Privacy Act Requirements
Most employees are involved with managing information – including information about individuals. Do you maintain files about individuals? Develop or use a database which includes names of people, even a small one residing on your own computer? Develop surveys, forms or questionnaires? Develop a Web site and collect information from it? If so, it is important to be aware of your part in being stewards of the information entrusted to you by the public, other employees and financial institutions.
Part of that stewardship is ensuring that Privacy Impact Assessments (PIAs) are completed when considering the collection of information on individuals or managing a database with information on individuals. (See information below.)
What is Privacy?
Privacy is the right to be left alone and to control the conditions under which information pertaining to you is collected, used and disseminated.
What is the Privacy Act?
The Privacy Act is a federal law that balances the Government's need to maintain information about individuals with the right of the individuals to be protected against unwarranted invasions of their privacy.
The Privacy Act establishes special requirements for the Executive Branch of Government when collecting, creating, maintaining, and distributing records that can be retrieved by the name of an individual, or other identifier (whether in paper or electronic form).
Privacy Act Core Requirements
The Privacy Act core requirements provide for:
- Limitations on the collection, use and dissemination of personally identifiable information about an individual.
- Disclosure restrictions to third parties.
- Access and amendment rights of the individuals who are subjects of the files.
- Notification to the public of collections of information on them (forms and Web sites), and record systems (Federal Register Privacy System Notice). Secret records on individuals cannot be maintained.
- Requirements for data collection include:
  - Is the information relevant and necessary?
  - Is the information accurate, timely, and complete?
  - Is the information from the subject?
  - Is there a notice addressing the purpose and use of the information?
  - Are safeguards in place to protect the integrity of the information?
- Interagency data sharing requirements apply when matches are made with another Federal or state government agency and the matches are used to verify initial eligibility for federal benefits programs.
Who is Responsible for Complying with the Law?
FDIC managers, the Chief Privacy Officer, systems managers and you.
Because you may:
- Handle information on individuals.
- Respond to requests for information in a system of records, or about individuals.
- Collect information and file it by name or ID.
- Manage a database with information on individuals.
Employee Privacy Act Responsibilities
Employees who handle information on individuals should become familiar with References and Guidelines on the Privacy Act and privacy protection. Be aware of the most common Privacy Act situations so you will be alerted to potential problems before they arise.
Privacy Impact Assessments
The Privacy Impact Assessment (PIA) is a checklist required by the E-Government Act of 2002. The purpose of the PIA is to ensure that privacy protections and Privacy Act requirements are considered when designing and developing a new or modified information system that contains information on individuals.
PIA requirements should be considered when establishing new electronic information collections from the public, collections of information from Web sites, creation of new databases or amendments of others, and use of new technology that may impact individuals.
For more information see the following links:
Links to Guidelines and References
Federal Laws and Guidelines
Web Site Privacy Requirements
Other Laws and Guidelines that Support the Privacy Act
This information is not intended to make you a specialist on Privacy Act matters, but only to increase your awareness of your role and of privacy issues. FDIC has a Chief Privacy Act Officer (CPO) who is available to help you deal with Privacy Act questions and problems. If you have any questions on whether the Privacy Act applies in a situation, contact the Privacy Program Manager.
Even when information on individuals is not filed by a name or other identifier, and so is not covered by the Privacy Act, other laws such as the Freedom of Information Act (FOIA) apply in protecting privacy. For example, FOIA Exemptions 6 and 7(C) address the protection of personal information.