA exemption alone to deny Mr. Citizen access to any of his records under the Privacy Act. See 5 U.S.C. § 552a(t)(1) (FOIA exemptions cannot defeat Privacy Act access); see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1184 (D.C. Cir. 1987) (“If a FOIA exemption covers the documents, but a Privacy Act exemption does not, the documents must be released under the Privacy Act.” (emphasis added)); Hoffman v. Brown, No. 1:96cv53-C, slip op. at 4 (W.D.N.C. Nov. 26, 1996) (agreeing with plaintiff that “no provision of the Privacy Act allows the government to withhold or redact records concerning [his] own personnel records” and ordering production of e-mail and other correspondence regarding plaintiff’s employment), aff’d, 145 F.3d 1324 (4th Cir. 1998) (unpublished table decision); Viotti v. Air Force, 902 F. Supp. 1331, 1336-37 (D. Colo. 1995) (“If the records are accessible under the Privacy Act, the exemptions from disclosure in the FOIA are inapplicable.”), aff’d, 153 F.3d 730 (10th Cir. 1998) (unpublished table decision); Savada v. DOD, 755 F. Supp. 6, 9 (D.D.C. 1991) (citing Martin for the proposition that “[i]f an individual is entitled to a document under FOIA and the Privacy Act, to withhold this document an agency must prove that the document is exempt from release under both statutes”); cf. Stone v. Def. Investigative Serv., 816 F. Supp. 782, 788 (D.D.C. 1993) (“[T]he Court must determine separately [from the FOIA] whether plaintiff is entitled to any of the withheld information under the Privacy Act.”); Rojem v. DOJ, 775 F. Supp. 6, 13 (D.D.C. 1991) (“[T]here are instances in which the FOIA denies access and the Privacy Act compels release.”), appeal dismissed for failure to timely file, No. 92-5088 (D.C. Cir. Nov. 4, 1992); Ray v. DOJ, 558 F. Supp. 226, 228 (D.D.C. 1982) (entitling requester, under subsection (c)(3), to receive the addresses of private persons who requested information about him, as “defendant is unable to cite a specific [Privacy Act] exemption that justifies non-disclosure of this information”), aff’d, 720 F.2d 216 (D.C. Cir. 1983) (unpublished table decision).
In other words, a requester is entitled to the combined total of what both statutes provide. See Clarkson v. IRS, 678 F.2d 1368, 1376 (11th Cir. 1982); Wren v. Harris, 675 F.2d 1144, 1147 (10th Cir. 1982) (per curiam); Searcy v. SSA, No. 91-C-26 J, slip op. at 7-8 (D. Utah June 25, 1991) (magistrate’s recommendation), adopted, (D. Utah Sept. 19, 1991), aff’d, No. 91-4181 (10th Cir. Mar. 2, 1992); Whittle v. Moschella, 756 F. Supp. 589, 595 (D.D.C. 1991); Fagot v. FDIC, 584 F. Supp. 1168, 1173-74 (D.P.R. 1984), aff’d in part & rev’d in part, 760 F.2d 252 (1st Cir. 1985) (unpublished table decision); see also 120 Cong. Rec. 40,406 (1974), reprinted in Source Book at 861, available at http://www.loc.gov/rr/frd/Military_Law/pdf/LH_privacy_act-1974.pdf. For access purposes, the two statutes work completely independently of one another.
(2) IF A PRIVACY ACT EXEMPTION APPLIES
Result: Where a Privacy Act exemption applies, Mr. Citizen is not entitled to obtain access to his records under the Privacy Act.
