The Privacy Act of 1974 Explained

2026-04-16 by Eleanor Stratton

You can spend your whole life hearing that you have a “right to privacy,” and still be surprised by what the federal government can record about you, keep about you, and share about you.

The Privacy Act of 1974 is one of the main federal statutes that keeps the government from treating your personal file like an office junk drawer. It does not create a broad constitutional right to privacy. It does something more specific and more practical: it sets rules for how federal agencies manage records about identifiable people, and it gives you tools to see and correct certain information the government keeps about you.

If the Freedom of Information Act is the public’s window into government, the Privacy Act is the individual’s mirror. Sometimes you use one. Sometimes you use both.


Why Congress passed it

The Privacy Act was passed in the shadow of Watergate and a growing fear that modern bureaucracy plus modern technology could become a permanent surveillance infrastructure. The federal government was collecting more data, storing it more easily, and sharing it more casually than the public understood.

Congress responded with a law aimed at a narrow but consequential problem: when the government builds a record about you, that record can quietly shape what happens to you. It can affect employment decisions, benefits, immigration outcomes, security clearances, and law enforcement attention. A wrong detail can become an official fact simply because it is written down in an official place.

What the Privacy Act governs

It applies to federal agencies

The Privacy Act generally applies to agencies and departments of the federal executive branch. That includes cabinet departments and many federal agencies that maintain databases and files about individuals.

It is not a general rulebook for states, private companies, or your employer. And it generally does not apply to Congress or the federal courts.

Who counts as an “individual”

The Act’s core access and amendment rights are for U.S. citizens and lawful permanent residents. Some agencies extend certain Privacy Act-style access to other people as a matter of policy in specific systems, but the statute’s default protections are not universal for noncitizens.

It covers “records” about an identifiable person

A record can be a paper file or a digital entry. What matters is that it contains information about an individual and that the individual can be identified. That can include obvious identifiers like name and Social Security number, and it can also include other identifying particulars depending on how the system is structured.

The key concept: a “system of records”

The Privacy Act’s strongest protections for access, amendment, and disclosure generally attach when records are kept in a system of records, meaning the agency retrieves them by a personal identifier such as a name or number.

This matters because it draws a line between personal dossiers and more general agency files. A memo that happens to mention you is not always treated the same way as a database that is built to pull you up by your identifying information. At the same time, some Privacy Act duties reach beyond retrieval mechanics, like certain collection notices and general agency obligations around handling personal information.

  • Covered in practice: personnel files, benefits records, certain investigative files, and databases keyed to personal identifiers.
  • Often not the main target: agency policy files or program documents that are not retrieved by individual identifiers, even if they occasionally refer to individuals.

What agencies can and cannot do

Collection and “why are you asking me this?”

When an agency collects information from you, the Privacy Act pushes it toward transparency about the purpose and authority for the request, and how the information will be used. In plain terms: it is supposed to be harder for the federal government to gather personal data without explaining what it is for.

Limits on disclosure

One of the Act’s central rules is that an agency generally cannot disclose a covered record about you without your consent.

But “generally” is doing real work here. The statute includes exceptions that allow sharing in common government circumstances, including certain law enforcement uses and certain routine administrative uses.

Routine use

Agencies can disclose records for a routine use that is compatible with the purpose for which the records were collected. Routine uses must be published in advance, typically in a System of Records Notice in the Federal Register.

This is how much ordinary interagency sharing happens without needing your signature each time. It is also where a lot of the real-world privacy debate lives: how broad is “compatible,” and how broad are the routine uses an agency writes for itself? Courts have not treated that question the same way in every case, which is part of why the wording matters.


Your rights under the Act

The Privacy Act is often discussed like it is only about secrecy, but its day-to-day power is more concrete. It gives individuals a way to see certain federal records about themselves and to seek corrections when those records are wrong.

1) Access to your own records

At a conceptual level, the Act lets you request access to records about you that are maintained in a covered system of records, subject to exemptions.

This is not the same thing as making the government “open” in general. It is about your ability to see what the government is saying about you in an official file.

2) Correction and amendment

If you find that a record is inaccurate, irrelevant, untimely, or incomplete, the Act provides a path to request an amendment. Think of it as a mechanism for disputing the government’s permanent memory.

Importantly, amendment is not designed to let people rewrite history or force an agency to adopt their interpretation of an event. It is meant to correct factual errors and prevent administrative decisions from being built on bad data. A simple example is a benefits file that lists the wrong date of birth or a wrong employment end date, and that mistake triggers a denial or delay.

3) An accounting of certain disclosures

In some situations, the Act requires agencies to keep an accounting of disclosures so individuals can learn where information was sent. This can matter when information moves across agencies, contractors, or other recipients and you want to know how it traveled.

There are important carve-outs. For example, disclosures within the agency and certain FOIA-related disclosures are treated differently, and exemptions can remove the accounting requirement for particular systems.

