Reconciling FOIA and the Privacy Act

When you request records about yourself from the Federal government, agencies apply both the Freedom of Information Act (FOIA) and the Privacy Act of 1974 (Privacy Act) to grant the most access possible.

FOIA and the Privacy Act have different purposes. FOIA provides the public with a right of access to government records, while the Privacy Act was created to protect information about individuals from release to others while allowing them to access it. OGIS has written about the basic differences between the two laws before, and on October 24, 2012, we partnered with the Justice Department’s Office of Information Policy for our quarterly Requester Roundtable to tackle this topic in person.

About 20 requesters and agency FOIA and Privacy Act professionals covered many of the technical provisions of the laws and posed some helpful questions—and answers.

Q:  How do you request your own records under the Privacy Act?

  • You do not need to cite the name of the law in your request. When you request records about yourself, the agency will automatically process the request using both FOIA and the Privacy Act.
  • You must validate your identity by using a certification of identity, or other such form, that you sign under penalty of perjury verifying that you are who you say you are. This DOJ form is a good example. Other departments and agencies have different forms for this purpose and you should check agency FOIA websites for the proper form to use.
  • After a review for withheld material, the records will be released to you (or to a designee) and are not considered a release to the public. With FOIA, a release to one is a release to all. With the Privacy Act, a release is intended only for the individual requester.

Q:  We know that FOIA applies to all agency records, which is just about anything that an agency maintains, but what is covered by the Privacy Act?

  • Only Federal agencies are subject to the Privacy Act; state and local governments are not.
  • Only records of U.S. citizens or Lawful Permanent Residents are covered; corporations, associations and foreign nationals are excluded.
  • Records must be about an individual and contained in a location (or “system” in Privacy Act terms) where they can be retrieved by a name or identifier (such as a case number).
  • The record must actually be retrieved by that name or identifier in its system of records. This becomes important in the digital age now that records are not necessarily kept in physical paper files. If a record is electronically stored, it does not matter that it could be retrieved by name; for it to qualify as a Privacy Act record, the record must actually be retrieved by name.

Q:  How will the agency use both laws to process the request?

  • The agency FOIA professional processing your request will likely start the analysis under the Privacy Act.
    • If no Privacy Act exemptions apply, that ends the analysis and the record is released.
    • If one of the 10 Privacy Act exemptions applies to any part of the record, the agency will then look to FOIA to determine if the information is also exempt under FOIA.
    • If both a Privacy Act exemption and a FOIA exemption apply, the agency must withhold the information. The information must be exempt under both statutes to be withheld from disclosure.

Q:  Can agencies disclose records about individuals without a request?

  • Agencies must have what is called a “routine use” established through rulemaking, which includes public notice and comment, in order to share Privacy Act-protected information absent a request or the individual’s written consent. The Privacy Act also contains 12 conditions of disclosure under which agencies can disclose information about individuals without a request or consent. 5 U.S.C. § 552a(b).
    • Agencies may only share information among themselves if the disclosure would fall within one of the 12 conditions of disclosure or there is a routine use that allows the sharing of information between agencies. OGIS is working to establish a routine use with all agencies so we can streamline our processes to discuss FOIA disputes.
    • Agencies must have a specific purpose for a routine use to share information with the public, such as disclosure of sex offenders pursuant to federal law.
  • If an agency makes a disclosure outside of what is allowed under the Privacy Act and a routine use does not apply, the individual can sue the agency for money damages.

Q:  What if a record is about me, but not contained in a “system of records” or retrieved by my name or identifier?

  • That record is not considered a Privacy Act record and would be processed under FOIA, applying any exemptions that might apply to protect privacy interests of third parties, such as Exemptions 6 or 7(C). 5 U.S.C. §§ 552(b)(6) or (7)(C).
  • The good news is that since more agency records are not contained within Privacy Act “systems of records,” requesters have access to a bigger universe of records under FOIA.

Q:   What if someone else requests records about me?

  • The Privacy Act has a “no disclosure without consent” provision such that an agency cannot release your records without your permission.
  • If your records are maintained in another individual’s file, the records would be processed under FOIA and FOIA privacy exemptions would apply unless you provided your signed consent to allow the release of your records.

Q: Who oversees the Privacy Act and the FOIA?