But he may still be able to obtain access to his records (or portions thereof) under the FOIA. See 5 U.S.C. § 552a(t)(2) (Privacy Act exemption(s) cannot defeat FOIA access); Martin, 819 F.2d at 1184 (“[I]f a Privacy Act exemption but not a FOIA exemption applies, the documents must be released under FOIA.”) (emphasis added); Savada, 755 F. Supp. at 9 (citing Martin and holding that agency must prove that document is exempt from release under both FOIA and Privacy Act); see also Ehlmann v. DHS, 2013 WL 3724906, at *1 (E.D. Mo. July 15, 2013); Shapiro v. DEA, 762 F.2d 611, 612 (7th Cir. 1985); Vazquez v. DOJ, 764 F. Supp. 2d 117, 120 (D.D.C. 2011); Riser v. State, No. 09-3273, 2010 WL 4284925, at *6 (S.D. Tex. Oct. 22, 2010) (explaining that even if Privacy Act applied to record, “that statute cannot be used to withhold any record ‘which is otherwise accessible to [an] individual’ under FOIA”); Grove v. CIA, 752 F. Supp. 28, 30 (D.D.C. 1990); Simon v. DOJ, 752 F. Supp. 14, 22 (D.D.C. 1990), aff’d, 980 F.2d 782 (D.C. Cir. 1992); Miller v. United States, 630 F. Supp. 347, 348-49 (E.D.N.Y. 1986); Nunez v. DEA, 497 F. Supp. 209, 211 (S.D.N.Y. 1980). The outcome will depend upon FOIA exemption applicability.
(3) IF NO PRIVACY ACT EXEMPTION AND NO FOIA EXEMPTION APPLY
Result: The information should be disclosed.
(4) IF BOTH PRIVACY ACT AND FOIA EXEMPTIONS APPLY
Result: The record should be withheld, unless the agency, after careful consideration, decides to disclose the record to the first-party requester as a matter of administrative discretion. See Attorney General’s Memorandum for Heads of Departments and Agencies, Subject: The Freedom of Information Act (Mar. 19, 2009), available at http://www.justice.gov/ag/foia-memo-march2009.pdf (encouraging agencies “to make discretionary disclosures of information” when they may legally do so). But remember: When an individual requests access to his own record (i.e., a first-party request) that is maintained in a system of records, an agency must be able to invoke properly both a Privacy Act exemption and a FOIA exemption in order to withhold that record.
Rule: ALL PRIVACY ACT ACCESS REQUESTS SHOULD ALSO BE TREATED AS FOIA REQUESTS.
Note also that Mr. Citizen’s first-party request – because it is a FOIA request as well – additionally obligates Agency to search for any records on him that are not maintained in a Privacy Act system of records. With respect to those records, only the FOIA’s exemptions are relevant; the Privacy Act’s access provision and exemptions are entirely inapplicable to any records not maintained in a system of records.
A particularly troubling and unsettled problem under the Privacy Act arises where a file indexed and retrieved by the requester’s name or personal identifier contains information pertaining to a third party that, if released, would invade that third party’s privacy.
As a preliminary matter, it should be noted that this problem arises only when a requester seeks access to his record contained in a non-law enforcement system of records – typically a personnel or background security investigative system – inasmuch as agencies are generally permitted to exempt the entirety of their criminal and civil law enforcement systems of records from the subsection (d)(1) access provision pursuant to 5 U.S.C. § 552a(j)(2) and (k)(2).
The problem stems from the fact that unlike under the FOIA, see 5 U.S.C. § 552(b)(6), (7)(C), the Privacy Act does not contain any exemption that protects a third party’s privacy. Cf. 5 U.S.C. § 552a(k)(5) (protecting only confidential source-identifying information in background security investigative systems). The Privacy Act’s access provision simply permits an individual to gain access to “his record or to any information pertaining to him” that is contained in a system of records indexed and retrieved by his name or personal identifier. 5 U.S.C. § 552a(d)(1).
The only two courts of appeals to have squarely addressed this issue have reached different conclusions. Compare Voelker v. IRS, 646 F.2d 332, 333-35 (8th Cir. 1981), with Sussman v. Marshals Serv., 494 F.3d 1106, 1120-21 (D.C. Cir. 2007).
