CENTRAL INTELLIGENCE AGENCY ANNUAL PRIVACY ACT REPORT FOR 1975

Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 DDIA Registry File 30 April 1976 MEMORANDUM FOR: Mr. James T. Lynn, Director Office of Management and Budget Washington, D. C. 20503 ATTENTION : Mr. Walter M. Hasse, Deputy Associate Director of Information Systems FR(X`1 : John F. Blake Deputy Director for Administration SUBJECT Central Intelligence Agency Annual Privacy Act Report for 1975 In accordance with. MM Circular No. A-108, Transmittal Memorandum No. 2, forwarded herewith is the CIA Annual Privacy Act Report for 1975. - John/ , Blake O-DD/A:JEP/ms (30 April 76) Distribution: Orig - Addressee, w/Att + 4 additional cys of Att w/o 1 - Chief, IPS Chrono, w/Att 1 - Chief, IPS Subject, w/Att 1 - DD/A Chrono, w/Att / DD/A RoUtstry Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  30 April 1976 Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 1. Claiming of Exemptions Via Rulemaking A. The CIA regulations promulgated pursuant to subsection (j) of the Privacy Act authorize the withholding of any information pertaining to an individual which would reveal intelligence sources and methods. The criteria applied under subsection (j) is similar to the criteria applied under subsection (b)(3) of the Freedom of Information Act. The general exemption under subsection (j) was exercised in a way that: polygraph records are exempt from all sections as provided under the exemption except for Section (3)(e) (1) and (5) (these provisions require that only those records necessary to accomplish a statutory purpose be maintained in an accurate, complete and timely manner); and, those portions of all other systems of records that contain intelligence sources and methods are exempt from certain provisions as authorized under subsection (j) except for Section (3)(c) (4), (e)4 (H) and (I), and (e) (1), (5), and (8). (It was determined that compliance with these provisions would not jeopardize the protection of intelligence sources and methods, ergo these provisions apply to all systems except polygraph records.) B. Under subsection (k), regulations were promulgated which provide that all provisions of this subsection apply to all systems of records. Information that meets the criteria defined in pro- visions (K-1) through (K-7) may be exempted from subsection d, individual access. 2. Administration of Exempt Systems A. Although the Privacy Act permits the Director of Central Intelligence to exempt virtually all information in CIA systems of records pertaining to individuals, the Director exercised this authority in a limited way. The exemption policies developed take into account the fine balance that must be struck in weighing individual rights against the obligation of the Director to pro- tect certain information from unauthorized disclosure. Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 B. To a large extent the CIA deals in classified information; the purpose and mission of the CIA require this. However, infor- mation contained in a file may vary from unclassified records to highly sensitive classified information. A review of CIA systems of records subject to the Act reveals that only one record system, Polygraph Files, requires the full protection from certain of the Act's provisions as authorized in subsection (j). Thus, of the 57 systems of records subject to the Act, only the polygraph record system is totally exempt from access. Recognizing that the other systems of records contain both information that should be made available to individuals upon request and information that requires protection from unauthorized disclosure, CIA promulgated regulations that permit access by individuals to information pertaining to them to the extent that such access is consistent with the Director's responsibility to protect intelligence sources and methods or otherwise should be withheld under the provisions of subsection (k). The effect of this approach is that, with the single exception of the Polygraph Files, all appropriate systems of records are searched upon request and information surfaced in the search is reviewed for release. This, we believe, is consistent with the intent of the Act; i.e., the exemptions are permissive, not manda- tory, that a positive decision to release or withhold information must be made in each case. 3. Record System Inventory The CIA record system inventory is attached herewith. The estimated number of individuals on whom records are maintained is indicated for only those systems of records where disclosure would not be mission revealing. 1. CIA identified 57 record systems subject to the Act and published in the Federal Register a Notice of Systems of Records and rules to implement the Act on 28 August 1975. No public comment was received on either the systems notices or the CIA rules; the systems notices and rules were adopted without change on 27 September 1975. 2. CIA published an internal regulation on implementation of the Privacy Act which was given broad dissemination within the Agency. This regulation explains the purpose of the Privacy Act, details the procedures to be followed in processing requests submitted under the Act, outlines the restrictions on disclosure of personal information, and sets forth the penalties for violation of the Act, including disciplinary actions that may be imposed by the Agency. Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 3. A Privacy Act Orientation Program was initiated to familiarize Agency personnel with provisions of the Act and to explain the procedures adopted by CIA to implement the Act. A briefing team presented the Pro- gram to over 900 personnel in 20 sessions. In addition, briefings were given to senior officers and their staffs. 4. All forms that require an individual to supply his/her Social Security Number (SSN) have been reviewed and modified to conform with Section 7 of the Privacy Act. Of the 111 forms reviewed, the require- ment for SSN was deleted from 51; 70 forms were revised to inform the individual whether the supplying of SSN is mandatory or voluntary and the appropriate information concerning what uses may be made of the SSN. 5. A study group was formed to review the Agency's Notice of Systems of Records published in the Federal Register. The primary objectives of the study were to: A. review each of the Agency's systems of records described in the Notice of Systems of Records to ensure that the description of each in the Federal Register is complete and accurate; and, B. determine whether all systems of records main- tained by the Agency and covered by the Privacy Act are identified in the Federal Register and to draft whatever supplements or amendments that are needed. Although the study was completed after the close of calendar year 1975, the following actions have been taken: A. A report of new systems was submitted to the Office of Management and Budget, Congress, and the Privacy Study Commission on two record systems that were inadvertently omitted from CIA's initial Notice of Systems of Records. B. Three record systems identified in the Notice of Systems of Records have been merged into one system. C. Changes to 13 record systems were made to refine the system descriptions. Notice has been published in the Federal Register concerning the above and the public has been invited to submit written comments. 