  • The Office of Management and Budget is the legal authority for the Privacy Act.
  • The Attorney General is charged with encouraging FOIA compliance.
  • The Justice Department’s Office of Information Policy develops FOIA policy.
  • OGIS is charged with reviewing agencies’ FOIA policies, procedures and compliance. While Privacy Act matters fall outside the scope of OGIS’s mission, because they often overlap with FOIA, we provide ombuds services to individuals requesting their own records.

9 thoughts on “Reconciling FOIA and the Privacy Act”

  1. What about an attorney who requests personnel records of a client who is represented by the attorney with the client’s permission, does FOIA apply?

    1. Individuals may authorize others to request records on their behalf, such as family members or legal representatives. The individual who is the subject of the request must sign an authorization that the designated requester will include in the request. The same DOJ form referenced in the post above includes a section that authorizes release to another person or organization. If a designated requester submits the proper authorization from the subject of the request the agency will treat the request as a first-party request, or as if the subject submitted the request him or herself. Again, be sure to check with the agency to see if it has its own required form.

  2. DOJ has said that FOIA and Privacy Act are both access laws, which is contrary to what it says in paragraph 2 of this post. If the Privacy Act was created to protect information, it would qualify as an Exemption 3 statute. However, DOJ has previously argued it does not because it is a law that was put in place to allow the public to access records about themselves that were created and/or maintained by the Federal government. Has there been a change in the original DOJ determination that the Privacy Act is an access law?

    1. Thank you for your comment. As we point out in Paragraph 2 of this post, the Privacy Act was created to, among other things, protect information about an individual from release to others while allowing the individual to access it. It is important to note both functions of the Act. If you wish to learn more about DOJ determinations or policies, you may want to contact DOJ directly or to consult DOJ’s Privacy Act Overview.

  3. You said: Only records of U.S. citizens or Lawful Permanent Residents are covered by the Privacy Act.

    But requests related to USCIS’ A-Files, A-Files are released only to the individual named in the A-File or his or her attorney, according to USCIS.

    An A-file is created when INS (now USCIS) action is initially required for a particular person, who is not necessarily always a U.S. citizen or Lawful Permanent Resident as a file holder.

    How do you address the FOIA requests for those A-Files, named by neither U.S. citizens nor Lawful Permanent Residents?

    Should “reasonable segregation” mandate under Section (b) of FOIA be applied towards A-Files requests?

    1. Thank you for your questions, Yi.

      U.S. Citizenship and Immigration Services is an agency within the Department of Homeland Security (DHS) and there is a DHS Privacy Policy that addresses this issue. The policy (available here) generally states that DHS will treat all requests with any personally identifiable information that is collected, used, maintained, and/or disseminated in connection with DHS records systems as subject to the Privacy Act regardless of whether the information pertains to a U.S. citizen, Legal Permanent Resident, visitor, or alien. You may wish to review the DHS privacy policy for more detailed information.

  4. Great response Corinna!

    You also said: “the agency will automatically process the request using both FOIA and the Privacy Act.”

    Do you have the reference source for such a policy in DHS/USCIS?

    On its FOIA/PA form G-369, there is only one option to request your own records under the Privacy Act, not under FOIA or both.

    It seems to me that once the request is determined as a 3rd party request to a System of Records under the PA, there is no need to consider that the request for the specific information about himself can still be processed as a first party request towards the non-exempted portion (reasonably segregable) within the same System of Records under the FOIA.

    Am I right?

    1. Yi, you may wish to contact DHS directly with specific questions about that agency’s practices. The DHS FOIA contact information is available on the agency’s website here: The DHS FOIA Public Liaison may be in the best position to try to assist you. Best of luck going forward.

  5. I have found the relevant information under DHS Federal Register Publications 2003 FEDERAL REGISTER INTERIM REGULATIONS – 2003 Freedom of Information Act and Privacy Act Procedures [68 FR 4056] [DHS 3-03] § 5.20 General provisions.

    6 CFR § 5.20(a)(1), “…. the Department processes all Privacy Act requests for access to records under the Freedom of Information Act (FOIA) ( 5 U.S.C. 552), following the rules contained in subpart A of this part, which gives requests the benefit of both statutes.”
