Information should be disclosed to another agency only to carry out a lawfully authorized function of the recipient agency. Redisclosures to other agencies should be governed by the same general principles. Exceptions to these principles should be allowed only pursuant to the specific written request or authorization of the subject individual and not pursuant to a general open consent to disclosure; further, no agency should require an individual to execute such a consent nor should any agency deny an individual a right, privilege, or benefit provided by Federal law because of his failure or refusal to do so. In the interests of fairness to the individual and of sound administrative practices, these principles should be strictly observed and should not be vitiated by the imposition of numerous exceptions, as in the Privacy Act's present disclosure provisions. Two obvious exceptions would undoubtedly qualify the first principle, limiting interagency disclosures to those for the same purposes. Disclosure to another agency solely for statistical purposes, with appropriate confidentiality and security safeguards, would be one. Although not a disclosure for the same purpose, it is one that could result in no harm to the individual. The second would be a disclosure for law enforcement purposes.
Although societal needs may require such information exchanges, there is much evidence in the PPSC report to support that Commission's expressed concern about the relatively unrestricted disclosure of data for law enforcement purposes and "the current pattern of unrestricted information flows between law enforcement and investigative agencies at all levels of government."14 In revising subsection (b) of the Privacy Act, Congress may want to reexamine the law enforcement exception now provided in subsection (b)(7) to consider whether a more narrowly defined provision, such as that suggested by the PPSC in several of its legislative recommendations,15 would provide a sounder balance between individual privacy rights and societal needs. With the above qualifications and with an effective administrative agency to monitor interagency disclosures, the Commission believes that a reasonable balance can be achieved between the protection of personal privacy and the interests of sound and efficient administration of Federal programs. The Commission proposes that the Privacy Act be amended to define more precisely the types of personal information covered by the Act and to establish a three-tiered approach to disclosures, providing that some information be exempt from disclosure (sensitive information, such as that related to alcohol and drug abuse programs, family planning programs, and the like), some information be disclosable to the public (directory-type data), and that some information be disclosable only to other government agencies.
14 N.10, supra, p. 535.
15 In general, the PPSC has suggested that such disclosures be limited to those necessary to investigate or prosecute suspected or alleged violations of law directly related to the particular program or activity for which the information was submitted.
These proposed amendments would permit the more efficient use of a considerable amount of non-sensitive information about individuals while assuring individuals of fairness in the disclosure and use of such data and preserving the confidentiality of other more sensitive information. Equally important, this approach, adopting stricter confidentiality provisions for "sensitive" information than those now in the Privacy Act, would enable the Congress to repeal the numerous confidentiality provisions of other program laws and to encompass these into one comprehensive law regulating personal information about individuals.
Recommendation No. 10
That Congress should substantially revise subsection (b) of the
to replace and consolidate the numerous relevant confi-
to define the kinds of personal information covered by the
to set standards for the interagency disclosure of informa-
Sanctions and Remedies. As more fully discussed in Section III of
Subsection (g) provides that an individual may bring a civil action against an agency which has denied him access to his record or has refused to amend his record. An individual may also bring an action alleging agency noncompliance with any other provision of the Act but only if such noncompliance has had an "adverse effect" on him. To recover damages (only "actual damages") the individual must prove actual injury resulting from agency noncompliance and an "intentional or willful" violation of the Act. In view of the difficulty of proving either one of these, the recovery of damages, the only relief provided, becomes a somewhat illusory remedy. Moreover, we see no rational basis for the requirement that both these conditions be met. If an individual has, in fact, suffered injury as a result of an agency's negligence in recordkeeping practices, he should be able to recover compensatory damages without having to prove that the agency acted willfully or intentionally.
As this report has already demonstrated, agency noncompliance with the recordkeeping provisions of the Act consists primarily of agencies' simply ignoring most of these provisions — a pattern of disregard or neglect rather than of any willful, intentional, or malicious behavior. Moreover, if an agency has engaged in such "intentional or willful" noncompliance, an individual should be able to recover damages without demonstrating injury or "adverse effect" and without having to prove "actual damages." Otherwise, there will be little incentive for administrators to change current internal management or recordkeeping practices which may be potentially harmful to individual data subjects. Like the PPSC, this Commission sees no rationale for the requirement that an individual prove actual injury in order to be able to seek legal redress for agency noncompliance with all but the access and record amendment provisions of the Act. We also agree with the PPSC that the damages provisions in subsection (g) should be amended to allow for the recovery of general as well as actual or compensatory damages. We would go further, however, and revise those provisions which set forth the standards of proof required for the recovery of damages. Accordingly, the Commission proposes that the recovery of actual or compensatory damages be allowed to individuals who have suffered injury as a result of agency noncompliance without a need to prove "intentional or willful" noncompliance, and that the recovery of general damages be allowed upon a showing of "intentional or willful" agency noncompliance. The Commission believes it essential to provide individuals with meaningful legal remedies not only to compensate them for any injuries suffered but, equally important, to enforce agency compliance with the Act.
