Skip to Content

Proposed Rule

Regulations Implementing the Privacy Act of 1974

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Occupational Safety and Health Review Commission.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

The Occupational Safety and Health Review Commission (OSHRC) is proposing to amend its regulations implementing the Privacy Act of 1974, 5 U.S.C. 552a, as amended. The Privacy Act has been amended multiple times since OSHRC first promulgated its regulations in 1979. The proposed amendments to OSHRC's regulations at 29 CFR part 2400 will assist the agency in complying with the requirements of the Privacy Act.

DATES:

Comments must be received by OSHRC on or before August 28, 2006.

ADDRESSES:

You may submit comments by any of the following methods:

  • E-mail: regsdocket@oshrc.gov. Include “PRIVACY ACT PROPOSED RULEMAKING” in the subject line of the message.
  • Fax: (202) 606-5417.
  • Mail: One Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.
  • Hand Delivery/Courier: Same as mailing address.

Instructions: All submissions must include your name, return address and e-mail address, if applicable. Please clearly label submissions as “PRIVACY ACT PROPOSED RULEMAKING.” If you submit comments by e-mail, you will receive an automatic confirmation e-mail from the system indicating that we have received your submission. If, in response to your comment submitted via e-mail, you do not receive a confirmation e-mail within five working days, contact us directly at (202) 606-5410.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Ron Bailey, Attorney-Advisor, Office of the General Counsel, via telephone at (202) 606-5410, or via e-mail at rbailey@oshrc.gov.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

OSHRC's regulations implementing the Privacy Act of 1974 were first promulgated on January 19, 1979, 44 FR 3968. These regulations have not been revised, except for changes made to the office address referenced in §§ 2400.6 and 2400.7, 58 FR 26065, April 30, 1993. Since 1979, however, the Privacy Act has been amended on numerous occasions. As explained below, these statutory changes, along with intervening case law, compel OSHRC to propose various amendments to its regulations. Because OSHRC proposes extensive revisions to its existing regulations implementing the Privacy Act, OSHRC has reproduced, for the convenience of the reader, the revised regulations to 29 CFR part 2400 in their entirety in its proposed rulemaking.

The specific amendments that OSHRC proposes include the following changes which are discussed in regulatory sequence.

OSHRC proposes amending its authority citation to exclude all references to popular names and statutes at large. The Office of the Federal Register has expressed a preference for citing only to the United States Code when referencing a Federal statute.

In § 2400.1 (Purpose and scope), OSHRC proposes making several changes to clarify what 29 CFR part 2400 covers. In accordance with the amendments to the Privacy Act contained in section 2(b), Public Law 97-365 (5 U.S.C. 552a(m)(2)), OSHRC proposes amending § 2400.1 to reflect that part 2400 no longer covers systems of records “that are disclosed to consumer reporting agencies under [section] 3711(e) of title 31, United States Code.” Additionally, OSHRC proposes amending § 2400.1 to reflect that part 2400 applies only to “records that are maintained by [OSHRC].” Presently, § 2400.1 states that OSHRC's Privacy Act regulations “are applicable only to such items of information as relate to the agency or are within its custody.” However, the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term “items of information” is not. Therefore, amending § 2400.1 to substitute “record” for “items of information” would more appropriately limit the purpose and scope of the regulations in accordance with the statute. OSHRC also proposes deleting the last sentence of § 2400.1, which states “[t]his part is intended to protect individual privacy, and affects all personal information collection and usage activity of the agency,” because it is overly broad. Based on these proposed amendments, new § 2400.1 would read as follows:

The purpose of the provisions of this part is to provide procedures to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is applicable only to records that are maintained by the Occupational Safety and Health Review Commission (OSHRC or the Commission), which includes all systems of records operated on behalf of OSHRC, pursuant to a contract, to accomplish an agency function, except for records that are disclosed to consumer reporting agencies under section 3711(e) of title 31, United States Code. This part is not applicable to the rights of parties appearing in adversary proceedings before the Commission to obtain discovery from an adverse party. Such matters are governed by the Commission's Rules of Procedure, which are published at 29 CFR 2200.1 et seq.

Revising § 2400.1 in this manner would incorporate a statutory change to the Privacy Act, as well as clarify the proper scope of the agency's regulations under this Part.

In § 2400.2 (Description of agency), OSHRC proposes adding a sentence to the end of the section that provides additional details about the designation of one of the Commissioners as the Chairman and his responsibilities for the administrative operations of the Start Printed Page 42786Commission, consistent with section 12(e) of the Occupational Safety and Health Act of 1970, 29 U.S.C. 661(e). OSHRC also proposes a simple change in nomenclature by deleting “Occupational Safety and Health Review Commission” and replacing it with “The Commission.” The agency's full name would first be noted in revised § 2400.1 based on the amendments to that section discussed above.

OSHRC proposes amending several items in § 2400.3 (Delegation of authority). In paragraph (a) of § 2400.3, OSHRC proposes revised language providing that “[t]he Chairman shall designate an OSHRC employee as the Privacy Officer, and shall delegate to the Privacy Officer the authority to insure agency-wide compliance with this part.” In the current version of paragraph (a), this authority is delegated to the Executive Director. In recent years, the Office of Management and Budget (OMB) has issued various guidance memoranda regarding the responsibilities of executive departments and agencies on privacy matters, including Safeguarding Personally Identifiable Information, OMB-06-15 (May 22, 2006); Designation of Senior Agency Officials for Privacy, OMB Memorandum M-05-08 (Feb. 11, 2005); and OMB Guidance for Implementing the Privacy Provision of the E-Government Act of 2002, OMB Memorandum M-03-22 (Sept. 30, 2003). By creating the position of Privacy Officer and providing this individual with the authority to handle Privacy Act matters, OSHRC would be better able to respond to future changes in requirements and subsequent guidance in the privacy arena.

