Institute of Museum and Library Services (IMLS), NFAH.
The Institute of Museum and Library Services (Institute) has amended its Privacy Act regulations to reflect administrative changes at the agency and to conform to the President's Memorandum of June 1, 1998—Plain Language in Government Writing. These regulations establish procedures by which an individual may determine whether a system of records maintained by the Institute contains a record pertaining to him or her; gain access to such records; and request correction or amendment of such records. These regulations also establish exemptions from certain Privacy Act requirements for all or part of certain systems of records maintained by the Institute.
February 2, 2006.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Nancy E. Weiss, General Counsel, Institute of Museum and Library Services, 1800 M Street, NW., Ninth Floor, Washington, DC 20036. E-mail: firstname.lastname@example.org. Telephone: (202) 653-4787. Facsimile: (202) 653-4625.End Further Info End Preamble Start Supplemental Information
The Institute operates as part of the National Foundation on the Arts and the Humanities under the National Foundation on the Arts and the Humanities Act of 1965, as amended (20 U.S.C. 951 et seq.) The corresponding regulations published at 45 CFR Chapter XI, Subchapter A apply to the entire Foundation, while the regulations published at 45 CFR Chapter XI, Subchapter E apply only to the Institute. The proposed rule was published by the Institute in the Federal Register on November 23, 2005. The Institute received no comments suggesting changes to the text of the rule.
This final rule adds Privacy Act regulations to Subchapter E (45 CFR part 1182), replacing the existing regulations in Subchapter A (45 CFR part 1115) with regard to the Institute. The new regulations provide additional detail concerning several provisions of the Privacy Act, and are intended to increase understanding of the Institute's Privacy Act policies. The Institute is authorized to propose the new regulations under 5 U.S.C. 552a(f) of the Privacy Act.
I. Matters of Regulatory Procedure
Regulatory Planning and Review (E.O. 12866)
Under Executive Order 12866, the Institute must determine whether the regulatory action is “significant” and therefore subject to OMB review and the requirements of the Executive order. The Order defines a “significant regulatory action” as one that is likely to result in a rule that may: (1) Have an annual effect on the economy of $100 million or more or adversely affect in a Start Printed Page 6375material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or tribal governments or communities; (2) create a serious inconsistency or otherwise interfere with an action taken or planned by another agency; (3) materially alter the budgetary impact of entitlements, grants, user fees, or loan programs or the rights and obligations of recipients thereof; (4) raise novel legal or policy issues arising out of legal mandates, the President's priorities, or the principles set forth in the Executive Order.
The rules add Privacy Act regulations to Subchapter E (45 CFR part 1182), replacing the existing regulations in Subchapter A (45 CFR part 1115) with regard to the Institute. The new regulations provide additional detail concerning several provisions of the Privacy Act, and are intended to increase understanding of the Institute's Privacy Act policies. As such, it does not impose a compliance burden on the economy generally or on any person or entity. Accordingly, this rule is not a “significant regulatory action” from an economic standpoint, and it does not otherwise create any inconsistencies or budgetary impacts to any other agency or Federal Program.
Regulatory Flexibility Act
Because this rule adds Privacy Act regulations to Subchapter E (45 CFR part 1182), replacing the existing regulations in Subchapter A (45 CFR part 1115) with regard to the Institute, the Institute has determined in Regulatory Flexibility Act (5 U.S.C. 601 et seq.) review that this rule will not have a significant economic impact on a substantital number of small entities.
Paperwork Reduction Act
This rule is exempt from the requirements of the Paperwork Reduction Act, since it adds Privacy Act regulations to Subchapter E (45 CFR part 1182), replacing the existing regulations in Subchapter A (45 CFR part 1115) with regard to the Institute. An OMB form 83-1 is not required.
Unfunded Mandates Reform Act
For purposes of the Unfunded Mandates Reform Act of 1995 (2 U.S.C. chapter 25, subchapter II), this rule will not significantly or uniquely affect small governments and will not result in increased expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more as adjusted for inflation) in any one year.
