U.S. Government FOIA/Privacy Act Practices (DCSA & FBI)

Prepared by: Safe Passage Strategies, LLC

Date: August 23, 2025

System Assessed: U.S. Government FOIA/Privacy Act Practices (DCSA & FBI)

Websites: https://www.dcsa.mil/ & FBI.gov

Reference: FOIA/Privacy Act Response Letter DCSA-B 25-11669

Background / Summary of System Access

The system under review is not a single software platform, but the federal record-keeping and disclosure framework that governs how individuals access their own investigative and adjudicative files through the Freedom of Information Act (FOIA) and the Privacy Act.

In practice, this framework is administered through multiple overlapping entities:

• Defense Counterintelligence and Security Agency (DCSA): Maintains investigative records for federal security clearances and suitability reviews.

• Federal Bureau of Investigation (FBI): Retains its own records and claims broad exemptions under criminal law enforcement authority.

• Office of Personnel Management (OPM) / National Background Investigations Bureau (NBIB): Historical custodians of clearance data, now folded into DCSA.

• Departmental Security Offices (e.g., Veterans Affairs, HHS): Request investigations and use results to adjudicate employment eligibility.

When individuals request access to their own records — as allowed by statute — the system routes those requests through FOIA and Privacy Act offices. However, rather than functioning as a unified access point, the framework is fragmented into silos of responsibility:

• Investigations vs. adjudications are separated.

• Each agency defers to another for certain records.

• Different exemptions are applied inconsistently depending on which agency responds.

For the requester, the result is not a seamless access system but a bureaucratic maze. Critical distinctions include:

• Investigative Files: Contain raw investigator notes, interview summaries, and source checks.

• Adjudicative Records: Contain determinations of clearance eligibility or suitability.

• Law Enforcement Overlays: FBI retains the right to redact or withhold information under criminal enforcement exemptions.

This framework was designed in the 1970s–1980s, long before modern data governance principles such as lifecycle management, auditability, and data subject rights. As such, it functions more like an archive of suspicion than a living system of records.

From a governance standpoint, the system is structured around protecting the institution rather than serving the data subject. Access is narrowed by exemptions, evidence trails are destroyed under retention schedules, and “issue-related material” can persist for decades without transparency or opportunity for correction.

In short: the “system of access” promised under FOIA and the Privacy Act is not truly access at all. It is a fragmented, past-centric framework that preserves government control while denying individuals meaningful oversight of the data that defines them in federal records.

In order to truly understand the frameworks the U.S. government relies upon — and that its agents continue to defend — I chose to put myself through the process directly. By submitting a request for my own records, I turned a personal inquiry into a form of investigative research, testing the system from the inside rather than critiquing it from the outside. This case study is therefore not abstract but lived: the flaws identified are not hypothetical, they were encountered firsthand. And if they are true for me, they are true for any individual who steps into the same process — with the exception, of course, of those who uphold and benefit from maintaining this outdated, illogical structure.

Annotated Flaw Log

Section 1: Fragmented Accountability

Excerpt: “Adjudication and clearance records are not maintained as part of your investigative file. To obtain any records that do not fall under the purview of DCSA, you must submit a request to the Privacy Act office of the federal agency that considered you for employment.”

Flaw Annotation: Responsibility is fragmented across multiple offices, creating a bureaucratic maze that undermines transparency. Instead of centralizing access, the system pushes requesters into endless loops.

Governance Gap: Violates modern governance principles of data stewardship and clear accountability chains (ISO 27001 A.5.1). Fragmented responsibility is a denial tactic masquerading as process.

Section 2: Records Destruction vs. Preservation

Excerpt: “We are unable to provide a copy of the investigators’ notes… any notes pertaining to your investigation were destroyed and are not available for release.”

Flaw Annotation: Core evidentiary materials were destroyed, yet “issue-related material” is retained without context. This is the equivalent of deleting raw logs while keeping flagged alerts.

Governance Gap: Contradicts the Federal Records Act principle of preserving decision-making documentation. From a cybersecurity standpoint, this is the absence of an audit trail, which undermines both accountability and forensic integrity.

Section 3: Misapplication of Privacy Exemptions

Excerpt: “We withheld information pursuant to Privacy Act exemption (k)(2) and FOIA exemptions (b)(6) and (b)(7)(C).”

