Overview of the Privacy Act: 2020 Edition
Definitions
A. 5 U.S.C. § 552a(a)(1) – Agency
“[T]he term ‘agency’ means any Executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the [federal] Government (including the Executive Office of the President), or any independent regulatory agency.” 5 U.S.C. § 552a(a)(1) (incorporating 5 U.S.C. § 552(f)(1) (2018), which in turn incorporates 5 U.S.C. § 551(1) (2018)).
Comment:
Executive branch agencies, their components, and government-controlled entities are “agencies.”
The Privacy Act – like the Freedom of Information Act (FOIA), 5 U.S.C. § 552 – applies only to a federal Executive Branch “agency,” and it incorporates the FOIA’s definition of “agency.” See OMB 1975 Guidelines, 40 Fed. Reg. 28,950-51, https://www.justice.gov/paoverview_omb-75; 120 Cong. Rec. at 40,408, reprinted in Source Book at 866, (discussing scope of the Act’s “agency” definition and its application to components of agencies, i.e., agencies within agencies). The Privacy Act “is intended to give ‘agency’ its broadest statutory meaning” so records can be transferred between the various offices and components that comprise an agency on a “need-for-the-record basis.” 120 Cong. Rec. at 36,967, reprinted in Source Book at 958, (providing DOJ as example of an “agency” and recognizing propriety of subsection (b)(1) “need to know” disclosures between its various components, e.g., FBI, DEA, and ATF). See also Cloonan v. Holder, 768 F. Supp. 2d 154, 162 (D.D.C. 2011) (“[N]aming components as defendants under the Privacy Act is appropriate since the statute’s plain language is clear that ‘an agency need not be a cabinet-level agency such as the DOJ to be liable.’” (quoting Lair v. Treasury, No. 03 Civ. 827, 2005 WL 645228 (D.D.C. Mar. 21, 2005)); but see Iqbal v. FBI, No. 3:11-cv-369, 2012 WL 2366634, at *4 (M.D. Fla. June 21, 2012) (declining to dismiss “just because the Plaintiff brought his claims against the FBI instead of the Department of Justice”).
The Privacy Act applies to government corporations and government-controlled corporations, and it is intended to apply to establishments like the Postal Service and the Postal Regulatory Commission. See 5 U.S.C. § 552a(a)(1); 120 Cong. Rec. at 40,408, reprinted in Source Book at 866, (indicating congressional intent for Privacy Act to apply to Postal Service and Postal Rate Commission (later renamed the Postal Regulatory Commission)); NLRB v. USPS, 841 F.2d 141, 144 n.3 (6th Cir. 1988) (Postal Service is an “agency” because it is an “independent establishment of the executive branch”).
Courts may look at the characteristics of establishments to determine whether they are “agencies” under the Privacy Act. See, e.g., Thompson v. State, 400 F. Supp. 2d 1, 21-22 (D.D.C. 2005) (finding Foreign Service Grievance Board to be an “agency” because it “consists of members appointed exclusively by an executive department, administers federal statutes, promulgates regulations, and adjudicates the rights of individuals”). Courts may consider non-federal entities to be “agencies” under the Privacy Act when the non-federal entities operate establishments that are under the supervision and control of federal Executive Branch agencies pursuant to contracts in which the non-federal entities agree to comply with the Act. See Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 313, 315 n.5 (N.D.N.Y. 1993) (“no dispute” that GE falls within definition of “agency” subject to requirements of Privacy Act where, pursuant to contract, it operated Department of Energy-owned lab under supervision, control, and oversight of Department and where by terms of contract GE agreed to comply with Privacy Act).
The White House, federal courts, and entities merely linked to the government are not “agencies.”
With regard to the White House, courts have held that those components of the Executive Office of the President whose sole function is to advise and assist the President are not “agencies” for purposes of the Privacy Act. See, e.g., Alexander v. FBI, 456 F. App’x 1, 2 (D.C. Cir. 2011) (per curiam), aff’d 691 F. Supp. 2d 182 (D.D.C. 2010) (determining case’s prior contrary interpretation, 971 F. Supp. 603, 606-07 (D.D.C. 1997), was “no longer the correct one”); Falwell v. Exec. Office of the President, 113 F. Supp. 2d 967, 968-70 (W.D. Va. 2000). In fact, the Court of Appeals for the District of Columbia Circuit observed that “Congress did not inadvertently omit the Offices of the President and Vice President from the Privacy Act’s disclosure requirements.” Wilson v. Libby, 535 F.3d 697, 708 (D.C. Cir. 2008).
Federal entities outside of the executive branch are not subject to the Act. See, e.g., Hankerson v. U.S. Dep’t of Prob. & Parole, No. 5:13-CV-78, 2014 WL 533495, at *1 (M.D. Ga. Feb. 7, 2014) (federal courts); Goddard v. Whitmer, No. 09-CV-404, 2010 WL 116744, at *2 (E.D. Ky. Jan. 6, 2010) (federal courts); Cobell v. Norton, 157 F. Supp. 2d 82, 86 & n.6 (D.D.C. 2001) (federal district court); Standley v. DOJ, 835 F.2d 216, 218 (9th Cir. 1987) (grand jury); Hankerson v. United States, 594 F. App’x 608, 609 (11th Cir. 2015) (per curiam) (probation office); Kates v. King, 487 F. App’x 704, 706 (3d Cir. 2012) (per curiam) (probation office); Fuller-Avent v. Prob. Office, 226 F. App’x 1, 2 (D.C. Cir. 2006) (probation office); Schwartz v. DOJ, No. 95-6423, 1996 WL 335757, at *1 (2d Cir. June 6, 1996) (probation office); Morris v. Prob. Servs., 723 F. Supp. 2d 225, 227 (D.D.C. 2010) (probation office); Jackson v. DOJ, No. 09-0846, 2009 WL 5205421, at *4 (D. Minn. Dec. 23, 2009) (probation office); Kyles v. Kaufman, No. 08-4169, 2008 WL 4906141, at *1 (D.S.D. Nov. 14, 2008) (probation office); Harrell v. BOP, No. 99-1619, slip op. at 6 (W.D. Okla. Mar. 5, 2001), aff’d on other grounds sub nom. Harrell v. Fleming, 285 F.3d 1292 (10th Cir. 2002) (probation office); Callwood v. Dep’t of Prob. of the V.I., 982 F. Supp. 341, 343 (D.V.I. 1997) (probation office); In re Adair, 212 B.R. 171, 173 (Bankr. N.D. Ga. 1997) (federal bankruptcy court).
Similarly, the Smithsonian Institution, although having many “links” with the federal government, “is not an agency for Privacy Act purposes.” Dong v. Smithsonian Inst., 125 F.3d 877, 879-80 (D.C. Cir. 1997); see also Dodge v. Trs. of Nat’l Gallery of Art, 326 F. Supp. 2d 1, 10-11 (D.D.C. 2004) (finding that “the National Gallery is a Smithsonian Museum” and explaining that “Smithsonian Museums . . . are not subjected to the limitations of the Privacy Act because they do not fall within the definition of an ‘agency’”). Amtrak is another entity with links to the federal government that the courts have held is not an “agency” under the Privacy Act. See United States v. Jackson, 381 F.3d 984, 989-90 (10th Cir. 2004) (citing Ehm, infra, and holding that Amtrak is not an “agency”); Ehm v. Nat’l R.R. Passenger Corp., 732 F.2d 1250, 1252-55 (5th Cir. 1984) (Amtrak held not to constitute a “Government-controlled corporation”).
State and local government agencies are not “agencies” under the Privacy Act.
State and local government agencies are not covered by the Privacy Act. See, e.g., Clancy v. Fla. Dep’t of Corr., 782 F. App’x 779, 781 (11th Cir. 2019) (finding Interstate Commission for Adult Offender Supervision to be an agency of compacting states that is not subject to Privacy Act); Hatfield v. Berube, 714 F. App’x 99, 105-06 (3rd Cir. 2017); N’Jai v. Pittsburgh Bd. of Public Educ., 487 F. App’x 735, 737 (3d Cir. 2012) (per curiam); Spurlock v. Ashley Cnty., 281 F. App’x 628, 629 (8th Cir. 2008); Schmitt v. City of Detroit, 395 F.3d 327, 331 (6th Cir. 2005); Perez-Santos v. Malave, 23 F. App’x 11, 12 (1st Cir. 2001) (per curiam); Dittman v. California, 191 F.3d 1020, 1026, 1029 (9th Cir. 1999); Nguyen v. Pennsylvania, No. 19-CV-2551, 2019 WL 3423651, at *3 (E.D. Pa. Sept. 28, 2019); Brown v. Kelly, No. 93-5222, 1994 WL 36144, at *1 (D.C. Cir. Jan. 27, 1994) (per curiam); Williams v. City of New York, No. 12 Civ. 8518, 2014 WL 1383661, at *13 (S.D.N.Y. Mar. 26, 2014); Linder v. Friedman, No. 1:12-cv-3051, 2012 WL 6633905, at *1 (D.S.C. Dec. 20, 2012); Warnock v. City of Canton, S.D., No. 11-4023, 2012 WL 2050734, at *7 (D.S.D. June 7, 2012); Oliver v. Garfield Cnty. Det. Facility, No. CIV-10-1281, 2012 WL 668802, at *3 (W.D. Okla. Feb. 8, 2012); Roggio v. City of Gardner, No. 10-40076, 2011 WL 1303141, at *7 (D. Mass. Mar. 30, 2011); Willis v. DOJ, 581 F. Supp. 2d 57, 67-68 (D.D.C. 2008); Barickman v. Bumgardner, No. 1:07CV134, 2008 WL 2872712, at *3 (N.D. W. Va. July 22, 2008); Fetzer v. Cambria Cnty. Human Servs., 384 F. Supp. 2d 813, 816 (W.D. Pa. 2005); Daniel v. Safir, 175 F. Supp. 2d 474, 481 (E.D.N.Y. 2001) (although characterizing claims as under FOIA, dismissing Privacy Act claims against local agency), aff’d, 42 F. App’x 528 (2d Cir. 2002); Atamian v. Ellis, No. 00-797, 2001 WL 699016, at *3 (D. Del. June 19, 2001), aff’d, 35 F. App’x 356 (3d Cir. 2002) (unpublished table decision); McClain v. DOJ, No. 97 C 0385, 1999 WL 759505, at *2 (N.D. Ill. Sept. 1, 1999), aff’d, 17 F. App’x 471 (7th Cir. 2001); Ferguson v. Ala. Criminal Justice Info. Ctr., 962 F. Supp. 1446, 1446-47 (M.D. Ala. 1997); Connolly v. Beckett, 863 F. Supp. 1379, 1383-84 (D. Colo. 1994); MR by RR v. Lincolnwood Bd. of Educ., Dist. 74, 843 F. Supp. 1236, 1239-40 (N.D. Ill. 1994), aff’d sub nom. Rheinstrom v. Lincolnwood Bd. of Educ., Dist. 74, No. 94-1357, 1995 U.S. App. LEXIS 10781 (7th Cir. May 10, 1995).
Additionally, neither federal funding nor regulation converts state and local entities into covered agencies. See St. Michaels Convalescent Hosp. v. California, 643 F.2d 1369, 1373 (9th Cir. 1981); Logan v. Matveevskii, 57 F. Supp. 3d 234, 275-76 (S.D.N.Y. 2014) (finding federally subsidized housing authorities are not agencies under Privacy Act); Adelman v. Discover Card Servs., 915 F. Supp. 1163, 1166 (D. Utah 1996).
Likewise, the Privacy Act does not apply to tribal entities, the governments of territories or possessions of the United States, or the District of Columbia’s government. See 5 U.S.C. § 551(1) (specifically excluding governments of territories or possessions of U.S. and government of D.C. from statutory definition of “agency” incorporated into Privacy Act); Neptune v. Nicholas, No. 1:17-cv-88-GZS, 2017 WL 1102716, at *2 (D. Me. Mar. 24, 2017) (unpublished table decision) (citing Stevens v. Skenandore, 234 F.3d 1274 (7th Cir. 2000)) (finding no right of action against tribal officials under Privacy Act)); Williams v. District of Columbia, No. 95CV0936, 1996 WL 422328, at *2-3 (D.D.C. July 19, 1996) (acknowledging Privacy Act does not apply to D.C.). However, the D.C. Circuit has held that National Guard units are within the Privacy Act’s definition of “agency” at all times – not just when they are on active federal duty. See In re Sealed Case, 551 F.3d 1047, 1049-50 (D.C. Cir. 2009) (concluding that “Privacy Act’s definition of agency includes federally recognized National Guard units at all times” and not solely when unit is on active federal duty). But see Reno v. United States, No. 4-94CIV243, 1995 U.S. Dist. LEXIS 12834, at *6 (W.D.N.C. Aug. 14, 1995) (holding national guard to be state entity in case decided prior to In re Sealed Case).
An exception to the rule that state and local entities are not “agencies” under the Privacy Act, however, is the social security number usage restrictions contained in section 7 of the Privacy Act, which do apply to federal, state, and local government agencies. Pub. L. No. 93-579, § 7, 88 Stat. 1896, 1909 (codified at 5 U.S.C. § 552a note, “Disclosure of Social Security Number”). This special provision is discussed below under “Disclosure of Social Security Number.”
Private entities are not “agencies.”
Private entities are not subject to the Act. See Probert v. Kalamarides, 528 F. App’x 741, 742 (9th Cir. 2013); Johnson v. Mel Foster Co. Ins., 475 F. App’x 640, 640 (8th Cir. 2012) (per curiam); Chimarev v. TD Waterhouse Investor Servs., 99 F. App’x 259, 261-62 (2d Cir. 2004); Sharwell v. Best Buy, No. 00-3206, 2000 WL 1478341, at *2 (6th Cir. Sept. 26, 2000); Sutton v. Providence St. Joseph Med. Ctr., 192 F.3d 826, 844 (9th Cir. 1999); Mitchell v. G.E. Am. Spacenet, No. 96-2624, 1997 WL 226369, at *1 (4th Cir. May 7, 1997); Gilbreath v. Guadalupe Hosp. Found., 5 F.3d 785, 791 (5th Cir. 1993) (per curiam); Gourdine v. Synchrony Bank/Fraud Unit, No. 19-CV-17158, 2019 WL 5558832, at *2 (D.N.J. Oct. 28, 2019); Smith v. Citimortgage, Inc., No. 1:13-cv-2177, 2014 WL 279728, at *7 (N.D. Ga. Jan. 24, 2014); Curran v. Mark Zinnamosca & Assoc., No. 1:12-cv-750, 2014 WL 271634, at *10 (M.D. Pa. Jan. 23, 2014); Metro. Life Ins. Co. v. Blyther, 964 F. Supp. 2d 61, 71 (D.D.C. 2013); Barnes v. Med. Dep’t, No. 13-cv-00285, 2013 U.S. Dist. LEXIS 51298, at *3 (S.D. Ill. Apr. 10, 2013); Sethunya v. Monson, No. 2:12-CV-454, 2013 WL 65471, at *3 (D. Utah Jan. 4, 2013); Abdelfattah v. DHS, 893 F. Supp. 2d 75, 81 n.4 (D.D.C. 2012), aff’d, 787 F.3d 524, 533 n. 4 (affirming District Court’s dismissal of claims against private entities as Privacy Act does not apply to them); Cintron-Garcia v. Supermercados Econo, Inc., 818 F. Supp. 2d 500, 510 (D.P.R. 2011); Chapman v. Wright Transp., No. CA 11-0097, 2011 U.S. Dist. LEXIS 96913, at *6 n.4 (S.D. Ala. Aug. 10, 2011); Brooks v. AAA Cooper Transp., 781 F. Supp. 2d 472, 487-88 (S.D. Tex. 2011); Nouri v. TCF Bank, No. 10-12436, 2011 WL 836764, at *4 (E.D. Mich. Mar. 9, 2011); DeConcini Family Trust v. Home Fed. Bank, No. 2:10-CV-258, 2011 WL 635257, at *1 (D. Utah Feb. 11, 2011); Wilkerson v. H & S Lee, Inc., No. CV609-033, 2010 WL 2942635, at *2 (S.D. Ga. June 22, 2010), aff’d per curiam, 438 F. App’x 769 (11th Cir. 2011); Fox v. Cal. Franchise Tax Bd., No. 08-cv-01047, 2010 WL 56094, at *6 (D. Colo. Jan. 5, 2010); Tyree v. Hope Village, Inc., 677 F. Supp. 2d 109, 110 (D.D.C. 2009); Lengerich v. Columbia Coll., 633 F. Supp. 2d 599, 607-08 (N.D. Ill. 2009); Piper v. R.J. Corman R.R. Group, No. 05-CV-104, 2005 WL 1523566, at *8 (E.D. Ky. June 28, 2005); Locke v. MedLab/Gen. Chem., No. 99-2137, 2000 WL 127111 (E.D. Pa. Feb. 3, 2000); Payne v. EEOC, No. 99-270, slip op. at 2-3 (D.N.M. July 7, 1999), aff’d, No. 00-2021, 2000 WL 1862659, at *2 (10th Cir. Dec. 20, 2000); Davis v. Boston Edison Co., No. 83-1114-2, 1985 U.S. Dist. LEXIS 23275 (D. Mass. Jan. 21, 1985).