Small Business Regulatory Enforcement Fairness Act (SBREFA)
This rule is not a major rule under 5 U.S.C. 804(2), the Small Business Regulatory Enforcement Fairness Act. This rule:
a. Does not have an annual effect on the economy of $100 million or more.
b. Will not cause a major increase in costs or prices for consumers, individuals industries, Federal, State, or local government agencies, or geographic regions.
c. Does not have significant adverse effects on competition, employment, investment, productivity, innovation, or the ability of U.S.-based enterprises to compete with foreign-based enterprises.
Takings (E.O. 12630)
In accordance with Executive Order 12630, the rule does not have significant takings implications. No rights, property or compensation has been, or will be taken. A takings implication assessment is not required.
Federalism (E.O. 13132)
In accordance with Executive Order 13132, this rule does not have federalism implications that warrant the preparation of a federalism assessment.
Civil Justice Reform (E.O. 12988)
In accordance with Executive Order 12988, the Institute has determined that this rule does not unduly burden the judicial system and meets the requirements of sections 3(a) and 3(b)(2) of the Order.
Consultation With Indian tribes (E.O. 13175)
In accordance with Executive Order 13175, the Institute has evaluated this rule and determined that it has no potential negative effects on federally recognized Indian tribes.
National Environmental Policy Act
This final rule does not constitute a major Federal action significantly affecting the quality of the human environment.Start List of Subjects
List of Subjects in 45 CFR Part 1182End List of Subjects Start Signature
Dated: February 2, 2006.
Nancy E. Weiss,
General Counsel, Institute of Museum and Library Services.
For the reasons stated in the preamble, the Institute amends Title 45, Code of Federal Regulations, Subchapter E, by adding Part 1182 to read as follows:End Amendment Part Start Part
PART 1182—IMPLEMENTATION OF THE PRIVACY ACT OF 1974
- Purpose and scope of these regulations.
- Inquiries about the Institute's systems of records or implementation of the Privacy Act.
- Procedures for notifying the public of the Institute's systems of records.
- Procedures for notifying government entities of the Institute's proposed changes to its systems of records.
- Limits that exist as to the contents of the Institute's systems of records.
- Institute procedures for collecting information from individuals for its records.
- Procedures for acquiring access to Institute records pertaining to an individual.
- Identification required when requesting access to Institute records pertaining to an individual.
- Procedures for amending or correcting an individual's Institute record.
- Procedures for appealing a refusal to amend or correct an Institute record.
- Fees charged to locate, review, or copy records.
- Policies and procedures for Institute disclosure of its records.
- Procedures for maintaining accounts of disclosures made by the Institute from its systems of records.
- Institute responsibility for maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems.
- Procedures to ensure that Institute employees involved with its systems of records are familiar with the requirements and of the Privacy Act.
- Institute systems of records that are covered by exemptions in the Privacy Act.
- Penalties for obtaining an Institute record under false pretenses.
- Restrictions that exist regarding the release of mailing lists.
The regulations in this part set forth the Institute's procedures under the Privacy Act, as required by 5 U.S.C. 552a(f), with respect to systems of records maintained by the Institute. These regulations establish procedures by which an individual may exercise the rights granted by the Privacy Act to determine whether an Institute system contains a record pertaining to him or her; to gain access to such records; and to request correction or amendment of such records. These regulations also set identification requirements, prescribe fees to be charged for copying records, Start Printed Page 6376and establish exemptions from certain requirements of the Act for certain Institute systems or components thereof:
The definitions of the Privacy Act apply to this part. In addition, as used in this part:
(a) Agency means any executive department, military department, government corporation, or other establishment in the executive branch of the Federal government, including the Executive Office of the President or any independent regulatory agency.
(b) Business day means a calendar day, excluding Saturdays, Sundays, and legal public holidays.
(c) Director means the Director of the Institute, or his or her designee;
(d) General Counsel means the General Counsel of the Institute, or his or her designee.
