DATE: August 26, 2010
SUBJECT: The Privacy Act of 1974, As Amended
1. PURPOSE. This Directive restates policy and assigns responsibilities for carrying out the requirements of the Privacy Act of 1974, as amended (Act). This Directive also authorizes the issuance of Treasury Directive Publication (TD P) 25-04, Privacy Act Handbook.
2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury, including the offices of inspectors general within the Department. The provisions of this Directive shall not be construed to interfere with or impede the authorities or independence of the Department�s inspectors general.
3. POLICY. It is the policy of the Department that all employees and contractors shall be made aware of and comply with the Privacy Act, and that information about individuals shall be collected, maintained, used, and disseminated in accordance with the Act and Treasury regulations set forth at 31 Code of Federal Regulations (CFR) Part 1, Subpart C.
4. BACKGROUND. The Privacy Act provides safeguards against an invasion of privacy through the misuse of records by Federal agencies. Employees are expected to safeguard information about other individuals to which they are exposed to during their employment with the Department. Records about an individual may not be disclosed unless the disclosure is permitted by the Act, or made pursuant to a published routine use. The Act requires that information maintained in an agency's systems of records be accurate, complete, timely, and relevant. The Act permits individuals to receive notification if a system of records contains a record pertaining to them. The Act also requires the Department to provide the following: access to any record it maintains about the individual in a system of records; an accounting of any disclosures to the individual upon request; the amendment of a record, if needed; and the ability to appeal any initial determination not to amend a record.
5. DEFINITIONS. All terms that are defined in the Privacy Act, 5 USC 552a (a), and in the Treasury regulations, 31 CFR 1.21, apply. Other terms in the Treasury regulations that are applicable are:
a. Responsible Official. The official having custody of the records requested, or a designated official, who make initial determinations whether to grant or deny requests for notification, access to records, account of disclosure, and amendments of records.
b. System Manager. The official identified in the system notice as the manager of the system of records.
6. RESPONSIBILITIES. System managers, program managers, personnel employees, procurement employees, attorneys/advisors, and disclosure personnel shall be knowledgeable about the provisions and requirements of the Act. All other Department personnel and contractors shall be aware of their responsibilities to protect Privacy Act records.
a. The Assistant Secretary for Management and Chief Financial Officer (ASM/CFO) serves as the Chief Privacy and Civil Liberties Officer for the Department, as well as the Senior Agency Official for Privacy (SAOP). In this role, the Assistant Secretary shall oversee all Departmental activities relating to the Privacy Act, including rules of conduct, training, and redress activities that stem from adverse agency determinations for amendment of records as allowed under the Act.
b. The Deputy Assistant Secretary for Privacy, Transparency and Records (DASPTR) shall serve as the principal advisor to the ASM/CFO in his role as Chief Privacy and Civil Liberties Officer for the Department. The DASPTR shall approve, subject to Treasury Directive (TD) 28-01, the notices and regulations required to be published by the Privacy Act of 1974. The DASPTR shall also submit reports on new or altered systems of records notices to the Office of Management and Budget (OMB) and Congress when required by Section (r) of the Privacy Act. This includes the authority to ratify, where necessary, any such notice or regulation previously issued. The authority in this paragraph may not be delegated. During the absence of the DASPTR, any required notices, reports, determinations and regulations shall be approved by the ASM/CFO.
c. The Director, Office of Privacy and Civil Liberties (OPCL) shall represent and report to the DASPTR on all Departmental matters relating to the Act, as well as oversee activities of the Departmental Privacy Act Officer, and shall:
1) manage the implementation of the Act within the Department;
2) issue, and revise, as needed, Treasury regulations implementing the Act and review proposed changes to the bureaus privacy regulations;
3) provide appropriate Privacy Act training to employees and contractors, and training on the code of conduct (see 31 CFR 1.28(b); and
4) ensure that the bureaus:
a) carry out the provisions of this Directive, OMB Circular A-130, Appendix I, Treasury Privacy Act regulations found at 31 CFR Part 1, and the Act; and
b) in partnership with the Office of the Deputy Assistant Secretary for Information Systems and Chief Information Officer, participate on government-wide task forces on computer technology concerned with establishing or affecting policies for collecting, compiling, using, maintaining and safeguarding Federal Privacy Act systems of records.