In Voelker v. IRS, the Court of Appeals for the Eighth Circuit held that where the requested information – contained in a system of records indexed and retrieved by the requester’s name – is “about” that requester within the meaning of subsection (a)(4)’s definition of “record,” all such information is subject to the subsection (d)(1) access provision. 646 F.2d at 334. In construing subsection (d)(1), the Eighth Circuit noted that there is “no justification for requiring that information in a requesting individual’s record meet some separate ‘pertaining to’ standard before disclosure is authorized [and i]n any event, it defies logic to say that information properly contained in a person’s record does not pertain to that person, even if it may also pertain to another individual.” Id. Relying on the importance of the access provision to the enforcement of other provisions of the Privacy Act, and the lack of any provision in the exemption portion of the statute to protect a third party’s privacy, the Eighth Circuit rejected the government’s argument that subsection (b) prohibited disclosure to the requester of the information about a third party. Id. at 334-35. A careful reading of Voelker reveals that the Eighth Circuit appeared to equate the term “record” with “file” for subsection (d)(1) access purposes. Cf. Wren v. Harris, 675 F.2d 1144, 1147 (10th Cir. 1982) (per curiam) (reversing district court’s judgment that FOIA Exemption 6 protected certain third-party information requested under the Privacy Act; stating “[o]n remand, should the district court find that the documents requested by Mr. Wren consist of ‘his record’ or ‘any information pertaining to him,’ and that they are ‘records’ contained in a ‘system of records,’ § 552a(a)(4), (5), (d)(1), then the court must grant him access to those documents as provided in § 552a(d)(1), unless the court finds that they are exempt from disclosure under [Privacy Act exemptions]”; “the [district] court’s reliance on [FOIA Exemption 6] to withhold the documents would be improper if the court determines that the [Privacy Act] permits disclosure”); Henke v. Commerce, No. 94-0189, 1996 WL 692020, at *4 (D.D.C. Aug. 19, 1994) (rejecting government’s argument that information contained in one individual’s records is exempt from the disclosure requirements of the Privacy Act simply because the same information is also contained in another individual’s records, and further stating that it would “not create an exemption to the Privacy Act that [C]ongress did not see fit to include itself”), aff’d on other grounds, 83 F.3d 1445 (D.C. Cir. 1996); Ray v. DOJ, 558 F. Supp. 226, 228 (D.D.C. 1982) (ruling that requester was entitled to access, under subsection (c)(3), to addresses of private persons who had requested information about him because no Privacy Act exemption justified withholding such information, notwithstanding that agency’s “concern about possible harrassment [sic] of these individuals may be legitimate”), aff’d, 720 F.2d 216 (D.C. Cir. 1983) (unpublished table decision).
Voelker’s rationale was purportedly distinguished (but in actuality was rejected) in DePlanche v. Califano, 549 F. Supp. 685, 693-98 (W.D. Mich. 1982), a case involving a father’s request for access to a social security benefits file indexed and retrieved by his social security number which contained the address of his two minor children. In denying the father access to the children’s address, the court reasoned that such third-party information, although contained in the father’s file, was not “about” the father, and therefore by definition was not his “record” within the meaning of subsection (a)(4), nor was it information “pertaining” to him within the meaning of the subsection (d)(1) access provision. Id. at 694-96. In distinguishing Voelker, the court relied upon an array of facts suggesting that the father might harass or harm his children if their location were to be disclosed. Id. at 693, 696-98.
