United States, Department of Veterans Affairs, Medical Center, Charleston, South Carolina (Agency) and National Association of Government Employees, Local R5-136 (Union)
[ v58 p706 ]
58 FLRA No. 170
VETERANS AFFAIRS, MEDICAL CENTER
CHARLESTON, SOUTH CAROLINA
OF GOVERNMENT EMPLOYEES,
July 17, 2003
Before the Authority: Dale Cabaniss, Chairman, and
Carol Waller Pope and Tony Armendariz, Members [n1]
I. Statement of the Case
These matters are before the Authority on exceptions to the awards of Arbitrators David A. Singer, Jr. and Sheldon H. Adler filed by the Agency under § 7122 of the Federal Service Labor-Management Relations Statute (the Statute) and part 2425 of the Authority's Regulations. The Union filed an opposition to both of the Agency's exceptions. [n2]
The Arbitrators in both cases found that the Agency violated the Privacy Act, 5 U.S.C. § 552a (hereinafter the Privacy Act) by requesting information from the grievants' medical providers without first seeking to obtain the information directly from the grievants. As a remedy, the Arbitrator in case AR-3628 ordered that the grievant be made whole for all losses incurred; the Arbitrator in case AR-3639 ordered the Agency to pay the grievant $1,000 for each of the three violations of the Act that he found.
For the following reasons, we set aside the awards as contrary to law.
II. Background and Arbitrators' Awards
The grievant was injured at work and received worker's compensation, which allowed her to work four hours per day while receiving pay for eight hours per day. This arrangement continued for several years until the Agency identified a position in which the grievant could work eight hours per day. Shortly thereafter, the grievant suffered another injury at work and filed another worker's compensation claim. While the claim, which ultimately was denied, was pending, the grievant discovered that the Agency's worker's compensation specialist had contacted her medical providers and obtained information about her medical condition without her knowledge.
The grievant filed a grievance alleging that the Agency violated the Privacy Act by obtaining medical information directly from her medical providers without first requesting the information from her. [n3] When the grievance was unresolved, the parties submitted the matter to arbitration, and the Arbitrator set forth the following issues:
Was [the grievant] denied her privacy rights, secured under the provisions of [t]he Privacy Act of 194 [a]mended, and, if so, what is the appropriate remedy?
Award at 1 (emphasis omitted).
The Arbitrator found that the Agency contacted the grievant's medical providers directly and obtained medical information about the grievant without the grievant's knowledge or consent. According to the Arbitrator, the grievant did not engage in any "obstructive and/or uncooperative" behavior that would have given the Agency "the right to bypass the [g]rievant . . . ." Id. at 20. The Arbitrator found that "the information sought by the Agency resulted in an `adverse determination' about [the [g]rievant's] rights, benefits, and privileges under [f]ederal programs." Id. at 25. Therefore, the Arbitrator concluded that the Agency violated the Privacy Act.
In reaching this conclusion, the Arbitrator rejected the Agency's claim that its actions were permitted by 20 C.F.R. § 10.506, which allows agencies to contact an employee's doctor directly, in certain circumstances. [n4] According to the Arbitrator, the Agency contacted [ v58 p707 ] the grievant's medical providers by phone and contacts made under this provision must be in writing only. The Arbitrator also rejected the Agency's claims that its actions were permitted by certain Department of Labor (DOL) regulatory guidance. [n5] According to the Arbitrator, none of the authorities cited by the Agency override the Agency's obligations under the Privacy Act.
Based on the foregoing, the Arbitrator concluded that the Agency violated the Privacy Act. As a remedy, the Arbitrator ordered that the grievant "be made whole for all losses incurred." Id. at 26.
The grievant was injured at work and received worker's compensation, which allowed her to be paid for time spent away from work while attending therapy sessions. The Agency became suspicious that the grievant had inappropriately requested compensation and, on three occasions, contacted the grievant's medical providers to verify her appointments. During those contacts, the Agency also requested, and received, certain information about the grievant's medical condition, relevant to her job duties.
