Skip to main content

Overview of the Privacy Act: 2020 Edition

Individual's Right of Access

“Each agency that maintains a system of records shall . . . upon request by any individual to gain access to his record or to any information pertaining to him which is contained in the system, permit him and upon his request, a person of his own choosing to accompany him, to review the record and have a copy made of all or any portion thereof in a form comprehensible to him, except that the agency may require the individual to furnish a written statement authorizing discussion of that individual’s record in the accompanying person’s presence.”  5 U.S.C. § 552a(d)(1).

A. The Privacy Act and the FOIA


The Privacy Act and the FOIA are often read in tandem; The Privacy Act allows individuals to access records about themselves, while the FOIA allows the public to access government information.

The Privacy Act provides individuals with a means to access government records about themselves.  The right of access under the Privacy Act is similar to that of the Freedom of Information Act (FOIA), and the statutes do overlap, but not entirely.  Compare 5 U.S.C. § 552a(d)(1) with 5 U.S.C. § 522(a)(3)(A); see generally Greentree v. U.S. Customs Serv., 674 F.2d 74, 76 (D.C. Cir. 1982) (“While the Privacy Act was designed to provide individuals with more control over the gathering, dissemination, and accuracy of agency information about themselves, FOIA was intended to increase the public’s access to governmental information.”).  The FOIA is entirely an access statute and “is often explained as a means for citizens to know ‘what their Government is up to.’”  NARA v. Favish, 541 U.S. 157, 171-72 (2004) (quoting DOJ v. Reporters Comm. for Freedom of the Press, 489 U.S. 749, 773 (1989)); see generally FOIA Guide, at 1, (FOIA provides that “any person has a right, enforceable in court, to obtain access to federal agency records” that are not subject to any of its exemptions or exclusions).  By comparison, the Privacy Act permits only an “individual” to seek access to only his own “record,” and only if that record is maintained by the agency within a “system of records” – i.e., is retrieved by that individual requester’s name or personal identifier – subject to ten Privacy Act exemptions (see the discussion “Ten Exemptions,” below).  See Sussman v. Marshals Serv., 494 F.3d 1106, 1121 (D.C. Cir. 2007) (concluding that Privacy Act gives individuals “access only to their own records, not to all information pertaining to them that happens to be contained in a system of records”); see also Burton v. Wolf, 803 F. App’x 120, 122 (9th Cir. 2020) (finding that plaintiff was not entitled to records retrievable only with identifying information of his estranged wife); Aguiar v. DEA, 334 F. Supp. 3d 130, 146 (D.D.C. 2018) (request for information about GPS contractor did not relate to plaintiff’s own records and was not accessible under Privacy Act); Goldstein v. IRS, 279 F. Supp. 3d 170, 187 (D.D.C. 2017) (“Plaintiff's Privacy Act claim fails because the information that Plaintiff seeks … is not ‘about’ him.”).

Thus, the primary difference between the FOIA and the access provision of the Privacy Act is the scope of information accessible under each statute.

Agencies should consider individuals’ access requests under both the Privacy Act and the FOIA.

