Hi there. It is Chris Stevens. I'm the privacy gremlin and I'm also the InfoSec Institute's instructor for its information privacy essentials for cyber-security professionals learning path, which is a mouthful. Now we're going to continue our discussion looking at some of those US laws at the federal level that relate to privacy. Now in this discussion, we're going to talk about the Privacy Act of 1974. I love talking about the Privacy Act of 1974. It's funny, when I joined the military in 1982, I saw forms and the drill sergeant and recruiter told me I had to sign them. I had no idea what I was signing throughout my 35 years of combined military service and civilian service in the US intelligence community. Again, oftentimes I still saw requirements of the Privacy Act of 1974, but I never truly knew what that meant. Even as a senior executive, I knew I had some insights that I was supposed to handle a person's personal identifiable information. I understood how I'd handle classified information. Again, I had an understanding of what those obligations were. It wasn't until I became a privacy professional that I really began to understand the Privacy Act of 1974. It was written hastily by Congress, and it has been amended, had certain imperfections. But I think the thought was that given the way that the US government executive branch, and it applies to the executive branch, had handled and collected American citizens and legal permanent residents, their personal identifiable information without having their appropriate oversight and requirements in place, they felt a need to pass this Act. Let's talk about it. Now these are some of the things we're going to talk about. We're going to talk about the history of the Privacy Act of 1974. We are going to talk about some definitions because they're important. We're going talk about some of those conditions when information can be disclosed, a third party personal identifiable information, how organizations have to account for certain disclosures, your rights as an American citizen, if you are one, or legal permanent residents to access your information, your right get correct that information when allowed under the law. What are those requirements that are levied on the organizations to make sure that their protecting American citizens and legal permanent residents, their personal identifiable information? What are some of those agency rules, some of those rules that agencies have to promulgate so their workforce and others understand what their obligations are under this important Act. We're going to talk about again, some of the civil penalties for non-compliance. We're going to talk about criminal penalties. They're both. They can be enforced of an organization or an agency, words matter, or an officer of that agency is non-compliant with this important Act. We're going to talk about 10 exemptions. There's one special exemption. They break it down into seven general, and then there are two others that we'll talk about. Then for the better part, the Privacy Act of 1974 only applies to Federal government executive branch agencies. However, when it comes to social security usage, then it also extends to state and local governments, and we're going to talk about that. Buckle your seat belts, get ready for this ride because again, you're letting the privacy gremlin talk about a topic that he truly loves, information privacy and data protection. Let's look at the history. I alluded to this earlier in the course to where the former Secretary of Health, Education and Welfare, we know that department now as the Department of Health and Human Services, just wanted to look at how the federal government itself, executive branch agencies, were collecting information using an automated means and other means, collecting that information from American citizens, legal permanent residents and then storing that in records that we're going to find it shortly. That advisory committee looked long and hard. I shared the history, coming out in the 1950s. We have McCarthyism, collecting information on individuals accusing them of being communists. In the 60s, we had collection by executive branch agencies, by the FBI, some of the others against war protesters, students themselves, against civil rights leaders and that information was compiled to support investigations by the FBI in their Counter Intelligence Program, COINTELPRO. Then we had the Watergate scandal 1973, where you have more political party trying to obtain information on individuals of the opposing party and use it for its own needs without consent. What were those findings that are important to us? They were. They determined that US federal government agencies, Executive branch agency for maintaining secret dossiers on American citizens and legal permanent residents, shame on them. It also saw that you and I as an American citizen, if you are one or a legal permanent residents didn't know when information was being collected on them. They didn't know how that information is being used, they had no way of correcting or amending that information that was inaccurate, both objectively and subjectively. The organizations entrusted with collecting this information didn't have mechanisms in place to ensure that information was accurate, timely, and relevant. Nor did they have a way of identifying the misuse of this data as it applied to US citizens and legal permanent residence. That's what we talked about. What happened is, it said that in 1974, we developed the first US Code of Fair Information Practices. That became the essence of the Privacy Act of 1974. We're going to talk about some definitions. I didn't list them all, but I thought some were important. We're going to find what it means to be an agency, an individual records, and system of records. Let's talk about agency. That's any agency that's a part of the federal government Executive branch. That's the Cabinet agencies, the Office of the President, the Office of the Vice President. We're talking about any quasi-government entity itself, like the US Postal Service. They all have to comply with the Privacy Act of 1974. What do we mean when we talk about an individual? That's an American citizen or legal permanent residence. It doesn't extend protection to others outside of those two classes. What's a record? A record is a compilation of any information on an American citizen or a legal permanent resident that store, maintained