“A bill to amend title 5, United States Code, to address records maintained on individuals, and for other purposes.”
No CRS summary available for this bill.
This section revises definitions in the Privacy Act of 1974 (5 U.S.C. § 552a), which regulates federal agencies' collection, use, maintenance, and disclosure of personal records, as follows: (1) expands the term "individual" to a natural person who is a U.S. person (as defined in 50 U.S.C. § 1801) or in the United States (from a U.S. citizen or alien lawfully admitted for permanent residence); (2) redefines "record" as any personally identifiable information processed by an agency (from any item, collection, or grouping of information about an individual that contains the individual's name or other identifying particular, such as a fingerprint or photograph) and "system of records" as a group of any records maintained by or for, or under the control of, any agency (from a group of records retrieved by the individual's name or other identifying particular); (3) adds definitions of "personally identifiable information" as any information that identifies or is linked or reasonably linkable, alone or in combination with other data, to an individual or a device that identifies or is linkable to an individual; and "process," with respect to such information, as performing an operation or set of operations on it (including storing, analyzing, organizing, structuring, using, modifying, or otherwise handling it, whether automated or not); (4) modifies the "matching program" definition to include any computerized comparison involving data from one or more systems of records (from two or more automated systems of records or a system of records with non-Federal records); (5) revises agency contractor provisions to cover any contract or other agreement, including with another agency, for operating a system of records on the agency's behalf; and (6) makes technical and conforming amendments, including updating the cross-reference for "agency," certain exclusions from matching programs, and the name "National Archives and Records Administration."
This section amends the Privacy Act of 1974 (5 U.S.C. 552a) to strengthen protections for personal records maintained by federal agencies. **(a) Collections, uses, and disclosures.** It revises the definition of "routine use" to require that any disclosure also be appropriate and reasonably necessary for efficient and effective government conduct; limits disclosures under the Freedom of Information Act to those consistent with and related to an identified purpose of use; requires agencies to publish the legal authority (i.e., citation to law, executive order, or other authority) for each purpose of record use; and mandates that agencies (1) use records only for legally authorized purposes and (2) minimize information disclosed to the minimum necessary. **(b) Matching programs.** It expands the exclusion from the definition of "matching program" for research or statistical matches by clarifying that results may not be used for decisions on individual rights, benefits, or privileges or for adverse actions against federal personnel; strikes an existing exclusion clause; and makes conforming redesignations. **(c) Civil remedies.** It expands the scope of agency noncompliance actionable in district court to include any violation with or reasonably leading to an adverse effect on any person, including states, territories, political subdivisions, or Indian Tribes; and for suits alleging intentional or willful agency action, authorizes preliminary/equitable/declaratory relief plus liability for actual damages (minimum $1,000 per individual or person), costs and attorney fees, and punitive damages. **(d) Criminal penalties.** It establishes a new felony punishable by fine up to $250,000, imprisonment up to 10 years, or both for knowingly disclosing records for commercial advantage, personal gain, or malicious harm; and upgrades unauthorized disclosure by agency personnel to a felony punishable by fine up to $100,000 (from misdemeanor fined up to $5,000).
This section establishes effective dates for amendments made by sections 2 and 3 (amending the Privacy Act of 1974, 5 U.S.C. §552a). Such amendments generally take effect two years after enactment, except that they apply on the date of enactment to Privacy Act-governed actions (e.g., use, disclosure, maintenance, or control of records or systems of records; matching programs) by or involving: (1) the U.S. DOGE Service or U.S. DOGE Service Temporary Organization (or successors); (2) special government employees, temporary or intermittent experts/consultants procured under 5 U.S.C. §3109, or individuals in temporary transitional Schedule C positions; (3) agencies headed by or controlled by the head of an entity in (1) or (2); (4) the DOGE Team (as described in Executive Order 14158); (5) agencies within or subject to review by entities in (1), (3), or (4); or (6) officers, employees, experts, consultants, contractors, volunteers, or other individuals of, within, or providing services to entities in (1), (3)–(5). The immediate applicability under these exceptions extends to such persons' actions even outside their described capacity and to matching programs where such entities or persons serve as source or recipient agencies or control relevant systems of records.
This section establishes a rule of construction defining the Privacy Act as 5 U.S.C. §552a as in effect prior to enactment and providing that nothing in this Act or its amendments may be construed to affect the interpretation, regulations, application, scope, legality, remedies, or damages under the Privacy Act.