Agencies should process an individuals’ access requests for their own records maintained in system of records under both the Privacy Act and the FOIA, regardless of the statute(s) cited.  See 5 U.S.C. § 552a(t)(1) and (2) (prohibiting reliance on FOIA exemptions to withhold under Privacy Act, and vice versa); H.R. Rep. No. 98-726, pt. 2, at 16-17 (1984), as reprinted in 984 U.S.C.C.A.N. 3741, 3790-91 (regarding amendment of Privacy Act in 1984 to include subsection (t)(2) and stating:  Agencies that had made it a practice to treat a request made under either [the Privacy Act or the FOIA] as if the request had  been made under both laws should continue to do so”); FOIA Update, Vol. VII, No. 1, at 6, http://www​; see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1184 (D.C. Cir. 1987) (“[A]ccess to records under [FOIA and Privacy Act] is available without regard to exemptions under the other.”); Shapiro v. DEA, 762 F.2d 611, 612 (7th Cir. 1985) (“Congress intends that the courts construe the Privacy Act and the Freedom of Information Act separately and independently so that exemption from disclosure under the Privacy Act does not exempt disclosure under the Freedom of Information Act, and vice versa.”); Murray v. Shulkin, 273 F. Supp. 3d 87, (D.D.C. 2017) (“[A]gencies routinely process requests for records under both statutes, consistent with the overarching goal of ‘open government, and especially, accessibility of government records.’” (citations omitted)); Espinoza v. DOJ, 20 F. Supp. 3d 232, 244 (D.D.C. 2014) (finding that “the Privacy Act specifically exempts from its nondisclosure provisions documents that are otherwise required to be disclosed under the FOIA”); Menchu v. HHS, 965 F. Supp. 2d 1238, 1246-47 (D. Or. 2013) (finding that “[t]he application of § 552a(d), rather than § 552a(b)(2), and the underlying goal of the legislature to allow individuals broad access to their own records, supports the conclusion that § 552a(t) requires disclosure of the records sought when allowed under either the [FOIA] or the Privacy Act” in light of fact that plaintiff was requesting information about himself and not about third party); Sussman v. DOJ, No. 03-3618, 2006 WL 2850608, at *4 (E.D.N.Y. Sept. 30, 2006) (“[A]n exemption under the FOIA is not a bar to release files under the Privacy Act and . . . a Privacy Act exemption is not to bar release of files under the FOIA.”); Brown v. DOJ, No. 02-2662, slip op. at 18 n.36 (D. Ala. June 21, 2005) (concluding that plaintiff’s request must be analyzed under both FOIA and Privacy Act because “access to documents under these statutes [is] dissimilar”); Bogan v. FBI, No. 04-C-532-C, 2005 WL 1367214, at *6 (W.D. Wis. June 7, 2005) (explaining that if records are requested under both FOIA and Privacy Act, requester can gain access to those records by showing that they were accessible under either statute); Harvey v. DOJ, No. 92-176-BLG, slip op. at 8 (D. Mont. Jan. 9, 1996) (“Even though information may be withheld under the [Privacy Act], the inquiry does not end. The agency should also process requests under the FOIA, since the agency may not rely upon an exemption under the [Privacy Act] to justify nondisclosure of records that would otherwise be accessible under the FOIA.  5 U.S.C. § 552a(t)(2).”), aff’d, 116 F.3d 484 (9th Cir. 1997) (unpublished table decision); cf. Wren v. Harris, 675 F.2d 1144, 1146 & n.5 (10th Cir. 1982) (per curiam) (construing pro se complaint to seek information under either Privacy Act or FOIA even though only FOIA was referenced by name); Gonzales & Gonzales Bonds & Ins. Agency, Inc. v. DHS, 913 F. Supp. 2d 865, 868 n.3 (N.D. Cal. 2012) (noting DHS’ error in responding to plaintiff’s FOIA requests under the Privacy Act, and stating that “the FOIA and the Privacy Act are distinct mechanisms for obtaining government information, and it is legal error to conflate them”); Skurow v. DHS, 892 F. Supp. 2d 319, 330 (D.D.C. 2012) (rejecting “plaintiff’s argument that [information related to plaintiff being on the watch list] should be released because plaintiff has requested the information under the Privacy Act, in addition to FOIA” because provision in TSA’s [Sensitive Security Information (SSI)] regulation specifically states that “records containing SSI are not available for public inspection or copying, nor does TSA . . . release such records to persons without a need to know”); Hunsberger v. DOJ, No. 92-2587, slip op. at 2 n.2 (D.D.C. July 22, 1997) (exempting system of records, from which documents at issue were retrieved, pursuant to Privacy Act exemption (j)(2); “[c]onsequently, the records were processed for release under the FOIA”); Freeman v. DOJ, 822 F. Supp. 1064, 1066 (S.D.N.Y. 1993) (accepting agency’s rationale that “because documents releasable pursuant to FOIA may not be withheld as exempt under the Privacy Act,” it is proper for the agency not to distinguish between FOIA and Privacy Act requests when assigning numbers to establish the order of processing, and quoting Report of House Committee on Government Operations, H.R. Rep. No. 98-726, which was cited by the agency as “mandat[ing]” such practice); Pearson v. DEA, No. 84- 2740, slip op. at 2 (D.D.C. Jan. 31, 1986) (construing pro se complaint to seek information under either Privacy Act or FOIA even though only FOIA was referenced by name).

Unlike the FOIA, see 5 U.S.C. § 552(a)(6)(A), the Privacy Act does not give a requester the right to administratively appeal any adverse determination that an agency makes on his or her access request.  However, because agencies should process an individual’s access request under both statutes – which includes processing the request through any administrative appeal – there is no practical effect of this distinction.  See, e.g., 28 C.F.R. § 16.45 (2020) (explaining DOJ Privacy Act regulation regarding appeals from denials of requests for access to records).


B. FOIA/Privacy Act Interface Examples: Access

Suppose John Q. Citizen writes to Agency: “Please send to me all records that you have on me.”

For purposes of this example, assume that the only responsive records are contained in a system of records retrieved by Mr. Citizen’s own name or personal identifier. Thus, both the Privacy Act and the FOIA potentially apply to the records.


1. If No Privacy Act Exemption Applies

Result: Mr. Citizen should receive access to his Privacy Act records where Agency can invoke no Privacy Act exemption.

The Agency cannot rely upon a FOIA exemption alone to deny Mr. Citizen access to any of his records under the Privacy Act.  See 5 U.S.C. § 552a(t)(1) (FOIA exemptions cannot defeat Privacy Act access); see also Martin v. Office of Special Counsel, 819 F.2d 1181, 1184 (D.C. Cir. 1987) (“If a FOIA exemption covers the documents, but a Privacy Act exemption does not, the documents must be released under the Privacy Act.” (emphasis added)); Hoffman v. Brown, No. 1:96cv53-C, slip op. at 4 (W.D.N.C. Nov. 26, 1996) (agreeing with plaintiff that “no provision of the Privacy Act allows the government to withhold or redact records concerning [his] own personnel records” and ordering production of e-mail and other correspondence regarding plaintiff’s employment), aff’d, 145 F.3d 1324 (4th Cir. 1998) (unpublished table decision); Viotti v. Air Force, 902 F. Supp. 1331, 1336-37 (D. Colo. 1995) (“If the records are accessible under the Privacy Act, the exemptions from disclosure in the FOIA are inapplicable.”), aff’d, 153 F.3d 730 (10th Cir. 1998) (unpublished table decision).