When the grievant discovered that the Agency had requested and received her medical information directly from her medical providers without requesting the information from her, she filed a grievance alleging that the Agency had violated the Privacy Act. When the grievance was unresolved, the matter was submitted to arbitration. As relevant here, the Arbitrator set forth the following issues:
Did the Agency violate the Privacy Act (5 U.S.C. § 552a) by its solicitation and obtaining of medical information . . . from [the grievant's] medical providers without having gone through the grievant to obtain this information? [If so,] what is the proper remedy?
Award at 4.
Initially, the Arbitrator noted that there was no dispute as to what took place in this case, see Award at 10 citing Magee v. United States Postal Serv. et al., 903 F. Supp. 1022 (W.D.La. 1995) (Magee), and he concluded that the Agency violated the Privacy Act. In reaching this conclusion, the Arbitrator rejected the Agency's claim that its actions were necessary, given certain time restraints, and consistent with certain DOL regulatory guidance. [n6] The Arbitrator found that the Agency made "no attempt to obtain the information . . . from the grievant" and that the Agency's failure to do so was "willful and deliberate." Id. at 12. According to the Arbitrator, the grievant was under a "cloud of suspicion" for requesting reimbursement for therapy sessions she did not attend, and the Agency did not confront her immediately to "clear the air[,]" even though there was no proof that she had acted deliberately. Id.
The Arbitrator found that the Agency's use of the information it collected could have resulted in an adverse determination about the grievant's rights, benefits, or privileges. In these circumstances, according to the Arbitrator, "removing the grievant from the picture . . . [was] sufficient to show an adverse effect upon the grievant." Id. Accordingly, the Arbitrator found that the Agency violated the Privacy Act, and the Arbitrator awarded the grievant $1,000 for each of the three violations.
III. Agency's Exceptions
The Agency excepts to the Arbitrator's award on two grounds. First, the Agency argues that the Arbitrator lacked jurisdiction to resolve the alleged Privacy Act violation because "by its very terms," the Privacy Act provides that only federal district courts may resolve such matters. Exceptions at 2. The Agency points out that the Merit Systems Protection Board (MSPB), the Federal Claims Court, and the United States Tax Court all lack jurisdiction to resolve Privacy Act matters. [n7]
Second, the Agency asserts that the award is contrary to the Privacy Act. In this regard, the Agency [ v58 p708 ] asserts that "numerous other authorities . . . work in concert with the Privacy Act to allow employers to fulfill [their] responsibility" of "managing the rights and benefits of [f]ederal employees injured on-the-job[.]" Id. at 3. In particular, the Agency asserts that the DOL's Publication CA-810 "authorizes agencies to obtain information directly from a physician" as a "routine use" under the Privacy Act. Id. Moreover, the Agency asserts that 20 C.F.R. § 10.506 allows agencies to contact an employee's physician "[t]o aid in returning an injured employee to suitable employment[.]" Id. According to the Agency, "even if [it] did not strictly adhere to all procedures outlined in the CFR, that, in and of itself, would not constitute a violation of the Privacy Act . . . ." Id. at 4. Accordingly, the Agency asserts that it acted within its authority when it contacted the grievant's medical providers. Id.
With respect to the Arbitrator's jurisdiction, the Agency restates its arguments made in AR-3628 and adds that Privacy Act claims must be brought as a "suit" and not a "grievance." Exceptions at 8. The Agency further adds that the Arbitrator lacked authority to award monetary damages and attorney fees under the Privacy Act and requests that the Authority reconsider its decision to the contrary in AFGE, Local 987, 57 FLRA 551 (2001) (Chairman Cabaniss dissenting) (AFGE).
As to the merits, the Agency restates its arguments made in AR-3628, and also asserts that its efforts to obtain information directly from the grievant's medical providers were authorized under the "routine use" exception of the Privacy Act. Id. at 6. In addition, the Agency asserts that the Arbitrator inappropriately relied on Magee because the alleged Privacy Act violations at issue in that case were dismissed. See id. Finally, the Agency asserts that the Arbitrator "made no clear finding about any `adverse effect' . . . as required by the Privacy Act . . . ." Id. at 7.