(e) Individual means any citizen of the United States or an alien lawfully admitted for permanent residence;
(f) Institute means the Institute of Museum and Library Services;
(g) Institute system means a system of records maintained by the Institute;
(h) Maintain means to collect, use, store, or disseminate records, as well as any combination of these recordkeeping functions. The term also includes exercise of control over and, therefore, responsibility and accountability for, systems of records;
(i) Privacy Act or Act means the Privacy Act of 1974, as amended (5 U.S.C. 552a);
(j) Record means any item, collection, or grouping of information about an individual that is maintained by an agency and contains the individual's name or another identifying particular, such as a number or symbol assigned to the individual, or his or her fingerprint, voice print, or photograph. The term includes, but is not limited to, information regarding an individual's education, financial transactions, medical history, and criminal or employment history;
(k) Routine use means, with respect to the disclosure of a record, the use of a record for a purpose that is compatible with the purpose for which it was collected;
(l) Subject individual means the individual to whom a record pertains. Uses of the terms “I”, “you”, “me”, and other references to the reader of the regulations in this part are meant to apply to subject individuals as defined in this paragraph (l); and
(m) System of records means a group of records under the control of any agency from which information is retrieved by use of the name of the individual or by some number, symbol, or other identifying particular assigned to the individual.
Inquiries about the Institute's systems of records or implementation of the Privacy Act should be sent to the following address: Institute of Museum and Library Services; Office of the General Counsel; 1800 M Street, NW., 9th Floor, Washington, DC 20036.
(a) From time to time, the Institute shall review its systems of records in the Federal Register, and publish, if necessary, any amendments to those systems of records. Such publication shall not be made for those systems of records maintained by other agencies while in the temporary custody of the Institute.
(b) At least 30 days prior to publication of information under paragraph (a) of this section, the Institute shall publish in the Federal Register a notice of its intention to establish any new routine uses of any of its systems of records, thereby providing the public an opportunity to comment on such uses. This notice published by the Institute shall contain the following:
(1) The name of the system of records for which the routine use is to be established;
(2) The authority for the system;
(3) The purpose for which the record is to be maintained;
(4) The proposed routine use(s);
(5) The purpose of the routine use(s); and
(6) The categories of recipients of such use.
(c) Any request for additions to the routine uses of Institute systems should be sent to the Office of the General Counsel (see § 1182.3).
(d) Any individual who wishes to know whether an Institute system contains a record pertaining to him or her should write to the Office of the General Counsel (see § 1182.3). Such individuals may also call the Office of the General Counsel at (202) 653-4787 on business days, between the hours of 9 a.m. and 5 p.m., to schedule an appointment to make an inquiry in person. Inquiries should be presented in writing and should specifically identify the Institute systems involved. The Institute will attempt to respond to an inquiry regarding whether a record exists within 10 business days of receiving the inquiry.
When the Institute proposes to establish or significantly change any of its systems of records, it shall provide adequate advance notice of such proposal to the Committee on Government Reform of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget (OMB), in order to permit an evaluation of the probable or potential effect of such proposal on the privacy or other rights of individuals. This report will be submitted in accordance with guidelines provided by the OMB.
(a) The Institute shall maintain only such information about an individual as is relevant and necessary to accomplish a purpose of the agency required by statute or by executive order of the President. In addition, the Institute shall maintain all records that are used in making determinations about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to that individual in the making of any determination about him or her. However, the Institute shall not be required to update retired records.
(b) The Institute shall not maintain any record about any individual with respect to or describing how such individual exercises rights guaranteed by the First Amendment of the Constitution of the United States, unless expressly authorized by statute or by the subject individual, or unless pertinent to and within the scope of an authorized law enforcement activity.
The Institute shall collect information, to the greatest extent practicable, directly from you when the information may result in adverse determinations about your rights, benefits, or privileges under Federal programs. In addition, the Institute shall inform you of the following, either on the form it uses to collect the information or on a separate form that you can retain, when it asks you to supply information:
(a) The statutory or executive order authority that authorizes the solicitation of the information;
(b) Whether disclosure of such information is mandatory or voluntary;
(c) The principal purpose(s) for which the information is intended to be used;Start Printed Page 6377
(d) The routine uses that may be made of the information, as published pursuant to § 1182.4; and
(e) Any effects on you of not providing all or any part of the required or requested information.