In other words, a requester is entitled to the combined total of what both statutes provide.  See Clarkson v. IRS, 678 F.2d 1368, 1376 (11th Cir. 1982); Wren v. Harris, 675 F.2d 1144, 1147 (10th Cir. 1982) (remanding to the district court for consideration of the request under the Privacy Act where the court “analyzed the request for documents solely under the FOIA” and “made no attempt to decide whether the documents were discoverable under the” Privacy Act) (per curiam); Kearns v. Fed. Aviation Admin., 312 F. Supp. 3d 97, 106 (D.D.C. 2018) (concluding that although the interaction between FOIA and Privacy Act exemptions “sounds like a sphinxian riddle,” “[t]he interaction between the two statutes … boils down to a rather straightforward edict: ‘Where a request for documents is made under both FOIA and the Privacy Act, the responding agency must demonstrate that the documents fall within some exemption under each Act.’” (quoting Barouch v. DOJ, 962 F. Supp. 2d 30, 66 (D.D.C. 2013))); Fagot v. FDIC, 584 F. Supp. 1168, 1173 (D.P.R. 1984) (“[A]ccess to information request [that] falls under both the FOIA and the Privacy Act… is entitled to the cumulative result of what both statutes provide.”), aff’d in part & rev’d in part, 760 F.2d 252 (1st Cir. 1985) (unpublished table decision); see also 120 Cong. Rec. 40,406 (1974), reprinted in Source Book at 861.


2. If a Privacy Act Exemption Applies

Result: Where a Privacy Act exemption applies, Mr. Citizen is not entitled to obtain access to his records under the Privacy Act.

But he may still be able to obtain access to his records (or portions thereof) under the FOIA.  See 5 U.S.C. § 552a(t)(2) (Privacy Act exemption(s) cannot defeat FOIA access); Martin, 819 F.2d at 1184 (“[I]f a Privacy Act exemption but not a FOIA exemption applies, the documents must be released under FOIA.”) (emphasis added); Savada v. DOD, 755 F. Supp. 6, 9 (D.D.C. 1991) (citing Martin and holding that agency must prove that document is exempt from release under both FOIA and Privacy Act); see also Ehlmann v. DHS, No. 4:12 CV 1392, 2013 WL 3724906, at *1 (E.D. Mo. July 15, 2013); Shapiro v. DEA, 762 F.2d 611, 612 (7th Cir. 1985); Riser v. State, No. 09-3273, 2010 WL 4284925, at *6 (S.D. Tex. Oct. 22, 2010) (explaining that even if Privacy Act applied to record, “that statute cannot be used to withhold any record ‘which is otherwise accessible to [an] individual’ under FOIA”); Miller v. United States, 630 F. Supp. 347, 348-49 (E.D.N.Y. 1986); Nunez v. DEA, 497 F. Supp. 209, 211 (S.D.N.Y. 1980).  The outcome will depend upon FOIA exemption applicability.


3. If No Privacy Act Exemption and No FOIA Exemption Apply

Result:  The information should be disclosed.


4. If Both Privacy Act and FOIA Exemptions Apply

Result:  The record should be withheld, unless the agency, after careful consideration, decides to disclose the record to the first-party requester as a matter of administrative discretion.  See Memorandum from Eric Holder, Attorney General, for Dept. of Justice Heads of Exec. Dept. & Agencies, The Freedom of Information Act (FOIA) (Mar. 19, 2009),​/paoverview_agfoia [hereinafter AG FOIA 2009] (encouraging agencies “to make discretionary disclosures of information” when they may legally do so). 

But remember: When an individual requests access to his own record (i.e., a first-party request) that is maintained in a system of records, an agency must be able to invoke properly both a Privacy Act exemption and a FOIA exemption in order to withhold that record.


Note also that Mr. Citizen’s first-party request – because it is a FOIA request as well – additionally obligates Agency to search for any records on him that are not maintained in a Privacy Act system of records.  With respect to those records, only the FOIA’s exemptions are relevant; the Privacy Act’s access provision and exemptions are entirely inapplicable to any records not maintained in a system of records.


C. Records Requests and Searches

The Privacy Act does not require agencies to create records that do not exist.