Neither federal funding nor regulation renders private entities subject to the Act. See Burch v. Pioneer Credit Recovery, Inc., 551 F.3d 122, 125 (2d Cir. 2008); Unt v. Aerospace Corp., 765 F.2d 1440, 1448 (9th Cir. 1985); United States v. Miller, 643 F.2d 713, 715 n.1 (10th Cir. 1981) (finding that definition of “agency” does not encompass national banks); United States v. Haynes, 620 F. Supp. 474, 478-79 (M.D. Tenn. 1985); Dennie v. Univ. of Pittsburgh Sch. of Med., 589 F. Supp. 348, 351-52 (D.V.I. 1984), aff’d, 770 F.2d 1068 (3d Cir. 1985) (unpublished table decision).
Individual agency officials generally are not considered “agencies.”
A civil action under the Privacy Act is properly filed against an “agency” only, not against an individual, a government official, an employee, or the United States. See, e.g., Palmieri v. United States, 896 F.3d 579, 586 (D.C. Cir. 2018) (“[u]nder the Privacy Act, an individual person is not an ‘agency’”); Kates v. King, 487 F. App’x 704, 706 (3d Cir. 2012) (per curiam); Flores v. Fox, 394 F. App’x 170, 172 (5th Cir. 2010) (per curiam); Jones v. Luis, 372 F. App’x 967, 969 (11th Cir. 2010) (per curiam); Weinberger v. Grimes, No. 07-6461, 2009 WL 331632, at *8 (6th Cir. Feb. 10, 2009); Pennyfeather v. Tessler, 431 F.3d 54, 55 (2d Cir. 2005); Connelly v. Comptroller of the Currency, 876 F.2d 1209, 1215 (5th Cir. 1989); Schowengerdt v. Gen. Dynamics Corp., 823 F.2d 1328, 1340 (9th Cir. 1987); Unt. v. Aerospace Corp., 765 F.2d at 1447; Brown-Bey v. United States, 720 F.2d 467, 469 (7th Cir. 1983); Windsor v. The Tennessean, 719 F.2d 155, 159-60 (6th Cir. 1983); Bruce v. United States, 621 F.2d 914, 916 n.2 (8th Cir. 1980); Parks v. IRS, 618 F.2d 677, 684 (10th Cir. 1980); Osborne v. United States, No. 3:14-cv-25, 2014 WL 309468, at *7 (W.D.N.C. Jan. 28, 2014); Padilla-Ruiz v. United States, 893 F. Supp. 2d 301, 309 (D.P.R. 2012); Lim v. United States, No. 10-2574, 2011 WL 2650889, at *8 (D. Md. July 5, 2011); Blanton v. Warden, No. 7:10-cv-00552, 2011 WL 1226010, at *3 (W.D. Va. Mar. 30, 2011); Hollins v. Cross, No. 1:09cv75, 2010 WL 1439430, at *3 (N.D. W. Va. Mar. 17, 2010); Truesdale v. DOJ, 657 F. Supp. 2d 219, 227 (D.D.C. 2009); Walker v. Gambrell, 647 F. Supp. 2d 529, 536 (D. Md. 2009); Fetzer, 384 F. Supp. 2d at 816; Burns v. Potter, 334 F. Supp. 2d 13, 20-21 (D. Mass. 2004); Stokes v. Barnhart, 257 F. Supp. 2d 288, 299 (D. Me. 2003); Mumme v. Labor, 150 F. Supp. 2d 162, 169 (D. Me. 2001) (“[A] claimant bringing a Privacy Act claim must bring suit against a particular agency, not the entire United States.”), aff’d, No. 01-2256 (1st Cir. June 12, 2002); Dennie, 589 F. Supp. at 351-53.
Furthermore, “courts have consistently declined to imply a Bivens-style right of action against individual officers for conduct that would be actionable under the Privacy Act.” Gordon v. Gutierrez, No. 1:06cv861, 2006 WL 3760134, at *3 (E.D. Va. Dec. 14, 2006). One court also noted, though, that while a Privacy Act action “must be maintained against an agency,” it is “unaware of any authority which requires the Plaintiffs to specifically name, either as an individual defendant or within the body of a complaint, each and every agency employee who may have contributed to an alleged Privacy Act violation.” Buckles v. Indian Health Serv., 305 F. Supp. 2d 1108, 1112 (D.N.D. 2004).
The District Court for the District of Columbia has explained that “[i]n order for an agency to be liable for a Privacy Act violation allegedly committed by one of its employees, the responsible agency employee must have been acting within the scope of his or her employment.” Convertino v. DOJ, 769 F. Supp. 2d 139, 147 (D.D.C. 2011) (“Therefore, even if [plaintiff] could prove that the leak must have come from a DOJ employee – which he cannot – his claim would fail because no reasonable fact-finder could conclude that any such DOJ employee was acting within the scope of his or her employment at the time of the leak.”), rev’d and remanded on other grounds, 684 F.3d 93 (D.C. Cir. 2012).
Some courts have held that the head of an agency, if sued in his or her official capacity, can be a proper party defendant under the Privacy Act. See Hampton v. FBI, No. 93-0816, slip op. at 8, 10-11 (D.D.C. June 30, 1995); Jarrell v. Tisch, 656 F. Supp. 237, 238 (D.D.C. 1987); Diamond v. FBI, 532 F. Supp. 216, 219-20 (S.D.N.Y. 1981), aff’d, 707 F.2d 75 (2d Cir. 1983); Nemetz v. Treasury, 446 F. Supp. 102, 106 (N.D. Ill. 1978); Rowe v. Tennessee, 431 F. Supp. 1257, 1264 (M.D. Tenn. 1977), vacated on other grounds, 609 F.2d 259 (6th Cir. 1979); cf. Cloonan, 768 F. Supp. 2d at 162 (“find[ing] that plaintiff’s error in naming only individual defendants was harmless” because “[o]n its face, the Complaint makes clear that in naming former attorney general Michael Mukasey, plaintiff was naming the Department of Justice as a defendant” and because complaint named Attorney General only in his official capacity). But see Williams v. Fanning, 63 F. Supp. 3d 88, 90 n.2 (D.D.C. 2014) (dismissing Secretary of Air Force and Commanding Officer of Headquarters Air Force Personnel Center as improper parties under Privacy Act and proceeding with Air Force as only proper defendant under Privacy Act).
Suits against agency heads by pro se plaintiffs may be more likely to be construed as suits against the respective agencies because pro se pleadings are construed liberally. See Walker, 647 F. Supp. 2d at 536. Further, leave to amend a complaint to substitute a proper party defendant ordinarily is freely granted where the agency is on notice of the claim. See, e.g., Reyes v. Supervisor of DEA, 834 F.2d 1093, 1097 (1st Cir. 1987); Petrus, 833 F.2d at 583. But cf. Doe v. Rubin, No. 95-CV-75874, 1998 U.S. Dist. LEXIS 14755, at *9 (E.D. Mich. Aug. 10, 1998) (granting summary judgment for defendant where plaintiff had named Secretary of Treasury as sole defendant and had filed no motion to amend). In addition, at least one court has held that while the head of an agency is not a proper defendant under the Privacy Act, an agency can waive any objections to the naming of an improper party if it received proper notice of the action and did not dispute its designation as a defendant. See Bavido v. Apfel, 215 F.3d 743, 747 (7th Cir. 2000) (finding SSA Commissioner was not proper party defendant, but SSA had waived any objection as to naming of proper party agency defendant).
Note that a prosecution enforcing the Privacy Act’s criminal penalties provision, 5 U.S.C. § 552a(i) (see “Criminal Penalties” discussion, below), would properly be filed against an individual. See Stone v. Def. Investigative Serv., 816 F. Supp. 782, 785 (D.D.C. 1993) (“Under the Privacy Act, this Court has jurisdiction over individually named defendants only for unauthorized disclosure in violation of 5 U.S.C. § 552a(i).”); see also Hampton, No. 93-0816, slip op. at 8, 10-11 (citing Stone).
B. 5 U.S.C. § 552a(a)(2) – Individual
“[T]he term ‘individual’ means a citizen of the United States or an alien lawfully admitted for permanent residence.” 5 U.S.C. § 552a(a)(2).
Comment:
The Privacy Act’s definition of “individual” is much narrower than the FOIA’s definition of “person,” which draws from the Administrative Procedures Act. See 5 U.S.C. § 551(2) (2018) (defining person as “an individual, partnership, corporation, association, or public or private organization other than an agency.”); see also, e.g., Raven, 583 F.2d at 170-71 (comparing “use of the word ‘individual’ in the Privacy Act, as opposed to the word ‘person,’ as more broadly used in the FOIA”); Cudzich v. INS, 886 F. Supp. 101, 105 (D.D.C. 1995) (A plaintiff whose permanent resident status had been revoked “is not an ‘individual’ for the purposes of the Privacy Act. . . . Plaintiff’s only potential access to the requested information is therefore under the Freedom of Information Act.”).
The Privacy Act generally covers citizens and lawful permanent residents, but others have some protections.
Generally, individuals under the Privacy Act are US citizens and lawful permanent residents. See S. Rep. No. 93-1183, at 79, reprinted in Source Book at 232, OMB 1975 Guidelines, 40 Fed. Reg. at 28,951, https://www.justice.gov/paoverview_omb-75. The Privacy Act as initially enacted did not generally protect non-resident foreign nationals. See, e.g., Raven v. Panama Canal Co., 583 F.2d 169, 170-71 (5th Cir. 1978) (referencing legislative history that “reflects the congressional intent to exclude nonresident aliens from Privacy Act coverage”); Soto v. State, 244 F. Supp. 3d 207, 208-09 (D.D.C. 2017) (per curiam) (unpublished table decision) (citing Fares v. INS, 50 F.3d 6 (4th Cir. 1995)) (“[Privacy] Act only protects citizens of the United States or aliens lawfully admitted for permanent residence.”).
The Judicial Redress Act of 2015, however, enables citizens of certain foreign countries to bring suit under certain provisions of the Privacy Act in the same manner as U.S. citizens and lawful permanent residents. See 5 U.S.C. § 552a note. The Judicial Redress Act is discussed further under “Judicial Redress Act” above.
In addition, the OMB 1975 Guidelines provide that while the Act does not apply to records pertaining solely to non-resident foreign nationals, “[w]here a system of records covers both citizens and nonresident aliens, only that portion which relates to citizens or resident aliens is subject to the Act but agencies are encouraged to treat such systems as if they were, in their entirety, subject to the Act.” OMB 1975 Guidelines, 40 Fed. Reg. at 28,951, https://www.justice.gov/paoverview_omb-75. Other OMB guidelines establish protections for personally identifiable information, regardless of citizenship or other legal status of the individuals whose information is involved. See, e.g., OMB Circular A-130, at 33, https://www.justice.gov/paoverview_omb-a-130; see also Nat’l Inst. of Standards & Tech., Spec. Pub. 800-53, Rev. 5, Security and Privacy Controls for Federal Information Systems and Organizations, at 483 (2020), https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final (defining “personally identifiable information” without regard to citizenship or other legal status).
“Individuals” do not include the deceased, corporations, organizations, derivatives, or, in some courts, sole proprietors.
Deceased individuals do not have any Privacy Act rights, nor do executors or next-of-kin. See generally OMB 1975 Guidelines, 40 Fed Reg. at 28, 951, https://www.justice.gov/paoverview_omb-75 (stating “the thrust of the Act was to provide certain statutory rights to living as opposed to deceased individuals” and “the Act did not contemplate permitting relatives and other interested parties to exercise rights granted by the Privacy Act to individuals after the demise of those individuals”); see also Warren v. Colvin, 744 F.3d 841, 843-44 (2d Cir. 2014) (“deceased individuals generally do not enjoy rights under the Privacy Act”); Whitaker v. CIA, 31 F. Supp. 3d 23, 48 (D.D.C. 2014) (deferring to agency’s interpretation of OMB’s guidance and concluding that “Privacy Act does not speak to the access rights of relatives of deceased individuals”); Crumpton v. United States, 843 F. Supp. 751, 756 (D.D.C. 1994), aff’d on other grounds sub nom. Crumpton v. Stone, 59 F.3d 1400 (D.C. Cir. 1995); cf. Flores v. Fox, 394 F. App’x 170, 171-72 (5th Cir. 2010) (per curiam) (“[Plaintiff’s] claim for injunctive relief to correct his prison records . . . is mooted by his death.”).
Privacy Act rights are personal to the individual who is the subject of the record and cannot be asserted derivatively by others. See, e.g., Warren v. Colvin, 744 F.3d 841, 843-44 (2d Cir. 2014) (“Privacy Act does not provide an individual with a right to demand materials pertaining to him but contained only in another individual’s records.”); Parks v. IRS, 618 F.2d 677, 684-85 (10th Cir. 1980) (concluding union lacked standing to sue for damages to its members); Word v. United States, 604 F.2d 1127, 1129 (8th Cir. 1979) (finding criminal defendant lacked standing to allege Privacy Act violations regarding use at trial of medical records concerning third party); Dresser Indus., 596 F.2d at 1238 (finding company lacked standing to litigate employees’ Privacy Act claims); Whitaker, 31 F. Supp. 3d at 48 (rejecting plaintiff’s argument that agency was “required to process his requests for his father’s records under the Privacy Act as well as FOIA”); Pub. Emps. for Envtl. Responsibility, 926 F. Supp. 2d at 54-55 (finding third-party organization did not have standing to sue even though given written consent by subject individual allowing EPA to disclose records pertaining to him); Lorenzo v. United States, 719 F. Supp. 2d 1208, 1215-16 (S.D. Cal. 2010) (holding plaintiff lacks standing to pursue claim for recovery for adverse effects she suffered based on disclosure of her husband’s record); Research Air, Inc. v. Kempthorne, 589 F. Supp. 2d 1, 11 (D.D.C. 2008) (asserting that individual’s attorney has no Privacy Act rights to request documents relating to client absent client’s written consent); Sirmans v. Caldera, 27 F. Supp. 2d 248, 250 (D.D.C. 1998) (“[Plaintiffs] may not object to the Army’s failure to correct the records of other officers.”); Abramsky v. U.S. Consumer Prod. Safety Comm’n, 478 F. Supp. 1040, 1041-42 (S.D.N.Y. 1979) (stating that union president cannot compel release of records pertaining to employee’s termination). But see Nat’l Fed’n of Fed. Emps. v. Greenberg, 789 F. Supp. 430, 433 (D.D.C. 1992) (finding union had associational standing because members whose interests union sought to represent would themselves have standing), vacated & remanded on other grounds, 983 F.2d 286 (D.C. Cir. 1993).
Corporations and organizations also do not have any Privacy Act rights. See, e.g., Hurry v. FINRA, 782 F. App’x 600, 602 (9th 2019) (“The Act applies to records of natural persons only, and only natural persons may sue under the Act.”); Corey v. USPS, 485 F. App’x 228, 229 (9th Cir. 2012) (holding USPS is not an “individual” under the Privacy Act); St. Michael’s Convalescent Hosp. v. California, 643 F.2d 1369, 1373 (9th Cir. 1981); Dresser Indus. v. United States, 596 F.2d 1231, 1237-38 (5th Cir. 1980); Cell Assocs. v. NIH, 579 F.2d 1155, 1157 (9th Cir. 1978); Stone v. Exp.-Imp. Bank of the United States, 552 F.2d 132, 137 n.7 (5th Cir. 1977); Arruda & Beaudoin v. Astrue, No. 11–10254, 2013 WL 1309249, at *10 (D. Mass. Mar. 27, 2013); Pub. Emps. for Envtl. Responsibility v. EPA, 926 F. Supp. 2d 48, 55 (D.D.C. 2013); Falwell v. Exec. Office of the President, 158 F. Supp. 2d 734, 736, 739 n.3 (W.D. Va. 2001); Comm. in Solidarity v. Sessions, 738 F. Supp. 544, 547 (D.D.C. 1990) (“Privacy Act does not confer standing upon organizations on their own or purporting to sue on behalf of their members.”), aff’d on other grounds, 929 F.2d 742 (D.C. Cir. 1991); United States v. Haynes, 620 F. Supp. 474, 478-79 (M.D. Tenn. 1985); see also OMB 1975 Guidelines, https://www.justice.gov/paoverview_omb-75. But cf. Recticel Foam Corp. v. DOJ, No. 98-2523, slip op. at 11-15 (D.D.C. Jan. 31, 2002) (finding corporation had standing to bring action under Administrative Procedure Act to enjoin agency from disclosing investigative information about company; “[T]he fact that Congress did not create a cause of action for corporations under the Privacy Act does not necessarily mean that Recticel’s interests do not fall within the ‘zone of interests’ contemplated by that Act. It is sufficient for a standing analysis that Plaintiffs’ interests ‘arguably’ fall within the zone of interests contemplated by the statute.”), appeal dismissed, No. 02-5118 (D.C. Cir. Apr. 25, 2002).