6. Proposed rule changes have been submitted to the Office of Management and Budget, Congress, and the Privacy Study Commission based on recommendations prepared by an 0MB task force review of CIA rules. Notice of the proposed changes has been published in the Federal Register. The period for public comment concludes the end of April. Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 7. The CIA maintains stringent controls to safeguard the physical and technical integrity of its information. Records are stored in secure containers or specially designed areas to protect against unauthorized access. Systems managers issue authorized access lists which restrict, access to only those Agency personnel who need the information to per- form their official duties. Carefully controlled accounting and handling procedures are employed for information systems that are automated. 8. The CIA regulations which implement the Privacy Act limit the collection of information about an individual to that which is relevant and necessary to accomplish a purpose of the Agency as required by statute or Executive Order. The CIA regulations which implement the recently issued Executive Order 11905, pertaining to CIA activities, specify restrictions on the collection of information about individuals. 9. As a matter of policy, the CIA does not let contracts for the operation of record systems; all systems of records on individuals are operated and maintained by CIA staff personnel. 10. CIA plans to issue a policy and procedures handbook that will codify the existing Agency regulations on FOIA, Privacy Act and E.O. 11652 for handling of requests for information from the public. The handbook is scheduled for completion in June 1976. Inasmuch as the operation of an intelligence organization requires that information be carefully controlled and protected as a matter of course, it is difficult, given the relatively short time-frame that this report covers, to make a meaningful assessment of the impact of the additional protection requirements of the Privacy Act. The deluge of FOIA requests from individuals asking for information about them- selves, both prior and subsequent to the effective date of the Privacy Act, muddies the waters all the more in trying to ferret out changes, trends, etc., related only to the Privacy Act. This, coupled with the Congressional moratorium on the destruction of CIA records, further clouds the impact experience. 1. Reductions in the Collection of Personal Information Certain information gathering activities of CIA have been discontinued. However, in accordance with a Congressional moratorium on the destruction of CIA records, there has been no reduction in Agency record holdings. Although certain records which have been identified for destruction continue to be maintained, no use is made of this information other than to respond to FOIA and Privacy Act requests. When the mora- torium is rescinded, CIA plans to destroy these records. Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 2. Obtaining Information from Individuals There is no perceptible change in the willingness of individuals to provide personal information about themselves as a result of the Privacy Act. With respect to information about individuals solicited from third parties, e.g., security background investigations on applicants for employment, the number of requests for pledges of confidentiality have not changed significantly since the Privacy Act became effective. 3. Obtaining Information from Other Agencies Aside from some confusion during the initial implementation phase of the Act, there have been no special problems associated with obtaining official information from other agencies. 4. Disclosing Information The requirement to obtain the written consent of the individual prior to release of information concerning him, save the limited exceptions, has, in some instances, caused delays that ultimately affect the individual concerned. Although the number of requests that fall into this category is indeed small, there have been some delays in processing requests from state unemployment compensation bureaus when the inquiries did not contain the written consent of the individual to release his records. To alleviate this, CIA intends to amend the appropriate systems of records to provide a routine use that will cover these dis- closures. 5. Individual Access to Agency Records A. Since the Privacy Act became effective in September 1975, the CIA has received 552 requests for information pertaining to the requester. For the most part these requests were in the form of "do you have a file on me" and cited the FOIA. Very few requests cited the Privacy Act and even fewer cited specific systems of records to be searched. As the CIA regulations implementing the Privacy Act require that all requests for personal information must include certain personally identifiable information, CIA corresponded, almost without exception, with each requester to obtain the additional personal identification. Our experience with Privacy Act requests per se is limited. The Agency was inundated with requests from the public, both prior and subse- quent to the effective date of the Act, due primarily to press reports of alleged improper domestic activities by CIA. Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 B. Following is a summary of actions taken on requests for the period 27 September through 31 December 1975: Number of requests received . . . . . . . . . . . 552 Final responses . . . . . . . . . . . . . . . 196 No record on the requester. . . . . . . 189 Requests granted in full. . . . . . . . 4 Requests granted in part. . . . . . . . 3 Requests denied . . . . . . . . . . . . 0 Requests pending . . . . . . . . . . . . . . 356 The large number of pending cases is due in part to delays in the receipt of additional personal identification from the requester. Too, the large volume of requests submitted for information under the FOIA exceeded our capability to respond promptly despite a large-scale diversion of manpower to handle these requests. 6. Sale or Rental of Mailing Lists CIA does not sell or rent mailing lists. 7. Use of the Social Security Account Number as a Personal Identifier There have been no new systems of records which went into effect after 1 January 1975 that use the SSN as an identifier. 8. Public Scrutiny of Agency Recordkeeping Practices CIA received no comments from the public concerning the Notice of Systems of Records or the CIA rules to implement the Privacy Act published in the Federal Register. John F. Blake Deputy Director for Administration Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9  Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9 Next 6 Page(s) In Document Exempt Approved For Release 2002/06/11 : CIA-RDP79-00498A000600110013-9