Privacy Act Frequently Asked Questions
- Under what conditions is the Privacy Act applicable to a study or other data collection project?
- Is it always inappropriate to collect individually identified data?
- Does the Privacy Act place any restrictions on the type of information to be collected?
- Does the Privacy Act apply to all records in which individually identified data are collected?
- If an agency is maintaining a Privacy Act system of records, what measures must be taken to comply with the Act?
- What steps should be taken to ensure that a new study or project with individually identified records is covered under a CDC or ATSDR Privacy Act system notice?
- When does the Privacy Act apply to a project in which a contractor is involved in data collection/management?
- What are factors to consider in deciding whether the Privacy Act applies to a contract?
- Does the Privacy Act apply to projects in which data collection is being performed by a grantee or cooperative agreement holder?
- Can an agency promise absolute and complete confidentiality to participants when records are protected solely by the Privacy Act?
- What are some clues that the Privacy Act might be involved in a data collection project?
- If I maintain a Privacy Act system what measures must I take?
- How much protection does the Privacy Act afford?
- Does the Privacy Act prohibit all disclosures except those expressly authorized by subject individual?
- What records are not protected by the Privacy Act?
- Is the Privacy Act the legislative authority that permits withholding of personal information?
Under what conditions is the Privacy Act applicable to a study or other data collection project?
The Privacy Act is applicable only when records are maintained by a federal agency in a "system of records." The term "system of records" refers to a group of records under the control of a Federal agency from which information is retrieved by the name of the individual, identifying number, or some other identifying particular.
- The Department of Health and Human Services and OMB discourage collection of names except in unusual circumstances.
- One should always ask whether unidentifiable information would suffice --consider collecting the first four letters of the last name, a soundex code, having a State health department keep names and send CDC only code numbers, etc.
- If names are essential (as to conduct follow up in the future), the Privacy Act permits the investigator to do so, but Privacy Act provisions must be followed.
- A key objective of the Privacy Act is to minimize the amount of information collected and maintained, thereby reducing the possibility of misuse;
- The Privacy Act provisions limit the collection of personal information to that collected to accomplish an agency purpose required by law;
- The Privacy Act limits the use of SSN for identity verification purposes;
- The Privacy Act requires that an agency maintain records used in making any determination about any individual with information that is relevant, accurate, timely, and complete;
- The Privacy Act requires that agencies collect information directly from the subject individual, to the greatest extent practicable, particularly if it could result in an adverse determination about an individual’s rights, benefits, or privileges.
- whether the individually identified data are maintained at a Federal agency -- the Privacy Act applies if data are retrieved by name or other identifying particular;
- whether the individually identified data are being collected and/or maintained by a contractor, grantee, or cooperative agreement holder -- Privacy Act may or may not apply -- see responses to questions below;
- the primary method by which the data will be retrieved -- The Privacy Act applies if data are retrieved by name or SSN; but if data are primarily retrieved by another variable, the Privacy Act may not apply.
- Agencies must maintain safeguards--physical, technical, and administrative--to protect the data. Safeguards include keeping records in locked file cabinets, locked rooms, password protecting computer files, limiting access to agency employees with a "need to know," etc.;
- To grant access by the subject individual to his/her records, procedures must be followed -e.g., notarized signature, special parental requirements to access records of minors, etc.;
- Project participants must be provided with Privacy Act notification statement information either on the data collection instrument or within the consent form (data collection authority, purpose of project, anticipated disclosures, whether participation is voluntary, effects of nondisclosure, availability of accounting of disclosures).
- The staff associated with the project should know the Privacy Act system notice covering the data collection and the "routine uses" (permissible, unconsented to disclosures outside HHS) described in the notice covering the record system that has been published in the Federal Register.
What steps should be taken to ensure that a new study or project with individually identified records is covered under a CDC or ATSDR Privacy Act system notice?
To comply with Privacy Act requirements, CDC and ATSDR has published in the Federal Register system notices (See Index) covering a wide variety of topics. Umbrella systems such as CDC’s 09-20-0136, "Epidemiologic Studies and Surveillance of Disease Problems," ATSDR’s 09-19-0001, "Records of Persons Exposed or Potentially Exposed to Toxic or Hazardous Substances," and NIOSH’s 09-20-0147, "Occupational Health Epidemiological Studies" were designed to include a broad range of research projects or surveillance activities undertaken by agency investigators. However, to enable an accurate accounting of Privacy Act records, the CIO Privacy Act Liaison must be informed so that the project or study can be registered as a component of an official Privacy Act record system.
