Copies of the original document can be ordered from the Government Printing Office (202) - - for $3.00 each?. Document # A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records 102nd Congress House Report. 102-146 July 10, 1991 Committed to the Committee of the Whole House on the State of the Union and ordered to be printed Sponsor: Mr. Conyers, from the Committee on Government Operations, submitted the following: Fourth Report Conference Report based on a study by the government information, justice, and agriculture subcommittee On June 26, 1991, the Committee on Government Operations approved and adopted a report entitled "A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 to Request Government Records." The chairman was directed to transmit a copy to the Speaker of the House. I. Preface In 1977, the House Committee on Government Operations issued the first Citizens Guide on how to request records from federal agencies. The original Guide was reprinted many times and widely distributed. The Superintendent of Documents at the Government Printing Office reported that almost 50,000 copies were sold between 1977 and 1986 when the guide went out of print. In addition, thousands of copies were distributed by the House Committee on Government Operations, Members of Congress, the Congressional Research Service, and other federal agencies. The original Citizens Guide is one of the most widely read congressional committee reports in history. A Citizens Guide on How to Use the Freedom of Information Act and the Privacy Act in Requesting Government Documents, House Report No. 95-796, 95th Cong., 1st Sess. (1977). In 1987, the Committee issued a revised Citizens Guide. The new edition was prepared to reflect changes to the Freedom of Information Act made during 1986. As a result of special efforts by the Superintendent of Documents at the Government Printing Office, the availability of the new Guide was well publicized. The 1987 edition appeared on GPOs "Best Seller" list in the months following its issuance. A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 To Request Government Records, House Report No. 100-199, 100th Cong., 1st Sess. (1987). During the 100th Congress, major amendments were made to the Privacy Act of 1974. The Computer Matching and Privacy Protection Act of 1988 added new provisions to the Privacy Act and changed several existing requirements. None of the changes affects a citizens rights to request or see records held by federal agencies. However, some of the information in the 1987 Guide became outdated as a result, and a third edition was issued in 1989. Public Law 100-503. A Citizens Guide on Using the Freedom of Information Act and the Privacy Act of 1974 To Request Government Records, House Report No. 101-193, 101st Cong., 1st Sess. (1989). During the 101st Congress, the Privacy Act of 1974 was amended through further adjustments to the Computer Matching and Privacy Protection Act of 1988. The changes do not affect access rights. This fourth edition of the Citizens Guide reflects all changes to the FOIA and Privacy Act made through the end of 1990. Minor editorial changes have also been made. II. Introduction A popular Government without popular information or the means of acquiring it, is but a Prologue to a Farce or a Tragedy or perhaps both. Knowledge will forever govern ignorance, and a people who mean to be their own Governors, must arm themselves with the power knowledge gives. James Madison Letter to W.T. Barry, August 4, 1822, in G.P. Hunt, ed., IX The Writings of James Madison 103 (1910). The Committee wishes to acknowledge the assistance of Harold C. Relyea, Specialist, American National Government, Government Division, Congressional Research Service, in the preparation of this report. The Freedom of Information Act (FOIA) establishes a presumption that records in the possession of agencies and departments of the Executive Branch of the United States government are accessible to the people. This was not always the approach to federal information disclosure policy. Before enactment of the FOIA in 1966, the burden was on the individual to establish a right to examine these government records. There were no statutory guidelines or procedures to help a person seeking information. There were no judicial remedies for those denied access. With the passage of the FOIA, the burden of proof shifted from the individual to the government. Those seeking information are no longer required to show a need for information. Instead, the "need to know" standard has been replaced by a "right to know" doctrine. The government now has to justify the need for secrecy. The FOIA sets standards for determining which records must be disclosed and which records can be withheld. The law also provides administrative and judicial remedies for those denied access to records. Above all, the statute requires federal agencies to provide the fullest possible disclosure of information to the public. The Privacy Act of 1974 is a companion to the FOIA. The Privacy Act regulates federal government agency record keeping and disclosure practices. The Act allows most individuals to seek access to federal agency records about themselves. The Act requires that personal information in agency files be accurate, complete, relevant, and timely. The subject of a record may challenge the accuracy of information. The Act requires that agencies obtain information directly from the subject of the record and that information gathered for one purpose not be used for another purpose. As with the FOIA, the Privacy Act provides civil remedies for individuals whose rights have been violated. Another important feature of the Privacy Act is the requirement that each federal agency publish a description of each system of records maintained by the agency that contains personal information. This prevents agencies from keeping secret records. The Privacy Act also restricts the disclosure of personally identifiable information by federal agencies. Together with the FOIA, the Privacy Act permits disclosure of most personal files to the individual who is the subject of the files. The two laws restrict disclosure of personal information to others when disclosure would violate privacy interests. While both the FOIA and the Privacy Act support the disclosure of agency records, both laws also recognize the legitimate need to restrict disclosure of some information. For example, agencies may withhold information properly classified in the interest of national defense or foreign policy, trade secrets, and criminal investigatory files. Other specifically defined categories of confidential information may also be withheld. The essential feature of both laws is that they make federal agencies accountable for information disclosure policies and practices. While neither law grants an absolute right to examine government documents, both laws establish the right to request records and to receive a response to the request. If a record cannot be released, the requester is entitled to be told the reason for the denial. The requester also has a right to appeal the denial and, if necessary, to challenge it in court. These procedural rights granted by the FOIA and the Privacy Act make the laws valuable and workable. As a result, the disclosure of federal government information cannot be controlled by arbitrary or unreviewable actions. III. Recommendations The Committee recommends that this Citizens Guide be made widely available at low cost to anyone who has an interest in obtaining documents from the federal government. The Government Printing Office and federal agencies subject to the Freedom of Information Act and the Privacy Act of 1974 should distribute this report widely. The Committee also recommends that this Citizens Guide be used by federal agencies in training programs for government employees who are responsible for administering the Freedom of Information Act and the Privacy Act of 1974. The Guide should also be used by those government employees who only occasionally work with these two laws. IV. How To Use This Guide This report explains how to use the Freedom of Information Act and the Privacy Act of 1974. It reflects all changes to the laws made since 1977. Major amendments to the Freedom of Information Act passed in 1974 and 1986. A major addition to the Privacy Act of 1974 was enacted in 1988. Minor amendments to the Privacy Act were made in 1989 and 1990. This Guide is intended to serve as a general introduction to the Freedom of Information Act and the Privacy Act. It offers neither a comprehensive explanation of the details of these Acts nor an analysis of case law. The Guide will enable those who are unfamiliar with the laws to understand the process and to make a request. In addition, the complete text of each law is included in an appendix. This Guide is primarily intended to help the general public. It includes a complete explanation of the basics of the two laws. In the interest of producing a guide that would be both simple and useful to the intended audience, the Committee deliberately avoided addressing some of the issues that are highly controversial. The Committee cautions against treating the neutrally written descriptions contained in this report as definitive expressions of the Committees views of the law or congressional intent. The Committee has expressed its views on some of these issues in other reports. See, for example, Security Classification Policy and Executive Order 12356, House Report No. 97-731, 97th Cong., 2d Sess. (1982); Who Cares About Privacy? Oversight of the Privacy Act of 1974 by the Office of Management and Budget and by the Congress, House Report 98-455, 98th Cong., 1st Sess. (1983); Electronic Collection and Dissemination of Information by Federal Agencies: A Policy Overview, House Report 99-560, 99th Cong., 2d Sess. (1986); Freedom of Information Act Amendments of 1986, House Report 99-832, 99th Cong., 2d Sess. (1986) (report to accompany H.R. 4862). The latter report is a legislative report for a bill reforming the business procedures of the FOIA. The bill did not become law. The 1986 amendments to the FOIA were made by the Freedom of Information Reform Act of 1986, Public Law 99-570. There were no committee reports in either House or Senate accompanying the Freedom of Information Reform Act. Readers should be aware that FOIA litigation is a complex area of law. There are thousands of court decisions interpreting the FOIA. These decisions must be considered in order to develop a complete understanding of the principles governing disclosure of government information. Anyone requiring more details about the FOIA, its history, or the case law should consult other sources. There has been less controversy and less litigation over the Privacy Act, but there is nevertheless a considerable body of case law for the Privacy Act as well. There are other sources of information on the Privacy Act as well. See, e.g., U.S. Department of Justice, Freedom of Information Case List (published annually). However, no one should be discouraged from making a request under either law. No special expertise is required. Using the Freedom of Information Act and the Privacy Act is as simple as writing a letter. This Citizens Guide explains the essentials. V. Which