What Are Permitted Disclosures?
The Privacy Act of 1974 generally requires written consent for disclosing PII from a system of records, but there are exceptions. These include sharing with agency employees who need the information for their duties, disclosures required under the Freedom of Information Act (FOIA), and routine uses defined in the system of records notice. For example, sharing with law enforcement for specific activities or with courts via a court order is permitted.
What Is Not a Permitted Disclosure?
Any disclosure not covered by the twelve exceptions and without the individual’s consent is not permitted. A common example is disclosing PII to a friend or family member without consent, as this doesn’t fit any exception. Another example is sharing for commercial purposes, like advertising, without it being a routine use.
Unexpected Detail: Possible 2024 Amendment
While the standard exceptions are twelve, there may be a thirteenth added in 2024 for disclosures to the Secretary of State for refugee status, but this isn’t fully confirmed in current online resources, adding complexity to the topic.
Survey Note: Detailed Analysis of Permitted and Non-Permitted Disclosures of PII
This section provides a comprehensive examination of the regulations surrounding the disclosure of Personally Identifiable Information (PII) contained in a system of records, focusing on the Privacy Act of 1974 and its implications. The analysis aims to clarify what constitutes a permitted disclosure and identify scenarios that are not permitted, addressing the complexity of the user’s query given the lack of specific options.
Legal Framework and Definitions
The Privacy Act of 1974 (5 U.S.C. 552a) establishes a code of fair information practices for federal agencies, governing the collection, maintenance, use, and dissemination of PII. A “system of records” is defined as a group of records under the control of an agency from which information is retrieved by the name of the individual or by some identifier, such as a Social Security number. The Act prohibits disclosure of records from such systems to third parties without the individual’s written consent, unless one of the statutory exceptions applies.
The term “disclosure” is defined as the release of a record or part thereof to any person or another agency, excluding transfers within the same agency component where sharing is anticipated in official duties. This distinction is crucial, as internal agency sharing is not considered a disclosure under the Act, focusing the analysis on external disclosures.
Permitted Disclosures: The Twelve Exceptions
The Privacy Act outlines twelve exceptions under section (b) where disclosure is permitted without individual consent. These exceptions, as detailed in the statute and supported by legal resources like the Department of Justice’s Overview (Office of Privacy and Civil Liberties | Overview of The Privacy Act of 1974 (2020 Edition)), include:
| Exception Number | Description |
|---|---|
| (b)(1) | To agency officers and employees with a need for the record in their duties. |
| (b)(2) | Required under the Freedom of Information Act (FOIA). |
| (b)(3) | For a routine use as defined in subsection (a)(7) and described under (e)(4)(D). |
| (b)(4) | To the Bureau of the Census for census or survey purposes under title 13. |
| (b)(5) | To a recipient with written assurance for statistical research, in non-identifiable form. |
| (b)(6) | To the National Archives and Records Administration for historical preservation. |
| (b)(7) | To state, tribal, or local government units as the primary source, under specific conditions. |
| (b)(8) | To a person for compelling health or safety circumstances, with notification. |
| (b)(9) | To Congress or its committees within their jurisdiction. |
| (b)(10) | To the Comptroller General or authorized representatives for duty performance. |
| (b)(11) | Pursuant to a court order of competent jurisdiction. |
| (b)(12) | To a consumer reporting agency under the Federal Debt Collection Procedures Act. |
These exceptions cover a range of scenarios, from administrative needs to legal obligations, ensuring agencies can share information when necessary while protecting individual privacy.
Possible Thirteenth Exception and 2024 Amendment
Research suggests there may be a thirteenth exception added in 2024, as indicated by some sources mentioning Pub. L. 118–104, which allegedly added a new paragraph (11) and redesignated former paragraphs (11) and (12) as (12) and (13), respectively. However, current online versions of the US Code, such as on Cornell Law School (5 U.S. Code § 552a – Records maintained on individuals | U.S. Code | US Law | LII / Legal Information Institute), still list only twelve exceptions, suggesting the amendment may not yet be reflected or is misreported. The potential new exception is speculated to be for disclosures to the Secretary of State for refugee status determination, but this requires further confirmation, adding complexity to the analysis.
Analysis of Non-Permitted Disclosures
Given the absence of specific options in the query, identifying which disclosure is not permitted requires understanding what falls outside the exceptions. Any disclosure to a third party that does not meet one of the (b)(1)-(12) conditions or lacks written consent is not permitted. Examples include:
- Disclosure for Personal Gain or Vendetta: Sharing PII with friends, family, or unauthorized individuals without justification, such as for personal benefit, does not fit any exception and is not permitted. For instance, an agency employee disclosing PII to a friend without consent is a clear violation, as highlighted in legal discussions (Office of Privacy and Civil Liberties | Overview of the Privacy Act: 2020 Edition).
- Disclosure for Commercial Purposes: Using PII for advertising or marketing without it being a routine use under (b)(3) is likely not permitted, as such uses are typically not included in system of records notices.
- Disclosure to Foreign Governments: There is no direct exception for sharing with foreign governments, so unless covered by a routine use or international agreement, this would not be permitted. Legal cases, such as those mentioned in the Department of Justice’s resources, reinforce that public filings with courts during litigation must comply with exceptions like (b)(11) for court orders, and unauthorized filings would not be permitted (Office of Privacy and Civil Liberties | Overview of the Privacy Act: 2020 Edition – Disclosures to Third Parties).
Contextual Considerations and Complexity
The complexity arises from the need for specific options to pinpoint the non-permitted disclosure, as the Privacy Act’s exceptions are nuanced and context-dependent. For instance, routine uses under (b)(3) vary by system of records, requiring agencies to publish notices in the Federal Register, which adds a layer to determining permissibility. Additionally, amendments like the Computer Matching and Privacy Protection Act of 1988 (Privacy Act of 1974 – Wikipedia) have expanded protections, but the core disclosure rules remain centered on the twelve exceptions.
The lack of options in the query suggests it may be part of a multiple-choice test, where common misconceptions, such as assuming public availability negates Privacy Act restrictions, could be tested. For example, disclosing PII because it is already public does not automatically make it permitted under the Act, as the original disclosure must still comply with legal standards.
Unexpected Detail: Evolution of Exceptions
An unexpected detail is that the number of exceptions has evolved, with recent amendments potentially adding a thirteenth exception for disclosures to the Secretary of State for refugee status, as noted in updates to 5 U.S.C. 552a(b)(13). This reflects ongoing legislative adjustments to balance privacy with operational needs, which may not be immediately apparent to users unfamiliar with recent changes.
Conclusion
In summary, permitted disclosures of PII from a system of records are those aligning with the twelve exceptions under 5 U.S.C. 552a(b) or with individual consent, while non-permitted disclosures include any unauthorized sharing, such as for personal, commercial, or foreign purposes without legal basis. Without specific options, the analysis leans toward identifying unauthorized disclosures, like to friends or family without consent, as not permitted, emphasizing the Privacy Act’s protective framework.