Additionally, the OMB 1975 Guidelines suggest individuals have no standing under the Privacy Act to challenge agency handling of records that pertain to them solely in their “entrepreneurial” capacities. See OMB 1975 Guidelines, 40 Fed. Reg. at 28,951, https://www.justice.gov/paoverview_omb-75 (quoting legislative history and stating it “suggests that a distinction can be made between individuals acting in a personal capacity and individuals acting in an entrepreneurial capacity (e.g., as sole proprietors) and that th[e] definition [of ‘individual’] (and, therefore, the Act) was intended to embrace only the former”); see also St. Michaels Convalescent Hosp., 643 F.2d at 1373 (stating that “sole proprietorships[] are not ‘individuals’ and thus lack standing to raise a claim under the Privacy Act”).
However, not all courts have adopted OMB’s personal/entrepreneurial distinction. Compare Shermco Indus. v. Sec’y of the Air Force, 452 F. Supp. 306, 314-15 (N.D. Tex. 1978) (accepting distinction), rev’d & remanded on other grounds, 613 F.2d 1314 (5th Cir. 1980), and Daniels v. FCC, No. 77-5011, slip op. at 8-9 (D.S.D. Mar. 15, 1978) (same), with Rice v. United States, 245 F.R.D. 3, 5-6 (D.D.C. 2007) (rejecting distinction without referencing OMB 1975 Guidelines and observing that “line between personal and business information is blurred for farmers, ranchers, and other family-owned businesses”); Scarborough v. Harvey, 493 F. Supp. 2d 1, 13 n.28 (D.D.C. 2007) (rejecting distinction); Metadure Corp. v. United States, 490 F. Supp. 1368, 1373-74 (S.D.N.Y. 1980) (same); Fla. Med. Ass’n v. HEW, 479 F. Supp. 1291, 1307-11 (M.D. Fla. 1979) (same); and Zeller v. United States, 467 F. Supp. 487, 496-99 (E.D.N.Y. 1979) (same).
Parents or legal guardians may, however, act on behalf of certain individuals.
The parent of a minor or the legal guardian of an incompetent may act, however, on behalf of that individual. See 5 U.S.C. § 552a(h); Gula v. Meese, 699 F. Supp. 956, 961 (D.D.C. 1988); cf. Maldonado Guzman v. Massanari, No. 00-2410, slip op. at 6-7 (D.P.R. Aug. 10, 2001) (holding plaintiff had no avenue of relief for obtaining information about his emancipated daughter under Privacy Act because he did not provide documentation required by agency regulations to verify he was her legal guardian), subsequent related opinion sub nom. Maldonado Guzman v. SSA, 182 F. Supp. 2d 216 (D.P.R. 2002). The OMB 1975 Guidelines note that subsection (h) is “discretionary and that individuals who are minors are authorized to exercise the rights given to them by the Privacy Act or, in the alternative, their parents or those acting in loco parentis may exercise them in their behalf.” 40 Fed. Reg. at 28,970, https://www.justice.gov/paoverview_omb-75; but see OMB Supplementary Guidance, 40 Fed. Reg. at 56,742, https://www.justice.gov/paoverview_omb-75-supp (noting that “[t]here is no absolute right of a parent to have access to a record about a child absent a court order or consent”).
C. 5 U.S. § 552a(a)(3) – Maintain
“[T]he term ‘maintain’ includes maintain, collect, use or disseminate.” 5 U.S.C. § 552a(a)(3).
Comment:
The definition of “maintain” embraces various activities with respect to records and has a meaning much broader than the common usage of the term. See OMB 1975 Guidelines, 40 Fed. Reg. at 28,951, https://www.justice.gov/paoverview_omb-75. The United States Court of Appeals for the Ninth Circuit recently considered the meaning of “maintain” in the context of records describing First Amendment activity. Garris v. FBI, 937 F.3d 1284, 1300 (9th Cir. 2019). The Ninth Circuit presumed that because Congress defined “maintain” to include “maintain” and “collect,” Congress intended the provision to apply to distinct activities. Id. at 1295. For an agency to “maintain” a record describing how an individual exercises rights guaranteed by the First Amendment “pertinent to and within the scope of an authorized law enforcement activity,” the Ninth Circuit found that, “to give each of these verbs its meaning,” the most reasonable reading of the statute as a whole is that the record must be pertinent to an authorized law enforcement activity both “at the time of gathering, i.e., collecting, [and] at the time of keeping, i.e., maintaining.” Id. at 1295 (quoting J. Roderick MacArthur Found. v. FBI, 102 F.3d 600, 607 (D.C. Cir. 1996) (Tatel, J., concurring in part and dissenting in part)). See also, e.g., Albright v. United States, 631 F.2d 915, 918-20 (D.C. Cir. 1980) (analyzing scope of term “maintain” in context of subsection (e)(7) challenge to record describing First Amendment-protected activity and stating that “the Act clearly prohibits even the mere collection of such a record, independent of the agency’s maintenance, use or dissemination of it thereafter”).
D. 5 U.S.C. § 552a(a)(4) - Record
“[T]he term ‘record’ means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” 5 U.S.C. § 552a(a)(4).
Comment:
A Privacy Act “record” must identify an individual.
To qualify as a Privacy Act “record,” the information must identify an individual. See, e.g., Reuber v. United States, 829 F.2d 133, 142 (D.C. Cir. 1987) (concluding that letter reprimanding individual sent to and disclosed by agency was “record” because it clearly identified individual by name and address); Albright, 631 F.2d 915 at 920 (citing subsection (e)(7) case holding that videotape of meeting constituted “record” because “[a]s long as the tape contains a means of identifying an individual by picture or voice, it falls within the definition of a ‘record’ under the Privacy Act”); Fleming v. U.S. R.R. Ret. Bd., No. 01 C 6289, 2002 WL 252459, at *2 (N.D. Ill. Feb. 21, 2002) (citing Robinson, 1988 WL 5083, at *1) (holding that summary of investigation of plaintiff disclosed in semi-annual report to Congress did not identify plaintiff and thus did not constitute a “record” because disclosure “would have identified plaintiff only to an individual who had other information that would have caused that individual to infer from the report that plaintiff was the subject of the investigation”); cf. Speaker v. HHS Ctrs. for Disease Control & Prevention, 623 F.3d 1371, 1383-87 n.12 (11th Cir. 2010) (reversing district court’s dismissal of complaint, finding that complaint sufficiently alleged that CDC disclosed plaintiff’s identity); Cacho v. Chertoff, No. 06-00292, 2006 WL 3422548, at *6 n.3 (D.D.C. Nov. 28, 2006) (declining to decide “the novel issue of whether a disclosure of the absence of information from a system of records can constitute the disclosure of a record”; given that plaintiff deliberately did not report his health problems, “accepting plaintiff’s characterization of his failure to report them as itself constituting a record that is afforded protection by the Privacy Act would stretch the meaning of the statute beyond its intended purpose”).
The OMB 1975 Guidelines state that the term “record” means “any item of information about an individual that includes an individual identifier,” and “can include as little as one descriptive item about an individual.” 40 Fed. Reg. at 28,951-52, https://www.justice.gov/paoverview_omb-75 (quoting legislative history appearing at 120 Cong. Rec. 40,408, 40,883 (1974), reprinted in Source Book at 866, 993.
The courts of appeals have established differing tests for identifying a “record” under the Act.
Several courts of appeals have articulated tests for determining whether an item qualifies as a “record” under the Privacy Act, resulting in different tests for determining whether information meets the “record” definition:
1. Broad Definition - Any Record Linked to Individual’s Identifying Information
Consistent with the OMB 1975 Guidelines, the Courts of Appeals for the Second, Third, and Fourth Circuits have broadly interpreted the term “record” to include any record that is linked to an individual through identifying information. See Bechhoefer v. DEA, 209 F.3d 57 (2d Cir. 2000); Williams v. VA, 104 F.3d 670, 673-74 (4th Cir. 1997); Quinn v. Stone, 978 F.2d 126 (3d Cir. 1992). The Third Circuit held that the term “record” “encompass[es] any information about an individual that is linked to that individual through an identifying particular” and is not “limited to information which taken alone directly reflects a characteristic or quality.” Quinn, 978 F.2d at 133 (holding that out-of-date home address on roster and time card information are records covered by the Privacy Act). The Second Circuit, after analyzing the tests established by the other courts of appeals, adopted a test “much like the Third Circuit’s test.” Bechhoefer, 209 F.3d at 60. The Second Circuit did so for three reasons. First, it found the Third Circuit’s test to be “most consistent with the ‘broad terms’ . . . of the statutory definition.” Id. Second, it found the Third Circuit’s test to be the only one consistent with the Supreme Court’s decision in DOD v. FLRA, 510 U.S. 487, 494 (1994), which held that federal civil service employees’ home addresses qualified for protection under the Privacy Act. Bechhoefer, 209 F.3d at 61. Finally, it found the Third Circuit’s test to be supported by the legislative history of the Privacy Act and OMB guidelines and regulations. Id. at 61-62. The Second Circuit held that the term “record” “has ‘a broad meaning encompassing,’ at the very least, any personal information ‘about an individual that is linked to that individual through an identifying particular.’” Id. at 62 (quoting Quinn and holding that letter containing plaintiff’s name and “several pieces of ‘personal information’ about him, including his address, his voice/fax telephone number, his employment, and his membership in [an association],” were “records” covered by Privacy Act).
The Court of Appeals for the Fourth Circuit has also construed the term “record” broadly, holding that “the legislative history of the Act makes it clear that a ‘record’ was meant to ‘include as little as one descriptive item about an individual,’” and finding that “draft” materials qualified as “records” because they “substantially pertain to Appellant,” “contain ‘information about’ [him], as well as his ‘name’ or ‘identifying number,’” and “do more than merely apply to him”). Williams, 104 F.3d at 673-74 (quoting Source Book at 866.
Several district courts also have applied a broad interpretation of the term “record.” See, e.g., Akmal v. United States, No. C12–1499, 2014 WL 906231, at *2 (W.D. Wash. Mar. 7, 2014) (finding that “[a]gency employee names, addresses, phone numbers, and dates of birth are ‘records’ covered by the Privacy Act”); Walia v. Napolitano, 986 F. Supp. 2d 169, 186 (E.D.N.Y. 2013) (finding that documents maintained by DHS in Plaintiff’s employment and personnel files, including plaintiff’s EEO activity, “may qualify as ‘records’ [in the broadest sense] because they identify the Plaintiff by name and contain information about a prospective investigation premised on the Plaintiff’s alleged misconduct”); Arruda & Beaudoin v. Astrue, No. 11–10254, 2013 WL 1309249, at *10 (D. Mass. Mar. 27, 2013) (quoting Bechhoefer and finding “queries satisfy these criteria” as “record” under the Privacy Act); Sullivan v. USPS, 944 F. Supp. 191, 196 (W.D.N.Y. 1996) (finding that disclosing to plaintiff’s employer that applicant had applied for employment with Postal Service constituted disclosure of “record” under Privacy Act; mere fact of record’s existence was sufficient to constitute record because applicant’s name was part of information contained in application and Postal Service disclosed that particular applicant by that name had applied for employment).
2. Narrow Definition - Record Must Reflect Individual Quality or Characteristic
The Courts of Appeals for the Ninth and Eleventh Circuits have limited Privacy Act coverage by adopting a narrow construction of the term “record” and requiring that the information “must reflect some quality or characteristic of the individual involved.” Boyd v. Sec’y of the Navy, 709 F.2d 684, 686 (11th Cir. 1983) (per curiam) (although stating narrow test, finding that memorandum reflecting “Boyd’s failure to follow the chain of command and his relationship with management” qualified as Privacy Act record); accord Unt v. Aerospace Corp.,765 F.2d 1440, 1448-49 (9th Cir. 1985) (finding letter written by employee – containing allegations of mismanagement against corporation that led to his dismissal – held not his “record” because it was “about” corporation and reflected “only indirectly on any quality or characteristic” of employee); but see Unt, 765 F.2d at 1449-50 (Ferguson, J., dissenting) (opining that majority’s narrow interpretation of term “record” “is illogical, contrary to the legislative intent, and defies the case laws’ consistent concern with the actual effect of a record on a person’s employment when assessing that record’s nature or subject”).
3. Middle Ground - Record Must be “About” Individual, But Need Not Reflect Quality or Characteristic
The Courts of Appeals for the District of Columbia and Fifth Circuits have staked out the middle ground. See Pierce v. Air Force, 512 F.3d 184, 188 (5th Cir. 2007); Tobey v. NLRB, 40 F.3d 469, 471 (D.C. Cir. 1994). The D.C. Circuit held that to qualify as a “record,” the information “must both be ‘about’ an individual and include his name or other identifying particular.” Tobey, 40 F.3d at 471. The D.C. Circuit rejected the Third Circuit’s determination in Quinn that information could qualify as a record “if that piece of information were linked with an identifying particular (or was itself an identifying particular),” because “[it] fails to require that information both be ‘about’ an individual and be linked to that individual by an identifying particular.” Id. (discussing Quinn, 978 F.2d at 133).
On the other hand, the D.C. Circuit found the Ninth and Eleventh Circuits’ definitions in Unt and Boyd too narrow, stating that: “So long as the information is ‘about’ an individual, nothing in the Act requires that it additionally be about a ‘quality or characteristic’ of the individual.” Tobey, 40 F.3d at 472. Ultimately, the D.C. Circuit concluded that an NLRB computer system for tracking and monitoring cases did not constitute a system of records because its files contained no information “about” individuals, despite the fact that the information contained the initials or identifying number of the field examiner assigned to the case. Id. at 471-73. Although the court recognized that the case information could be, and apparently was, used in connection with other information to draw inferences about a field examiner’s job performance, it stated that that “does not transform the [computer system] files into records about field examiners.” Id. at 472-73. See also Sussman v. Marshals Serv., 494 F.3d 1106, 1121 (D.C. Cir. 2007) (“[the record] must actually describe him in some way”); Houghton v. State, 875 F. Supp. 2d 22, 34-36 (D.D.C. 2012) (following standard set out in Tobey and determining transcripts at issue were not “about” plaintiff but rather “about a Memorandum of Understanding [between governments]” and “[e]ven the parts of the transcripts that mention [plaintiff] are about a letter he wrote that was published . . . not about him … The mere fact that the transcripts contain reference to or quote from plaintiff’s written work is not sufficient to make it a ‘record.”); Aguirre v. SEC, 671 F. Supp. 2d 113, 121-22 (D.D.C. 2009) (following Sussman and concluding that where plaintiff sought “records of an investigation of his allegation that the SEC “fired [him] for questioning” the decision to give “preferential treatment to one of Wall Street’s elite,” plaintiff had “alleged that the records describe the reasons for his termination” and, therefore it was, “at the very least, plausible that these records . . . describe him in some way”); Hatfill v. Gonzalez, 505 F. Supp. 2d 33, 35-39 (D.D.C. 2007) (concluding that information in news articles and reports concerning plaintiff’s suspected involvement in criminal activity that were leaked to reporters by government officials were “records”); Scarborough v. Harvey, 493 F. Supp. 2d 1, 15-16 (D.D.C. 2007) (asserting documents naming individual plaintiffs and describing their involvement in allegedly criminal activities were “about” plaintiffs and therefore were not excluded from definition of “records,” even if these activities were undertaken in connection with plaintiffs’ businesses); Leighton v. CIA, 412 F. Supp. 2d 30, 38-39 (D.D.C. 2006) (finding information included in magazine column, which did not name plaintiff contractor or contain identifier but stated that “the CIA is looking at contractors and suspended two in June for talking to the press,” was not “record” “about” plaintiff); Roberts v. DOJ, 366 F. Supp. 2d 13, 26 (D.D.C. 2005) (finding that FBI director’s public response to OIG report investigating plaintiff’s allegations of FBI wrongdoing was not “about” plaintiff; rather, it was an examination of the “validity of public allegations of misconduct lodged against [the FBI]”); Tripp v. DOD, 193 F. Supp. 2d 229, 236 (D.D.C. 2002) (citing Tobey and finding salary information for position plaintiff applied for “is not ‘about’ plaintiff – the fact that she could receive that salary had she been chosen for the position does not convert this into information ‘about’ plaintiff”); Voinche v. CIA, No. 98-1883, 2000 U.S. Dist. LEXIS 14291, at *8, 11-12 (D.D.C. Sept. 27, 2000) (citing Tobey and Fisher, infra, and finding that records regarding plaintiff’s administrative appeal concerning prior access request and case files of plaintiff’s prior Freedom of Information Act litigation, “while identifying plaintiff by name, are not ‘about’ the plaintiff, but rather are ‘about’ the administrative appeal and prior litigation under the FOIA”); Fisher v. NIH, 934 F. Supp. 464, 466-67, 469-72 (D.D.C. 1996) (following Tobey and finding that bibliographic information published in scientific journals including title of article and publication, name and address of author, summary of article and annotation [“scientific misconduct – data to be reanalyzed”], provides “information ‘about’ the article described in each file, not ‘about’ [the author],” even though information “could be used to draw inferences or conclusions about [the author]”; “The fact that it is possible for a reasonable person to interpret information as describing an individual does not mean the information is about that individual for purposes of the Privacy Act.”), summary affirmance granted, No. 96-5252 (D.C. Cir. Nov. 27, 1996); Henke v. Commerce, No. 94-0189, 1996 WL 692020, at *3 (D.D.C. Aug. 19, 1994) (holding that names of four reviewers who evaluated grant applicant’s proposal are applicant’s “records” under Privacy Act), aff’d on other grounds, 83 F.3d 1445 (D.C. Cir. 1996), abrogated on other grounds, Mobley v. CIA, 924 F. Supp. 2d 24, 57 (D.D.C. 2013) (finding Henke holding that “information contained in one individual’s record is exempt from the disclosure requirements of the Privacy Act simply because the same information is also contained in another individual’s records” did not survive Sussman) Doe v. DOJ, 790 F. Supp. 17, 22 (D.D.C. 1992) (applying Nolan, infra, and alternatively holding that “names of agents involved in the investigation are properly protected from disclosure”); Topuridze v. FBI, No. 86-3120, 1989 WL 11709, at *2 (D.D.C. Feb. 6, 1989) (citing Unt with approval and holding that letter written about requester, authored by third party, cannot be regarded as third party’s record; it “does not follow that a document reveals some quality or characteristic of an individual simply by virtue of the individual having authored the document”), reconsideration denied sub nom. Topuridze v. USIA, 772 F. Supp. 662, 664-65 (D.D.C. 1991) (reaffirming that “[i]n order to be about an individual a record must ‘reflect some quality or characteristic of the individual involved,’” stating that document “may well be ‘about’ the author,” after in camera review, as it discussed author’s family status, employment, and fear of physical retaliation if letter were disclosed to plaintiff, and ultimately ruling that it need not reach issue of whether or not letter was “about” author and denying reconsideration on ground that letter was without dispute about subject/plaintiff); and Shewchun v. U.S. Customs Serv., No. 87-2967, 1989 WL 7351, at *1 (D.D.C. Jan. 11, 1989) (finding that letter concerning agency’s disposition of plaintiff’s merchandise “lacks a sufficient informational nexus with [plaintiff] (himself, as opposed to his property) to bring it within the definition of ‘record’”).
