Privacy Act (PA)
- What is personally identifiable information (PII)?
- What are examples of PII?
- What are the risks if personally identifiable information (PII) is misused?
- Why should I be interested in the Privacy Act?
- What information is covered under the Privacy Act?
Personally identifiable information (PII) is any information that can be used to distinguish or trace a person's identity.
Examples of personally identifiable information (PII) include:
- Social Security Number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number;
- Personal address and phone number;
- Biometric records such as a photographic image (especially of the face or other distinguishing characteristic), x-rays, fingerprints, retina scan, voice signature, and facial geometry; and
- Information that, when combined with other information like that listed above, can be used to identify a specific individual. Examples include date of birth, place of birth, race, religion, geographical indicators, employment information, medical information, education information, and financial information.
Both the individual whose personally identifiable information (PII) was the subject of the misuse and the organization that maintained the PII may experience some degree of adverse effects. Depending on the type of information involved, an individual may suffer social, economic, or physical harm resulting in potential loss of life, loss of livelihood, or inappropriate physical detention. If the information lost is sufficient to be exploited by an identity thief, for example, the person may suffer from a loss of money, damage to credit, a compromise of medical records, threats, and/or harassment. The individual may also suffer tremendous losses of time and money to address the damage. Other potential harms which may result from the compromise of an individual's PII include embarrassment, improper denial of government benefits, blackmail, and discrimination.
Likewise, organizations may experience harm as a result of a loss of PII maintained by the organization. Harm may include administrative burden, remediation costs, financial losses, loss of public reputation and public trust, and legal liability.
The Privacy Act of 1974, as amended at 5 U.S.C. 552a, is a code of fair information practices that mandates how Federal agencies, like the Department of Defense, maintain personally identifiable information (PII), i.e., records that uniquely identify you. The basic provisions of the Act require government agencies to:
- collect only information that is relevant and necessary to carry out an agency function;
- maintain no secret records on you;
- explain, at the time the information is being collected, why it is needed and how it will be used;
- ensure that the records are used only for the reasons given, or seek your permission when another purpose for their use is considered necessary or desirable;
- provide adequate safeguards to protect the records from unauthorized access and disclosure;
- allow you to see the records kept about you and provide you with the opportunity to correct inaccuracies in your records; and
- allow you to find out about disclosures of your records to other agencies and persons.
The Privacy Act prohibits disclosure of these records without the written consent of the individual(s) to whom the records pertain unless one of the twelve disclosure exceptions enumerated in the Act applies. These records are held in Privacy Act 'systems of records.' A notice for each such system of records is published in the Federal Register. These notices identify the legal authority for collecting and storing the records, individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.
The Privacy Act binds only Federal agencies, and covers only records in the possession and control of Federal agencies.
Only information held within a Federal agency's systems of records is protected under the Privacy Act.
A system of records (SOR) is a group of records under the control of a Federal government agency from which personal information about an individual is retrieved by the name of the individual, or by some other identifying number, symbol, or other unique identifier.
A system of records notice (SORN) is a description of any Privacy Act system of records. SORNs generally describe the 'who, what, where, and why' of a system and describe the processes for individuals to access or contest the information being held on them in that system. SORNs are required to be published in the Federal Register for a period of public comment before the system data collection (paper-based or electronic) is started.