d. The Departmental Privacy Act Officer shall:
1) be prepared to report the results of reviews conducted by the bureaus as specified in OMB Circular A-130, Appendix I, paragraph 3.a., to the Director, OMB, including any corrective action taken;
2) collect, review, consolidate, and submit the data, as well as manage and conduct other compliance reporting requirements, as needed;
3) furnish policy, technical advice, and assistance to the bureaus on publication of notices of systems of records;
4) coordinate, review, revise, and submit to OMB, Congress, and the Federal Register:
a) the Privacy Act compilation of notices of Treasury's systems of records;
b) notices and reports on new or altered systems of records;
c) proposed and final rules for exempt systems of records; and
d) notices for computer matches covered under the provisions of the Computer Matching and Privacy Protection Act of 1988 to the Federal Register on behalf of Treasury;
5) review all Treasury forms and data collection screens used to collect information about individuals (except forms and data collection screens developed and used by the individual bureaus), reserving the right to disapprove the use of any such forms or data collection screens not believed to be in compliance with the Privacy Act and implementing regulations and guidelines; and
6) serve as the permanent Secretary of the Treasury Data Integrity Board.
e. Heads of Bureaus, as it relates to their respective bureaus, shall:
1) establish internal procedures to ensure the effectiveness of Treasury's Privacy Act program and to safeguard individual privacy in the collection, compilation, maintenance, use, and dissemination of Federal records;
2) submit the following to the Office of Privacy, Transparency and Records for the review and approval of the DASPTR:
a) a notice and report for each new or altered system of records;
b) a proposed and final rule for any determination to exempt a system of records from provisions of the Privacy Act;
c) a notice and report of the establishment or alteration of a matching program; and
d) any proposed or final rules to existing Privacy Act regulations for review and concurrence prior to the review and concurrence procedures under TD 28-01;
3) establish procedures allowing an individual to appeal an initial adverse agency determination regarding a request for amendment of records; and
4) submit to the Office of DASPTR a copy of the bureau's initial determination and response to an appeal regarding a request to amend records.
f. System Managers shall:
1) establish, maintain, revise, or delete systems of records in accordance with applicable laws and regulations relating to privacy and Federal records;
2) establish administrative and physical controls to ensure the protection of records systems from unauthorized access or disclosure, and from physical damage or destruction;
3) provide an appropriate means for the accounting of disclosures of records;
4) retain records in accordance with an approved record retention schedule and dispose of such records in a manner that will not compromise personally identifiable information (PII); and
5) prepare reports or provide data to OPCL as required by statute, Executive Order, OMB, Government Accountability Office (GAO), or the SAOP.
g. Responsible Officials shall ensure that Privacy Act requests for notification, access to and amendment of records are processed in accordance with Treasury's disclosure implementing regulations, at 31 CFR Part 1, and that a determination is issued.
h. The Assistant General Counsel (General Law, Ethics and Regulation) shall provide assistance as required by the Departmental Disclosure Officer in the clearance of reports, notices of systems of records, proposed rules, and other related matters to be submitted by Treasury to Congress, OMB, and other parties.
i. The Chief Information Officer (CIO) shall:
1) provide assistance as needed to the DASPTR regarding any proposed or anticipated change to computer installations, communications networks, or other electronic data collecting mechanisms that may be potentially subject to the Privacy Act;
2) assist the bureaus in the implementation of uniform and consistent policies and standards governing the acquisition, maintenance and use of computers or other electronic or telecommunications equipment in the collection, compilation, maintenance, use, or dissemination of Privacy Act records; and
3) provide the DASPTR with proposed data collection screens, or other electronic data collecting mechanisms used to collect information about individuals, for Privacy Act compliance review prior to their use on the Intranet or Internet.
a. Privacy Act of 1974, as amended, 5 USC 552a.
b. Treasury Order 102-25, �Delegation of Authority Concerning Privacy and Civil
c. Department of the Treasury Regulations, 31 CFR Part 1, Subpart C.
a. E-Government Act of 2002.
b. Department of the Treasury Employee Rules of Conduct, 31 CFR Part 0.
c. OMB Circular A-108, �Privacy Act Implementation, (July 9, 1975).
d. OMB Circular A-130, �Management of Federal Information Resources,
(November 30, 2000).
e. M-03-22, OMB Guidance for Implementing the Privacy Provisions of the
E-Government Act of 2002, (September 30, 2003).
f. Office of Personnel Management, Privacy Procedures for Personnel Records,
5 CFR 297.
g. TD 28-01, Preparation and Review of Regulations.
h. TD 25-06, The Treasury Data Integrity Board.
i. TD 25-07, Privacy Impact Assessment (PIA).
j. TD 25-08, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
k. TD P 25-04, Privacy Act Handbook.
l. TD P 85-01, "Treasury IT Security Program."
9. CANCELLATION. TD 12-54, Approval of Privacy Act Documents; authority delegation, dated January 15, 2004, is cancelled. TD 25-04, The Privacy Act of 1974, As Amended, dated March 1, 2000, is superseded.
10. OFFICE OF PRIMARY INTEREST. Office of the Deputy Assistant Secretary for Privacy, Transparency and Records and the Office of the Assistant Secretary for Management and Chief Financial Officer.
Assistant Secretary for Management
and Chief Financial Officer