Agreeing with Tobey, the Fifth Circuit concluded that information must be both “about” an individual and contain an identifying particular assigned to that individual to qualify as a “record.” See Pierce, 512 F.3d at 188. In Pierce, the Fifth Circuit explained that “[a]lthough the Privacy Act protects more than just documents that contain a person’s name, it does not protect documents that do not include identifying particulars.” Id. at 187. In determining whether a “final response letter” and “summary report of investigation” containing only “duty titles” constituted “records,” the court concluded that, because duty titles did “not pertain to one and only one individual,” they did not qualify as “identifying particulars” and thus, did not qualify as records under Privacy Act. Id. at 187-88. However, the court also recognized that “where duty titles pertain to one and only one individual . . . duty titles may indeed be ‘identifying particulars’ as that term is used in the definition of ‘record’ in the Privacy Act.” Id.
Additional courts have adopted different, narrow, and, at times, conflicting interpretations of the term “record.”
Several other courts have limited Privacy Act coverage by applying narrow constructions of the term “record” without explicitly adopting the Ninth and Eleventh Circuits’ requirement that information must reflect some characteristic of the individual involved. See, e.g., Minshew v. Donley, 911 F. Supp. 2d 1043, 1071 (D. Nev. 2012) (finding that emails revealing information about plaintiff were “the method of disclosure, not the source of the Privacy Act protected material” and, thus, the emails themselves were not “records”); Counce v. Nicholson, No. 3:06cv00171, 2007 WL 1191013, at *15 (M.D. Tenn. Apr. 18, 2007) (concluding that “email contain[ing] information regarding a potential presentation on bullying that [plaintiff’s] supervisors directed her to submit for their review” was not “record”); Lapka v. Chertoff, No. 05-C-668, 2006 WL 3095668, at *6-7 (N.D. Ill. Oct. 30, 2006) (citing Unt and explaining that “[u]nder the Privacy Act, records that are generated in response to a complaint are not records about the complainant but rather are considered records about the accused”); Nolan v. DOJ, No. 89-A-2035, 1991 WL 36547, at *10 (D. Colo. Mar. 18, 1991) (holding names of FBI special agents and other personnel are not requester’s “record” and therefore “outside the scope of the [Privacy Act]”), aff’d, 973 F.2d 843 (10th Cir. 1992); Blair v. U.S. Forest Serv., No. A85-039, slip op. at 4-5 (D. Alaska Sept. 24, 1985) (holding “Plan of Operation” form completed by plaintiff is not his “record” as it “reveals nothing about his personal affairs”), appeal dismissed, No. 85-4220 (9th Cir. Apr. 1, 1986); Windsor v. A Fed. Exec. Agency, 614 F. Supp. 1255, 1260-61 (M.D. Tenn. 1983) (noting that “record” includes only sensitive information about individual’s private affairs), aff’d, 767 F.2d 923 (6th Cir. 1985) (unpublished table decision) Cohen v. Labor, 3 Gov’t Disclosure Serv. (P-H) ¶ 83,157, at 83,791 (D. Mass. Mar. 21, 1983) (record includes only “personal” information); AFGE v. NASA, 482 F. Supp. 281, 282-83 (S.D. Tex. 1980) (determining that sign-in/sign-out sheet was not “record” because, it was not “in and of itself, reflective of some quality or characteristic of an individual”).
For a further illustration of conflicting views concerning the meaning of the term “record” in the context of individuals’ right to access their records under subsection (d)(1), compare Voelker v. IRS, 646 F.2d 332, 334 (8th Cir. 1981) (requiring agency to provide individual with access to his entire record, even though some information in that record “pertained” to a third party), with Sussman, 494 F.3d at 1121 n.9 (interpreting subsection (d)(1) “to give parties access only to their own records, not to all information pertaining to them that happens to be contained in a system of records”; “[f]or an assemblage of data to qualify as one of [plaintiff’s] records, it must not only contain his name or other identifying particulars but also be about him”). See also Aguirre v. SEC, 671 F. Supp. 2d 113, 121 (D.D.C. 2009), Nolan v. DOJ, No. 89-A-2035, 1991 WL 36547, at *3 (D. Colo. Mar. 18, 1991), aff’d, 973 F.2d 843 (10th Cir. 1992), and DePlanche v. Califano, 549 F. Supp. 685, 693-98 (W.D. Mich. 1982). These important cases are discussed further below under “Individual’s Right of Access.”
One district court, in a case concerning the Privacy Act’s subsection (b)(3) routine use exception, held that a plaintiff may choose which particular “item of information,” i.e., one document, contained within a “collection or grouping of information” to designate as a “record” and challenge as wrongfully disclosed. Covert v. Harrington, 667 F. Supp. 730, 736-37 (E.D. Wash. 1987), aff’d on other grounds, 876 F.2d 751 (9th Cir. 1989). Purporting to construe the term “record” narrowly, the district court in Covert ruled that the Department of Energy’s routine use permitting disclosure of relevant records where “a record” indicates a potential violation of law did not permit its Inspector General to disclose personnel security questionnaires to the Justice Department for prosecution because the questionnaires themselves did not reveal a potential violation of law on their face. 667 F. Supp. at 736-37. Covert is discussed further below under “Conditions of Disclosure to Third Parties,” “Agency Requirements,” and “Civil Remedies.”
Private notes are not “records,” but may become them once used to make a determination about an individual.
Purely private notes – such as personal memory refreshers – generally are found not to be subject to the Privacy Act because they are not “agency records.” Bowyer v. Air Force, 804 F.2d 428, 431 (7th Cir. 1986); see also Johnston v. Horne, 875 F.2d 1415, 1423 (9th Cir. 1989); Boyd, 709 F.2d at 686; Harmer v. Perry, No. 95-4197, 1998 WL 229637, at *3 (E.D. Pa. Apr. 28, 1998), aff’d, No. 98-1532 (3d Cir. Jan. 29, 1999); see also OMB 1975 Guidelines, 40 Fed. Reg. at 28,952, https://www.justice.gov/oip/page/file/1199421/download#page=10.
However, in Chapman v. NASA, 682 F.2d 526, 528-29 (5th Cir. 1982), the Court of Appeals for the Fifth Circuit, relying on the fair recordkeeping duties imposed by subsection (e)(5), ruled that private notes may “evanesce” into records subject to the Act when they are used to make a decision on the individual’s employment status well after the evaluation period for which they were compiled. See also Thompson v. Coast Guard, 547 F. Supp. 274, 283-84 (S.D. Fla. 1982) (holding timeliness requirement of subsection (e)(5) met where private notes upon which disciplinary action is based are placed in system of records “contemporaneously with or within a reasonable time after an adverse disciplinary action is proposed”); cf. Risch v. Henderson, 128 F. Supp. 2d 437, 441 (E.D. Mich. 1999) (stating that “another person’s witnessing of a personal note converts it to a Level 2 – Supervisor’s Personnel Record, and therefore it is properly maintained under the Privacy Act” in a system of records in accordance with the agency manual).
Publicly available information can be a “record.”
Publicly available information, such as newspaper clippings or press releases, can constitute a “record.” See Clarkson v. IRS, 678 F.2d 1368, 1372-73 (11th Cir. 1982) (permitting subsection (e)(7) First Amendment challenge to agency’s maintenance of newsletters and press releases); Krieger v. DOJ, 529 F. Supp. 2d 29, 51 (D.D.C. 2008) (permitting subsection (e)(7) challenge to agency’s maintenance of copies of plaintiff’s speech announcements and publicly filed court complaint); see also OMB Supplementary Guidance, 40 Fed. Reg. at 56,742, https://www.justice.gov/paoverview_omb-75-supp (“Collections of newspaper clippings or other published matter about an individual maintained other than in a conventional reference library would normally be a system of records.”); cf. Gerlich v. DOJ, 659 F. Supp. 2d 1, 12-16 (D.D.C. 2009) (concluding without discussing that “printouts” of “[i]nternet searches regarding [job] candidates’ political and ideological affiliations” constituted “records”), aff’d in part, rev’d in part & remanded, on other grounds, 711 F.3d 161 (D.C. Cir. 2013); Fisher, 934 F. Supp. at 469 (discussing difference between definition of “record” for purposes of FOIA and statutory definition under Privacy Act and rejecting argument, based on FOIA case law, that “library reference materials” are not covered by Privacy Act)., 934 F. Supp. at 469 (discussing difference between definition of “record” for purposes of FOIA and statutory definition under Privacy Act and rejecting argument, based on FOIA case law, that “library reference materials” are not covered by Privacy Act).
One court has held that grand jury materials are not “records.”
One court has relied on non-Privacy Act case law concerning grand jury records to hold that a grand jury transcript, “though in possession of the U.S. Attorney, is not a record of the Justice Department within the meaning of the Privacy Act.” Kotmair v. DOJ, No. S 94-721, slip op. at 1 (D. Md. July 12, 1994) (citing United States v. Penrod, 609 F.2d 1092, 1097 (4th Cir. 1979), for above proposition, but then confusingly not applying same theory to analysis of FOIA accessibility), aff’d, 42 F.3d 1386 (4th Cir. 1994) (unpublished table decision).
Agencies are not required to create “records.”
The Privacy Act – like the FOIA – does not require agencies to create records that do not exist. See DeBold v. Stimson, 735 F.2d 1037, 1041 (7th Cir. 1984); see also, e.g., Villanueva v. DOJ, 782 F.2d 528, 532 (5th Cir. 1986) (rejecting argument that the FBI was required to “find a way to provide a brief but intelligible explanation for its decision . . . without [revealing exempt information]”). But see May v. Air Force, 777 F.2d 1012, 1015-17 (5th Cir. 1985) (singularly ruling that “reasonable segregation requirement” obligates agency to create and release typewritten version of handwritten evaluation forms so as not to reveal identity of evaluator under exemption (k)(7)). For further analysis of this principle, see the “Individual’s Right of Access” section below.
E. 5 U.S.C. § 552a(a)(5) - System of Records
“[T]he term ‘system of records’ means a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5).
Comment:
To be a “system of records,” documents must be retrievable by, and agencies must actually retrieve them by, a personal identifier.
The statutory definition of a “system of records” requires that: (1) “there is an indexing or retrieval capability using identifying particulars built into the system”; and (2) the agency “does, in fact, retrieve records about individuals by reference to some personal identifier.” OMB 1975 Guidelines, 40 Fed. Reg. 28,948, 28,952 (July 9, 1975), https://www.justice.gov/paoverview_omb-75. The OMB 1975 Guidelines state that the “is retrieved by” criterion “implies that the grouping of records under the control of an agency is accessed by the agency by use of a personal identifier; not merely that a capability or potential for retrieval exists.” Id. (emphasis added).
By its very terms, the statute includes, as personal identifiers, items beyond the most commonly used name and social security number. As the Court of Appeals for the District of Columbia Circuit pointed out when considering a “photo file”:
Recall that a system of records is “a group of any records . . . from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(a)(5) (emphasis added). The term “record” includes “any item . . . about an individual . . . that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” Id. § 552a(a)(4) (emphasis added). Under the Act’s plain language, then, a “system of records” may be a group of any records retrieved by an identifying particular such as a photograph. In other words, the personal identifier may be the photograph itself.
Maydak v. United States, 363 F.3d 512, 519-20 (D.C. Cir. 2004) (remanding case to district court to determine whether prisons’ compilation of photographs constitutes system of records), on remand No. 1:97-cv-02199, slip op. at 2-4 (D.D.C. Mar. 30, 2006) (“Searching through a box or collection of unidentified photos with the hope of recognizing an inmate does not fit the definition because the photos are not ‘retrieved’ by any ‘assigned’ personal identifier.”), aff’d in part on other grounds, vacated in nonpertinent part, 630 F.3d 166, 179 (D.C. Cir. 2010) (electing to “simply assume, without deciding, that BOP’s review and retention of the duplicate photos constituted a ‘system of records’” and to “focus on whether Government officials acted intentionally or willfully to violate appellants’ rights under the Act”); see also Aguiar v. Recktenwald, No. 3:13-CV-2616, 2015 WL 4066703, at *2 (M.D. Pa. July 2, 2015) (finding Facebook account is not record under Privacy Act and that disclosure of account’s existence is information that is not maintained by BOP in its systems of records); 10 Ring Precision v. Jones, 722 F.3d 711, 725 (5th Cir. 2013) (finding that ATF’s “Firearms Tracing System is not a ‘system of records,’ because traces are conducted by entering an identifying characteristic of the firearm, not the individual, into ATF’s database”); Chambers vs. Interior, No. 05-0380, 2006 WL 8433911, at *4-5 (D.D.C. September 26, 2008) (finding performance evaluation at issue was retrievable by name which is linked directly to plaintiff but that genuine issue of fact existed whether supervisor’s hard copy “hot topics” file, electronic hard drive, or floppy disk was system of records, where defendant’s own witnesses provided conflicting evidence); but see Ingerman v. IRS, No. 89-5396, slip op. at 6 (D.N.J. Apr. 3, 1991) (“An individual’s social security number does not contain his name, identifying number, or other identifying particular. . . . [A] social security number is the individual’s identifying number, and therefore, it cannot qualify as a record under . . . the Privacy Act.”), aff’d, 953 F.2d 1380 (3d Cir. 1992) (unpublished table decision).
The Court of Appeals for the District of Columbia Circuit also concluded that to be a “system of records,” “it is not sufficient that an agency has the capability to retrieve information indexed under a person’s name, but the agency must in fact retrieve records in this way in order for a system of records to exist.” Henke v. Commerce, 83 F.3d 1453, 1460 n.12 (D.C. Cir. 1996); see also Elec. Privacy Info. Ctr. v. DHS, 653 F.3d 1, 8 (D.C. Cir. 2011) (“Even if . . . the [agency] has the ability to combine various sources of information and then to link names to the images produced using [advanced imaging technology], [the petitioners’] Privacy Act claim still fails because they offer no reason to believe the [agency] has in fact done that.” (citing Henke)); Chang v. Navy, 314 F. Supp. 2d 35, 41 (D.D.C. 2004) (“[A]n agency’s failure to acknowledge that it maintains a system of records will not protect the agency from statutory consequences if there is evidence that the agency in practice retrieves information about individuals by their names or personal identifiers. . . . [H]owever, mere retrievability – that is, the capability to retrieve – is not enough.”).