Act To Use The access provisions of the FOIA and the Privacy Act overlap in part. The two laws have different procedures and different exemptions. As a result, sometimes information exempt under one law will be disclosable under the other. In order to take maximum advantage of the laws, an individual seeking information about himself or herself should normally cite both laws. Requests by an individual for information that does not relate solely to himself or herself should be made only under the FOIA. Congress intended that the two laws be considered together in the processing of requests for information. Many government agencies will automatically handle requests from individuals in a way that will maximize the amount of information that is disclosable. However, a requester should still make a request in a manner that is most advantageous and that fully protects all available legal rights. A requester who has any doubts about which law to use should always cite both the FOIA and the Privacy Act when seeking documents from the federal government. VI. The Freedom of Information Act A. The Scope Of The Freedom of Information Act The federal Freedom of Information Act applies to documents held by agencies in the executive branch of the federal government. The executive branch includes cabinet departments, military departments, government corporations, government controlled corporations, independent regulatory agencies, and other establishments in the executive branch. The FOIA does not apply to elected officials of the federal government, including the President, Vice President, Senators, and Congressmen. The FOIA does not apply to the federal judiciary. The FOIA does not apply to private companies; persons who receive federal contracts or grants; tax-exempt organizations; or state or local governments. The Presidential Records Act of 1978, 44 U.S.C. 2201-2207 (1982), does make the documentary materials of former Presidents subject to the FOIA in part. Presidential papers and documents generated after January 20, 1981, will be available subject to certain restrictions and delays under the general framework of the FOIA. Virtually all official records of the Congress are available to the public. The Congressional Record, all bills introduced in the House and the Senate, and all committee reports (except for those containing classified information) are printed and disseminated. Most committee hearings are also printed and available. Copies of most congressional publications are available at federal depository libraries throughout the county. Historical records of the Congress are made available in accordance with procedures established by House and Senate rules. In addition, almost all activities of the Congress take place in public. The sessions of the House and Senate are normally open to the public and televised. Most committee hearings and markups are open to the public, and some are televised. All States and some localities have passed laws like the FOIA that allow people to request access to records. In addition, there are other federal and state laws that may permit access to documents held by organizations not covered by the federal FOIA. See, e.g., the Federal Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. (1982) (providing for access to files of credit bureaus); the Federal Family Educational Rights and Privacy Act of 1974, 20 U.S.C. 1232g (1982) (providing for access to records maintained by schools and colleges). Some states have enacted laws allowing individuals to have access to personnel records maintained by employers. See, e.g., Michigan Compiled Laws Annotated 423.501. B. What Records Can Be Requested Under The FOIA? The FOIA requires agencies to publish or make available for public inspection several types of information. This includes: (1) descriptions of agency organization and office addresses; (2) statements of the general course and method of agency operation; (3) rules of procedure and descriptions of forms; (4) substantive rules of general applicability and general policy statements; (5) final opinions made in the adjudication of cases; and (6) administrative staff manuals that affect the public. This information must either be published in the Federal Register or made available for inspection and copying without the formality of an FOIA request. All other "records" of a federal agency may be requested under the FOIA. However, the FOIA does not define "record." Any item containing information that is in the possession, custody, or control of an agency is usually considered to be an agency record under the FOIA. Personal notes of agency employees may not be agency records. A document that is not a "record" will not be available under the FOIA. The form in which a record is maintained by an agency does not affect its availability. A request may seek a printed or typed document, tape recording, map, photograph, computer printout, computer tape or disk, or a similar item. Of course, not all records that can be requested must be disclosed. Information that is exempt from disclosure is described below in the section entitled "Reasons Access May Be Denied Under the FOIA." The FOIA carefully provides that a requester may ask for records rather than information. This means that an agency is only required to look for an existing record or document in response to an FOIA request. An agency is not obliged to create a new record to comply with a request. An agency is not required to collect information it does not have. Nor must an agency do research or analyze data for a requester. When records are maintained in a computer, an agency is required to retrieve information in response to an FOIA request. The process of retrieving the information may result in the creation of a new document when the data is printed out on paper or written on computer tape or disk. Since this may be the only way computerized data can be disclosed, agencies are required to provide the data even if it means a new document must be created. Requesters must ask for existing records. Requests may have to be carefully written in order to obtain the desired information. Sometimes, an agency will help a requester identify a specific document that contains the information being sought. Other times, a requester may need to be creative when writing an FOIA request in order to identify an existing document or set of documents containing the desired information. There is a second general limitation on FOIA requests. The law requires that each request must reasonably describe the records being sought. This means that a request must be specific enough to permit a professional employee of the agency who is familiar with the subject matter to locate the record in a reasonable period of time. Because agencies organize and index records in different ways, one agency may consider a request to be reasonably descriptive while another agency may reject a similar request as too vague. For example, the Federal Bureau of Investigation has a central index for its primary record system. As a result, the FBI is able to search for records about a specific person. However, agencies that do not maintain a central name index may be unable to conduct the same type of search. These agencies may reject a similar request because the request does not describe records that can be identified. Requesters should make requests as specific as possible. If a particular document is required, it should be identified precisely, preferably by date and title. However, a request does not always have to be that specific. A requester who cannot identify a specific record should clearly explain his or her needs. A requester should make sure, however, that a request is broad enough to include all desired information. For example, assume that a requester wants to obtain a list of toxic waste sites near his home. A request to the Environmental Protection Agency for all records on toxic waste would cover many more records than are needed. The fees for such a request might be very high, and it is possible that the request might be rejected as too vague. A request for all toxic waste sites within three miles of a particular address is very specific. But it is unlikely that EPA would have an existing record containing data organized in that fashion. As a result, the request might be denied because there is no existing record containing the information. The requester might do better to ask for a list of toxic waste sites in his city, county, or state. It is more likely that existing records might contain this information. The requester might also want to tell the agency in the request letter exactly what information is desired. This additional explanation may help the agency to find a record that meets the request. Many people include their telephone number with their requests. Some questions about the scope of a request can be resolved quickly when an agency employee and the requester talk. This is an efficient way to resolve questions that arise during the processing of FOIA requests. It is to everyone's advantage if requests are as precise and as narrow as possible. The requester benefits because the request can be processed faster and cheaper. The agency benefits because it can do a better job of responding to the request. The agency will also be able to use its resources to respond to more requests. The FOIA works best when both the requester and the agency act cooperatively. C. Making an FOIA Request The first step in making a request under the FOIA is to identify the agency that has the records. An FOIA request must be addressed to a specific agency. There is no central government records office that services FOIA requests. Often, a requester knows beforehand which agency has the desired records. If not, a requester can consult a government directory such as the United States Government Manual. This manual has a complete list of all federal agencies, a description of agency functions, and the address of each agency. A requester who is uncertain about which agency has the records that are needed can make FOIA requests at more than one agency. The United States Government Manual is sold by the Superintendent of Documents of the U.S. Government Printing Office. Virtually every public library should have a copy on its shelves. Agencies normally require that FOIA requests be in writing. Letters requesting records under the FOIA can be short and simple. No one needs a lawyer to make an FOIA request. Appendix 1 of this Guide contains a sample request letter. The request letter should be addressed to the agency's FOIA Officer or to the head of the agency. The envelope containing the written request should be marked Freedom of Information Act Request in the bottom left-hand corner. All agencies have issued FOIA regulations that describe the request process in greater detail. For example, large agencies may have several components each of which has its own FOIA rules. A requester who can find agency FOIA regulations in the Code of Federal Regulations (available in many libraries) might find it useful to check these regulations before making a request. A requester who follows the agency's specific procedures may receive a faster response. However, the simple procedures suggested in this guide will be adequate