
What Every Executive Should Know About FOIA and the Privacy Act


Presentation Transcript


  1. EEOC Executive Leadership Conference
     What Every Executive Should Know About FOIA and the Privacy Act
     Charlene Wright Thomas, US Department of State

  2. Freedom of Information Act: FOIA Resources
     • 5 U.S.C. 552
     • Your agency FOIA Officer
     • Department of Justice’s Freedom of Information Act Guide, available on DOJ’s website
     • DOJ FOIA Counselor: (202) 514-FOIA

  3. Freedom of Information Act
     • Statutory right of access to agency records, enforceable in court
     • Any person can make a request
     • Reason for the request is irrelevant
     • President Obama instructs that “a presumption of openness should be applied to all decisions involving FOIA”

  4. Freedom of Information Act: Three types of disclosure
     • Automatically published in the Federal Register: agency organization, functions, etc.;
     • Automatically put on the agency internet “reading room”: final opinions, policy, staff manuals, frequently requested records; and
     • Disclosure by request

  5. Freedom of Information Act: Creation of a Record Not Required

  6. Freedom of Information Act: Reasonable Search
     May require a hand search of hard-copy records as well as an electronic search (with new or existing computer programming), including a search of e-mail

  7. Freedom of Information Act: Time Limits
     • Generally 20 working days to make a determination on disclosure
     • If requested, 10 days to make a decision on whether to expedite a request; if expedited, as soon thereafter as practicable
     • Reasons for expedition: threat to life or safety; media, if there is urgency
     • Possible fee penalties for late responses

  8. Freedom of Information Act
     • Exemption 1: (A) specifically authorized “under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy” and (B) “in fact properly classified pursuant to such Executive order”
     • Exemption 2: “related solely to the internal personnel rules and practices of an agency”
     • Exemption 3: permitted or required to be withheld by another federal statute

  9. Freedom of Information Act
     • Exemption 4: “trade secrets and commercial or financial information obtained from a person [that is] privileged or confidential”
     • Exemption 5: “inter-agency or intra-agency memorandums or letters which would not be available by law to a party other than an agency in litigation with the agency”
     • Exemption 6: “personnel and medical files and similar files” the disclosure of which would cause a clearly unwarranted invasion of personal privacy

  10. Freedom of Information Act
     • Exemption 7(A): “records or information compiled for law enforcement purposes . . . to the extent that [their] production . . . could reasonably be expected to interfere with enforcement proceedings”
     • Exemption 7(B): “records or information compiled for law enforcement purposes … to the extent that [their] production … would deprive a person of a right to a fair trial or impartial adjudication”
     • Exemption 7(C): “records or information compiled for law enforcement purposes … to the extent that [their] production … could reasonably be expected to constitute an unwarranted invasion of personal privacy”

  11. Freedom of Information Act
     • Exemption 7(D): law enforcement information that could reasonably be expected to identify a confidential source or, in a criminal or national security file, any information provided by the confidential source
     • Exemption 7(E): law enforcement information that would reveal law enforcement techniques or procedures
     • Exemption 7(F): “records or information compiled for law enforcement purposes … to the extent that [their] production … could reasonably be expected to endanger the life or personal safety of any individual”

  12. Freedom of Information Act
     • Exemption 8: related to examination, operating, or condition reports prepared by agencies that supervise or regulate financial institutions
     • Exemption 9: geological and geophysical information and data concerning wells

  13. Freedom of Information Act
     FOIA policy under President Obama, as implemented by Attorney General Holder:
     • Emphasis on discretionary disclosures: release unless an exemption is applicable and (1) there is a readily foreseeable harm from disclosure, or (2) disclosure is prohibited by statute
     • Emphasis on Exemptions “low 2,” 5, and 7 (age and sensitivity are key factors)
     • Review pending litigation
     • FOIA is everyone’s responsibility
     • Proactive online disclosures

  14. Privacy Act: Privacy Act Resources
     • 5 U.S.C. 552a
     • Your agency Privacy Act Officer
     • The Privacy Act Overview, available on DOJ’s website
     • OMB Guidelines

  15. Why the Privacy Act?
     • It is a permanent consequence of the Watergate scandal
     • Curb abuses from the Government's use of computers to amass personal records (secret files, compilation of dossiers)
     • Balance the Government's need for personal information with the privacy rights of individuals
     • Tighten the conditions under which an agency discloses records to another agency, outside entity, or person

  16. Privacy Act
     Contains a system of disclosure similar to the FOIA, which sometimes provides an individual with greater access, and sometimes lesser access, to records about himself or herself

  17. Privacy Act: Individual
     “[A] citizen of the United States or an alien lawfully admitted for permanent residence”

  18. Privacy Act: Record
     “[A]ny item, collection or grouping of information about an individual” that contains his or her name or personal identifier

  19. Privacy Act: Criminal Penalties
     1. An employee who willfully makes a wrongful disclosure
     2. An employee who maintains a system of records without publishing notice of it in the Federal Register
     3. Anyone knowingly and willfully obtaining records by false pretenses

  20. Major Features of the Act
     • Publish a notice (called a “SORN”) in the Federal Register about the existence and nature of the records
     • Tender a notice at the point of collection, e.g., on a paper or web form, or as an introduction to a data-gathering interview
     • Inform individuals of procedures for them to inspect or correct their records (subject to there not being exemptions)
     • Limit agencies’ prerogatives to disclose records to outside persons or entities, including other agencies
     • Enforce civil and criminal penalties for violations

  21. Violations and Penalties
     CRIMINAL VIOLATIONS
     • Maintaining a system of records without meeting the SORN notification requirement
     • Unlawful and willful disclosure
     • Acting under false pretenses, or facilitating those acting under false pretenses, to obtain a record
     CRIMINAL PENALTIES
     • Misdemeanor charge (jail up to a year)
     • Fine of not more than $5,000
     CIVIL VIOLATIONS
     • Unlawfully refusing to grant access or to amend a record
     • Failure to maintain accurate, relevant, timely, and complete data
     • Failure to comply with any Privacy Act provision or agency rule that results in any adverse effect
     CIVIL PENALTIES
     • A court may award actual damages sustained by the individual
     • In no case shall a person entitled to recovery receive less than the sum of $1,000, plus reasonable attorney fees and litigation costs

  22. Common Mistakes
     • Unknowingly collecting Privacy Act information
     • Not issuing rules of conduct to those who handle the information, including contractors
     • Not including the standard FAR privacy clauses in a contract
     • Disclosing records outside the agency without a published authority to do so
     • Disclosing records when an exemption prevents it
     • Allowing use to grow beyond what is compatible with the original purpose and authority for collection
     • Not focusing sufficient attention on the “insider threat” to the confidentiality and integrity of records

  23. RECENT EVENTS: Breaches in the News

  24. TODAY’S PRIVACY LANDSCAPE
     • Risky designs
     • PII on portables
     • Remote access and telework arrangements
     • Outgoing emails
     • USB devices
     • Ineffective real-time monitoring of user actions, e.g., curiosity browsing

  25. Our risk is growing, not shrinking
     • It is not a matter of “if” you will have a PII breach, but “when”
     • Are you willing to spend over $200 for each breached record? (Ponemon Institute’s estimate)
     • If you don’t collect it, then you don’t need to protect it
     • So challenge every proposed collection of PII, element by element, in new or existing systems

  26. QUESTIONS?
