Implementation of Privacy Act of 1974
This document institutes the Recovery Accountability and Transparency Board's (Board) final rule implementing a set of procedural regulations under the Privacy Act of 1974 (Privacy Act or the Act), 93, 5 U.S.C. 552a. These regulations have been written to conform to the statutory provisions of the Act. They are intended to expedite the processing of Privacy Act requests received by the Board and to ensure the proper dissemination of information to the public.
DATES:
Effective November 20, 2009.
FOR FURTHER INFORMATION CONTACT:
Jennifer Dure, General Counsel, (202) 254-7900.
SUPPLEMENTARY INFORMATION:
The proposed rule was published in the Federal Register on August 3, 2009 (74 FR 38363) for a public comment period to end on October 2, 2009. This rule sets forth the procedures to be used by members of the public when requesting records from the Board under the Privacy Act. It also establishes a timeframe for responses, a fee schedule for copying records, and charges for obtaining information, when applicable.
Public Comment
The Board received one comment on the proposed rule requesting an explanation concerning the differences between the proposed Privacy Act and Freedom of Information Act (FOIA) rules regarding what is procedurally required in order for an individual to request access to records in the custody of the Board. A discussion of the comment and the Board's response are set forth below.
Comments on the Proposed Rule and Explanation
Under the Board's proposed Privacy Act rules, all requests should include, among other things, the requester's full name, address, and telephone number. Requests for Privacy Act records may be made in writing, by fax, by telephone, or in person. The commenter contends that there are additional and more stringent requirements placed on a requester who requests access to his or her records in person. More specifically, such a requester must contact the Board's office at least one week before the desired appointment date. In addition, before a requester can review his or her records, the requester must provide proof of identification. Identification should be a valid copy of one of the following: A government ID, a driver's license, a passport, or other current identification that contains both an address and a picture of the requester.
According to the commenter, the process for requesting records under the Board's proposed FOIA rules “seem[s] quite simplified.” Under the proposed FOIA rules (74 FR 38366), all requests for records must include the requester's full name, address, and telephone number. Such a request can be made in writing, via e-mail, or via fax. The commenter correctly points out that the proposed FOIA rule does not provide the option of an in-person request. The commenter concluded that the differences in treatment of requesters for access to the Board's Privacy Act records seem unnecessary, especially with respect to the identification information required of a requester seeking information in person.
The commenter correctly points out the difference between the proposed Privacy Act and FOIA rules, but there is a reason for the difference between them which stems from the laws at issue. Briefly, a Privacy Act request is a request from an individual seeking to review and/or make corrections to federal records, maintained and retrieved in an approved system of records, which are about that individual—with very limited exceptions, no one else can ask for these records. A FOIA request is a request from the general public for copies of specific records maintained by a federal agency—any member of the public can make such a request. When individuals request information about themselves contained in an approved Privacy Act system of records, the request should be handled under the Privacy Act. Requested records about an individual not contained in an approved system of records asked for under the Privacy Act will have their request processed under the FOIA, since no access rights exist under the Privacy Act.
Because the nature of a Privacy Act request is narrow and specific to an individual in an approved system of records, the Board feels that providing the additional provisions to request and examine records in person is reasonable. In addition, in order to ensure that individuals who request to examine records in person are who they claim to be, it is necessary to require that individuals provide the proper proof of identification as set forth in the proposed Privacy Act rules. This Privacy Act requirement is designed to protect requesters from having their personal information disclosed to anyone else.
Executive Order 12866
The proposed regulation does not meet the criteria for a significant regulatory action under Executive Order 12866. Therefore, review by the Office of Management and Budget is not required.
Regulatory Flexibility Act
The proposed rule adds Privacy Act regulations to 4 CFR Part 200 and will not have a significant economic impact on a substantial number of small entities.
Paperwork Reduction Act
The rule imposes no additional recording and recordkeeping requirements and is therefore exempt from the requirements of the Paperwork Reduction Act.
Therefore, the Board amends Title 4 of the Code of Federal Regulations by adding Part 200 to read as follows:
CHAPTER II—RECOVERY ACCOUNTABILITY AND TRANSPARENCY BOARD
PART 200—PRIVACY ACT OF 1974
- 200.1 Purpose and scope.
- 200.2 Definitions.
- 200.3 Privacy Act records maintained by the Board.
- 200.4 Privacy Act inquiries.
- 200.5 Requests for access to records.
- 200.6 Processing of requests.
- 200.7 Fees.
- 200.8 Appealing denials of access.
- 200.9 Requests for correction of records.
- 200.10 Disclosure of records to third parties.
- 200.11 Maintaining records of disclosures.
