Guidance Implementing Federal Statutes relevant in the Information Sharing Environment (ISE)
Privacy Act Guidance
The Attorney Generals’ Guidelines for Domestic FBI Operations (September 2008) (46 pp. PDF) – applies to the “investigative activities conducted by the [Federal Bureau of Investigation] FBI within the United States or outside the territories of all countries.” “The FBI may provide investigative assistance to state, local, or tribal agencies in the investigation of matters that may involve federal crimes or threats to the national security….” The Guidance addresses the Privacy Act specifically.
- “The Privacy Act restricts the maintenance of records relating to certain activities of individuals who are United States persons, with exceptions for circumstances in which the collection of such information is pertinent to and within the scope of an authorized law enforcement activity or is otherwise authorized by statute. 5 U.S.C. 552a(e)(7). Activities authorized by these Guidelines are authorized law enforcement activities or activities for which there is otherwise statutory authority for purposes of the Privacy Act. These Guidelines, however, do not provide an exhaustive enumeration of authorized FBI law enforcement activities….”
- See also page 13 of the 2000 guidelines, which states: “maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained or unless pertinent to and within the scope of an authorized law enforcement activity;”
- See also FBI Fact sheet on the “new” (2008) consolidated Guidelines
The FBI Domestic Investigations and Operations Guide (DIOG) (Unclassified Version; 248 pp. PDF) issued October 15, 2011, includes detailed discussions related to respecting First Amendment, equal protection and privacy rights while conducting investigations. It amends and supersedes the Domestic Investigation and Operations Guide published December 16, 2008. Note that the “DIOG is a privileged document that cannot be released in whole or in part to persons or agencies outside the Federal Bureau of Investigation, nor can it be republished in whole or in part in any written form not containing this statement, including general use pamphlets, without the approval of the Director of the Federal Bureau of Investigation.”
The DIOG requires FBI agents to assure that civil liberties and privacy are protected throughout any assessment or investigative process and states that agents are to conduct no investigations based solely upon one’s exercise of First Amendment activities (the free exercise of speech, religion, assembly, press or petition) or on the race, ethnicity, national origin or religion of the subject. (§18.104.22.168 and §22.214.171.124.) Section 4, “Privacy and Civil Liberties, And Least Intrusive Methods” states six basic principles designed to ensure FBI investigative activities respect civil liberties and privacy and conform with the Constitution and law:
- Protecting the public includes protecting their rights and liberties;
- Only investigate for a proper purpose (all FBI investigations must have a law enforcement, national security or foreign intelligence purpose);
- Race, ethnicity, religion or national origin alone can never constitute the sole basis for initiating investigative activity;
- Only perform authorized activities in pursuit of investigative objectives;
- Employ the least intrusive means that otherwise do not compromise FBI operations (particularly if there is the potential to interfere with protected speech and association, damage someone’s reputation, intrude on privacy, or interfere with the sovereignty of foreign governments);
- Apply best judgment to the circumstances at hand to select the most appropriate investigative means to achieve the investigative goal.
Section 4.1.3 specifically refers to the Privacy Act of 1974 (5 U.S.C. § 552a) as balancing the government’s need for information with the rights of individuals to be protected against unwarranted invasions of their privacy stemming from the government’s use, collection, maintenance and dissemination of that information.
DOJ Overview of the Privacy Act of 1974- 2010 Edition (Updated August, 2011) – Department of Justice (DOJ) discussion includes citations to court decisions interpreting agency Privacy Act of 1974 data quality requirements.
OMB Privacy Guidance General - This Office of Management and Budget (OMB) web page provides links to several guidance documents issued from 1975 to 2003 related to implementing the Privacy Act or other federal provisions. Among the links at that site are:
- OMB Privacy Act Guidance—Update (May 24, 1985) (10 pp. PDF) – This memo identifies “three areas in which agencies should amend their practices to new interpretations of the Privacy Act which have resulted from recent Congressional action or judicial interpretation.” Suggestions affect Section 6 of the Privacy Act of 1974 and were created to help agencies implement the Act’s provisions.
- Implementation of the Privacy Act of 1974, Supplementary Guidance, 40 Fed. Reg. 5674, (December 4, 1975) (3 pp. PDF) – Guidance from the Office of Management and Budget to the Heads of Federal Executive Departments and Establishments regarding “comments and questions of general interest” raised in the wake of the release of the Privacy Act of 1974.
- OMB Privacy Act Implementation, Guidelines and Responsibilities, 40 Fed. Reg. 28948, 28965 (July 9, 1975) (32 pp. PDF) – Memorandum from the Office of Management and Budget to the Heads of Executive Departments and Establishments regarding legislation implemented to insure that Federal agencies protect individual privacy rights when collecting personal information.
