
Court Services and Offender Supervision Agency, Pretrial Services Agency—Privacy Act of 1974; Systems of Records Notice

B-334005 Jan 18, 2023

Decision

Matter of: Court Services and Offender Supervision Agency, Pretrial Services Agency—Privacy Act of 1974; Systems of Records Notice

File: B-334005

Date: January 18, 2023

DIGEST

On January 11, 2022, the District of Columbia Court Services and Offender Supervision Agency (CSOSA), Pretrial Services Agency (PSA) published a notice in the Federal Register entitled Privacy Act of 1974; System of Records (SORN). 87 Fed. Reg. 1402. PSA published the SORN, as required by the Privacy Act of 1974 (Privacy Act), to create a new system of records to maintain records of employees who applied for a religious accommodation exempting them from the requirement, established in Executive Order 14043, that all federal employees be vaccinated against COVID‑19.

The Congressional Review Act (CRA) requires that before a rule can take effect, an agency must submit the rule to both the House of Representatives and the Senate as well as the Comptroller General, and provides procedures for congressional review where Congress may disapprove of rules. CRA incorporates the Administrative Procedure Act’s (APA) definition of a rule for this purpose with certain exceptions. We conclude the SORN is not a rule for purposes of CRA because it does not meet the APA definition of a rule.

DECISION

On January 11, 2022, the District of Columbia Court Services and Offender Supervision Agency (CSOSA), Pretrial Services Agency (PSA) published a notice in the Federal Register entitled Privacy Act of 1974; System of Records (SORN). 87 Fed. Reg. 1402. We received a congressional request for a decision as to whether the SORN is subject to the Congressional Review Act (CRA). Letter from Congressional Requestors to Comptroller General (Feb. 3, 2022). For the reasons described below, we conclude it is not.

Our practice when rendering decisions is to contact the relevant agencies to obtain their legal views on the subject of the request. GAO, Procedures and Practices for Legal Decisions and Opinions, GAO-06-1064SP (Washington, D.C.: Sept. 2006), available at https://www.gao.gov/products/gao-06-1064sp. Accordingly, we reached out to PSA to obtain the agency’s legal views. Letter from Assistant General Counsel, GAO, to General Counsel, CSOSA (Feb. 22, 2022). We received PSA’s response on March 11, 2022. Letter from Attorney Advisor, PSA, CSOSA, to Assistant General Counsel, GAO (Mar. 11, 2022) (Response Letter).

BACKGROUND

The Privacy Act

The Privacy Act of 1974 (Privacy Act), 5 U.S.C. § 552a, is one of several statutes that regulate how federal agencies collect and maintain information from entities and individuals.[1] Specifically, the Privacy Act is “the principal law governing the handling of personal information in the federal government.” Department of Justice, Overview of the Privacy Act of 1974 (2020), at 1, available at https://www.justice.gov/d9/pages/attachments/2020/10/16/overview_2020_final.pdf (last visited Oct. 26, 2022) (DOJ Overview). The Privacy Act establishes certain agency requirements for maintaining, collecting, using, or disseminating any information about an individual. See 5 U.S.C. § 552a(a)(3), (4). Agencies often use personally identifying information for a variety of reasons, and agencies often store and use personally identifying information[2] in databases or other recordkeeping systems. The Privacy Act acknowledges this by defining and regulating such recordkeeping systems as a “system of records”.[3]

For each system of records, the Privacy Act imposes several requirements on agencies maintaining such a system. 5 U.S.C. § 552a(e); see also DOJ Overview, at 155. One of the requirements is that an agency establishing or revising a system of records publish a system of records notice in the Federal Register. 5 U.S.C. § 552a(e)(4); see also DOJ Overview, at 166‒67. Each system of records notice must include information such as the name and location of the system and the categories of individuals on whom records are maintained in the system. 5 U.S.C. § 552a(e)(4)(A)‒(B). Willfully maintaining a system of records without complying with the system of records notice requirements may result in criminal prosecution. 5 U.S.C. § 552a(i)(2).

