SBA privacy program

The Privacy Act of 1974 is a federal law that is set forth in Title 5, Section 552a, of the United States Code (5 U.S.C.552a), as amended.


Introduction to the Privacy Act

The purpose of the Privacy Act is to balance the government’s need to maintain information about individuals with the rights of individuals to be protected against unwarranted invasions of their privacy resulting from the collection, maintenance, use, and disclosure of personal information. In general, the Privacy Act focuses on four basic policy objectives:

  • To restrict disclosure of personally identifiable records maintained by agencies
  • To grant individuals increased rights of access to agency records maintained on them
  • To grant individuals the right to seek amendment of agency records maintained on them upon showing that the records are not accurate, relevant, timely, or complete
  • To establish a code of “fair information practices” which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records

The Privacy Act applies only to U.S. citizens and aliens who are lawfully admitted for permanent residence in the United States. It applies only to personal information maintained by agencies in the executive branch of the federal government.

System of Records Notices (SORNs)

The Privacy Act pertains only to information that is maintained in a “system of records,” which the Act defines as a group of agency-controlled records from which information is retrieved by a unique identifier, such as an individual’s name, date of birth, social security number, or employee identification number. The Privacy Act further defines a “record” as any individually identifiable set of information that an agency might maintain about a person. Such records may include a wide variety of personal information including, but not limited to, information about education, financial transactions, medical history, criminal history, or employment history. However, the Privacy Act explicitly states that agencies may not maintain information about how individuals exercise their First Amendment rights, unless maintenance of that information is specifically authorized by statute, by the individual about whom the record is maintained, or relates to a law enforcement activity.

SBA's System of Records Notices (SORNs) are published in the Federal Register and are available online at the GPO govinfo website.

Computer Matching Agreements

The Computer Matching and Privacy Protection Act of 1988 further expands the matching of records established in the Privacy Act.  Federal agencies are required to enter into written agreements with other agencies before disclosing records for use in the computer matching programs. Matching must be done with at least two automated systems and excludes certain programs and conditions.

As of March 2024, the Computer Matching Agreement between Department of Housing and Urban Development and U.S. Small Business Administration Loan Systems has expired. New efforts are suspended until further notice.

Privacy Impact Assessments

SBA conducts assessments of all new and revised information systems. These Privacy Impact Assessments detail how SBA addresses privacy concerns and safeguards information.

Exemptions to the Privacy Act

There are two general and seven specific exemptions in the Privacy Act. The two general exemptions cover:

  • All records maintained by the Central Intelligence Agency (not applicable to SBA)
  • Selected records maintained by an agency or component thereof which performs as its principal functions any activity pertaining to the enforcement of criminal laws (only used by SBA’s Office of the Inspector General)

In addition, the Privacy Act provides seven specific exemptions:

  1. Information that is properly classified in the interest of national defense or foreign policy.
  2. Investigatory material compiled for law enforcement purposes not covered by the general exemptions. The specific law enforcement exemption is limited when—as a result of the maintenance of the records — an individual is denied any right, privilege, or benefit to which he or she would be entitled by federal law or for which he or she would otherwise be entitled. In such cases, disclosure is required except where it would reveal the identity of a confidential source who furnished information to the government under an express promise that the identity of the source would be held in confidence.
  3. Information maintained in connection with providing protective services to the President of the United States or other individuals who receive protection from the Secret Service.
  4. Information required by statute to be maintained and used solely as statistical records.
  5. Investigatory material compiled solely for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, military service, federal contracts, or access to classified information, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence.
  6. Testing or examination material used solely to determine individual qualifications for appointment or promotion in the Federal Service, but only to the extent that the disclosure of such material would compromise the objectivity or fairness of the testing or examination process.
  7. Evaluation material used to determine potential for promotion in the armed services, but only to the extent that the disclosure of such material would reveal the identity of a source who furnished information to the government under an express promise that the identity of the source would be held in confidence.

File a privacy complaint

We take your privacy seriously and have created a process by which you can formally file a complaint with our Chief Privacy Officer.

Privacy complaints we can help with

We accept written complaints about:

  • How SBA collects or uses personal information
  • How, when, and with whom SBA shares personal information
  • The type(s) and/or amount of personal information SBA collects
  • Any other concern(s) you may have about how SBA handles personal information and/or its impact(s) on personal privacy

Complaints about the privacy of a business entity, a corporation, or any entity other than a person are not covered by our privacy complaint procedures.

Please keep in mind that Privacy Act requests for access, amendment, or correction are not privacy complaints – filing a complaint does not negate or replace your right to seek judicial relief under the Privacy Act or other federal laws for violations of individual privacy rights.

Submit a privacy complaint

To submit a complaint, you can write a letter that includes:

  • Your name
  • A summary of your complaint or a written description of the specific circumstances
  • A summary of other steps taken, if any, by you or SBA to resolve this complaint
  • A preferred method of contact about your complaint — a mailing address, telephone number, email address or fax number

Send us the letter by email to or by regular mail to:

U.S. Small Business Administration
Attention: Privacy Officer
409 3rd St. SW, Fourth floor
Washington, DC 20416

Evaluation procedure

We will send you an acknowledgement letter within five business days of our receipt of your complaint. We will review and categorize the complaint as: Process and procedural, redress, operational or referral (we will refer it to the right office or federal agency if we’re not the right ones to address the issue).

The Chief Privacy Officer will recommend any necessary actions in response to the complaint. We’ll let you know once your complaint is closed and, in general, include what, if any, action we’re taking in response to the complaint.

Our goal is to review and close complaints within 20 business days. For complaints that we’ll need more than the normal time to close, we’ll contact you to give a status update.

Contact privacy officials

Contact Stephen Kucharski, Chief Information Officer and Senior Agency Official for Privacy (Acting) by email at or regular mail at:

U.S. Small Business Administration
Attention: Privacy Officer
409 3rd St. SW,  Fourth floor
Washington, DC 20416

Last updated March 8, 2024