What is the U.S. Privacy Act?

The Privacy Act of 1974 is a federal law governing the collection, use, and disclosure of records about individuals. A record can include personal identifiers such as a Social Security number, a name, or any other identifying number or symbol. The Privacy Act prohibits federal agencies from disclosing such records without the individual's consent, subject to a limited set of exceptions.

The Privacy Act offers three kinds of protection. Individuals have the right to request their own records, to request amendment of records that are not accurate or relevant, and to be protected from unwarranted invasions of privacy through the collection and disclosure of their personal information.

Consent is not required under the 12 Privacy Act exemptions

  1. Employees of the agency who need the record to perform their duties
  2. FOIA disclosures
  3. Routine uses
  4. Bureau of the Census
  5. Those who provide written assurance that the record will be used for research and is not individually identifiable
  6. National Archives and Records Administration
  7. United States civil or criminal law enforcement activity, upon written request
  8. A person showing compelling circumstances affecting the health or safety of an individual
  9. Either House of Congress, or its joint committees and subcommittees
  10. The Comptroller General, in the course of the duties of the Government Accountability Office
  11. Court orders
  12. Disclosures in accordance with the Debt Collection Act

How can you comply with the U.S. Privacy Act?

The Privacy Act of 1974 was created in response to concern about how the use of computerized databases could affect privacy rights. The Act has four objectives, summarized as: “collect, use, maintain, and disseminate data that is accurate, complete, relevant, and timely.” Failure to comply with the Privacy Act or with an agency rule issued under it, where that failure has an adverse effect on an individual, may result in civil or criminal penalties.

U.S. Privacy Act Compliance Checklist

  • Ensure all recipients of personal information have a need to know. Verify distribution lists before sending.
  • Validate that each use of the information matches the purpose for which it was collected.
  • Review the privacy policy and records notice every two years.
  • Ensure all telephone conversations are private and secure.
  • Maintain and disseminate data that is complete, accurate, timely, and relevant.
  • Encrypt all emails.
  • Use secure software on computers, and do not use flash drives to transport data.
  • Ensure data comes from a government-authorized source.
  • Secure areas where PII is stored, and dispose of records in accordance with official retention schedules.

U.S. Privacy Act Essentials

Record Keeping

Maintain a record of the movement of all media.

Policy and Procedures

Implement protocols and processes to safeguard facilities and internal equipment from unauthorized access, theft, and tampering.

Sources

  • Defense Privacy and Civil Liberties Office, Introduction to the Privacy Act
  • U.S. Office of Special Counsel, The Privacy Act of 1974

This information is not intended to serve as legal advice. Nor is it intended to act as compliance advice specific to the processes of any specific company. Application of compliance laws is a company-specific endeavor. We recommend that you contact compliance counsel to discuss the application of information found herein to your operations.