The following procedures apply to records that are contained in an Institute system:
(a) You may request review of records pertaining to you by writing to the Office of the General Counsel (see § 1182.3). You also may call the Office of the General Counsel at (202) 653-4787 on business days, between the hours of 9 a.m. and 5 p.m., to schedule an appointment to make such a request in person. A request for records should be presented in writing and should identify specifically the Institute systems involved.
(b) Access to the record, or to any other information pertaining to you that is contained in the system shall be provided if the identification requirements of § 1182.9 are satisfied and the record is determined otherwise to be releasable under the Privacy Act and these regulations. The Institute shall provide you an opportunity to have a copy made of any such record about you. Only one copy of each requested record will be supplied, based on the fee schedule in § 1182.12.
(c) The Institute will comply promptly with requests made in person at scheduled appointments, if the requirements of this section are met and the records sought are immediately available. The institute will acknowledge, within 10 business days, mailed requests or personal requests for documents that are not immediately available, and the information requested will be provided promptly thereafter.
(d) If you make your request in person at a scheduled appointment, you may, upon your request, be accompanied by a person of your choice to review your record. The Institute may require that you furnish a written statement authorizing discussion of your record in the accompanying person's presence. A record may be disclosed to a representative chosen by you upon your proper written consent.
(e) Medical or psychological records pertaining to you shall be disclosed to you unless, in the judgment of the Institute, access to such records might have an adverse effect upon you. When such a determination has been made, the Institute may refuse to disclose such information directly to you. The Institute will, however, disclose this information to a licensed physician designated by you in writing.
The Institute shall require reasonable identification of all individuals who request access to records in an Institute system to ensure that they are disclosed to the proper person.
(a) The amount of personal identification required will of necessity vary with the sensitivity of the record involved. In general, if you request disclosure in person, you shall be required to show an identification card, such as a driver's license, containing your photograph and sample signature. However, with regard to records in Institute systems that contain particularly sensitive and/or detailed personal information, the Institute reserves the right to require additional means of identification as are appropriate under the circumstances. These means include, but are not limited to, requiring you to sign a statement under oath as to your identity, acknowledging that you are aware of the penalties for improper disclosure under the provisions of the Privacy Act.
(b) If you request disclosure by mail, the Institute will request such information as may be necessary to ensure that you are properly identified. Authorized means to achieve this goal include, but are not limited to, requiring that a mail request include certification that a duly commissioned notary public of any State or territory (or a similar official, if the request is made outside of the United States) received an acknowledgment of identity from you.
(c) If you are unable to provide suitable documentation or identification, the Institute may require a signed, notarized statement asserting your identity and stipulating that you understand that knowingly or willfully seeking or obtaining access to records about another person under false pretenses is punishable by a fine of up to $5,000.
(a) You are entitled to request amendments to or corrections of records pertaining to you pursuant to the provisions of the Privacy Act, including 5 U.S.C. 552a(d)(2). Such a request should be made in writing and addressed to the Office of the General Counsel (see § 1182.3).
(b) Your request for amendments or corrections should specify the following:
(1) The particular record that you are seeking to amend or correct;
(2) The Institute system from which the record was retrieved;
(3) The precise correction or amendment you desire, preferably in the form of an edited copy of the record reflecting the desired modification; and
(4) Your reasons for requesting amendment or correction of the record.
(c) The Institute will acknowledge a request for amendment or correction of a record within 10 business days of its receipt, unless the request can be processed and the individual informed of the General Counsel's decision on the request within that 10-day period.
(d) If after receiving and investigating your request, the General Counsel agrees that the record is not accurate, timely, or complete, based on a preponderance of the evidence, then the record will be corrected or amended promptly. The record will be deleted without regard to its accuracy, if the record is not relevant or necessary to accomplish the Institute function for which the record was provided or is maintained. In either case, you will be informed in writing of the amendment, correction, or deletion. In addition, if accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.
