June 26, 1987
Subject: Interim Guidance for the Administration of the Privacy Act under Department of Health and Human Services, Public Health Service Awards
This memo provides interim guidance and background documents to facilitate a single, forceful response to attempts by the Department of Health & Human Services (HHS) to incorporate the Privacy Act as a condition of award in research agreements. The University should continue to challenge the applicability of the Privacy Act except in the rare circumstance when the award clearly meets the requirement set forth in Subsection 552(m) of the Privacy Act that the contract is to create or maintain a system of records on individuals to fulfill a federal agency function. In the event you have no other choice but to accept the Privacy Act clause in your contracts, you should follow the general interim guidance outlined in this memo. See Enclosure 1 for copies of the Federal Acquisition regulation (FAR), Part 24, Protection of Privacy and Freedom of Information; FAR Clause 52.224-1, Privacy Act Notification; FAR Clause 52,224-2, Privacy Act; and HHSAR Clause 352,224-70, Confidentiality of Information.
A. Negotiation Strategies
The most cogent arguments against the applicability of the Privacy Act to research agreements are outlined in University Counsel Spiekerman's August 8, 1986 letter to the DHHS General Counsel (Enclosure 2). Among other arguments, the letter states: "The mere fact that incidentally the University creates or maintains a system of records to satisfy reporting requirements or to gather background data for a study or report to be made to a federal agency is insufficient to trigger applicability of the Privacy Act." The letter goes on to further argue that if the federal objective of applying the Privacy Act is to protect an individual's privacy, the Confidentiality of Information clause (HHSAR 352.224-70) combined with Human Subjects regulations should provide adequate protection.
1. Challenge the Basis or Authority for Inclusion of the Privacy Act
In challenging the applicability of the Privacy Act, you should request the HHS to (1) cite what statute or regulation authorizes HHS to create the system of records, and (2) describe what HHS agency function is being performed. It is also recommended that the scope of the system of records to be designed, developed or to be operated by the University to accomplish an agency function be clearly defined and set forth in the agreement, thereby avoiding any gray area about whether other records generated or used by the project are subject to the Privacy Act requirement.
2. Question the Criteria Used by HHS for Deciding that the Act Applies
DHHS Associate General Counsel's August 25, 1986 response (see Enclosure 3) to University Counsel Spiekerman's letter provides additional criteria upon which to challenge the applicability of the Privacy Act. The HHS response states that National Institutes of Health (NIH) staff have been directed to determine if the Privacy Act applies by examining whether the contract work is "closely related to, or is a direct extension of, research done in-house by NIH scientists and whether NIH scientists would be involved in guiding or participating in the contractual work to a degree substantially exceeding the involvement normally associated with a project officer on a contract." HHS should be requested to verify these criteria and University project personnel should also be contacted for corroboration.
B. Fallback Position
If your negotiations with NIH are unsuccessful and you have no choice but to accept the Privacy Act clause in an HHS contract, it is recommended that the following special provision be incorporated in the contract:
Notwithstanding any other provision of the contract, the University of California shall not be required to disclose to (name of federal agency sponsor, e.g. National Institutes of Allergy and Infectious Diseases), in an individually identifiable manner, any record or data on human subjects participating in this contract.
This clause is based upon the assumption that the assurance provided in the final paragraph of HHS Associate General Counsel Grinstead's August 25, 1986 response that "the contract does not require the University to furnish individually identifiable data to NIH" would be applicable to all agreements requiring the Privacy Act.
C. Summary of Privacy Act Provisions
The implications of accepting the Privacy Act are summarized as follows:
1. Litigation Exposure
The University and individual investigators would be subject to suit in the event that the Privacy Act is violated and individual names or records in an individually identifiable manner are released without adherence to the Privacy Act requirements.
Individual employees would be subject to criminal penalties for failure to comply with the Act and are considered employees of the government for purposes of the Act. Enclosure 4 is a copy of the. Privacy Act,
P.L. 93-579. Section 552(e) generally outlines responsibilities for maintaining a system of records; Section 552(g) outlines civil remedies which may be taken against the agency; and Section 552(h) (i)(1) outlines criminal penalties, which states: "Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000."
University Policy and Order of Precedence
University policy and guidelines for release of individually identifiable and personal information provided in Business and Finance Bulletin RMP-8, "Legal Requirements on Privacy of and Access to Information," Section VII, which is patterned after the California Information Practices Act, is generally satisfactory for assuring compliance with the Federal Privacy Act. As such, if employees follow this section of RMP-8, it is unlikely that they would violate the Federal Privacy Act. If, however, the federal Privacy Act is more restrictive as to disclosure of personal information to third parties, that Act would prevail over State Law. If you have questions regarding this interpretive matter, you should contact the local Coordinator of Information Practices and General Counsel's office. Enclosure 5 is a copy of RMP-8.
