APPLICATION OF SUBSECTION (M) OF THE PRIVACY ACT

tA1-_ U I VE OFFICE OF THE PRESIDENT "% OFFICE OF MANAGEMENT ANF I ifTwr C)rC Has RP_viP_WP_fl 4z M Subject: Application of Subsection (m) of the Privacy Act Attached for your information ib a recent legal opinion from the OMB Office of General Counsel interpreting the applic- ability of subsection (m) of the Privacy Act to certain research and other contracts. We request that you review your agency's policies and procedures for handling personal records under the control of contractors to assure that these records systems are maintained in accordance with this interpretation of the Privacy Act. If there are any questions, pleise contact the Informatior Systems Policy Division at 395-3785. Sincerely, Walter W. Haase Deputy Associate Director for Information Systems Policy Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved F wRelease 2002/07/03 : CIA-RDP83T00 00200240018-8 November 30, 1979 MEMORANDUM FOR : Mary M. Coggin, Chief Administrative Law Branch, SSW FROM: William M. Nichols-. SUBJECT: Application of Subsection (m) of the Privacy Act This is in response to your request for our comments on the HEW interpretation of the application of subsection (m) of the Privacy Act (5 U.S.c. 552a) to certain research and other (unspecified) contracts. Sub:r3ection (m) provides that: "When an agency provides by a contract for the operation by or on behalf of the agency of a system of records to accomplish an agency function, the agency shall, consistent with its Authority, cause the requirements of this section to be applied to such system. For purposes of subsection (i) of this section any such contractor and any employee of such contractor, if such contract is agreed to on or after the effective date of this section, shall be considered to be an employee of an agency." The HEW position, as stated in the memorandum entitled "Application of Privacy Act to HEW Contracts, from William H. Taft, General Counsel, to John Ottina, Assistant Secr-star, for Administration and Management, dated May 17, 1976, (so- called "Taft memorandum"), is that: . .the requirements of the Privacy Act of 1974 are not applicable to HEW research and other contracts which call for the contractor merely to furnish to the HEW contracting agency statistical or other reports, even though it is necessary for the contractor to establish a system of records to perform the contract. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved Fiar`felease 2002/07/03: CIA-RDP83T0C100200240018-8 Where the contracting agency .if% interested only in obtaining the results of the research or other work performed under the contract (generally in the form of a re'ort) and does not, require the contractor to furnish it individually identifiable records from the system established by the contractor, it cannot be said that the system is one which 'but for' the contract, the ag ncy would have established." (Taft memo, p. 2). We disagree with Lhis iiit._erpretatie.:. The application of Subsection (m) is not. dependent upc i the dipclosure of individually identifiable records by the contractor to the agency. Nothing in the statute, its legislative history, or the OMB Privacy Act Implementation Guidelines (40 Fed. Reg. No. 132, Wedneseday, July 9, 1975, p. 28948) supports such a reading of the law. The contract puts the personally identifiable information into the hands of the contractor. The data would have been collected and maintained by the agency if the work performed under contract had remained in-house. The contractor is performing an agency function and the Act applies. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved fear Release 2002/07/03 : CIA-RDP83T0W3R000200240018-8 office of Management and Budget Information Systems Policy Division 3 tnuary 4, 1980 Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  ApproveslrFor Release 2002/07/03: CIA-RDP83T 573R000200240018-8 The Privacy Act of 1974 (Public Law 9 -579) was enacted to ensure an appropriate balance between the Federal Government's need for information about its citizens and the individual's right to privacy. The Act seeks to achieve this objective by establishing procedures to regulate, the collection, mainte- nance, use and disF.omin it-ion of personal information by Federal agencies. The Act establishes a system of checks and balances to ensure the effective operation of these procedures. These checks and balances include provisions for the exercise of individual rights, public scrutiny of agency recordkeepinq practices, Office of Management and Budget and congressional oversight of agency activities, and both civil and criminal sanctions. This document summarizes OMB activities to implement the Act and outlines the internal processes established by OMB to exercise its oversight responsibilities under the Act. This document is being provided to Federal agencies and the public to foster a greater understanding of how the administrative processes work, and to provide greate1 opportunities for the public to participate in these process-.es by understanding how they work