The Privacy Act – like the FOIA – only requires agencies to search for existing records; it does not require “an agency to create records that do not exist.”  DeBold v. Stimson, 735 F.2d 1037, 1041 (7th Cir. 1984); Schoenman v. FBI, 764 F. Supp. 2d 40, 48 (D.D.C. 2011) (reiterating that “agencies are under no obligation to create or generate records in the course of discharging their obligations under FOIA and the Privacy Act”); Harter v. IRS, No. 02-00325, 2002 WL 31689533, at *5 (D. Haw. Oct. 16, 2002) (“the Privacy Act does not require that the IRS create records in response to individual requests”); but see May v. Air Force, 777 F.2d 1012, 1015-17 (5th Cir. 1985) (finding that (k)(7) exemption for protecting source’s identity is subject to “reasonable segregation requirement” that obligates agency to create and release typewritten version of handwritten evaluation forms so as not to reveal identity of evaluator under exemption (k)(7)); cf ACLU v. DHS, 738 F. Supp. 2d 93, 117 (D.D.C. 2010) (concluding in a FOIA case that disclosure was appropriate where DHS produced typed renditions rather than handwritten notes).

Individuals must specify the documents requested, and agencies need only search for records consistent with the request.

Individuals seeking documents pursuant to the Privacy Act must identify with sufficient specificity the documents requested.  Manga v. Knox, No. CV ELH-17-1207, 2018 WL 3239483, at *12 (D. Md. July 3, 2018) (summarily dismissing a plaintiff’s claim because “[a]bsent a description of the documents sought, as well as details of the refusal to turn over the requested information, it is impossible to determine if [plaintiff] has stated a viable claim.” (quoting Carroll v. SSA, WDQ-11-3005, 2012 WL 1454858, at *2 (D. Md. Apr. 24, 2012); Fleischman v. Comm’r of Soc. Sec., No. 3:15-CV-897-J-PDB, 2016 WL 7474577, at *3 (M.D. Fla. Dec. 29, 2016) (plaintiff’s Privacy Act claim was dismissed because he did “not allege the substance of his request for records with sufficient specificity to indicate whether his request was proper”); cf. Marshall v. Cuomo, 192 F.3d 473, 485 (4th Cir. 1999) (affirming dismissal of FOIA claim where plaintiff failed to identify specific documents requested).

The Privacy Act only requires agencies to conduct a search consistent with the scope of the request.  Ewell v. DOJ, 153 F. Supp. 3d 294, 302-03 (D.D.C. 2016) (the Privacy Act “does not obligate an agency to conduct a search for all records relating to a requester where a requester has asked the agency only to look for certain records”) (emphasis in original).

The Privacy Act, consistent with the FOIA, requires an agency to conduct an adequate and reasonable search for records.

The standard for determining the adequacy of a search pursuant to the Privacy Act “is essentially the same” as that under the FOIA, and where the government satisfied the requirements for a reasonable search under FOIA, it also satisfied the Privacy Act search requirements.  Jackson v. GSA, 267 F. Supp. 3d 617, 624 (E.D. Pa. 2017), aff’d, 729 F. App’x 206 (3d Cir. 2018); Hillier v. CIA, No. CV 16-CV-1836, 2018 WL 4354947, at *5 (D.D.C. Sept. 12, 2018). 

Under both the Privacy Act and FOIA, an agency must conduct an adequate and reasonable search for relevant records.  For example, the Court of Appeals for the District of Columbia Circuit applied the FOIA standard to an access claim brought under the Privacy Act in Chambers v. Interior, 568 F.3d 998, 1003 (D.C. Cir. 2009).  “In a suit seeking agency documents – whether under the Privacy Act or FOIA – ‘[a]t the summary judgment stage, where the agency has the burden to show that it acted in accordance with the statute, the court may rely on a reasonably detailed affidavit, setting forth the search terms and the type of search performed, and averring that all files likely to contain responsive materials (if such records exist) were searched.’”  Id. (quoting McCready v. Nicholson, 465 F.3d 1, 14 (D.C. Cir. 2006), which in turn quotes Valencia-Lucena v. Coast Guard, 180 F.3d 321, 326 (D.C. Cir. 1999), FOIA case addressing agency adequacy of search obligations); cf. New Orleans Workers’ Ctr. for Racial Justice v. ICE, 373 F. Supp. 3d 16, 35 (D.D.C. 2019) (discussing adequacy of search in FOIA context); Schulze v. FBI, No. 1:05-CV-0180, 2010 WL 2902518, at *15 (E.D. Cal. July 22, 2010) (“While the court is of the opinion that there exists some doubt that Congress intended that the Privacy Act provide civil remedies for an agency’s failure to adequately search its files, . . . [t]he court, in the interests of giving fullest consideration to Plaintiff’s claims, will follow Chambers and apply FOIA standards to Plaintiff’s failure to search claims to the extent those claims are asserted under the Privacy Act.”).

An agency’s search obligations “are dictated by whether the scope of the search is reasonably calculated to uncover all relevant documents.”  Mobley v. CIA, 924 F. Supp. 2d 24, 44 (D.D.C. 2013) (internal quotation marks omitted), aff’d, 806 F.3d 568 (D.C. Cir. 2015); Lane v. Interior, 523 F.3d 1128 (9th Cir. 2008) (“The search need only be reasonable, and the government may demonstrate that it undertook an adequate search by producing ‘reasonably detailed, nonconclusory affidavits submitted in good faith’”) (citation omitted); cf. SAI v. TSA, 315 F. Supp. 3d 218, 243 (D.D.C. 2018) (failure to uncover records does not mean that the search was inadequate).