In paragraph (b) of § 2400.3, OSHRC proposes replacing the term “[c]ustodians” with the more specific term “[c]ustodians of the systems of records” in order to better define those persons covered by paragraph (b). In accordance with the changes proposed to § 2400.3(a), OSHRC would also replace the term “Executive Director” with “Privacy Officer.” OSHRC further proposes to break out existing paragraph (b) into paragraphs (b)(1) and (b)(2) and to add a new paragraph (b)(3) in order to highlight the various duties of the custodians of the systems of records. Specifically, OSHRC proposes to reformat paragraph (b) by turning the first and second sentences of the current paragraph (b) into new paragraphs (b)(1) and (b)(2), respectively. OSHRC proposes making several grammatical changes in new paragraph (b)(1) by transforming the words “adherence,” “collection,” “use,” and “disclosure” into present participles. OSHRC also proposes to replace (1) the word “information” and the phrase “personal information” with the word “records,” and (2) the phrase “personal records systems” with the phrase “systems of records.” Because the terms “record” and “system of records” are defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), use of these terms would better delineate the scope of revised paragraph (b). OSHRC then proposes adding a new paragraph (b)(3), which would make the custodians of the systems of records responsible for maintaining an accurate accounting of each disclosure in conformance with § 2400.4(d) and its statutory counterpart in the Privacy Act at 5 U.S.C. 552a(c). Although § 2400.4(d) presently requires that “[a]n accurate accounting of each disclosure” be maintained, the current regulations do not specify who is responsible for complying with this provision. OSHRC believes, however, that custodians of the systems of records are best suited to maintain an accounting of each disclosure because they have the most interaction with the systems of records and are usually involved in processing the requests for records. -

With regard to § 2400.4 (Collection and disclosure of personal information), OSHRC proposes making several structural and substantive changes, as well as some minor changes in wording. In paragraph (a)(1)(i) of § 2400.4, OSHRC proposes adding the phrase “in its records” after “[s]olicit, collect and maintain” to clarify that OSHRC's responsibilities under this provision only extend to information that is maintained in a record. OSHRC also proposes adding a new paragraph (a)(1)(ii) that lists the responsibilities set forth in 5 U.S.C. 552a(e)(5), which requires each agency to—

Maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination.

While this provision has always been in the Privacy Act, it was never incorporated into OSHRC's regulations. With the addition of new paragraph (a)(1)(ii), § 2400.4(a)(1) would better reflect OSHRC's responsibilities under the Privacy Act. OSHRC then proposes to renumber current paragraphs (a)(1)(ii) and (iii) as new paragraphs (a)(1)(iii) and (iv). In order to better track the statutory language of 5 U.S.C. 552a(e)(2), OSHRC further proposes adding the phrase “under Federal programs” after “benefits or privileges” in the newly renumbered paragraph (a)(1)(iii). Finally, OSHRC proposes a minor change by deleting “the” before “OSHRC” in new paragraph (a)(1)(iv).

OSHRC proposes no changes to paragraph (a)(2), however, in paragraph (a)(3) of § 2400.4, OSHRC proposes replacing the word “information” with “record” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) while the term “information” is not. Amending paragraph (a)(3) in this manner would better define this paragraph's scope. OSHRC also proposes adding the phrase “or maintenance of the record” after “collection” to clarify that all of the requirements and exceptions in the paragraph apply to both the collection and maintenance of records. Finally, OSHRC proposes amending paragraph (a)(3) to include language excluding records that are “pertinent to and within the scope of an authorized law enforcement activity” in accordance with 5 U.S.C. 552a(e)(7). We propose no changes to § 2400.4(a)(4).

OSHRC proposes making structural and substantive changes to paragraphs (b)(1) and (b)(2) of § 2400.4. Specifically, OSHRC proposes amending paragraph (b)(1) to incorporate the opening statutory language contained in 5 U.S.C. 552a(b). The revised paragraph (b)(1) would thus read:

OSHRC shall not disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

The current regulation at § 2400.4(b)(1) regarding disclosures-which, in part, prevents OSHRC from disseminating records “unless reasonable efforts have been made to assure that the information is accurate, complete, timely and relevant”—could be construed as applying to Freedom of Information Act (FOIA) requests. Under 5 U.S.C. 552a(e)(6), however, agency responses to FOIA requests are specifically exempted from the Privacy Act requirement that agencies must make reasonable efforts to ensure, when disclosing records about an individual to any person, that such records are accurate, complete, timely, and relevant. This exemption makes sense because the purpose of a FOIA request may be, for example, to gather information that reflects an agency's propensity for maintaining inaccurate records. Consequently, it would not be appropriate to require that such records requested under the FOIA be examined in this manner under the Privacy Act. Thus, in order to eliminate such an interpretation, OSHRC proposes Start Printed Page 42787amending paragraph (b)(1) in the aforementioned manner, amending paragraph (b)(2) to list exceptions to revised paragraph (b)(1), and adding new paragraph (b)(5) which would define when records should be “accurate, complete, timely and relevant.”

As to paragraph (b)(2) of § 2400.4, OSHRC proposes the following changes. First, in order to reflect that revised paragraph (b)(2) lists exceptions to the rule set forth in revised paragraph (b)(1), OSHRC proposes revising the opening clause to read, “Exceptions: A record may be disseminated without satisfying the requirements of paragraph (b)(1) of this section if disclosure is made: * * *” Second, OSHRC proposes replacing the word “information” with “record” in paragraphs (b)(2)(ii) and (b)(2)(iv), because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term “information” is not. Third, in paragraph (b)(2)(iv), OSHRC proposes adding the words “OSHRC with” between “provided” and “adequate advance written assurance” in order to clarify that notice must be provided to OSHRC. In that paragraph, OSHRC also proposes replacing the phrase “individually identifiable” with “personally identifiable” because this is a term of art used in the privacy field. Fourth, OSHRC proposes a change in nomenclature by spelling out “United States” in paragraph (b)(2)(v) and deleting “the” before “OSHRC” in paragraph (b)(2)(viii). Fifth, in accordance with the amendments to the Privacy Act contained in section 107(g)(1), Public Law 98-497 (5 U.S.C. 552a(b)(6)), OSHRC proposes modifying, in paragraph (b)(2)(vi), “National Archives of the United States” to read “National Archives and Records Administration,” and “Administrator of General Services” to read “Archivist of the United States or the designee of the Archivist.” Sixth, OSHRC proposes modifying, in paragraph (b)(2)(viii), “Federal agency” to read “another agency.” This revision better tracks the statutory language at 5 U.S.C. 552a(b)(7) and makes clear that the records can be disclosed to federal, state, or local agencies. In this regard, OMB states in its guidelines, 40 FR 28948, 28955, July 9, 1975, that in addition to providing for disclosures to federal law enforcement agencies, section 552a(b)(7) allows an agency, “upon receipt of a written request, [to] disclose a record to another agency or unit of State or local government for a civil or criminal law enforcement activity.” Seventh, in order to better track the language of 5 U.S.C. 552a(b)(9), OSHRC proposes modifying paragraph (b)(2)(ix) of § 2400.4 to read, “To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, or any joint committee of Congress or subcommittee of any such joint committee.” Eighth, in accordance with the GAO Human Capital Reform Act of 2004, Public Law 108-271, 118 Stat. 811, OSHRC proposes modifying, in paragraph (b)(2)(x), “General Accounting Office” to read “Government Accountability Office.” Finally, OSHRC proposes adding a new paragraph (b)(2)(xii) which, in accordance with the amendments to the Privacy Act contained in section 2(a), Public Law 97-365 (5 U.S.C. 552a(b)(12)), would permit disclosures “[t]o a consumer reporting agency in accordance with section 3711(e) of title 31, United States Code.”

