Last week, Senator Akaka introduced legislation that would update the Privacy Act of 1974 in several significant respects. The bill contains many of the principles that a CDT working group developed in 2009, such as revised definitions for key terms and stronger formal privacy leadership at federal agencies. Sen. Akaka’s “Privacy Act Modernization for the Information Age Act of 2011” would help rules governing agencies’ collection of individuals’ personal information keep pace with technology and Congress should consider it carefully.
The Privacy Act of 1974 is the foremost law controlling how the federal government collects, uses and retains identifiable information about individuals. Based on the Fair Information Practice Principles, the Privacy Act generally requires federal agencies to publicly announce – in what are called “system of record notices” – new information-gathering systems or material changes to new systems. The agencies are then prohibited from collecting or sharing the information for purposes beyond those described in the announcement. The Privacy Act also generally requires federal agencies to provide an individual, upon his or her request, the opportunity to review and amend information the agencies hold about the individual.
However, evolving technology has weakened the protective effect of the Privacy Act and many other privacy laws drafted decades ago, such as the Electronic Communications Privacy Act. As the volume and detail of personally identifiable information grew rapidly in the modern era, and the means of collecting and disseminating such information grew very sophisticated, there have been few corresponding revisions to the Privacy Act. In 2009, CDT brought together a working group of public interest organizations, government representatives, businesses and private sector experts to develop principles to update the Privacy Act. CDT’s working group recommendations included:
- Broaden the definition of “system of records.” The Privacy Act does not apply to information outside of a system of records, but the current definition of the term is far too narrow – covering only data retrieved by using an individual’s name or unique identifying number (like SSN). CDT recommended clarifying that all groups of records held by agencies are systems of records.
- Greater federal privacy leadership. The Office of Management and Budget, as well as all Executive branch departments and other major federal agencies, should appoint Chief Privacy Officers.
- Strengthen privacy notices. At present, a “system of records notice” need be published only on the Federal Register and need not disclose “routine uses” of the information collection system described in the notice. As such, system of records notices are often difficult for the public to access and read, and tend to only offer a partial picture of the scope of information collection. CDT recommended the creation of a centralized website of privacy notices. Notices themselves should contain clear and detailed statements of the purposes of the system of records.
Senator Akaka’s “Privacy Act Modernization for the Information Age Act of 2011” would adopt each one of these recommendations, as well as others the CDT working group recommended. The Act would give agencies’ privacy officers the authority to investigate violations of privacy laws, and the Act also includes an appropriate definition for “personally identifiable information” – any information that can be used to distinguish or trace an individual’s identity, and any other information that is linked or linkable to an individual.
CDT supports the bill overall and urges Congress to carefully consider it. Revisions to the Privacy Act have been introduced – and have failed to pass – before, notably the Federal Agency Protection of Privacy Act in 2004. However, commercial privacy has grown into a hot subject on Capitol Hill and it would make sense for Congress to address government collection and access to personal information as well, rather than leave the task of renovating the nation’s privacy laws unfinished.