                                                                         October 1, 1979



79-73       MEMORANDUM OPINION FOR THE
            GENERAL COUNSEL OFFICE OF PERSONNEL
            MANAGEMENT

            Federal Computer Systems—Access by Contractor
            Employees—Authority to Screen for Security
            Purposes (31 U.S.C. § 18a; 5 U.S.C. §§ 301, 552a;
            44 U.S.C. § 3102)—Due Process


   You have asked for our views concerning the authority o f executive
branch agencies to implement Transmittal M em orandum No. 1 to Office
o f Management and Budget (OMB) Circular No. A-71, dated July 27,
 1978. The Transmittal M em orandum , among other things, requires Fed­
eral agencies to establish personnel security policies for screening all in­
dividuals participating in the design, operation, or maintenance o f Federal
com puter systems or having access to data in Federal com puter systems.
You have asked us to confine our opinion to the question o f an agency’s
authority to investigate and screen non-Federal employees before granting
them access to unclassified inform ation in Federal com puter systems.
   We conclude that Federal agencies have the authority to implement the
Transmittal M emorandum by screening contractor employees' in any
reasonable m anner, but that such implementation must be consistent with
due process o f law.




   'A lthough your request referred to the authority to investigate non-Federal personnel, in­
cluding employees o f contractors and prospective contractors, we are unaware o f any non-
Federal employees who would come within the purview o f the Transm ittal M em orandum
who would not be contractor personnel. For example, the T ransm ittal M em orandum says (at
p. 3) that “ [tjhese policies should be established for government and contractor personnel.”

                                            384
                Authority to Screen Non-Federal Personnel

   The Transmittal M em orandum was intended to promulgate policy and
define the responsibilities o f various executive branch agencies for com ­
puter security. This function appears to be within the broad authority o f
the Director o f the Office o f M anagement and Budget to “ develop im­
proved plans for the organization, coordination, arid management o f the
executive branch o f the Government with a view to efficient and
economical service.” 31 U ,S.C . § 18a (1976).
   The mem orandum makes it the responsibility of the head o f each execu­
tive agency to assure an adequate level o f security for all agency com puter
data whether processed in-house or commercially. In the area o f personnel
security, it requires that each agency at a minimum—
     [Establish personnel security policies for screening all in­
     dividuals participating in the design operation or m aintenance of
     Federal com puter systems or having access to data in Federal
     com puter systems. The level o f screening required by these
     policies should vary from minimal checks to full background in­
     vestigations commensurate with the sensitivity o f the data to be
     handled and the risk and m agnitude o f loss or harm that could be
     caused by the individual. These policies should be established for
     government and contractor personnel. Personnel security
     policies for Federal employees should be consistent with policies
     issued by the Civil Service Commission, [p. 3.]
It should be noted that the m em orandum contemplates a range o f screen­
ing procedures varying from minimal checks to full background investiga­
tions depending upon the risk o f harm and the sensitivity o f the data. It
may be that adequate security can be assured in many cases without an ac­
tual investigation o f contractor employees. For example, in some instances
submission o f inform ation or certification by the employer may be suffi­
cient. In other cases it may be advisable to obtain verification o f an
employee’s arrest record, or lack thereof. There will, no doubt, also be in­
stances where a full background investigation o f a contractor is war­
ranted. The memorandum directs the head o f each agency to exercise
discretion in choosing a screening m ethod to fit the circumstances o f par­
ticular data-processing contracts.
   We have found three statutory sources o f agency authority to take ac­
tion to assure the security o f agency records. The head o f every executive
or military departm ent has the authority to “ prescribe regulations for the
government o f his departm ent, the conduct o f its employees, the distribu­
tion and performance o f its business, and the custody, use, and preserva­
tion o f its records, papers and property.” 5 U .S.C . § 301 (1977). Although
that section specifically notes that it does not authorize the withholding o f
information from the public, it does appear to authorize regulations o f the
sort contem plated by OMB to assure the security o f data-processing rec­
ords and property.