PSA’s SORN

On September 9, 2021, the President issued Executive Order 14043, which required all federal employees in the executive branch to be vaccinated against COVID-19, subject to exceptions required by law. Exec. Order No. 14043, Requiring Coronavirus Disease 2019 Vaccination for Federal Employees, 86 Fed. Reg. 50989 (Sept. 14, 2021). One recognized exception was for religious accommodation. Safer Federal Workforce Task Force, Frequently Asked Questions, Vaccination, available at https://www.saferfederalworkforce.gov/faq/vaccinations/ (last visited Oct. 27, 2022) (Guidance). The Safer Federal Workforce Task Force’s[4] (Task Force) Guidance indicated that compliance with the Privacy Act would be a necessary consideration for agencies in developing their forms to collect information related to religious accommodation requests. Id. The Guidance also provided a template agencies could use to provide employees information on seeking a religious exemption and to collect the necessary information to consider the request. Id. PSA explained in the SORN that to satisfy the requirements of the Executive Order and the Task Force recommendations in the Guidance, it would need to establish a system of records to facilitate collection, storage, dissemination, and disposal of employee religious accommodation requests. 87 Fed. Reg. 1403. PSA then explained the Privacy Act requirements and discussed the required statutory elements. Id. at 1403‒05.

The Congressional Review Act

CRA, enacted in 1996 to strengthen congressional oversight of agency rulemaking, requires federal agencies to submit a report on each new rule to both Houses of Congress and to the Comptroller General for review before a rule can take effect. 5 U.S.C. § 801(a)(1)(A). The report must contain a copy of the rule, “a concise general statement relating to the rule,” and the rule’s proposed effective date. Id. Each House of Congress is to provide the report on the rule to the chairman and ranking member of each standing committee with jurisdiction. 5 U.S.C. § 801(a)(1)(C). CRA allows Congress to review and disapprove rules issued by federal agencies for a period of 60 days using special procedures. 5 U.S.C. § 802. If a resolution of disapproval is enacted, then the new rule has no force or effect. Id.

CRA adopts the definition of rule under the Administrative Procedure Act (APA), 5 U.S.C. § 551(4), which states that a rule is “the whole or a part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy or describing the organization, procedure, or practice requirements of an agency.” 5 U.S.C. § 804(3). CRA excludes three categories of rules from coverage: (1) rules of particular applicability; (2) rules relating to agency management or personnel; and (3) rules of agency organization, procedure, or practice that do not substantially affect the rights or obligations of non-agency parties. Id.

PSA did not submit a CRA report to Congress or the Comptroller General on the SORN. In its response to us, PSA stated the SORN was not subject to CRA because it did not announce or implement any new PSA policy. Response Letter, at 2. PSA explained that instead the SORN was necessary to comply with Privacy Act requirements for the executive branch-wide vaccination program. Id. For the reasons explained below, we find the SORN does not meet the definition of a rule. Thus, it is not subject to the CRA.

DISCUSSION

At issue here is whether the SORN is a rule under CRA. Applying the statutory framework of CRA, we first address whether the SORN meets the definition of rule under the APA. We conclude it does not. Because we conclude the SORN does not meet the definition of a rule, we need not address the CRA exceptions.

First, the SORN is an agency statement because it is an official PSA document published in the Federal Register. 87 Fed. Reg. 1402; see also B-333501, Dec. 14, 2021. Second, the SORN is a statement of future effect because it describes a system of records to be created after publication of the SORN. See 87 Fed. Reg. 1403. While the SORN meets the first two elements of the definition of a rule, we must decide whether the SORN was designed to implement, interpret, or prescribe law or policy or describe the organization, procedure, or practice requirements of an agency.