Other courts, too, have made findings that certain items of information, although contained in a file or document retrieved by an individual’s name, did not qualify as Privacy Act records “about” that individual. See Riser v. State, No. 09-3273, 2010 WL 4284925, at *6 (S.D. Tex. Oct. 22, 2010) (finding that OPM document describing “background investigations generally, with no reference to or identifying information about any individual” does “not constitute a ‘record’ for Privacy Act purposes”); Murray v. BOP, 741 F. Supp. 2d 156, 161 (D.D.C. 2010) (discussing names of individuals who visited plaintiff in prison and dates and times of their visits “certainly pertain to him in a generic sense – the visitors came to see him at the various BOP facilities where he had been incarcerated, and these visitors necessarily are linked to plaintiff”; However, “[e]ven if the information he seeks includes his name and identifying number . . . , the balance of the information requested pertains to the third party visitors personally; the information is not ‘about’ the plaintiff and therefore is not a ‘record.’”); Nolan v. DOJ, No. 89-A-2035, 1991 WL 36547, at *10 (D. Colo. Mar. 18, 1991) (holding names of FBI agents and other personnel were not requester’s “record” and therefore “outside the scope of the [Privacy Act]”), aff’d, 973 F.2d 843 (10th Cir. 1992); Haddon v. Freeh, 31 F. Supp. 2d 16, 22 (D.D.C. 1998) (applying Nolan and Doe, infra, holding that identities and telephone extensions of FBI agents and personnel were not “about” plaintiff and thus were properly withheld); Springmann v. State, No. 93-1238, slip op. at 8 & n.1 (D.D.C. Apr. 21, 1997) (citing Nolan and holding that name of foreign official who provided information to State Department and names of foreign service officers (other than plaintiff) who were denied tenure were “not accessible to plaintiff under the Privacy Act because the identities of these individuals d[id] not constitute information ‘about’ plaintiff, and therefore [we]re not ‘records’ with respect to plaintiff under the Privacy Act”); Hunsberger v. CIA, No. 92-2186, slip op. at 3-4 (D.D.C. Apr. 5, 1995) (citing Nolan and holding that names of employees of private insurance company used by Director of Central Intelligence and Director’s unique professional liability insurance certificate number maintained in litigation file created as result of plaintiff’s prior suit against CIA Director were not “about” plaintiff and therefore were not “record[s]” within meaning of Privacy Act); Doe v. DOJ, 790 F. Supp. 17, 22 (D.D.C. 1992) (citing Nolan and alternatively holding that “names of agents involved in the investigation are properly protected from disclosure”); cf. Allard v. HHS, No. 4:90-CV-156, slip op. at 9-11 (W.D. Mich. Feb. 14, 1992) (citing DePlanche with approval and arriving at same result, but conducting analysis solely under FOIA Exemption 6), aff’d, 972 F.2d 346 (6th Cir. 1992) (unpublished table decision).
The District Court for the District of Columbia was confronted with a more complex version of this issue in Topuridze v. USIA, 772 F. Supp. 662 (D.D.C. 1991), reconsidering Topuridze v. FBI, No. 86-3120, 1989 WL 11709 (D.D.C. Feb. 6, 1989), when the subject of a letter requested access to it and the agencies withheld it to protect the author’s privacy interests. In Topuridze, the issue of access to third-party information in a requester’s file was further complicated by the fact that the information was “retrievable” by both the requester’s identifier and the third party’s identifier, Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989) – the record was subject to “dual retrieval.” In apparent contradiction to the subsection (d)(1) access provision, subsection (b) prohibits the nonconsensual disclosure of an individual’s record contained in a system of records indexed and retrieved by his name or personal identifier to any third party. See 5 U.S.C. § 552a(b). Because the letter was both the requester’s and the third party’s Privacy Act record, the government argued that subsection (b), though technically not an “exemption,” nevertheless restricts first-party access under subsection (d)(1) where the record is about both the requester and the third-party author, and is located in a system of records that is “retrievable” by both their names. See Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989); Topuridze v. USIA, 772 F. Supp. at 665-66. Although the court had previously ruled that the document was not about the author, see Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *2-3 (D.D.C. Feb. 6, 1989), on reconsideration it ruled that it need not reach that issue, finding that “[b]ecause the document is without dispute about the [requester], it must be released to him in any event.” 772 F. Supp. at 665. On reconsideration, the court embraced Voelker and rejected the government’s argument that subsection (b) created a “dual record exemption” to Privacy Act access. Id. at 665-66.
