October 1, 1979
79-73 MEMORANDUM OPINION FOR THE GENERAL COUNSEL OFFICE OF PERSONNEL MANAGEMENT
Federal Computer Systems—Access by Contractor Employees—Authority to Screen for Security Purposes (31 U.S.C. § 18a; 5 U.S.C. §§ 301, 552a; 44 U.S.C. § 3102)—Due Process
You have asked for our views concerning the authority o f executive branch agencies to implement Transmittal M em orandum No. 1 to Office o f Management and Budget (OMB) Circular No. A-71, dated July 27, 1978. The Transmittal M em orandum , among other things, requires Fed eral agencies to establish personnel security policies for screening all in dividuals participating in the design, operation, or maintenance o f Federal com puter systems or having access to data in Federal com puter systems. You have asked us to confine our opinion to the question o f an agency’s authority to investigate and screen non-Federal employees before granting them access to unclassified inform ation in Federal com puter systems. We conclude that Federal agencies have the authority to implement the Transmittal M emorandum by screening contractor employees' in any reasonable m anner, but that such implementation must be consistent with due process o f law.
'A lthough your request referred to the authority to investigate non-Federal personnel, in cluding employees o f contractors and prospective contractors, we are unaware o f any non- Federal employees who would come within the purview o f the Transm ittal M em orandum who would not be contractor personnel. For example, the T ransm ittal M em orandum says (at p. 3) that “ [tjhese policies should be established for government and contractor personnel.”
384 Authority to Screen Non-Federal Personnel
The Transmittal M em orandum was intended to promulgate policy and define the responsibilities o f various executive branch agencies for com puter security. This function appears to be within the broad authority o f the Director o f the Office o f M anagement and Budget to “ develop im proved plans for the organization, coordination, arid management o f the executive branch o f the Government with a view to efficient and economical service.” 31 U ,S.C . § 18a (1976). The mem orandum makes it the responsibility of the head o f each execu tive agency to assure an adequate level o f security for all agency com puter data whether processed in-house or commercially. In the area o f personnel security, it requires that each agency at a minimum— [Establish personnel security policies for screening all in dividuals participating in the design operation or m aintenance of Federal com puter systems or having access to data in Federal com puter systems. The level o f screening required by these policies should vary from minimal checks to full background in vestigations commensurate with the sensitivity o f the data to be handled and the risk and m agnitude o f loss or harm that could be caused by the individual. These policies should be established for government and contractor personnel. Personnel security policies for Federal employees should be consistent with policies issued by the Civil Service Commission, [p. 3.] It should be noted that the m em orandum contemplates a range o f screen ing procedures varying from minimal checks to full background investiga tions depending upon the risk o f harm and the sensitivity o f the data. It may be that adequate security can be assured in many cases without an ac tual investigation o f contractor employees. For example, in some instances submission o f inform ation or certification by the employer may be suffi cient. In other cases it may be advisable to obtain verification o f an employee’s arrest record, or lack thereof. There will, no doubt, also be in stances where a full background investigation o f a contractor is war ranted. The memorandum directs the head o f each agency to exercise discretion in choosing a screening m ethod to fit the circumstances o f par ticular data-processing contracts. We have found three statutory sources o f agency authority to take ac tion to assure the security o f agency records. The head o f every executive or military departm ent has the authority to “ prescribe regulations for the government o f his departm ent, the conduct o f its employees, the distribu tion and performance o f its business, and the custody, use, and preserva tion o f its records, papers and property.” 5 U .S.C . § 301 (1977). Although that section specifically notes that it does not authorize the withholding o f information from the public, it does appear to authorize regulations o f the sort contem plated by OMB to assure the security o f data-processing rec ords and property.
385 The Privacy Act o f 1974 gives Federal agencies a more specific mandate. T hat Act was passed in response to a congressional finding that [t]he increasing use o f com puters and sophisticated inform ation technology, while essential to the efficient operations o f the Governm ent, has greatly magnified the harm to individual privacy that can occur from any collection, m aintenance, use, or dissemination o f personal inform ation * * *. [Pub. L. 93-579, § 2(a)(2), quoted at 5 U .S.C . § 552a note.] In order to prevent such harm to individual privacy, the Privacy Act re quires that each agency establish (1) rules o f conduct for persons involved in the design, operation, or m aintenance o f any system o f records; and (2) ap propriate administrative, technical, and physical safeguards to ensure the security and confidentiality o f records. 5 U .S.C . § 552a(e) (9) and (10). A lthough the Privacy Act applies only to systems o f records that contain in form ation about individuals,2 5 U .S.C . § 552a(a), the Act does provide that an agency, consistent with its authority, shall cause the requirements o f the Act to be applied to government contractors who operate a system of records to accomplish an agency function. M oreover, the employees o f a contractor are to be considered employees o f the agency for purposes o f criminal penalties under the Act. 5 U .S.C . § 552a(m). The head o f each Federal agency is also required by 44 U .S.C . § 3102 to provide for “ effective controls over the creation and over the maintenance and use o f records in the conduct o f current business” and in cooperation with the A dm inistrator o f General Services to “ prom ote the maintenance and security o f records deemed appropriate for preservation.” 3 To the ex tent that com puter records are involved in the current conduct o f agency business or deemed appropriate for preservation, this section would pro vide further authority for the imposition o f controls on access to com puter inform ation.