Flaw Annotation: Privacy exemptions designed to protect third parties are misapplied to deny access to one’s own clearance file. This blocks the subject of the record from seeing and correcting adverse information.

Governance Gap: Violates data subject rights under GDPR-equivalent frameworks (Articles 15–16) and modern privacy standards (ISO 27701). Creates an opaque data governance model where errors cannot be corrected.

Section 4: FBI Withholdings

Excerpt: “On behalf of the FBI, we withheld information pursuant to Privacy Act exemption (j)(2) and FOIA exemption (b)(7)(E).”

Flaw Annotation:(j)(2) and (b)(7)(E) give law enforcement broad discretion to withhold records. Their invocation here shields not only sensitive methods but also any detail that might reveal institutional misconduct.

Governance Gap: These exemptions violate the principle of data minimization and timeliness (NIST CSF ID.GV-3). By refusing to differentiate between sensitive techniques and personal records, the government weaponizes data secrecy.

Section 5: Past-Centric Recordkeeping

Excerpt: “Our records indicate that on November 22, 2013, we received a request… issue-related material was maintained by our office.”

Flaw Annotation: The government preserves an unresolved “issue” from 2013 while continuing to allow employment, only to resurrect it years later.

Governance Gap: Contradicts clearance adjudicative guidelines that require assessment of the “whole person” and current conduct. Anchoring to decade-old issues is bad data governance: outdated, irrelevant, and misleading.

Section 6: Delivery Restriction

Excerpt: “Although you selected both electronic and hardcopy delivery, our policy does not permit two delivery methods.”

Flaw Annotation: FOIA law requires release “in any form or format requested if readily reproducible.” Denying dual delivery when both are feasible is bureaucratic obstruction.

Governance Gap: Fails to meet FOIA’s statutory mandate for flexible access. From a governance lens, it demonstrates process rigidity over service delivery.

Key Findings

• Stale Data Weaponization: Old “issue-related material” from 2013 is retained indefinitely and weaponized, despite being irrelevant to present integrity.

• Destroyed Evidence, Preserved Suspicion: Investigator notes (the evidentiary trail) are destroyed, while issue flags (unverified suspicion) are retained.

• Privacy Paradox: Exemptions intended to protect privacy are misused to deny individuals access to their own data.

• Past vs. Now: The government lives in archival suspicion, while humanity lives in dynamic reality. Governance rooted in the past undermines trust in the present.

• Cybersecurity Analogy: This is the equivalent of trying to secure tomorrow’s networks with floppy disks and shredded printouts — insisting it’s “for your protection.”

Conclusion

This case highlights a systemic governance failure: U.S. agencies anchor their security and accountability practices in the past, while society, technology, and humanity evolve in the Now. By hoarding stale “issue material,” destroying contextual evidence, and misapplying exemptions, agencies create a governance regime that is neither transparent nor trustworthy.

From a data governance and cybersecurity standpoint, this is indefensible:

• Audit trails are broken.

• Records are weaponized.

• Exemptions replace accountability.

The result is a government that governs the past while the living world — businesses, individuals, innovators — must operate in the present and build for the future.

Disclaimer

This case study is an independent analytical review conducted by Safe Passage Strategies, LLC. It is intended for educational and informational purposes only, to highlight data governance and cybersecurity issues within U.S. FOIA and clearance systems. This report does not constitute legal advice and should not be relied upon as a substitute for consultation with a licensed attorney.

While consultation with legal professionals is the conventional step, it must also be recognized that the judicial system — as one of government’s core pillars — often functions as a self-perpetuating industry. Its processes and officials are trained to keep individuals anchored in the past and bound to the very bureaucratic structures under critique. Legal proceedings frequently prioritize procedural gamesmanship, political interests, and economic capture over logic, fairness, or resolution. As such, even legal consultation may leave individuals and small businesses trapped in systemic loops designed more to absorb resources than to deliver justice.

This reality underscores the broader need to transcend inherited legal-bureaucratic structures in the U.S. and to design new systems of integrity, accountability, and sovereignty — systems aligned with the forward-looking demands of the Fifth Industrial Revolution (5IR).