(e) If after receiving and investigating your request, the General Counsel does not agree that the record should be amended or corrected, you will be informed promptly in writing of the refusal to amend or correct the record and the reason for this decision. You also will be informed that you may appeal this refusal in accordance with § 1182.11.
(f) Requests to amend or correct a record governed by the regulations of another agency will be forwarded to such agency for processing, and you will be informed in writing of this referral.
(a) You may appeal a refusal to amend or correct a record to the Director. Such appeal must be made in writing within 10 business days of your receipt of the initial refusal to amend or correct your record. Your appeal should be sent to the Office of the General Counsel (see § 1182.3), should indicate that it is an appeal, and should include the basis for the appeal.
(b) The Director will review your request to amend or correct the record, the General Counsel's refusal, and any other pertinent material relating to the appeal. No hearing will be held.
(c) The Director shall render his or her decision on your appeal within 30 Start Printed Page 6378business days of its receipt by the Institute, unless the Director, for good cause shown, extends the 30-day period. Should the Director extend the appeal period, you will be informed in writing of the extension and the circumstances of the delay.
(d) If the Director determines that the record that is the subject of the appeal should be amended or corrected, the record will be so modified, and you will be informed in writing of the amendment or correction. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be informed of the corrective action taken.
(e) If your appeal is denied, you will be informed in writing of the following:
(1) The denial and the reasons for the denial;
(2) That you may submit to the Institute a concise statement setting forth the reasons for your disagreement as to the disputed record. Under the procedures set forth in paragraph (f) of this section, your statement will be disclosed whenever the disputed record is disclosed; and
(3) That you may seek judicial review of the Director's determination under 5 U.S.C. 552a(g)(1)(a).
(f) Whenever you submit a statement of disagreement to the Institute in accordance with paragraph (e)(2) of this section, the record will be annotated to indicate that it is disputed. In any subsequent disclosure, a copy of your statement of disagreement will be disclosed with the record. If the Institute deems it appropriate, a concise statement of the Director's reasons for denying our appeal also may be disclosed with the record. While you will have access to this statement of the Director's reasons for denying your appeal, such statement will not be subject to correction or amendment. Where an accounting was made of prior disclosures of the record, all previous recipients of the record will be provided a copy of your statement of disagreement, as well as any statement of the Director's reasons for denying your appeal.
(a) The Institute shall charge no fees for search time or for any other time expended by the Institute to review a record. However, the Institute may charge fees where you request that a copy be made of a record to which you have been granted access. Where a copy of the record must be made in order to provide access to the record (e.g., computer printout where no screen reading is available), the copy will be made available to you without cost.
(b) Copies of records made by photocopy or similar process will be charged to you at the rate of $0.10 per page. Where records are not susceptible to photocopying (e.g., punch cards, magnetic tapes, or oversize materials), you will be charged actual cost as determined on a case-by-case basis. A copying fee totaling $3.00 or less shall be waived, but the copying fees for contemporaneous requests by the same individual shall be aggregated to determine the total fee.
(c) Special and additional services provided at your request, such as certification or authentication, postal insurance, and special mailing arrangement costs, will be charged to you.
(d) A copying fee shall not be charged or, alternatively, it may be reduced, when the General Counsel determines, based on a petition, that the petitioning individual is indigent and that the Institute's resources permit a waiver of all or part of the fee.
(e) All fees shall be paid before any copying request is undertaken. Payments shall be made by check or money order payable to the “Institute of Museum and Library Services.”