and by making suggestions for their improvement. Comments and suggestions are welcome. Walter W. Haase Deputy Associate Director for Information Systems Policy Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8 BASIC PROVISIONS OF THE ACT 4 IMPLEMENTATION APPROACH POLICY GUIDANCE INVENTORY OF FED1,:RAL PERSONAL DATA SYSTEMS PRESIDENT'S ANNUAL REPORT TE? CONGRESS REVIEW OF AGENCY REVIEW OF RFP?:;R't' CONSIDERATION OF 1 JLFS AND NOTICES ON NEW AND ALTERED SYSTEMS PE.IVACY IN THE BUDGET PROCESS 14 CONSIDERATION OF PRIVACY TN THE LEGISLATIVE REVIEW PROCESS HANDLING OF PUBLIC INQUIRIES IMPACT ON GOVERNMENT OPERATIONS IMPACT ON PRIVACY OF INDIVIDUALS Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  . ApproverFor Release 2002/07/03 : CIA-RDP831:60573R000200240018-8 BASIC PROVISIONS OF THE ACT The Privacy Act of 1974 recognizes a fundamental right of individual privacy, and sets forth a system of checks and balances to regulate the collection, maintenance, use and dissemination of l)er:;oval information by the Federal Government. The provisions of the Act are designed to achieve a balance between the Government's need for infor- mation and the indivi.dual's right t) privacy. The Act: 1. Establishes cer.t,:iin rights of individuals. Individuals must be permitted to: ? Know the authority under which information about them is collected, the purpose for which it is collected, how it will be used, and the effect on them of not providing information. ? Review agency records about them and to review agency records; on any disclosure of this informa- tion. ? Request. t. tat Oersonal information tahich they believe to be incorrect be amended, corrected or removed. ? Appeal agency denials of requests for amendment or correction Sue an agency in U.S. District Court for certain violations of the Act. 2. Makes the heads of Federal agencies responsible and accountable for complying with operational requirements established by the Act. Agency heads must: ? Appropriately balance the Government's need for information with an individual's right to privacy. ? Comply with standards and procedural provisions of the Act pertaining to the collection, mainte- nance, use and dissemination of personal informa- tion. ? Collect and m, intain only that personal infor- mation which is relevant and necessary to carry out agency f-unctions authorized by law or executive order. ? Ensure, th tt individuals are given a way to exercise their ri~rl:ts ;ender the Act. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved FowRelease 2002/07/03 : CIA-RDP83T0057OR000200240018-8 ? Open their agencies' personal recor_dk?.eping practices to public scrutiny. ? Safeguard personal data and ppr.event its unauthorized disclosure. 3. Provides for enforcement of th(7~ provisions of the Act throw h a number of the ks, balances and sanctions. The Act, whi.c11 is }ased on the concept of agency accountability, provides for enforcerncnt through: ? The exercise of rights by individual s. ? Subjecting the agency's personal recordkeeping practices to public scrutiny. Civil sanction, which can be exercised against the Government for certain violations. ? Criminal sanctions which can he exercised against any Federal empl~-_)yee for certain violations and against member; of the public at largee for certain violations. 4. Makes OMB r_ esi)on-; , .) 1 e for overseein admi nistr. ation `of the Act. $specifirally, OMB must: ? Provide gr i.del. i nc's and regulations fog use by the agencies. ? Provide continuing ii s:;.istance to agencies. ? Oversee the procediural mechanisms established by the Act. s MPF:IMPN'!'ATTON APP~ZOACH OMB's approach to implementing and overseeing administra- tion of the Act has been directed toward: 1. Ensuring that the heads of agencies and Federal employees understand their obligations and responsi- bilities under the Act. 2. Developing and issuing guidelines and otherwise assisting agencies in their implementation of the provisions of the Act. 3. Allowing for agency discretion in the manner by which they fulfill their responsibilities under the Act, by minimizing issuance of requl.ations and detailed pro- cedures by OMB. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved For%Release 2002/07/03 : CIA-RDP83T0057-hR000200240018-8 4.. Closely monitor i nq agencies 1 administration of the Act calling their at:.tent:ion to apparent violations, and requesting them to take appropriate corrective action, 5. Using existinq management control processes and the people administering those processes wherever possible to assist in administering the requirements of the Act 6. Establishing a system of checks and balances to ensure effective operation and enforcement of the Act. Consistent with this approach, OMB has delegated responsi- bility for developing privacy policy guidance (within thE- framework of OMB policy and oversight) to a number of othez central policy agencies. For example: ? The Director of titre Offie,- of Personnel Management (formerly the Civil Service commission) was made responsible for revising Federal personnel manage- ment reclul.ations to reflect privacy