to meet the minimum requirements for an FOIA request. There are three basic elements to an FOIA request letter. First, the letter should state that the request is being made under the Freedom of Information Act. Second, the request should identify the records that are being sought as specifically as possible. Third, the name and address of the requester must be included. Under the 1986 amendments to the FOIA, fees chargeable vary with the status or purpose of the requester. As a result, a requester may have to provide additional information to permit the agency to determine the appropriate fees. Different fees can be charged to commercial users, representatives of the news media, educational or noncommercial scientific institutions, and individuals. The next section explains the fee structure in more detail. There are several optional items that are often included in an FOIA request. The first is the telephone number of the requester. This permits an agency employee processing a request to speak with the requester if necessary. A second optional item is a limitation on the fees that the requester is willing to pay. It is common for a requester to ask to be notified in advance if the charges will exceed a fixed amount. This allows the requester to modify or withdraw a request if the cost may be too high. Also, by stating a willingness to pay a set amount of fees in the original request letter, a requester may avoid the necessity of additional correspondence and delay. A third optional item sometimes included in an FOIA request is a request for a waiver or reduction of fees. The 1986 amendments to the FOIA changed the rules for fee waivers. Fees must be waived or reduced if disclosure of the information is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester. Decisions about granting fee waivers are separate from and different than decisions about the amount of fees that can be charged to a requester. A requester should keep a copy of the request letter and related correspondence until the request has been finally resolved. D. Fees and Fee Waivers FOIA requesters may have to pay fees covering some or all of the costs of processing their requests. As amended in 1986, the law establishes three types of fees that may be charged. The 1986 law makes the process of determining the applicable fees more complicated. However, the 1986 rules reduce or eliminate entirely the cost for small, non-commercial requests. First, fees can be imposed to recover the cost of copying documents. All agencies have a fixed price for making copies using copying machines. A requester is usually charged the actual cost of copying computer tapes, photographs, and other nonstandard documents. Second, fees can also be imposed to recover the costs of searching for documents. This includes the time spent looking for material responsive to a request. A requester can minimize search charges by making clear, narrow requests for identifiable documents whenever possible. Third, fees can be charged to recover review costs. Review is the process of examining documents to determine whether any portion is exempt from disclosure. Before the 1986 amendments took effect, no review costs were charged to any requester. Effective on April 25, 1987, review costs may be charged to commercial requesters only. Review charges only include costs incurred during the initial examination of a document. An agency may not charge for any costs incurred in resolving issues of law or policy that may arise while processing a request. Different fees apply to different requesters. There are three categories of FOIA requesters. The first includes representatives of the news media, and educational or noncommercial scientific institutions whose purpose is scholarly or scientific research. A requester in this category who is not seeking records for commercial use can only be billed for reasonable standard document duplication charges. A request for information from a representative of the news media is not considered to be for commercial use if the request is in support of a news gathering or dissemination function. The second category includes FOIA requesters seeking records for commercial use. Commercial use is not defined in the law, but it generally includes profit making activities. A commercial user can be charged reasonable standard charges for document duplication, search, and review. The third category of FOIA requesters includes everyone not in the first two categories. People seeking information for personal use, public interest groups, and non-profit organizations are examples of requesters who fall into the third group. Charges for these requesters are limited to reasonable standard charges for document duplication and search. Review costs may not be charged. The 1986 amendments did not change the fees charged to these requesters. Small requests are free for a requester in the first and third categories. This includes all requesters except commercial users. There is no charge for the first two hours of search time and for the first 100 pages of documents. A non-commercial requester who limits a request to a small number of easily found records will not pay any fees at all. In addition, the law also prevents agencies from charging fees if the cost of collecting the fee would exceed the amount collected. This limitation applies to all requests, including those seeking documents for commercial use. Thus, if the allowable charges for any FOIA request are small, no fees are imposed. Each agency sets charges for duplication, search, and review based on its own costs. The amount of these charges is listed in agency FOIA regulations. Each agency also sets its own threshold for minimum charges. The 1986 FOIA amendments also changed the law on fee waivers. Fees now must be waived or reduced if disclosure of the information is in the public interest because it is likely to contribute significantly to public understanding of the operations or activities of the government and is not primarily in the commercial interest of the requester. The 1986 amendments on fees and fee waivers have created some confusion. Determinations about fees are separate and distinct from determinations about fee waivers. For example, a requester who can demonstrate that he or she is a news reporter may only be charged duplication fees. But a requester found to be a reporter is not automatically entitled to a waiver of those fees. A reporter who seeks a waiver must demonstrate that the request also meets the standards for waivers. Normally, only after a requester has been categorized to determine the applicable fees does the issue of a fee waiver arise. A requester who seeks a fee waiver should ask for a waiver in the original request letter. However, a request for a waiver can be made at a later time. The requester should describe how disclosure will contribute to public understanding of the operations or activities of the government. The sample request letter in the appendix includes optional language asking for a fee waiver. Any requester may ask for a fee waiver. Some will find it easier to qualify than others. A news reporter who is only charged duplication costs may still ask that the charges be waived because of the public benefits that will result from disclosure. A representative of the news media, a scholar, or a public interest group are more likely to qualify for a waiver of fees. A commercial user may find it difficult to qualify for waivers. The eligibility of other requesters will vary. A key element in qualifying for a fee waiver is the relationship of the information to public understanding of the operations or activities of government. Another important factor is the ability of the requester to convey that information to other interested members of the public. A requester is not eligible for a fee waiver solely because of indigence. E. Requirements for Agency Responses Each agency is required to determine within ten days (excluding Saturdays, Sundays, and legal holidays) after the receipt of a request whether to comply with the request. The actual disclosure of documents is required to follow promptly thereafter. If a request is denied in whole or in part, the agency must tell the requester the reasons for the denial. The agency must also tell the requester that there is a right to appeal any adverse determination to the head of the agency. The FOIA permits an agency to extend the time limits up to ten days in unusual circumstances. These circumstances include the need to collect records from remote locations, review large numbers of records, and consult with other agencies. The agency is supposed to notify the requester whenever an extension is invoked. Agencies that take more than ten days to respond to a request do not always notify each requester that an extension has been invoked. The statutory time limits for responses are not always met. An agency sometimes receives an unexpectedly large number of FOIA requests at one time and is unable to meet the deadlines. Some agencies assign inadequate resources to FOIA offices. The Congress does not condone the failure of any agency to meet the laws time limits. However, as a practical matter, there is little that a requester can do about it. The courts have been reluctant to provide relief solely because the FOIA's time limits have not been met. The best advice to requesters is to be patient. The law allows a requester to consider that his or her request has been denied if it has not been decided within the time limits. This permits the requester to file an administrative appeal or file a lawsuit in federal district court. However, this is not always the best course of action. The filing of an administrative or judicial appeal will not necessarily result in any faster processing of the request. Each agency generally processes requests in the order of receipt. Some agencies will expedite the processing of urgent requests. Anyone with a pressing need for records should consult with the agency FOIA officer about how to ask for expedited treatment of requests. F. Reasons Access May Be Denied Under the FOIA An agency may refuse to disclose an agency record that falls within any of the FOIA's nine statutory exemptions. The exemptions protect against the disclosure of information that would harm national defense or foreign policy, privacy of individuals, proprietary interests of business, functioning of the government, and other important interests. A document that does not qualify as an "agency record" may be denied on this basis. However, most records in the possession of an agency are "agency records" within the meaning of the FOIA. An agency may withhold exempt information, but it is not always required to do so. For example, an agency may disclose an exempt internal memorandum because no harm would result from its disclosure. However, an agency is not likely to agree to disclose an exempt document that is classified or that contains a trade secret. When a record contains some information that qualifies as exempt, the entire record is not necessarily exempt. Instead, the FOIA specifically provides that any reasonably segregable portions of a record must be provided to a requester after the deletion of the portions that are exempt. This is a very important requirement