IV. Union's Oppositions
According to the Union, the Agency's argument that the Arbitrator lacked jurisdiction to resolve the alleged Privacy Act violation was not raised below, and therefore, should not be considered by the Authority. In any event, according to the Union, Privacy Act violations may be considered in grievance arbitration because they affect conditions of employment within the meaning of § 7103(a)(9)(C)(ii) of the Statute. See Opposition at 3 (citing AFGE). Therefore, the Union argues that the Agency's exception should be denied.
The Union also asserts that the award is consistent with the Privacy Act because the Privacy Act requires "at least some effort" on the Agency's part to collect the information directly from the grievant, and the Agency "made no effort" to do so. Id. at 5. The Union acknowledges that the Agency had a legitimate interest in, and right to request, the information. However, the Union asserts that the information "had a strong potential" to negatively affect the grievant's worker's compensation benefits and pending claim. Id. at 6. According to the Union, the grievant was adversely affected because the information was used to contest the grievant's worker's compensation claim, and the claim ultimately was denied.
Finally, the Union asserts that, even if the Agency's actions were consistent with other regulations, that would not excuse its failure to comply with the Privacy Act.
The Union restates its arguments made in opposition to the Agency's exceptions in AR-3628 regarding the Arbitrator's jurisdiction and conclusion that the Agency violated the Privacy Act. The Union adds that the information collected was intended to minimize the amount of the grievant's worker's compensation benefits, and therefore, had a "strong potential" to adversely effect the grievant's worker's compensation claim. Id. at 5.
V. Preliminary Matter
The Union asserts that the Agency did not raise below its claim that the Arbitrators lacked jurisdiction to review the alleged Privacy Act violations. However, the award in AR-3628 demonstrates that the Agency challenged the arbitrator's jurisdiction to consider the Privacy Act matter. See Award AR-3628 at 2. The record in AR-3639 demonstrates that the argument was raised in that case also. See Agency's pre-arbitration statement at tab 13. Accordingly, we reject the Union's argument and rule on the Agency's exceptions concerning jurisdiction.
VI. Analysis and Conclusions
A. The Arbitrators did not lack jurisdiction to resolve the alleged Privacy Act violations.
The Agency argues that federal district courts have exclusive jurisdiction to resolve alleged Privacy Act violations. However, the Authority has long reviewed [ v58 p709 ] arbitration awards in which the underlying grievances concerned compliance with the Privacy Act. See, e.g., AFGE, Local 3184, 50 FLRA 449 (1995); NAGE, Local R5-66, 40 FLRA 504 (1991). The Authority's review of Privacy Act matters is consistent with § 7103(a)(9)(C)(ii) of the Statute, which defines "grievance" as "any complaint . . . by any employee, labor organization, or agency concerning . . . any claimed violation, misinterpretation, or misapplication of any law . . . affecting conditions of employment[.]" Applying this definition, it is clear that the rights and obligations created by the Privacy Act affect the conditions of employment of federal employees. For example, the Privacy Act plays a significant role in agency maintenance of employee personnel records. See United States Dep't of Transp., FAA, N.Y. TRACON, Westbury, N.Y., 50 FLRA 338, 339 n.3 (1995); see also United States Dep't of the Air Force, 56th Support Group, Macdill Air Force Base, Fla., 51 FLRA 1144, 1145 n.2 (1996) (citing 5 U.S.C. § 552a(4), (5)). As such, and as demonstrated by the Authority's precedent, the Privacy Act has had a prominent role in significant aspects of federal sector labor-management relationships. See, e.g., United States DOJ, Fed Corr. Facility, El Reno, Okla., 51 FLRA 584 (1995) (addressing disclosure requirements under the Privacy Act); United States Dep't of the Treasury, IRS, 51 FLRA 310 (1995) (same).
Based on the foregoing, we conclude, consistent with AFGE, that the Privacy Act is a law "affecting conditions of employment" within the meaning of § 7103(a)(9)(C)(ii) of the Statute. This conclusion is not inconsistent with the D.C. Circuit's decision holding that the term "`law, rule, or regulation affecting conditions of employment' can be only interpreted . . . to confine grievances to alleged violations of a statute or regulation that can be said to have been issued for the very purpose of affecting the working conditions of employees--not one that merely incidentally does so." United States Dep't of the Treasury, United States Customs Serv. v. FLRA, 43 F.3d 682, 689 (D.C. Cir. 1994). As demonstrated above, the Privacy Act's effect on federal employees' working conditions is more than "merely incidental[.]" AFGE, 57 FLRA at 555.