OSHRC further proposes some minor changes, such as capitalizing “Service” in paragraph (b)(3) and revising “§ 2400.4(b)(3) above” to read “paragraph (b)(3) of this section” in paragraph (b)(4). In paragraph (b)(3), OSHRC also proposes changing “The Personnel Office” to “OSHRC's Office of Administration” based on the agency's recent reorganization.

OSHRC next proposes adding new paragraphs (b)(5) and (b)(6) to § 2400.4, which would essentially incorporate the statutory language of 5 U.S.C. 552a(e)(6) and (d)(5), respectively. Paragraph (b)(5) would read:

Disclosures to third parties. OSHRC shall not disseminate any record about an individual to any person other than an agency unless the record is disseminated pursuant to paragraph (b)(2)(i) of this section, or reasonable efforts have been made to ensure that the record is accurate, complete, timely and relevant.

Paragraph (b)(6) would read:

Anticipated legal action. Nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

OSHRC believes that these provisions should be added to § 2400.4 in order to track the statute and make the regulations comprehensive.

Additionally, OSHRC proposes moving current § 2400.4(c) and re-designating it as new § 2400.5(c). Current section 2400.4(c), which pertains to notifying certain persons and agencies about corrections made to a record, is a better fit for new § 2400.5(c), which pertains to “notification of amendment.” Proposed modifications to the language in the re-designated § 2400.5(c) are discussed below in that section.

In response to the change above, OSHRC proposes re-designating paragraph (d) of § 2400.4, which sets forth the procedures for maintaining an accounting of disclosures, as new paragraph (c) of § 2400.4. OSHRC proposes streamlining the language of new paragraph (c)(1). Rather than spelling out that the accounting requirements do not pertain to instances “in which disclosure is made to OSHRC employees in the performance of their duties or is required by the Freedom of Information Act (5 U.S.C. 552), in conformance with section 552a(c) of the Privacy Act,” OSHRC proposes simply stating that “any disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this section” is excepted. Also, OSHRC proposes inserting the phrase “OSHRC shall maintain” at the beginning of paragraph (c)(1) to emphasize that it is, in fact, OSHRC's responsibility to maintain an accurate accounting of certain disclosures. OSHRC further proposes adding a new paragraph (c)(2) that lists the information required, in accordance with 5 U.S.C. 552a(c)(1), for a proper accounting of each disclosure. New paragraph (c)(2) would read as follows:

When an accounting is required under paragraph (c)(1) of this section, the following information shall be recorded: The date, nature, and purpose of each disclosure of a record to any person or to another agency, and the name and address of the person or agency to whom the disclosure is made.

OSHRC proposes renumbering current paragraph (d)(2) as new paragraph (c)(3), and modifying the language “for at least five (5) years or the life of the record” to read “for at least five (5) years after disclosure or for the life of the record” in order to clearly define the length of time that an accounting must be maintained. Finally, OSHRC proposes renumbering current paragraph (d)(3) as new paragraph (c)(4), adding a cross-reference to “§ 2400.6 for suggested form of request,” and deleting the word “provision” because it adds nothing to the sentence.

With regard to § 2400.5 (Notification), OSHRC proposes making various changes in substance and nomenclature. In the opening sentence of paragraph (a) of § 2400.5, OSHRC proposes modifying the phrase “personal records systems” to read “systems of records” because only the latter phrase is defined in the Privacy Act at 5 U.S.C. 552a(a)(5).

In paragraph (a)(2) of § 2400.5, OSHRC proposes deleting the word “personal” because the definitions of “record” and “system of records” in the Privacy Act at 5 U.S.C. 552a(a)(4) and (5), respectively, already reflect that personal identifiable information is at issue. In accordance with the amendments to the Privacy Act Start Printed Page 42788contained in section 201(a), Public Law 97-375 (5 U.S.C. 552a(e)(4)), OSHRC also proposes deleting the word “annually” from paragraph (a)(2) and adding the phrase “[u]pon establishing or revising a system of records.” Additionally, OSHRC proposes modifying paragraph (a)(2) to reflect the data elements that are required by the Office of the Federal Register for Privacy Act notices. These fields include: (i) System name and location; (ii) security classification; (iii) categories of individuals covered by the system; (iv) categories of records in the system; (v) authority for maintenance of the system; (vi) purpose(s) of the system; (vii) routine uses of records maintained in the system, including categories of users and the purpose(s) of such uses; (viii) disclosures to consumer reporting agencies; (ix) policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system; (x) system manager(s) and address; (xi) procedures by which an individual can be informed whether a system contains a record pertaining to himself, gain access to such record, and contest the content, accuracy, completeness, timeliness, relevance, and necessity for retention of the record; (xii) record source categories; and (xiii) exemptions claimed for the system. Finally, in the opening sentence of paragraph (a)(2) of § 2400.5, OSHRC proposes minor grammatical changes, such as inserting “the” before the words “existence” and “systems.”

In accordance with the amendments to the Privacy Act contained in section 3(b), Public Law 100-503 (5 U.S.C. 552a(r)), OSHRC proposes adding a new paragraph (a)(3) to § 2400.5 that sets forth the reporting requirements for system-of-records notices. New paragraph (a)(3) would read as follows:

OSHRC shall submit a report, in accordance with guidelines provided by the Office of Management and Budget (OMB), in order to give advance notice to the Committee on Government Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and OMB of any proposal to establish a new system of records or to significantly change an existing system of records.

OSHRC believes it is necessary to add new paragraph (a)(3) to § 2400.5 in order to provide a comprehensive explanation of the notification requirements.