considerations ---- thereby caking all agercy personnel officers responsible for assuring compliance with Federal per_sonnet privacy policies and procedures. ? The Administrator of the General Services Adminis- tration was made responsible for revising Federal records storage and archiving regulations to in- corporate privacy considerations -- thereby making those considerations part of the job of every records manager. ? Similar assiqnments of responsibility were made in other functional areas such as proburement and clearance of reports under the Federal Reports Act. Each assignment was made to take advantage of exist- ing functional processes and incorporate privacy considerations into the day-to-day operations of existing organizations. ? Many of the OMB oversight functions have been incorporated in the existing budget and legislative review processes. This approach: ? Instills privacy awareness and consciousness in a larger number of people than would be possible by other means. ? Takes advantage of the functional expertise which exists in various central policy agencies. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved Foi' elease 2002/07/03 : CIA-RDP83T00573R000200240018-8 ? Makes privacy consideration a responsibility of many people -- all of whom are subject. to criminal sanctions for certain improper action.,. ? Avoids excessive Costs by using existing administra- tive processes and personnel. POLICY GUIDANCE A wide range of policy, qui.dtel i_nes aid interpretations of the requirements of the Act has been developed and issued to guide agencies in their dministration of the Act. The most significant of these are listed below. Presidential Policy Di rec-t i on ? President Ford's January 1975 press: release issued upon signing of the Act. ? President Ford's September 29, 197`, statement. issued on the effective date of the Act stressed the importance of the Act and his support for it. ? President Ford's July 20, 1976 letters to the Speaker of the House and the President of the Senate transmitted the First Annual Report to Congress on executive branch activities to comply with the Privacy Act. ? President Carter's June 30, 1977 letters to the Speaker of the House and the President of the Senate transmitted the Second Annual Report to the Congress on executive branch activities to comply with the Privacy Act. The President endorsed the efforts of 0MB to reduce Government intrusion into the private lives of Americans and urged the Congress to consider the Federal experience in de- liberations on future privacy legislation. 0 President Carter's July 20, 1978 letters to the Speaker of the House and the President of the Senate transmitted the Third Annual Report to Congress on executive branch activities to comply with the Privacy Act. The President indicated that personal privacy was an important priority of his Administration. 0 President Carter's Auqust ?1, 1978 memorandum to the heads of executive departments and agencies requested agency heads to initiate further cef forts to reduce the amount of personal information collected by their agencies, avoid the unwarranted disc-I(-surrce of this information and improve their internal management of personal data systems. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved For%Release 2002/07/03 : CIA-RDP83T0057a3R000200240018-8 President Carter's April 2, 1 079 message to Congress announced a wide range of initiatives to protect individual privacy. To implement these policies the President proposed four new hills providing privacy protection for medical records, federally funded re- search records, financial retards, and news media notes and materials. The President asked that new procedures be set for Federal agencies' adminisLritive actions and called for action by State an local governments and the private sector to voluntarily adopt recordkeeping practices which would provide an appropriate level of protection for individual privacy. ? President Carter's August 16, 1979 letters to the Speaker of the House and the President of the Senate transmitted the Fourth Annual Report to Congress on executive branch activities to comply with the Privacy Act. The President urged the Congress to carefully consider the Administration's record of progress in implementing the Act as it considered the Administra- tion's legislative proposals on individual privacy. 