The Agency disagrees with the Authority's precedent, relying on § 552a(g)(1)(D), which provides that an "individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matter[.]" On its face, this provision establishes that federal district courts have jurisdiction to consider actions arising under the Privacy Act. However, nothing in this provision precludes jurisdiction over Privacy Act claims in other, appropriate fora. See id. at 556-57. That is, nothing in the provision establishes exclusive jurisdiction in the district courts. Compare id. with 28 U.S.C. § 1346(b) ("the district courts . . . shall have exclusive jurisdiction" over certain civil actions arising under the Federal Tort Claims Act) and 28 U.S.C. § 1251(a) ("[t]he Supreme Court shall have . . . exclusive jurisdiction of all controversies between two or more States"). Consequently, the Agency's reliance on the wording of § 552a(g)(1)(D) is misplaced.
The Agency's reliance on decisions of the MSPB, the Tax Court and the Claims Court that they lack jurisdiction over Privacy Act matters is also misplaced. In this regard, none of those decisions is based solely on a finding that federal district courts have exclusive jurisdiction over Privacy Act matters. See Martin v. Dep't of the Army, 2000 WL 1807419 at **2 (Fed. Cir.) (citing 5 U.S.C. § 7701(a) and 5 C.F.R. § 1201.3 in concluding that MSPB lacks jurisdiction over Privacy Act claims); Strickland v. Comm'r of Internal Revenue, 2000 WL 274077 (U.S. Tax Court) (citing Crowell v. Comm'r of Internal Revenue, 102 T.C. 683, 693 (1994), which found, in part, that Tax Court lacks jurisdiction over Privacy Act matters because § 7852(e) of the Internal Revenue Code "expressly provides that 5 U.S.C. § 552a(g) shall not be applied directly or indirectly to the determination of liability of any person for any tax."); Frasier v. United States, 43 F.3d at 1485 (holding that the Claims Court lacks jurisdiction over Privacy Act matters without explanation). In addition, the Authority is not bound by the decisions of the MSPB, the Tax Court or the Claims Court.
Consequently, we reject the Agency's argument that the Arbitrators lacked jurisdiction to resolve the alleged Privacy Act violations.
B. The Arbitrators erred in concluding that the Agency violated the Privacy Act.
1. Applicable Legal Standards
When an exception involves the award's consistency with law, the Authority reviews any question of law raised by the exception and the award de novo. See NTEU, Chapter 24, 50 FLRA 330, 332 (1995) (citing United States Customs Serv. v. FLRA, 43 F.3d 682, 686-87 (D.C. Cir. 1994)). In applying the standard of de novo review, the Authority assesses whether an arbitrator's legal conclusions are consistent with the applicable standard of law. See United States DOD, Dep'ts of the Army and the Air Force, Ala. Nat'l Guard, Northport, Ala., 55 FLRA 37, 40 (1998). In making that assessment, [ v58 p710 ] the Authority defers to the arbitrator's underlying factual findings. See id.
Section 552a(e)(2) requires federal agencies "to collect information to the greatest extent practicable directly from the individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs." 5 U.S.C. § 552a(e)(2). An individual who is adversely affected by an agency's intentional or willful failure to comply with this provision is entitled to relief under the Act. See id. at § 552a(g)(1)(D) and (g)(4). To obtain such relief, a grievant must show that: (1) the agency failed to elicit information directly from him or her to the greatest extent practicable; (2) the agency's violation of the Act was intentional or willful; and (3) the agency's action had an adverse effect on the grievant. See Waters v. Thornburgh, 888 F.2d 870, 872 (D.C. Cir. 1989). If these three factors are satisfied, then the grievant is entitled to the greater of $1,000 or the actual damages sustained, pursuant to § 552a(g)(4) of the Act. Id.