Generally, the “system of records” definition makes the method of retrieval of a record more important than the content of the record.
The highly technical “system of records” definition is perhaps the single most important Privacy Act concept, because (with some exceptions discussed below) it makes coverage under the Act dependent upon the method of retrieval of a record rather than its substantive content. See Baker v. Navy, 814 F.2d 1381, 1384 (9th Cir. 1987) (noting the “overwhelming support for using a record’s method of retrievability to determine the scope of accessibility”); see also Burton v. Wolf, 803 F. App’x 120, 122 (9th Cir. 2020) (concluding that records were not in a system of records under the Privacy Act because they were “retrievable only with the identifying information of his estranged wife in her A-File, not his own”); Kearns v. FAA, 312 F. Supp. 3d 97, 108 (D.D.C. 2018) (concluding that requested documents were not retrieved from system of records because they were not retrieved by plaintiff’s name or identifier but by the case number); Mulvey v. Hugler, No. 3:14-CV-01835, 2017 WL 1737851, at *7 (M.D. Tenn. May 4, 2017) (granting summary judgment because plaintiff failed to allege that email was retrieved from system of records and not simply reply which was copied to third person and because office email is not system of records); Lambert v. U.S., No. 3:15-CV-147, 2016 WL 632461, at *5 (E.D. Tenn. Feb. 17, 2016) (dismissing claim where no allegation was made that either ethics legal opinion or investigation files were actually retrieved by personal identifier); Barouch v. DOJ, No. 14-0552, 2015 WL 5544424, at *4-5 (D.D.C. Sept. 18, 2015) (finding audio recording located only in personal files of Special Agent was not contained in system of records); Corr v. Bureau of the Pub. Debt, 987 F. Supp. 2d 711, 720 (S.D.W. Va. 2013) (finding that “Administrative Inquiry File was retrievable only by the names of [p]laintiff’s supervisors” and not contained in system of records retrievable by plaintiff’s name); Mata v. McHugh, No. 10-CV-838, 2012 WL 2376285, at *6 (W.D. Tex. June 22, 2012) (finding that “[p]laintiff’s resume was retrieved by his job description, not his name, and is thus not a record in a system of records”); Krieger v. DOJ, 529 F. Supp. 2d 29, 44-46 (D.D.C. 2008) (“That several of the documents do not fit th[e] description [of label used to retrieve them] does not mean that [agency employee] has intentionally evaded the provisions of the Privacy Act,” because “agency finding that employee seeking to find records relating to [plaintiff] would have to individually review each document” is not “an ‘actual practice of retrieval by name’” and “[b]ecause the agency’s press releases are actually retrieved by date and not by individual identifier, they cannot be characterized as included within a system of records.” (quoting McCready v. Nicholson, infra)); Lee v. Geren, 480 F. Supp. 2d 198, 207 (D.D.C. Mar. 29, 2007) (citing Henke and finding that record was not maintained in system of records because record was retrieved by log number that was “unrelated to specific individuals”); Lee v. DOJ, No. 04-1013, 2007 WL 2852538, at *9-10 (W.D. Pa. Sept. 27, 2007) (concluding that plaintiff’s wrongful disclosure claim must fail because record at issue was “retrieved by the name of the fugitive,” not by plaintiff’s name); Artz v. United States, No. 3:05-CV-51, 2007 WL 1175512, at *5 (D.N.D. Apr. 20, 2007) (maintaining that although the report named plaintiffs, it was not contained in a “system of records” because it was retrieved by date, not by plaintiffs’ names); Smith v. Henderson, No. C-99-4665, 1999 WL 1029862, at *5 (N.D. Cal. Oct. 29, 1999) (applying Henke and finding that “locked drawer containing a file folder in which [were] kept . . . notes or various other pieces of paper relating to special circumstances hires” did not constitute system of records because agency “did not utilize the drawer to systematically file and retrieve information about individuals indexed by their names”), aff’d sub nom. Smith v. Potter, 17 F. App’x 731 (9th Cir. 2001); Crumpton v. United States, 843 F. Supp. 751, 755-56 (D.D.C. 1994) (maintaining that although records disclosed to press under FOIA contained information about plaintiff, they were not retrieved by her name and therefore Privacy Act did not apply), aff’d on other grounds sub nom. Crumpton v. Stone, 59 F.3d 1400 (D.C. Cir. 1995); Shannon v. Gen. Elec. Co., 812 F. Supp. 308, 321 (N.D.N.Y. 1993) (determining method of retrieval rather than substantive content controls determination of whether record is in system of records).
Indeed, a major criticism of the Privacy Act is that it can easily be circumvented by not filing records in name-retrieved formats. See Privacy Commission Report, at 503-04 n.7, https://www.justice.gov/paoverview_ppsc. Recognizing this potential for abuse, some courts have relaxed the “actual retrieval” standard in particular cases (examples in cases cited below). Moreover, certain subsections of the Privacy Act have been construed to apply even to records not incorporated into a “system of records.” See “Definition” of “5 U.S.C. § 552a(a)(5) - System of Records” analysis below.
The agency, rather than those outside the agency, must be in the practice of retrieving records by an identifying particular to meet the “system of records” definition.
Note also that the “practice of retrieval by name or other personal identifier must be an agency practice to create a system of records and not a ‘practice’ by those outside the agency.” McCready v. Nicholson, 465 F.3d 1, 13 (D.C. Cir. 2006) (holding that agency’s public website, which was not used by agency personnel to retrieve information by personal identifier, did not constitute a “system of records”). See also Yonemoto v. VA, No. 06-00378, 2007 WL 1310165, at *5-6 (D. Haw. May 2, 2007) (“[I]t was not the agency, but the public who caused [information contained in e-mails] to be retrieved. Just because an agency is capable of retrieving the information, and just because it does so to comply with a FOIA request, does not mean that the information is maintained in a Privacy Act ‘system of records.’”), appeal dismissed as moot, 305 F. App’x 333 (9th Cir. 2008); Freeman v. EPA, No. 02-0387, 2004 WL 2451409, at *11-12 (D.D.C. Oct. 25, 2004) (internal quotation marks omitted) (explaining that because agency’s search for records pursuant to FOIA request “will normally trigger a search beyond the narrow confines of a Privacy Act system of records,” it is not conclusive as to whether any responsive records would be “retrieved by [plaintiff’s] name or some other identifying particular assigned to the individual”).
Retrievability, alone, is not enough to be part of a “system of records.”
Courts have held that retrievability alone is insufficient to satisfy the system of records “retrieved by” requirement; the records must also be organized by personally identifying information. See In re 2122 21st Rd. N. Arlington, No. 1:17–CR–00236, 2018 WL 534161, at *4 (E.D. Va. Jan. 23, 2018) (reasoning that plaintiff failed to show that evidence seized during search conducted in criminal investigation constituted records “contained in a system of records” under Privacy Act); Lewis v. SSA, No. 9:14-CV-31, 2015 WL 9664967, at *5 (E.D. Tex. Dec. 7, 2015) (magistrate’s recommendation) (allowing case to proceed because pleadings did not rule out possibility that SSA had retrieved information by plaintiff’s name or by some identifying number, symbol, or other identifying particular), adopted, 2016 WL 81577 (E.D. Tex. Jan 06, 2016); Walia v. Holder, 59 F. Supp. 3d 492, 501-02 (E.D.N.Y. 2014) (finding disclosing agent acquired personal knowledge through contemporaneous conversations with plaintiff such that information did fall within exception from actual retrieval rule where personal knowledge of disclosed information was gained from investigation disclosing party initiated); Mobley v. CIA, 924 F. Supp. 2d 24, 56 (D.D.C. 2013) (“Since the WISE database is essentially a database of e-mail messages, some of which are messages containing ‘open source media articles,’ . . . it is logical that such messages would not be organized by the name or personal identifying information of individuals discussed in such articles, and [plaintiff] has offered no evidence to contradict this explanation”); York v. McHugh, 850 F. Supp. 2d 305, 306, 314-315 (D.D.C. 2012) (holding where agency stored electronic documents containing plaintiff’s medical information in “shared network drive” accessible to other employees, shared drive did not constitute system of records even though this method of storage “allowed [plaintiff] to discover the files by searching the shared . . . drive for [her name]”; “The fact that some documents were labeled with [plaintiff’s] name does not convert the shared . . . drive into a system of records, particularly where there is no evidence that the agency used the shared drive to retrieve the personal information by personal identifiers and the drive was not created for employees to do so.”); Krieger, 529 F. Supp. 2d at 42-44, 45-46 (finding that plaintiff “offers no facts suggesting that [emails] would have been indexed by name, or that an electronic folder existed that grouped emails related to him by name or other identifier” and noting that “a search function does not [make it] a system of records”); Chang, 314 F. Supp. 2d at 41 (applying Henke and stating that “[p]laintiff’s assertion that it is ‘technically possible’ to retrieve the [document] by searching for [plaintiff’s] name is insufficient to meet the requirement that the data was retrieved in such a manner”); Fisher v. NIH, 934 F. Supp. 464, 472-73 (D.D.C. 1996) (applying Henke and stating: “[T]he primary practice and policy of the agency [during the time of the alleged disclosures] was to index and retrieve the investigatory files by the name of the institution in which the alleged misconduct occurred, rather than by the name of the individual scientist accused of committing the misconduct. The fact that it was possible to use the plaintiff’s name to identify a file containing information about the plaintiff is irrelevant.”), summary affirmance granted, No. 96-5252, 1996 WL 734079 (D.C. Cir. Nov. 27, 1996); Beckette v. USPS, No. 88-802, slip op. at 19-22 (E.D. Va. July 3, 1989) (finding that even though the agency “could retrieve . . . records by way of an individual’s name or other personal identifier,” that fact “does not make those records a Privacy Act system of records. The relevant inquiry is whether the records or the information they contain are [in fact] retrieved by name or other personal identifier.”).
Indeed, the issue in Henke was whether or not computerized databases that contained information concerning technology grant proposals submitted by businesses constituted a “system of records” as to individuals listed as the “contact persons” for the grant applications, where the agency had acknowledged that “it could theoretically retrieve information by the name of the contact person.” Id. at 1457-58. The D.C. Circuit looked to Congress’s use of the words “is retrieved” in the statute’s definition of a system of records and focused on whether the agency “in practice” retrieved information. Id. at 1459-61. The court held that “in determining whether an agency maintains a system of records keyed to individuals, the court should view the entirety of the situation, including the agency’s function, the purpose for which the information was gathered, and the agency’s actual retrieval practice and policies.” Id. at 1461. Regarding the purpose for which the information was gathered, the court drew a distinction between information gathered for investigatory purposes and information gathered for administrative purposes. Id. at 1461. The court stated that where information is compiled about individuals “primarily for investigatory purposes, Privacy Act concerns are at their zenith, and if there is evidence of even a few retrievals of information keyed to individuals’ names, it may well be the case that the agency is maintaining a system of records.” Id. Applying this test, the D.C. Circuit determined that the agency did “not maintain a system of records keyed to individuals listed in the contact person fields of its databases” because the agency’s “purpose in requesting the name of a technical contact [was] essentially administrative and [was] not even necessary for the conduct of the [program’s] operations,” nor was there “any evidence that the names of contact persons [were] used regularly or even frequently to obtain information about those persons.” Id. at 1456, 1461-62.
Several courts have followed Henke insofar as it calls on them to “view the entirety of the situation, including the agency’s function, the purpose for which the information was gathered, and the agency’s actual retrieval practice and policies” in determining “whether an agency maintains a system of records keyed to individuals.” Id. at 1461. See Maydak, 363 F.3d at 520 (quoting Henke, remanding case to district court to determine whether prisons’ compilation of photographs constituted system of records, and instructing district court to “take into account ‘the entirety of the situation, including the agency’s function, the purpose for which the information was gathered, and the agency’s actual retrieval practices and policies’”); Pippinger v. Rubin, 129 F.3d 519, 526-27 (10th Cir. 1997) (finding approach in Henke “instructive” and holding that under “a properly ‘narrow’ construction of 5 U.S.C. § 552a(a)(5),” an IRS database containing an “abstraction” of information from two existing Privacy Act systems did not constitute new system of records because it could be “accessed only by the same users, and only for the same purposes, as those published in the Federal Register for the original ‘system[s] of records’”); Sussman v. Marshals Serv., 657 F. Supp. 2d 25, 27-28 (D.D.C. 2009) (“Given the function of the Marshals Service, Privacy Act concerns are at their zenith . . . [T]he Marshals Service’s declarations do not establish a record that sufficiently explains the purpose for which all of the information on Sussman was gathered, or its actual retrieval practice and policies for the information maintained in various locations on Sussman”), on remand from 494 F.3d 1106 (D.C. Cir. 2007); Koenig v. Navy, No. 05-35, 2005 WL 3560626, at *4 (S.D. Tex. Dec. 29, 2005) (“[A]lthough neither party presented any evidence regarding where or in what manner the request for medical leave was kept, common sense and experience in an office setting lead to the conclusion that the record was most likely either kept in a file with the plaintiff’s name on it, or entered into her leave record, which also would have been accessible by her name or social security number.”); Doe v. Veneman, 230 F. Supp. 2d 739, 752 (W.D. Tex. 2002) (quoting language from Henke regarding “even a few retrievals,” and determining that noninvestigatory information “f[e]ll within the ambit of the Privacy Act” where information could “be retrieved by personal identifiers” and information was maintained in “single data repository from which more than 200 different types of reports [we]re generated,” all from raw data entered into system), aff’d in pertinent part, rev’d & remanded on other grounds, 380 F.3d 807 (5th Cir. 2004); Walker v. Ashcroft, No. 99-2385, slip op. at 17-18 (D.D.C. Apr. 30, 2001) (alternative holding) (applying Henke and finding no evidence that FBI “independently collected, gathered or maintained” document containing plaintiff’s prescription drug information given to FBI by state investigator, or that FBI “could, in practice, actually retrieve the record by reference to [plaintiff’s] name”), summary affirmance granted on other grounds, No. 01-5222, 2002 U.S. App. LEXIS 2485 (D.C. Cir. Jan. 25, 2002); Alexander v. FBI, 193 F.R.D. 1, 6-8 (D.D.C. 2000) (applying Henke and finding that agency maintained system of records, considering “purpose for which the information was gathered and the ordinary retrieval practices and procedures”), mandamus denied per curiam sub nom. In re: Exec. Office of the President, 215 F.3d 20 (D.C. Cir. 2000); cf. Gerlich v. DOJ, 711 F.3d 161, 168 (D.C. Cir. 2013) (holding that because “[a]ppellants’ argument regarding the ‘functional’ incorporation of the [records] into the Department’s system of records appears only in a footnote to their opening brief” and appellant failed to make this argument in district court, appellants’ “functional” argument “that the lack of physical incorporation into a system of records is not dispositive of the question whether the record at issue were ‘functionally’ and thus legally, within an appropriate personnel records system” was not properly before circuit court), aff’d in part & rev’d in part, 659 F. Supp. 2d 1 (D.D.C. 2009). But see Williams v. VA, 104 F.3d 670, 676 (4th Cir. 1997) (finding “narrow Henke rationale – that since this document was not in practice actually retrieved ‘by the name of the individual or by some identifying number,’ 5 U.S.C. § 552a(a)(5), it cannot be a record within a ‘system of records’– unconvincing in these circumstances where there appears to exist already a formal system of records of which the [document] may be a part”).
1. Systems of Records and Disclosures under Subsection (b)
a. Retrieved from System of Records
A record is “disclosed” under the Privacy Act only if it is retrieved from a system of records.
