Infotech and the Law: Privacy act a hidden trap of those outsourcing deals
- By Devon Hewitt
- Sep 20, 2002
With more and more federal agencies relying on outsourcing, contractors are providing a wide variety of support services on behalf of the government, including travel arrangements, fingerprinting and various security checks on people and banking services to agency employees. Many contractors, however, are unaware that in taking on these contracts, they now are subject to the terms of the Privacy Act of 1974.The privacy act prohibits disclosure of any record contained in a system of records to another person or agency without consent from the individual described in the record. A record is considered any information about an individual that is maintained by an agency and that may be retrieved by reference to a number, symbol, name or photograph associated with that individual. A system of records is a group of such records that is under an agency's control.In addition to prohibiting unauthorized disclosures of records, the privacy act requires agencies to comply with various requirements regarding the manner in which the system of records is developed and maintained. For example, the agency must establish appropriate safeguards to ensure the security and confidentiality of the records it maintains. An agency must also keep accurate records regarding the date, nature and purpose of any disclosure made of a record under certain exemptions to the act.While the privacy act generally applies to federal agencies, it also applies where an agency provides, by contract, for the operation of a system of records on its behalf to accomplish an agency function. Under this definition, a contractor who makes travel arrangements for agency personnel and keeps records of these services would be subject to the act. So would a contractor who performs security checks on people applying for certain positions within an agency.Although the information contractors collect under these contracts might be commercially useful, the privacy act typically restricts these contractors from using this information for purposes other than that stated in the contracts.Most contracts that are subject to the privacy act contain a clause advising the contractor, although the lack of the clause will not exempt the contractor from the act's requirements if it is otherwise applicable. Contractors need to be aware of the act's applicability not only to ensure compliance, but also to avoid the serious penalties that may be imposed for violations.The privacy act imposes criminal penalties (misdemeanor and fine) when an agency officer or employee knowingly and willfully violates the act by disclosing a record to an entity or individual without consent of the individual described in the record. Under the provision making the act's requirements applicable to contractors, contractor employees are considered to be agency employees for the purpose of applying the act's criminal penalties.The act also allows people to bring a civil action against an agency for failing to comply with the requirements if it resulted in an adverse effect on the individual. The act does not allow individuals to bring civil actions against government contractors on this basis. However, an agency that has been held liable for noncompliance in a civil action could bring an action against a contractor for breach of contract if the violation was, in fact, committed by a contractor or one of its employees. Devon Hewitt is a partner of Government Practices at ShawPittman in McLean, Va. She can be reached at firstname.lastname@example.org.