The Agency's assertion that the award is contrary to the Privacy Act is based on its claim that "numerous other authorities" permitted its actions. Exceptions at 3. The Agency's argument has merit. In this connection, the Privacy Act "does not make the [g]overnment strictly liable for every affirmative or negligent action that might be said technically to violate the Privacy Act's provisions." Albright v. United States, 732 F.2d 181, 189 (D.C. Cir. 1984) (Albright). Rather, liability is imposed "only when the agency acts in violation of the Act in a willful or intentional manner, either by committing the act without grounds for believing it to be lawful, or by flagrantly disregarding others' rights under the Act." Id. Accordingly, federal courts have found no violation of the Privacy Act where agencies have acted pursuant to regulations or other authority that the agencies justifiably believed authorized their actions. See, e.g., Wisdom v. Dep't of Housing and Urban Dev., 713 F.2d 422, 424 (8th Cir. 1983), cert. denied, 465 U.S. 1021 (1984) (intentional release of records pursuant to regulations not a willful violation of the Act); accord Bruce v. United States, 621 F.2d 914, 917 (8th Cir. 1980). Even where an agency does not fully comply with the authority that authorized its actions, no violation of the Privacy Act occurs. See, e.g., Wesley v. Don Stein Buick, Inc., 985 F. Supp. 1288, 1305-06 (D.Kan. 1997) (standard for willful violation not met where, although disclosure was "unlawful," agency acted with belief that disclosure was proper, and it would have been proper if procedures set forth in routine use had been followed) (Wesley).
The Agency claims, among other things, that 20 C.F.R. § 10.506 permitted its actions. As relevant here, that provision expressly permits an agency to "contact the employee's physician in writing concerning the work limitations imposed by the effects of the injury and possible job assignments." 20 C.F.R. § 10.506. Thus, § 10.506 permitted the Agency to obtain information about the grievant's medical condition directly from her medical providers. The Agency's contacts here were by phone rather than in writing. However, the grievance did not allege a violation of § 10.506. Moreover, even assuming, without finding, that the Agency violated § 10.506, that violation would not, in and of itself, amount to a willful and intentional violation of the Privacy Act, where the Agency's actions would have been proper had it fully complied with the regulation. See Wesley, 985 F.Supp. at 1305-06. Consequently, we conclude that the Arbitrator in AR-3628 erred in finding a violation of the Privacy Act, and we set aside the award.
The Privacy Act's adverse effect requirement has two components: (1) an adverse effect standing requirement and (2) a causal nexus between the agency's action and the adverse effect. [n8] See, e.g., Quinn, 978 F.2d at 131. The Agency argues that the Arbitrator "made no clear finding about any `adverse effect . . . .'" Exceptions at 7.
The Arbitrator found that the facts were "sufficient to show an adverse effect upon the grievant[,]" but he did not find that the grievant actually suffered an adverse effect. For instance, although the Arbitrator found that the information "would [result in] an adverse determination," if ultimately it proved that the grievant's injury did not affect her work, he did not find that the information did result in an adverse determination. Award at 12 (emphasis added). Similarly, although the Arbitrator found that the grievant was "under a cloud of suspicion," he did not conclude that this "cloud of suspicion" caused the grievant to suffer any adverse affects such as mental distress, emotional trauma, or embarrassment, which have been held sufficient to confer standing under the Privacy Act. Id.; see Quinn, 978 F.2d at [ v58 p711 ] 135 (citing Albright, 732 F.2d at 186); Parks v. United States, IRS, 618 F.2d 677, 683 (10th Cir. 1980)).
A de novo review of the record evidence demonstrates that the grievant did not lose any benefits to which she was entitled. To the contrary, the record shows that the grievant requested reimbursement for therapy sessions that she did not attend and that the Agency's actions prevented her from receiving benefits to which she was not entitled. In these circumstances, where the record does not support a finding that the Agency's actions caused an adverse affect, the Arbitrator's finding of a Privacy Act violation is deficient. Accordingly, we find that the award is contrary to the Privacy Act, and we set it aside.
VII. Decision [n9]
We deny the Agency's exceptions in both cases as to the Arbitrators' jurisdiction, and we set aside both awards as contrary to law.
