9
disclosure of personal information about them. The Privacy Act focuses on the four basic policy
objectives listed here.
The Privacy Act applies to Federal agencies, including DoD, but not industry or state, local,
tribal, or territorial governments. However, equivalent State laws may apply depending on
location: The Privacy Act protects certain Federal Government records pertaining to individuals.
In particular, the Act covers systems of records that an agency maintains and retrieves by an
individual's name or other personal identifiers (e.g., social security number).
Kendra: As the slide states, the Privacy Act applies to federal agencies, including the Department
of Defense, and individuals that have authorized access to their information systems, regardless
of status. The Privacy Act does not apply to industry or state, local, tribal, or territorial
governments. Those entities may be subject to other federal, state, and local privacy laws
depending on their location and the nature of their organization. In general, the Privacy Act
prohibits unauthorized disclosures of the records it protects. It also gives individuals the right to
review records about themselves, to find out if these records have been disclosed, and to request
corrections or amendments of these records, unless the records are legally exempt. It's important
to note that Federal and DoD organizations will operate under a Systems of Records Notice or
SORN that describes the nature of collection, retention, and dissemination of records. If an
agency has a "record" that is not maintained in a "system of record," it generally may not be
disclosed unless by consent.
Exceptions to the Consent Rule
1. To agency or organization employees with a legitimate need to know
2. For when the FOIA requires release
3. For a “routine use” identified in the System of Records Notice (SORN) that has been
published in the Federal Register
4. To the Census Bureau for the purpose of conducting the census
5. For statistical research and reporting in which individuals will not be identified
6. To the National Archives and Records Administration
7. To civil or criminal law enforcement under U.S. control
8. For compelling circumstances affecting the health or safety of the individual
9. To either House of Congress
10. To the GAO
11. Pursuant to a court order (a subpoena signed by a judge)
12. To a consumer reporting agency in accordance with the Debt Collection Act
Kendra: The Consent Rule states that the individual subject of the file must provide consent to
allow disclosure of information from a Privacy Act system to a third party; however, there are 12
exceptions to the consent rule. I listed the exceptions on the screen, but I have them all on this on
a document for you to take with you. It also includes a link to the Department of Justice's Office
of Information Protection Justice Information Sharing webpage.
The Privacy Act Consent Rule Exceptions Job-Aid is linked on the screen.