The Consumer Financial Protection Bureau (CFPB) recently made our work a little bit easier in one small way. We no longer have to ask CFPB’s Freedom of Information Act (FOIA) requesters who come to OGIS for assistance to provide consent so the agency can discuss their requests with us.
That’s because CFBP alerted the world through a Federal Register notice that it will routinely share information in its FOIA records with OGIS without first getting the consent of the individual requester.
CFPB joins seven Cabinet-level departments and five agencies which have such an agreement—known as a Privacy Act Systems of Records Notice (SORN).
We’ve written before about the Privacy Act of 1974, which covers FOIA and Privacy Act request files at every agency. FOIA request files, which are retrieved by an individual’s name or personal identifier, cannot be disclosed to another person (outside of the agency) or to another agency, with certain exceptions.
One exception is when an individual consents to disclosure of his or her records request file. Another exception to the Privacy Act’s non-disclosure provision is when an agency “routinely” needs to disclose those records for certain purposes: think the Department of Justice (DOJ) and the Department of Homeland Security. Most agencies have a pretty long list of “routine uses,” many of which are common across agencies (for example, sharing records with the DOJ when there is litigation involving the individual’s FOIA request.)
Streamlining the way agencies share with us information about FOIA requests that is covered by the Privacy Act is about more than the mediation services we offer—it also strengthens our nascent agency assessment program. That’s because without a SORN that says the agency will, as a matter of routine, share information with OGIS, we will not be able to review agency FOIA files without the agency first obtaining the consent of each individual requester. Part of our assessment program includes reviewing FOIA request files.
We’ve asked all 15 Cabinet-level departments to include an OGIS routine use in their Privacy Act SORNs. The Departments of Defense; Health and Human Services; Homeland Security; Justice; State; Transportation; and Treasury have OGIS routine uses, as do six smaller agencies, including CFPB. Thank you!
So how difficult is it to amend a Privacy Act SORN?
Several years ago, OGIS worked with DOJ to develop a model routine use that agencies can use for this purpose:
To the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent necessary to fulfill its responsibilities in 5 U.S.C. § 552(h), to review administrative agency policies, procedures and compliance with the Freedom of Information Act (FOIA), and to facilitate OGIS’ offering of mediation services to resolve disputes between persons making FOIA requests and administrative agencies.
We hope the agencies that don’t have such language in their Privacy Act SORNs will consider adding it.