The Office of Personnel Management (OPM) has proposed amendments to its Privacy Procedures for Personnel Records found at 5 C.F.R. Part 297. NTEU submitted comments to OPM’s proposal, specifically objecting to two significant changes.
As background, the Privacy Act and its implementing regulations provide important privacy protections for individuals. Under the law, individuals generally can ask the government for records that pertain to them, and the government generally can retain only those records about an individual to the extent necessary to accomplish an agency’s purpose.
Under existing regulations, there are eight systems of records for which OPM can claim various exemptions from the Privacy Act. OPM proposes to add three additional systems of records to the exemption list. OPM provides no explanation, however, of the kinds of documents in these three types of files or why various exemptions should apply to the documents. Allowing individuals access to government records relating to themselves is one of the fundamental purposes of the Privacy Act. NTEU thus objects to OPM exempting entirely new categories of documents from disclosure without a sufficient explanation of why the exemptions are warranted.
OPM also proposes that it be allowed to retain records about individuals even if their accuracy “may be unclear” or if the information in the records “may not be strictly relevant.” According to OPM, inaccurate and/or irrelevant records “may aid” the agency in establishing patterns of wrongdoing by the individual.
NTEU objects to this sweeping change for multiple reasons:
- First and foremost, the Privacy Act provides that agencies should only maintain information about individuals “as is relevant and necessary to accomplish a purpose of the agency[.]” 5 U.S.C. § 552a (e) (1). OPM’s proposed change seems at odds with this statutory mandate. It would allow the agency to keep admittedly irrelevant and inaccurate information in its files for an unspecified length of time.
- Second, NTEU objects because OPM provides not even the barest explanation for why this substantial change is necessary.
- Third, NTEU objects because OPM provides no description of how, as a practical matter, this major change would work. For example, OPM states that the agency will decide whether to retain possibly irrelevant or inaccurate information on a “case-by- case” basis but does not specify who will be making that case-by-case determination or what criteria the decision-maker will use. OPM also does not define what constitutes a “pattern” of possible misconduct.
- Finally, as a general matter, NTEU is concerned with OPM expanding the types of sensitive information it proposes to retain because it cannot guarantee that it can keep such information secure. As you likely know, NTEU has filed a lawsuit on behalf of its members alleging that the OPM data breaches announced in 2015 violated our members’ constitutional right to informational privacy. Given that these security concerns have not yet been adequately addressed, OPM should not be retaining even more personal and voluminous information about individuals when it has demonstrated that it cannot keep such information secure.
I would very much like to know what you think of OPM’s proposal.