Subsection 552a(b), discussed in detail below under “Conditions of Disclosure to Third Parties,” prohibits only the disclosure of records that are retrieved from a system of records. 5 U.S.C. § 552a(a)(5), (b); see also, e.g., Paige v. DEA, 665 F.3d 1355, 1359-61 (D.C. Cir. 2012) (concluding that disclosure of video excerpted from longer video did not violate Privacy Act because video was not retrievable by appellant’s name or other personal identifier at time it was created and, therefore, was not record contained in system of records; “disclosure of [excerpted video] was not prohibited simply because [it] subsequently became a ‘record which is contained in a system of records’); Doe v. VA, 519 F.3d 456 (8th Cir. 2008) (finding Congress intended to limit liability for disclosures to a record “contained in a system of records”); Harris v. Holder, 885 F. Supp. 2d 390, 401 (D.D.C. 2012) (finding plaintiff’s complaint failed to state how an offending record with respect to an investigation was “about” plaintiff or was retrieved by plaintiff’s name or other personal identifier); White v. Schafer, 738 F. Supp. 2d 1121, 1139-40 (D. Colo. 2010) (holding plaintiff, who claimed that agency disclosed investigatory report in violation of subsection (b), failed to present evidence that report “was maintained within and retrieved from a ‘system of records’”), aff’d, 435 F. App’x 764 (10th Cir. 2011); Bechhoefer v. DOJ, 179 F. Supp. 2d 93, 95-101 (W.D.N.Y. 2001) (finding that disclosed record “never became a part of a system of records” where DEA agent “stuck [record] in his desk drawer along with a number o[f] other miscellaneous documents, and later retrieved it from that drawer, from his own memory and personal knowledge of where he kept it”; and noting that plaintiff’s allegation that agent looked at plaintiff’s name on record to retrieve it from drawer “confuses retrieving a document with identifying the document”; “If one is looking for a letter from a particular person, one will probably look at the name on the letter in order to identify it as the letter being sought. If that letter is in a stack of unrelated, miscellaneous documents, however, it cannot be said to be contained within a group of records organized in such a fashion that information can be retrieved by an individual’s name.”), aff’d, 312 F.3d 563, 567-68 & n.1 (2d Cir. 2002) (concluding that an “assortment of papers excluded from the agency’s formal files because they are deemed not relevant to the agency’s mission and left in a desk drawer are not part of the agency’s system of records, to which the obligations of the Act apply” and accordingly, finding no need to consider agency’s further argument concerning single instance of retrieval by individual’s name); Barhorst v. Marsh, 765 F. Supp. 995, 999-1000 (E.D. Mo. 1991) (dismissing plaintiff’s claim under subsection (b) on alternative grounds because record was retrieved by job announcement number rather than individual’s name and “‘mere potential for retrieval’ by name or other identifier is insufficient to satisfy the ‘system of records’ requirement” (quoting Fagot v. FDIC, 584 F. Supp. 1168, 1175 (D.P.R. 1984), aff’d in part & rev’d in part, 760 F.2d 252 (1st Cir. 1985) (unpublished table decision)); cf. Corey v. McNamara, 265 F. App’x 555, 557 (9th Cir. 2008) (finding that appellant “offered no evidence to counter [agency’s] evidence that [appellant’s] documentation, the disclosure of which forms the basis of [his] federal action, is not part of the [agency’s] ‘system of records’”); Gadd v. United States, No. 4:08CV04229, 2010 WL 60953, at *11 (E.D. Ark. Jan. 5, 2010) (concluding that DEA did not disclose record within system of records because plaintiff, DEA employee, “was the source of the medical records in dispute” and did not allege or present evidence that DEA disclosed documents initially obtained from system of records), aff’d per curiam, 392 F. App’x 503 (8th Cir. 2010); Smith v. BOP, No. 05-1824, 2006 WL 950372, at *3 (D. Md. Apr. 11, 2006) (finding “no basis in the Privacy Act for the conclusion that the Act’s elaborate record-keeping and notice requirements apply” where plaintiff’s “single item of correspondence” was intercepted in conformity with BOP regulations). But see Wall v. IRS, No. 1:88-CV-1942, 1989 U.S. Dist. LEXIS 9427, at *4-7 (N.D. Ga. July 5, 1989) (explaining that because agency official retrieved applicant’s folder by name from file maintained under vacancy announcement number, records were kept within “system of records” and thus subsection (b) was applicable).
Similarly, the disclosure of information “acquired from non-record sources – such as observation, office emails, discussions with co-workers and the ‘rumor mill’– does not violate the Privacy Act ... even if the information disclosed is also contained in agency records.” Dick v. Holder, 67 F. Supp. 3d 167, 180 (D.D.C. 2014), citing Cloonan v. Holder, 768 F. Supp. 2d 154, 164 (D.D.C. 2011) (citations omitted); see also deLeon v. Wilkie, No. CV 19-1250, 2020 WL 210089, at *9 (D.D.C. Jan. 14, 2020) (concluding that because security officer “had personal knowledge of Plaintiff’s physical altercation . . . and would have known about any ensuing disciplinary action,” the disclosure of information did not violate the Privacy Act). Krieger v. DOJ, 529 F. Supp. 2d 29, 47 (D.D.C. 2008) (citations omitted) (finding that disclosure of information “derived solely from independent sources is not prohibited by the statute even though identical information may be contained in an agency system of records”).
Several courts have stated that the first element a plaintiff must prove in a wrongful disclosure suit is that the information disclosed is a record within a system of records. See Jacobs v. Nat’l Drug Intel. Ctr., 423 F.3d 512, 516 (5th Cir. 2005); Davis v. Runyon, No. 96-4400, 1998 WL 96558, at *4-5 (6th Cir. Feb. 23, 1998) (affirming district court’s dismissal of wrongful disclosure claim pursuant to the Privacy Act where appellant’s factual allegations failed to indicate whether “‘information’ was a ‘record’ contained in a ‘system of records,’” whether it was “disclos[ed] within the meaning of the Act,” whether disclosure had “adverse effect,” or whether disclosure was “willful or intentional”); Quinn v. Stone, 978 F.2d 126, 131 (3d Cir. 1992); Atkins v. Mabus, No. 12cv1390, 2013 WL 524061, at *2-3 (S.D. Cal. Feb. 11, 2013); York v. McHugh, 850 F. Supp. 2d 305, 312 (D.D.C. 2012) (concluding that files at issue were not contained in a system of records because system was “not set up for employees to retrieve records by use of personal identifiers” and plaintiff did not submit evidence to establish that “agency in practice retrieves information about individuals by their names or personal identifiers”) (internal citations omitted); Harris, 885 F. Supp. 2d at 400-01; Al-Dahir v. Hamlin, No. 10-2571, 2011 WL 1666894, at *4 (D. Kan. May 3, 2011); Cloonan v. Holder, 768 F. Supp. 2d 154, 163 (D.D.C. 2011); Feldman v. CIA, 797 F. Supp. 2d 29, 38 (D.D.C. 2011); Banks v. Butler, No. 5:08cv336, 2010 WL 4537902, at *6 (S.D. Miss. Sept. 23, 2010) (magistrate’s recommendation), adopted, 2010 WL 4537909 (S.D. Miss. Nov. 2, 2010); White v. Schafer, 738 F. Supp. 2d at 1139-40; Walker v. Gambrell, 647 F. Supp. 2d 529, 536 (D. Md. 2009); Doe v. Treasury, 706 F. Supp. 2d 1, 6 (D.D.C. 2009); Armstrong v. Geithner, 610 F. Supp. 2d 66, 70 (D.D.C. 2009), aff’d, 608 F.3d 854 (D.C. Cir. 2010); Shutte v. IRS, No. 08-CV-2013, 2008 WL 2114920, at *2 (N.D. Iowa May 19, 2008); Mittleman v. Treasury, 919 F. Supp. 461, 468 (D.D.C. 1995) (“Undisputed evidence of record reveals that only a statement of general provisions of law was made to [newspaper columnist], not disclosure of information retained in [agency’s] records on [plaintiff]” and, therefore, general disclosure provisions of Privacy Act were not implicated), aff’d in part & remanded in part, on other grounds, 104 F.3d 410 (D.C. Cir. 1997); Hass v. Air Force, 848 F. Supp. 926, 932 (D. Kan. 1994); Bernson v. ICC, 625 F. Supp. 10, 13 (D. Mass. 1984) (finding plaintiff’s complaint failed to present a proper Privacy Act claim because disclosed information came from plaintiff’s tax record, not agency record system). But cf. Doe v. USPS, 317 F.3d 339, 342-43 (D.C. Cir. 2003) (precluding summary judgement because appellant’s claim sufficiently alleged that his supervisor told co-workers of his HIV status after learning of status from appellant’s Privacy Act-protected Family and Medical Leave Act form even though “evidence of retrieval [wa]s purely circumstantial” and noting “plaintiffs can rarely produce direct evidence that the government has disclosed confidential information obtained from their private records, requiring such evidence would eviscerate the protections of the Privacy Act”).
The Court of Appeals for the First Circuit has gone so far as to hold that a complaint that fails to allege a disclosure from a system of records is facially deficient, and some district courts in other jurisdictions have taken the same approach. Beaulieu v. IRS, 865 F.2d 1351, 1352 (1st Cir. 1989); see also Cross v. Potter, No. 3:09-CV-1293, 2013 WL 1149525, at *10 (N.D.N.Y. Mar. 19, 2013); Zahedi v. DOJ, No. 10-694, 2011 WL 1872206, at *4 (D. Or. May 16, 2011); Del Fuoco v. O’Neill, No. 8:09-CV-1262, 2011 WL 601645, at *9-10 & n.13 (M.D. Fla. Feb. 11, 2011) (finding plaintiff’s complaint insufficient because he failed to properly allege his record was from system of records even though DOJ stamped the record as confidential which implied DOJ considered record protected by Privacy Act); Thomas v. USPS, No. 3:10-CV-1091, slip op. at 7-8 (N.D. Tex. Nov. 3, 2010); Mumme v. Labor, 150 F. Supp. 2d 162, 175 (D. Me. 2001), aff’d, No. 01-2256 (1st Cir. June 12, 2002).
However, other courts have not held pleadings in Privacy Act cases to the same strict standard. The D.C. Circuit, for example, concluded that a plaintiff need not identify the particular records that were improperly disclosed because the complaint properly put the government on notice and alleged the essential elements of his claim, by alleging that “records concerning [himself] were wrongfully disclosed.” Krieger v. Fadely, 211 F.3d 134, 136-37 (D.C. Cir. 2000) (“If his lawsuit went forward, there would come a time when [plaintiff] would have to identify the particular records [defendant] unlawfully disclosed. But that point surely was not as early as the pleading stage.”); see also Feldman, 797 F. Supp. 2d at 41 (explaining that circuit court case law did not require plaintiff to allege full details of disclosure at pleading stage, noting “in the typical case, a plaintiff can hardly be expected to know the full details behind an improper disclosure prior to discovery, since those details are most likely to be under the control of the defendant”); Tripp v. DOD, 193 F. Supp. 2d 229, 237 (D.D.C. 2002) (following Krieger and “the liberal pleading standard permitted by the Federal Rules of Civil Procedure”); Tripp v. DOD, 219 F. Supp. 2d 85, 89-91 (D.D.C. 2002) (considering complaint that alleged “specific defendant repeatedly released information about plaintiff to the press and public that is contained in a Privacy Act system of records, including but not limited to the contents of plaintiff’s security forms and other personnel files,” and following Krieger to hold that Rule 8 of the Federal Rules of Civil Procedure “does not require plaintiff to plead facts to further elaborate which records were released, by which DOD officials, to which members of the press or public, or on which specific dates”); Johnson v. Rinaldi, No. 1:99CV170, 2001 WL 677306, at *5-6 (M.D.N.C. Apr. 13, 2001) (stating that “Federal Rules of Civil Procedure require only that the complaint put Defendants on notice” and that plaintiff “need not use the exact words ‘record’ or ‘system of records’ or state facts sufficient to show that the documents in dispute meet those legal definitions”); cf. Wade v. Donahoe, Nos. 11-3795, 11-4584, 2012 WL 3844380, at *10 (E.D. Pa. Sept. 4, 2012) (finding that plaintiffs must identify Privacy Act provision agency violated in order to meet pleading requirements of Rule 8 of Federal Rules of Civil Procedure); Sterling v. United States, 798 F. Supp. 47, 49 (D.D.C. 1992) (“[P]laintiff is not barred from stating a claim for monetary damages [under (g)(1)(D)] merely because the record did not contain ‘personal information’ about him and was not retrieved through a search of indices bearing his name or other identifying characteristics.”), subsequent related opinion, Sterling v. United States, 826 F. Supp. 570, 571-72 (D.D.C. 1993), summary affirmance granted, No. 93-5264, 1994 WL 88894 (D.C. Cir. Mar. 11, 1994).
It is not enough, however, for a plaintiff claiming that an agency disclosed information in violation of subsection (b) to show that the information was contained in any system of records maintained by the agency. See Sussman v. Marshals Serv., 494 F.3d 1106, 1123 (D.C. Cir. 2007). Rather, the plaintiff “must show [that] the [agency] improperly disclosed materials located in records retrievable by [the plaintiff’s] name as opposed to someone else’s name.” Id. The plaintiff in Sussman alleged that the agency disclosed information about him in violation of subsection (b). The Marshals Service did “not deny[] the materials were in a system of records” but argued that “[t]he information was not maintained in a system of records retrievable by [the plaintiff’s] name, but by [another individual’s] name.” Id. Reasoning in part that it “must construe § 552a(g)(1)(D)’s waiver of sovereign immunity narrowly,” the D.C. Circuit held that “for his action to survive, [the plaintiff] must present evidence that materials from records about him, which the [agency] retrieved by his name, were improperly disclosed.” Id.
Courts have held that information taken from a record in a system of records remains protected, even if later incorporated into a record that is not maintained in a system of records.
Furthermore, information taken from a protected record in a system of records, but subsequently incorporated into a record that is not maintained in a system of records, can nonetheless itself be deemed a protected record. See e.g., Jacobs, 423 F.3d at 516-519 (ruling that disclosure of executive summary, which was not retrieved by plaintiff’s name but was created from information in system of records that was so retrieved, was from system of records); see also Bartel v. FAA, 725 F.2d 1403, 1407-09 (D.C. Cir. 1984) (finding that letters that communicated sensitive information contained in report of investigation, which was “a record” maintained in “a system of records,” triggered disclosure provisions of the Privacy Act even though letters were not themselves considered “records,” because “an absolute policy of limiting the Act’s coverage to information physically retrieved from a record would make little sense in terms of [Privacy Act’s] underlying purpose”); Chang v. Navy, 314 F. Supp. 2d 35, 41 (D.D.C. 2004) (maintaining that, although it was undisputed that documents at issue – press release and “information paper” containing details of plaintiff’s non-judicial punishment – were not retrieved from system of records, information from system of records had been disclosed because “underlying documents, from which the documents were compiled, were contained in a system of records”).
Similarly, the First Circuit held that “the unauthorized disclosure by one agency of protected information obtained from a record in another agency’s system is a prohibited disclosure under the Act, unless the disclosure falls within the statutory exceptions.” Orekoya v. Mooney, 330 F.3d 1, 6-7 (1st Cir. 2003), abrogated on other grounds, Doe v. Chao, 540 U.S. 614 (2004); Doe v. Treasury, 706 F. Supp. 2d at 6 (“[T]he Privacy Act only covers disclosures of information which was either directly or indirectly retrieved from a system of records.” (quoting Fisher v. NIH, 934 F. Supp. 464, 473 (D.D.C. 1996))). In Orekoya, the First Circuit, although ultimately affirming the district court on other grounds, disagreed with the district court’s determination that such a disclosure was not a violation of the Privacy Act and stated that the language of the Privacy Act “does not support the view that an agency may immunize itself from liability by obtaining information from a different agency’s system of records and then saying its further unauthorized disclosure is protected because its own system of records was not the original source.” Id.
b. Actual Retrieval
Generally, a “disclosure” requires that the record be actually retrieved from a system of records; a disclosure made on the basis of knowledge acquired independent of actual retrieval from an agency’s system of records is not enough, even when the information happens to be in a system of records.
Although subsection (b) “does not specifically require that the information disclosed be retrieved directly from” a record contained in a system of records, “courts generally apply some type of retrieval requirement to give effect to the meaning and purpose of the Privacy Act.” Doe v. VA, 519 F.3d at 464 (Hansen, J., concurring); see also, e.g., Armstrong v. Geithner, 608 F.3d 854, 857 (D.C. Cir. 2010) (“To be actionable . . . a disclosure generally must be the result of someone having actually retrieved the ‘record’ from th[e] ‘system of records’; the disclosure of information is not ordinarily a violation ‘merely because the information happens to be contained in the records.’” (quoting Bartel v. FAA, 725 F.2d at 1408))); Doe v. VA, 519 F.3d at 461 (“[T]he only disclosure actionable under section 552a(b) is one resulting from a retrieval of the information initially and directly from the record contained in the system of records.” (quoting Olberding v. DOD, 709 F.2d 621, 622 (8th Cir. 1983))); Cloonan, 768 F. Supp. 2d at 164 (“[D]efinition [of ‘system of records’] – which incorporates the requirement that information ‘is retrieved’ – has given rise to the so-called ‘retrieval rule’ under the Privacy Act”). Thus, it has frequently been held that subsection (b) is not violated when a disclosure is made on the basis of knowledge acquired independent of actual retrieval from an agency’s system of records (such as a disclosure purely from memory), regardless of whether the identical information also happens to be contained in the agency’s systems of records.
The leading case articulating the “actual retrieval” and “independent knowledge” concepts is Savarese v. HEW, 479 F. Supp. 304, 308 (N.D. Ga. 1979), aff’d, 620 F.2d 298 (5th Cir. 1980) (unpublished table decision), in which the court ruled that for a disclosure to be covered by subsection (b), “there must have initially been a retrieval from the system of records which was at some point a source of the information.” 479 F. Supp. at 308. In adopting this stringent “actual retrieval” test, the court in Savarese reasoned that a more relaxed rule could result in excessive governmental liability, or an unworkable requirement that agency employees “have a pansophic recall concerning every record within every system of records within the agency.” Id.