In Chambers, the D.C. Circuit addressed the question of “whether [the agency] intentionally destroyed the [record sought] after [plaintiff] requested access to it.”  Chambers, 568 F.3d at 1000.  The court reversed the district court’s grant of summary judgment to the agency, reasoning that the agency’s “search would not be adequate under the Privacy Act if [agency] officials, aware of Chambers’s document requests, deliberately destroyed her performance appraisal before completing the search in order to avoid providing the document to her . . . Such a search would not be ‘reasonably calculated to uncover all relevant documents’ – which is what the Privacy Act, like FOIA, requires.”  Id. at 1005.  In remanding the case back to the district court, the Court of Appeals noted that “should Chambers prevail on [her access claim], the available remedies may be limited given that additional searches at this late date would likely prove futile,” but went on to state that “nonetheless, she may be entitled at a minimum to ‘reasonable attorney fees and other litigation costs.’” Id. at 1008.  On remand, the district court concluded that it “need not reach” the question of whether the agency intentionally destroyed the record at issue because the plaintiff “failed to sustain her burden of proof” on the question of “whether the document in question ever existed.”  Chambers v. Interior, No. 05-0380, 2010 WL 2293262, at *2-3 (D.D.C. May 28, 2010).

A reasonably detailed affidavit describing the Privacy Act search can be sufficient to establish that the search was adequate.

Agencies can generally establish that a search was adequate by submitting “a reasonably detailed affidavit, setting forth the search terms and the type of search performed, and averring that all files likely to contain responsive materials (if such records exist) were searched.”  Chambers v. Interior, 568 F.3d at 1003 (internal citations omitted); see also Elgabrowny v. CIA, No. 17-CV-00066, 2019 WL 1440345, at *7-11 (D.D.C. Mar. 31, 2019) (discussing the adequacy of several FOIA and Privacy Act requests); Demoruelle v. VA, No. CV 16-00562 LEK-KSC, 2017 WL 2836989, at *6 (D. Haw. June 30, 2017) (finding that whether requested information actually exists is “immaterial to whether or not the VA’s search was adequate” where VA provided a “detailed explanation of the records that it searched, the VA employee(s) who performed the search, and the process that it used for the search”).

An affidavit describing a FOIA and Privacy Act search is “reasonably detailed” if it includes “the search terms and the type of search performed, and aver[s] that all files likely to contain responsive materials (if such records exist) were searched.”  Sandoval v. DOJ, No. CV 16-1013 (ABJ), 2019 WL 316168, at *4 (D.D.C. Jan. 24, 2019) (quoting Oglesby v. Army, 920 F. 2d 57, 68 (D.C. Cir. 2010).  On the other hand, agency affidavits that “do not denote which files were searched, or by whom, do not reflect any systematic approach to document location, and do not provide information specific enough to enable [the requester] to challenge the procedures utilized” are insufficient to support summary judgment.  Sandoval v. DOJ, 2019 WL 316168, at *4, (quoting Weisberg v. DOJ, 627 F.2d 365, 371 (D.C. Cir. 1980)); see also SAI v. TSA, 315 F. Supp. 3d at 246 (concluding that “without evidence regarding the temporal scope” of the agency’s search, it was “impossible to know whether the search was adequate” and summary judgment was not appropriate); Defs. of Wildlife v. Border Patrol, 623 F. Supp. 2d 83, 92 (D.D.C. 2009) (finding declaration deficient where it failed to detail types of files searched, filing methods, and search terms used).

Agencies have the burden of justifying the withholding of records, and courts review those decisions de novo.

The Privacy Act places the burden to justify withholding of records on the agency, and provides for de novo review of decisions to withhold records.  See 5 U.S.C. § 552a(g)(3)(A); Louis v. Labor, 419 F.3d 970, 977 (9th Cir. 2005); Becker v. IRS, 34 F.3d 398, 408 n.26 (7th Cir. 1994); Doe v. United States, 821 F.2d 694, 697–98 (D.C. Cir. 1987) (en banc); Erwin v. State, 2013 WL 6452758, at *3 (N.D. Ill. Dec. 9, 2013) (finding that “agency bears the burden of establishing that the search was adequate … [b]ecause of the ‘asymmetrical distribution of knowledge’” in FOIA and Privacy Act cases “where the agency alone possesses, reviews, discloses, and withholds the subject matter of the request” (quoting Judicial Watch, Inc. v. FDA, 449 F.3d 141, 146 (D.C. Cir. 2006))).  Thus, no deference is due an agency’s determination of which records to disclose and which are exempt.  Doe v. Chao, 540 U.S. 614, 618-19 (2004) (distinguishing de novo review from “any form of deferential review”).