because it prevents an agency from withholding an entire document simply because one line or one page is exempt. Exemption 1. Classified Documents The first FOIA exemption permits the withholding of properly classified documents. Information may be classified in the interest of national defense or foreign policy. The rules for classification are established by the President and not the FOIA or other law. The FOIA provides that, if a document has been properly classified under a presidential Executive Order, the document can be withheld from disclosure. Classified documents may be requested under the FOIA. An agency can review the document to determine if it still requires protection. In addition, the Executive Order on Security Classification establishes a special procedure for requesting the declassification of documents. If a requested document is declassified, it can be released in response to an FOIA request. However, a document that is declassified may still be exempt under other FOIA exemptions. At the time that this guide was prepared, the current Executive Order on Security Classification was E.O. 12356 which was promulgated by President Reagan on April 2, 1982. The text of the order can be found at 47 Federal Register 14874-84 (April 6, 1982). The rules for mandatory review for declassification are in Section 3.4 of the Executive Order. Exemption 2. Internal Personnel Rules and Practices The second FOIA exemption covers matters that are related solely to an agency's internal personnel rules and practices. As interpreted by the courts, there are two separate classes of documents that are generally held to fall within exemption two. First, information relating to personnel rules or internal agency practices is exempt if it is trivial administrative matter of no genuine public interest. A rule governing lunch hours for agency employees is an example. Second, an internal administrative manual can be exempt if disclosure would risk circumvention of law or agency regulations. In order to fall into this category, the material will normally have to regulate internal agency conduct rather than public behavior. Exemption 3. Information Exempt Under Other Laws The third exemption incorporates into the FOIA other laws that restrict the availability of information. To qualify under this exemption, a statute must require that matters be withheld from the public in such a manner as to leave no discretion to the agency. Alternatively, the statute must establish particular criteria for withholding or refer to particular types of matters to be withheld. One example of a qualifying statute is the provision of the Tax Code prohibiting the public disclosure of tax returns and tax return information. Another qualifying Exemption 3 statute is the law designating identifiable census data as confidential. Whether a particular statute qualifies under Exemption 3 can be a difficult legal question. 26 U.S.C. 6103 (1982). 8517 13 U.S.C. 9 (1982). 4. Exemption 4. Confidential Business Information The fourth exemption protects from public disclosure two types of information: trade secrets and confidential business information. A trade secret is a commercially valuable plan, formula, process, or device. This is a narrow category of information. An example of a trade secret is the recipe for a commercial food product. The second type of protected data is commercial or financial information obtained from a person and privileged or confidential. The courts have held that data qualifies for withholding if disclosure by the government would be likely to harm the competitive position of the person who submitted the information. Detailed information on a company's marketing plans, profits, or costs can qualify as confidential business information. Information may also be withheld if disclosure would be likely to impair the governments ability to obtain similar information in the future. Only information obtained from a person other than a government agency qualifies under the fourth exemption. A person is an individual, a partnership, or a corporation. Information that an agency created on its own cannot normally be withheld under exemption four. Although there is no formal requirement under the FOIA, many agencies will notify a submitter of business information that disclosure of the information is being considered. The submitter then has an opportunity to convince the agency that the information qualifies for withholding. A submitter can also file suit to block disclosure under the FOIA. Such lawsuits are generally referred to as "reverse" FOIA lawsuits because the FOIA is being used in an attempt to prevent rather than to require the disclosure of information. A reverse FOIA lawsuit may be filed when the submitter of documents and the government disagree whether the information is confidential. See "Predisclosure Notification Procedures for Confidential Commercial Information," Executive Order 12600 (June 23, 1987). Exemption 5. Internal Government Communications The FOIAÕs fifth exemption applies to internal government documents. An example is a letter from one government department to another about a joint decision that has not yet been made. Another example is a memorandum from an agency employee to his supervisor describing options for conducting the agency's business. The purpose of the fifth exemption is to safeguard the deliberative policy making process of government. The exemption encourages frank discussion of policy matters between agency officials by allowing supporting documents to be withheld from public disclosure. The exemption also protects against premature disclosure of policies before final adoption. While the policy behind the fifth exemption is well-accepted, the application of the exemption is complicated. The fifth exemption may be the most difficult FOIA exemption to understand and apply. For example, the exemption protects the policy making process, but it does not protect purely factual information related to the policy process. Factual information must be disclosed unless it is inextricably intertwined with protected information about an agency decision. Protection for the decision making process is appropriate only for the period while decisions are being made. Thus, the fifth exemption has been held to distinguish between documents that are pre-decisional and therefore may be protected, and those which are post-decisional and therefore not subject to protection. Once a policy is adopted, the public has a greater interest in knowing the basis for the decision. The exemption also incorporates some of the privileges that apply in litigation involving the government. For example, papers prepared by the governments lawyers can be withheld in the same way that papers prepared by private lawyers for clients are not available through discovery in civil litigation. Exemption 6. Personal Privacy The sixth exemption covers personnel, medical, and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. This exemption protects the privacy interests of individuals by allowing an agency to withhold intimate personal data kept in government files. Only individuals have privacy interests. Corporations and other legal persons have no privacy rights under the sixth exemption. The exemption requires agencies to strike a balance between an individualÕs privacy interest and the publics right to know. However, since only a clearly unwarranted invasion of privacy is a basis for withholding, there is a perceptible tilt in favor of disclosure in the exemption. Nevertheless, the sixth exemption makes it harder to obtain information about another individual without the consent of that individual. The Privacy Act of 1974 also regulates the disclosure of personal information about an individual. The FOIA and the Privacy Act overlap in part, but there is no inconsistency. An individual seeking records about himself or herself should cite both laws when making a request. This ensures that the maximum amount of disclosable information will be released. Records that can be denied to an individual under the Privacy Act are not necessarily exempt under the FOIA. Exemption 7. Law Enforcement The seventh exemption allows agencies to withhold law enforcement records in order to protect the law enforcement process from interference. The exemption was amended slightly in 1986, but it still retains six specific subexemptions. Exemption (7)(A) allows the withholding of a law enforcement record that could reasonably be expected to interfere with enforcement proceedings. This exemption protects an active law enforcement investigation from interference through premature disclosure. Exemption (7)(B) allows the withholding of information that would deprive a person of a right to a fair trial or an impartial adjudication. This exemption is rarely used. Exemption (7)(C) recognizes that individuals have a privacy interest in information maintained in law enforcement files. If the disclosure of information could reasonably be expected to constitute an unwarranted invasion of personal privacy, the information is exempt from disclosure. The standards for privacy protection in Exemption 6 and Exemption (7)(C) differ slightly. Exemption (7)(C) protects against an unwarranted invasion of personal privacy while Exemption 6 protects against clearly a unwarranted invasion. Also, Exemption (7)(C) allows the withholding of information that "could reasonably be expected to" invade someone's privacy. Under Exemption 6, information can be withheld only if disclosure "would" invade someone's privacy. Exemption (7)(D) protects the identity of confidential sources. Information that could reasonably be expected to reveal the identity of a confidential source is exempt. A confidential source can include a state, local, or foreign agency or authority, or a private institution that furnished information on a confidential basis. In addition, the exemption protects information furnished by a confidential source if the data was compiled by a criminal law enforcement authority during a criminal investigation or by an agency conducting a lawful national security intelligence investigation. Exemption (7)(E) protects from disclosure information that would reveal techniques and procedures for law enforcement investigations or prosecutions or that would disclose guidelines for law enforcement investigations or prosecutions if disclosure of the information could reasonably be expected to risk circumvention of the law. Exemption (7)(F) protects law enforcement information that could reasonably be expected to endanger the life or physical safety of any individual. 8. Exemption 8. Financial Institutions The eighth exemption protects information that is contained in or related to examination, operating, or condition reports prepared by or for a bank supervisory agency such as the Federal Deposit Insurance Corporation, the Federal Reserve, or similar agencies. 