There are numerous subsection (b) cases that follow Savarese and apply the “actual retrieval” and “independent knowledge” concepts in varying factual situations. See, e.g., Doe v. VA, 519 F.3d at 460-63; Kline v. HHS, 927 F.2d 522, 524 (10th Cir. 1991); Manuel v. VA Hosp., 857 F.2d 1112, 1119-20 (6th Cir. 1988); Boyd v. Sec’y of the Navy, 709 F.2d 684, 687 (11th Cir. 1983) (per curiam); Thomas v. Energy, 719 F.2d 342, 344-46 (10th Cir. 1983); Doyle v. Behan, 670 F.2d 535, 538-39 & n.5 (5th Cir. 1982) (per curiam); Hanley v. DOJ, 623 F.2d 1138, 1139 (6th Cir. 1980) (per curiam); Marquez v. Johnson, No. 11-cv-545, 2012 WL 6618238, at *11 (D. Colo. Dec. 19, 2012), aff’d, 545 F. App’x 735 (10th Cir. 2013); deLeon v. Wilkie, No. 19-CV-1250, 2020 WL 210089, at *9 (D.D.C. Jan. 14, 2020) (finding that agency had not improperly disclosed records where plaintiff had not established that agency employee “retrieved any record” and employee who disclosed information “had personal knowledge” of plaintiff’s actions and “disclosure of information acquired from an independent source – including personal knowledge – does not violate the Act”); Minshew v. Donley, 911 F. Supp. 2d 1043, 1070-72 (D. Nev. 2012); Doe v. Treasury, 706 F. Supp. 2d at 9-11 (D.D.C. 2009); Tarullo v. Def. Contract Audit Agency, 600 F. Supp. 2d 352, 360-61 (D. Conn. 2009); Balbinot v. United States, 872 F. Supp. 546, 549-51 (C.D. Ill. 1994); Coakley v. DOT, No. 93-1420, 1994 WL 16953072, at *1 (D.D.C. Apr. 7, 1994); Olberding v. DOD, 564 F. Supp. 907, 913 (S.D. Iowa 1982), aff’d per curiam, 709 F.2d 621 (8th Cir. 1983); Gibbs v. Brady, 773 F. Supp. 454, 458 (D.D.C. 1991); McGregor v. Greer, 748 F. Supp. 881, 885-86 (D.D.C. 1990); Krowitz v. USDA, 641 F. Supp. 1536, 1545 (W.D. Mich. 1986), aff’d, 826 F.2d 1063 (6th Cir. 1987) (unpublished table decision); Howard v. Marsh, 654 F. Supp. 853, 855 (E.D. Mo. 1986); Johnson v. Air Force, 526 F. Supp. 679, 681 (W.D. Okla. 1980), aff’d, 703 F.2d 583 (Fed. Cir. 1981) (unpublished table decision); Jackson v. VA, 503 F. Supp. 653, 655-57 (N.D. Ill. 1980); King v. Califano, 471 F. Supp. 180, 181 (D.D.C. 1979); see also Armstrong, 608 F.3d at 858-60 (affirming district court finding that plaintiff failed to establish information disclosed was retrieved from record in system of records where agency employee disclosed information regarding investigation of plaintiff from independent sources – her own “‘observations and speculation’ or ‘those of others,’ or information ‘from the rumor mill’”); Reed v. Navy, 910 F. Supp. 2d. 32, 41 (D.D.C. 2012) (finding disclosures “were clearly derived from ‘records’” because defendant “did not personally witness any of the alleged incidents, nor did he disclose information gleaned from the ‘rumor mill’”; rather disclosures “were based on the report and other written documents that became part of the investigative case file”); Cloonan, 768 F. Supp. 2d at 169 (“[O]n its face, the language of the . . . letter is replete with references to ‘the record’ and ‘documentation’ from which a reasonable juror could conclude that the preparer of the document did in fact review, and is referring to, agency records.”); Finnerty v. USPS, No. 03-558, 2006 WL 54345, at *11-13 (D.N.J. Jan. 9, 2006) (“The fact that the memorandum documenting [a witness’] observations may have been simultaneously circulated to recipients and directed to a file and thereafter maintained as a ‘record’ in a ‘system of records’ does not change the fact that [the witness’] source of the information was his own observation, and not a retrieval of information from a system of records.”); Drapeau v. United States, No. Civ. 04-4091, 2006 WL 517646, at *6-7 (D.S.D. Mar. 1, 2006) (finding that disclosed information from agency employees regarding plaintiff’s dismissal for rules violation was not obtained from record in system of records but from employee who observed violation); Krieger v. Fadely, 199 F.R.D. 10, 13 (D.D.C. 2001) (ruling that discovery request seeking all communications that supervisor had with anyone, irrespective of relation between communication and Privacy Act-protected record, was overbroad, and stating that Privacy Act “does not create a monastic vow of silence which prohibits governmental employees from telling others what they saw and heard merely because what they saw or heard may also be the topic of a record in a protected file”); Fisher v. NIH, 934 F. Supp. 464, 473-74 (D.D.C. 1996) (holding that plaintiff failed to demonstrate that individuals who disclosed information learned it from investigatory file or through direct involvement in investigation), summary affirmance granted, No. 96-5252, 1996 WL 734079 (D.C. Cir. Nov. 27, 1996); Viotti v. Air Force, 902 F. Supp. 1331, 1338 (D. Colo. 1995) (“Section 552a(b) contemplates a ‘system of records’ as being the direct or indirect source of the information disclosed” and although agency employee admitted disclosure of information to press “based on personal knowledge,” plaintiff “was obligated to come forward with some evidence indicating the existence of a triable issue of fact as to the identity of the ‘indirect’ source”), aff’d, 153 F.3d 730 (10th Cir. 1998) (unpublished table decision); Mittleman, 919 F. Supp. at 469 (maintaining that although no evidence indicated that there had been disclosure of information about plaintiff, information at issue would not have been subject to restrictions of Privacy Act because “it was a belief . . . derived from conversations . . . and which was acquired independent from a system of records”); Stephens v. TVA, 754 F. Supp. 579, 582 (E.D. Tenn. 1990) (comparing Olberding and Jackson and noting “confusion in the law with respect to whether the Privacy Act bars the disclosure of personal information obtained indirectly as opposed to directly from a system of records”); cf. Rice v. United States, 166 F.3d 1088, 1092 n.4 (10th Cir. 1999) (noting that, in action for wrongful disclosure in violation of tax code, plaintiff had no Privacy Act claim for IRS’s disclosure in press releases because agency official procured disclosed information from review of indictment and attendance at plaintiff’s trial and sentencing); Feldman, 797 F. Supp. 2d at 41 (Feldman v. C.I.A., 797 F. Supp. 2d 29, 41 (D.D.C. 2011) (concluding that plaintiff’s motion was sufficient to survive motion to dismiss where it alleged that “person who fed the rumor mill the contents of a record that had been retrieved from a system of records may have violated the Privacy Act” (quoting Armstrong, 608 F.3d at 860)); Smith v. Henderson, No. C-96-4665, 1999 WL 1029862, at *6-7 (N.D. Cal. Oct. 29, 1999) (although finding no evidence of existence of written record retrieved from system of records, concluding that alleged disclosure was made from information “obtained independently of any system of records”), aff’d sub nom. Smith v. Potter, 17 F. App’x 731 (9th Cir. 2001).
In most courts, the “actual retrieval” requirement does not apply if the agency official disclosing the record also had a role in creating the record.
However, the Court of Appeals for the District of Columbia Circuit, in Bartel v. FAA, 725 F.2d 1403 (D.C. Cir. 1984), held that the “actual retrieval” standard is inapplicable where a disclosure is undertaken by agency personnel who had a role in creating the record that contains the released information. In other words, the “independent knowledge” defense is not available to agency personnel who were involved in creating the record. Id. at 1408-11. This particular aspect of Bartel has been noted with approval by several other courts. See Manuel, 857 F.2d at 1120 & n.1; Minshew, 911 F. Supp. 2d at 1072 (finding that “source of the disclosure was the record [that the supervisor] had a role in creating and maintaining, where there is no evidence presented that [supervisor] had independent knowledge”); Longtin v. DOJ, No. 06-1302, 2006 WL 2223999, at *3 (D.D.C. Aug. 3, 2006) (following Bartel and finding reasonable agency’s argument that requested disclosure of records concerning third-party criminal case would violate the Privacy Act by disclosing what was contained in a record that [official] had a primary role in creating ); Stokes v. SSA, 292 F. Supp. 2d 178, 181 (D. Me. 2003) (“[A]gency employees who . . . create or initiate records are not shielded from the Privacy Act merely because they do not have to consult or retrieve those records before disclosing the information that they contain.”); Pilon v. DOJ, 796 F. Supp. 7, 12 (D.D.C. 1992) (denying agency’s motion to dismiss, or alternatively, for summary judgment where information “obviously stem[med] from confidential Department documents and oral statements derived therefrom”); Kassel v. VA, 709 F. Supp. 1194, 1201 (D.N.H. 1989); cf. Walia v. Holder, 59 F. Supp. 3d 492, 503 (E.D.N.Y. 2014) (distinguishing Bartel where plaintiff could not “reasonably deny” that employee who disclosed information learned “from his personal experience and contemporaneous conversations with the Plaintiff and other agents” rather than from records in a system of records); Armstrong, 608 F.3d at 860 (explaining that “[t]he exception we suggested in Bartel does not extend to this case [in which employee who disclosed information] neither acquired the information . . . in any way related to a record, as an investigator might have done, nor used the record in her work for the agency”); Cloonan, 768 F. Supp. 2d at 156, 165-67 (holding that Bartel exception is “inapplicable” where plaintiff’s supervisor, who had been “involved in several interagency complaints and proceedings” with plaintiff, disclosed information critical of plaintiff’s performance because “[t]here is no evidence upon which the Court can conclude that any information [disclosed by supervisor] was learned by [supervisor] during the course of any investigation that he ordered, undertook or oversaw”); Doe v. Treasury, 706 F. Supp. 2d at 8-9 (declining to apply Bartel exception where IRS employee disclosed information about investigation, which he acquired from press release and from his own involvement in investigation, because he did not “institute” investigation, did not have a “primary role in creating and using” information, and did not acquire information from “record-related role”); Krieger v. DOJ, 529 F. Supp. 2d 29, 48 (D.D.C. 2008) (distinguishing Bartel, and finding no wrongful disclosures); Carlson v. GSA, No. 04-C-7937, 2006 WL 3409150, at *3-4 (N.D. Ill. Nov. 21, 2006) (finding that supervisor’s email detailing employee’s settlement of his wrongful termination claims was “‘communication’ of a protected ‘record’” even though supervisor, who conducted investigation that resulted in settlement, “compiled the email from his own memory”). But cf. Abernethy v. IRS, 909 F. Supp. 1562, 1570 (N.D. Ga. 1995) (holding that alleged statements made to other IRS employees that plaintiff was being investigated pertaining to allegations of EEO violations, assuming they were in fact made, did not violate Privacy Act “because the information allegedly disclosed was not actually retrieved from a system of records” even though individual alleged to have made such statements was same individual who ordered investigation), aff’d per curiam, No. 95-9489, 108 F.3d 343 (11th Cir. Feb. 13, 1997) (unpublished table decision).
The Court of Appeals for the Ninth Circuit followed the approach taken by the D.C. Circuit in Bartel, and also concluded that the “actual retrieval” standard is inapplicable where a disclosure is undertaken by agency personnel who had a role in creating the record that contains the released information. Wilborn v. HHS, 49 F.3d 597, 600-02 (9th Cir. 1995). Specifically, the court held that an Administrative Law Judge (“ALJ”) for the Department of Health and Human Services violated the Privacy Act when he stated in an opinion that one of the parties’ attorneys had been placed on a Performance Improvement Plan (“PIP”) while he was employed at HHS – despite the fact that there was no actual retrieval by the ALJ – because, as the creator of the PIP, the ALJ had personal knowledge of the matter. The Ninth Circuit noted the similarity of the facts to those of Bartel and held that “‘independent knowledge,’ gained by the creation of records, cannot be used to sidestep the Privacy Act.” Id. at 601. Additionally, it rejected the lower court’s reasoning that not only was there no retrieval, but there was no longer a record capable of being retrieved because as the result of a grievance action, all records relating to the PIP had been required to be expunged from the agency’s records and in fact were expunged by the ALJ himself. Id. at 601-02. The Ninth Circuit found the district court’s ruling “inconsistent with the spirit of the Privacy Act,” and stated that the “fact that the agency ordered expungement of all information relating to the PIP makes the ALJ’s disclosure, if anything, more rather than less objectionable.” Id. at 602.
The Court of Appeals for the Eighth Circuit, however, has twice taken a narrow view of the “actual retrieval” standard. In a per curiam decision in Olberding v. DOD, 709 F.2d 621 (8th Cir. 1983), the court ruled that information orally disclosed by a military psychiatrist to the plaintiff’s commanding general, revealing the results of the plaintiff’s examination – which had not yet been put in writing – was not retrieved from a “record.” Id. at 621 (adopting reasoning of trial court, which found that the conversation took place before the report was written, 564 F. Supp. 907, 910 (S.D. Iowa 1982)). Subsequently, in Doe v. VA, the court ruled that there was no actual retrieval from a record where a VA physician revealed an employee’s HIV status and marijuana use to a union representative because the physician recalled the information exclusively from discussions during employee’s medical appointments, not from any subsequent review of his medical notes. 519 F.3d at 459-62. Although the court purported to distinguish Bartel and Wilborn, id. at 462-63, Judge Hanson stated in his concurring opinion that were he not bound by Olberding, he would adopt a “scrivener’s exception” in order to “justify an exception to the general retrieval rule, particularly where ‘a mechanical application of the rule would thwart, rather than advance, the purpose of the Privacy Act.’” Id. at 464-65 (quoting Wilborn, 49 F.3d at 600).
2. Systems of Records and Access and Amendment under Subsections (d)(1) and (d)(2)
One of Congress’s underlying concerns in narrowly defining a “system of records” appears to have been efficiency – i.e., a concern that any broader definition would require elaborate cross-references among records and/or burdensome hand-searches for records. See OMB 1975 Guidelines, 40 Fed. Reg. at 28,957, https://www.justice.gov/paoverview_omb-75. As the Fifth Circuit has stated, the “system of records” requirement “reflects a statutory compromise between affording individuals access to those records relating directly to them and protecting federal agencies from the burdensome task of searching through agency records for mere mention of an individual’s name.” Bettersworth v. FDIC, 248 F.3d 386, 391 (5th Cir. 2001); see also Baker v. Navy, 814 F.2d 1381, 1385 (9th Cir. 1987); Carpenter v. IRS, 938 F. Supp. 521, 522-23 (S.D. Ind. 1996).
If a record is not retrieved by a personal identifier, it is not part of a “system of records” and the Privacy Act’s access and amendment provisions generally do not apply.
Consistent with OMB’s guidance, numerous courts have held that, under subsection (d)(1), an individual has no Privacy Act right of access to his record if it is not retrieved by his name or personal identifier. See Mobley v. CIA, 806 F.3d 568, 587 (D.C. Cir. 2015) (concluding plaintiff was not entitled to documents where agency official claimed that it did not organize records “by individuals who may be mentioned in those records,” or “retrieve records about individuals from that database by use of an individual’s name or personal identifier as a matter of practice.”); Bettersworth v. FDIC, 248 F.3d at 391-92; Gowan v. Air Force, 148 F.3d 1182, 1191 (10th Cir. 1998); Williams v. VA, 104 F.3d 670, 673 (4th Cir. 1997); Henke, 83 F.3d at 1458-62 (D.C. Cir. 1996); Manuel v. VA Hosp., 857 F.2d 1112, 1116-17 (6th Cir. 1988); Baker, 814 F.2d at 1383-84; Cuccaro v. Sec’y of Labor, 770 F.2d 355, 360-61 (3d Cir. 1985); Wren v. Heckler, 744 F.2d 86, 89 (10th Cir. 1984); Greenlaw v. Scalia, No. 18-CV-04932, 2020 WL 4001461, at *5 (N.D. Cal. July 15, 2020); Kearns v. FAA, 312 F. Supp. 3d 97, 108 (D.D.C. 2018); Corr v. Bureau of the Pub. Debt, 987 F. Supp. 2d 711, 720 (S.D. W.Va. 2013); Augustus v. McHugh, 825 F. Supp. 2d 245, 256-57 (D.D.C. 2011); Jackson v. Shinseki, No. 10-cv-02596, 2011 WL 3568025, at *6 (D. Colo. Aug. 9, 2011), aff’d, 526 F. App’x 814 (10th Cir. 2013); McCready v. Principi, 297 F. Supp. 2d 178, 188 (D.D.C. 2003), rev’d in part on other grounds sub nom. McCready, 465 F.3d at 1; Springmann v. State, No. 93-1238, slip op. at 9 n.2 (D.D.C. Apr. 21, 1997); Fuller v. IRS, No. 96-888, 1997 WL 191034, at *3-5 (W.D. Pa. Mar. 4, 1997); Carpenter, 938 F. Supp. at 522-23; Quinn v. HHS, 838 F. Supp. 70, 76 (W.D.N.Y. 1993); Shewchun v. Customs Serv., No. 87-2967, 1989 WL 7351, at *2 (D.D.C. Jan. 11, 1989); Bryant v. Air Force, No. 85-4096, slip op. at 4 (D.D.C. Mar. 31, 1986); Fagot v. FDIC, 584 F. Supp. 1168, 1174-75 (D.P.R. 1984), aff’d in part & rev’d in part, 760 F.2d 252 (1st Cir. 1985) (unpublished table decision); Grachow v. Customs Serv., 504 F. Supp. 632, 634-36 (D.D.C. 1980); Smiertka v. Treasury, 447 F. Supp. 221, 228 (D.D.C. 1978), remanded on other grounds, 604 F.2d 698 (D.C. Cir. 1979); see also OMB 1975 Guidelines, 40 Fed. Reg. at 28,957 (giving examples), https://www.justice.gov/paoverview_omb-75.
