Privacy Act
The Privacy Act of 1974 established requirements for the federal government's use of PII.
Description
Protections
When collecting PII, a government agency is required to inform an individual of:
- the agency's legal authority to collect this PII
- the principal purposes of the collection
- the routine uses of this PII
- any effects on the individual of providing PII
Before a federal agency can establish a records system, the agency must publish in the Federal Register a notice of:
- the type of PII that will be collected and stored
- the routine uses of the records system
- the security controls used in and around the records system
- how individuals can determine if their PII is stored in the records system
- how individuals can obtain a copy of their PII from the records system
PII stored in a records system can only be disclosed if the corresponding individual (1) submits a written request to disclose, or (2) has given prior written consent to disclose.
Exemptions and Applicability
National security systems are exempt from the Privacy Act.
Investigatory material collected for law enforcement purposes is exempt with conditions.
A system that is required by statute to only be used for statistical purposes is exempt.
A 2017 executive order clarified that the Privacy Act applies only to U.S. citizens. Furthermore, agencies were ordered to update privacy policies to explicitly exclude anyone who is not a U.S. citizen or permanent resident.