- 200.12 Notification of systems of Privacy Act records.
- 200.13 Privacy Act training.
- 200.14 Responsibility for maintaining adequate safeguards.
- 200.15 Systems of records covered by exemptions.
- 200.16 Mailing lists.
§ 200.1 Purpose and scope.
This part sets forth the policies and procedures of the Board regarding access to systems of records maintained by the Board under the Privacy Act, 93, 5 U.S.C. 552a. The provisions in the Act shall take precedence over any part of the Board's regulations in conflict with the Act. These regulations establish procedures by which an individual may exercise the rights granted by the Privacy Act to determine whether a Board system of records contains a record pertaining to him or her; to gain access to such records; and to request correction or amendment of such records. These regulations also set identification requirements and prescribe fees to be charged for copying records.
§ 200.2 Definitions.
As used in this part:
(a) Agency means any executive department, military department, government corporation, or other establishment in the executive branch of the federal government, including the Executive Office of the President or any independent regulatory agency;
(b) Individual means any citizen of the United States or an alien lawfully admitted for permanent residence;
(c) Maintain means to collect, use, store, or disseminate records as well as any combination of these recordkeeping functions. The term also includes exercise of control over, and therefore responsibility and accountability for, systems of records;
(d) Record means any item, collection, or grouping of information about an individual that is maintained by the Board and contains the individual's name or other identifying information, such as a number or symbol assigned to the individual or his or her fingerprint, voice print, or photograph. The term includes, but is not limited to, information regarding an individual's education, financial transactions, medical history, and criminal or employment history;
(e) System of records means a group of records under the control of the Board from which information is retrievable by use of the name of the individual or by some number, symbol, or other identifying particular assigned to the individual;
(f) Routine use means, with respect to the disclosure of a record, the use of a record for a purpose that is compatible with the purpose for which it was collected;
(g) Designated Privacy Act Officer means the person named by the Board to administer the Board's activities in regard to the regulations in this part;
(h) Executive Director means the chief operating officer of the Board;
(i) Days means standard working days, excluding weekends and federal holidays.
§ 200.3 Privacy Act records maintained by the Board.
(a) The Board shall maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or by Executive Order of the President. In addition, the Board shall maintain all records that are used in making determinations about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to that individual in the making of any determination about him or her. However, the Board shall not be required to update retired records.
(b) The Board shall not maintain any record about any individual with respect to or describing how such individual exercises rights guaranteed by the First Amendment of the Constitution of the United States, unless expressly authorized by statute or by the subject individual, or unless pertinent to and within the scope of an authorized law enforcement activity.
§ 200.4 Privacy Act inquiries.
(a) Inquiries regarding the contents of record systems. Any person wanting to know whether the Board's systems of records contain a record pertaining to him or her may file an inquiry in person, by mail or by telephone.
(b) Inquiries in person may be submitted at the Board's headquarters located at 1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006. Inquiries should be marked “Privacy Act Inquiry” on each page of the inquiry and on the front of the envelope and directed to the Privacy Act Officer.
(c) Inquiries by mail may be sent to: Privacy Act Officer, Recovery Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006. “Privacy Act Inquiry” should be written on the envelope and each page of the inquiry.
(d) Telephone inquiries may be made by calling the Board's Privacy Act Officer at (202) 254-7900.
§ 200.5 Requests for access to records.
(a) All requests for records should include the following information:
(1) Full name, address, and telephone number of requester.
(2) The system of records containing the desired information.
(3) Any other information that the requester believes would help locate the record.
(b) Requests in writing. A person may request access to his or her own records in writing by addressing a letter to: Privacy Act Officer, Recovery Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006.
(c) Requests by fax. A person may request access to his or her records by facsimile at (202) 254-7970.
(d) Requests by phone. A person may request access to his or her records by calling the Privacy Act Officer at (202) 254-7900.
(e) Requests in person. Any person may examine and request copies of his or her own records on the Board's premises. The requester should contact the Board's office at least one week before the desired appointment date. This request may be made to the Privacy Act Officer in writing or by calling (202) 254-7900. Before viewing the records, proof of identification must be provided. The identification should be a valid copy of one of the following:
(1) A government ID;
(2) A driver's license;
(3) A passport; or
(4) Other current identification that contains both an address and a picture of the requester.
§ 200.6 Processing of requests.
Upon receipt of a request for information, the Privacy Act Officer will ascertain whether the records identified by the requester exist, and whether they are subject to any exemption under § 200.15. If the records exist and are not subject to exemption, the Privacy Act Officer will provide the information.