(a) The Institute not disclose any record that is contained in a system of records to any person or to another agency, except pursuant to a written request by or with the prior written consent of the subject individual, unless disclosure of the record is:
(1) To those officers or employees of the Institute who maintain the record and who have a need for the record in the performance of their official duties;
(2) Required under the provisions of the Freedom of Information Act (5 U.S.C. 552). Records required to be made available by the Freedom of Information Act will be released in response to a request to the Institute formulated in accordance with the National Foundation on the Arts and the Humanities regulations published at 45 CFR part 1100;
(3) For a routine use as published in the annual notice in the Federal Register;
(4) To the Census Bureau for purpose of planning or carrying out a census; survey, or related activity pursuant to the provisions of Title 13 of the United States Code;
(5) To a recipient who has provided the Institute with adequate advance written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
(6) To the National Archives and Records Administration as a record that has sufficient historical or other value to warrant its continued preservation by the United States government, or for evaluation by the Archivist of the United States, or his or her designee, to determine whether the record has such value;
(7) To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the Institute for such records specifying the particular portion desired and the law enforcement activity for which the record is sought. The Institute also may disclose such a record to a law enforcement agency on its own initiative in situations in which criminal conduct is suspected, provided that such disclosure has been established as a routine use, or in situations in which the misconduct is directly related to the purpose for which the record is maintained;
(8) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if, upon such disclosure, notification is transmitted to the last known address of such individual;
(9) To either House of Congress, or, to the extent of matter within its jurisdictions, any committee or subcommittee thereof, any joint committee of Congress, or subcommittee of any such joint committee;
(10) To the Comptroller General, or any of his or her authorized representatives, in the course of the performance of official duties of the General Accounting Office;
(11) To a consumer reporting agency in accordance with 31 U.S.C. 3711(e); or
(12) Pursuant to an order of a court of competent jurisdiction. In the event that any record is disclosed under such compulsory legal process, the Institute shall make reasonable efforts to notify the subject individual after the process becomes a matter of public record.
(b) Before disseminating any record about any individual to any person other than an Institute employee, the Institute shall make reasonable efforts to ensure that such records are, or at the time they were collected were, accurate, complete, timely, and relevant for Institute purposes. This paragraph (b) does not apply to dissemination made pursuant to the provisions of the Start Printed Page 6379Freedom of Information Act (5 U.S.C. 552) and paragraph (a)(2) of this section.
(a) The Office of the General Counsel shall maintain a log containing the date, nature, and purpose of each disclosure of a record to any person or to another agency. Such accounting also shall contain the name and address of the person or agency to whom each disclosure was made. This log need not include disclosures made to Institute employees in the course of their official duties, or pursuant to the provisions of the Freedom of Information Act (5 U.S.C. 552).
(b) The Institute shall retain the accounting of each disclosure for at least five years after the accounting is made or for the life of the record that was disclosed, whichever is longer.
(c) The Institute shall make the accounting of disclosures of a record pertaining to you available to you at your request. Such a request should be made in accordance with the procedures set forth in § 1182.8. This paragraph (c) does not apply to disclosures made for law enforcement purposes under 5 U.S.C. 552a(b)(7) and § 1182.13(a)(7).
The Chief Information Officer has the responsibility of maintaining adequate technical, physical, and security safeguards to prevent unauthorized disclosure or destruction of manual and automatic record systems. These security safeguards shall apply to all systems in which identifiable personal data are processed or maintained, including all reports and outputs from such systems that contain identifiable personal information. Such safeguards must be sufficient to prevent negligent, accidental, or unintentional disclosure, modification or destruction of any personal records or data, and must furthermore minimize, to the extent practicable, the risk that skilled technicians or knowledgeable persons could improperly obtain access to modify or destroy such records or data and shall further insure against such casual entry by unskilled persons without official reasons for access to such records or data.
(a) Manual systems. (1) Records contained in a system of records as defined in this part may be used, held, or stored only where facilities are adequate to prevent unauthorized access by persons within or outside the Institute.
(2) All records, when not under the personal control of the employees authorized to use the records, must be stored in a locked filing cabinet. Some systems of records are not of such confidential nature that their disclosure would constitute a harm to an individual who is the subject of such record. However, records in this category also shall be maintained in locked filing cabinets or maintained in a secured room with a locking door.
(3) Access to and use of a system of records shall be permitted only to persons whose duties require such access within the Institute, for routine uses as defined in § 1182.1 as to any given system, or for such other uses as may be provided in this part.