0MB Policy Direction OMB Circular Nc. A-!ON dated July 1., 1975, outlines agency responsibilities for irUementing and administer- ing the Act. - T.M. No. 1, dated saptember 30, 1975, sets forth agency requirements for proposals alter personal data systems. to establish or - T.M. No. 2, dated March 25, 1976, and T.M. No. 4, dated January 31, 1978, set forth agency reporting requirements for the annual report to Congress. - T.M. No. 3, dated May 17, 1976, sets forth revised guidance on agency proposals to establish or alter systems, establishes a provision for waiving the 60 day advance notice period, and provides for public review of the new system proposals. - T.M. No. 5, dated August 3, 1978, transfers to OMB the responsibilities for issuing policies regarding Govern.. ment telecommunications relative to the Privacy Act. Guidelines to agenciok for implementing the Privacy Act. issued by 0MB as a supplement to 0MB Circular No. A-108 on July 1, 1975 and amended on November 21, 1975. ? Director Lance's memorandum to agency heads, dated March 7ApOWN Fdri Rel AsS2OtOt2l0T7/ ?iAaI P43TB0&7i R 002@{ jQ?'jt$s on  Approved For?Release 2002/07/03 : CIA-RDP83T00574R000200240018-8 the reduction of personal recordkeepinf; in the course of efforts to reduce public reporting burden. This letter was followed by individual letters to heads of 15 major recordkeeping agencies requesting specific plans for reducing personal recordkeeping by their agencies. ? Director Lance's August 3, 1977 memorandum to agency heads, transmitted the President's Second Annual Report to the Congress and requested further efforts at reducing personal recordkeepinq. ? OMB Circular No. A-71, T.M. No. 1, "Security of Federal Automated Information Systems," was issued on July 27, 1978 to ensure protection of personal, proprietary and other sensitive data in Government computers. ? Director McIntyre's March 30, 1979 memorandum to agency heads provided guidelines to agencies for computer matching of personal rec-ords. ? Director McIntyre'.-; Mnv 22, 1979 memorandum to agency heads summarized Prcosident. Carter's privacy initiatives and required each agenc,.v head to designate an office or official to bear oversight responsibility for the administration of the P-ivacy Act within that agency. ? Mr. Walter W. Haase's linuary 2, 1980 memorandum to agency Privacy Act oversight officials transmitting an OMB legal opinion regarding the application of U Privacy Act requirements for publishing systems of records to research and other contractors who maintain agency records containing personal data. of Personnel Management Policy Direction OMB Circular No. A-108 assigned the Office of Personnel Management responsibility for revising civilian personnel recordkeeping policies to conform with the Act and to train agency personnel in the requirements of the Act. Policy guidance issued by OPM includes: ? Revision of Federal Personnel Manual, Chapters 293 and 297, September 30, 1975. ? Notices describing the operation of four government-wide systems of personnel records which are maintained for OPM by operating agcncics published August 27, 1975 and May 29, 1979. ? Regulations for t fte conc.uct of Federal service suitabil- ity investigations. FPM Chapter 736, December 4, 1975. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved Foi elease 2002/07/03 : CIA-RDP83T0057. 80002002400.18-8 ? Federal Personnel M,lnu ,l letter 732-7 "Personnel Secur Program for Posit -i on t; Associ . t ed with Federal Computer Systems," November 14, 1.978. General Services Administration Policy Guidance The Act assigned responsibility to the G;;A for coordinatirq agency publication of Privacy Act notice; and for prepari>~q the Annual C i omp lation of rules and notices. OMB Circula No A-108 i . ass gneci GSA responsibility for the issuance of policies pertaining to privacy consideration in records management and storage, in interagency data collection forms, and in the procurement of computer/ communications systems. Policy Guidance issued by GSA includes: ? "Guidelines for Records Management Systems to Implement the Privacy Act," issued by the National Archives and Records Service, August 1975. ? GSA Bulletin FPMR B-57, dated August 22, 1975, regarding agency records stored in Federal records centers. ? FPMR Temp. Reg. F-43, "ADP and Telecommunications Check- list," dated Octr;baer 17, 1975, establishing a checklist of privacy and other. requirements to be considered in agency procurement of- computer and communications system ? FPR Amendment 155, dated September 23, 1975, establishiii(r rules and proceduro.s for Government contracts involvinct personal recordknepinq. ? FPMR 101-35.17, dated June 16, 1978, "Privacy and Data Security for ADP and Telecommunications Systems." ? Publication requirements for the Privacy Act of 1974, dated June 17, 1975, updated April 8, 1977 and June 1, 1978. Department of Commerce Policy Guidance OMB Circular No. A-1OR assigned the National Bureau of Standards (NBS) responsibility for developing and issuing standards and quidelines on computer security. Guidance issued includes: ? FIPS Pub 41 "Cor9lnrter security Guidelines for Imple- menting the Privacy Act of 1974," dated May 30,.1975. ? "Index of Automated System Desiqn Requirements," dated October 1975. N pTg y1i&Ael&ttec2002M7/03(3(CIA4;;f 3TO 7 Ot 0094q(~IaZ* and Security i- -nput.or Systems. "  Approved ForRelease 2002/07/03 : CIA-RDP83T005' 8000200240018-8 ? NBS Technical Note 906, "A Methodology for Evaluation of Alternative Technical and Information Management Approaches to Privacy Requirements." ? Special Publication 500-10, "A Data Base Management Approach to Privacy Act. Compliance." Department of Justice Policy Guidance The Department of Justice has issued two policy letters regarding the Privacy Act: ? Establishment of "routine uses" for the