The Privacy Act of 1974 — PII and System of Records
Privacy Act Foundation
Privacy Act 1974
The Privacy Act of 1974 (as amended, 5 U.S.C. 552a) establishes a code of fair information practices that governs the:
- Collection of personal information
- Maintenance of personal information
- Use of personal information
- Dissemination of personal information
…about individuals, where that information is maintained in a system of records by a federal agency.
Individual Rights
The Privacy Act provides individuals with a means by which to:
- Seek access to their records
- Amend their records
…and sets forth agency record-keeping requirements.
Disclosure of Information
Disclosure Foundation
Privacy Act rights are personal to the individual who is the subject of the record and CANNOT be asserted derivatively by others.
Disclosure Prohibition
The Privacy Act PROHIBITS the disclosure of information from a system of records WITHOUT the prior written consent of the subject individual, unless the disclosure falls under one of the Act's statutory exceptions (for example, an intra-agency "official need to know" or a "routine use" published in the system's SORN).
Right to Access/Amend
Individuals have the right to request access to, or amendment of, their own records in a system of records.
Acting on Behalf
The parent of a minor, or the legal guardian of an individual who has been declared legally incompetent, may act on behalf of that individual.
Collection of Information
Collection Limit
The Privacy Act limits the collection of information to what is relevant and necessary to accomplish a purpose of the agency that is required by statute or by executive order.
SORN Publication
System of Records Notices (SORNs) must be published in the Federal Register, allowing the public a 30-day comment period before the system (or a new routine use) takes effect.
First Amendment Restriction
First Amendment
Such collection must NOT conflict with the rights guaranteed by the First Amendment to the U.S. Constitution: an agency may not maintain records describing how an individual exercises First Amendment rights unless a statute expressly authorizes it, the individual authorizes it, or the record is pertinent to an authorized law enforcement activity.
Privacy Act Statement
A Privacy Act statement must be given, on the form or otherwise, whenever individuals are asked to provide personal information about themselves for collection in a system of records. The statement tells the individual the authority for the collection, the principal purpose(s), the routine uses to which the information may be put, and whether providing the information is mandatory or voluntary and the effect of not providing it.
System of Records Maintenance
SOR Definition
A Privacy Act system of records is a group of any records under the control of any agency from which information is actually retrieved by:
- The individual's name
- An identifying number (for example, a Social Security number)
- Or some other unique identifying symbol or particular assigned to the individual
The retrieval method is the test: a file that merely contains personal information, but is not retrieved by an individual identifier, is not a system of records under the Act.
When Disclosure Permitted
Without the subject's consent, Department of Defense personnel may disclose records only:
- To other offices in the Department of Defense whose personnel have "an official need to know" the information to perform their duties
- To other federal agencies or to individuals when the disclosure is a "routine use" published in the system's SORN
- To others as authorized by one of the Privacy Act's statutory exceptions
Subject Consent Disclosure
With the subject's written consent, information may be released for the specific purpose stated in that consent and to the recipient named in it, and for no other purpose.
Office of Primary Responsibility
OPR Tracking
The office of primary responsibility (OPR) for the data must keep an accounting of every disclosure it makes outside the agency: the date, the nature and purpose of the disclosure, and the name and address of the recipient. This accounting supports the individual's right to learn who has received their records.
Personally Identifiable Information
PII Foundation
Personally identifiable information in a system of records must be safeguarded to:
- Ensure that only personnel with "an official need to know" can access the records
- Avoid actions that could result in substantial harm, embarrassment, inconvenience, or unfairness to the individual
PII Breach Definition
The Office of Management and Budget defines a personally identifiable information breach as:
- A loss of control
- Compromise
- Unauthorized disclosure
- Unauthorized acquisition
- Unauthorized access
…or any similar term referring to a situation in which a person other than an authorized user, or an authorized user acting for an other-than-authorized purpose, has access or potential access to personally identifiable information, whether in physical or electronic form. Note that potential access counts: a lost unencrypted laptop or a misaddressed email is a breach even if no misuse is ever confirmed.
PII Reference
AFI 33-332 Reference
For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332.