Privacy Laws and Regulations
Note: The information on this page is intended to inform members of the public of GSA's privacy policies and practices as they apply to GSA employees, contractors, and clients.
- The Privacy Act of 1974 Overview
- Text of the Privacy Act of 1974 (5 U.S.C. § 552a)
- Department of Justice guidance on the Privacy Act
- Computer Matching and Privacy Protection Act of 1988; and Computer Matching and Privacy Protection Amendments of 1990
- E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Ch 36); and Federal Information Security Management Act of 2002
- OMB guidance
The Privacy Act of 1974, as amended (5 USC 552a), is the first and most comprehensive law governing the protection of personal information in the possession of the Federal government. The Privacy Act establishes for individuals the right to privacy for records that Federal agencies collect, maintain, and use. This law protects an individual's privacy from unwarranted invasion by requiring that personal information in possession of Federal agencies is properly used, and that agencies institute measures to prevent any potential misuse of information in their possession. The Privacy Act:
- Controls the use of personal information by restricting Federal agencies' collection, maintenance, use, and dissemination of personal information.
- Allows individuals to access information about themselves that agencies maintain.
- Allows individuals to correct their records when the information is not accurate, relevant, timely, or complete.
- Controls the disclosure of personal information in possession of a Federal agency.
- Requires that agencies follow mandated policies and procedures for:
  - Collecting and using information
  - Disclosing information
  - Accounting for disclosure of information
  - Accessing and amending records by individuals
  - Maintaining information
  - Civil remedies and criminal penalties when the Act's rules are violated
  - Exemptions to access
  - Treatment of archival records
  - Applicability to contractors
  - Mailing list prohibitions
  - Matching agreements
  - Reports to OMB
  - Establishment of Data Integrity Boards
The Computer Matching and Privacy Protection Act of 1988, and the Computer Matching and Privacy Protection Amendments of 1990 concern the electronic sharing of information. These laws:
- Apply to automated systems of records when the information in the systems is shared between Federal or non-Federal agencies.
- Spell out the procedural requirements that agencies must follow when performing computer-matching activities.
- Require agencies to provide to individuals whose records are in matching systems the opportunity to receive notice and to refute adverse information before having a benefit denied or terminated.
- Require agencies that are engaged in matching activities to establish Data Integrity Boards to oversee computer-matching activities.
The provisions of these Acts have been incorporated into the following Sections of the Privacy Act (5 U.S.C. § 552a):
- (o), (p), (q), (r)
- (u); and
- 1994 & Supp.
The E-Government Act of 2002 (Public Law 107-347, 44 U.S.C. Ch 36) aims to ensure privacy in the conduct of Federal information activities. Title III of the E-Government Act, the Federal Information Security Management Act of 2002, establishes computer security requirements for Federal automated information resources. Among its other system security provisions, this Act requires agencies to:
- Conduct a periodic assessment of the risk and magnitude of the harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency;
- Address information security throughout the life cycle of each agency information system.
OMB oversees, establishes rules and procedures, and provides guidance to agencies on the implementation of the Privacy Act and on information security. OMB's guidance is found in:
- OMB Circular No. A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals, which establishes Privacy Act requirements and procedures;
- OMB Circular No. A-130, Appendix III, Management of Federal Information Resources, which establishes guidelines for Federal agencies on complying with the fair information practices and security requirements for operating automated information systems.
- (M-03-22) Memorandum for Heads of Executive Departments and Agencies, OMB Guidance for Implementing the Privacy Provisions of E-Government Act of 2002.
- Title III of the E-Government Act, Federal Information Security Management Act of 2002