The Freedom of Information Act presumes that government records belong to the public, but that presumption has never extended to handing over the private details of identifiable individuals. Two of the act’s nine exemptions exist specifically to protect personal privacy: Exemption (b)(6) and Exemption (b)(7)(C). Together they are among the most frequently invoked grounds for withholding, because almost any substantial body of agency records contains names, contact information, and other identifying data about employees, applicants, beneficiaries, witnesses, and ordinary members of the public.
These two exemptions are closely related but not identical. Both ask agencies to weigh an individual’s privacy interest against the public’s interest in disclosure, yet they apply to different categories of records and they set that balance at different points. Understanding how they differ — and how they work together — is essential for anyone who processes requests, redacts documents, or manages the records that requests reach.
What Exemption (b)(6) Protects
Exemption (b)(6) covers “personnel and medical files and similar files” the disclosure of which would constitute a clearly unwarranted invasion of personal privacy. Courts have read the phrase “similar files” broadly: it reaches essentially any record that contains information identifying a particular individual, not just formal personnel or medical folders. A roster, an email signature block, a list of program participants, a home address, or a date of birth can all fall within its scope.
The exemption is not automatic. Once an agency determines that a privacy interest exists, it must balance that interest against any public interest in disclosure — and under FOIA the only cognizable public interest is the extent to which release would shed light on the government’s own conduct, what the public is “entitled to know about what their government is up to.” If releasing a person’s information would reveal little or nothing about agency operations, the privacy interest usually prevails. The word “clearly” signals that (b)(6) tips the balance somewhat in favor of disclosure: the invasion must be clearly unwarranted before the material may be withheld.
What Exemption (b)(7)(C) Protects
Exemption (b)(7)(C) protects personal privacy in a narrower but more strongly weighted context: information compiled for law enforcement purposes whose release could reasonably be expected to constitute an unwarranted invasion of personal privacy. It is one of several sub-parts of Exemption 7, all of which require that the records first qualify as law enforcement records.
The key distinction from (b)(6) is the strength of the privacy tilt. Where (b)(6) requires a clearly unwarranted invasion, (b)(7)(C) requires only an unwarranted one, and it uses the more forgiving “could reasonably be expected to” standard. Courts have recognized that people named in investigative files — suspects, subjects, witnesses, informants, and even the agents and analysts who work the case — have a heightened interest in not being publicly associated with law enforcement activity. As a result, (b)(7)(C) generally provides broader protection, and agencies routinely withhold the identities of third parties mentioned in investigative records absent a compelling public-interest showing.
How Agencies Balance Privacy Against Public Interest
In practice, applying either exemption is a structured balancing test:
- Identify the privacy interest. Determine whether the information identifies an individual and how sensitive it is. Medical conditions, financial details, and association with an investigation weigh heavily; a name appearing in a routine business context may weigh less.
- Identify the public interest, if any. The requester’s purpose is largely irrelevant; what matters is whether disclosure would illuminate government conduct.
- Weigh the two. If the public interest is slight or nonexistent, privacy ordinarily wins. A request seeking information about a private individual for reasons unrelated to agency operations often produces little public interest to set against the privacy harm.
A recurring doctrine in this area is the Glomar response — neither confirming nor denying that responsive records exist — used when the very acknowledgment of records would itself invade privacy, such as confirming whether a named person is the subject of an investigation.
Privacy Exemptions and the Privacy Act
The FOIA privacy exemptions do not operate in isolation. They run alongside the Privacy Act of 1974, which governs how federal agencies collect, maintain, use, and disclose records about individuals retrieved by name or other personal identifier. The two regimes overlap but serve different functions: FOIA controls public release on request, while the Privacy Act gives individuals rights over their own records and restricts disclosure of those records to others. Agencies frequently analyze a request under both statutes, and information protected under the Privacy Act is often withheld under (b)(6) as well.
Why Recordkeeping Makes Privacy Protection Possible
Exemptions can only be applied accurately if an agency can find its records, understand what they contain, and identify the personal information inside them. Reliable metadata, consistent filing, and trustworthy retention practices are what allow a reviewer to locate responsive records, recognize identifying data, and apply line-by-line redaction defensibly. The same recordkeeping disciplines that support timely FOIA and public-records processing also reduce privacy risk by limiting how long sensitive personal data is retained and by documenting who accessed it.
Modern electronic recordkeeping is governed by standards-based requirements rather than a single product specification. After NARA revoked its endorsement of the DoD 5015.2 standard in 2022 in favor of the Universal Electronic Records Management Requirements developed through the Federal Electronic Records Modernization Initiative (FERMI), agencies are expected to manage records — including the personal data that drives privacy exemptions — using functional requirements that emphasize retention, search, and disposition rather than a checklist tied to one tool.
Key Takeaways
- (b)(6) protects personal privacy in personnel, medical, and “similar files,” and withholds only where the invasion would be clearly unwarranted.
- (b)(7)(C) protects privacy in law enforcement records under a more protective standard, broadly shielding the identities of third parties.
- Both require balancing the individual’s privacy interest against the narrow public interest in understanding government conduct.
- The Privacy Act of 1974 operates alongside these exemptions, and sound records management is what makes consistent, defensible privacy protection possible.
Sources & further reading
Authoritative government and non-profit references.
- FOIA frequently asked questions — FOIA.gov / U.S. DOJ
- DOJ Office of Information Policy (FOIA guidance) — U.S. Department of Justice
- Privacy Act of 1974 — U.S. Department of Justice
How to cite this page
APA
RM University Editorial Team. (2026). The Privacy Exemptions: (b)(6) and (b)(7)(C). Records Management University. https://www.recordsmgmt.org/articles/foia-privacy-exemptions-b6-and-b7c/
MLA
RM University Editorial Team. "The Privacy Exemptions: (b)(6) and (b)(7)(C)." Records Management University, 16 June 2026, www.recordsmgmt.org/articles/foia-privacy-exemptions-b6-and-b7c/.