Skip to main content

Overview of the Privacy Act: 2020 Edition

Government Contractors

“(1) When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its authority, cause the requirements of this section to be applied to such system.  For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section [Sept. 27, 1995], shall be considered to be an employee of an agency. 

(2) A consumer reporting agency to which a record is disclosed under section 3711(e) of Title 31 shall not be considered a contractor for the purposes of this section.”  5 U.S.C. § 552a(m)(1)-(2)


Generally, subsection (m) extends the requirements of the Privacy Act to contractors who maintain a system of records to accomplish the agency’s functions.  See generally Pennsylvania Higher Educ. Assistance Agency v. Perez, No. 3:18-CV-1114 (MPS), 2020 WL 2079634, at *12 (D. Conn. Apr. 30, 2020) (citing subsection (m) to conclude that contractor “had no more right to disclose the documents than an employee of the [agency] would have had.”); cf. Boggs v. Se. Tidewater Opportunity Project, No. CIV. A. 2:96CV196, 1996 WL 274381, at *2 (E.D. Va. May 22, 1996) (finding subsection (m) inapplicable where contractor was community action agency that was not “in the business of keeping records for federal agencies” as is required under subsection (m)).

The Federal Acquisition Regulation provides language that must be inserted in solicitations and contracts “[w]hen the design, development, or operation of a system of records on individuals is required to accomplish an agency function.”  48 C.F.R. § 24.104 (2020); see also id. § 52.224-1 to -2.  The regulation defines “operation of a system of records” as “performance of any of the activities associated with maintaining the system of records, including the collection, use, and dissemination of records.”  Id. at § 52.224-2(c)(1).  But cf. Koch v. Schapiro, 777 F. Supp. 2d 86, 91 (D.D.C. 2011) (concluding, in context of claim brought under Rehabilitation Act, that “a contract to investigate complaints of discrimination by employees of the agency on behalf of the [agency’s] EEO Office” is “not a contract for the design or development of a system of records” and therefore is “not the type of contract covered by 48 C.F.R. pt. 24”). 

Additionally, see the discussion of subsection (b)(1), “Twelve Exceptions to “No Disclosure without Consent, Conditions Of Disclosure to Third Parties, Need to Know Within Agency” above, regarding whether contractors are “employees” of an agency for purposes of disclosing a record in a system of records under that subsection.

Even when subsection (m) is applicable, the agency – not the contractor – remains the only proper defendant in a Privacy Act civil lawsuit.  See, e.g., Repetto v. Magellan Health Servs., No. 12-4108,  2013 WL 1176470, at *5-6 (D.N.J. Mar. 19, 2013) (rejecting plaintiff’s claims that §subsection (m) permits Privacy Act claims against corporations contracting with government and finding that, had “Congress wanted government contractors to be subject to suit for violations, it could have included word ‘remedies’ in § 552a(m).  Instead, Congress deliberately ensured that only agencies were subjects of requirements and remedies, but only extended the Act’s requirements to the government contractors.”); Patterson v. Austin Med. Ctr., No. 97-1241, 1998 WL 35276064, at *2 (D. Minn. Jan. 28, 1998) (finding subsection (m) “does not create a private cause of action against a government contractor for violations of the Act”), aff’d, 163 F.3d 602 (8th Cir. Sept. 11, 1998) (unpublished table case);  Adelman v. Discover Card Servs., 915 F. Supp. 1163, 1166 (D. Utah 1996) (finding that “a strict construction of ‘employee of the United States’ cannot include employees of state agencies administering a federal program,” and also finding that limited waiver of sovereign immunity afforded by § 552a(g)(1) applies only to federal agencies).  Contra Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 315, n.5 (N.D.N.Y. 1993) (noting that “[t]here is no dispute that GE is subject to the requirements of the Privacy Act, inasmuch as it falls within the definition of ‘agency’”).

For additional guidance concerning this provision, see OMB 1975 Guidelines, 40 Fed. Reg. at 28,951, 975-76,, and the legislative debate reported at 120 Cong. Rec. at 40,408, reprinted in Source Book at 866.


Next Section: Mailing Lists

Updated October 22, 2022