The IT Law Wiki
The IT Law Wiki

Definition[]

In the Privacy Act of 1974, the term system of records (SOR) means

a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.[1]

OMB Guidelines[]

The OMB Privacy Act Implementation, Guidelines and Responsibilities explain that a system of records exists if: (1) there is an "indexing or retrieval capability using identifying particulars [that is] built into the system"; and (2) the agency "does, in fact, retrieve records about individuals by reference to some personal identifier."[2] The Guidelines state that the "is retrieved by" criterion "implies that the grouping of records under the control of an agency is accessed by the agency by use of a personal identifier; not merely that a capability or potential for retrieval exists."[3]

Judicial Interpretations[]

It is important to note that by its very terms the statute includes as personal identifiers items beyond the perhaps most commonly used name and social security number. As the Court of Appeals for the District of Columbia Circuit pointed out when considering a "photo file":

Recall that a system of records is "a group of any records . . . from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. §552a(a)(5) (emphasis added). The term "record" includes "any item . . . about an individual . . . that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." Id. § 552a(a)(4) (emphasis added). Under the Act's plain language, then, a "system of records" may be a group of any records retrieved by an identifying particular such as a photograph. In other words, the personal identifier may be the photograph itself.[4]

The D.C. Circuit also has addressed the "system of records" definition in the context of computerized information in Henke v. United States Department of Commerce,[5] and noted that "the OMB guidelines make it clear that it is not sufficient that an agency has the capability to retrieve information indexed under a person's name, but the agency must in fact retrieve records in this way in order for a system of records to exist."[6] The issue in Henke was whether or not computerized databases that contained information concerning technology grant proposals submitted by businesses constituted a "system of records" as to individuals listed as the "contact persons" for the grant applications, where the agency had acknowledged that "it could theoretically retrieve information by the name of the contact person."[7] The D.C. Circuit looked to Congress's use of the words "is retrieved" in the statute's definition of a system of records and focused on whether the agency "in practice" retrieved information.[8] The court held "that in determining whether an agency maintains a system of records keyed to individuals, the court should view the entirety of the situation, including the agency's function, the purpose for which the information was gathered, and the agency's actual retrieval practice and policies."[9]

Applying this test, the D.C. Circuit determined that the agency did "not maintain a system of records keyed to individuals listed in the contact person fields of its databases" because the agency's "purpose in requesting the name of a technical contact [was] essentially administrative and [was] not even necessary for the conduct of the [program's] operations," nor was there "any evidence that the names of contact persons [were] used regularly or even frequently to obtain information about those persons."[10]

Other district courts have also reached this result in the context of computerized information.[11]

Another district court, in considering whether an agency's website constituted a system of records, also looked to the OMB Guidelines and the reasoning of Henke. In McCready v. Principi, the District Court for the District of Columbia stated that "[b]ecause of the purpose and context of the Privacy Act, the Court finds that the practice of retrieval by name or other personal identifier must be an agency practice to create a system of records and not a 'practice' by those outside the agency." Thus, the court held that the VA's Web site did not constitute a system of records, because the VA did "not retrieve documents therefrom by the use of any personal identifier."[12]

The D.C. Circuit in Henke, in looking to the "purpose" for which the information was gathered, also drew a distinction between information gathered for investigatory purposes and information gathered for, in that case, administrative purposes. The court stated that where information is compiled about individuals "primarily for investigatory purposes, Privacy Act concerns are at their zenith, and if there is evidence of even a few retrievals of information keyed to individuals' names, it may well be the case that the agency is maintaining a system of records."[13]

The Court of Appeals for the Tenth Circuit, in Pippinger v. Rubin,[14] finding the approach in Henke "instructive," held that "consistent with Henke, a properly 'narrow' construction of 5 U.S.C. §552a(a)(5)" led it to the conclusion that an Internal Revenue Service database containing an "abstraction" of information from two existing Privacy Act systems did not constitute a new system of records because it could be "accessed only by the same users, and only for the same purposes, as those published in the Federal Register for the original 'system[s] of records.'"[15]

The highly technical "system of records" definition is perhaps the single most important Privacy Act concept, because (with some exceptions) it makes coverage under the Act dependent upon the method of retrieval of a record rather than its substantive content.[16] For example, if agencies do not retrieve personal information by identifier, the act’s protections do not apply.

Criticism[]

A major criticism of the Privacy Act is that it can easily be circumvented. If personally identifiable information (records) is not retrieved by identifier but instead accessed through some other method or criteria — for example, by searching for all individuals who have a certain medical condition or who applied for benefits on a certain date — the system would not meet the Privacy Act’s system-of-records definition and therefore would not be governed by the Act’s protections. OMB’s 1975 Privacy Act implementation guidance OMB Privacy Act Implementation, Guidelines and Responsibilities reflects an acknowledgment that agencies could potentially evade the Act’s requirements by organizing personal information in ways that may not be considered to be retrieved by identifier.[17]

This scope of the system-of-records definition has been an issue since the Privacy Act became law in 1974. In its 1977 report, the Privacy Protection Study Commission (PPSC) pointed out that retrieval by name or identifier reflected a manual rather than a computer-based model of information processing and did not take into account emerging computing technology. As the study explained, while manual record-keeping systems are likely to store and retrieve information by reference to a unique identifier, this is unnecessary in computer-based systems that permit attribute searches. The PPSC noted that retrieval of individually identifiable information by scanning (or searching) large volumes of computer records was not only possible but an ever-increasing agency practice.