An agency action implements, interprets, or prescribes law or policy when the action issues new regulations, changes regulatory requirements or official policy, or when it alters how the agency will exercise its discretion, amongst other things. See Industrial Safety Equipment Association, Inc. v. Environmental Protection Agency, 837 F.2d 1115, 1120 (D.C. Cir. 1988). In Industrial Safety Equipment v. Environmental Protection Agency, the court held an agency action that summarized the safety features of several respirators was not a rule under the APA. See id. at 1117, 1120-1121. In that case, the Environmental Protection Agency and the Occupational Safety and Health Administration issued a report describing the safety features of each of the 13 approved types of respirators. Id. at 1116-1117. The report also provided a model program for asbestos abatement operations, recommending two of the types of respirators as providing maximum protection. Id. at 1117. The court, though, stated the report was not a rule under the APA because it “does not change any law or official policy presently in effect [and] [i]t does not narrow or alter the grounds on which the [agencies] will act to certify any of the [13] lawful respirator types.” Id. at 1120. The court went further to classify the report as merely “technical”. Id. at 1121. Significantly, the report only provided descriptions of each respirator type and left it for employers to determine which type to use. Id. at 1120-1121; see also Independent Equipment Dealers Association v. Environmental Protection Agency, 372 F.3d 420, 428 (D.C. Cir. 2004) (“By restating EPA's established interpretation of the certificate of conformity regulation, the EPA Letter tread no new ground. It left the world just as it found it, and thus cannot be fairly described as implementing, interpreting, or prescribing law or policy.”) (emphasis in original).

Our prior cases have illustrated this principle. In B-287557, we found a Record of Decision issued by the Department of the Interior (Interior) was a rule for purposes of CRA. B-287557, May 14, 2001, at 7-8. We found “[t]he [statute] delegated to Interior the authority to determine the action necessary to restore the anadromous fishery on the Trinity River[,] [and] [t]he entire purpose of the [Record of Decision] [was] to set a future course of action intended to achieve that purpose, as directed by [statute].” Id. at 8. Because the Record of Decision would be the basis for future policy decisions, we found it to be a rule under CRA. Id. In particular, the Record of Decision changed official policy outlining how Interior would seek to protect the Trinity River, thus implementing policy. Id. at 5.

Conversely, in B-330288, we concluded a memorandum from the Secretary of Commerce to the Under Secretary for Economic Affairs was not a rule for purposes of CRA. B-330288, Feb. 7, 2019, at 4. The memorandum explained the Secretary’s rationale for their decision to include a citizenship question on the census and directed that the planned questions for the census be included in a required report to Congress. Id. at 2. We concluded the memorandum was not a rule because it only explained the rationale for a previously made decision. Id. at 3. Because the memorandum did not implement law or policy, it did not meet the APA definition of rule. Id. at 4.

Here, the SORN is more akin to the memorandum in B-330288 than the Record of Decision in B-287557. The President made a policy decision in Executive Order 14043 to require federal employees to be vaccinated for COVID-19 subject to exceptions as required by law. 86 Fed. Reg. 50989. Implementing guidance from the Task Force elaborated upon the President’s policy decision by specifying that an agency may be required to provide a reasonable accommodation where an employee is not vaccinated for religious reasons.[5] In accordance with the Executive Order and Guidance, PSA issued the SORN to comply with the Privacy Act in order to permissibly collect information related to religious accommodations to the vaccination requirement. 87 Fed. Reg. 1403. This is similar to the memorandum in B-330288, which was issued to aid in the preparation of a statutorily required report to Congress. The memorandum was issued after the policy decision had been made by the Secretary; it did nothing more than explain the prior policy decision. Similarly, the SORN was issued after the policy decision had been made by the President; the SORN itself only addressed a necessary statutory step implicated by the prior policy decision. Similar to the report in Industrial Safety Equipment v. Environmental Protection Agency, neither the SORN nor the memorandum in B-330288 changed policy themselves. Unlike the Record of Decision in B-287557, which, itself, changed policy by changing how Interior would preserve the Trinity River, the memorandum and SORN left the world as they found it prior to their issuance. Therefore, they did not implement, interpret, or prescribe law or policy.

The SORN also does not “describe the organization, procedure, or practice requirements of an agency.” Rules of this nature discuss the internal operations of the agency. See B-329926, Sept. 10, 2018, at 5. For example, rules of agency procedure or practice would govern the conduct of an agency’s proceedings. Id. Our decision in B-329926 is informative. In that case, the Social Security Administration issued the Hearings, Appeals, and Litigation Law Manual (HALLEX). Id. at 1. The HALLEX outlined “procedures for carrying out policy and provide[d] guidance for processing and adjudicating” benefits claims. Id. at 2. We acknowledged that HALLEX governed agency proceedings so was considered a rule of organization, procedure, or practice requirements of an agency.[6] Id. at 1, 7. Unlike the HALLEX, the SORN does not govern agency procedures or practice. The SORN only describes the system of records the agency is establishing as required by the Privacy Act. HALLEX was an act of agency discretion in how the Social Security Administration would conduct its adjudications. The SORN is not a matter of agency discretion but a statutory requirement imposed by the Privacy Act in response to the Executive Order’s announced policy.