For a discussion of the unique procedures involved in processing first-party requests for medical records, see the discussion below under “Agency Rules, 5 U.S.C. § 552a(f)(3) - Establish Procedures for Disclosure of Records to Individuals.”  For additional information regarding document searches in the FOIA context, see generally FOIA Guide at 57-58,​/oip/page/file/1199421/download#page=40


D. Third Party Interests

Courts have split over how to handle records that, if released under the Privacy Act, would violate a third party’s privacy interests.

A particularly troubling and unsettled problem under the Privacy Act arises where a file retrieved by the requester’s name or personal identifier contains information pertaining to a third party that, if released, would invade that third party’s privacy.

This problem arises only when a requester seeks access to a record contained in a non-law enforcement system of records – typically a personnel or background security investigative system – inasmuch as agencies are generally permitted to exempt the entirety of their criminal and civil law enforcement systems of records from the subsection (d)(1) access provision pursuant to 5 U.S.C. §§ 552a(j)(2) and (k)(2).

The problem stems from the fact that unlike the FOIA, see 5 U.S.C. § 552(b)(6), (7)(C), the Privacy Act does not contain any exemption that protects a third party’s privacy.  Cf. 5 U.S.C. § 552a(k)(5) (protecting only confidential source-identifying information in background security investigative systems).  The Privacy Act’s access provision simply permits an individual to gain access to “his record or to any information pertaining to him” that is contained in a system of records and retrieved by his name or personal identifier.  5 U.S.C. § 552a(d)(1).

The courts of appeals that have squarely addressed this issue have reached different conclusions.  Compare Voelker v. IRS, 646 F.2d 332, 333-35 (8th Cir. 1981), with Sussman v. Marshals Serv., 494 F.3d 1106, 1120-21 (D.C. Cir. 2007).  In Voelker, the Eighth Circuit held that where the requested information – contained in a system of records and retrieved by the requester’s name – is “about” that requester within the meaning of subsection (a)(4)’s definition of “record,” all such information is subject to the subsection (d)(1) access provision.  Voelker v. IRS, 646 F.2d at 334.  In construing subsection (d)(1), the Eighth Circuit noted that there is “no justification for requiring that information in a requesting individual’s record meet some separate ‘pertaining to’ standard before disclosure is authorized [and i]n any event, it defies logic to say that information properly contained in a person’s record does not pertain to that person, even if it may also pertain to another individual.”  Id.  Relying on the importance of the access provision to the enforcement of other provisions of the Privacy Act, and the lack of any provision in the exemption portion of the statute to protect a third party’s privacy, the Eighth Circuit rejected the government’s argument that subsection (b) prohibited disclosure to the requester of the information about a third party.  Id. at 334-35.  A careful reading of Voelker reveals that the Eighth Circuit appeared to equate the term “record” with “file” for subsection (d)(1) access purposes.  Cf. Wren v. Harris, 675 F.2d 1144, 1146-47 (10th Cir. 1982) (per curiam) (concluding that district court improperly relied on FOIA Exemption 6 to withhold certain third-party information without considering whether under Privacy Act request was for access “to his (own) record or to any information pertaining to him,” or for “records” contained in a “system of records,” and whether they were exempt from disclosure under Privacy Act exemptions); Henke v. Commerce, No. 94-0189, 1996 WL 692020, at *4 (D.D.C. Aug. 19, 1994) (rejecting government’s argument that information contained in one individual’s record is exempt from disclosure requirements of Privacy Act simply because same information is also contained in another individual’s records), aff’d on other grounds, 83 F.3d 1445 (D.C. Cir. 1996); Ray v. DOJ, 558 F. Supp.  226, 228 (D.D.C. 1982) (ruling that requester was entitled to access, under subsection (c)(3), to addresses of private persons who had requested information about him because no Privacy Act exemption justified withholding such information, notwithstanding that agency’s “concern about possible harassment [sic] of these individuals may be legitimate”), aff’d, 720 F.2d 216 (D.C. Cir. 1983) (unpublished table decision).

