As companies scramble to conduct privacy audits and implement privacy compliance procedures that address the increasing number of new privacy-related statutes and regulations, companies that do business with the federal government should take heed that they already may face serious restrictions on their ability to use or release personal information developed, gathered, or maintained for the federal government. The Privacy Act of 1974, 5 U.S.C. § 552a, as amended (the “Privacy Act”), and its implementing regulations provide one source of such restrictions.
Congress enacted the Privacy Act in 1974 to protect individuals against invasions of personal privacy by requiring federal agencies maintaining personal information files to ensure the accuracy of such information and to prevent its misuse. The Privacy Act limits the creation of secret government data files on individuals and strictly controls the dissemination of personal information maintained by federal agencies. Personal records maintained by an agency generally may be disclosed only with the consent of the individual to whom the record pertains, absent certain extreme circumstances, e.g., a court order, compelling circumstances regarding the health or safety of an individual, a proper request from a United States law enforcement entity, etc.
The Privacy Act subjects agency officers and employees to criminal penalties for the illegal disclosure or improper use of agency records containing personal information. To constitute a “record” for purposes of the Privacy Act, a document must reflect some confidential quality or characteristic about an individual. Furthermore, the Privacy Act also includes federal contractors maintaining personal records for an agency within the purview of its criminal penalty provisions.
Federal Acquisition Regulation (FAR) Subpart 24.1, which implements the Privacy Act, requires contracting agencies to apply the Act to contractors and their employees when contracts provide for “design, development, or operation of a system of records on individuals on behalf of an agency to accomplish an agency function.”
The FAR includes two Privacy Act clauses for inclusion in contracts involving the design, development, or operation of an agency records system. These clauses, like the statute, provide that violations of the Act may result in the imposition of serious penalties. The clauses also mandate that contractors include similar clauses in subcontracts involving the design, development, or operation of a covered system of records.
Individual agencies also issue regulations implementing the Privacy Act and further restricting contractor use and handling of covered personal information. For example, 32 C.F.R. § 310.12 provides the Department of Defense’s regulation applying the Privacy Act’s provisions to contractors maintaining agency personal records. Although agency Privacy Act admonishments to companies may appear quite sweeping in scope, the Privacy Act does not apply to records maintained by a company on its own behalf, e.g., employee personnel records, merely because the company entered a covered contract with the federal government.
The Privacy Act’s criminal provisions and the FAR’s related contract provisions (if included in a given contract) expose federal contractors with covered contracts to substantial (criminal and contract) penalties for violations of the Act and its implementing regulations. Clearly, companies conducting business with the federal government should proceed cautiously when dealing with any federal records containing personal information. Companies handling even potentially covered federal personal records should review the terms of their federal contracts and educate their contracting personnel regarding the Privacy Act to ensure Privacy Act and contract compliance. Such measures may assist in avoiding costly litigation and possible liability in the future.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
We operate a free-to-view policy, asking only that you register in order to read all of our content. Please login or register to view the rest of this article.