Final Guidance Interpreting the Provisions of Public Law 100-503, the Computer Matching and Privacy Protection Act of 1988, 54 Fed. Reg. 25818 (June 16, 1989) (12 pp. PDF) – Guidance issued by the Office of Management and Budget regarding interpretation of the provisions of Public Law 100-503 and the Computer Matching and Privacy Protection Act of 1988. The Computer Matching and Privacy Protection Act of 1988 (5 U.S.C. 552a(o) et seq.) amended the Privacy Act by describing the manner in which computer matching involving federal agencies could be performed and by adding certain protections for individuals applying for and receiving federal benefits. The Guidance document discusses procedural safeguards affecting agencies’ use of Privacy Act records in performing certain types of computerized matching programs, such as matching of federal to state records to determine eligibility for federal benefit programs.
FISMA Privacy Management and Implementation
Annual Reporting Instructions for the Federal Information Security Management Act (FISMA) and Agency Privacy Management – Annual memorandum released by the Office of Management and Budget to the heads of departments and agencies within the Federal Government providing instructions for agency reporting under the Federal Information Security Management Act of 2002. Declares that OMB will not ask for privacy related information in annual E-Government Act submissions. The more recent memoranda are listed below:
- OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (27 pp. PDF)
- OMB M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (25 pp. PDF)
- OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (43 pp. PDF)
- OMB M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (43 pp. PDF)
- OMB M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management (42 pp. PDF)
OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007) (22 pp. PDF) – This Memorandum released by the Office of Management and Budget to the heads of executive departments and agencies within the Federal Government requires Federal agencies to develop and implement a “breach notification policy.” The Memorandum defines “breach” to include the loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. The term “personally identifiable information” is defined in the Memorandum to refer to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
OMB Circular A-130, Management of Federal Information Resources (Revised) (November 28, 2000) (23 pp. PDF) – Memorandum released by the Office of Management and Budget to the heads of executive departments and agencies within the Federal Government providing policy for the management of Federal information resources. Includes procedural and analytic guidelines for implementing specific aspects of these policies.
- OMB Circular A-130, Appendix I, Federal Agency Responsibilities for Maintaining Records About Individuals – Appendix released by the Office of Management and Budget, accompanying the release of OMB Circular A-130 (above). “Describes agency responsibilities for implementing the reporting and publication requirements of the Privacy Act of 1974.”
OMB M-99-05, Instructions on Complying With President’s Memorandum of May 14, 1998, “Privacy and Personal Information in Federal Records” (January 7, 1999) – Memorandum released by the Office of Management and Budget to the heads of departments and agencies within the Federal Government providing instructions on complying with the President’s Memorandum of May 14, 1998, on “Privacy and Personal Information in Federal Records.” As stated in the Memorandum, a primary purpose of the Instructions is to ensure “that the Federal government protects the privacy of personal information…(because)…privacy is a cherished American value.”
Freedom of Information Act (FOIA)
Presidential Memoranda issued January 21, 2009 – provides direction to Federal agencies on the FOIA. “All agencies should adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open Government.”
- On March 19, 2009, the U.S. Attorney General issued a “Memorandum For Heads Of Executive Departments and Agencies” implementing the mandate of the Presidential Memorandum of 1/21/09. It rescinds a previous Attorney General’s FOIA Memorandum of October 12, 2001, which stated that the Department of Justice would defend decisions to withhold records "unless they lack a sound legal basis or present an unwarranted risk of adverse impact on the ability of other agencies to protect other important records." Instead, under the new guidelines, the Department of Justice will defend a denial of a FOIA request only if (1) the agency reasonably foresees that disclosure would harm an interest protected by one of the statutory exemptions, or (2) disclosure is prohibited by law.
USDOJ- FOIA Reference Guide. The Department of Justice Freedom of Information Act Reference Guide (Revised January, 2010) provides guidance for making Freedom of Information Act requests to the Department of Justice. It provides a consolidated list of information found at various USDOJ sites.
USDOJ-FOIA OIP Guidance: Referrals, Consultations, and Coordination: Procedures for Processing Records When Another Agency or Entity Has an Interest in Them (Updated December, 2011). The guidance document addresses how to handle records which either originated with another agency, or another component within their agency, or which contain information that is of interest to another agency or component.
E-Government Act of 2002
OMB M03-02, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (September 26, 2003) – Memorandum released by the Office of Management and Budget to the heads of executive departments and agencies within the Federal Government providing instructions for implementing the Privacy Provisions of the E-Government Act of 2002. Instructs on privacy protections “when Americans interact with their government." The guidance directs agencies to “conduct reviews of how information about individuals is handled within their agency when they use information technology (IT) to collect new information, or when agencies develop or buy new IT systems to handle collections of personally identifiable information.
DHS Privacy Guidelines Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons
As stated in the Memorandum, “As a matter of law the Privacy Act… does not cover visitors or aliens. As a matter of DHS policy, any personally identifiable information (PII) that is collected, used, maintained, and/or disseminated in connection with a mixed system by DHS shall be treated as a System of Records subject to the Privacy Act regardless of whether the information pertains to a U.S. citizen, Legal Permanent Resident, visitor, or alien.” The impact of this policy is that the DHS handles non-U.S. person PII held in mixed systems in accordance with the fair information practices, as set forth in the Privacy Act. Non-U.S. persons have the right of access to their PII and the right to amend their records, absent an exemption under the Privacy Act. The policy does not extend or create a right of judicial review for non-U.S. persons.