4) Notice through published systems

The Act pushes agencies to describe their systems of records publicly. That way, the public can at least see what categories of personal data are being kept and for what reasons. The theory is simple: secrecy is easier when people do not even know the file exists.

How to use it

In practice, you usually file a first-party request with the agency’s FOIA and Privacy Act office. Agencies often process requests for your own records under both FOIA and the Privacy Act, then release what the law allows. Expect identity verification, because the whole point is to keep your file from being released to the wrong person.

Exemptions

The Privacy Act is not a universal key. Congress carved out exemptions that allow agencies to withhold records or limit amendment rights in sensitive contexts.

Law enforcement and national security

Records tied to criminal investigations, intelligence, and certain security functions are often the first place exemptions show up. The logic is familiar: if a subject can see everything in an investigative file, the investigation can be compromised, sources can be exposed, and methods can be revealed. A background investigation or intelligence file is a common place where access or amendment rights may be narrowed by exemption.

Testing and evaluations

Some exemptions are designed to protect the integrity of examinations and evaluation tools, or to preserve candid internal assessments in specific contexts.

What exemptions mean in real life

Exemptions do not necessarily mean an agency can ignore the Privacy Act entirely. They often mean that particular systems or categories of records can be treated differently, especially when disclosure would undermine a legitimate government function.

The practical takeaway is this: the Privacy Act can be powerful for correcting bureaucratic errors in routine files, and less powerful when the records sit inside investigative or intelligence machinery.


Privacy Act vs FOIA

People regularly mix up FOIA and the Privacy Act because both can involve requesting records from the government. But their purposes point in different directions.

FOIA is about the public’s right to know

FOIA is designed to make government operations visible. It is the tool journalists use, researchers use, and ordinary citizens use when they want records about what the government did, decided, paid for, or withheld.

The Privacy Act is about your file

The Privacy Act is centered on protecting individuals from the consequences of inaccurate or improperly disclosed personal information. It is not primarily a transparency law. It is a fairness and accountability law for personal records.

The most important difference

  • FOIA: Any person can request agency records, and the answer turns on FOIA exemptions like national security, deliberative process, or personal privacy.
  • Privacy Act: You generally request records about yourself in certain systems, and you may have rights to correct them.

They can overlap

Sometimes a request for records about yourself could be processed under both statutes, depending on how the agency organizes its files and which law offers broader access in that context.

Conceptually, this is the neat symmetry: FOIA asks, “What is the government doing?” The Privacy Act asks, “What is the government saying about me, and is it accurate?”

Enforcement and remedies

The Privacy Act is not just a set of polite suggestions. It has consequences.

  • Civil lawsuits: In certain situations, you can sue in federal court. That can include lawsuits to compel access to records or to require an agency to consider an amendment request. For some unlawful disclosures or failures to maintain accurate records that cause an adverse effect, the Act can also allow damages when the legal standard is met.
  • Criminal penalties: The Act includes criminal penalties for certain willful misconduct by government employees, such as knowingly and willfully disclosing covered records in violation of the statute.

In real life, most disputes are resolved through the administrative process first, but the ability to go to court is the backstop that gives the rules weight.

What it does not do

To understand what the law is, it helps to be clear about what it is not.

  • It does not ban the federal government from collecting personal data. It regulates how certain data is collected, used, disclosed, and corrected.
  • It is not a constitutional privacy amendment. It is a statute passed by Congress and applied through agency practice and the courts.
  • It does not cover most private-sector databases. Your bank, your phone, your apps, and your data broker profiles are mostly outside the Privacy Act’s scope.
  • It does not guarantee access to every record that mentions you. Coverage often hinges on whether the agency keeps it in a system of records retrieved by your identifier, and whether exemptions apply.

Why it still matters

Constitutional privacy debates often live at the Supreme Court level, where rights are inferred, narrowed, expanded, and sometimes retracted. The Privacy Act lives lower to the ground, where ordinary governance actually happens.

It matters because modern government runs on files. Not just investigative files, but benefits files, employment files, travel and credentialing systems, contracting databases, and eligibility determinations. If you cannot see the record, you cannot challenge the record. And if you cannot challenge the record, the bureaucracy’s version of you becomes the only version that counts.

The Privacy Act does not solve the national privacy puzzle. But it draws a boundary line around a specific power: the power of the federal government to create and circulate personal dossiers without accountability.

Quick takeaways

  • The Privacy Act of 1974 regulates how federal executive-branch agencies handle certain personal records.
  • Its core protections focus on records about identifiable individuals kept in systems retrieved by personal identifiers, though some duties apply more broadly.
  • U.S. citizens and lawful permanent residents receive the statute’s main access and amendment rights.
  • It provides access and correction tools, but exemptions are significant, especially for law enforcement and national security systems.
  • FOIA is for public oversight of government. The Privacy Act is for individual oversight of the government’s records about you.
  • If an agency violates the Act, the statute includes administrative processes, the possibility of civil litigation in federal court, and limited criminal penalties for certain willful misconduct.