   The Office of Management Assessment (OMA)


 Privacy Act

 The Privacy Act of 1974, as amended mandates
 that NIH have in place an administrative and physical
 security system to prevent the unauthorized release of
 personal information from records held by the agency.




The Privacy Act safeguards privacy through the implementation of the Code of Fair Information Practice Principles in operational and procedural requirements. Government agencies must provide records pertaining to an individual upon request from that individual, if the records are maintained in a Privacy Act system of records. In addition, the Privacy Act places restrictions on how agencies can share an individual's data with other people and agencies.

The Privacy Act requires agencies to:

  • Publish the details of all of their “system of records” in the Federal Register;
  • Show an individual any records kept on them, make copies, and correct any factually incorrect information;
  • Provide members of the public with a notification statement to explain the legal authorization to collect information, the purpose of the collection, the intended use of the information, to whom it may be disclosed, and what, if any, consequences there will be if the information is not provided;
  • Set limits on how agencies can share an individual's data; and
  • Follow the "fair information practices" when gathering and handling personal data.

The Privacy Act identifies key mandates for Federal agencies to protect members of the public:

  • Applies to Federal records about U.S. citizens and permanent residents;
  • Limits an agency’s ability to disclose information in a "system of records";
  • Restricts the sharing of personal information between agencies;
  • Requires agencies to retain the minimum amount of information "relevant and necessary" to accomplish purposes; and
  • Requires that agencies keep a correct account of when, and to whom, it discloses information.

The Privacy Act contains multiple provisions for handling systems of records:
  • Defines a record as any item, collection, or group of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph (Privacy Act, 5 U.S.C. Section 552a(a)(4));
  • Defines a system of records as a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Privacy Act, 5 U.S.C. Section 552a(a)(5));
  • Requires agencies to provide a Privacy Act Notice when collecting personal information in order to provide an explanation of the intended uses for obtaining information;
  • Requires the agency collecting the information to publish a System of Records Notice (SORN) in the Federal Register no less than 40 days prior to collection of the information;
  • Charges the Office of Management and Budget (OMB) with developing guidelines on how agencies should interpret and implement provisions of the Privacy Act;
  • Provides "right of action" for members of the public when an agency violates the Privacy Act;
  • Provides law enforcement exemptions; and
  • Requires Government agencies to disclose personally identifiable information (PII) so long as it is captured in the SORN’s ‘routine uses’ when creating or altering the system of records. 

 Privacy Act Exceptions

The Privacy Act provides that NIH will provide access to records within our possession unless one of the exceptions or general/specific exemptions applies. The exact language of the exemptions can be found in the Privacy Act.

Most of the NIH Privacy Act Systems of Records are non-exempt, meaning that no exemption rule is claimed for the systems of records. This means the records contained within the system are releasable to the subject of the file in their entirety. However, there are exceptions to the rule:
  • Records that contain information about a third party; and
  • Information that is not about the subject of the file, and therefore not accessible under the Privacy Act.

Records that are excepted from Privacy Act access include records compiled in reasonable anticipation of a civil action or proceeding - 5 U.S.C. Section 552a(d)(5) (Litigation Protection).

Records that are exempted from Privacy Act access include the following: 

  • (j)(1) – 5 U.S.C. Section 552a(j)(1) (CIA Systems of Records) – "records maintained by the Central Intelligence Agency"; and
  • (j)(2) – 5 U.S.C. Section 552a(j)(2) (Criminal Investigatory Records) – "records maintained by an agency or component thereof which performs as its principal function any activity pertaining to the enforcement of criminal laws". This requirement is usually met by such obvious law enforcement components as the FBI, DEA and BATF. In addition, Justice Department components such as the U.S. Parole Commission, the Federal Bureau of Prisons, and the Office of the Pardon Attorney, have been held to qualify as "principal function" criminal law enforcement entities.