In paragraph (b) of § 2400.5, OSHRC proposes replacing the phrase “personal information” with “record pertaining to the individual” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4), while the term “information” is not.

OSHRC also proposes substantial changes to paragraph (c) of § 2400.5. Presently, paragraph (c) states as follows: “Notification of amendment. (See § 2400.7 relating to amendment of records upon request.)” OSHRC proposes deleting this language, and, as discussed earlier, inserting the text of current § 2400.4(c), which pertains to notifying certain persons and agencies about corrections made to a record, and designating it as new paragraph (c)(1) in § 2400.5. OSHRC would thus modify the text to read as follows:

OSHRC shall inform any person or other agency about any correction or notation of dispute made by OSHRC to any record that has been disclosed to the person or agency, if the correction or notation was made pursuant to § 2400.8, and an accounting of the disclosure was made pursuant to § 2400.4(c).

The current version of this paragraph states that its requirements apply where a “personal record has been or is to be disclosed.” However, the phrase “is to be disclosed” is not included in 5 U.S.C. 552a(c)(4), the regulation's statutory counterpart. Moreover, from a practical standpoint, it would be difficult to notify a person or an agency of a correction if the record has not yet been disclosed to that person or agency. The remaining changes to new paragraph (c)(1), shown above, are based on the statutory text at section 552a(c)(4).

OSHRC proposes adding a new paragraph (c)(2) to § 2400.5 setting forth the requirements of 5 U.S.C. 552a(d)(4), which explains how agencies are to treat disputed portions of the record. New paragraph (c)(2) would read as follows:

In any disclosure to a person or other agency containing information about which the individual has filed a statement of disagreement and occurring after the statement was filed, OSHRC shall clearly note any portion of the record which is disputed and provide copies of the statement and, if OSHRC deems appropriate, copies of a concise statement of OSHRC's reasons for not making the requested amendments.

OSHRC believes that adding this statutory requirement to § 2400.5 would help ensure that the rights of those covered by the Privacy Act are preserved.

In accordance with 5 U.S.C. 552a(e)(11), OSHRC proposes amending paragraph (d) of § 2400.5 to allow interested persons to “submit written data, views, or arguments to OSHRC” after a system-of-records notice has been published in the Federal Register. OSHRC also proposes adding the word “routine” before “use,” and replacing “personal information” with “a system of records” because, under section 552a(e)(11), notification is required only for new and revised routine uses of systems of records. OSHRC proposes no changes to paragraph (e) of § 2400.5.

With regard to § 2400.6 (Procedures for requesting records), OSHRC proposes various substantive and structural changes, as well some changes in nomenclature. Throughout § 2400.6, OSHRC proposes replacing “personal information” with “record” because the term “record” is defined in the Privacy Act at 5 U.S.C. 552a(a)(4) and the term “information” is not. OSHRC also proposes a change in nomenclature by replacing “Executive Director,” “responsible official,” and “disclosure officer” with “Privacy Officer” in accordance with the proposed changes to § 2400.3(a).

In the opening sentence of § 2400.6, OSHRC proposes a change in wording by replacing the word “have” with “gain.” OSHRC also proposes deleting the phrase “within a comprehensive format” as unnecessary.

In paragraph (a)(1) of § 2400.6, OSHRC proposes deleting the last sentence which says the following:

Access to OSHRC records maintained in National Archives and Records Service Centers may be obtained in accordance with the regulations issued by the General Services Administration.

According to section 107(g)(2), Public Law 98-497 (5 U.S.C. 552a(l)(1)), the records that OSHRC sends to the Federal processing center are still considered to be under OSHRC's control. Thus, disclosure of such records must be in accordance with OSHRC's regulations. OSHRC also proposes amending the agency's mailing address to include the last four digits of the ZIP code and to spell out “Ninth Floor.”

OSHRC proposes deleting the last sentence in paragraph (a)(2) of § 2400.6, which reads, “Upon request, OSHRC also shall disclose to the individual an accounting of any disclosures made from the individual's records.” This sentence is redundant because new § 2400.4(c)(4) (current § 2400.4(d)(3)) already covers an individual's request for an accounting.

In paragraph (a)(3) of § 2400.6, OSHRC proposes revising the Privacy Officer's period for response to read “10 working days” rather than “10 days,” because 5 U.S.C. 552a(d)(2)(A) states that Saturdays, Sundays, and legal holidays are excluded from the 10-day requirement.

Paragraphs (b)(1) and (b)(2) of § 2400.6 would remain unchanged. However, OSHRC proposes amending paragraph (b)(3) of § 2400.6 to reflect that a declaration made in accordance Start Printed Page 42789with 28 U.S.C. 1746 may serve as an alternative to a notarized statement, in accordance with section 1(a), Public Law 94-550 (28 U.S.C. 1746) and Summers v. United States Dep't of Justice, 999 F.2d 570, 573 (D.C. Cir. 1993).

While paragraph (c) on verification of guardianship remains unchanged, OSHRC proposes modifying paragraph (d) of § 2400.6 to indicate that the authorization form discussed in that paragraph must be provided by OSHRC. Because the form is intended, in part, to protect OSHRC from liability that may arise when records are disseminated to a third party accompanying the individual whose records are being accessed, OSHRC must make certain that the form is legally adequate.

OSHRC also proposes deleting current paragraph (e) of § 2400.6, which sets forth special rules for requesting medical records, and adding a new section § 2400.7 that provides a more legally sound procedure for requesting such records. OSHRC also proposes re-designating current paragraph (f) as new paragraph (e).

OSHRC proposes re-designating paragraph (g) of § 2400.6 as new paragraph (f) and amending its language to require that the Privacy Officer, upon denying an individual's request for personal records, notify the individual of his or her right to an administrative appeal. The paragraph presently requires that the requester be advised of his right to judicial review in a district court of the United States. However, the administrative appeal is an equally important aspect of the review process and, therefore, should be included in the Privacy Officer's statement. OSHRC also proposes deleting the phrase “or other appropriate official,” thereby requiring that the Privacy Officer sign any reply denying an individual's written request to review a record. Placing clear limits on who has authority to deny such a request is necessary to maintain the integrity of the administrative appeal process.

As discussed above, OSHRC proposes creating a new § 2400.7 by carving out current paragraph (e) of § 2400.6 and revising it to comport with new case law regarding special procedures for medical records. Under 5 U.S.C. 552a(f)(3), OSHRC must—

Establish procedures for the disclosure to an individual upon his request of his record or information pertaining to him, including special procedure, if deemed necessary, for the disclosure to an individual of medical records, including psychological records, pertaining to him[.]