referral of information for law enforcement and Federal employment purposes, dated June. 5, 1975. ? Disclosure of Payroll Information to State/local Taxing Jurisdiction in the Absence of Withholding Agreements, dated March 23, 1976. Privacy Act Litigation The Act and all the policies, procedures and regulations which have been established to implement the Act are ,designed to seek an appropriate balance between Government needs for personai information and an individual's right to privacy. This i,,alancinq of conflicting interests will inevitably result. in differences of judgment between individuals and the Government which can only be resolved in the courts. This case law will, over time, provide additional interpretive guidance. During 1976 and 1977, 210 suits were filed. At the end of 1978, 101 suits remained unresolved. Since the Privacy Act and the Freedom of Information Act (FOIA) are both parts of the same statute (5 U.S.C. 551 et. seq.) and deal with access to Government records, many lawsuits are brought under both Acts. Thus, FOIA and Privacy Act case laws are related and familiarity with both is helpful to in understanding of either. INVENTORY OF FEDERAL PERSONAL DATA SYSTEMS A computerized inventory of all Federal. personal data systems subject, to the Act is maintained by OMB to: ? Describe the size, nature and purpose of personal infor- mation systems maintained by Federal agencies. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved FoibRelease 2002/07/03 : CIA-RDP83T0067 8000200240018-8 ? Observe and analyze aclency use of the exemption provi- sions, use of computers for processing personal data, and a wide variety of other trends an a basis for formulating further policy by OMB. ? Measure agency iccompl tshments in reducing (or curtail- ing growth in) t he number and type of personal records which they maintain. The 1978 inventory contained description of 5,881 personal data systems maintained by Federal agencies. It is periodically updat:ed based on information contained in agency reports on new and altered systems submitted to OMB and information contained in agency systems notices published in the Federal Register. Annually, the agencies are asked to validate and update the inventory as a part of the information which they submit for the President's Annual Report to Congress. PRESIDENT'S ANNUAL REPORT TG CONGRESS The Privacy Act requires the President to report annually to the Speaker of `:he House and President of the Senate on .executive branch activities to comply with the Privacy Act. OMB prepares the !'resident's Report based on agency reports. Consistent with the pol i_cy of agency accountability for complying with the requirements of the Act, agencies are required to provide annual reports on their administration of the Act to OMB. The requirements placed on agencies :)y OMB stress report.inq of: ? Agency accomplishments and plans for protecting individual privacy and reducinq the magnitude of personal records maintained by the agency. ? Agency actions to ensure that: individuals are allowed to exercise their rights, to open their recordkeeping practices to public scrutiny, and to administer the exemption provision. ? Agency recommendations on actions that should be taken t:, address major problems that have arisen in their adminis- tration of the provisions of the Act -- through changes in Administration policies or by'seeking legislative change to the Act. The agency reports are analyzed by OMB and used to prepare the President's Annual Report to Congrest. To date, four annual reports have been submitted to Congress, one by Pr *aiereld Rw Releasd 20621 07/0131 C1 t?Jpc Ifi0-OWSRO42Q0240018-8  Approved For.Release 2002/07/03 : CIA-RDP83T005,73R000200240018-8 REVIEW OF AGENCY RULES AND NOTICES The Act requires agencies to publish rules (in accordance with the Administrative Procedure Act) to advise the public of procedures for exercising their rights under the Act and agency justification for invoking certain exemptions per- mitted by the Act. IL also requires agencies to annually publish notices describing each of their personal data systems subject to the Act in order to provide for public review of their r~: or lke }: i ng pr ivtices. The Act required agencies to publish these rules and initia' notices by September 27, 1975. OMB convened a task force o agency personnel to assist agencies in preparing and issu.i ric; their rules in accordance with the requirements of the Act and to achieve some degree of consistency in rules for similar systems. The OMB staff oversees aq ency rulemaking and the publicatiot. of notices by reviewing the Federal Register daily and providing comments on agency issuances as necessary. REVIEW OF REPORTS ON NEW AND ALTERED SYSTEMS The Act states that "each agency shall provide adequate advance notice to Congress and the Office of Management and Budget of any proposal to establish or alter any system of records in order to permit an evaluation of the probable or potential effect of such proposal on the privacy and other personal or property rights of individ- uals..." OMB policies implementing this provision require agencies to submit reports on proposed new or altered systems (RONS) to Congress and OMB 60 days prior'to the issuance of any data collection forms or instructions, 60 days before entering any personal information into the new or altered system, or 60 days prior to the issuance of any requests for proposals for computer and communications systems or services to support such systems, whichever is earlier. OMB Review of RONS Each RONS is reviewed by OMB to: ? Determine whether the agency has adequately complied with the reporting criteria established by OMI3 -- in form and substance. ? Determine whet her t-.ho . t em is consi stmt with agency mission requirements. