Privacy Act: What You Need to Know
- Lance Johnson
- Oct 7, 2025
- 8 min read
Privacy Act (General Info)
The Federal Government collects massive amounts of data about people living in the United States. Almost every interaction with the Federal government is recorded, catalogued and maintained for later use. Even more so, Federal employees and members of the military have countless amounts of data collected by the government about them.
All information collected by the Federal Government that is retrievable by your name or an identifiable number is governed by the Privacy Act. That is, if you can search a system by your name or your social security number, employee number, or some other number, it is a Privacy Act record. In fact, for every tracking the Government uses they publish a Systems of Record Notice (SORN).
Many people are aware of the Privacy Act because of training they received while working for the Government. It’s also common to hear “if you share this information you will violate the Privacy Act” or see a cover sheet on a document saying the record is governed by the Privacy Act. But many people do not know what the Privacy Act really means to them.
The Privacy Act often gets confused with the FOIA. Basically, the Privacy Act allows a person to request information about themselves- and correct it- while the FOIA allows records about how the Government operates to be requested. And, if the record about you that is controlled by the Privacy Act is inappropriately shared you can sue for damages- that’s right- be awarded money for a Privacy Act violation (but more about that later). A Privacy Act record could be a medical record, Fitness Report, PWP, award, discipline record, investigation, and the like. A FOIA record is a government policy paper, an opinion, an investigation.
So, what does the Privacy Act mean for you?
The Privacy Act allows for access to your records and control of how they are released.
Generally, if a record is controlled by the Privacy Act the person who it is about gets full access to everything in it- none, or very few redactions, and a quick response.
Different than other government records, a Privacy Act record can only be shared if there is a routine use exemption in the SORN. That means your record can only be shared, or even looked at, if there is an exemption that allows- or that limit what you can get access to in your record.
And, if that Privacy Record is shared outside of one those limited exemption, the person who had their record illegally disseminated can sue for damages and a return of the record.
Privacy Act exemptions are very narrow that keep you from getting full access to your records, they are:
(d)(5) | Information compiled in reasonable anticipation of a civil action proceeding. This is material in your record that is entered in by a lawyer like attorney-client or attorney work product, similar to FOIA exemption (b)(5) |
(j)(2) | Material reporting investigative efforts pertaining to the enforcement of criminal law including efforts to prevent, control, or reduce crime or to apprehend criminals. Material in a criminal investigation record of yours that would give away law enforcement techniques, similar to FOIA exemption (b)(7)(E) |
(k)(1) | Information that is currently and properly classified pursuant to an executive order in the interest of the national defense or foreign policy, for example, information involving intelligence sources or methods. If you have a classified Privacy Act record and there is a national security concern if it is released to you |
(k)(2) | Investigatory material compiled for law enforcement purposes, other than criminal, which did not result in loss of a right, benefit or privilege under federal programs, or which would identify a source who furnished information pursuant to a promise that his/her identity would be held in confidence. Non-criminal investigations- personnel, EO, harassment, performance- that were unfounded or that gives a witness’s name- similar to FOIA exemptions (b)(7)(A) and (b)(7)(D) |
(k)(3) | Material maintained in connection with providing protective services to the President of the United States or any other individual pursuant to the authority of Title 18, United States Code, Section 3056. Limited Secret Service Records |
(k)(4) | Required by statute to be maintained and used solely as statistical records. Equal Opportunity, Census, demographic records |
(k)(5) | Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment or for access to classified information, the disclosure of which would reveal the identity of the person who furnished information pursuant to a promise that his/her identity would be held in confidence. Clearance or background investigations only when the identity of a reference would be disclosed to you |
(k)(6) | Testing or examination material used to determine individual qualifications for appointment or promotion in federal government service, the release of which would compromise the testing or examination process. Hiring or promotion information when there is testing required that could give away how the tests are made, conducted or graded |
(k)(7) | Material used to determine potential for promotion in the armed services, the disclosure of which would reveal the identity of the person who furnished the material pursuant to a promise that his/her identity would be held in confidence. Promotion board notes in your file |
Every SORN allows for blanket “routine uses” for a Privacy Act and each SORN is different. A routine use allows for the disclosure of a Privacy Act record without contacting the person who the record is about. However, these routine uses are very narrow and if they are done inappropriately have serious consequences.
As an example, a NCIS investigation of a subject has the following routine uses:
(1) To any criminal, civil, or regulatory law enforcement authority (whether Federal, state, local, tribal, or foreign) where the information is relevant to the recipient entity's law enforcement responsibilities.