Current paragraph (e) of § 2400.6 states the following:

Medical records shall be disclosed to the requester to whom they pertain unless the Executive Director, in consultation with a medical doctor named by the requesting individual, determines that access to such record could have an adverse effect upon such individual. In such a case, the Executive Director shall transmit such information to the named medical doctor.

However, in light of Benavides v. United States Bureau of Prisons, 995 F.2d 269 (D.C. Cir. 1993), current paragraph (e) may no longer be valid. In Benavides, the United States Court of Appeals for the District of Columbia Circuit found that, while an agency is authorized to devise a “special” methodology for disclosing medical records under section 552a(f)(3), the devised methodology must lead to disclosure of the medical records to the requesting individual. Id. at 272. Thus, the court held that a regulation which expressly contemplates that the requesting individual may never see certain medical records is not a permissible special procedure. Id. The court, however, rejected the argument that the Privacy Act requires direct disclosure of medical records to the requesting individual. Id. at 273. Recognizing the “potential harm that could result from unfettered access to medical and psychological records,” the court provided that an agency should have the freedom to craft special procedures to limit such harm, as long as the agency guarantees “the ultimate disclosure of the medical records to the requesting individual.” Id. Therefore, new § 2400.7 would address the concerns expressed in Benavides by setting forth a procedure that guarantees “the ultimate disclosure of medical records to the requesting individual,” but still requires the intervention of a physician in order “to limit the potential harm.” Id. In part, OSHRC's proposed procedures under this section are based on the procedures utilized by the Central Intelligence Agency, 32 CFR 1901.31.

OSHRC next proposes re-designating current § 2400.7 (Procedures for requesting amendment) as new § 2400.8. Throughout new § 2400.8, OSHRC would replace “Executive Director” with “Privacy Officer” in accordance with the proposed amendments to § 2400.3(a). OSHRC then proposes revising paragraph (b)(4) to reflect that the Privacy Officer will “[n]otify the requester of a determination not to amend the record, of the reasons for the refusal, and of the requester's right to appeal in accordance with [new] § 2400.9.” Inexplicably, the current version of paragraph (b)(4) does not require OSHRC to explain why a person's request for amendment is being denied. OSHRC also proposes severing paragraphs (c) and (d) of current § 2400.7 and renumbering them to create a new § 2400.9 pertaining to appeal procedures. Creating new § 2400.9 by separating the appeal procedures from current § 2400.7, which pertains to “procedures for requesting amendment,” is necessary because individuals should be permitted to appeal the agency's denial of inspection and copy requests, not just the denial of amendment requests.

In new § 2400.9 (current § 2400.7(c) and (d)), OSHRC proposes changing “Executive Director” to “Privacy Officer.” OSHRC also proposes the following changes. New paragraphs (a)(1) and (a)(2) of proposed § 2400.9 would coincide with current § 2400.7(c)(1) and (c)(2), new paragraph (b) would coincide with current § 2400.7(c)(3), new paragraph (c) would coincide with current § 2400.7(c)(4), and new paragraph (d) would coincide with current § 2400.7(d). In new paragraph (a)(1) (current § 2400.7(c)(1)), OSHRC proposes amending the last four digits of the ZIP code in its mailing address, spelling out “Ninth Floor,” and adding “Attn: Privacy Appeal” as the second line in the address. In new paragraph (b) of § 2400.9 (current § 2400.7(c)(3)), OSHRC proposes the following: (1) Adding the word “working” after the first mention of “30” because 5 U.S.C. 552a(d)(3) states that Saturdays, Sundays, and legal holidays are excluded from the 30-day requirement; (2) replacing the word “determination” with “decision” in order to make new paragraph (b) consistent with paragraph (c) (current § 2400.7(c)(4)); and (3) for the sake of readability, modifying “not complete, accurate, relevant, or timely,” to read “incomplete, inaccurate, irrelevant, or untimely.” In new paragraph (c) (current § 2400.7(c)(4)), OSHRC proposes to title the paragraph as “Decision requirements” and to add the phrase “of the United States” after “district court.” Finally, in new paragraph (d) (current § 2400.7(d)), OSHRC proposes adding “then” after “the requester,” and deleting the word “personal” because the definition of “record” in the Privacy Act at 5 U.S.C. 552a(a)(4) already reflects that personal identifiable information is at issue.

OSHRC proposes deleting current § 2400.7(e). This paragraph states that the Executive Director “is available to provide an individual with assistance in exercising rights pursuant to this part.” OSHRC believes that this language creates no affirmative duty and is therefore unnecessary. Moreover, OSHRC believes that its proposed regulations already adequately ensure Start Printed Page 42790that an individual requesting records or amendment to records would be provided with the information necessary to exercise his or her rights.

OSHRC proposes re-designating current § 2400.8 (Schedule of fees) as new § 2400.10. OSHRC would amend the schedule of fees to reflect the change in costs since the original promulgation of the current regulations in 1979. Rather than specifying a specific copying fee, OSHRC would incorporate by reference Appendix A to 29 CFR Part 2201—Schedule of Fees in the agency's proposed rulemaking implementing the FOIA published at 71 FR 41384, July 21, 2006. OSHRC proposes this revision for administrative ease and to ensure that the fees charged for FOIA and Privacy Act requests are consistent. Lastly, in accordance with 5 U.S.C. 552a(f)(5), OSHRC would amend paragraph (c) to reflect that no fee would be charged for reviewing records.

OSHRC proposes deleting current § 2400.9 (Exemptions), which states that “[s]ubsections 552a(j) and (k) of title 5 * * * empower the Chairman to exempt systems of records meeting certain criteria from various other subsections of section 552a.” Under 5 U.S.C. 552a(j) and (k), the head of an agency may promulgate rules, in some circumstances, to exempt various systems of records from certain Privacy Act requirements. A system of records cannot be exempted, however, unless a specific rule regarding it has been published. If ever there is a system of records that the head of the agency wants to exempt, he or she can simply publish a regulation at that time to exempt the system. Thus, deleting § 2400.9 would not in any way deprive the Chairman of this authority.

Executive Order 12866

The Commission is an independent regulatory agency, and, as such, is not subject to the requirements of E.O. 12866.

Paperwork Reduction Act

The Commission has determined that the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., does not apply because these rules do not contain any information collection requirements that require the approval of OMB.

