--the acknowledgement by agency officials that they contracts where it should have been. --the almost complete lack of monitoring by contracting the general absence of new initiatives by contractors obligated to meet the act's requirements. Many agency and contractor officials believe this is not a cause for concern because: --prior practices by contractors often already assured the protection of personal information, and --in few, if any, cases have Federal contractors vio lated the privacy rights of individuals. Even so, there is a potential for harm of varying conconsequences to persons involved, because some Federal contractors handle highly sensitive and/or commercially valuable personal information and security practices vary extensively among contractors. Moreover, while the existing legislation perhaps could be further clarified, there is no doubt that the Congress intended that Federal contractors whose contracts provide for the operation of a "systems of records" containing personal data that, in effect replace agency systems, comply with the Privacy Act's requirements. Therefore, we believe the Office of Management Budget should direct and encourage Federal agencies and departments to improve their effort to comply with the subsection 3 (m) of the Privacy Act of 1974. More specifically, we believe that OMB should: --improve and expand its own guidelines to assist agencies in making decisions as to which contracts should be subject to the Act. A clear explanation of the rationale for coverage, and more examples, would be useful; --encourage the Civil Service Commission and agencies to include better coverage of subsection 3 (m) in Privacy Act training programs; --review and clarify procurement regulations to assure --reemphasize its existing guidance to agencies that --direct agencies to acquaint contractors--through --require that agencies establish an appropriate method of monitoring contractors' compliance If resources are unavailable for regular on-site reviews of contractors, other less costly alternatives, such as contractor certifications of compliance and periodic spotchecks, should be considered. I have discussed in this testimony the general absence of effective adherence to the 3(m) provision of the Privacy Act by both agencies and contractors. I have cited some steps OMB can take to improve agencies and departments compliance with subsection 3 (m) of the Act. What has not been discussed is what the Congress can do to clarify subsection 3 (m) of the Privacy Act. At least one major bill has been introduced in the Congress to change the entire Privacy Act. While numerous changes to subsection 3(m) other than the ones cited in House Bill 10076, introduced on November 11, 1977, are possible, we believe the language in this Bill, which is based on a specific recommendation of the Privacy Protection Study Commission would solve some of the problems noted in our review. It will for instance, replace the term "system of records" with a broader definition of personal information to be covered under the act. It would also specifically legislate agency responsibilities for insuring contractors compliance with the act. Additionally, conditions for contractor exclusion from the act are defined in considerable detail.1 While it may not be feasible to develop legislative language that will preclude some variations in interpretation we believe the proposed legislation, as it relates to subsection 3(m) of the current act, should lead to a more consistent interpretation of congressional intent and agency and contractor responsibility. Of course, if H.R. 10076 is enacted, the revision of subsection 3 (m), while providing some clarification, would also have other possibly major consequences which we have not analyzed, and on which we take no position at this time. We will try to answer This concludes my prepared statement. any questions you or other members of Subcommittee may have. Mr. WEISS. Our next and last witness this morning is Mr. Robert Saloschin, Chairman of the Freedom of Information Committee, Office of Legal Counsel, Department of Justice. With Mr. Saloschin we will be switching topics to the issue of administrative markings by Federal agencies, and how they are in conformance or nonconformance with the Freedom of Information Act. I understand you do not have a prepared statement, but that you do have a statement to make. STATEMENT OF ROBERT L. SALOSCHIN, CHAIRMAN, FREEDOM OF INFORMATION COMMITTEE, OFFICE OF LEGAL COUNSEL, DEPARTMENT OF JUSTICE; ACCOMPANIED BY ERIC RICHARD, ATTORNEY, OFFICE OF LEGISLATIVE AFFAIRS Mr. SALOSCHIN. That is correct, Mr. Chairman. We got rather short notice of this morning's hearing, and essentially for that reason I think it has been understood between your staff director, Mr. Ingram, and Mr. Eric Richard, who is accompanying me on my right, who is an attorney in our Office of Legislative Affairs, that because of this time element I will not be presenting official positions or views either for the executive branch as a whole, or for the Justice Department. I hope that is satisfactory with you. I am happy to be able to talk purely informally and personally. It seems to me that a system of government involving separate branches works best when you have some easy and informal exchange of ideas to supplement the more formal presentations. I have no other prepared statement to make. I have some general thoughts on this subject, but I will save them for the moment. Mr. WEISS. Suppose we start with some basics, then. Do you think that restrictive labels are necessary to protect information? What specific functions do you think such labels serve? Mr. SALOSCHIN. Before answering that question or after answering that question, I would like to qualify my understanding of the phrase "to protect information." If by protecting information is meant the ultimate withholding of information by an agency, that is not the proper function of these markings, these so-called unclassified classifications. But if I understand, you mean the alerting of agency personnel to give careful consideration to what might otherwise be a unwitting or casual release of information or documents, then in that sense I think either a cautionary or warning label or some alternative method of alerting the many people who may come in contact with various types of documents in various agencies is probably useful and necessary guidance. When I say that, I am not trying to quantify it. In other words, I don't mean to say that many thousands or hundreds of thousands of Government employees need this kind of cautionary warning with respect to large categories of records in most of the agencies. am not quantifying it. I am just saying I think sometimes this kind of an admonitory or warning flag is necessary, considering the vast variety of records and-I believe it is two million-plus-Government personnel who might be dealing with them, some of whom may be new to the Government and the program. Mr. WEISS. How widely are the labels used? Mr. SALOSCHIN. I would be inclined, not having been able to make a comprehensive survey, myself, of that question, I would say they are used moderately widely and would accept a draft report which Mr. Ingram furnished me as a general and perhaps more specific indication of that. I believe it was stated there that there were 102 instances throughout the government of patterns where such labels were used. Mr. WEISS. In the opening statement we refer to some of these labels: the "eyes only," or "official use only," or "administratively confidential.” Do you think all of the labels serve the same kind of cautionary function, or do you think that, in fact, an "eyes only" kind of label, for example, is in the area of protecting information which was not a legitimate type of protected information? Mr. SALOSCHIN. Let me respond to that in two ways. I don't doubt that, considering the size of the Government, the number of records, and the variety of labels used, something short of perfection would characterize the total picture. In other words, there may have been greater or lesser abuses of these labels, many of which I would hope are attributable to misunderstanding caused by lack of proper management training, communication, or organization. That is one side of it. I think the other side of it is that I draw a sharp distinction-at least from a legal viewpoint and also perhaps from a policy viewpoint-between restrictions on dissemination of a record within an agency and restrictions on dissemination of the record to the public. The latter, of course, is controlled primarily by the Freedom of Information Act. I think it is largely within the province of agency management, as it would be within the province of management in any organization, to channel the flow of information inside that organization: This unit gets it; these people get it; the other people get it if they need it; some other people get it sooner; some get it later; and some people may not get it at all. Mr. WEISS. Do you believe that the existence or utilization of those markings, in fact, sways the judgment of the responsible person in making that information available under the Freedom of Information Act? |