Other courts, however, have found that certain information, although contained in a file or document retrieved by an individual’s name, did not qualify as a Privacy Act record because it was not “about” that individual.  For example, Voelker’s rationale was rejected by DePlanche v. Califano, 549 F. Supp. 685, 693-98 (W.D. Mich. 1982), a case involving a father’s request for access to a social security benefits file indexed and retrieved by his social security number that contained the address of his two minor children.  In denying the father access to the children’s address, the court reasoned that such third-party information, although contained in the father’s file, was not “about” the father, and therefore by definition was not his “record” within the meaning of subsection (a)(4), nor was it information “pertaining” to him within the meaning of the subsection (d)(1) access provision.  Id. at 694-96.  In distinguishing Voelker, the court relied upon an array of facts suggesting that the father might harass or harm his children if their location were to be disclosed.  Id. at 693, 696-98; see also Murray v. BOP, 741 F. Supp. 2d 156, 161 (D.D.C. 2010) (concluding that, although names of individuals who visited plaintiff in prison and dates and times of their visits “certainly pertain[] to him in a generic sense,” and “include[] his name and identifying number . . ., the balance of the information requested pertains to the third party visitors personally; the information is not ‘about’ the plaintiff and therefore is not a ‘record’”); Nolan v. DOJ, No. 89-A-2035, 1991 WL 36547, at *10 (D. Colo. Mar. 18, 1991) (holding names of FBI agents and other personnel were not requester’s “record” and therefore “outside the scope of the [Privacy Act]”), aff’d, 973 F.2d 843 (10th Cir. 1992); Haddon v. Freeh, 31 F. Supp. 2d 16, 22 (D.D.C. 1998) (applying Nolan and Doe, infra, holding that identities and telephone extensions of FBI agents and personnel were not “about” plaintiff and thus were properly withheld); Springmann v. State, No. 93-1238, slip op. at 8 & n.1 (D.D.C. Apr. 21, 1997) (citing Nolan and holding that name of foreign official who provided information to State Department and names of foreign service officers (other than plaintiff) who were denied tenure were “not accessible to plaintiff under the Privacy Act because the identities of these individuals d[id] not constitute information ‘about’ plaintiff, and therefore [we]re not ‘records’ with respect to plaintiff under the Privacy Act”); Hunsberger v. CIA, No. 92-2186, slip op. at 3-4 (D.D.C. Apr. 5, 1995) (citing Nolan and holding that names of employees of private insurance company used by Director of Central Intelligence and Director’s unique professional liability insurance certificate number maintained in litigation file created as result of plaintiff’s prior suit against CIA Director were not “about” plaintiff and therefore were not “record[s]” within meaning of Privacy Act); Doe v. DOJ, 790 F. Supp. 17, 22 (D.D.C. 1992) (citing Nolan and alternatively holding that “names of agents involved in the investigation are properly protected from disclosure”); cf. Allard v. HHS, No. 4:90-CV- 156, slip op. at 9-11 (W.D. Mich. Feb. 14, 1992) (citing DePlanche, supra, with approval and arriving at same result, but conducting analysis solely under FOIA Exemption 6), aff’d, 972 F.2d 346 (6th Cir. 1992) (unpublished table decision).

The District Court for the District of Columbia was confronted with a more complex version of this issue of third-party information when the subject of a letter requested access to it and the agencies withheld it to protect the author’s privacy interests.  Topuridze v. USIA, 772 F. Supp. 662 (D.D.C. 1991), reconsidering Topuridze v. FBI, No. 86-3120, 1989 WL 11709 (D.D.C. Feb. 6, 1989).  In Topuridze, the issue of access to third-party information in a requester’s file was further complicated by the fact that the information was “retrievable” by both the requester’s identifier and the third party’s identifier, i.e., “dual retrieval.”  Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989).  In apparent contradiction to the subsection (d)(1) access provision, subsection (b) prohibits the nonconsensual disclosure of an individual’s record contained in a system of records retrieved by his name or personal identifier to any third party.  See 5 U.S.C. § 552a(b).  Because the letter was both the requester’s and the third party’s Privacy Act record, the government argued that subsection (b), though technically not an “exemption,” nevertheless restricts first-party access under subsection (d)(1) where the record is about both the requester and the third-party author, and is located in a system of records that is “retrievable” by both their names.  See Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *1 (D.D.C. Feb. 6, 1989); Topuridze v. USIA, 772 F. Supp. at 665-66.  Although the court had previously ruled that the document was not about the author, see Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *2-3 (D.D.C. Feb. 6, 1989), on reconsideration it ruled that it need not reach that issue, finding that “[b]ecause the document is without dispute about the [requester], it must be released to him in any event.”  772 F. Supp. at 665.  On reconsideration, the court embraced Voelker and rejected the government’s argument that subsection (b) created a “dual record exemption” to Privacy Act access.  Id. at 665-66.