Executive Order 13132

The Commission is an independent regulatory agency, and, as such, is not subject to the requirements of E.O. 13132. However, as independent regulatory agencies are encouraged to comply with this executive order, OSHRC has examined the proposed regulatory action in light of its requirements. This proposed regulatory action does not have Federalism implications. Moreover, the action will not have substantial direct effects on the States, on the relationship between the national government and the States, or on the distribution of power and responsibilities among the various levels of government.

Regulatory Flexibility Act

The Commission has determined under the Regulatory Flexibility Act, 5 U.S.C. 605(b), that these rules, if adopted, would not have a significant economic impact on a substantial number of small entities. Therefore, a Regulatory Flexibility Statement and Analysis has not been prepared.

Unfunded Mandates Reform Act of 1995

The Commission is an independent regulatory agency, and, as such, is not subject to the Unfunded Mandates Reform Act, 2 U.S.C. 1501 et seq.

Small Business Regulatory Enforcement Fairness Act of 1996

This proposed rule is not a major rule under the Small Business Regulatory Enforcement Fairness Act, 5 U.S.C. 804(2). The proposed rule will not result in an annual effect on the economy of more than $100 million per year; a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based companies in domestic and export markets.

Start List of Subjects

List of Subjects in 29 CFR Part 2400

End List of Subjects Start Signature

Signed at Washington, DC, on July 24, 2006.

W. Scott Railton,

Chairman.

End Signature

For the reasons set forth in the preamble, OSHRC proposes that Chapter XX, Part 2400 of Title 29, Code of Federal Regulations, be revised as follows:

Start Part

PART 2400—REGULATIONS IMPLEMENTING THE PRIVACY ACT

2400.1
Purpose and scope.
2400.2
Description of agency.
2400.3
Delegation of authority.
2400.4
Collection and disclosure of personal information.
2400.5
Notification.
2400.6
Procedures for requesting records.
2400.7
Special procedures for requesting medical records.
2400.8
Procedures for requesting amendment.
2400.9
Procedures for appealing.
2400.10
Schedule of fees.
Start Authority

Authority: 5 U.S.C. 552a(f); 5 U.S.C. 553.

End Authority
Purpose and scope.

The purpose of the provisions of this part is to provide procedures to implement the Privacy Act of 1974 (5 U.S.C. 552a). This part is applicable only to records that are maintained by the Occupational Safety and Health Review Commission (OSHRC or the Commission), which includes all systems of records operated on behalf of OSHRC, pursuant to a contract, to accomplish an agency function, except for records that are disclosed to consumer reporting agencies under section 3711(e) of title 31, United States Code. This part is not applicable to the rights of parties appearing in adversary proceedings before the Commission to obtain discovery from an adverse party. Such matters are governed by the Commission's Rules of Procedure, which are published at 29 CFR 2200.1 et seq.

Description of agency.

The Commission adjudicates contested enforcement actions under the Occupational Safety and Health Act of 1970 (29 U.S.C. 651-677). Decisions of the Commission on such actions are issued only after the parties to the case are afforded an opportunity for a hearing in accordance with section 554 of title 5, United States Code. All such hearings are conducted by an OSHRC Administrative Law Judge at a place convenient to the parties and are open to the public. Each Commission member has the authority to direct that a decision of a Judge be reviewed by the full Commission before becoming a final order. The President designates one of the Commissioners as Chairman, who is responsible on behalf of the Commission for the administrative operations of the Commission.

Delegation of authority.

(a) The Chairman shall designate an OSHRC employee as the Privacy Officer, and shall delegate to the Privacy Officer the authority to insure agency-wide compliance with this part.

(b) Custodians of the systems of records are responsible for the following:

(1) Adhering to this part within their respective units and, in particular, collecting, using and disclosing records, and affording individuals the right to Start Printed Page 42791inspect, obtain copies of and correct records concerning them;

(2) Reporting the existence of systems of records, changes to the contents of those systems and changes of routine use to the Privacy Officer, and also establishing the relevancy of records within those systems; and

(3) Maintaining an accurate accounting of each disclosure in conformance with § 2400.4(c) of this part.

Collection and disclosure of personal information.

(a) The following rules govern the collection of personal information throughout OSHRC operations:

(1) OSHRC shall:

(i) Solicit, collect and maintain in its records only such personal information as is relevant and necessary to accomplish a purpose required by statute or executive order;

(ii) Maintain all records which are used by OSHRC in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to ensure fairness to the individual in the determination;

(iii) Collect information, to the greatest extent practicable, directly from the subject individual when such information may result in adverse determinations about an individual's rights, benefits or privileges under Federal programs; and

(iv) Inform any individual requested to disclose personal information whether that disclosure is mandatory or voluntary, by what authority it is solicited, the principal purposes for which it is intended to be used, the routine uses which may be made of it, and any penalties or consequences known to OSHRC which shall result to the individual from such non-disclosure.

(2) OSHRC shall not discriminate against any individual who fails to provide personal information unless that information is required or necessary for the conduct of the system or program in which the individual desires to participate. See § 2400.4(a)(1)(i).

(3) No record shall be collected or maintained which describes how any individual exercises rights guaranteed by the First Amendment unless the Commission specifically determines that such information is relevant and necessary to carry out a statutory purpose of OSHRC, and the collection or maintenance of the record is expressly authorized by statute or by the individual about whom the record is maintained, or unless the record is pertinent to and within the scope of an authorized law enforcement activity.

(4) OSHRC shall not require disclosure of any individual's Social Security account number or deny a right, privilege or benefit because of the individual's refusal to disclose the number unless disclosure is required by Federal law.

(b) Disclosures— (1) Limitations. OSHRC shall not disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.

(2) Exceptions. A record may be disseminated without satisfying the requirements of paragraph (b)(1) of this section if disclosure is made:

(i) To a person pursuant to a requirement of the Freedom of Information Act (5 U.S.C. 552);

(ii) To those officers and employees of OSHRC who have a need for the record in the performance of their duties;

(iii) For a routine use as contained in the system notices published in the Federal Register;

(iv) To a recipient who has provided OSHRC with adequate advance written assurance that the record shall be used solely as a statistical reporting or research record, and the record is to be transferred in a form that is not personally identifiable;

(v) To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13, United States Code;

(vi) To the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;

(vii) To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual, if upon such disclosure notification is transmitted to the last known address of such individual;

(viii) To another agency or an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if such activity is authorized by law and if the head of the agency or instrumentality has made a written request to OSHRC specifying the particular portion of the record desired and the law enforcement activity for which the record is sought;

(ix) To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, or any joint committee of Congress or subcommittee of any such joint committee;

(x) To the Comptroller General or any of his authorized representatives in the course of the performance of the duties of the Government Accountability Office;

(xi) Pursuant to the order of a court of competent jurisdiction; or

(xii) To a consumer reporting agency in accordance with section 3711(e) of title 31, United States Code.

