The Privacy Act
Entry into force:1974
The Privacy Act of 1974 (5 U.S.C. 552a, 1974) is the main legal framework protecting personal data held by the public sector in the United States. It protects record held by US government agencies and requires them to apply fair information practices. From a first overview of the main provisions of Privacy Act, it appears that the Code of Fair Information Practices was strongly integrated in the wording. All the five principles find their place in the law. The transparency principle is translated in (e)(4): “Each agency that maintains a system of records shall […] publish in the Federal Register upon establishment or revision a notice of the existence and character of the system of records […]”. The access and correction principles shape the provisions of the section (d) on “access to records”. Data security is addressed in section on “agency requirements”, at (e)(5) and (10). Finally, the purpose limitation principle is enshrined in (e)(1), stating that each agency shall “maintain in its records only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required to be accomplished by statute or by Executive order of the President”.
Furthermore, the Privacy Act identifies aspecific class of sensitive data: “records describing how any individual exercises rights guaranteed by the First Amendment” (e)(7). Such records shall not be maintained unless strict and cogent rules. The Privacy Act provides for the establishment of Data Integrity Boards within agencies participating or conducting matching programs (u). Such Data Integrity Board has essentially review, approval and guidelines setting powers. It has no enforcement powers and is not structurally independent, consisting of “senior officials designated by the head of the agency”(u)(2).
Finally, sections (g) and (i) defines the procedures of legal redress available toindividuals and of criminal penalties in case of certain categories of misconduct ofgovernment officers.