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved Fot?Release 2002/07/03 : CIA-RDP83T00574R000200240018-8 ? Determine whether appropriate consideration has been given to personal privacy consistent with the letter, spirit and intent of the Act. After such review, any action considered necessary is initiated with the agency. Public review of RONS While the new system reporting requirements were established primarily for the purposes of congressional and OMB oversight over the development of new (or altered) systems by agencies, OMB has established a process to give the general public ai opportunity to comment on the agency proposals. ? A summary of agency proposals to establish or alter per- sonal data systems provided to OMB and the Congress is published in the Federal Regist-er by OMB approximately every two weeks. ? Copies of this public announcement are mailed directly to the staff of Members of Congress who have indicated an interest in privacy, the trade press and a list of private citizens and organizations which have indicated an interest in privaac:y. About 95 copies are distributed Waiver Procedures OMB procedures permit a waiver of the advance notice regni:--e- ment when the agency can show that the delay caused by the 60 day advance notice would not he in the public interest. A waiver of the 60 day advance notice period does not re iive an agency of the obligation to publish ,a notice describing the system and allow 30 days for public comment on the proposed routine uses of the personal. information to be collected. CONSIDERATION-OF.-PRIVACY IN THE fUDGET PROCESS Agency budget requests for information system development efforts, computer/telecommunication hardware procurement and software development activities are given special emphasis in the OMB budget review process. Privacy is one of a number of important policy issues that are closely examined in this process. Internal OMB procedures for reviewing agency budget proposals establish stringent criteria for reviewinq agency budget justifications for information processing activities. These procedures require a review of the agency justifications to ascertain that they --- Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  . Approved FofRelease 2002/07/03: CIA-RDP83T0057R000200240018-8 ? "Include a clear indication of the necessity for such data collections and the safeguards the agency will employ to preclude inadvertent or surreptitious access by unauthorized persons to such data," and that ? "The acquisition of data processing and telecommunica- tion equipment should he reviewed to assure that the requirements of t ho Privacy Aci (P. L . 93-579) have been met." As a part of the Adm i n s;t ra i i.on' : multi-year budget initiative, OMB requires agencios to identify major computer and telecommunication !w~wstem acquisitions in the current year, the midget year and each year for four years beyond the budget year. 0P`B proviides this infor- mation to Congress in order to provide earlier opportu- nities for congressional review of agency plans. The list of acquisitions are provided to GSA to assist them in carrying out their computer lrocurernerit control functions. This additional review provides an opportu- nity to evaluate the probable impact of these systems on personal privacy. CONSIDERATION OF !>R IVAC-Y IN TFIE LEGISLATIVE REVIEW PROCESS The legislative coordination and clearance responsibilities of OMB are an important corollary to OMB budget and manage- ment functions, since the President's prorjram and budget recommendations are dependent upon legislation to carry oat the proposals. The OMB legislative coordination and clearance process in- cludes assisting in the preparation of the President's legislative program, coordinating and clearing of agency legislative reports and draft bills, responding to requests of committees of the Congress for OMB reports and testify- ing on pending hills and handling of enrolled bills. The process is coordinated by a central staff in OMB whicn seeks the view- and judgments of many people, both in OMB and throughout the Government, before advising the President through the Director. is through this means that privac.