Whereas the rights the Privacy Act grants are to individuals on whom agencies collect and keep information, the obligations which the Act imposes are on the agencies themselves. First and foremost among the agency obligations is the obligation to honor the rights of the individuals on whom they collect and keep information. That's obvious. Rights are claims against other parties. In this case, the claims are against the agencies. The ability of individuals to enjoy their rights rests with the agencies, which have the obligation to honor them.

Agencies have obligations that go beyond honoring the individual rights we've just described. We can classify most of these additional obligations under the following five categories:
- Restrictions on Collecting and Maintaining Information
- Care of Records Requirements
- Publication Requirements
Restrictions on Collecting and Maintaining Records:
An agency is obligated to:
- Maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency. This purpose must be required by law or an Executive Order of the President.
- Collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under federal programs.
- Maintain no record describing how any individual exercises rights guaranteed by the First Amendment unless expressly authorized by statute or by the individual about whom the record is maintained, or unless pertinent to and within the scope of an authorized law enforcement activity.
Care of Records:
Agencies are required to take good care of the personal records they collect and maintain, not only to prevent misuse but to ensure fairness and guard against careless hazards and harms. The language of the Privacy Act is instructive in describing this good care requirement more fully and bears direct quotation here.
An agency is required to:
Maintain all records which are used by the agency in making any determinations about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.
An agency is also required to:
Establish appropriate administrative, technical, and physical safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity which could result in substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom the information is maintained.
Another requirement that can be considered a "good care" requirement is the one that requires agencies to develop rules of conduct concerning their employees' obligations under the Privacy Act.
The E-Government Act of 2002 contained privacy protections in addition to those afforded by the Privacy Act, such as privacy impact assessments.
Publication Requirements:
One of the key ideas behind the Privacy Act is that agencies maintain no secret records. To carry out this no-secrecy purpose, agencies are required to publish a description of all their systems of records in the Federal Register, an official publication published daily by the U.S. Government. The description includes the following main titles: name; location; categories of individuals covered by the system; categories of records covered in the system; authority for maintenance of the system; routine uses of the records; policies and practices for storing, retrieving, accessing, retaining and disposing of records; name and address of the system manager; notification, record access, and contesting record procedures; and record source categories. Any changes in previously published systems of records must also be published.
Special publication requirements apply to the routine uses. Agencies must allow 30 days for public comment before making any disclosures under them. If they receive any public comments, they must respond to them in the Federal Register before disclosures can be made.
Agencies are required to publish rules on how individuals can exercise their rights under the Privacy Act. These rules are called regulations, and they, too, are published in the Federal Register. (The RRB's regulations implementing the Privacy Act can be found at 20 CFR, Section 200.5.)
Agencies are required to provide an annual Privacy Management Report to the Office of Management and Budget (OMB) on their implementation of the Privacy Act and other required privacy provisions, such as the privacy impact assessments required by the E-Government Act of 2002. Also, whenever they want to establish a new system of records or substantially alter an existing one, they must report their intention to OMB and to the Senate and House of Representatives. This is in addition to the requirement to publish the changes in the Federal Register.