(4) Other than for access within the Institute to persons needing such records in the performance of their official duties or routine uses as defined in § 1182.1, or such other uses as provided in this part, access to records within a system of records shall be permitted only to the individual to whom the record pertains or upon his or her written request to the General Counsel.
(5) Access to areas where a system of records is stored will be limited to those persons whose duties require work in such areas. There shall be an accounting of the removal of any records from such storage areas utilizing a log, as directed by the Chief Information Officer. The log shall be maintained at all times.
(6) The Institute shall ensure that all persons whose duties require access to and use of records contained in a system of records are adequately trained to protect the security and privacy of such records.
(7) The disposal and destruction of records within a system of records shall be in accordance with rules promulgated by the General Services Administration.
(b) Automated systems. (1) Identifiable personal information may be processed, stored, or maintained by automated data systems only where facilities or conditions are adequate to prevent unauthorized access to such systems in any form. Whenever such data, whether contained in punch cards, magnetic tapes, or discs, are not under the personal control of an authorized person, such information must be stored in a locked or secured room, or in such other facility having greater safeguards than those provided for in this part.
(2) Access to and use of identifiable personal data associated with automated data systems shall be limited to those persons whose duties require such access. Proper control of personal data in any form associated with automated data systems shall be maintained at all times, including maintenance of accountability records showing disposition of input and output documents.
(3) All persons whose duties require access to processing and maintenance of identifiable personal data and automated systems shall be adequately trained in the security and privacy of personal data.
(4) The disposal and disposition of identifiable personal data and automated systems shall be done by shredding, burning, or, in the case of tapes or discs, degaussing, in accordance with regulations of the General Services Administration or other appropriate authority.
(a) The Director shall ensure that all persons involved in the design, development, operation, or maintenance of any Institute system are informed of all requirements necessary to protect the privacy of subject individuals. The Director also shall ensure that all Institute employees having access to records receive adequate training in their protection, and that records have adequate and proper storage with sufficient security to assure the privacy of such records.
(b) All employees shall be informed of the civil remedies provided under 5 U.S.C. 552a(g)(1) and other implications of the Privacy Act, and the fact that the Institute may be subject to civil remedies for failure to comply with the provisions of the Privacy Act and the regulations in this part.
(a) Pursuant to and limited by 5 U.S.C. 552a(j)(2), the Institute system entitled “Office of the Inspector General Investigative Files” shall be exempted from the provisions of 5 U.S.C. 552a, except for subsections (b); (c)(1) and (2); (e)(4)(A) through (F); (e)(6), (7), (9), (10), and (11); and (i), insofar as that Institute system contains information pertaining to criminal law enforcement investigations.
(b) Pursuant to and limited by 5 U.S.C. 552a(k)(2), the Institute system entitled “Office of the Inspector General Investigative Files” shall be exempted from 5 U.S.C. 552a(c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f), insofar as that Institute system consists of investigatory material compiled for law Start Printed Page 6380enforcement purposes, other than material within the scope of the exemption at 5 U.S.C. 552a(j)(2).
(c) The Institute system entitled “Office of the Inspector General Investigative Files” is exempt from the provisions of the Privacy Act noted in this section because their application might alert investigation subjects to the existence or scope of investigations; lead to suppression, alteration, fabrication, or destruction of evidence; disclose investigative techniques or procedures; reduce the cooperativeness or safety of witnesses; or otherwise impair investigations.
(a) Under 5 U.S.C. 552a(i)(3), any person who knowingly and willfully requests or obtains any record from the Institute concerning an individual under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.
(b) A person who falsely or fraudulently attempts to obtain records under the Privacy Act also may be subject to prosecution under other statutes, including 18 U.S.C. 494, 495, and 1001.
The Institute may not sell or rent an individual's name and address unless such action specifically is authorized by law. This section shall not be construed to require the withholding of names and addresses otherwise permitted to be made public.
[FR Doc. 06-1122 Filed 2-7-06; 8:45am]
BILLING CODE 7036-01-M