However, the Court of Appeals for the District of Columbia Circuit reached a result different from those reached in Voelker and Topuridze, although the court did not mention either of those cases. See Sussman, 494 F.3d 1106. The U.S. Marshals Service processed Sussman’s subsection (d)(1) request “by searching for records indexed to his name” and found only one document. Sussman v. Marshals Serv., No. Civ. A. 03-610, 2005 WL 3213912, at *1 (D.D.C. Oct. 13, 2005). Sussman argued that the Marshals Service performed an inadequate search and identified a “Wanted Poster” that the Marshals Service had issued for Keith Maydak, which listed “Michael Sussman” as an alias for “Keith Maydak.” 494 F.3d 1109. The Marshals Service conducted a second search, “now taking into account Sussman’s connections to Maydak.” Id. at 1110. The second search yielded more than 800 pages of documents “relating to Sussman.” Id. The district court stated that “the [Marshals Service] searched Keith Maydak’s files for records related to or pertaining to [Sussman] or that mentioned [Sussman] by name.” 2005 WL 3213912, at *2. The Marshals Service disclosed only some of these records to Sussman. 494 F.3d at 1110. Sussman brought a subsection (d)(1) claim against the Marshals Service. Id. The D.C. Circuit “interpret[ed] 5 U.S.C. § 552a(d)(1) to give parties access only to their own records, not to all information pertaining to them that happens to be contained in a system of records.” Id. at 1121. The court explained that “[f]or an assemblage of data to qualify as one of Sussman’s records, it must not only contain his name or other identifying particular but also be ‘about’ him. . . . That is, it must actually describe him in some way.” Id.; see also Aguirre v. SEC, 671 F. Supp. 2d 113, 122 (D.D.C. 2009) (declining to dismiss claim seeking access to record that “clearly contains plaintiff’s name and describes him, his history at the SEC and details related to his termination” because record “sufficiently describes plaintiff to satisfy the standard established by Sussman”). Thus, the court held, “the Marshals Service must disclose to Sussman those materials – and only those materials – contained in records about him, the release of which would not violate 5 U.S.C. § 552a(b).” Id. In a footnote, the court explained that “[i]f certain materials pertain to both Sussman and other individuals, from whom the Marshals Service has received no written consent permitting disclosure, the Privacy Act would both require (5 U.S.C. § 552a(d)(1)) and forbid (id. § 552a(b)) their disclosure.” Id. at n.9. In such a situation, subsection (d)(1) must give way because “the consent requirement in § 552a(b) is one of the most important, if not the most important, provisions in the Privacy Act.” Id.; see also Mobley v. CIA, 924 F. Supp. 2d 24, 57 (D.D.C. 2013) (following Sussman and denying plaintiff access to information about plaintiff but also about third-party individuals who did not provide written consent to have their information disclosed); Anderson v. Treasury, No. 76-1404, slip op. at 13 (D.D.C. July 19, 1977) (presaging Sussman by finding name of third-party complainant in requester’s file to be “about” complainant and, therefore, denying requester access to complainant’s name).
The D.C. Circuit’s opinion in Sussman seriously calls into question the validity of Topuridze, insofar as Topuridze could be read to require an agency to disclose to a requester “those materials . . . contained in records about him” even if the release of those materials would violate the subsection (b) rights of the non-requesting party. See Sussman, 494 F.3d at 1121. While Sussman controls in the D.C. Circuit, which has universal venue for Privacy Act matters, the holding in Voelker remains undisturbed in the Eighth Circuit.
A requester need not state his reason for seeking access to records under the Privacy Act, but an agency should verify the identity of the requester in order to avoid violating subsection (b). See OMB Guidelines, 40 Fed. Reg. 28,948, 28,957-58 (July 9, 1975), available at http://www.whitehouse.gov/sites/default/files/omb/assets/omb/inforeg/implementation_guidelines.pdf; see also 5 U.S.C. § 552a(i)(1) (stating criminal penalties for disclosure of information to parties not entitled to receive it); 5 U.S.C. § 552a(i)(3) (stating criminal penalties for obtaining records about an individual under false pretenses); cf., e.g., 28 C.F.R. § 16.41(d) (2014) (stating DOJ regulation regarding the verification of identity).
Also, although it has been observed that subsection (d)(1) “carries no prospective obligation to turn over new documents that come into existence after the date of the request,” Crichton v. Cmty. Servs. Admin., 567 F. Supp. 322, 325 (S.D.N.Y. 1983), the D.C. Circuit has held that under the FOIA a date-of-request cut-off policy – as opposed to a date-of-search cut-off policy – was unreasonable under the facts of that case. Pub. Citizen v. State, 276 F.3d 634, 644 (D.C. Cir. 2002). See generally FOIA Post, “Use of ‘Cut-Off’ Dates for FOIA Searches,” available at http://www.justice.gov/oip/foiapost/2004foiapost14.htm.