(3) Employee credit references. OSHRC's Office of Administration shall verify the following information provided by an employee to a credit bureau or commercial firm from which an employee is seeking credit: Length of service, job title, grade, salary, tenure of employment, and Civil Service status.

(4) Employee job references. Prospective employers of an OSHRC employee or a former OSHRC employee may be furnished with the information in paragraph (b)(3) of this section in addition to the date and reason for separation if applicable, upon the request of the employee or former employee.

(5) Disclosures to third parties. OSHRC shall not disseminate any record about an individual to any person other than an agency unless the record is disseminated pursuant to paragraph (b)(2)(i) of this section, or reasonable efforts have been made to ensure that the record is accurate, complete, timely and relevant.

(6) Anticipated legal action. Nothing in this section shall allow an individual access to any information compiled in reasonable anticipation of a civil action or proceeding.

(c) Accounting of disclosures—(1) OSHRC shall maintain an accurate accounting of each disclosure, except for any disclosure made pursuant to paragraphs (b)(2)(i) and (b)(2)(ii) of this section.

(2) When an accounting is required under paragraph (c)(1) of this section, the following information shall be recorded: The date, nature, and purpose of each disclosure of a record to any person or to another agency, and the name and address of the person or agency to whom the disclosure is made.

(3) The accounting shall be maintained for at least five (5) years after disclosure or for the life of the record, whichever is longer.

(4) The accounting shall be made available to the individual named in the record upon inquiry, except for disclosures made pursuant to paragraph Start Printed Page 42792(b)(2)(viii) of this section relating to law enforcement activities. See § 2400.6 for suggested form of request.

Notification.

(a) Notification of systems. The following procedures permit individuals to determine the types of systems of records maintained by OSHRC.

(1) Upon written request, OSHRC shall notify any individual whether a specific system named by him contains a record pertaining to him. See § 2400.6 for suggested form of request.

(2) Upon establishing or revising a system of records, OSHRC shall publish in the Federal Register a notice of the existence and character of the system of records. This notice shall contain the following information:

(i) System name and location;

(ii) Security classification;

(iii) Categories of individuals covered by the system;

(iv) Categories of records in the system;

(v) Authority for maintenance of the system;

(vi) Purpose(s) of the system;

(vii) Routine uses of records maintained in the system, including categories of users and the purpose(s) of such uses;

(viii) Disclosures to consumer reporting agencies;

(ix) Policies and practices for storing, retrieving, accessing, retaining, and disposing of records in the system;

(x) System manager(s) and address;

(xi) Procedures by which an individual can be informed whether a system contains a record pertaining to himself, gain access to such record, and contest the content, accuracy, completeness, timeliness, relevance and necessity for retention of the record;

(xii) Record source categories; and

(xiii) Exemptions claimed for the system.

(3) OSHRC shall submit a report, in accordance with guidelines provided by the Office of Management and Budget (OMB), in order to give advance notice to the Committee on Government Reform of the House of Representatives, the Committee on Homeland Security and Governmental Affairs of the Senate, and OMB of any proposal to establish a new system of records or to significantly change an existing system of records.

(b) Notification of disclosure. OSHRC shall make reasonable efforts to serve notice on an individual before any record pertaining to the individual is made available to any person under compulsory legal process when such process becomes a matter of public record.

(c) Notification of amendment— (1) OSHRC shall inform any person or other agency about any correction or notation of dispute made by OSHRC to any record that has been disclosed to the person or agency, if the correction or notation was made pursuant to § 2400.8, and an accounting of the disclosure was made pursuant to § 2400.4(c).

(2) In any disclosure to a person or other agency containing information about which the individual has filed a statement of disagreement and occurring after the statement was filed, OSHRC shall clearly note any portion of the record which is disputed and provide copies of the statement and, if OSHRC deems appropriate, copies of a concise statement of OSHRC's reasons for not making the requested amendments.

(d) Notification of new routine use. Any new or revised routine use of a system of records maintained by OSHRC shall be published in the Federal Register thirty (30) days before such use becomes operational. Interested persons may then submit written data, views, or arguments to OSHRC.

(e) Notification of exemptions. OSHRC shall publish in the Federal Register its intent to exempt any system of records and shall specify the nature and purpose of that system.

Procedures for requesting records.

The purpose of this section is to provide procedures by which an individual may gain access to his records.

(a) Submission of requests for access—(1) Manner. An individual seeking information regarding the contents of records systems or access to records about himself in a system of records should present a written request to that effect either in person or by mail to the Privacy Officer, OSHRC, One Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.

(2) Specification of records sought. Requests for access to records shall describe the nature of the record sought, the approximate dates covered by the record, and the system in which the record is thought to be included as described in the “Notification” for that system as published in the Federal Register. The requester should also indicate whether he wishes to review the record in person or obtain a copy by mail. If the information supplied is insufficient to locate or identify the record, the requester shall be notified promptly and, if necessary, informed of additional information required.

(3) Period for response. Upon receipt of an inquiry the Privacy Officer shall respond promptly to the request and no later than 10 working days from receipt of such inquiry.

(b) Verification of identity. The following standards are applicable to any individual who requests records concerning himself:

(1) An individual seeking access to records about himself in person may establish his identity by the presentation of a single document bearing a photograph (such as a passport, employee identification card, or valid driver's license) or by the presentation of two items of identification which do not bear a photograph but do bear both a name and address (such as a valid driver's license, or credit card).

(2) An individual seeking access to records about himself by mail shall establish his identity by a signature, address, date of birth, place of birth, employee identification number, if any, and one other identifier such as a photocopy of an identifying document.

(3) An individual seeking access to records about himself by mail or in person who cannot provide the necessary documentation of identification may provide a notarized statement, or a declaration in accordance with 28 U.S.C. 1746, swearing or affirming to his identity and to the fact that he understands the penalties for false statements pursuant to 18 U.S.C. 1001. Forms for notarized statements may be obtained on request from the Privacy Officer.