9. Exemption 9. Geological Information The ninth FOIA exemption covers geological and geophysical information, data, and maps about wells. This exemption is rarely used. G. FOIA Exclusions The 1986 amendments to the FOIA gave limited authority to agencies to respond to a request without confirming the existence of the requested records. Ordinarily, any proper request must receive an answer stating whether there is any responsive information, even if the requested information is exempt from disclosure. In some narrow circumstances, acknowledgment of the existence of a record can produce consequences similar to those resulting from disclosure of the record itself. In order to avoid this type of problem, the 1986 amendments established three "record exclusions." The exclusions allow an agency to treat certain exempt records as if the records were not subject to the FOIA. An agency is not required to confirm the existence of three specific categories of records. If these records are requested, the agency may respond that there are no disclosable records responsive to the request. However, these exclusions do not broaden the authority of any agency to withhold documents from the public. The exclusions are only applicable to information that is otherwise exempt from disclosure. The first exclusion may be used when a request seeks information that is exempt because disclosure could reasonably be expected to interfere with a current law enforcement investigation (exemption (7)(A)). There are three specific prerequisites for the application of this exclusion. First, the investigation in question must involve a possible violation of criminal law. Second, there must be reason to believe that the subject of the investigation is not already aware that the investigation is underway. Third, disclosure of the existence of the records as distinguished from the contents of the records could reasonably be expected to interfere with enforcement proceedings. When all of these conditions exist, an agency may respond to an FOIA request for investigatory records as if the records are not subject to the requirements of the FOIA. In other words, the agency's response does not have to reveal that it is conducting an investigation. The second exclusion applies to informant records maintained by a criminal law enforcement agency under the informants name or personal identifier. The agency is not required to confirm the existence of these records unless the informants status has been officially confirmed. This exclusion helps agencies to protect the identity of confidential informants. Information that might identify informants has always been exempt under the FOIA. The third exclusion only applies to records maintained by the Federal Bureau of Investigation which pertain to foreign intelligence, counterintelligence, or international terrorism. When the existence of these types of records is classified, the FBI may treat the records as not subject to the requirements of FOIA. This exclusion does not apply to all classified records on the specific subjects. It only applies when the records are classified and when the existence of the records is also classified. Since the underlying records must be classified before the exclusion is relevant, agencies have no new substantive withholding authority. In enacting these exclusions, congressional sponsors stated that it was their intent that agencies must inform FOIA requesters that these exclusions are available for agency use. Requesters who believe that records were improperly withheld because of the exclusions can seek judicial review. H. Administrative Appeal Procedures Whenever an FOIA request is denied, the agency must inform the requester of the reasons for the denial and the requesters right to appeal the denial to the head of the agency. A requester may appeal the denial of a request for a document or for a fee waiver. A requester may contest the type or amount of fees that were charged. A requester may appeal any other type of adverse determination including a rejection of a request for failure to describe adequately the documents being requested. A requester can also appeal because the agency failed to conduct an adequate search for the documents that were requested. A person whose request was granted in part and denied in part may appeal the part that was denied. If an agency has agreed to disclose some but not all requested documents, the filing of an appeal does not affect the release of the documents that are disclosable. There is no risk to the requester in filing an appeal. The appeal to the head of the agency is a simple administrative appeal. A lawyer can be helpful, but no one needs a lawyer to file an appeal. Anyone who can write a letter can file an appeal. Appeals to the head of the agency often result in the disclosure of some records that had been withheld. A requester who is not convinced that the agency's initial decision is correct should appeal. There is no charge for filing an administrative appeal. An appeal is filed by sending a letter to the head of the agency. The letter must identify the FOIA request that is being appealed. The envelope containing the letter of appeal should be marked in the lower left hand corner with the words "Freedom of Information Act Appeal." Agency FOIA regulations will normally describe the appeal procedures and requirements with more specificity. At some agencies, decisions on FOIA appeals have been delegated to other agency officials. Requesters who have an opportunity to review agency regulations in the Code of Federal Regulations (available in many libraries) may be able to speed up the processing of the appeal. However, following the simple procedures described in this Guide will be sufficient to maintain a proper appeal. Many agencies assign a number to all FOIA requests that are received. The number should be included in the appeal letter, along with the name and address of the requester. It is a common practice to include a copy of the agency's initial decision letter as part of the appeal, but this is not required. It can also be helpful for the requester to include a telephone number in the appeal letter. An appeal will normally include the requesters arguments supporting disclosure of the documents. A requester may include any facts or any arguments supporting the case for reversing the initial decision. However, an appeal letter does not have to contain any arguments at all. It is sufficient to state that the agency's initial decision is being appealed. Appendix 1 includes a sample appeal letter. The FOIA does not set a time limit for filing an administrative appeal of an FOIA denial. However, it is good practice to file an appeal promptly. Some agency regulations establish a time limit for filing an administrative appeal. A requester whose appeal is rejected by an agency because it is too late may refile the original FOIA request and start the process again. A requester who delays filing an appeal runs the risk that the documents could be destroyed. However, as long as an agency is considering a request or an appeal, the agency must preserve the documents. An agency is required to make a decision on an appeal within twenty days (excluding Saturdays, Sundays, and federal holidays). It is possible for an agency to extend the time limits by an additional ten days. Once the time period has elapsed, a requester may consider that the appeal has been denied and may proceed with a judicial appeal. However, unless there is an urgent need for records, this may not be the best course of action. The courts are not sympathetic to appeals based solely on an agency's failure to comply with the FOIAÕs time limits. I. Filing a Judicial Appeal When an administrative appeal is denied, a requester has the right to appeal the denial in court. An FOIA appeal can be filed in the United States District Court in the district where the requester lives. The requester can also file suit in the district where the documents are located or in the District of Columbia. When a requester goes to court, the burden of justifying the withholding of documents is on the government. This is a distinct advantage for the requester. Requesters are sometimes successful when they go to court, but the results vary considerably. Some requesters who file judicial appeals find that an agency will disclose some documents previously withheld rather than fight about disclosure in court. This does not always happen, and there is no guarantee that the filing of a judicial appeal will result in any additional disclosure. Most requesters require the assistance of an attorney to file a judicial appeal. A person who files a lawsuit and substantially prevails may be awarded reasonable attorney fees and litigation costs reasonably incurred. Some requesters may be able to handle their own appeal without an attorney. Since this is not a litigation guide, details of the judicial appeal process have not been included. Anyone considering filing an appeal can begin by reading the provisions of the FOIA on judicial review. More information on judicial review under the FOIA and Privacy Act can be found in Adler, Litigation Under the Federal Freedom of Information Act and Privacy Act (American Civil Liberties Union Foundation) (published annually). VII. The Privacy Act of 1974 A. The Scope of the Privacy Act of 1974 The Privacy Act of 1974 provides safeguards against an invasion of privacy through the misuse of records by federal agencies. In general, the Act allows a citizen to learn how records are collected, maintained, used, and disseminated by the federal government. The Act also permits an individual to gain access to most personal information maintained by federal agencies and to seek amendment of any incorrect or incomplete information. The Privacy Act applies to personal information maintained by agencies in the executive branch of the federal government. The executive branch includes cabinet departments, military departments, government corporations, government controlled corporations, independent regulatory agencies, and other establishments in the executive branch. Agencies subject to the Freedom of Information Act (FOIA) are also subject to the Privacy Act. The Privacy Act does not generally apply to records maintained by state and local governments or private companies or organizations. The Privacy Act applies to some records that are not maintained by an agency. Subsection (m) of the Act provides that, when an agency provides by contract for the operation of a system of records on its behalf, the requirements of the Privacy Act apply to those records. As a result, some records maintained outside of a federal agency are subject to the Privacy Act. Descriptions of these systems are published in the Federal Register. However, most records maintained outside of federal agencies are not subject to the Privacy Act. The Privacy Act only grants rights to United States citizens and to aliens lawfully admitted for permanent residence. As a result, a foreign national cannot use the Acts provisions. However, a foreigner may use the FOIA to request records about himself or herself. In general, the only records subject to the Privacy Act are records that are maintained in a system of records. The idea of a "system of records" is unique to the Privacy Act and requires explanation. The Act defines a "record" to include most personal information maintained by an agency about an individual. A record contains individually identifiable information, including but not limited to information about education, financial transactions, medical history, criminal history, or employment history. A "system of