% is considered and balanced with other policy and budget considerations. Examples of recent hills which involved privacy questions are the Tax Reform Act of 1976, the Social Services Amend- ments, and the Riqht to Financial Privacy Bill. Other examples are agency draft: bills on confidentiality of private sector Rrepart12data 11-Q01 318reaii % to e}2~`~l~~ii1 Mgr c longitudinal medical studies, and standards for enlist- ment in tho Armed Forces  Approved Fof-Release 2002/07/03 : CIA-RDP83T0057 8000200240018-8 HANDLING OF PUBLIC INQUIRIES OMB, by virtue of its oversight responsibilities, rereive,; a large volume of' inquiries by telephone and mail about the Act. These include citizen complaints on Government actions, inquiries regarding rights and privileges under the Act, Foreign, State, and ibc-al government inquiries on U.S. Federal Government experience under the Act, and a wide range of of-her ctuuestions. Public inquiries are generally handled as follows: ? Informational inquiries or those seeking interpretation of Federal policy and experience are handled directly by OMB. ? Complaints about a particular agency's practices are usually answered by providing individuals with infor- mation on their rights and agoncy responsibilities under the Act and then referring the complaint to the responsible agency. Follow-up action with the agency is initiated only in those cases where the agency does; not appear to be fulfilling its responsibilities under the Act. TMPAC r ON GOVERNMENT OPSRA'rIONS A number of provisions of the Act were designed to chance existing agency practices on the collection and discloser( of personal data. These changes have had an impact on the patterns of information exchange about individuals. Ex- perience to date .ndicates that: ? The public is becoming. more reluctant to provide personal data and willing to challenge Federal agency requests fcr information. ? Agencies are demonstrating more caution in exchanging personal data. ? Some agencies are experiencing difficulty in obtaining personal information from third party sources. They indicate that less information is being provided and the information that is provided is less candid. ? Inconsistencies hetwecn Federal, State, and local privacy laws have created some problems in obtaining personal information from academic institutions, lending organi;~atir)ns and medical facilities. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  Approved FoMRelease 2002/07/03 : CIA-RDP83T0057OR000200240018-8 However, no agency has indicated that the provisions of the Act have made it impossible to obtain information needed to carry out Federal programs. IMPACT ON PRIVACY OF INDIVIDUALS While it is difficult, if not impossible, to quantify "privacy protection" achieved by the Act, there are a number of measures and subjective observations which suggest that the Act has had a significant impact on achieving a better balance between the Government's need for information and protecting an individual's right to privacy. ? Review of agency proposals for new and altered systems and public scrutiny of agency recordkeeping practices suggest that the majority of personal information collected is proper and necessary to carry out Government functions. ? Agencies report that Choy have received very few questions from Congress about their proposals for new or altered systems and very few comments from the public at large on their personal recordkeeping practices as described in public notices. ? Privacy administrators in the agencies believe that the privacy consciousness which has been created by the Act, coupled with its sanctions, has established a deter- rent to unnecessary or improper collection of personal information and has created greater sensitivity to proper and fair handling of such information. ? During the first four years of the Privacy Act imple- mentation both the number of agency systems of personal records and the number of individual records have been significantly reduced. ? Further statistics on the effects of the Act are contained in the four Annual Reports to Congress. In summary, OMB believes that the intended purposes of the Act are being achieved and that the agencies are sincerely working to establish and operate effective privacy protection programs. We draw this conclusion despite the fact that the effectiveness of privacy protection is not something that is susceptible to quantitative measurement and proof. Nor is it something that is possible to achieve merely by regulatory fiat. Rather, it can only be brought about by instilling a continuing concern for privacy in the consciousness of over two million Federal workers, many of whom are involved daily in t hAppokidfbe?teI ass200 /e- dGI RuFl TQ4)07 02?0 P41a 8n  Approved Foelease 2002/07/03 : CIA-RDP83T0057W000200240018-8 personal records. The procedures which have been estab- lished to administer the ?:ct, along with continual OMB, congressional and public oversight. of these activities have sensitized the Federal workforce to the concerns of privacy and are working to achieve the objectives of the Act. Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8  STATINTL Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8 Next 1 Page(s) In Document Exempt Approved For Release 2002/07/03 : CIA-RDP83T00573R000200240018-8