Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:
- Disclosure to the Census Bureau and the Bureau of Labor Statistics;
- Disclosure for routine uses within a U.S. government agency;
- Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”
- Disclosure to law enforcement agencies;
- Disclosure to aid in congressional investigations; or
- Disclosure for other administrative purposes.
The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.
The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.