records" is a group of records from which information is actually retrieved by name, social security number, or other identifying symbol assigned to an individual. Some personal information is not kept in a system of records. This information is not subject to the provisions of the Privacy Act, although access may be requested under the FOIA. Most personal information in government files is subject to the Privacy Act. The Privacy Act also establishes general records management requirements for federal agencies. In summary, there are five basic requirements that are most relevant to individuals. First, each agency must establish procedures allowing individuals to see and copy records about themselves. An individual may also seek to amend any information that is not accurate, relevant, timely, or complete. The rights to inspect and to correct records are the most important provisions of the Privacy Act. This guide explains in more detail how an individual can exercise these rights. Second, each agency must publish notices describing all systems of records. The notices include a complete description of personal-data record keeping policies, practices, and systems. This requirement prevents the maintenance of secret record systems. Third, each agency must make reasonable efforts to maintain accurate, relevant, timely, and complete records about individuals. Agencies are prohibited from maintaining information about how individuals exercise rights guaranteed by the First Amendment to the U.S. Constitution unless maintenance of the information is specifically authorized by statute or relates to an authorized law enforcement activity. Fourth, the Act establishes rules governing the use and disclosure of personal information. The Act specifies that information collected for one purpose may not be used for another purpose without notice to or the consent of the subject of the record. The Act also requires that each agency keep a record of some disclosures of personal information. Fifth, the Act provides legal remedies that permit an individual to seek enforcement of the rights granted under the Act. In addition, federal employees who fail to comply with the Acts provisions may be subjected to criminal penalties. B. The Computer Matching and Privacy Protection Act The Computer Matching and Privacy Protection Act of 1988 (Public Law 100-503) amended the Privacy Act by adding new provisions regulating the use of computer matching. Records used during the conduct of a matching program are subject to an additional set of requirements. Computer matching is the computerized comparison of information about individuals for the purpose of determining eligibility for federal benefit programs. A matching program can be subject to the requirements of the Computer Matching Act if records from a Privacy Act system of records are used during the program. If federal Privacy Act records are matched against state or local records, then the state or local matching program can be subject to the new matching requirements. In general, matching programs involving federal records must be conducted under a matching agreement between the source and recipient agencies. The matching agreement describes the purpose and procedures of the matching and establishes protections for matching records. The agreement is subject to review and approval by a Data Integrity Board. Each federal agency involved in a matching activity must establish a Data Integrity Board. For an individual seeking access to or correction of records, the computer matching legislation provides no special access rights. If matching records are federal records, then the access and correction provisions of the Privacy Act apply. There is no general right of access or correction for matching records of state and local agencies. It is possible that rights are available under state or local laws. There is, however, a requirement that an individual be notified of agency findings prior to the taking of any adverse action as a result of a computer matching program. An individual must also be given an opportunity to contest such findings. The notice and opportunity-to-contest provisions apply to matching records whether the matching was done by the federal government or by a state or local government. Section 7201 of Public Law 101-508 modified the due process notice requirement to permit the use of statutory or regulatory notice periods. The matching provisions also require that any agency federal or non-federal involved in computer matching must independently verify information used to take adverse action against an individual. This requirement was included in order to protect individuals from arbitrary or unjustified denials of benefits. Independent verification includes independent investigation and confirmation of information. Public Law 101-508 also modified the independent verification requirement in circumstances in which it was unnecessary. Most of the provisions of the Computer Matching and Privacy Protection Act of 1988 were originally scheduled to become effective in July 1989. Public Law 101-56 delayed the effective date for most matching programs until January 1, 1990. C. Locating Records There is no central index of federal government records about individuals. An individual who wants to inspect records about himself or herself must first identify which agency has the records. Often, this will not be difficult. For example, an individual who was employed by the federal government knows that the employing agency or the Office of Personnel Management maintains personnel files. Similarly, an individual who receives veterans benefits will normally find relevant records at the Department of Veterans Affairs or at the Defense Department. Tax records are maintained by the Internal Revenue Service, social security records by the Social Security Administration, passport records by the State Department, etc. For those who are uncertain about which agency has the records that are needed, there are several sources of information. First, an individual can ask an agency that might maintain the records. If that agency does not have the records, it may be able to identify the proper agency. Second, a government directory such as the United States Government Manual 22 contains a complete list of all federal agencies, a description of agency functions, and the address of the agency and its field offices. An agency responsible for operating a program normally maintains the records related to that program. The United States Government Manual is sold by the Superintendent of Documents of the U.S. Government Printing Office. Virtually every public library should have a copy. Third, a Federal Information Center can help to identify government agencies, their functions, and their records. These Centers, which are operated by the General Services Administration, serve as clearinghouses for information about the federal government. There are Federal Information Centers throughout the country. Fourth, every two years, the Office of the Federal Register publishes a compilation of system of records notices for all agencies. These notices contain a complete description of each record system maintained by each agency. The compilation which is published in five large volumes is the most complete reference for information about federal agency personal information practices. The information that appears in the compilation also appears sometimes in the Federal Register. Each system notice contains the name of the system; its location; the categories of individuals covered by the system; the categories of records in the system; the legal authority for maintenance of the system; the routine disclosures that may be made for records in the system; the policies and practices of storing, retrieving, accessing, retaining, and disposing of records; the name and address of the manager of the system; procedures for requesting access to the records; procedures for requesting correction or amendment of the records; the source of the information in the system; and a description of any disclosure exemptions that may be applied to the records in the system. Agencies are required to publish in the Federal Register a description of each system of records when the system is established or amended. In the past, agencies were required to publish an annual compilation in the Federal Register, but that requirement was eliminated in 1982. As a result, for most agencies it will be difficult to find a complete list of all systems of records in the Federal Register. Some agencies do, however, reprint all system notices from time to time. An agency's Privacy Act officer may be able to provide more information about the agency's publication practices. The compilation formally called Privacy Act Issuances may be difficult to find and hard to use. It does not contain a comprehensive index. Copies will be available in some federal depository libraries and possibly in other libraries as well. Although the compilation is the best single source of detailed information about personal records maintained by federal agencies, it is not necessary to consult the compilation before making a Privacy Act request. A requester is not required to identify the specific system of records that contains the information being sought. It is sufficient to identify the agency that has the records. Using information provided by the requester, the agency will determine which system of records has the files that have been requested. Those who request records under the Privacy Act can help the agency by identifying the type of records being sought. Large agencies maintain hundreds of different record systems. A request can be processed faster if the requester tells the agency that he or she was employed by the agency, was the recipient of benefits under an agency program, or had other specific contacts with the agency. D. Making a Privacy Act Request for Access The fastest way to make a Privacy Act request is to identify the specific system of records. The request can be addressed to the system manager. Few people do this. Instead, most people address their requests to the head of the agency that has the records or to the agency's Privacy Act Officer. The envelope containing the written request should be marked " Privacy Act Request" in the bottom left-hand corner. All agencies have Privacy Act regulations that describe the request process in greater detail. Large agencies may have several components, each of which has its own Privacy Act rules. Requesters who can find agency Privacy Act regulations in the Code of Federal Regulations (available in many libraries) might read these regulations before making a request. A requester who follows the agency's specific procedures may receive a faster response. However, the simple procedures suggested in this guide are adequate to meet the minimum statutory requirements for a Privacy Act request. There are three basic elements to a request for records under the Privacy Act. First, the letter should state that the request is being made under the Privacy Act. Second, the letter should include the name, address, and signature of the requester. Third, the request should describe the records as specifically as possible. Appendix 1 includes a sample Privacy Act