5 U.S.C. § 552a(e)(2) provides that:
Each agency that maintains a system of records shall . . . collect information to the greatest extent practicable directly from the subject individual when the information may result in adverse determinations about an individual's rights, benefits, and privileges under Federal programs[.]
5 U.S.C. § 552a(g)(1)(D) provides that:
Whenever any agency . . . fails to comply with any other provision of this section, or any rule promulgated thereunder, in such a way as to have an adverse effect on an individual, the individual may bring a civil action against the agency, and the district courts of the United States shall have jurisdiction in the matters under the provisions of this subsection.
5 U.S.C. § 552a(g)(4) provides that:
In any suit brought under the provisions of subsection (g)(1)(C) or (D) of this section in which the court determines that the agency acted in a manner which was intentional or willful, the United States shall be liable to the individual in an amount equal to the sum of-- (A) actual damages sustained by the individual as a result of the refusal or failure, but in no case shall a person entitled to recovery receive less than the sum of $1,000; and (B) the costs of the action together with reasonable attorney fees as determined by the court.
20 C.F.R. § 10.506 provides that:
The employer may monitor the employee's medical progress and duty status by obtaining periodic medical reports. Form CA-17 is usually adequate for this purpose. To aid in returning an injured employee to suitable employment, the employer may also contact the employee's physician in writing concerning the work limitations imposed by the effects of the injury and possible job assignments. (However, the employer shall not contact the physician by telephone or through personal visit.) When such contact is made, the employer shall send a copy of any such correspondence to OWCP and the employee, as well as a copy of the physician's response when received. The employer may also contact the employee at reasonable intervals to request periodic medical reports addressing his or her ability to return to work.
Concurring Opinion of Chairman Cabaniss:
I write separately to note that, consistent with my separate opinions in AFGE, Local 987, 57 FLRA 551, 558 (2001) and AFGE, Local 2382, 58 FLRA 270, 272 (2002), I would find that the Privacy Act does not constitute a "law, rule, or regulation affecting conditions of employment" under § 7103(a)(9) of our Statute. As a result, the Agency here could not be found to have violated the Privacy Act because such determinations are not subject to arbitral review.
Footnote # 1 for 58 FLRA No. 170 - Authority's Decision
Footnote # 2 for 58 FLRA No. 170 - Authority's Decision
Footnote # 3 for 58 FLRA No. 170 - Authority's Decision
Footnote # 4 for 58 FLRA No. 170 - Authority's Decision
Footnote # 5 for 58 FLRA No. 170 - Authority's Decision
Footnote # 6 for 58 FLRA No. 170 - Authority's Decision
The specific guidance cited in AR-3639 includes: 20 C.F.R. § 10.506, the Center Policy Memorandum #05-33, the Compensation and Treatment for Work Injury (Form CA-2), and the Duty Status Report (Form CA-17). See Award at 3, 5, 11.
Footnote # 7 for 58 FLRA No. 170 - Authority's Decision
The Agency cites Martin v. Dep't of the Army, 251 F.3d 170 (Fed. Cir. 2000) (based on § 7701(a), the court found that the MSPB does not have jurisdiction to consider alleged violations of the Privacy Act); Strickland v. Comm'r of Internal Revenue, 2000 WL 274077 (U.S. Tax Ct.) (based on its own precedent, the court found that Privacy Act claims fall outside the Tax Court's jurisdiction); and Frasier v. United States, 43 F.3d 1485 (Fed. Cl. 1994) (based on its own precedent, the Claims Court determined that Privacy Act claims are not within its jurisdiction).
Footnote # 8 for 58 FLRA No. 170 - Authority's Decision
The adverse effect that a plaintiff must show within the meaning of (g)(1)(D) is not necessarily equivalent to "actual damages" recoverable under (g)(4)(A). Quinn v. P.W. Stone, 978 F.2d 126, 135 n.15 (3rd Cir. 1992) (citing Dickson v. Office of Personnel Management, 828 F.2d 32, 37 (D.C. Cir. 1987)) (Quinn).
Footnote # 9 for 58 FLRA No. 170 - Authority's Decision