(a) Requests in writing, including those sent by fax. Within five working days of receiving the request, the Privacy Act Officer will acknowledge its receipt and will advise the requester of any additional information that may be needed. Within 15 working days of receiving the request, the Privacy Act Officer will send the requested information or will explain to the requester why additional time is needed for a response.
(b) Requests in person or by telephone. Within 15 days of the initial request, the Privacy Act Officer will contact the requester and arrange an appointment at a mutually agreeable time when the record can be examined. The requester may be accompanied by no more than one person. In such case, the requester must inform the Privacy Act Officer that a second individual will be present and must sign a statement authorizing disclosure of the records to that person. The statement will be kept with the requester's records. At the appointment, the requester will be asked to present identification as stated in § 200.5(e).
(c) Excluded information. If a request is received for information compiled in reasonable anticipation of litigation, the Privacy Act Officer will inform the requester that the information is not subject to release under the Privacy Act (see 5 U.S.C. 552a(d)(5)).
§ 200.7 Fees.
A fee will not be charged for searching, reviewing, or making corrections to records. A fee for copying will be assessed at the same rate established for the Freedom of Information Act requests. Duplication fees for paper copies of a record will be 10 cents per page for black and white and 20 cents per page for color. For all other forms of duplication, the Board will charge the direct costs of producing the copy. However, the first 100 pages of black-and-white copying or its equivalent will be free of charge.
§ 200.8 Appealing denials of access.
(a) If access to records is denied by the Privacy Act Officer, the requester may file an appeal in writing. The appeal should be directed to Executive Director, Recovery Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006.
(b) The appeal letter must specify the denied records that are still sought, and state why denial by the Privacy Act Officer is erroneous.
(c) The Executive Director or his or her designee will respond to appeals within 20 working days of the receipt of the appeal letter. The appeal determination will explain the basis of the decision to deny or grant the appeal.
§ 200.9 Requests for correction of records.
(a) Correction requests. Any person is entitled to request correction of his or her record(s) covered under the Act. The request must be made in writing and should be addressed to Privacy Act Officer, Recovery Accountability and Transparency Board, 1717 Pennsylvania Avenue, NW., Suite 700, Washington, DC 20006. The letter should clearly identify the corrections desired. In most circumstances, an edited copy of the record will be acceptable for this purpose.
(b) Initial response. Receipt of a correction request will be acknowledged by the Privacy Act Officer in writing within five working days. The Privacy Act Officer will provide a letter to the requester within 20 working days stating whether the request for correction has been granted or denied. If the Privacy Act Officer denies any part of the correction request, the reasons for the denial will be provided to the requester.
§ 200.10 Disclosure of records to third parties.
(a) The Board will not disclose any record that is contained in a system of records to any person or agency, except with a written request by or with the prior written consent of the individual whose record is requested, unless disclosure of the record is:
(1) Required by an employee or agent of the Board in the performance of his/her official duties.
(2) Required under the provisions of the Freedom of Information Act (5 U.S.C. 552). Records required to be made available by the Freedom of Information Act will be released in response to a request in accordance with the Board's regulation published at 4 CFR Part 201.
(3) For a routine use as published in the annual notice in the Federal Register.
(4) To the Census Bureau for planning or carrying out a census, survey, or related activities pursuant to the provisions of Title 13 of the United States Code.
(5) To a recipient who has provided the Board with adequate advance written assurance that the record will be used solely as a statistical research or reporting record and that the record is to be transferred in a form that is not individually identifiable.
(6) To the National Archives and Records Administration as a record that has sufficient historical or other value to warrant its continued preservation by the United States government, or for evaluation by the Archivist of the United States, or his or her designee, to determine whether the record has such value.
(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the Board for such records specifying the particular part desired and the law enforcement activity for which the record is sought. The Board also may disclose such a record to a law enforcement agency on its own initiative in situations in which criminal conduct is suspected, provided that such disclosure has been established as a routine use, or in situations in which the misconduct is directly related to the purpose for which the record is maintained.
(8) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is transmitted to the last known address of such individual.
(9) To either House of Congress, or, to the extent of matters within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee.
(10) To the Comptroller General, or any of his or her authorized representatives, in the course of the performance of official duties of the Government Accountability Office.
(11) Pursuant to an order of a court of competent jurisdiction. In the event that any record is disclosed under such compulsory legal process, the Board shall make reasonable efforts to notify the subject individual after the process becomes a matter of public record.
(12) To a consumer reporting agency in accordance with 31 U.S.C. 3711(e).
(b) Before disseminating any record about any individual to any person other than a Board employee, the Board shall make reasonable efforts to ensure that the records are, or were at the time they were collected, accurate, complete, timely, and relevant. This paragraph (b) does not apply to disseminations made pursuant to the provisions of the Freedom of Information Act (5 U.S.C. 552) and paragraph (a)(2) of this section.