Likewise, with regard to amendment under subsection (d)(2), several courts have ruled that where an individual’s record is being maintained allegedly in violation of subsection (e)(1) or (e)(5), the individual has no Privacy Act right to amend his record under subsection (d)(2), if it is not retrieved by his name or personal identifier. See, e.g., Baker, 814 F.2d at 1384-85 (“the scope of accessibility and the scope of amendment are coextensive”); Clarkson v. IRS, 678 F.2d 1368, 1376-77 (11th Cir. 1982) (maintaining that although subsections (e)(1) and (e)(5) apply only to records contained in a system of records, “find[ing] it both necessary and appropriate to construe the plain meaning of the language of subsections (d)(2) and (d)(3) to authorize the amendment or expungement of all records which are maintained in violation of subsection (e)(7)”); Seldowitz v. OIG of State, No. 99-1031, slip op. at 19-23 (E.D. Va. June 21, 2002), aff’d per curiam, 95 F. App’x 465 (4th Cir. 2004); Pototsky v. Navy, 717 F. Supp. 20, 22 (D. Mass. 1989) (following Baker), aff’d per curiam, 907 F.2d 142 (1st Cir. 1990) (unpublished table decision).
The D.C. Circuit, however, has recognized that “[t]he Privacy Act also offers relief for some claims based on the government’s information that is not ‘within a system of records,’” including “misstatements contained in a disparaging Inspector General’s report and associated agency documents” and “when an ‘adverse determination is made’ by the agency that maintained the flawed record or by an outside actor.” Liff v. OIG for Labor, 881 F.3d 912, 923 (D.C. Cir. 2018) (quoting McCready v. Nicholson, supra); see also Gerlich v. DOJ, 711 F.3d 161, 169 (D.C. Cir. 2013) (noting that “[t]he obligations the Privacy Act established in subsection (e)(5) . . . apply even when the agency does not maintain the records at issue in its system of records”); McCready, 465 F.3d at 10-12 (holding that subsection (g)(1)(C), the civil remedy provision for violations of subsection (e)(5), “applies to any record, and not [just] any record within a system of records” (internal quotation marks omitted)), discussed, below, under “Protections for Records not within a System of Records.”
With regards to the Privacy Act’s access and amendment provisions, courts have generally not permitted agencies to purposefully file records in an effort to evade retrieving by individual identifier.
However, with respect to access under subsection (d)(1), and amendment under subsection (d)(2), some courts have cautioned that an agency’s purposeful filing of records in a non-name-retrieved format, in order to evade those provisions, will not be permitted. See, e.g., Pototsky v. Navy, No. 89-1891, slip op. at 2 (1st Cir. Apr. 3, 1990) (per curiam); Manuel, 857 F.2d at 1120 (“The Court does not want to give a signal to federal agencies that they should evade their responsibility to place records within their ‘system of records’ in violation of the [Act].”); Baker, 814 F.2d at 1385; Kalmin v. Navy, 605 F. Supp. 1492, 1495 n.5 (D.D.C. 1985).
Several, but not all, courts have required agencies to keep adverse action records in a system of records, and therefore subject to the Privacy Act’s access and amendment provisions.
Following the rationale of the Fifth Circuit in Chapman v. NASA, 682 F.2d 526, 529 (5th Cir. 1982), several courts have recognized a subsection (e)(5) duty to incorporate records into a system of records – thus making them subject to access and amendment – where such records are used by the agency in taking an adverse action against the individual. See MacDonald v. VA, No. 87-544-CIV-T-15A, slip op. at 2-5 (M.D. Fla. Feb. 8, 1988); Lawrence v. Dole, No. 83-2876, slip op. at 5-6 (D.D.C. Dec. 12, 1985); Waldrop v. Air Force, 3 Gov’t Disclosure Serv. (P-H) ¶ 83,016, at 83,453 (S.D. Ill. Aug. 5, 1981); Nelson v. EEOC, No. 83-C-983, slip op. at 6-11 (E.D. Wis. Feb. 14, 1984); cf. Manuel, 857 F.2d at 1117-19 (asserting that there is no duty to place records within system of records where records “are not part of an official agency investigation into activities of the individual requesting the records, and where the records requested do not have an adverse effect on the individual”).
The D.C. Circuit, however, interpreted the rule differently in an unusual situation, i.e., where the agency’s regulations exempted such documents from its records. See Horowitz v. Peace Corps, 428 F.3d. 271, 280-81 (D.C. Cir. 2005). In Horowitz, the court denied the plaintiff access to a draft Administrative Separation Report (“ASR”) that was not in a “system of records” where the “Peace Corps’s regulations dictate that an ASR should not be maintained in the agency’s records if a volunteer resigns prior to an official decision to administratively separate him.” Because “the Peace Corps’s manual states that an ASR should not even be completed if a volunteer resigns before such a decision is made” and plaintiff “resigned before any final decision was made, the report was never completed and pursuant to the procedure specified by the manual was not maintained in the Peace Corps’s official files.” In addition, the court held that the plaintiff had not shown that the agency “nevertheless placed the draft ASR in a ‘system of records’” because the draft ASR was stored in Peace Corps’s Country Director’s safe and plaintiff “has not shown that files in the safe are, in practice, retrieved by individuals’ names.” See also Gowan v. Air Force, No. 90-94, slip op. at 7, 11, 13, 16, 30, 33 (D.N.M. Sept. 1, 1995) (finding access claim moot, “personal notes and legal research” in file “marked ‘Ethics’” that were originally kept in desk of Deputy Staff Judge Advocate but that was later given to Criminal Military Justice Section and used in connection with court martial hearing were not in system of records for purposes of either Privacy Act access or accuracy lawsuit for damages), aff’d, 148 F.3d 1182, 1191 (10th Cir. 1998) (concluding that “the word ‘Ethics’ was not a personal identifier” and stating that it did “not find the district court’s rulings regarding those documents to be clearly erroneous”).
3. Protections for Records Not Within a System of Records
The “system of records” threshold requirement is not a requirement for the application of all subsections of the Act. See OMB 1975 Guidelines, 40 Fed. Reg. at 28,952, https://www.justice.gov/paoverview_omb-75 (system of records definition “limits the applicability of some of the provisions of the Act”) (emphasis added). But see Privacy Commission Report, at 503-04, https://www.justice.gov/paoverview_ppsc (assuming that definition limits entire Act); cf. Henke v. Commerce, 83 F.3d 1453, 1459 (D.C. Cir. 1996) (“[T]he determination that a system of records exists triggers virtually all of the other substantive provisions of the Privacy Act.”); McCready v. Principi, 297 F. Supp. 2d 178, 185 (D.D.C. 2003) (“For almost all circumstances, the Act extends only to those records that are in a ‘system of records’ which is a specific term of art.”), aff’d in part & rev’d in part sub nom. McCready v. Nicholson, 465 F.3d 1 (D.C. Cir. 2006)., 465 F.3d 1 (D.C. Cir. 2006).
Records describing how individuals exercise First Amendment rights are protected under the Privacy Act, even if not maintained in a system of records.
Importantly, the D.C. Circuit has held that subsection (e)(7) – which restricts agencies from maintaining records describing how an individual exercises his First Amendment rights – applies even to records not incorporated into a system of records. Albright v. United States, 631 F.2d 915, 918-20 (D.C. Cir. 1980). Albright involved a challenge on subsection (e)(7) grounds to an agency’s maintenance of a videotape – kept in a file cabinet in an envelope that was not labeled by any individual’s name – of a meeting between a personnel officer and agency employees affected by the officer’s job reclassification decision. Id. at 918. Relying on both the broad definition of “maintain,” 5 U.S.C. § 552a(a)(3), and the “special and sensitive treatment accorded First Amendment rights,” the D.C. Circuit held that the mere collection of a record regarding those rights could be a violation of subsection (e)(7), regardless of whether the record was contained in a system of records retrieved by an individual’s name or personal identifier. Id. at 919-20; see also Maydak v. United States, 363 F.3d 512, 516, 518-19 (D.C. Cir. 2004) (reaffirming holding in Albright).
Albright’s broad construction of subsection (e)(7) has been adopted by several other courts. See MacPherson v. IRS, 803 F.2d 479, 481 (9th Cir. 1986); Boyd v. Sec’y of Navy, 709 F.2d 684, 687 (11th Cir. 1983); Clarkson v. IRS, 678 F.2d 1373, 1373-77 (11th Cir. 1982); Gerlich v. DOJ, 659 F. Supp. 2d 1, 13-15 (D.D.C. 2009), aff’d in part, rev’d in part & remanded, on other grounds, 711 F.3d 161 (D.C. Cir. 2013); Fagot v. FDIC, 584 F. Supp. 1168, 1175 (D.P.R. 1984). Further, the Court of Appeals for the Eleventh Circuit in Clarkson, held that, at least with respect to alleged violations of subsection (e)(7), the Act’s amendment provision (subsection (d)(2)) also can apply to a record not incorporated into a system of records. Clarkson, 678 F.2d at 1375-77. However, Judge Tjoflat’s concurring opinion in Clarkson intimated that something more than a bare allegation of a subsection (e)(7) violation would be necessary in order for an agency to be obligated to search beyond its systems of records for potentially offensive materials. Id. at 1378-79.
The D.C. Circuit also held that the “system of records” requirement does not apply in subsection (g)(1)(C) lawsuits challenging the accuracy of records.
In McCready v. Nicholson, 465 F.3d 1, 10-12 (D.C. Cir. 2006), the D.C. Circuit went even further and held that the terms of subsection (g)(1)(C) – the judicial remedy provision for subsection (e)(5) violations – “[do] not incorporate or otherwise refer to the Act’s definition of a ‘system of records’ found in § 552a(a)(5).” The D.C. Circuit stated that the “distinction between a claim that requires a system of records and a claim under § 552a(g)(1)(C) that does not require a system of records makes perfect sense.” Id. Unlike other types of Privacy Act claims, which are shielded by the system of records definition in order to avoid “costly fishing expeditions,” the D.C. Circuit reasoned, subsection (g)(1)(C) claims do not implicate “[t]his legitimate concern with preserving an agency’s resources” because “an individual and an agency already have identified the record at issue, that record is therefore easily retrieved, and the only issue is the accuracy of the record.” Id. See also Gerlich, 659 F. Supp. 2d at 15-16 (relying on McCready v. Nicholson to conclude that the system of records requirement did not apply to plaintiffs’ claim under subsections (e)(5) and (g)(1)(C)), aff’d in part, rev’d in part & remanded, on other grounds, 711 F.3d 161 (D.C. Cir. 2013).
Courts have varied on the extent to which they would extend coverage of other Privacy Act provisions to records that are not maintained in a system of records.
Some district courts have similarly extended the coverage of other Privacy Act provisions to records that are not maintained in a system of records. See Connelly v. Comptroller of the Currency, 673 F. Supp. 1419, 1424 (S.D. Tex. 1987) (construing “any record” language contained in 5 U.S.C. § 552a(g)(1)(C) to permit a damages action arising from an allegedly inaccurate record that was not incorporated into a system of records), rev’d on other grounds, 876 F.2d 1209 (5th Cir. 1989); Reuber v. United States, No. 81-1857, slip op. at 5 (D.D.C. Oct. 27, 1982) (relying on Albright for proposition that subsections (d)(2), (e)(1)-(2), (e)(5)-(7), and (e)(10) all apply to a record not incorporated into a system of records), partial summary judgment denied (D.D.C. Aug. 15, 1983), partial summary judgment granted (D.D.C. Apr. 13, 1984), subsequent decision (D.D.C. Sept. 6, 1984), aff’d on other grounds, 829 F.2d 133 (D.C. Cir. 1987); cf. Fiorella v. HEW, 2 Gov’t Disclosure Serv. (P-H) ¶ 81,363, at 81,946 n.1 (W.D. Wash. Mar. 9, 1981) (noting that subsections (e)(5) and (e)(7) “are parallel in structure and would seem to require the same statutory construction”).
However, the D.C. Circuit has declined to extend the holding in Albright to certain other subsections of § 552a(e). See Maydak v. United States, 363 F.3d 512, 517-19 (D.C. Cir. 2004). In Maydak, the Court of Appeals held that in accordance with OMB guidelines and regulations, the requirements contained in subsections (e)(1), (2), (3), and (10) are “triggered only if the records are actually incorporated into a system of records.” Id. The D.C. Circuit explained that it reached a different conclusion as to subsection (e)(7) in Albright because of “Congress’[s] own special concern for the protection of First Amendment rights.” Id. at 518 (quoting Albright, 631 F.2d at 919). The court stated that “at least in comparison to the other subsections at issue, subsection 552a(e)(7) proves the exception rather than the rule.” Id. at 519. See also Augustus v. McHugh, 825 F. Supp. 2d 245, 257-260 (D.D.C. 2011) (rejecting claims alleging violations of subsections (e)(2), (e)(4), and (e)(10), and Army regulations implementing (e)(3), because plaintiff failed to show that records at issue were contained in system of records); Gerlich, 659 F. Supp. 2d at 16 (“[S]ubsections (e)(1), (e)(2), (e)(6), (e)(9), and (e)(10) . . . only apply to records that are contained within a ‘system of records.’”), aff’d in part, rev’d in part & remanded, on other grounds, 711 F.3d 161 (D.C. Cir. 2013); Krieger v. DOJ, 529 F. Supp. 2d 29, 50-56 (D.D.C. 2008) (finding that subsections (e)(1), (4), (6), (9), and (10) apply only to records contained in a system of records); cf. Thompson v. State, No. 03-2227, 400 F. Supp. 1, 12 (D.D.C. 2005) (following Maydak and observing that “[i]t is not at all clear that subsection (e)(2) applies where the requested information never becomes part of [the] system”), aff’d, 210 F. App’x 5 (D.C. Cir. 2006).
Other courts have also declined to follow the D.C. Circuit’s Albright decision and have limited the applicability of the Privacy Act requirements that are contained in subsections other than (e)(7) to records that are maintained in a system of records. See, e.g., Gowan v. Air Force, 148 F.3d 1182, 1192 (10th Cir. 1998) (holding that appellant “ha[d] no § 552a(e)(5) cause of action” for maintenance of report that was not maintained in system of records); Clarkson, 678 F.2d at 1377 (declining to extend Albright rationale to subsections (e)(1) and (e)(5)); Bettersworth v. FDIC, No. A-97-CA-624, slip op. at 10 (W.D. Tex. Feb. 1, 2000) (magistrate’s recommendation) (recognizing holding in Connelly, but noting that both subsections (d)(1) and (g)(1)(C) contain same “system of records” language, and stating that court is “unpersuaded that Congress intended any other meaning than what has previously been applied”), adopted, (W.D. Tex. Feb. 17, 2000), aff’d on other grounds, 248 F.3d 386 (5th Cir. 2001); Felsen v. HHS, No. CCB-95-975, slip op. at 61-62, 65 (D. Md. Sept. 30, 1998) (granting defendants summary judgment on alternative ground that subsection (e)(2) is inapplicable to records not included in system of records); Barhorst v. Marsh, 765 F. Supp. 995, 999-1000 (E.D. Mo. 1991) (dismissing, on alternative grounds, Privacy Act claims under subsections (b), (e)(1)-(3), (e)(5)-(6), and (e)(10) because of finding that information was not in system of records; information was retrieved by job announcement number, not by name or other identifying particular).
Albright and its progeny establish that the “system of records” limitation on the scope of the Privacy Act is not uniformly applicable to all of the Act’s subsections. As is apparent from the above discussion, there has been some uncertainty about which particular subsections of the statute are limited to records contained in a “system of records.”
Next Section: Conditions of Disclosure to Third Parties