(c) Verification of guardianship. The parent or guardian of a minor or a person judicially determined to be incompetent and seeking to act on behalf of such minor or incompetent shall, in addition to establishing his own identity, establish the identity of the minor or other person he represents as required in paragraph (b) of this section and establish his own parentage or guardianship of the subject of the record by furnishing either a copy of a birth certificate showing parentage or a court order establishing the guardianship.

(d) Accompanying persons. An individual seeking to review records about himself may be accompanied by another individual of his own choosing. Both the individual seeking access and the individual accompanying him shall be required to sign a form provided by OSHRC indicating that OSHRC is authorized to discuss the contents of the subject record in the presence of both individuals.

(e) When compliance is possible—(1) The Privacy Officer shall inform the requester of the determination to grant the request and shall make the record available to the individual in the Start Printed Page 42793manner requested, that is, either by forwarding a copy of the information to him or by making it available for review, unless:

(i) It is impracticable to provide the requester with a copy of a record, in which case the requester shall be so notified, and, in addition, be informed of the procedures set forth in paragraph (b)(2) of this section, or

(ii) The Privacy Officer has reason to believe that the cost of a copy of a record is considerably more expensive than anticipated by the requester, in which case he shall notify the requester of the estimated cost, and ascertain whether the requester still wishes to be provided with a copy of the information.

(2) Where a record is to be reviewed by the requester in person, the Privacy Officer shall inform the requester in writing of:

(i) The date on which the record shall become available for review, the location at which it may be reviewed, and the hours for inspection;

(ii) The type of identification that shall be required in order for him to review the record;

(iii) Such person's right to have a person of his own choosing accompany him to review the record; and

(iv) Such person's right to have a person other than himself review the record.

(3) If the requester seeks to inspect the record without receiving a copy, he shall not leave OSHRC premises with the record and shall sign a statement indicating he has reviewed a specific record or category of record.

(f) Response when compliance is not possible. A reply denying a written request to review a record shall be in writing signed by the Privacy Officer and shall be made only if such a record does not exist or does not contain personal information relating to the requester, or is exempt. This reply shall include a statement regarding the determining factors of denial, and the requester's rights to administrative appeal and thereafter judicial review in a district court of the United States.

Special procedures for requesting medical records.

(a) Upon an individual's request for access to his medical, including psychological records, the Privacy Officer shall make a preliminary determination on whether access to such records could have an adverse effect upon the requester. If the Privacy Officer determines that access could have an adverse effect on the requester, OSHRC shall notify the requester in writing and advise that the records at issue can be made available only to a physician of the requester's designation. Upon receipt of such designation, verification of the identity of the physician, and agreement by the physician to review the documents with the requesting individual, to explain the meaning of the documents, and to offer counseling designed to temper any adverse reaction, OSHRC shall forward such records to the designated physician.

(b) If, within sixty (60) days of OSHRC's written request for a designation, the requester has failed to respond or designate a physician, or the physician fails to agree to the release conditions, then OSHRC shall hold the documents in abeyance and advise the requester that this action may be construed as a technical denial. OSHRC shall also advise the requester of his rights to administrative appeal and thereafter judicial review in a district court of the United States.

Procedures for requesting amendment.

(a) Submission of requests for amendment. Upon review of an individual's personal record, that individual may submit a request to amend such record. This request shall be submitted in writing to the Privacy Officer and shall include a statement of the amendment requested and the reasons for such amendment, e.g., relevance, accuracy, timeliness or completeness of the record.

(b) Action to be taken by the Privacy Officer. Upon receiving an amendment request, the Privacy Officer shall promptly:

(1) Acknowledge in writing within ten (10) working days the receipt of the request;

(2) Make such inquiry as is necessary to determine whether the amendment is appropriate; and

(3) Correct or eliminate any information that is found to be incomplete, inaccurate, irrelevant to a statutory purpose of OSHRC, or untimely and notify the requester when this action is complete; or

(4) Notify the requester of a determination not to amend the record, of the reasons for the refusal, and of the requester's right to appeal in accordance with § 2400.9.

Procedures for appealing.

(a) Submission of appeal—(1) If a request to inspect, copy or amend a record is denied, in whole or in part, or if no determination is made within the period prescribed by this part, then the requester may appeal to the Chairman, Attn: Privacy Appeal, OSHRC, One Lafayette Centre, 1120-20th Street, NW., Ninth Floor, Washington, DC 20036-3457.

(2) The requester shall submit his appeal in writing within thirty (30) days of the date of denial, or within ninety (90) days of such request if the appeal is from a failure of the Privacy Officer to make a determination. The letter of appeal should include, as applicable:

(i) Reasonable identification of the record to which access was sought or the amendment of which was requested.

(ii) A statement of the OSHRC action or failure to act being appealed and the relief sought.

(iii) A copy of the request, the notification of denial and any other related correspondence.

(b) Final decisions. The Chairman shall make his final decision not later than thirty (30) working days from the date of the request, unless he extends the time for good cause to be shown by him but not to exceed ninety (90) days from the date of the request. Any record found on appeal to be incomplete, inaccurate, irrelevant, or untimely, shall within thirty (30) working days of the date of such findings be appropriately amended.

(c) Decision requirements. The decision of the Chairman constitutes the final decision of OSHRC on the right of the requester to inspect, copy, change or update a record. The decision on the appeal shall be in writing and, in the event of a denial, shall set forth the reasons for such denial and state the individual's right to obtain judicial review in a district court of the United States. An indexed file of the agency decisions on appeal shall be maintained by the Privacy Officer.

(d) Submission of statement of disagreement. If the final decision does not satisfy the requester, then any statement of reasonable length, provided by that individual, setting forth a position regarding the disputed information, shall be accepted and included in the relevant record.

Schedule of fees.

(a) Policy. The purpose of this section is to establish fair and equitable fees to permit reproduction of records for concerned individuals.

(b) Reproduction—(1) For the fees associated with reproduction of records, refer to Appendix A to Part 2201, Schedule of Fees.

(2) OSHRC shall not normally furnish more than one copy of any record.

(c) Limitations. No fee shall be charged to any individual for the Start Printed Page 42794process of retrieving, reviewing, or amending records.

End Part End Supplemental Information

[FR Doc. E6-12124 Filed 7-27-06; 8:45 am]

BILLING CODE 7600-01-P