Laws Governing Disclosure
Data privacy is not covered by a comprehensive law in the United States, though the idea is under much current discussion. Instead, a variety of federal and state laws form a patchwork of privacy protections for the disclosure of data in the United States. These include certain sector-specific laws, such as the Health Insurance Portability and Accountability Act (HIPAA) for personal medical data, the Family Educational Rights and Privacy Act (FERPA) for educational records, and the Gramm-Leach-Bliley Act (GLBA) for financial information. Some industry best practice standards, such as the Health Information Trust Alliance framework and the Payment Card Industry Data Security Standard, also address disclosure, but focus more on data security controls.
The Privacy Act of 1974 covers the collection and release of information contained in U.S. federal government agency systems of records. It restricts disclosure of personally identifiable records, prohibits disclosure of an individual’s record without written consent—with certain exceptions, such as the release of certain information under a Freedom of Information Act (FOIA) request—and requires recordkeeping of all disclosures and releases of data. Activities of statistical agencies and units of the government are also governed by the Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), which limits and protects the use of statistical data and is discussed further below in the context of the Census Bureau.
Signed into law in 2019, the Open, Public, Electronic and Necessary (OPEN) Government Data Act provides a mandate for all federal agencies to publish all nonsensitive information assets in “modern, open, and electronic format.” In 2009, the White House issued the Open Government Directive to improve data transparency in the federal government, which included an increase in the release of data online through the Data.gov site. The OPEN Government Act makes the Open Government Directive a requirement in statute, rather than a policy. In implementation of the act, the Office of Management and Budget (OMB) is set to issue guidance to agencies on “risks and restrictions related to the disclosure of personally identifiable information.” This includes the risk that although an individual data asset in isolation does not pose a privacy or confidentiality risk, this data “when combined with other available information may pose such a risk.”
The European Union has had a comprehensive privacy law for years, which was overhauled by the passage of the General Data Protection Regulation (GDPR) that went into effect in May 2018. The GDPR restricts disclosure of personally identifiable information under Recital 26 to data that is “anonymized.” The complicated issues of anonymization and potential re-identification are discussed further below in the section on de-identification of data, using the GDPR as an example.
Other country-specific laws, such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and Australia’s Privacy Principles (APP), govern aspects of privacy and disclosure practices in varying ways. Internationally, privacy principles that define practices to follow in handling data, such as those developed by the Organization for Economic Co-operation and Development [1] and the Asia-Pacific Economic Cross-Border Privacy Rules [2], have also been adopted by some countries.