The GAO's 2003 report concerning compliance with the Privacy Act found that the PPSC’s observations had been borne out across federal agencies. A key characteristic of agencies’ systems of records at the time was that a large proportion of them were electronic, reflecting the government’s significant use of computers and the Internet to collect and share personal information. Based on survey responses from 25 agencies in 2002, the GAO estimated that 70 percent of the agencies’ systems of records contained electronic records and that 11 percent of information systems in use at those agencies contained personal information that was outside a Privacy Act system of records. The GAO also reported that among the agencies surveyed, the most frequently cited reason for systems not being considered Privacy Act systems of records was that the agency did not use a personal identifier to retrieve the personal information.[18]

Recent OMB guidance reflects an acknowledgement that, although personally identifiable information does not always reside in Privacy Act systems of records, it should nevertheless be protected. Following a number of highly publicized data breaches at government agencies, OMB issued guidance instructing agencies to take action to safeguard “personally identifiable information.” Beginning in May 2006, OMB required senior agency privacy officials to “conduct a review of policies and processes and take corrective action as appropriate to ensure adequate safeguards to prevent the intentional or negligent misuse of, or unauthorized access to personally identifiable information.” Most recently, in May 2007, OMB required agencies to review and reduce “all current holding of personally identifiable information.” This guidance is not limited to information that is “retrieved by identifier” or contained within systems of records.

Data mining, a prevalent technique used by federal agencies36 for extracting useful information from large volumes of data, may escape the purview of the Privacy Act’s protections. Specifically, a data-mining system that performs analysis by looking for patterns in personal information located in other systems of records or that performs subject-based queries across multiple data sources may not constitute a system of records under the Act.

References[]