- If data collection includes names, Social Security numbers, or some other identifying particulars; and
- the contract calls for the establishment, maintenance, or operation of a system of records which, but for the contract, the Federal agency would perform.
- If the contractor is adding to his/her already established record system (e.g., a medical school health clinic is asked to collect survey data on patients already presenting to the clinic for treatment) --The Privacy Act would not apply.
- If the contractor has an already established record system, but the contract is requiring extensive additional data collection such that a separate record system must be established (e.g., a health department clinic that routinely provides immunizations collecting only minimal information is asked to collect extensive demographic information, contact household members to collect data on their health status, etc.) -- the Privacy Act would apply.
Does the Privacy Act apply to projects in which data collection is being performed by a grantee or cooperative agreement holder?
The Privacy Act is not applicable to data collections performed by grantees and is not generally applicable to data collections performed by a cooperative agreement holder.
Can an agency promise absolute and complete confidentiality to participants when records are protected solely by the Privacy Act?
No, the Privacy Act permits 12 disclosures without the subject individual’s consent -- the most common ones being for a routine use (defined above) and in response to a court order. Note: Only with special confidentiality protection provided under the authority of Section 301(d) or 308(d) of the Public Health Service Act and granted by the Director, CDC, can participants be assured that their data will be shared only with those individuals/organizations specifically listed in the consent form.
- Am I asking for name or social security number on a data collection instrument?
- Am I setting up or adding to a system in which records are retrieved by name or social security number?
- Have I begun to retrieve records by name or social security number that previously were filed by some other primary reference (course name, drug name, etc.)?
- Safeguard records - Keep records in locked file cabinets, do not leave records uncovered on desks, lock rooms after hours, password protect computerized records, limit access to agency employees with a "need to know" to perform job duties.
- Follow specified access procedures - Before releasing records to subject individual, obtain a notarized signature or certification statement; parents must produce birth certificate and designate a health professional to receive records.
- Know "routine uses" (permissible, unconsented to disclosures outside HHS) described in the published notice covering the record system. CDC has 34 system notices; however, a large number of projects at CDC are covered by umbrella systems (broad systems covering a variety of research projects). The two principal umbrella systems are 09-20-0136, "Epidemiologic Studies and Surveillance of Disease Problems" (NCPDCID) and 09-20-0147, "Occupational Health Epidemiological Studies" (NIOSH).
- Furnish project participants with Privacy Act notification elements -- authority (usually Public Health Service Act, Section 301), purpose, anticipated disclosures, whether participation is voluntary or compulsory, effects of nondisclosure, and availability of an accounting of disclosures. These elements should appear on the data collection instrument or on the consent form.
- Refer requests by third parties (including attorneys) to the Office of the CDC Freedom of Information Act Officer, Office of Communications
- Consult with the CDC Privacy Act Officer on Request for Contracts involving collection or use of names.
- Records collected for one purpose cannot be used for another.
- Subject individual has access to his/her own records but access by others is limited.
- Records are safeguarded.
Does the Privacy Act prohibit all disclosures except those expressly authorized by subject individual?
No, the Privacy Act has 12 disclosures that are permissible without the subject's consent. The most common ones are: to agency employees with a "need to know," for a routine use (e.g., to cooperating medical authorities), when a medical emergency affecting the health and safety of others occurs, to a Congressional committee, and in response to a court order. The system manager is permitted, but not coerced to share data under these circumstances, but research participants should be aware of these possible disclosures.
- Records of dead persons.
- Records of individuals who are not U.S. citizens or lawfully admitted liens.
- Records not the property of a Federal Government agency.
- Records not containing full names, social security numbers, or other unique identifiers.
- Records containing names but not primarily filed and retrieved by name or social security numbers (e.g., job announcements filed by announcement number, course data filed by course name.)
Is the Privacy Act the legislative authority that permits withholding of personal information?
No, it is the Freedom of Information Act (FOIA). Only the FOIA Officer of an agency may withhold the release of data. The exemption most frequently used at CDC is FOIA Exemption 6 -- a clearly unwarranted invasion of personal privacy.
- Page last updated: April 11, 2012