However, the D.C. Circuit reached a result different from those reached in Voelker and Topuridze, although the court did not mention either of those cases.  Sussman, 494 F.3d 1106.  The Sussman court concluded that information retrieved about the requestor and another third party could not be disclosed to the requestor unless the third party had consented.  The U.S. Marshals Service had processed Sussman’s subsection (d)(1) request “by searching for records indexed to his name” and found only one document.  Sussman v. Marshals Serv., No. Civ. A. 03-610, 2005 WL 3213912, at *1 (D.D.C. Oct. 13, 2005).  Sussman argued that the Marshals Service performed an inadequate search and identified a “Wanted Poster” that the Marshals Service had issued for Keith Maydak, which listed “Michael Sussman” as an alias for “Keith Maydak.”  494 F.3d 1109.  The Marshals Service conducted a second search, “now taking into account Sussman’s connections to Maydak.”  Id. at 1110.  The second search yielded more than 800 pages of documents “relating to Sussman.”  Id.  The district court stated that “the [Marshals Service] searched Keith Maydak’s files for records related or pertaining to [Sussman] or that mentioned [Sussman] by name.”  2005 WL 3213912, at *2.  The Marshals Service disclosed only some of these records to Sussman.  494 F.3d at 1110.  Sussman brought a subsection (d)(1) claim against the Marshals Service.  Id.  The D.C. Circuit “interpret[ed] 5 U.S.C. § 552a(d)(1) to give parties access only to their own records, not to all information pertaining to them that happens to be contained in a system of records.”  Id. at 1121.  The court explained that “[f]or an assemblage of data to qualify as one of Sussman’s records, it must not only contain his name or other identifying particulars but also be ‘about’ him. . . . That is, it must actually describe him in some way.”  Id.; see also Aguirre v. SEC, 671 F. Supp. 2d 113, 122 (D.D.C. 2009) (declining to dismiss claim seeking access to record that “clearly contains plaintiff’s name and describes him, his history at the SEC and details related to his termination” because record “sufficiently describes plaintiff to satisfy the standard established by Sussman”).  Thus, the court held, “the Marshals Service must disclose to Sussman those materials – and only those materials – contained in records about him, the release of which would not violate 5 U.S.C. § 552a(b).”  Id.  In a footnote, the court explained that “[i]f certain materials pertain to both Sussman and other individuals, from whom the Marshals Service has received no written consent permitting disclosure, the Privacy Act would both require (5 U.S.C. § 552a(d)(1)) and forbid (id. § 552a(b)) their disclosure.”  Id. at n.9.  In such a situation, subsection (d)(1) must give way because “the consent requirement in § 552a(b) is one of the most important, if not the most important, provisions in the Privacy Act.”  Id.; see also Mobley v. CIA, 924 F. Supp. 2d 24, 57 (D.D.C. 2013) (following Sussman and denying plaintiff access to information about plaintiff but also about third-party individuals who did not provide written consent to have their information disclosed); Anderson v. Treasury, No. 76-1404, slip op. at 13 (D.D.C. July 19, 1977) (presaging Sussman by finding name of third- party complainant in requester’s file to be “about” complainant and, therefore, denying requester access to complainant’s name).

The D.C. Circuit’s opinion in Sussman seriously calls into question the validity of Topuridze, insofar as Topuridze could be read to require an agency to disclose to a requester “those materials -- contained in records about him” even if the release of those materials would violate the subsection (b) rights of the non-requesting party.  See Sussman, 494 F.3d at 1121.  While Sussman controls in the D.C. Circuit, which has universal venue for Privacy Act matters, the holding in Voelker remains undisturbed in the Eighth Circuit.

Individuals are not required to provide a reason for requesting access to records, but agencies must verify individuals’ identities before releasing requested records.

A requester need not state his reason for seeking access to records under the Privacy Act, but an agency should verify the identity of the requester in order to avoid violating subsection (b).  See OMB 1975 Guidelines, 40 Fed. Reg. at 28,957-58,; see also 5 U.S.C. § 552a(i)(1) (criminal penalties for disclosure of information to parties not entitled to it); 5 U.S.C. § 552a(i)(3) (criminal penalties for obtaining records about individual under false pretenses); cf., e.g., 28 C.F.R. § 16.41(d) (2020) (DOJ regulation requiring requestor to verify identity).

Agencies are not obligated to turn over documents that are created after the date of an access request, but, in the FOIA context, courts have held that agencies must act reasonably and notify the requestor when setting a cut-off date.

Although subsection (d)(1) “carries no prospective obligation to turn over new documents that come into existence after the date of the request,” Crichton v. Cmty. Servs. Admin., 567 F. Supp. 322, 325 (S.D.N.Y. 1983), the Courts have acknowledged that agencies may set a cut-off date for FOIA searches, but have imposed limitations such as reasonableness and notice to the requestor.  For example, the D.C. Circuit has held that under the FOIA, a date-of-request cut-off policy regardless of circumstances – as opposed to a date-of-search cut-off policy – was unreasonable under the facts of that case.  Pub. Citizen v. State, 276 F.3d 634, 644 (D.C. Cir. 2002); Leopold v. DOJ, 411 F. Supp. 3d 1094, 1102 (C.D. Cal. 2019) (“the agency generally uses the date the search was run as the cut-off date”); Prop. of the People, Inc. v. DOJ, 405 F. Supp. 3d 99, 120 (D.D.C. 2019) (“[T]he FBI’s ‘unpublicized temporal limitation of its searches’ was improper.” (quoting McGehee v. CIA, 697 F.2d 1095, 1101 (D.C. Cir. 1983))); Vento v. IRS, 714 F. Supp. 2d 137, 144–45 (D.D.C. 2010) (concluding that a date of request cutoff was appropriate and harmonizing Pub. Citizen v. State).  

For further information regarding the Privacy Act exception for disclosures under the FOIA, see the discussion above under “Conditions of Disclosure to Third Parties, Twelve Exceptions to the ‘No Disclosure without Consent’ Rule, 5 U.S.C. § 552a(b)(2) - Required FOIA Disclosure.”


Next Section: Indviudal's Right of Amendment

Updated October 22, 2022