Specific Exemptions 5 U.S.C. Section 552a(k):

  • (k)(1) – 5 U.S.C. Section 552a(k)(1) (Classified Records) - "subject to the provisions of section 552(b)(1) of this title"; 
  • (k)(2) – 5 U.S.C. Section 552a(k)(2) (Law Enforcement Investigative Records) - "investigatory material compiled for law enforcement purposes other than material within the scope of subsection (j)(2) of this section"; 
  • (k)(3) – 5 U.S.C. Section 552a(k)(3) (Secret Service Records) - "records maintained in connection with providing protective services to the President of the United States or other individuals pursuant to Section 3056 of Title 18"; 
  • (k)(4) – 5 U.S.C. Section 552a(k)(4) (Statistical Records) - "records required by statute to be maintained and used solely as statistical records"; 
  • (k)(5) – 5 U.S.C. Section 552a(k)(5) (Background Investigative Records) - "investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-27-75], under an implied promise that the identity of the source would be held in confidence"; 
  • (k)(6) – 5 U.S.C. Section 552a(k)(6) (Testing Records) - "testing or examination material used solely to determine individual qualifications for appointment or promotion in the federal service the disclosure of which would compromise the objectivity or fairness of the testing or examination process"; and 
  • (k)(7) – 5 U.S.C. Section 552a(k)(7) (Military Evaluation Records) - "evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence, or, prior to the effective date of this section [9-25-75], under an implied promise that the identity of the source would be held in confidence". 

 Records Request


 Contact the NIH Privacy Program

NIH Senior Official for Privacy: Karen Plá
National Institutes of Health
6011 Executive Blvd, Suite 601
Rockville, Maryland 20892-7669
Phone: 301-451-3426
Fax: 301-402-0169
Privacy Yammer Groups (Privacy Matters and Privacy Professionals)

 Fair Information Practice Principles


The Code of Fair Information Practice Principles are widely accepted in the United States and internationally as a general framework for privacy. They are reflected in various federal and international laws and policies. In a number of organizations, they serve as the basis for analyzing privacy risks and determining mitigation strategies.


  1. There must be no personal data record-keeping systems whose very existence is secret.
  2. There must be a way for a person to find out what information about the person is in a record and how it is used.
  3. There must be a way for a person to prevent information about the person that was obtained for one purpose from being used or made available for other purposes without the person's consent.
  4. There must be a way for a person to correct or amend a record of identifiable information about the person.
  5. Any organization creating, maintaining, using or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data. 


HHS 45 CFR Section 5b.13 Fees.
(a) Policy
  • Where applicable, fees for copying records will be charged in accordance with the schedule set forth in this section;
  • Fees may only be charged when an individual requests that a copy be made of the record to which he/she is granted access;
  • No fee may be charged for making a search of the system of records whether the search is manual, mechanical, or electronic;
  • Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to the individual without cost; and
  • Where a medical record is made available to a representative designated by the individual or to a physician or health professional designated by a parent or guardian under section 5b.6 of this part, no fee will be charged.

(b) Fee schedule: 
  • Copying of records susceptible to photocopying - $.10 per page;
  • Copying records not susceptible to photocopying – at actual cost to be determined on a case-by-case basis; and
  • No charge will be made if the total amount of copying does not exceed $25.00.


Records that contain information that is inaccurate, incomplete, untimely, or irrelevant may be amended. To contest such information, individuals should contact the System Manager identified in the SORN. The individual should reasonably identify the record, specify the information contested, the corrective action sought, and state the reason(s) for requesting the correction, along with supporting information to show how the record is inaccurate, incomplete, untimely, or irrelevant.
Requesters who wish to appeal the refusal of NIH to correct or amend the individual’s record must do so within 30 days of the receipt of a letter from NIH. The following information should be provided:
  • Reasons why the requested information should be corrected or amended under the Act; and
  • Why the denial may be in error.
Requesters wishing to submit an appeal should attach a copy of their original request and response letter to the NIH appeal authority, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:
NIH Senior Official for Privacy
National Institutes of Health
6011 Executive Boulevard
Suite 601, MSC 7669
Bethesda, Maryland 20892-7669
Requesters who wish to appeal an NIH decision should attach a copy of their original request and response letter to their appeal, clearly mark the letter and the outside envelope "Privacy Act Appeal" and mail the documents to the following address:
Director, News Division
Mary E. Switzer Building
330 C Street, SW
Room 2206 
Washington, DC 20201

Site Last Updated on August 13, 2013