request letter. It is a common practice for an individual seeking records about himself or herself to make the request under both the Privacy Act of 1974 and the Freedom of Information Act. See the discussion in the front of this guide about which act to use. A requester can describe the records by identifying a specific system of records, by describing his or her contacts with an agency, or by simply asking for all records about himself or herself. The broader and less specific a request is, the longer it may take for an agency to respond. It is a good practice for a requester to describe the type of records that he or she expects to find. For example, an individual seeking a copy of his service record in the Army should state that he was in the Army and include the approximate dates of service. This will help the Defense Department narrow its search to record systems that are likely to contain the information being sought. An individual seeking records from the Federal Bureau of Investigation may ask that files in specific field offices be searched in addition to the FBI's central office files. The FBI does not routinely search field office records without a specific request. An agency will generally require a requester to provide some proof of identity before records will be disclosed. Agencies may have different requirements. Some agencies will accept a signature; others may require a notarized signature. If an individual goes to the agency to inspect records, standard personal identification may be acceptable. More stringent requirements may apply if the records being sought are especially sensitive. An agency will inform requesters of any special identification requirements. Requesters who need records quickly should first consult agency regulations or talk to the agency's Privacy Act Officer to find out how to provide adequate identification. An individual who visits an agency office to inspect a Privacy Act record may bring along a friend or relative to review the record. When a requester brings another person, the agency may ask the requester to sign a written statement authorizing discussion of the record in the presence of that person. It is a crime to knowingly and willfully request or obtain records under the Privacy Act under false pretenses. A request for access under the Privacy Act can only be made by the subject of the record. An individual cannot make a request under the Privacy Act for a record about another person. The only exception is for a parent or legal guardian who can request records for a minor or a person who has been declared incompetent. E. Fees Under the Privacy Act, fees can only be charged for the cost of copying records. No fees may be charged for the time it takes to search for records or for the time it takes to review the records to determine if any exemptions apply. This is a major difference from the FOIA. Under the FOIA, fees can sometimes be charged to recover search costs and review costs. The different fee structure in the two laws is one reason many requesters seeking records about themselves cite both laws. This minimizes allowable fees. An individual seeking records about himself or herself under the FOIA should not be charged review charges. The only charges applicable under the FOIA are search and copy charges. Many agencies will not charge fees for making a copy of a Privacy Act file, especially when the file is small. If paying the copying charges is a problem, the requester should explain in the request letter. An agency can waive fees under the Privacy Act. F. Requirements for agency responses Unlike the FOIA, there is no fixed time when an agency must respond to a request for access to records under the Privacy Act. It is good practice for an agency to acknowledge receipt of a Privacy Act request within ten days and to provide the requested records within thirty days. At many agencies, FOIA and Privacy Act requests are processed by the same personnel. When there is a backlog of requests, it takes longer to receive a response. As a practical matter, there is little that a requester can do when an agency response is delayed. Requesters should be patient. Agencies generally process requests in the order in which they were received. Some agencies will expedite the processing of urgent requests. Anyone with a pressing need for records should consult with the agency Privacy Act officer about how to ask for expedited treatment of requests. G. Reasons access may be denied under the Privacy Act Not all records about an individual must be disclosed under the Privacy Act. Some records may be withheld to protect important government interests such as national security or law enforcement. The Privacy Act exemptions are different than the exemptions of the FOIA. Under the FOIA, any record may be withheld from disclosure if it contains exempt information when a request is received. The decision to apply an FOIA exemption is made only after a request has been made. In contrast, Privacy Act exemptions apply not to a record but to a system of records. Before an agency can apply a Privacy Act exemption, the agency must first issue a regulation stating that there may be exempt records in that system of records. Without reviewing system notices or agency regulations, it is hard to tell whether particular Privacy Act records are exempt from disclosure. However, it is a safe assumption that any system of records that qualifies for an exemption has been exempted by the agency. Since most record systems are not exempt, the exemptions are not relevant to most requests. Also, agencies do not always rely upon available Privacy Act exemptions unless there is a specific reason to do so. Thus, some records that could be withheld will nevertheless be disclosed upon request. Because Privacy Act exemptions are complex and used infrequently, most requesters need not worry about them. The exemptions are discussed here for those interested in the Acts details and for reference when an agency withholds records. Anyone needing more information about the Privacy Acts exemptions can begin by reading the relevant sections of the Act. The complete text of the Act is reprinted in an appendix to this guide. In 1975, the Office of Management and Budget issued guidance to federal agencies on the Privacy Act of 1974. Those guidelines are a good source of commentary and explanation for many of the provisions of the Act. The OMB guidelines can be found at 40 Federal Register 28948 (July 9, 1975). The Privacy Acts exemptions differ from those of the FOIA in another important way. The FOIA is mostly a disclosure law. Information exempt under the FOIA is exempt from disclosure only. The Privacy Act, however, imposes many separate requirements on personal records. Some systems of records are exempt from the disclosure requirements, but no system is exempt from all Privacy Act requirements. For example, no system of records is ever exempt from the requirement that a description of the system be published. No system of records can be exempted from the limitations on disclosure of the records outside of the agency. No system is exempt from the requirement to maintain an accounting for disclosures. No system is exempt from the restriction against the maintenance of unauthorized information on the exercise of First Amendment rights. All systems are subject to the requirement that reasonable efforts be taken to assure that records disclosed outside the agency be accurate, complete, timely, and relevant. Each agency must maintain proper administrative controls and security for all systems. Finally, the Privacy Acts criminal penalties remain fully applicable to each system of records. 1. General Exemptions There are two general exemptions under the Privacy Act. The first applies to all records maintained by the Central Intelligence Agency. The second applies to selected records maintained by an agency or component whose principal function is any activity pertaining to criminal law enforcement. Records of criminal law enforcement agencies can be exempt under the Privacy Act if the records consist of (A) information compiled to identify individual criminal offenders and which consists only of identifying data and notations of arrests, the nature and disposition of criminal charges, sentencing, confinement, release, and parole and probation status; (B) criminal investigatory records associated with an identifiable individual; or (C) reports identifiable to a particular individual compiled at any stage from arrest through release from supervision. Systems of records subject to the general exemptions may be exempted from many of the Privacy Acts requirements. Exemption from the Acts access and correction provisions is the most important. An individual has no right under the Privacy Act to ask for a copy of or to seek correction of a record subject to the general exemptions. In practice, these exemptions are not as expansive as they sound. Most agencies that have exempt records will accept and process Privacy Act requests. The records will be reviewed on a case-by-case basis. Agencies will often disclose any information that does not require protection. Agencies also tend to follow a similar policy for requests for correction. Individuals interested in obtaining records from the Central Intelligence Agency or from law enforcement agencies should not be discouraged from making requests for access. Even if the Privacy Act access exemption is applied, portions of the record may still be disclosable under the FOIA. This is a primary reason individuals should cite both the Privacy Act and the FOIA when requesting records. The general exemption from access does prevent requesters from filing a lawsuit under the Privacy Act when access is denied. The right to sue under the FOIA is not changed because of a Privacy Act exemption. 