(2) To a governmental entity lawfully engaged in collecting criminal law enforcement, criminal law enforcement intelligence, or national security intelligence information for law enforcement or intelligence purposes.
(3) To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for the Federal Government, when necessary to accomplish an agency function related to this system of records.
(4) In an appropriate proceeding before a court, or administrative or adjudicative body, when NCIS determines that the records are arguably relevant to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding.
(5) To an actual or potential party to litigation or the party's authorized representative for the purpose of negotiation or discussion of such matters as settlement, plea bargaining, or in informal discovery proceedings.
(6) To a former employee of NCIS for purposes of responding to an official inquiry by a Federal, state, or local government entity or professional licensing authority, in accordance with applicable NCIS regulations; or facilitating communications with a former employee that may be necessary for personnel-related or other official purposes where NCIS requires information and/or consultation assistance from the former employee regarding a matter within that person's former area of responsibility.
(7) To such recipients and under such circumstances and procedures as are mandated by Federal statute or treaty.
(8) To complainants and/or victims to the extent necessary to provide such persons with information and explanations concerning the progress and/or results of the investigation or case arising from the matters of which they complained and/or of which they were a victim.
(9) To commercial insurance companies in those instances in which they have a legitimate interest in the results of the investigation, but only to that extent and provided an unwarranted invasion of privacy is not involved.
(10) To the White House for the purpose of personnel actions requiring approval of the President of the United States as provided for in DoD Instruction 1320.4.
(11) To any person or entity if deemed by NCIS to be necessary in order to elicit information or cooperation from the recipient for use by NCIS in the performance of an authorized law enforcement activity.
(12) To any individual, organization, or governmental entity in order to notify them of a serious terrorist threat for the purpose of guarding against or responding to such a threat.
So, what does this mean?
Of these 12 routine uses, NCIS can only share an investigation to an approved organization and reason as mentioned above.
As an example, NCIS could share an investigation with a State Troopers office if they are also investigating the subject for a same or similar offense. But, if NCIS was to share an investigation of you with a media outlet that was covering a trial, or just who requested it because they heard about an investigation, that would not be a routine use because that media organization is not an approved organization and there is not a valid reason. If NCIS did, you could sue. (More on that later).
Ultimately, the Privacy Act also allows for two very unique actions by the individual- the right to correct the record if there is a factual inaccuracy and to sue if there is an authorized disclosure.
Privacy Act (Corrections)
Under the Privacy Act if there is a factual matter that is incorrect you have the right to amend your record. That is, if there is something wrong in your record, you have the right to fix it.
At Rights to Records we have assisted in amendments of:
Fitness Reports
Performance Work Plans
Performance Appraisals
Awards
Promotions
Investigations
Arrest Records
Many members of the military or Federal civilian work forces are familiar with the Boards of Military Correction or Merit Status Protection Boards. Privacy Act amendments are very similar to these formal, standing boards, but they allow for a basic correction of one’s own records.
As an example, a Military Board of Correction has the mandate to correct when a decision was made contrary to statue, law or regulation or in the interest of justice. This is very similar to what a Privacy Act amendment does but not the same.
If there is a factual issue in a Privacy Act record you can correct it through the amendment process. This is when there is a non-subjective, not a matter of opinion, item in your record. These factual matters can be supported through letters from a superior who evaluated you, emails discovered through FOIAs, records that were found when the record you seek was created, or others.
Generally, Rights to Records will assist you in finding your record, identifying the error, gaining evidence to support the factual challenge, the administrative correction, and, if needed, litigation to change the record. This can greatly assist clients when correcting an amending their records, vital for future employment, benefits, housing, and countless other matters.
Privacy Act (Violations)
Privacy Act records are much different than those that can be access under the FOIA. The FOIA allows for the public to understand how the government works. Rare, if ever, should a Privacy Act record ever be released to the public. And occasions for sharing to other Government organizations are very limited.
In fact, only if in the System of Records Notice that the record about you states there is a routine use, can they share your information.
So, let’s say you are a nurse at a Federal hospital and you have a conflict with your superior. That conflict could be captured in Privacy Act SORN like an investigation or an appraisal. The Federal Government, if it was requested, could share the investigation or your PA/PWP/Fitness Report with the state nursing board you are licensed with because they have a civil enforcement and licensing mandate. But they cannot share it with your nursing school, someone who requests it from the public, another hospital, another employer. If they do share that information with an unapproved organization or for an unapproved reason you can sue for damages. Additionally, attorney fees, the cost to hire Rights to Records, is covered in the suit by the Government if you win- meaning you do not have to pay for Rights to Records nor does it come out of your damages from the Government.
Comments