A code of fair information practice has been established under 5 U.S.C. 552(a)* which governs the collection, maintenance, use, and dissemination of personally identifiable information (PII) about individuals maintained in systems of records by federal agencies. No agency shall release any record which contains any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains. The Privacy Act requires agencies that maintain a system of records to provide individuals access to records on file. The individual should be allowed to review the records, and a copy should be provided within 30 days upon written request from the individual to whom the information pertains or via written consent. If the individual believes the record(s) are erroneous, a request for correction should be submitted in writing to correct or remove any inaccurate documentation. The agency must respond to the request for correction in writing within a reasonable period of time, either by making the requested changes or by advising why the agency refuses to alter the record and providing the individual with information about their appeal rights.
If the individual decides to appeal by submitting the request in writing, the agency has 30 days to complete a review of any and all documents supporting the initial decision. After the review, the agency must provide the individual with a letter explaining why the agency agrees or disagrees with the request. A copy of the decision will become a permanent record in the employee file. The employee will need to follow any additional appeal rights as warranted.
What you should know…
As the Administrator, you are responsible for providing the injured worker access to their personal and medical information on file, as well as approving access for individuals with a need to know and those to whom the injured worker has given consent to review written and/or verbal correspondence. This includes records of all conference calls and telephonic meetings, with follow-up written documentation in the injured worker's file.
- Limit use of Social Security numbers
- Keep laptop in secure space or under lock and key when not in use
- Digitally sign and encrypt all emails containing PII
- Ensure PII is properly marked – For Official Use Only (FOUO)
- Use a Privacy Act Cover Sheet (DD FORM 2923) when faxing PII information
- Scan documents using secured means such as encryption
Criminal Penalties for Violating the Privacy Act
If any officer or employee of a government agency knowingly and willfully discloses PII and is found guilty of a misdemeanor, the employee and/or agency can be fined a maximum of $5,000. Also, any agency employee or official who willfully maintains a system of records without disclosing its existence and relevant details, as specified above, can be fined a maximum of $5,000. The same misdemeanor penalty (and $5,000 maximum fine) can be applied to anyone who knowingly and willfully requests an individual’s record from any agency under false pretenses.
*Privacy Act of 1974