by an agency that refers to that person's education, financial transactions, medical history, any criminal information, employment history. Again, that information itself in that record is retrieved by, or contains a person's name or some type of identifying number, like a social security number. Or some symbol associated with that American citizen and legal permanent resident, or any other type of identifier, particular that might directly relate to that individual. It can be a fingerprint, it can be a voiceprint, biometric data. It can be a photograph. A system of records is a group of those records that are maintained by that agency to where you can retrieve a record by using a name, identifying number, or some other type of identifying particular that allow you to identify the person associated with that record. It's an important distinction, because previously we talked about Privacy Impact Assessments. While we do those, we're going to talk about that again, later when we get to the E-Government Act of 2002 Section 208 B discussion. Agencies also have to maintain the system of records and give notifications on those systems of records. We're going to talk about that a little later in this discussion. Then the requirements levied on them by the Federal Information Security Modernization Act of 2014 says, that annually, these agencies have to report this information to the Office of Management and Budget for us to review. They also have to, unless there's some type of classified information, will classify systems associated with someone's or PIA's, also have the policies publicly for the public's review. Good stuff. Let's talk about some of those conditions of disclosure to third parties. The Privacy Act of 1974, it's pretty explicit on how information contained in records or stored in system for records can be shared outside of an organization's routine use for that information. Let's talk about the "No Disclosure Without Consent" rule. If you are a federal government agency in the executive branch, and you're storing information and records, and you have a system of records that relate to an American citizen or a legal permanent resident, then you're not supposed to disclose that information unless you have the written consent of that individual to whom that record pertains or that system of record pertains. Unless, you meet one or 12 exceptions. Now, any officials working on behalf of those Executive branch agencies must maintain the confidentiality of those records. Wow, don't get sticker shock, but we have 12 exemptions that again, allow our federal government agencies to be able to share this information in ways. Unless, it's not allowed on the Privacy Act of 1974. We're going to talk about these. Let's go back, my apologies. You need to have a need to know if there's an associative Freedom of Information Act disclosure required under the law. If it's for routine use of that information, be able to provide a benefit or service, if the information is being shared with the US Census Bureau as of being used for statistical research, if there's a requirements stored in the National Archives and Records Administration or NARA and supportive investigations and support a law enforcement for health and safety reasons to maintain the health and safety of an individual. If it's a request from the US Congress. If the information is requested as part of an audit or an investigation by the General Accounting Office, GAO and I talked to you about my experience with the GAO. If there's a legal, a lawful court order for that information or if it's being shared in support of satisfying a debt under the debt collection act. Let's talk about accounting for certain disclosures on the privacy act. No federal government agencies in the executive branch have to meet these requirements were accounting for certain disclosures. Again, you've got to maintain be cognizant of all those system of records that are maintained by that agency and they got to do that by keeping a record of the date, nature, and purpose of the disclosure of a record as it pertains to an American citizen or legal permanent resident. If that information being shared with another agency, you got to have the name and the contact information for that person or the agency to whom that information will disclose. Now, if you're sharing that information for entry and if you sharing that data for routine uses and within your own organization or you're satisfying have to respond to a FOIA request, then again, that's excluded. Now you have to maintain these accountings of disclosure for five years or the life of that record, whichever one is longer from the time that you actually disclose the record or system of records. Now again, an American citizen or a legal permanent resident, has the ability upon submitting a written request to get access to this accounting of disclosures and then if you are the organization, the agency or an official of that agency, then you've got to let me know or the agency know about it and that pass these records or system of records about any changes that are made to the record, any individual complaints or disputes from the time that you disclosed that information. We have rights, I keep saying we. American citizens and legal permanent residents have rights under the Privacy Act of 1974 to request access to their personally identifiable information stored in records or system of records unless it's prohibited by the law. If you are executive branch agency and you receive that request for access to a record of system of records, then applying, reviewing, verifying the identity, verifying the request, then you supposed to provide that information to the individual or if they have a legal representative, allow them to review that record and make a copy of it free of charge in a form that's understandable. But like I said, in today's environment, you have to make sure you're verifying the identity of that information before you release that record or source of information on a record or a system of records, you allow them to review those records, assessing the records. Especially if they're going to have a legal permanent resident that is representing them. Now when we look at FOIA and we look at the Privacy Act, individuals can request access to information. The difference is is that from the Privacy Act, you can only request information that's specific to your records. You can't