                                     385
   The Privacy Act o f 1974 gives Federal agencies a more specific mandate.
T hat Act was passed in response to a congressional finding that
     [t]he increasing use o f com puters and sophisticated inform ation
     technology, while essential to the efficient operations o f the
     Governm ent, has greatly magnified the harm to individual
     privacy that can occur from any collection, m aintenance, use, or
     dissemination o f personal inform ation * * *. [Pub. L. 93-579,
     § 2(a)(2), quoted at 5 U .S.C . § 552a note.]
In order to prevent such harm to individual privacy, the Privacy Act re­
quires that each agency establish (1) rules o f conduct for persons involved in
the design, operation, or m aintenance o f any system o f records; and (2) ap­
propriate administrative, technical, and physical safeguards to ensure the
security and confidentiality o f records. 5 U .S.C . § 552a(e) (9) and (10).
A lthough the Privacy Act applies only to systems o f records that contain in­
form ation about individuals,2 5 U .S.C . § 552a(a), the Act does provide that
an agency, consistent with its authority, shall cause the requirements o f the
Act to be applied to government contractors who operate a system of
records to accomplish an agency function. M oreover, the employees o f a
contractor are to be considered employees o f the agency for purposes o f
criminal penalties under the Act. 5 U .S.C . § 552a(m).
   The head o f each Federal agency is also required by 44 U .S.C . § 3102 to
provide for “ effective controls over the creation and over the maintenance
and use o f records in the conduct o f current business” and in cooperation
with the A dm inistrator o f General Services to “ prom ote the maintenance
and security o f records deemed appropriate for preservation.” 3 To the ex­
tent that com puter records are involved in the current conduct o f agency
business or deemed appropriate for preservation, this section would pro­
vide further authority for the imposition o f controls on access to com puter
inform ation.

                                        Due Process

   Although we conclude that the head o f a Federal agency has authority
to screen contractor employees before granting them access to Federal
data-processing systems, there are legal and constitutional limits to the ex­
ercise o f any authority. We will discuss the application o f due process to
this situation because we understand that some agencies have expressed
concern about Greene v. McElroy, 360 U.S. 474 (1959). In that case the
Supreme C ourt found that the authority o f the Departm ent o f Defense to
screen contractor employees for work on classified projects was not
specific enough to permit action that would deprive a person o f his or her
ability to pursue his or her chosen profession without the safeguards o f
confrontation and cross-examination.


  :The Act defines “ individual” as “ a citizen o f the U nited States or an alien lawfully a d ­
mitted for perm anent residence.” 5 U .S.C . § 552a(a)(2).
  ’The scope o f the term “ records” as used in this section can be found in 44 U .S.C . § 3101.
That definition appears to be sufficiently broad to encom pass data-processing materials.

                                              386
   The plaintiff in Greene was an aeronautical engineer and general
manager o f a corporation that had defense contracts that required it to ex­
clude from its premises persons not having security clearances. Although
the plaintiff had been granted security clearances on previous occasions,
he was eventually deprived o f his clearance on the basis o f alleged Com ­
munist associations and sympathies. He was notified o f specific written
allegations and was permitted to present evidence to refute the allegations
at several hearings concerning the revocation o f his clearance. However,
he was denied access to the source o f much of the inform ation against him
and was not permitted to confront or cross-examine witnesses against him.
As a result o f the loss o f his clearance, he resigned from his position and
was effectively barred from the practice o f his profession. Proceeding very
cautiously, the Supreme C ourt held that in authorizing or acquiescing in
Department o f Defense procedures to restrict dissemination o f classified
information, neither the President nor Congress intended to dispense with
safeguards o f confrontation or cross-examination. Accordingly, it in­
validated the Defense Departm ent procedures as beyond the scope o f the
agency’s authority.
   In a subsequent case, Cafeteria & Restaurant Workers Union v.
McElroy, 367 U.S. 886 (1961), the Supreme C ourt distinguished and
limited its holding in Greene. Cafeteria Workers involved a cook who was
barred from her jo b at a naval facility upon failure to meet security re­
quirements. Noting that the due process issue had not been resolved in
Greene, the C ourt held that the Due Process Clause will be involved if an
agency’s action in excluding certain contractor employees is likely to result
in the foreclosure o f other employment for them in the data-processing
field. We would suggest that in any such case the agency general counsel
be consulted for more particular guidance concerning the application o f
due process principles.4

                                              L eon U   lm an

                                 Deputy Assistant A ttorney General
                                                      Office o f Legal Counsel




  ‘In this connection, see, Doe v. United States Civil Service Commission, 483 F. Supp. 539
(D .S.D . N.Y. 1980).

                                           387