4. Physical Separation of Records
Since acceptance of the Privacy Act could be a basis for a federal claim for access to all the records used by the project, not just to the system of records delivered to the government by the project, thereby possibly clouding the issue of title to records, it is recommended that, to the extent possible, the University keep records not considered part of the "system of records" deliverable to the government physically separate from those designated as deliverable to the government under the contract.
5. Confidentiality of Records
Records and reports delivered to the government should not provide the individual's name or other individually identifiable data, such as fingerprint, voiceprint, or address. In the unusual event that there is some future need to provide an individual's name to the government, the informed consent of the human subject must be obtained prior to release. If the above recommended special provision under paragraph B is incorporated in the contract, then the contract requirements would not be the basis for a future request by the government for individual names. However, if, independent of the contract requirements, the Principal Investigator determines that individually identifiable data is to be disclosed to the government, RMP-8 guidelines require advance notification to and prior consent of the individual. Further, in the absence of consent, disclosure. of certain information, such as AIDS-related information, cannot be disclosed to federal agencies. See Enclosure 6 for a copy of California Health and Safety Code, Chapter 1-12, Acquired Immune Deficiency Syndrome Research Confidentiality Act.
Any requirement to submit personally identifying data to the HHS may have a chilling effect upon the human subjects' willingness to participate in the research. This aspect should be examined in the process of determining the acceptability of the terms of a research agreement and when negotiating with HHS. Moreover, it is in NIH's interest to avoid the University's submission of personally identifying information to NIH personnel because such submission by the University also increases HHS's exposure to litigation for inadvertent disclosure.
It is our understanding that NIH program personnel are not pushing the applicability of the Privacy Act. Indeed, most of them prefer the previous HHS General Counsel Taft's position which was consistent with that of the University, and indicate the current HHS position is because HHS is tired of fighting the Office of Management and Budget (OMB) on the subject. Enclosure 2 includes a copy of the previous HHS General Counsel Taft's May 14, 1976 letter and Enclosure 7 is a copy of OMB's 1979 opinion which is the basis for the current HHS position. If we can get OMB to change their opinion on the subject, we should have little trouble getting HHS to back off on their requirements for applicability of the Privacy Act.
Our next step will be to prepare a brief of the arguments against applicability of the Privacy Act to research records created under a government contract and submit the brief to OMB. This proposed action is based upon the strong interest on the part of HHS personnel to continue to withstand OMB pressure; upon the University's continued strong interest in maintaining sole possession of and jurisdiction over access to University records; and upon our desire to eliminate, as much as possible, the exposure of University employees to criminal penalties and additional burdens inherent in accepting the Privacy Act clause. We would appreciate your continued assistance by informing this office of requests that you or your Principal Investigators receive for personally identifying information about research subjects or of your campus' responses to any requests for proposals indicating HHS's intent to require applicability of the Privacy Act or requirements for submission of personally identifying information about research subjects as a condition or award.
Refer: Barbara Yoder
Subject Index: 17
David F. Mears
University Contracts and Grants
Enclosures - Distributed only to Contract
and Grant Officers
Philip E. Spiekerman, w/Enclosures
Afton Crooks, w/Enclosures
Index to Enclosures
Enclosure 1, Federal Acquisition Regulation (FAR) Part 24, Protection of Privacy and Freedom of Information, - FAR Clause 52.224-1, Privacy Notification; FAR Clause 52.224-2, Privacy Act; HHSAR Clause 352.224-70 Confidentiality of Information; and HHSAR Clause 352.227-1, Rights in Data. encl01.pdf
Enclosure 2, August 8, 1986 letter from University Counsel Spiekerman to HHS General Counsel, including related background correspondence dated May 14, 1976 from HHS General Counsel Taft, IV, on Application of Privacy Act to HEW Contracts. encl02.pdf
Enclosure 3, August 25, 1986 letter from HHS Associate General Counsel Grinstead University Counsel Spiekerman. encl03.pdf
Enclosure 4, Public Law 93-579, Privacy Act of 1974. encl04.pdf
Enclosure 5, Business and Finance Bulletin RMP-8, "Legal Requirements on Privacy and Access to Information." encl05.pdf
Enclosure 6, California Health and Safety Code, Chapter 1-12, Acquired Immune Deficiency Syndrome Research Confidentiality Act. encl06.pdf
Enclosure 7, November 30, 1979 Office of Management and Budget memorandum to HEW on Application of subsection (m) of the Privacy Act. encl07.pdf