2. Specific Exemptions There are seven specific Privacy Act exemptions that can be applied to systems of records. Records subject to these exemptions are not exempt from as many of the Acts requirements as are the records subject to the general exemptions. However, records exempt under the specific exemptions are likely to be exempt from the Privacy Acts access and correction provisions. Nevertheless, since the access and correction exemptions are not always applied when available, those seeking records should not be discouraged from making a request. Also, the FOIA can be used to seek access to records exempt under the Privacy Act. The first specific exemption covers record systems containing information properly classified in the interest of national defense or foreign policy. Classified information is also exempt from disclosure under the FOIA and will normally be unavailable under either the FOIA and Privacy Acts. The second specific exemption applies to systems of records containing investigatory material compiled for law enforcement purposes other than material covered by the general law enforcement exemption. The specific law enforcement exemption is limited when as a result of the maintenance of the records an individual is denied any right, privilege, or benefit to which he or she would be entitled by federal law or for which he or she would otherwise be entitled. In such a case, disclosure is required except where disclosure would reveal the identity of a confidential source who furnished information to the government under an express promise that the identity of the source would be held in confidence. If the information was collected from a confidential source before the effective date of the Privacy Act (September 27, 1975), an implied promise of confidentiality is sufficient to permit withholding of the identity of the source. This distinction between express and implied promises of confidentiality is repeated throughout the specific exemptions of the Privacy Act. The third specific exemption applies to systems of records maintained in connection with providing protective services to the President of the United States or other individuals who receive protection from the Secret Service. The fourth specific exemption applies to systems of records required by statute to be maintained and used solely as statistical records. The fifth specific exemption covers investigatory material compiled solely to determine suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information. However, this exemption applies only to the extent that disclosure of information would reveal the identity of a confidential source who provided the information under a promise of confidentiality. The sixth specific exemption applies to systems of records that contain testing or examination material used solely to determine individual qualifications for appointment or promotion in federal service, but only when disclosure would compromise the objectivity or fairness of the testing or examination process. Effectively, this exemption permits withholding of questions used in employment tests. The seventh specific exemption covers evaluation material used to determine potential for promotion in the armed services. The material is only exempt to the extent that disclosure would reveal the identity of a confidential source who provided the information under a promise of confidentiality. 3. Medical Records Medical records maintained by federal agencies for example, records at Veterans Administration hospitals are not formally exempt from the Privacy Acts access provisions. However, the Privacy Act authorizes a special procedure for medical records that operates, at least in part, like an exemption. Agencies may deny individuals direct access to medical records, including psychological records, if the agency deems it necessary. An agency normally reviews medical records requested by an individual. If the agency determines that direct disclosure is unwise, it can arrange for disclosure to a physician selected by the individual or possibly to another person chosen by the individual. 4. Litigation Records The Privacy Acts access provisions include a general limitation on access to litigation records. The Act does not require an agency to disclose to an individual any information compiled in reasonable anticipation of a civil action or proceeding. This limitation operates like an exemption, although there is no requirement that the exemption be applied by regulation to a system of records before it can be used. H. Administrative appeal procedures for denial of access Unlike the FOIA, the Privacy Act does not provide for an administrative appeal of the denial of access. However, many agencies have established procedures that will allow Privacy Act requesters to appeal a denial of access without going to court. An administrative appeal is often allowed under the Privacy Act, even though it is not required, because many individuals cite both the FOIA and Privacy Act when making a request. The FOIA provides specifically for an administrative appeal, and agencies are required to consider an appeal under the FOIA. When a Privacy Act request for access is denied, agencies usually inform the requester of any appeal rights that are available. If no information on appeal rights is included in the denial letter, the requester should ask the Privacy Act Officer. Unless an agency has established an alternative procedure, it is possible that an appeal filed directly with the head of the agency will be considered by the agency. When a request for access is denied under the Privacy Act, the agency explains the reason for the denial. The explanation must name the system of records and explain which exemption is applicable to the system. An appeal may be made on the basis that the record is not exempt, that the system of records has not been properly exempted, or that the record is exempt but no harm to an important interest will result if the record is disclosed. There are three basic elements to a Privacy Act appeal letter. First, the letter should state that the appeal is being made under the Privacy Act of 1974. If the FOIA was cited when the request for access was made, the letter should state that the appeal is also being made under the FOIA. This is important because the FOIA grants requesters statutory appeal rights. Second, a Privacy Act appeal letter should identify the denial that is being appealed and the records that were withheld. The appeal letter should also explain why the denial of access was improper or unnecessary. Third, the appeal should include the requesters name and address. It is a good practice for a requester to also include a telephone number when making an appeal. Appendix 1 includes a sample letter of appeal. I. Amending records under the privacy act The Privacy Act grants an important right in addition to the ability to inspect records. The Act permits an individual to request a correction of a record that is not accurate, relevant, timely, or complete. This remedy allows an individual to correct errors and to prevent incorrect information from being disseminated by the agency or used unfairly against the individual. The right to seek a correction extends only to records subject to the Privacy Act. Also, an individual can only correct errors contained in a record that pertains to himself or herself. Records disclosed under the FOIA cannot be amended through the Privacy Act unless the records are also subject to the Privacy Act. Records about unrelated events or about other people cannot be amended unless the records are in a Privacy Act file maintained under the name of the individual who is seeking to make the correction. A request to amend a record should be in writing. Agency regulations explain the procedure in greater detail, but the process is not complicated. A letter requesting an amendment of a record will normally be addressed to the Privacy Act officer of the agency or to the agency official responsible for the maintenance of the record system containing the erroneous information. The envelope containing the request should be marked " Privacy Act Amendment Request" on the lower left corner. There are five basic elements to a request for amending a Privacy Act record. First, the letter should state that it is a request to amend a record under the Privacy Act of 1974. Second, the request should identify the specific record and the specific information in the record for which an amendment is being sought. Third, the request should state why the information is not accurate, relevant, timely, or complete. Supporting evidence may be included with the request. Fourth, the request should state what new or additional information, if any, should be included in place of the erroneous information. Evidence of the validity of the new or additional information should be included. If the information in the file is wrong and needs to be removed rather than supplemented or corrected, the request should make this clear. Fifth, the request should include the name and address of the requester. It is a good idea for a requester to include a telephone number. Appendix 1 includes a sample letter requesting amendment of a Privacy Act record. J. Appeals and Requirements For Agency Responses An agency that receives a request for amendment under the Privacy Act must acknowledge receipt of the request within ten days (not including Saturdays, Sundays, and legal holidays). The agency must promptly rule on the request. The agency may make the amendment requested. If so, the agency must notify any person or agency to which the record had previously been disclosed of the correction. If the agency refuses to make the change requested, the agency must inform the requester of: (1) the agency's refusal to amend the record; (2) the reason for refusing to amend the request; and (3) the procedures for requesting a review of the denial. The agency must provide the name and business address of the official responsible for conducting the review. An agency must decide an appeal of a denial of a request for amendment within thirty days (excluding Saturdays, Sundays, and legal holidays), unless the time period is extended by the agency for good cause. If the appeal is granted, the record will be corrected. If the appeal is denied, the agency must inform the requester of the right to judicial review. In addition, a requester whose appeal has been denied also has the right to place in the agency file a concise statement of disagreement with the information that was the subject of the request for amendment. When a statement of disagreement has been filed and an agency is disclosing the disputed information, the agency must mark the information and provide copies of the statement of disagreement. The agency may also include a concise statement of its reasons for not making the requested amendments. The agency must also give a copy of the statement of disagreement to any person or agency to whom the record had previously been disclosed. K. Filing a Judicial Appeal The Privacy Act provides a civil remedy whenever an agency denies access to a record or refuses to amend a record. An individual may sue an agency if the agency fails to maintain records with accuracy, relevance, timeliness, and completeness as is necessary to assure fairness in any agency determination and the agency makes a determination that is adverse to the individual. An individual may also sue an agency if the agency fails to comply with any other Privacy Act provision in a manner that has an adverse effect on the individual. The Privacy Act protects a wide range of rights about personal records maintained by federal agencies. The most important are the right to inspect records and the right to seek correction of records. Other rights have also been mentioned here, and still others can be found in the text of the Act. Most of these rights can become the subject of litigation. An individual may file a lawsuit against an agency in the federal district court in which the individual lives, in which the records are situated, or in the District of Columbia. A lawsuit must be filed within two years from the date on which the basis for the lawsuit arose. Most individuals require the assistance of an attorney to file a judicial appeal. An individual who files a lawsuit and substantially prevails may be awarded reasonable attorney fees and litigation costs reasonably incurred. Some requesters may be able to handle their own appeal without an attorney. Since this is not a litigation guide, details about the judicial appeal process have not been included. Anyone considering filing an appeal can begin by reviewing the provisions of the Privacy Act on civil remedies. See note 20.