The provisions at issue here are the most basic to the Act (those guaranteeing fairness in recordkeeping and protecting the individual from the misuse of agency data about himself) and the most difficult to monitor. Even after the establishment of an agency to monitor compliance, judicial review will be an essential incentive to agency compliance with these provisions.
Recommendation No. 11
That Congress should amend subsection (g) of the Privacy Act to provide (1) that, whenever an agency fails or refuses to comply with any of the provisions of the Act, an individual who is the subject of records maintained by that agency may bring an action against the agency to enforce compliance and to recover damages; (2) that the court, in any such action, may order the agency to comply with any of the provisions of the Act; and (3) that the Government shall be liable for actual or compensatory damages sustained by individuals adversely affected by such noncompliance (without a need to prove willful or intentional violation) and for general damages in those cases where the court determines that the agency has intentionally or willfully refused to comply with the Act (regardless of proof of adverse effect or injury to the individual resulting from such intentional or willful noncompliance). The recovery of general damages should be limited to a minimum of $1000 and a maximum of $10,000.
Extension of the Privacy Act. At various points in this report, we
to provide guarantees, when information is disclosed from
to provide security safeguards for confidential information
to provide, as in the administration of welfare programs,
to provide confidentiality and security guarantees for
to clarify the language in subsection (m) of the Act,
Clearly, the extension of the Privacy Act would greatly enhance and
Two questions remain:
When and in what form should the Act be extended prior
How broad should the coverage of the Act be?
This report has pointed to many deficiencies in the Privacy Act and contains recommendations for revising or amending several of its basic provisions. Yet, even with these deficiencies, the Privacy Act provides significant protection to individuals in many respects. Accordingly, the Commission would not ordinarily suggest awaiting amendment of the Act, in accordance with the recommendations in this report, to extend its coverage to other levels of government or to other organizations. For some programs, however, such as the welfare programs mentioned above, the Act cannot be extended in its present form, at least not until the adoption of Recommendation No. 10, calling for the substantial revision of the disclosure provisions of the Act and the repeal of existing confidentiality provisions in relevant program laws. For those programs requiring the collection and maintenance of much sensitive information, statutory changes must first be made to provide additional safeguards for protecting the confidentiality of such data while, at the same time, permitting freer exchanges of other types of data which would, for example, enable agencies to utilize single application forms for several related programs. Accordingly, the Commission proposes that, at the same time that Recommendation No. 10 is adopted and subsection (b) of the Act is revised, the Congress extend its coverage to certain programs and activities receiving Federal financial assistance. Recommendation No. 10 cannot be adopted immediately as it must follow the comprehensive review of existing legislation proposed in Recommendation No. 6. Thus, there will be ample time and opportunity for Congress - or its appropriate committees - to explore the ways in which the Act may most easily be extended and the enforcement or compliance machinery that will be necessary to ensure its effective administration. 
The Commission has already suggested, earlier in this report, that Privacy Act requirements be extended to welfare, health, and education programs receiving Federal financial assistance. We have also indicated that the provisions of the Act should apply to any Federal contractor, grantee, or subcontractor who, in connection with a contract or discretionary grant, must create a system of records containing identifiable information about individuals. The Commission has also suggested that ultimate compliance responsibility be placed in the new agency proposed in Recommendation No. 3 rather than with the head of any particular Federal department or agency. We have not, however, defined the outer limits of the proposed extension of the Privacy Act: whether, for example, the Act should apply to programs receiving Revenue Sharing funds or Federal loans or to all programs or activities receiving Federal financial aid. Recognizing the additional paperwork and compliance burdens that will accompany the increased coverage, the Commission suggests that the Act's extension be limited initially to those programs which require or have required the creation of new recordkeeping systems containing individually identifiable information.