§ 200.11 Maintaining records of disclosure.
(a) The Board shall maintain a log containing the date, nature, and purposes of each disclosure of a record to any person or agency. Such accounting also shall contain the name and address of the person or agency to whom or to which each disclosure was made. This log will not include disclosures made to Board employees or agents in the course of their official duties or pursuant to the provisions of the Freedom of Information Act (5 U.S.C. 552).
(b) An accounting of each disclosure shall be retained for at least five years after the accounting is made or for the life of the record that was disclosed, whichever is longer.
(c) The Board shall make the accounting of disclosure of a record pertaining to an individual available to that individual at his or her request. Such a request should be made in accordance with the procedures set forth in § 200.5. This paragraph (c) does not apply to disclosure made for law enforcement purposes under 5 U.S.C. 552a(b)(7) and § 200.10(a)(7).
§ 200.12 Notification of systems of Privacy Act records.
(a) Public Notice. The Board periodically reviews its systems of records and will publish information about any significant additions or changes to those systems in the Federal Register. Information about systems of records maintained by other agencies that are in the temporary custody of the Board will not be published. In addition, the Office of the Federal Register biennially compiles and publishes all systems of records maintained by all federal agencies, including the Board.
(b) At least 30 days before publishing additions or changes to the Board's systems of records, the Board will publish a notice of intent to amend, providing the public with an opportunity to comment on the proposed amendments to its systems of records in the Federal Register.
§ 200.13 Privacy Act training.
(a) The Board shall ensure that all persons involved in the design, development, operation, or maintenance of any Board systems of records are informed of all requirements necessary to protect the privacy of individuals. The Board shall ensure that all employees having access to records receive adequate training in their protection and that records have adequate and proper storage with sufficient security to ensure their privacy.
(b) All employees shall be informed of the civil remedies provided under 5 U.S.C. 552a(g)(1) and other implications of the Privacy Act and of the fact that the Board may be subject to civil remedies for failure to comply with the provisions of the Privacy Act and the regulations in this part.
§ 200.14 Responsibility for maintaining adequate safeguards.
The Board has the responsibility for maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automated records systems. These security safeguards shall apply to all systems of records in which identifiable personal data are processed or maintained, including all reports and output from such systems of records that contain identifiable personal information. Such safeguards must be sufficient to prevent negligent, accidental, or unintentional disclosure, modification, or destruction of any personal records or data; must minimize, to the extent practicable, the risk that skilled technicians or knowledgeable persons could improperly obtain access to modify or destroy such records or data; and shall further ensure against such casual entry by unskilled persons without official reasons for access to such records or data.
(a) Manual systems. (1) Records contained in a system of records as defined in this part may be used, held, or stored only where facilities are adequate to prevent unauthorized access by persons within or outside the Board.
(2) Access to and use of a system of records shall be permitted only to persons whose duties require such access to the information for routine uses or for such other uses as may be provided in this part.
(3) Other than for access by employees or agents of the Board, access to records within a system of records shall be permitted only to the individual to whom the record pertains or upon his or her written request.
(4) The Board shall ensure that all persons whose duties require access to and use of records contained in a system of records are adequately trained to protect the security and privacy of such records.
(5) The disposal and destruction of identifiable personal data records shall be done by shredding and in accordance with rules promulgated by the Archivist of the United States.
(b) Automated systems. (1) Identifiable personal information may be processed, stored, or maintained by automated data systems only where facilities or conditions are adequate to prevent unauthorized access to such systems in any form.
(2) Access to and use of identifiable personal data associated with automated data systems shall be limited to those persons whose duties require such access. Proper control of personal data in any form associated with automated data systems shall be maintained at all times, including maintenance of accountability records showing disposition of input and output documents.
(3) All persons whose duties require access to processing and maintenance of identifiable personal data and automated systems shall be adequately trained in the security and privacy of personal data.
(4) The disposal and disposition of identifiable personal data and automated systems shall be done by shredding, burning, or, in the case of electronic records, by degaussing or by overwriting with the appropriate security software, in accordance with regulations of the Archivist of the United States or other appropriate authority.
§ 200.15 Systems of records covered by exemptions.
The Board currently has no exempt systems of records.
§ 200.16 Mailing lists.
The Board shall not sell or rent an individual's name and/or address unless such action is specifically authorized by law. This section shall not be construed to require the withholding of names and addresses otherwise permitted to be made public.
Ivan J. Flores,
Paralegal Specialist, Recovery Accountability and Transparency Board.
[FR Doc. E9-27878 Filed 11-19-09; 8:45 am]
BILLING CODE 6820-GA-P