request some information on other people and FOIA you can be anybody. It's not just for scope to an American citizen or legal permanent resident, anyone can submit a FOIA request, but then again, agencies also have exemptions from disclosing that information. You've got a right to amend your information. If you have American citizen or a legal permanent resident after you want to review your record or a system of record, you find out that information is inaccurate and you want to amend it, you have a right to do so unless it's not allowed under the law. Now, you're going to submit your requests. We're going to talk about these rights right now. Again, I can request an amendment to my own record. Upon receipt of that request, that agency has to acknowledge it in writing and either correct the information that request it as inaccurate, make sure it's accurate, timely, and relevant, or let me know that again is not going to amend the record and then the reason why you made that decision and how that individual can appeal that decision. Once I submit my statement of disagreement with the refuse of that agency to request review of that age, then they have to respond not later than 30 working days that I request that review. If they refuse to amend that record on my request, then I have to be allowed to put a statement of disagreement in my records stating, again, the agency's refusal to approve that request and my disagreement with it. We talked about the Privacy Act is specific to you and your specific record or system of records. Foye allows any individual to submit a request for access information, although there are exemptions. When I've worked at the Office of the Director of National Intelligence, my office is right next to the Foye office. My heart went out to them because they were always receiving these inquiries for access to information. Again, we would always have to go and provide any information we had in our holdings to the Foye officer although there are many exemptions there that prohibit the sharing of certain information like law enforcement, national security information with the broader public. Agencies have to meet certain requirements as it applies to the Privacy Act of 1974. You're only supposed to collect information and personal identified information and store it in a record or a system records when it's relevant to that agency providing some type of benefit of service to that American citizen or a legal permanent resident. You've got to let me know given the mechanism which you're collecting this information, how it's going to be collected, and what purpose it is. You got to tell me the authority, what law regulation allows you as an organization to collect this information, you got to let me know and provide that information if it's mandatory or if it's voluntary so I can have a choice of opting out of sharing that information. You got to let me know the purpose for which you're using that information and how it's going to be used. If it's going to be used for routing purposes, providing with a business or a benefit or a service, you have to provide that information to me. What happens if I don't disclose this information? Like there's a request for my social security number and I don't provide it; does that allow the organization not to grant me that benefit or service so I can make an informed decision? These agencies are required to post [inaudible] to system of record notifications to the public register for review by the public and others. They also have to provide these notification to Congress and to the OMB. This note is going to be laid out and you can access these systems of records, notifications so that you know exactly how a system that's being maintained by an organization is collecting information on you, storing it in a record or system to register purpose of that. But you're going to tell them the name, location of the system, which agency is responsible for maintaining this system, who are the individuals, American citizens or legal permanent residence to who the information being stored in records. The categorization of these records that are stored in the system. For each routine used by the organization itself or the agency itself, letting them know the categories of users and the purpose of those users. The organization's data retention and data extraction policies, its access control and other security requirements controls. Point of contact for the agency official that's responsible for maintaining and operating this system itself that's storing records, a system of records. How I can request information on information that's being stored, and in the system. How I can request information and amended it if it's an accurate. Then the categories or types of records that a process has stored in that system. Agencies have other requirements. You've got to maintain the relevance, accuracy, and timely of the information to make sure that we're treating individuals fairly and in a transparent method. We've got to make sure that before you share or disclose of record containing personally identifying information about an individual to another individual other than another agency, you got to let them know that that information before it's being shared is accurate, complete, timely or relevant. If it deals with my rights as an American citizen on legal permanent resident that are protected under the First Amendment, you can't maintain those records that, again, infringe upon those rights and freedoms unless it's part of a legal and lawful law enforcement activity. You got to make sure you make every attempt to give notice to that individual when their record or system of record is being shared with anyone else to satisfy some mandatory requirement unless it's a part of a public record. You got to have rules and policies, procedures in place that really document the inner workings of any system of records, how you maintain those records, how individuals will comply and respect the rights and freedoms of individuals, and also detail, have rules in place that talk about penalties for non-compliance. You got to have the appropriate security safeguards in place to protect the information stored in system of records, those administrative, physical, and technical security controls and make sure that you protect individuals from privacy invasions, privacy harms should someone be able to access that information in an unauthorized