  1. 5 U.S.C. §552a(a)(5).
  2. OMB Guidelines, 40 Fed. Reg. 28,948, 28,952 (July 9, 1975).
  3. Id. (emphasis added).
  4. Maydak v. United States, 363 F.3d 512, 519-20 (D.C. Cir. 2004)(full-text) (remanding case to district court to determine whether prisons' compilation of photographs constitutes system of records). But see Ingerman v. Internal Rev. Serv., No. 89-5396, slip op. at 6 (D.N.J. Apr. 3, 1991) ("An individual's social security number does not contain his name, identifying number, or other identifying particular. . . . [A] social security number is the individual's identifying number, and therefore, it cannot qualify as a record under . . . the Privacy Act."), aff'd, 953 F.2d 1380 (3d Cir. 1992) (unpublished table decision).
  5. 83 F.3d 1453 (D.C. Cir. 1996)(full-text).
  6. Id. at 1460 n.12; see also Chang v. Department of the Navy, 314 F. Supp. 2d 35 (D.D.C. 2004)(full-text) ("[A]n agency's failure to acknowledge that it maintains a system of records will not protect the agency from statutory consequences if there is evidence that the agency in practice retrieves information about individuals by their names or personal identifiers . . . however, mere retrievability — that is, the capability to retrieve — is not enough."); McCready v. Principi, 297 F. Supp. 2d 178, 185 (D.D.C. 2003)(full-text) ("Only when 'there is actual retrieval of records keyed to individuals' in some way does the Privacy Act apply." (quoting Henke)).
  7. Id. at 1457-58.
  8. Id. at 1459-61.
  9. Id. at 1461.
  10. Id. at 1456, 1461-62; cf. Walker v. Ashcroft, No. 99-2385, slip op. at *17-*18 (D.D.C. Apr. 30, 2001) (alternative holding) (applying Henke and finding no evidence that the FBI "independently collected, gathered or maintained" a document containing plaintiff's prescription drug information given to the FBI by a state investigator, or that the FBI "could, in practice, actually retrieve the record by reference to [plaintiff's] name"), summary affirmance granted on other grounds, No. 01-5222, 2002 U.S. App. LEXIS 2485 (D.C. Cir. Jan. 25, 2002); Alexander v. Federal Bureau of Investigation, 193 F.R.D. 1, 6-8 (D.D.C. 2000) (applying Henke and finding that the agency maintained a system of records, considering the "purpose for which the information was gathered and the ordinary retrieval practices and procedures"), mandamus denied per curiam sub nom. In re Executive Office of the President, 215 F.3d 20 (D.C. Cir. 2000)([1]); Smith v. Henderson, No. C-99-4665, 1999 WL 1029862, at *5 (N.D. Cal. Oct. 29, 1999) (applying Henke and finding that "locked drawer containing a file folder in which [were] kept . . . notes or various other pieces of paper relating to special circumstances hires" did not constitute a system of records because the agency "did not utilize the drawer to systematically file and retrieve information about individuals indexed by their names"), aff'd sub nom. Smith v. Potter, 17 Fed. Appx. 731 (9th Cir. 2001). But cf. Williams v. Veterans Admin., 104 F.3d 670, 674-77 & n.4 (4th Cir. 1997)(full-text) (although remanding case for further factual development as to whether records were contained within system of records, and noting that it was "express[ing] no opinion on the Henke court's rationale when applied to circumstances where a plaintiff seeks to use retrieval capability to transform a group of records into a 'system of records,' as in Henke," nevertheless finding the "narrow Henke rationale . . . unconvincing" in circumstances before the court where there "appear[ed] to exist already a formal system of records," where "published characteristics of the agency's formal system of records ha[d] not kept current with advances in and typical uses of computer technology," and where record was "poorly developed" on such point).
  11. See Chang v. Department of the Navy, 314 F. Supp. 2d 35 (D.D.C. Apr. 22, 2004)(full-text) (applying Henke, rejecting plaintiff's assertion that document was retrievable by searching within the computer files of the relevant officers, and stating that "[p]laintiff's assertion that it is 'technically possible' to retrieve the [document] by searching for [plaintiff's] name is insufficient to meet the requirement that the data was retrieved in such a manner"); Fisher v. National Inst. of Health, 934 F. Supp. 464, 472-73 (D.D.C. 1996)(full-text) (applying Henke and stating: "[T]he primary practice and policy of the agency [during the time of the alleged disclosures] was to index and retrieve the investigatory files by the name of the institution in which the alleged misconduct occurred, rather than by the name of the individual scientist accused of committing the misconduct. The fact that it was possible to use plaintiff's name to identify a file containing information about the plaintiff is irrelevant."), summary affirmance granted, No. 96-5252 (D.C. Cir. Nov. 27, 1996); Beckette v. USPS, No. 88-802, slip op. at 19-22 (E.D. Va. July 3, 1989) (Although the plaintiff demonstrated that the agency "could retrieve . . . records by way of an individual's name or other personal identifier," that fact "does not make those records a Privacy Act system of records. The relevant inquiry is whether the records or the information they contain are [in fact] retrieved by name or other personal identifier.").
  12. 297 F. Supp. 2d at 198-99.
  13. 83 F.3d at 1461; see also Maydak v. United States, 363 F.3d at 520 (quoting Henke and remanding case to district court to determine whether prisons' compilation of photographs constitutes system of records and instructing district court to "take into account 'the entirety of the situation, including the agency's function, the purpose for which the information was gathered, and the agency's actual retrieval practices and policies'"); Fisher, 934 F. Supp. at 473 (quoting Henke but determining that agency's "primary practice and policy" was to retrieve investigatory files by name of institution rather than by name of individual); cf. Doe v. Veneman, 230 F. Supp. 2d 739, 752 (W.D. Tex. 2002) (quoting language from Henke regarding "even a few retrievals," and determining that noninvestigatory information "f[e]ll within the ambit of the Privacy Act" where information could "be retrieved by personal identifiers" and information was maintained in "single data repository from which more than 200 different types of reports [we]re generated," all from the raw data entered into the system) (appeal pending); Walker, No. 99-2385, slip op. at 17-18 (D.D.C. Apr. 30, 2001) (alternative holding) (applying Henke and finding no evidence that the FBI "independently collected, gathered or maintained" a document containing plaintiff's prescription drug information given to the FBI by a state investigator, or that the FBI "could, in practice, actually retrieve the record by reference to [plaintiff's] name").
  14. 129 F.3d 519 (10th Cir. 1997)(full-text).
  15. Id. at 526-27.
  16. See Baker v. Dep't of the Navy, 814 F.2d 1381, 1384 (9th Cir. 1987)(full-text); Shannon v. General Elec. Co., 812 F. Supp. 308, 321 (N.D.N.Y. 1993)(full-text) (although records disclosed to press under FOIA contained information about plaintiff, they were not retrieved by her name and therefore Privacy Act did not apply), aff'd on other grounds sub nom. Crumpton v. Stone, 59 F.3d 1400 (D.C. Cir. 1995)(full-text).
  17. According to OMB, “systems should not be subdivided or reorganized so that information which would otherwise have been subject to the act is no longer subject to the act. For example, if an agency maintains a series of records not arranged by name or personal identifier but uses a separate index file to retrieve records by name or personal identifier it should not treat these files as separate systems.” 40 Fed. Reg. 28963 (July 9, 1975).
  18. GAO, Privacy Act: OMB Leadership Needed to Improve Agency Compliance (GAO-03-304) (June 30, 2003).