The SORN was issued in response to a previously made policy decision, which triggered a statutory requirement under the Privacy Act. The SORN did not change existing policy but simply left the world as it found it, and, accordingly, does not implement, interpret, or prescribe law or policy nor does it describe the organization, procedure, or practice requirements of an agency. Therefore, the SORN does not meet the APA definition of rule, and, thus, also is not a rule for purposes of CRA.

CONCLUSION

PSA published the SORN in response to a prior policy decision made by the President and the Task Force, which implicated the Privacy Act. The SORN was not designed to implement, interpret, or prescribe law or policy nor does it describe the organization, procedure, or practice requirements of an agency. As such, the SORN is not a rule for purposes of CRA.

Edda Emmanuelli Perez
General Counsel


List of Congressional Requestors

Rick Scott
United States Senator

Daniel Webster
United States Representative

Thom Tillis
United States Senator

Bill Posey
United States Representative

Mike Braun
United States Senator

Scott Perry
United States Representative

Roger Marshall
United States Senator

Jeff Duncan
United States Representative

Randy Weber
United States Representative

Marco Rubio
United States Senator

Doug Lamborn
United States Representative

James Lankford
United States Senator

Ronny L. Jackson
United States Representative

Bob Good
United States Representative

Andy Biggs
United States Representative

Doug LaMalfa
United States Representative

Brian Mast
United States Representative

Glenn Grothman
United States Representative

Gus Bilirakis
United States Representative

Eric A. “Rick” Crawford
United States Representative

Mary E. Miller
United States Representative

Lauren Boebert
United States Representative

Tom Tiffany
United States Representative

Warren Davidson
United States Representative

Robert B. Aderholt
United States Representative

Ralph Norman
United States Representative

Dr. John Joyce
United States Representative

Brian Babin, D.D.S.
United States Representative

Ben Cline
United States Representative

Jim Jordan
United States Representative

Jason Smith
United States Representative

Michael Waltz
United States Representative

Kat Cammack
United States Representative

Lisa McClain
United States Representative

Dan Bishop
United States Representative

Tom McClintock
United States Representative

Byron Donalds
United States Representative


[1] For example, the Paperwork Reduction Act requires, among other things, agencies to submit any forms that will be used to collect information from the public to the Office of Information and Regulatory Affairs for approval. 44 U.S.C. §§ 3502(3), 3503, 3507. Agencies cannot require anyone to submit forms not approved by the Office. 44 U.S.C. § 3507(a).

[2] Personally identifiable information is information that can be used to locate or identify an individual, such as names, aliases, Social Security numbers, biometric records, and other personal information that is linked or linkable to an individual. GAO, Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information, GAO-22-104551.

[3] The Privacy Act defines “system of records” as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. § 552a(5).

[4] The President created the Task Force to provide ongoing guidance to heads of agencies on the operation of the federal government, the safety of its employees, and the continuity of government functions during the COVID-19 pandemic. B-333725, Mar. 17, 2022, at 2. The Task Force consists of the heads of the Office of Personnel Management, General Services Administration, the Office of Management and Budget, Federal Protective Service, United States Secret Service, Federal Emergency Management Agency, and Centers for Disease Control and Prevention, as well as the COVID-19 Response Coordinator and the heads of other agencies the Task Force co-chairs invite to participate. Id.

[5] See Guidance. We previously determined that other guidance issued by the Task Force was not a rule because the Task Force does not meet the definition of agency under APA and thus is not subject to CRA’s submission requirements. B-333725, Mar. 17, 2022.

[6] While we found the HALLEX sections to meet the definition of rule under APA and that it was a rule of organization, procedure, or practice requirements of an agency, they fell within the exception for rules of agency procedure that do not substantially affect the rights and obligations of non-agency parties, the third CRA exception. The HALLEX sections at issue only applied to the agency and not benefit claimants. B-329926 at 7.