method. Then before you actually place this system in operation, then you've got to have at least 30 days prior to the publication release placing that system operation, you have to leave that notice in place with 30 days. There is another 10-day requirement to notify Congress and OMB. What are some agency rules? You've got to have rules in place that document how you are going to protect and maintain a system of records. These records have to provide certain guidelines, how are you going to satisfy individual requests, how are you going to identify individuals, verify their identity into the requesting records, your process for accounting for disclosures and disclosing the records, especially that's going to contain sensitive information? Your ability to have reasonable fees for individuals that request copies of their records and then also having processes in place to make sure that you allow individuals to plan verified requests to be able to access and review their records. These are all some of the protections that you have as an American citizen or a legal permanent resident. You got to give me notice if there is a system of records that contain information and my privacy is not part of that information. You got to state the reasonable time to place the requirements for identifying an individual who's requesting their record or any information and before that information is disclosed. You got to make sure that you've got procedures in place on how you will manage disclosure to an individual that maintain sensitive information, like information on a person's medical records, psychological records, et cetera. You got to have procedures in place for allowing an individual who submits a written request, or review their records, or amend their records, or a system of records, and also the appeal process if that agency is going to deny that individual the right to access and amend their records. Then you've got to have rules in place that say that, again, you can have reasonable cause for individuals that would have copies of the records made. Now, this doesn't include any search, it calls for the search and review of records because again, that's protected and covered under the Privacy Act. There are civil penalties for non-compliance. I as an American citizen or legal permanent resident, should I determine that an organization or an agency and the executive branch is in violation of the Privacy Act, I can go to court, private right of action. Now I can have the agency cease and desist using a [inaudible] relief, it can be an amendment lawsuit or an access lawsuit. Then two of the types of lawsuits allow for me to recoup, have compensatory relief in the form of monetary agencies, and also to cover attorney fees, reasonable attorney fees when appropriate. Even if I sued, again, the most that I could recoup is $1,000 for these types of violations of the law. We talked about amendment lawsuits, access lawsuit, damage lawsuits. We're going to talk about these a little in greater detail if you're willfully or intentionally in violation of the law. It gives me relief for actual damages that cause privacy harm and the privacy invasions and the ability to recoup attorney fees when appropriate or approved by the court. Here we talk about it in greater detail. If I, as an organization, decide not to amend a record and I'm not compliant with the Privacy Act, then again, an individual can sue because of that decision not to amend those records upon request if he deny me the right to access my records. You're in violation of the Privacy Act and I can sue you. If because of your mishandling of records, the disclosure of my records, the misuse of my records, and it poses privacy harms or privacy invasion or harm to me as an individual, then I can sue you. It's going to be the court that determines whether the non-compliance was intentional or willful. But if it determines that, then again, the individual that's suing can receive no more than $1,000. If it's for intention or willful standard, then again, you know the violations are more significant. If it's intentional willful then, you can sue for actual damages. If you can demonstrate that that agency or that agency representative was in violation, there was an adverse effect on me, the calls of that action, and if it was intentional or willful, then you've got to pay those actual damages that were sustained by me as an American citizen or a legal permanent resident. Again, you're only going to receive the sum no greater than $1,000. Now, the court can also for Amendment and Access lawsuits, then they can allow for the payment of attorney fees and costs, at the court's discretion. But for damage lawsuits, then they can't use it, it's not at the court's discretion. Let's talk about criminal penalties. If you got officials, other organs of agency itself that are not in violation of the Privacy Act of 1974, and this is where we have individuals keeping those secret dossiers, when people have shared information disclosing it outside the requirements of the Privacy Act. Here we are. If you're an official or an employee of a government agency and the executive branch that has access to records, access to accessible records that contain information on American citizens and legal permanent residence, their personal identifiable information and you disclose that information in a way that's not authorized on the Privacy Act, then you can be found guilty of a misdemeanor and you can be fined for not more than $5,000. If you're keeping secret dossiers and files and individuals in a system of records without giving the appropriate notice, then you will be found again, guilty of a misdemeanor and fined not more than $5,000. Any individual that knowingly and willfully illegally requests access and obtains a record on an individual from an agency under false pretenses, then they will be found guilty of a misdemeanor, and again, fined not more that $5,000 dollars. Now, there are 10 exemptions out there that really protect agencies themselves when they're disclosed on an individual's records. One is specific, two are general exemptions, and the third grouping are seven specific exemptions. Let's talk about those. When we talk about a special exemption, if there's an ongoing litigation cortex and civil action or proceeding, then agencies themselves don't have to disclose that information, if they believe, as in, anticipate some type of civil