Due Process
Although we conclude that the head o f a Federal agency has authority to screen contractor employees before granting them access to Federal data-processing systems, there are legal and constitutional limits to the ex ercise o f any authority. We will discuss the application o f due process to this situation because we understand that some agencies have expressed concern about Greene v. McElroy, 360 U.S. 474 (1959). In that case the Supreme C ourt found that the authority o f the Departm ent o f Defense to screen contractor employees for work on classified projects was not specific enough to permit action that would deprive a person o f his or her ability to pursue his or her chosen profession without the safeguards o f confrontation and cross-examination.
Free access — add to your briefcase to read the full text and ask questions with AI
October 1, 1979
79-73 MEMORANDUM OPINION FOR THE GENERAL COUNSEL OFFICE OF PERSONNEL MANAGEMENT
Federal Computer Systems—Access by Contractor Employees—Authority to Screen for Security Purposes (31 U.S.C. § 18a; 5 U.S.C. §§ 301, 552a; 44 U.S.C. § 3102)—Due Process
You have asked for our views concerning the authority o f executive branch agencies to implement Transmittal M em orandum No. 1 to Office o f Management and Budget (OMB) Circular No. A-71, dated July 27, 1978. The Transmittal M em orandum , among other things, requires Fed eral agencies to establish personnel security policies for screening all in dividuals participating in the design, operation, or maintenance o f Federal com puter systems or having access to data in Federal com puter systems. You have asked us to confine our opinion to the question o f an agency’s authority to investigate and screen non-Federal employees before granting them access to unclassified inform ation in Federal com puter systems. We conclude that Federal agencies have the authority to implement the Transmittal M emorandum by screening contractor employees' in any reasonable m anner, but that such implementation must be consistent with due process o f law.
'A lthough your request referred to the authority to investigate non-Federal personnel, in cluding employees o f contractors and prospective contractors, we are unaware o f any non- Federal employees who would come within the purview o f the Transm ittal M em orandum who would not be contractor personnel. For example, the T ransm ittal M em orandum says (at p. 3) that “ [tjhese policies should be established for government and contractor personnel.”
384 Authority to Screen Non-Federal Personnel
The Transmittal M em orandum was intended to promulgate policy and define the responsibilities o f various executive branch agencies for com puter security. This function appears to be within the broad authority o f the Director o f the Office o f M anagement and Budget to “ develop im proved plans for the organization, coordination, arid management o f the executive branch o f the Government with a view to efficient and economical service.” 31 U ,S.C . § 18a (1976). The mem orandum makes it the responsibility of the head o f each execu tive agency to assure an adequate level o f security for all agency com puter data whether processed in-house or commercially. In the area o f personnel security, it requires that each agency at a minimum— [Establish personnel security policies for screening all in dividuals participating in the design operation or m aintenance of Federal com puter systems or having access to data in Federal com puter systems. The level o f screening required by these policies should vary from minimal checks to full background in vestigations commensurate with the sensitivity o f the data to be handled and the risk and m agnitude o f loss or harm that could be caused by the individual. These policies should be established for government and contractor personnel. Personnel security policies for Federal employees should be consistent with policies issued by the Civil Service Commission, [p. 3.] It should be noted that the m em orandum contemplates a range o f screen ing procedures varying from minimal checks to full background investiga tions depending upon the risk o f harm and the sensitivity o f the data. It may be that adequate security can be assured in many cases without an ac tual investigation o f contractor employees. For example, in some instances submission o f inform ation or certification by the employer may be suffi cient. In other cases it may be advisable to obtain verification o f an employee’s arrest record, or lack thereof. There will, no doubt, also be in stances where a full background investigation o f a contractor is war ranted. The memorandum directs the head o f each agency to exercise discretion in choosing a screening m ethod to fit the circumstances o f par ticular data-processing contracts. We have found three statutory sources o f agency authority to take ac tion to assure the security o f agency records. The head o f every executive or military departm ent has the authority to “ prescribe regulations for the government o f his departm ent, the conduct o f its employees, the distribu tion and performance o f its business, and the custody, use, and preserva tion o f its records, papers and property.” 5 U .S.C . § 301 (1977). Although that section specifically notes that it does not authorize the withholding o f information from the public, it does appear to authorize regulations o f the sort contem plated by OMB to assure the security o f data-processing rec ords and property.