lawsuit. When we talk about two general exemptions, then again, if head of an agency can promulgate rules that don't allow the access to a system of records when that information is maintained by the CIA or is maintained by a law enforcement agency and the conduct of criminal investigations like the FBI, federal law enforcement agencies. Then we get the seven specific exemptions and we've talked about some of these earlier under our exceptions. The head of an agency can establish rules, draft rules that exempt the sharing of any access, any system of records if they pertain to a four-year exemption, if it's information in support of a law enforcement investigation, if an information that talks about secret service information, that talks about how we protect the President and other key individuals, for statistical purposes. If you are information that's part of an investigation to determine if an individual is suitable or eligible or qualified for hiring by a federal government agency to join the military, to participate in federal contracts, or to gain access to classified information. If we're lasting information on some of the tests and examination materials used to determine if I qualify for appointment of promotion in the federal government, and that information would impact the casting examination process. If we're talking about information evaluation materials used to determine if you can be promoted within the Armed Services, and I'm going to do both of those. All of these in many ways have applied to me given the different jobs I've had. Again, in the military we go for promotion boards and our records are sent forward. It protects the information. Oftentimes individuals will request information, want to know the proceedings of the promotion board, and so it protects that information that's used to make those evaluations for being shared broadly. When we talk about social security numbers, this is where the law extends itself beyond just federal government executive branch agencies. This where extends to any federal, state, or local government agency that puts protect the place you can't deny me the right to a benefit of service if I refuse to disclose security number. Now it doesn't apply if it's required by law, some federal law or if disclosure of security number to a federal, state, or local agency was requested or maintain a system of records prior to January 1, 1975, when the Privacy Act was fully enforced. Let's talk about this important law. Again, the Privacy Act of 1974 and corporation or the first five set of code of fair information practice that gives guidance to federal government executive branch agencies on how they're supposed to collect, disclose, retain, dispose of an individual's American citizens or legal permanent residents personally identifying information is fair. I want you to remember this because sometimes we confuse the Privacy Act of 1974, its provisions with FOIA, the Freedom of Information Act. If we talk about the Privacy Act and only provides protections to American citizens and legal permanent residents. Anyone can request access information from the US federal government under FOIA and the Privacy Act, remember, you can only request access to review access and a menu records that pertains specifically to you. The Privacy Act requires that you again, you got to account for certain disclosure the third parties, and you also have to maintain less, you meet one of those exceptions and again, you have to have the written request or approval from individual before their records can be shared. We defined a record as a set of records, as a compilation of information on an individual that's used, contains a name and identifying number like a social security number and other identifying number or some other type of identifying particular like a photograph some type of bio-metric information. We defined a system of records as a system of records being a compilation of these records by which they are retrieved from that system of records by using a name and identifying number like a social security number, so identify particular like bio-metric data or photograph. We said the Privacy Act of 1974 get establishes rules and places obligations on those federal government agencies themselves on how they can have to maintain these records, respond to access request, also respond to a [inaudible] request. We know that there are penalties for noncompliance, we know also that if you are a federal government agency in the executive branch, that you have to publish an issue, the systems of records, notifications to the public and they have to be placed in the Federal Register for time period of 30 days before you place that system of records in operation. We know that the Federal Information Security Modernization Act of 2014 placing requirement on organizations to where they have to report annually the number of songs that they've produced and also the number PIAs that they produced annually to OMB. We also know that outside of those 30 days and again, those agencies are going to implement or modifying assessment for records and they account for that in their system of records notification have 10 days in which to allow Congress and OMB to review that record. Some agencies really adopt a tiny period of 40 days before they place that system of records in place. We know that one area where the Privacy Act of 1974 extends beyond just federal government executive branch agencies, as with the usage of social security numbers and provides guide not only to the federal government executive branch. But also to state and local governments. It says as you, if I decide as an American citizen or legal permanent resident that I don't want to disclose my social security number to gain access to a record or a system of records that you can't deny me benefits and services on their. FISMA, the Federal Information Security Modernization Act of 2014 also place a requirement on Federal government executive branch agencies also annually to provide documentation on how they're trying to reduce their use of social security numbers. I hope you enjoyed the discussion. There's more to follow. I get so excited about talking about privacy and data protection with you, I hope you, your family members and significant others are safe and well. Wherever you are on this beautiful earth of hours, I hope that you are safe and well. It's Chris from the Privacy Grumbling. Take care.