385 The Privacy Act o f 1974 gives Federal agencies a more specific mandate. T hat Act was passed in response to a congressional finding that [t]he increasing use o f com puters and sophisticated inform ation technology, while essential to the efficient operations o f the Governm ent, has greatly magnified the harm to individual privacy that can occur from any collection, m aintenance, use, or dissemination o f personal inform ation * * *. [Pub. L. 93-579, § 2(a)(2), quoted at 5 U .S.C . § 552a note.] In order to prevent such harm to individual privacy, the Privacy Act re quires that each agency establish (1) rules o f conduct for persons involved in the design, operation, or m aintenance o f any system o f records; and (2) ap propriate administrative, technical, and physical safeguards to ensure the security and confidentiality o f records. 5 U .S.C . § 552a(e) (9) and (10). A lthough the Privacy Act applies only to systems o f records that contain in form ation about individuals,2 5 U .S.C . § 552a(a), the Act does provide that an agency, consistent with its authority, shall cause the requirements o f the Act to be applied to government contractors who operate a system of records to accomplish an agency function. M oreover, the employees o f a contractor are to be considered employees o f the agency for purposes o f criminal penalties under the Act. 5 U .S.C . § 552a(m). The head o f each Federal agency is also required by 44 U .S.C . § 3102 to provide for “ effective controls over the creation and over the maintenance and use o f records in the conduct o f current business” and in cooperation with the A dm inistrator o f General Services to “ prom ote the maintenance and security o f records deemed appropriate for preservation.” 3 To the ex tent that com puter records are involved in the current conduct o f agency business or deemed appropriate for preservation, this section would pro vide further authority for the imposition o f controls on access to com puter inform ation.
Due Process
Although we conclude that the head o f a Federal agency has authority to screen contractor employees before granting them access to Federal data-processing systems, there are legal and constitutional limits to the ex ercise o f any authority. We will discuss the application o f due process to this situation because we understand that some agencies have expressed concern about Greene v. McElroy, 360 U.S. 474 (1959). In that case the Supreme C ourt found that the authority o f the Departm ent o f Defense to screen contractor employees for work on classified projects was not specific enough to permit action that would deprive a person o f his or her ability to pursue his or her chosen profession without the safeguards o f confrontation and cross-examination.
:The Act defines “ individual” as “ a citizen o f the U nited States or an alien lawfully a d mitted for perm anent residence.” 5 U .S.C . § 552a(a)(2). ’The scope o f the term “ records” as used in this section can be found in 44 U .S.C . § 3101. That definition appears to be sufficiently broad to encom pass data-processing materials.
386 The plaintiff in Greene was an aeronautical engineer and general manager o f a corporation that had defense contracts that required it to ex clude from its premises persons not having security clearances. Although the plaintiff had been granted security clearances on previous occasions, he was eventually deprived o f his clearance on the basis o f alleged Com munist associations and sympathies. He was notified o f specific written allegations and was permitted to present evidence to refute the allegations at several hearings concerning the revocation o f his clearance. However, he was denied access to the source o f much of the inform ation against him and was not permitted to confront or cross-examine witnesses against him. As a result o f the loss o f his clearance, he resigned from his position and was effectively barred from the practice o f his profession. Proceeding very cautiously, the Supreme C ourt held that in authorizing or acquiescing in Department o f Defense procedures to restrict dissemination o f classified information, neither the President nor Congress intended to dispense with safeguards o f confrontation or cross-examination. Accordingly, it in validated the Defense Departm ent procedures as beyond the scope o f the agency’s authority. In a subsequent case, Cafeteria & Restaurant Workers Union v. McElroy, 367 U.S. 886 (1961), the Supreme C ourt distinguished and limited its holding in Greene. Cafeteria Workers involved a cook who was barred from her jo b at a naval facility upon failure to meet security re quirements. Noting that the due process issue had not been resolved in Greene, the C ourt held that the Due Process Clause will be involved if an agency’s action in excluding certain contractor employees is likely to result in the foreclosure o f other employment for them in the data-processing field. We would suggest that in any such case the agency general counsel be consulted for more particular guidance concerning the application o f due process principles.4
L eon U lm an
Deputy Assistant A ttorney General Office o f Legal Counsel
‘In this connection, see, Doe v. United States Civil Service Commission, 483 F. Supp. 539 (D .S.D . N.Y. 1980).